Home/ Questions/Q 7937361
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-03T22:30:19+00:00

I followed these instructions to set up basic LDAP authentication via Devise in my

  • 0

I followed these instructions to set up basic LDAP authentication via Devise in my Rails app:
http://blackfistsecurity.blogspot.dk/2011/12/rails-authentication-using-devise-and.html

A first-time log in with an AD account creates a corresponding user in the database, populating lastname, firstname, displayname, and email from the AD account’s object properties found by get_ldap_param()

The process is working fine EXCEPT when an AD user has a blank attribute, such as a blank last name (AD attribute ‘sn’)– that causes the following error:

NoMethodError in Devise::SessionsController#create
undefined method `sn' for #<Net::LDAP::Entry:0x00000004920758>

The user model is below:

class User < ActiveRecord::Base
  # Include default devise modules. Others available are:
  # :token_authenticatable, :encryptable, :confirmable, :lockable, :timeoutable and :omniauthable
  devise :ldap_authenticatable, :registerable, :recoverable, :rememberable, :trackable, :validatable

  attr_accessible :username, :email, :password, :password_confirmation, :remember_me, :firstname, :lastname, :displayname

  before_save :get_ldap_lastname, :get_ldap_firstname, :get_ldap_displayname, :get_ldap_email

  def get_ldap_lastname
      Rails::logger.info("### Getting the users last name")
      tempname = Devise::LdapAdapter.get_ldap_param(self.username,"sn")
      puts "\tLDAP returned lastname of " + tempname
      self.lastname = tempname
  end

  def get_ldap_firstname
      Rails::logger.info("### Getting the users first name")
      tempname = Devise::LdapAdapter.get_ldap_param(self.username,"givenname")
      puts "\tLDAP returned firstname of " + tempname
      self.firstname = tempname
  end

  def get_ldap_displayname
      Rails::logger.info("### Getting the users display name")
      tempname = Devise::LdapAdapter.get_ldap_param(self.username,"displayname")
      self.displayname = tempname
  end

  def get_ldap_email
      Rails::logger.info("### Getting the users email address")
      tempmail = Devise::LdapAdapter.get_ldap_param(self.username,"mail")
      self.email = tempmail
  end
end

The error is coming from this call:

Devise::LdapAdapter.get_ldap_param(self.username,"sn")

When get_ldap_param encounters a blank attribute, I would like it to return blank instead of undefined.

I tried addressing the issue with the following code, but it does not work because the error happens at the moment get_ldap_param is called.

if tempname.none?
  tempname = ""
end

Do I need to modify the Devise gem to do this, or can it be done somehow after the call?

Please forgive my newbness

Thanks

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    This looks like a bug in the devise_ldap_authenticatable devise module. It’s using the method accessor for the LDAP entry attribute values instead of the hash operatior:

      def ldap_param_value(param)
    filter = Net::LDAP::Filter.eq(@attribute.to_s, @login.to_s)
    ldap_entry = nil
    @ldap.search(:filter => filter) {|entry| ldap_entry = entry}

    if ldap_entry
      if ldap_entry[param]
        DeviseLdapAuthenticatable::Logger.send("Requested param #{param} has value #{ldap_entry.send(param)}")
        value = ldap_entry.send(param)
        value = value.first if value.is_a?(Array) and value.count == 1
        value

    According to the docs for ruby-net-ldap, the hash accessor should be used to retrieve the values like the following:

      def ldap_param_value(param)
    filter = Net::LDAP::Filter.eq(@attribute.to_s, @login.to_s)
    ldap_entry = nil
    @ldap.search(:filter => filter) {|entry| ldap_entry = entry}

    if ldap_entry
      if value = ldap_entry[param]
        DeviseLdapAuthenticatable::Logger.send("Requested param #{param} has value #{value}")
        value = value.first if value.is_a?(Array) and value.count == 1
        value

    This is a bug and you can update the issue you filed with devise_ldap_authenticatable with this information.

    • 0