On Tue, 31 Mar 2020 at 15:26, Rohrbach, Gerald <g.rohrb...@funkegruppe.de> wrote:
> Maxim, > > > > two small questions/ issues. > > > > Is it simple possible to set in the Login the LDAP as default and localDB > as option. > > So just the other way round? > This one should be easy: Just set default.ldap.id https://openmeetings.apache.org/GeneralConfiguration.html > > > If we do use LDAP ADS it seems not to work, that a user can change his own > setting, > > If we set ldap password sync we will run into the password complexity > problem. > Not sure I get this :(( > > > Can we somewhere switch of the password complexity? > > We are using just internal, so it is no security issue in our case. > "Complexity" == Uppercase+lowercase+alpha+special symbol ? If so, I'm afraid you have to tweek sources and re-compile :( > > > > > > > Regards > > > > Gerald > > > > > > > > > > > > > > *Von:* Maxim Solodovnik [mailto:solomax...@gmail.com] > *Gesendet:* Montag, 30. März 2020 15:19 > *An:* Openmeetings user-list <user@openmeetings.apache.org> > *Betreff:* Re: ldap config problems with authentication > > > > Just have created test and there is only one user after 2 sign-ins > > Can you query DB (something like `select id,login,type,domain_id from > om_user where login = your_multiplied_login`) and show here? > > > > On Mon, 30 Mar 2020 at 20:09, Maxim Solodovnik <solomax...@gmail.com> > wrote: > > > > > > On Mon, 30 Mar 2020 at 20:05, Rohrbach, Gerald <g.rohrb...@funkegruppe.de> > wrote: > > Maxim, > > > > I have no problem how the userID is, if u...@domain.de or just user. > > > > The problem I have is that every time a user logs in a new account is > created. > > So if userA logs in 3 times I have userA 3 times in the database. > > Probably simple config issue. > > > > This shouldn't work like this > > I'll do some tests and will get back > > > > > > I understood now, that users are created from ADS when a user Logs in. > > That’s fine. > > Unfortunately the country from ADS does not apply. > > In the ADS for the user is Deutschland, but when the user is created this > is not picked up. > > I would need to know how to set defaults. > > > > Om expects country as 2 letter country code: > https://www.iban.com/country-codes > > So I guess DE should work > > > > > > > > As I had now several users deleted, because duplicate they are marked as > purged. > > But still shown. How can I get rid of this? > > > > The only way to remove "purged" users is to perform export/import > > These users are "ghosts" doesn't appear in searches, unable to login etc. > > > > > > Gerald > > > > > > > > > > *Von:* Maxim Solodovnik [mailto:solomax...@gmail.com] > *Gesendet:* Montag, 30. März 2020 14:37 > *An:* Openmeetings user-list <user@openmeetings.apache.org> > *Betreff:* Re: ldap config problems with authentication > > > > Of cause I can add simple check > "if-login-contains-domain-do-not-add-another-one" but I would prefer to > create simulation of real LDAP :) > > > > On Mon, 30 Mar 2020 at 19:31, Maxim Solodovnik <solomax...@gmail.com> > wrote: > > > > > > On Mon, 30 Mar 2020 at 19:25, Rohrbach, Gerald <g.rohrb...@funkegruppe.de> > wrote: > > Maxim, > > > > that was a good hint with the logging. > > I think it is just a understanding and config issue. > > > > SearchRequest > > baseDn : 'CN=Users,DC=company,DC=de' > > filter : '(uid=x...@compay.de)' > > > > In ADS uid attribute is not filled. Instead in ADS we need to user > UserPrincipalName or something else. > > > > for ADS `samlAccountName` or something like this should be used > > > > > > So authentication works fine, but eyery time someone logs in a new user > account is created. > > > > It looks like we still have an issue, as the create user login is wrong. > > testu...@company.de@company.de > > > > This is the issue > > I'm using this > > > https://github.com/apache/openmeetings/blob/master/openmeetings-web/src/test/resources/schema/users.ldif > > Schema for tests > > Maybe you can help me to create schema for the case with "suffixed" users? > > > > > > I hope I get the rest also figured out. > > > > > > Gerald > > > > > > > > > > > > *Von:* Maxim Solodovnik [mailto:solomax...@gmail.com] > *Gesendet:* Montag, 30. März 2020 11:50 > *An:* Openmeetings user-list <user@openmeetings.apache.org> > *Betreff:* Re: ldap config problems with authentication > > > > Your log is hard to read due to formatting issues :(( > > Googling `DSID-0C090442` results something about "searching between > forests" which I don't understand :( > > > > Admin->LDAP has setting "Add domain to user name" > > Do you have it checked? (domain to add should be specified) > > > > What is your LDAP provider? Is it ADS? > > > > To make logging more verbose you can > > 1) stop OM > > 2) add following line to logback-config.xml > > <logger name="org.apache.directory" level="DEBUG" /> > > 3) restart OM > > > > According to my previous experience SEARCHANDBIND might work better > > > > > > On Mon, 30 Mar 2020 at 16:31, Rohrbach, Gerald <g.rohrb...