Posted to user@openmeetings.apache.org by "Rohrbach, Gerald" <G....@funkegruppe.de> on 2020/04/14 07:31:37 UTC

RE: Country from Active Directory Deutschland not mapped because OM expects DE.

Maxim,
now I remember you wrote this already…. I'm getting old…

I think I can’t change what is stored in ActiveDirectory. It’s a predefined list from MS.

But what you wrote means you are doing a mapping in OM.
So maybe I have a chance to add just Deutschland to the list.

But my code reading is for beginners only…
I looked in the db, so there is no table.
Where is the list of countries coming from?

I hope it's from an XML, so that I can just add the entry.
Another way: I just use the first 2 characters from Deutschland, which is DE; mapping should work then.

Quick and dirty….


/apache/openmeetings/db/util/LocaleHelper.java

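Maxim's point below is that OM expects the ISO country code and, when the value is unknown, silently takes the first entry of its list (Andorra). The following is an added example of mine, not OpenMeetings' LocaleHelper and not using its country list: it resolves either a code or a localized display name such as "Deutschland" through the JDK's own Locale data, and reports values it cannot resolve instead of guessing.

```java
import java.util.HashMap;
import java.util.Locale;
import java.util.Map;
import java.util.Optional;

// Hypothetical helper written for this thread (not OM code): maps whatever AD
// returns in "co" (an ISO code or a localized display name) to the ISO 3166-1
// alpha-2 code OM expects, and returns empty for unknown values rather than
// substituting the first list entry.
public class CountryResolver {
    // Upper-cased display name in every locale the JVM knows -> ISO code.
    private static final Map<String, String> NAME_TO_CODE = new HashMap<>();

    static {
        for (String iso : Locale.getISOCountries()) {
            Locale country = new Locale("", iso);
            for (Locale lang : Locale.getAvailableLocales()) {
                String name = country.getDisplayCountry(lang);
                // putIfAbsent: if two countries share a name, the lowest ISO code wins.
                if (!name.isEmpty()) {
                    NAME_TO_CODE.putIfAbsent(name.toUpperCase(Locale.ROOT), iso);
                }
            }
        }
    }

    // Returns the ISO code, or empty if the value is unknown; the caller should
    // then log the original value and leave the OM country unset.
    public static Optional<String> resolve(String raw) {
        if (raw == null || raw.isBlank()) {
            return Optional.empty();
        }
        String upper = raw.trim().toUpperCase(Locale.ROOT);
        // Already a code such as "DE"; reject two-letter values that are not a country.
        if (upper.length() == 2) {
            return NAME_TO_CODE.containsValue(upper) ? Optional.of(upper) : Optional.empty();
        }
        // Display name such as "Deutschland", "Germany" or "Allemagne".
        return Optional.ofNullable(NAME_TO_CODE.get(upper));
    }

    public static void main(String[] args) {
        // Constructed sample inputs, including the upper-cased form seen in the OM log.
        for (String s : new String[] {"DE", "Deutschland", "DEUTSCHLAND", "Germany", "Atlantis"}) {
            System.out.println(s + " -> " + resolve(s).orElse("unresolved, left empty"));
        }
    }
}
```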
From: Maxim Solodovnik [mailto:solomax666@gmail.com]
Sent: Monday, 13 April 2020 18:44
To: Openmeetings user-list <us...@openmeetings.apache.org>
Subject: Re: LDAP config Manual, Limit access to AD Group members

Hello,

On Mon, 13 Apr 2020 at 20:49, Rohrbach, Gerald <G....@funkegruppe.de> wrote:
Maxim, Orm

Finally I found the solution after reading openldap manuals and doing some testing.
As expected, very easy….., but it took me a while to understand the logic.

Now only members of the AD group appOpenmeetings can log in.

ldap_search_query=(&(userPrincipalName=%s)(memberOf=CN=appOpenMeetings,OU=Groups,DC=mydomain,DC=de))


Still I have a problem with the country, which is not transferred correctly from the AD.
But I think this is an openLdap issue, not OM.

I can see in the debug log co = Deutschland is read from AD, so that’s okay.
Countrycode = 276

Later on, this line:
WARN  04-13 15:14:35.964 o.a.o.d.u.LocaleHelper:54 [nio-5443-exec-7] - Invalid country found: DEUTSCHLAND, will be replaced with: AD

I do remember I wrote this before: OM expects country code NOT country name
If the country isn't found, the first country from the list is taken.

So OM expects LDAP to return "DE" as country NOT "Deutschland"


AD means Andorra, so that's wrong.

AD probably is the first entry.  Probably GERMANY is listed.
I do not think the mapping is done in OM

But this is a cosmetic issue only and no real problem in OM.
Maybe I will find a fix for that sometime.



Gerald


From: Maxim Solodovnik [mailto:solomax666@gmail.com]
Sent: Monday, 13 April 2020 12:48
To: Openmeetings user-list <us...@openmeetings.apache.org>
Subject: Re: LDAP config Manual, 1st draft - extension


On Mon, Apr 13, 2020, 17:40 Rohrbach, Gerald <G....@funkegruppe.de> wrote:
I do not remember, but I have to do some testing anyway tomorrow. So I'll check.
I have to figure out how to set it up so that only members of an AD group om-users get access to OM.

Can you use SEARCHANDBIND
and set up the search query to return results from this group only?



Gerald


-----Original Message-----
From: Orm Finnendahl [mailto:orm.finnendahl@selma.hfmdk-frankfurt.de]
Sent: Monday, 13 April 2020 12:31
To: user@openmeetings.apache.org
Subject: Re: LDAP config Manual, 1st draft - extension

Hi Gerald,

Thanks, I'll incorporate your suggestions into the HOWTO before submitting the pull request. Are the verbose debug logs also written to "catalina.out"?

--
Orm


On Monday, 13 April 2020 at 09:20:26 (+0000), Rohrbach, Gerald wrote:
> Orm,
>
> I had the same issues with LDAP. It took a long time to figure it out.
>
> A very good hint from Maxim was to switch debug logging on.
> With that it was much easier. So it's probably good to add this to your documentation.
> Somehow the LDAP config is related to how user accounts are set up in a corporation;
> that needs some understanding of this LDAP config.
>
> To make logging more verbose you can
> 1) stop OM
> 2) add the following line to logback-config.xml: <logger name="org.apache.directory" level="DEBUG" />
> 3) restart OM
>
> Here is my config; I marked changes with ##########
>
>
> #LDAP URL
> # This is the URL used to access your LDAP server.
> # if you want to use "ldaps://" links, please be aware that you need to import your CA certificate
> #  to a java keystore and add the -Djavax.net.ssl.keyStore, -Djavax.net.ssl.keyStorePassword,
> #  -Djavax.net.ssl.trustStore and -Djavax.net.ssl.trustStorePassword parameters to your
> #  JAVA_OPT environment
> ldap_conn_host=DomainController.mydomain.de ##########
>
> ldap_conn_port=389
> ldap_conn_secure=false
>
> # Login distinguished name (DN) for Authentication on LDAP Server - keep empty if not required
> # Use full qualified LDAP DN
> ldap_admin_dn=CN=ldapopenmeetings,OU=Users-Service-Accounts,DC=mydomain,DC=de ##########
>
> # Loginpass for Authentication on LDAP Server - keep empty if not required
> ldap_passwd=#mypassword#                                                 ##########
>
> # base to search for userdata(of user, that wants to login)
> ldap_search_base=DC=mydomain,DC=de                                         ##########
>
> # Fieldnames (can differ between Ldap servers)
> #ldap_search_query=(uid=%s)
> ldap_search_query=(userPrincipalName=%s)                                 ##########
>
>
> # the scope of the search might be: OBJECT, ONELEVEL, SUBTREE
> ldap_search_scope=SUBTREE                                                                 ##########
>
>
> # Ldap auth type(NONE, SEARCHANDBIND, SIMPLEBIND)
> #  When using SIMPLEBIND a simple bind is performed on the LDAP server to check user authentication
> #  When using NONE, the Ldap server is not used for authentication
> ldap_auth_type=SEARCHANDBIND                                                                      ##########
>
>
> # userDN format, will be used to bind if ldap_auth_type=SIMPLEBIND
> #  might be used to get provisionningDn in case ldap_auth_type=NONE
> #ldap_userdn_format=uid=%s,CN=Users,DC=mydomain,DC=de
> ldap_userdn_format=userPrincipalName=%s,CN=Users,DC=mydomain,DC=de                            ##########
>
>
> # Ldap provisioning type(NONE, AUTOCREATE, AUTOUPDATE)
> ldap_provisionning=AUTOCREATE                                                                                        ##########
>
>
> # Ldap deref mode (never, searching, finding, always)
> ldap_deref_mode=always
>
> #  Set this to 'true' if you want to use admin_dn to get user attributes
> #  If any other value is set, user_dn will be used
> ldap_use_admin_to_get_attrs=true
>
> # Ldap-password synchronization to OM DB
> #  Set this to 'true' if you want OM to synchronize the user Ldap-password to OM's internal DB
> #  If you want to disable the feature, set this to any other string.
> #  Default value is 'true'
> ldap_sync_password_to_om=true                                                                                      ##########
>
>
> # Ldap group mode (NONE, ATTRIBUTE, QUERY)
> # NONE means group associations will be ignored
> # ATTRIBUTE means group associations will be taken from 'ldap_group_attr' attribute (M$ AD mode)
> # QUERY means group associations will be taken as a result of 'ldap_group_query' query
> ldap_group_mode=NONE
>
> ldap_group_query=(&(memberUid=%s)(objectClass=posixGroup))
>
> # Ldap user attributes mapping
> # Set the following internal OM user attributes to their corresponding Ldap-attribute
> ldap_user_attr_login=sAMAccountName                                                                                         ##########
> ldap_user_attr_lastname=sn
> ldap_user_attr_firstname=givenName
> ldap_user_attr_mail=mail
> ldap_user_attr_street=streetAddress
> ldap_user_attr_additionalname=description
> ldap_user_attr_fax=facsimileTelephoneNumber
> ldap_user_attr_zip=postalCode
> ldap_user_attr_country=co
> ldap_user_attr_town=l
> ldap_user_attr_phone=telephoneNumber
> # optional attribute for user picture
> #ldap_user_attr_picture=
> ldap_group_attr=memberOf
>
> # optional, absolute URL will be used as user picture if ldap_user_attr_picture will be empty
> #ldap_user_picture_uri=picture_uri
>
> # optional
> # the timezone has to match any timezone available in Java, otherwise the timezone defined in the value of
> # the conf_key "default.timezone" in OpenMeetings "configurations" table
> #ldap_user_timezone=timezone
>
> # Ldap ignore upper/lower case, convert all input to lower case
> ldap_use_lower_case=false
>
> # Ldap import query, this query should retrieve all LDAP users
> ldap_import_query=(objectClass=inetOrgPerson)
>
>
> From: Maxim Solodovnik [mailto:solomax666@gmail.com]
> Sent: Monday, 13 April 2020 05:53
> To: Openmeetings user-list <us...@openmeetings.apache.org>
> Subject: Re: LDAP config Manual, 1st draft
>
> Hello Orm,
>
> On Mon, 13 Apr 2020 at 03:20, Orm Finnendahl <or...@selma.hfmdk-frankfurt.de> wrote:
> Hi,
>
> I made a draft of an LDAP config howto and uploaded it here for review:
>
> https://selma.hfmdk-frankfurt.de/howtos/OM-ldap-howto.html
>
> I hope it's not too verbose, but since I had problems figuring out the
> ldap config in OM from the docs found online I tried to write up
> something in a way that even somebody like me with little ldap
> experience and knowledge would've understood without having to ask
> this mailing list and spend a lot of time trying to figure it out.
>
> I already forked the OM github repo and can issue a pull request, but
> I'm unsure about the preferred format of the document (XML, MD, pdf?).
> Please let me know what you'd prefer. The original is in org format
> but I can provide any format.
>
> I love PRs :)))
> The current version is here
> https://github.com/apache/openmeetings/blob/master/openmeetings-server/src/site/xdoc/LdapAndADS.xml
> Please create LdapAndADS.md in
> https://github.com/apache/openmeetings/tree/master/openmeetings-server/src/site/markdown
> Feel free to re-use any part of original instructions :)
> We can discuss contents during PR review :))
>
>
> As I read about the manual draft for OM 5 on this mailing list, feel
> free to incorporate this in case it isn't already present or needs
> improvement. I'd be willing to do it myself if you find it useful and
> someone provides access for me to the current state.
>
> User Manual is here
> https://cwiki.apache.org/confluence/display/OPENMEETINGS/OpenMeetings+5+Manual
> Please tell me your Confluence ID and I'll grant you permissions (not sure how those binary files can be edited :((( )
>
>
> --
> Orm
>
>
> --
> Best regards,
> Maxim


--
Best regards,
Maxim