Checking group membership in rails devise ldap gem, is it in the yaml?

Question

Am I supposed to be using the ldap.yml file to make sure who's authenticating with ldap has the right groups assigned to them to allow them in?

I am not an AD pro by any means and this is confusing me... what's a group and attribute? From what I understand, we have a user in AD, they have a samAccount name, I can get it to let them into the app but it doesn't care at this point what their groups are. It's a specialized app and really those that have a memberOf attribute of:

HD Admin
HD Helper
HD Reset
Security

should all be allowed into the app, I also (after using apache directory studio) have realized that there are many memberOf entries:

Bob for instance might have two memberOf entries:

memberOf CN=Security,OU=Groups,OU=Accounts,DC=ACN,DC=ad,DC=tdsu,DC=edu

memberOf CN=HD Admin, OU=Groups,OU=Accounts,DC=ACN,DC=ad,DC=tdsu,DC=edu

So how would my yaml look and is that the right spot to do these things?

authorizations: &AUTHORIZATIONS
  group_base: OU=Groups,OU=Accounts,DC=ACN,DC=ad,DC=nmsu,DC=edu
  ## Requires config.ldap_check_group_membership in devise.rb be true
  # Can have multiple values, must match all to be authorized
  required_groups:
    # If only a group name is given, membership will be checked against "uniqueMember"
    - CN=HD Admin
    - CN=HD Reset
    - CN=Security
    # If an array is given, the first element will be the attribute to check against, the second the group name
    - ["memberOf", "CN=HD Admin,OU=Groups,OU=Accounts,DC=ACN,DC=ad,DC=tdsu,DC=edu"]
    - ["memberOf", "CN=HD Helper,OU=Groups,OU=Accounts,DC=ACN,DC=ad,DC=tdsu,DC=edu"]
    - ["memberOf", "CN=HD Reset,OU=Groups,OU=Accounts,DC=ACN,DC=ad,DC=tdsu,DC=edu"]
    - ["memberOf", "CN=Security,OU=Groups,OU=Accounts,DC=ACN,DC=ad,DC=tdsu,DC=edu"]

  require_attribute:
    memberOf: HD Admin

I couldn't get the required attributes to work, so am I off base? Is there some way to do this in the devise scaffolding that was built from the ldap devise gem? Because really they can be in any of those groups, so an OR; they don't have to be in all of them to be let into the app.

At least maybe is the yaml the place or not the place to try this?

Update:

I did try it with the arrays I mentioned above, and the config.ldap_check_group_membership = true; and it does not let me in no matter what now, so it's either all or nothing. Even took all the memberOf arrays down to one I know my test user has and it still doesn't let me in.

I also wanted to ask, should I just keep the following development: line and deal with all the checking of roles in code (and is there any sort of link on how to do that), maybe I guess an api document (probably on github somewhere), though it might just be easier to hand-code all the checking etc... means I will have to become much more familiar with devise too.

I should add the rest of my ldap.yml that is important:

development:
  host: directory.ldapstuff.com
  port: 636
  attribute: sAMAccountName
  base: OU=Main Users, OU=Accounts, DC=ACN, DC=ad, DC=tdsu, DC=edu
  admin_user: CN=EASApps, OU=LDAP, OU=Service Accounts, DC=ACN, DC=ad, DC=tdsu, DC=edu
  admin_password: asfssfaf
  ssl: true
  # <<: *AUTHORIZATIONS
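The question asks for an any-of (OR) check: a user in any one of HD Admin, HD Helper, HD Reset or Security should get in, while the gem's required_groups comment says every listed group must match. The following is an added example, not the poster's code and not part of the devise_ldap_authenticatable gem: a small policy module that takes the user's memberOf values and answers whether one of them is an allowed group. Group DNs and the "Bob" sample are taken from the post (with DC=tdsu assumed for all four groups); the OUTSIDER sample and the module name are constructed for the example. DNs are compared as whole values after normalising case and the whitespace around commas, because the post itself shows the same group written both as "CN=HD Admin,OU=Groups,..." and "CN=HD Admin, OU=Groups,..."; a naive string comparison would deny that user, and a substring comparison would accept look-alike groups.

```ruby
# Added example (not the poster's code or the devise_ldap_authenticatable gem's):
# an any-of (OR) check over a user's memberOf values, which the gem's
# required_groups (all-must-match) does not express.
module HelpdeskGroupPolicy
  # Groups any one of which grants access. DNs are the poster's; the DC suffix
  # is assumed to be tdsu for all four (the post's group_base said nmsu).
  ALLOWED_GROUP_DNS = [
    "CN=HD Admin,OU=Groups,OU=Accounts,DC=ACN,DC=ad,DC=tdsu,DC=edu",
    "CN=HD Helper,OU=Groups,OU=Accounts,DC=ACN,DC=ad,DC=tdsu,DC=edu",
    "CN=HD Reset,OU=Groups,OU=Accounts,DC=ACN,DC=ad,DC=tdsu,DC=edu",
    "CN=Security,OU=Groups,OU=Accounts,DC=ACN,DC=ad,DC=tdsu,DC=edu",
  ].freeze

  # Canonical form for comparing two DN strings as whole values: strip the
  # whitespace around each RDN and around "=", then case-fold (AD DNs are
  # case-insensitive). Deliberately exact-match, so "CN=HD Admin Trainees,..."
  # or a group in a nested OU does not pass.
  # Caveat: this splits on "," and does not handle RFC 4514 escapes such as
  # "\," inside a value; none of the poster's DNs contain them, but a real DN
  # parser is needed if yours do.
  def self.normalize_dn(dn)
    dn.to_s
      .split(",")
      .map { |rdn| rdn.strip.split("=", 2).map(&:strip).join("=") }
      .join(",")
      .downcase
  end

  ALLOWED_NORMALIZED = ALLOWED_GROUP_DNS.map { |dn| normalize_dn(dn) }.freeze

  # Returns the first allowed group (as the user's original memberOf string)
  # the user belongs to, or nil. member_of: the user's memberOf values; a
  # single string or nil is tolerated because LDAP libraries return both.
  def self.matching_group(member_of)
    Array(member_of).find { |dn| ALLOWED_NORMALIZED.include?(normalize_dn(dn)) }
  end

  def self.allowed?(member_of)
    !matching_group(member_of).nil?
  end
end

# Constructed sample: "Bob" from the question, with the inconsistent spacing
# exactly as it appeared in the post.
BOB_MEMBER_OF = [
  "CN=Security,OU=Groups,OU=Accounts,DC=ACN,DC=ad,DC=tdsu,DC=edu",
  "CN=HD Admin, OU=Groups,OU=Accounts,DC=ACN,DC=ad,DC=tdsu,DC=edu",
].freeze

# Constructed sample: a user in an unrelated group and in a look-alike group
# whose name merely starts with an allowed one.
OUTSIDER_MEMBER_OF = [
  "CN=Marketing,OU=Groups,OU=Accounts,DC=ACN,DC=ad,DC=tdsu,DC=edu",
  "CN=HD Admin Trainees,OU=Groups,OU=Accounts,DC=ACN,DC=ad,DC=tdsu,DC=edu",
].freeze

if __FILE__ == $PROGRAM_NAME
  puts "bob allowed?      #{HelpdeskGroupPolicy.allowed?(BOB_MEMBER_OF)}"      # true
  puts "outsider allowed? #{HelpdeskGroupPolicy.allowed?(OUTSIDER_MEMBER_OF)}" # false
end
```

To wire this into the app the way the "deal with all the checking of roles in code" option describes, the pieces I would reach for (as I recall them from the gem's README and Devise, so confirm against your installed versions) are the gem's ldap_before_save model hook together with Devise::LDAP::Adapter.get_ldap_param(login, "memberOf") to fetch the user's memberOf values after a successful bind, storing the matched group on the user record, and Devise's active_for_authentication? on the model returning false when no allowed group matched, which refuses the sign-in without touching the gem's own required_groups logic.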

Solution

I think you just need to uncomment the # <<: *AUTHORIZATIONS merge.
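As an added example (not the poster's file and not the gem's sample ldap.yml), here is the same file with the merge uncommented, so that the development section actually receives the authorizations block instead of ignoring it. Two things stand out in the posted file and are adjusted here: group_base uses DC=nmsu while every other DN uses DC=tdsu, so the suffix is made consistent; and in the array form the first element names an attribute that is read on the group entry (the default, uniqueMember, is a groupOfUniqueNames attribute), so for an Active Directory group that would be member, not memberOf, which is the attribute Apache Directory Studio showed on the user. Treat the choice of member as an assumption to confirm against your gem version. Every entry under required_groups must match, so the example keeps one group; an any-of check is not something this file expresses.

```yaml
# ldap.yml: added example, not the poster's file or the gem's sample.
# Host, base and group names are the poster's; the DC suffix is made
# consistent (tdsu) and the admin password is a placeholder.
authorizations: &AUTHORIZATIONS
  group_base: OU=Groups,OU=Accounts,DC=ACN,DC=ad,DC=tdsu,DC=edu
  ## Requires config.ldap_check_group_membership in devise.rb be true
  # All entries must match (AND). Each entry is a full group DN. With the
  # array form the first element is the attribute read on the GROUP entry
  # that lists its members; "member" is assumed here for an AD group.
  required_groups:
    - ["member", "CN=Security,OU=Groups,OU=Accounts,DC=ACN,DC=ad,DC=tdsu,DC=edu"]

development:
  host: directory.ldapstuff.com
  port: 636
  attribute: sAMAccountName
  base: OU=Main Users,OU=Accounts,DC=ACN,DC=ad,DC=tdsu,DC=edu
  admin_user: CN=EASApps,OU=LDAP,OU=Service Accounts,DC=ACN,DC=ad,DC=tdsu,DC=edu
  # placeholder: supply the real value outside version control
  admin_password: LDAP_ADMIN_PASSWORD_PLACEHOLDER
  ssl: true
  # the merge from the answer, uncommented
  <<: *AUTHORIZATIONS
```

With the merge active, a sign-in that still fails is easiest to diagnose by binding as admin_user with a directory browser and reading the member attribute of the single listed group: the user's full DN (the one under base) has to appear there verbatim for the gem's check to pass.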
