Posted to user@openmeetings.apache.org by "Rohrbach, Gerald" <G....@funkegruppe.de> on 2020/04/13 13:49:11 UTC

Re: LDAP config Manual, Limit access to AD Group members

Maxim, Orm

Finally I found the solution after reading the openldap manuals and doing some testing.
As expected, very easy, but it took me a while to understand the logic.

Now only members of the AD group appOpenmeetings can login.

ldap_search_query=(&(userPrincipalName=%s)(memberOf=CN=appOpenMeetings,OU=Groups,DC=mydomain,DC=de))


I still have a problem with the country, which is not transferred correctly from the AD.
But I think this is an openLdap issue, not OM.

I can see in the debug log co = Deutschland is read from AD, so that’s okay.
Countrycode = 276

Later on this line:
WARN  04-13 15:14:35.964 o.a.o.d.u.LocaleHelper:54 [nio-5443-exec-7] - Invalid country found: DEUTSCHLAND, will be replaced with: AD

AD means Andorra, so that's wrong.

AD is probably the first entry. Probably GERMANY is listed.
I do not think the mapping is done in OM.

But this is a cosmetic issue only and in OM no real problem.
Maybe I will find a fix for that sometime.



Gerald


From: Maxim Solodovnik [mailto:solomax666@gmail.com]
Sent: Monday, 13 April 2020 12:48
To: Openmeetings user-list <us...@openmeetings.apache.org>
Subject: Re: LDAP config Manual, 1st draft - extension


On Mon, Apr 13, 2020, 17:40 Rohrbach, Gerald <G....@funkegruppe.de> wrote:
I do not remember, but I have to do some testing anyway tomorrow. So I'll check.
I have to figure out how to set up that only members of an AD group om-users get access to OM.

Can you use SEARCHANDBIND
and set up the search query to return results from this group only?



Gerald


-----Original Message-----
From: Orm Finnendahl [mailto:orm.finnendahl@selma.hfmdk-frankfurt.de]
Sent: Monday, 13 April 2020 12:31
To: user@openmeetings.apache.org
Subject: Re: LDAP config Manual, 1st draft - extension

Hi Gerald,

Thanks, I'll incorporate your suggestions into the HOWTO before submitting the pull request. Are the verbose debug logs also written to "catalina.out"?

--
Orm


On Monday, 13 April 2020 at 09:20:26 (+0000), Rohrbach, Gerald wrote:
> Orm,
>
> I had the same issues with LDAP. It took a long time to figure it out.
>
> A very good hint was from Maxim to switch debug logging on.
> With that it was much easier. So probably it's good to add this to your documentation.
> Somehow the LDAP config is related to how user accounts are set up in a
> corporation; that needs some understanding of this ldap config.
>
> To make logging more verbose you can
> 1) stop OM
> 2) add the following line to logback-config.xml: <logger name="org.apache.directory" level="DEBUG" />
> 3) restart OM
>
> Here is my config; I marked changes with ##########
>
>
> #LDAP URL
> # This is the URL used to access your LDAP server.
> # if you want to use "ldaps://" links, please be aware that you need to import your CA certificate
> #  to a java keystore and add the -Djavax.net.ssl.keyStore, -Djavax.net.ssl.keyStorePassword,
> #  -Djavax.net.ssl.trustStore and -Djavax.net.ssl.trustStorePassword parameters to your
> #  JAVA_OPT environment
> ldap_conn_host=DomainController.mydomain.de ##########
>
> ldap_conn_port=389
> ldap_conn_secure=false
>
> # Login distinguished name (DN) for Authentication on LDAP Server - keep empty if not required
> # Use full qualified LDAP DN
> ldap_admin_dn=CN=ldapopenmeetings,OU=Users-Service-Accounts,DC=mydomain,DC=de ##########
>
> # Loginpass for Authentication on LDAP Server - keep empty if not required
> ldap_passwd=#mypassword# ##########
>
> # base to search for userdata(of user, that wants to login)
> ldap_search_base=DC=mydomain,DC=de ##########
>
> # Fieldnames (can differ between Ldap servers)
> #ldap_search_query=(uid=%s)
> ldap_search_query=(userPrincipalName=%s) ##########
>
>
> # the scope of the search might be: OBJECT, ONELEVEL, SUBTREE
> ldap_search_scope=SUBTREE ##########
>
>
> # Ldap auth type(NONE, SEARCHANDBIND, SIMPLEBIND)
> #  When using SIMPLEBIND a simple bind is performed on the LDAP server to check user authentication
> #  When using NONE, the Ldap server is not used for authentication
> ldap_auth_type=SEARCHANDBIND ##########
>
>
> # userDN format, will be used to bind if ldap_auth_type=SIMPLEBIND
> # might be used to get provisionningDn in case ldap_auth_type=NONE
> #ldap_userdn_format=uid=%s,CN=Users,DC=mydomain,DC=de
> ldap_userdn_format=userPrincipalName=%s,CN=Users,DC=mydomain,DC=de ##########
>
>
> # Ldap provisioning type(NONE, AUTOCREATE, AUTOUPDATE)
> ldap_provisionning=AUTOCREATE ##########
>
>
> # Ldap deref mode (never, searching, finding, always)
> ldap_deref_mode=always
>
> #  Set this to 'true' if you want to use admin_dn to get user attributes
> #  If any other value is set, user_dn will be used
> ldap_use_admin_to_get_attrs=true
>
> # Ldap-password synchronization to OM DB
> #  Set this to 'true' if you want OM to synchronize the user Ldap-password to OM's internal DB
> #  If you want to disable the feature, set this to any other string.
> #  Default value is 'true'
> ldap_sync_password_to_om=true ##########
>
>
> # Ldap group mode (NONE, ATTRIBUTE, QUERY)
> # NONE means group associations will be ignored
> # ATTRIBUTE means group associations will be taken from 'ldap_group_attr' attribute (M$ AD mode)
> # QUERY means group associations will be taken as a result of 'ldap_group_query' query
> ldap_group_mode=NONE
>
> ldap_group_query=(&(memberUid=%s)(objectClass=posixGroup))
>
> # Ldap user attributes mapping
> # Set the following internal OM user attributes to their corresponding Ldap-attribute
> ldap_user_attr_login=sAMAccountName ##########
> ldap_user_attr_lastname=sn
> ldap_user_attr_firstname=givenName
> ldap_user_attr_mail=mail
> ldap_user_attr_street=streetAddress
> ldap_user_attr_additionalname=description
> ldap_user_attr_fax=facsimileTelephoneNumber
> ldap_user_attr_zip=postalCode
> ldap_user_attr_country=co
> ldap_user_attr_town=l
> ldap_user_attr_phone=telephoneNumber
> # optional attribute for user picture
> #ldap_user_attr_picture=
> ldap_group_attr=memberOf
>
> # optional, absolute URL will be used as user picture if
> #ldap_user_attr_picture will be empty
> #ldap_user_picture_uri=picture_uri
>
> # optional
> # the timezone has to match any timezone available in Java, otherwise the timezone defined in the value of
> # the conf_key "default.timezone" in OpenMeetings "configurations" table
> #ldap_user_timezone=timezone
>
> # Ldap ignore upper/lower case, convert all input to lower case
> ldap_use_lower_case=false
>
> # Ldap import query, this query should retrieve all LDAP users
> ldap_import_query=(objectClass=inetOrgPerson)
>
>
> From: Maxim Solodovnik [mailto:solomax666@gmail.com]
> Sent: Monday, 13 April 2020 05:53
> To: Openmeetings user-list <us...@openmeetings.apache.org>
> Subject: Re: LDAP config Manual, 1st draft
>
> Hello Orm,
>
> On Mon, 13 Apr 2020 at 03:20, Orm Finnendahl <or...@selma.hfmdk-frankfurt.de> wrote:
> Hi,
>
> I made a draft of an LDAP config howto and uploaded it here for
> review:
>
> https://selma.hfmdk-frankfurt.de/howtos/OM-ldap-howto.html
>
> I hope it's not too verbose, but since I had problems figuring out the
> ldap config in OM from the docs found online I tried to write up
> something in a way that even somebody like me with little ldap
> experience and knowledge would've understood without having to ask
> this mailing list and spend a lot of time trying to figure it out.
>
> I already forked the OM github repo and can issue a pull request, but
> I'm unsure about the preferred format of the document (XML, MD, pdf?).
> Please let me know what you'd prefer. The original is in org format
> but I can provide any format.
>
> I love PRs :)))
> The current version is here
> https://github.com/apache/openmeetings/blob/master/openmeetings-server/src/site/xdoc/LdapAndADS.xml
> Please create LdapAndADS.md in
> https://github.com/apache/openmeetings/tree/master/openmeetings-server/src/site/markdown
> Feel free to re-use any part of the original instructions :) We can discuss contents during PR review :))
>
>
> As I read about the manual draft for OM 5 on this mailing list, feel
> free to incorporate this in case it isn't already present or needs
> improvement. I'd be willing to do it myself if you find it useful and
> someone provides access for me to the current state.
>
> User Manual is here
> https://cwiki.apache.org/confluence/display/OPENMEETINGS/OpenMeetings+5+Manual
> Please tell me your Confluence ID and I'll grant you permissions (not sure how those binary files can be edited :((( )
>
>
> --
> Orm
>
>
> --
> Best regards,
> Maxim
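The group-restricted filter Gerald posted above, expanded for a login name in an added example (not OpenMeetings code): it substitutes the login into the %s placeholder with RFC 4515 escaping, so the value can only ever be a literal and the memberOf clause keeps applying to every login. The group DN is the thread's own placeholder; the sample logins in the comments are constructed.

```python
"""Build the OpenMeetings-style ldap_search_query from its %s template.

Added example, not OpenMeetings code. Escaping the substituted login
(RFC 4515 section 3) keeps the number of filter components fixed, which
is what makes the memberOf restriction hold for every login name.
"""

# Filter template exactly as posted in the thread (placeholder domain).
SEARCH_QUERY_TEMPLATE = (
    "(&(userPrincipalName=%s)"
    "(memberOf=CN=appOpenMeetings,OU=Groups,DC=mydomain,DC=de))"
)

# RFC 4515: characters that must be escaped inside an assertion value,
# written as a backslash followed by two hex digits.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a string for use as an LDAP filter assertion value (RFC 4515)."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_search_filter(login: str, template: str = SEARCH_QUERY_TEMPLATE) -> str:
    """Replace the single %s placeholder with the escaped login name.

    Constructed sample: "jdoe@mydomain.de" expands to the thread's filter
    with the principal filled in; "j(d)oe*@mydomain.de" is escaped to
    "j\\28d\\29oe\\2a@mydomain.de" and still yields a three-component filter.
    """
    if template.count("%s") != 1:
        raise ValueError("template must contain exactly one %s placeholder")
    return template.replace("%s", escape_filter_value(login))


def clause_count(ldap_filter: str) -> int:
    """Number of filter components, i.e. unescaped opening parentheses.

    For a fixed template this must not depend on the login name; if it
    does, the substituted value was able to alter the filter structure.
    """
    return ldap_filter.count("(")
```

Note that memberOf in this filter matches direct members only; nested group membership would need AD's matching-rule-in-chain OID (memberOf:1.2.840.113556.1.4.1941:=...) on that attribute.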

Re: LDAP config Manual, Limit access to AD Group members

Posted by Maxim Solodovnik <so...@gmail.com>.
Hello,

On Mon, 13 Apr 2020 at 20:49, Rohrbach, Gerald <G....@funkegruppe.de>
wrote:

> Maxim, Orm
>
> Finally I found the solution after reading the openldap manuals and doing some
> testing.
>
> As expected, very easy, but it took me a while to understand the logic.
>
> Now only members of the AD group appOpenmeetings can login.
>
> ldap_search_query=(&(userPrincipalName=%s)(memberOf=CN=appOpenMeetings,OU=Groups,DC=mydomain,DC=de))
>
> I still have a problem with the country, which is not transferred correctly
> from the AD.
>
> But I think this is an openLdap issue, not OM.
>
> I can see in the debug log co = Deutschland is read from AD, so that's
> okay.
>
> Countrycode = 276
>
> Later on this line:
>
> WARN  04-13 15:14:35.964 o.a.o.d.u.LocaleHelper:54 [nio-5443-exec-7] - Invalid country found: DEUTSCHLAND, will be replaced with: AD
>

I do remember I wrote this before: OM expects a country code, NOT a country name.
If the country isn't found, the first country from the list is taken.

So OM expects LDAP to return "DE" as country NOT "Deutschland"



-- 
Best regards,
Maxim
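The country mapping from Gerald's message and Maxim's reply, as an added example (not OpenMeetings code): it reproduces the first-entry fallback Maxim describes, which turns "DEUTSCHLAND" into "AD", beside a resolver that accepts what AD actually stores (the alpha-2 code, the numeric countryCode 276, or a display name) and returns None for anything else instead of guessing. The four-entry country table is a constructed excerpt of ISO 3166-1.

```python
"""Resolve a directory country value to an ISO 3166-1 alpha-2 code.

Added example, not OpenMeetings code. resolve_like_om mirrors the
behaviour described in the thread (code expected, unknown value -> first
entry of the list); resolve_country is the stricter alternative that
understands the other forms AD delivers and fails explicitly.
"""
from typing import Optional, Union

# Constructed excerpt of ISO 3166-1: alpha-2 -> (numeric, English, German)
COUNTRIES = {
    "AD": (20, "Andorra", "Andorra"),
    "AT": (40, "Austria", "Österreich"),
    "DE": (276, "Germany", "Deutschland"),
    "FR": (250, "France", "Frankreich"),
}

# Name and number indexes, case-folded so "DEUTSCHLAND" matches as well.
_BY_NAME = {name.casefold(): code
            for code, (_, *names) in COUNTRIES.items() for name in names}
_BY_NUMBER = {num: code for code, (num, _, _) in COUNTRIES.items()}


def resolve_like_om(value: Optional[str]) -> str:
    """Accept only an alpha-2 code; anything else becomes the first entry.

    Sorted by code the first entry is "AD" (Andorra), which is exactly the
    "DEUTSCHLAND ... will be replaced with: AD" line from the thread's log.
    """
    text = (value or "").strip().upper()
    if text in COUNTRIES:
        return text
    return sorted(COUNTRIES)[0]


def resolve_country(value: Union[str, int, None]) -> Optional[str]:
    """Return the alpha-2 code for a code, numeric code or name, else None."""
    if value is None:
        return None
    if isinstance(value, int) or value.strip().isdigit():
        return _BY_NUMBER.get(int(value))        # AD countryCode, e.g. 276
    text = value.strip()
    if len(text) == 2 and text.upper() in COUNTRIES:
        return text.upper()                       # AD attribute c, e.g. "DE"
    return _BY_NAME.get(text.casefold())          # AD attribute co, a display name
```

In AD the two-letter code lives in the c attribute (co holds the display name, countryCode the number), so mapping ldap_user_attr_country=c instead of co avoids the name translation altogether.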