LDAP users are not put automatically into LDAP group in Jira - ldap

I have Jira 5.x installed locally and an OpenLDAP server with users and groups. The synchronisation in Jira gets all users and groups perfectly, but the users do not belong to any group. I've set the default groups to enable LDAP users to log in to Jira.
What am I doing wrong?
This is the LDAP schema:
dn: uid=demo.user#domain.com,ou=intern,ou=people,dc=company,dc=local
objectClass: posixAccount
objectClass: account
objectClass: ldapPublicKey
homeDirectory: /home/demouser
loginShell: /bin/bash
cn: Demo User
uidNumber: 10001
gidNumber: 10001
userPassword: {SSHA}xxxxxxxxxxx
uid: demo.user#domain.com

dn: cn=groupname,ou=project,ou=group,dc=company,dc=local
objectClass: posixGroup
description: a funny group for a project
gidNumber: 10018
cn: groupname
memberUid: demo.user#domain.com
memberUid: xyz
memberUid: ...
If I run the test in Jira, I get the following error message:
Test get user's memberships with 0 groups retrieved. : Failed
And these are the Settings in Jira:

We experienced a similar problem. It seemed that JIRA insists on including the User Membership Attribute - which is from the user schema - such as "memberOf", regardless of whether you already have the Group Members Attribute. However, it should be an either / or option - either Group Membership Attribute (e.g. memberUid in the group schema) OR User Membership Attribute (e.g. memberOf in the user schema), as they fulfil more or less the same function.
The problem was solved when we noticed there are actually two closely related options for the directory type: "OpenLDAP" and "OpenLDAP (Read-only Posix Schema)". As we were using the posixGroup schema (as in your example), choosing the Read-only Posix Schema solved the issue. If you go to the Server Settings section at the top, you should see both options in the drop down list.
In addition, you should be able to switch from "Read Only, with Local Groups" to "Read Only" in the LDAP Permissions section (if you wanted to). One caveat is that we were using the inetOrgPerson and shadowAccount schemas (rather than account, as in your example) in conjunction with posixAccount for the user schemas.
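As an added illustration (not the questioner's or Atlassian's code) of why the membership test returns 0 groups, the script below resolves a user's groups both ways a directory connector can: from a user-side attribute (memberOf) and from a group-side member attribute, using entries constructed to match the LDIF in the question. The object-class/attribute pairs for the two Jira directory types named in the answer are my assumption of Jira's defaults.

```python
# Constructed entries mirroring the LDIF in the question (not a live directory).
USER_DN = "uid=demo.user#domain.com,ou=intern,ou=people,dc=company,dc=local"
GROUP_DN = "cn=groupname,ou=project,ou=group,dc=company,dc=local"
DIRECTORY = [
    {"dn": USER_DN, "objectClass": ["posixAccount", "account"], "uid": ["demo.user#domain.com"]},
    {"dn": GROUP_DN, "objectClass": ["posixGroup"], "cn": ["groupname"],
     "memberUid": ["demo.user#domain.com", "xyz"]},
]

# Assumed group mapping of the two Jira directory types named in the answer: plain "OpenLDAP"
# expects DN-valued uniqueMember on groupOfUniqueNames, the Posix type expects uid-valued
# memberUid on posixGroup.
PROFILES = {
    "OpenLDAP": dict(group_class="groupOfUniqueNames", member_attr="uniqueMember", by_dn=True),
    "OpenLDAP (Read-only Posix Schema)": dict(group_class="posixGroup", member_attr="memberUid", by_dn=False),
}

def _norm(value):
    """DNs and uids compare case-insensitively in LDAP; normalise before matching."""
    return value.strip().lower()

def find_entry(entries, dn):
    """Return the entry with this DN, or None when the directory has no such entry."""
    return next((e for e in entries if _norm(e["dn"]) == _norm(dn)), None)

def groups_via_user_attribute(entries, user_dn, attr="memberOf"):
    """User-side lookup: the user entry itself must carry the group DNs
    (memberOf overlay on OpenLDAP, native on Active Directory)."""
    user = find_entry(entries, user_dn)
    return sorted(user.get(attr, [])) if user else []

def groups_via_group_attribute(entries, user_dn, profile):
    """Group-side lookup: scan groups of the profile's object class for a member value naming the user."""
    user = find_entry(entries, user_dn)
    if user is None:
        return []
    key = _norm(user_dn if profile["by_dn"] else user["uid"][0])
    return sorted(g["dn"] for g in entries if profile["group_class"] in g["objectClass"]
                  and key in map(_norm, g.get(profile["member_attr"], [])))

def membership_test(entries, user_dn, profile):
    """Simplified form of Jira's membership test: count the groups either lookup finds."""
    found = set(groups_via_user_attribute(entries, user_dn)) | set(groups_via_group_attribute(entries, user_dn, profile))
    return len(found), "Passed" if found else "Failed"
```

With the posixGroup entries above, only the Posix profile finds the group; the user-side memberOf lookup and the plain OpenLDAP profile both return nothing, which is the "0 groups retrieved" result.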

Related

Nexus Repository Manager configure OpenLDAP to allow users in a specific group only

I'm trying to configure Nexus 3.42.0-01 with OpenLDAP.
I set the configuration as below:
LDAP server address: ldaps://192.168.0.1:636
Search Base DN: dc=my,dc=domain,dc=local
Authentication Method: Simple Authentication
Username: uid=appauth,ou=auth,ou=nexus_cicd,ou=Applications,dc=my,dc=domain,dc=local
Password: ********
User relative DN: <blank>
User subtree: <checked>
Object Class: inetOrgPerson
User filter: <blank>
User ID attribute: uid
Real name attribute: cn
Email attribute: mail
Map LDAP groups roles: <checked>
Group type: Dynamic Groups
Group member of attribute: memberOf
I can view all users, but my problem is: how can I restrict access to only users of a specific group?
Thanks for your support.
It depends on your needs, and how you define "restrict access".
You can create an external role mapping (only) for that specific group, a role to which you can assign the privileges you want, and the restricted users that are not members of that group would get the role 'anonymous'.
Or, if you don't want the restricted users to appear at all in Nexus and/or if they shouldn't authenticate, you can just use a filter to exclude them, e.g.
User filter: (memberOf=<groupDN>)
Optionally, you could also refine the base search, e.g.
User relative DN: ou=Users
... but this will probably not be sufficient to apply the restriction.

Google Admin - role privileges relation to specific APIs not found

A table for each API showing which privilege is required would be VERY useful - I assume one exists, but Googling gives no such thing!
In my case I need to know what (minimal) role privilege(s) is/are required for the https://www.googleapis.com/admin/directory/v1/customers/my_customer API (GET). Unless I have "Super Admin" turned on I don't have access to this API (403); then I have tried various combinations of the privileges added with "Super Admin" with no success.
Regards
Linden
You are right, Super Admin is necessary in order to call customers.get. Even if a custom role is created with all possible privileges, 403 is given as long as Super Admin role is not set.
Request feature:
Regarding a table relating admin privileges and API methods, you could try requesting it via Send feedback at the Admin SDK documentation page or at Admin roles for businesses.

ldap filter in omniauth ldap module not working in discourse

I am currently trying to configure Discourse to only allow users in a specific LDAP group to log in. Discourse has a plugin called discourse-ldap-auth ( https://github.com/jonmbake/discourse-ldap-auth ). This plugin uses the omniauth ldap module: https://github.com/omniauth/omniauth-ldap
My discourse plugin configuration (the configuration is actually used by the discourse plugin for the omniauth ldap module):
ldap enabled: true
ldap hostname: the hostname of my ldap server
ldap port: 389
ldap method: plain
ldap base: the base of my ldap server
ldap uid: userPrincipalName
ldap bind dn: Nothing
ldap password: Nothing
ldap filter: (&(userPrincipalName=%{username})(memberOf=cn=[the name of the required group],ou=....,[base]))
When using this configuration, nobody can log in to the forum. When I use the bind DN and password, everybody can log in.
I also tried this filter without success (copied from my LDAP server's filter):
(&(&(&(userPrincipalName=%{username})(memberOf=[dn of the group]))))
What do I have to configure to only allow users in that specific group to log in?
I didn't find any errors or indicators in the log. Please help!
Thanks for your help and attention!
You do need the "ldap dn" and "ldap password". Those are the credentials used to authenticate to LDAP so you can lookup people's accounts. Usually, that is a service account only used by your application.
The filter should probably look something like this:
(&(sAMAccountName=%{username})(memberOf:1.2.840.113556.1.4.1941:=[dn of the group]))
Users will usually log in with the sAMAccountName, which is usually called just the "username". Whenever you see an account in the DOMAIN\username format, that username is the sAMAccountName.
The userPrincipalName is usually in the format of username@domain.com. It is sometimes the same as the email address, but it doesn't have to be.
The crazy number I put in that query tells Active Directory to search recursively through groups. So that would allow you to put groups into your authentication group, and members of that new group would be given access to your application too. Without that, only direct members of that group will have access.
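Added example (not from the answerer or the omniauth-ldap project) showing the difference between direct and chained membership that the OID above turns on, over a small constructed set of nested groups; `build_filter` fills the answer's template and escapes the login name so it cannot alter the filter's structure. Group and user DNs are made up.

```python
# Constructed AD-style groups keyed by DN (not a live directory); team-a-leads points back to team-a on purpose.
G, P = "ou=groups,dc=example,dc=com", "ou=people,dc=example,dc=com"
GROUPS = {
    f"cn=forum-users,{G}": [f"cn=alice,{P}", f"cn=team-a,{G}"],
    f"cn=team-a,{G}": [f"cn=bob,{P}", f"cn=team-a-leads,{G}"],
    f"cn=team-a-leads,{G}": [f"cn=carol,{P}", f"cn=team-a,{G}"],  # cycle
}
CHAIN_RULE = "1.2.840.113556.1.4.1941"  # LDAP_MATCHING_RULE_IN_CHAIN, the OID used in the answer

def _norm(dn):
    """DNs compare case-insensitively; normalise before any comparison."""
    return dn.strip().lower()

def direct_members(groups, group_dn):
    """Plain (memberOf=<group>) semantics: only the values listed on that one group."""
    return {_norm(m) for m in groups.get(group_dn, [])}

def transitive_members(groups, group_dn):
    """What memberOf:<CHAIN_RULE>:=<group> matches: users of the group and of every group
    nested below it; each group is visited once, so the cycle above cannot loop forever."""
    lookup = {_norm(dn): members for dn, members in groups.items()}
    seen, users, stack = set(), set(), [_norm(group_dn)]
    while stack:
        group = stack.pop()
        if group in seen:
            continue
        seen.add(group)
        for member in map(_norm, lookup.get(group, [])):
            if member in lookup:      # a nested group: descend into it
                stack.append(member)
            else:                     # a leaf entry, i.e. a user
                users.add(member)
    return users

def login_allowed(groups, user_dn, required_group_dn, recursive):
    """Decide the login the answer's filter expresses, with or without the chain rule."""
    resolve = transitive_members if recursive else direct_members
    return _norm(user_dn) in resolve(groups, required_group_dn)

def build_filter(username, group_dn, recursive=True):
    """Fill the answer's filter template; the login name is escaped per RFC 4515 so that
    ( ) * \\ or NUL in it cannot change the filter's structure (LDAP filter injection)."""
    escaped = "".join(f"\\{ord(c):02x}" if c in "\\*()\0" else c for c in username)
    rule = f":{CHAIN_RULE}:" if recursive else ""
    return f"(&(sAMAccountName={escaped})(memberOf{rule}={group_dn}))"
```

Without the chain rule only alice (a direct member of forum-users) passes; with it, bob and carol pass through the nested groups, and the cycle between team-a and team-a-leads is traversed once and ignored.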

Liferay 5.2 LDAP login method: check users only in specific groups

I use Liferay 5.2, I can integrate LDAP correctly with Liferay, and I activated LDAP in login.
I also managed to import only the users from LDAP which exist in my groups, using this configuration:
My problem now is that when I try to log in to Liferay,
it checks whether the user exists in all locations in LDAP.
I want the login step to check whether the user exists only in the specific groups that are in my configuration.
Meaning, at login, check the user only in:
testGroup1 and testGroup2, and not in all locations in LDAP

Nexus and OpenLDAP authentication

I'm trying to configure my Nexus instance, 2.11, to integrate with LDAP (OpenLDAP) with SSL.
It appears to work with the settings below:
Connection
Protocol: ldaps
Hostname: mydomain.local
Port: 636
Search Base: dc=mydomain,dc=local
Authentication
Auth. Method: Simple Authentication
SASL Realm:
Username: dc=admi,dc=mydomain,dc=local
Password: MySuperSecretPassword
When I click on Check Authentication it returns:
LDAP connection and authentication test completed Successfully.
Then in sections:
User Element Mapping
Base DN: ou=users
User subtree: (but it doesn't appear to affect anything)
Object class: inetOrgPerson
User filter:
User ID Attribute: uid
Real Name Attribute: cn
E-Mail Attribute: mail
Password Attribute:
Group Element Mapping
Then clicking on Check User Mapping, it returns all the users in the LDAP directory.
It's good, but... when I try to log in with any user, it returns:
Incorrect username, password or no permission to use Nexus User
Interface. Try again. Please login before attempting further requests.
I tried to map a user from LDAP in the User Management interface and give this user the Nexus Administrator role; I tried to give all roles to this user, but I always get the same error above.
Is there any other configuration needed to make it work?
Thanks!
In the administration sidebar, click 'server'
Enable "OSS LDAP Authentication Realm" in the security realm.
There is a feature request to make this more visible.
https://issues.sonatype.org/browse/NEXUS-4062