LDAP RabbitMQ AD Group failing to authorize - rabbitmq

I am looking to integrate RabbitMQ with LDAP and allow administrator access to users who are in the mentioned AD group.
configuration files
rabbitmq.conf
auth_backends.1 = ldap
auth_ldap.servers.1 = example.com
auth_ldap.dn_lookup_attribute = sAMAccountName
auth_ldap.dn_lookup_base = OU=Standard,OU=Users,DC=example,DC=com
auth_ldap.user_dn_pattern = ${username}
auth_ldap.use_ssl = false
auth_ldap.port = 389
auth_ldap.log = network_unsafe
advanced.config
[{rabbitmq_auth_backend_ldap,[
{tag_queries, [{administrator, {in_group, "rabbitusers_group,OU=Security,OU=Groups,DC=example,DC=com","member"}},
{management, {constant,true}}]}
]}].
I get the same result even when auth_ldap.dn_lookup_attribute sAMAccountName is replaced with distinguishedName.
I noticed this in the log --- user have tag administrator? false

Related

how to set up freeipa + rabbitmq

rabbitmq version 3.10.0
Tell me how to write rabbitmq.conf correctly without using advanced.config.
Working BindDN on another server --> uid=myuserinfreeipa,cn=users,cn=accounts,dc=mydc1,dc=mydc2
Working SearchFilter on another server ---> "(&(uid=%u)(memberOf=cn=mygroupinfreeipa,cn=groups,cn=accounts,dc=mydc1,dc=mydc2)(!(nsaccountlock=TRUE)))"
Working BaseDN on another server --> "cn=users,cn=accounts,dc=mydc1,dc=mydc2"
rabbitmq.conf
auth_backends.1 = ldap
auth_ldap.servers.1 = my.server.com
auth_ldap.timeout = 500
auth_ldap.port = 389
auth_ldap.user_dn_pattern = CN=${username},OU=Users,dc=mydc1,dc=mydc2
auth_ldap.use_ssl = false
ssl_options.cacertfile = /etc/rabbitmq/ca.crt
auth_ldap.dn_lookup_bind.user_dn = test
auth_ldap.dn_lookup_bind.password = password
auth_ldap.dn_lookup_attribute = distinguishedName
auth_ldap.dn_lookup_base = cn=users,cn=accounts,dc=mydc1,dc=mydc2
auth_ldap.log = network
advanced.config
[
{
rabbitmq_auth_backend_ldap,
[
{
tag_queries, [
{administrator,{in_group,"CN=mygroupinfreeipa,dc=mydc1,dc=mydc2","member"}},
{management, {constant, true}}
]
}
]%% rabbitmq_auth_backend_ldap,
}
].
tail -f /var/log/rabbitmq/rabbit@amqptest.log
LDAP CHECK: login for test
LDAP connecting to servers: ["my.server.com"]
LDAP network traffic: bind request = {'BindRequest',3,"xxxx",
{simple,"xxxx"}}
LDAP network traffic: bind reply = {ok,
{'LDAPMessage',1,
{bindResponse,
{'BindResponse',invalidCredentials,
[],[],asn1_NOVALUE,asn1_NOVALUE}},
asn1_NOVALUE}}
LDAP bind returned "invalid credentials": xxxx
LDAP connecting to servers: ["my.server.com"]
LDAP network traffic: bind request = {'BindRequest',3,"xxxx",
{simple,"xxxx"}}
LDAP bind error: "xxxx" {'EXIT',
{{badmatch,
{error,
{asn1,
{function_clause,
[{'ELDAPv3',encode_restricted_string,
[{refused,"test",[]},[<<4>>]]
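Both RabbitMQ questions above turn on the same mechanic: the in_group tag query fetches the entry at the configured group DN and looks for the user's resolved DN among that entry's member values, so the administrator tag comes out false whenever the group DN names no existing entry, or the DN obtained by the dn_lookup step is not (modulo normalisation) one of those values, or the "user DN" handed to the query is not a DN at all. The Python model below is an added example, not code from either post or from the RabbitMQ plugin; the toy in-memory directory, the DN normalisation rule, and every entry and group name in it are constructed for illustration.

```python
# Added example: a toy model of the RabbitMQ LDAP plugin's dn_lookup + in_group check.
# Directory contents are constructed for illustration; no real server is contacted.
DIRECTORY = {
    # AD-style users and group (first post)
    "CN=alice,OU=Standard,OU=Users,DC=example,DC=com": {"sAMAccountName": ["alice"]},
    "CN=bob,OU=Standard,OU=Users,DC=example,DC=com": {"sAMAccountName": ["bob"]},
    "CN=rabbitusers_group,OU=Security,OU=Groups,DC=example,DC=com": {
        # member values are full DNs; the case differs from the entry key on purpose
        "member": ["cn=Alice,ou=Standard,ou=Users,dc=example,dc=com"],
    },
    # FreeIPA-style user and group (second post)
    "uid=test,cn=users,cn=accounts,dc=mydc1,dc=mydc2": {"uid": ["test"]},
    "cn=mygroupinfreeipa,cn=groups,cn=accounts,dc=mydc1,dc=mydc2": {
        "member": ["uid=test,cn=users,cn=accounts,dc=mydc1,dc=mydc2"],
    },
}


def normalize_dn(dn):
    """Return a comparable form of a DN (types and values lowercased, padding removed),
    or None if the string is not a DN at all (e.g. a bare username).
    Real servers apply per-attribute matching rules; this is enough for the toy."""
    rdns = []
    for rdn in dn.split(","):
        attr_type, sep, value = rdn.partition("=")
        if not sep or not attr_type.strip() or not value.strip():
            return None
        rdns.append(attr_type.strip().lower() + "=" + value.strip().lower())
    return ",".join(rdns)


def lookup_entry(dn):
    """Fetch the entry at dn, or None when no such entry exists."""
    want = normalize_dn(dn)
    if want is None:
        return None
    for entry_dn, attrs in DIRECTORY.items():
        if normalize_dn(entry_dn) == want:
            return attrs
    return None


def dn_lookup(username, attribute, base):
    """Model auth_ldap.dn_lookup_attribute / dn_lookup_base: find the entry under
    base whose attribute equals username and return that entry's DN."""
    norm_base = normalize_dn(base)
    if norm_base is None:
        return None
    for entry_dn, attrs in DIRECTORY.items():
        under_base = ("," + normalize_dn(entry_dn)).endswith("," + norm_base)
        if under_base and username in attrs.get(attribute, []):
            return entry_dn
    return None


def in_group(user_dn, group_dn, attribute="member"):
    """Model {in_group, GroupDN, Attribute}: the user's DN must appear
    (modulo normalisation) among the group entry's attribute values."""
    group = lookup_entry(group_dn)
    want = normalize_dn(user_dn)
    if group is None or want is None:
        return False
    return any(normalize_dn(value) == want for value in group.get(attribute, []))


def has_administrator_tag(username, group_dn, lookup_attribute, lookup_base):
    """Resolve the user DN first, then run the group query on it."""
    user_dn = dn_lookup(username, lookup_attribute, lookup_base)
    return user_dn is not None and in_group(user_dn, group_dn)


if __name__ == "__main__":
    ad_group = "CN=rabbitusers_group,OU=Security,OU=Groups,DC=example,DC=com"
    ad_base = "OU=Standard,OU=Users,DC=example,DC=com"
    print(has_administrator_tag("alice", ad_group, "sAMAccountName", ad_base))      # True
    print(has_administrator_tag("alice", ad_group[3:], "sAMAccountName", ad_base))  # False: no "CN=" -> not a DN
    ipa_base = "cn=users,cn=accounts,dc=mydc1,dc=mydc2"
    print(has_administrator_tag("test", "CN=mygroupinfreeipa,dc=mydc1,dc=mydc2", "uid", ipa_base))  # False: no such entry
```

The three cases at the bottom are the ones worth checking against a real directory with ldapsearch before touching the broker config: does the group DN in tag_queries return an entry, does the dn_lookup search return exactly one user entry, and does that user's DN appear among the group's member values.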

ldap configuration in airflow when rbac is True

I was configuring LDAP in Airflow.
I followed this documentation here - https://flask-appbuilder.readthedocs.io/en/latest/security.html
webserver_config.py
import os
from airflow import configuration as conf
from flask_appbuilder.security.manager import AUTH_LDAP
basedir = os.path.abspath(os.path.dirname(__file__))
SQLALCHEMY_DATABASE_URI = conf.get('core', 'SQL_ALCHEMY_CONN')
CSRF_ENABLED = True
AUTH_TYPE = AUTH_LDAP
AUTH_ROLE_ADMIN = 'Admin'
AUTH_USER_REGISTRATION = True
AUTH_USER_REGISTRATION_ROLE = "Admin"
# AUTH_USER_REGISTRATION_ROLE = "Viewer"
AUTH_LDAP_SERVER = 'ldaps://ldap:636/'
AUTH_LDAP_SEARCH = "DC=domain,DC=net"
AUTH_LDAP_BIND_USER = 'CN=admin,DC=domain,DC=net'
AUTH_LDAP_BIND_PASSWORD = 'password'
AUTH_LDAP_UID_FIELD = 'sAMAccountName'
AUTH_LDAP_USE_TLS = False
For running the LDAP container I used osixia/docker-openldap.
But when I run the webserver and try to log in it gives "Invalid login. Please try again." no matter what ID and password I give.
When not using LDAP it is able to log in with the user I created using the airflow CLI create_user.
I don't know if I am doing everything right. There is no good documentation/article with the steps.
Can someone help me on this? THANKS!!!

LDAP Shiro authentication without domain suffix

I have configured LDAP with Zeppelin using the Shiro configuration. Now everything works fine, but I am able to log in with my LDAP user with the domain suffix (@company.org).
Is there a possibility to log in with only the username, without the suffix?
Below is my shiro.ini:
ldapRealm=org.apache.zeppelin.realm.LdapRealm
ldapRealm.contextFactory.systemUsername=cn=hosting,dc=company,dc=org
ldapRealm.contextFactory.systemPassword=secretpassword
ldapRealm.contextFactory.authenticationMechanism=simple
ldapRealm.contextFactory.url=ldap://ldap.user.base:389
ldapRealm.pagingSize = 200
ldapRealm.authorizationEnabled = true
ldapRealm.searchBase=OU=Users,DC=company,DC=org
ldapRealm.userSearchBase=OU=Users,DC=company,DC=org
ldapRealm.groupSearchBase=OU=Groups,DC=company,DC=org
ldapRealm.memberAttributeValueTemplate=CN={0},OU=Users,DC=company,DC=org
ldapRealm.rolesByGroup = "QC":admin_role
ldapRealm.userLowerCase = true
ldapRealm.groupSearchEnableMatchingRuleInChain = true
The "principalSuffix" is in ActiveDirectoryGroupRealm [1] and is not present in LdapRealm [2].
[1] https://github.com/apache/zeppelin/blob/master/zeppelin-server/src/main/java/org/apache/zeppelin/realm/ActiveDirectoryGroupRealm.java
[2] https://github.com/apache/zeppelin/blob/master/zeppelin-server/src/main/java/org/apache/zeppelin/realm/LdapRealm.java

Gerrit is not able to authenticate using LDAP

I am using ApacheDS (running on port 10389) for LDAP services. My Gerrit instance is able to do a handshake with LDAP; however, user authentication is never successful. I always get this error message:
username: name.surname
password: password
INFO com.google.gerrit.httpd.auth.ldap.LdapLoginServlet : 'name.surname' failed to sign in: No such user: name.surname
My gerrit.conf is as follows:
[gerrit]
basePath = /home/gerrit2/git
canonicalWebUrl = http://gerrit.myorg.com:8080/
[database]
type = mysql
hostname = localhost
database = reviewdb
username = gerrit2
[index]
type = LUCENE
[auth]
type = LDAP
[ldap]
server = ldap://localhost:10389
username = cn=abc def,ou=user,dc=myorg,dc=com
accountBase = ou=user,dc=myorg,dc=com
groupBase = ou=user,dc=myorg,dc=com
referral = follow
accountFullName = cn
accountEmailAddress = mail
[sendemail]
smtpServer = localhost
[container]
user = gerrit2
javaHome = /usr/lib/jvm/java-1.7.0-openjdk-1.7.0.71.x86_64/jre
[sshd]
listenAddress = *:29418
[httpd]
listenUrl = http://*:8080/
[cache]
directory = cache
The ldif file through which I added the user into partition ou=user,dc=myorg,dc=com is:
dn: cn=name.surname,ou=user,dc=myorg,dc=com
objectclass: inetOrgPerson
objectclass: organizationalPerson
objectclass: person
objectclass: top
cn: name.surname
description: Gerrit Administrator
sn: name.surname
mail: name.surname@myorg.com
userpassword: password
Can anyone explain where the problem is happening? I assume by default the Gerrit username is matched against the CN (by appending against the baseDN). Please correct me if I am wrong.
Oh, I got the answer. By default the username is matched against uid. To match the username against CN, the following line has to be added to the [ldap] subsection in the gerrit.config file:
(cn=${username})
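For the Gerrit question above: the login name is substituted into the account search pattern (Gerrit's ldap.accountPattern, whose default is (uid=${username})), so an entry that carries only a cn and no uid is never found until the pattern is changed to (cn=${username}). The code below is an added example, not code from the post or from Gerrit. It escapes the username per RFC 4515 before substituting it into the pattern (so a name containing *, parentheses or a backslash cannot change the filter's structure), parses a constructed copy of the post's LDIF entry (with the obfuscated "@" in the mail address restored), and evaluates the resulting filter against it with a deliberately small evaluator that handles only equality assertions and one level of "&".

```python
import re

# Constructed copy of the LDIF entry from the post (mail address "@" restored).
LDIF_ENTRY = """\
dn: cn=name.surname,ou=user,dc=myorg,dc=com
objectclass: inetOrgPerson
objectclass: organizationalPerson
objectclass: person
objectclass: top
cn: name.surname
description: Gerrit Administrator
sn: name.surname
mail: name.surname@myorg.com
userpassword: password
"""

# Gerrit's documented default for ldap.accountPattern, and the fix from the post.
DEFAULT_ACCOUNT_PATTERN = "(uid=${username})"
CN_ACCOUNT_PATTERN = "(cn=${username})"


def escape_filter_value(value):
    """RFC 4515 escaping: *, (, ), backslash and NUL become \\xx hex escapes, so a
    username can never alter the structure of the filter it is substituted into."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value)


def build_filter(pattern, username):
    """Substitute the escaped username for ${username}, the placeholder Gerrit uses."""
    return pattern.replace("${username}", escape_filter_value(username))


def parse_ldif(text):
    """Parse one LDIF entry into {lowercased attribute name: [values]}."""
    entry = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        entry.setdefault(name.strip().lower(), []).append(value.strip())
    return entry


def _unescape(value):
    """Reverse RFC 4515 hex escapes when comparing an assertion value."""
    return re.sub(r"\\([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), value)


_EQUALITY = re.compile(r"\(([A-Za-z][A-Za-z0-9-]*)=([^()]*)\)")


def matches(filter_str, entry):
    """Toy evaluator: (attr=value) and one level of (&(...)(...)) only.
    Comparisons are case-insensitive, as with caseIgnoreMatch attributes."""
    m = _EQUALITY.fullmatch(filter_str)
    if m:
        attr, value = m.group(1).lower(), _unescape(m.group(2)).lower()
        return any(v.lower() == value for v in entry.get(attr, []))
    if filter_str.startswith("(&") and filter_str.endswith(")"):
        inner = filter_str[2:-1]
        parts = re.findall(r"\([^()]*\)", inner)
        if not parts or "".join(parts) != inner:
            raise ValueError("malformed filter: " + filter_str)
        return all(matches(part, entry) for part in parts)
    raise ValueError("unsupported or malformed filter: " + filter_str)


def find_account(pattern, username, entry=None):
    """True when the account entry satisfies the pattern for this login name."""
    entry = parse_ldif(LDIF_ENTRY) if entry is None else entry
    return matches(build_filter(pattern, username), entry)


if __name__ == "__main__":
    print(find_account(DEFAULT_ACCOUNT_PATTERN, "name.surname"))  # False: entry has no uid
    print(find_account(CN_ACCOUNT_PATTERN, "name.surname"))       # True
    print(build_filter(CN_ACCOUNT_PATTERN, "a*b"))                # (cn=a\2ab)
```

The same two checks apply to any tool that templates a login name into a search filter, including the (&(uid=%u)...) filter quoted in the FreeIPA post above: confirm that the attribute named in the pattern is actually present on the user entries, and confirm that the tool escapes the substituted value rather than pasting it in raw.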

GitLab Ldap insufficient access rights

Right!
I am getting ldap to work with GitLab 7.2.1. I have the correct LDAP connection details posted below:
gitlab_rails['ldap_enabled'] = true
gitlab_rails['ldap_host'] = '## company url ##'
gitlab_rails['ldap_port'] = 389
gitlab_rails['ldap_uid'] = 'mail'
gitlab_rails['ldap_method'] = 'plain' # 'ssl' or 'plain'
gitlab_rails['ldap_bind_dn'] = ''
gitlab_rails['ldap_password'] = ''
gitlab_rails['ldap_allow_username_or_email_login'] = false
gitlab_rails['ldap_base'] = '## company bind ##'
gitlab_rails['gitlab_signup_enabled'] = 'true'
gitlab_rails['gitlab_default_projects_limit'] = 0
gitlab_rails['gitlab_default_can_create_group'] = false
I have the right username and password tested with others in my team. I have tried ssl and plain ldap on ports 389 & 636.
After wiresharking the traffic I found this:
However it returns:
Could not authorize you from LDAP because "Invalid credentials".
at the login page, which is a 49 response.
Any ideas?