Hello,

On Mon, 13 Apr 2020 at 20:49, Rohrbach, Gerald <g.rohrb...@funkegruppe.de> wrote:
> Maxim, Orm,
>
> Finally I found the solution after reading the OpenLDAP manuals and doing some testing.
> As expected, very easy..., but it took me a while to understand the logic.
>
> Now only members of the AD group appOpenmeetings can log in.
>
> ldap_search_query=(&(userPrincipalName=%s)(memberOf=CN=appOpenMeetings,OU=Groups,DC=mydomain,DC=de))
>
> Still I have a problem with the country, which is not transferred correctly from the AD.
> But I think this is an OpenLDAP issue, not OM.
>
> I can see in the debug log that co = Deutschland is read from AD, so that's okay.
> Countrycode = 276
>
> Later on this line:
>
> WARN 04-13 15:14:35.964 o.a.o.d.u.LocaleHelper:54 [nio-5443-exec-7] - Invalid country found: DEUTSCHLAND, will be replaced with: AD

I do remember I wrote this before: OM expects the country code, NOT the country name.
If the country isn't found, the first country from the list is taken.
So OM expects LDAP to return "DE" as country, NOT "Deutschland".

> AD means Andorra, so that's wrong.
>
> AD is probably the first entry. Probably GERMANY is listed.
> I do not think the mapping is done in OM.
>
> But this is a cosmetic issue only and in OM no real problem.
> Maybe I will find a fix for that sometime.
>
> Gerald
>
> *From:* Maxim Solodovnik [mailto:solomax...@gmail.com]
> *Sent:* Monday, 13 April 2020 12:48
> *To:* Openmeetings user-list <user@openmeetings.apache.org>
> *Subject:* Re: LDAP config Manual, 1st draft - extension
>
> On Mon, Apr 13, 2020, 17:40 Rohrbach, Gerald <g.rohrb...@funkegruppe.de> wrote:
>
> I do not remember, but I have to do some testing anyway tomorrow. So I'll check.
> I have to figure out how to set it up so that only members of an AD group om-users get access to OM.
>
> Can you use SEARCHANDBIND
> and set up the search query to return results from this group only?
>
> Gerald
>
> -----Original Message-----
> From: Orm Finnendahl [mailto:orm.finnend...@selma.hfmdk-frankfurt.de]
> Sent: Monday, 13 April 2020 12:31
> To: user@openmeetings.apache.org
> Subject: Re: LDAP config Manual, 1st draft - extension
>
> Hi Gerald,
>
> thanks, I'll incorporate your suggestions into the HOWTO before
> submitting the pull request. Are the verbose debug logs also written to
> "catalina.out"?
>
> --
> Orm
>
> On Monday, 13 April 2020 at 09:20:26 (+0000), Rohrbach, Gerald wrote:
> > Orm,
> >
> > I had the same issues with LDAP. It took a long time to figure it out.
> >
> > A very good hint from Maxim was to switch debug logging on.
> > With that it was much easier. So probably it's good to add this to your documentation.
> > Somehow the LDAP config is related to how user accounts are set up in a corporation;
> > that needs some understanding of this LDAP config.
> >
> > To make logging more verbose you can
> > 1) stop OM
> > 2) add the following line to logback-config.xml: <logger name="org.apache.directory" level="DEBUG" />
> > 3) restart OM
> >
> > Here is my config; I marked changes with ##########
> >
> > #LDAP URL
> > # This is the URL used to access your LDAP server.
> > # if you want to use "ldaps://" links, please be aware that you need to import your CA certificate
> > # to a java keystore and add the -Djavax.net.ssl.keyStore, -Djavax.net.ssl.keyStorePassword,
> > # -Djavax.net.ssl.trustStore and -Djavax.net.ssl.trustStorePassword parameters to your
> > # JAVA_OPT environment
> > ldap_conn_host=DomainController.mydomain.de ##########
> >
> > ldap_conn_port=389
> > ldap_conn_secure=false
> >
> > # Login distinguished name (DN) for Authentication on LDAP Server - keep empty if not required
> > # Use full qualified LDAP DN
> > ldap_admin_dn=CN=ldapopenmeetings,OU=Users-Service-Accounts,DC=mydomain,DC=de ##########
> >
> > # Loginpass for Authentication on LDAP Server - keep empty if not required
> > ldap_passwd=#mypassword# ##########
> >
> > # base to search for userdata(of user, that wants to login)
> > ldap_search_base=DC=mydomain,DC=de ##########
> >
> > # Fieldnames (can differ between Ldap servers)
> > #
> > ldap_search_query=(uid=%s)
> > ldap_search_query=(userPrincipalName=%s) ##########
> >
> > # the scope of the search might be: OBJECT, ONELEVEL, SUBTREE
> > ldap_search_scope=SUBTREE ##########
> >
> > # Ldap auth type(NONE, SEARCHANDBIND, SIMPLEBIND)
> > # When using SIMPLEBIND a simple bind is performed on the LDAP server to check user authentication
> > # When using NONE, the Ldap server is not used for authentication
> > ldap_auth_type=SEARCHANDBIND ##########
> >
> > # userDN format, will be used to bind if ldap_auth_type=SIMPLEBIND
> > # might be used to get provisionningDn in case ldap_auth_type=NONE
> > #
> > ldap_userdn_format=uid=%s,CN=Users,DC=mydomain,DC=de
> > ldap_userdn_format=userPrincipalName=%s,CN=Users,DC=mydomain,DC=de ##########
> >
> > # Ldap provisioning type(NONE, AUTOCREATE, AUTOUPDATE)
> > ldap_provisionning=AUTOCREATE ##########
> >
> > # Ldap deref mode (never, searching, finding, always)
> > ldap_deref_mode=always
> >
> > # Set this to 'true' if you want to use admin_dn to get user attributes
> > # If any other value is set, user_dn will be used
> > ldap_use_admin_to_get_attrs=true
> >
> > # Ldap-password synchronization to OM DB
> > # Set this to 'true' if you want OM to synchronize the user Ldap-password to OM's internal DB
> > # If you want to disable the feature, set this to any other string.
> > # Default value is 'true'
> > ldap_sync_password_to_om=true ##########
> >
> > # Ldap group mode (NONE, ATTRIBUTE, QUERY)
> > # NONE means group associations will be ignored
> > # ATTRIBUTE means group associations will be taken from 'ldap_group_attr' attribute (M$ AD mode)
> > # QUERY means group associations will be taken as a result of 'ldap_group_query' query
> > ldap_group_mode=NONE
> >
> > ldap_group_query=(&(memberUid=%s)(objectClass=posixGroup))
> >
> > # Ldap user attributes mapping
> > # Set the following internal OM user attributes to their corresponding Ldap-attribute
> > ldap_user_attr_login=sAMAccountName ##########
> > ldap_user_attr_lastname=sn
> > ldap_user_attr_firstname=givenName
> > ldap_user_attr_mail=mail
> > ldap_user_attr_street=streetAddress
> > ldap_user_attr_additionalname=description
> > ldap_user_attr_fax=facsimileTelephoneNumber
> > ldap_user_attr_zip=postalCode
> > ldap_user_attr_country=co
> > ldap_user_attr_town=l
> > ldap_user_attr_phone=telephoneNumber
> > # optional attribute for user picture
> > #ldap_user_attr_picture=
> > ldap_group_attr=memberOf
> >
> > # optional, absolute URL will be used as user picture if
> > #ldap_user_attr_picture will be empty
> > #ldap_user_picture_uri=picture_uri
> >
> > # optional
> > # the timezone has to match any timezone available in Java, otherwise the timezone defined in the value of
> > # the conf_key "default.timezone" in OpenMeetings "configurations" table
> > #ldap_user_timezone=timezone
> >
> > # Ldap ignore upper/lower case, convert all input to lower case
> > ldap_use_lower_case=false
> >
> > # Ldap import query, this query should retrieve all LDAP users
> > ldap_import_query=(objectClass=inetOrgPerson)
> >
> > From: Maxim Solodovnik [mailto:solomax...@gmail.com]
> > Sent: Monday, 13 April 2020 05:53
> > To: Openmeetings user-list <user@openmeetings.apache.org>
> > Subject: Re: LDAP config Manual, 1st draft
> >
> > Hello Orm,
> >
> > On Mon, 13 Apr 2020 at 03:20, Orm Finnendahl <orm.finnend...@selma.hfmdk-frankfurt.de> wrote:
> > Hi,
> >
> > I made a draft of a LDAP config howto and uploaded it here for review:
> >
> > https://selma.hfmdk-frankfurt.de/howtos/OM-ldap-howto.html
> >
> > I hope it's not too verbose, but since I had problems figuring out the
> > ldap config in OM from the docs found online I tried to write up
> > something in a way that even somebody like me with little ldap
> > experience and knowledge would've understood without having to ask
> > this mailing list and spend a lot of time trying to figure it out.
> >
> > I already forked the OM github repo and can issue a pull request, but
> > I'm unsure about the preferred format of the document (XML, MD, pdf?).
> > Please let me know what you'd prefer. The original is in org format
> > but I can provide any format.
> >
> > I love PRs :)))
> > The current version is here
> > https://github.com/apache/openmeetings/blob/master/openmeetings-server/src/site/xdoc/LdapAndADS.xml
> > Please create LdapAndADS.md in
> > https://github.com/apache/openmeetings/tree/master/openmeetings-server/src/site/markdown
> > Feel free to re-use any part of the original instructions :)
> > We can discuss contents during PR review :))
> >
> > As I read about the manual draft for OM 5 on this mailing list, feel
> > free to incorporate this in case it isn't already present or needs
> > improvement. I'd be willing to do it myself if you find it useful and
> > someone provides access for me to the current state.
> >
> > User Manual is here
> > https://cwiki.apache.org/confluence/display/OPENMEETINGS/OpenMeetings+5+Manual
> > Please tell me your Confluence ID and I'll grant you permissions (not sure how those binary files can be edited :((( )
> >
> > --
> > Orm
> >
> > --
> > Best regards,
> > Maxim

--
Best regards,
Maxim
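On the country problem: Maxim says OM expects the ISO code ("DE"), while Gerald's config maps the country to AD's co attribute, which holds the country's display name. Active Directory stores the same choice three times: co (text name, "Deutschland"), c (ISO 3166-1 alpha-2, "DE") and countryCode (ISO 3166-1 numeric; 276 is Germany, the value in Gerald's debug log). The fragment below is an added configuration example, not from the thread or the OM project, showing the posted mapping beside the one that returns the form OM expects. It assumes the accounts have c populated, which is the case when the country was chosen on the Address tab in Active Directory Users and Computers, since that fills c, co and countryCode together.

```properties
# As posted: co is AD's country *name* ("Deutschland"). LocaleHelper cannot match it
# and substitutes the first entry of OM's country list (AD, Andorra), as the WARN line shows.
#ldap_user_attr_country=co

# ISO 3166-1 alpha-2 code ("DE"), the form Maxim says OM expects.
ldap_user_attr_country=c
```

Two caveats from the rest of the posted config. With ldap_provisionning=AUTOCREATE the attributes are, as far as the option names suggest, copied when the OM user is first created, so users already provisioned with Andorra would keep it until re-imported or updated; this is an assumption about OM's provisioning behaviour, not something the thread states. And the config keeps ldap_conn_port=389 with ldap_conn_secure=false: with SEARCHANDBIND both the ldapopenmeetings service-account bind and the user's own bind travel over that connection in the clear, which is what the ldaps:// keystore notes in the config comments are there to avoid.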
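Two points from the thread are worth seeing in running code: the group-restricted ldap_search_query Gerald ended up with, and what the %s in that query does to the filter depending on whether the login is escaped. The following is an added example, not OpenMeetings code and not from anyone in the thread. It builds the same filter shape, escapes the substituted login per RFC 4515, and evaluates the result offline with a small filter parser against constructed AD-like entries. The group DN is the one from Gerald's query; the sample accounts (gerald, orm, guest) are invented; how OM itself substitutes %s is not shown on this page, so treat the escaping step as what a safe substitution looks like rather than a statement about OM's code.

```python
# Added example, not OpenMeetings code: build the group-restricted search filter
# from the thread, escape the login substituted for %s (RFC 4515) and evaluate the
# filter offline against constructed AD-like entries. The group DN is the one from
# Gerald's ldap_search_query; the sample accounts are invented.
import re

# RFC 4515: these characters must be hex-escaped inside an assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

GROUP_DN = "CN=appOpenMeetings,OU=Groups,DC=mydomain,DC=de"
# Same shape as the posted ldap_search_query; %s is replaced by the login at search time.
SEARCH_QUERY = "(&(userPrincipalName=%s)(memberOf=" + GROUP_DN + "))"

def escape_filter_value(value: str) -> str:
    """Escape a value so it is matched literally when substituted into a filter."""
    return "".join(_ESCAPES.get(c, c) for c in value)

def build_search_filter(login: str, escape: bool = True) -> str:
    """Substitute the login for %s; escape=False shows what raw substitution yields."""
    return SEARCH_QUERY.replace("%s", escape_filter_value(login) if escape else login)

# Minimal RFC 4515 parser: and / or / not, equality, presence and substring items.
def parse_filter(text: str):
    """Parse a filter into ('&'|'|', [subs]), ('!', sub) or ('=', attr, value)."""
    node, pos = _parse(text, 0)
    if pos != len(text):
        raise ValueError("trailing characters after filter")
    return node

def _expect(text: str, pos: int, ch: str) -> int:
    if pos >= len(text) or text[pos] != ch:
        raise ValueError("expected %r at offset %d" % (ch, pos))
    return pos + 1

def _parse(text: str, pos: int):
    pos = _expect(text, pos, "(")
    if pos < len(text) and text[pos] in "&|":
        op, pos, subs = text[pos], pos + 1, []
        while pos < len(text) and text[pos] == "(":
            sub, pos = _parse(text, pos)
            subs.append(sub)
        return (op, subs), _expect(text, pos, ")")
    if pos < len(text) and text[pos] == "!":
        sub, pos = _parse(text, pos + 1)
        return ("!", sub), _expect(text, pos, ")")
    end = text.find(")", pos)  # a raw ')' never occurs inside a properly escaped value
    attr, eq, value = text[pos:end].partition("=")
    if end < 0 or not eq or not re.fullmatch(r"[A-Za-z][\w.;-]*", attr):
        raise ValueError("malformed item at offset %d" % pos)  # >=, <=, ~= not supported
    return ("=", attr.lower(), value), end + 1

def _value_pattern(value: str):
    """Assertion value to regex: an unescaped '*' is a wildcard, \\XX is one literal char."""
    parts, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 2 < len(value):
            parts.append(re.escape(chr(int(value[i + 1:i + 3], 16))))
            i += 3
        else:
            parts.append(".*" if value[i] == "*" else re.escape(value[i]))
            i += 1
    return re.compile("".join(parts), re.IGNORECASE | re.DOTALL)

def matches(node, entry: dict) -> bool:
    """Evaluate a parsed filter against {attr: [values]} with lower-cased attribute names."""
    kind = node[0]
    if kind == "&":
        return all(matches(s, entry) for s in node[1])
    if kind == "|":
        return any(matches(s, entry) for s in node[1])
    if kind == "!":
        return not matches(node[1], entry)
    _, attr, value = node
    values = entry.get(attr, [])
    if value == "*":  # presence filter
        return bool(values)
    pattern = _value_pattern(value)
    return any(pattern.fullmatch(v) for v in values)

# Constructed sample directory (not real accounts): two group members and one outsider.
DIRECTORY = [
    {"userPrincipalName": ["gerald@mydomain.de"], "sAMAccountName": ["gerald"],
     "memberOf": [GROUP_DN, "CN=Domain Users,CN=Users,DC=mydomain,DC=de"]},
    {"userPrincipalName": ["orm@mydomain.de"], "sAMAccountName": ["orm"],
     "memberOf": [GROUP_DN]},
    {"userPrincipalName": ["guest@mydomain.de"], "sAMAccountName": ["guest"],
     "memberOf": ["CN=Domain Users,CN=Users,DC=mydomain,DC=de"]},
]

def find_users(login: str, escape: bool = True) -> list:
    """Return the sAMAccountName of every entry matched by the filter built from login."""
    node = parse_filter(build_search_filter(login, escape))
    return [e["sAMAccountName"][0] for e in DIRECTORY
            if matches(node, {k.lower(): v for k, v in e.items()})]
```

With these entries, find_users("gerald@mydomain.de") returns ['gerald'], find_users("guest@mydomain.de") returns [] because the memberOf clause drops the outsider, find_users("*", escape=False) returns ['gerald', 'orm'] because a raw asterisk turns the userPrincipalName clause into a presence test that every group member satisfies, and find_users("*") returns [] because the escaped \2a is a literal character. That last pair is the reason the value put in place of %s has to be escaped before it reaches the server, whatever software does the substitution.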