I'm having a problem getting LDAP authentication to work. Looking at the logs it seems to bind ok, but when i try to login it doesn't look like its hitting ldap at all and i get authentication failed.
In the logs I see:
2017.03.28 17:17:46 INFO web[org.sonar.INFO] Security realm: LDAP
2017.03.28 17:17:46 INFO web[o.s.p.l.LdapSettingsManager] User mapping: LdapUserMapping{baseDn=ou=people,o=intra,dc=sears,dc=com, request=(&(objectClass=*searsorgperson)(uid={0})), realNameAttribute=cn, emailAttribute=mail}
2017.03.28 17:17:46 INFO web[o.s.p.l.LdapSettingsManager] Groups will not be synchronized, because property 'ldap.group.baseDn' is empty.
2017.03.28 17:17:46 DEBUG web[o.s.p.l.LdapContextFactory] Initializing LDAP context {java.naming.provider.url=ldap://trprdirqr3.intra.searshc.com:389/ou=people,o=intra,dc=sears,dc=com, java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory, com.sun.jndi.ldap.connect.pool=true, java.naming.security.authentication=simple, java.naming.referral=follow}
2017.03.28 17:17:46 INFO web[o.s.p.l.LdapContextFactory] Test LDAP connection on ldap://trprdirqr3.intra.searshc.com:389/ou=people,o=intra,dc=sears,dc=com: OK
2017.03.28 17:17:46 INFO web[org.sonar.INFO] Security realm started
My config has the following:
# General Configuration
sonar.security.realm=LDAP
sonar.authenticator.createUsers=true
sonar.authenticator.class: org.sonar.plugins.ldap.LdapAuthenticator
sonar.security.savePassword=true
sonar.security.updateUserAttributes=true
ldap.url=ldap://trprdirqr3.intra.searshc.com:389/ou=people,o=intra,dc=sears,dc=com
# User Configuration
ldap.user.baseDn=ou=people,o=intra,dc=sears,dc=com
ldap.user.request=(&(objectClass=*searsorgperson)(uid={login}))
ldap.user.realNameAttribute=cn
ldap.user.emailAttribute=mail
According to my LDAP admin, it does an anonumous check when it first comes up, but nothing is else done after that. So for some reason it doesn't seem to be hitting the LDAP server when i login. I don't have any local IDs setup besides admin.
You have not configured an authenticated user to do the search.
That is, the first test, anonymous bind tests the connectivity. But to search for the users DN, you need more than anonymous permissions. Then once the DN is found, bind as the logging in user. But first you need to provide the LDAP DN of the user who is the proxy that can search and its password.
Also you have an asterisk (wildcard) in your objectlass search filter:
ldap.user.request=(&(objectClass=*searsorgperson)(uid={login}))
Or is that formatting symbol? I am not sure ObjectClass can usually be searched that way).
