Rails 3 and devise_ldap_authenticatable: authorization against Active Directory?
I successfully have my Rails 3 app running with devise and devise_ldap_authenticatable to authenticate against the local Active Directory.
Now I want to add authorization capabilities in order to allow access only to AD users that belong to certain AD groups.
So to start simple, I first have looked up my own user in AD with the linux command ldapsearch. The result contained something like ...
(...)
memberOf: CN=my,OU=foo,DC=bar,DC=role,DC=domain,DC=com
memberOf: CN=my,OU=foo,DC=bar2,DC=role,DC=domain,DC=com
memberOf: (...)
(...)
Ok, now I decided, that I want to restrict access to members of CN=my,OU=foo,DC=bar,DC=role,DC=domain,DC=com.
So, I changed my ldap.yml to contain:
authorizations: &AUTHORIZATIONS
group_base: ou=role,dc=domain,dc=com
required_groups:
- CN=my,OU=foo,DC=bar,DC=role,DC=domain,DC=com
development:
(...)
<<: *AUTHORIZATIONS
And in addition changed my devise.rb to contain:
Devise.setup do |config|
config.ldap_logger = true
config.ldap_create_user = true
config.ldap_update_password = false
config.ldap_check_group_membership = true # <-- activated this line
config.ldap_use_admin_to_bind = true
#config.ldap_ad_group_check = true <-- don't know what this is good for
Now, when trying to authenticate, access is denied, which I did not expect:
User CN=myuser,OU=org,DC=domain,DC=com is not in group: CN=my,OU=foo,DC=bar,DC=role,DC=domain,DC=com
Any idea, how authorization against AD is accomplished with devise_ldap_authenticatable? The documentation of this module is not yet that comprehensive when it comes to authorization.
Note: Adding an answer on behalf of the OP (@kwirschau)

devise.rb: activate the attribute ldap_check_attributes and remove/comment out ldap_check_group, as it does not check against the AD-specific attribute memberOf.

ldap.yml: comment out group_base and required_groups. Add the required group membership to require_attribute.

In summary, the setup for the example in the question looks like this:

(...)

and

(...)
So, the answer by zekus will only work if the user is directly a member of the given group. It will not search groups recursively. kwirschau, you were almost there with your initial configuration. You stated:

> #config.ldap_ad_group_check = true <-- don't know what this is good for

When that flag is set, the ldap query will search nested groups by using a filter with the LDAP_MATCHING_RULE_IN_CHAIN rule, which searches the user's groups recursively.

Thus, in your devise.rb, set:

(...)

Set your authorization group in your ldap.yml:

(...)

Additionally, in your code, if you want to check a user against another group, don't use "memberOf", as this will not search nested groups. Instead, use:

(...)
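The difference between the two answers above (a direct memberOf comparison versus a nested search with LDAP_MATCHING_RULE_IN_CHAIN) is easiest to see offline. The following is an added example, not code from the question, the answers or the devise_ldap_authenticatable gem: it builds both LDAP filter strings and evaluates them against a constructed in-memory directory. The DNs, the group nesting (myuser is in devs, devs is in my) and the helper names are assumptions made for illustration; the matching-rule OID 1.2.840.113556.1.4.1941 is the one Active Directory uses for LDAP_MATCHING_RULE_IN_CHAIN.

```ruby
# Added example: direct vs. nested AD group membership, modelled in memory.
# Not the gem's implementation; DNs and group nesting below are constructed.
require 'set'

# Constructed directory: DN => the memberOf values AD would return for it.
DIRECTORY = {
  'CN=myuser,OU=org,DC=domain,DC=com'               => ['CN=devs,OU=foo,DC=bar,DC=role,DC=domain,DC=com'],
  'CN=devs,OU=foo,DC=bar,DC=role,DC=domain,DC=com' => ['CN=my,OU=foo,DC=bar,DC=role,DC=domain,DC=com'],
  'CN=my,OU=foo,DC=bar,DC=role,DC=domain,DC=com'   => [],
  'CN=other,OU=org,DC=domain,DC=com'                => [],
}.freeze

# AD DNs compare case-insensitively; whitespace around RDN separators is
# insignificant. (Simplification: escaped commas inside an RDN are not handled.)
def normalize_dn(dn)
  dn.split(',').map { |rdn| rdn.strip.downcase }.join(',')
end

# Escape a value for use inside an LDAP search filter (RFC 4515), so a DN
# containing '(' ')' '*' '\' or NUL cannot alter the filter structure.
def escape_filter_value(value)
  value.gsub(/[\\*()\0]/) { |c| format('\\%02x', c.ord) }
end

# What a plain memberOf comparison asks the server: direct membership only.
def direct_member_filter(group_dn)
  "(memberOf=#{escape_filter_value(group_dn)})"
end

# LDAP_MATCHING_RULE_IN_CHAIN: the server walks the group chain itself.
def nested_member_filter(group_dn)
  "(memberOf:1.2.840.113556.1.4.1941:=#{escape_filter_value(group_dn)})"
end

# Look up an entry's memberOf values, matching the key the way AD compares DNs.
def member_of(dn, dir)
  key = normalize_dn(dn)
  entry = dir.find { |k, _| normalize_dn(k) == key }
  entry ? entry[1] : []
end

# Direct check: equivalent to evaluating direct_member_filter against the user.
def direct_member?(user_dn, group_dn, dir = DIRECTORY)
  target = normalize_dn(group_dn)
  member_of(user_dn, dir).any? { |g| normalize_dn(g) == target }
end

# Nested check: breadth-first walk over memberOf, the client-side equivalent of
# nested_member_filter. The visited set guards against circular group nesting,
# which AD permits.
def nested_member?(user_dn, group_dn, dir = DIRECTORY)
  target = normalize_dn(group_dn)
  seen = Set.new
  queue = member_of(user_dn, dir).dup
  until queue.empty?
    group = queue.shift
    key = normalize_dn(group)
    next unless seen.add?(key)
    return true if key == target
    queue.concat(member_of(group, dir))
  end
  false
end

if __FILE__ == $PROGRAM_NAME
  user  = 'CN=myuser,OU=org,DC=domain,DC=com'
  group = 'CN=my,OU=foo,DC=bar,DC=role,DC=domain,DC=com'
  puts direct_member_filter(group)
  puts nested_member_filter(group)
  puts "direct: #{direct_member?(user, group)}"   # false: myuser is only in devs
  puts "nested: #{nested_member?(user, group)}"   # true: devs is nested in my
end
```

The point for authorization: a check that only inspects the user's own memberOf attribute (the first answer's require_attribute approach, or a hand-written memberOf comparison) denies a user whose membership is inherited through a nested group, while the matching-rule filter (what ldap_ad_group_check turns on according to the second answer) grants it. Whichever you rely on, compare DNs case-insensitively and escape the group DN before putting it into a filter.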