Marcelo de Moraes Serpa
2010-Apr-06 00:27 UTC
Authenticating against ActiveDirectory - can't read userPassword/unicodePwd?
Hello list,

So, the application I am working on right now needs to have LDAP authentication built in, meaning that if the user enabled it, we will query about his basic data (email, pwd) on a user-setup LDAP directory. It used to work fine when I was testing with OpenLDAP. The code, essentially, is this:

    connection.bind(self.bind_dn, self.password)
    connection.search2(self.base_dn, 1, "(& (userPassword=#{password}) (mail=#{email}))", nil, false, 5, 5000)

It binds and then searches for the user by mail and password. The entries must have userPassword and mail attributes. It's part of the core schema (I guess), so it works fine on OpenLDAP.

I then went to test with Active Directory. I thought it would be basically the same stuff, since it is an LDAP server too and speaks the same protocol. The issue, however, is that, even though we had an entry with mail and the password set, it was just not authenticating. I then changed the query to:

    connection.search2(self.base_dn, 1, "(mail=#{email})", nil, false, 5, 5000)

And then it did return the user entry.

The issue is the userPassword attribute (or is it unicodePwd?). From what I've read, you just can't read it from an AD directory. If that's true, how could LDAP authentication be implemented against an Active Directory repository?

I would appreciate some enlightenment :)

Cheers,

Marcelo.

-- 
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group.
To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFF+G/Ez6ZCGd0@public.gmane.org
To unsubscribe from this group, send email to rubyonrails-talk+unsubscribe-/JYPxA39Uh5TLH3MbocFF+G/Ez6ZCGd0@public.gmane.org
For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en.
Matt Jones
2010-Apr-07 00:42 UTC
Re: Authenticating against ActiveDirectory - can't read userPassword/unicodePwd?
On Apr 5, 8:27 pm, Marcelo de Moraes Serpa <celose...-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
> [...]
> The issue is the userPassword attribute (or is it unicodePwd?). From what
> I've read, you just can't read it from an AD directory. If that's true, how
> could LDAP authentication be implemented against an Active Directory
> repository?

Typically, you'd want to store the user password as a hash (see http://users.ameritech.net/mhwood/ldap-sec-setup.html for some details) and then bind to the server with the appropriate DN (based on the email) and password.

This page:
http://www.mhsoftware.com/caldemo/manual/en/470.htm

may also be handy; it describes how to get a correct DN for ActiveDirectory.

Hope this helps!

--Matt Jones
Marcelo de Moraes Serpa
2010-Apr-07 07:58 UTC
Re: Re: Authenticating against ActiveDirectory - can't read userPassword/unicodePwd?
Hi Matt, thanks for the reply,

The issue is solved. Fact is, you just can't read the userPassword / unicodePwd in an LDAP search on Active Directory. The solution was to just directly use bind to authenticate, something along these lines:

    ...
    # create connection
    connection.bind('user@domain', 'password')

Where user is the givenName attribute, and domain is the AD domain. This works fine and authenticates the user. So, no need to bind as rootdn and search for the user and compare against the userPassword :)

Issue solved!

Thanks,

Marcelo.

On Tue, Apr 6, 2010 at 7:42 PM, Matt Jones <al2o3cr-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
> [...]
> Typically, you'd want to store the user password as a hash (see
> http://users.ameritech.net/mhwood/ldap-sec-setup.html for some
> details) and then bind to server with the appropriate DN (based on the
> email) and password.
>
> This page:
> http://www.mhsoftware.com/caldemo/manual/en/470.htm
>
> may also be handy; it describes how to get a correct DN for
> ActiveDirectory.
>
> Hope this helps!
>
> --Matt Jones
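As an added example (not code from the thread), here is the bind-as-the-user flow Marcelo settled on, written in Ruby with the two checks a practitioner would add around it: RFC 4515 escaping of the mail value that the original search interpolated straight into the filter, and rejecting empty passwords before any bind is attempted. `FakeDirectory`, its entries, the service account and every password are constructed stand-ins for AD so the code runs offline; a real deployment would put net-ldap's bind and search behind the same two methods.

```ruby
# Escape a value before interpolating it into an LDAP search filter (RFC 4515 section 3).
def ldap_filter_escape(value)
  value.to_s.gsub(/[\\*()\x00]/) { |c| format('\\%02x', c.ord) }
end

# Step 1: a read-only service account looks the user up by mail. AD never returns
# userPassword/unicodePwd, so the password must not appear in the filter at all.
def find_dn_by_mail(directory, svc_upn, svc_pw, email)
  return nil unless directory.bind(svc_upn, svc_pw)
  hits = directory.search("(mail=#{ldap_filter_escape(email)})")
  hits.length == 1 ? hits.first[:dn] : nil # refuse empty or ambiguous matches
end

# Step 2: prove the password by binding as the user (the DN found above; the UPN
# user@domain Marcelo used works the same way). An empty password turns a simple
# bind into an unauthenticated bind that AD accepts by default, so reject it here.
def authenticate(directory, svc_upn, svc_pw, email, password)
  return false if password.to_s.empty?
  dn = find_dn_by_mail(directory, svc_upn, svc_pw, email)
  !dn.nil? && directory.bind(dn, password)
end

# Constructed in-memory stand-in for AD (hypothetical entries and passwords).
class FakeDirectory
  ENTRIES = [
    { dn: 'CN=svc-ldap,OU=Service,DC=example,DC=com', upn: 'svc-ldap@example.com',
      mail: nil, pw: 'svc-secret' },
    { dn: 'CN=Alice,OU=Users,DC=example,DC=com', upn: 'alice@example.com',
      mail: 'alice@example.com', pw: 'correct horse' }
  ].freeze

  # Simple bind semantics, including the pitfall: an empty password "succeeds".
  def bind(name, password)
    return true if password.to_s.empty?
    entry = ENTRIES.find { |e| [e[:dn], e[:upn]].include?(name) }
    !entry.nil? && entry[:pw] == password
  end

  # Understands only the filter shape find_dn_by_mail emits: (mail=<escaped value>).
  def search(filter)
    m = filter.match(/\A\(mail=(.*)\)\z/) or return []
    wanted = m[1].gsub(/\\([0-9a-f]{2})/i) { Regexp.last_match(1).hex.chr }
    ENTRIES.select { |e| e[:mail] == wanted }.map { |e| { dn: e[:dn], mail: e[:mail] } }
  end
end
```

The escaping matters even though AD refuses to expose the password: a mail value such as `*)(objectClass=*` would otherwise rewrite the filter, whereas escaped it simply matches no entry.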