I am making some application in rails in which user needs to be log-in first to see the content. I used devise and ldap_devise_authenticatable to make user log-in through existing LDAP account.
However, when I tried to log in with my account into my application then log-in failure occurs(401 error unauthorized) even though I already have account on ldap.
I am following this tutorial
And following is the screenshot of my ldap server page:
I know the problem is in my ldap configuration file. How can i configure it properly so that my application send correct string to ldap server like in above screenshot
Code of my ldap.yml is as follows:
authorizations: &AUTHORIZATIONS
group_base: ou=groups,dc=test,dc=com
required_groups:
- cn=admins,ou=groups,dc=test,dc=com
- cn=users,ou=groups,dc=test,dc=com
- ["moreMembers", "cn=users,ou=groups,dc=test,dc=com"]
require_attribute:
objectClass: inetOrgPerson
authorizationRole: postsAdmin
## Environment
development:
host: 172.16.100.6
port: 389
attribute: cn
base: ou=People,dc=iitj,dc=ac,dc=in
#admin_user: cn=admin,dc=test,dc=com
#admin_password: admin_password
ssl: false
Have you tried setting attribute: sAMAccountName?
Also you need to set admin_ser and admin_password to match the credentials of the account you have in LDAP.
Related
I'm try to integrate Zabbix UI with Keycloak SSO, using keycloak-proxy.
My setup is the following:
Nginx is the entry point: it handles the "virtual host", forwarding the requests to keycloak-proxy.
Keyclock-proxy is configured with client_id, client_secret, etc. to authenticate the users to Keycloak;
Zabbix dashboard on Apache, default setup: I enable the HTTP authentication.
I've created a test user both in Keycloak and Zabbix.
The authentication flow is ok: I'm redirected to KeyCloak, I do the authentication, but I always get "Login name or password is incorrect." from Zabbix UI.
What am I doing wrong?
Has anyone tried to use OIDC authentication with Zabbix?
I'm using Zabbix 4.0, KeyCloak 4.4, Keycloak-proxy 2.3.0.
keycloak-proxy configuration:
client-id: zabbix-client
client-secret: <secret>
discovery-url: http://keycloak.my.domain:8080/auth/realms/myrealm
enable-default-deny: true
enable-logout-redirect: true
enable-logging: true
encryption_key: <secret>
listen: 127.0.0.1:10080
redirection-url: http://testbed-zabbix.my.domain
upstream-url: http://a.b.c.d:80/zabbix
secure-cookie: false
enable-authorization-header: true
resources:
- uri: /*
roles:
- zabbix
Zabbix expects PHP_AUTH_USER (or REMOTE_USER or AUTH_USER) header with the username, but keycloak-proxy doesn't provide it. Let's use email as a username (you can use any claim from the access token in theory). Add email to the request header in the keycloak-proxy config:
add-claims:
- email
And create PHP_AUTH_USER variable from email header in the Zabbix Apache config:
SetEnvIfNoCase X-Auth-Email "(.*)" PHP_AUTH_USER=$1
Note: Conf syntax can be incorrect because it is off the top of my head - it may need some tweaks.
BTW: there is a (hackish) user patch available - https://support.zabbix.com/browse/ZBXNEXT-4640, but keycloak-gatekeeper is a better solution
For the record: keycloak-proxy = keycloak-gatekeeper (the project was renamed and migrated to keycloak org recently)
I'm having a problem getting LDAP authentication to work. Looking at the logs it seems to bind ok, but when i try to login it doesn't look like its hitting ldap at all and i get authentication failed.
In the logs I see:
2017.03.28 17:17:46 INFO web[org.sonar.INFO] Security realm: LDAP
2017.03.28 17:17:46 INFO web[o.s.p.l.LdapSettingsManager] User mapping: LdapUserMapping{baseDn=ou=people,o=intra,dc=sears,dc=com, request=(&(objectClass=*searsorgperson)(uid={0})), realNameAttribute=cn, emailAttribute=mail}
2017.03.28 17:17:46 INFO web[o.s.p.l.LdapSettingsManager] Groups will not be synchronized, because property 'ldap.group.baseDn' is empty.
