I'm trying to configure LDAP authentication for teamcity but can't get it to work. I already configured some other services on this server to authenticate using LDAP and had no problems (so it's not fault of the DC).
Following describes my config file:
java.naming.provider.url=ldap://192.168.0.123:389/DC=server,DC=example,DC=com
java.naming.security.principal=ldap-user
java.naming.security.credentials=jE&4i.%$lpDr3#?
java.naming.security.authentication=simple
teamcity.users.login.filter=(&(sAMAccountName=$capturedLogin$)(memberOf=CN=Group1,CN=Users,DC=server,DC=example,DC=com))
teamcity.users.username=sAMAccountName
teamcity.auth.loginFilter=[^/\\\\#]+
teamcity.options.users.synchronize=false
teamcity.options.groups.synchronize=false
When I set authentication to 'none' it works (but I can't restrict access to a specific group). I also tried using the full user name (incl. domain; i.e. DOMAIN\ldap-user) and also tried to use full DN instead, but it didn't change anything.
In log i see that the ldap server returns error code 49, which means that the binding failed. Like mentioned before I already configured other services on this server to authenticate with the same ldap server and the same binding user and had no problems.
Does anybody know how to solve this issue?
Thanks in advance!
This is my configuration and It working fine. The synchronization is allowed so information like email and name there are no available but enable the login with NT Id and Credentials
java.naming.provider.url=ldap://amer.xxxx.com:389/DC=amer,DC=xxxx,DC=com
java.naming.security.principal=CN=SRVAMR-xxx,OU=CMAPPS,OU=Service,OU=Accounts,DC=amer,DC=xxxx,DC=com
java.naming.security.credentials=Pf867955
teamcity.users.login.filter=(&(sAMAccountName=$capturedLogin$)(memberOf=CN=AMR-GENOME-L,OU=GMA,OU=Security,OU=Groups,DC=amer,DC=xxxx,DC=com))teamcity.users.username=sAMAccountName
I Hope help you
Related
Trying to add AD LDAP authentication in IBM Websphere 9.0.0.7,
the login of application only works with full DN instead of sAmAccountName
No user xxx found
We would need details on your configuration (wimconfig.xml) and possibly logs and trace to resolve this. If you have a support contract with IBM I would suggest opening a support case and we can help determine the issue.
You can open a case at the link below. We would require you upload your wimconfig.xml as well as trace that shows the issue (com.ibm.ws.wim.*=all:com.ibm.websphere.wim.*=all).
https://www.ibm.com/mysupport
Alternatively, you could post the wimconfig.xml file here and I can check for obvious issues, but without trace to see why it is failing it may be a shot in the dark.
I have an issue, I want to enable LDAP on my WAS, like in this article.
But in step number 4 (Test Connection), I always get this error message:
ErrorSECJ7340E: Exception raised trying to connect to LDAP server:
NamingException: [LDAP: error code 1 - 000004DC: LdapErr: DSID-0C0906DD, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v1772]
I thought that, I must binding the connection or something related about the connection, but I don't know exactly.
Is there any solution for me?
This article talks about standalone ldap configuration. You should rather use LDAP in federated registry. Please follow this link for configuration - Configuring a single LDAP repository under Federated repositories
Based on the error you have, looks like your LDAP requires authenticated user. You need to provide bind user and bind user password.
See also:
LDAP repository settings
I am using Liferay 6.2 and I am trying to do LDAP Authentication. The LDAP Server is provided by another organization and I do not have access to any configuration, I just have credentials for a system account to look up the directory. When I try to log in Liferay with user credentials from the LDAP Server the authentication fails with the following error code:
13:54:05,738 ERROR [http-bio-8080-exec-3][LDAPAuth:341] Problem accessing LDAP server
javax.naming.NameNotFoundException: [LDAP: error code 32 - 0000208D: NameErr:
DSID-0315270B, problem 2001 (NO_OBJECT), data 0, best match of:
'O=uni,C=de' remaining name 'ou=people,o=uni,c=de'
The same error that occurs when trying to log in with a user that does not exist in the LDAP directory. Nevertheless, the mapping still works. After trying to log in with valid user credentials there is an entry in the liferay database with the corresponding user data. Accessing Liferay is not possible though.
