On Mon, 30 Mar 2020 at 19:25, Rohrbach, Gerald <g.rohrb...@funkegruppe.de> wrote:
> Maxim, > > > > that was a good hint with the logging. > > I think it is just a understanding and config issue. > > > > SearchRequest > > baseDn : 'CN=Users,DC=company,DC=de' > > filter : '(uid=x...@compay.de)' > > > > In ADS uid attribute is not filled. Instead in ADS we need to user > UserPrincipalName or something else. > for ADS `samlAccountName` or something like this should be used > > > So authentication works fine, but eyery time someone logs in a new user > account is created. > > > > It looks like we still have an issue, as the create user login is wrong. > > testu...@company.de@company.de > This is the issue I'm using this https://github.com/apache/openmeetings/blob/master/openmeetings-web/src/test/resources/schema/users.ldif Schema for tests Maybe you can help me to create schema for the case with "suffixed" users? > > > I hope I get the rest also figured out. > > > > > > Gerald > > > > > > > > > > > > *Von:* Maxim Solodovnik [mailto:solomax...@gmail.com] > *Gesendet:* Montag, 30. März 2020 11:50 > *An:* Openmeetings user-list <user@openmeetings.apache.org> > *Betreff:* Re: ldap config problems with authentication > > > > Your log is hard to read due to formatting issues :(( > > Googling `DSID-0C090442` results something about "searching between > forests" which I don't understand :( > > > > Admin->LDAP has setting "Add domain to user name" > > Do you have it checked? (domain to add should be specified) > > > > What is your LDAP provider? Is it ADS? > > > > To make logging more verbose you can > > 1) stop OM > > 2) add following line to logback-config.xml > > <logger name="org.apache.directory" level="DEBUG" /> > > 3) restart OM > > > > According to my previous experience SEARCHANDBIND might work better > > > > > > On Mon, 30 Mar 2020 at 16:31, Rohrbach, Gerald <g.rohrb...@funkegruppe.de> > wrote: > > Also having LDAP issues: > > > > It seems not to work. > > > > Below is the om_ldap.cfg, that is used in the config file: > > > > ^[[39mDEBUG^[[0;39m 03-30 08:42:26.213 ^[[36mo.a.o.s.q.s.ReminderJob:93 > [Bean#0_Worker-3]^[[0;39m - Rss disabled by Admin > > ^[[39mDEBUG^[[0;39m > 03-30 08:52:26.214 ^[[36mo.a.o.s.q.s.ReminderJob:93 > [Bean#0_Worker-8]^[[0;39m - Rss disabled by > Admin > > ^[[39mDEBUG^[[0;39m > 03-30 09:02:26.214 ^[[36mo.a.o.s.q.s.ReminderJob:93 > [Bean#0_Worker-5]^[[0;39m - Rss disabled by > Admin > ^[[39mDEBUG^[[0;39m > 03-30 09:11:36.412 ^[[36mo.a.o.d.d.s.LdapConfigDao:69 > [io-5443-exec-10]^[[0;39m - > getActiveLdapConfigs > ^[[39mDEBUG^[[0;39m 03-30 09:11:36.517 > ^[[36mo.a.o.d.d.s.LdapConfigDao:69 [nio-5443-exec-2]^[[0;39m - > getActiveLdapConfigs > ^[[39mDEBUG^[[0;39m 03-30 09:12:13.115 > ^[[36mo.a.o.c.l.LdapLoginManager:172 [nio-5443-exec-2]^[[0;39m - > LdapLoginmanager.doLdapLogin > ^[[1;31mERROR^[[0;39m 03-30 09:12:13.129 > ^[[36mo.a.o.c.l.LdapLoginManager:226 [nio-5443-exec-2]^[[0;39m - Not > authenticated. > org.apache.directory.api.ldap.model.exception.LdapAuthenticationException: > 80090308: LdapErr: DSID-0C090442, comment: AcceptSecurityContext error, > data 52e, > v3839^@ > at > org.apache.directory.api.ldap.model.message.ResultCodeEnum.processResponse(ResultCodeEnum.java:1995) > > > > > > > What does the LdapLogin Manager message means, was the query user not able > to connect or was the end user password wrong. > > How I can make visible, what the query for the user ist. > > It should be in the form u...