Cannot login after failure using omniauth and LDAP

1
votes

I have a misterious problem with my first omniauth experiment. I can log in with my username and password, and I can log out properly. I can repeat it many times, but after I give wrong password once I can never log in again even if I try different user. I get "message"=>"invalid_credentials". Everything is fine again if I restart my application (until I mistype my password).

Before the first failure it connects with the given :bind_dn parameter (see below), as expected:

[14/Jun/2011:17:01:33 +0200] conn=7796 op=0 msgId=1 - BIND dn="cn=nss,o=People,o=IAN,o=AD,o=Secret" method=128 version=3

After the first failure it connects with a BIND dn fabricated from my username:

[14/Jun/2011:16:45:33 +0200] conn=7780 op=22 msgId=23 - BIND dn="edarabos" method=128 version=3, Invalid DN

I followed Railscast #241 http://railscasts.com/episodes/241-simple-omniauth with the following configuration (config/initializers/omniauth.rb):

Rails.application.config.middleware.use OmniAuth::Strategies::LDAP\
  , :host => '127.0.0.1'\
  , :method => :plain\
  , :port => 389\
  , :base => 'o=IAN,o=AD,o=Secret'\
  , :uid => 'uid'\
  , :bind_dn => 'cn=nss,o=People,o=IAN,o=AD,o=Secret'\
  , :password => 'TOPSECRET'

Did I make a mistake? Is it a bug? Thanks in advance!

-- I'm using JRuby 1.5.1, Ruby 1.8.7, Rails 3.0.7, omniauth 0.2.6.

UPDATE

If I redo the configuration (....use OmniAuth::Strategies::LDAP ...) after each failure then I can use it to log in successfully. I believed for a second that I am done and then came the new problem. After successful login and logout I cannot log in with different user even if I redo the configuration after successful authentication.

The bind_dn given at the options is a service account. Omniauth binds to the LDAP server with that account and searches with the given credentials (let's say 'user1'), it finds the result and binds with the uid of the search result.

At the next login attempt (with user2) the LDAP search is executed without rebinding according to the configuration. This is a braindead thing to do. User1 is not a service account, so the search does not find any results. Then it tries to rebind using the username of the credentials as bind_dn and fails. This is another braindead thing to do because it is configured exactly otherwise!

1
ruby-on-rails-3ldapomniauth
I skipped omniauth, I use 'net/ldap' directly. Pros and cons accepted :-)Notinlist
Did you try to use 'net/ldap' with Devise?Maxim Filatov
@Bregor Haven't tried Devise. The deadline was reached for writing the authentication, another experimenting would not fit. I programmed the direct usage of "net/ldap" in a day (with testing). And as time proved, we really don't need other types of authentication for the project.Notinlist

1 Answers

1
votes

I skipped omniauth, I use 'net/ldap' directly. Pros and cons accepted :-)