Posted to user@openmeetings.apache.org by Stephen COTTHAM <st...@robertbird.com.au> on 2020/04/15 14:00:47 UTC

RE: [Possible Untrusted Sender] Re: Ldap with Microsoft Active Directory

Thanks Guys,

Confirmed on the DC that the

'sAMAccountName=%s,OU=Users,OU=London,OU=UK,OU=Company,DC=domain,DC=local' =  "sAMAccountName=stephen.cottham,OU=Users,OU=London,OU=UK,OU=Company,DC=domain,DC=local"

(however the DN in AD is Stephen Cottham – with a space)

Changed to SEARCHANDBIND, I can put in the wrong adm password and see it throws an exception, so we know the ADM account and password are correct.

So now when I do a logon attempt I get

DEBUG 04-15 13:51:54.681 o.a.o.c.l.LdapLoginManager:172 [nio-5443-exec-6] - LdapLoginmanager.doLdapLogin
WARN 04-15 13:51:54.710 o.a.o.c.l.LdapLoginManager:264 [nio-5443-exec-6] - Referral LDAP entry found, ignore it
WARN 04-15 13:51:54.711 o.a.o.c.l.LdapLoginManager:264 [nio-5443-exec-6] - Referral LDAP entry found, ignore it
WARN 04-15 13:51:54.711 o.a.o.c.l.LdapLoginManager:264 [nio-5443-exec-6] - Referral LDAP entry found, ignore it
ERROR 04-15 13:51:54.711 o.a.o.c.l.LdapLoginManager:269 [nio-5443-exec-6] - NONE users found in LDAP

I thought changing ldap_deref_mode=always should make it follow but still says ignore? – could this be related?

Changing the log level now and trying again.

Thanks!

Best regards

Stephen


From: Maxim Solodovnik <so...@gmail.com>
Sent: 15 April 2020 14:49
To: Openmeetings user-list <us...@openmeetings.apache.org>
Subject: [Possible Untrusted Sender] Re: Ldap with Microsoft Active Directory



On Wed, 15 Apr 2020 at 20:12, Stephen COTTHAM <st...@robertbird.com.au> wrote:
Thanks Gerald,

I've tried as suggested by using SAM and the UPN, even tried injecting the domain portion after the @ with the domain and email namespace; both result in the "No users was found:" message.

Looking at the logs as they are we see this:

DEBUG 04-15 12:51:52.393 o.a.o.d.d.u.UserDao:626 [nio-5443-exec-7] - No users was found: stephen.cottham
DEBUG 04-15 12:51:52.393 o.a.o.c.l.LdapLoginManager:201 [nio-5443-exec-7] - getByLogin:: authenticated ? false, login = 'stephen.cottham', domain = 1, user = null
ERROR 04-15 12:51:52.394 o.a.o.c.l.LdapLoginManager:338 [nio-5443-exec-7] - LDAP entry is null, search or lookup by Dn failed

According to your config
You have ldap_userdn_format='sAMAccountName=%s,OU=Users,OU=London,OU=UK,OU=Company,DC=domain,DC=local'

According to the log the login is `stephen.cottham`
So OM tries to authenticate using "sAMAccountName=stephen.cottham,OU=Users,OU=London,OU=UK,OU=Company,DC=domain,DC=local"
and is unable to find such a DN.

Can you confirm LDAP explorer is able to find such a user?


The last line, is it saying the variable is NULL as it returned no results from the bind OR is it saying the initial bind was not successful and therefore the variable is null? (this distinguishes if it’s the DN of the lookup user vs. getting the expected format correct)

Sorry I think I missed the debug option, can you please relink that here and I’ll see what else I can find out.

Also to confirm, the config file is escaping out the spaces?

For example:

ldap_admin_dn='CN=Adm some user with spaces,OU=London,OU=Administrative Users,OU=RBG,OU=Rights Delegation,DC=domain,DC=local'

Assume we don’t need to put the ‘ ‘ after the =’cn…. ? (just ruling this out as a cause)

Best regards

Stephen


From: Rohrbach, Gerald <G....@funkegruppe.de>
Sent: 15 April 2020 13:41
To: user@openmeetings.apache.org
Subject: AW: Ldap with Microsoft Active Directory

Stephen, depends on your AD and how users login.
For us this worked
ldap_search_query=(userPrincipalName=%s)

Go under AD, pick one user account, properties, Attribute Editor. This shows all.
(Probably under view you need to switch on advanced features!)

Gerald


From: Stephen COTTHAM [mailto:stephen.cottham@robertbird.com.au]
Sent: Wednesday, 15 April 2020 14:22
To: user@openmeetings.apache.org
Subject: Ldap with Microsoft Active Directory

Hey Guys,

I am in the same situation as Mathias' LDAP issue below.

My Config:

ldap_conn_host=DC
ldap_conn_port=389
ldap_conn_secure=false
ldap_admin_dn='CN=Adm some user,OU=London,OU=Administrative Users,OU=RBG,OU=Rights Delegation,DC=domain,DC=local'
ldap_passwd='******'
ldap_search_base='OU=Company,DC=domain,DC=local'
ldap_search_query=(sAMAccountName=%s)
ldap_search_scope=ONELEVEL
ldap_auth_type=SIMPLEBIND
ldap_userdn_format='sAMAccountName=%s,OU=Users,OU=London,OU=UK,OU=Company,DC=domain,DC=local'
ldap_provisionning=AUTOCREATE
ldap_deref_mode=always
ldap_use_admin_to_get_attrs=true
ldap_sync_password_to_om=true
ldap_group_mode=NONE
ldap_group_query=(&(memberUid=%s)(objectClass=posixGroup))
ldap_user_attr_login=sAMAccountName
ldap_user_attr_lastname=sn
ldap_user_attr_firstname=givenName
ldap_user_attr_mail=mail
ldap_user_attr_street=streetAddress
ldap_user_attr_additionalname=description
ldap_user_attr_fax=facsimileTelephoneNumber
ldap_user_attr_zip=postalCode
ldap_user_attr_country=co
ldap_user_attr_town=l
ldap_user_attr_phone=telephoneNumber
ldap_group_attr=memberOf
ldap_use_lower_case=false
ldap_import_query=(objectClass=inetOrgPerson)

Always returns:

No users was found:

Checked with ldapsearch and I can retrieve them fine, other systems that use LDAP from Linux such as Apache Guacamole and Next Cloud both have working AD integration using the same values I set there.

Is there a way to get better debug logs from OpenMeetings? About what it is sending to the DC? The initial bind status, error code from the DC etc.

I remember in old versions of OM we could run it in debug mode to stdout?

Otherwise is there anything obvious I’m missing here?

Best regards

Stephen




From: Mathias Kocks <ko...@labmed.de>
Sent: 15 April 2020 13:06
To: user@openmeetings.apache.org
Subject: [Possible Untrusted Sender] Can not use LDAP-Sync with Microsoft Active Directory

Hello,
I am new to this project and I have a problem with the LDAP sync. I cannot even find any good documentation...

My problem is that slapd does not find any user in my AD. I am not even sure if it is searching for real. I found some example configs in the mailing list archive, but they do not work for me.
I found this one:

#LDAP URL
ldap_conn_host=LDAP_server.Company.com
ldap_conn_port=636
ldap_conn_secure=true

# Login distinguished name (DN) for Authentication on LDAP Server
# Use full qualified LDAP DN
ldap_admin_dn=CN=ldapauth,OU=Users,DC=Company,DC=com

# Loginpass for Authentication on LDAP Server
ldap_passwd=ldapauthpasswd

# base to search for userdata(of user, that wants to login)
ldap_search_base=OU=Users,DC=Company,DC=com
#ldap_search_base=DC=Company,DC=com

# Fieldnames (can differ between Ldap servers)
ldap_search_query=(&(objectCategory=person)(objectClass=person)(sAMAccountName=%1$s))
#ldap_search_query=(sAMAccountName=%s)
#ldap_search_query=(CN=%s)

# the scope of the search might be: OBJECT, ONELEVEL, SUBTREE
ldap_search_scope=SUBTREE

# Ldap auth type(NONE, SEARCHANDBIND, SIMPLEBIND)
ldap_auth_type=SEARCHANDBIND

# userDN format, will be used to bind if ldap_auth_type=SIMPLEBIND
ldap_userdn_format=sAMAccountName=%s,OU=Users,DC=beuth-hochschule.de,DC=com
#ldap_userdn_format=sAMAccountName=%s,DC=Company,DC=com
#ldap_userdn_format=CN=%s,OU=Users,DC=Company,DC=com
#ldap_userdn_format=CN=%s,DC=Company,DC=com

# Ldap-password synchronization to OM DB
ldap_sync_password_to_om=false

# Ldap user attributes mapping
# Set the following internal OM user attributes to their corresponding Ldap-attribute
ldap_user_attr_lastname=sn

But even after I changed it to my AD and tried several changes, no users were found.

My actual config:

ldap_server_type=AD
ldap_conn_host=dc2.labmed.de
ldap_conn_port=389
ldap_conn_secure=false
ldap_admin_dn=CN=Administrator,CN=Users,DC=labmed,DC=de
ldap_passwd=SuperSecretPassword
ldap_search_base=OU=labmed,DC=labmed,DC=de
#ldap_search_query=(&(objectCategory=*)(objectClass=*)(sAMAccountName=%s))
ldap_search_query=(sAMAccountName=%s)
ldap_search_scope= SUBTREE
ldap_auth_type=SEARCHANDBIND
ldap_deref_mode=never
ldap_userdn_format=sAMAccountName=%s,DC=labmed,DC=de
ldap_provisionning=NONE
ldap_use_admin_to_get_attrs=true
ldap_sync_password_to_om=false
ldap_sync_attr_lastname=sn
ldap_user_attr_firstname=givenName
ldap_user_attr_mail=mail
ldap_user_attr_street=streetAddress
ldap_user_attr_additionalname=description
ldap_user_attr_fax=facsimileTelephoneNumber
ldap_user_attr_zip=postalCode
ldap_user_attr_country=co
ldap_user_attr_town=l
ldap_user_attr_phone=telephoneNumber
ldap_use_lower_case=false


It is the second day now where I am bursting with happiness....



Kind regards

Mathias Kocks
Team Lead, IT Infrastructure
Certified Information Security Officer ISO 27001 (TÜV Süd)

Überörtliche Berufsausübungsgemeinschaft
Medizinisches Versorgungszentrum
Dr. Eberhard & Partner Dortmund
MVZ-Haus 3: Balkenstr. 12-14
44137 Dortmund, Germany

Tel.:  +49 231 9572 7158
Fax.: +49 231 9572 18 159
E-Mail: kocks@labmed.de
Web: https://www.labmed.de



--
Best regards,
Maxim

Re: Installing Kurento

Posted by df...@gmx.de.
Kurento was for my actual system a "not possible", too. I am using a 32bit system and
there is no easy way to install Kurento there. Of course I can compile it by myself,
but I think that is shooting with cannons on little birds. Sadly I have to wait until I
migrate to a 64bit system - which will not be before 3rd quarter of 2020.

Best regards



Re: [Possible Untrusted Sender] Re: [Possible Untrusted Sender] Re: Ldap with Microsoft Active Directory

Posted by Maxim Solodovnik <so...@gmail.com>.
Great :))

On Wed, 15 Apr 2020 at 23:02, Stephen COTTHAM <stephen.cottham@robertbird.com.au> wrote:

> Thanks Maxim,
>
> Changed the referral to *follow* (not sure that’s a valid option or not)
> – then removed the *add domain to user name* under administration and
> then used the *email address* which in our case is the UPN.
>
> Logged on and working now.
>
> Thanks for your help guys!
>
> I’ll add the JIRA for the referral shortly.
>


-- 
Best regards,
Maxim

RE: [Possible Untrusted Sender] Re: [Possible Untrusted Sender] Re: Ldap with Microsoft Active Directory

Posted by Stephen COTTHAM <st...@robertbird.com.au>.
Thanks Maxim,

Changed the referral to follow (not sure that’s a valid option or not) – then removed the add domain to user name under administration and then used the email address which in our case is the UPN.

Logged on and working now.

Thanks for your help guys!

I’ll add the JIRA for the referral shortly.

From: Maxim Solodovnik <so...@gmail.com>
Sent: 15 April 2020 15:32
To: Openmeetings user-list <us...@openmeetings.apache.org>
Subject: [Possible Untrusted Sender] Re: [Possible Untrusted Sender] Re: Ldap with Microsoft Active Directory



On Wed, 15 Apr 2020 at 21:01, Stephen COTTHAM <st...@robertbird.com.au> wrote:
Thanks Guys,

Confirmed on the DC that the

'sAMAccountName=%s,OU=Users,OU=London,OU=UK,OU=Company,DC=domain,DC=local' =  "sAMAccountName=stephen.cottham,OU=Users,OU=London,OU=UK,OU=Company,DC=domain,DC=local"

(however the DN in AD is Stephen Cottham – with a space)

so perhaps you should enter `Stephen Cottham` in the login field?


Changed to SEARCHANDBIND, I can put in the wrong adm password and see it throws an exception, so we know the ADM account and password are correct.

So now when I do a logon attempt I get

DEBUG 04-15 13:51:54.681 o.a.o.c.l.LdapLoginManager:172 [nio-5443-exec-6] - LdapLoginmanager.doLdapLogin
WARN 04-15 13:51:54.710 o.a.o.c.l.LdapLoginManager:264 [nio-5443-exec-6] - Referral LDAP entry found, ignore it
WARN 04-15 13:51:54.711 o.a.o.c.l.LdapLoginManager:264 [nio-5443-exec-6] - Referral LDAP entry found, ignore it
WARN 04-15 13:51:54.711 o.a.o.c.l.LdapLoginManager:264 [nio-5443-exec-6] - Referral LDAP entry found, ignore it
ERROR 04-15 13:51:54.711 o.a.o.c.l.LdapLoginManager:269 [nio-5443-exec-6] - NONE users found in LDAP

I thought changing ldap_deref_mode=always should make it follow but still says ignore? – could this be related?

Actually this part is not tested :(
I have no idea what "Referral LDAP entry" means, I guess it is a sort of link to the correct entry?
Maybe it is worth updating the search query to get the real entry as a result?
Please file a JIRA
I'll try to improve this


Changing the log level now and trying again.

Thanks!

Best regards

Stephen


From: Maxim Solodovnik <so...@gmail.com>>
Sent: 15 April 2020 14:49
To: Openmeetings user-list <us...@openmeetings.apache.org>>
Subject: [Possible Untrusted Sender] Re: Ldap with Microsoft Active Directory



On Wed, 15 Apr 2020 at 20:12, Stephen COTTHAM <st...@robertbird.com.au>> wrote:
Thanks Gerald,

Ive tried as suggested by using SAM and the UPN, even tried injecting the domain portion after the @ with the domain and email namespace, both result in the - No users was found:

Looking at the logs as they are we see this:

DEBUG 04-15 12:51:52.393 o.a.o.d.d.u.UserDao:626 [nio-5443-exec-7] - No users was found: stephen.cottham
DEBUG 04-15 12:51:52.393 o.a.o.c.l.LdapLoginManager:201 [nio-5443-exec-7] - getByLogin:: authenticated ? false, login = 'stephen.cottham', domain = 1, user = null
ERROR 04-15 12:51:52.394 o.a.o.c.l.LdapLoginManager:338 [nio-5443-exec-7] - LDAP entry is null, search or lookup by Dn failed

According to your config
You have ldap_userdn_format='sAMAccountName=%s,OU=Users,OU=London,OU=UK,OU=Company,DC=domain,DC=local'

According to the log login is `stephen.cottham`
So Om tries to authenticate using "sAMAccountName=stephen.cottham,OU=Users,OU=London,OU=UK,OU=Company,DC=domain,DC=local"
And unable to find such DN

can you confirm LDAP explorer able to find such user?


The last line, is it saying the variable is NULL as it returned no results from the bind OR is it saying the initial bind was not successful and therefore the variable is null? (this distinguishes if it’s the DN of the lookup user vs. getting the expected format correct)

Sorry I think I missed the debug option, can you please relink that here and I’ll see what else I can find out.

Also to confirm, the config file is escaping out the spaces?

For example:

ldap_admin_dn='CN=Adm some user with spaces,OU=London,OU=Administrative Users,OU=RBG,OU=Rights Delegation,DC=domain,DC=local'

Assume we don’t need to put the ‘ ‘ after the =’cn…. ? (just ruling this out as a cause)

Best regards

Stephen


From: Rohrbach, Gerald <G....@funkegruppe.de>>
Sent: 15 April 2020 13:41
To: user@openmeetings.apache.org<ma...@openmeetings.apache.org>
Subject: AW: Ldap with Microsoft Active Directory

Stephen, depends on your AD and how users login.
For us this worked
ldap_search_query=(userPrincipalName=%s)

Go under AD, pik one user account, properties, Attribute Editor. This shows all.
(
Probably under view you need to switch on advanced features!

Gerald


Von: Stephen COTTHAM [mailto:stephen.cottham@robertbird.com.au]
Gesendet: Mittwoch, 15. April 2020 14:22
An: user@openmeetings.apache.org<ma...@openmeetings.apache.org>
Betreff: Ldap with Microsoft Active Directory

Hey Guys,

I am in the same situation as Mathias ldap issue below.

My Config:

ldap_conn_host=DC
ldap_conn_port=389
ldap_conn_secure=false
ldap_admin_dn='CN=Adm some user,OU=London,OU=Administrative Users,OU=RBG,OU=Rights Delegation,DC=domain,DC=local'
ldap_passwd='******'
ldap_search_base='OU=Company,DC=domain,DC=local'
ldap_search_query=(sAMAccountName=%s)
ldap_search_scope=ONELEVEL
ldap_auth_type=SIMPLEBIND
ldap_userdn_format='sAMAccountName=%s,OU=Users,OU=London,OU=UK,OU=Company,DC=domain,DC=local'
ldap_provisionning=AUTOCREATE
ldap_deref_mode=always
ldap_use_admin_to_get_attrs=true
ldap_sync_password_to_om=true
ldap_group_mode=NONE
ldap_group_query=(&(memberUid=%s)(objectClass=posixGroup))
ldap_user_attr_login=sAMAccountName
ldap_user_attr_lastname=sn
ldap_user_attr_firstname=givenName
ldap_user_attr_mail=mail
ldap_user_attr_street=streetAddress
ldap_user_attr_additionalname=description
ldap_user_attr_fax=facsimileTelephoneNumber
ldap_user_attr_zip=postalCode
ldap_user_attr_country=co
ldap_user_attr_town=l
ldap_user_attr_phone=telephoneNumber
ldap_group_attr=memberOf
ldap_use_lower_case=false
ldap_import_query=(objectClass=inetOrgPerson)

Always returns:

No users was found:

Checked with ldapsearch and I can retrieve them fine, other systems that use LDAP from Linux such as Apache Guacamole and Next Cloud both have working AD integration using the same values I set there.

Is there a way to get a better debug logs from open Meetings? About what it is sending to the DC? The initial bind status, error code from the DC etc..

I rem in old versions of OM we could run it in debug mode to stdout?

Otherwise is there anything obviously I’m missing here?

Best regards

Stephen




From: Mathias Kocks <ko...@labmed.de>>
Sent: 15 April 2020 13:06
To: user@openmeetings.apache.org<ma...@openmeetings.apache.org>
Subject: [Possible Untrusted Sender] Can not use LDAP-Sync with Microsoft Active Directory

Hello,
i am new to this project and a have a problem with the LDAP-Sync. I even can not find any good documentations...

My problem is, that slapd does not find any user in my AD. I am not even shure, if it is searching for real. I found in the mailing list archive some example configs, but they does not work for me.
I found this one:

#LDAP URL
ldap_conn_host=LDAP_server.Company.com<https://urldefense.com/v3/__http:/LDAP_server.Company.com__;!!Bv4Xkg!2xLNgnIK88W3MdQEntXnQ0HKeF8fWlkjirlDtulG9Sy-A0oLRiosiw6wpzAe40jp_x50tz6JPw$>
ldap_conn_port=636
ldap_conn_secure=true

# Login distinguished name (DN) for Authentication on LDAP Server
# Use full qualified LDAP DN
ldap_admin_dn=CN=ldapauth,OU=Users,DC=Company,DC=com

# Loginpass for Authentication on LDAP Server
ldap_passwd=ldapauthpasswd

# base to search for userdata(of user, that wants to login)
ldap_search_base=OU=Users,DC=Company,DC=com
#ldap_search_base=DC=Company,DC=com

# Fieldnames (can differ between Ldap servers)
ldap_search_query=(&(objectCategory=person)(objectClass=person)(sAMAccountName=%1$s))
#ldap_search_query=(sAMAccountName=%s)
#ldap_search_query=(CN=%s)

# the scope of the search might be: OBJECT, ONELEVEL, SUBTREE
ldap_search_scope=SUBTREE

# Ldap auth type(NONE, SEARCHANDBIND, SIMPLEBIND)
ldap_auth_type=SEARCHANDBIND

# userDN format, will be used to bind if ldap_auth_type=SIMPLEBIND
ldap_userdn_format=sAMAccountName=%s,OU=Users,DC=beuth-hochschule.de<https://urldefense.com/v3/__http:/beuth-hochschule.de__;!!Bv4Xkg!2xLNgnIK88W3MdQEntXnQ0HKeF8fWlkjirlDtulG9Sy-A0oLRiosiw6wpzAe40jp_x4wOw-oZw$>,DC=com
#ldap_userdn_format=sAMAccountName=%s,DC=Company,DC=com
#ldap_userdn_format=CN=%s,OU=Users,DC=Company,DC=com
#ldap_userdn_format=CN=%s,DC=Company,DC=com

# Ldap-password synchronization to OM DB
ldap_sync_password_to_om=false

# Ldap user attributes mapping
# Set the following internal OM user attributes to their corresponding
Ldap-attribute
ldap_user_attr_lastname=sn

But even after i changed it to my AD and tried several changes, no users were found.

My actual config:

ldap_server_type=AD
ldap_conn_host=dc2.labmed.de<https://urldefense.com/v3/__http:/dc2.labmed.de__;!!Bv4Xkg!2xLNgnIK88W3MdQEntXnQ0HKeF8fWlkjirlDtulG9Sy-A0oLRiosiw6wpzAe40jp_x4x1-bceQ$>
ldap_conn_port=389
ldap_conn_secure=false
ldap_admin_dn=CN=Administrator,CN=Users,DC=labmed,DC=de
ldap_passwd=SuperSecretPassword
ldap_search_base=OU=labmed,DC=labmed,DC=de
#ldap_search_query=(&(objectCategory=*)(objectClass=*)(sAMAccountName=%s))
ldap_search_query=(sAMAccountName=%s)
ldap_search_scope= SUBTREE
ldap_auth_type=SEARCHANDBIND
ldap_deref_mode=never
ldap_userdn_format=sAMAccountName=%s,DC=labmed,DC=de
ldap_provisionning=NONE
ldap_use_admin_to_get_attrs=true
ldap_sync_password_to_om=false
ldap_sync_attr_lastname=sn
ldap_user_attr_firstname=givenName
ldap_user_attr_mail=mail
ldap_user_attr_street=streetAddress
ldap_user_attr_additionalname=description
ldap_user_attr_fax=facsimileTelephoneNumber
ldap_user_attr_zip=postalCode
ldap_user_attr_country=co
ldap_user_attr_town=l
ldap_user_attr_phone=telephoneNumber
ldap_use_lower_case=false


It is the second day by now where I am bursting with happiness....



Kind regards

Mathias Kocks
Team Lead IT Infrastructure
Certified Information Security Officer ISO 27001 (TÜV Süd)

Überörtliche Berufsausübungsgemeinschaft
Medizinisches Versorgungszentrum
Dr. Eberhard & Partner Dortmund
MVZ-Haus 3: Balkenstr. 12-14
44137 Dortmund, Germany

Tel.:  +49 231 9572 7158
Fax.: +49 231 9572 18 159
E-Mail: kocks@labmed.de
Web: https://www.labmed.de



--
Best regards,
Maxim


Re: [Possible Untrusted Sender] Re: Ldap with Microsoft Active Directory

Posted by Maxim Solodovnik <so...@gmail.com>.
On Wed, 15 Apr 2020 at 21:01, Stephen COTTHAM <stephen.cottham@robertbird.com.au> wrote:

> Thanks Guys,
>
>
>
> Confirmed on the DC that the
>
>
>
> 'sAMAccountName=%s,OU=Users,OU=London,OU=UK,OU=Company,DC=domain,DC=local'
> =
>  "sAMAccountName=stephen.cottham,OU=Users,OU=London,OU=UK,OU=Company,DC=domain,DC=local"
>
>
>
> (however the DN in AD is Stephen Cottham – with a space)
>

so perhaps you should enter `Stephen Cottham` in the login field?


>
>
> Changed to SEARCHANDBIND, I can put the wrong adm password in and see it
> throws an exception, so we know the ADM account and password is correct.
>
>
>
> So now when I do a logon attempt I get
>
>
>
> DEBUG 04-15 13:51:54.681 o.a.o.c.l.LdapLoginManager:172 [nio-5443-exec-6]
> - LdapLoginmanager.doLdapLogin
>
> WARN 04-15 13:51:54.710 o.a.o.c.l.LdapLoginManager:264 [nio-5443-exec-6] - Referral
> LDAP entry found, ignore it
>
> WARN 04-15 13:51:54.711 o.a.o.c.l.LdapLoginManager:264 [nio-5443-exec-6] - Referral
> LDAP entry found, ignore it
>
> WARN 04-15 13:51:54.711 o.a.o.c.l.LdapLoginManager:264 [nio-5443-exec-6] - Referral
> LDAP entry found, ignore it
>
> ERROR 04-15 13:51:54.711 o.a.o.c.l.LdapLoginManager:269 [nio-5443-exec-6]
> - NONE users found in LDAP
>
>
>
> I thought changing *ldap_deref_mode=always* Should make it follow but
> still says ignore? – could this be related?
>

Actually this part is not tested :(
I have no idea what "Referral LDAP entry" means; I guess it is a sort of link
to the correct entry?
Maybe it is worth updating the search query to get the real entry as a result?
Please file a JIRA.
I'll try to improve this.


>
>
> Changing the log level now and trying again.
>
>
>
> Thanks!
>
>
>
> Best regards
>
>
> Stephen
>
>
>


-- 
Best regards,
Maxim
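Two things in this exchange are easy to check without a directory at hand: how the login typed by the user ends up inside `ldap_userdn_format` (SIMPLEBIND) and `ldap_search_query` (SEARCHANDBIND), where a name with a space or a comma such as `Stephen Cottham` has to be escaped rather than pasted in, and why a search that only comes back with referral results ends in "NONE users found". The following is an added example and not OpenMeetings code; the escaping helpers follow RFC 4514 / RFC 4515 and the search results are constructed to mimic the three referrals in Stephen's log.

```python
# Added example (not OpenMeetings code). Builds the bind DN and search filter
# from the config templates on this thread with proper escaping of the login
# (the login is user input and must not be able to change DN or filter
# structure), and filters AD referrals out of a search result.

DN_ESCAPE = set('"+,;<>\\')   # RFC 4514 section 2.4: always escaped in a value


def escape_dn_value(value):
    """Escape an RDN attribute value; space only at the ends, '#' only at start."""
    out = []
    for i, ch in enumerate(value):
        at_edge = i == 0 or i == len(value) - 1
        if ch in DN_ESCAPE or (ch == ' ' and at_edge) or (ch == '#' and i == 0):
            out.append('\\' + ch)
        else:
            out.append(ch)
    return ''.join(out)


def escape_filter_value(value):
    """Escape a filter assertion value as \\XX hex (RFC 4515 section 3)."""
    table = {'\\': r'\5c', '*': r'\2a', '(': r'\28', ')': r'\29', '\0': r'\00'}
    return ''.join(table.get(ch, ch) for ch in value)


def build_user_dn(userdn_format, login):
    # ldap_userdn_format=CN=%s,OU=Users,...  ->  DN bound with SIMPLEBIND
    return userdn_format.replace('%1$s', '%s').replace('%s', escape_dn_value(login))


def build_search_filter(search_query, login):
    # ldap_search_query=(sAMAccountName=%s)  ->  filter used by SEARCHANDBIND
    return search_query.replace('%1$s', '%s').replace('%s', escape_filter_value(login))


def user_entries(results):
    """Keep only searchResEntry items. AD may answer a SUBTREE search with
    searchResRef referrals (DomainDnsZones, ForestDnsZones, Configuration) that
    carry no user attributes; referrals alone mean the filter matched nobody."""
    return [r for r in results if r['type'] == 'searchResEntry']


# Constructed sample results (domain.local is the placeholder used on the thread).
SAMPLE_REFERRALS_ONLY = [
    {'type': 'searchResRef', 'uri': 'ldap://domain.local/DC=DomainDnsZones,DC=domain,DC=local'},
    {'type': 'searchResRef', 'uri': 'ldap://domain.local/DC=ForestDnsZones,DC=domain,DC=local'},
    {'type': 'searchResRef', 'uri': 'ldap://domain.local/CN=Configuration,DC=domain,DC=local'},
]
SAMPLE_WITH_USER = SAMPLE_REFERRALS_ONLY + [
    {'type': 'searchResEntry', 'sAMAccountName': 'stephen.cottham',
     'dn': 'CN=Stephen Cottham,OU=Users,OU=London,OU=UK,OU=Company,DC=domain,DC=local'},
]
```

Running `build_user_dn` on the thread's DN template with `Stephen Cottham` keeps the inner space untouched, while a value like `Cottham, Stephen` gets its comma escaped instead of splitting the RDN; `user_entries(SAMPLE_REFERRALS_ONLY)` is empty, which is the "NONE users found" case.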