LDAP / Active Directory user login
Category: Accounts / authentication
When trying to use Active Directory authentication with on-the-fly user addition, this procedure requires that the user:
- must have at least the "first name", "last name" and "email" fields in LDAP,
- must have the "email" field in a valid format.
In fact, in some AD/LDAP installations, some or all of these fields may be omitted. For example, in my AD, users were created only with "displayName", i.e. without "givenName" (= first name), "sn" (= last name) and email entries. I can solve the first problem by setting up a fake field mapping (for example, setting everything to "displayName"), but I can't pass e-mail validation with these emails. I had to patch Redmine sources to
Last, but not least, saving an on-the-fly created user uses .save!, and thus fails silently with a very strange error message "Invalid user or password" in the flash notice and an even more misleading log:
Authenticating 'xxx' against 'My Directory'
DN found for xxx: CN=xxx,CN=Users,DC=domain,DC=zone
Authentication successful for 'xxx'
I only dug down to the real problem after inserting lots of debug output and using the .save! method to produce an exception.