Unable to get Apache Archiva working with LDAP - ldap

I have uncommented the LDAP and UserMapper connectors in application.xml
I know my LDAP credentials (binddn, hostname, etc) are all working, because I use LDAP authentication and authorization for other apps on my server.
All I've done is make the changes to application.xml and security.properties. Is there something else I'm supposed to do?
When I try to log in with a user from LDAP, it is unsuccessful. Is there a log file I can check to see what's going wrong? I find the Archiva documentation to be sparse and laconic.
Here is my security.properties file (some values have been altered); maybe someone can verify the structure is intact:
# LDAP
user.manager.impl=ldap
ldap.bind.authenticator.enabled=true
redback.default.admin=admin
security.policy.password.expiration.enabled=false
ldap.config.hostname=localhost
ldap.config.port=389
ldap.config.base.dn=domainName=mydomain.com,o=domains,dc=mydomain,dc=com
ldap.config.context.factory=com.sun.jndi.ldap.LdapCtxFactory
ldap.config.bind.dn=cn=Manager,dc=mydomain,dc=com
ldap.config.password=mypass
ldap.config.mapper.attribute.email=mail
ldap.config.mapper.attribute.fullname=displayName
ldap.config.mapper.attribute.password=userPassword
ldap.config.mapper.attribute.user.id=mail
ldap.config.mapper.attribute.user.base.dn=ou=Users
ldap.config.mapper.attribute.user.object.class=inetOrgPerson
ldap.config.mapper.attribute.user.filter=(objectclass=inetOrgPerson)
Also, the config.mapper.attribute.user.base.dn confuses me. The base DN of my users is here:
ou=Users,domainName=mydomain.com,o=domains,dc=mydomain,dc=com
So does that mean for base DN I put: domainName=scoresecret.com,o=domains,dc=scoresecret,dc=com
and for config.mapper.attribute.user.base.dn: ou=Users
Let me know if I'm doing something wrong, if I'm forgetting to do something to "switch LDAP on", and if I can find some logs to point me in the right direction. Thanks a ton

Make sure you have configured an admin user that exists in LDAP - at the moment there's no way to use an internal user for that.
redback.default.admin=admin
Replace admin with a role account in your LDAP server that can be used for this.
Here is a configuration template I use which should show the values you'd need to populate:
https://github.com/maestrodev/puppet-archiva/blob/master/templates/security.properties.erb
It seems the main difference could be the user filter being empty?
(See also the thread on users@archiva.apache.org: http://s.apache.org/KDj)

Related

Gitlab blocks user for a mistake in LDAP DN due to case-sensitive differences

I'm trying to connect GitLab with LDAP to centralize my authentication.
I'm having a problem when I try to log in because GitLab blocks the users.
The base_dn where the users are is ou=People,dc=dominio,dc=com
When I try to log in, all works fine until GitLab does a sync and blocks the user, because in the GitLab database the base_dn is saved in lowercase.
LDAP account "uid=user1,ou=people,dc=dominio,dc=com" does not exist anymore, blocking GitLab user "Usuario" (user1@dominio.com)
GitLab is able to read all the info from the user in the LDAP and also create the user in the GitLab system (full name, email, etc.).
User "Usuario" (user1@dominio.com) was created
But later it blocks the user and I'm not able to log in; every time I unblock manually, GitLab blocks it again.
Here is the whole process:
User "Usuario" (user1@dominio.com) was created
(LDAP) saving user user1@dominio.com from login with admin => false, extern_uid => uid=user1,ou=people,dc=dominio,dc=com
LDAP account "uid=user1,ou=people,dc=dominio,dc=com" does not exist anymore, blocking GitLab user "Usuario" (user1@dominio.com)
When I check the user profile it shows this info:
LDAP uid: uid=user1,ou=people,dc=dominio,dc=com
In the LDAP the real path is:
uid=user1,ou=People,dc=dominio,dc=com
Any idea how to tell GitLab to respect the uppercase, or not to be case-sensitive?
LDAP itself is case-insensitive, so in queries against LDAP it doesn't matter. GitLab tries to normalize all DNs to lowercase before comparing values on its side since GitLab itself is case-sensitive.
With that in mind, I'm not clear where you're running into problems. It sounds like it's probably a bug if it really is related to the case. It's also possible there's another issue causing the user sync to block your user(s).
If you have clear reproduction steps the best bet is probably to create an issue at https://gitlab.com/gitlab-org/gitlab-ce/issues. Tag the issue with ~ldap and ping me (@dblessing). Happy to try to reproduce.
Finally I found the solution.
The user_filter I used had an issue: it doesn't support omniauth-ldap's custom filter syntax.
I was using
user_filter: '(&(objectclass=*)(memberof=cn=gitlab,ou=Groups,dc=dominio,dc=com)(uid=%{username}))'
But I changed it to something simpler:
user_filter: '(memberof=cn=infra_gitlab,ou=Groups,dc=dominio,dc=com)'
And it started to work...
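The two DN questions in the Archiva thread above (how a relative user base DN such as ou=Users combines with the configured base DN) and in this GitLab thread (whether uid=user1,ou=people,... and uid=user1,ou=People,... name the same entry) come down to how DNs are parsed and compared. The following is an added example, not code from Archiva, Redback or GitLab: a small RFC 4514 DN parser with a case-insensitive comparison and a canonical lower-case form. It assumes caseIgnore matching for the naming attribute values (true for DirectoryString attributes like ou, cn, uid and dc, not for every attribute syntax), and it assumes, for compose_dn, that the product treats the user base DN as relative to the base DN; neither product's actual behaviour is claimed here.

```python
"""Offline DN parsing, normalisation and comparison (added example; not code from
Archiva, Redback or GitLab). Simplified RFC 4514 handling: attribute types are
case-insensitive and values are compared with caseIgnore matching (assumption:
holds for DirectoryString naming attributes, not for every attribute syntax)."""
import re
from typing import List, Tuple

RDN = List[Tuple[str, str]]          # one RDN: sorted list of (type, value) pairs
_HEXPAIR = re.compile(r"^[0-9A-Fa-f]{2}$")
_SPECIAL = set(',+"\\<>;')


def _split_unescaped(s: str, seps: str) -> List[str]:
    """Split s on any separator in seps that is not preceded by a backslash."""
    parts, cur, i = [], [], 0
    while i < len(s):
        c = s[i]
        if c == "\\" and i + 1 < len(s):          # keep the escape pair together
            cur.extend((c, s[i + 1]))
            i += 2
            continue
        if c in seps:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(c)
        i += 1
    parts.append("".join(cur))
    return parts


def _unescape(v: str) -> str:
    """Resolve \\X and \\hh escapes; hex pairs are UTF-8 bytes, so collect then decode."""
    buf, i = bytearray(), 0
    while i < len(v):
        if v[i] == "\\" and i + 1 < len(v):
            pair = v[i + 1:i + 3]
            if len(pair) == 2 and _HEXPAIR.match(pair):
                buf.append(int(pair, 16))
                i += 3
            else:
                buf.extend(v[i + 1].encode("utf-8"))
                i += 2
        else:
            buf.extend(v[i].encode("utf-8"))
            i += 1
    return buf.decode("utf-8", "replace")


def _escape(v: str) -> str:
    """Re-escape a value for string output (RFC 4514 rules)."""
    out = "".join("\\" + c if c in _SPECIAL else c for c in v)
    if out.startswith((" ", "#")):
        out = "\\" + out
    if out.endswith(" "):
        out = out[:-1] + "\\ "
    return out


def parse_dn(dn: str) -> List[RDN]:
    """Parse a DN string into RDNs; types and values are lower-cased."""
    rdns: List[RDN] = []
    for raw_rdn in _split_unescaped(dn, ","):
        raw_rdn = raw_rdn.lstrip()
        if not raw_rdn.strip():
            raise ValueError(f"empty RDN in {dn!r}")
        avas: RDN = []
        for ava in _split_unescaped(raw_rdn, "+"):
            if "=" not in ava:
                raise ValueError(f"attribute without '=': {ava!r}")
            typ, val = ava.split("=", 1)
            val = val.lstrip(" ")
            while val.endswith(" ") and not val.endswith("\\ "):   # keep an escaped trailing space
                val = val[:-1]
            avas.append((typ.strip().lower(), _unescape(val).lower()))
        rdns.append(sorted(avas))                 # multi-valued RDNs compare order-independently
    return rdns


def normalize_dn(dn: str) -> str:
    """Canonical lower-case string form, usable as a map key."""
    return ",".join("+".join(f"{t}={_escape(v)}" for t, v in rdn) for rdn in parse_dn(dn))


def dn_equal(a: str, b: str) -> bool:
    """Directory-style comparison: case and spacing around separators do not matter."""
    return parse_dn(a) == parse_dn(b)


def compose_dn(relative: str, base: str) -> str:
    """Prefix a relative DN (e.g. Archiva's 'ou=Users') to the base DN.
    Assumption: the product treats the user base DN setting as relative."""
    parse_dn(relative)                            # both parts must be valid on their own
    parse_dn(base)
    return f"{relative.strip()},{base.strip()}"


if __name__ == "__main__":
    # DNs from the GitLab thread: the stored (lower-cased) DN vs. what the directory returns.
    print(dn_equal("uid=user1,ou=people,dc=dominio,dc=com",
                   "uid=user1,ou=People,dc=dominio,dc=com"))          # True
    print(normalize_dn("CN=Doe\\, John, OU=People, DC=Example, DC=com"))
    # Archiva thread: the user base DN relative to the configured base DN.
    print(compose_dn("ou=Users", "domainName=mydomain.com,o=domains,dc=mydomain,dc=com"))
```

Applications that store a DN and later compare it against what the directory returns should compare parsed RDNs (or a canonical form like normalize_dn) rather than raw strings; the two DNs from the GitLab log above are equal under dn_equal.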

LDAP users are not getting listed under WebSphere manage user?

I am doing an LDAP with WebSphere setup. I did all the primary steps; in the DN I am using OU=Users, O= O=IN.
For the federated repository in WebSphere, for PersonAccount I gave the same DN name, and in filters I used (objectclass=user). But in Manage Users, no user is getting listed.
Turn on the following trace: com.ibm.ws.wim.*=all.
Restart your server. Go to the admin console and click Manage Users.
Look in the logs for "JNDI_CALL search".
You will see the filter being used, e.g. (&(objectClass=inetorgperson)(uid=*)), and the baseDn being searched. Verify these are correct by comparing to the LDIF of a user you expect to see, or by using the ldapsearch utility. It is probably not correct, so take action to fix the filter.

Liferay LDAP Authentication does not work properly

I am using Liferay 6.2 and I am trying to do LDAP authentication. The LDAP server is provided by another organization and I do not have access to any configuration; I just have credentials for a system account to look up the directory. When I try to log in to Liferay with user credentials from the LDAP server, the authentication fails with the following error:
13:54:05,738 ERROR [http-bio-8080-exec-3][LDAPAuth:341] Problem accessing LDAP server
javax.naming.NameNotFoundException: [LDAP: error code 32 - 0000208D: NameErr:
DSID-0315270B, problem 2001 (NO_OBJECT), data 0, best match of:
'O=uni,C=de' remaining name 'ou=people,o=uni,c=de'
This is the same error that occurs when trying to log in with a user that does not exist in the LDAP directory. Nevertheless, the mapping still works: after trying to log in with valid user credentials there is an entry in the Liferay database with the corresponding user data. Accessing Liferay is not possible though.
These are my settings in portal-ext.properties (Test LDAP Connection returns success; connection settings are pseudonymised):
ldap.base.provider.url=ldaps://ldap.ldap-server
ldap.base.dn=ou=people,o=uni,c=de
ldap.security.principal=uid=prox,ou=prox,o=uni,c=de
ldap.security.credentials=secret
#auth.pipeline.enable.liferay.check=false
ldap.auth.enabled=true
ldap.auth.required=true
ldap.auth.method=bind
ldap.import.enabled=false
ldap.import.on.startup=false
ldap.import.interval=10
ldap.export.enabled=false
ldap.export.group.enabled=false
ldap.auth.search.filter=(uid=@screen_name@)
ldap.import.user.search.filter=(objectClass=inetOrgPerson)
ldap.attrs.transformer.impl=com.liferay.portal.security.ldap.DefaultAttributesTransformer
ldap.user.mappings=screenName=cn\npassword=userPassword\nfirstName=givenName\nlastName=sn\njobTitle=title\ngroup=groupMembership
users.email.address.required=false
users.email.address.auto.suffix=@no-emailaddress.com
users.email.address.generator=com.liferay.portal.security.auth.DefaultEmailAddressGenerator
users.email.address.validator=com.liferay.portal.security.auth.DefaultEmailAddressValidator
ldap.password.policy.enabled=false
ldap.import.user.password.enabled=true
ldap.import.user.password.autogenerated=false
ldap.import.user.password.default=test
Check the FQDN on the LDAP side, including the prefixes (cn, ou, etc.), and ensure that it matches the directory configuration within Liferay.
You can try configuring it from the control panel; it will be easier for you, as it allows you to check whether the connection is made or not. You can check whether the users are fetched or not, and it doesn't even need a server restart.
It works now. There were two issues:
I changed ldap.base.dn=ou=people,o=uni,c=de to ldap.base.dn=o=uni,c=de and
ldap.import.user.search.filter=(objectClass=inetOrgPerson) to ldap.import.user.search.filter=(objectClass=*)

TeamCity LDAP configuration problems

I'm trying to configure LDAP authentication for TeamCity but can't get it to work. I already configured some other services on this server to authenticate using LDAP and had no problems (so it's not the fault of the DC).
Following describes my config file:
java.naming.provider.url=ldap://192.168.0.123:389/DC=server,DC=example,DC=com
java.naming.security.principal=ldap-user
java.naming.security.credentials=jE&4i.%$lpDr3#?
java.naming.security.authentication=simple
teamcity.users.login.filter=(&(sAMAccountName=$capturedLogin$)(memberOf=CN=Group1,CN=Users,DC=server,DC=example,DC=com))
teamcity.users.username=sAMAccountName
teamcity.auth.loginFilter=[^/\\\\#]+
teamcity.options.users.synchronize=false
teamcity.options.groups.synchronize=false
When I set authentication to 'none' it works (but then I can't restrict access to a specific group). I also tried using the full user name (including the domain, i.e. DOMAIN\ldap-user) and also tried the full DN instead, but it didn't change anything.
In the log I see that the LDAP server returns error code 49, which means that the bind failed. As mentioned before, I already configured other services on this server to authenticate with the same LDAP server and the same bind user and had no problems.
Does anybody know how to solve this issue?
Thanks in advance!
This is my configuration and it is working fine. Synchronization is allowed, so information like email and name is not available, but it enables login with NT ID and credentials.
java.naming.provider.url=ldap://amer.xxxx.com:389/DC=amer,DC=xxxx,DC=com
java.naming.security.principal=CN=SRVAMR-xxx,OU=CMAPPS,OU=Service,OU=Accounts,DC=amer,DC=xxxx,DC=com
java.naming.security.credentials=Pf867955
teamcity.users.login.filter=(&(sAMAccountName=$capturedLogin$)(memberOf=CN=AMR-GENOME-L,OU=GMA,OU=Security,OU=Groups,DC=amer,DC=xxxx,DC=com))
teamcity.users.username=sAMAccountName
I hope this helps you.

after ldaps config, ldapsearch does not display entries

I configured LDAPS by referring to http://linuxtechres.blogspot.com/2010/04/how-to-configure-ldaps-or-starttls.html.
After that, when I try ldapsearch, it won't display any results.
The entries are there in LDAP, as I get an error if I try to ldapadd them.
If I remove the TLS-related info from ldap.conf and slapd.conf, ldapsearch works nicely and displays all entries.
Can someone help please?
Do you have some minimum level of confidentiality required in your config file? Also the way the ACLs work is that they stop processing after the first hit (in general) so if you have an ACL on a specific user type that is extremely limiting that may be what causes your situation. The admin account can always see everything in case you do mess things up.
Probably late for this, but... Have you tried the ldapsearch/ldapadd option "-ZZ"?
What you want to do is look at the slapd.log file and see what error the OpenLDAP server is returning when you try to connect. Then you will have a hint of where to go next.