Posted to user@openmeetings.apache.org by Michael Wuttke <mi...@beuth-hochschule.de> on 2014/07/01 12:37:24 UTC
Re: [jira] [Resolved] (OPENMEETINGS-964) LDAP login should be refactored
Hello Maxim,
the parameters -Djavax.net.ssl.keyStore,
-Djavax.net.ssl.keyStorePassword, -Djavax.net.ssl.trustStore and
-Djavax.net.ssl.trustStorePassword are set to the JAVA_OPT environment
of the red5.sh script.
The credentials ldap_conn_host, ldap_conn_port=636,
ldap_conn_secure=true, ldap_admin_dn, ldap_passwd & ldap_search_base are
correct. Same as in PHP (moodle and mahara).
And:
ldap_search_query=(uid=%s)
ldap_auth_type=SIMPLEBIND
ldap_userdn_format=uid=%s,DC=company,DC=de
Additionally: The user attribute is 'sAMAccountName', the user type is
'MS ActiveDirectory' and the objectclass is 'person'.
How can I configure these credentials correctly in the om_ldap.cfg?
Thanks for any help,
Michael
On 29.06.2014 04:00, Maxim Solodovnik wrote:
> Is it possible DN you are using is incorrect?
> According to error code DN or password are incorrect :(
> not sure what to do without testing environment :(
>
>
> On 29 June 2014 01:20, <mwuttke@beuth-hochschule.de
> <ma...@beuth-hochschule.de>> wrote:
>
> Hello Maxim,
>
> ok I added the official ldap certificate/CA to a self-created truststore
> and '-Djavax.net.debug=all' '-Djavax.net.ssl.trustStore=trustStore
> -Djavax.net.ssl.trustStorePassword=Password' to the LOGGING_OPTS and the
> JVM_OPTS environment in the red5/red5.sh file.
>
> But I've got the same error messages after a restart of the OM server:
>
> DEBUG 06-28 19:56:36.755 o.a.m.f.s.SslFilter:452 [NioProcessor-17] -
> Session Client[1](SSL): Message received : HeapBuffer[pos=0 lim=149
> cap=4096: 17 03 01 00 90 B3 55 AF 21 A8 57 AE 05 27 45 18...]
> DEBUG 06-28 19:56:36.756 o.a.m.f.s.SslFilter:685 [NioProcessor-17] -
> Session Client[1](SSL): Processing the SSL Data
> DEBUG 06-28 19:56:36.756 o.a.m.f.c.ProtocolCodecFilter:211
> [NioProcessor-17] - Processing a MESSAGE_RECEIVED for session 1
> DEBUG 06-28 19:56:36.766 o.a.d.l.c.a.LdapNetworkConnection:1861
> [NioProcessor-17] - -------> MessageType : BIND_RESPONSE
> Message ID : 1
> BindResponse
> Ldap Result
> Result code : (INVALID_CREDENTIALS) invalidCredentials
> Matched Dn : ''
> Diagnostic message : '80090308: LdapErr: DSID-0C0903A9,
> comment: AcceptSecurityContext error, data 52e, v1db1'
>
> Do I need to create a certificate for the OM Server as well and add it
> to a keyStore?
>
> Thanks for any help,
> Michael
>
> On 28.06.14 04:26, Maxim Solodovnik wrote:
> > In case it is SSL issue you can try to enable SSL logs:
> > -Djavax.net.debug=all (
> >
> http://docs.oracle.com/javase/1.5.0/docs/guide/security/jsse/ReadDebug.html)
> > Additionally you can specify your custom truststore (in case of
> self-signed
> > certificate)
> >
> > -Djavax.net.ssl.trustStore=trustStore
> >
> > and/or add your certificate/CA to java global truststore
Re: [SOLVED !] (OPENMEETINGS-964) LDAP login should be refactored
Posted by Maxim Solodovnik <so...@gmail.com>.
I'm glad it works :)
Thanks for the testing!
On Jul 4, 2014 2:58 AM, "Thibault Le Meur" <th...@supelec.fr>
wrote:
> Thanks for your tests and thank you to Maxim for the great work.
> Sorry that I wasn't able to help, I don't have enough free time these days.
>
> Thibault
>
>
> Sent from my iPad
>
> On 3 Jul. 2014 at 21:29, mwuttke@beuth-hochschule.de wrote:
>
> > Hello Maxim, Hello Thibault,
> >
> > now with the build 40 and the scope SUBTREE it works!
> >
> > Great!
> >
> > Thank you!
> > Michael
> >
> > On 02.07.14 16:30, Maxim Solodovnik wrote:
> >> #38 is on the way :)
> >>
> >>
> >> On 2 July 2014 21:25, Michael Wuttke <
> michael.wuttke@beuth-hochschule.de>
> >> wrote:
> >>
> >>> with the build 37 or a new one?
> >>>
> >>> m.w.
> >>>
> >>> On 02.07.2014 16:23, Maxim Solodovnik wrote:
> >>>> should be fixed
> >>>> could you please set your scope to SUBTREE and try again?
>
Re: [SOLVED !] (OPENMEETINGS-964) LDAP login should be refactored
Posted by Thibault Le Meur <th...@supelec.fr>.
Thanks for your tests and thank you to Maxim for the great work.
Sorry that I wasn't able to help, I don't have enough free time these days.
Thibault
Sent from my iPad
On 3 Jul. 2014 at 21:29, mwuttke@beuth-hochschule.de wrote:
> Hello Maxim, Hello Thibault,
>
> now with the build 40 and the scope SUBTREE it works!
>
> Great!
>
> Thank you!
> Michael
>
> On 02.07.14 16:30, Maxim Solodovnik wrote:
>> #38 is on the way :)
>>
>>
>> On 2 July 2014 21:25, Michael Wuttke <mi...@beuth-hochschule.de>
>> wrote:
>>
>>> with the build 37 or a new one?
>>>
>>> m.w.
>>>
>>> On 02.07.2014 16:23, Maxim Solodovnik wrote:
>>>> should be fixed
>>>> could you please set your scope to SUBTREE and try again?
Re: [SOLVED !] (OPENMEETINGS-964) LDAP login should be refactored
Posted by Michael Wuttke <mi...@beuth-hochschule.de>.
Hello Ed,
You are welcome. No problem. Please let us know if the LDAP
authentication is working for you as well. ;-)
Greetings,
Michael
On 08.07.2014 15:00, BBS Technik wrote:
> Hello Michael,
>
> thanks a lot for your fast response and the detailed information.
> I think it is really helpful.
>
> Best Regards
>
> Ed
>
>
>
> Sent: Monday, 07 July 2014 at 17:28
> From: "Michael Wuttke" <mi...@beuth-hochschule.de>
> To: user@openmeetings.apache.org
> Subject: Re: [SOLVED !] (OPENMEETINGS-964) LDAP login should be refactored
> Hello Ed,
>
> sure! Here is my short how-to, which works in our env. with an M$ Active
> Directory Server:
>
> 0. I used the dev. builds of the version 3.0.3 with the Red5 Server
> version 1.0.3-SNAPSHOT under the hood. ;-)
>
> 1. I changed OpenMeetings to RTMPS and HTTPS, you can change the ports of
> OM by using this tutorial here:
> http://openmeetings.apache.org/RTMPSAndHTTPS.html or you can configure a
> proxy for the apache server. Please see an example here in the tutorial
> step 13 on page 32:
> https://cwiki.apache.org/confluence/download/attachments/27838216/Installing%20OM2.1.1%20on%20Debian64%20Wheezy.pdf?version=1&modificationDate=1380291632000&api=v2.
>
> 2. I configured the OM server as a LDAP client. Please see the short
> steps/tutorial here: http://openmeetings.apache.org/LdapAndADS.html
>
> 3. I added the official certificate of the OM server to a self-created
> keystore, added the chain of our CA to the keystore as well, added the
> official certificate of the ldap server to a self-created truststore and
> added the paths of the stores and passwords to the java environment of
> the red5 server, by adding
> '-Djavax.net.ssl.keyStore=/usr/lib/red/conf/keystore
> -Djavax.net.ssl.keyStorePassword=keystorepassword
> -Djavax.net.ssl.trustStore=/usr/lib/red/conf/truststore
> -Djavax.net.ssl.trustStorePassword=truststorepassword' to the JVM_OPTS
> environment and I added '-Djavax.net.debug=all' to the LOGGING_OPTS (to
> see better, whats going on) in the ~/red5/red5.sh file.
>
> 4. The important parts of the om_ldap.cfg file for the authentication
> process against an Active Directory Server (!) look like this:
> #LDAP URL
> ldap_conn_host=LDAP_server.Company.com
> ldap_conn_port=636
> ldap_conn_secure=true
>
> # Login distinguished name (DN) for Authentication on LDAP Server
> # Use full qualified LDAP DN
> ldap_admin_dn=CN=ldapauth,OU=Users,DC=Company,DC=com
>
> # Loginpass for Authentication on LDAP Server
> ldap_passwd=ldapauthpasswd
>
> # base to search for userdata(of user, that wants to login)
> ldap_search_base=OU=Users,DC=Company,DC=com
> #ldap_search_base=DC=Company,DC=com
>
> # Fieldnames (can differ between Ldap servers)
> ldap_search_query=(&(objectCategory=person)(objectClass=person)(sAMAccountName=%1$s))
> #ldap_search_query=(sAMAccountName=%s)
> #ldap_search_query=(CN=%s)
>
> # the scope of the search might be: OBJECT, ONELEVEL, SUBTREE
> ldap_search_scope=SUBTREE
>
> # Ldap auth type(NONE, SEARCHANDBIND, SIMPLEBIND)
> ldap_auth_type=SEARCHANDBIND
>
> # userDN format, will be used to bind if ldap_auth_type=SIMPLEBIND
> ldap_userdn_format=sAMAccountName=%s,OU=Users,DC=beuth-hochschule.de,DC=com
> #ldap_userdn_format=sAMAccountName=%s,DC=Company,DC=com
> #ldap_userdn_format=CN=%s,OU=Users,DC=Company,DC=com
> #ldap_userdn_format=CN=%s,DC=Company,DC=com
>
> # Ldap-password synchronization to OM DB
> ldap_sync_password_to_om=false
>
> # Ldap user attributes mapping
> # Set the following internal OM user attributes to their corresponding Ldap-attribute
> ldap_user_attr_lastname=sn
>
> And it works as expected! ;-)
>
> Thanks & Greetings,
> Michael
>
> On 06.07.2014 20:21, BBS Technik wrote:
>> Hello Michael,
>>
> >> it is very good news to hear that the secure ldap login to om now works.
> >> The really working steps for the implementation I found in the mailinglist are not clear to me.
> >> Could you please write down the needed steps in a short how-to. I think a lot of om admins wait for a working guideline.
>>
> >> Perhaps we can publish it on the om wiki.
>>
>>
>> Best regards Ed
>>
>>
> >> Sent: Thursday, 03 July 2014 at 21:29
> >> From: mwuttke@beuth-hochschule.de
> >> To: user@openmeetings.apache.org
> >> Subject: [SOLVED !] (OPENMEETINGS-964) LDAP login should be refactored
>> Hello Maxim, Hello Thibault,
>>
>> now with the build 40 and the scope SUBTREE it works!
>>
>> Great!
>>
>> Thank you!
>> Michael
>>
> >> On 02.07.14 16:30, Maxim Solodovnik wrote:
>>> #38 is on the way :)
>>>
>>>
>>> On 2 July 2014 21:25, Michael Wuttke <mi...@beuth-hochschule.de>
>>> wrote:
>>>
>>>> with the build 37 or a new one?
>>>>
>>>> m.w.
>>>>
> >>>> On 02.07.2014 16:23, Maxim Solodovnik wrote:
>>>>> should be fixed
>>>>> could you please set your scope to SUBTREE and try again?
Re: Re: [SOLVED !] (OPENMEETINGS-964) LDAP login should be refactored
Posted by BBS Technik <do...@gmx.de>.
Hello Michael,
thanks a lot for your fast response and the detailed information.
I think it is really helpful.
Best Regards
Ed
Sent: Monday, 07 July 2014 at 17:28
From: "Michael Wuttke" <mi...@beuth-hochschule.de>
To: user@openmeetings.apache.org
Subject: Re: [SOLVED !] (OPENMEETINGS-964) LDAP login should be refactored
Hello Ed,
sure! Here is my short how-to, which works in our env. with an M$ Active
Directory Server:
0. I used the dev. builds of the version 3.0.3 with the Red5 Server
version 1.0.3-SNAPSHOT under the hood. ;-)
1. I changed OpenMeetings to RTMPS and HTTPS, you can change the ports of
OM by using this tutorial here:
http://openmeetings.apache.org/RTMPSAndHTTPS.html or you can configure a
proxy for the apache server. Please see an example here in the tutorial
step 13 on page 32:
https://cwiki.apache.org/confluence/download/attachments/27838216/Installing%20OM2.1.1%20on%20Debian64%20Wheezy.pdf?version=1&modificationDate=1380291632000&api=v2.
2. I configured the OM server as a LDAP client. Please see the short
steps/tutorial here: http://openmeetings.apache.org/LdapAndADS.html
3. I added the official certificate of the OM server to a self-created
keystore, added the chain of our CA to the keystore as well, added the
official certificate of the ldap server to a self-created truststore and
added the paths of the stores and passwords to the java environment of
the red5 server, by adding
'-Djavax.net.ssl.keyStore=/usr/lib/red/conf/keystore
-Djavax.net.ssl.keyStorePassword=keystorepassword
-Djavax.net.ssl.trustStore=/usr/lib/red/conf/truststore
-Djavax.net.ssl.trustStorePassword=truststorepassword' to the JVM_OPTS
environment and I added '-Djavax.net.debug=all' to the LOGGING_OPTS (to
see better, whats going on) in the ~/red5/red5.sh file.
4. The important parts of the om_ldap.cfg file for the authentication
process against an Active Directory Server (!) look like this:
#LDAP URL
ldap_conn_host=LDAP_server.Company.com
ldap_conn_port=636
ldap_conn_secure=true
# Login distinguished name (DN) for Authentication on LDAP Server
# Use full qualified LDAP DN
ldap_admin_dn=CN=ldapauth,OU=Users,DC=Company,DC=com
# Loginpass for Authentication on LDAP Server
ldap_passwd=ldapauthpasswd
# base to search for userdata(of user, that wants to login)
ldap_search_base=OU=Users,DC=Company,DC=com
#ldap_search_base=DC=Company,DC=com
# Fieldnames (can differ between Ldap servers)
ldap_search_query=(&(objectCategory=person)(objectClass=person)(sAMAccountName=%1$s))
#ldap_search_query=(sAMAccountName=%s)
#ldap_search_query=(CN=%s)
# the scope of the search might be: OBJECT, ONELEVEL, SUBTREE
ldap_search_scope=SUBTREE
# Ldap auth type(NONE, SEARCHANDBIND, SIMPLEBIND)
ldap_auth_type=SEARCHANDBIND
# userDN format, will be used to bind if ldap_auth_type=SIMPLEBIND
ldap_userdn_format=sAMAccountName=%s,OU=Users,DC=beuth-hochschule.de,DC=com
#ldap_userdn_format=sAMAccountName=%s,DC=Company,DC=com
#ldap_userdn_format=CN=%s,OU=Users,DC=Company,DC=com
#ldap_userdn_format=CN=%s,DC=Company,DC=com
# Ldap-password synchronization to OM DB
ldap_sync_password_to_om=false
# Ldap user attributes mapping
# Set the following internal OM user attributes to their corresponding Ldap-attribute
ldap_user_attr_lastname=sn
And it works as expected! ;-)
Thanks & Greetings,
Michael
On 06.07.2014 20:21, BBS Technik wrote:
> Hello Michael,
>
> it is very good news to hear that the secure ldap login to om now works.
> The really working steps for the implementation I found in the mailinglist are not clear to me.
> Could you please write down the needed steps in a short how-to. I think a lot of om admins wait for a working guideline.
>
> Perhaps we can publish it on the om wiki.
>
>
> Best regards Ed
>
>
> Sent: Thursday, 03 July 2014 at 21:29
> From: mwuttke@beuth-hochschule.de
> To: user@openmeetings.apache.org
> Subject: [SOLVED !] (OPENMEETINGS-964) LDAP login should be refactored
> Hello Maxim, Hello Thibault,
>
> now with the build 40 and the scope SUBTREE it works!
>
> Great!
>
> Thank you!
> Michael
>
> On 02.07.14 16:30, Maxim Solodovnik wrote:
>> #38 is on the way :)
>>
>>
>> On 2 July 2014 21:25, Michael Wuttke <mi...@beuth-hochschule.de>
>> wrote:
>>
>>> with the build 37 or a new one?
>>>
>>> m.w.
>>>
>>> On 02.07.2014 16:23, Maxim Solodovnik wrote:
>>>> should be fixed
>>>> could you please set your scope to SUBTREE and try again?
Re: [SOLVED !] (OPENMEETINGS-964) LDAP login should be refactored
Posted by Michael Wuttke <mi...@beuth-hochschule.de>.
Hello Ed,
sure! Here is my short how-to, which works in our env. with an M$ Active
Directory Server:
0. I used the dev. builds of the version 3.0.3 with the Red5 Server
version 1.0.3-SNAPSHOT under the hood. ;-)
1. I changed OpenMeetings to RTMPS and HTTPS, you can change the ports of
OM by using this tutorial here:
http://openmeetings.apache.org/RTMPSAndHTTPS.html or you can configure a
proxy for the apache server. Please see an example here in the tutorial
step 13 on page 32:
https://cwiki.apache.org/confluence/download/attachments/27838216/Installing%20OM2.1.1%20on%20Debian64%20Wheezy.pdf?version=1&modificationDate=1380291632000&api=v2.
2. I configured the OM server as a LDAP client. Please see the short
steps/tutorial here: http://openmeetings.apache.org/LdapAndADS.html
3. I added the official certificate of the OM server to a self-created
keystore, added the chain of our CA to the keystore as well, added the
official certificate of the ldap server to a self-created truststore and
added the paths of the stores and passwords to the java environment of
the red5 server, by adding
'-Djavax.net.ssl.keyStore=/usr/lib/red/conf/keystore
-Djavax.net.ssl.keyStorePassword=keystorepassword
-Djavax.net.ssl.trustStore=/usr/lib/red/conf/truststore
-Djavax.net.ssl.trustStorePassword=truststorepassword' to the JVM_OPTS
environment and I added '-Djavax.net.debug=all' to the LOGGING_OPTS (to
see better, whats going on) in the ~/red5/red5.sh file.
4. The important parts of the om_ldap.cfg file for the authentication
process against an Active Directory Server (!) look like this:
#LDAP URL
ldap_conn_host=LDAP_server.Company.com
ldap_conn_port=636
ldap_conn_secure=true
# Login distinguished name (DN) for Authentication on LDAP Server
# Use full qualified LDAP DN
ldap_admin_dn=CN=ldapauth,OU=Users,DC=Company,DC=com
# Loginpass for Authentication on LDAP Server
ldap_passwd=ldapauthpasswd
# base to search for userdata(of user, that wants to login)
ldap_search_base=OU=Users,DC=Company,DC=com
#ldap_search_base=DC=Company,DC=com
# Fieldnames (can differ between Ldap servers)
ldap_search_query=(&(objectCategory=person)(objectClass=person)(sAMAccountName=%1$s))
#ldap_search_query=(sAMAccountName=%s)
#ldap_search_query=(CN=%s)
# the scope of the search might be: OBJECT, ONELEVEL, SUBTREE
ldap_search_scope=SUBTREE
# Ldap auth type(NONE, SEARCHANDBIND, SIMPLEBIND)
ldap_auth_type=SEARCHANDBIND
# userDN format, will be used to bind if ldap_auth_type=SIMPLEBIND
ldap_userdn_format=sAMAccountName=%s,OU=Users,DC=beuth-hochschule.de,DC=com
#ldap_userdn_format=sAMAccountName=%s,DC=Company,DC=com
#ldap_userdn_format=CN=%s,OU=Users,DC=Company,DC=com
#ldap_userdn_format=CN=%s,DC=Company,DC=com
# Ldap-password synchronization to OM DB
ldap_sync_password_to_om=false
# Ldap user attributes mapping
# Set the following internal OM user attributes to their corresponding Ldap-attribute
ldap_user_attr_lastname=sn
And it works as expected! ;-)
Thanks & Greetings,
Michael
On 06.07.2014 20:21, BBS Technik wrote:
> Hello Michael,
>
> it is very good news to hear that the secure ldap login to om now works.
> The really working steps for the implementation I found in the mailinglist are not clear to me.
> Could you please write down the needed steps in a short how-to. I think a lot of om admins wait for a working guideline.
>
> Perhaps we can publish it on the om wiki.
>
>
> Best regards Ed
>
>
> Sent: Thursday, 03 July 2014 at 21:29
> From: mwuttke@beuth-hochschule.de
> To: user@openmeetings.apache.org
> Subject: [SOLVED !] (OPENMEETINGS-964) LDAP login should be refactored
> Hello Maxim, Hello Thibault,
>
> now with the build 40 and the scope SUBTREE it works!
>
> Great!
>
> Thank you!
> Michael
>
> On 02.07.14 16:30, Maxim Solodovnik wrote:
>> #38 is on the way :)
>>
>>
>> On 2 July 2014 21:25, Michael Wuttke <mi...@beuth-hochschule.de>
>> wrote:
>>
>>> with the build 37 or a new one?
>>>
>>> m.w.
>>>
>>> On 02.07.2014 16:23, Maxim Solodovnik wrote:
>>>> should be fixed
>>>> could you please set your scope to SUBTREE and try again?
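A pre-flight check for the om_ldap.cfg shown in step 4 above, as an added example that is not part of OpenMeetings: it parses the key=value format of the file and flags the settings a security reviewer would question before restarting Red5, namely ldap_conn_secure not set to true (the admin bind credentials would cross the network unencrypted), port 636 used without ldap_conn_secure, ldap_sync_password_to_om=true, an ldap_search_scope or ldap_auth_type outside the documented values, and a missing %s / %1$s placeholder in the query or DN template. The set of checks is this example's own choice; the configuration text embedded below is reconstructed from the values posted in the thread (with the posted placeholder secrets), and the weakened variant is constructed to show the checks firing.

```python
"""Sanity-check an OpenMeetings om_ldap.cfg before restarting Red5.

Added example, not OpenMeetings code. Parses the key=value format seen in
this thread and reports settings worth a second look.
"""

PLACEHOLDERS = ("%s", "%1$s")   # Java String.format tokens the login is substituted into
SCOPES = {"OBJECT", "ONELEVEL", "SUBTREE"}
AUTH_TYPES = {"NONE", "SEARCHANDBIND", "SIMPLEBIND"}


def parse_cfg(text):
    """key=value per line; '#' starts a comment; values (DNs, filters) may contain '='."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError("not a key=value line: %r" % raw)
        cfg[key.strip()] = value.strip()
    return cfg


def has_placeholder(value):
    return any(tok in value for tok in PLACEHOLDERS)


def review(cfg):
    """Return (key, problem) pairs in check order; an empty list means nothing was flagged."""
    findings = []
    secure = cfg.get("ldap_conn_secure", "false").lower() == "true"
    if not secure:
        findings.append(("ldap_conn_secure",
                         "bind credentials would cross the network unencrypted; set true and use LDAPS"))
    if cfg.get("ldap_conn_port") == "636" and not secure:
        findings.append(("ldap_conn_port", "636 is the LDAPS port but ldap_conn_secure is not true"))
    if cfg.get("ldap_sync_password_to_om", "false").lower() == "true":
        findings.append(("ldap_sync_password_to_om",
                         "directory passwords would be copied into the OM database"))
    if cfg.get("ldap_search_scope", "") not in SCOPES:
        findings.append(("ldap_search_scope", "must be one of %s" % ", ".join(sorted(SCOPES))))
    auth = cfg.get("ldap_auth_type", "")
    if auth not in AUTH_TYPES:
        findings.append(("ldap_auth_type", "must be one of %s" % ", ".join(sorted(AUTH_TYPES))))
    if auth == "SEARCHANDBIND":
        for key in ("ldap_admin_dn", "ldap_passwd", "ldap_search_base"):
            if not cfg.get(key):
                findings.append((key, "required for SEARCHANDBIND"))
        if not has_placeholder(cfg.get("ldap_search_query", "")):
            findings.append(("ldap_search_query",
                             "no %s / %1$s placeholder, so every login would run the same search"))
    if auth == "SIMPLEBIND" and not has_placeholder(cfg.get("ldap_userdn_format", "")):
        findings.append(("ldap_userdn_format",
                         "no %s / %1$s placeholder, so every login would bind as the same DN"))
    return findings


# Reconstructed from the om_ldap.cfg posted in this thread; secrets are the posted placeholders.
POSTED_CFG = """\
#LDAP URL
ldap_conn_host=LDAP_server.Company.com
ldap_conn_port=636
ldap_conn_secure=true
ldap_admin_dn=CN=ldapauth,OU=Users,DC=Company,DC=com
ldap_passwd=ldapauthpasswd
ldap_search_base=OU=Users,DC=Company,DC=com
ldap_search_query=(&(objectCategory=person)(objectClass=person)(sAMAccountName=%1$s))
ldap_search_scope=SUBTREE
ldap_auth_type=SEARCHANDBIND
ldap_userdn_format=sAMAccountName=%s,OU=Users,DC=Company,DC=com
ldap_sync_password_to_om=false
# Set the following internal OM user attributes to their corresponding Ldap-attribute
ldap_user_attr_lastname=sn
"""

# Constructed weakened variant: plaintext LDAP on the LDAPS port, password sync on, bad scope.
WEAK_CFG = (POSTED_CFG.replace("ldap_conn_secure=true", "ldap_conn_secure=false")
            .replace("ldap_sync_password_to_om=false", "ldap_sync_password_to_om=true")
            .replace("ldap_search_scope=SUBTREE", "ldap_search_scope=SUB"))

if __name__ == "__main__":
    for name, text in (("posted", POSTED_CFG), ("weakened", WEAK_CFG)):
        for key, problem in review(parse_cfg(text)):
            print("%s: %s: %s" % (name, key, problem))
```

Run it against the real file with `review(parse_cfg(open("om_ldap.cfg").read()))`; the posted configuration comes back clean, while the weakened copy produces one finding per deliberate change.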
Re: [SOLVED !] (OPENMEETINGS-964) LDAP login should be refactored
Posted by BBS Technik <do...@gmx.de>.
Hello Michael,
it is very good news to hear that the secure ldap login to om now works.
The really working steps for the implementation I found in the mailinglist are not clear to me.
Could you please write down the needed steps in a short how-to. I think a lot of om admins wait for a working guideline.
Perhaps we can publish it on the om wiki.
Best regards Ed
Sent: Thursday, 03 July 2014 at 21:29
From: mwuttke@beuth-hochschule.de
To: user@openmeetings.apache.org
Subject: [SOLVED !] (OPENMEETINGS-964) LDAP login should be refactored
Hello Maxim, Hello Thibault,
now with the build 40 and the scope SUBTREE it works!
Great!
Thank you!
Michael
On 02.07.14 16:30, Maxim Solodovnik wrote:
> #38 is on the way :)
>
>
> On 2 July 2014 21:25, Michael Wuttke <mi...@beuth-hochschule.de>
> wrote:
>
>> with the build 37 or a new one?
>>
>> m.w.
>>
>> On 02.07.2014 16:23, Maxim Solodovnik wrote:
>>> should be fixed
>>> could you please set your scope to SUBTREE and try again?
[SOLVED !] (OPENMEETINGS-964) LDAP login should be refactored
Posted by mw...@beuth-hochschule.de.
Hello Maxim, Hello Thibault,
now with the build 40 and the scope SUBTREE it works!
Great!
Thank you!
Michael
On 02.07.14 16:30, Maxim Solodovnik wrote:
> #38 is on the way :)
>
>
> On 2 July 2014 21:25, Michael Wuttke <mi...@beuth-hochschule.de>
> wrote:
>
>> with the build 37 or a new one?
>>
>> m.w.
>>
>> On 02.07.2014 16:23, Maxim Solodovnik wrote:
>>> should be fixed
>>> could you please set your scope to SUBTREE and try again?
Re: [jira] [Resolved] (OPENMEETINGS-964) LDAP login should be refactored
Posted by Maxim Solodovnik <so...@gmail.com>.
#38 is on the way :)
On 2 July 2014 21:25, Michael Wuttke <mi...@beuth-hochschule.de>
wrote:
> with the build 37 or a new one?
>
> m.w.
>
> On 02.07.2014 16:23, Maxim Solodovnik wrote:
> > should be fixed
> > could you please set your scope to SUBTREE and try again?
>
--
WBR
Maxim aka solomax
Re: [jira] [Resolved] (OPENMEETINGS-964) LDAP login should be refactored
Posted by Michael Wuttke <mi...@beuth-hochschule.de>.
with the build 37 or a new one?
m.w.
On 02.07.2014 16:23, Maxim Solodovnik wrote:
> should be fixed
> could you please set your scope to SUBTREE and try again?
Re: [jira] [Resolved] (OPENMEETINGS-964) LDAP login should be refactored
Posted by Maxim Solodovnik <so...@gmail.com>.
should be fixed
could you please set your scope to SUBTREE and try again?
On 2 July 2014 21:21, Michael Wuttke <mi...@beuth-hochschule.de>
wrote:
> Hello Maxim,
>
> You mean?
> https://issues.apache.org/jira/browse/OPENMEETINGS-1033
>
> Yes, that would be nice!
>
> Our AuthLDAPUrl is ldaps://x.x.x.x
> y.y.y.y:636/ou=users,dc=company,dc=de?sAMAccountName?sub"
>
> Thanks a lot,
> Michael
>
> On 02.07.2014 16:07, Maxim Solodovnik wrote:
> > I'll try to fix OPENMEETINGS-1033 maybe it will help with your AD
> >
> >
> > On 2 July 2014 17:44, Michael Wuttke <michael.wuttke@beuth-hochschule.de
> > <ma...@beuth-hochschule.de>> wrote:
> >
> > Hello Maxim, Hello Thibault,
> >
> > Yes it is an Active Directory server.
> >
> > Ok, I tested now with the following configuration:
> > ldap_auth_type=SEARCHANDBIND
> > ldap_userdn_format=CN=%s,CN=Users,DC=company,DC=de
> > and
> >
> ldap_search_query=(&(objectCategory=person)(objectClass=user)(sAMAccountName=%1$s))
> > with:
> > ldap_search_query=(CN=%s)
> > and with:
> > ldap_search_query=(samAccountName=%s)
> >
> > But I still always get the same error message:
> >
> > 'NONE users found in LDAP'
> >
> > Please see:
> > http://pastebin.com/fyQvRKK7
> >
> > Thanks for any hints,
> > Michael
> >
> > On 02.07.2014 09:31, Thibault Le Meur wrote:
> > > I don't understand your LDAP setup.
> > >
> > > What is your directory ?
> > > Is it an Active Directory server ?
> > >
> > > In an ActiveDirectory LDAP server, the basic tree is something like:
> > > ROOT
> > > CN=Users,ROOT
> > > CN=aUser,CN=Users,ROOT
> > >
> > >
> > > So using simplebind would require:
> > > ldap_auth_type=SIMPLEBIND
> > > ldap_userdn_format=CN=%s,CN=Users,DC=company,DC=de
> > >
> > > However, this is only the basic structure, and your AD
> > administrator may
> > > have created OU and changed this Tree.
> > >
> > >
> > >
> > > So you may want to use SEARCHANDBIND instead.
> > > For this you need a login on the AD that will have the ability to
> > search
> > > for users, then you should use an LDAP_FILTER that will search for
> > users.
> > > But your LDAP filter will most likely be
> > > ldap_search_query=(CN=%s)
> > > or
> > > ldap_search_query=(samAccountName=%s)
> > >
> > >
> > > My 2 cents,
> > > Thibault Le Meur
> > >
> > >
> > > On 02/07/2014 06:30, Maxim Solodovnik wrote:
> > >> login with admin DN is not happening in case of SIMPLEBIND.
> > >> You need to use SEARCHANDBIND to login with admin DN
> > >>
> > >>
> (&(objectCategory=person)(objectClass=user)(sAMAccountName=%1$s))
> > >> this filter should search for users
> > >> you can use %1$s placeholder more than once in search query
> > >>
> > >>
> > >>
> > >>
> > >> On 1 July 2014 17:37, Michael Wuttke
> > >> <michael.wuttke@beuth-hochschule.de
> > <ma...@beuth-hochschule.de>
> > >> <mailto:michael.wuttke@beuth-hochschule.de
> > <ma...@beuth-hochschule.de>>> wrote:
> > >>
> > >> Hello Maxim,
> > >>
> > >> the parameters -Djavax.net.ssl.keyStore,
> > >> -Djavax.net.ssl.keyStorePassword, -Djavax.net.ssl.trustStore
> and
> > >> -Djavax.net.ssl.trustStorePassword are set to the JAVA_OPT
> > environment
> > >> of the red5.sh script.
> > >>
> > >> The credentials ldap_conn_host, ldap_conn_port=636,
> > >> ldap_conn_secure=true, ldap_admin_dn, ldap_passwd &
> > >> ldap_search_base are
> > >> correct. Same as in PHP (moodle and mahara).
> > >>
> > >> And:
> > >> ldap_search_query=(uid=%s)
> > >> ldap_auth_type=SIMPLEBIND
> > >> ldap_userdn_format=uid=%s,DC=company,DC=de
> > >>
> > >> Additionally: The user attribute is 'sAMAccountName', the
> > user type is
> > >> 'MS ActiveDirectory' and the objectclass is 'person'.
> > >>
> > >> How can I configure these credentials correctly in the
> > om_ldap.cfg?
> > >>
> > >> Thanks for any help,
> > >> Michael
> > >>
> > >> On 29.06.2014 04:00, Maxim Solodovnik wrote:
> > >> > Is it possible DN you are using is incorrect?
> > >> > According to error code DN or password are incorrect :(
> > >> > not sure what to do without testing environment :(
> > >> >
> > >> >
> > >> > On 29 June 2014 01:20, <mwuttke@beuth-hochschule.de
> > <ma...@beuth-hochschule.de>
> > >> <mailto:mwuttke@beuth-hochschule.de
> > <ma...@beuth-hochschule.de>>
> > >> > <mailto:mwuttke@beuth-hochschule.de
> > <ma...@beuth-hochschule.de>
> > >> <mailto:mwuttke@beuth-hochschule.de
> > <ma...@beuth-hochschule.de>>>> wrote:
> > >> >
> > >> > Hello Maxim,
> > >> >
> > >> > ok I added the official ldap certificate/CA to a
> self-created
> > >> truststore
> > >> > and '-Djavax.net.debug=all'
> > >> '-Djavax.net.ssl.trustStore=trustStore
> > >> > -Djavax.net.ssl.trustStorePassword=Password' to the
> > >> LOGGING_OPTS and the
> > >> > JVM_OPTS environment in the red5/red5.sh file.
> > >> >
> > >> > But I've got the same error messages after a restart of
> the
> > >> OM server:
> > >> >
> > >> > DEBUG 06-28 19:56:36.755 o.a.m.f.s.SslFilter:452
> > >> [NioProcessor-17] -
> > >> > Session Client[1](SSL): Message received :
> HeapBuffer[pos=0
> > >> lim=149
> > >> > cap=4096: 17 03 01 00 90 B3 55 AF 21 A8 57 AE 05 27 45
> > 18...]
> > >> > DEBUG 06-28 19:56:36.756 o.a.m.f.s.SslFilter:685
> > >> [NioProcessor-17] -
> > >> > Session Client[1](SSL): Processing the SSL Data
> > >> > DEBUG 06-28 19:56:36.756
> o.a.m.f.c.ProtocolCodecFilter:211
> > >> > [NioProcessor-17] - Processing a MESSAGE_RECEIVED for
> > session 1
> > >> > DEBUG 06-28 19:56:36.766
> > o.a.d.l.c.a.LdapNetworkConnection:1861
> > >> > [NioProcessor-17] - -------> MessageType : BIND_RESPONSE
> > >> > Message ID : 1
> > >> > BindResponse
> > >> > Ldap Result
> > >> > Result code : (INVALID_CREDENTIALS)
> > >> invalidCredentials
> > >> > Matched Dn : ''
> > >> > Diagnostic message : '80090308: LdapErr:
> > >> DSID-0C0903A9,
> > >> > comment: AcceptSecurityContext error, data 52e, v1db1'
> > >> >
> > >> > Do I need to create a certificate for the OM Server as
> well
> > >> and add it
> > >> > to a keyStore?
> > >> >
> > >> > Thanks for any help,
> > >> > Michael
> > >> >
> > >> > On 28.06.14 04:26, Maxim Solodovnik wrote:
> > >> > > In case it is SSL issue you can try to enable SSL
> logs:
> > >> > > -Djavax.net.debug=all (
> > >> > >
> > >> >
> > >>
> >
> http://docs.oracle.com/javase/1.5.0/docs/guide/security/jsse/ReadDebug.html)
> > >> > > Additionally you can specify your custom truststore
> (in
> > >> case of
> > >> > self-signed
> > >> > > certificate)
> > >> > >
> > >> > > -Djavax.net.ssl.trustStore=trustStore
> > >> > >
> > >> > > and/or add your certificate/CA to java global
> truststore
>
--
WBR
Maxim aka solomax
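The two auth modes argued over in this message (SIMPLEBIND formats a DN from ldap_userdn_format and binds as it; SEARCHANDBIND binds as ldap_admin_dn, runs ldap_search_query and then binds as the single entry found), the %s / %1$s placeholder and the ldap_search_scope setting that finally made it work, as an added offline model. This is example code, not OpenMeetings' implementation: the in-memory directory, its two entries and their passwords are constructed for the example, the configuration values are those posted in the thread (ldap_userdn_format adjusted to the constructed tree), and the filter evaluator handles only the equality and AND forms the thread uses. It also goes one step beyond the discussion above by escaping the login per RFC 4515 (filter) and RFC 4514 (DN) before substitution, so a login containing filter metacharacters cannot alter the query's structure.

```python
"""Offline model of the SIMPLEBIND / SEARCHANDBIND flow configured in om_ldap.cfg.
Added example, not OpenMeetings code: renders the %s / %1$s placeholders with
RFC 4515 / RFC 4514 escaping and applies ldap_search_scope and a minimal filter
evaluator to a constructed in-memory directory instead of a live AD server."""
import re

_FILTER_ESC = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}  # RFC 4515
_DN_ESC = set(',+"\\<>;')  # RFC 4514 special characters (leading/trailing space not handled)

def escape_filter_value(value):
    return "".join(_FILTER_ESC.get(ch, ch) for ch in value)

def escape_dn_value(value):
    return "".join("\\" + ch if ch in _DN_ESC else ch for ch in value)

def render_template(template, login, escaper):
    """Replace every %s or %1$s (Java String.format tokens) with the escaped login."""
    return re.sub(r"%(?:1\$)?s", lambda _m: escaper(login), template)

def _split_top(s):
    """Split '(a=b)(c=d)' into its top-level parenthesised parts."""
    parts, depth, start = [], 0, 0
    for i, ch in enumerate(s):
        depth += 1 if ch == "(" else -1 if ch == ")" else 0
        if ch == "(" and depth == 1:
            start = i
        elif ch == ")" and depth == 0:
            parts.append(s[start:i + 1])
    return parts

def parse_filter(text):
    """RFC 4515 subset: (attr=value) and (&(...)(...)); values are literal (no wildcards)."""
    body = text.strip()[1:-1]
    if body.startswith("&"):
        return ("and", [parse_filter(p) for p in _split_top(body[1:])])
    attr, _, value = body.partition("=")
    unescaped = re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)
    return ("eq", attr.lower(), unescaped)

def _matches(node, entry):
    if node[0] == "and":
        return all(_matches(n, entry) for n in node[1])
    _, attr, value = node
    vals = entry.get(attr, [])
    vals = [vals] if isinstance(vals, str) else vals
    return any(v.lower() == value.lower() for v in vals)  # AD compares case-insensitively

def in_scope(dn, base, scope):
    """OBJECT: the base only; ONELEVEL: direct children; SUBTREE: base and everything below."""
    dn, base = dn.lower(), base.lower()
    if scope == "OBJECT" or dn == base:
        return dn == base and scope != "ONELEVEL"
    if not dn.endswith("," + base):
        return False
    return scope == "SUBTREE" or "," not in dn[:-len(base) - 1]  # toy: ignores escaped commas

class FakeDirectory:
    """Constructed stand-in for the AD server; attribute names are lower-case."""
    def __init__(self, entries):
        self.entries = {e["dn"].lower(): e for e in entries}

    def bind(self, dn, password):
        e = self.entries.get(dn.lower())
        return e is not None and e.get("userpassword") == password

    def search(self, base, scope, flt):
        node = parse_filter(flt)
        return [e for e in self.entries.values() if in_scope(e["dn"], base, scope) and _matches(node, e)]

def authenticate(directory, cfg, login, password):
    """Return the DN bound as the user, or None, following ldap_auth_type."""
    if cfg["ldap_auth_type"] == "SIMPLEBIND":
        dn = render_template(cfg["ldap_userdn_format"], login, escape_dn_value)
        return dn if directory.bind(dn, password) else None
    # SEARCHANDBIND: the service account searches, then we bind as the single hit.
    if not directory.bind(cfg["ldap_admin_dn"], cfg["ldap_passwd"]):
        raise PermissionError("ldap_admin_dn bind failed")
    flt = render_template(cfg["ldap_search_query"], login, escape_filter_value)
    hits = directory.search(cfg["ldap_search_base"], cfg["ldap_search_scope"], flt)
    if len(hits) != 1:  # zero hits is the 'NONE users found in LDAP' case seen in this thread
        return None
    return hits[0]["dn"] if directory.bind(hits[0]["dn"], password) else None

DIRECTORY = FakeDirectory([  # constructed entries; passwords are placeholders
    {"dn": "CN=ldapauth,OU=Users,DC=Company,DC=com", "objectclass": ["top", "person", "user"],
     "objectcategory": "person", "samaccountname": "ldapauth", "userpassword": "ldapauthpasswd"},
    # the user sits one OU below the search base, as AD admins often arrange it
    {"dn": "CN=Michael Wuttke,OU=Staff,OU=Users,DC=Company,DC=com", "objectclass": ["top", "person", "user"],
     "objectcategory": "person", "samaccountname": "mwuttke", "sn": "Wuttke", "userpassword": "s3cret"},
])

CFG = {  # values as posted in this thread (ldap_userdn_format adjusted to the constructed tree)
    "ldap_admin_dn": "CN=ldapauth,OU=Users,DC=Company,DC=com", "ldap_passwd": "ldapauthpasswd",
    "ldap_search_base": "OU=Users,DC=Company,DC=com", "ldap_search_scope": "SUBTREE",
    "ldap_search_query": "(&(objectCategory=person)(objectClass=person)(sAMAccountName=%1$s))",
    "ldap_auth_type": "SEARCHANDBIND",
    "ldap_userdn_format": "CN=%s,OU=Staff,OU=Users,DC=Company,DC=com",
}
```

With the posted SEARCHANDBIND settings `authenticate(DIRECTORY, CFG, "mwuttke", "s3cret")` returns the user's DN; switching the scope to ONELEVEL or the query to `(uid=%s)` yields no hit, which is the failure mode reported earlier in the thread, and with SIMPLEBIND the login must be the exact CN that the DN template expects.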
Re: [jira] [Resolved] (OPENMEETINGS-964) LDAP login should be refactored
Posted by Michael Wuttke <mi...@beuth-hochschule.de>.
Hello Maxim,
You mean?
https://issues.apache.org/jira/browse/OPENMEETINGS-1033
Yes, that would be nice!
Our AuthLDAPUrl is ldaps://x.x.x.x
y.y.y.y:636/ou=users,dc=company,dc=de?sAMAccountName?sub"
Thanks a lot,
Michael
On 02.07.2014 16:07, Maxim Solodovnik wrote:
> I'll try to fix OPENMEETINGS-1033 maybe it will help with your AD
>
>
> On 2 July 2014 17:44, Michael Wuttke <michael.wuttke@beuth-hochschule.de
> <ma...@beuth-hochschule.de>> wrote:
>
> Hello Maxim, Hello Thibault,
>
> Yes it is an Active Directory server.
>
> Ok, I tested now with the following configuration:
> ldap_auth_type=SEARCHANDBIND
> ldap_userdn_format=CN=%s,CN=Users,DC=company,DC=de
> and
> ldap_search_query=(&(objectCategory=person)(objectClass=user)(sAMAccountName=%1$s))
> with:
> ldap_search_query=(CN=%s)
> and with:
> ldap_search_query=(samAccountName=%s)
>
> But I still always get the same error message:
>
> 'NONE users found in LDAP'
>
> Please see:
> http://pastebin.com/fyQvRKK7
>
> Thanks for any hints,
> Michael
>
> On 02.07.2014 09:31, Thibault Le Meur wrote:
> > I don't understand your LDAP setup.
> >
> > What is your directory ?
> > Is it an Active Directory server ?
> >
> > In an ActiveDirectory LDAP server, the basic tree is something like:
> > ROOT
> > CN=Users,ROOT
> > CN=aUser,CN=Users,ROOT
> >
> >
> > So using simplebind would require:
> > ldap_auth_type=SIMPLEBIND
> > ldap_userdn_format=CN=%s,CN=Users,DC=company,DC=de
> >
> > However, this is only the basic structure, and your AD
> administrator may
> > have created OU and changed this Tree.
> >
> >
> >
> > So you may want to use SEARCHANDBIND instead.
> > For this you need a login on the AD that will have the ability to
> search
> > for users, then you should use an LDAP_FILTER that will search for
> users.
> > But your LDAP filter will most likely be
> > ldap_search_query=(CN=%s)
> > or
> > ldap_search_query=(samAccountName=%s)
> >
> >
> > My 2 cents,
> > Thibault Le Meur
> >
> >
> > On 02/07/2014 06:30, Maxim Solodovnik wrote:
> >> login with admin DN is not happening in case of SIMPLEBIND.
> >> You need to use SEARCHANDBIND to login with admin DN
> >>
> >> (&(objectCategory=person)(objectClass=user)(sAMAccountName=%1$s))
> >> this filter should search for users
> >> you can use %1$s placeholder more than once in search query
> >>
> >>
> >>
> >>
> >> On 1 July 2014 17:37, Michael Wuttke
> >> <michael.wuttke@beuth-hochschule.de
> <ma...@beuth-hochschule.de>
> >> <mailto:michael.wuttke@beuth-hochschule.de
> <ma...@beuth-hochschule.de>>> wrote:
> >>
> >> Hello Maxim,
> >>
> >> the parameters -Djavax.net.ssl.keyStore,
> >> -Djavax.net.ssl.keyStorePassword, -Djavax.net.ssl.trustStore and
> >> -Djavax.net.ssl.trustStorePassword are set to the JAVA_OPT
> environment
> >> of the red5.sh script.
> >>
> >> The credentials ldap_conn_host, ldap_conn_port=636,
> >> ldap_conn_secure=true, ldap_admin_dn, ldap_passwd &
> >> ldap_search_base are
> >> correct. Same as in PHP (moodle and mahara).
> >>
> >> And:
> >> ldap_search_query=(uid=%s)
> >> ldap_auth_type=SIMPLEBIND
> >> ldap_userdn_format=uid=%s,DC=company,DC=de
> >>
> >> Additionally: The user attribute is 'sAMAccountName', the
> user type is
> >> 'MS ActiveDirectory' and the objectclass is 'person'.
> >>
> >> How can I configure these credentials correctly in the
> om_ldap.cfg?
> >>
> >> Thanks for any help,
> >> Michael
> >>
> >> On 29.06.2014 04:00, Maxim Solodovnik wrote:
> >> > Is it possible DN you are using is incorrect?
> >> > According to error code DN or password are incorrect :(
> >> > not sure what to do without testing environment :(
> >> >
> >> >
> >> > On 29 June 2014 01:20, <mwuttke@beuth-hochschule.de
> <ma...@beuth-hochschule.de>
> >> <mailto:mwuttke@beuth-hochschule.de
> <ma...@beuth-hochschule.de>>
> >> > <mailto:mwuttke@beuth-hochschule.de
> <ma...@beuth-hochschule.de>
> >> <mailto:mwuttke@beuth-hochschule.de
> <ma...@beuth-hochschule.de>>>> wrote:
> >> >
> >> > Hello Maxim,
> >> >
> >> > ok I added the offical ldap certificate/CA to a selfcreated
> >> truststore
> >> > and '-Djavax.net.debug=all'
> >> '-Djavax.net.ssl.trustStore=trustStore
> >> > -Djavax.net.ssl.trustStorePassword=Password' to the
> >> LOGGING_OPTS and the
> >> > JVM_OPTS environment in the red5/red5.sh file.
> >> >
> >> > But I've got the same error messages after a restart of the
> >> OM server:
> >> >
> >> > DEBUG 06-28 19:56:36.755 o.a.m.f.s.SslFilter:452
> >> [NioProcessor-17] -
> >> > Session Client[1](SSL): Message received : HeapBuffer[pos=0
> >> lim=149
> >> > cap=4096: 17 03 01 00 90 B3 55 AF 21 A8 57 AE 05 27 45
> 18...]
> >> > DEBUG 06-28 19:56:36.756 o.a.m.f.s.SslFilter:685
> >> [NioProcessor-17] -
> >> > Session Client[1](SSL): Processing the SSL Data
> >> > DEBUG 06-28 19:56:36.756 o.a.m.f.c.ProtocolCodecFilter:211
> >> > [NioProcessor-17] - Processing a MESSAGE_RECEIVED for
> session 1
> >> > DEBUG 06-28 19:56:36.766
> o.a.d.l.c.a.LdapNetworkConnection:1861
> >> > [NioProcessor-17] - -------> MessageType : BIND_RESPONSE
> >> > Message ID : 1
> >> > BindResponse
> >> > Ldap Result
> >> > Result code : (INVALID_CREDENTIALS)
> >> invalidCredentials
> >> > Matched Dn : ''
> >> > Diagnostic message : '80090308: LdapErr:
> >> DSID-0C0903A9,
> >> > comment: AcceptSecurityContext error, data 52e, v1db1'
> >> >
> >> > Do I need to create a certificate for the OM Server as well
> >> and add it
> >> > to a keyStore?
> >> >
> >> > Thanks for any help,
> >> > Michael
> >> >
> >> > Am 28.06.14 04:26, schrieb Maxim Solodovnik:
> >> > > In case it is SSL issue you can try to enable SSL logs:
> >> > > -Djavax.net.debug=all (
> >> > >
> >> >
> >>
> http://docs.oracle.com/javase/1.5.0/docs/guide/security/jsse/ReadDebug.html)
> >> > > Additionally you can specify your custom truststore (in
> >> case of
> >> > self-signed
> >> > > certificate)
> >> > >
> >> > > -Djavax.net.ssl.trustStore=trustStore
> >> > >
> >> > > and/or add your certificate/CA to java global truststore
Re: [jira] [Resolved] (OPENMEETINGS-964) LDAP login should be refactored
Posted by Maxim Solodovnik <so...@gmail.com>.
I'll try to fix OPENMEETINGS-1033 maybe it will help with your AD
On 2 July 2014 17:44, Michael Wuttke <mi...@beuth-hochschule.de>
wrote:
--
WBR
Maxim aka solomax
Re: [jira] [Resolved] (OPENMEETINGS-964) LDAP login should be refactored
Posted by Michael Wuttke <mi...@beuth-hochschule.de>.
Hello Maxim, Hello Thibault,
Yes it is an Active Directory server.
Ok, I tested now with the following configuration:
ldap_auth_type=SEARCHANDBIND
ldap_userdn_format=CN=%s,CN=Users,DC=company,DC=de
and
ldap_search_query=(&(objectCategory=person)(objectClass=user)(sAMAccountName=%1$s))
with:
ldap_search_query=(CN=%s)
and with:
ldap_search_query=(samAccountName=%s)
But I still always get the same error message:
'NONE users found in LDAP'
Please see:
http://pastebin.com/fyQvRKK7
Thanks for any hints,
Michael
On 02.07.2014 09:31, Thibault Le Meur wrote:
Re: [jira] [Resolved] (OPENMEETINGS-964) LDAP login should be refactored
Posted by Thibault Le Meur <Th...@supelec.fr>.
I don't understand your LDAP setup.
What is your directory?
Is it an Active Directory server?
In an Active Directory LDAP server, the basic tree is something like:
ROOT
CN=Users,ROOT
CN=aUser,CN=Users,ROOT
So using simplebind would require:
ldap_auth_type=SIMPLEBIND
ldap_userdn_format=CN=%s,CN=Users,DC=company,DC=de
However, this is only the basic structure, and your AD administrator may
have created OUs and changed this tree.
So you may want to use SEARCHANDBIND instead.
For this you need a login on the AD that will have the ability to search
for users, then you should use an LDAP_FILTER that will search for users.
But your LDAP filter will most likely be
ldap_search_query=(CN=%s)
or
ldap_search_query=(samAccountName=%s)
My 2 cents,
Thibault Le Meur
On 02/07/2014 06:30, Maxim Solodovnik wrote:
Re: [jira] [Resolved] (OPENMEETINGS-964) LDAP login should be refactored
Posted by Maxim Solodovnik <so...@gmail.com>.
login with admin DN is not happening in case of SIMPLEBIND.
You need to use SEARCHANDBIND to login with admin DN
(&(objectCategory=person)(objectClass=user)(sAMAccountName=%1$s))
this filter should search for users
you can use the %1$s placeholder more than once in the search query
On 1 July 2014 17:37, Michael Wuttke <mi...@beuth-hochschule.de>
wrote:
--
WBR
Maxim aka solomax
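The two login modes described in Thibault's and Maxim's posts, modelled in Python against a small in-memory directory so it runs offline: SIMPLEBIND builds the user DN from ldap_userdn_format and binds as it, SEARCHANDBIND binds as ldap_admin_dn, runs ldap_search_query under ldap_search_base and then binds as the entry found. This is an added example, not OpenMeetings code: the entries, passwords, the service account CN=om-svc, the helper names and the %s/%1$s placeholder handling are constructed assumptions, and the RFC 4515/4514 escaping of the login name before substitution is a hardening step the thread does not discuss.

```python
"""Added model of the two om_ldap.cfg login modes; not OpenMeetings code."""
import re

# Constructed sample AD: one account in the default CN=Users container, one an
# administrator moved into an OU (Thibault's caveat), plus a service account.
DIRECTORY = {
    "CN=alice,CN=Users,DC=company,DC=de": {"objectCategory": "person", "sAMAccountName": "alice",
        "objectClass": ["top", "person", "user"], "userPassword": "alice-pw"},
    "CN=Bob Smith,OU=Staff,DC=company,DC=de": {"objectCategory": "person", "sAMAccountName": "bsmith",
        "objectClass": ["top", "person", "user"], "userPassword": "bob-pw"},
    "CN=om-svc,CN=Users,DC=company,DC=de": {"objectClass": ["top", "person",
        "user"], "sAMAccountName": "om-svc", "userPassword": "svc-pw"},
}

def escape_filter_value(s):  # RFC 4515: the login name stays a literal value
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in s)

def escape_dn_value(s):  # RFC 4514: value substituted into ldap_userdn_format
    out = "".join("\\" + c if c in '\\,+"<>;' else c for c in s)
    return re.sub(r"^([ #])", r"\\\1", out)

def fill(template, value):  # %s (older) or Java-style %1$s, possibly repeated
    return template.replace("%1$s", value).replace("%s", value)

_TERM = re.compile(r"\(([A-Za-z][\w-]*)=((?:\\[0-9a-fA-F]{2}|[^()\\])*)\)")

def parse_filter(f):
    """Accept (attr=value) or (&(attr=value)...); return [(attr, value)]."""
    body = f[2:-1] if f.startswith("(&") else f
    terms = _TERM.findall(body)
    if not terms or "".join("(%s=%s)" % t for t in terms) != body:
        raise ValueError("unsupported or malformed filter: " + f)
    unesc = lambda v: re.sub(r"\\([0-9a-fA-F]{2})",
                             lambda m: chr(int(m.group(1), 16)), v)
    return [(a.lower(), unesc(v).lower()) for a, v in terms]

def search(base, flt):
    terms, hits = parse_filter(flt), []
    for dn, attrs in DIRECTORY.items():
        low = {k.lower(): [str(x).lower() for x in (v if isinstance(v, list) else [v])]
               for k, v in attrs.items()}  # AD attribute names are case-insensitive
        if dn.lower().endswith("," + base.lower()) and all(
                v in low.get(a, []) for a, v in terms):
            hits.append(dn)
    return hits

def bind(dn, password):  # an unknown DN fails exactly like a wrong password (52e)
    entry = {d.lower(): e for d, e in DIRECTORY.items()}.get(dn.lower())
    return entry is not None and entry.get("userPassword") == password

def login(cfg, user, password):
    """Return (bound_dn, message); bound_dn is None when the login fails."""
    if cfg["ldap_auth_type"] == "SIMPLEBIND":
        dn = fill(cfg["ldap_userdn_format"], escape_dn_value(user))
    else:  # SEARCHANDBIND: service-account bind, search, then bind as the hit
        if not bind(cfg["ldap_admin_dn"], cfg["ldap_passwd"]):
            return None, "admin bind failed"
        hits = search(cfg["ldap_search_base"],
                      fill(cfg["ldap_search_query"], escape_filter_value(user)))
        if len(hits) != 1:
            return None, ("NONE users found in LDAP" if not hits else "ambiguous")
        dn = hits[0]
    return (dn, "ok") if bind(dn, password) else (None, "invalidCredentials " + dn)

SIMPLE = {"ldap_auth_type": "SIMPLEBIND",
          "ldap_userdn_format": "CN=%s,CN=Users,DC=company,DC=de"}
SEARCH = {"ldap_auth_type": "SEARCHANDBIND", "ldap_search_base": "DC=company,DC=de",
          "ldap_admin_dn": "CN=om-svc,CN=Users,DC=company,DC=de", "ldap_passwd": "svc-pw",
          "ldap_search_query": "(&(objectCategory=person)(objectClass=user)(sAMAccountName=%1$s))"}
```

With the sample data, bsmith (moved into OU=Staff) fails under SIMPLE because CN=%s,CN=Users,... never names his entry, but is found and bound under SEARCH; a login name matching no entry yields the 'NONE users found in LDAP' message Michael reports.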