Posted to user@openmeetings.apache.org by "Osvaldo OBA. Benítez Aliaga" <os...@gmail.com> on 2020/05/04 16:03:14 UTC

Integration problems with Active Directory

Hello, I am trying to integrate it with AD and it gives me an invalid
credential error.
This is my scenario:

I have a domain controller on Windows Server 2016.
My domain is domain.co.cu
In the Users organizational unit the user that OpenMeetings authenticates
with is created: the user is support.
It would be: CN=support,CN=Users,DC=domain,DC=co,DC=cu
I created an organizational unit called Domain Users where the users are
located.
It would be: OU=Domain Users,DC=domain,DC=co,DC=cu

What would the configuration file look like?


Re: Integration problems with Active Directory

Posted by Maxim Solodovnik <so...@gmail.com>.
Hello Osvaldo,

On Wed, 6 May 2020 at 02:24, Osvaldo OBA. Benítez Aliaga <
osval1980ba@gmail.com> wrote:

> I already tried Apache Directory and it worked.
> I really don't know what mistake I'm making.
>

please describe your detailed steps and the results


-- 
Best regards,
Maxim

Re: Integration problems with Active Directory

Posted by "Osvaldo OBA. Benítez Aliaga" <os...@gmail.com>.
I already tried Apache Directory and it worked.
I really don't know what mistake I'm making.

On 5/5/2020 at 10:27, Maxim Solodovnik wrote:
> Hello Osvaldo,
>
> grab your favorite LDAP explorer and check:
> 1) you can login with ldap_admin_dn and ldap_passwd
> IF login successful
> While you logged in as ldap_admin_dn
> 2) try to search with base ldap_search_base and query ldap_search_query
> NOTE you need to replace `%s` in ldap_search_query with the login entered
> by the user
>
> If all was successful AND your search returns exactly 1 result
> get back here with results :)
> -- 
> Best regards,
> Maxim

Re: Integration problems with Active Directory

Posted by Maxim Solodovnik <so...@gmail.com>.
Hello Osvaldo,

grab your favorite LDAP explorer and check:
1) you can login with ldap_admin_dn and ldap_passwd
IF login successful
While you logged in as ldap_admin_dn
2) try to search with base ldap_search_base and query ldap_search_query
NOTE you need to replace `%s` in ldap_search_query with the login entered by
the user

If all was successful AND your search returns exactly 1 result
get back here with results :)

On Tue, 5 May 2020 at 21:05, Osvaldo OBA. Benítez Aliaga <
osval1980ba@gmail.com> wrote:

> I already replaced SIMPLEBIND by SEARCHANDBIND but it keeps giving me the same error.

-- 
Best regards,
Maxim

Re: Integration problems with Active Directory

Posted by Maxim Solodovnik <so...@gmail.com>.
On Tue, 5 May 2020 at 21:57, Ninnig, Alexander <
Alexander.Ninnig@rechnungshof.rlp.de> wrote:

> Hi Maxim,
>
>
>
> 1) you can login with ldap_admin_dn and ldap_passwd
>
> --> yes
>
> While you logged in as ldap_admin_dn
>
> 2) try to search with base ldap_search_base and query ldap_search_query
>
> NOTE you need to replace `%s` in ldap_search_query with the login entered by
> the user
>
> --> no result for the attribute „uid“! As I wrote in my own mail, this
> field is empty here. If I search for „sn“ instead of „uid“, I can find
> users.
>

Please check my answer to your big email :)


>
>
> It seems to me, that the problem is, that the field uid is always empty
> here.
>
> I tried to change it to sAMAccountName, which is the unique login-name of
> our users, so I configured:
>

Yes
most probably this attr should be used for AD


>
>
> ldap_search_query=(sAMAccountName=%s)
>

search is done using ldap_search_query and ldap_search_base
there should be a unique result ...


> ldap_userdn_format=sAMAccountName=%s,OU=Users,DC=rhrlp,DC=intern [which is
> probably wrong, but hopefully not used, since I use SEARCHANDBIND]
>
> ldap_user_attr_login=sAMAccountName
>
>
>
> But that’s not working either.
>
>
>
> Best regards and thank you very much for all your work,
>
> Alex
>


-- 
Best regards,
Maxim

Re: Integration problems with Active Directory

Posted by Maxim Solodovnik <so...@gmail.com>.
great :)

On Tue, 5 May 2020 at 22:35, Ninnig, Alexander <
Alexander.Ninnig@rechnungshof.rlp.de> wrote:

> Ok, so now I don’t get it, because it all seems correct.
>
>
>
> I can use Apache Directory Studio in order to create a bind using
>
> ldap_conn_host=192.168.0.10
>
> ldap_conn_port=389
>
> ldap_admin_dn=CN=openmeetings,CN=Users,DC=domain,DC=intern
>
> ldap_passwd=<SomePassword>
>
>
>
> Then I can perform a search in Apache Studio using
>
> ldap_search_base=OU=myfirm,DC=domain,DC=intern
>
> ldap_search_query=(sAMAccountName=%s)
>
>
>
> Which shows me exactly ONE hit.
>
>
>
> So why doesn’t it work then?
>
>
>
>
>
> NOW IT WORKS!
>
> I removed the „Add domain to username“-option.
>
> After that, I was able to log in with a test user.
>
> YES!
>
>
>
>
>
> Best wishes and thanks again!
>
> Alex


-- 
Best regards,
Maxim

RE: Integration problems with Active Directory

Posted by "Ninnig, Alexander" <Al...@rechnungshof.rlp.de>.
Ok, so now I don’t get it, because it all seems correct.

I can use Apache Directory Studio in order to create a bind using
ldap_conn_host=192.168.0.10
ldap_conn_port=389
ldap_admin_dn=CN=openmeetings,CN=Users,DC=domain,DC=intern
ldap_passwd=<SomePassword>

Then I can perform a search in Apache Studio using
ldap_search_base=OU=myfirm,DC=domain,DC=intern
ldap_search_query=(sAMAccountName=%s)

Which shows me exactly ONE hit.

So why doesn’t it work then?


NOW IT WORKS!
I removed the „Add domain to username“-option.
After that, I was able to log in with a test user.
YES!


Best wishes and thanks again!
Alex


RE: Integration problems with Active Directory

Posted by "Ninnig, Alexander" <Al...@rechnungshof.rlp.de>.
Hi Maxim,

1) you can login with ldap_admin_dn and ldap_passwd
--> yes
While you logged in as ldap_admin_dn
2) try to search with base ldap_search_base and query ldap_search_query
NOTE you need to replace `%s` in ldap_search_query with the login entered by the user
--> no result for the attribute „uid“! As I wrote in my own mail, this field is empty here. If I search for „sn“ instead of „uid“, I can find users.

It seems to me, that the problem is, that the field uid is always empty here.
I tried to change it to sAMAccountName, which is the unique login-name of our users, so I configured:

ldap_search_query=(sAMAccountName=%s)
ldap_userdn_format=sAMAccountName=%s,OU=Users,DC=rhrlp,DC=intern [which is probably wrong, but hopefully not used, since I use SEARCHANDBIND]
ldap_user_attr_login=sAMAccountName

But that’s not working either.

Best regards and thank you very much for all your work,
Alex


Re: Integration problems with Active Directory

Posted by "Osvaldo OBA. Benítez Aliaga" <os...@gmail.com>.
I already replaced SIMPLEBIND by SEARCHANDBIND but it keeps giving me the same error.

On 4/5/2020 at 22:57, Maxim Solodovnik wrote:
> Hello Osvaldo,
>
> since your users don't "fit" into a single LDAP DN pattern, SIMPLEBIND
> should be replaced with SEARCHANDBIND
> In this case your users will be searched using search-base and
> search-query, then authenticated ...
> -- 
> Best regards,
> Maxim

Re: Integration problems with Active Directory

Posted by Maxim Solodovnik <so...@gmail.com>.
Hello Osvaldo,

since your users don't "fit" into a single LDAP DN pattern, SIMPLEBIND
should be replaced with SEARCHANDBIND
In this case your users will be searched using search-base and
search-query, then authenticated ...

On Tue, 5 May 2020 at 01:16, Osvaldo OBA. Benítez Aliaga <
osval1980ba@gmail.com> wrote:

> yes.
> I have managed to authenticate well with the user that I declared
> (support) and authenticate well with the users that are in the same
> organizational unit (CN). Now the problem is with users who are in other
> organizational units. For example, those in the Domain Users OU
>
>
> On 4/5/2020 at 12:09, Maxim Solodovnik wrote:
> > Have you tested it with LDAP explorer as I suggested?
>
>

-- 
Best regards,
Maxim

Re: RE: Integration problems with Active Directory

Posted by "Osvaldo OBA. Benítez Aliaga" <os...@gmail.com>.
The most logical thing is that you follow the thread.

On 5/5/2020 at 10:06, Ninnig, Alexander wrote:
> Hi,
>
> I'm new and I don't know the etiquette: If I have a problem with Active Directory-Integration as well - do I start a new "thread" by sending an email with a new subject, or should I respond to this existing one?
>
> In case responding to an existing one is right, I would like to describe the problem:
>
> Right now, if I try to authenticate as domain-user, I don't get a login-error (like: wrong username or password), but an internal error page instead (the browser tab shows "Internal Error" pretty fast, it takes a few more seconds until the page is opened (https://myopenmeetingsserver:5443/openmeetings/wicket/bookmarkable/org.apache.wicket.markup.html.pages.InternalErrorPage). Is this supposed to happen? As far as I remember, this was different in OpenMeetings 3 (I tried LDAP before with OM3, but the login was always denied, saying user or password was wrong - the login kinda wiggled a few times, sort of like shaking its head).
>
> Question 1: is there something wrong with my OpenMeetings-installation? Or is this just the behaviour caused by a wrong om_ldap.conf?
> --> I figured this one out! The sample-om_ldap.conf was in /opt/open504/webapps/openmeetings/data/conf/, but the LDAP-configuration said, the file should be in /opt/open504/webapps/openmeetings/conf [no DATA], after I copied/moved the conf, I got the regular "wrong username/wrong password"-message. So it's still not working, but there's no internal error anymore.
>
> Question 2: I still can't login using AD-credentials, no matter if I use username, username@domain.intern or username@publicdomain.de. I add some info on my environment and my configuration, since I'm not sure, I understand all of it. Can someone have a look and help me with this?
>
> Here is my scenario:
> OpenMeeting 5.04 on Ubuntu Server 18.04 (English), NOT a domain member
> Active Directory on Windows Server 2012 R2
>
> Here is my configuration (this file is also set in OpenMeetings in LDAP-configuration; I tried with and without "add Domain to username"):
> ldap_conn_host=192.168.0.10
> ldap_conn_port=389
> ldap_conn_secure=false
> ldap_admin_dn=CN=openmeetings,CN=Users,DC=domain,DC=intern
> ldap_passwd=SomeSuperPassword
> ldap_search_base=OU=myfirm,DC=domain,DC=intern
>
> --> so far, I can use these infos in order to get an ldap-bind (using Apache Directory Studio), THAT works.
> --> The om-ldap-user is NOT in the same OU as my users, that is intentional, since there are no restricting group-policies on "Users", but on "myfirm".
> --> After creating an ldap-bind in Apache Directory Studio, I can also use this search-base, so that works too.
>
> ldap_search_query=(uid=%s)
> --> I left this unchanged, this means, OpenMeetings searches my AD for the entered string, right?
>
> ldap_search_scopes=SUBTREE
> --> I changed that to SUBTREE, since I have more OUs below "myfirm" (such as "users", "computers", "servers" and so on)
>
> ldap_auth_type=SEARCHANDBIND
> --> I tried SEARCHANDBIND as well as SIMPLEBIND. Wrong username/password keeps showing, no matter the ldap_auth_type. Can I also use NONE instead?
>
> ldap_userdn_format=uid=%s,OU=myfirm,DC=domain,DC=intern
> --> this is the parameter I don't understand. Is this how the DN of the user account, creating the ldap-bind, is created? But why is this necessary? I thought, I already told openmeetings what account to use (namely ldap_admin_dn=CN=openmeetings,CN=Users,DC=domain,DC=intern). Since a lot of my users are in different OUs, I cannot supply ONE string, that matches all. In order to get a syntax that fits everyone, I would rather use an ldap-attribute like "userPrincipalName" (that's always: logonname@myfirm.intern). If I use SEARCHANDBIND and/or ldap_use_admin_to_get_attrs=true, can I just ignore this setting? Or is this the username-syntax OpenMeetings uses in order to check if the password is right? In that case, I would have to provide a DN-string, that would fit every user, which is not possible, when users are in different OUs.
>
> ldap_use_admin_to_get_attrs=true
> --> that means, the aforementioned ldap_admin_dn is used in order to search the AD, right?
>
> (...)
>
> ldap_user_attr_login=uid
> --> is this an attribute used by OpenMeetings? That is not an attribute used in my Active Directory. It is always empty/not set! If this is supposed to be the loginname, should I change this to userPrincipalName (loginname@domain.intern) or sAMAccountName (loginname) instead? All the other attributes (sn, givenName, etc.) are used and filled.
>
>
>
> Best regards,
> Alex

Re: Integration problems with Active Directory

Posted by Maxim Solodovnik <so...@gmail.com>.
Hello Alexander,

On Tue, 5 May 2020 at 21:06, Ninnig, Alexander <
Alexander.Ninnig@rechnungshof.rlp.de> wrote:

> Hi,
>
> I'm new and I don't know the etiquette: If I have a problem with Active
> Directory-Integration as well - do I start a new "thread" by sending an
> email with a new subject, or should I respond to this existing one?
>
> In case responding to an existing one is right, I would like to
> describe the problem:
>

It is OK to use an existing mail thread if the topic matches :))


>
> Right now, if I try to authenticate as domain-user, I don't get a
> login-error (like: wrong username or password), but an internal error page
> instead (the browser tab shows "Internal Error" pretty fast, it takes a few
> more seconds until the page is opened (
> https://myopenmeetingsserver:5443/openmeetings/wicket/bookmarkable/org.apache.wicket.markup.html.pages.InternalErrorPage).
> Is this supposed to happen? As far as I remember, this was different in
> OpenMeetings 3 (I tried LDAP before with OM3, but the login was always
> denied, saying user or password was wrong - the login kinda wiggled a few
> times, sort of like shaking its head).
>

This is not good
What is in the logs? (openmeetings.log)


>
> Question 1: is there something wrong with my OpenMeetings-installation? Or
> is this just the behaviour caused by a wrong om_ldap.conf?
> --> I figured this one out! The sample-om_ldap.conf was in
> /opt/open504/webapps/openmeetings/data/conf/, but the LDAP-configuration
> said, the file should be in /opt/open504/webapps/openmeetings/conf [no
> DATA], after I copied/moved the conf, I got the regular "wrong
> username/wrong password"-message. So it's still not working, but there's no
> internal error anymore.
>

It is corrected here
https://openmeetings.apache.org/LdapAndADS.html#2-an-ldap-config-file
Good to know there is no internal error


>
> Question 2: I still can't login using AD-credentials, no matter if I use
> username, username@domain.intern or username@publicdomain.de. I add
> some info on my environment and my configuration, since I'm not sure, I
> understand all of it. Can someone have a look and help me with this?
>

I'll try


>
> Here is my scenario:
> OpenMeeting 5.04 on Ubuntu Server 18.04 (English), NOT a domain member
> Active Directory on Windows Server 2012 R2
>
> Here is my configuration (this file is also set in OpenMeetings in
> LDAP-configuration; I tried with and without "add Domain to username"):
> ldap_conn_host=192.168.0.10
> ldap_conn_port=389
> ldap_conn_secure=false
> ldap_admin_dn=CN=openmeetings,CN=Users,DC=domain,DC=intern
> ldap_passwd=SomeSuperPassword
> ldap_search_base=OU=myfirm,DC=domain,DC=intern
>
> --> so far, I can use these infos in order to get an ldap-bind (using
> Apache Directory Studio), THAT works.
> --> The om-ldap-user is NOT in the same OU as my users, that is
> intentional, since there are no restricting group-policies on "Users",
> but on "myfirm".
> --> After creating an ldap-bind in Apache Directory Studio, I can also use
> this search-base, so that works too.
>

thanks for doing initial investigation :)


>
> ldap_search_query=(uid=%s)
> --> I left this unchanged, this means, OpenMeetings searches my AD for the
> entered string, right?
>

this means IF ldap_auth_type=SEARCHANDBIND and the bind with ldap_admin_dn /
ldap_passwd was successful,
OM will do the search for the user DN using the "admin" user, ldap_search_base and
ldap_search_query, substituting %s with the user-entered login

then IF exactly one record is found
it will try to bind using the DN found and the password entered


>
> ldap_search_scopes=SUBTREE
> --> I changed that to SUBTREE, since I have more OUs below "myfirm" (such
> as "users", "computers", "servers" and so on)
>

sounds right


>
> ldap_auth_type=SEARCHANDBIND
> --> I tried SEARCHANDBIND as well as SIMPLEBIND. Wrong username/password
> keeps showing, no matter the ldap_auth_type. Can I also use NONE instead?
>

SIMPLEBIND will use ldap_userdn_format, substitute the user-entered login in
place of %s and will try to bind


>
> ldap_userdn_format=uid=%s,OU=myfirm,DC=domain,DC=intern
> --> this is the parameter I don't understand. Is this how the DN of the
> user account, creating the ldap-bind, is created? But why is this necessary?
> I thought, I already told openmeetings what account to use (namely
> ldap_admin_dn=CN=openmeetings,CN=Users,DC=domain,DC=intern). Since a lot of
> my users are in different OUs, I cannot supply ONE string, that matches
> all. In order to get a syntax that fits everyone, I would rather use an
> ldap-attribute like "userPrincipalName" (that's always:
> logonname@myfirm.intern). If I use SEARCHANDBIND and/or
> ldap_use_admin_to_get_attrs=true, can I just ignore this setting? Or is
> this the username-syntax OpenMeetings uses in order to check if the
> password is right? In that case, I would have to provide a DN-string, that
> would fit every user, which is not possible, when users are in different
> OUs.
>

hopefully I have answered this one above :)


>
> ldap_use_admin_to_get_attrs=true
> --> that means, the aforementioned ldap_admin_dn is used in order to
> search the AD, right?
>

No
This means that AFTER successful bind as user (i.e. user exists and password
is correct)
bind with ldap_admin_dn and ldap_passwd will happen to get user attributes
listed here
https://github.com/apache/openmeetings/blob/master/openmeetings-web/src/main/webapp/data/conf/om_ldap.cfg#L84

user DN will be used if `false`



>
> (...)
>
> ldap_user_attr_login=uid
> --> is this an attribute used by OpenMeetings? That is not an attribute
> used in my Active Directory. It is always empty/not set! If this is
> supposed to be the loginname, should I change this to userPrincipalName
> (loginname@domain.intern) or sAMAccountName (loginname) instead? All the
> other attributes (sn, givenName, etc.) are used and filled.
>

this LDAP attribute will be used to fill OM internal "login" field


>
>
>
> Best regards,
> Alex
>
> -----Original Message-----
> From: Maxim Solodovnik <so...@gmail.com>
> Sent: Tuesday, 5 May 2020 04:57
> To: Openmeetings user-list <us...@openmeetings.apache.org>
> Subject: Re: Integration problems with Active Directory
>
> Hello Osvaldo,
>
> since your users don't "fit" into single LDAP DN pattern SIMPLEBIND
> should be replaced with SEARCHANDBIND. In this case your users will be
> searched using search-base and search-query, then authenticated ...
>
> On Tue, 5 May 2020 at 01:16, Osvaldo OBA. Benítez Aliaga <
> osval1980ba@gmail.com <ma...@gmail.com> > wrote:
>
>
>         yes.
>         I have managed to authenticate well with the user that declared
>         (support) and authenticate well with the users that are in the same
>         organizational unit (CN). Now the problem is with users who are in
> other
>         organizational units. For example, those in the Domain Users OU
>
>
>         On 4/5/2020 at 12:09, Maxim Solodovnik wrote:
>         > Have you tested it with LDAP explorer as I suggest?
>
>
>
>
>
> --
>
> Best regards,
> Maxim
>


-- 
Best regards,
Maxim
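The two flows Maxim describes above (SEARCHANDBIND: bind as ldap_admin_dn, search ldap_search_base with %s substituted into ldap_search_query, require exactly one hit, then bind as the DN found; SIMPLEBIND: substitute the login into ldap_userdn_format and bind), plus the ldap_use_admin_to_get_attrs and ldap_user_attr_login behaviour, as an added Python simulation. This is not OpenMeetings code: the directory entries are constructed stand-ins for the AD tree Alex describes, the configuration keys and values are the ones he quoted, and the sAMAccountName variant is an assumption about his schema. Running it shows why `(uid=%s)` against an AD tree that carries no uid attribute returns zero entries (the login fails before any password is checked), why ONELEVEL would miss users in sub-OUs below "myfirm", why a single ldap_userdn_format cannot reach users spread over several OUs, and why user-typed logins must be escaped before they are spliced into a filter or a DN.

```python
import re

# Constructed stand-in for the AD tree Alex describes. As in his directory,
# no entry carries a "uid" attribute; the Windows logon name is sAMAccountName.
# Matching is exact here, whereas real AD attribute matching is case-insensitive.
DIRECTORY = {
    "CN=openmeetings,CN=Users,DC=domain,DC=intern": {
        "sAMAccountName": "openmeetings", "password": "SomeSuperPassword"},
    "CN=Alexander Ninnig,OU=users,OU=myfirm,DC=domain,DC=intern": {
        "sAMAccountName": "alex", "userPrincipalName": "alex@domain.intern",
        "password": "alex-secret"},
    "CN=Backup Svc,OU=servers,OU=myfirm,DC=domain,DC=intern": {
        "sAMAccountName": "backupsvc", "password": "svc-secret"},
}
ALEX_DN = "CN=Alexander Ninnig,OU=users,OU=myfirm,DC=domain,DC=intern"

# Alex's om_ldap.cfg as quoted in the thread (the values are his placeholders).
CFG = {
    "ldap_admin_dn": "CN=openmeetings,CN=Users,DC=domain,DC=intern",
    "ldap_passwd": "SomeSuperPassword",
    "ldap_search_base": "OU=myfirm,DC=domain,DC=intern",
    "ldap_search_query": "(uid=%s)",
    "ldap_search_scopes": "SUBTREE",
    "ldap_userdn_format": "uid=%s,OU=myfirm,DC=domain,DC=intern",
    "ldap_use_admin_to_get_attrs": "true",
    "ldap_user_attr_login": "uid",
}
# The same file with both uid settings pointed at the AD logon-name attribute
# (assumed to suit Alex's schema; the thread itself does not settle this).
AD_CFG = dict(CFG, ldap_search_query="(sAMAccountName=%s)",
              ldap_user_attr_login="sAMAccountName")

def escape_filter_value(value):
    """RFC 4515 escaping for the login spliced into ldap_search_query, so a
    typed '*' or ')' cannot widen or break the filter."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)

def escape_dn_value(value):
    """RFC 4514 escaping for the login spliced into ldap_userdn_format."""
    out = "".join("\\" + c if c in '"+,;<>\\' else c for c in value)
    if out.startswith(("#", " ")):
        out = "\\" + out
    return out[:-1] + "\\ " if out.endswith(" ") else out

def bind(dn, password):
    """Simple bind: the DN must exist and the password must match."""
    entry = DIRECTORY.get(dn)
    return entry is not None and entry["password"] == password

def _in_scope(dn, base, scope):
    if not dn.endswith("," + base):
        return False
    relative = dn[:-len(base) - 1]  # RDNs between the entry and the base
    return scope == "SUBTREE" or "," not in relative  # ONELEVEL: direct children

def search(base, scope, query):
    """Evaluates the single equality form '(attr=value)', which is all the
    thread's queries use; '\\xx' escapes in the value are decoded first."""
    m = re.fullmatch(r"\((\w+)=(.*)\)", query)
    if not m:
        raise ValueError("unsupported filter: " + query)
    attr = m.group(1)
    value = re.sub(r"\\([0-9a-f]{2})", lambda h: chr(int(h.group(1), 16)), m.group(2))
    return [dn for dn, e in DIRECTORY.items()
            if _in_scope(dn, base, scope) and e.get(attr) == value]

def search_and_bind(cfg, login, password):
    """ldap_auth_type=SEARCHANDBIND as Maxim describes it: bind as the admin DN,
    search for the user's DN, require exactly one hit, then bind as that DN."""
    if not bind(cfg["ldap_admin_dn"], cfg["ldap_passwd"]):
        return False, "admin bind failed"
    query = cfg["ldap_search_query"].replace("%s", escape_filter_value(login))
    hits = search(cfg["ldap_search_base"], cfg["ldap_search_scopes"], query)
    if len(hits) != 1:
        return False, "search returned %d entries, need exactly 1" % len(hits)
    if not bind(hits[0], password):
        return False, "user bind failed"
    return True, hits[0]

def simple_bind(cfg, login, password):
    """ldap_auth_type=SIMPLEBIND: build the DN from ldap_userdn_format and bind."""
    dn = cfg["ldap_userdn_format"].replace("%s", escape_dn_value(login))
    return (True, dn) if bind(dn, password) else (False, "user bind failed")

def login_attribute(cfg, user_dn, password):
    """Value that fills OM's internal login field after a successful user bind.
    With ldap_use_admin_to_get_attrs=true the read happens under a second bind
    as the admin DN; with false the user's own DN and password are used."""
    if cfg["ldap_use_admin_to_get_attrs"] == "true":
        reader_ok = bind(cfg["ldap_admin_dn"], cfg["ldap_passwd"])
    else:
        reader_ok = bind(user_dn, password)
    return DIRECTORY[user_dn].get(cfg["ldap_user_attr_login"]) if reader_ok else None
```

Calling `search_and_bind(CFG, "alex", "alex-secret")` reproduces Alex's symptom (zero hits, so the credentials are never tested), while `search_and_bind(AD_CFG, ...)` succeeds and `login_attribute(AD_CFG, ALEX_DN, ...)` returns the value OM would store as the login. A real deployment would of course run the search and binds against the domain controller instead of the in-memory dictionary; the control flow and the escaping are what carry over.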

Re: Integration problems with Active Directory

Posted by "Ninnig, Alexander" <Al...@rechnungshof.rlp.de>.
Hi,

I'm new and I don't know the etiquette: If I have a problem with Active Directory-Integration as well - do I start a new "thread" by sending an email with a new subject, or should I respond to this existing one?

In case responding to an existing one is right, I would like to describe the problem:

Right now, if I try to authenticate as domain-user, I don't get a login-error (like: wrong username or password), but an internal error page instead (the browser tab shows "Internal Error" pretty fast, it takes a few more seconds until the page is opened (https://myopenmeetingsserver:5443/openmeetings/wicket/bookmarkable/org.apache.wicket.markup.html.pages.InternalErrorPage)). Is this supposed to happen? As far as I remember, this was different in OpenMeetings 3 (I tried LDAP before with OM3, but the login was always denied, saying user or password was wrong - the login kinda wiggled a few times, sort of like shaking its head).

Question 1: is there something wrong with my OpenMeetings-installation? Or is this just the behaviour caused by a wrong om_ldap.conf?
--> I figured this one out! The sample-om_ldap.conf was in /opt/open504/webapps/openmeetings/data/conf/, but the LDAP-configuration said, the file should be in /opt/open504/webapps/openmeetings/conf [no DATA], after I copied/moved the conf, I got the regular "wrong username/wrong password"-message. So it's still not working, but there's no internal error anymore.

Question 2: I still can't login using AD-credentials, no matter if I use username, username@domain.intern or username@publicdomain.de. I add some info on my environment and my configuration, since I'm not sure, I understand all of it. Can someone have a look and help me with this?

Here is my scenario:
OpenMeeting 5.04 on Ubuntu Server 18.04 (English), NOT a domain member
Active Directory on Windows Server 2012 R2

Here is my configuration (this file is also set in OpenMeetings in LDAP-configuration; I tried with and without "add Domain to username"):
ldap_conn_host=192.168.0.10
ldap_conn_port=389
ldap_conn_secure=false
ldap_admin_dn=CN=openmeetings,CN=Users,DC=domain,DC=intern
ldap_passwd=SomeSuperPassword
ldap_search_base=OU=myfirm,DC=domain,DC=intern

--> so far, I can use these infos in order to get an ldap-bind (using Apache Directory Studio), THAT works.
--> The om-ldap-user is NOT in the same OU as my users, that is intentionally, since there are no restricting group-policies on "Users", but on "myfirm".
--> After creating an ldap-bind in Apache Directory Studio, I can also use this search-base, so that works too.

ldap_search_query=(uid=%s)
--> I left this unchanged, this means, OpenMeetings searches my AD for the entered string, right?

ldap_search_scopes=SUBTREE
--> I changed that to SUBTREE, since I have more OUs below "myfirm" (such as "users", "computers", "servers" and so on)

ldap_auth_type=SEARCHANDBIND
--> I tried SEARCHANDBIND as well as SIMPLEBIND. Wrong username/password keeps showing, no matter the ldap_auth_type. Can I also use NONE instead?

ldap_userdn_format=uid=%s,OU=myfirm,DC=domain,DC=intern
--> this is the parameter I don't understand. Is this how the DN of the user account, creating the ldap-bind, is created? But why is this necessary? I thought, I already told openmeetings what account to use (namely ldap_admin_dn=CN=openmeetings,CN=Users,DC=domain,DC=intern). Since a lot of my users are in different OUs, I cannot supply ONE string, that matches all. In order to get a syntax that fits everyone, I would rather use an ldap-attribute like "userPrincipalName" (that's always: logonname@myfirm.intern). If I use SEARCHANDBIND and/or ldap_use_admin_to_get_attrs=true, can I just ignore this setting? Or is this the username-syntax OpenMeetings uses in order to check if the password is right? In that case, I would have to provide a DN-string, that would fit every user, which is not possible, when users are in different OUs.

ldap_use_admin_to_get_attrs=true
--> that means, the aforementioned ldap_admin_dn is used in order to search the AD, right?

(...)

ldap_user_attr_login=uid
--> is this an attribute used by OpenMeetings? That is not an attribute used in my Active Directory. It is always empty/not set! If this is supposed to be the loginname, should I change this to userPrincipalName (loginname@domain.intern) or sAMAccountName (loginname) instead? All the other attributes (sn, givenName, etc.) are used and filled.



Best regards,
Alex

-----Original Message-----
From: Maxim Solodovnik <so...@gmail.com> 
Sent: Tuesday, 5 May 2020 04:57
To: Openmeetings user-list <us...@openmeetings.apache.org>
Subject: Re: Integration problems with Active Directory

Hello Osvaldo,

since your users don't "fit" into single LDAP DN pattern SIMPLEBIND should be replaced with SEARCHANDBIND. In this case your users will be searched using search-base and search-query, then authenticated ...

On Tue, 5 May 2020 at 01:16, Osvaldo OBA. Benítez Aliaga <osval1980ba@gmail.com <ma...@gmail.com> > wrote:


	yes.
	I have managed to authenticate well with the user that declared
	(support) and authenticate well with the users that are in the same
	organizational unit (CN). Now the problem is with users who are in other
	organizational units. For example, those in the Domain Users OU
	
	
	On 4/5/2020 at 12:09, Maxim Solodovnik wrote:
	> Have you tested it with LDAP explorer as I suggest?
	
	



-- 

Best regards,
Maxim

Re: Integration problems with Active Directory

Posted by "Osvaldo OBA. Benítez Aliaga" <os...@gmail.com>.
yes.
I have managed to authenticate well with the user that declared
(support) and authenticate well with the users that are in the same
organizational unit (CN). Now the problem is with users who are in other
organizational units. For example, those in the Domain Users OU


On 4/5/2020 at 12:09, Maxim Solodovnik wrote:
> Have you tested it with LDAP explorer as I suggest?


Re: Integration problems with Active Directory

Posted by Maxim Solodovnik <so...@gmail.com>.
Have you tested it with LDAP explorer as I suggest?

On Mon, 4 May 2020 at 23:08, Osvaldo OBA. Benítez Aliaga <
osval1980ba@gmail.com> wrote:

> It keeps giving me the same invalid credential error
> On 4/5/2020 at 12:06, Maxim Solodovnik wrote:
>
> This is the question I have answered
> please re-read my previous email (the one started with "do not write
> personal emails ...." :)))
>
> On Mon, 4 May 2020 at 23:03, Osvaldo OBA. Benítez Aliaga <
> osval1980ba@gmail.com> wrote:
>
>>
>> Hello, I am trying to integrate it with AD and it gives me an invalid
>> credential error.
>> This is my scenario:
>>
>> I have a domain controller on Windows Server 2016.
>> My domain is domain.co.cu
>> In the User organizational unit the user is created so that OpenMeetings
>> can authenticate: the user is support.
>> It would be: CN = support, CN = Users, DC = domain, DC = co, DC = cu
>> Create an organizational unit called Domain Users where the users are
>> located.
>> It would be: OU = Users of the domain, DC = domain, DC = co, DC = cu
>>
>> How would the configuration file look like?
>>
>>
>
> --
> Best regards,
> Maxim
>
>

-- 
Best regards,
Maxim

Re: Integration problems with Active Directory

Posted by "Osvaldo OBA. Benítez Aliaga" <os...@gmail.com>.
It keeps giving me the same invalid credential error

On 4/5/2020 at 12:06, Maxim Solodovnik wrote:
> This is the question I have answered
> please re-read my previous email (the one started with "do not write
> personal emails ...." :)))
>
> On Mon, 4 May 2020 at 23:03, Osvaldo OBA. Benítez Aliaga
> <osval1980ba@gmail.com <ma...@gmail.com>> wrote:
>
>
>     Hello, I am trying to integrate it with AD and it gives me an invalid
>     credential error.
>     This is my scenario:
>
>     I have a domain controller on Windows Server 2016.
>     My domain is domain.co.cu
>     In the User organizational unit the user is created so that
>     OpenMeetings
>     can authenticate: the user is support.
>     It would be: CN = support, CN = Users, DC = domain, DC = co, DC = cu
>     Create an organizational unit called Domain Users where the users are
>     located.
>     It would be: OU = Users of the domain, DC = domain, DC = co, DC = cu
>
>     How would the configuration file look like?
>
>
>
> -- 
> Best regards,
> Maxim

Re: Integration problems with Active Directory

Posted by Maxim Solodovnik <so...@gmail.com>.
This is the question I have answered
please re-read my previous email (the one started with "do not write
personal emails ...." :)))

On Mon, 4 May 2020 at 23:03, Osvaldo OBA. Benítez Aliaga <
osval1980ba@gmail.com> wrote:

>
> Hello, I am trying to integrate it with AD and it gives me an invalid
> credential error.
> This is my scenario:
>
> I have a domain controller on Windows Server 2016.
> My domain is domain.co.cu
> In the User organizational unit the user is created so that OpenMeetings
> can authenticate: the user is support.
> It would be: CN = support, CN = Users, DC = domain, DC = co, DC = cu
> Create an organizational unit called Domain Users where the users are
> located.
> It would be: OU = Users of the domain, DC = domain, DC = co, DC = cu
>
> How would the configuration file look like?
>
>

-- 
Best regards,
Maxim