I'm not succeeding in LDAP authentication with Redmine. Here follows the description of what I've done:
I've installed Bitnami Redmine on Centos 6.7 and trying to authenticate against AD on MS Windows server 2012.
Environment: Redmine version 3.1.1.stable
Ruby version 2.0.0-p647 (2015-08-18) [x86_64-linux]
Rails version 4.2.4
Environment production
Database adapter Mysql2
SCM:
Subversion 1.6.11
Git 1.7.1
Filesystem
Redmine plugins:
no plugin installed
This is my LDAP configuration on Redmine:
Name: geo-AD
Host: geo-dc.geo.net
Port 389 LDAPS: No
User: ldapuser
DN Base: DC=geo-dc,DC=geo,DC=net
LDAP filter: (objectClass=*)
on the fly: yes
Connection attribute: sAMAccontName
Name: givenName
Surname: sn
Mail: mail
The test is working fine, but when I try to authenticate I always get
invalid password
I traced the authentication phase with Wireshark and I've seen the following:
There is a request from the redmine host to the AD server asking for the following attributes:
dn
givenName
sn
mail
The AD server answer with "no such object" and the authentication stops. I've removed givenName, sn and mail from the LDAP configuration window and the request for DN is still there and cause the failure.
I've checked the AD schema and there is no attribute named "dn".
Any idea why Redmine ask for this during authentication and if there is a way to change this behaviour?
Here follows the LDAP query and LDAP response.
192.168.1.244 is the Centos server with Redmine, 192.168.1.240 is MS Server 2012 with AD.
No. Time Source Destination Protocol Length Info
72 28.269126319 192.168.1.244 192.168.1.240 LDAP 237 searchRequest(2) "DC=geo-dc,DC=geo,DC=net" wholeSubtree
Frame 72: 237 bytes on wire (1896 bits), 237 bytes captured (1896 bits) on interface 0
Lightweight Directory Access Protocol
LDAPMessage searchRequest(2) "DC=geo-dc,DC=geo,DC=net" wholeSubtree
messageID: 2
protocolOp: searchRequest (3)
searchRequest
baseObject: DC=geo-dc,DC=geo,DC=net
scope: wholeSubtree (2)
derefAliases: neverDerefAliases (0)
sizeLimit: 0
timeLimit: 0
typesOnly: False
Filter: (&(&(objectClass=*)(objectClass=*))
(sAMAccountName=mlavagna))
filter: and (0)
and: (&(&(objectClass=*)(objectClass=*))
(sAMAccountName=mlavagna))
and: 3 items
Filter: (objectClass=*)
and item: present (7)
present: objectClass
Filter: (objectClass=*)
and item: present (7)
present: objectClass
Filter: (sAMAccountName=mlavagna)
and item: equalityMatch (3)
equalityMatch
attributeDesc: sAMAccountName
assertionValue: mlavagna
attributes: 4 items
AttributeDescription: dn
AttributeDescription: givenName
AttributeDescription: sn
AttributeDescription: mail
[Response In: 73]
controls: 1 item
Control
controlType: 1.2.840.113556.1.4.319 (pagedResultsControl)
criticality: False
SearchControlValue
size: 126
cookie: <MISSING>
No. Time Source Destination Protocol
74 28.269493413 192.168.1.244 192.168.1.240 TCP
Lightweight Directory Access Protocol
LDAPMessage searchResDone(2) noSuchObject (0000208D: NameErr: DSID-03100238, problem 2001 (NO_OBJECT), data 0, best match of:
'DC=geo,DC=net'
) [0 results]
messageID: 2
protocolOp: searchResDone (5)
searchResDone
resultCode: noSuchObject (32)
matchedDN: DC=geo,DC=net
errorMessage: 0000208D: NameErr: DSID-03100238, problem 2001
(NO_OBJECT), data 0, best match of:\n\t'DC=geo,DC=net'\n
[Response To: 72]
[Time: 0.000264030 seconds]
Do you have an "ou" (organizational unit) in LDAP? For example, if your users are under ou=People, your redmine DN Base might look like this:
DN Base: ou=People,DC=geo-dc,DC=geo,DC=net
Related
I have installed saprfc-1.4.1 on linux 4.0.4-x86_64 (ubuntu14) machine.
