Nexus and OpenLDAP authentication - ldap

I'm trying to configure my Nexus instance, 2.11, to integrate with LDAP (OpenLDAP) with SSL.
It appears to work with the settings below:
Connection
Protocol: ldaps
Hostname: mydomain.local
Port: 636
Search Base: dc=mydomain,dc=local
Authentication
Auth. Method: Simple Authentication
SASL Realm:
Username: dc=admi,dc=mydomain,dc=local
Password: MySuperSecretPassword
When I click on Check Authentication it returns:
LDAP connection and authentication test completed Successfully.
Then in the sections:
User Element Mapping
Base DN: ou=users
User subtree: (doesn't appear to affect anything)
Object class: inetOrgPerson
User filter:
User ID Attribute: uid
Real Name Attribute: cn
E-Mail Attribute: mail
Password Attribute:
Group Element Mapping
Then clicking on Check User Mapping, it returns all the users in the LDAP directory.
It's good, but... when I try to log in with any user, it returns:
Incorrect username, password or no permission to use Nexus User Interface. Try again. Please login before attempting further requests.
I tried to map a user from LDAP in the User Management interface and give this user the Nexus Administrator role; I tried to put all roles on this user, but I always get the same error above.
Is there any other configuration needed to make it work?
Thanks!

In the administration sidebar, click 'server'
Enable "OSS LDAP Authentication Realm" in the security realm.
There is a feature request to make this more visible.
https://issues.sonatype.org/browse/NEXUS-4062

Related

Keycloak - Issues syncing users with LDAP

I installed OpenLDAP on a server and after that added the user into LDAP; the screen below shows the added user through Apache Active Directory.
Now in Keycloak I added user federation as OpenLDAP and it's connecting to LDAP without any issue, but when I try to sync the users I get the message:
Success! Sync of users finished successfully. 0 imported users, 0 updated users
So no users are imported from LDAP to Keycloak. Below is the related LDAP connection information in Keycloak.
Thanks to @EricLavault and a company colleague, Keycloak is at last able to import the users successfully. Below are the changes I made to fix the issue.
Changed the User Object Classes=*
Created a new entry ou=People, then created the user under it
In Keycloak used Users DN = ou=user,ou=people,dc=suredev20
After this it started throwing the exception below:
ERROR [org.keycloak.storage.ldap.LDAPStorageProviderFactory] (default task-1931) Failed during import user from LDAP: org.keycloak.models.ModelException: User returned from LDAP has null username! Check configuration of your LDAP mappings. Mapped username LDAP attribute: uid, user DN: cn=subodh123,ou=user,ou=People,dc=suredev20, attributes from LDAP: {sn=[joshi123], cn=[subodh123], createTimestamp=[20191118180647Z], modifyTimestamp=[20191118180647Z]}
This is fixed by using Username LDAP attribute = cn, as the LDAP username attribute in the OpenLDAP case is cn by default.
User entries are not stored correctly in your directory. In fact you shouldn't use cn=root as a container, as it's supposed to represent the directory manager and should be used for binding and other operations, but not for structuring your directory.
Instead, you should use the default user container (at least for OpenLDAP and Apache DS), that is ou=people,dc=suredev20, i.e. you need to move cn=subodh
from cn=subodh,ou=user,cn=root,dc=suredev
to cn=subodh,ou=people,dc=suredev20
Also, in Keycloak you need to set the users DN accordingly: ou=people,dc=suredev20
(you can try with ou=user,cn=root,dc=suredev without moving the subodh entry, but it is not recommended).

ldap filter in omniauth ldap module not working in discourse

I am currently trying to configure Discourse to only allow users in a specific LDAP group to log in. Discourse has a plugin called discourse-ldap-auth ( https://github.com/jonmbake/discourse-ldap-auth ). This plugin uses the omniauth ldap module: https://github.com/omniauth/omniauth-ldap
My Discourse plugin configuration (the configuration is actually used by the Discourse plugin for the omniauth ldap module):
ldap enabled: true
ldap hostname: the hostname of my ldap server
ldap port: 389
ldap method: plain
ldap base: the base of my ldap server
ldap uid: userPrincipalName
ldap bind dn: Nothing
ldap password: Nothing
ldap filter: (&(userPrincipalName=%{username})(memberOf=cn=[the name of the required group],ou=....,[base]))
When using this configuration, nobody can log in to the forum. When I use the bind DN and password, everybody can log in.
I also tried this filter without success (copied from my LDAP server's filter):
(&(&(&(userPrincipalName=%{username})(memberOf=[dn of the group]))))
What do I have to configure to only allow users in that specific group to log in?
I didn't find any errors or indicators in the log. Please help!
Thanks for your help and attention!
You do need the "ldap dn" and "ldap password". Those are the credentials used to authenticate to LDAP so you can look up people's accounts. Usually that is a service account used only by your application.
The filter should probably look something like this:
(&(sAMAccountName=%{username})(memberOf:1.2.840.113556.1.4.1941:=[dn of the group]))
Users will usually log in with the sAMAccountName, which is usually called just the "username". Whenever you see an account in the DOMAIN\username format, that username is the sAMAccountName.
The userPrincipalName is usually in the format of username@domain.com. It is sometimes the same as the email address, but it doesn't have to be.
The crazy number I put in that query tells Active Directory to search recursively through groups. So that would allow you to put groups into your authentication group, and members of that new group would be given access to your application too. Without that, only direct members of that group will have access.
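As an added illustration (not code from the discourse-ldap-auth plugin, omniauth-ldap or the answerer), the Python below builds the filter suggested in the answer with the substituted username escaped per RFC 4515, and expands a constructed nested-group tree the way the 1.2.840.113556.1.4.1941 rule does on the Active Directory side. The group DN, the user DNs and the group tree are invented for the example, and DN comparison is simplified to lower-casing. The escaping matters because `%{username}` is whatever the person typed on the login form; unescaped, `*` or `)` in it can change the shape of the filter.

```python
# Added example: group-restricted login filter with RFC 4515 escaping, plus a
# client-side model of what the in-chain matching rule evaluates on the server.
# Not the plugin's code; all DNs below are made up.

IN_CHAIN = "1.2.840.113556.1.4.1941"                       # LDAP_MATCHING_RULE_IN_CHAIN (AD)
GROUP_DN = "CN=forum-users,OU=Groups,DC=example,DC=com"    # hypothetical required group

# RFC 4515 section 3: characters that must be escaped inside an assertion value.
_ESC = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    """Escape a value before substituting it into a filter (the login name is user input)."""
    return "".join(_ESC.get(c, c) for c in value)


def build_login_filter(username, group_dn=GROUP_DN, nested=True):
    """The filter from the answer: sAMAccountName plus (transitive) membership of group_dn."""
    rule = f":{IN_CHAIN}:" if nested else ""
    return (f"(&(sAMAccountName={escape_filter_value(username)})"
            f"(memberOf{rule}={escape_filter_value(group_dn)}))")


# Constructed group tree: group DN -> member DNs (users or other groups). Bob reaches
# forum-users only through the contractors group; the cycle back is deliberate.
GROUPS = {
    "CN=forum-users,OU=Groups,DC=example,DC=com": [
        "CN=Alice,OU=Staff,DC=example,DC=com",
        "CN=contractors,OU=Groups,DC=example,DC=com"],
    "CN=contractors,OU=Groups,DC=example,DC=com": [
        "CN=Bob,OU=Vendors,DC=example,DC=com",
        "CN=forum-users,OU=Groups,DC=example,DC=com"],
}


def _norm(dn):
    return dn.lower()   # AD matches DNs case-insensitively; simplified normalisation


def _tree(groups):
    return {_norm(g): [_norm(m) for m in members] for g, members in groups.items()}


def transitive_members(group_dn, groups=GROUPS):
    """Users reachable through nested groups, i.e. what memberOf:<in-chain>:= tests for."""
    tree = _tree(groups)
    seen, todo, users = set(), [_norm(group_dn)], set()
    while todo:
        g = todo.pop()
        if g in seen:            # cycle guard
            continue
        seen.add(g)
        for member in tree.get(g, []):
            if member in tree:   # a nested group: keep walking
                todo.append(member)
            else:
                users.add(member)
    return users


def is_allowed(user_dn, group_dn=GROUP_DN, nested=True, groups=GROUPS):
    """Plain memberOf= is direct membership only; the in-chain form is the closure."""
    if nested:
        return _norm(user_dn) in transitive_members(group_dn, groups)
    return _norm(user_dn) in _tree(groups).get(_norm(group_dn), [])
```

With `nested=False` Bob is refused even though he is in a group that is in forum-users; with the in-chain rule he is admitted. A login name of `*)(objectClass=*` comes out as `\2a\29\28objectClass=\2a`, a literal that matches nobody, instead of rewriting the filter.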

Uniface LDAPs authentication

I am trying to authenticate a user logging in against AD via LDAPS from a Uniface application.
Current ASN settings:
[PATHS]
$LDP LDP:host+389:DC=host,DC=co,DC=uk|username|password
[DRIVER_SETTINGS]
LDP = U1.0
USYS$LDP_PARAMS = addbase:off
[ENTITIES]
*.LDAP $LDP:*.*
person.ldap=person#DC=host,DC=co,DC=uk
Now, I am able to retrieve the LDAP details by initialising sAMAccountName.
Then I try to open LDAP with the user's DN and password, which is working fine.
But when I try the same thing using port 636, it does not work.
Does anyone know how to make Uniface interact with LDAP using port 636?
Can I use wldap32.dll to achieve the same?
This post is in connection with the UNIFACE LDAP User authentication query.
Thanks,
Dharmesh

SonarQube LDAP configuration & empty bindDN

My predecessor installed the LDAP plug-in for SonarQube and added the configuration below to the sonar.properties file.
sonar.security.realm: LDAP
sonar.authenticator.createUsers: true
ldap.url: ldap://ldap.company.com:<port>
ldap.user.baseDn: DC=company,DC=com
ldap.bindDn:
ldap.bindPassword:
ldap.user.request: (&(objectClass=user)(memberof=CN=gpnet,OU=Groups,DC=company,DC=com)(SAMAccountName={0}))
He configured an empty bindDn/bindPassword, and when I looked at the LDAP documentation in SonarQube under general configuration, it says:
"Leave this blank for anonymous access to the LDAP directory."
What does that mean?
Will any user who is part of ldap.url be able to log in? But as he/she is not part of the gpnet group, will he/she not be able to log in?
As per my understanding, we should have service account credentials and set them in the bindDn and bindPassword configuration.
It depends on other things in the configuration. It's possible to configure OpenLDAP to allow searches from an anonymous bind, which fits the usual pattern of searching for the user by some criterion such as email address, then attempting to bind as that user with his password as the actual login step.
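As an added example (not SonarQube's LDAP plug-in code, and not Nexus's either, although the realm in the first thread on this page runs the same steps), the Python below walks the search-then-bind flow the answer describes against a constructed in-memory directory: an anonymous or service bind, the `ldap.user.request` from the question with `{0}` replaced by the escaped login name, then a bind as the DN that was found. The entries, the `svc-sonar` service account and every password are invented, and the fake server implements only simple binds and AND-of-equality filters. It also models the RFC 4513 "unauthenticated" bind (a DN with an empty password), which the login code has to refuse before anything reaches the server.

```python
# Added example: search-then-bind login against a fake directory. Not SonarQube's code.
import re

# Constructed directory, not real data: DN -> attributes (values are lists, as on a real server).
DIRECTORY = {
    "CN=svc-sonar,OU=Service,DC=company,DC=com": {      # hypothetical service account for bindDn
        "objectClass": ["top", "person", "user"], "sAMAccountName": ["svc-sonar"],
        "memberOf": [], "userPassword": ["service-secret"]},
    "CN=jdoe,OU=Users,DC=company,DC=com": {              # member of gpnet: may log in
        "objectClass": ["top", "person", "user"], "sAMAccountName": ["jdoe"],
        "memberOf": ["CN=gpnet,OU=Groups,DC=company,DC=com"], "userPassword": ["correct horse"]},
    "CN=guest,OU=Users,DC=company,DC=com": {             # valid account, but not in gpnet
        "objectClass": ["top", "person", "user"], "sAMAccountName": ["guest"],
        "memberOf": [], "userPassword": ["guest"]},
}
BASE_DN = "DC=company,DC=com"
# ldap.user.request exactly as in the question; {0} is replaced with the login name.
USER_REQUEST = ("(&(objectClass=user)(memberof=CN=gpnet,OU=Groups,DC=company,DC=com)"
                "(SAMAccountName={0}))")

_ESC = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    """RFC 4515 escaping for the login name before it goes into the filter."""
    return "".join(_ESC.get(c, c) for c in value)


def unescape_filter_value(value):
    return re.sub(r"\\([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), value)


_AND = re.compile(r"\(&((?:\([^()]*\))+)\)")
_EQ = re.compile(r"\(([A-Za-z0-9.;-]+)=([^()]*)\)")


def parse_and_filter(filter_str):
    """Parse only the shape used above: an AND of equality assertions."""
    m = _AND.fullmatch(filter_str)
    if not m:
        raise ValueError("unsupported filter shape: " + filter_str)
    return [(attr, unescape_filter_value(val)) for attr, val in _EQ.findall(m.group(1))]


class FakeLdap:
    """Just enough server to show the flow. Attribute names and values are compared
    case-insensitively, as AD does for sAMAccountName and DN-valued attributes."""

    def __init__(self, entries, allow_anonymous_search=True):
        self.entries, self.allow_anonymous_search, self.who = entries, allow_anonymous_search, None

    def bind(self, dn, password):
        if not dn:                      # empty DN + empty password: anonymous bind
            self.who = None
            return True
        if not password:                # DN + empty password: RFC 4513 5.1.2 unauthenticated bind.
            self.who = None             # Permissive servers accept it as anonymous; it proves nothing.
            return True
        entry = self.entries.get(dn)
        ok = bool(entry and password in entry.get("userPassword", []))
        self.who = dn if ok else None
        return ok

    def search(self, base, filter_str):
        if self.who is None and not self.allow_anonymous_search:
            raise PermissionError("anonymous search not permitted on this server")
        clauses = parse_and_filter(filter_str)

        def has(attrs, attr, value):
            for name, values in attrs.items():
                if name.lower() == attr.lower():
                    return any(v.lower() == value.lower() for v in values)
            return False

        return [dn for dn, attrs in self.entries.items()
                if dn.lower().endswith(base.lower()) and all(has(attrs, a, v) for a, v in clauses)]


def authenticate(server, login, password, bind_dn="", bind_password=""):
    """Search-then-bind. Returns the user's DN on success, None on any failure."""
    if not password:                    # never forward an empty password: it would turn into an
        return None                     # unauthenticated bind and 'succeed' on permissive servers
    if not server.bind(bind_dn, bind_password):   # 1. service bind (anonymous if both are empty)
        raise PermissionError("bindDn/bindPassword rejected")
    hits = server.search(BASE_DN, USER_REQUEST.replace("{0}", escape_filter_value(login)))  # 2. locate
    if len(hits) != 1:                  # unknown login, not in gpnet, or ambiguous
        return None
    user_dn = hits[0]
    return user_dn if server.bind(user_dn, password) else None   # 3. prove the password as the user
```

The empty `ldap.bindDn`/`ldap.bindPassword` from the question is the `bind_dn="", bind_password=""` case: step 1 is an anonymous bind, and the login only works if the server's access rules let an anonymous connection run the search (`allow_anonymous_search=True` here). With that switched off, the same login fails at step 2 unless the service account is supplied. The group condition is enforced by the search, not by the password check: `guest` has the right password but is not in gpnet, so step 2 returns nothing.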

Liferay export user into Ldap: Password policy

I have this problem:
I have enabled Liferay to import and export users from/to an OpenLDAP server.
When I create a user in Liferay I get this page:
So, I have created a new user and Liferay has assigned it a password (3zbPk6KA).
But if I try to log in with the new user (and the generated password) I get the error message of incorrect credentials. In the LDAP server I can see the new account, but the corresponding password seems to be different from the one generated by Liferay.
In the Java console I read this warning:
14:20:15,882 WARN [http-bio-8080-exec-6][LDAPAuth:208] Passwords do not match for userDN cn=myUser,ou=users,dc=myProject,dc=com
Any suggestions?
I had this problem too. What's your value for the LDAP password policy, and what's your Liferay version?
I think you have 2 options:
Disable the LDAP password policy, and if your Liferay version has no bug on exporting new users' autogenerated passwords, your scenario is supposed to work. Else, you'll have to create a patch/hook that sends that password to LDAP.
Enable the LDAP password policy, set up a fixed default LDAP password, and hook the login process so that you inform the newly registered user (screen message + validation email) of her initial password. Note that there's still a security issue here because of the fixed password, as someone could create accounts for other users if he knows their e-mails and tries to register before them.
You have to unmark "required" in controlpanel→portal→configuration→authentication→LDAP to di
I don't know why that specific scenario doesn't work. I have used Liferay 6.1 and know there are a number of bugs with the LDAP function of version 6.1. The problem that I faced was that checking "Use LDAP Password Policy" resulted in a user being created without a password.
However, if your password is being created in Liferay, you can turn off the export in the Liferay LDAP wizard and programmatically export users through a hook using Java LDAP lookup. I had to do it and it fixed a number of similar issues for me.
The link is below:
http://abhirampal.com/2014/12/20/liferay-ldap-export-to-active-directory-disabled-user-bug/