2017.03.28 17:17:46 DEBUG web[o.s.p.l.LdapContextFactory] Initializing LDAP context {java.naming.provider.url=ldap://trprdirqr3.intra.searshc.com:389/ou=people,o=intra,dc=sears,dc=com, java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory, com.sun.jndi.ldap.connect.pool=true, java.naming.security.authentication=simple, java.naming.referral=follow}
2017.03.28 17:17:46 INFO web[o.s.p.l.LdapContextFactory] Test LDAP connection on ldap://trprdirqr3.intra.searshc.com:389/ou=people,o=intra,dc=sears,dc=com: OK
2017.03.28 17:17:46 INFO web[org.sonar.INFO] Security realm started
My config has the following:
# General Configuration
sonar.security.realm=LDAP
sonar.authenticator.createUsers=true
sonar.authenticator.class: org.sonar.plugins.ldap.LdapAuthenticator
sonar.security.savePassword=true
sonar.security.updateUserAttributes=true
ldap.url=ldap://trprdirqr3.intra.searshc.com:389/ou=people,o=intra,dc=sears,dc=com
# User Configuration
ldap.user.baseDn=ou=people,o=intra,dc=sears,dc=com
ldap.user.request=(&(objectClass=*searsorgperson)(uid={login}))
ldap.user.realNameAttribute=cn
ldap.user.emailAttribute=mail
According to my LDAP admin, it does an anonumous check when it first comes up, but nothing is else done after that. So for some reason it doesn't seem to be hitting the LDAP server when i login. I don't have any local IDs setup besides admin.
You have not configured an authenticated user to do the search.
That is, the first test, anonymous bind tests the connectivity. But to search for the users DN, you need more than anonymous permissions. Then once the DN is found, bind as the logging in user. But first you need to provide the LDAP DN of the user who is the proxy that can search and its password.
Also you have an asterisk (wildcard) in your objectlass search filter:
ldap.user.request=(&(objectClass=*searsorgperson)(uid={login}))
Or is that formatting symbol? I am not sure ObjectClass can usually be searched that way).
Can someone point me to documentation and/or describe what the LDAP configuration options mean for gerrit's configuration?
Ex: ou= and dc= etc.
I found these details on google's site about ldap configuration for accountBase and groupBase however it too lacks details about what the options/parameters are and what their values should be based on.
https://gerrit-review.googlesource.com/Documentation/config-gerrit.html#ldap
Luckily I blindly copied a co-worker's gerrit server configuration, he's using version 2.1.x. Initially I thought his options were different due to version differences, but then I tried adding his extra fields and my unique ldap account worked with the additional 'ou=' and additional 'dc=' parameters. Error, bad-config and good-config below.
Note: Our company has a single ldap server, but my co-worker's gerrit has a separate ldap log-in than mine. I didn't copy his log-in to get mine working, it was simply the accountBase and groupBase options that made the difference.
Error:
cat log/error_log | tail -n 1
[2015-12-16 17:21:24,144] INFO com.google.gerrit.httpd.auth.ldap.LdapLoginServlet : 'cxxxxt\myaccount' failed to sign in: No such user: cxxxxt\myaccount
Bad config:
[ldap]
server = ldap://crcxxxxt.rxxxxxxxxxxxxxs.com
username = ldap_username_here#crcxxxxt.rxxxxxxxxxxxxxs.com
accountBase = DC=rxxxxxxxxxxxxxs,DC=com
groupBase = DC=rxxxxxxxxxxxxxs,DC=com
Good config:
[ldap]
server = ldap://crcxxxxt.rxxxxxxxxxxxxxs.com
username = ldap_username_here#cxxxxt.rxxxxxxxxxxxxxs.com
accountBase = ou=Cxxxxxs,dc=cxxxxt,dc=rxxxxxxxxxxxxxs,dc=com
groupBase = ou=Cxxxxxs,dc=cxxxxt,dc=rxxxxxxxxxxxxxs,dc=com
http://www.ldapman.org/articles/intro_to_ldap.html
This page describes ou= as organizational unit and dc= as domain components. I'll confirm these with my IT's LDAP configuration settings after the holidays.
Gerrit's site mentions what the separate row/options are but doesn't describe what the syntax of each line should be or what the options are for. For most configuration topics which aren't covered by gerrit's site, external links are provided. This was the only one I found missing for my chosen configuration.
