OpenAM / OpenDJ custom username field works with less than 4000 users - ldap

I am currently working on a project that uses OpenAM 12.0.2 with OpenDJ 2.6
We had a requirement to make the username editable. So, we ended up creating a custom ldap attribute called loginId and updating OpenAM config to use this attribute instead of uid.
When I import less than 4000 users, login works fine. When I import 4000+ users login doesn't work for any user, even 1 of the first 4000 users in the directory.
I can manually ldapsearch for the users and they exist in the directory, but I can't login with any of them.
We get an "Authorization failed!!" error, which is different to the usual username/password doesn't match error.
If anyone could shed any light on this, I would appreciate it.
Thanks
Edit
Here is the attribute definition I am now using.
attributeTypes: ( 1.3.6.1.4.1.37238.2.9 NAME 'loginId' DESC 'username (that can be updated)' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'project schema')
I have rebuilt the indices and still having the same problem :(

That is probably because your instance of OpenDJ is configured to reject unindexed search request and you haven't defined and built an index for the loginID attribute.

Related

How to enable Streamset Mutitenancy using LDAP Authentication

I am using Streamset Data Collector version 3.19.1, currently am trying to integrate Streamset with LDAP server for authentication, I am successful with the integration however we are facing difficulties in configuring the roles and groups like the way it is in File based.
i.e in file based you have three things to configure a)user b)role c) group
<user name>: MD5:<md5-text>, user, <role> [, <additional role>, <additional role>...] [, group:<group>, group:<additional group>...]
if you look at above syntax, there is user name which can be user defined, then there is user which is fixed value, then we have role it can be one of (Admin,Manager,Creator and guest) and last we have group which us again user defined this can be used for Multitenancy.
however now comparing to LDAP configuration provided by streamset we have only following attributes to configure.
<ldap group>:<SDC role>,<additional SDC role>,<additional SDC role>);<ldap group>:<SDC role>,<additional SDC role>...
from above syntax we can see can be configured which is user defined and SDC role which can be one of the following(Admin,Manager,Creator and guest) with this the configuration will look like
DEV:creator;OPS:manager;
how can I configure LDAP rule mapping for group and role, currently i can only map for role in LDAP, requesting anyone to help here, i tried all my best to resolve unfortunately couldnt find any solution.
You can use the same configuration for groups as well. Following from my environment.
http.authentication.ldap.role.mapping=operators:admin;
To get the groups ldap-login-conf needs to be configured like following:-
roleBaseDn="OU=operations,OU=test_groups,OU=groups,OU=sdc,DC=example,DC=COM"
roleNameAttribute="cn"
roleMemberAttribute="member"
roleObjectClass="group"
roleFilter="member={dn}";

Use sAMAcountName from ldap as username

I connected our active directory to keycloak (4.0.0.Beta1) and imported the users - this works fine.
But the username should be filled from sAMAccountName. So i changed the Username LDAP attribute to that.
But after clicking Synchronize all users i am getting this error in the console window:
8:20:13,372 ERROR [org.keycloak.storage.ldap.LDAPStorageProviderFactory] (default task-119) Failed during import user from LDAP: org.keycloak.models.ModelException: User returned from LDAP has null username! Check configuration of your LDA
mappings. Mapped username LDAP attribute: cn, user DN: CN=Mustermann Max,OU=Normung,OU=Mech,OU=Konstruktion,OU=Abteilungen,DC=company,DC=org, attributes from LDAP: {whenChanged=[2017037125253.0Z], whenCreated=[20140520092805.0
], mail=[Max.Mustermann#company.org], givenName=[Max], sn=[Mustermann], userAccountControl=[66048], pwdLastSet=[130750516258418527]}
at org.keycloak.storage.ldap.LDAPUtils.getUsername(LDAPUtils.java:113)
at org.keycloak.storage.ldap.LDAPStorageProviderFactory$3.run(LDAPStorageProviderFactory.java:521)
at org.keycloak.models.utils.KeycloakModelUtils.runJobInTransaction(KeycloakModelUtils.java:227)
at org.keycloak.storage.ldap.LDAPStorageProviderFactory.importLdapUsers(LDAPStorageProviderFactory.java:514)
at org.keycloak.storage.ldap.LDAPStorageProviderFactory.syncImpl(LDAPStorageProviderFactory.java:469)
at org.keycloak.storage.ldap.LDAPStorageProviderFactory.sync(LDAPStorageProviderFactory.java:407)
...
I tried some mappers (especially username) but with no luck. It seems that there are only a few attributes read from the ldap server (see attributes from LDAP:... in the output).
Namely: whenChanged, whenCreated, mail, givenName, sn, userAccountControl, pwdLastSet.
How can i get the sAMAcountName attribute as username?
I have just tested it in 4.1.0.Final and there it works when you change the Username LDAP attribute to sAMAccountName and additionally the
LDAP Attribute in the username mapper also to sAMAccountName.
I tried some mappers (especially username) but with no luck.
Your question suggest, that you already tried doing something in the username mappers. So you were definetly on the right track. Either there was a bug in your version, or the two fields didn't match correctly.
For me, it worked. Please find the below process:
1) In User Federation -> LDAP Provider -> There is a setting called "UserName LDAP Attribute". (as shown here ldap provider settings)
2) Select Mappers tab and edit "username" mapper and change to following settings: username mapper settings

