LDAP directed request


#1

Is it possible to have RoR to use a UPN formatted username to validate if a LDAP connection is a valid possibility?

Take for instance you have two LDAP connections, one to foo.com and the other to bar.com. Since ACLs are sequential and foo.com is before the bar.com ACL, all logins will attempt foo.com and fail and then attempt bar.com and succeed. Instead, can a user specify [email protected] in the login and RoR uses that as a pre-check in the ACL block to bypass the ACL with foo.com as the LDAP auth domain?

- name: "::foo:users::"
  ldap_authorization:
    name: "ldap1"
    groups: ["kibana"]
  kibana_access: rw
  kibana_index: ".kibana"

- name: "::bar:users::"
  ldap_authorization:
    name: "ldap2"
    groups: ["kibana"]
  kibana_access: rw
  kibana_index: ".kibana"

ldaps:
- name: ldap1
  host: "10.1.1.1"
  search_user_base_DN: "ou=People,dc=foo,dc=com"
  search_groups_base_DN: "ou=Groups,dc=foo,dc=com"

- name: ldap2
  host: "10.2.2.2"
  ssl_enabled: false
  search_user_base_DN: "ou=People,dc=bar,dc=com"
  search_groups_base_DN: "ou=Groups,dc=bar,dc=com"

(Simone Scarduzio) #2

Hi, this is very interesting. The answer for now is no. I might have an idea on the solution, but as a user, how would you expect ROR to solve this?


#3

In an enterprise environment with multiple domains, with some domains trusting other domains (so an LDAP to foo.com could theoretically authenticate bar.com users), I think it would be easiest to add an array into the ldap section with possible UPN domain names as a pre-check.

- name: "::foo:users::"
  ldap_authorization:
    name: "ldap1"
    groups: ["kibana"]
  kibana_access: rw
  kibana_index: ".kibana"

- name: "::bar:users::"
  ldap_authorization:
    name: "ldap2"
    groups: ["kibana"]
  kibana_access: rw
  kibana_index: ".kibana"

ldaps:
- name: ldap1
  host: "10.1.1.1"
  search_user_base_DN: "ou=People,dc=foo,dc=com"
  search_groups_base_DN: "ou=Groups,dc=foo,dc=com"
  upn: ["foo.com", "cat.com", "dog.com"]
  username_format: "upn"

- name: ldap2
  host: "10.2.2.2"
  ssl_enabled: false
  search_user_base_DN: "ou=People,dc=bar,dc=com"
  search_groups_base_DN: "ou=Groups,dc=bar,dc=com"
  upn: ["bar.com"]
  username_format: "useronly"

If I log in as [email protected], RoR could pre-check the upn: array to see if “foo.com” exists as a pre-check. If it does then do the LDAP authentication.

If I log in as [email protected], the pre-check on the first ACL block fails the pre-check so LDAP for [email protected] is not done against foo.com directory/domain.

In either case, there would need to be an option to strip the @foo.com from the username to pass only “me” as the username. “username_format:” for instance. If =upn then pass "[email protected]" to LDAP to lookup, if =useronly then pass “me” to LDAP to lookup.
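The routing logic proposed in the post above, written out as an added Python example (not ReadonlyREST code, and `upn` / `username_format` are the hypothetical options from this thread, not real settings). The `LDAPS` list is a constructed mirror of the proposed `ldaps:` section; the sample logins are constructed too. A login with exactly one `@` is split into local part and domain, the domain is compared case-insensitively against each LDAP's `upn` list, and only the connectors that pass the pre-check are returned, together with the username that `username_format` says to send. A bare username with no domain is assumed here to fail any domain pre-check (the thread does not say), and an LDAP entry with no `upn` list keeps today's behaviour of always being tried. The pre-check only decides which directory is asked; it grants nothing by itself, since the LDAP bind still has to succeed.

```python
# Constructed mirror of the proposed `ldaps:` section (hypothetical `upn` and
# `username_format` keys from the forum post, not actual ReadonlyREST options).
LDAPS = [
    {
        "name": "ldap1",
        "host": "10.1.1.1",
        "upn": ["foo.com", "cat.com", "dog.com"],
        "username_format": "upn",
    },
    {
        "name": "ldap2",
        "host": "10.2.2.2",
        "upn": ["bar.com"],
        "username_format": "useronly",
    },
]


def split_upn(login: str):
    """Return (local_part, domain) for a UPN-style login.

    domain is None when the login is not of the form local@domain
    (no '@', more than one '@', or an empty side).
    """
    login = login.strip()
    if login.count("@") != 1:
        return login, None
    local, domain = login.split("@")
    if not local or not domain:
        return login, None
    return local, domain.lower()


def upn_precheck(ldap: dict, domain) -> bool:
    """Decide whether this LDAP connector should be attempted for the given domain."""
    allowed = ldap.get("upn")
    if allowed is None:
        return True  # no upn list configured: behaves as today, always attempted
    if domain is None:
        return False  # assumption: a bare username cannot satisfy a domain pre-check
    return domain in {d.lower() for d in allowed}


def lookup_name(ldap: dict, local: str, domain) -> str:
    """Build the username to pass to LDAP according to username_format."""
    fmt = ldap.get("username_format", "useronly")
    if fmt == "upn" and domain is not None:
        return f"{local}@{domain}"
    if fmt in ("upn", "useronly"):
        return local  # "useronly", or "upn" when the login carried no domain
    raise ValueError(f"unknown username_format {fmt!r} for {ldap['name']}")


def route_login(login: str, ldaps=LDAPS):
    """Return [(ldap name, username to send)] for every connector that passes the pre-check,
    in ACL order, so the caller can try them sequentially without hitting the wrong directory."""
    local, domain = split_upn(login)
    return [
        (ldap["name"], lookup_name(ldap, local, domain))
        for ldap in ldaps
        if upn_precheck(ldap, domain)
    ]


if __name__ == "__main__":
    # Constructed sample logins
    for login in ("me@foo.com", "me@bar.com", "me@CAT.com", "me@baz.com", "me"):
        print(f"{login:12} -> {route_login(login)}")
```

With this table, `me@foo.com` is only ever sent to ldap1 (as the full UPN), `me@bar.com` only to ldap2 (as `me`), and a domain listed nowhere yields an empty candidate list, so no bind attempt is made against a directory that cannot know the user.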


(Simone Scarduzio) #4

Yep. I like your solution better than the one I thought of. Will add it in the next release. Thanks @brian!


#5

Awesome. Thank you Simone.