@funkegruppe.de> > wrote: > > Also having LDAP issues: > > > > It seems not to work. > > > > Below is the om_ldap.cfg, that is used in the config file: > > > > ^[[39mDEBUG^[[0;39m 03-30 08:42:26.213 ^[[36mo.a.o.s.q.s.ReminderJob:93 > [Bean#0_Worker-3]^[[0;39m - Rss disabled by Admin > > ^[[39mDEBUG^[[0;39m > 03-30 08:52:26.214 ^[[36mo.a.o.s.q.s.ReminderJob:93 > [Bean#0_Worker-8]^[[0;39m - Rss disabled by > Admin > > ^[[39mDEBUG^[[0;39m > 03-30 09:02:26.214 ^[[36mo.a.o.s.q.s.ReminderJob:93 > [Bean#0_Worker-5]^[[0;39m - Rss disabled by > Admin > ^[[39mDEBUG^[[0;39m > 03-30 09:11:36.412 ^[[36mo.a.o.d.d.s.LdapConfigDao:69 > [io-5443-exec-10]^[[0;39m - > getActiveLdapConfigs > ^[[39mDEBUG^[[0;39m 03-30 09:11:36.517 > ^[[36mo.a.o.d.d.s.LdapConfigDao:69 [nio-5443-exec-2]^[[0;39m - > getActiveLdapConfigs > ^[[39mDEBUG^[[0;39m 03-30 09:12:13.115 > ^[[36mo.a.o.c.l.LdapLoginManager:172 [nio-5443-exec-2]^[[0;39m - > LdapLoginmanager.doLdapLogin > ^[[1;31mERROR^[[0;39m 03-30 09:12:13.129 > ^[[36mo.a.o.c.l.LdapLoginManager:226 [nio-5443-exec-2]^[[0;39m - Not > authenticated. > org.apache.directory.api.ldap.model.exception.LdapAuthenticationException: > 80090308: LdapErr: DSID-0C090442, comment: AcceptSecurityContext error, > data 52e, > v3839^@ > at > org.apache.directory.api.ldap.model.message.ResultCodeEnum.processResponse(ResultCodeEnum.java:1995) > > > > > > > What does the LdapLogin Manager message means, was the query user not able > to connect or was the end user password wrong. > > How I can make visible, what the query for the user ist. > > It should be in the form u...@domain.de , maybe the mapping is just wrong. > > > > > > > > > > > > This is the modified > > ldap_conn_host=DESVR-DC01.firma.de > > ldap_conn_port=389 > > ldap_conn_secure=false > > > > # Login distinguished name (DN) for Authentication on LDAP Server - keep > empty if not required > > # Use full qualified LDAP DN > > ldap_admin_dn=CN=ldapopenmeetings,OU=Users-Service-Accounts,DC=firma,DC=de > > > > # Loginpass for Authentication on LDAP Server - keep empty if not required > > ldap_passwd=#password# > > > > # base to search for userdata(of user, that wants to login) > > ldap_search_base=CN=Users,DC=firma,DC=de > > > > # Fieldnames (can differ between Ldap servers) > > ldap_search_query=(uid=%s) > > > > # the scope of the search might be: OBJECT, ONELEVEL, SUBTREE > > ldap_search_scope=SUBTREE > > > > # Ldap auth type(NONE, SEARCHANDBIND, SIMPLEBIND) > > # When using SIMPLEBIND a simple bind is performed on the LDAP server to > check user authentication > > # When using NONE, the Ldap server is not used for authentication > > ldap_auth_type=SIMPLEBIND > > > > # userDN format, will be used to bind if ldap_auth_type=SIMPLEBIND > > # might be used to get provisionningDn in case ldap_auth_type=NONE > > ldap_userdn_format=uid=%s,CN=Users,DC=firma,DC=de > > > > # Ldap provisioning type(NONE, AUTOCREATE, AUTOUPDATE) > > ldap_provisionning=AUTOCREATE > > > > # Ldap deref mode (never, searching, finding, always) > > ldap_deref_mode=always > > ldap_use_admin_to_get_attrs=true > > > > # Ldap-password synchronization to OM DB > > # Set this to 'true' if you want OM to synchronize the user Ldap-password > to OM's internal DB > > # If you want to disable the feature, set this to any other string. > > # Defautl value is 'true' > > ldap_sync_password_to_om=false > > > > # Ldap group mode (NONE, ATTRIBUTE, QUERY) > > # NONE means group associations will be ignored > > # ATTRIBUTE means group associations will be taken from 'ldap_group_attr' > attribute (M$ AD mode) > > # QUERY means group associations will be taken as a result of > 'ldap_group_query' query > > ldap_group_mode=NONE > > > > ldap_group_query=(&(memberUid=%s)(objectClass=posixGroup)) > > > > # Ldap user attributes mapping > > # Set the following internal OM user attributes to their corresponding > Ldap-attribute > > > > ldap_user_attr_login=uid > > ldap_user_attr_lastname=sn > > ldap_user_attr_firstname=givenName > > ldap_user_attr_mail=mail > > ldap_user_attr_street=streetAddress > > ldap_user_attr_additionalname=description > > ldap_user_attr_fax=facsimileTelephoneNumber > > ldap_user_attr_zip=postalCode > > ldap_user_attr_country=co > > ldap_user_attr_town=l > > ldap_user_attr_phone=telephoneNumber > > # optional attribute for user picture > > #ldap_user_attr_picture= > > ldap_group_attr=memberOf > > > > # optional, absolute URL will be used as user picture if > #ldap_user_attr_picture will be empty > > #ldap_user_picture_uri=picture_uri > > > > # optional > > # the timezone has to match any timezone available in Java, otherwise the > timezone defined in the value of > > # the conf_key "default.timezone" in OpenMeetings "configurations" table > > #ldap_user_timezone=timezone > > > > # Ldap ignore upper/lower case, convert all input to lower case > > ldap_use_lower_case=false > > > > # Ldap import query, this query should retrieve all LDAP users > > ldap_import_query=(objectClass=inetOrgPerson) > > > > > -- > > WBR > Maxim aka solomax > > > > > -- > > WBR > Maxim aka solomax > > > > > -- > > WBR > Maxim aka solomax > > > > > -- > > WBR > Maxim aka solomax > > > > > -- > > WBR > Maxim aka solomax > -- WBR Maxim aka solomax