Related
sonar.security.realm=LDAP
ldap.url=ldap://ldap-company.com
ldap.bindDn=CN=xxxxx,OU=Restricted,OU=xxxx,DC=company,DC=com
ldap.bindPassword=none
# User Configuration
ldap.user.baseDn=ou=Users,dc=mycompany,dc=com
ldap.user.request=(&(objectClass=inetOrgPerson)(uid={login}))
ldap.user.realNameAttribute=cn
ldap.user.emailAttribute=mail
# Group Configuration
ldap.group.baseDn=OU=Groups,OU=companyname,DC=comapany,DC=com
ldap.group.request=(&(objectClass=posixGroup)(memberUid={uid}))
These are my configurations----sonarqube version-6.2
Database-Embedded
Do you guys have any idea how to integrate LDAP with Sonarqube. I tried different ways but couldn't get succeeded. this I my configuration for sonar.properties
I got an error 2017.03.15 15:57:25 ERROR web[AVrTij8L9uoXNT8qAAAK][o.s.s.a.RealmAuthenticator] Error during authentication
org.sonar.plugins.ldap.LdapException: Unable to retrieve details for user xxx in <default> and also Caused by: javax.naming.NamingException: [LDAP: error code 1 - 000004DC: LdapErr: DSID-0C090752, comment: In order to perform this operation a successful bind must be completed on the connection., dat
2017.03.15 15:55:05 INFO web[][o.s.s.a.EmbeddedTomcat] HTTP connector enabled on port 9000
2017.03.15 15:55:49 ERROR web[AVrTij8L9uoXNT8qAAAJ][o.s.s.a.RealmAuthenticator] Error during authentication
org.sonar.plugins.ldap.LdapException: Unable to retrieve details for user xxxxx in <default>
at org.sonar.plugins.ldap.LdapUsersProvider.getUserDetails(LdapUsersProvider.java:84)
at org.sonar.plugins.ldap.LdapUsersProvider.doGetUserDetails(LdapUsersProvider.java:58)
at org.sonar.server.authentication.RealmAuthenticator.doAuthenticate(RealmAuthenticator.java:89)
at org.sonar.server.authentication.RealmAuthenticator.authenticate(RealmAuthenticator.java:83)
at org.sonar.server.authentication.CredentialsAuthenticator.authenticate(CredentialsAuthenticator.java:56)
at org.sonar.server.authentication.CredentialsAuthenticator.authenticate(CredentialsAuthenticator.java:45)
at org.sonar.server.authentication.ws.LoginAction.authenticate(LoginAction.java:91)
This is my web.log
2017.03.16 13:10:09 INFO web[][o.s.s.p.UpdateCenterClient] Update center: https://update.sonarsource.org/update-center.properties (no proxy)
2017.03.16 13:10:09 INFO web[][org.sonar.INFO] Security realm: LDAP
2017.03.16 13:10:09 INFO web[][o.s.p.l.LdapSettingsManager] User mapping: LdapUserMapping{baseDn=DC=company,DC=com, request=(&(objectClass=inetOrgPerson)(uid={0})), realNameAttribute=cn, emailAttribut
e=mail}
2017.03.16 13:10:09 INFO web[][o.s.p.l.LdapSettingsManager] Group mapping: LdapGroupMapping{baseDn=OU=Groups,OU=comapny,Dc=company,DC=com, idAttribute=cn, requiredUserAttributes=[uid], request=(&(objectC
lass=posixGroup)(memberUid={0}))}
2017.03.16 13:10:09 INFO web[][o.s.p.l.LdapContextFactory] Test LDAP connection: FAIL
2017.03.16 13:10:09 INFO web[][o.s.s.p.d.EmbeddedDatabase] Embedded database stopped
2017.03.16 13:10:09 ERROR web[][o.a.c.c.C.[.[.[/]] Exception sending context initialized event to listener instance of class org.sonar.server.platform.web.PlatformServletContextListener
org.sonar.plugins.ldap.LdapException: Unable to open LDAP connection
at org.sonar.plugins.ldap.LdapContextFactory.testConnection(LdapContextFactory.java:206)
at org.sonar.plugins.ldap.LdapRealm.init(LdapRealm.java:63)
at org.sonar.server.user.SecurityRealmFactory.start(SecurityRealmFactory.java:84)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.picocontainer.lifecycle.ReflectionLifecycleStrategy.invokeMethod(ReflectionLifecycleStrategy.java:110)
Your bind is failing. You need to test with an external LDAP tool like Apache Directory Studio tool, or Softerra's LDAP Browser.
It could be a firewall issue from your server to the LDAP server. It could be the password is incorrect. It does look like your Sonar server is able to talk to the LDAP server (Which looks like Active Directory) since you get an AD style error message about needing to bind before searching.
If you can get the error on the bind failing it will return an error code 49 with a subcode that is of interest. 525, 52e, 777 or the like that refer to different reasons Active Directory will not let you connect.
