OpenLDAP search filter DN-Syntax error (34) Authentication failed - ldap

I have been trying for days to configure the search filter for an OpenLDAP connection with a tool that I am using.
But I always get the error message: DN-Syntax error (34) Authentication failed
My search filter looks like this:
Base DN: ou=myorganizationunit2,ou=myorganizationunit,o=myorganizationname,c=DE
User search filter: (&(|(objectClass=inetOrgPerson)(objectClass=user)) (uid=#LDAP_LOGIN#)))
What am I doing wrong?
Thankful for any help.
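Result code 34 is LDAP's invalidDNSyntax, so the server (or the tool) is complaining about a DN, not about the filter; separately, the filter as posted closes one more parenthesis than it opens and has a space between the two items of the AND list. The script below, added here as an example and not code from the original post or from the tool being configured, runs both values through a small subset of the RFC 4514 (DN) and RFC 4515 (filter) grammars so such typos show up before the tool is involved. The `#LDAP_LOGIN#` placeholder is left as posted; everything else in the checks is this script's own logic.

```python
"""Offline syntax checks for an LDAP base DN and search filter.

Added example for this thread; it is not code from the original post or
from the tool the poster is configuring. It implements a small subset of
the RFC 4514 (DN) and RFC 4515 (filter) grammars, enough to catch the
kind of typo that yields "invalid DN syntax" (resultCode 34) or a filter
that will not parse."""
import re

# attribute type: a descriptor such as "ou" or a numeric OID such as "2.5.4.3"
_ATTR_TYPE = re.compile(r"^(?:[A-Za-z][A-Za-z0-9-]*|\d+(?:\.\d+)+)$")

# values copied from the original post (the placeholder #LDAP_LOGIN# is the tool's)
POSTED_BASE_DN = "ou=myorganizationunit2,ou=myorganizationunit,o=myorganizationname,c=DE"
POSTED_FILTER = "(&(|(objectClass=inetOrgPerson)(objectClass=user)) (uid=#LDAP_LOGIN#)))"


def split_unescaped(text, sep):
    """Split on sep, ignoring occurrences escaped with a backslash."""
    parts, cur, i = [], [], 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):   # keep "\," and friends intact
            cur.append(text[i:i + 2])
            i += 2
            continue
        if ch == sep:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    parts.append("".join(cur))
    return parts


def check_dn(dn):
    """Return a list of problems with a DN; an empty list means it parses."""
    problems = []
    if dn.strip() == "":
        return problems                         # the empty DN is legal (root DSE)
    for rdn in split_unescaped(dn, ","):
        for ava in split_unescaped(rdn, "+"):   # multi-valued RDNs use '+'
            if "=" not in ava:
                problems.append("RDN %r has no '='" % ava)
                continue
            attr, value = ava.split("=", 1)
            if not _ATTR_TYPE.match(attr.strip()):
                problems.append("bad attribute type in %r" % ava)
            if value.strip() == "":
                problems.append("empty value in %r" % ava)
    return problems


def check_filter(flt):
    """Return a list of problems with a filter string (balance and shape)."""
    problems = []
    if not flt.startswith("("):
        problems.append("filter must start with '('")
    depth = 0
    for pos, ch in enumerate(flt):
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                problems.append("unmatched ')' at offset %d" % pos)
                depth = 0                       # keep scanning for more
    if depth > 0:
        problems.append("%d '(' never closed" % depth)
    if ") (" in flt:
        # RFC 4515 allows no whitespace between the items of an AND/OR list
        problems.append("whitespace between filter items")
    return problems


if __name__ == "__main__":
    print("base DN:", check_dn(POSTED_BASE_DN) or "ok")
    print("filter: ", check_filter(POSTED_FILTER) or "ok")
```

If the base DN passes and the filter is fixed but the error persists, the DN the tool actually sends is usually the bind DN or a DN it builds from the login, so the next thing to check is the tool's bind settings rather than the filter.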

Related

LDAP attribute issues connecting Ellucian's Ethos wso2 version 5.10.0 to Active Directory

New to WSO2, so be gentle. I'm building an instance of Ellucian's Ethos wso2 identity server (version 5.10.0), and when I point it to Active Directory the Tomcat server does start and I can log in as the admin user I created in Active Directory for Ethos, but when I run "wso2server.bat -Dsetup" I see errors like the following in the wso2carbon.log file and I want to know if I should be worried.
ERROR {org.wso2.carbon.identity.scim.common.internal.SCIMCommonComponent} - Error occurred while setting SCIM attributes for the Admin org.wso2.carbon.user.core.UserStoreException: Error in adding SCIM metadata to the admin in tenant domain: carbon.super
[LDAP: error code 16 - 00000057: LdapErr: DSID-0C090D77, comment: Error in attribute conversion operation, data 0, v2580 ]; remaining name 'CN=ouruser,OU=OurContainer'
ERROR {org.wso2.carbon.identity.scim2.common.utils.AdminAttributeUtil} - Error occurred while updating the admin user's attributes in Tenant ID : -1234, Error : One or more attributes you are trying to add/update are not supported by underlying LDAP for user : ouruser org.wso2.carbon.user.core.UserStoreException: One or more attributes you are trying to add/update are not supported by underlying LDAP for user : ouruser
I intend for AD to be treated as a read-only LDAP database so I have "eis.admin.create.user" set to false in the eis_config.properties file and the Ethos admin user I created in AD does not have AD admin privileges. AD is only being used for authentication and for pulling attributes and releasing them to service providers. Could it be trying to write attributes to the Ethos admin user I created in AD?
Or is it an attribute mapping issue (mapping AD attributes back into Ethos)? I noticed the following mappings section in the eis_config.properties file:
eis.add.claim.logonname=sAMAccountName
eis.add.claim.upn=userPrincipalName
eis.add.claim.objectguid=objectGUID
eis.add.claim.udcid=udcid
eis.add.claim.personid=employeeNumber
eis.add.claim.challenge.question.uris=
eis.add.claim.challenge.question.1=
eis.add.claim.challenge.question.2=
eis.add.claim.resource.type=pager
And I know for a fact that attributes like "udcid" are specific to Ellucian products and are not LDAP attributes in AD, so I set it to "cn". And for the attribute mappings above that are blank, I mapped them to real AD attributes to see if I could get rid of the errors, but they remain.
Any thoughts?
Have you tried eis.add.claim.employeeType=memberOf in your eis_config.properties file?
And are the AD values correct for:
eis.admin.role.name=,
eis.admin.username=,
eis.userstore.ConnectionURL=,
eis.userstore.ConnectionName=,
eis.userstore.ConnectionPassword=,
eis.userstore.UserSearchBase=,
eis.userstore.UserNameAttribute=,
eis.userstore.GroupSearchBase=,
eis.userstore.SharedGroupSearchBase=,
eis.userstore.defaultRealmName=,
along with the user-mgt.xml settings?

Login to Vault using LDAP - Operation Failed

I am trying to configure authentication based on LDAP with Vault; however, when trying to log in, I am getting Status 400 with "ldap operation failed".
vault write auth/ldap/config url="ldap://192.165.165.68:10389" userdn="ou=users,ou=system,dc=myorg,dc=com" binddn="uid=admin,ou=system,dc=myorg,dc=com" bindpass="secret" userattr="uid" insecure_tls=true starttls=false
When I try to log in, I get the following response:
[mftadmin@host01v amf]$ vault login -method=ldap username=user1
Password (will be hidden):
Error authenticating: Error making API request.
URL: PUT http://ldaphost:8200/v1/auth/ldap/login/user1
Code: 400. Errors:
ldap operation failed
Have you created this username previously?
vault write auth/ldap/users/user1 groups="group1"
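Whether or not a `users/user1` mapping exists, the login itself only succeeds if the three LDAP steps behind it succeed in order: bind as `binddn`, search `userdn` for `userattr=<username>`, then bind as the single entry found. The script below, added here as an example and not code from Vault or from the poster's environment, replays that sequence against a constructed in-memory directory so you can see which step fails for a given config. The directory entries, the user's password and the `userdn` that actually holds the user are invented; the bind settings are the posted ones, and the failure strings are this script's, not Vault's.

```python
"""Replay the bind / search / bind sequence that Vault's LDAP auth method
performs on login, against a constructed in-memory directory, to see
which step fails for a given config.

Added example for the thread above; not Vault code and not the poster's
environment. The directory entries, the user's password and the userdn
that holds the user are invented. The step order (bind as binddn, search
userdn for userattr=<username>, bind as the entry found) follows the
documented behaviour; the failure strings are this script's, not Vault's."""

# constructed directory: DN -> attributes (passwords are plaintext here only
# because this is a simulation, never store them like this)
DIRECTORY = {
    "uid=admin,ou=system,dc=myorg,dc=com": {"uid": "admin", "userPassword": "secret"},
    "uid=user1,ou=users,dc=myorg,dc=com": {"uid": "user1", "userPassword": "hunter2"},
}

# bind settings as posted; userdn here is where the invented user actually lives
CONFIG = {
    "binddn": "uid=admin,ou=system,dc=myorg,dc=com",
    "bindpass": "secret",
    "userdn": "ou=users,dc=myorg,dc=com",
    "userattr": "uid",
}
POSTED_USERDN = "ou=users,ou=system,dc=myorg,dc=com"   # the userdn from the post


def bind(dn, password):
    """Simple bind: succeed only if the entry exists and the password matches."""
    entry = DIRECTORY.get(dn)
    return entry is not None and entry.get("userPassword") == password


def search(base, attr, value):
    """Subtree search below base for entries whose attr equals value."""
    suffix = "," + base.lower()
    return [dn for dn, e in DIRECTORY.items()
            if dn.lower().endswith(suffix) and e.get(attr) == value]


def ldap_login(config, username, password):
    """Return (ok, detail); detail names the failing step or the bound DN."""
    if not bind(config["binddn"], config["bindpass"]):
        return False, "service bind failed (check binddn/bindpass)"
    hits = search(config["userdn"], config["userattr"], username)
    if len(hits) != 1:
        return False, "user search under %s returned %d entries" % (config["userdn"], len(hits))
    if not bind(hits[0], password):
        return False, "user bind failed (wrong password for %s)" % hits[0]
    return True, hits[0]


if __name__ == "__main__":
    print(ldap_login(CONFIG, "user1", "hunter2"))
    print(ldap_login(dict(CONFIG, userdn=POSTED_USERDN), "user1", "hunter2"))
```

Against a real server the same three steps can be reproduced with `ldapsearch -D <binddn> -W -b <userdn> "(uid=user1)"` followed by a bind as the returned DN; if the search returns nothing, Vault's config is pointing at the wrong subtree, not at a wrong password.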

Tuleap ldap query no such object odd query text

I've integrated Tuleap LDAP and successfully connected with user/password, but when I try to search a user (during log-in), I get a line in the Tuleap log:
[warning] LDAP search error: sAMAccountName=[what i type in tuleap login screen] [string from ldap server field] ***ERROR:No such object ***ERROR no:32
It looks like the front login page forwards my DC server name to the LDAP query filter?
I did try to do the ldapsearch directly from the shell and it works flawlessly.
It is really odd: if I add more DC servers separated by commas, then I get all of them in the log
[warning] LDAP search error: sAMAccountName=[what i type in tuleap login screen] dc1,dc2,dc3 ***ERROR:No such object ***ERROR no:32
Why does it forward my dc name to the ldap query?
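The logged filter shows the login name being pasted into `sAMAccountName=...` together with another configuration string, which is exactly the pattern where untrusted input needs RFC 4515 escaping: anything the user types containing `*`, `(`, `)` or `\` would otherwise change the query. The script below is an added example, not Tuleap's code, and it does not explain why Tuleap appends the server field; it shows how to assemble the login filter from a typed name safely and what plain concatenation produces instead. The attribute name and the sample inputs are this example's own choices.

```python
"""Build an LDAP login search filter from untrusted input with RFC 4515
escaping, and show what plain string concatenation produces instead.

Added example for the Tuleap thread above; not Tuleap's code. The
escaping table follows RFC 4515 section 3; the attribute name and the
sample inputs are this script's own."""

# characters that must be escaped inside an assertion value (RFC 4515 sec. 3)
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    """Escape one assertion value; non-ASCII becomes escaped UTF-8 octets."""
    out = []
    for ch in value:
        if ch in _ESCAPES:
            out.append(_ESCAPES[ch])
        elif ord(ch) > 127:
            out.append("".join(r"\%02x" % b for b in ch.encode("utf-8")))
        else:
            out.append(ch)
    return "".join(out)


def login_filter(attr, login, extra=None):
    """Equality filter for one login, ANDed with an optional fixed clause.

    The fixed clause (e.g. an objectClass restriction) is administrator-
    written and is used verbatim; the login is the untrusted part and is
    escaped."""
    eq = "(%s=%s)" % (attr, escape_filter_value(login))
    return "(&%s%s)" % (extra, eq) if extra else eq


def naive_filter(attr, login):
    """What concatenating the raw login produces; kept only for contrast."""
    return "(%s=%s)" % (attr, login)


if __name__ == "__main__":
    hostile = "*)(objectClass=*"
    print("escaped:", login_filter("sAMAccountName", hostile, "(objectCategory=person)"))
    print("naive:  ", naive_filter("sAMAccountName", hostile))
```

With escaping, the hostile input stays a literal value that matches no account; without it, the login name has rewritten the filter structure. Whatever Tuleap is appending after the name, the login value itself should go through a function like `escape_filter_value` before it reaches the filter string.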

keystone fails to authenticate any service on openstack

Not able to run any command that requires authentication from keystone, including logging in horizon. Every command fails with below error:
keystone user-list
Authorization Failed: An unexpected error prevented the server from fulfilling your request. (OperationalError) (1045, "Access denied for user 'keystone_admin'@'controllerip' (using password: YES)") None None (HTTP 500)
Please look into the keystone log first and see what issue caused the HTTP 500.
Your keystone database credentials (user keystone_admin) may be wrong. Try changing them to the actual database credentials in the /etc/keystone/keystone.conf file:
[sql]
connection = mysql://<username>:<password>@<ip>/keystone

Gitlab login LDAP user without e-mail

In my organization, some users don't have an e-mail address. In the e-mail field in Active Directory, they have a fake (malformed) e-mail address, something like "user.name@xx".
When these users try to login into Gitlab, they get the following error:
'Could not authorize you from LDAP because "Validation failed: email is invalid, email is invalid".'
Is there any configuration to ignore e-mail address checking with LDAP?
Issue 6230 has been tracking this:
The mail validation on user model is performed by validation here: app/models/user.rb.
I think you can configure your own regexp here: config/initializers/devise.rb.
However, the official statement is:
Disabling validation is not something that will be done on GitLab side. This can lead to inconsistencies in the database and could cause a plethora of issues.
I suggest you :
either fix your LDAP
or have allow_username_or_email_login setting enabled: https://github.com/gitlabhq/gitlabhq/blob/master/config/gitlab.yml.example#L130
This issue is a support question, so I will point you to the contributing guide and close it.
Not directly with GitLab itself, because that error message is the result of an omniauth callback: see config/locales/devise.en.yml:
omniauth_callbacks:
success: 'Successfully authorized from %{kind} account.'
failure: 'Could not authorize you from %{kind} because "%{reason}".'
Yet, Rodrigo Carvalho reports in the comments:
I actually discovered this is a Gitlab behaviour.
I changed the "/lib/gitlab/oauth/user.rb" (Gitlab code) to append a ".com" in the end of the invalid email address and it worked.
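Of the two routes the maintainers offer, "fix your LDAP" is the one that does not leave users with a patched GitLab to maintain, and it helps to know in advance which accounts will be rejected. The script below is an added example, not GitLab or Devise code: it reads an LDIF export of the user container and reports entries whose `mail` value a strict validator would refuse. The LDIF is constructed, and the syntax rule is an assumption (one `@` and a dotted domain), which is roughly what a value like `user.name@xx` fails; GitLab's own check may differ in detail.

```python
"""Audit the mail attribute of LDAP user entries before pointing GitLab at
the directory, so values a strict e-mail validator would reject are found
in the directory rather than at login time.

Added example for the GitLab thread above; not GitLab or Devise code.
The LDIF below is constructed, and the syntax rule is an assumption: it
requires one '@' and a dotted domain, roughly what "user.name@xx" fails."""
import base64
import re

# constructed export of four accounts, including a base64-encoded value
SAMPLE_LDIF = """\
dn: CN=Jane Doe,OU=Staff,DC=example,DC=org
sAMAccountName: jdoe
mail: jane.doe@example.org

dn: CN=No Mail,OU=Staff,DC=example,DC=org
sAMAccountName: nomail
mail: no.mail@xx

dn: CN=Base64 Mail,OU=Staff,DC=example,DC=org
sAMAccountName: b64
mail:: YjY0QGV4YW1wbGUub3Jn

dn: CN=Empty,OU=Staff,DC=example,DC=org
sAMAccountName: empty
"""

# assumed rule, not GitLab's: local part, one '@', at least one dot in the domain
MAIL_OK = re.compile(r"^[^@\s]+@[^@\s.]+(\.[^@\s.]+)+$")


def parse_ldif(text):
    """Minimal LDIF reader: entries separated by blank lines, '::' marks a
    base64 value, lines starting with a space continue the previous line.
    Returns a list of (dn, {attr: [values]})."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]            # unfold continuation line
        else:
            lines.append(raw)
    entries, attrs, dn = [], {}, None
    for line in lines + [""]:               # trailing "" flushes the last entry
        if line == "":
            if dn is not None:
                entries.append((dn, attrs))
            dn, attrs = None, {}
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        if name == "dn":
            dn = value
        else:
            attrs.setdefault(name, []).append(value)
    return entries


def audit_mail(ldif_text):
    """Return {sAMAccountName: reason} for entries a strict validator rejects."""
    bad = {}
    for dn, attrs in parse_ldif(ldif_text):
        uid = attrs.get("sAMAccountName", [dn])[0]
        mails = attrs.get("mail", [])
        if not mails:
            bad[uid] = "no mail attribute"
        elif not MAIL_OK.match(mails[0]):
            bad[uid] = "malformed mail %r" % mails[0]
    return bad


if __name__ == "__main__":
    for uid, reason in sorted(audit_mail(SAMPLE_LDIF).items()):
        print("%-10s %s" % (uid, reason))
```

Run it over `ldapsearch -LLL -b <user container> "(objectClass=user)" sAMAccountName mail` output; every account it lists will produce the "email is invalid" message at GitLab login until its directory entry is corrected.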