Posted to user@openmeetings.apache.org by Mihail Lukin <mi...@gmail.com> on 2013/12/13 13:54:30 UTC

AD integration: wrong search filter?

Hello, everyone!

I have a problem integrating OM with AD. I've created a configuration file
and added it through the admin interface. I used Wireshark to analyze
communication with the LDAP server.

When I use the option "add domain name to user name", authentication
succeeds 3 times with admin's credentials, then once with user's
credentials ("username@domain" form was used by OM), but then the LDAP
search fails because sAMAccountName is "username" but OM searches for
"username@domain".

When I turn off "add domain name to user name", authentication
succeeds 3 times with admin's credentials, but then fails, because OM
tries to bind with "username" while LDAP requires "username@domain".

Did anyone solve such a problem already? Any suggestions?

Thanks a lot in advance!

-- 
Regards, Mihail.
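
The mismatch described in this message, reproduced against a toy directory, together with one way to keep the bind name and the search value separate. This is an added example, not part of the original post and not OpenMeetings code; the domain, the directory entry and every function name are constructed for illustration.

```python
# Added illustration; not OpenMeetings code. All names and values are constructed.
DOMAIN = "example.local"                      # constructed AD domain
DIRECTORY = [{"sAMAccountName": "jdoe",       # constructed directory entry
              "userPrincipalName": "jdoe@example.local"}]

def escape_filter_value(value):
    """Escape a value for use in an LDAP search filter (RFC 4515)."""
    special = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
    return "".join(special.get(ch, ch) for ch in value)

def coupled(login, add_domain):
    """Model of the reported behaviour: one string feeds both bind and search."""
    name = f"{login}@{DOMAIN}" if add_domain else login
    return name, f"(sAMAccountName={escape_filter_value(name)})"

def decoupled(login, search_attr="sAMAccountName"):
    """Bind with the username@domain form, search with the bare account name."""
    account = login.split("@", 1)[0]          # accept either input form
    bind_principal = f"{account}@{DOMAIN}"
    return bind_principal, f"({search_attr}={escape_filter_value(account)})"

def bind_ok(principal):
    """Toy server: accepts only the username@domain form, as in the thread."""
    return any(e["userPrincipalName"] == principal for e in DIRECTORY)

def search(filter_text):
    """Toy matcher for a single '(attr=value)' filter without escaped characters."""
    attr, value = filter_text[1:-1].split("=", 1)
    return [e for e in DIRECTORY if e.get(attr) == value]

def login_outcome(principal, filter_text):
    """Bind first, then look the user up, mirroring the sequence in the capture."""
    if not bind_ok(principal):
        return "bind failed"
    return "ok" if search(filter_text) else "search found nothing"

if __name__ == "__main__":
    print(login_outcome(*coupled("jdoe", add_domain=True)))
    print(login_outcome(*coupled("jdoe", add_domain=False)))
    print(login_outcome(*decoupled("jdoe")))
```

Escaping the search value matters independently of the bind form: the user-supplied login ends up inside a filter string, so filter metacharacters in it must not reach the server unescaped.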

Re: AD integration: wrong search filter?

Posted by Maxim Solodovnik <so...@gmail.com>.
LDAP was recently refactored.
Could you please try it?

GUI Admin->LDAP has a setting: "Add domain to user name"; maybe this can be
used?


On 16 December 2013 00:37, Mihail Lukin <mi...@gmail.com> wrote:

> Ok, I'll test it against MS AD and report back. Thanks in advance!
>
>
> On Sun, Dec 15, 2013 at 9:13 PM, Maxim Solodovnik <so...@gmail.com>
> wrote:
> > To be fair: I don't know :(
> > LDAP is the part I can modify but can't actually test, so I need someone
> who
> > is interested in it and understand what is going on :)
> >
> >
> > On Sun, Dec 15, 2013 at 11:55 PM, Mihail Lukin <mi...@gmail.com>
> > wrote:
> >>
> >> Maxim,
> >>
> >> Good to hear! I'm ready to test (although I'm not sure I'm quite ready
> >> to build it :) but I'll definitely try ).
> >>
> >> Do you think it's actually necessary to add another configuration key?
> >> I wonder if "username@domain" form of sAMAccountName/sid field is used
> >> somewhere...
> >>
> >>
> >> On Sun, Dec 15, 2013 at 8:41 PM, Maxim Solodovnik <solomax666@gmail.com
> >
> >> wrote:
> >> > I would like to to propose additional key with detailed use
> description
> >> > (the
> >> > patch will be perfect :) )
> >> > And I'll try to address the issue :)
> >> > The only requirement: you will need to test one or more nightly build
> :)
> >> >
> >> >
> >> > On Sun, Dec 15, 2013 at 11:33 PM, Mihail Lukin <
> mihail.lukin@gmail.com>
> >> > wrote:
> >> >>
> >> >> I looked at source code of LdapLoginManagement and it looks like
> there
> >> >> is no way of telling OM to add domain to user name only when
> >> >> authenticating to LDAP but not when searching by attribute configured
> >> >> by field_user_principal. But it really doesn't work this way.
> >> >>
> >> >> Am I missing some additional settings or it worth filling bug report?
> >> >>
> >> >> On Fri, Dec 13, 2013 at 4:54 PM, Mihail Lukin <
> mihail.lukin@gmail.com>
> >> >> wrote:
> >> >> > Hello, everyone!
> >> >> >
> >> >> > I have problem integrating OM with AD. I've created configuration
> >> >> > file
> >> >> > and added it through admin interface. I used wireshark to analyze
> >> >> > communication with LDAP server.
> >> >> >
> >> >> > When I use option "add domain name to user name", authentications
> >> >> > succeeds 3 times with admin's credentials, then once with user's
> >> >> > credentials ("username@domain" form was used by OM), but then ldap
> >> >> > search fails because sAMAccountName is "username" but OM searches
> for
> >> >> > "username@domain".
> >> >> >
> >> >> > When I turn off "add domain name to user name", authentications
> >> >> > succeeds 3 times with admin's credentials, but then fails, because
> OM
> >> >> > tries to bind with "username" while LDAP requires "username@domain
> ".
> >> >> >
> >> >> > Did anyone solve such problem already? Any suggestions?
> >> >> >
> >> >> > Thanks a lot in advance!
> >> >> >
> >> >> > --
> >> >> > Regards, Mihail.
> >> >>
> >> >>
> >> >>
> >> >> --
> >> >> Regards, Mihail.
> >> >
> >> >
> >> >
> >> >
> >> > --
> >> > WBR
> >> > Maxim aka solomax
> >>
> >>
> >>
> >> --
> >> Regards, Mihail.
> >
> >
> >
> >
> > --
> > WBR
> > Maxim aka solomax
>
>
>
> --
> Regards, Mihail.
>



-- 
WBR
Maxim aka solomax

Re: AD integration: wrong search filter?

Posted by Mihail Lukin <mi...@gmail.com>.
Ok, I'll test it against MS AD and report back. Thanks in advance!


On Sun, Dec 15, 2013 at 9:13 PM, Maxim Solodovnik <so...@gmail.com> wrote:
> To be fair: I don't know :(
> LDAP is the part I can modify but can't actually test, so I need someone who
> is interested in it and understand what is going on :)
>
>
> On Sun, Dec 15, 2013 at 11:55 PM, Mihail Lukin <mi...@gmail.com>
> wrote:
>>
>> Maxim,
>>
>> Good to hear! I'm ready to test (although I'm not sure I'm quite ready
>> to build it :) but I'll definitely try ).
>>
>> Do you think it's actually necessary to add another configuration key?
>> I wonder if "username@domain" form of sAMAccountName/sid field is used
>> somewhere...
>>
>>
>> On Sun, Dec 15, 2013 at 8:41 PM, Maxim Solodovnik <so...@gmail.com>
>> wrote:
>> > I would like to to propose additional key with detailed use description
>> > (the
>> > patch will be perfect :) )
>> > And I'll try to address the issue :)
>> > The only requirement: you will need to test one or more nightly build :)
>> >
>> >
>> > On Sun, Dec 15, 2013 at 11:33 PM, Mihail Lukin <mi...@gmail.com>
>> > wrote:
>> >>
>> >> I looked at source code of LdapLoginManagement and it looks like there
>> >> is no way of telling OM to add domain to user name only when
>> >> authenticating to LDAP but not when searching by attribute configured
>> >> by field_user_principal. But it really doesn't work this way.
>> >>
>> >> Am I missing some additional settings or it worth filling bug report?
>> >>
>> >> On Fri, Dec 13, 2013 at 4:54 PM, Mihail Lukin <mi...@gmail.com>
>> >> wrote:
>> >> > Hello, everyone!
>> >> >
>> >> > I have problem integrating OM with AD. I've created configuration
>> >> > file
>> >> > and added it through admin interface. I used wireshark to analyze
>> >> > communication with LDAP server.
>> >> >
>> >> > When I use option "add domain name to user name", authentications
>> >> > succeeds 3 times with admin's credentials, then once with user's
>> >> > credentials ("username@domain" form was used by OM), but then ldap
>> >> > search fails because sAMAccountName is "username" but OM searches for
>> >> > "username@domain".
>> >> >
>> >> > When I turn off "add domain name to user name", authentications
>> >> > succeeds 3 times with admin's credentials, but then fails, because OM
>> >> > tries to bind with "username" while LDAP requires "username@domain".
>> >> >
>> >> > Did anyone solve such problem already? Any suggestions?
>> >> >
>> >> > Thanks a lot in advance!
>> >> >
>> >> > --
>> >> > Regards, Mihail.
>> >>
>> >>
>> >>
>> >> --
>> >> Regards, Mihail.
>> >
>> >
>> >
>> >
>> > --
>> > WBR
>> > Maxim aka solomax
>>
>>
>>
>> --
>> Regards, Mihail.
>
>
>
>
> --
> WBR
> Maxim aka solomax



-- 
Regards, Mihail.

Re: AD integration: wrong search filter?

Posted by Maxim Solodovnik <so...@gmail.com>.
To be fair: I don't know :(
LDAP is the part I can modify but can't actually test, so I need someone
who is interested in it and understands what is going on :)


On Sun, Dec 15, 2013 at 11:55 PM, Mihail Lukin <mi...@gmail.com> wrote:

> Maxim,
>
> Good to hear! I'm ready to test (although I'm not sure I'm quite ready
> to build it :) but I'll definitely try ).
>
> Do you think it's actually necessary to add another configuration key?
> I wonder if "username@domain" form of sAMAccountName/sid field is used
> somewhere...
>
>
> On Sun, Dec 15, 2013 at 8:41 PM, Maxim Solodovnik <so...@gmail.com>
> wrote:
> > I would like to to propose additional key with detailed use description
> (the
> > patch will be perfect :) )
> > And I'll try to address the issue :)
> > The only requirement: you will need to test one or more nightly build :)
> >
> >
> > On Sun, Dec 15, 2013 at 11:33 PM, Mihail Lukin <mi...@gmail.com>
> > wrote:
> >>
> >> I looked at source code of LdapLoginManagement and it looks like there
> >> is no way of telling OM to add domain to user name only when
> >> authenticating to LDAP but not when searching by attribute configured
> >> by field_user_principal. But it really doesn't work this way.
> >>
> >> Am I missing some additional settings or it worth filling bug report?
> >>
> >> On Fri, Dec 13, 2013 at 4:54 PM, Mihail Lukin <mi...@gmail.com>
> >> wrote:
> >> > Hello, everyone!
> >> >
> >> > I have problem integrating OM with AD. I've created configuration file
> >> > and added it through admin interface. I used wireshark to analyze
> >> > communication with LDAP server.
> >> >
> >> > When I use option "add domain name to user name", authentications
> >> > succeeds 3 times with admin's credentials, then once with user's
> >> > credentials ("username@domain" form was used by OM), but then ldap
> >> > search fails because sAMAccountName is "username" but OM searches for
> >> > "username@domain".
> >> >
> >> > When I turn off "add domain name to user name", authentications
> >> > succeeds 3 times with admin's credentials, but then fails, because OM
> >> > tries to bind with "username" while LDAP requires "username@domain".
> >> >
> >> > Did anyone solve such problem already? Any suggestions?
> >> >
> >> > Thanks a lot in advance!
> >> >
> >> > --
> >> > Regards, Mihail.
> >>
> >>
> >>
> >> --
> >> Regards, Mihail.
> >
> >
> >
> >
> > --
> > WBR
> > Maxim aka solomax
>
>
>
> --
> Regards, Mihail.
>



-- 
WBR
Maxim aka solomax

Re: AD integration: wrong search filter?

Posted by Mihail Lukin <mi...@gmail.com>.
Maxim,

Good to hear! I'm ready to test (although I'm not sure I'm quite ready
to build it :) but I'll definitely try ).

Do you think it's actually necessary to add another configuration key?
I wonder if "username@domain" form of sAMAccountName/sid field is used
somewhere...


On Sun, Dec 15, 2013 at 8:41 PM, Maxim Solodovnik <so...@gmail.com> wrote:
> I would like to to propose additional key with detailed use description (the
> patch will be perfect :) )
> And I'll try to address the issue :)
> The only requirement: you will need to test one or more nightly build :)
>
>
> On Sun, Dec 15, 2013 at 11:33 PM, Mihail Lukin <mi...@gmail.com>
> wrote:
>>
>> I looked at source code of LdapLoginManagement and it looks like there
>> is no way of telling OM to add domain to user name only when
>> authenticating to LDAP but not when searching by attribute configured
>> by field_user_principal. But it really doesn't work this way.
>>
>> Am I missing some additional settings or it worth filling bug report?
>>
>> On Fri, Dec 13, 2013 at 4:54 PM, Mihail Lukin <mi...@gmail.com>
>> wrote:
>> > Hello, everyone!
>> >
>> > I have problem integrating OM with AD. I've created configuration file
>> > and added it through admin interface. I used wireshark to analyze
>> > communication with LDAP server.
>> >
>> > When I use option "add domain name to user name", authentications
>> > succeeds 3 times with admin's credentials, then once with user's
>> > credentials ("username@domain" form was used by OM), but then ldap
>> > search fails because sAMAccountName is "username" but OM searches for
>> > "username@domain".
>> >
>> > When I turn off "add domain name to user name", authentications
>> > succeeds 3 times with admin's credentials, but then fails, because OM
>> > tries to bind with "username" while LDAP requires "username@domain".
>> >
>> > Did anyone solve such problem already? Any suggestions?
>> >
>> > Thanks a lot in advance!
>> >
>> > --
>> > Regards, Mihail.
>>
>>
>>
>> --
>> Regards, Mihail.
>
>
>
>
> --
> WBR
> Maxim aka solomax



-- 
Regards, Mihail.

Re: AD integration: wrong search filter?

Posted by Maxim Solodovnik <so...@gmail.com>.
I would like to propose an additional key with a detailed use description
(the patch will be perfect :) )
And I'll try to address the issue :)
The only requirement: you will need to test one or more nightly builds :)


On Sun, Dec 15, 2013 at 11:33 PM, Mihail Lukin <mi...@gmail.com> wrote:

> I looked at source code of LdapLoginManagement and it looks like there
> is no way of telling OM to add domain to user name only when
> authenticating to LDAP but not when searching by attribute configured
> by field_user_principal. But it really doesn't work this way.
>
> Am I missing some additional settings or it worth filling bug report?
>
> On Fri, Dec 13, 2013 at 4:54 PM, Mihail Lukin <mi...@gmail.com>
> wrote:
> > Hello, everyone!
> >
> > I have problem integrating OM with AD. I've created configuration file
> > and added it through admin interface. I used wireshark to analyze
> > communication with LDAP server.
> >
> > When I use option "add domain name to user name", authentications
> > succeeds 3 times with admin's credentials, then once with user's
> > credentials ("username@domain" form was used by OM), but then ldap
> > search fails because sAMAccountName is "username" but OM searches for
> > "username@domain".
> >
> > When I turn off "add domain name to user name", authentications
> > succeeds 3 times with admin's credentials, but then fails, because OM
> > tries to bind with "username" while LDAP requires "username@domain".
> >
> > Did anyone solve such problem already? Any suggestions?
> >
> > Thanks a lot in advance!
> >
> > --
> > Regards, Mihail.
>
>
>
> --
> Regards, Mihail.
>



-- 
WBR
Maxim aka solomax

Re: AD integration: wrong search filter?

Posted by Mihail Lukin <mi...@gmail.com>.
I looked at the source code of LdapLoginManagement and it looks like there
is no way of telling OM to add domain to user name only when
authenticating to LDAP but not when searching by the attribute configured
by field_user_principal. But it really doesn't work this way.

Am I missing some additional settings, or is it worth filing a bug report?

On Fri, Dec 13, 2013 at 4:54 PM, Mihail Lukin <mi...@gmail.com> wrote:
> Hello, everyone!
>
> I have problem integrating OM with AD. I've created configuration file
> and added it through admin interface. I used wireshark to analyze
> communication with LDAP server.
>
> When I use option "add domain name to user name", authentications
> succeeds 3 times with admin's credentials, then once with user's
> credentials ("username@domain" form was used by OM), but then ldap
> search fails because sAMAccountName is "username" but OM searches for
> "username@domain".
>
> When I turn off "add domain name to user name", authentications
> succeeds 3 times with admin's credentials, but then fails, because OM
> tries to bind with "username" while LDAP requires "username@domain".
>
> Did anyone solve such problem already? Any suggestions?
>
> Thanks a lot in advance!
>
> --
> Regards, Mihail.



-- 
Regards, Mihail.