Posted to user@openmeetings.apache.org by "Rohrbach, Gerald" <G....@funkegruppe.de> on 2020/03/30 09:30:49 UTC

Re: ldap config problems with authentication

Also having LDAP issues:

It seems not to work.

Below is the om_ldap.cfg, that is used in the config file:

DEBUG 03-30 08:42:26.213 o.a.o.s.q.s.ReminderJob:93 [Bean#0_Worker-3] - Rss disabled by Admin
DEBUG 03-30 08:52:26.214 o.a.o.s.q.s.ReminderJob:93 [Bean#0_Worker-8] - Rss disabled by Admin
DEBUG 03-30 09:02:26.214 o.a.o.s.q.s.ReminderJob:93 [Bean#0_Worker-5] - Rss disabled by Admin
DEBUG 03-30 09:11:36.412 o.a.o.d.d.s.LdapConfigDao:69 [io-5443-exec-10] - getActiveLdapConfigs
DEBUG 03-30 09:11:36.517 o.a.o.d.d.s.LdapConfigDao:69 [nio-5443-exec-2] - getActiveLdapConfigs
DEBUG 03-30 09:12:13.115 o.a.o.c.l.LdapLoginManager:172 [nio-5443-exec-2] - LdapLoginmanager.doLdapLogin
ERROR 03-30 09:12:13.129 o.a.o.c.l.LdapLoginManager:226 [nio-5443-exec-2] - Not authenticated.
org.apache.directory.api.ldap.model.exception.LdapAuthenticationException: 80090308: LdapErr: DSID-0C090442, comment: AcceptSecurityContext error, data 52e, v3839
	at org.apache.directory.api.ldap.model.message.ResultCodeEnum.processResponse(ResultCodeEnum.java:1995)


What does the LdapLoginManager message mean: was the query user not able to connect, or was the end user's password wrong?
How can I make visible what the query for the user is?
It should be in the form user@domain.de, maybe the mapping is just wrong.





This is the modified
ldap_conn_host=DESVR-DC01.firma.de
ldap_conn_port=389
ldap_conn_secure=false

# Login distinguished name (DN) for Authentication on LDAP Server - keep empty if not required
# Use full qualified LDAP DN
ldap_admin_dn=CN=ldapopenmeetings,OU=Users-Service-Accounts,DC=firma,DC=de

# Loginpass for Authentication on LDAP Server - keep empty if not required
ldap_passwd=#password#

# base to search for userdata(of user, that wants to login)
ldap_search_base=CN=Users,DC=firma,DC=de

# Fieldnames (can differ between Ldap servers)
ldap_search_query=(uid=%s)

# the scope of the search might be: OBJECT, ONELEVEL, SUBTREE
ldap_search_scope=SUBTREE

# Ldap auth type(NONE, SEARCHANDBIND, SIMPLEBIND)
#  When using SIMPLEBIND a simple bind is performed on the LDAP server to check user authentication
#  When using NONE, the Ldap server is not used for authentication
ldap_auth_type=SIMPLEBIND

# userDN format, will be used to bind if ldap_auth_type=SIMPLEBIND
# might be used to get provisionningDn in case ldap_auth_type=NONE
ldap_userdn_format=uid=%s,CN=Users,DC=firma,DC=de

# Ldap provisioning type(NONE, AUTOCREATE, AUTOUPDATE)
ldap_provisionning=AUTOCREATE

# Ldap deref mode (never, searching, finding, always)
ldap_deref_mode=always
ldap_use_admin_to_get_attrs=true

# Ldap-password synchronization to OM DB
#  Set this to 'true' if you want OM to synchronize the user Ldap-password to OM's internal DB
#  If you want to disable the feature, set this to any other string.
#  Default value is 'true'
ldap_sync_password_to_om=false

# Ldap group mode (NONE, ATTRIBUTE, QUERY)
# NONE means group associations will be ignored
# ATTRIBUTE means group associations will be taken from 'ldap_group_attr' attribute (M$ AD mode)
# QUERY means group associations will be taken as a result of 'ldap_group_query' query
ldap_group_mode=NONE

ldap_group_query=(&(memberUid=%s)(objectClass=posixGroup))

# Ldap user attributes mapping
# Set the following internal OM user attributes to their corresponding Ldap-attribute

ldap_user_attr_login=uid
ldap_user_attr_lastname=sn
ldap_user_attr_firstname=givenName
ldap_user_attr_mail=mail
ldap_user_attr_street=streetAddress
ldap_user_attr_additionalname=description
ldap_user_attr_fax=facsimileTelephoneNumber
ldap_user_attr_zip=postalCode
ldap_user_attr_country=co
ldap_user_attr_town=l
ldap_user_attr_phone=telephoneNumber
# optional attribute for user picture
#ldap_user_attr_picture=
ldap_group_attr=memberOf

# optional, absolute URL will be used as user picture if #ldap_user_attr_picture will be empty
#ldap_user_picture_uri=picture_uri

# optional
# the timezone has to match any timezone available in Java, otherwise the timezone defined in the value of
# the conf_key "default.timezone" in OpenMeetings "configurations" table
#ldap_user_timezone=timezone

# Ldap ignore upper/lower case, convert all input to lower case
ldap_use_lower_case=false

# Ldap import query, this query should retrieve all LDAP users
ldap_import_query=(objectClass=inetOrgPerson)

Re: ldap config problems with authentication

Posted by Maxim Solodovnik <so...@gmail.com>.
On Tue, 31 Mar 2020 at 15:26, Rohrbach, Gerald <G....@funkegruppe.de>
wrote:

> Maxim,
>
> two small questions/ issues.
>
> Is it simply possible to set in the Login the LDAP as default and localDB
> as option. So just the other way round?
>

This one should be easy:
Just set default.ldap.id
https://openmeetings.apache.org/GeneralConfiguration.html


>
> If we do use LDAP ADS it seems not to work that a user can change his own
> settings. If we set LDAP password sync we will run into the password
> complexity problem.
>

Not sure I get this :((


>
> Can we somewhere switch off the password complexity?
>
> We are using it just internally, so it is no security issue in our case.
>

"Complexity" == Uppercase+lowercase+alpha+special symbol ?
If so, I'm afraid you have to tweak sources and re-compile :(


>
>
>
>
>
>
> Regards
>
>
>
> Gerald
>
>
>
>
>
>
>
>
>
>
>
>
>
> *Von:* Maxim Solodovnik [mailto:solomax666@gmail.com]
> *Gesendet:* Montag, 30. März 2020 15:19
> *An:* Openmeetings user-list <us...@openmeetings.apache.org>
> *Betreff:* Re: ldap config problems with authentication
>
>
>
> Just have created test and there is only one user after 2 sign-ins
>
> Can you query DB (something like `select id,login,type,domain_id from
> om_user where login = your_multiplied_login`) and show here?
>
>
>
> On Mon, 30 Mar 2020 at 20:09, Maxim Solodovnik <so...@gmail.com>
> wrote:
>
>
>
>
>
> On Mon, 30 Mar 2020 at 20:05, Rohrbach, Gerald <G....@funkegruppe.de>
> wrote:
>
> Maxim,
>
>
>
> I have no problem how the userID is, if user@domain.de or just user.
>
>
>
> The problem I have is that every time a user logs in a new account is
> created.
>
> So if userA logs in 3 times I have userA 3 times in the database.
>
> Probably simple config issue.
>
>
>
> This shouldn't work like this
>
> I'll do some tests and will get back
>
>
>
>
>
> I understood now, that users are created from ADS when a user Logs in.
>
> That’s fine.
>
> Unfortunately the country from ADS does not apply.
>
> In the ADS for the user is Deutschland, but when the user is created this
> is not picked up.
>
> I would need to know how to set defaults.
>
>
>
> Om expects country as 2 letter country code:
> https://www.iban.com/country-codes
>
> So I guess DE should work
>
>
>
>
>
>
>
> As I had now several users deleted, because duplicate they are marked as
> purged.
>
> But still shown. How can I get rid of this?
>
>
>
> The only way to remove "purged" users is to perform export/import
>
> These users are "ghosts" doesn't appear in searches, unable to login etc.
>
>
>
>
>
> Gerald
>
>
>
>
>
>
>
>
>
> *Von:* Maxim Solodovnik [mailto:solomax666@gmail.com]
> *Gesendet:* Montag, 30. März 2020 14:37
> *An:* Openmeetings user-list <us...@openmeetings.apache.org>
> *Betreff:* Re: ldap config problems with authentication
>
>
>
> Of cause I can add simple check
> "if-login-contains-domain-do-not-add-another-one" but I would prefer to
> create simulation of real LDAP :)
>
>
>
> On Mon, 30 Mar 2020 at 19:31, Maxim Solodovnik <so...@gmail.com>
> wrote:
>
>
>
>
>
> On Mon, 30 Mar 2020 at 19:25, Rohrbach, Gerald <G....@funkegruppe.de>
> wrote:
>
> Maxim,
>
>
>
> that was a good hint with the logging.
>
> I think it is just a understanding and config issue.
>
>
>
>    SearchRequest
>
>         baseDn : 'CN=Users,DC=company,DC=de'
>
>         filter : '(uid=xxxx@compay.de)'
>
>
>
> In ADS uid attribute is not filled. Instead in ADS we need to user
> UserPrincipalName or something else.
>
>
>
> for ADS `samlAccountName` or something like this should be used
>
>
>
>
>
> So authentication works fine, but eyery time someone logs in a new user
> account is created.
>
>
>
> It  looks like we still have an issue, as the create user login is wrong.
>
> testuser@company.de@company.de
>
>
>
> This is the issue
>
> I'm using this
>
>
> https://github.com/apache/openmeetings/blob/master/openmeetings-web/src/test/resources/schema/users.ldif
>
> Schema for tests
>
> Maybe you can help me to create schema for the case with "suffixed" users?
>
>
>
>
>
> I hope I get the rest also figured out.
>
>
>
>
>
> Gerald
>
>
>
>
>
>
>
>
>
>
>
> *Von:* Maxim Solodovnik [mailto:solomax666@gmail.com]
> *Gesendet:* Montag, 30. März 2020 11:50
> *An:* Openmeetings user-list <us...@openmeetings.apache.org>
> *Betreff:* Re: ldap config problems with authentication
>
>
>
> Your log is hard to read due to formatting issues :((
>
> Googling `DSID-0C090442` results something about "searching between
> forests" which I don't understand :(
>
>
>
> Admin->LDAP has setting "Add domain to user name"
>
> Do you have it checked? (domain to add should be specified)
>
>
>
> What is your LDAP provider? Is it ADS?
>
>
>
> To make logging more verbose you can
>
> 1) stop OM
>
> 2) add following line to logback-config.xml
>
>  <logger name="org.apache.directory" level="DEBUG" />
>
> 3) restart OM
>
>
>
> According to my previous experience SEARCHANDBIND might work better
>
>
>
>
>
> On Mon, 30 Mar 2020 at 16:31, Rohrbach, Gerald <G....@funkegruppe.de>
> wrote:
>
> Also having LDAP issues:
>
>
>
> It seems not to work.
>
>
>
> Below is the om_ldap.cfg, that is used in the config file:
>
>
>
> ^[[39mDEBUG^[[0;39m 03-30 08:42:26.213 ^[[36mo.a.o.s.q.s.ReminderJob:93
> [Bean#0_Worker-3]^[[0;39m - Rss disabled by Admin
>                                                                                          ^[[39mDEBUG^[[0;39m
> 03-30 08:52:26.214 ^[[36mo.a.o.s.q.s.ReminderJob:93
> [Bean#0_Worker-8]^[[0;39m - Rss disabled by
> Admin
>                                                                       ^[[39mDEBUG^[[0;39m
> 03-30 09:02:26.214 ^[[36mo.a.o.s.q.s.ReminderJob:93
> [Bean#0_Worker-5]^[[0;39m - Rss disabled by
> Admin
>                                                    ^[[39mDEBUG^[[0;39m
> 03-30 09:11:36.412 ^[[36mo.a.o.d.d.s.LdapConfigDao:69
> [io-5443-exec-10]^[[0;39m -
> getActiveLdapConfigs
>                                 ^[[39mDEBUG^[[0;39m 03-30 09:11:36.517
> ^[[36mo.a.o.d.d.s.LdapConfigDao:69 [nio-5443-exec-2]^[[0;39m -
> getActiveLdapConfigs
>              ^[[39mDEBUG^[[0;39m 03-30 09:12:13.115
> ^[[36mo.a.o.c.l.LdapLoginManager:172 [nio-5443-exec-2]^[[0;39m -
> LdapLoginmanager.doLdapLogin
> ^[[1;31mERROR^[[0;39m 03-30 09:12:13.129
> ^[[36mo.a.o.c.l.LdapLoginManager:226 [nio-5443-exec-2]^[[0;39m - Not
> authenticated.
> org.apache.directory.api.ldap.model.exception.LdapAuthenticationException:
> 80090308: LdapErr: DSID-0C090442, comment: AcceptSecurityContext error,
> data 52e,
> v3839^@
> at
> org.apache.directory.api.ldap.model.message.ResultCodeEnum.processResponse(ResultCodeEnum.java:1995)
>
>
>
>
>
>
> What does the LdapLogin Manager message means, was the query user not able
> to connect or was the end user password wrong.
>
> How I can make visible, what the query for the user ist.
>
> It should be in the form user@domain.de , maybe the mapping is just wrong.
>
>
>
>
>
>
>
>
>
>
>
> This is the modified
>
>  ldap_conn_host=DESVR-DC01.firma.de
>
> ldap_conn_port=389
>
> ldap_conn_secure=false
>
>
>
> # Login distinguished name (DN) for Authentication on LDAP Server - keep
> empty if not required
>
> # Use full qualified LDAP DN
>
> ldap_admin_dn=CN=ldapopenmeetings,OU=Users-Service-Accounts,DC=firma,DC=de
>
>
>
> # Loginpass for Authentication on LDAP Server - keep empty if not required
>
> ldap_passwd=#password#
>
>
>
> # base to search for userdata(of user, that wants to login)
>
> ldap_search_base=CN=Users,DC=firma,DC=de
>
>
>
> # Fieldnames (can differ between Ldap servers)
>
> ldap_search_query=(uid=%s)
>
>
>
> # the scope of the search might be: OBJECT, ONELEVEL, SUBTREE
>
> ldap_search_scope=SUBTREE
>
>
>
> # Ldap auth type(NONE, SEARCHANDBIND, SIMPLEBIND)
>
> #  When using SIMPLEBIND a simple bind is performed on the LDAP server to
> check user authentication
>
> #  When using NONE, the Ldap server is not used for authentication
>
> ldap_auth_type=SIMPLEBIND
>
>
>
> # userDN format, will be used to bind if ldap_auth_type=SIMPLEBIND
>
> # might be used to get provisionningDn in case ldap_auth_type=NONE
>
> ldap_userdn_format=uid=%s,CN=Users,DC=firma,DC=de
>
>
>
> # Ldap provisioning type(NONE, AUTOCREATE, AUTOUPDATE)
>
> ldap_provisionning=AUTOCREATE
>
>
>
> # Ldap deref mode (never, searching, finding, always)
>
> ldap_deref_mode=always
>
> ldap_use_admin_to_get_attrs=true
>
>
>
> # Ldap-password synchronization to OM DB
>
> #  Set this to 'true' if you want OM to synchronize the user Ldap-password
> to OM's internal DB
>
> #  If you want to disable the feature, set this to any other string.
>
> #  Defautl value is 'true'
>
> ldap_sync_password_to_om=false
>
>
>
> # Ldap group mode (NONE, ATTRIBUTE, QUERY)
>
> # NONE means group associations will be ignored
>
> # ATTRIBUTE means group associations will be taken from 'ldap_group_attr'
> attribute (M$ AD mode)
>
> # QUERY means group associations will be taken as a result of
> 'ldap_group_query' query
>
> ldap_group_mode=NONE
>
>
>
> ldap_group_query=(&(memberUid=%s)(objectClass=posixGroup))
>
>
>
> # Ldap user attributes mapping
>
> # Set the following internal OM user attributes to their corresponding
> Ldap-attribute
>
>
>
> ldap_user_attr_login=uid
>
> ldap_user_attr_lastname=sn
>
> ldap_user_attr_firstname=givenName
>
> ldap_user_attr_mail=mail
>
> ldap_user_attr_street=streetAddress
>
> ldap_user_attr_additionalname=description
>
> ldap_user_attr_fax=facsimileTelephoneNumber
>
> ldap_user_attr_zip=postalCode
>
> ldap_user_attr_country=co
>
> ldap_user_attr_town=l
>
> ldap_user_attr_phone=telephoneNumber
>
> # optional attribute for user picture
>
> #ldap_user_attr_picture=
>
> ldap_group_attr=memberOf
>
>
>
> # optional, absolute URL will be used as user picture if
> #ldap_user_attr_picture will be empty
>
> #ldap_user_picture_uri=picture_uri
>
>
>
> # optional
>
> # the timezone has to match any timezone available in Java, otherwise the
> timezone defined in the value of
>
> # the conf_key "default.timezone" in OpenMeetings "configurations" table
>
> #ldap_user_timezone=timezone
>
>
>
> # Ldap ignore upper/lower case, convert all input to lower case
>
> ldap_use_lower_case=false
>
>
>
> # Ldap import query, this query should retrieve all LDAP users
>
> ldap_import_query=(objectClass=inetOrgPerson)
>
>
>
>
> --
>
> WBR
> Maxim aka solomax
>
>
>
>
> --
>
> WBR
> Maxim aka solomax
>
>
>
>
> --
>
> WBR
> Maxim aka solomax
>
>
>
>
> --
>
> WBR
> Maxim aka solomax
>
>
>
>
> --
>
> WBR
> Maxim aka solomax
>


-- 
WBR
Maxim aka solomax

AW: ldap config problems with authentication

Posted by "Rohrbach, Gerald" <G....@funkegruppe.de>.
Maxim,

two small questions/ issues.

Is it simply possible to set in the Login the LDAP as default and localDB as option?
So just the other way round?

If we do use LDAP ADS it seems not to work that a user can change his own settings.
If we set LDAP password sync we will run into the password complexity problem.

Can we somewhere switch off the password complexity?
We are using it just internally, so it is no security issue in our case.



Regards

Gerald






Von: Maxim Solodovnik [mailto:solomax666@gmail.com]
Gesendet: Montag, 30. März 2020 15:19
An: Openmeetings user-list <us...@openmeetings.apache.org>
Betreff: Re: ldap config problems with authentication

Just have created test and there is only one user after 2 sign-ins
Can you query DB (something like `select id,login,type,domain_id from om_user where login = your_multiplied_login`) and show here?

On Mon, 30 Mar 2020 at 20:09, Maxim Solodovnik <so...@gmail.com> wrote:


On Mon, 30 Mar 2020 at 20:05, Rohrbach, Gerald <G....@funkegruppe.de> wrote:
Maxim,

I have no problem how the userID is, if user@domain.de or just user.

The problem I have is that every time a user logs in a new account is created.
So if userA logs in 3 times I have userA 3 times in the database.
Probably simple config issue.

This shouldn't work like this
I'll do some tests and will get back


I understood now, that users are created from ADS when a user Logs in.
That’s fine.
Unfortunately the country from ADS does not apply.
In the ADS for the user is Deutschland, but when the user is created this is not picked up.
I would need to know how to set defaults.

Om expects country as 2 letter country code: https://www.iban.com/country-codes
So I guess DE should work



As I had now several users deleted, because duplicate they are marked as purged.
But still shown. How can I get rid of this?

The only way to remove "purged" users is to perform export/import
These users are "ghosts": they don't appear in searches, are unable to login etc.


Gerald




Von: Maxim Solodovnik [mailto:solomax666@gmail.com]
Gesendet: Montag, 30. März 2020 14:37
An: Openmeetings user-list <us...@openmeetings.apache.org>
Betreff: Re: ldap config problems with authentication

Of course I can add simple check "if-login-contains-domain-do-not-add-another-one" but I would prefer to create simulation of real LDAP :)

On Mon, 30 Mar 2020 at 19:31, Maxim Solodovnik <so...@gmail.com> wrote:


On Mon, 30 Mar 2020 at 19:25, Rohrbach, Gerald <G....@funkegruppe.de> wrote:
Maxim,

that was a good hint with the logging.
I think it is just an understanding and config issue.

   SearchRequest
        baseDn : 'CN=Users,DC=company,DC=de'
        filter : '(uid=xxxx@compay.de)'

In ADS uid attribute is not filled. Instead in ADS we need to use UserPrincipalName or something else.

for ADS `samlAccountName` or something like this should be used


So authentication works fine, but every time someone logs in a new user account is created.

It looks like we still have an issue, as the created user login is wrong.
testuser@company.de@company.de

This is the issue
I'm using this
https://github.com/apache/openmeetings/blob/master/openmeetings-web/src/test/resources/schema/users.ldif
Schema for tests
Maybe you can help me to create schema for the case with "suffixed" users?


I hope I get the rest also figured out.


Gerald





Von: Maxim Solodovnik [mailto:solomax666@gmail.com]
Gesendet: Montag, 30. März 2020 11:50
An: Openmeetings user-list <us...@openmeetings.apache.org>
Betreff: Re: ldap config problems with authentication

Your log is hard to read due to formatting issues :((
Googling `DSID-0C090442` results something about "searching between forests" which I don't understand :(

Admin->LDAP has setting "Add domain to user name"
Do you have it checked? (domain to add should be specified)

What is your LDAP provider? Is it ADS?

To make logging more verbose you can
1) stop OM
2) add following line to logback-config.xml
 <logger name="org.apache.directory" level="DEBUG" />
3) restart OM

According to my previous experience SEARCHANDBIND might work better



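Added example (not part of the thread and not OpenMeetings code): it shows, in isolation, how a login typed at the OM login form can be put into the ldap_search_query / ldap_userdn_format templates from the om_ldap.cfg above without letting the user alter the filter or DN syntax, how an "Add domain to user name" rule can avoid the testuser@company.de@company.de double suffix, and what the "data 52e" in the quoted AD error means. The function names, the suffix rule and the sample inputs are this example's own assumptions; the templates and the error text are taken from the messages above.

```python
"""Helpers around the OpenMeetings LDAP settings discussed in the thread.
Assumptions of this example: OM's real code is not reproduced here; the
'Add domain to user name' behaviour is modelled as normalize_login()."""
import re
from typing import Optional

# RFC 4515: characters that change the meaning of a search filter.
_FILTER_ESCAPES = {'\\': r'\5c', '*': r'\2a', '(': r'\28', ')': r'\29', '\x00': r'\00'}
# RFC 4514: characters that must be escaped inside a DN attribute value.
_DN_SPECIALS = set(',+"\\<>;=')


def escape_filter_value(value: str) -> str:
    """A login such as 'a*)(uid=*' must stay a literal value, not filter syntax."""
    return ''.join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def escape_dn_value(value: str) -> str:
    """Escape a value before placing it into a DN template (SIMPLEBIND case)."""
    out = ''.join('\\' + ch if ch in _DN_SPECIALS else ch for ch in value)
    if out.startswith((' ', '#')):
        out = '\\' + out
    if out.endswith(' '):
        out = out[:-1] + '\\ '
    return out


def normalize_login(login: str, add_domain: bool, domain: Optional[str]) -> str:
    """Assumed rule for 'Add domain to user name': append '@domain' only when the
    login is not already qualified, so 'testuser@company.de' is left as it is."""
    login = login.strip()
    if not add_domain or not domain:
        return login
    if '@' in login:
        return login
    return f'{login}@{domain}'


def build_search_filter(template: str, login: str) -> str:
    """Fill the %s of ldap_search_query, e.g. '(uid=%s)', with the escaped login."""
    return template.replace('%s', escape_filter_value(login))


def build_user_dn(template: str, login: str) -> str:
    """Fill the %s of ldap_userdn_format with the escaped login (SIMPLEBIND)."""
    return template.replace('%s', escape_dn_value(login))


# Well-known 'data' values in AD's 'AcceptSecurityContext error' bind failure.
AD_BIND_DATA_CODES = {
    '525': 'user not found',
    '52e': 'invalid credentials (ERROR_LOGON_FAILURE)',
    '530': 'not permitted to logon at this time',
    '531': 'not permitted to logon at this workstation',
    '532': 'password expired',
    '533': 'account disabled',
    '701': 'account expired',
    '773': 'user must reset password',
    '775': 'account locked out',
}
_AD_DATA_RE = re.compile(r'AcceptSecurityContext error, data ([0-9a-fA-F]+)')


def decode_ad_bind_error(message: str) -> Optional[str]:
    """Return 'data <code>: <meaning>' for an AD bind failure message, else None."""
    m = _AD_DATA_RE.search(message)
    if not m:
        return None
    code = m.group(1).lower()
    return f"data {code}: {AD_BIND_DATA_CODES.get(code, 'unknown code')}"


if __name__ == '__main__':
    # Constructed sample input; the error text is the one quoted in the thread.
    log = ('LdapAuthenticationException: 80090308: LdapErr: DSID-0C090442, '
           'comment: AcceptSecurityContext error, data 52e, v3839')
    print(decode_ad_bind_error(log))
    login = normalize_login('testuser@company.de', True, 'company.de')
    print(build_search_filter('(userPrincipalName=%s)', login))
    print(build_user_dn('uid=%s,CN=Users,DC=firma,DC=de', 'o*brien,jr'))
```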
Re: ldap config problems with authentication

Posted by Maxim Solodovnik <so...@gmail.com>.
Just have created test and there is only one user after 2 sign-ins
Can you query DB (something like `select id,login,type,domain_id from
om_user where login = your_multiplied_login`) and show here?

On Mon, 30 Mar 2020 at 20:09, Maxim Solodovnik <so...@gmail.com> wrote:

>
>
> On Mon, 30 Mar 2020 at 20:05, Rohrbach, Gerald <G....@funkegruppe.de>
> wrote:
>
>> Maxim,
>>
>>
>>
>> I have no problem how the userID is, if user@domain.de or just user.
>>
>>
>>
>> The problem I have is that every time a user logs in a new account is
>> created.
>>
>> So if userA logs in 3 times I have userA 3 times in the database.
>>
>> Probably simple config issue.
>>
>
> This shouldn't work like this
> I'll do some tests and will get back
>
>
>>
>>
>> I understood now, that users are created from ADS when a user Logs in.
>>
>> That’s fine.
>>
>> Unfortunately the country from ADS does not apply.
>>
>> In the ADS for the user is Deutschland, but when the user is created this
>> is not picked up.
>>
>> I would need to know how to set defaults.
>>
>
> Om expects country as 2 letter country code:
> https://www.iban.com/country-codes
> So I guess DE should work
>
>
>>
>>
>>
>>
>> As I had now several users deleted, because duplicate they are marked as
>> purged.
>>
>> But still shown. How can I get rid of this?
>>
>
> The only way to remove "purged" users is to perform export/import
> These users are "ghosts" doesn't appear in searches, unable to login etc.
>
>
>>
>>
>> Gerald
>>
>>
>>
>>
>>
>>
>>
>>
>>
>> *Von:* Maxim Solodovnik [mailto:solomax666@gmail.com]
>> *Gesendet:* Montag, 30. März 2020 14:37
>> *An:* Openmeetings user-list <us...@openmeetings.apache.org>
>> *Betreff:* Re: ldap config problems with authentication
>>
>>
>>
>> Of cause I can add simple check
>> "if-login-contains-domain-do-not-add-another-one" but I would prefer to
>> create simulation of real LDAP :)
>>
>>
>>
>> On Mon, 30 Mar 2020 at 19:31, Maxim Solodovnik <so...@gmail.com>
>> wrote:
>>
>>
>>
>>
>>
>> On Mon, 30 Mar 2020 at 19:25, Rohrbach, Gerald <G....@funkegruppe.de>
>> wrote:
>>
>> Maxim,
>>
>>
>>
>> that was a good hint with the logging.
>>
>> I think it is just a understanding and config issue.
>>
>>
>>
>>    SearchRequest
>>
>>         baseDn : 'CN=Users,DC=company,DC=de'
>>
>>         filter : '(uid=xxxx@compay.de)'
>>
>>
>>
>> In ADS uid attribute is not filled. Instead in ADS we need to user
>> UserPrincipalName or something else.
>>
>>
>>
>> for ADS `samlAccountName` or something like this should be used
>>
>>
>>
>>
>>
>> So authentication works fine, but eyery time someone logs in a new user
>> account is created.
>>
>>
>>
>> It  looks like we still have an issue, as the create user login is wrong.
>>
>> testuser@company.de@company.de
>>
>>
>>
>> This is the issue
>>
>> I'm using this
>>
>>
>> https://github.com/apache/openmeetings/blob/master/openmeetings-web/src/test/resources/schema/users.ldif
>>
>> Schema for tests
>>
>> Maybe you can help me to create schema for the case with "suffixed" users?
>>
>>
>>
>>
>>
>> I hope I get the rest also figured out.
>>
>>
>>
>>
>>
>> Gerald
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>> *Von:* Maxim Solodovnik [mailto:solomax666@gmail.com]
>> *Gesendet:* Montag, 30. März 2020 11:50
>> *An:* Openmeetings user-list <us...@openmeetings.apache.org>
>> *Betreff:* Re: ldap config problems with authentication
>>
>>
>>
>> Your log is hard to read due to formatting issues :((
>>
>> Googling `DSID-0C090442` results something about "searching between
>> forests" which I don't understand :(
>>
>>
>>
>> Admin->LDAP has setting "Add domain to user name"
>>
>> Do you have it checked? (domain to add should be specified)
>>
>>
>>
>> What is your LDAP provider? Is it ADS?
>>
>>
>>
>> To make logging more verbose you can
>>
>> 1) stop OM
>>
>> 2) add following line to logback-config.xml
>>
>>  <logger name="org.apache.directory" level="DEBUG" />
>>
>> 3) restart OM
>>
>>
>>
>> According to my previous experience SEARCHANDBIND might work better
>>
>>
>>
>>
>>
>> On Mon, 30 Mar 2020 at 16:31, Rohrbach, Gerald <G....@funkegruppe.de>
>> wrote:
>>
>> Also having LDAP issues:
>>
>>
>>
>> It seems not to work.
>>
>>
>>
>> Below is the om_ldap.cfg, that is used in the config file:
>>
>>
>>
>> ^[[39mDEBUG^[[0;39m 03-30 08:42:26.213 ^[[36mo.a.o.s.q.s.ReminderJob:93
>> [Bean#0_Worker-3]^[[0;39m - Rss disabled by Admin
>>                                                                                          ^[[39mDEBUG^[[0;39m
>> 03-30 08:52:26.214 ^[[36mo.a.o.s.q.s.ReminderJob:93
>> [Bean#0_Worker-8]^[[0;39m - Rss disabled by
>> Admin
>>                                                                       ^[[39mDEBUG^[[0;39m
>> 03-30 09:02:26.214 ^[[36mo.a.o.s.q.s.ReminderJob:93
>> [Bean#0_Worker-5]^[[0;39m - Rss disabled by
>> Admin
>>                                                    ^[[39mDEBUG^[[0;39m
>> 03-30 09:11:36.412 ^[[36mo.a.o.d.d.s.LdapConfigDao:69
>> [io-5443-exec-10]^[[0;39m -
>> getActiveLdapConfigs
>>                                 ^[[39mDEBUG^[[0;39m 03-30 09:11:36.517
>> ^[[36mo.a.o.d.d.s.LdapConfigDao:69 [nio-5443-exec-2]^[[0;39m -
>> getActiveLdapConfigs
>>              ^[[39mDEBUG^[[0;39m 03-30 09:12:13.115
>> ^[[36mo.a.o.c.l.LdapLoginManager:172 [nio-5443-exec-2]^[[0;39m -
>> LdapLoginmanager.doLdapLogin
>> ^[[1;31mERROR^[[0;39m 03-30 09:12:13.129
>> ^[[36mo.a.o.c.l.LdapLoginManager:226 [nio-5443-exec-2]^[[0;39m - Not
>> authenticated.
>> org.apache.directory.api.ldap.model.exception.LdapAuthenticationException:
>> 80090308: LdapErr: DSID-0C090442, comment: AcceptSecurityContext error,
>> data 52e,
>> v3839^@
>> at
>> org.apache.directory.api.ldap.model.message.ResultCodeEnum.processResponse(ResultCodeEnum.java:1995)
>>
>> What does the LdapLogin Manager message mean, was the query user not
>> able to connect or was the end user password wrong?
>>
>> How can I make visible what the query for the user is?
>>
>> It should be in the form user@domain.de, maybe the mapping is just
>> wrong.
>>
>> This is the modified
>>
>> ldap_conn_host=DESVR-DC01.firma.de
>> ldap_conn_port=389
>> ldap_conn_secure=false
>>
>> # Login distinguished name (DN) for Authentication on LDAP Server - keep empty if not required
>> # Use full qualified LDAP DN
>> ldap_admin_dn=CN=ldapopenmeetings,OU=Users-Service-Accounts,DC=firma,DC=de
>>
>> # Loginpass for Authentication on LDAP Server - keep empty if not required
>> ldap_passwd=#password#
>>
>> # base to search for userdata(of user, that wants to login)
>> ldap_search_base=CN=Users,DC=firma,DC=de
>>
>> # Fieldnames (can differ between Ldap servers)
>> ldap_search_query=(uid=%s)
>>
>> # the scope of the search might be: OBJECT, ONELEVEL, SUBTREE
>> ldap_search_scope=SUBTREE
>>
>> # Ldap auth type(NONE, SEARCHANDBIND, SIMPLEBIND)
>> #  When using SIMPLEBIND a simple bind is performed on the LDAP server to check user authentication
>> #  When using NONE, the Ldap server is not used for authentication
>> ldap_auth_type=SIMPLEBIND
>>
>> # userDN format, will be used to bind if ldap_auth_type=SIMPLEBIND
>> # might be used to get provisionningDn in case ldap_auth_type=NONE
>> ldap_userdn_format=uid=%s,CN=Users,DC=firma,DC=de
>>
>> # Ldap provisioning type(NONE, AUTOCREATE, AUTOUPDATE)
>> ldap_provisionning=AUTOCREATE
>>
>> # Ldap deref mode (never, searching, finding, always)
>> ldap_deref_mode=always
>> ldap_use_admin_to_get_attrs=true
>>
>> # Ldap-password synchronization to OM DB
>> #  Set this to 'true' if you want OM to synchronize the user Ldap-password to OM's internal DB
>> #  If you want to disable the feature, set this to any other string.
>> #  Default value is 'true'
>> ldap_sync_password_to_om=false
>>
>> # Ldap group mode (NONE, ATTRIBUTE, QUERY)
>> # NONE means group associations will be ignored
>> # ATTRIBUTE means group associations will be taken from 'ldap_group_attr' attribute (M$ AD mode)
>> # QUERY means group associations will be taken as a result of 'ldap_group_query' query
>> ldap_group_mode=NONE
>>
>> ldap_group_query=(&(memberUid=%s)(objectClass=posixGroup))
>>
>> # Ldap user attributes mapping
>> # Set the following internal OM user attributes to their corresponding Ldap-attribute
>>
>> ldap_user_attr_login=uid
>> ldap_user_attr_lastname=sn
>> ldap_user_attr_firstname=givenName
>> ldap_user_attr_mail=mail
>> ldap_user_attr_street=streetAddress
>> ldap_user_attr_additionalname=description
>> ldap_user_attr_fax=facsimileTelephoneNumber
>> ldap_user_attr_zip=postalCode
>> ldap_user_attr_country=co
>> ldap_user_attr_town=l
>> ldap_user_attr_phone=telephoneNumber
>> # optional attribute for user picture
>> #ldap_user_attr_picture=
>> ldap_group_attr=memberOf
>>
>> # optional, absolute URL will be used as user picture if #ldap_user_attr_picture will be empty
>> #ldap_user_picture_uri=picture_uri
>>
>> # optional
>> # the timezone has to match any timezone available in Java, otherwise the timezone defined in the value of
>> # the conf_key "default.timezone" in OpenMeetings "configurations" table
>> #ldap_user_timezone=timezone
>>
>> # Ldap ignore upper/lower case, convert all input to lower case
>> ldap_use_lower_case=false
>>
>> # Ldap import query, this query should retrieve all LDAP users
>> ldap_import_query=(objectClass=inetOrgPerson)
>>
>> --
>> WBR
>> Maxim aka solomax
>>
>
>
> --
> WBR
> Maxim aka solomax
>


-- 
WBR
Maxim aka solomax

Re: ldap config problems with authentication

Posted by Maxim Solodovnik <so...@gmail.com>.
On Mon, 30 Mar 2020 at 20:05, Rohrbach, Gerald <G....@funkegruppe.de>
wrote:

> Maxim,
>
> I have no problem how the userID is, if user@domain.de or just user.
>
> The problem I have is that every time a user logs in a new account is
> created.
> So if userA logs in 3 times I have userA 3 times in the database.
> Probably simple config issue.
>

This shouldn't work like this
I'll do some tests and will get back


>
> I understood now, that users are created from ADS when a user logs in.
> That's fine.
> Unfortunately the country from ADS does not apply.
> In the ADS for the user is Deutschland, but when the user is created this
> is not picked up.
> I would need to know how to set defaults.
>

Om expects country as 2 letter country code:
https://www.iban.com/country-codes
So I guess DE should work


>
> As I had now several users deleted, because duplicate they are marked as
> purged.
> But still shown. How can I get rid of this?
>

The only way to remove "purged" users is to perform export/import.
These users are "ghosts": they don't appear in searches, are unable to login etc.


>
> Gerald
>
> *From:* Maxim Solodovnik [mailto:solomax666@gmail.com]
> *Sent:* Monday, 30 March 2020 14:37
> *To:* Openmeetings user-list <us...@openmeetings.apache.org>
> *Subject:* Re: ldap config problems with authentication
>
> Of course I can add simple check
> "if-login-contains-domain-do-not-add-another-one" but I would prefer to
> create simulation of real LDAP :)
>
> On Mon, 30 Mar 2020 at 19:31, Maxim Solodovnik <so...@gmail.com>
> wrote:
>
> On Mon, 30 Mar 2020 at 19:25, Rohrbach, Gerald <G....@funkegruppe.de>
> wrote:
>
> Maxim,
>
> that was a good hint with the logging.
> I think it is just an understanding and config issue.
>
>    SearchRequest
>         baseDn : 'CN=Users,DC=company,DC=de'
>         filter : '(uid=xxxx@compay.de)'
>
> In ADS uid attribute is not filled. Instead in ADS we need to use
> UserPrincipalName or something else.
>
> for ADS `samlAccountName` or something like this should be used
>
> So authentication works fine, but every time someone logs in a new user
> account is created.
>
> It looks like we still have an issue, as the created user login is wrong.
> testuser@company.de@company.de
>
> This is the issue
> I'm using this
>
> https://github.com/apache/openmeetings/blob/master/openmeetings-web/src/test/resources/schema/users.ldif
>
> Schema for tests
>
> Maybe you can help me to create schema for the case with "suffixed" users?
>
> I hope I get the rest also figured out.
>
> Gerald
>
> *From:* Maxim Solodovnik [mailto:solomax666@gmail.com]
> *Sent:* Monday, 30 March 2020 11:50
> *To:* Openmeetings user-list <us...@openmeetings.apache.org>
> *Subject:* Re: ldap config problems with authentication
>
>
> Your log is hard to read due to formatting issues :((
> Googling `DSID-0C090442` results in something about "searching between
> forests" which I don't understand :(
>
> Admin->LDAP has setting "Add domain to user name"
> Do you have it checked? (domain to add should be specified)
>
> What is your LDAP provider? Is it ADS?
>
> To make logging more verbose you can
> 1) stop OM
> 2) add following line to logback-config.xml
>  <logger name="org.apache.directory" level="DEBUG" />
> 3) restart OM
>
> According to my previous experience SEARCHANDBIND might work better
>
> On Mon, 30 Mar 2020 at 16:31, Rohrbach, Gerald <G....@funkegruppe.de>
> wrote:
>
> Also having LDAP issues:
>
> It seems not to work.
>
> Below is the om_ldap.cfg that is used in the config file:
>
> DEBUG 03-30 08:42:26.213 o.a.o.s.q.s.ReminderJob:93 [Bean#0_Worker-3] - Rss disabled by Admin
> DEBUG 03-30 08:52:26.214 o.a.o.s.q.s.ReminderJob:93 [Bean#0_Worker-8] - Rss disabled by Admin
> DEBUG 03-30 09:02:26.214 o.a.o.s.q.s.ReminderJob:93 [Bean#0_Worker-5] - Rss disabled by Admin
> DEBUG 03-30 09:11:36.412 o.a.o.d.d.s.LdapConfigDao:69 [io-5443-exec-10] - getActiveLdapConfigs
> DEBUG 03-30 09:11:36.517 o.a.o.d.d.s.LdapConfigDao:69 [nio-5443-exec-2] - getActiveLdapConfigs
> DEBUG 03-30 09:12:13.115 o.a.o.c.l.LdapLoginManager:172 [nio-5443-exec-2] - LdapLoginmanager.doLdapLogin
> ERROR 03-30 09:12:13.129 o.a.o.c.l.LdapLoginManager:226 [nio-5443-exec-2] - Not authenticated.
> org.apache.directory.api.ldap.model.exception.LdapAuthenticationException: 80090308: LdapErr: DSID-0C090442, comment: AcceptSecurityContext error, data 52e, v3839
>     at org.apache.directory.api.ldap.model.message.ResultCodeEnum.processResponse(ResultCodeEnum.java:1995)
>
> What does the LdapLogin Manager message mean, was the query user not able
> to connect or was the end user password wrong?
> How can I make visible what the query for the user is?
> It should be in the form user@domain.de, maybe the mapping is just wrong.
>
> This is the modified
>
> ldap_conn_host=DESVR-DC01.firma.de
> ldap_conn_port=389
> ldap_conn_secure=false
>
> # Login distinguished name (DN) for Authentication on LDAP Server - keep empty if not required
> # Use full qualified LDAP DN
> ldap_admin_dn=CN=ldapopenmeetings,OU=Users-Service-Accounts,DC=firma,DC=de
>
> # Loginpass for Authentication on LDAP Server - keep empty if not required
> ldap_passwd=#password#
>
> # base to search for userdata(of user, that wants to login)
> ldap_search_base=CN=Users,DC=firma,DC=de
>
> # Fieldnames (can differ between Ldap servers)
> ldap_search_query=(uid=%s)
>
> # the scope of the search might be: OBJECT, ONELEVEL, SUBTREE
> ldap_search_scope=SUBTREE
>
> # Ldap auth type(NONE, SEARCHANDBIND, SIMPLEBIND)
> #  When using SIMPLEBIND a simple bind is performed on the LDAP server to check user authentication
> #  When using NONE, the Ldap server is not used for authentication
> ldap_auth_type=SIMPLEBIND
>
> # userDN format, will be used to bind if ldap_auth_type=SIMPLEBIND
> # might be used to get provisionningDn in case ldap_auth_type=NONE
> ldap_userdn_format=uid=%s,CN=Users,DC=firma,DC=de
>
> # Ldap provisioning type(NONE, AUTOCREATE, AUTOUPDATE)
> ldap_provisionning=AUTOCREATE
>
> # Ldap deref mode (never, searching, finding, always)
> ldap_deref_mode=always
> ldap_use_admin_to_get_attrs=true
>
> # Ldap-password synchronization to OM DB
> #  Set this to 'true' if you want OM to synchronize the user Ldap-password to OM's internal DB
> #  If you want to disable the feature, set this to any other string.
> #  Default value is 'true'
> ldap_sync_password_to_om=false
>
> # Ldap group mode (NONE, ATTRIBUTE, QUERY)
> # NONE means group associations will be ignored
> # ATTRIBUTE means group associations will be taken from 'ldap_group_attr' attribute (M$ AD mode)
> # QUERY means group associations will be taken as a result of 'ldap_group_query' query
> ldap_group_mode=NONE
>
> ldap_group_query=(&(memberUid=%s)(objectClass=posixGroup))
>
> # Ldap user attributes mapping
> # Set the following internal OM user attributes to their corresponding Ldap-attribute
>
> ldap_user_attr_login=uid
> ldap_user_attr_lastname=sn
> ldap_user_attr_firstname=givenName
> ldap_user_attr_mail=mail
> ldap_user_attr_street=streetAddress
> ldap_user_attr_additionalname=description
> ldap_user_attr_fax=facsimileTelephoneNumber
> ldap_user_attr_zip=postalCode
> ldap_user_attr_country=co
> ldap_user_attr_town=l
> ldap_user_attr_phone=telephoneNumber
> # optional attribute for user picture
> #ldap_user_attr_picture=
> ldap_group_attr=memberOf
>
> # optional, absolute URL will be used as user picture if #ldap_user_attr_picture will be empty
> #ldap_user_picture_uri=picture_uri
>
> # optional
> # the timezone has to match any timezone available in Java, otherwise the timezone defined in the value of
> # the conf_key "default.timezone" in OpenMeetings "configurations" table
> #ldap_user_timezone=timezone
>
> # Ldap ignore upper/lower case, convert all input to lower case
> ldap_use_lower_case=false
>
> # Ldap import query, this query should retrieve all LDAP users
> ldap_import_query=(objectClass=inetOrgPerson)
>
> --
> WBR
> Maxim aka solomax
>


-- 
WBR
Maxim aka solomax
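Gerald's question in the quoted mail (what the "Not authenticated" exception means, and which bind it refers to) as an added example, not part of the thread or of OpenMeetings: the script strips the terminal colour codes that garbled the posted log, regroups each log line with its stack-trace continuation, and decodes the Active Directory `data` sub-code of the bind failure. The sample log is constructed from the lines quoted above; the sub-code table is AD's documented set of bind-failure reasons.

```python
import re
from typing import Dict, List, Optional

# Constructed sample: the log lines quoted in the thread, with the terminal
# colour codes (ESC [ ... m) that garbled the original mail left in place.
SAMPLE_LOG = (
    "\x1b[39mDEBUG\x1b[0;39m 03-30 09:11:36.517 \x1b[36mo.a.o.d.d.s.LdapConfigDao:69 "
    "[nio-5443-exec-2]\x1b[0;39m - getActiveLdapConfigs\n"
    "\x1b[39mDEBUG\x1b[0;39m 03-30 09:12:13.115 \x1b[36mo.a.o.c.l.LdapLoginManager:172 "
    "[nio-5443-exec-2]\x1b[0;39m - LdapLoginmanager.doLdapLogin\n"
    "\x1b[1;31mERROR\x1b[0;39m 03-30 09:12:13.129 \x1b[36mo.a.o.c.l.LdapLoginManager:226 "
    "[nio-5443-exec-2]\x1b[0;39m - Not authenticated.\n"
    "org.apache.directory.api.ldap.model.exception.LdapAuthenticationException: "
    "80090308: LdapErr: DSID-0C090442, comment: AcceptSecurityContext error, data 52e, v3839\n"
    "\tat org.apache.directory.api.ldap.model.message.ResultCodeEnum.processResponse"
    "(ResultCodeEnum.java:1995)\n"
)

ANSI_RE = re.compile(r"\x1b\[[0-9;]*m")
# Layout of the lines above: LEVEL MM-dd HH:mm:ss.SSS logger:line [thread] - message
OM_LINE_RE = re.compile(
    r"^(?P<level>[A-Z]+) (?P<ts>\d\d-\d\d \d\d:\d\d:\d\d\.\d+) "
    r"(?P<logger>\S+) \[(?P<thread>[^\]]+)\] - (?P<msg>.*)$"
)
# Active Directory rejects a bind with resultCode 49 (invalidCredentials) and
# puts the real reason in the "data" sub-code of the diagnostic comment; the
# 80090308 prefix is identical for all of them, so only "data" is informative.
AD_ERR_RE = re.compile(
    r"LdapErr: (?P<dsid>DSID-[0-9A-Fa-f]+), comment: (?P<comment>[^,]+), "
    r"data (?P<data>[0-9A-Fa-f]+)"
)
AD_BIND_DATA_CODES = {
    "525": "user not found (bind name does not resolve to an account)",
    "52e": "invalid credentials (account exists, password did not match)",
    "530": "not permitted to logon at this time",
    "531": "not permitted to logon at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}


def parse_om_log(text: str) -> List[Dict[str, str]]:
    """Strip colour codes and group each log line with its stack-trace continuation."""
    records: List[Dict[str, str]] = []
    for raw in ANSI_RE.sub("", text).splitlines():
        m = OM_LINE_RE.match(raw)
        if m:
            rec = m.groupdict()
            rec["detail"] = ""
            records.append(rec)
        elif records:
            # exception and "at ..." lines belong to the preceding log record
            records[-1]["detail"] += raw.strip() + "\n"
    return records


def decode_ad_bind_error(detail: str) -> Optional[Dict[str, str]]:
    """Pull the AD diagnostic out of an LdapAuthenticationException message."""
    m = AD_ERR_RE.search(detail)
    if not m:
        return None
    data = m.group("data").lower()
    return {
        "dsid": m.group("dsid"),
        "comment": m.group("comment"),
        "data": data,
        "meaning": AD_BIND_DATA_CODES.get(data, "unknown sub-code"),
    }


def explain_failed_logins(text: str) -> List[str]:
    """One readable line per ERROR record that carries an AD bind diagnostic."""
    out = []
    for rec in parse_om_log(text):
        if rec["level"] != "ERROR":
            continue
        info = decode_ad_bind_error(rec["detail"])
        if info is None:
            out.append(f"{rec['ts']} {rec['logger']}: {rec['msg']} (no AD diagnostic)")
        else:
            out.append(f"{rec['ts']} {rec['logger']}: bind rejected, "
                       f"data {info['data']} = {info['meaning']}")
    return out


if __name__ == "__main__":
    for line in explain_failed_logins(SAMPLE_LOG):
        print(line)
```

The sub-code says why a bind was rejected but not whose bind it was (the service account in `ldap_admin_dn` or the end user); that is what the `org.apache.directory` DEBUG logging suggested in the thread is for, since it shows the requests actually sent.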

Re: ldap config problems with authentication

Posted by "Rohrbach, Gerald" <G....@funkegruppe.de>.
Maxim,

I have no problem how the userID is, if user@domain.de or just user.

The problem I have is that every time a user logs in a new account is created.
So if userA logs in 3 times I have userA 3 times in the database.
Probably simple config issue.

I understood now, that users are created from ADS when a user Logs in.
That’s fine.
Unfortunately the country from ADS does not apply.
In the ADS for the user is Deutschland, but when the user is created this is not picked up.
I would need to know how to set defaults.


As I had now several users deleted, because duplicate they are marked as purged.
But still shown. How can I get rid of this?

Gerald

From: Maxim Solodovnik [mailto:solomax666@gmail.com]
Sent: Monday, 30 March 2020 14:37
To: Openmeetings user-list <us...@openmeetings.apache.org>
Subject: Re: ldap config problems with authentication

Of course I can add simple check "if-login-contains-domain-do-not-add-another-one" but I would prefer to create simulation of real LDAP :)

On Mon, 30 Mar 2020 at 19:31, Maxim Solodovnik <so...@gmail.com> wrote:

On Mon, 30 Mar 2020 at 19:25, Rohrbach, Gerald <G....@funkegruppe.de> wrote:
Maxim,

that was a good hint with the logging.
I think it is just an understanding and config issue.

   SearchRequest
        baseDn : 'CN=Users,DC=company,DC=de'
        filter : '(uid=xxxx@compay.de)'

In ADS uid attribute is not filled. Instead in ADS we need to use UserPrincipalName or something else.

for ADS `samlAccountName` or something like this should be used


So authentication works fine, but every time someone logs in a new user account is created.

It looks like we still have an issue, as the created user login is wrong.
testuser@company.de@company.de

This is the issue
I'm using this
https://github.com/apache/openmeetings/blob/master/openmeetings-web/src/test/resources/schema/users.ldif
Schema for tests
Maybe you can help me to create schema for the case with "suffixed" users?


I hope I get the rest also figured out.


Gerald

From: Maxim Solodovnik [mailto:solomax666@gmail.com]
Sent: Monday, 30 March 2020 11:50
To: Openmeetings user-list <us...@openmeetings.apache.org>
Subject: Re: ldap config problems with authentication

Your log is hard to read due to formatting issues :((
Googling `DSID-0C090442` results in something about "searching between forests" which I don't understand :(

Admin->LDAP has setting "Add domain to user name"
Do you have it checked? (domain to add should be specified)

What is your LDAP provider? Is it ADS?

To make logging more verbose you can
1) stop OM
2) add following line to logback-config.xml
 <logger name="org.apache.directory" level="DEBUG" />
3) restart OM

According to my previous experience SEARCHANDBIND might work better


On Mon, 30 Mar 2020 at 16:31, Rohrbach, Gerald <G....@funkegruppe.de> wrote:
Also having LDAP issues:

It seems not to work.

Below is the om_ldap.cfg that is used in the config file:

DEBUG 03-30 08:42:26.213 o.a.o.s.q.s.ReminderJob:93 [Bean#0_Worker-3] - Rss disabled by Admin
DEBUG 03-30 08:52:26.214 o.a.o.s.q.s.ReminderJob:93 [Bean#0_Worker-8] - Rss disabled by Admin
DEBUG 03-30 09:02:26.214 o.a.o.s.q.s.ReminderJob:93 [Bean#0_Worker-5] - Rss disabled by Admin
DEBUG 03-30 09:11:36.412 o.a.o.d.d.s.LdapConfigDao:69 [io-5443-exec-10] - getActiveLdapConfigs
DEBUG 03-30 09:11:36.517 o.a.o.d.d.s.LdapConfigDao:69 [nio-5443-exec-2] - getActiveLdapConfigs
DEBUG 03-30 09:12:13.115 o.a.o.c.l.LdapLoginManager:172 [nio-5443-exec-2] - LdapLoginmanager.doLdapLogin
ERROR 03-30 09:12:13.129 o.a.o.c.l.LdapLoginManager:226 [nio-5443-exec-2] - Not authenticated.
org.apache.directory.api.ldap.model.exception.LdapAuthenticationException: 80090308: LdapErr: DSID-0C090442, comment: AcceptSecurityContext error, data 52e, v3839
    at org.apache.directory.api.ldap.model.message.ResultCodeEnum.processResponse(ResultCodeEnum.java:1995)


What does the LdapLogin Manager message mean, was the query user not able to connect or was the end user password wrong?
How can I make visible what the query for the user is?
It should be in the form user@domain.de, maybe the mapping is just wrong.

This is the modified
ldap_conn_host=DESVR-DC01.firma.de
ldap_conn_port=389
ldap_conn_secure=false

# Login distinguished name (DN) for Authentication on LDAP Server - keep empty if not required
# Use full qualified LDAP DN
ldap_admin_dn=CN=ldapopenmeetings,OU=Users-Service-Accounts,DC=firma,DC=de

# Loginpass for Authentication on LDAP Server - keep empty if not required
ldap_passwd=#password#

# base to search for userdata(of user, that wants to login)
ldap_search_base=CN=Users,DC=firma,DC=de

# Fieldnames (can differ between Ldap servers)
ldap_search_query=(uid=%s)

# the scope of the search might be: OBJECT, ONELEVEL, SUBTREE
ldap_search_scope=SUBTREE

# Ldap auth type(NONE, SEARCHANDBIND, SIMPLEBIND)
#  When using SIMPLEBIND a simple bind is performed on the LDAP server to check user authentication
#  When using NONE, the Ldap server is not used for authentication
ldap_auth_type=SIMPLEBIND

# userDN format, will be used to bind if ldap_auth_type=SIMPLEBIND
# might be used to get provisionningDn in case ldap_auth_type=NONE
ldap_userdn_format=uid=%s,CN=Users,DC=firma,DC=de

# Ldap provisioning type(NONE, AUTOCREATE, AUTOUPDATE)
ldap_provisionning=AUTOCREATE

# Ldap deref mode (never, searching, finding, always)
ldap_deref_mode=always
ldap_use_admin_to_get_attrs=true

# Ldap-password synchronization to OM DB
#  Set this to 'true' if you want OM to synchronize the user Ldap-password to OM's internal DB
#  If you want to disable the feature, set this to any other string.
#  Default value is 'true'
ldap_sync_password_to_om=false

# Ldap group mode (NONE, ATTRIBUTE, QUERY)
# NONE means group associations will be ignored
# ATTRIBUTE means group associations will be taken from 'ldap_group_attr' attribute (M$ AD mode)
# QUERY means group associations will be taken as a result of 'ldap_group_query' query
ldap_group_mode=NONE

ldap_group_query=(&(memberUid=%s)(objectClass=posixGroup))

# Ldap user attributes mapping
# Set the following internal OM user attributes to their corresponding Ldap-attribute

ldap_user_attr_login=uid
ldap_user_attr_lastname=sn
ldap_user_attr_firstname=givenName
ldap_user_attr_mail=mail
ldap_user_attr_street=streetAddress
ldap_user_attr_additionalname=description
ldap_user_attr_fax=facsimileTelephoneNumber
ldap_user_attr_zip=postalCode
ldap_user_attr_country=co
ldap_user_attr_town=l
ldap_user_attr_phone=telephoneNumber
# optional attribute for user picture
#ldap_user_attr_picture=
ldap_group_attr=memberOf

# optional, absolute URL will be used as user picture if #ldap_user_attr_picture will be empty
#ldap_user_picture_uri=picture_uri

# optional
# the timezone has to match any timezone available in Java, otherwise the timezone defined in the value of
# the conf_key "default.timezone" in OpenMeetings "configurations" table
#ldap_user_timezone=timezone

# Ldap ignore upper/lower case, convert all input to lower case
ldap_use_lower_case=false

# Ldap import query, this query should retrieve all LDAP users
ldap_import_query=(objectClass=inetOrgPerson)


--
WBR
Maxim aka solomax

Re: ldap config problems with authentication

Posted by Maxim Solodovnik <so...@gmail.com>.
Of course I can add simple check
"if-login-contains-domain-do-not-add-another-one" but I would prefer to
create simulation of real LDAP :)

On Mon, 30 Mar 2020 at 19:31, Maxim Solodovnik <so...@gmail.com> wrote:

>
>
> On Mon, 30 Mar 2020 at 19:25, Rohrbach, Gerald <G....@funkegruppe.de>
> wrote:
>
>> Maxim,
>>
>> that was a good hint with the logging.
>> I think it is just an understanding and config issue.
>>
>>    SearchRequest
>>         baseDn : 'CN=Users,DC=company,DC=de'
>>         filter : '(uid=xxxx@compay.de)'
>>
>> In ADS uid attribute is not filled. Instead in ADS we need to use
>> UserPrincipalName or something else.
>>
>
> for ADS `samlAccountName` or something like this should be used
>
>
>>
>> So authentication works fine, but every time someone logs in a new user
>> account is created.
>>
>> It looks like we still have an issue, as the created user login is wrong.
>> testuser@company.de@company.de
>>
>
> This is the issue
> I'm using this
>
> https://github.com/apache/openmeetings/blob/master/openmeetings-web/src/test/resources/schema/users.ldif
> Schema for tests
> Maybe you can help me to create schema for the case with "suffixed" users?
>
>
>>
>> I hope I get the rest also figured out.
>>
>> Gerald
>>
>> *From:* Maxim Solodovnik [mailto:solomax666@gmail.com]
>> *Sent:* Monday, 30 March 2020 11:50
>> *To:* Openmeetings user-list <us...@openmeetings.apache.org>
>> *Subject:* Re: ldap config problems with authentication
>>
>> Your log is hard to read due to formatting issues :((
>> Googling `DSID-0C090442` results in something about "searching between
>> forests" which I don't understand :(
>>
>> Admin->LDAP has setting "Add domain to user name"
>> Do you have it checked? (domain to add should be specified)
>>
>> What is your LDAP provider? Is it ADS?
>>
>> To make logging more verbose you can
>> 1) stop OM
>> 2) add following line to logback-config.xml
>>  <logger name="org.apache.directory" level="DEBUG" />
>> 3) restart OM
>>
>> According to my previous experience SEARCHANDBIND might work better
>>
>> On Mon, 30 Mar 2020 at 16:31, Rohrbach, Gerald <G....@funkegruppe.de>
>> wrote:
>>
>> Also having LDAP issues:
>>
>> It seems not to work.
>>
>> Below is the om_ldap.cfg that is used in the config file:
>>
>> DEBUG 03-30 08:42:26.213 o.a.o.s.q.s.ReminderJob:93 [Bean#0_Worker-3] - Rss disabled by Admin
>> DEBUG 03-30 08:52:26.214 o.a.o.s.q.s.ReminderJob:93 [Bean#0_Worker-8] - Rss disabled by Admin
>> DEBUG 03-30 09:02:26.214 o.a.o.s.q.s.ReminderJob:93 [Bean#0_Worker-5] - Rss disabled by Admin
>> DEBUG 03-30 09:11:36.412 o.a.o.d.d.s.LdapConfigDao:69 [io-5443-exec-10] - getActiveLdapConfigs
>> DEBUG 03-30 09:11:36.517 o.a.o.d.d.s.LdapConfigDao:69 [nio-5443-exec-2] - getActiveLdapConfigs
>> DEBUG 03-30 09:12:13.115 o.a.o.c.l.LdapLoginManager:172 [nio-5443-exec-2] - LdapLoginmanager.doLdapLogin
>> ERROR 03-30 09:12:13.129 o.a.o.c.l.LdapLoginManager:226 [nio-5443-exec-2] - Not authenticated.
>> org.apache.directory.api.ldap.model.exception.LdapAuthenticationException: 80090308: LdapErr: DSID-0C090442, comment: AcceptSecurityContext error, data 52e, v3839
>>     at org.apache.directory.api.ldap.model.message.ResultCodeEnum.processResponse(ResultCodeEnum.java:1995)
>>
>> What does the LdapLogin Manager message mean, was the query user not
>> able to connect or was the end user password wrong?
>>
>> How can I make visible what the query for the user is?
>>
>> It should be in the form user@domain.de, maybe the mapping is just
>> wrong.
>>
>> This is the modified
>>
>> ldap_conn_host=DESVR-DC01.firma.de
>> ldap_conn_port=389
>> ldap_conn_secure=false
>>
>> # Login distinguished name (DN) for Authentication on LDAP Server - keep empty if not required
>> # Use full qualified LDAP DN
>> ldap_admin_dn=CN=ldapopenmeetings,OU=Users-Service-Accounts,DC=firma,DC=de
>>
>> # Loginpass for Authentication on LDAP Server - keep empty if not required
>> ldap_passwd=#password#
>>
>> # base to search for userdata(of user, that wants to login)
>> ldap_search_base=CN=Users,DC=firma,DC=de
>>
>> # Fieldnames (can differ between Ldap servers)
>> ldap_search_query=(uid=%s)
>>
>> # the scope of the search might be: OBJECT, ONELEVEL, SUBTREE
>> ldap_search_scope=SUBTREE
>>
>> # Ldap auth type(NONE, SEARCHANDBIND, SIMPLEBIND)
>> #  When using SIMPLEBIND a simple bind is performed on the LDAP server to check user authentication
>> #  When using NONE, the Ldap server is not used for authentication
>> ldap_auth_type=SIMPLEBIND
>>
>> # userDN format, will be used to bind if ldap_auth_type=SIMPLEBIND
>> # might be used to get provisionningDn in case ldap_auth_type=NONE
>> ldap_userdn_format=uid=%s,CN=Users,DC=firma,DC=de
>>
>> # Ldap provisioning type(NONE, AUTOCREATE, AUTOUPDATE)
>> ldap_provisionning=AUTOCREATE
>>
>> # Ldap deref mode (never, searching, finding, always)
>> ldap_deref_mode=always
>> ldap_use_admin_to_get_attrs=true
>>
>> # Ldap-password synchronization to OM DB
>> #  Set this to 'true' if you want OM to synchronize the user Ldap-password to OM's internal DB
>> #  If you want to disable the feature, set this to any other string.
>> #  Default value is 'true'
>> ldap_sync_password_to_om=false
>>
>> # Ldap group mode (NONE, ATTRIBUTE, QUERY)
>> # NONE means group associations will be ignored
>> # ATTRIBUTE means group associations will be taken from 'ldap_group_attr' attribute (M$ AD mode)
>> # QUERY means group associations will be taken as a result of 'ldap_group_query' query
>> ldap_group_mode=NONE
>>
>> ldap_group_query=(&(memberUid=%s)(objectClass=posixGroup))
>>
>> # Ldap user attributes mapping
>> # Set the following internal OM user attributes to their corresponding Ldap-attribute
>>
>> ldap_user_attr_login=uid
>> ldap_user_attr_lastname=sn
>> ldap_user_attr_firstname=givenName
>> ldap_user_attr_mail=mail
>> ldap_user_attr_street=streetAddress
>> ldap_user_attr_additionalname=description
>> ldap_user_attr_fax=facsimileTelephoneNumber
>> ldap_user_attr_zip=postalCode
>> ldap_user_attr_country=co
>> ldap_user_attr_town=l
>> ldap_user_attr_phone=telephoneNumber
>> # optional attribute for user picture
>> #ldap_user_attr_picture=
>> ldap_group_attr=memberOf
>>
>> # optional, absolute URL will be used as user picture if #ldap_user_attr_picture will be empty
>> #ldap_user_picture_uri=picture_uri
>>
>> # optional
>> # the timezone has to match any timezone available in Java, otherwise the timezone defined in the value of
>> # the conf_key "default.timezone" in OpenMeetings "configurations" table
>> #ldap_user_timezone=timezone
>>
>> # Ldap ignore upper/lower case, convert all input to lower case
>> ldap_use_lower_case=false
>>
>> # Ldap import query, this query should retrieve all LDAP users
>> ldap_import_query=(objectClass=inetOrgPerson)
>>
>> --
>>
>> WBR
>> Maxim aka solomax
>>
>
>
> --
> WBR
> Maxim aka solomax
>


-- 
WBR
Maxim aka solomax
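An added illustration (not OpenMeetings code) of the two points in this post: the idempotent "add domain only if the login does not already carry it" check Maxim mentions, and what the `%s` substitution in `ldap_userdn_format` and `ldap_search_query` actually sends for a given login. The config values are the ones from the om_ldap.cfg quoted in the thread; the AD variant with `userPrincipalName`, the `company.de` domain and the assumption that the user-data search runs in both auth modes are mine, and the login is escaped before substitution because it is user-supplied.

```python
from typing import Dict

# Values copied from the om_ldap.cfg quoted in the thread (SIMPLEBIND with a
# uid-based DN template). Nothing here contacts a directory; the functions only
# build the strings a login attempt would send.
CFG_AS_POSTED = {
    "ldap_auth_type": "SIMPLEBIND",
    "ldap_search_base": "CN=Users,DC=firma,DC=de",
    "ldap_search_query": "(uid=%s)",
    "ldap_userdn_format": "uid=%s,CN=Users,DC=firma,DC=de",
}
# Assumed AD variant: the thread only says uid is empty in AD and that
# UserPrincipalName or sAMAccountName should be used, and that SEARCHANDBIND
# tends to work better.
CFG_FOR_AD = {
    "ldap_auth_type": "SEARCHANDBIND",
    "ldap_search_base": "CN=Users,DC=firma,DC=de",
    "ldap_search_query": "(userPrincipalName=%s)",
    "ldap_userdn_format": "",
}

_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
_DN_SPECIAL = set(',+"\\<>;')


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value spliced into ldap_search_query via %s."""
    return "".join(_FILTER_ESCAPES.get(c, c) for c in value)


def escape_dn_value(value: str) -> str:
    """RFC 4514 escaping for a value spliced into ldap_userdn_format via %s."""
    out = []
    last = len(value) - 1
    for i, c in enumerate(value):
        if c in _DN_SPECIAL or (i == 0 and c in " #") or (i == last and c == " "):
            out.append("\\" + c)
        else:
            out.append(c)
    return "".join(out)


def add_domain(login: str, domain: str) -> str:
    """'Add domain to user name', made idempotent: a login that already ends in
    @domain is returned unchanged instead of becoming user@domain@domain."""
    if login.lower().endswith("@" + domain.lower()):
        return login
    return f"{login}@{domain}"


def plan_login(cfg: Dict[str, str], login: str, domain: str = "",
               add_domain_flag: bool = False) -> Dict[str, str]:
    """Describe what one login attempt would send under the given config."""
    name = add_domain(login, domain) if add_domain_flag and domain else login
    plan = {
        "login": name,
        "auth_type": cfg["ldap_auth_type"],
        "search_base": cfg["ldap_search_base"],
        # assumption: the user-data search runs in both modes; in SEARCHANDBIND
        # it is also what locates the entry whose DN is then bound
        "search_filter": cfg["ldap_search_query"].replace("%s", escape_filter_value(name)),
    }
    if cfg["ldap_auth_type"] == "SIMPLEBIND":
        # the DN template is filled with the login and bound directly
        plan["bind_dn"] = cfg["ldap_userdn_format"].replace("%s", escape_dn_value(name))
    elif cfg["ldap_auth_type"] == "SEARCHANDBIND":
        plan["bind_dn"] = "<DN of the entry the search returns>"
    return plan


if __name__ == "__main__":
    # the duplicated-suffix case from the thread, and the assumed AD setup
    print(plan_login(CFG_AS_POSTED, "testuser@company.de", "company.de", True))
    print(plan_login(CFG_FOR_AD, "testuser", "company.de", True))
```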

Re: ldap config problems with authentication

Posted by Maxim Solodovnik <so...@gmail.com>.
On Mon, 30 Mar 2020 at 19:25, Rohrbach, Gerald <G....@funkegruppe.de>
wrote:

> Maxim,
>
> that was a good hint with the logging.
> I think it is just an understanding and config issue.
>
>    SearchRequest
>         baseDn : 'CN=Users,DC=company,DC=de'
>         filter : '(uid=xxxx@compay.de)'
>
> In ADS uid attribute is not filled. Instead in ADS we need to use
> UserPrincipalName or something else.
>

for ADS `samlAccountName` or something like this should be used


>
> So authentication works fine, but every time someone logs in a new user
> account is created.
>
> It looks like we still have an issue, as the created user login is wrong.
> testuser@company.de@company.de
>

This is the issue
I'm using this
https://github.com/apache/openmeetings/blob/master/openmeetings-web/src/test/resources/schema/users.ldif
Schema for tests
Maybe you can help me to create schema for the case with "suffixed" users?


>
> I hope I get the rest also figured out.
>
> Gerald
>
> *From:* Maxim Solodovnik [mailto:solomax666@gmail.com]
> *Sent:* Monday, 30 March 2020 11:50
> *To:* Openmeetings user-list <us...@openmeetings.apache.org>
> *Subject:* Re: ldap config problems with authentication
>
> Your log is hard to read due to formatting issues :((
> Googling `DSID-0C090442` results in something about "searching between
> forests" which I don't understand :(
>
> Admin->LDAP has setting "Add domain to user name"
> Do you have it checked? (domain to add should be specified)
>
> What is your LDAP provider? Is it ADS?
>
> To make logging more verbose you can
> 1) stop OM
> 2) add following line to logback-config.xml
>  <logger name="org.apache.directory" level="DEBUG" />
> 3) restart OM
>
> According to my previous experience SEARCHANDBIND might work better
>
> On Mon, 30 Mar 2020 at 16:31, Rohrbach, Gerald <G....@funkegruppe.de>
> wrote:
>
> Also having LDAP issues:
>
> It seems not to work.
>
> Below is the om_ldap.cfg that is used in the config file:
>
> DEBUG 03-30 08:42:26.213 o.a.o.s.q.s.ReminderJob:93 [Bean#0_Worker-3] - Rss disabled by Admin
> DEBUG 03-30 08:52:26.214 o.a.o.s.q.s.ReminderJob:93 [Bean#0_Worker-8] - Rss disabled by Admin
> DEBUG 03-30 09:02:26.214 o.a.o.s.q.s.ReminderJob:93 [Bean#0_Worker-5] - Rss disabled by Admin
> DEBUG 03-30 09:11:36.412 o.a.o.d.d.s.LdapConfigDao:69 [io-5443-exec-10] - getActiveLdapConfigs
> DEBUG 03-30 09:11:36.517 o.a.o.d.d.s.LdapConfigDao:69 [nio-5443-exec-2] - getActiveLdapConfigs
> DEBUG 03-30 09:12:13.115 o.a.o.c.l.LdapLoginManager:172 [nio-5443-exec-2] - LdapLoginmanager.doLdapLogin
> ERROR 03-30 09:12:13.129 o.a.o.c.l.LdapLoginManager:226 [nio-5443-exec-2] - Not authenticated.
> org.apache.directory.api.ldap.model.exception.LdapAuthenticationException: 80090308: LdapErr: DSID-0C090442, comment: AcceptSecurityContext error, data 52e, v3839
>     at org.apache.directory.api.ldap.model.message.ResultCodeEnum.processResponse(ResultCodeEnum.java:1995)
>
>
>
>
>
>
> What does the LdapLogin Manager message mean, was the query user not able
> to connect or was the end user password wrong?
>
> How can I make visible what the query for the user is?
>
> It should be in the form user@domain.de , maybe the mapping is just wrong.
>
> This is the modified
>
>  ldap_conn_host=DESVR-DC01.firma.de
>
> ldap_conn_port=389
>
> ldap_conn_secure=false
>
>
>
> # Login distinguished name (DN) for Authentication on LDAP Server - keep
> empty if not required
>
> # Use full qualified LDAP DN
>
> ldap_admin_dn=CN=ldapopenmeetings,OU=Users-Service-Accounts,DC=firma,DC=de
>
>
>
> # Loginpass for Authentication on LDAP Server - keep empty if not required
>
> ldap_passwd=#password#
>
>
>
> # base to search for userdata(of user, that wants to login)
>
> ldap_search_base=CN=Users,DC=firma,DC=de
>
>
>
> # Fieldnames (can differ between Ldap servers)
>
> ldap_search_query=(uid=%s)
>
>
>
> # the scope of the search might be: OBJECT, ONELEVEL, SUBTREE
>
> ldap_search_scope=SUBTREE
>
>
>
> # Ldap auth type(NONE, SEARCHANDBIND, SIMPLEBIND)
>
> #  When using SIMPLEBIND a simple bind is performed on the LDAP server to
> check user authentication
>
> #  When using NONE, the Ldap server is not used for authentication
>
> ldap_auth_type=SIMPLEBIND
>
>
>
> # userDN format, will be used to bind if ldap_auth_type=SIMPLEBIND
>
> # might be used to get provisionningDn in case ldap_auth_type=NONE
>
> ldap_userdn_format=uid=%s,CN=Users,DC=firma,DC=de
>
>
>
> # Ldap provisioning type(NONE, AUTOCREATE, AUTOUPDATE)
>
> ldap_provisionning=AUTOCREATE
>
>
>
> # Ldap deref mode (never, searching, finding, always)
>
> ldap_deref_mode=always
>
> ldap_use_admin_to_get_attrs=true
>
>
>
> # Ldap-password synchronization to OM DB
>
> #  Set this to 'true' if you want OM to synchronize the user Ldap-password
> to OM's internal DB
>
> #  If you want to disable the feature, set this to any other string.
>
> #  Default value is 'true'
>
> ldap_sync_password_to_om=false
>
>
>
> # Ldap group mode (NONE, ATTRIBUTE, QUERY)
>
> # NONE means group associations will be ignored
>
> # ATTRIBUTE means group associations will be taken from 'ldap_group_attr'
> attribute (M$ AD mode)
>
> # QUERY means group associations will be taken as a result of
> 'ldap_group_query' query
>
> ldap_group_mode=NONE
>
>
>
> ldap_group_query=(&(memberUid=%s)(objectClass=posixGroup))
>
>
>
> # Ldap user attributes mapping
>
> # Set the following internal OM user attributes to their corresponding
> Ldap-attribute
>
>
>
> ldap_user_attr_login=uid
>
> ldap_user_attr_lastname=sn
>
> ldap_user_attr_firstname=givenName
>
> ldap_user_attr_mail=mail
>
> ldap_user_attr_street=streetAddress
>
> ldap_user_attr_additionalname=description
>
> ldap_user_attr_fax=facsimileTelephoneNumber
>
> ldap_user_attr_zip=postalCode
>
> ldap_user_attr_country=co
>
> ldap_user_attr_town=l
>
> ldap_user_attr_phone=telephoneNumber
>
> # optional attribute for user picture
>
> #ldap_user_attr_picture=
>
> ldap_group_attr=memberOf
>
>
>
> # optional, absolute URL will be used as user picture if
> #ldap_user_attr_picture will be empty
>
> #ldap_user_picture_uri=picture_uri
>
>
>
> # optional
>
> # the timezone has to match any timezone available in Java, otherwise the
> timezone defined in the value of
>
> # the conf_key "default.timezone" in OpenMeetings "configurations" table
>
> #ldap_user_timezone=timezone
>
>
>
> # Ldap ignore upper/lower case, convert all input to lower case
>
> ldap_use_lower_case=false
>
>
>
> # Ldap import query, this query should retrieve all LDAP users
>
> ldap_import_query=(objectClass=inetOrgPerson)
>
>
>
>
> --
>
> WBR
> Maxim aka solomax
>


-- 
WBR
Maxim aka solomax

AW: ldap config problems with authentication

Posted by "Rohrbach, Gerald" <G....@funkegruppe.de>.
Maxim,

that was a good hint with the logging.
I think it is just a understanding and config issue.

   SearchRequest
        baseDn : 'CN=Users,DC=company,DC=de'
        filter : '(uid=xxxx@compay.de)'

In ADS uid attribute is not filled. Instead in ADS we need to use UserPrincipalName or something else.

So authentication works fine, but every time someone logs in a new user account is created.

It looks like we still have an issue, as the created user login is wrong.
testuser@company.de@company.de

I hope I get the rest also figured out.


Gerald





From: Maxim Solodovnik [mailto:solomax666@gmail.com]
Sent: Monday, 30 March 2020 11:50
To: Openmeetings user-list <us...@openmeetings.apache.org>
Subject: Re: ldap config problems with authentication

Your log is hard to read due to formatting issues :((
Googling `DSID-0C090442` results in something about "searching between forests" which I don't understand :(

Admin->LDAP has setting "Add domain to user name"
Do you have it checked? (domain to add should be specified)

What is your LDAP provider? Is it ADS?

To make logging more verbose you can
1) stop OM
2) add following line to logback-config.xml
 <logger name="org.apache.directory" level="DEBUG" />
3) restart OM

According to my previous experience SEARCHANDBIND might work better


On Mon, 30 Mar 2020 at 16:31, Rohrbach, Gerald <G....@funkegruppe.de> wrote:
Also having LDAP issues:

It seems not to work.

Below is the om_ldap.cfg, that is used in the config file:

DEBUG 03-30 08:42:26.213 o.a.o.s.q.s.ReminderJob:93 [Bean#0_Worker-3] - Rss disabled by Admin
DEBUG 03-30 08:52:26.214 o.a.o.s.q.s.ReminderJob:93 [Bean#0_Worker-8] - Rss disabled by Admin
DEBUG 03-30 09:02:26.214 o.a.o.s.q.s.ReminderJob:93 [Bean#0_Worker-5] - Rss disabled by Admin
DEBUG 03-30 09:11:36.412 o.a.o.d.d.s.LdapConfigDao:69 [io-5443-exec-10] - getActiveLdapConfigs
DEBUG 03-30 09:11:36.517 o.a.o.d.d.s.LdapConfigDao:69 [nio-5443-exec-2] - getActiveLdapConfigs
DEBUG 03-30 09:12:13.115 o.a.o.c.l.LdapLoginManager:172 [nio-5443-exec-2] - LdapLoginmanager.doLdapLogin
ERROR 03-30 09:12:13.129 o.a.o.c.l.LdapLoginManager:226 [nio-5443-exec-2] - Not authenticated.
org.apache.directory.api.ldap.model.exception.LdapAuthenticationException: 80090308: LdapErr: DSID-0C090442, comment: AcceptSecurityContext error, data 52e, v3839
at org.apache.directory.api.ldap.model.message.ResultCodeEnum.processResponse(ResultCodeEnum.java:1995)


What does the LdapLogin Manager message mean, was the query user not able to connect or was the end user password wrong?
How can I make visible what the query for the user is?
It should be in the form user@domain.de , maybe the mapping is just wrong.





This is the modified
ldap_conn_host=DESVR-DC01.firma.de
ldap_conn_port=389
ldap_conn_secure=false

# Login distinguished name (DN) for Authentication on LDAP Server - keep empty if not required
# Use full qualified LDAP DN
ldap_admin_dn=CN=ldapopenmeetings,OU=Users-Service-Accounts,DC=firma,DC=de

# Loginpass for Authentication on LDAP Server - keep empty if not required
ldap_passwd=#password#

# base to search for userdata(of user, that wants to login)
ldap_search_base=CN=Users,DC=firma,DC=de

# Fieldnames (can differ between Ldap servers)
ldap_search_query=(uid=%s)

# the scope of the search might be: OBJECT, ONELEVEL, SUBTREE
ldap_search_scope=SUBTREE

# Ldap auth type(NONE, SEARCHANDBIND, SIMPLEBIND)
#  When using SIMPLEBIND a simple bind is performed on the LDAP server to check user authentication
#  When using NONE, the Ldap server is not used for authentication
ldap_auth_type=SIMPLEBIND

# userDN format, will be used to bind if ldap_auth_type=SIMPLEBIND
# might be used to get provisionningDn in case ldap_auth_type=NONE
ldap_userdn_format=uid=%s,CN=Users,DC=firma,DC=de

# Ldap provisioning type(NONE, AUTOCREATE, AUTOUPDATE)
ldap_provisionning=AUTOCREATE

# Ldap deref mode (never, searching, finding, always)
ldap_deref_mode=always
ldap_use_admin_to_get_attrs=true

# Ldap-password synchronization to OM DB
#  Set this to 'true' if you want OM to synchronize the user Ldap-password to OM's internal DB
#  If you want to disable the feature, set this to any other string.
#  Default value is 'true'
ldap_sync_password_to_om=false

# Ldap group mode (NONE, ATTRIBUTE, QUERY)
# NONE means group associations will be ignored
# ATTRIBUTE means group associations will be taken from 'ldap_group_attr' attribute (M$ AD mode)
# QUERY means group associations will be taken as a result of 'ldap_group_query' query
ldap_group_mode=NONE

ldap_group_query=(&(memberUid=%s)(objectClass=posixGroup))

# Ldap user attributes mapping
# Set the following internal OM user attributes to their corresponding Ldap-attribute

ldap_user_attr_login=uid
ldap_user_attr_lastname=sn
ldap_user_attr_firstname=givenName
ldap_user_attr_mail=mail
ldap_user_attr_street=streetAddress
ldap_user_attr_additionalname=description
ldap_user_attr_fax=facsimileTelephoneNumber
ldap_user_attr_zip=postalCode
ldap_user_attr_country=co
ldap_user_attr_town=l
ldap_user_attr_phone=telephoneNumber
# optional attribute for user picture
#ldap_user_attr_picture=
ldap_group_attr=memberOf

# optional, absolute URL will be used as user picture if #ldap_user_attr_picture will be empty
#ldap_user_picture_uri=picture_uri

# optional
# the timezone has to match any timezone available in Java, otherwise the timezone defined in the value of
# the conf_key "default.timezone" in OpenMeetings "configurations" table
#ldap_user_timezone=timezone

# Ldap ignore upper/lower case, convert all input to lower case
ldap_use_lower_case=false

# Ldap import query, this query should retrieve all LDAP users
ldap_import_query=(objectClass=inetOrgPerson)


--
WBR
Maxim aka solomax
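
The two symptoms in Gerald's post above, the `(uid=...)` search filter that Active Directory cannot match and the doubled `testuser@company.de@company.de` login, reproduced in an added Python example. This is not OpenMeetings' own code and not the users.ldif test schema Maxim links; the function names, the `directory` labels and the "append @domain" reading of the Admin->LDAP "Add domain to user name" option are assumptions made to show the symptom. That AD keeps the login in `userPrincipalName` and `sAMAccountName` rather than `uid` is general AD schema knowledge, not something the page states. The example additionally escapes the typed login per RFC 4515 before it is substituted for `%s`, a step the plain `%s` in om_ldap.cfg does not make visible.

```python
"""Where the '(uid=xxxx@company.de)' filter and the doubled
'testuser@company.de@company.de' login in the thread come from.

Added example, not OpenMeetings' own code. escape_filter_value, build_filter,
add_domain, derive_login and the 'directory' labels are this example's own,
and the add-domain semantics are an assumption used to reproduce the symptom.
"""

# Active Directory populates userPrincipalName (user@realm) and
# sAMAccountName (short login) but normally leaves uid empty;
# inetOrgPerson directories (OpenLDAP, ApacheDS) populate uid.
SEARCH_FILTER = {
    "ads": "(userPrincipalName=%s)",
    "inetorgperson": "(uid=%s)",
}
LOGIN_ATTR = {
    "ads": "sAMAccountName",
    "inetorgperson": "uid",
}


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping. The login typed into the OM login form is untrusted,
    so it must not be able to change the shape of the filter."""
    out = []
    for ch in value:
        if ch in "\\*()" or ch == "\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def build_filter(directory: str, typed_login: str) -> str:
    """Filter sent to the directory after substituting the escaped login for %s."""
    return SEARCH_FILTER[directory].replace("%s", escape_filter_value(typed_login), 1)


def naive_add_domain(login: str, domain: str) -> str:
    """Unconditional append: produces the doubled suffix when the user already
    typed the realm. Kept only to show the symptom."""
    return f"{login}@{domain}"


def add_domain(login: str, domain: str, enabled: bool) -> str:
    """Assumed semantics of 'Add domain to user name': append '@' + domain,
    but only when the login does not already carry a realm."""
    if not enabled or "@" in login:
        return login
    return f"{login}@{domain}"


def derive_login(directory: str, entry: dict, domain: str, add_domain_enabled: bool) -> str:
    """Login stored for the auto-created OM user: the mapped login attribute
    (what ldap_user_attr_login points at) read from the entry, then the
    domain rule."""
    value = entry.get(LOGIN_ATTR[directory], "")
    return add_domain(value, domain, add_domain_enabled)


# Constructed AD entry standing in for the test user in the thread.
AD_ENTRY = {
    "userPrincipalName": "testuser@company.de",
    "sAMAccountName": "testuser",
    "sn": "User",
    "givenName": "Test",
    "mail": "testuser@company.de",
}


if __name__ == "__main__":
    print(build_filter("inetorgperson", "testuser@company.de"))  # uid filter, AD returns nothing
    print(build_filter("ads", "testuser@company.de"))            # UPN filter, AD can match
    print(naive_add_domain("testuser@company.de", "company.de")) # the doubled login
    print(derive_login("ads", AD_ENTRY, "company.de", True))     # testuser@company.de
    print(build_filter("ads", "x)(objectClass=*"))               # structure-changing input is escaped
```

The defender-side point is the last line: whatever attribute the filter uses, the value substituted for `%s` must be escaped, otherwise a login string can alter the filter that the service account (`ldap_admin_dn`) runs against the directory.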

Re: ldap config problems with authentication

Posted by Maxim Solodovnik <so...@gmail.com>.
Your log is hard to read due to formatting issues :((
Googling `DSID-0C090442` results in something about "searching between
forests" which I don't understand :(

Admin->LDAP has setting "Add domain to user name"
Do you have it checked? (domain to add should be specified)

What is your LDAP provider? Is it ADS?

To make logging more verbose you can
1) stop OM
2) add following line to logback-config.xml
 <logger name="org.apache.directory" level="DEBUG" />
3) restart OM

According to my previous experience SEARCHANDBIND might work better


On Mon, 30 Mar 2020 at 16:31, Rohrbach, Gerald <G....@funkegruppe.de>
wrote:

> Also having LDAP issues:
>
>
>
> It seems not to work.
>
>
>
> Below is the om_ldap.cfg, that is used in the config file:
>
>
>
> DEBUG 03-30 08:42:26.213 o.a.o.s.q.s.ReminderJob:93 [Bean#0_Worker-3] - Rss disabled by Admin
> DEBUG 03-30 08:52:26.214 o.a.o.s.q.s.ReminderJob:93 [Bean#0_Worker-8] - Rss disabled by Admin
> DEBUG 03-30 09:02:26.214 o.a.o.s.q.s.ReminderJob:93 [Bean#0_Worker-5] - Rss disabled by Admin
> DEBUG 03-30 09:11:36.412 o.a.o.d.d.s.LdapConfigDao:69 [io-5443-exec-10] - getActiveLdapConfigs
> DEBUG 03-30 09:11:36.517 o.a.o.d.d.s.LdapConfigDao:69 [nio-5443-exec-2] - getActiveLdapConfigs
> DEBUG 03-30 09:12:13.115 o.a.o.c.l.LdapLoginManager:172 [nio-5443-exec-2] - LdapLoginmanager.doLdapLogin
> ERROR 03-30 09:12:13.129 o.a.o.c.l.LdapLoginManager:226 [nio-5443-exec-2] - Not authenticated.
> org.apache.directory.api.ldap.model.exception.LdapAuthenticationException: 80090308: LdapErr: DSID-0C090442, comment: AcceptSecurityContext error, data 52e, v3839
> at org.apache.directory.api.ldap.model.message.ResultCodeEnum.processResponse(ResultCodeEnum.java:1995)
>
>
>
>
>
>
> What does the LdapLogin Manager message mean, was the query user not able
> to connect or was the end user password wrong?
>
> How can I make visible what the query for the user is?
>
> It should be in the form user@domain.de , maybe the mapping is just wrong.
>
> This is the modified
>
>  ldap_conn_host=DESVR-DC01.firma.de
>
> ldap_conn_port=389
>
> ldap_conn_secure=false
>
>
>
> # Login distinguished name (DN) for Authentication on LDAP Server - keep
> empty if not required
>
> # Use full qualified LDAP DN
>
> ldap_admin_dn=CN=ldapopenmeetings,OU=Users-Service-Accounts,DC=firma,DC=de
>
>
>
> # Loginpass for Authentication on LDAP Server - keep empty if not required
>
> ldap_passwd=#password#
>
>
>
> # base to search for userdata(of user, that wants to login)
>
> ldap_search_base=CN=Users,DC=firma,DC=de
>
>
>
> # Fieldnames (can differ between Ldap servers)
>
> ldap_search_query=(uid=%s)
>
>
>
> # the scope of the search might be: OBJECT, ONELEVEL, SUBTREE
>
> ldap_search_scope=SUBTREE
>
>
>
> # Ldap auth type(NONE, SEARCHANDBIND, SIMPLEBIND)
>
> #  When using SIMPLEBIND a simple bind is performed on the LDAP server to
> check user authentication
>
> #  When using NONE, the Ldap server is not used for authentication
>
> ldap_auth_type=SIMPLEBIND
>
>
>
> # userDN format, will be used to bind if ldap_auth_type=SIMPLEBIND
>
> # might be used to get provisionningDn in case ldap_auth_type=NONE
>
> ldap_userdn_format=uid=%s,CN=Users,DC=firma,DC=de
>
>
>
> # Ldap provisioning type(NONE, AUTOCREATE, AUTOUPDATE)
>
> ldap_provisionning=AUTOCREATE
>
>
>
> # Ldap deref mode (never, searching, finding, always)
>
> ldap_deref_mode=always
>
> ldap_use_admin_to_get_attrs=true
>
>
>
> # Ldap-password synchronization to OM DB
>
> #  Set this to 'true' if you want OM to synchronize the user Ldap-password
> to OM's internal DB
>
> #  If you want to disable the feature, set this to any other string.
>
> #  Default value is 'true'
>
> ldap_sync_password_to_om=false
>
>
>
> # Ldap group mode (NONE, ATTRIBUTE, QUERY)
>
> # NONE means group associations will be ignored
>
> # ATTRIBUTE means group associations will be taken from 'ldap_group_attr'
> attribute (M$ AD mode)
>
> # QUERY means group associations will be taken as a result of
> 'ldap_group_query' query
>
> ldap_group_mode=NONE
>
>
>
> ldap_group_query=(&(memberUid=%s)(objectClass=posixGroup))
>
>
>
> # Ldap user attributes mapping
>
> # Set the following internal OM user attributes to their corresponding
> Ldap-attribute
>
>
>
> ldap_user_attr_login=uid
>
> ldap_user_attr_lastname=sn
>
> ldap_user_attr_firstname=givenName
>
> ldap_user_attr_mail=mail
>
> ldap_user_attr_street=streetAddress
>
> ldap_user_attr_additionalname=description
>
> ldap_user_attr_fax=facsimileTelephoneNumber
>
> ldap_user_attr_zip=postalCode
>
> ldap_user_attr_country=co
>
> ldap_user_attr_town=l
>
> ldap_user_attr_phone=telephoneNumber
>
> # optional attribute for user picture
>
> #ldap_user_attr_picture=
>
> ldap_group_attr=memberOf
>
>
>
> # optional, absolute URL will be used as user picture if
> #ldap_user_attr_picture will be empty
>
> #ldap_user_picture_uri=picture_uri
>
>
>
> # optional
>
> # the timezone has to match any timezone available in Java, otherwise the
> timezone defined in the value of
>
> # the conf_key "default.timezone" in OpenMeetings "configurations" table
>
> #ldap_user_timezone=timezone
>
>
>
> # Ldap ignore upper/lower case, convert all input to lower case
>
> ldap_use_lower_case=false
>
>
>
> # Ldap import query, this query should retrieve all LDAP users
>
> ldap_import_query=(objectClass=inetOrgPerson)
>


-- 
WBR
Maxim aka solomax
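
Gerald's question quoted above, whether "Not authenticated." means the service account could not connect or the end user's password was wrong, is answered by the `data 52e` part of the AD error string in his own log. The following is an added Python example, not OpenMeetings' own code: it strips the colour codes that made the pasted log hard to read, parses the records, and decodes the Active Directory bind-error `data` code. The function names and the constructed sample (the thread's lines as they were before the paste mangled the ESC byte into `^[`) are this example's own; the code meanings are the documented AD logon-failure codes, not something taken from OpenMeetings.

```python
"""Parse the OpenMeetings log lines quoted in this thread and decode the
Active Directory 'data NNN' bind-error code.

Added example, not OpenMeetings' own code; strip_ansi, parse_log,
decode_ad_bind_error and triage are this example's own names.
"""
import re

# Real ESC-based colour sequences (what logback writes to a terminal).
ANSI_CSI = re.compile(r"\x1b\[[0-9;]*m")
# The same sequences after a paste rendered the ESC byte as the two
# characters '^[', which is how they appear in the thread.
CARET_ESC = re.compile(r"\^\[\[[0-9;]*m")

# Constructed sample: the three relevant lines from the thread.
SAMPLE_LOG = (
    "^[[39mDEBUG^[[0;39m 03-30 09:12:13.115 ^[[36mo.a.o.c.l.LdapLoginManager:172 "
    "[nio-5443-exec-2]^[[0;39m - LdapLoginmanager.doLdapLogin\n"
    "^[[1;31mERROR^[[0;39m 03-30 09:12:13.129 ^[[36mo.a.o.c.l.LdapLoginManager:226 "
    "[nio-5443-exec-2]^[[0;39m - Not authenticated.\n"
    "org.apache.directory.api.ldap.model.exception.LdapAuthenticationException: "
    "80090308: LdapErr: DSID-0C090442, comment: AcceptSecurityContext error, "
    "data 52e, v3839\n"
)

# 'data' codes AD attaches to an AcceptSecurityContext error on a failed bind.
AD_BIND_DATA_CODES = {
    "525": "user not found",
    "52e": "invalid credentials (bind DN unknown or wrong password for it)",
    "530": "not permitted to log on at this time",
    "531": "not permitted to log on at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

LOG_LINE = re.compile(
    r"^(?P<level>[A-Z]+) (?P<ts>\d\d-\d\d \d\d:\d\d:\d\d\.\d+) "
    r"(?P<logger>\S+):(?P<line>\d+) \[(?P<thread>[^\]]+)\] - (?P<msg>.*)$"
)
AD_DATA = re.compile(r"AcceptSecurityContext error, data (?P<code>[0-9a-fA-F]+)")


def strip_ansi(text: str) -> str:
    """Remove both the real and the paste-damaged colour sequences."""
    return CARET_ESC.sub("", ANSI_CSI.sub("", text))


def parse_log(text: str) -> list:
    """One dict per log record; lines that are not a record header (exception
    message, stack trace) are appended to the previous record's message."""
    records = []
    for raw in strip_ansi(text).splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LOG_LINE.match(line)
        if m:
            records.append(m.groupdict())
        elif records:
            records[-1]["msg"] += "\n" + line
    return records


def decode_ad_bind_error(message: str):
    """Return (code, meaning) when the message carries an AD bind 'data' code."""
    m = AD_DATA.search(message)
    if not m:
        return None
    code = m.group("code").lower()
    return code, AD_BIND_DATA_CODES.get(code, "unknown code")


def triage(text: str) -> list:
    """(logger, code, meaning) for every ERROR record that carries an AD code."""
    out = []
    for rec in parse_log(text):
        if rec["level"] != "ERROR":
            continue
        decoded = decode_ad_bind_error(rec["msg"])
        if decoded:
            out.append((rec["logger"], decoded[0], decoded[1]))
    return out


if __name__ == "__main__":
    for logger, code, meaning in triage(SAMPLE_LOG):
        print(f"{logger}: AD data {code} -> {meaning}")
```

For the thread's log this yields `52e`, i.e. the directory rejected the credentials of the DN that was bound during `doLdapLogin`. With `ldap_auth_type=SIMPLEBIND` the posted config's own comment says that DN is built from `ldap_userdn_format`, here `uid=%s,CN=Users,DC=firma,DC=de`, so the `data` code points at that user bind rather than at the service account. AD returns `52e` for an unknown DN as well as for a wrong password, which is why the DEBUG logger Maxim suggests (the `SearchRequest` Gerald then saw) is the way to tell the two apart.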