PHP Version 5.5.9
RFCSDK 7.20
After installation, I added the extension (extension = saprfc.so) in php.ini file and then restarted apache.
To test if installation was successful i uploaded saprfc_test.php to my www directory.
Entered following details to login to SAP R/3
Application Server - localhost
System Number - 00
Client - 300
User - myusername
Password - *********
Message Server - MSPLECP00_ECP_00
R/3 system Name - ECP
Language - EN
When i tried to Login i got following error:
RFC Error Info : Key : RFC_NOT_INIT Status :
Message : RFC subsystem not yet initialized. Internal:
I'm currently trying to setup Gitlab 6.7 as a fresh install as well as upgrading from version 6.6. While doing so I ran into the following error:
When logging in with an LDAP account, which is not in Gitlab yet, the login fails with the message containing the words
Could not authorize you from LDAP because: "Validation failed username only letters, digits & '_' '-' '.' allowed. Letter should be first".
Hence the upgraded version still works with existing accounts.
After having a look at the code in GitHub I suspect that the root cause is that the generation of the Gitlab username changed.
To me it looks like before it was the first part of the email address (everything up to #) and now it seems to be the uid, but in my case the uid is an email address containing an # character.
As I do not have any other value in LDAP with uniquely identifies a user, I am required to use the uid/mail.
Anyone has a hint how to proceed here?
Thanks
LDAP:
objectClass person
givenName Jane
sn Doe
cn Jane Doe
uid jane.doe#example.com
mail jane.doe#example.com
Gitlab.yml 6.6:
ldap:
enabled: true
host: 'ldaphost.example.com'
base: 'o=example.com'
port: 636
uid: 'uid'
method: 'ssl' # "tls" or "ssl" or "plain"
#bind_dn: ''
#password: '_the_password_of_the_bind_user'
# If allow_username_or_email_login is enabled, GitLab will ignore everything
# after the first '#' in the LDAP username submitted by the user on login.
#
# Example:
# - the user enters 'jane.doe#example.com' and 'p#ssw0rd' as LDAP credentials;
# - GitLab queries the LDAP server with 'jane.doe' and 'p#ssw0rd'.
#
# If you are using "uid: 'userPrincipalName'" on ActiveDirectory you need to
# disable this setting, because the userPrincipalName contains an '#'.
allow_username_or_email_login: false
Gitlab.yml 6.7:
ldap:
enabled: true
host: 'ldaphost.example.com'
port: 636
uid: 'uid'
method: 'ssl' # "tls" or "ssl" or "plain"
#bind_dn: '_the_full_dn_of_the_user_you_will_bind_with'
#password: '_the_password_of_the_bind_user'
# If allow_username_or_email_login is enabled, GitLab will ignore everything
# after the first '#' in the LDAP username submitted by the user on login.
#
# Example:
# - the user enters 'jane.doe#example.com' and 'p#ssw0rd' as LDAP credentials;
# - GitLab queries the LDAP server with 'jane.doe' and 'p#ssw0rd'.
#
# If you are using "uid: 'userPrincipalName'" on ActiveDirectory you need to
# disable this setting, because the userPrincipalName contains an '#'.
allow_username_or_email_login: false
# Base where we can search for users
#
# Ex. ou=People,dc=gitlab,dc=example
#
base: 'o=example.com'
# Filter LDAP users
#
# Format: RFC 4515
# Ex. (employeeType=developer)
#
user_filter: ''
I have been doing a lot of research on ssh (openssh) and radius.
What I want to do:
SSH in to equipment with credentials (username and password) stored in either on a radius server or ldap store. I have been reading online and some people point to having an ldap server running in the background of your radius server. This will work, but will only work if the user is found in the local machine.
The problem:
Is there a way for me to ssh (or telnet) in to my equipment by logging in via a radius server that contains the credentials? if not is there a way for the client (the machine I am trying to connect to) get an updated list of credentials and store it locally from a central location (whether it be a radius server or an sql database etc).
