Config is OK
according to the log 3 referral entries were found, but skipped:

WARN 09-23 10:10:58.300 o.a.o.l.LdapLoginManagement:287 [http-nio-0.0.0.0-5080-exec-7] - Referral LDAP entry found, ignore it
WARN 09-23 10:10:58.301 o.a.o.l.LdapLoginManagement:287 [http-nio-0.0.0.0-5080-exec-7] - Referral LDAP entry found, ignore it
WARN 09-23 10:10:58.301 o.a.o.l.LdapLoginManagement:287 [http-nio-0.0.0.0-5080-exec-7] - Referral LDAP entry found, ignore it

not sure why :(
Unfortunately I'm not very good in LDAP, and not sure what referral entries are ... and why they are not "dereferred"
I'll try to check the code

ldap_deref_mode=always

On Wed, Sep 23, 2015 at 9:35 PM, Thirumal Karra <tka...@deepsea-tech.com> wrote:

> Here's the configuration
>
> ldap_conn_host=IP Address
> ldap_conn_port=389
> ldap_conn_secure=false
>
> # Login distinguished name (DN) for Authentication on LDAP Server - keep empty if not required
> # Use full qualified LDAP DN
> ldap_admin_dn=CN=Firstname Lastname,CN=Users,DC=DOMAIN,DC=com
>
> # Loginpass for Authentication on LDAP Server - keep empty if not required
> ldap_passwd=Password
>
> # base to search for userdata(of user, that wants to login)
> ldap_search_base=DC=DOMAIN,DC=com
>
> # Fieldnames (can differ between Ldap servers)
> ldap_search_query=(sAMAccountName=%s)
>
> # the scope of the search might be: OBJECT, ONELEVEL, SUBTREE
> ldap_search_scope=SUBTREE
>
> # Ldap auth type(NONE, SEARCHANDBIND, SIMPLEBIND)
> # When using SIMPLEBIND a simple bind is performed on the LDAP server to check user authentication
> # When using NONE, the Ldap server is not used for authentication
> ldap_auth_type=SEARCHANDBIND
>
> # userDN format, will be used to bind if ldap_auth_type=SIMPLEBIND
> # might be used to get provisionningDn in case ldap_auth_type=NONE
> ldap_userdn_format=sAMAccountName=%s,DC=DOMAIN,DC=com
>
> # Ldap provisioning type(NONE, AUTOCREATE, AUTOUPDATE)
> ldap_provisionning=AUTOCREATE
>
> # Ldap deref mode (never, searching, finding, always)
> ldap_deref_mode=always
>
> # Set this to 'true' if you want to use admin_dn to get user attributes
> # If any other value is set, user_dn will be used
> ldap_use_admin_to_get_attrs=true
>
> # Ldap-password synchronization to OM DB
> # Set this to 'true' if you want OM to synchronize the user Ldap-password to OM's internal DB
> # If you want to disable the feature, set this to any other string.
> # Default value is 'true'
> ldap_sync_password_to_om=true
>
> # Ldap user attributes mapping
> # Set the following internal OM user attributes to their corresponding Ldap-attribute
> ldap_user_attr_lastname=sn
> ldap_user_attr_firstname=givenName
> ldap_user_attr_mail=mail
> ldap_user_attr_street=streetAddress
> ldap_user_attr_additionalname=description
> ldap_user_attr_fax=facsimileTelephoneNumber
> ldap_user_attr_zip=postalCode
> ldap_user_attr_country=co
> ldap_user_attr_town=l
> ldap_user_attr_phone=telephoneNumber
>
> # optional, only absolute URLs make sense
> #ldap_user_picture_uri=profile.jpg
>
> # optional
> # the timezone has to match any timezone available in Java, otherwise the timezone defined in the value of
> # the conf_key "default.timezone" in OpenMeetings "configurations" table
> #ldap_user_timezone=timezone
>
> # Ldap ignore upper/lower case, convert all input to lower case
> ldap_use_lower_case=false
>
> ------------------------------
> *From:* Thirumal Karra <tka...@deepsea-tech.com>
> *Sent:* Wednesday, September 23, 2015 10:31 AM
> *To:* user@openmeetings.apache.org
> *Subject:* RE: [HELP NEEDED] LDAP import AD groups
>
> I am 100% sure the password is correct. I tried with multiple users and got the same error.
>
> Best Regards
>
> Thirumal
>
> *From:* Maxim Solodovnik [mailto:solomax...@gmail.com]
> *Sent:* Wednesday, September 23, 2015 10:30 AM
> *To:* Openmeetings user-list <user@openmeetings.apache.org>
> *Subject:* Re: [HELP NEEDED] LDAP import AD groups
>
> "Invalid password" I guess something wrong with the password
>
> On Wed, Sep 23, 2015 at 9:20 PM, Thirumal Karra <tka...@deepsea-tech.com> wrote:
>
> I am trying to setup LDAP but it didn't work. Please look at the log below
>
> DEBUG 09-23 10:10:58.266 o.a.o.l.LdapLoginManagement:168 [http-nio-0.0.0.0-5080-exec-7] - LdapLoginmanagement.doLdapLogin
> WARN 09-23 10:10:58.300 o.a.o.l.LdapLoginManagement:287 [http-nio-0.0.0.0-5080-exec-7] - Referral LDAP entry found, ignore it
> WARN 09-23 10:10:58.301 o.a.o.l.LdapLoginManagement:287 [http-nio-0.0.0.0-5080-exec-7] - Referral LDAP entry found, ignore it
> WARN 09-23 10:10:58.301 o.a.o.l.LdapLoginManagement:287 [http-nio-0.0.0.0-5080-exec-7] - Referral LDAP entry found, ignore it
> ERROR 09-23 10:10:58.301 o.a.o.l.LdapLoginManagement:292 [http-nio-0.0.0.0-5080-exec-7] - NONE users found in LDAP
> DEBUG 09-23 10:10:58.303 o.a.w.u.c.CookieUtils:273 [http-nio-0.0.0.0-5080-exec-7] - Unable to find Cookie with name=LoggedIn and request URI=signin?0-1.IBehaviorListener.2-signin
> DEBUG 09-23 10:10:58.305 o.a.w.Localizer:378 [http-nio-0.0.0.0-5080-exec-7] - Property found in cache: '336'; Component: 'null'; value: 'Invalid password'
> DEBUG 09-23 10:10:58.305 o.a.w.f.FeedbackMessages:69 [http-nio-0.0.0.0-5080-exec-7] - Adding feedback message '[FeedbackMessage message = "Invalid password", reporter = signin, level = ERROR]'
> DEBUG 09-23 10:10:58.305 o.a.w.u.c.CookieUtils:273 [http-nio-0.0.0.0-5080-exec-7] - Unable to find Cookie with name=LoggedIn and request URI=signin?0-1.IBehaviorListener.2-signin
> DEBUG 09-23 10:10:58.307 o.a.wicket.Page:871 [http-nio-0.0.0.0-5080-exec-7] - ending request for page [Page class = org.apache.openmeetings.web.pages.auth.SignInPage, id = 0, render count = 1], request org.apache.wicket.protocol.http.servlet.ServletWebRequest@3a57191c
> DEBUG 09-23 10:10:58.307 o.a.wicket.Page:871 [http-nio-0.0.0.0-5080-exec-7] - ending request for page [Page class = org.apache.openmeetings.web.pages.auth.SignInPage, id = 0, render count = 1], request org.apache.wicket.protocol.http.servlet.ServletWebRequest@3a57191c
> DEBUG 09-23 10:10:58.307 o.a.wicket.Page:871 [http-nio-0.0.0.0-5080-exec-7] - ending request for page [Page class = org.apache.openmeetings.web.pages.auth.SignInPage, id = 0, render count = 1], request org.apache.wicket.protocol.http.servlet.ServletWebRequest@3a57191c
> DEBUG 09-23 10:10:58.328 o.a.w.p.AsynchronousDataStore$PageSavingRunnable:354 [Wicket-PageSavingThread] - Saving asynchronously: Entry [sessionId=AEA1852D7D73CB3264F353796A510FCE, pageId=0]...
> DEBUG 09-23 10:10:58.328 o.a.w.p.DiskDataStore:186 [Wicket-PageSavingThread] - Storing data for page with id '0' in session with id 'AEA1852D7D73CB3264F353796A510FCE'
> DEBUG 09-23 10:10:58.329 o.a.w.p.PageAccessSynchronizer:207 [http-nio-0.0.0.0-5080-exec-7] - 'http-nio-0.0.0.0-5080-exec-7' released lock to page with id '0'
>
> Best Regards
>
> Thirumal
>
> *From:* Maxim Solodovnik [mailto:solomax...@gmail.com]
> *Sent:* Monday, August 10, 2015 10:24 AM
> *To:* Openmeetings user-list <user@openmeetings.apache.org>
> *Subject:* Re: [HELP NEEDED] LDAP import AD groups
>
> this query will return user DN, NOT groups
>
> On Mon, Aug 10, 2015 at 9:10 PM, Wild, Rodney <rodney.w...@cybastevens.com> wrote:
>
> ldap_search_query=(sAMAccountName=%s)
>
> windows Account name according to this.
>
> *Rodney Wild | *IT Support
>
> *From:* Maxim Solodovnik [mailto:solomax...@gmail.com]
> *Sent:* Monday, August 10, 2015 12:52 AM
> *To:* Openmeetings user-list
> *Subject:* Re: [HELP NEEDED] LDAP import AD groups
>
> And what is the AD query to get user groups by UID?
>
> On Mon, Aug 10, 2015 at 12:25 PM, Dominic Prakash <domi...@sps.co.in> wrote:
>
> This config works for me in M$ AD.
>
> ldap_conn_host=123.456.789.123
> ldap_conn_port=389
> ldap_conn_secure=false
>
> ldap_admin_dn=CN=ldapuser,OU=Software,OU=Unit-2,DC=sample,DC=co,DC=in
> ldap_passwd=passwordhere
> ldap_search_base=DC=sample,DC=co,DC=in
>
> ldap_search_query=(sAMAccountName=%s)
> ldap_search_scope=SUBTREE
> ldap_auth_type=SEARCHANDBIND
> ldap_userdn_format=sAMAccountName=%s,DC=sample,DC=co,DC=in
>
> ldap_provisionning=AUTOCREATE
> ldap_deref_mode=always
> ldap_use_admin_to_get_attrs=true
> ldap_sync_password_to_om=true
>
> ldap_user_attr_lastname=sn
> ldap_user_attr_firstname=givenName
> ldap_user_attr_mail=mail
> ldap_user_attr_street=streetAddress
> ldap_user_attr_additionalname=description
> ldap_user_attr_fax=facsimileTelephoneNumber
> ldap_user_attr_zip=postalCode
> ldap_user_attr_country=co
> ldap_user_attr_town=l
> ldap_user_attr_phone=telephoneNumber
>
> ldap_user_picture_uri=profile.jpg
> ldap_use_lower_case=false
>
> Best Regards
>
> Dominic
>
> *From:* Maxim Solodovnik [mailto:solomax...@gmail.com]
> *Sent:* 05 August 2015 19:52
> *To:* Openmeetings user-list
> *Subject:* Re: [HELP NEEDED] LDAP import AD groups
>
> I need someone who can fix this query for M$ AD :(
> Or someone who can give me search only test access to AD
>
> WBR, Maxim
> (from mobile, sorry for the typos)
>
> On Aug 5, 2015 20:18, "Michael Wuttke" <michael.wut...@beuth-hochschule.de> wrote:
>
> Hello Maxim,
>
> sorry but we use M$ AD and it returns nothing or only errors with this query. ;-(
>
> Greetings,
> Michael
>
> On 05.08.2015 at 15:18, Maxim Solodovnik wrote:
>
> Hello Michael,
>
> Thanks for your reply
> I need query to get all groups of user with some uid.
>
> so I get uid for the user: for ex. "solomax"
> I need to get all groups this user is part of.
>
> On my test LDAP server this query:
> (&(memberUid=test1)(objectClass=posixGroup)) returns DNs of all groups for given UID
>
> On Wed, Aug 5, 2015 at 7:11 PM, Michael Wuttke <michael.wut...@beuth-hochschule.de> wrote:
>
> Hello Maxim,
>
> I don't know how to use the ldap_search for your query.
>
> But we use owncloud. Here are our LDAP queries we use for owncloud:
>
> the ldap query for users:
> (&(|(objectclass=person))
>   (|(|(memberof=CN=Owncloud-admins,OU=Groups,DC=mycompany,DC=de)(primaryGroupID=xyz0))
>     (|(memberof=CN=Students,OU=Groups,DC=mycompany,DC=de)(primaryGroupID=xyz1))
>     (|(memberof=CN=Employee,OU=Global,OU=Groups,DC=mycompany,DC=de)(primaryGroupID=xyz2))
>     (|(memberof=CN=Academics,OU=Global,OU=Groups,DC=mycompany,DC=de)(primaryGroupID=xyz3))
> ))
>
> the ldap query for login attributes:
> (&(&(|(objectclass=person))
>   (|(|(memberof=CN=Owncloud-admins,OU=Groups,DC=mycompany,DC=de)(primaryGroupID=xyz0))
>     (|(memberof=CN=Students,OU=Groups,DC=mycompany,DC=de)(primaryGroupID=xyz1))
>     (|(memberof=CN=Employee,OU=Global,OU=Groups,DC=mycompany,DC=de)(primaryGroupID=xyz2))
>     (|(memberof=CN=Academics,OU=Global,OU=Groups,DC=mycompany,DC=de)(primaryGroupID=xyz03))
>   ))
> (|(sAMAccountName=%uid)))
>
> and the ldap query for groups:
> (&(|(objectclass=group))(|(cn=Employee)(cn=Students)(cn=Owncloud-admins)(cn=Academics)))
>
> Here is the docu how to configure ldap auth:
> https://doc.owncloud.org/server/8.1/admin_manual/configuration_user/user_auth_ldap.html
>
> and the owncloud code repo the ldap auth app:
> https://github.com/owncloud/core/tree/master/apps/user_ldap
>
> Maybe it helps you?
>
> Thanks & Greetings,
> Michael
>
> On 05.08.2015 at 14:29, Maxim Solodovnik wrote:
>
> ups, sorry wrong keyboard :(((
>
> ---- Can anyone with access to AD check if this query works in AD, and
> сщккусе ше ащк ФВ ша тще,
> ++++ Can anyone with access to AD check if this query works in AD, and
> correct it for AD if not,
>
> On Wed, Aug 5, 2015 at 6:28 PM, Maxim Solodovnik <solomax...@gmail.com> wrote:
>
> Hello All,
>
> I'm currently trying to implement https://issues.apache.org/jira/browse/OPENMEETINGS-1214
> I was able to find query to get all groups in LDAP:
>
> The following query seems to be able to list all groups for the user with "uid == test1":
> (&(memberUid=test1)(objectClass=posixGroup))
>
> Can anyone with access to AD check if this query works in AD, and
> сщккусе ше ащк ФВ ша тще,
>
> Thanks in advance!
>
> --
> WBR
> Maxim aka solomax
>
> --
> Many thanks & kind regards,
> Michael Wuttke
>
> Administration of the Learning Management System
> Beuth Hochschule Berlin - Hochschulrechenzentrum
> Luxemburger Str. 10
> 13353 Berlin
> Tel: +49 (0)30 45 04 2004
> Building: Bauwesen; Room: D 225a
> E-Mail: michael.wut...@beuth-hochschule.de
> News: https://lms.beuth-hochschule.de/rss

--
WBR
Maxim aka solomax
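
The group lookups discussed in this thread, as an added example that is not part of the original messages or of OpenMeetings' code: it builds the posixGroup filter from the thread next to a DN-based Active Directory equivalent, escaping substituted values per RFC 4515. It assumes a stock AD schema in which group objects list their members by DN in `member`, so the user's DN is first resolved with the `ldap_search_query` template; all function names are hypothetical.

```python
# Added example: builds LDAP search filters only, no directory connection.

# RFC 4515 section 3: these characters must be escaped inside a filter value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    """Escape a string so it is treated as a literal inside a filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def user_filter(template, login):
    """Fill an ldap_search_query-style template such as (sAMAccountName=%s)."""
    if template.count("%s") != 1:
        raise ValueError("template must contain exactly one %s")
    return template.replace("%s", escape_filter_value(login))


def posix_group_filter(uid):
    """Groups of a user on an RFC 2307 server (the query from the thread)."""
    return "(&(memberUid=" + escape_filter_value(uid) + ")(objectClass=posixGroup))"


def ad_group_filter(user_dn):
    """Groups of a user in AD (assumed schema: members stored by DN)."""
    return "(&(objectClass=group)(member=" + escape_filter_value(user_dn) + "))"


def group_lookup_filters(login, user_dn):
    """Return the two AD searches in order: resolve the DN, then find groups."""
    return [user_filter("(sAMAccountName=%s)", login), ad_group_filter(user_dn)]


if __name__ == "__main__":
    # Constructed sample values; the DN contains an escaped comma.
    dn = r"CN=Smith\, John,CN=Users,DC=DOMAIN,DC=com"
    print(posix_group_filter("test1"))
    for f in group_lookup_filters("jsmith", dn):
        print(f)
```

AD does not record a user's primary group in `member`, so this filter will not return it; the ownCloud filters quoted above test `primaryGroupID` separately.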