I don't see how LDAP search can be insecure :( The user provides credentials and they are checked inside some private network, and the user is authenticated only if there was a match.
Maybe you can modify the search to search only inside a group?

On Sun, Apr 12, 2020, 14:31 Rohrbach, Gerald <g.rohrb...@funkegruppe.de> wrote:

Maxim,

we only allow LDAP users, no registration. That's fine. Probably the FW stuff is too complicated.

I did not figure out the LDAP groups from the config file. As our users are stored in different AD containers, we need to set the search base in the AD root. With that every account can be used, which internally is okay, but putting this frontend in a DMZ or on internet access is very insecure.

So probably an easy way is to put OM users in an AD group and limit access to this.

But what do I need to fill in in the LDAP config file? E.g. the user group is named OM-Users?

# Ldap group mode (NONE, ATTRIBUTE, QUERY)
# NONE means group associations will be ignored
# ATTRIBUTE means group associations will be taken from 'ldap_group_attr' attribute (M$ AD mode)
# QUERY means group associations will be taken as a result of 'ldap_group_query' query
ldap_group_mode=NONE

ldap_group_query=(&(memberUid=%s)(objectClass=posixGroup))

Happy Easter

Gerald

From: Maxim Solodovnik [mailto:solomax...@gmail.com]
Sent: Saturday, 11 April 2020 18:07
To: Openmeetings user-list <user@openmeetings.apache.org>
Subject: Re: Sending E-Mail to guests / Guest Invitation / LDAP Login only from defined IP ranges

Hello Gerald,

Not sure I get what is required :(
You can set up a FW to reject some IPs, but this way all traffic will be filtered.
You can disable front-end registration; this way only LDAP users or invited guests can use OM
(invited guests can only access the room they were invited to, and the invitation can be limited: one time/period/endless ...)

On Sat, 11 Apr 2020 at 00:44, Rohrbach, Gerald <g.rohrb...@funkegruppe.de> wrote:

Maxim,

finally I got it working with certificates, your solution was the easiest one.

Our sales team is interested in using OM with customers.
Currently we only use it internally, it's a good help with all the home offices now.
I saw you added some changes to allow e-mail to unregistered users. I will test this, this sounds like it will fulfil our needs.

The login authentication on our internal server is against LDAP. AD
If we put our machine in a DMZ, is there a way to protect the login from external IPs but allow that a meeting link will come to the invited room session?
The OM DB is on a separate server already, on MySQL.

I know openMeetings is more for schools and trainings, but I guess during this time a lot of companies are interested.
MS-Teams is heavy, expensive and from my point of view OM delivers nearly all needed functionality.
And probably a lot of companies don't want the data stored somewhere in the cloud.
I have tested some of these tools in the past weeks….

Gerald

From: Maxim Solodovnik [mailto:solomax...@gmail.com]
Sent: Tuesday, 7 April 2020 16:42
To: Openmeetings user-list <user@openmeetings.apache.org>
Subject: Re: wildcard certificate

Well,

I would suggest taking the original server.xml from M4
https://github.com/apache/openmeetings/blob/master/openmeetings-server/src/main/assembly/conf/server.xml#L76
and changing nothing but the <Certificate ...> tag
use this one
<Certificate certificateKeyFile="conf/your_key.pem" certificateFile="conf/your_crt.pem" certificateChainFile="conf/your_ca.pem" type="RSA" />
with your own paths

no native libraries, conversions etc.
one easy step :))

Please ensure the cert paths are readable by OM :))

On Tue, 7 Apr 2020 at 19:50, K. Kamhamea <kamha...@googlemail.com> wrote:

In my manual I covered wildcard certificates under System Administrator > SSL
https://cwiki.apache.org/confluence/display/OPENMEETINGS/OpemMeetings+5+Manual

On Tue, 7 Apr 2020 at 12:43, Rohrbach, Gerald <g.rohrb...@funkegruppe.de> wrote:

Maxim,

so far our openMeetings server for internal use is working fine.

I found a lot of manuals using letsencrypt certificates, but this seems not to be that easy and we need to repeat the procedure every 90 days.
To make it more comfortable for the users I think we need to get the certificate in place.
Unfortunately my knowledge about this certificate stuff is going to zero…

We have an official wildcard certificate that we can use.
But I did not find a manual on how this is to be installed.

Is there any docu I can use? Is that specific to openMeetings or is that more specific to tomcat?

Gerald

From: Maxim Solodovnik [mailto:solomax...@gmail.com]
Sent: Monday, 30 March 2020 17:19
To: Openmeetings user-list <user@openmeetings.apache.org>
Subject: Re: ldap config problems with authentication solved - Database move to different server

First of all, clustering is not working in M3
https://issues.apache.org/jira/browse/OPENMEETINGS-2186
You need M4 SNAPSHOT for this

Then, I'm afraid, there is a misunderstanding: `localDB` is a UI term meaning DB as opposed to LDAP
To change the DB location you need to change localhost to some external IP in persistence.xml

Latest SNAPSHOT is here: https://builds.apache.org/view/M-R/view/OpenMeetings/job/openmeetings/
Latest docs here: https://builds.apache.org/view/M-R/view/OpenMeetings/job/openmeetings/site/openmeetings-server/Clustering.html

I hope there will be no DB updates before the M4 release, so most probably the DB will be compatible

On Mon, 30 Mar 2020 at 22:13, Rohrbach, Gerald <g.rohrb...@funkegruppe.de> wrote:

Well, I need another hint….

As we have now tested a lot and think we can use it for more users, probably we need more than one server. I'm interested in the clustering.
But I know this is sometimes difficult to set up on our core switch.

The first step would be to have the database separated on a different server.
We have already created a lot of users in the M3 release.

For testing of the M4 I have already made a backup and restored it.
But in this case the database was also local.

Probably I need to change somewhere in a config file where the new database is located, if it is not local.
Because in the backup there was a localDB; on the new server I would like a different machine.
Which file do I need to edit?

Regards

Gerald.

From: Maxim Solodovnik [mailto:solomax...@gmail.com]
Sent: Monday, 30 March 2020 16:19
To: Openmeetings user-list <user@openmeetings.apache.org>
Subject: Re: ldap config problems with authentication solved

Great news :)
I don't have to fix it :)))

Thanks a lot!

On Mon, 30 Mar 2020 at 21:16, Rohrbach, Gerald <g.rohrb...@funkegruppe.de> wrote:

Maxim,

I found the solution:

These are the settings:

ldap_search_query=(userPrincipalName=%s)
ldap_userdn_format=userPrincipalName=%s,CN=Users,DC=company,DC=de

ldap_user_attr_login=sAMAccountName

Then the users are created in the right way use...@company.de
No duplicates anymore.

Regards

Gerald

From: Maxim Solodovnik [mailto:solomax...@gmail.com]
Sent: Monday, 30 March 2020 14:37
To: Openmeetings user-list <user@openmeetings.apache.org>
Subject: Re: ldap config problems with authentication

Of course I can add a simple check "if-login-contains-domain-do-not-add-another-one" but I would prefer to create a simulation of real LDAP :)

On Mon, 30 Mar 2020 at 19:31, Maxim Solodovnik <solomax...@gmail.com> wrote:

On Mon, 30 Mar 2020 at 19:25, Rohrbach, Gerald <g.rohrb...@funkegruppe.de> wrote:

> Maxim,
>
> that was a good hint with the logging.
> I think it is just an understanding and config issue.
>
> SearchRequest
> baseDn : 'CN=Users,DC=company,DC=de'
> filter : '(uid=x...@compay.de)'
>
> In ADS the uid attribute is not filled. Instead in ADS we need to use UserPrincipalName or something else.

for ADS `samlAccountName` or something like this should be used

> So authentication works fine, but every time someone logs in a new user account is created.
>
> It looks like we still have an issue, as the created user login is wrong.
> testu...@company.de@company.de

This is the issue
I'm using this
https://github.com/apache/openmeetings/blob/master/openmeetings-web/src/test/resources/schema/users.ldif
Schema for tests
Maybe you can help me to create a schema for the case with "suffixed" users?

> I hope I get the rest also figured out.
>
> Gerald

From: Maxim Solodovnik [mailto:solomax...@gmail.com]
Sent: Monday, 30 March 2020 11:50
To: Openmeetings user-list <user@openmeetings.apache.org>
Subject: Re: ldap config problems with authentication

Your log is hard to read due to formatting issues :((
Googling `DSID-0C090442` results in something about "searching between forests" which I don't understand :(

Admin->LDAP has the setting "Add domain to user name"
Do you have it checked? (the domain to add should be specified)

What is your LDAP provider? Is it ADS?

To make logging more verbose you can
1) stop OM
2) add the following line to logback-config.xml
<logger name="org.apache.directory" level="DEBUG" />
3) restart OM

According to my previous experience SEARCHANDBIND might work better

On Mon, 30 Mar 2020 at 16:31, Rohrbach, Gerald <g.rohrb...@funkegruppe.de> wrote:

Also having LDAP issues:

It seems not to work.

Below is the om_ldap.cfg that is used in the config file:

DEBUG 03-30 08:42:26.213 o.a.o.s.q.s.ReminderJob:93 [Bean#0_Worker-3] - Rss disabled by Admin
DEBUG 03-30 08:52:26.214 o.a.o.s.q.s.ReminderJob:93 [Bean#0_Worker-8] - Rss disabled by Admin
DEBUG 03-30 09:02:26.214 o.a.o.s.q.s.ReminderJob:93 [Bean#0_Worker-5] - Rss disabled by Admin
DEBUG 03-30 09:11:36.412 o.a.o.d.d.s.LdapConfigDao:69 [io-5443-exec-10] - getActiveLdapConfigs
DEBUG 03-30 09:11:36.517 o.a.o.d.d.s.LdapConfigDao:69 [nio-5443-exec-2] - getActiveLdapConfigs
DEBUG 03-30 09:12:13.115 o.a.o.c.l.LdapLoginManager:172 [nio-5443-exec-2] - LdapLoginmanager.doLdapLogin
ERROR 03-30 09:12:13.129 o.a.o.c.l.LdapLoginManager:226 [nio-5443-exec-2] - Not authenticated.
org.apache.directory.api.ldap.model.exception.LdapAuthenticationException: 80090308: LdapErr: DSID-0C090442, comment: AcceptSecurityContext error, data 52e, v3839
    at org.apache.directory.api.ldap.model.message.ResultCodeEnum.processResponse(ResultCodeEnum.java:1995)

What does the LdapLoginManager message mean, was the query user not able to connect or was the end user password wrong?
How can I make visible what the query for the user is?
It should be in the form u...@domain.de, maybe the mapping is just wrong.

This is the modified

ldap_conn_host=DESVR-DC01.firma.de
ldap_conn_port=389
ldap_conn_secure=false

# Login distinguished name (DN) for Authentication on LDAP Server - keep empty if not required
# Use full qualified LDAP DN
ldap_admin_dn=CN=ldapopenmeetings,OU=Users-Service-Accounts,DC=firma,DC=de

# Loginpass for Authentication on LDAP Server - keep empty if not required
ldap_passwd=#password#

# base to search for userdata(of user, that wants to login)
ldap_search_base=CN=Users,DC=firma,DC=de

# Fieldnames (can differ between Ldap servers)
ldap_search_query=(uid=%s)

# the scope of the search might be: OBJECT, ONELEVEL, SUBTREE
ldap_search_scope=SUBTREE

# Ldap auth type(NONE, SEARCHANDBIND, SIMPLEBIND)
# When using SIMPLEBIND a simple bind is performed on the LDAP server to check user authentication
# When using NONE, the Ldap server is not used for authentication
ldap_auth_type=SIMPLEBIND

# userDN format, will be used to bind if ldap_auth_type=SIMPLEBIND
# might be used to get provisionningDn in case ldap_auth_type=NONE
ldap_userdn_format=uid=%s,CN=Users,DC=firma,DC=de

# Ldap provisioning type(NONE, AUTOCREATE, AUTOUPDATE)
ldap_provisionning=AUTOCREATE

# Ldap deref mode (never, searching, finding, always)
ldap_deref_mode=always
ldap_use_admin_to_get_attrs=true

# Ldap-password synchronization to OM DB
# Set this to 'true' if you want OM to synchronize the user Ldap-password to OM's internal DB
# If you want to disable the feature, set this to any other string.
# Default value is 'true'
ldap_sync_password_to_om=false

# Ldap group mode (NONE, ATTRIBUTE, QUERY)
# NONE means group associations will be ignored
# ATTRIBUTE means group associations will be taken from 'ldap_group_attr' attribute (M$ AD mode)
# QUERY means group associations will be taken as a result of 'ldap_group_query' query
ldap_group_mode=NONE

ldap_group_query=(&(memberUid=%s)(objectClass=posixGroup))

# Ldap user attributes mapping
# Set the following internal OM user attributes to their corresponding Ldap-attribute

ldap_user_attr_login=uid
ldap_user_attr_lastname=sn
ldap_user_attr_firstname=givenName
ldap_user_attr_mail=mail
ldap_user_attr_street=streetAddress
ldap_user_attr_additionalname=description
ldap_user_attr_fax=facsimileTelephoneNumber
ldap_user_attr_zip=postalCode
ldap_user_attr_country=co
ldap_user_attr_town=l
ldap_user_attr_phone=telephoneNumber
# optional attribute for user picture
#ldap_user_attr_picture=
ldap_group_attr=memberOf

# optional, absolute URL will be used as user picture if #ldap_user_attr_picture will be empty
#ldap_user_picture_uri=picture_uri

# optional
# the timezone has to match any timezone available in Java, otherwise the timezone defined in the value of
# the conf_key "default.timezone" in OpenMeetings "configurations" table
#ldap_user_timezone=timezone

# Ldap ignore upper/lower case, convert all input to lower case
ldap_use_lower_case=false

# Ldap import query, this query should retrieve all LDAP users
ldap_import_query=(objectClass=inetOrgPerson)

--
WBR
Maxim aka solomax
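Maxim's suggestion above is to restrict the search itself to a group rather than to search the AD root. The following Python is an added example, not OpenMeetings code: it reads the `ldap_search_query` key from an om_ldap.cfg-style text, ANDs it with a `memberOf` clause for one AD group, and escapes the login before it replaces `%s`, since the thread does not show whether the application escapes it. The group DN `CN=OM-Users,OU=Groups,DC=company,DC=de`, the function names, and the use of AD's in-chain matching rule for nested groups are assumptions of this example.

```python
# Added example, not OpenMeetings code: group-restricted AD search query.
# The group DN and the nested-group matching rule are assumptions; the cfg
# keys (ldap_search_query, ldap_search_base, ldap_group_mode) are from the thread.

# AD matching rule that walks nested group membership (LDAP_MATCHING_RULE_IN_CHAIN).
IN_CHAIN_OID = "1.2.840.113556.1.4.1941"


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515 section 3)."""
    return "".join(
        "\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value
    )


def parse_om_ldap_cfg(text: str) -> dict:
    """Read key=value lines of an om_ldap.cfg-style file, ignoring comments."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, val = line.partition("=")
        cfg[key.strip()] = val.strip()
    return cfg


def group_restricted_query(search_query: str, group_dn: str, nested: bool = False) -> str:
    """AND the configured search query with a memberOf clause for one AD group.
    With nested=True the in-chain rule also matches members of groups nested
    inside group_dn, which a plain memberOf comparison does not."""
    attr = "memberOf:%s:" % IN_CHAIN_OID if nested else "memberOf"
    return "(&%s(%s=%s))" % (search_query, attr, escape_filter_value(group_dn))


def render_query(query_template: str, login: str) -> str:
    """Substitute the login for %s with filter metacharacters escaped."""
    return query_template.replace("%s", escape_filter_value(login))


# Constructed sample: the query Gerald ended up with, plus the group mode line.
SAMPLE_CFG = """\
# base to search for userdata
ldap_search_base=CN=Users,DC=company,DC=de
ldap_search_query=(userPrincipalName=%s)
ldap_group_mode=NONE
"""

if __name__ == "__main__":
    cfg = parse_om_ldap_cfg(SAMPLE_CFG)
    restricted = group_restricted_query(cfg["ldap_search_query"],
                                        "CN=OM-Users,OU=Groups,DC=company,DC=de")
    print(restricted)
    print(render_query(restricted, "gerald@company.de"))
```

This narrows who the search can match at all; `ldap_group_mode`, which the cfg comments describe as controlling group associations, is left unchanged.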