LDAP simple bind parameters

I am trying to use ldap for a flask application .
The app.config['LDAP_PROVIDER_URL'] = 'ldaps://appauth.corp.domain.com:636'
(I have replaced the domain for the original name here)
In another script in need the following ldap details
conn.simple_bind_s(
'cn=%s,ou=Users,dc=corp,dc=domain,dc=com' % username,
password
)
How do I find the OU,or can i ignore OU and drop it from above. Please let me know if other parameters are correct. I don't know LDAP
The general idea is that you bind as an application account with search privileges to locate the user account, e.g. by his email address, displayName, etc., and then use that DN to rebind using the password he supplied.

LDAP Authentication failed: Invalid Credentials

In Gforge, when a new user tries to log in; the user is automatically registered by fetching data from LDAP. It works fine for other users but one particular user is not able to log in and gets the error LDAP Authentication failed: Invalid Credentials . I don't understand what could be the issue? Could you please help?
This is the search function I am using.
ldap_bind($ldap, $dn, $pw)
$dn = ldap_get_dn($ldap, $entry);
$entry = ldap_first_entry($ldap,$res);
$res=ldap_search($ldap, $sys_ldap_base,$sys_ldap_id_attribute . '=' . $id,
array());
If it works for some users but not for one specific user, then it's something to do with the LDAP configuration, or with the characters in that user's ID or pwd.
Is the failing user in a different org/OU? Do they have accent characters in their username or password? These things can cause compatibility issues between GForge and the LDAP server.
Does this user have a much longer user name than other users? There is a GForge config setting called "usernameregex" that governs the complexity and length of allowed user names. Even though LDAP logins result in automatic account creation, the validation of the user's unix name might fail due to the regex in place. The error noted above could certainly be the catch-all message when this happens.
The default setting is "^[a-z0-9_.-]{3,15}$". You can change the upper length limit by changing the 15 to something else. The unix_name field in the GForge database is TEXT, so it can be extremely long (1GB?).
In GForge 6.3.x and earlier, you can find that setting in /etc/gforge/gforge.conf. Change the value and then update the system using:
cd /opt/gforge/bin && php create_config_cache.php
In GForge 6.4 and later, you can use the gf-config utility to set the value. It will take effect right away:
/opt/gforge/bin/gf-config set "usernameregex" "new regex value"

SQL70527 error in database project

I have a database-project, created based on my existing database. It also added the scripts for creating users. One of those scripts is =>
CREATE USER [JOOS_NT\Indigo.Development] FOR LOGIN [JOOS_NT\Indigo.Dev.svc];
This script works fine on my database. But in my database-project this script is throwing an error when I build it. The error is:
"SQL70527: 'JOOS_NT\Indigo.Development' is not a valid name because it contains characters that are not valid."
It seems the "\" in the [JOOS_NT\Indigo.Development] is not allowed. However on the database itself I can run the query and it works fine. If I change it to [JOOS_NT/Indigo.Development] I don't get the error, but when comparing the scripts in the project to the existing database, it would drop the user ([JOOS_NT\Indigo.Development]) and replace it with ([JOOS_NT/Indigo.Development])
What am I missing?
Answering for someone who will look in the future.
On the database project, if a '\' character is included in the user name, the login should match the user name.
Because that, this don't work:
CREATE USER [JOOS_NT\Indigo.Development] FOR LOGIN [JOOS_NT\Indigo.Dev.svc];
But this will:
CREATE USER [JOOS_NT\Indigo.Development] FOR LOGIN [JOOS_NT\Indigo.Development];
Or
CREATE USER [JOOS_NT\Indigo.Dev.svc] FOR LOGIN [JOOS_NT\Indigo.Dev.svc];
I'm not sure if this is the expected behavior or a bug.
This is by design. The core issue is that in the "CREATE USER FOR LOGIN" based on a windows user login, if you are using a domain name for the user then this must match the login's domain name + login name. See this post on MSDN