Posted to user@openmeetings.apache.org by "Rohrbach, Gerald" <G....@funkegruppe.de> on 2020/04/10 17:44:01 UTC

Sending E-Mail to guests / Guest Invitation / LDAP Login only from defined IP ranges

Maxim,
finally I got it working with certificates, your solution was the easiest one.

Our sales team is interested in using OM with customers.
Currently we only use it internally; it's a good help with all the home offices now.
I saw you added some changes to allow e-mail to unregistered users. I will test this,
this sounds like it will fulfil our needs.

The login authentication on our internal server is against LDAP (AD).
If we put our machine in a DMZ, is there a way to protect the login from external IPs but allow
that a meeting link will come to the invited room session?
The OM DB is already on a separate server, on MySQL.

I know openMeetings is more for schools and trainings, but I guess during this time a lot of companies are interested.
MS Teams is heavy, expensive and from my point of view OM delivers nearly all needed functionality.
And probably a lot of companies don't want the data stored somewhere in the cloud.
I have tested some of these tools in the past weeks…

Gerald




From: Maxim Solodovnik [mailto:solomax666@gmail.com]
Sent: Tuesday, 7 April 2020 16:42
To: Openmeetings user-list <us...@openmeetings.apache.org>
Subject: Re: wildcard certificate

Well,

I would suggest taking the original server.xml from M4
https://github.com/apache/openmeetings/blob/master/openmeetings-server/src/main/assembly/conf/server.xml#L76
And change nothing but the <Certificate ...> tag
use this one
<Certificate certificateKeyFile="conf/your_key.pem"
                        certificateFile="conf/your_crt.pem"
                        certificateChainFile="conf/your_ca.pem"
                        type="RSA" />
with your own paths

no native libraries, conversions etc.
one easy step :))

Please ensure cert paths are readable by OM :))

On Tue, 7 Apr 2020 at 19:50, K. Kamhamea <ka...@googlemail.com> wrote:
In my manual I covered wildcard certificates under System Administrator > SSL

https://cwiki.apache.org/confluence/display/OPENMEETINGS/OpemMeetings+5+Manual

On Tue, 7 Apr 2020 at 12:43, Rohrbach, Gerald <G....@funkegruppe.de> wrote:
Maxim,

so far our openMeetings server for internal use is working fine.

I found a lot of manuals using letsencrypt certificates, but this seems not to be that easy and we need to repeat the procedure every 90 days.
To make it more comfortable for the users I think we need to get the certificate in place.
Unfortunately my knowledge about this certificate stuff is going to zero…

We have an official wildcard certificate that we can use.
But I did not find a manual on how this is to be installed.

Is there any docu I can use? Is that specific to openMeetings or is that
more specific to tomcat?


Gerald





From: Maxim Solodovnik [mailto:solomax666@gmail.com]
Sent: Monday, 30 March 2020 17:19
To: Openmeetings user-list <us...@openmeetings.apache.org>
Subject: Re: ldap config problems with authentication solved - Database move to different server

First of all clustering is not working in M3 https://issues.apache.org/jira/browse/OPENMEETINGS-2186
You need M4 SNAPSHOT for this

Then, I'm afraid, there is a misunderstanding: `localDB` is a UI term meaning DB as opposed to LDAP
To change the DB location you need to change localhost to some external IP in persistence.xml

Latest SNAPSHOT is here: https://builds.apache.org/view/M-R/view/OpenMeetings/job/openmeetings/
Latest docs here: https://builds.apache.org/view/M-R/view/OpenMeetings/job/openmeetings/site/openmeetings-server/Clustering.html

I hope there will be no DB updates before the M4 release, so most probably the DB will be compatible



On Mon, 30 Mar 2020 at 22:13, Rohrbach, Gerald <G....@funkegruppe.de> wrote:
Well, I need another hint….

As we have now tested a lot and do think we can use it for more users, probably we
need more than one server. I am interested in the clustering.
But I know this is sometimes difficult to set up on our core switch.

First step would be to have the database separated on a different server.
We have already created a lot of users in the M3 release.

For testing of the M4 I have already made a backup and restored it.
But in this case the database was also local.

Probably I need to change somewhere in a config file where the new database is
located, if it is not local.
Because in the backup there was a localDB, on the new server I would like a different machine.
Which file do I need to edit?



Regards

Gerald.







From: Maxim Solodovnik [mailto:solomax666@gmail.com]
Sent: Monday, 30 March 2020 16:19
To: Openmeetings user-list <us...@openmeetings.apache.org>
Subject: Re: ldap config problems with authentication solved

Great news :)
I don't have to fix it :)))

Thanks a lot!

On Mon, 30 Mar 2020 at 21:16, Rohrbach, Gerald <G....@funkegruppe.de> wrote:
Maxim,

I found the solution:

These are the settings:

ldap_search_query=(userPrincipalName=%s)
ldap_userdn_format=userPrincipalName=%s,CN=Users,DC=company,DC=de

ldap_user_attr_login=sAMAccountName

Then the users are created in the right way: userid@company.de
No duplicates anymore.


Regards

Gerald


From: Maxim Solodovnik [mailto:solomax666@gmail.com]
Sent: Monday, 30 March 2020 14:37
To: Openmeetings user-list <us...@openmeetings.apache.org>
Subject: Re: ldap config problems with authentication

Of course I can add a simple check "if-login-contains-domain-do-not-add-another-one" but I would prefer to create a simulation of a real LDAP :)

On Mon, 30 Mar 2020 at 19:31, Maxim Solodovnik <so...@gmail.com> wrote:


On Mon, 30 Mar 2020 at 19:25, Rohrbach, Gerald <G....@funkegruppe.de> wrote:
Maxim,

that was a good hint with the logging.
I think it is just an understanding and config issue.

   SearchRequest
        baseDn : 'CN=Users,DC=company,DC=de'
        filter : '(uid=xxxx@compay.de)'

In ADS the uid attribute is not filled. Instead in ADS we need to use UserPrincipalName or something else.

for ADS `samlAccountName` or something like this should be used


So authentication works fine, but every time someone logs in a new user account is created.

It looks like we still have an issue, as the created user login is wrong:
testuser@company.de@company.de

This is the issue
I'm using this
https://github.com/apache/openmeetings/blob/master/openmeetings-web/src/test/resources/schema/users.ldif
Schema for tests
Maybe you can help me to create schema for the case with "suffixed" users?


I hope I get the rest also figured out.


Gerald





From: Maxim Solodovnik [mailto:solomax666@gmail.com]
Sent: Monday, 30 March 2020 11:50
To: Openmeetings user-list <us...@openmeetings.apache.org>
Subject: Re: ldap config problems with authentication

Your log is hard to read due to formatting issues :((
Googling `DSID-0C090442` returns something about "searching between forests" which I don't understand :(

Admin->LDAP has setting "Add domain to user name"
Do you have it checked? (domain to add should be specified)

What is your LDAP provider? Is it ADS?

To make logging more verbose you can
1) stop OM
2) add the following line to logback-config.xml
 <logger name="org.apache.directory" level="DEBUG" />
3) restart OM

According to my previous experience SEARCHANDBIND might work better


On Mon, 30 Mar 2020 at 16:31, Rohrbach, Gerald <G....@funkegruppe.de> wrote:
Also having LDAP issues:

It seems not to work.

Below is the om_ldap.cfg, that is used in the config file:

DEBUG 03-30 08:42:26.213 o.a.o.s.q.s.ReminderJob:93 [Bean#0_Worker-3] - Rss disabled by Admin
DEBUG 03-30 08:52:26.214 o.a.o.s.q.s.ReminderJob:93 [Bean#0_Worker-8] - Rss disabled by Admin
DEBUG 03-30 09:02:26.214 o.a.o.s.q.s.ReminderJob:93 [Bean#0_Worker-5] - Rss disabled by Admin
DEBUG 03-30 09:11:36.412 o.a.o.d.d.s.LdapConfigDao:69 [io-5443-exec-10] - getActiveLdapConfigs
DEBUG 03-30 09:11:36.517 o.a.o.d.d.s.LdapConfigDao:69 [nio-5443-exec-2] - getActiveLdapConfigs
DEBUG 03-30 09:12:13.115 o.a.o.c.l.LdapLoginManager:172 [nio-5443-exec-2] - LdapLoginmanager.doLdapLogin
ERROR 03-30 09:12:13.129 o.a.o.c.l.LdapLoginManager:226 [nio-5443-exec-2] - Not authenticated.
org.apache.directory.api.ldap.model.exception.LdapAuthenticationException: 80090308: LdapErr: DSID-0C090442, comment: AcceptSecurityContext error, data 52e, v3839
	at org.apache.directory.api.ldap.model.message.ResultCodeEnum.processResponse(ResultCodeEnum.java:1995)


What does the LdapLoginManager message mean: was the query user not able to connect, or was the end user password wrong?
How can I make visible what the query for the user is?
It should be in the form user@domain.de, maybe the mapping is just wrong.





This is the modified
ldap_conn_host=DESVR-DC01.firma.de
ldap_conn_port=389
ldap_conn_secure=false

# Login distinguished name (DN) for Authentication on LDAP Server - keep empty if not required
# Use full qualified LDAP DN
ldap_admin_dn=CN=ldapopenmeetings,OU=Users-Service-Accounts,DC=firma,DC=de

# Loginpass for Authentication on LDAP Server - keep empty if not required
ldap_passwd=#password#

# base to search for userdata(of user, that wants to login)
ldap_search_base=CN=Users,DC=firma,DC=de

# Fieldnames (can differ between Ldap servers)
ldap_search_query=(uid=%s)

# the scope of the search might be: OBJECT, ONELEVEL, SUBTREE
ldap_search_scope=SUBTREE

# Ldap auth type(NONE, SEARCHANDBIND, SIMPLEBIND)
#  When using SIMPLEBIND a simple bind is performed on the LDAP server to check user authentication
#  When using NONE, the Ldap server is not used for authentication
ldap_auth_type=SIMPLEBIND

# userDN format, will be used to bind if ldap_auth_type=SIMPLEBIND
# might be used to get provisionningDn in case ldap_auth_type=NONE
ldap_userdn_format=uid=%s,CN=Users,DC=firma,DC=de

# Ldap provisioning type(NONE, AUTOCREATE, AUTOUPDATE)
ldap_provisionning=AUTOCREATE

# Ldap deref mode (never, searching, finding, always)
ldap_deref_mode=always
ldap_use_admin_to_get_attrs=true

# Ldap-password synchronization to OM DB
#  Set this to 'true' if you want OM to synchronize the user Ldap-password to OM's internal DB
#  If you want to disable the feature, set this to any other string.
#  Default value is 'true'
ldap_sync_password_to_om=false

# Ldap group mode (NONE, ATTRIBUTE, QUERY)
# NONE means group associations will be ignored
# ATTRIBUTE means group associations will be taken from 'ldap_group_attr' attribute (M$ AD mode)
# QUERY means group associations will be taken as a result of 'ldap_group_query' query
ldap_group_mode=NONE

ldap_group_query=(&(memberUid=%s)(objectClass=posixGroup))

# Ldap user attributes mapping
# Set the following internal OM user attributes to their corresponding Ldap-attribute

ldap_user_attr_login=uid
ldap_user_attr_lastname=sn
ldap_user_attr_firstname=givenName
ldap_user_attr_mail=mail
ldap_user_attr_street=streetAddress
ldap_user_attr_additionalname=description
ldap_user_attr_fax=facsimileTelephoneNumber
ldap_user_attr_zip=postalCode
ldap_user_attr_country=co
ldap_user_attr_town=l
ldap_user_attr_phone=telephoneNumber
# optional attribute for user picture
#ldap_user_attr_picture=
ldap_group_attr=memberOf

# optional, absolute URL will be used as user picture if #ldap_user_attr_picture will be empty
#ldap_user_picture_uri=picture_uri

# optional
# the timezone has to match any timezone available in Java, otherwise the timezone defined in the value of
# the conf_key "default.timezone" in OpenMeetings "configurations" table
#ldap_user_timezone=timezone

# Ldap ignore upper/lower case, convert all input to lower case
ldap_use_lower_case=false

# Ldap import query, this query should retrieve all LDAP users
ldap_import_query=(objectClass=inetOrgPerson)


--
WBR
Maxim aka solomax



--
Best regards,
Maxim
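Added example, not part of the thread and not OpenMeetings code: a small Python triage script for the bind-failure log quoted in the chain above. It expects one log entry per line with the ANSI colour escapes removed, extracts the `data` sub-status that Active Directory appends to an AcceptSecurityContext error (52e is AD's "invalid credentials"; AD returns the same code when the bind DN itself does not exist, so on its own it does not prove the password was wrong), and counts failures in a sliding window so that a run of bad binds is noticed before a domain lockout threshold such as the three attempts mentioned later in the thread is reached. The two extra ERROR entries in the sample (threads exec-4 and exec-7, and the 775 "locked out" code) are constructed for the example; the others are the lines from the thread.

```python
"""Triage OpenMeetings LDAP bind failures against Active Directory.

Added example, not OpenMeetings code. Expects the logback output with one
entry per line and the ANSI colour escapes removed.
"""
import re
from collections import deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

# Windows logon sub-status codes that AD appends as "data NNN" to an
# AcceptSecurityContext error. 52e is the one shown in the thread.
AD_DATA_CODES = {
    "525": "user not found",
    "52e": "invalid credentials (wrong password, or the bind DN does not exist)",
    "530": "logon not permitted at this time",
    "531": "logon not permitted from this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

# Constructed sample: the entries from the thread plus two extra failures
# (threads exec-4 / exec-7, sub-status 775) added to exercise the window count.
SAMPLE_LOG = """\
DEBUG 03-30 09:11:36.412 o.a.o.d.d.s.LdapConfigDao:69 [io-5443-exec-10] - getActiveLdapConfigs
DEBUG 03-30 09:12:13.115 o.a.o.c.l.LdapLoginManager:172 [nio-5443-exec-2] - LdapLoginmanager.doLdapLogin
ERROR 03-30 09:12:13.129 o.a.o.c.l.LdapLoginManager:226 [nio-5443-exec-2] - Not authenticated.
org.apache.directory.api.ldap.model.exception.LdapAuthenticationException: 80090308: LdapErr: DSID-0C090442, comment: AcceptSecurityContext error, data 52e, v3839
\tat org.apache.directory.api.ldap.model.message.ResultCodeEnum.processResponse(ResultCodeEnum.java:1995)
ERROR 03-30 09:13:40.002 o.a.o.c.l.LdapLoginManager:226 [nio-5443-exec-4] - Not authenticated.
org.apache.directory.api.ldap.model.exception.LdapAuthenticationException: 80090308: LdapErr: DSID-0C090442, comment: AcceptSecurityContext error, data 52e, v3839
ERROR 03-30 09:14:02.517 o.a.o.c.l.LdapLoginManager:226 [nio-5443-exec-7] - Not authenticated.
org.apache.directory.api.ldap.model.exception.LdapAuthenticationException: 80090308: LdapErr: DSID-0C090442, comment: AcceptSecurityContext error, data 775, v3839
"""

# One logback entry: level, timestamp, logger:line, [thread] - message
LINE_RE = re.compile(
    r"^(?P<level>DEBUG|INFO|WARN|ERROR)\s+"
    r"(?P<ts>\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3})\s+"
    r"(?P<logger>\S+)\s+\[(?P<thread>[^\]]+)\]\s+-\s+(?P<msg>.*)$"
)
AD_ERR_RE = re.compile(r"AcceptSecurityContext error, data (?P<code>[0-9a-f]{3})")


@dataclass
class BindFailure:
    when: datetime
    thread: str
    code: Optional[str]
    meaning: str


def parse_bind_failures(log_text: str) -> List[BindFailure]:
    """Pair each LdapLoginManager ERROR with the exception text that follows it."""
    failures: List[BindFailure] = []
    current: Optional[BindFailure] = None
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if m:
            current = None
            if m["level"] == "ERROR" and "LdapLoginManager" in m["logger"]:
                when = datetime.strptime(m["ts"], "%m-%d %H:%M:%S.%f")
                current = BindFailure(when, m["thread"], None, "no AD sub-status in log")
                failures.append(current)
            continue
        # Continuation line (exception message or stack frame) of the entry above.
        if current is not None:
            e = AD_ERR_RE.search(raw)
            if e:
                current.code = e["code"]
                current.meaning = AD_DATA_CODES.get(e["code"], "unknown AD sub-status")
    return failures


def max_failures_in_window(failures: List[BindFailure], window_seconds: float = 600) -> int:
    """Largest number of failures that fall inside any span of window_seconds."""
    window = timedelta(seconds=window_seconds)
    times = sorted(f.when for f in failures)
    best, recent = 0, deque()
    for t in times:
        recent.append(t)
        while t - recent[0] > window:
            recent.popleft()
        best = max(best, len(recent))
    return best


if __name__ == "__main__":
    found = parse_bind_failures(SAMPLE_LOG)
    for f in found:
        print(f"{f.when:%m-%d %H:%M:%S} {f.thread}: data {f.code} -> {f.meaning}")
    burst = max_failures_in_window(found)
    print(f"max failures in 10 min: {burst}; lockout threshold of 3 reached: {burst >= 3}")
```

The script keys on the `ERROR ... LdapLoginManager` entry and reads the sub-status from the exception line that follows it, because logback prints the stack trace on separate lines without the entry prefix. The window count is a coarse burst detector; to attribute attempts to individual accounts the login name would have to be logged as well, which the DEBUG output above does not include.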

Re: Sending E-Mail to guests / Guest Invitation / LDAP Login only from defined IP ranges

Posted by Maxim Solodovnik <so...@gmail.com>.
Hello,

I guess you can use
ldap_auth_type=SEARCHANDBIND
https://github.com/apache/openmeetings/blob/master/openmeetings-web/src/main/webapp/data/conf/om_ldap.cfg#L52

With
ldap_search_query=(uid=%s)
containing your LDAP group

I usually test the query using some LDAP explorer :)



-- 
Best regards,
Maxim
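Added example, not part of the thread and not OpenMeetings code: Python that shows what the ldap_search_query template becomes once the login is substituted for %s, which entries of a directory it then selects, and why the login value has to be escaped (RFC 4515) before substitution. It assumes the AD-style attributes Gerald ended up with (userPrincipalName for the search, memberOf for group membership); the group DN CN=OM-Users,OU=Groups,DC=company,DC=de and the three directory entries are constructed. The page does not say whether OpenMeetings escapes the %s value itself, so the example escapes it before building the filter. With SEARCHANDBIND the service account searches for the user first and only a matching entry is then bound with the user's password, so a login that is not in the group never reaches the bind; accounts that are in the group can still be locked out by repeated wrong passwords, which the filter does not prevent.

```python
"""Group-restricted search filter for OpenMeetings SEARCHANDBIND.

Added example, not OpenMeetings code. Builds the filter from an
ldap_search_query template, escapes the login per RFC 4515, and evaluates the
result against a constructed in-memory directory.
"""
from typing import Dict, List, Tuple

# Template as it would go into om_ldap.cfg; the group DN is an assumption.
SEARCH_QUERY_TEMPLATE = (
    "(&(userPrincipalName=%s)"
    "(memberOf=CN=OM-Users,OU=Groups,DC=company,DC=de))"
)

# Constructed sample directory: DN -> {lower-cased attribute: values}.
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    "CN=Alice Example,CN=Users,DC=company,DC=de": {
        "userprincipalname": ["alice@company.de"],
        "samaccountname": ["alice"],
        "memberof": ["CN=OM-Users,OU=Groups,DC=company,DC=de",
                     "CN=Sales,OU=Groups,DC=company,DC=de"],
    },
    "CN=Bob Example,OU=Staff,DC=company,DC=de": {
        "userprincipalname": ["bob@company.de"],
        "samaccountname": ["bob"],
        "memberof": ["CN=Sales,OU=Groups,DC=company,DC=de"],
    },
    "CN=ldapopenmeetings,OU=Users-Service-Accounts,DC=company,DC=de": {
        "samaccountname": ["ldapopenmeetings"],
        "memberof": [],
    },
}

_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping: the login can then only ever be a literal value."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_search_filter(template: str, login: str) -> str:
    """Substitute the escaped login for %s, as OM does for ldap_search_query."""
    return template.replace("%s", escape_filter_value(login))


def _unescape(value: str) -> str:
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 2 < len(value):
            out.append(chr(int(value[i + 1:i + 3], 16)))
            i += 3
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


Node = tuple


def _parse(s: str, i: int) -> Tuple[Node, int]:
    """Parse one parenthesised filter item at s[i]; return (node, next index)."""
    if s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if s[i] in "&|!":
        op, kids = s[i], []
        i += 1
        while i < len(s) and s[i] == "(":
            node, i = _parse(s, i)
            kids.append(node)
        if i >= len(s) or s[i] != ")" or not kids:
            raise ValueError(f"malformed filter near offset {i}")
        return (op, kids), i + 1
    eq = s.index("=", i)
    close = s.index(")", eq)  # an escaped ')' is '\29', so this is the real one
    raw = s[eq + 1:close]
    return ("=", s[i:eq].lower(), _unescape(raw), raw == "*"), close + 1


def parse_filter(s: str) -> Node:
    node, end = _parse(s, 0)
    if end != len(s):
        raise ValueError("trailing characters after filter")
    return node


def matches(node: Node, entry: Dict[str, List[str]]) -> bool:
    kind = node[0]
    if kind == "&":
        return all(matches(c, entry) for c in node[1])
    if kind == "|":
        return any(matches(c, entry) for c in node[1])
    if kind == "!":
        return not matches(node[1][0], entry)
    _, attr, value, presence = node
    vals = [v.lower() for v in entry.get(attr, [])]  # AD matches these case-insensitively
    return bool(vals) if presence else value.lower() in vals


def search(filter_str: str, directory: Dict[str, Dict[str, List[str]]] = DIRECTORY) -> List[str]:
    """DNs the filter selects; under SEARCHANDBIND only these are ever bound."""
    node = parse_filter(filter_str)
    return [dn for dn, entry in directory.items() if matches(node, entry)]


if __name__ == "__main__":
    for login in ("alice@company.de", "bob@company.de", "*"):
        flt = build_search_filter(SEARCH_QUERY_TEMPLATE, login)
        print(f"{login!r:22} -> {flt}\n{'':25}matches: {search(flt)}")
```

The evaluator supports only the equality, presence, &, | and ! forms, which is all that the ldap_search_query and ldap_group_query lines in the thread use; testing the rendered filter against the real directory with an LDAP browser, as suggested above, remains the final check.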

Re: Sending E-Mail to guests / Guest Invitation / LDAP Login only from defined IP ranges

Posted by "Rohrbach, Gerald" <G....@funkegruppe.de>.
Well, at least what is possible is that hackers try to get accounts hacked.

After 3 wrong passwords the ADS account is disabled. In case of simple users that is no big problem if
this happens for a low number of accounts.
If service accounts are also involved it's more difficult.

That's why I would like to set up an AD group where the OM users are listed.
Only these should be allowed by LDAP to check against the LDAP password.
But I do not understand the logic of the ldap-query below.

Gerald.


From: Maxim Solodovnik [mailto:solomax666@gmail.com]
Sent: Sunday, 12 April 2020 12:56
To: Openmeetings user-list <us...@openmeetings.apache.org>
Subject: Re: Sending E-Mail to guests / Guest Invitation / LDAP Login only from defined IP ranges

I don't see how ldap search can be insecure :(
User provides credentials and they are being checked inside some private network
And user is authenticated only if there was a match

Maybe you can modify the search to search only inside group?

On Sun, Apr 12, 2020, 14:31 Rohrbach, Gerald <G....@funkegruppe.de> wrote:
Maxim,

we only allow LDAP users, no registration. That's fine. Probably the FW stuff is too complicated.

I did not figure out the LDAP groups from the config file. As our users are stored in different AD containers, we need to set the search base
in the AD root. With that every account can be used, which internally is okay, but putting this frontend in a DMZ or on internet access
is very insecure.
So probably an easy way is to put OM users in an AD group and limit access to this.

But what do I need to fill in in the LDAP config file? E.g. if the user group is named OM-Users?

# Ldap group mode (NONE, ATTRIBUTE, QUERY)
# NONE means group associations will be ignored
# ATTRIBUTE means group associations will be taken from 'ldap_group_attr' attribute (M$ AD mode)
# QUERY means group associations will be taken as a result of 'ldap_group_query' query
ldap_group_mode=NONE

ldap_group_query=(&(memberUid=%s)(objectClass=posixGroup))


Happy Easter

Gerald




From: Maxim Solodovnik [mailto:solomax666@gmail.com]
Sent: Saturday, 11 April 2020 18:07
To: Openmeetings user-list <us...@openmeetings.apache.org>
Subject: Re: Sending E-Mail to guests / Guest Invitation / LDAP Login only from defined IP ranges

Hello Gerald,

Not sure I get what is required :(
You can set up a FW to reject some IPs, but this way all traffic will be filtered
You can disable front-end registration, this way only LDAP users or invited guests can use OM
(invited guests can only access the room they were invited to, and the invitation can be limited: one time/period/endless ...)

On Sat, 11 Apr 2020 at 00:44, Rohrbach, Gerald <G....@funkegruppe.de> wrote:
Maxim,
finally I got it working with certificates, your solution was the easiest one.

Our sales team is interested in using OM with customers.
Currently we only use it internally, it's a good help with all the home offices now.
I saw you added some changes to allow e-mail to unregistered users. I will test this,
this sounds like it will fulfil our needs.

The login authentication on our internal server is against LDAP (AD).
If we put our machine in a DMZ, is there a way to protect the login from external IPs but allow
that a meeting link will come to the invited room session?
The OM DB is already on a separate server on MySQL.

I know openMeetings is more for schools and trainings, but I guess during this time a lot of companies are interested.
MS Teams is heavy, expensive and from my point of view OM delivers nearly all needed functionality.
And probably a lot of companies don't want the data stored somewhere in the cloud.
I have tested some of these tools in the past weeks…

Gerald




From: Maxim Solodovnik [mailto:solomax666@gmail.com]
Sent: Tuesday, 7 April 2020 16:42
To: Openmeetings user-list <us...@openmeetings.apache.org>
Subject: Re: wildcard certificate

Well,

I would suggest taking the original server.xml from M4
https://github.com/apache/openmeetings/blob/master/openmeetings-server/src/main/assembly/conf/server.xml#L76
and changing nothing but the <Certificate ...> tag
use this one
<Certificate certificateKeyFile="conf/your_key.pem"
                        certificateFile="conf/your_crt.pem"
                        certificateChainFile="conf/your_ca.pem"
                        type="RSA" />
with your own paths

no native libraries, conversions etc.
one easy step :))

Please ensure cert paths are readable by OM :))

On Tue, 7 Apr 2020 at 19:50, K. Kamhamea <ka...@googlemail.com> wrote:
In my manual I covered wildcard certificates under System Administrator > SSL

https://cwiki.apache.org/confluence/display/OPENMEETINGS/OpemMeetings+5+Manual

On Tue, 7 Apr 2020 at 12:43, Rohrbach, Gerald <G....@funkegruppe.de> wrote:
Maxim,

so far our openMeetings server for internal use is working fine.

I found a lot of manuals using letsencrypt certificates, but this seems not to be that easy and we need to repeat the procedure every 90 days.
To make it more comfortable for the users I think we need to get the certificate in place.
Unfortunately my knowledge about this certificate stuff is close to zero…

We have an official wildcard certificate that we can use.
But I did not find a manual on how to install it.

Is there any documentation I can use? Is that specific to openMeetings or is it
more specific to tomcat?


Gerald





From: Maxim Solodovnik [mailto:solomax666@gmail.com]
Sent: Monday, 30 March 2020 17:19
To: Openmeetings user-list <us...@openmeetings.apache.org>
Subject: Re: ldap config problems with authentication solved - Database move to different server

First of all clustering is not working in M3 https://issues.apache.org/jira/browse/OPENMEETINGS-2186
You need M4 SNAPSHOT for this

Then, I'm afraid, there is a misunderstanding: `localDB` is a UI term meaning the DB as opposed to LDAP
To change the DB location you need to change localhost to some external IP in persistence.xml

Latest SNAPSHOT is here: https://builds.apache.org/view/M-R/view/OpenMeetings/job/openmeetings/
Latest docs here: https://builds.apache.org/view/M-R/view/OpenMeetings/job/openmeetings/site/openmeetings-server/Clustering.html

I hope there will be no DB updates before the M4 release, so most probably the DB will be compatible



On Mon, 30 Mar 2020 at 22:13, Rohrbach, Gerald <G....@funkegruppe.de> wrote:
Well, I need another hint…

As we have now tested a lot and think we can use it for more users, we probably
need more than one server. I am interested in the clustering.
But I know this is sometimes difficult to set up on our core switch.

First step would be to have the database separated on a different server.
We have already created a lot of users in the M3 release.

For testing of the M4 I have already made a backup and restored it.
But in this case the database was also local.

Probably I need to change somewhere in a config file where the new database is
located, if it is not local.
Because in the backup there was a localDB, on the new server I would like a different machine.
Which file do I need to edit?



Regards

Gerald.







From: Maxim Solodovnik [mailto:solomax666@gmail.com]
Sent: Monday, 30 March 2020 16:19
To: Openmeetings user-list <us...@openmeetings.apache.org>
Subject: Re: ldap config problems with authentication solved

Great news :)
I don't have to fix it :)))

Thanks a lot!

On Mon, 30 Mar 2020 at 21:16, Rohrbach, Gerald <G....@funkegruppe.de> wrote:
Maxim,

I found the solution:

These are the settings:

ldap_search_query=(userPrincipalName=%s)
ldap_userdn_format=userPrincipalName=%s,CN=Users,DC=company,DC=de

ldap_user_attr_login=sAMAccountName

Then the users are created the right way, as userid@company.de
No duplicates anymore.


Regards

Gerald


From: Maxim Solodovnik [mailto:solomax666@gmail.com]
Sent: Monday, 30 March 2020 14:37
To: Openmeetings user-list <us...@openmeetings.apache.org>
Subject: Re: ldap config problems with authentication

Of course I can add a simple check "if-login-contains-domain-do-not-add-another-one" but I would prefer to create a simulation of a real LDAP :)

On Mon, 30 Mar 2020 at 19:31, Maxim Solodovnik <so...@gmail.com> wrote:


On Mon, 30 Mar 2020 at 19:25, Rohrbach, Gerald <G....@funkegruppe.de> wrote:
Maxim,

that was a good hint with the logging.
I think it is just an understanding and config issue.

   SearchRequest
        baseDn : 'CN=Users,DC=company,DC=de'
        filter : '(uid=xxxx@compay.de)'

In ADS the uid attribute is not filled. Instead in ADS we need to use UserPrincipalName or something else.

for ADS `samlAccountName` or something like this should be used


So authentication works fine, but every time someone logs in a new user account is created.

It looks like we still have an issue, as the created user login is wrong.
testuser@company.de@company.de

This is the issue
I'm using this
https://github.com/apache/openmeetings/blob/master/openmeetings-web/src/test/resources/schema/users.ldif
Schema for tests
Maybe you can help me to create schema for the case with "suffixed" users?


I hope I get the rest also figured out.


Gerald





From: Maxim Solodovnik [mailto:solomax666@gmail.com]
Sent: Monday, 30 March 2020 11:50
To: Openmeetings user-list <us...@openmeetings.apache.org>
Subject: Re: ldap config problems with authentication

Your log is hard to read due to formatting issues :((
Googling `DSID-0C090442` results in something about "searching between forests" which I don't understand :(

Admin->LDAP has setting "Add domain to user name"
Do you have it checked? (domain to add should be specified)

What is your LDAP provider? Is it ADS?

To make logging more verbose you can
1) stop OM
2) add following line to logback-config.xml
 <logger name="org.apache.directory" level="DEBUG" />
3) restart OM

According to my previous experience SEARCHANDBIND might work better


On Mon, 30 Mar 2020 at 16:31, Rohrbach, Gerald <G....@funkegruppe.de> wrote:
Also having LDAP issues:

It seems not to work.

Below is the om_ldap.cfg, that is used in the config file:

DEBUG 03-30 08:42:26.213 o.a.o.s.q.s.ReminderJob:93 [Bean#0_Worker-3] - Rss disabled by Admin
DEBUG 03-30 08:52:26.214 o.a.o.s.q.s.ReminderJob:93 [Bean#0_Worker-8] - Rss disabled by Admin
DEBUG 03-30 09:02:26.214 o.a.o.s.q.s.ReminderJob:93 [Bean#0_Worker-5] - Rss disabled by Admin
DEBUG 03-30 09:11:36.412 o.a.o.d.d.s.LdapConfigDao:69 [io-5443-exec-10] - getActiveLdapConfigs
DEBUG 03-30 09:11:36.517 o.a.o.d.d.s.LdapConfigDao:69 [nio-5443-exec-2] - getActiveLdapConfigs
DEBUG 03-30 09:12:13.115 o.a.o.c.l.LdapLoginManager:172 [nio-5443-exec-2] - LdapLoginmanager.doLdapLogin
ERROR 03-30 09:12:13.129 o.a.o.c.l.LdapLoginManager:226 [nio-5443-exec-2] - Not authenticated.
org.apache.directory.api.ldap.model.exception.LdapAuthenticationException: 80090308: LdapErr: DSID-0C090442, comment: AcceptSecurityContext error, data 52e, v3839
        at org.apache.directory.api.ldap.model.message.ResultCodeEnum.processResponse(ResultCodeEnum.java:1995)


What does the LdapLoginManager message mean, was the query user not able to connect or was the end user password wrong?
How can I make visible what the query for the user is?
It should be in the form user@domain.de, maybe the mapping is just wrong.





This is the modified
ldap_conn_host=DESVR-DC01.firma.de
ldap_conn_port=389
ldap_conn_secure=false

# Login distinguished name (DN) for Authentication on LDAP Server - keep empty if not required
# Use full qualified LDAP DN
ldap_admin_dn=CN=ldapopenmeetings,OU=Users-Service-Accounts,DC=firma,DC=de

# Loginpass for Authentication on LDAP Server - keep empty if not required
ldap_passwd=#password#

# base to search for userdata(of user, that wants to login)
ldap_search_base=CN=Users,DC=firma,DC=de

# Fieldnames (can differ between Ldap servers)
ldap_search_query=(uid=%s)

# the scope of the search might be: OBJECT, ONELEVEL, SUBTREE
ldap_search_scope=SUBTREE

# Ldap auth type(NONE, SEARCHANDBIND, SIMPLEBIND)
#  When using SIMPLEBIND a simple bind is performed on the LDAP server to check user authentication
#  When using NONE, the Ldap server is not used for authentication
ldap_auth_type=SIMPLEBIND

# userDN format, will be used to bind if ldap_auth_type=SIMPLEBIND
# might be used to get provisionningDn in case ldap_auth_type=NONE
ldap_userdn_format=uid=%s,CN=Users,DC=firma,DC=de

# Ldap provisioning type(NONE, AUTOCREATE, AUTOUPDATE)
ldap_provisionning=AUTOCREATE

# Ldap deref mode (never, searching, finding, always)
ldap_deref_mode=always
ldap_use_admin_to_get_attrs=true

# Ldap-password synchronization to OM DB
#  Set this to 'true' if you want OM to synchronize the user Ldap-password to OM's internal DB
#  If you want to disable the feature, set this to any other string.
#  Defautl value is 'true'
ldap_sync_password_to_om=false

# Ldap group mode (NONE, ATTRIBUTE, QUERY)
# NONE means group associations will be ignored
# ATTRIBUTE means group associations will be taken from 'ldap_group_attr' attribute (M$ AD mode)
# QUERY means group associations will be taken as a result of 'ldap_group_query' query
ldap_group_mode=NONE

ldap_group_query=(&(memberUid=%s)(objectClass=posixGroup))

# Ldap user attributes mapping
# Set the following internal OM user attributes to their corresponding Ldap-attribute

ldap_user_attr_login=uid
ldap_user_attr_lastname=sn
ldap_user_attr_firstname=givenName
ldap_user_attr_mail=mail
ldap_user_attr_street=streetAddress
ldap_user_attr_additionalname=description
ldap_user_attr_fax=facsimileTelephoneNumber
ldap_user_attr_zip=postalCode
ldap_user_attr_country=co
ldap_user_attr_town=l
ldap_user_attr_phone=telephoneNumber
# optional attribute for user picture
#ldap_user_attr_picture=
ldap_group_attr=memberOf

# optional, absolute URL will be used as user picture if #ldap_user_attr_picture will be empty
#ldap_user_picture_uri=picture_uri

# optional
# the timezone has to match any timezone available in Java, otherwise the timezone defined in the value of
# the conf_key "default.timezone" in OpenMeetings "configurations" table
#ldap_user_timezone=timezone

# Ldap ignore upper/lower case, convert all input to lower case
ldap_use_lower_case=false

# Ldap import query, this query should retrieve all LDAP users
ldap_import_query=(objectClass=inetOrgPerson)


--
WBR
Maxim aka solomax


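As an added example that is not OpenMeetings code: the group-restricted ldap_search_query Maxim suggests, written for the userPrincipalName login the thread settled on and checked against a small constructed directory. The OM-Users group DN and the directory entries are assumptions; the filter evaluator is a minimal stand-in for a real LDAP server.

```python
"""Group-restricted LDAP login filter for om_ldap.cfg (added example, not OpenMeetings code).

Builds the ldap_search_query that ANDs the userPrincipalName match with a memberOf test,
fills the %s placeholder the way OpenMeetings fills it (here with RFC 4515 escaping of the
typed login), and evaluates the result against a constructed in-memory directory.
The group DN and the directory entries are assumptions.
"""
from __future__ import annotations

LOGIN_ATTR = "userPrincipalName"                        # AD login attribute used in the thread
OM_GROUP_DN = "CN=OM-Users,OU=Groups,DC=company,DC=de"  # assumed DN of the OM-Users group

# Constructed sample directory: every attribute is a list of values, as LDAP returns them.
DIRECTORY = [
    {"dn": ["CN=Alice,OU=Sales,DC=company,DC=de"],
     "userPrincipalName": ["alice@company.de"],
     "memberOf": [OM_GROUP_DN, "CN=Sales,OU=Groups,DC=company,DC=de"]},
    {"dn": ["CN=Bob,OU=IT,DC=company,DC=de"],
     "userPrincipalName": ["bob@company.de"],
     "memberOf": ["CN=IT,OU=Groups,DC=company,DC=de"]},
    {"dn": ["CN=ldapopenmeetings,OU=Users-Service-Accounts,DC=company,DC=de"],
     "userPrincipalName": ["ldapopenmeetings@company.de"],
     "memberOf": []},
]


def group_restricted_query(login_attr: str = LOGIN_ATTR, group_dn: str = OM_GROUP_DN) -> str:
    """Value for ldap_search_query: the login match ANDed with a memberOf test.
    %s stays in place; OpenMeetings substitutes the login name at search time."""
    return f"(&({login_attr}=%s)(memberOf={group_dn}))"


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value substituted into a filter, so that '*', parentheses
    or backslashes in the typed login stay literal instead of changing the filter."""
    return "".join(f"\\{ord(c):02x}" if c in "*()\\\x00" else c for c in value)


def render_query(template: str, login: str) -> str:
    """Fill the %s placeholder with the escaped login name."""
    return template.replace("%s", escape_filter_value(login))


def _unescape(value: str) -> str:
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 3 <= len(value):
            out.append(chr(int(value[i + 1:i + 3], 16)))
            i += 3
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


def _parse(s: str, i: int) -> tuple[tuple, int]:
    """Recursive-descent parser for the filter subset used here: AND, OR and equality."""
    if s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if s[i] in "&|":
        op, subs, i = s[i], [], i + 1
        while s[i] == "(":
            node, i = _parse(s, i)
            subs.append(node)
        if s[i] != ")":
            raise ValueError(f"expected ')' at offset {i}")
        return (op, subs), i + 1
    end = s.index(")", i)                 # escaped values never contain a literal ')'
    attr, sep, val = s[i:end].partition("=")
    if not sep:
        raise ValueError("only equality matches are supported")
    return ("=", attr, _unescape(val)), end + 1


def _matches(entry: dict[str, list[str]], node: tuple) -> bool:
    if node[0] == "&":
        return all(_matches(entry, sub) for sub in node[1])
    if node[0] == "|":
        return any(_matches(entry, sub) for sub in node[1])
    _, attr, val = node
    # AD matches these string attributes and DNs case-insensitively; model that here.
    values = next((v for k, v in entry.items() if k.lower() == attr.lower()), [])
    return any(v.lower() == val.lower() for v in values)


def find_user(login: str, query: str | None = None,
              directory: list[dict[str, list[str]]] = DIRECTORY) -> str | None:
    """DN of the single entry the rendered filter selects, or None (no match, or more
    than one match, which a login search must also treat as a failure)."""
    rendered = render_query(query or group_restricted_query(), login)
    node, end = _parse(rendered, 0)
    if end != len(rendered):
        raise ValueError("trailing characters after filter")
    hits = [e["dn"][0] for e in directory if _matches(e, node)]
    return hits[0] if len(hits) == 1 else None
```

With the unrestricted `(userPrincipalName=%s)` every AD account the bind succeeds for is found; with the group-restricted query an account outside OM-Users is not found at all, so no OM user is auto-provisioned for it.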

Re: Sending E-Mail to guests / Guest Invitation / LDAP Login only from defined IP ranges

Posted by Maxim Solodovnik <so...@gmail.com>.
I don't see how ldap search can be insecure :(
User provides credentials and they are being checked inside some private
network
And user is authenticated only if there was a match

Maybe you can modify the search to search only inside group?

On Sun, Apr 12, 2020, 14:31 Rohrbach, Gerald <G....@funkegruppe.de>
wrote:

> Maxim,
>
>
>
> we only allow LDAP User, no registration. That´s fine. Probably the FW
> stuff is too complicate.
>
>
>
> I did not figured out the LDAP groups from the config file  As our users
> are stored in different AD containers, we need to set the search base
>
> In the AD root. With that every account can be used, what internal is okay
> but putting this frontend n a DMZ or internet access
>
> it´s very unsecure.
>
> So probably an easy way is to put OM users in an AD group and limit access
> to this.
>
>
>
> But what I need to fill in the LDAP config file. E.g. the UserGroup is
> name OM-Users?
>
>
>
> # Ldap group mode (NONE, ATTRIBUTE, QUERY)
>
> # NONE means group associations will be ignored
>
> # ATTRIBUTE means group associations will be taken from 'ldap_group_attr'
> attribute (M$ AD mode)
>
> # QUERY means group associations will be taken as a result of
> 'ldap_group_query' query
>
> ldap_group_mode=NONE
>
>
>
> ldap_group_query=(&(memberUid=%s)(objectClass=posixGroup))
>
>
>
>
>
> Happy Eastern
>
>
>
> Gerald
>
>
>
>
>
>
>
>
>
> *Von:* Maxim Solodovnik [mailto:solomax666@gmail.com]
> *Gesendet:* Samstag, 11. April 2020 18:07
> *An:* Openmeetings user-list <us...@openmeetings.apache.org>
> *Betreff:* Re: Sending E-Mail to guests / Guest Invitation / LDAP Login
> only from defined IP ranges
>
>
>
> Hello Gerald,
>
>
>
> No sure I get what is required :(
>
> You can set-up FW to reject some IPs, but this way all traffic will be
> filtered
>
> You can disable front-end registration, this way only LDAP users or
> invited guests can use OM
>
> (invited guests can only access room they were invited to, and invitation
> can be limited: one time/period/endless ...)
>
>
>
> On Sat, 11 Apr 2020 at 00:44, Rohrbach, Gerald <G....@funkegruppe.de>
> wrote:
>
> Maxim,
>
> finally I got it working with certificates, you solution was the easiest
> one.
>
>
>
> Our sales team is interested to use OM with customers.
>
> Currently we only use internal, it’s a good help with all the home offices
> now.
>
> I saw you add some changes to allow e-mail to unregistered users. I will
> test this,
>
> this sounds like it will fulfil our needs.
>
>
>
> The login authentication on our internal server is against LDAP. AD
>
> If we put our machine in a DMZ, is there a way to protect Login from
> external IP`s but allow
>
> that a meeting link will come to the invited room session?
>
> The OM-db is on a separate sever already on MySQL.
>
>
>
> I know, openMeetings is more for schools and trainings, but I guess during
> this time a lots of companies are interested.
>
> MS-Teams is heavy, expensive and from my point of view OM delivers nearly
> all needed functionality.
>
> And probably a lot of companies don´t want the data somewhere stored in
> the cloud.
>
> I have tested some of this tools in the past weeks….
>
>
>
> Gerald
>
>
>
>
>
>
>
>
>
> *Von:* Maxim Solodovnik [mailto:solomax666@gmail.com]
> *Gesendet:* Dienstag, 7. April 2020 16:42
> *An:* Openmeetings user-list <us...@openmeetings.apache.org>
> *Betreff:* Re: wildcard certificate
>
>
>
> Well,
>
>
>
> I would suggest to take original server.xml from M4
>
>
> https://github.com/apache/openmeetings/blob/master/openmeetings-server/src/main/assembly/conf/server.xml#L76
>
> And change nothing but <Certificate ...> tag
>
> use this one
>
> <Certificate certificateKeyFile="conf/your_key.pem"
>                         certificateFile="conf/your_crt.pem"
>                         certificateChainFile="conf/your_ca.pem"
>                         type="RSA" />
>
> with your own paths
>
>
>
> no native libraries, conversions etc.
>
> one easy step :))
>
>
>
> Please ensure cert paths are readable by OM :))
>
>
>
> On Tue, 7 Apr 2020 at 19:50, K. Kamhamea <ka...@googlemail.com> wrote:
>
> In my manual I covered wildcard certificates under System Administrator >
> SSL
>
>
>
>
> https://cwiki.apache.org/confluence/display/OPENMEETINGS/OpemMeetings+5+Manual
>
>
>
> Am Di., 7. Apr. 2020 um 12:43 Uhr schrieb Rohrbach, Gerald <
> G.Rohrbach@funkegruppe.de>:
>
> Maxim,
>
>
>
> so far our openMeetings server for internal use is working fine.
>
>
>
> I found a lots of manuals using letsencrypt certificates, but this seem
> not to be that easy and we need to repeat the procedure every 90 days.
>
> To make it more comfortable for the users I think we need to get the
> certificate in plac.e
>
> Unfortunately my knowledge about this certificate stuff is going to zero…
>
>
>
> We have an official wildcard certificate, that we can use.
>
> But I did not found a manual how this is to install.
>
>
>
> Is there any docu I can use? Is that specific to openMeetings or is that
>
> more specific for tomcat?
>
>
>
>
>
> Gerald
>
>
>
>
>
>
>
>
>
>
>
> *Von:* Maxim Solodovnik [mailto:solomax666@gmail.com]
> *Gesendet:* Montag, 30. März 2020 17:19
> *An:* Openmeetings user-list <us...@openmeetings.apache.org>
> *Betreff:* Re: ldap config problems with authentication solved - Database
> move to different server
>
>
>
> First of all clustering is not working in M3
> https://issues.apache.org/jira/browse/OPENMEETINGS-2186
>
> You need M4 SNAPSHOT for this
>
>
>
> Then, I'm afraid, there is misunderstanding: `localDB` is UI term means DB
> as opposite to LDAP
>
> To change DB location you need to change localhost to some external IP in
> persistence.xml
>
>
>
> Latest SNAPSHOT is here:
> https://builds.apache.org/view/M-R/view/OpenMeetings/job/openmeetings/
>
> Latest docs here:
> https://builds.apache.org/view/M-R/view/OpenMeetings/job/openmeetings/site/openmeetings-server/Clustering.html
>
>
>
> I hope were will be no DB updates before M4 release, so most probably DB
> will be compatible
>
>
>
>
>
>
>
> On Mon, 30 Mar 2020 at 22:13, Rohrbach, Gerald <G....@funkegruppe.de>
> wrote:
>
> Well, I need another hint….
>
>
>
> As we have now tested a lot and do think we can use it for more users
> probably we
>
> need more than one server. I interested in the clustering.
>
> But I know this is sometimes difficult on our core switch to setup.
>
>
>
> First step would be to have the database separated on a different server.
>
> We have already created a lots of users in the M3 release.
>
>
>
> For testing of the M4  I have made already a backup and restored it.
>
> But in this case the database was also local.
>
>
>
> Probably I need to change somewhere in a config file, where the new
> database is
>
> Located, if it is not local.
>
> Because in the backup there was a localDB, on the new server I would like
> a different machine.
>
> Which file I need to edit?
>
>
>
>
>
>
>
> Regards
>
>
>
> Gerald.
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
> *Von:* Maxim Solodovnik [mailto:solomax666@gmail.com]
> *Gesendet:* Montag, 30. März 2020 16:19
> *An:* Openmeetings user-list <us...@openmeetings.apache.org>
> *Betreff:* Re: ldap config problems with authentication solved
>
>
>
> Great news :)
>
> I don't have to fix it :)))
>
>
>
> Thanks a lot!
>
>
>
> On Mon, 30 Mar 2020 at 21:16, Rohrbach, Gerald <G....@funkegruppe.de>
> wrote:
>
> Maxim,
>
>
>
> I found the solution:
>
>
>
> This are the settings:
>
>
>
> ldap_search_query=(userPrincipalName=%s)
>
> ldap_userdn_format=userPrincipalName=%s,CN=Users,DC=company,DC=de
>
>
>
> ldap_user_attr_login=sAMAccountName
>
>
>
> Then the users are created in the right way userid@company.de
>
> No duplicates anymore.
>
>
>
>
>
> Regards
>
>
>
> Gerald
>
>
>
>
>
> *Von:* Maxim Solodovnik [mailto:solomax666@gmail.com]
> *Gesendet:* Montag, 30. März 2020 14:37
> *An:* Openmeetings user-list <us...@openmeetings.apache.org>
> *Betreff:* Re: ldap config problems with authentication
>
>
>
> Of cause I can add simple check
> "if-login-contains-domain-do-not-add-another-one" but I would prefer to
> create simulation of real LDAP :)
>
>
>
> On Mon, 30 Mar 2020 at 19:31, Maxim Solodovnik <so...@gmail.com>
> wrote:
>
>
>
>
>
> On Mon, 30 Mar 2020 at 19:25, Rohrbach, Gerald <G....@funkegruppe.de>
> wrote:
>
> Maxim,
>
>
>
> that was a good hint with the logging.
>
> I think it is just a understanding and config issue.
>
>
>
>    SearchRequest
>
>         baseDn : 'CN=Users,DC=company,DC=de'
>
>         filter : '(uid=xxxx@compay.de)'
>
>
>
> In ADS uid attribute is not filled. Instead in ADS we need to user
> UserPrincipalName or something else.
>
>
>
> for ADS `samlAccountName` or something like this should be used
>
>
>
>
>
> So authentication works fine, but eyery time someone logs in a new user
> account is created.
>
>
>
> It  looks like we still have an issue, as the create user login is wrong.
>
> testuser@company.de@company.de
>
>
>
> This is the issue
>
> I'm using this
>
>
> https://github.com/apache/openmeetings/blob/master/openmeetings-web/src/test/resources/schema/users.ldif
>
> Schema for tests
>
> Maybe you can help me to create schema for the case with "suffixed" users?
>
>
>
>
>
> I hope I get the rest also figured out.
>
>
>
>
>
> Gerald
>
>
>
>
>
>
>
>
>
>
>
> *Von:* Maxim Solodovnik [mailto:solomax666@gmail.com]
> *Gesendet:* Montag, 30. März 2020 11:50
> *An:* Openmeetings user-list <us...@openmeetings.apache.org>
> *Betreff:* Re: ldap config problems with authentication
>
>
>
> Your log is hard to read due to formatting issues :((
>
> Googling `DSID-0C090442` results something about "searching between
> forests" which I don't understand :(
>
>
>
> Admin->LDAP has setting "Add domain to user name"
>
> Do you have it checked? (domain to add should be specified)
>
>
>
> What is your LDAP provider? Is it ADS?
>
>
>
> To make logging more verbose you can
>
> 1) stop OM
>
> 2) add following line to logback-config.xml
>
>  <logger name="org.apache.directory" level="DEBUG" />
>
> 3) restart OM
>
>
>
> According to my previous experience SEARCHANDBIND might work better
>
>
>
>
>
> On Mon, 30 Mar 2020 at 16:31, Rohrbach, Gerald <G....@funkegruppe.de>
> wrote:
>
> Also having LDAP issues:
>
>
>
> It seems not to work.
>
>
>
> Below is the om_ldap.cfg, that is used in the config file:
>
>
>
> ^[[39mDEBUG^[[0;39m 03-30 08:42:26.213 ^[[36mo.a.o.s.q.s.ReminderJob:93
> [Bean#0_Worker-3]^[[0;39m - Rss disabled by Admin
>                                                                                          ^[[39mDEBUG^[[0;39m
> 03-30 08:52:26.214 ^[[36mo.a.o.s.q.s.ReminderJob:93
> [Bean#0_Worker-8]^[[0;39m - Rss disabled by
> Admin
>                                                                       ^[[39mDEBUG^[[0;39m
> 03-30 09:02:26.214 ^[[36mo.a.o.s.q.s.ReminderJob:93
> [Bean#0_Worker-5]^[[0;39m - Rss disabled by
> Admin
>                                                    ^[[39mDEBUG^[[0;39m
> 03-30 09:11:36.412 ^[[36mo.a.o.d.d.s.LdapConfigDao:69
> [io-5443-exec-10]^[[0;39m -
> getActiveLdapConfigs
>                                 ^[[39mDEBUG^[[0;39m 03-30 09:11:36.517
> ^[[36mo.a.o.d.d.s.LdapConfigDao:69 [nio-5443-exec-2]^[[0;39m -
> getActiveLdapConfigs
>              ^[[39mDEBUG^[[0;39m 03-30 09:12:13.115
> ^[[36mo.a.o.c.l.LdapLoginManager:172 [nio-5443-exec-2]^[[0;39m -
> LdapLoginmanager.doLdapLogin
> ^[[1;31mERROR^[[0;39m 03-30 09:12:13.129
> ^[[36mo.a.o.c.l.LdapLoginManager:226 [nio-5443-exec-2]^[[0;39m - Not
> authenticated.
> org.apache.directory.api.ldap.model.exception.LdapAuthenticationException:
> 80090308: LdapErr: DSID-0C090442, comment: AcceptSecurityContext error,
> data 52e,
> v3839^@
> at
> org.apache.directory.api.ldap.model.message.ResultCodeEnum.processResponse(ResultCodeEnum.java:1995)
>
>
>
>
>
>
> What does the LdapLogin Manager message means, was the query user not able
> to connect or was the end user password wrong.
>
> How I can make visible, what the query for the user ist.
>
> It should be in the form user@domain.de , maybe the mapping is just wrong.
>
>
>
>
>
>
>
>
>
>
>
> This is the modified
>
>  ldap_conn_host=DESVR-DC01.firma.de
>
> ldap_conn_port=389
>
> ldap_conn_secure=false
>
>
>
> # Login distinguished name (DN) for Authentication on LDAP Server - keep
> empty if not required
>
> # Use full qualified LDAP DN
>
> ldap_admin_dn=CN=ldapopenmeetings,OU=Users-Service-Accounts,DC=firma,DC=de
>
>
>
> # Loginpass for Authentication on LDAP Server - keep empty if not required
>
> ldap_passwd=#password#
>
>
>
> # base to search for userdata(of user, that wants to login)
>
> ldap_search_base=CN=Users,DC=firma,DC=de
>
>
>
> # Fieldnames (can differ between Ldap servers)
>
> ldap_search_query=(uid=%s)
>
>
>
> # the scope of the search might be: OBJECT, ONELEVEL, SUBTREE
>
> ldap_search_scope=SUBTREE
>
>
>
> # Ldap auth type(NONE, SEARCHANDBIND, SIMPLEBIND)
>
> #  When using SIMPLEBIND a simple bind is performed on the LDAP server to
> check user authentication
>
> #  When using NONE, the Ldap server is not used for authentication
>
> ldap_auth_type=SIMPLEBIND
>
>
>
> # userDN format, will be used to bind if ldap_auth_type=SIMPLEBIND
>
> # might be used to get provisionningDn in case ldap_auth_type=NONE
>
> ldap_userdn_format=uid=%s,CN=Users,DC=firma,DC=de
>
>
>
> # Ldap provisioning type(NONE, AUTOCREATE, AUTOUPDATE)
>
> ldap_provisionning=AUTOCREATE
>
>
>
> # Ldap deref mode (never, searching, finding, always)
>
> ldap_deref_mode=always
>
> ldap_use_admin_to_get_attrs=true
>
>
>
> # Ldap-password synchronization to OM DB
>
> #  Set this to 'true' if you want OM to synchronize the user Ldap-password
> to OM's internal DB
>
> #  If you want to disable the feature, set this to any other string.
>
> #  Defautl value is 'true'
>
> ldap_sync_password_to_om=false
>
>
>
> # Ldap group mode (NONE, ATTRIBUTE, QUERY)
>
> # NONE means group associations will be ignored
>
> # ATTRIBUTE means group associations will be taken from 'ldap_group_attr'
> attribute (M$ AD mode)
>
> # QUERY means group associations will be taken as a result of
> 'ldap_group_query' query
>
> ldap_group_mode=NONE
>
>
>
> ldap_group_query=(&(memberUid=%s)(objectClass=posixGroup))
>
>
>
> # Ldap user attributes mapping
>
> # Set the following internal OM user attributes to their corresponding
> Ldap-attribute
>
>
>
> ldap_user_attr_login=uid
>
> ldap_user_attr_lastname=sn
>
> ldap_user_attr_firstname=givenName
>
> ldap_user_attr_mail=mail
>
> ldap_user_attr_street=streetAddress
>
> ldap_user_attr_additionalname=description
>
> ldap_user_attr_fax=facsimileTelephoneNumber
>
> ldap_user_attr_zip=postalCode
>
> ldap_user_attr_country=co
>
> ldap_user_attr_town=l
>
> ldap_user_attr_phone=telephoneNumber
>
> # optional attribute for user picture
>
> #ldap_user_attr_picture=
>
> ldap_group_attr=memberOf
>
>
>
> # optional, absolute URL will be used as user picture if
> #ldap_user_attr_picture will be empty
>
> #ldap_user_picture_uri=picture_uri
>
>
>
> # optional
>
> # the timezone has to match any timezone available in Java, otherwise the
> timezone defined in the value of
>
> # the conf_key "default.timezone" in OpenMeetings "configurations" table
>
> #ldap_user_timezone=timezone
>
>
>
> # Ldap ignore upper/lower case, convert all input to lower case
>
> ldap_use_lower_case=false
>
>
>
> # Ldap import query, this query should retrieve all LDAP users
>
> ldap_import_query=(objectClass=inetOrgPerson)
>
>
>
>
> --
>
> WBR
> Maxim aka solomax
>
>
>
>
> --
>
> WBR
> Maxim aka solomax
>
>
>
>
> --
>
> WBR
> Maxim aka solomax
>
>
>
>
> --
>
> WBR
> Maxim aka solomax
>
>
>
>
> --
>
> WBR
> Maxim aka solomax
>
>
>
>
> --
>
> Best regards,
> Maxim
>
>
>
>
> --
>
> Best regards,
> Maxim
>

AW: Sending E-Mail to guests / Guest Invitation / LDAP Login only from defined IP ranges

Posted by "Rohrbach, Gerald" <G....@funkegruppe.de>.
Maxim,

we only allow LDAP users, no registration. That's fine. Probably the FW stuff is too complicated.

I did not figure out the LDAP groups from the config file. As our users are stored in different AD containers, we need to set the search base
in the AD root. With that every account can be used, which internally is okay, but putting this frontend in a DMZ or on internet access
is very insecure.
So probably an easy way is to put OM users in an AD group and limit access to this.

But what do I need to fill in the LDAP config file, e.g. if the user group is named OM-Users?

# Ldap group mode (NONE, ATTRIBUTE, QUERY)
# NONE means group associations will be ignored
# ATTRIBUTE means group associations will be taken from 'ldap_group_attr' attribute (M$ AD mode)
# QUERY means group associations will be taken as a result of 'ldap_group_query' query
ldap_group_mode=NONE

ldap_group_query=(&(memberUid=%s)(objectClass=posixGroup))


Happy Easter

Gerald




From: Maxim Solodovnik [mailto:solomax666@gmail.com]
Sent: Saturday, 11 April 2020 18:07
To: Openmeetings user-list <us...@openmeetings.apache.org>
Subject: Re: Sending E-Mail to guests / Guest Invitation / LDAP Login only from defined IP ranges

Hello Gerald,

Not sure I get what is required :(
You can set up a FW to reject some IPs, but this way all traffic will be filtered
You can disable front-end registration, this way only LDAP users or invited guests can use OM
(invited guests can only access the room they were invited to, and the invitation can be limited: one time/period/endless ...)

On Sat, 11 Apr 2020 at 00:44, Rohrbach, Gerald <G....@funkegruppe.de>> wrote:
Maxim,
finally I got it working with certificates, you solution was the easiest one.

Our sales team is interested to use OM with customers.
Currently we only use internal, it’s a good help with all the home offices now.
I saw you add some changes to allow e-mail to unregistered users. I will test this,
this sounds like it will fulfil our needs.

The login authentication on our internal server is against LDAP (AD).
If we put our machine in a DMZ, is there a way to protect the login from external IPs but allow
that a meeting link will come to the invited room session?
The OM DB is on a separate server already, on MySQL.

I know, OpenMeetings is more for schools and trainings, but I guess during this time a lot of companies are interested.
MS Teams is heavy, expensive and from my point of view OM delivers nearly all needed functionality.
And probably a lot of companies don't want the data stored somewhere in the cloud.
I have tested some of these tools in the past weeks….

Gerald




From: Maxim Solodovnik [mailto:solomax666@gmail.com]
Sent: Tuesday, 7 April 2020 16:42
To: Openmeetings user-list <us...@openmeetings.apache.org>
Subject: Re: wildcard certificate

Well,

I would suggest to take original server.xml from M4
https://github.com/apache/openmeetings/blob/master/openmeetings-server/src/main/assembly/conf/server.xml#L76
And change nothing but <Certificate ...> tag
use this one
<Certificate certificateKeyFile="conf/your_key.pem"
                        certificateFile="conf/your_crt.pem"
                        certificateChainFile="conf/your_ca.pem"
                        type="RSA" />
with your own paths

no native libraries, conversions etc.
one easy step :))

Please ensure cert paths are readable by OM :))

On Tue, 7 Apr 2020 at 19:50, K. Kamhamea <ka...@googlemail.com> wrote:
In my manual I covered wildcard certificates under System Administrator > SSL

https://cwiki.apache.org/confluence/display/OPENMEETINGS/OpemMeetings+5+Manual

On Tue, 7 Apr 2020 at 12:43, Rohrbach, Gerald <G....@funkegruppe.de> wrote:
Maxim,

so far our openMeetings server for internal use is working fine.

I found a lot of manuals using letsencrypt certificates, but this seems not to be that easy and we need to repeat the procedure every 90 days.
To make it more comfortable for the users I think we need to get the certificate in place.
Unfortunately my knowledge about this certificate stuff is going to zero…

We have an official wildcard certificate that we can use.
But I did not find a manual on how to install it.

Is there any documentation I can use? Is that specific to OpenMeetings or is it
more specific to Tomcat?


Gerald





From: Maxim Solodovnik [mailto:solomax666@gmail.com]
Sent: Monday, 30 March 2020 17:19
To: Openmeetings user-list <us...@openmeetings.apache.org>
Subject: Re: ldap config problems with authentication solved - Database move to different server

First of all clustering is not working in M3 https://issues.apache.org/jira/browse/OPENMEETINGS-2186
You need M4 SNAPSHOT for this

Then, I'm afraid, there is a misunderstanding: `localDB` is a UI term meaning DB as opposed to LDAP
To change the DB location you need to change localhost to some external IP in persistence.xml

Latest SNAPSHOT is here: https://builds.apache.org/view/M-R/view/OpenMeetings/job/openmeetings/
Latest docs here: https://builds.apache.org/view/M-R/view/OpenMeetings/job/openmeetings/site/openmeetings-server/Clustering.html

I hope there will be no DB updates before the M4 release, so most probably the DB will be compatible



On Mon, 30 Mar 2020 at 22:13, Rohrbach, Gerald <G....@funkegruppe.de> wrote:
Well, I need another hint….

As we have now tested a lot and think we can use it for more users, probably we
need more than one server. I am interested in the clustering.
But I know this is sometimes difficult to set up on our core switch.

First step would be to have the database separated on a different server.
We have already created a lot of users in the M3 release.

For testing M4 I have already made a backup and restored it.
But in this case the database was also local.

Probably I need to change somewhere in a config file where the new database is
located, if it is not local.
Because in the backup there was a localDB; on the new server I would like a different machine.
Which file do I need to edit?



Regards

Gerald.







From: Maxim Solodovnik [mailto:solomax666@gmail.com]
Sent: Monday, 30 March 2020 16:19
To: Openmeetings user-list <us...@openmeetings.apache.org>
Subject: Re: ldap config problems with authentication solved

Great news :)
I don't have to fix it :)))

Thanks a lot!

On Mon, 30 Mar 2020 at 21:16, Rohrbach, Gerald <G....@funkegruppe.de> wrote:
Maxim,

I found the solution:

These are the settings:

ldap_search_query=(userPrincipalName=%s)
ldap_userdn_format=userPrincipalName=%s,CN=Users,DC=company,DC=de

ldap_user_attr_login=sAMAccountName

Then the users are created in the right way: userid@company.de
No duplicates anymore.


Regards

Gerald


From: Maxim Solodovnik [mailto:solomax666@gmail.com]
Sent: Monday, 30 March 2020 14:37
To: Openmeetings user-list <us...@openmeetings.apache.org>
Subject: Re: ldap config problems with authentication

Of course I can add a simple check "if-login-contains-domain-do-not-add-another-one" but I would prefer to create a simulation of a real LDAP :)

On Mon, 30 Mar 2020 at 19:31, Maxim Solodovnik <so...@gmail.com> wrote:


On Mon, 30 Mar 2020 at 19:25, Rohrbach, Gerald <G....@funkegruppe.de> wrote:
Maxim,

that was a good hint with the logging.
I think it is just an understanding and config issue.

   SearchRequest
        baseDn : 'CN=Users,DC=company,DC=de'
        filter : '(uid=xxxx@compay.de)'

In ADS the uid attribute is not filled. Instead in ADS we need to use UserPrincipalName or something else.

for ADS `samlAccountName` or something like this should be used


So authentication works fine, but every time someone logs in a new user account is created.

It looks like we still have an issue, as the created user login is wrong:
testuser@company.de@company.de

This is the issue
I'm using this
https://github.com/apache/openmeetings/blob/master/openmeetings-web/src/test/resources/schema/users.ldif
Schema for tests
Maybe you can help me to create a schema for the case with "suffixed" users?


I hope I get the rest also figured out.


Gerald





From: Maxim Solodovnik [mailto:solomax666@gmail.com]
Sent: Monday, 30 March 2020 11:50
To: Openmeetings user-list <us...@openmeetings.apache.org>
Subject: Re: ldap config problems with authentication

Your log is hard to read due to formatting issues :((
Googling `DSID-0C090442` returns something about "searching between forests" which I don't understand :(

Admin->LDAP has setting "Add domain to user name"
Do you have it checked? (domain to add should be specified)

What is your LDAP provider? Is it ADS?

To make logging more verbose you can
1) stop OM
2) add following line to logback-config.xml
 <logger name="org.apache.directory" level="DEBUG" />
3) restart OM

According to my previous experience SEARCHANDBIND might work better


On Mon, 30 Mar 2020 at 16:31, Rohrbach, Gerald <G....@funkegruppe.de> wrote:
Also having LDAP issues:

It seems not to work.

Below is the om_ldap.cfg, that is used in the config file:

DEBUG 03-30 08:42:26.213 o.a.o.s.q.s.ReminderJob:93 [Bean#0_Worker-3] - Rss disabled by Admin
DEBUG 03-30 08:52:26.214 o.a.o.s.q.s.ReminderJob:93 [Bean#0_Worker-8] - Rss disabled by Admin
DEBUG 03-30 09:02:26.214 o.a.o.s.q.s.ReminderJob:93 [Bean#0_Worker-5] - Rss disabled by Admin
DEBUG 03-30 09:11:36.412 o.a.o.d.d.s.LdapConfigDao:69 [io-5443-exec-10] - getActiveLdapConfigs
DEBUG 03-30 09:11:36.517 o.a.o.d.d.s.LdapConfigDao:69 [nio-5443-exec-2] - getActiveLdapConfigs
DEBUG 03-30 09:12:13.115 o.a.o.c.l.LdapLoginManager:172 [nio-5443-exec-2] - LdapLoginmanager.doLdapLogin
ERROR 03-30 09:12:13.129 o.a.o.c.l.LdapLoginManager:226 [nio-5443-exec-2] - Not authenticated.
org.apache.directory.api.ldap.model.exception.LdapAuthenticationException: 80090308: LdapErr: DSID-0C090442, comment: AcceptSecurityContext error, data 52e, v3839
        at org.apache.directory.api.ldap.model.message.ResultCodeEnum.processResponse(ResultCodeEnum.java:1995)


What does the LdapLoginManager message mean: was the query user not able to connect, or was the end user password wrong?
How can I make visible what the query for the user is?
It should be in the form user@domain.de, maybe the mapping is just wrong.





This is the modified
ldap_conn_host=DESVR-DC01.firma.de
ldap_conn_port=389
ldap_conn_secure=false

# Login distinguished name (DN) for Authentication on LDAP Server - keep empty if not required
# Use full qualified LDAP DN
ldap_admin_dn=CN=ldapopenmeetings,OU=Users-Service-Accounts,DC=firma,DC=de

# Loginpass for Authentication on LDAP Server - keep empty if not required
ldap_passwd=#password#

# base to search for userdata(of user, that wants to login)
ldap_search_base=CN=Users,DC=firma,DC=de

# Fieldnames (can differ between Ldap servers)
ldap_search_query=(uid=%s)

# the scope of the search might be: OBJECT, ONELEVEL, SUBTREE
ldap_search_scope=SUBTREE

# Ldap auth type(NONE, SEARCHANDBIND, SIMPLEBIND)
#  When using SIMPLEBIND a simple bind is performed on the LDAP server to check user authentication
#  When using NONE, the Ldap server is not used for authentication
ldap_auth_type=SIMPLEBIND

# userDN format, will be used to bind if ldap_auth_type=SIMPLEBIND
# might be used to get provisionningDn in case ldap_auth_type=NONE
ldap_userdn_format=uid=%s,CN=Users,DC=firma,DC=de

# Ldap provisioning type(NONE, AUTOCREATE, AUTOUPDATE)
ldap_provisionning=AUTOCREATE

# Ldap deref mode (never, searching, finding, always)
ldap_deref_mode=always
ldap_use_admin_to_get_attrs=true

# Ldap-password synchronization to OM DB
#  Set this to 'true' if you want OM to synchronize the user Ldap-password to OM's internal DB
#  If you want to disable the feature, set this to any other string.
#  Defautl value is 'true'
ldap_sync_password_to_om=false

# Ldap group mode (NONE, ATTRIBUTE, QUERY)
# NONE means group associations will be ignored
# ATTRIBUTE means group associations will be taken from 'ldap_group_attr' attribute (M$ AD mode)
# QUERY means group associations will be taken as a result of 'ldap_group_query' query
ldap_group_mode=NONE

ldap_group_query=(&(memberUid=%s)(objectClass=posixGroup))

# Ldap user attributes mapping
# Set the following internal OM user attributes to their corresponding Ldap-attribute

ldap_user_attr_login=uid
ldap_user_attr_lastname=sn
ldap_user_attr_firstname=givenName
ldap_user_attr_mail=mail
ldap_user_attr_street=streetAddress
ldap_user_attr_additionalname=description
ldap_user_attr_fax=facsimileTelephoneNumber
ldap_user_attr_zip=postalCode
ldap_user_attr_country=co
ldap_user_attr_town=l
ldap_user_attr_phone=telephoneNumber
# optional attribute for user picture
#ldap_user_attr_picture=
ldap_group_attr=memberOf

# optional, absolute URL will be used as user picture if #ldap_user_attr_picture will be empty
#ldap_user_picture_uri=picture_uri

# optional
# the timezone has to match any timezone available in Java, otherwise the timezone defined in the value of
# the conf_key "default.timezone" in OpenMeetings "configurations" table
#ldap_user_timezone=timezone

# Ldap ignore upper/lower case, convert all input to lower case
ldap_use_lower_case=false

# Ldap import query, this query should retrieve all LDAP users
ldap_import_query=(objectClass=inetOrgPerson)


--
WBR
Maxim aka solomax




--
Best regards,
Maxim


--
Best regards,
Maxim
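As an added example (not OpenMeetings code, and in Python rather than OM's Java) for the group restriction Gerald asks about and for the AD bind error shown in the log further down: it simulates the SEARCHANDBIND flow against a constructed in-memory directory, where the ldap_search_query-style template carries a memberOf assertion for an assumed group DN, so a login outside OM-Users yields no entry and never reaches the bind step. The group DN, user entries and passwords are invented sample values, and how OpenMeetings itself orders search and bind for each auth type is not reproduced here.

```python
import re

# Constructed sample directory (not real data): users sit in different
# containers, so the search base is the domain root; only Alice is in OM-Users.
GROUP_DN = "CN=OM-Users,OU=Groups,DC=company,DC=de"  # assumed group DN
DIRECTORY = {
    "CN=Alice,OU=Sales,DC=company,DC=de": {
        "userPrincipalName": "alice@company.de",
        "sAMAccountName": "alice",
        "memberOf": [GROUP_DN, "CN=Sales,OU=Groups,DC=company,DC=de"],
        "password": "alice-pw",  # constructed; a real directory never exposes this
    },
    "CN=Bob,OU=IT,DC=company,DC=de": {
        "userPrincipalName": "bob@company.de",
        "sAMAccountName": "bob",
        "memberOf": ["CN=IT,OU=Groups,DC=company,DC=de"],
        "password": "bob-pw",
    },
}

# ldap_search_query-style template: %s is replaced by the typed login, and the
# memberOf assertion limits the result to the OM-Users group.
SEARCH_QUERY = "(&(userPrincipalName=%s)(memberOf=" + GROUP_DN + "))"

# Well-known "data" codes in AD's "AcceptSecurityContext error" bind message.
AD_BIND_DATA = {
    "525": "user not found",
    "52e": "invalid credentials",
    "530": "not permitted to logon at this time",
    "533": "account disabled",
    "775": "account locked out",
}


def escape_filter_value(value):
    """RFC 4515 escaping for a value substituted into a filter, so a login like
    '*)(...' cannot change the filter structure (LDAP filter injection)."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def _unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def entry_matches(attrs, filt):
    """Evaluate a filter that is a conjunction of equality assertions such as
    (&(a=b)(c=d)); AD compares these attribute values case-insensitively."""
    for attr, raw in re.findall(r"\((\w+)=([^()]*)\)", filt):
        values = attrs.get(attr, [])
        values = [values] if isinstance(values, str) else values
        if _unescape(raw).lower() not in [v.lower() for v in values]:
            return False
    return True


def find_user(login):
    """Search step: DNs matching the filled-in query (must be exactly one)."""
    filt = SEARCH_QUERY % escape_filter_value(login)
    return [dn for dn, attrs in DIRECTORY.items() if entry_matches(attrs, filt)]


def search_and_bind(login, password):
    """Returns (ok, detail). Because the group check sits in the search filter,
    a user outside OM-Users gets no entry and no bind is ever attempted."""
    dns = find_user(login)
    if len(dns) != 1:
        return False, "no unique entry: unknown login or not in OM-Users"
    if DIRECTORY[dns[0]]["password"] != password:  # simulated bind as that DN
        return False, "bind failed, AD data 52e: " + AD_BIND_DATA["52e"]
    return True, DIRECTORY[dns[0]]["sAMAccountName"]


def ad_bind_error_reason(message):
    """Map the 'data NNN' code of an AD bind error (as in the
    LdapAuthenticationException text in the log) to a reason."""
    m = re.search(r"data ([0-9a-f]+)", message)
    return AD_BIND_DATA.get(m.group(1), "unknown code") if m else "no AD data code"


if __name__ == "__main__":
    print(search_and_bind("alice@company.de", "alice-pw"))   # (True, 'alice')
    print(search_and_bind("bob@company.de", "bob-pw"))       # not in OM-Users
    print(ad_bind_error_reason("80090308: LdapErr: DSID-0C090442, comment: "
                               "AcceptSecurityContext error, data 52e, v3839"))
```

With a search-and-bind auth type the directory search runs before the bind, so the search filter is where membership in one AD group can be required; with a plain simple bind the user DN template alone decides who may attempt to authenticate.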

Re: Sending E-Mail to guests / Guest Invitation / LDAP Login only from defined IP ranges

Posted by Maxim Solodovnik <so...@gmail.com>.
Hello Gerald,

Not sure I get what is required :(
You can set-up FW to reject some IPs, but this way all traffic will be
filtered
You can disable front-end registration, this way only LDAP users or invited
guests can use OM
(invited guests can only access room they were invited to, and invitation
can be limited: one time/period/endless ...)

On Sat, 11 Apr 2020 at 00:44, Rohrbach, Gerald <G....@funkegruppe.de>
wrote:



-- 
Best regards,
Maxim