Note: Your password is 'none' which is hard to tell if that is you trying to hide the password, or an actual literal password.
I'm working on LDAP authentication support for Sonar. Users can authenticate using Blank password (No password) Or Correct password. If a wrong password entered, authentication fails.
Sonar should not allow any login with a blank password even when this authentication depends on an external system like LDAP, could you help me to find a solution for this problem
Stacktrace in sonar.log:
`2015.04.27 18:39:19 DEBUG o.s.p.l.LdapUsersProvider User admin not found
2015.04.27 18:39:19 DEBUG User admin not found
2015.04.27 18:39:19 DEBUG o.s.p.l.LdapUsersProvider Requesting details for user admin
2015.04.27 18:39:19 DEBUG o.s.p.l.LdapSearch Search: LdapSearch{baseDn=DC=mycompany,DC=mycompany,DC=com, scope=subtree, request=(&(objectClass=user)(memberof=CN=gpfrcip-java,OU=IDC,OU=DSI,OU=DDA - France,OU=Access groups,OU=Groups,OU=Resources,DC=mycompany,DC=mycompany,DC=com)(SAMAccountName={0})), parameters=[admin], attributes=[mail, cn]}
2015.04.27 18:39:19 DEBUG o.s.p.l.LdapContextFactory Initializing LDAP context {java.naming.provider.url= myURL, java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory, java.naming.security.principal=, com.sun.jndi.ldap.connect.pool=true, java.naming.security.authentication=simple, java.naming.referral=follow}
2015.04.27 18:39:19 DEBUG Requesting details for user admin
2015.04.27 18:39:19 DEBUG Search: LdapSearch{baseDn=DC=mycompany,DC=mycompany,DC=com, scope=subtree, request=(&(objectClass=user)(memberof=CN=gpfrcip-java,OU=IDC,OU=DSI,OU=DDA - France,OU=Access groups,OU=Groups,OU=Resources,DC=mycompany,DC=mycompany,DC=com)(SAMAccountName={0})), parameters=[admin], attributes=[mail, cn]}
2015.04.27 18:39:19 DEBUG Initializing LDAP context {java.naming.provider.url= myURL, java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory, java.naming.security.principal=, com.sun.jndi.ldap.connect.pool=true, java.naming.security.authentication=simple, java.naming.referral=follow}
`
LDAP Configuration for sonar-ldap-plugin-1.2 :
sonar.security.realm: LDAP
sonar.authenticator.createUsers: false
ldap.url: myURL
ldap.user.baseDn: DC=mycompany,DC=mycompany,DC=com
ldap.bindDn:
ldap.bindPassword:
ldap.user.request: (&(objectClass=user)(memberof=CN=gpfrcip- java,OU=IDC,OU=DSI,OU=DDA - France,OU=Access groups,OU=Groups,OU=Resources,DC=mycompany,DC=mycompany,DC=com)(SAMAccountName={0}))
`
Any feedback will be highly appreciated.
Thanks in advance for your feedbacks.
Regards
Youssef ALAMI
I found the solution of this problem, i changed the version of the plugin LDAP to sonar-ldap-plugin-1.4 and the authentication was worked correctly.
I've downloaded EMM 1.1.0 and configured a vm with all the pre-requites to run it.
Since I"m working from the local machines and the VM is a ubuntu server setup I have renamed all of the localhost in the config file to reflect the proper domain name so it can reach.
When I point my browser to https://mydomain.com:9443 I am able to login to carbon and change usernames
However when I goto https://mydomain.com:9443/emm/ it asks me to login again... when I do I get the following errors:
500: Something has gone wrong (very helpful!)
