Of cause I can add simple check "if-login-contains-domain-do-not-add-another-one" but I would prefer to create simulation of real LDAP :)
On Mon, 30 Mar 2020 at 19:31, Maxim Solodovnik <solomax...@gmail.com> wrote: > > > On Mon, 30 Mar 2020 at 19:25, Rohrbach, Gerald <g.rohrb...@funkegruppe.de> > wrote: > >> Maxim, >> >> >> >> that was a good hint with the logging. >> >> I think it is just a understanding and config issue. >> >> >> >> SearchRequest >> >> baseDn : 'CN=Users,DC=company,DC=de' >> >> filter : '(uid=x...@compay.de)' >> >> >> >> In ADS uid attribute is not filled. Instead in ADS we need to user >> UserPrincipalName or something else. >> > > for ADS `samlAccountName` or something like this should be used > > >> >> >> So authentication works fine, but eyery time someone logs in a new user >> account is created. >> >> >> >> It looks like we still have an issue, as the create user login is wrong. >> >> testu...@company.de@company.de >> > > This is the issue > I'm using this > > https://github.com/apache/openmeetings/blob/master/openmeetings-web/src/test/resources/schema/users.ldif > Schema for tests > Maybe you can help me to create schema for the case with "suffixed" users? > > >> >> >> I hope I get the rest also figured out. >> >> >> >> >> >> Gerald >> >> >> >> >> >> >> >> >> >> >> >> *Von:* Maxim Solodovnik [mailto:solomax...@gmail.com] >> *Gesendet:* Montag, 30. März 2020 11:50 >> *An:* Openmeetings user-list <user@openmeetings.apache.org> >> *Betreff:* Re: ldap config problems with authentication >> >> >> >> Your log is hard to read due to formatting issues :(( >> >> Googling `DSID-0C090442` results something about "searching between >> forests" which I don't understand :( >> >> >> >> Admin->LDAP has setting "Add domain to user name" >> >> Do you have it checked? (domain to add should be specified) >> >> >> >> What is your LDAP provider? Is it ADS? >> >> >> >> To make logging more verbose you can >> >> 1) stop OM >> >> 2) add following line to logback-config.xml >> >> <logger name="org.apache.directory" level="DEBUG" /> >> >> 3) restart OM >> >> >> >> According to my previous experience SEARCHANDBIND might work better >> >> >> >> >> >> On Mon, 30 Mar 2020 at 16:31, Rohrbach, Gerald <g.rohrb...@funkegruppe.de> >> wrote: >> >> Also having LDAP issues: >> >> >> >> It seems not to work. >> >> >> >> Below is the om_ldap.cfg, that is used in the config file: >> >> >> >> ^[[39mDEBUG^[[0;39m 03-30 08:42:26.213 ^[[36mo.a.o.s.q.s.ReminderJob:93 >> [Bean#0_Worker-3]^[[0;39m - Rss disabled by Admin >> >> ^[[39mDEBUG^[[0;39m >> 03-30 08:52:26.214 ^[[36mo.a.o.s.q.s.ReminderJob:93 >> [Bean#0_Worker-8]^[[0;39m - Rss disabled by >> Admin >> >> ^[[39mDEBUG^[[0;39m >> 03-30 09:02:26.214 ^[[36mo.a.o.s.q.s.ReminderJob:93 >> [Bean#0_Worker-5]^[[0;39m - Rss disabled by >> Admin >> ^[[39mDEBUG^[[0;39m >> 03-30 09:11:36.412 ^[[36mo.a.o.d.d.s.LdapConfigDao:69 >> [io-5443-exec-10]^[[0;39m - >> getActiveLdapConfigs >> ^[[39mDEBUG^[[0;39m 03-30 09:11:36.517 >> ^[[36mo.a.o.d.d.s.LdapConfigDao:69 [nio-5443-exec-2]^[[0;39m - >> getActiveLdapConfigs >> ^[[39mDEBUG^[[0;39m 03-30 09:12:13.115 >> ^[[36mo.a.o.c.l.LdapLoginManager:172 [nio-5443-exec-2]^[[0;39m - >> LdapLoginmanager.doLdapLogin >> ^[[1;31mERROR^[[0;39m 03-30 09:12:13.129 >> ^[[36mo.a.o.c.l.LdapLoginManager:226 [nio-5443-exec-2]^[[0;39m - Not >> authenticated. >> org.apache.directory.api.ldap.model.exception.LdapAuthenticationException: >> 80090308: LdapErr: DSID-0C090442, comment: AcceptSecurityContext error, >> data 52e, >> v3839^@ >> at >> org.apache.directory.api.ldap.model.message.ResultCodeEnum.processResponse(ResultCodeEnum.java:1995) >> >> >> >> >> >> >> What does the LdapLogin Manager message means, was the query user not >> able to connect or was the end user password wrong. >> >> How I can make visible, what the query for the user ist. >> >> It should be in the form u...