I have set up an ldap authentication using the following configuration. I just need to user to authenticate to the LDAP data store, then have their session get an authentication token. From reading the docs, this is what I am thinking is supposed to happen:
applicationContextSecurity.xml
<ldap-server id="contextSource"
url="ldap://192.168.0.1:389/DC=cn,DC=bleum,DC=com"
manager-dn="cn=buddy,ou=Neil,OU=Development,OU=Micosoft,DC=cn,DC=Micosoft,DC=com"
manager-password="A,1234567890" />
<authentication-manager alias="authenticationManager" erase-credentials="true">
<!--<authentication-provider user-service-ref="securityManagerSupport"/> -->
<ldap-authentication-provider server-ref="contextSource" role-prefix="none" user-search-filter="(uid={0})"
user-search-base="ou=Neil,OU=Development,OU=Micosoft" user-context-mapper-ref="contextMapper">
</ldap-authentication-provider>
</authentication-manager>
<beans:bean id="contextMapper" class="com.micosoft.neil.security.UserDetailsContextMapperSupport"/>
Error:
[DEBUG,FilterBasedLdapUserSearch] Searching for user 'test', with user search [ searchFilter: '(samaccountname={0})', searchBase: 'dc=company,dc=com', scope: subtree, searchTimeLimit: 0, derefLinkFlag: false ]
[DEBUG,AbstractContextSource] Got Ldap context on server 'ldap://adapps.company.com:389/dc=company,dc=com'
[INFO,SpringSecurityLdapTemplate] Ignoring PartialResultException
[DEBUG,XmlWebApplicationContext] Publishing event in Root WebApplicationContext: org.springframework.security.authentication.event.AuthenticationFailureBadCredentialsEvent[source=org.springframework.security.authentication.UsernamePasswordAuthenticationToken#488b5f0b: Principal: test; Password: [PROTECTED]; Authenticated: false; Details: org.springframework.security.web.authentication.WebAuthenticationDetails#fffd148a: RemoteIpAddress: 127.0.0.1; SessionId: 0718B7EED3F930C63C03DA97C4344CBD; Not granted any authorities]
[DEBUG,UsernamePasswordAuthenticationFilter] Authentication request failed: org.springframework.security.authentication.BadCredentialsException: Bad credentials
[DEBUG,UsernamePasswordAuthenticationFilter] Updated SecurityContextHolder to contain null Authentication
[DEBUG,UsernamePasswordAuthenticationFilter] Delegating to authentication failure handlerorg.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler#395158
[DEBUG,TokenBasedRememberMeServices] Interactive login attempt was unsuccessful.
[DEBUG,TokenBasedRememberMeServices] Cancelling cookie
From the result, it looks like the password was incorrect, so if you were trying to enter an incorrect user / password, then yes, that is what is expected.
Really not sure what your question is though? Were you expecting something different? Did you pass the correct credentials?
I have the same error with pretty much the same configuration. I can't give you an answer yet (sorry!), but running a debugger through the Spring classes, it seems they're trying to compare the password the user entered as a string (and the debugger confirms it is the correct password) to a password retrieved from LDAP - which is null - which then fails.
I have set up an ldap authentication using the following configuration. I just need to user to authenticate to the LDAP data store, then have their session get an authentication token. From reading the docs, this is what I am thinking is supposed to happen:
Authenticate as the manager, find the users full dn based on search criteria
Attempt to bind as the user (using their full dn) and the provided password
The logs dont seem to give enough information as to why this is failing. It just says invalid credentials - when I know they are valid. My thoughts are one of the following is happening:
The users full DN is not being found, and they are just being authenticated with the username
It is trying to do a password compare, vs actually trying to bind to the directory
Configuration:
<ldap-server
url="ldap://adapps.company.com:389/dc=company,dc=com"
manager-dn="cn=fulluserdn,dc=company,dc=com"
manager-password="password"/>
<ldap-user-service user-search-base="" user-search-filter="(samaccountname={0})"/>
<authentication-manager>
<ldap-authentication-provider user-search-filter="(samaccountname={0})" user-search-base="dc=company,dc=com"/>
</authentication-manager>
Error logs:
[DEBUG,FilterBasedLdapUserSearch] Searching for user 'test', with user search [ searchFilter: '(samaccountname={0})', searchBase: 'dc=company,dc=com', scope: subtree, searchTimeLimit: 0, derefLinkFlag: false ]
[DEBUG,AbstractContextSource] Got Ldap context on server 'ldap://adapps.company.com:389/dc=company,dc=com'
[INFO,SpringSecurityLdapTemplate] Ignoring PartialResultException
[DEBUG,XmlWebApplicationContext] Publishing event in Root WebApplicationContext: org.springframework.security.authentication.event.AuthenticationFailureBadCredentialsEvent[source=org.springframework.security.authentication.UsernamePasswordAuthenticationToken#488b5f0b: Principal: test; Password: [PROTECTED]; Authenticated: false; Details: org.springframework.security.web.authentication.WebAuthenticationDetails#fffd148a: RemoteIpAddress: 127.0.0.1; SessionId: 0718B7EED3F930C63C03DA97C4344CBD; Not granted any authorities]
[DEBUG,UsernamePasswordAuthenticationFilter] Authentication request failed: org.springframework.security.authentication.BadCredentialsException: Bad credentials
[DEBUG,UsernamePasswordAuthenticationFilter] Updated SecurityContextHolder to contain null Authentication
[DEBUG,UsernamePasswordAuthenticationFilter] Delegating to authentication failure handlerorg.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler#395158
[DEBUG,TokenBasedRememberMeServices] Interactive login attempt was unsuccessful.
[DEBUG,TokenBasedRememberMeServices] Cancelling cookie
The problem was teat the LDAP server was running on a different port, but the normal port was still open.