On the console/log file I capture the following:
[2014-06-24 10:06:34,041] INFO {org.wso2.carbon.core.services.util.CarbonAuthenticationUtil} - 'admin#carbon.super [-1234]' logged in at [2014-06-24 10:06:34,041+0800]
[2014-06-24 10:06:34,321] INFO {JAGGERY.modules.common:js} - New connection was taken
[2014-06-24 10:06:34,618] WARN {org.wso2.carbon.core.services.util.CarbonAuthenticationUtil} - Failed Administrator login attempt 'admin[-1234]' at [2014-06-24 10:06:34,618+0800]
[2014-06-24 10:06:34,630] ERROR {org.wso2.carbon.apimgt.hostobjects.APIProviderHostObject} - Login failed! Please recheck the username and password and try again..
[2014-06-24 10:06:35,154] WARN {org.wso2.carbon.core.services.util.CarbonAuthenticationUtil} - Failed Administrator login attempt 'admin[-1234]' at [2014-06-24 10:06:35,154+0800]
[2014-06-24 10:06:35,156] ERROR {org.wso2.carbon.apimgt.hostobjects.APIStoreHostObject} - Login failed! Please recheck the username and password and try again.
[2014-06-24 10:06:35,326] ERROR {org.jaggeryjs.jaggery.core.manager.WebAppManager} - org.mozilla.javascript.EcmaError: TypeError: Cannot read property "prodConsumerKey" from undefined (/emm/modules/startup.js#59)
org.jaggeryjs.scriptengine.exceptions.ScriptException: org.mozilla.javascript.EcmaError: TypeError: Cannot read property "prodConsumerKey" from undefined (/emm/modules/startup.js#59)
at org.jaggeryjs.scriptengine.engine.RhinoEngine.execScript(RhinoEngine.java:571)
at org.jaggeryjs.scriptengine.engine.RhinoEngine.exec(RhinoEngine.java:273)
at org.jaggeryjs.jaggery.core.manager.WebAppManager.execute(WebAppManager.java:447)
at org.jaggeryjs.jaggery.core.JaggeryServlet.doPost(JaggeryServlet.java:29)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:755)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:848)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:305)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:749)
... many many more
Can someone please point me in the right direction?
If the admin password is changed, you have to modify the api-manager config file.
A good practice should be create new user for the api-manager
This miss-configuration also causes blank page after EMM authentication in multi-tenancy.
/repository/conf/api-manager.xml
<!--
Authentication manager configuration for API publisher and API store. This is
a required configuration for both web applications as their user authentication
logic relies on this.
-->
<AuthManager>
<!--
Server URL of the Authentication service
-->
<ServerURL>https://${carbon.local.ip}:${mgt.transport.https.port}/services/</ServerURL>
<!--
Admin username for the Authentication manager.
-->
<Username>apiuser</Username>
<!--
Admin password for the Authentication manager.
-->
<Password>StrongPassword</Password>
</AuthManager>
If you have changed username and password of the admin you will have to change that in config.json file found in wso2emm-1.1.0\repository\deployment\server\jaggeryapps\emm\config. Just update the username and password in apiManagerConfigurations section and restart the EMM server.
There is a public JIRA regarding this[1].
The workaround is
You have to set admin username and password to admin and admin when first login to EMM.
If you have changed the password of admin please set the password to admin.
You can use chpasswd.sh/chpasswd.bin file in the bin folder to change the password.
Eg:
./chpasswd.sh --db-url "jdbc:h2:/repository/database/WSO2CARBON_DB" --db-username wso2carbon -db-password wso2carbon --username admin --new-password admin
Once you login to EMM first time, please use above command to change the password again
[1]. https://wso2.org/jira/browse/EMM-704
I used mysql as my DB: Documentation tell you to place the connector file in ${CARBON_HOME}/repository/components/lib.
Running
${CARBON_HOME}/bin/./chpasswd.sh --db-url jdbc:mysql://ip:3306/wso2emm_db --db-username user_db --db-password pass --username admin --new-password admin
I got this error:
java.sql.SQLException: No suitable driver found for jdbc:mysql://
Copying the connector file to ${CARBON_HOME}/repository/lib solved my issue.