I have been able to connect via Radius but only on accounts that are local, but for example if I try to connect with an account that does not exist locally (client-wise) I get "incorrect"
Here is the radius output:
Code:
rad_recv: Access-Request packet from host 192.168.4.1 port 5058, id=219, length=85 User-Name = "klopez"
User-Password = "\010\n\r\177INCORRECT"
NAS-Identifier = "sshd"
NAS-Port = 4033
NAS-Port-Type = Virtual
Service-Type = Authenticate-Only
Calling-Station-Id = "192.168.4.200"
Code:
[ldap] performing user authorization for klopez[ldap] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details
[ldap] ... expanding second conditional
[ldap] expand: %{User-Name} -> klopez
[ldap] expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=klopez)
[ldap] expand: dc=lab,dc=local -> dc=lab,dc=local
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in dc=lab,dc=local, with filter (uid=klopez)
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
[ldap] userPassword -> Cleartext-Password == "somepass"
[ldap] userPassword -> Password-With-Header == "somepass"
[ldap] looking for reply items in directory...
[ldap] user klopez authorized to use remote access
[ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Config already contains "known good" password. Ignoring Password-With-Header
++[pap] returns updated
Found Auth-Type = PAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group PAP {...}
[pap] login attempt with password "? INCORRECT"
[pap] Using clear text password "somepass"
[pap] Passwords don't match
++[pap] returns reject
Failed to authenticate the user.
WARNING: Unprintable characters in the password. Double-check the shared secret on the server and the NAS!
Using Post-Auth-Type Reject
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> klopez
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 3 for 1 seconds
I also have pam_radius installed, and its working (can log in on a account that exists locally). Although I read this and do not know if this is 100% accurate:
http://freeradius.1045715.n5.nabble.com/SSH-authendication-with-radius-server-fails-if-the-user-does-not-exist-in-radius-client-td2784316.html
and
http://fhf.org/archives/713
tl:dr:
I need to ssh into a machine that does not have a user/pass locally and that combination will be stored remotely, such as a radius server or ldap.
please advise
P.S.
The solution is preferable using radius server or ldap but not necessary. If there is an alternate please advise.
Thanks,
Kevin
You can configure SSH to authenticate directly against an LDAP server using PAM LDAP.
I've set it up myself on Debian Systems:
https://wiki.debian.org/LDAP/PAM
https://wiki.debian.org/LDAP/NSS
You need to have both PAM and NSS to get SSH working. You also need to enable PAM in your SSH configuration. Install the libnss-ldapd libpam-ldapd and nslcd packages on Debian (or Ubuntu) system.
I am making some application in rails in which user needs to be log-in first to see the content. I used devise and ldap_devise_authenticatable to make user log-in through existing LDAP account.
However, when I tried to log in with my account into my application then log-in failure occurs(401 error unauthorized) even though I already have account on ldap.
I am following this tutorial
And following is the screenshot of my ldap server page:
I know the problem is in my ldap configuration file. How can i configure it properly so that my application send correct string to ldap server like in above screenshot
Code of my ldap.yml is as follows:
authorizations: &AUTHORIZATIONS
group_base: ou=groups,dc=test,dc=com
required_groups:
- cn=admins,ou=groups,dc=test,dc=com
- cn=users,ou=groups,dc=test,dc=com
- ["moreMembers", "cn=users,ou=groups,dc=test,dc=com"]
require_attribute:
objectClass: inetOrgPerson
authorizationRole: postsAdmin
## Environment
development:
host: 172.16.100.6
port: 389
attribute: cn
base: ou=People,dc=iitj,dc=ac,dc=in
#admin_user: cn=admin,dc=test,dc=com
#admin_password: admin_password
ssl: false
Have you tried setting attribute: sAMAccountName?
Also you need to set admin_ser and admin_password to match the credentials of the account you have in LDAP.
I'm currently trying to implement Devise with LDAP Authentication on RAILS3. I've got it setup and it appears to connect and try to auth, but appears to fail. I don't seem to get any sort of real error messages to work with so its very difficult to take it any further.
