AD login is not possible after upgrading from LDAP 1.4. In the TRACE log the following error message is logged:
DEBUG web[o.s.p.l.w.WindowsUsersProvider] Requesting details for user: xxxxxx
ERROR web[rails] Error from external users provider: exception Java::Com4j::ExecutionException: com4j.ComException: 8007203a Failed to MkParseDisplayName : The server is not operational. : .\com4j.cpp:217
Removing the LDAP settings from sonar.properties did not help. After downgrading to LDAP 1.4 everything works again. Did we miss some configuration setup?
LDAP plugin 1.5.1 with the fix for this issue (LDAP-49) is released and available for download from SonarQube's update center.
Refer to SonarQube LDAP plugin documentation page:
LDAP 1.5.1 – Dec 02, 2015 – Compatible with SonarQube 5.2+
Bug fixes for Active Directory environments
Please go through the new changes and try the below mentioned settings.
LDAP 1.5 plugin is using Waffle to support Windows Authentication and SSO on Windows OS.
LDAP in Windows auth mode supports two ways of login from browser:
1. Single Sign-On
SSO will be performed on hitting any SonarQube URL other than /sessions/login.
Only domain users are supported through SSO.
2. Form-based login from the /sessions/login page
Domain users
Login: <domain\alias> or alias#domain or alias
Password: <domain credentials>
Technical users
Login: <username>
Password: <password>
On logout, users will be presented with the login page (/sessions/login),
where they can choose to log in as a technical user or a domain user by
passing the appropriate credentials.
For those users who are already using a previous version of the LDAP plugin to
connect to Microsoft AD and have already defined authorization in terms of those
user and group names, use the following settings in Windows OS:
# LDAP configuration
sonar.security.realm=LDAP
ldap.windows.compatibilityMode=true
# For debugging purposes; remove this if you don't see any issue
sonar.log.level=DEBUG
ldap.windows.auth=true
-----------------------------------------------------------------------
Default protocol is NTLM which should work for most of the scenarios.
Troubleshooting NTLM
◦Enabling NTLM Logging
http://goo.gl/3LhU6E
If you want to use Kerberos "Negotiate" protocol please use the following steps.
Negotiate Authentication Steps:
For negotiate authentication to work make sure following steps are followed:
1. Browser Configuration
Waffle link: Configuring Browsers (IE/Firefox)
https://goo.gl/vcPnrk
2. Kerberos setup
Make sure that the user has the privilege for Kerberos delegation:
setspn -L username
To add privileges to the current user, run:
setspn -S HTTP/machine:port machine
Example:
setspn -S HTTP/machine:9000 machine
3. The SonarQube application is running as a service (NT service)
Troubleshooting Resources
1. Useful Kerberos troubleshooting resources
◦Enabling Kerberos Logging
http://support.microsoft.com/kb/262177/en-us
◦Troubleshooting Kerberos Delegation
http://www.microsoft.com/en-us/download/confirmation.aspx?id=4754
I have integrated the CAS server with Keycloak version 12.0.4. When I go to the CAS login page it redirects me to the keycloak login successfully.
After entering the valid credentials in the keycloak page, it provides an error in the cas logs which is mentioned below:
2021-05-12 08:51:41,865 WARN
[org.pac4j.oidc.credentials.authenticator.OidcAuthenticator] -
<Preferred token endpoint Authentication method: null not available.
Defaulting to: private_key_jwt
Can someone tell me if I'm missing any configuration?
Seems the CAS was not able to take the properties from the cas.properties. I changed the class OidcAuthenticator in the cas package to choose the method "client_secret_basic" manually. After doing this change it's working fine.
Scenario:
Elasticsearch 7.2 (basic license) and Kibana 7.2
xpack.security.enabled: true
I used elasticsearch-setup-passwords interactive to assign passwords to built-in users
I try to access Kibana, and it challenges me for user credentials, as expected.
I log in with the user "elastic" (which should be the super-user, right?), and enter. But:
I cannot see any user icon on top-right
I cannot see the user / role management features
Can you help to understand where I'm wrong, please?
I encountered the same issue a little while ago. If you get prompted by your browser for basic authorization instead of the Kibana login form, it means that you have secured the Elasticsearch cluster but you have not enabled security in Kibana itself.
This basic auth login prompt you see is actually from Elasticsearch, not Kibana (while Kibana makes requests on your behalf to Elasticsearch). Kibana is set up for anonymous access (security is implicitly disabled) and this is why you don't see an icon with your user on the far right as you would expect.
You need to set
xpack.security.enabled: true
in your Kibana environment as well.
Furthermore you have to provide the password for the built-in kibana user in the configuration via the settings:
elasticsearch.username: "kibana"
elasticsearch.password: "kibanapassword"
See this guide (https://www.elastic.co/guide/en/kibana/7.2/using-kibana-with-security.html) on how to configure security in Kibana.
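The mismatch described in the answer above can be checked from the two configuration files. This is an added example, not part of the original answer; it assumes flat dotted keys in elasticsearch.yml and kibana.yml, and the sample file contents and the function names parse_flat_yaml and audit are constructed for illustration.

```python
import re

# Constructed sample configs reproducing the scenario in the question above.
ES_YML = """\
cluster.name: demo
xpack.security.enabled: true
"""
KIBANA_YML_BROKEN = """\
server.port: 5601
elasticsearch.hosts: ["http://localhost:9200"]
"""
KIBANA_YML_FIXED = KIBANA_YML_BROKEN + """\
xpack.security.enabled: true
elasticsearch.username: "kibana"
elasticsearch.password: "kibanapassword"
"""

def parse_flat_yaml(text):
    """Parse top-level 'dotted.key: value' lines (assumption: no nested keys)."""
    settings = {}
    for line in text.splitlines():
        line = line.split(" #", 1)[0].rstrip()  # drop trailing comments
        m = re.match(r"^([A-Za-z0-9_.]+)\s*:\s*(.*)$", line)
        if m:
            settings[m.group(1)] = m.group(2).strip().strip("\"'")
    return settings

def audit(es_text, kibana_text):
    """Return findings for a secured cluster fronted by an unsecured Kibana."""
    es, kb = parse_flat_yaml(es_text), parse_flat_yaml(kibana_text)
    findings = []
    if es.get("xpack.security.enabled", "false").lower() != "true":
        return findings  # cluster itself is not secured; nothing to compare
    if kb.get("xpack.security.enabled", "").lower() != "true":
        findings.append("kibana.yml: xpack.security.enabled is not true "
                        "(browser basic-auth prompt, no user menu)")
    # A value held in the Kibana keystore is not visible to this file check.
    for key in ("elasticsearch.username", "elasticsearch.password"):
        if not kb.get(key):
            findings.append(f"kibana.yml: {key} is not set")
    return findings

if __name__ == "__main__":
    for name, cfg in (("broken", KIBANA_YML_BROKEN), ("fixed", KIBANA_YML_FIXED)):
        print(name, audit(ES_YML, cfg) or "OK")
```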
I am having some issue with SonarQube 5.6 LTS using LDAP authentication on an AD server.
Before finally managing to configure SQ to work with AD for LDAP authentication, I had created a user with a login name equal to an AD account.
Then I found out that I could set the property sonar.authenticator.createUser=true in sonar.properties. So I clicked on the red cross (with a tooltip "deactivate") on the user list to remove the local user created by me so that the user could log in via AD authentication.
Unfortunately it seems that SQ does not perform any query at all for the deleted local user. What can I do? (Renaming the user account on the AD side is not an option.)
Thanks
Starting with SonarQube 5.6, sonar.authenticator.createUser is indeed not working anymore (see https://jira.sonarsource.com/browse/SONAR-8208 for details).
Then you have 2 options:
1. Upgrade to SonarQube 6.3 or a later version; everything will work fine.
2. Execute the following SQL request: update users set user_local=false where login = '<LOGIN_TO_LOG_WITH_AD>'
I've installed a DMS called Maarch Courrier, an open-source alternative to SharePoint and Alfresco. I successfully configured my Active Directory to work with it.
But on the first connection, the software asks AD users to provide a new password to be used in Maarch. So, I'd like to set up Single Sign-On with LDAP in the Maarch Courrier DMS. Following this tutorial: http://wiki.maarch.org/Socle_Technique_/_How_to_connect_a_SSO, I tried to configure it but failed. Can anyone help?
You need to configure the configuration file. You can find it in the ldap module.
I have this problem:
I have enabled Liferay to import and export users from/to OpenLDAP server.
When I create a user in Liferay I obtain this page:
So, I have created a new user and Liferay has assigned a password to it (3zbPk6KA).
But if I try to log in with the new user (and the generated password), I obtain the error message of incorrect credentials. In the LDAP server I can see the new account, but the corresponding password seems to be different from the one generated by Liferay.
In the Java console I read this warning:
14:20:15,882 WARN [http-bio-8080-exec-6][LDAPAuth:208] Passwords do not match for userDN cn=myUser,ou=users,dc=myProject,dc=com
Some suggestions?
Had this problem too. What's your value for the LDAP password policy and what's your Liferay version?
I think you have 2 options:
1. Disable the LDAP password policy, and if your Liferay version has no bug on exporting new users' autogenerated passwords, your scenario is supposed to work. Otherwise, you'll have to create a patch/hook that sends that password to LDAP.
2. Enable the LDAP password policy, set up a fixed default LDAP password, and hook the login process, so that you inform the newly registered user (screen message + validation email) of her initial password. Note that there's still a security issue here, because of the fixed password, as someone could create accounts for other users if he knows their e-mails and tries to register before them.
You have to unmark "required" in controlpanel→portal→configuration→authentication→LDAP to di
I don't know why that specific scenario doesn't work. I have used Liferay 6.1 and know there are a number of bugs with the LDAP function of version 6.1. The problem that I faced was that checking "Use LDAP Password Policy" resulted in a user being created without a password.
However, if your password is being created in Liferay, you can turn off the export in the Liferay LDAP wizard and programmatically export users through a hook using a Java LDAP lookup. I had to do it and it fixed a number of similar issues for me.
The link is below:
http://abhirampal.com/2014/12/20/liferay-ldap-export-to-active-directory-disabled-user-bug/