@domain.de , maybe the mapping is just >> wrong. >> >> >> >> >> >> >> >> >> >> >> >> This is the modified >> >> ldap_conn_host=DESVR-DC01.firma.de >> >> ldap_conn_port=389 >> >> ldap_conn_secure=false >> >> >> >> # Login distinguished name (DN) for Authentication on LDAP Server - keep >> empty if not required >> >> # Use full qualified LDAP DN >> >> ldap_admin_dn=CN=ldapopenmeetings,OU=Users-Service-Accounts,DC=firma,DC=de >> >> >> >> # Loginpass for Authentication on LDAP Server - keep empty if not required >> >> ldap_passwd=#password# >> >> >> >> # base to search for userdata(of user, that wants to login) >> >> ldap_search_base=CN=Users,DC=firma,DC=de >> >> >> >> # Fieldnames (can differ between Ldap servers) >> >> ldap_search_query=(uid=%s) >> >> >> >> # the scope of the search might be: OBJECT, ONELEVEL, SUBTREE >> >> ldap_search_scope=SUBTREE >> >> >> >> # Ldap auth type(NONE, SEARCHANDBIND, SIMPLEBIND) >> >> # When using SIMPLEBIND a simple bind is performed on the LDAP server to >> check user authentication >> >> # When using NONE, the Ldap server is not used for authentication >> >> ldap_auth_type=SIMPLEBIND >> >> >> >> # userDN format, will be used to bind if ldap_auth_type=SIMPLEBIND >> >> # might be used to get provisionningDn in case ldap_auth_type=NONE >> >> ldap_userdn_format=uid=%s,CN=Users,DC=firma,DC=de >> >> >> >> # Ldap provisioning type(NONE, AUTOCREATE, AUTOUPDATE) >> >> ldap_provisionning=AUTOCREATE >> >> >> >> # Ldap deref mode (never, searching, finding, always) >> >> ldap_deref_mode=always >> >> ldap_use_admin_to_get_attrs=true >> >> >> >> # Ldap-password synchronization to OM DB >> >> # Set this to 'true' if you want OM to synchronize the user >> Ldap-password to OM's internal DB >> >> # If you want to disable the feature, set this to any other string. >> >> # Defautl value is 'true' >> >> ldap_sync_password_to_om=false >> >> >> >> # Ldap group mode (NONE, ATTRIBUTE, QUERY) >> >> # NONE means group associations will be ignored >> >> # ATTRIBUTE means group associations will be taken from 'ldap_group_attr' >> attribute (M$ AD mode) >> >> # QUERY means group associations will be taken as a result of >> 'ldap_group_query' query >> >> ldap_group_mode=NONE >> >> >> >> ldap_group_query=(&(memberUid=%s)(objectClass=posixGroup)) >> >> >> >> # Ldap user attributes mapping >> >> # Set the following internal OM user attributes to their corresponding >> Ldap-attribute >> >> >> >> ldap_user_attr_login=uid >> >> ldap_user_attr_lastname=sn >> >> ldap_user_attr_firstname=givenName >> >> ldap_user_attr_mail=mail >> >> ldap_user_attr_street=streetAddress >> >> ldap_user_attr_additionalname=description >> >> ldap_user_attr_fax=facsimileTelephoneNumber >> >> ldap_user_attr_zip=postalCode >> >> ldap_user_attr_country=co >> >> ldap_user_attr_town=l >> >> ldap_user_attr_phone=telephoneNumber >> >> # optional attribute for user picture >> >> #ldap_user_attr_picture= >> >> ldap_group_attr=memberOf >> >> >> >> # optional, absolute URL will be used as user picture if >> #ldap_user_attr_picture will be empty >> >> #ldap_user_picture_uri=picture_uri >> >> >> >> # optional >> >> # the timezone has to match any timezone available in Java, otherwise the >> timezone defined in the value of >> >> # the conf_key "default.timezone" in OpenMeetings "configurations" table >> >> #ldap_user_timezone=timezone >> >> >> >> # Ldap ignore upper/lower case, convert all input to lower case >> >> ldap_use_lower_case=false >> >> >> >> # Ldap import query, this query should retrieve all LDAP users >> >> ldap_import_query=(objectClass=inetOrgPerson) >> >> >> >> >> -- >> >> WBR >> Maxim aka solomax >> > > > -- > WBR > Maxim aka solomax > -- WBR Maxim aka solomax