These are my settings in portal-ext.properties (Test LDAP connections returns success, connection settings are pseudonymised):
ldap.base.provider.url=ldaps://ldap.ldap-server
ldap.base.dn=ou=people,o=uni,c=de
ldap.security.principal=uid=prox,ou=prox,o=uni,c=de
ldap.security.credentials=secret
#auth.pipeline.enable.liferay.check=false
ldap.auth.enabled=true
ldap.auth.required=true
ldap.auth.method=bind
ldap.import.enabled=false
ldap.import.on.startup=false
ldap.import.interval=10
ldap.export.enabled=false
ldap.export.group.enabled=false
ldap.auth.search.filter=(uid=#screen_name#)
ldap.import.user.search.filter=(objectClass=inetOrgPerson)
ldap.attrs.transformer.impl=com.liferay.portal.security.ldap.DefaultAttributesTransformer
ldap.user.mappings=screenName=cn\npassword=userPassword\nfirstName=givenNam\nlastName=sn\njobTitle=title\ngroup=groupMembership
users.email.address.required=false
users.email.address.auto.suffix=#no-emailaddress.com
users.email.address.generator=com.liferay.portal.security.auth.DefaultEmailAddressGenerator
users.email.address.validator=com.liferay.portal.security.auth.DefaultEmailAddressValidator
ldap.password.policy.enabled=false
ldap.import.user.password.enabled=true
ldap.import.user.password.autogenerated=false
ldap.import.user.password.default=test
Check the FQDN on the LDAP side, including the prefixes (cn, ou, etc.), and ensure that it matches the directory configuration within Liferay.
You can try configuring it from the control panel it will be easier for you as it allows to check whether the connection is made or not. You can check the users are fetched or not and it doesnt even need a server restart.
It works now. There were two issues:
I changed ldap.base.dn=ou=people,o=uni,c=de to ldap.base.dn=o=uni,c=de and
ldap.import.user.search.filter=(objectClass=inetOrgPerson) to ldap.import.user.search.filter=(objectClass=*)
I have uncommented the LDAP and UserMapper connectors in application.xml
I know my LDAP credentials (binddn, hostname, etc) are all working, because I use LDAP authentication and authorization for other apps on my server.
All I've done, is make the changes to application.xml and security.properties. Is there something else I'm supposed to do?
When I try to login with a user from LDAP, it is unsuccessful. Is there a log file I can check to see what's going wrong? I find the archiva documentation to be sparse and laconic.
Here is my security.properties file - some values have been altered, maybe someone can verify the structure is in-tact:
# LDAP
user.manager.impl=ldap
ldap.bind.authenticator.enabled=true
redback.default.admin=admin
security.policy.password.expiration.enabled=false
ldap.config.hostname=localhost
ldap.config.port=389
ldap.config.base.dn=domainName=mydomain.com,o=domains,dc=mydomain,dc=com
ldap.config.context.factory=com.sun.jndi.ldap.LdapCtxFactory
ldap.config.bind.dn=cn=Manager,dc=mydomain,dc=com
ldap.config.password=mypass
ldap.config.mapper.attribute.email=mail
ldap.config.mapper.attribute.fullname=displayName
ldap.config.mapper.attribute.password=userPassword
ldap.config.mapper.attribute.user.id=mail
ldap.config.mapper.attribute.user.base.dn=ou=Users
ldap.config.mapper.attribute.user.object.class=inetOrgPerson
ldap.config.mapper.attribute.user.filter=(objectclass=inetOrgPerson)
Also, the config.mapper.attribute.user.base.dn confuses me. The basedn of my users is here:
ou=Users,domainName=mydomain.com,o=domains,dc=mydomain,dc=com
So does that mean for base DN I put: domainName=scoresecret.com,o=domains,dc=scoresecret,dc=com
and for config.mapper.attribute.user.base.dn: ou=Users
Let me know if I'm doing something wrong, if I'm forgetting to do something to "switch LDAP on", and if I can find some logs to point me in the right direction. Thanks a ton
Make sure you have configured an admin user that exists in LDAP - at the moment there's no way to use an internal user for that.
redback.default.admin=admin
Replace admin with a role account in your LDAP server that can be used for this.
Here is a configuration template I use which should show the values you'd need to populate:
https://github.com/maestrodev/puppet-archiva/blob/master/templates/security.properties.erb
It seems the main difference could be the user filter being empty?
(See also thread on users#archiva.apache.org: http://s.apache.org/KDj)
I am currently setting up a dev environment which is an exact copy of our prod environment. The problem is when I try to authenticate a user by using CFLDAP tag in the dev environment, it won't let me authenticate the user without prefixing the username with the domain name while in the prod environment we don't have to prefix the username with the domain name. See example code below:
Details:
Windows 2000 Web Server
ColdFusion 5
Authenticating to a Windows 2003 Active Directory environment
Any help is greatly appreciated.
I have found when using CFLDAP, that using NT style logins for the username will inevitably cause problems and inconsistencies. You are really much better off using the distinguishedName attribute (DN) for a given user:
CN=User,OU=Users,DC=domain,DC=com
Of course your DN will likely be different - but hopefully that illustrates the point.