Posted to user@ofbiz.apache.org by Wicus <wi...@webmail.co.za> on 2008/07/21 14:38:47 UTC

LDAP - Active Directory Integration

Hi,

1.)  Using JXplorer with the following connection parameters:-   :working:

Base DN:           ou=it,ou=head-office,dc=domain*,dc=co,dc=uk
User DN:            cn=John Doe,ou=it,ou=head-office,dc=domain*,dc=co,dc=uk

      I get the Windows 2000 Server's Active Directory entries starting from
the "Base DN:" as mentioned above

       (**** I noticed that the short username, i.e. "John", does not work!
One has to specify the whole user name, i.e. "John Doe", to get AD access ****)

2.) Now on to OFBIZ ...

     When I, however, substitute the "User DN:" within ${ofbiz install
dir}/framework/security/config/jndiLdap.properties as follows:-

      ldap.dn.template=cn=%u,OU=IT,OU=head-office,DC=domain*,DC=co,DC=uk

      Active Directory authentication for OFBIZ fails, with the following in
the logs:-

2008-07-21 14:13:12,470 (http-0.0.0.0-8443-1) [    
RequestHandler.java:243:INFO ] [Processing Request]: login
sessionId=D2EB68F2022C7F9076581E957EF5376D.jvm1
2008-07-21 14:13:12,498 (http-0.0.0.0-8443-1) [     
LoginServices.java:363:INFO ] [LoginServices.userLogin] : Invalid User :
User not found.
2008-07-21 14:13:12,498 (http-0.0.0.0-8443-1) [ 
ServiceDispatcher.java:522:ERROR] Error in Service [userLogin]: User not
found.
2008-07-21 14:13:12,499 (http-0.0.0.0-8443-1) [   
TransactionUtil.java:275:ERROR]

       I have tried logging into OFBIZ with all of the following options:-

          a.) John
          b.) John Doe
          c.) John@domain*.co.uk
          d.) domain*.co.uk\John
          e.) domain*\John

       It just keeps on stating that it cannot find the user .......   
:confused:

       (What is the correct syntax to use for logon ?? - domain*\John is
what I presume)

3.)   One more Q please: When adjusting ANY of OFBIZ's configuration files,
is it sufficient to (restart ofbiz via) ./stopofbiz and ./startofbiz for the
changes to take effect?....




-- 
View this message in context: http://www.nabble.com/LDAP---Active-Directory-Integration-tp18567334p18567334.html
Sent from the OFBiz - User mailing list archive at Nabble.com.


Re: LDAP - Active Directory Integration

Posted by BJ Freeman <bj...@free-man.net>.
I was thinking more along the lines of having a conversion or
interpretation layer that displays ofbiz in LDAP format.
http://www.faqs.org/rfcs/rfc2849.html
This way it is a layer upon ofbiz but does not affect ofbiz internals
The problem is that LDAP does not support the way ofbiz works.
so there would be a lot of operations not available.
the CRUD operation would have to be mapped to the services.

Before I get too deep in this I have to study it more :)



Adrian Crum sent the following on 7/22/2008 7:41 AM:
> I had suggested an approach that was a little less drastic, but would
> still require a lot of work: instead of switching the entire OFBiz
> database to LDAP, just switch all of the OFBiz security, permissions
> checking, etc over to Apache Directory (an open source LDAP library).
> The rest of the OFBiz entities would remain unchanged. There would have
> to be considerable interest in making that change before anything would
> happen though.
> 
> -Adrian
> 
> BJ Freeman wrote:
>> it is more that people don't understand that ofbiz is not a db driven
>> application. This had me going when I first got started.
>>
>> Ofbiz generates the DB from the entityengine. So if you could have an
>> LDAP db source it would be populated by Ofbiz.
>> http://ofbiz.apache.org/docs/entity.html
>>
>> Therefore the DB would have the ofbiz type of security.
>> Without User Login and Security defined by Ofbiz, the DB should not be
>> accessible.
>>
>> Having access to the LDAP db thru any other channel would break the
>> ofbiz security.
>>
>> To my knowledge, LDAP has not advanced that far in ofbiz yet.
>>
>> Shi Jinghai sent the following on 7/21/2008 9:52 PM:
>>> So the current design is ambiguous.
>>>
>>> If you want LDAP to be the source db of user management, then the user
>>> info should be synchronized from LDAP to OFBiz when he/she wants to
>>> login OFBiz.
>>>
>>> Shi Jinghai/Beijing Langhua Ltd.
>>>
>>> On Mon, 2008-07-21 at 10:50 -0700, Wicus wrote:
>>>> Hi Adrian,
>>>>
>>>> Errrr; no users have been created within OFBIZ. (except for Admin
>>>> etc  @
>>>> present)
>>>>
>>>> I was under the impression that users would be created automagically
>>>> within
>>>> OFBIZ (the Postgres SQL database) once they are authenticated via
>>>> the LDAP
>>>> server (or Active Directory in this case)
>>>>
>>>> Soooo, all OFBIZ users need to be created manually within OFBIZ,
>>>> before
>>>> LDAP authentication can take place...?
>>>>  
>>>
>>>
>>>
>>
>>
>>
> 
> 
> 



Re: LDAP - Active Directory Integration

Posted by Adrian Crum <ad...@hlmksw.com>.
I had suggested an approach that was a little less drastic, but would 
still require a lot of work: instead of switching the entire OFBiz 
database to LDAP, just switch all of the OFBiz security, permissions 
checking, etc over to Apache Directory (an open source LDAP library). 
The rest of the OFBiz entities would remain unchanged. There would have 
to be considerable interest in making that change before anything would 
happen though.

-Adrian

BJ Freeman wrote:
> it is more that people don't understand that ofbiz is not a db driven
> application. This had me going when I first got started.
> 
> Ofbiz generates the DB from the entityengine. So if you could have an
> LDAP db source it would be populated by Ofbiz.
> http://ofbiz.apache.org/docs/entity.html
> 
> Therefore the DB would have the ofbiz type of security.
> Without User Login and Security defined by Ofbiz, the DB should not be
> accessible.
> 
> Having access to the LDAP db thru any other channel would break the
> ofbiz security.
> 
> To my knowledge, LDAP has not advanced that far in ofbiz yet.
> 
> Shi Jinghai sent the following on 7/21/2008 9:52 PM:
>> So the current design is ambiguous.
>>
>> If you want LDAP to be the source db of user management, then the user
>> info should be synchronized from LDAP to OFBiz when he/she wants to
>> login OFBiz.
>>
>> Shi Jinghai/Beijing Langhua Ltd.
>>
>> On Mon, 2008-07-21 at 10:50 -0700, Wicus wrote:
>>> Hi Adrian,
>>>
>>> Errrr; no users have been created within OFBIZ. (except for Admin etc  @
>>> present)
>>>
>>> I was under the impression that users would be created automagically within
>>> OFBIZ (the Postgres SQL database) once they are authenticated via the LDAP
>>> server (or Active Directory in this case)
>>>
>>> Soooo, all OFBIZ users need to be created manually within OFBIZ, before
>>> LDAP authentication can take place...? 
>>>
>>>  
>>
>>
>>
> 
> 
> 

Re: LDAP - Active Directory Integration

Posted by BJ Freeman <bj...@free-man.net>.
it is more that people don't understand that ofbiz is not a db driven
application. This had me going when I first got started.

Ofbiz generates the DB from the entityengine. So if you could have an
LDAP db source it would be populated by Ofbiz.
http://ofbiz.apache.org/docs/entity.html

Therefore the DB would have the ofbiz type of security.
Without User Login and Security defined by Ofbiz, the DB should not be
accessible.

Having access to the LDAP db thru any other channel would break the
ofbiz security.

To my knowledge, LDAP has not advanced that far in ofbiz yet.

Shi Jinghai sent the following on 7/21/2008 9:52 PM:
> So the current design is ambiguous.
> 
> If you want LDAP to be the source db of user management, then the user
> info should be synchronized from LDAP to OFBiz when he/she wants to
> login OFBiz.
> 
> Shi Jinghai/Beijing Langhua Ltd.
> 
> On Mon, 2008-07-21 at 10:50 -0700, Wicus wrote:
>> Hi Adrian,
>>
>> Errrr; no users have been created within OFBIZ. (except for Admin etc  @
>> present)
>>
>> I was under the impression that users would be created automagically within
>> OFBIZ (the Postgres SQL database) once they are authenticated via the LDAP
>> server (or Active Directory in this case)
>>
>> Soooo, all OFBIZ users need to be created manually within OFBIZ, before
>> LDAP authentication can take place...? 
>>
>>  
> 
> 
> 
> 



Re: LDAP - Active Directory Integration

Posted by Shi Jinghai <sh...@langhua.cn>.
So the current design is ambiguous.

If you want LDAP to be the source db of user management, then the user
info should be synchronized from LDAP to OFBiz when he/she wants to
login OFBiz.

Shi Jinghai/Beijing Langhua Ltd.

On Mon, 2008-07-21 at 10:50 -0700, Wicus wrote:
> Hi Adrian,
> 
> Errrr; no users have been created within OFBIZ. (except for Admin etc  @
> present)
> 
> I was under the impression that users would be created automagically within
> OFBIZ (the Postgres SQL database) once they are authenticated via the LDAP
> server (or Active Directory in this case)
> 
> Soooo, all OFBIZ users need to be created manually within OFBIZ, before
> LDAP authentication can take place...? 
> 
>  


Re: LDAP - Active Directory Integration

Posted by BJ Freeman <bj...@free-man.net>.
To add to this
you actually have to create at least a party group or person to put the
User Login in. It is then the User Login that the security and roles
have to be assigned to.
have a look at the user names block
https://demo.hotwaxmedia.com/partymgr/control/viewprofile?partyId=admin


Adrian Crum sent the following on 7/21/2008 10:58 AM:
> Wicus wrote:
>> Hi Adrian,
>>
>> Errrr; no users have been created within OFBIZ. (except for Admin etc  @
>> present)
>>
>> I was under the impression that users would be created automagically
>> within
>> OFBIZ (the Postgres SQL database) once they are authenticated via the
>> LDAP
>> server (or Active Directory in this case)
>>
>> Soooo, all OFBIZ users need to be created manually within OFBIZ, before
>> LDAP authentication can take place...? 
> 
> That's correct. The current integration implementation is not that
> sophisticated. It was created to address a single need: allow OFBiz
> users to use the same login name and password that they use for logging
> into the network.
> 
> Even if the OFBiz user was created automatically, what would that
> accomplish? Without additional permissions and roles, the user wouldn't
> be able to do anything in OFBiz.
> 
> There has been some discussion on the dev mailing list about a more
> comprehensive LDAP integration, but no agreement has been reached on how
> to implement it.
> 
> -Adrian
> 
> 
> 
> 


Re: LDAP - Active Directory Integration

Posted by Adrian Crum <ad...@hlmksw.com>.
Wicus wrote:
> Hi Adrian,
> 
> Errrr; no users have been created within OFBIZ. (except for Admin etc  @
> present)
> 
> I was under the impression that users would be created automagically within
> OFBIZ (the Postgres SQL database) once they are authenticated via the LDAP
> server (or Active Directory in this case)
> 
> Soooo, all OFBIZ users need to be created manually within OFBIZ, before
> LDAP authentication can take place...? 

That's correct. The current integration implementation is not that 
sophisticated. It was created to address a single need: allow OFBiz 
users to use the same login name and password that they use for logging 
into the network.

Even if the OFBiz user was created automatically, what would that 
accomplish? Without additional permissions and roles, the user wouldn't 
be able to do anything in OFBiz.

There has been some discussion on the dev mailing list about a more 
comprehensive LDAP integration, but no agreement has been reached on how 
to implement it.

-Adrian


Re: LDAP - Active Directory Integration

Posted by Wicus <wi...@webmail.co.za>.
Hi Adrian,

Errrr; no users have been created within OFBIZ. (except for Admin etc  @
present)

I was under the impression that users would be created automagically within
OFBIZ (the Postgres SQL database) once they are authenticated via the LDAP
server (or Active Directory in this case)

Soooo, all OFBIZ users need to be created manually within OFBIZ, before
LDAP authentication can take place...? 

 


Re: LDAP - Active Directory Integration

Posted by Adrian Crum <ad...@hlmksw.com>.
Are the LDAP user names and OFBiz user names the same? If not, then 
you'll have to use the userLdapDn field in the UserLogin entity.

UserLogin entity example:

userLoginId: john
userLdapDn: cn=John Doe,ou=it,ou=head-office,dc=domain*,dc=co,dc=uk

You can access the field from the Party Manager security area.

The user would log in as john, not John Doe.

-Adrian


Wicus wrote:
> Hi,
> 
> 1.)  Using JXplorer with the following connection parameters:-   :working:
> 
> Base DN:           ou=it,ou=head-office,dc=domain*,dc=co,dc=uk
> User DN:            cn=John Doe,ou=it,ou=head-office,dc=domain*,dc=co,dc=uk
> 
>       I get the Windows 2000 Server's Active Directory entries starting from
> the "Base DN:" as mentioned above
> 
>        (**** I noticed that the short username, i.e. "John", does not work!
> One has to specify the whole user name, i.e. "John Doe", to get AD access ****)
> 
> 2.) Now on to OFBIZ ...
> 
>      When I, however, substitute the "User DN:" within ${ofbiz install
> dir}/framework/security/config/jndiLdap.properties as follows:-
> 
>       ldap.dn.template=cn=%u,OU=IT,OU=head-office,DC=domain*,DC=co,DC=uk
> 
>       Active Directory authentication for OFBIZ fails, with the following in
> the logs:-
> 
> 2008-07-21 14:13:12,470 (http-0.0.0.0-8443-1) [    
> RequestHandler.java:243:INFO ] [Processing Request]: login
> sessionId=D2EB68F2022C7F9076581E957EF5376D.jvm1
> 2008-07-21 14:13:12,498 (http-0.0.0.0-8443-1) [     
> LoginServices.java:363:INFO ] [LoginServices.userLogin] : Invalid User :
> User not found.
> 2008-07-21 14:13:12,498 (http-0.0.0.0-8443-1) [ 
> ServiceDispatcher.java:522:ERROR] Error in Service [userLogin]: User not
> found.
> 2008-07-21 14:13:12,499 (http-0.0.0.0-8443-1) [   
> TransactionUtil.java:275:ERROR]
> 
>        I have tried logging into OFBIZ with all of the following options:-
> 
>           a.) John
>           b.) John Doe
>           c.) John@domain*.co.uk
>           d.) domain*.co.uk\John
>           e.) domain*\John
> 
>        It just keeps on stating that it cannot find the user .......   
> :confused:
> 
>        (What is the correct syntax to use for logon ?? - domain*\John is
> what I presume)
> 
> 3.)   One more Q please: When adjusting ANY of OFBIZ's configuration files,
> is it sufficient to (restart ofbiz via) ./stopofbiz and ./startofbiz for the
> changes to take effect?....
> 
> 
> 
>
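The two mechanisms this thread turns on are the ldap.dn.template line from the original post (cn=%u,... with %u replaced by the login name) and the UserLogin.userLdapDn field Adrian points to, which lets a short OFBiz login id such as "john" bind as the Active Directory entry whose CN is "John Doe". The following is an added example, not OFBiz code and not anything posted in the thread: it models how an LDAP-backed login resolves the bind DN from those two sources and why the attempts in the first message end in "User not found" when no UserLogin record exists yet (Adrian's point that users must be created manually first). The in-memory directory is a constructed stand-in for the AD server, the helper names are mine, "domain*" is kept as the placeholder the poster used, and the exact-case lookup of userLoginId is an assumption of this example rather than a statement about OFBiz. Whatever the real implementation does, any code that splices a user-supplied name into a DN template should escape the RFC 4514 special characters first, so that a login id containing a comma cannot add an RDN to the template; the example does that.

```python
"""
Added example (not OFBiz code): resolving the LDAP bind DN for a login id
from either UserLogin.userLdapDn or the ldap.dn.template, with an in-memory
stand-in for the Active Directory server.  Field/property names come from
the thread; helper names are this example's own.
"""
import hmac
import re
from dataclasses import dataclass
from typing import Dict, Optional

# RFC 4514 section 2.4: characters that must be backslash-escaped inside an
# RDN attribute value (leading '#', leading/trailing space and NUL handled below).
_DN_SPECIALS = {'"', "+", ",", ";", "<", ">", "\\"}
_UNESCAPED_COMMA = re.compile(r"(?<!\\),")


def escape_dn_value(value: str) -> str:
    """Escape one attribute value for embedding in a DN, so that a login id
    such as 'jane,ou=admins' stays a single cn value instead of splicing an
    extra RDN into the template."""
    out, last = [], len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_SPECIALS:
            out.append("\\" + ch)
        elif ch == "#" and i == 0:
            out.append("\\#")
        elif ch == " " and i in (0, last):
            out.append("\\ ")
        elif ch == "\x00":
            out.append("\\00")
        else:
            out.append(ch)
    return "".join(out)


def normalize_dn(dn: str) -> str:
    """Canonical form for comparing DNs: split on unescaped commas, trim each
    RDN and case-fold (AD matches DNs case-insensitively)."""
    return ",".join(r.strip().lower() for r in _UNESCAPED_COMMA.split(dn))


@dataclass
class UserLogin:
    """The two UserLogin entity fields mentioned in the thread."""
    userLoginId: str
    userLdapDn: Optional[str] = None


class FakeDirectory:
    """Constructed stand-in for the AD server: DN -> password.  Like AD, a
    failed simple bind does not say whether the DN or the password was wrong."""

    def __init__(self, entries: Dict[str, str]):
        self._entries = {normalize_dn(dn): pw for dn, pw in entries.items()}

    def simple_bind(self, dn: str, password: str) -> bool:
        stored = self._entries.get(normalize_dn(dn))
        if stored is None:
            return False
        return hmac.compare_digest(stored.encode(), password.encode())


def resolve_bind_dn(user_login_id: str, user_logins: Dict[str, UserLogin],
                    dn_template: str) -> Optional[str]:
    """DN to bind with, or None when no UserLogin record exists.  This example
    matches userLoginId exactly, so 'John' and 'john' are different ids."""
    rec = user_logins.get(user_login_id)
    if rec is None:
        return None                       # "User not found": LDAP is never contacted
    if rec.userLdapDn:
        return rec.userLdapDn             # explicit per-user DN wins over the template
    return dn_template.replace("%u", escape_dn_value(user_login_id))


def ldap_login(user_login_id: str, password: str, user_logins: Dict[str, UserLogin],
               dn_template: str, directory: FakeDirectory) -> str:
    """Outcome of one login attempt as a short status string."""
    dn = resolve_bind_dn(user_login_id, user_logins, dn_template)
    if dn is None:
        return "User not found"
    return "OK" if directory.simple_bind(dn, password) else "LDAP bind failed"


# --- constructed sample data ("domain*" is the poster's placeholder) --------
DN_TEMPLATE = "cn=%u,OU=IT,OU=head-office,DC=domain*,DC=co,DC=uk"

DIRECTORY = FakeDirectory({
    # The AD account's CN is the display name, not the short login name.
    "CN=John Doe,OU=IT,OU=head-office,DC=domain*,DC=co,DC=uk": "s3cret",
})

USER_LOGINS = {
    # userLdapDn bridges the short OFBiz login id to the "John Doe" AD entry.
    "john": UserLogin("john", userLdapDn="cn=John Doe,ou=it,ou=head-office,dc=domain*,dc=co,dc=uk"),
    # No userLdapDn: the template yields cn=jane,... which the directory lacks.
    "jane": UserLogin("jane"),
}

if __name__ == "__main__":
    for uid, pw in [("john", "s3cret"), ("john", "wrong"), ("jane", "s3cret"), ("John", "s3cret")]:
        print(f"{uid!r:8} -> {ldap_login(uid, pw, USER_LOGINS, DN_TEMPLATE, DIRECTORY)}")
```

Running it shows the three distinct outcomes a practitioner should be able to tell apart in the logs: "john" with the right password binds as cn=John Doe via userLdapDn; "john" with a wrong password and "jane" (template DN that does not exist) both come back as a bind failure, which the directory does not distinguish further; and "John", which has no UserLogin record in this data set, fails before any LDAP traffic, matching the "User not found" message in the original post.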