Connect OpenAM with multiple LDAP servers - ldap

I have installed OpenAM on my Ubuntu machine and installed LDAP.
I was able to authenticate with the Datastore (default: embedded) credentials, but couldn't connect to the LDAP server.
My issues are:
1. When I add authentication chains with multiple (3) LDAP servers and Datastore, which is the default for 'Top Level Realm', I need to submit the form 4 (3 LDAP + 1 Datastore) times to authenticate (I added Datastore as the 4th and the first 3 were my LDAP servers).
2. I have even tried multiple (3) possible configurations (uid, cn) for the same LDAP server; nothing authenticates from the external LDAP.
3. I added another realm and tried passing arguments (REALM=newName) to use the new realm, and it still authenticates from 'Top Level Realm'.
I am using dc=nodomain (verified) and cn=admin with the admin password to bind the user. OpenAM is accessed through http://localhost:8080/openam and LDAP through phpLDAPadmin installed at http://localhost:50389.
Please help!

Related

OpenAM + two LDAP servers

I'm a newbie in the LDAP + Liferay + OpenAM world, so I wonder if someone could point me in the right direction with a problem I have. In a real-life environment, there are 2 LDAP servers, an OpenAM server and a Liferay application. What the customer needs is to authenticate users in Liferay against OpenAM, and OpenAM should use the LDAP servers. The problem is that the user exists in only one of the LDAP servers (it will be moved from one to the other at some point in the future). What the customer wants is:
1. Users must be able to authenticate regardless of which LDAP server contains the user.
2. The obtained token must be valid for both LDAP servers, as it will be used in a different service (I have no control over it) against only one of them to validate authentication.
As I said, I'm new to this world so, if the answer is too complex (I'm afraid it will be for me), maybe you could point me to books or docs that could resolve this scenario.
Thanks
You should configure Liferay to use OpenAM for all authentications, and you can configure OpenAM to use both LDAP servers (use different realms).
Details for OpenAM configuration will be in the OpenAM documentation.
As the previous answer states, you should route all your authentication requests to the OpenAM server and let it validate the credentials against the right LDAP server. Using two different realms (one for each LDAP server) won't work in your case since that will require Liferay to know where to find the user beforehand. Also, sessions are linked to a specific realm.
There are multiple solutions to your problem. Here are just a couple:
Option 1
If you have control over the authentication flow, that is, if your application uses a custom UI and communicates with OpenAM via REST, you could create two different authentication module instances under a single realm (let's say two instances of the DataStore authentication module), each one pointing to a different LDAP server.
Let's call these module instances DataStore1 and DataStore2. Your application can collect the user credentials (username and password) and submit them to DataStore1. If authentication succeeds, the user is already logged in. If it fails, the application can try with DataStore2.
Of course this is not ideal since you'll be making two authentication requests per login instead of just one.
Option 2
A better option (though more complicated to implement) would be creating a custom authentication module. This module can try authenticating the user against LDAP Server 1 and then try with LDAP Server 2 if the first authentication failed. Notice that with this option you don't need custom logic on the application side since it will only send a single authentication request to the OpenAM server. In fact, you can protect your application with an OpenAM Policy Agent.
Another advantage of this approach over Option 1 is that you can migrate your users behind the scenes assuming that the end goal is to migrate users from LDAP Server 1 to LDAP Server 2. If the first authentication succeeds your custom code could read the user entry from LDAP Server 1 and copy it over to LDAP Server 2.
Hope this helps you solve the problem.
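The client-side fallback from Option 1, as an added example that is not code from the answer or from the OpenAM project. The base URL (taken from the first question on this page), the `/json/authenticate` endpoint with `authIndexType=module`, and the module names DataStore1 and DataStore2 are assumptions; `fake_post` is a constructed stand-in for OpenAM so the block runs offline.

```python
import json
import urllib.error
import urllib.request

# Assumptions: base URL from the question above, module names from the answer,
# and the OpenAM REST endpoint /json/authenticate (path varies by version).
OPENAM = "http://localhost:8080/openam"  # use https outside a local test
MODULES = ["DataStore1", "DataStore2"]


def http_post(url, headers):
    """POST an empty JSON body; return (status, parsed JSON body)."""
    req = urllib.request.Request(url, data=b"{}", headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as err:
        return err.code, {}


def authenticate(username, password, post=http_post, modules=MODULES):
    """Return (module, tokenId) from the first module that accepts, else None.

    Only HTTP 401 moves on to the next module. Any response other than a 200
    carrying a tokenId or a 401 raises, so an error talking to the first
    module is not treated as a wrong password.
    """
    headers = {
        "Content-Type": "application/json",
        "X-OpenAM-Username": username,
        "X-OpenAM-Password": password,
    }
    for module in modules:
        url = f"{OPENAM}/json/authenticate?authIndexType=module&authIndexValue={module}"
        status, body = post(url, headers)
        if status == 200 and body.get("tokenId"):
            return module, body["tokenId"]
        if status != 401:
            raise RuntimeError(f"{module}: unexpected HTTP {status}")
    return None


def fake_post(url, headers):
    """Constructed stand-in for OpenAM: 'alice' exists only behind DataStore2."""
    ok = url.endswith("DataStore2") and headers["X-OpenAM-Password"] == "s3cret"
    return (200, {"tokenId": "constructed-token"}) if ok else (401, {})


if __name__ == "__main__":
    print(authenticate("alice", "s3cret", post=fake_post))
```

Every login for a user who lives only in the second directory produces one failed attempt against the first, which matters if the first directory enforces account lockout on failed binds.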

Is it possible to store Zimbra users in an external LDAP server?

Our system is using an LDAP server (OUD) and we're bringing Zimbra to the system. However, Zimbra uses its default LDAP server (OpenLDAP). It is painful to have 2 LDAP servers which store the same user information.
Is there any way for Zimbra to store its users in an external LDAP server?
Many thanks
Nope, Zimbra needs its own internal LDAP server. The Zimbra LDAP server stores user accounts, Classes of Service, global settings and server configuration.
The best practice is to manage user accounts in an external LDAP server (OpenLDAP, Active Directory...) and then sync data between the external LDAP and Zimbra's internal LDAP. There are many scripts on the Internet you'll find to do that.
You can also configure "Delegated Auth": Zimbra will validate user auth against your external LDAP server and not the internal LDAP (unless you activate the fallback). The point is to manage user passwords in your external LDAP server, so users won't be confused.

MarkLogic LDAP - assigning an external name to a role not working

I am using MarkLogic version 8.04 on CentOS 6. I am trying to do external authentication/authorization using LDAP.
I've created an external security authentication object:
name: ldap-config-simple
authentication: ldap
authorization: ldap
ldap server url: ldap://<my server address>:389
ldap base: ou=<mycompany>,dc=<info>,dc=<my org>
ldap attribute: sAMAccountName
ldap default user: cn=<user id>,ou=xxxx,ou=yyyyy,dc=<info>,dc=<my org>
ldap bind method: simple
and associated it with an HTML App server (here are the pertinent settings):
authentication: basic
internal security: true
external security: ldap-config-simple
And I have associated an LDAP group to a role (here are the pertinent settings):
external name: cn=marklogic,ou=groups,dc=<info>,dc=<my org>
The problem is that authentication fails when I try to access the App server using my LDAP user. The log for the external LDAP server shows that the search string that MarkLogic sends looks like this:
(member=cn=marklogic,ou=groups,dc=<info>,dc=<my org>)
But the LDAP server is expecting the search to be:
(memberOf=cn=marklogic,ou=groups,dc=<info>,dc=<my org>)
The LDAP Server admin assures me that "memberOf" is the accepted standard for this type of query. We are using an OpenLDAP server - it is a pretty standard LDAP installation. Is there a way to have MarkLogic send "memberOf=" for the search rather than "member=" ?
Note that I was able to authenticate with my LDAP user ID through the App Server when I associated my user's DN in the LDAP server to a configured MarkLogic user. But I would prefer to use the Role based authentication since that puts the access controls in the LDAP server.
Any help appreciated.
Answering my own question. It is working now with the configuration above - although I didn't make any changes. MarkLogic support told me that a previous configuration may have been cached. In the process of debugging this I did a network packet trace to see exactly what MarkLogic was sending and it looks like it actually requests both the "memberOf" and "member" groups - I guess the LDAP admin only saw the latter in the logs.

CAS with LDAP vs LDAP only authentication

We have several custom-developed online applications as well as open source applications such as Koha, Moodle and Bugzilla.
We are attempting to integrate their authentication using a Single Sign-On service. So far we have tried JASIG CAS and this seems to solve most of our issues.
However we would also like to link the authentication to an LDAP compatible directory service.
My questions are:
1. Why do we need to use CAS with LDAP?
2. Can an LDAP-only service work? (all of our applications either directly support LDAP or can be modified to work with LDAP)
3. Assuming CAS is running on a MySQL database, can an LDAP-compatible system such as Active Directory contact the CAS server to log in?
1. With CAS, you centralize your security in one place, instead of having each application integrated with your LDAP.
2. Yes, it's generally more work and a lot less secure (see 1).
3. CAS relies on your LDAP for authentication. Applications connected to CAS benefit from SSO, but applications can directly authenticate users via your LDAP (without SSO).

External authentication via LDAP

I am doing external authentication using LDAP. I have to authenticate a user via LDAP and allow the user to access many app servers. I want to know how to map all the LDAP users (users in the LDAP server, for example ldap://company1.local:389) to users in the database. I have created an external configuration object and assigned it to a new HTTP server with application-level authentication. I don't want to store the LDAP user password in the database. Do I have to create all users (same as in Active Directory) in the database with some password and map them?
Yes, it's possible to configure ML to use external authentication via LDAP:
http://docs.marklogic.com/guide/security/external-auth