How to authenticate to an LDAP server using mail id instead of user name - ldap

I have created an LDAP server. I registered some users on that server. For now I am able to log in through the server using the username and password of the users from my Mac system. But now I want to log in through the server using the mail id and password of the users instead of the username and password. How do I change this setting in the LDAP mappings on the Mac?

Go through this link https://help.apple.com/advancedserveradmin/mac/10.7/#apdB5DE1FD6-4D51-4C20-BB66-982DB85DF258. It helped me a lot. We have to give the DN as mail=mailaddress,OU=users,dc=example,dc=com
and the password as whatever we configured during server configuration.

I'd add a new mapping file to DirectoryServices as stated in http://support.apple.com/kb/PH9293?viewlocale=en_US&locale=en_US. That way you can map not only the UID or the CN for logging into the machine but also the email address. That way you will only have to store the email address in the corresponding field that is also used by the mail server, and the possibility that at some point something gets mixed up due to incomplete changes is reduced.
On the other hand it might be a lengthy process to get everything right.
Update: I've just written a blog post about mapping LDAP attributes to DirectoryService attributes. It might be helpful here: http://andreas.heigl.org/2014/06/05/change-opendirectory-mappings/

Related

SugarCRM - Regular User Type User Cannot Login

I have SugarCRM running and am able to log in and out using the super admin account. I created a new user with type Regular User and defined its password because I unchecked the auto-generation of the password.
Even if I change the password through the database I cannot log in. But if I change the type to Administrator, that user can then log in. Why is that? I want it to be a Regular User only.
Regards,
Ronel
In version 6.5.x I have found that there is a problem with password rules. Perhaps this is the case. Go to config.php and look at the passwordsetting array. There is a minpwdlenght and a oneupper. Change 'oneupper' to 'false' and match minpwdlenght to the length you want.
This solved my issue.

Implementing ActiveDirectory account lockout after n tries in WCF

I am developing a WCF service which can be consumed by mobile applications to authenticate users against the corporate extranet Active Directory. I am using a customized version of this implementation from Microsoft. I need to implement the account lockout logic so that after n retries the account in Active Directory gets locked out.
I tried a stateful WCF service to keep track of the failed logins. But the client can start over in the next session and continue with the attack.
I know that the Active Directory policy can be set to enforce this, but just querying AD (like the Microsoft solution does to authenticate the user) does not lock out the user.
So I am looking for a solution that works like logging in to Windows with an incorrect password n times: the account gets locked out as per the policy set in AD.
I have not seen your code, so I'm guessing you have a solution similar to the one implemented in this example; have a look at this link.
In the above example, please have a look at this line:
DirectoryEntry entry = new DirectoryEntry(_path, domainAndUsername, pwd);
This entry object would be used for authentication when you make a search call on Active Directory.
If you are using the user/password that you want to authenticate, then you need not worry about locking it in your code. The Active Directory policy would be enough.
But after reading your comment I guess you have one specific user that you use to search for mobile application users to check whether they exist in your Active Directory or not. If this is the case, effectively you are never authenticating the mobile users, so those users are never going to be blocked automatically.
I would be interested to know your answer.
There are basically two ways of doing this:
You continue the directory search method you are using, but track the number of logins for each user in a custom database, and check this database before doing the directory search.
Use the Windows login instead, and rely on AD to lockout the user. For a description of how to do this check: Active Directory (LDAP) - Check account locked out / Password expired
Edit
After seeing marc_s's comment, I am unsure whether doing the directory search will lock out or not. It would actually be a serious security hole if you could try an infinite number of times. But you would need an account that is allowed to query AD before you could use it.
The code you linked to had this line:
object obj = entry.NativeObject
which was there to force authentication. Have you included this line?

how to do Ldap Server Authentication?

I have set up an LDAP server somewhere. I can bind to it, and can add, modify and delete entries in the database. Now when it comes to authentication, isn't it as simple as giving the username and password to the server and asking it to search for an entry matching the two? And furthermore, isn't it the 'userPassword' field that contains the password for a user in there?
Now,
I tried to set up Splunk to authenticate from my LDAP server. I provided the username and password, but it failed authentication. Isn't it the 'userPassword' field that Splunk checks? What could be the possible reason?
LDAP servers are generally not going to allow you to search on the userPassword attribute, for obvious security reasons. (And the password attribute is likely stored in hashed form anyway, so a straight search would not work.)
Instead, the usual way to do LDAP authentication is:
1. Prompt for username & password.
2. Bind to LDAP with your application's account, and search for the username to get the full distinguished name (dn) of the user's LDAP entry.
3. Make a new LDAP connection, and attempt to bind using the user's dn & password.
(If you know how to construct the dn from the username, you can skip step 2, but it's generally a good idea to search first - that way you're less sensitive to things like changes in the OU structure of the LDAP directory.)
Typically you would search using the username value provided on uid or cn values within the LDAP Tree.
-jim
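Jim's search-then-bind steps, put together for the mail-keyed login asked about at the top of the page, as an added example that is not code from any of the posts: the filter value is escaped per RFC 4515 so the supplied email cannot alter the query, the bind is done as the user so the directory's own lockout policy (the point of the WCF thread) is what counts failures, and because the DN comes from the search it works whether entries are named by cn or by uid (the eDirectory thread). DirectoryStub, USERS and login_with_mail are constructed stand-ins, not a real LDAP client or any project's API.

```python
# Added example (not code from any of the posts). DirectoryStub is a constructed
# in-memory stand-in for the LDAP/AD server so the flow runs offline; in
# production its search() and bind() would be ldap3/python-ldap calls.
import re

# RFC 4515: characters that must be hex-escaped inside a filter assertion value.
_FILTER_SPECIAL = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def escape_filter(value: str) -> str:
    return "".join(_FILTER_SPECIAL.get(c, c) for c in value)
def unescape_filter(value: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def build_filter(attr: str, value: str) -> str:
    """Equality filter such as (mail=alice@example.com); the user value is escaped."""
    return f"({attr}={escape_filter(value)})"

class DirectoryStub:
    """Constructed stand-in: entries keyed by DN, plus a server-side lockout policy."""
    def __init__(self, entries, lockout_threshold=3):
        self.entries, self.threshold, self.failures = entries, lockout_threshold, {}

    def search(self, base, ldap_filter):
        m = re.fullmatch(r"\((\w+)=([^()]*)\)", ldap_filter)  # simple equality only
        if not m:
            return []
        attr, want = m.group(1), unescape_filter(m.group(2)).lower()
        return [dn for dn, e in self.entries.items()
                if dn.lower().endswith(base.lower()) and e.get(attr, "").lower() == want]

    def bind(self, dn, password):
        e = self.entries.get(dn)
        if e is None or self.failures.get(dn, 0) >= self.threshold:
            return False                  # unknown DN or already locked out
        ok = bool(password) and e.get("userPassword") == password  # empty pw = anonymous bind
        self.failures[dn] = 0 if ok else self.failures.get(dn, 0) + 1
        return ok

def login_with_mail(directory, base, mail, password):
    """Search (as the app account) for the DN owning this mail, then bind as that
    DN with the user's password so the directory, not the app, counts failures."""
    hits = directory.search(base, build_filter("mail", mail))
    if len(hits) != 1:                    # unknown or ambiguous mail: refuse
        return None
    return hits[0] if directory.bind(hits[0], password) else None

USERS = {  # constructed sample entries, one named by cn and one by uid
    "cn=alice,ou=users,dc=example,dc=com": {"mail": "alice@example.com", "userPassword": "s3cret"},
    "uid=bob,ou=users,dc=example,dc=com": {"mail": "bob@example.com", "userPassword": "hunter2"},
}
```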
I think this code will help you resolve the issue of authentication. I've answered there to resolve the issue. You can check out this question: http://bit.ly/TIJMte

What's the difference in using distinguished name with cn or uid when logging into LDAP?

I'm running into a problem using LDAP to authenticate logins.
We are using Novell eDirectory for authentication of other applications like Jira (Jira works perfectly).
I have this application that allows these basic LDAP configurations:
My problem is, when I try to log in, it takes my username XXXXXXXX and prepends it to the search base as uid. So it tries to log me in as:
uid=XXXXXXXX,ou=people,o=mycompany
which would work on our Sun LDAP server, but doesn't work on our Novell eDirectory LDAP server. eDirectory only works when I try to log in as the distinguished name:
cn=XXXXXXXX,ou=people,o=mycompany
Why does eDirectory behave like this?
Is it config that we have specified, or does eDirectory always use cn as the distinguished name?
Thanks
I suggest that it is the application that is 'behaving like this', not eDirectory. Obviously your eDirectory is structured differently from your Sun LDAP server, yet the application is treating them both the same. LDAP servers only execute queries; they don't construct them. The application does that.
The naming attribute is up to the person making the object. However by default most eDirectory tools set it as cn=. If you want, you can create objects as uid= in your eDirectory. It would be hard to convert existing users.
Many LDAP tools that make this assumption will allow you to specify what the naming attribute might be.
Your app is making a bad assumption.
You can add a UID value on each object, the same as the CN, but that would not help since it is not then a naming attribute.
In other words, if the application was doing a query for (uid=XXXXXXXX) then adding a uid value that matches CN would help.
If however it is doing a bind as a specific user, as uid=XXXXXXXX,ou=users,o=mycompany that won't help.

devise_ldap_authenticable - read ldap email from ldap profile

I am using devise_ldap_authenticable and logging in using uid/username. I also have 'config.ldap_create_user = true' in config/initializers/devise.rb
Now when a user logs in for the first time, a user entry is created in the database. But only the username is captured in this entry. However, I would also like to have other details from the user's LDAP profile, such as the email address.
How do I do it?
I forked the project and created a method to query LDAP:
https://github.com/noel/devise_ldap_authenticatable
Used like this to query for the mail parameter:
Devise::LdapAdapter.get_ldap_param(self.username,"mail")