Devise and LDAP for Authentication with Rails

Devise is a complete (as in MVC stack) and modular Rails authentication library. The easiest way to learn Devise is to watch Railscasts episode #209. Episode #210 shows how to customize views and enable authorization. The Devise LDAP plugin is covered in the screencast LDAP Authentication With Devise.

Step by Step Instructions

Edit the Gemfile and add (check for up-to-date version numbers in the documentation):

gem 'devise'
gem 'devise_ldap_authenticatable'

Update your gems:

bundle install

Install devise and devise_ldap_authenticatable into your application:

rails generate devise:install
rails generate devise User
rails generate devise_ldap_authenticatable:install

Edit app/models/user.rb and remove :registerable, :recoverable, and :validatable. We allow neither creating new accounts nor changing passwords through the Rails application.

class User < ActiveRecord::Base
  # LDAP-only login: no :registerable, :recoverable or :validatable
  devise :ldap_authenticatable, :rememberable, :trackable
end

Make the corresponding changes in the migration db/migrate/YYYYMMDDhhmmss_devise_create_users.rb, i.e., delete or comment out t.recoverable and the :reset_password_token index. Replace :email with :login.

class DeviseCreateUsers < ActiveRecord::Migration
  def change
    create_table(:users) do |t|
      ## LDAP authenticatable
      # Uniqueness is enforced by the unique index added below
      t.string :login, :null => false, :default => ""

      ## Rememberable
      t.datetime :remember_created_at

      ## Trackable
      t.integer  :sign_in_count, :default => 0
      t.datetime :current_sign_in_at
      t.datetime :last_sign_in_at
      t.string   :current_sign_in_ip
      t.string   :last_sign_in_ip
    end

    add_index :users, :login, :unique => true
  end
end

Apply the migrations:

rake db:migrate

Edit config/initializers/devise.rb and set the following parameters:

 # [...]
config.ldap_create_user = true
config.ldap_update_password = false
 # [...]
config.authentication_keys = [ :login ]
 # [...]

Edit config/ldap.yml and set our access details:

 # [...]
  port: 389
  attribute: uid
  base: o=ethz,c=ch
 # [...]
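
On port 389 the LDAP bind (login and password) crosses the network in cleartext unless TLS is enabled. The following Ruby check is an added example, not part of the original instructions or of devise_ldap_authenticatable: it flags the environments in an ldap.yml whose bind is unprotected. The hosts and ssl values in the sample are constructed, and the ssl key with the values start_tls and simple_tls is assumed to match the gem's generated config/ldap.yml.

```ruby
require "yaml"

# Constructed sample, not the page's full file: only port, attribute and base
# come from the page. Hosts and the ssl values are assumptions for illustration.
SAMPLE_LDAP_YML = <<~YAML
  development:
    host: ldap.example.org
    port: 389
    attribute: uid
    base: o=ethz,c=ch
    ssl: false
  test:
    host: ldap.example.org
    port: 389
    attribute: uid
    base: o=ethz,c=ch
  production:
    host: ldap.example.org
    port: 389
    attribute: uid
    base: o=ethz,c=ch
    ssl: start_tls
YAML

# net-ldap encryption modes that protect the bind (user name and password).
TLS_MODES = %w[start_tls simple_tls].freeze

# Returns { environment => finding } for every environment whose LDAP bind
# would cross the network unencrypted or whose port and TLS mode disagree.
def audit_ldap_transport(yaml_text)
  config = YAML.safe_load(yaml_text, aliases: true) || {}
  config.each_with_object({}) do |(env, settings), findings|
    # Skip shared sections (e.g. anchors) that do not describe a connection.
    next unless settings.is_a?(Hash) && settings.key?("host")
    mode = settings["ssl"].to_s
    port = settings["port"].to_i
    if !TLS_MODES.include?(mode)
      findings[env] = "plaintext bind on port #{port}: set ssl to start_tls or simple_tls"
    elsif mode == "simple_tls" && port == 389
      findings[env] = "simple_tls (LDAPS) normally uses port 636, not 389"
    elsif mode == "start_tls" && port == 636
      findings[env] = "start_tls upgrades a plain connection, normally port 389, not 636"
    end
  end
end

audit_ldap_transport(SAMPLE_LDAP_YML).each { |env, msg| puts "#{env}: #{msg}" }
```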

Generate the devise views:

rails generate devise:views

Edit app/views/devise/sessions/new.html.haml and replace :email with :login and f.email_field with f.text_field. We don't need the other views.

<h2>Sign in</h2>

<%= form_for(resource, :as => resource_name, :url => session_path(resource_name)) do |f| %>
  <div><%= f.label :login %><br />
  <%= f.text_field :login, :autofocus => true %></div>

  <div><%= f.label :password %><br />
  <%= f.password_field :password %></div>

  <% if devise_mapping.rememberable? -%>
    <div><%= f.check_box :remember_me %> <%= f.label :remember_me %></div>
  <% end -%>

  <div><%= f.submit "Sign in" %></div>
<% end %>

<%= render "devise/shared/links" %>

From here on you need to flesh out the authorization and adjust the views to the needs of your application. This is standard Rails work, with some examples in the above-mentioned Railscasts.