Am I supposed to be using the ldap.yml file to make sure whoever is authenticating with LDAP has the right groups assigned to them to allow them in?
I am not an AD pro by any means and this is confusing me... what's a group and what's an attribute? From what I understand, we have a user in AD, they have a sAMAccountName, and I can get it to let them into the app, but it doesn't care at this point what their groups are. It's a specialized app and really only those that have a memberOf attribute of:
HD Admin
HD Helper
HD Reset
Security
should all be allowed into the app. I also (after using Apache Directory Studio) have realized that there are many memberOf entries:
Bob for instance might have two memberOf entries:
memberOf CN=Security,OU=Groups,OU=Accounts,DC=ACN,DC=ad,DC=tdsu,DC=edu
memberOf CN=HD Admin, OU=Groups,OU=Accounts,DC=ACN,DC=ad,DC=tdsu,DC=edu
So how would my YAML look, and is that the right spot to do these things?

authorizations: &AUTHORIZATIONS
  group_base: OU=Groups,OU=Accounts,DC=ACN,DC=ad,DC=nmsu,DC=edu
  ## Requires config.ldap_check_group_membership in devise.rb be true
  # Can have multiple values, must match all to be authorized
  required_groups:
    # If only a group name is given, membership will be checked against "uniqueMember"
    - CN=HD Admin
    - CN=HD Reset
    - CN=Security
    # If an array is given, the first element will be the attribute to check against, the second the group name
    - ["memberOf", " CN=HD Admin,OU=Groups,OU=Accounts,DC=ACN,DC=ad,DC=tdsu,DC=edu"]
    - ["memberOf", " CN=HD Helper,OU=Groups,OU=Accounts,DC=ACN,DC=ad,DC=tdsu,DC=edu"]
    - ["memberOf", " CN=HD Reset,OU=Groups,OU=Accounts,DC=ACN,DC=ad,DC=tdsu,DC=edu"]
    - ["memberOf", " CN=Security,OU=Groups,OU=Accounts,DC=ACN,DC=ad,DC=tdsu,DC=edu"]
  require_attribute:
    memberOf: HD Admin
I couldn't get the required attributes to work, so am I off base? Is there some way to do this in the Devise scaffolding that was built from the ldap devise gem? Because really they can be in any of those groups, so it's an OR; they don't have to be in all of them to be let into the app.
At least, is the YAML the place or not the place to try this?

Update:
I did try it with the arrays I mentioned above, and config.ldap_check_group_membership = true;
and it does not let me in no matter what now, so it's either all or nothing. I even took all the memberOf arrays down to one I know my test user has and it still doesn't let me in.
I also wanted to ask: should I just keep the following development: section and deal with all the checking of roles in code (and is there any sort of link on how to do that)? Maybe an API document (probably on GitHub somewhere), though it might just be easier to hand-code all the checking etc.; it means I will have to become much more familiar with Devise too.
I should add the rest of my ldap.yml that is important:
development:
  host: directory.ldapstuff.com
  port: 636
  attribute: sAMAccountName
  base: OU=Main Users, OU=Accounts, DC=ACN, DC=ad, DC=tdsu, DC=edu
  admin_user: CN=EASApps, OU=LDAP, OU=Service Accounts, DC=ACN, DC=ad, DC=tdsu, DC=edu
  admin_password: asfssfaf
  ssl: true
  # <<: *AUTHORIZATIONS
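The question above asks for "any of these groups" semantics, while the gem's required_groups list (per its own comment) must match all entries. The following is an added example, not code from the gem or from the poster, of an OR check over a user's memberOf values; the group list, the base DN and the sample users are constructed from the question, and how the memberOf values are fetched from the directory is left as an assumption.

```ruby
# Added example (not part of devise_ldap_authenticatable): allow access when a
# user is a member of ANY of several AD groups, instead of ALL of them.
require 'set'

# Groups that grant access and the container they live in (from the question).
ALLOWED_GROUPS = ['HD Admin', 'HD Helper', 'HD Reset', 'Security'].freeze
GROUP_BASE     = 'OU=Groups,OU=Accounts,DC=ACN,DC=ad,DC=tdsu,DC=edu'

# Normalise a DN for comparison: split on commas, strip whitespace around each
# RDN (note the leading spaces in the question's YAML arrays) and lower-case,
# because AD DNs are not case-sensitive. Caveat: this simple split does not
# handle RDN values containing escaped commas ("CN=Smith\, John").
def normalize_dn(dn)
  dn.split(',').map { |rdn| rdn.strip.downcase }.join(',')
end

# OR check: true when at least one memberOf value is an allowed group under the
# expected base. Matching the full DN rather than just the CN prevents a group
# with the same name elsewhere in the tree from granting access.
def authorized?(member_of, allowed = ALLOWED_GROUPS, base = GROUP_BASE)
  wanted = allowed.map { |g| normalize_dn("CN=#{g},#{base}") }.to_set
  Array(member_of).any? { |dn| wanted.include?(normalize_dn(dn)) }
end

# Constructed sample: Bob's two memberOf values from the question, including the
# stray leading space and a differently-cased DC component; Alice is only in a
# group that should not grant access.
BOB_MEMBER_OF = [
  'CN=Security,OU=Groups,OU=Accounts,DC=ACN,DC=ad,DC=tdsu,DC=edu',
  ' CN=HD Admin, OU=Groups,OU=Accounts,DC=acn,DC=ad,DC=tdsu,DC=edu'
].freeze
ALICE_MEMBER_OF = [
  'CN=Domain Users,OU=Groups,OU=Accounts,DC=ACN,DC=ad,DC=tdsu,DC=edu'
].freeze

# Assumed hook: in a Devise user model you would call authorized? from a
# callback with the memberOf values read for the login; the directory read is
# omitted here because it depends on the gem's API.
puts "bob: #{authorized?(BOB_MEMBER_OF)}"     # prints "bob: true"
puts "alice: #{authorized?(ALICE_MEMBER_OF)}" # prints "alice: false"
```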
I think you just need to uncomment the # <<: *AUTHORIZATIONS merge.