Defect #1420

LDAP authentication extremely flaky

Added by mathew murphy about 11 years ago. Updated over 6 years ago.

Status:Needs feedbackStart date:2008-06-10
Priority:NormalDue date:
Assignee:-% Done:

0%

Category:LDAP
Target version:Candidate for next major release
Resolution: Affected version:0.7.1

Description

I hit a problem with LDAP on Linux. It turns out that net/ldap is extremely unreliable when authenticating against the LDAP server at work. I've filed a bug against net/ldap on RubyForge, but since the project seems dormant it's not clear anything will happen.

As a workaround, I coded up a replacement for app/models/auth_source_ldap.rb that uses the Ruby interface to OpenLDAP. So far this has been reliable.

Presumably ruby/ldap works for some people, so it might be nice to offer both as options, but I couldn't immediately work out how to patch RedMine to do that.

auth_source_ldap.rb Magnifier - Replacement LDAP authentication code using Ruby's OpenLDAP interface (4.08 KB) mathew murphy, 2008-06-10 19:18

defect_1420_adriano_crestani_rev_2482.patch Magnifier - Patch for revision 2482 (5.44 KB) Adriano Crestani Campos, 2009-02-20 22:21

Related issues

Related to Redmine - Defect #3253: LDAP Auth : Alias Dereference New 2009-04-28

History

#1 Updated by Adriano Crestani Campos over 10 years ago

Hi Mathew,

I also ran into this problem when trying to use the default ldap api on a linux server. Your patch works great, thanks ; )

Adriano Crestani Campos

#2 Updated by Adriano Crestani Campos over 10 years ago

I'm uploading a new patch that contains a merge of the file created by Mathew (the one that uses OpenLDAP instead) and the auth_source_ldap.rb file from revision 2482.

#3 Updated by Daniel Marczisovszky about 10 years ago

I've created a patch that also uses Ruby/LDAP. After I wrote it, I found your patch and they are very similar ;) However it seems that your patch does not bind as the given user if it is set in the account and password fields. I've (hopefully) fixed it in initialize_ldap_con by adding a call to bind after creating connection. The patch can be found here: #3253

#4 Updated by Antoine Beaupré over 9 years ago

this should be filed under the LDAP category.

#5 Updated by Felix Schäfer over 9 years ago

  • Category changed from Accounts / authentication to LDAP

#6 Updated by Daniel Felix over 6 years ago

  • Status changed from New to Needs feedback

Well maybe this is resolved due some further upgrades of ldap.

Any news on this? Someone who can verify this?

#7 Updated by mathew murphy over 6 years ago

Last time I tried it was when I upgraded to 2.1, and it's still broken there. If there have been LDAP improvements in the last few months, I can try again?

#8 Updated by Daniel Felix over 6 years ago

  • Target version set to Candidate for next major release

Also available in: Atom PDF