I'm having a heck of a time getting omniauth-ldap to work properly with our AD server, and I believe it is because our usernames have our domain names in them.
This will successfully connect to our ldap server:
ldapsearch -h ldap.ourdomain.com -b "dc=ourdomain,dc=int" -D "OURDOMAIN\username" -w <password> '(sAMAccountName=username)'
But these settings in OmniAuth only result in "invalid credentials":
Padrino.use OmniAuth::Strategies::LDAP,
:host => "ldap.ourdomain.com",
:base => "dc=OURDOMAIN,dc=INT",
:uid => "sAMAccountName",
:bind_dn => 'OURDOMAIN\%{username}',
# This is hard coded for now, but I need it to be the value entered by the user
:password => "mypassword"
UPDATE
Working on this further, I have discovered that omniauth-ldap sets the bind method to :anonymous if the :bind_dn and :password are not set.
However, it does not insert the username and does not provide the user-entered password if the values are set.
What I need is
:bind_dn => 'OURDOMAIN\<user entered username>',
:password => <user entered password>
but the password and entered username are only provided to the connection if you hard code them.
I had to solve this by creating a service account. That account logs in, then queries for the existence and validity of the user that's actually trying to log in. The service account credentials can be set in your OmniAuth configuration, and then you can utilize omniauth-ldap as you would any other OmniAuth methodology.
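The service-account flow the answer describes, written out as an added example. This is not the asker's code and not omniauth-ldap's internals; it assumes a base of DC=ourdomain,DC=int, a service account named svc-omniauth and a user jdoe, all constructed here, and it uses an in-memory FakeLdap in place of a real Net::LDAP connection (net-ldap gem) so it runs offline. Two checks are included that the answer does not spell out but that matter against AD: the user's password is refused when empty, because an LDAP simple bind with an empty password is an unauthenticated bind that AD reports as success, and the username is escaped before it is placed in the search filter.

```ruby
# Added example of the service-account pattern (not from the question or
# omniauth-ldap). FakeLdap stands in for Net::LDAP so this runs offline; the
# authenticator itself only needs bind(dn, password) and search(base, filter).

# Escape a user-supplied value for an LDAP search filter (RFC 4515 section 3),
# so a username like "jdoe)(objectClass=*" cannot change the filter's meaning.
def ldap_filter_escape(value)
  value.to_s.gsub(/[\\*()\x00]/) { |c| format('\\%02x', c.ord) }
end

# Constructed stand-in for the directory. Keys are DNs; :password is what a
# simple bind must present. A real server never exposes passwords this way.
FAKE_DIRECTORY = {
  'CN=svc-omniauth,OU=Service Accounts,DC=ourdomain,DC=int' =>
    { 'sAMAccountName' => 'svc-omniauth', password: 'svc-secret' },
  'CN=Jane Doe,OU=Users,DC=ourdomain,DC=int' =>
    { 'sAMAccountName' => 'jdoe', password: 'hunter2' }
}.freeze

class FakeLdap
  def initialize(directory)
    @directory = directory
  end

  # Simple bind. As with AD, an empty password is an *unauthenticated* bind
  # (RFC 4513 section 5.1.2) and comes back as success, which is why the
  # authenticator below refuses empty passwords before ever calling bind.
  def bind(dn, password)
    return true if password.to_s.empty?
    entry = @directory[dn]
    !entry.nil? && entry[:password] == password
  end

  # Subtree search supporting one equality filter, e.g. "(sAMAccountName=jdoe)".
  # Returns [[dn, attrs], ...] for entries under base whose attribute matches.
  def search(base, filter)
    m = filter.match(/\A\(([A-Za-z][\w-]*)=(.*)\)\z/)
    raise ArgumentError, "unsupported filter #{filter}" if m.nil?
    attr = m[1]
    value = m[2].gsub(/\\([0-9a-fA-F]{2})/) { Regexp.last_match(1).hex.chr } # undo RFC 4515 escaping
    @directory.select do |dn, attrs|
      dn.downcase.end_with?(base.downcase) && attrs[attr] == value
    end.to_a
  end
end

class ServiceAccountAuthenticator
  BASE = 'DC=ourdomain,DC=int'
  SERVICE_DN = 'CN=svc-omniauth,OU=Service Accounts,DC=ourdomain,DC=int'
  SERVICE_PASSWORD = 'svc-secret' # assumed; read it from the environment or a secret store in practice

  def initialize(ldap)
    @ldap = ldap
  end

  # Returns the user's DN on success and nil on any failure. "No such user" and
  # "wrong password" give the same answer so the login form does not reveal
  # which usernames exist.
  def authenticate(username, password)
    return nil if username.to_s.empty? || password.to_s.empty?  # blocks the unauthenticated bind
    return nil unless @ldap.bind(SERVICE_DN, SERVICE_PASSWORD)   # step 1: bind as the service account

    filter = "(sAMAccountName=#{ldap_filter_escape(username)})"
    matches = @ldap.search(BASE, filter)                          # step 2: look the user up
    return nil unless matches.length == 1                         # missing or ambiguous: refuse
    user_dn = matches.first.first

    @ldap.bind(user_dn, password) ? user_dn : nil                 # step 3: prove the password by binding as the user
  end
end

if __FILE__ == $PROGRAM_NAME
  auth = ServiceAccountAuthenticator.new(FakeLdap.new(FAKE_DIRECTORY))
  p auth.authenticate('jdoe', 'hunter2')
  p auth.authenticate('jdoe', '')
end
```

With omniauth-ldap, steps 1 and 2 correspond to setting :bind_dn and :password in the strategy configuration to the service account and :uid to sAMAccountName; the empty-password refusal is worth keeping in front of the strategy regardless, since it is the one case where the directory answers "success" without checking anything.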