I am making some application in rails in which user needs to be log-in first to see the content. I used devise and ldap_devise_authenticatable to make user log-in through existing LDAP account.
However, when I tried to log in with my account into my application then log-in failure occurs(401 error unauthorized) even though I already have account on ldap.
I am following this tutorial
And following is the screenshot of my ldap server page:
I know the problem is in my ldap configuration file. How can i configure it properly so that my application send correct string to ldap server like in above screenshot
Code of my ldap.yml is as follows:
authorizations: &AUTHORIZATIONS
group_base: ou=groups,dc=test,dc=com
required_groups:
- cn=admins,ou=groups,dc=test,dc=com
- cn=users,ou=groups,dc=test,dc=com
- ["moreMembers", "cn=users,ou=groups,dc=test,dc=com"]
require_attribute:
objectClass: inetOrgPerson
authorizationRole: postsAdmin
## Environment
development:
host: 172.16.100.6
port: 389
attribute: cn
base: ou=People,dc=iitj,dc=ac,dc=in
#admin_user: cn=admin,dc=test,dc=com
#admin_password: admin_password
ssl: false
Have you tried setting attribute: sAMAccountName?
Also you need to set admin_ser and admin_password to match the credentials of the account you have in LDAP.
I have set up an ldap authentication using the following configuration. I just need to user to authenticate to the LDAP data store, then have their session get an authentication token. From reading the docs, this is what I am thinking is supposed to happen:
Authenticate as the manager, find the users full dn based on search criteria
Attempt to bind as the user (using their full dn) and the provided password
The logs dont seem to give enough information as to why this is failing. It just says invalid credentials - when I know they are valid. My thoughts are one of the following is happening:
The users full DN is not being found, and they are just being authenticated with the username
It is trying to do a password compare, vs actually trying to bind to the directory
Configuration:
<ldap-server
url="ldap://adapps.company.com:389/dc=company,dc=com"
manager-dn="cn=fulluserdn,dc=company,dc=com"
manager-password="password"/>
<ldap-user-service user-search-base="" user-search-filter="(samaccountname={0})"/>
<authentication-manager>
<ldap-authentication-provider user-search-filter="(samaccountname={0})" user-search-base="dc=company,dc=com"/>
</authentication-manager>
Error logs:
[DEBUG,FilterBasedLdapUserSearch] Searching for user 'test', with user search [ searchFilter: '(samaccountname={0})', searchBase: 'dc=company,dc=com', scope: subtree, searchTimeLimit: 0, derefLinkFlag: false ]
[DEBUG,AbstractContextSource] Got Ldap context on server 'ldap://adapps.company.com:389/dc=company,dc=com'
[INFO,SpringSecurityLdapTemplate] Ignoring PartialResultException
[DEBUG,XmlWebApplicationContext] Publishing event in Root WebApplicationContext: org.springframework.security.authentication.event.AuthenticationFailureBadCredentialsEvent[source=org.springframework.security.authentication.UsernamePasswordAuthenticationToken#488b5f0b: Principal: test; Password: [PROTECTED]; Authenticated: false; Details: org.springframework.security.web.authentication.WebAuthenticationDetails#fffd148a: RemoteIpAddress: 127.0.0.1; SessionId: 0718B7EED3F930C63C03DA97C4344CBD; Not granted any authorities]
[DEBUG,UsernamePasswordAuthenticationFilter] Authentication request failed: org.springframework.security.authentication.BadCredentialsException: Bad credentials
[DEBUG,UsernamePasswordAuthenticationFilter] Updated SecurityContextHolder to contain null Authentication
[DEBUG,UsernamePasswordAuthenticationFilter] Delegating to authentication failure handlerorg.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler#395158
[DEBUG,TokenBasedRememberMeServices] Interactive login attempt was unsuccessful.
[DEBUG,TokenBasedRememberMeServices] Cancelling cookie
The problem was teat the LDAP server was running on a different port, but the normal port was still open.