Log of login session:
Started POST "/users/sign_in" for 192.168.160.1 at Tue Dec 06 05:20:16 +0000 2011
Processing by Devise::SessionsController#create as HTML
Parameters: {"commit"=>"Sign in", "authenticity_token"=>"G2tEq9gPpJiN0RhanTd8HMWno62F+1oLWbU4xdX78bg=", "utf8"=>"\342\234\223", "user"=>{"remember_me"=>"0", "password"=>"[FILTERED]", "login"=>"richmond#email.com"}}
User Load (0.1ms) SELECT `users`.* FROM `users` WHERE `users`.`login` = 'richmond#email.com' LIMIT 1
LDAP: LDAP dn lookup: mail=richmond#email.com
LDAP: LDAP search for login: mail=richmond#email.com
LDAP: Authorizing user mail=richmond#email.com,ou=groupxx,o=company.com
LDAP: LDAP dn lookup: mail=richmond#email.com
LDAP: LDAP search for login: mail=richmond#email.com
Completed 401 Unauthorized in 7147ms
Processing by Devise::SessionsController#new as HTML
Parameters: {"commit"=>"Sign in", "authenticity_token"=>"G2tEq9gPpJiN0RhanTd8HMWno62F+1oLWbU4xdX78bg=", "utf8"=>"\342\234\223", "user"=>{"remember_me"=>"0", "password"=>"[FILTERED]", "login"=>"richmond#email.com"}}
Rendered devise/shared/_links.erb (0.1ms)
Rendered devise/sessions/new.html.erb within layouts/application (5.0ms)
Completed 200 OK in 23ms (Views: 21.4ms | ActiveRecord: 0.0ms)
Started GET "/assets/defaults.js" for 192.168.160.1 at Tue Dec 06 05:20:23 +0000 2011
Served asset /defaults.js - 404 Not Found (3ms)
ActionController::RoutingError (No route matches [GET] "/assets/defaults.js"):
Rendered /usr/local/lib/ruby/gems/1.8/gems/actionpack-3.1.0/lib/action_dispatch/middleware/templates/rescues/routing_error.erb within rescues/layout (0.5ms)
ldap config:
development:
host: ldap.company.com
port: 636
attribute: mail
base: ou=groupxx,o=company.com
#admin_user: cn=admin,dc=test,dc=com
#admin_password: admin_password
ssl: true
# <<: *AUTHORIZATIONS
I don't have access to the LDAP server so I cannot confirm anything from that end. The main issue I have is that I cannot get any error messages out of the login process - Is it not able to find the user? Does it find the user but fail login? Why does it do 2 LDAP searches?
same issue here. Did a ldapsearch, which works however. Company is running an ActiveDirectory server here:
ldapsearch -Z -h ldap.company.com -p 389 -s sub -D
"cn=somebody,ou=my_ou,dc=ldap,dc=company,dc=com" -W -b
"dc=ldap,dc=company,dc=com" "(&(cn=somebody))" mail
Solution:
I have found the solution: In config/initializers/devise.rb I missed to activate config.ldap_use_admin_to_bind = true. Only with this flag, devise_ldap_authenticatable really uses the BindDN (i.e. admin_user, admin_password which both have to be uncommented) defined at config/ldap.yml.
I found out the problem I had was that the LDAP server my company (IBM) uses was using a different protocol standard to the ones officially supported by NET-LDAP.
You simply need to change the PagedResults Control Type to a slightly different standard:
#PagedResults = "1.2.840.113556.1.4.319" # Microsoft evil from RFC 2696
PagedResults = "2.16.840.1.113730.3.4.2" # IBM Bluepages compatible ControlType
Full code change details here.
I forked it and fixed it over here on GitHub.
I did encounter the same problem on my ActiveDirectory. I tried using the bind user but it didn´t help either. I changed devise according to screencast 210 to use the username field. Here´s my ldap.yml
development:
host: dcburda0
port: 636
attribute: cn
base: OU=Organisation,DC=mydomain,DC=com
admin_user: CN=username,OU=Support Center Muenchen,OU=name GmbH,OU=Organisation,DC=mydomain,DC=com
admin_password: password
ssl: true