@domain.de , maybe the mapping is just wrong. > > > > > > > > > > > > This is the modified > > ldap_conn_host=DESVR-DC01.firma.de > > ldap_conn_port=389 > > ldap_conn_secure=false > > > > # Login distinguished name (DN) for Authentication on LDAP Server - keep > empty if not required > > # Use full qualified LDAP DN > > ldap_admin_dn=CN=ldapopenmeetings,OU=Users-Service-Accounts,DC=firma,DC=de > > > > # Loginpass for Authentication on LDAP Server - keep empty if not required > > ldap_passwd=#password# > > > > # base to search for userdata(of user, that wants to login) > > ldap_search_base=CN=Users,DC=firma,DC=de > > > > # Fieldnames (can differ between Ldap servers) > > ldap_search_query=(uid=%s) > > > > # the scope of the search might be: OBJECT, ONELEVEL, SUBTREE > > ldap_search_scope=SUBTREE > > > > # Ldap auth type(NONE, SEARCHANDBIND, SIMPLEBIND) > > # When using SIMPLEBIND a simple bind is performed on the LDAP server to > check user authentication > > # When using NONE, the Ldap server is not used for authentication > > ldap_auth_type=SIMPLEBIND > > > > # userDN format, will be used to bind if ldap_auth_type=SIMPLEBIND > > # might be used to get provisionningDn in case ldap_auth_type=NONE > > ldap_userdn_format=uid=%s,CN=Users,DC=firma,DC=de > > > > # Ldap provisioning type(NONE, AUTOCREATE, AUTOUPDATE) > > ldap_provisionning=AUTOCREATE > > > > # Ldap deref mode (never, searching, finding, always) > > ldap_deref_mode=always > > ldap_use_admin_to_get_attrs=true > > > > # Ldap-password synchronization to OM DB > > # Set this to 'true' if you want OM to synchronize the user Ldap-password > to OM's internal DB > > # If you want to disable the feature, set this to any other string. > > # Defautl value is 'true' > > ldap_sync_password_to_om=false > > > > # Ldap group mode (NONE, ATTRIBUTE, QUERY) > > # NONE means group associations will be ignored > > # ATTRIBUTE means group associations will be taken from 'ldap_group_attr' > attribute (M$ AD mode) > > # QUERY means group associations will be taken as a result of > 'ldap_group_query' query > > ldap_group_mode=NONE > > > > ldap_group_query=(&(memberUid=%s)(objectClass=posixGroup)) > > > > # Ldap user attributes mapping > > # Set the following internal OM user attributes to their corresponding > Ldap-attribute > > > > ldap_user_attr_login=uid > > ldap_user_attr_lastname=sn > > ldap_user_attr_firstname=givenName > > ldap_user_attr_mail=mail > > ldap_user_attr_street=streetAddress > > ldap_user_attr_additionalname=description > > ldap_user_attr_fax=facsimileTelephoneNumber > > ldap_user_attr_zip=postalCode > > ldap_user_attr_country=co > > ldap_user_attr_town=l > > ldap_user_attr_phone=telephoneNumber > > # optional attribute for user picture > > #ldap_user_attr_picture= > > ldap_group_attr=memberOf > > > > # optional, absolute URL will be used as user picture if > #ldap_user_attr_picture will be empty > > #ldap_user_picture_uri=picture_uri > > > > # optional > > # the timezone has to match any timezone available in Java, otherwise the > timezone defined in the value of > > # the conf_key "default.timezone" in OpenMeetings "configurations" table > > #ldap_user_timezone=timezone > > > > # Ldap ignore upper/lower case, convert all input to lower case > > ldap_use_lower_case=false > > > > # Ldap import query, this query should retrieve all LDAP users > > ldap_import_query=(objectClass=inetOrgPerson) > > > > > -- > > WBR > Maxim aka solomax > -- WBR Maxim aka solomax
