Re: [gitorious] Gitorious & Active Directory (Windows 2008 R2 domain)

2013-03-21 Thread Bobby
Thanks Ken, I'll give this a try over the weekend.  I appreciate your help. 
 

Bobby

On Tuesday, March 19, 2013 2:00:55 PM UTC-4, Ken Dreyer wrote:
>
> Hi Bobbie, 
>
> You may be able to get more information out of the production.log 
> file. Here's some things to check: 
>
> On Mon, Mar 11, 2013 at 2:37 PM, Bobby wrote: 
> > When trying to authenticate through the web interface, I have tried the 
> > following options below and keep getting the error message "Email and/or 
> > password did not match, please try again: 
> > 
> > 1) DOMAIN\username 
> > 2) username by itself 
> > 3) username@domain.local 
>
> You'll only want to use #2, "username by itself". I'm pretty sure you 
> can't authenticate to LDAP with the older-style "DOMAIN\username", and 
> for #3, I'm not sure Gitorious supports "@" signs in usernames. During 
> an LDAP login, the username will be substituted for the "{}" bit of 
> the distinguished_name_template setting, and that should include the 
> "@" sign for you. 
>
>
> > Can someone please tell me what I might be doing wrong here? My 
> > authentication.yml file is below: 
>
> [snip] 
>
> >   # IP/hostname to LDAP server 
> >   host: dc.domain.local 
>
> Hopefully this is the fully-qualified name of your domain controller? 
>
>
> >   # Override the default port (389) 
> >   #port: 1999 
> > 
> >   # The base DN to search 
> >   base_dn: DC=domain,DC=local 
>
> Hopefully this is correct base DN for your LDAP setup? 
>
>
> >   # The base DN when searching for groups (for authorization) 
> >   # If unspecified, base_dn is used 
> >   # group_search_dn: OU=groups,dc=gitorious,dc=org 
> > 
> >   # What LDAP attribute to use for user authentication. Default is CN 
> >   #login_attribute: uid 
>
> Do your users have "uid" attributes on their accounts? You probably 
> want to use "samaccountname" instead for Active Directory. 
>
> >   # How to build a user's DN. Default: $LOGIN_ATTRIBUTE={},$BASE_DN, 
> >   # e.g. CN=chris,DC=gitorious,DC=org 
> >   distinguished_name_template: "{}@domain.local" 
>
> This needs to match the "userPrincipalName" attribute on any AD 
> account. So you should check in ADUC or ADSI Edit or whatever that 
> this domain matches the userPrincipalName attribute on your account. 
>
> >   # Map LDAP fields to database fields. 
> >   # Default: displayname => fullname, mail => email 
> >   # attribute_mapping: 
> >   #   givenName: fullname 
> >   #   publicEmail: email 
>
> This probably needs to be adjusted, because "givenName" and 
> "publicEmail" attributes probably don't exist in your AD schema. 
> Here's what I use with my AD setup: 
>
>   attribute_mapping: 
>     cn: fullname 
>     mail: email 
>
> >   # See Net-LDAP for other options, or use "none" for no encryption. 
> >   # Defaults to "simple_tls" if not set. 
> >   encryption: none 
>
> Please note this is not secure, and once you get the other pieces 
> working, you should change it as soon as possible :) 
>
>
> >   # A class/object that will be called after successful authentication 
> >   # through LDAP. Will be "constantized", post_authenticate will be called 
> >   # with an options hash. See LdapAuthenticationTest. 
> >   #callback_class: SampleCallback 
> > 
> >   # Specify a username/password to use for authenticated bind 
> >   # NOTE: This is required when using LDAP for authorization 
> >   bind_user: 
> >     username: ldap_svc@domain.local 
> >     password: ldap_svc_password 
>
> If you're at a dead end, you may want to comment out the bind_user 
> section while you're troubleshooting. It shouldn't affect simple 
> password authentication for users, and you can add it back in when 
> you've got the password auth working. 
>
> If you still have problems, I recommend doing a test with "ldapsearch 
> -x -W ..." just to confirm that you can properly authenticate to AD 
> from your system. 
>
> - Ken 
>

-- 
-- 
To post to this group, send email to gitorious@googlegroups.com
To unsubscribe from this group, send email to
gitorious+unsubscr...@googlegroups.com

--- 
You received this message because you are subscribed to the Google Groups 
"Gitorious" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to gitorious+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.




Re: [gitorious] Gitorious & Active Directory (Windows 2008 R2 domain)

2013-03-19 Thread Ken Dreyer
Hi Bobbie,

You may be able to get more information out of the production.log
file. Here's some things to check:

On Mon, Mar 11, 2013 at 2:37 PM, Bobby  wrote:
> When trying to authenticate through the web interface, I have tried the
> following options below and keep getting the error message "Email and/or
> password did not match, please try again:
>
> 1) DOMAIN\username
> 2) username by itself
> 3) username@domain.local

You'll only want to use #2, "username by itself". I'm pretty sure you
can't authenticate to LDAP with the older-style "DOMAIN\username", and
for #3, I'm not sure Gitorious supports "@" signs in usernames. During
an LDAP login, the username will be substituted for the "{}" bit of
the distinguished_name_template setting, and that should include the
"@" sign for you.


> Can someone please tell me what I might be doing wrong here? My
> authentication.yml file is below:

[snip]

>   # IP/hostname to LDAP server
>   host: dc.domain.local

Hopefully this is the fully-qualified name of your domain controller?


>   # Override the default port (389)
>   #port: 1999
>
>   # The base DN to search
>   base_dn: DC=domain,DC=local

Hopefully this is correct base DN for your LDAP setup?


>   # The base DN when searching for groups (for authorization)
>   # If unspecified, base_dn is used
>   # group_search_dn: OU=groups,dc=gitorious,dc=org
>
>   # What LDAP attribute to use for user authentication. Default is CN
>   #login_attribute: uid

Do your users have "uid" attributes on their accounts? You probably
want to use "samaccountname" instead for Active Directory.

>   # How to build a user's DN. Default: $LOGIN_ATTRIBUTE={},$BASE_DN,
>   # e.g. CN=chris,DC=gitorious,DC=org
>   distinguished_name_template: "{}@domain.local"

This needs to match the "userPrincipalName" attribute on any AD
account. So you should check in ADUC or ADSI Edit or whatever that
this domain matches the userPrincipalName attribute on your account.

>   # Map LDAP fields to database fields.
>   # Default: displayname => fullname, mail => email
>   # attribute_mapping:
>   #   givenName: fullname
>   #   publicEmail: email

This probably needs to be adjusted, because "givenName" and
"publicEmail" attributes probably don't exist in your AD schema.
Here's what I use with my AD setup:

  attribute_mapping:
    cn: fullname
    mail: email

>   # See Net-LDAP for other options, or use "none" for no encryption.
>   # Defaults to "simple_tls" if not set.
>   encryption: none

Please note this is not secure, and once you get the other pieces
working, you should change it as soon as possible :)


>   # A class/object that will be called after successful authentication
>   # through LDAP. Will be "constantized", post_authenticate will be called
>   # with an options hash. See LdapAuthenticationTest.
>   #callback_class: SampleCallback
>
>   # Specify a username/password to use for authenticated bind
>   # NOTE: This is required when using LDAP for authorization
>   bind_user:
>     username: ldap_svc@domain.local
>     password: ldap_svc_password

If you're at a dead end, you may want to comment out the bind_user
section while you're troubleshooting. It shouldn't affect simple
password authentication for users, and you can add it back in when
you've got the password auth working.

If you still have problems, I recommend doing a test with "ldapsearch
-x -W ..." just to confirm that you can properly authenticate to AD
from your system.

- Ken
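
Added example, not part of the original messages and not Gitorious code: a Ruby check that applies the points raised in this thread (the "{}" substitution, "encryption: none", "login_attribute: uid") to an authentication.yml. `bind_name` models the substitution as it is described above, which is an assumption about Gitorious internals; `lint_adapter`, `lint_config`, `KNOWN_KEYS`, the login "bobby" and the sample YAML are constructed for illustration.

```ruby
require "yaml"

# Keys that appear in the sample authentication.yml quoted in this thread.
KNOWN_KEYS = %w[
  adapter host port base_dn group_search_dn login_attribute
  distinguished_name_template attribute_mapping encryption callback_class
  bind_user membership_attribute_name members_attribute_name cache_expiry
].freeze

# Constructed input: two LDAP adapter entries modelled on the configs posted
# in the threads, re-indented so they parse; the password is a placeholder.
SAMPLE = <<~CONFIG
  production:
    disable_default: true
    methods:
      - adapter: Gitorious::Authentication::LDAPAuthentication
        host: dc.domain.local
        base_dn: DC=domain,DC=local
        distinguished_name_template: "{}@domain.local"
        encryption: none
      - adapter: Gitorious::Authentication::LDAPAuthentication
        host: the.domain.controller
        port: 389
        base_dn: DC=wdtinc,DC=com
        bind_username: administrator@domaincontroller
        bind_password: PLACEHOLDER
        login_attribute: uid
        distinguished_name_template: "CN=Users,DC=thedomain,DC=com"
        encryption: none
CONFIG

# Model of the substitution described in the thread: the login replaces "{}".
# The block form keeps a backslash in the login (DOMAIN\user) literal.
def bind_name(template, login)
  template.sub("{}") { login }
end

# Findings for one adapter hash (hypothetical helper, not a Gitorious API).
def lint_adapter(cfg)
  findings = []
  template = cfg["distinguished_name_template"]
  if template && !template.include?("{}")
    findings << "template has no {} placeholder, so the login is never inserted"
  end
  if cfg["encryption"].to_s == "none"
    findings << "encryption: none sends the bind password unencrypted"
  end
  if cfg["login_attribute"].to_s.casecmp?("uid")
    findings << "login_attribute uid: the thread suggests samaccountname for AD"
  end
  unknown = cfg.keys - KNOWN_KEYS
  findings << "keys not in the sample file: #{unknown.join(', ')}" unless unknown.empty?
  findings
end

# Lint every adapter listed under `methods` for one RAILS_ENV section.
def lint_config(yaml_text, env = "production")
  YAML.safe_load(yaml_text).fetch(env).fetch("methods", []).map { |cfg| lint_adapter(cfg) }
end

if __FILE__ == $PROGRAM_NAME
  lint_config(SAMPLE).each_with_index do |findings, i|
    puts "adapter #{i + 1}: #{findings.empty? ? 'no findings' : findings.join('; ')}"
  end
  ["bobby", "bobby@domain.local", "DOMAIN\\bobby"].each do |login|
    puts "#{login.inspect} binds as #{bind_name('{}@domain.local', login)}"
  end
end
```

Under this model, typing the full "username@domain.local" at the login form doubles the domain suffix, and a template without "{}" produces the same bind name for every user.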





[gitorious] Gitorious & Active Directory (Windows 2008 R2 domain)

2013-03-14 Thread Bobby
Hello,

I've installed Gitorious on a CentOS 6.3 system using the install script 
last week. I've been trying to get Active Directory authentication to work 
for the last few days with no luck.  I keep getting "Not there yet." with 
the LDAP test script.   We are running Windows 2008 R2 domain controllers 
in our environment.  

When trying to authenticate through the web interface, I have tried the 
following options below and keep getting the error message "Email and/or 
password did not match, please try again:

1) DOMAIN\username
2) username by itself
3) username@domain.local

Can someone please tell me what I might be doing wrong here? My 
authentication.yml file is below:


# Configure authentication by saving this file as authentication.yml One section
# for each RAILS_ENV, like database.yml
#
# If you just want straight database backed authentication you don't need this
# file at all.
#
#development:
production:
  # Disable database authentication altogether
  disable_default: true

  # Disable OpenID authentication by uncommenting the next line. It's on by default
  enable_openid: false

  # additional methods, an array of hashes
  methods:
    # An adapter is a class that implements an authentication mechanism. You
    # can roll your own, or use one of Gitorious' prepackaged ones.
    # Available implementations are:
    # Gitorious::Authentication::LDAPAuthentication
    # Gitorious::Authentication::Crowd

    # Example of configuring LDAP authentication
    - adapter: Gitorious::Authentication::LDAPAuthentication

      # IP/hostname to LDAP server
      host: dc.domain.local

      # Override the default port (389)
      #port: 1999

      # The base DN to search
      base_dn: DC=domain,DC=local

      # The base DN when searching for groups (for authorization)
      # If unspecified, base_dn is used
      # group_search_dn: OU=groups,dc=gitorious,dc=org

      # What LDAP attribute to use for user authentication. Default is CN
      #login_attribute: uid

      # How to build a user's DN. Default: $LOGIN_ATTRIBUTE={},$BASE_DN,
      # e.g. CN=chris,DC=gitorious,DC=org
      distinguished_name_template: "{}@domain.local"

      # Map LDAP fields to database fields.
      # Default: displayname => fullname, mail => email
      # attribute_mapping:
      #   givenName: fullname
      #   publicEmail: email

      # See Net-LDAP for other options, or use "none" for no encryption.
      # Defaults to "simple_tls" if not set.
      encryption: none

      # A class/object that will be called after successful authentication
      # through LDAP. Will be "constantized", post_authenticate will be called
      # with an options hash. See LdapAuthenticationTest.
      #callback_class: SampleCallback

      # Specify a username/password to use for authenticated bind
      # NOTE: This is required when using LDAP for authorization
      bind_user:
        username: ldap_svc@domain.local
        password: ldap_svc_password

      # When using LDAP authorization: which attribute in a user
      # record specifies groups a user is member of
      # This will depend on your schema/LDAP server implementation
      # but in 9/10 cases, it will be memberof
      #membership_attribute_name: memberof

      # When using LDAP authorization: which attribute in a group
      # record specifies users that are member of the group
      # This will depend on your  LDAP schema, but will usually be
      # member or uniquemember
      #members_attribute_name: member

      # To increase performance, Gitorious supports caching the result
      # of group lookups. Enter how many minutes these results should
      # be cached, default is 0 (no caching)
      #cache_expiry: 60

    # End LDAP configuration example
---





Re: [gitorious] Gitorious+Active Directory

2012-12-17 Thread vanna
I had the same issue trying AD with Gitorious.

Use Active Directory Explorer (or a similar tool for your LDAP server) and 
compare the path to your user with the path printed by the test_ldap_connection 
script (if this script is not printing the debugging path then you need to do 
the update as Marius is pointing out).

Change distinguished_name_template in authentication.yml and it should 
work. Works for me at least ;)

On Monday, December 10, 2012 11:50:17 AM UTC+1, Phuong Doan wrote:
>
> hi Marius,
> I'm in same situation with above guy, and I installed gitorious from 
> mainline.
> Tried your advice, no luck. My code is up to date already
>
> Best regards
>
> On Tuesday, October 16, 2012 4:00:05 PM UTC+7, Marius Mårnes Mathiesen 
> wrote:
>>
>> On Mon, Oct 15, 2012 at 8:55 PM, DevOps  wrote:
>>
>>> Hello Everyone,
>>>
>>> I have read the various LDAP and AD threads regarding this topic, 
>>> followed instructions, ensured the latest version is being run, and 
>>> re-installed several times using different methods without any success.
>>>
>>> I am trying to integrate gitorious with a Windows 2008 active directory 
>>> on Cent6.3 installed via the scripted installer from getgetorious.org.
>>>
>>> Here is my authentication.yml as suggested:
>>> production:
>>>   disable_default: true
>>>   methods:
>>>     - adapter: Gitorious::Authentication::LDAPAuthentication
>>>       host: the.domain.controller
>>>       port: 389
>>>       base_dn: DC=wdtinc,DC=com
>>>       bind_username: administrator@domaincontroller
>>>       bind_password: B1indingP@Sw0rd!
>>>       user_filter:
>>>       username_attribute: sAMAccountName
>>>       encryption: none
>>>       login_attribute: uid
>>>       distinguished_name_template: "CN=Users,DC=thedomain,DC=com"
>>>       attribute_mapping:
>>>         mail: email
>>>
>>> I've also tried various distinguished_name_templates such as: 
>>> uid={}@mydomain.com, uid={}. CN={}. $BASE_DN to no avail.
>>>
>>> Here is what the script/test_ldap_connection says:
>>> [root@gitorious app]# export RAILS_ENV=production; bundle exec 
>>> script/test_ldap_connection ddu...@thedomain.com *
>>> Not there yet.
>>> script/test_ldap_connection:22: private method `build_username' called 
>>> for # 
>>> (NoMethodError)
>>>
>>> And whenever I try to login the authentication is simply rejected. I 
>>> know my domain settings are correct as other things have been successfully 
>>> integrated such as sugarcrm, dokuwiki, nexus, jenkins.. 
>>>
>>> Please advise and thanks in advance.
>>>
>>
>> Devon,
>> We made some changes in Gitorious' LDAP support quite recently, and the 
>> installer will pull a version of Gitorious which doesn't include this. 
>> Would you mind trying to check out the master branch on your server and try 
>> it from there? The steps involved would be:
>>
>> - cd /var/www/gitorious/app
>> - git pull origin master
>> - bundle install
>> - RAILS_ENV=production bundle exec rake db:migrate
>> - touch tmp/restart.txt
>>
>> Then try again and let us know what happens.
>>
>> Cheers,
>> - Marius
>>
>



Re: [gitorious] Gitorious+Active Directory

2012-12-10 Thread Phuong Doan
hi Marius,
I'm in same situation with above guy, and I installed gitorious from 
mainline.
Tried your advice, no luck. My code is up to date already

Best regards

On Tuesday, October 16, 2012 4:00:05 PM UTC+7, Marius Mårnes Mathiesen 
wrote:
>
> On Mon, Oct 15, 2012 at 8:55 PM, DevOps wrote:
>
>> Hello Everyone,
>>
>> I have read the various LDAP and AD threads regarding this topic, 
>> followed instructions, ensured the latest version is being run, and 
>> re-installed several times using different methods without any success.
>>
>> I am trying to integrate gitorious with a Windows 2008 active directory 
>> on Cent6.3 installed via the scripted installer from getgetorious.org.
>>
>> Here is my authentication.yml as suggested:
>> production:
>>   disable_default: true
>>   methods:
>>     - adapter: Gitorious::Authentication::LDAPAuthentication
>>       host: the.domain.controller
>>       port: 389
>>       base_dn: DC=wdtinc,DC=com
>>       bind_username: administrator@domaincontroller
>>       bind_password: B1indingP@Sw0rd!
>>       user_filter:
>>       username_attribute: sAMAccountName
>>       encryption: none
>>       login_attribute: uid
>>       distinguished_name_template: "CN=Users,DC=thedomain,DC=com"
>>       attribute_mapping:
>>         mail: email
>>
>> I've also tried various distinguished_name_templates such as: 
>> uid={}@mydomain.com, uid={}. CN={}. $BASE_DN to no avail.
>>
>> Here is what the script/test_ldap_connection says:
>> [root@gitorious app]# export RAILS_ENV=production; bundle exec 
>> script/test_ldap_connection ddu...@thedomain.com  *
>> Not there yet.
>> script/test_ldap_connection:22: private method `build_username' called 
>> for # 
>> (NoMethodError)
>>
>> And whenever I try to login the authentication is simply rejected. I know 
>> my domain settings are correct as other things have been successfully 
>> integrated such as sugarcrm, dokuwiki, nexus, jenkins.. 
>>
>> Please advise and thanks in advance.
>>
>
> Devon,
> We made some changes in Gitorious' LDAP support quite recently, and the 
> installer will pull a version of Gitorious which doesn't include this. 
> Would you mind trying to check out the master branch on your server and try 
> it from there? The steps involved would be:
>
> - cd /var/www/gitorious/app
> - git pull origin master
> - bundle install
> - RAILS_ENV=production bundle exec rake db:migrate
> - touch tmp/restart.txt
>
> Then try again and let us know what happens.
>
> Cheers,
> - Marius
>



Re: [gitorious] Gitorious+Active Directory

2012-10-16 Thread Marius Mårnes Mathiesen
On Mon, Oct 15, 2012 at 8:55 PM, DevOps  wrote:

> Hello Everyone,
>
> I have read the various LDAP and AD threads regarding this topic, followed
> instructions, ensured the latest version is being run, and re-installed
> several times using different methods without any success.
>
> I am trying to integrate gitorious with a Windows 2008 active directory on
> Cent6.3 installed via the scripted installer from getgetorious.org.
>
> Here is my authentication.yml as suggested:
> production:
>   disable_default: true
>   methods:
>     - adapter: Gitorious::Authentication::LDAPAuthentication
>       host: the.domain.controller
>       port: 389
>       base_dn: DC=wdtinc,DC=com
>       bind_username: administrator@domaincontroller
>       bind_password: B1indingP@Sw0rd!
>       user_filter:
>       username_attribute: sAMAccountName
>       encryption: none
>       login_attribute: uid
>       distinguished_name_template: "CN=Users,DC=thedomain,DC=com"
>       attribute_mapping:
>         mail: email
>
> I've also tried various distinguished_name_templates such as:
> uid={}@mydomain.com, uid={}. CN={}. $BASE_DN to no avail.
>
> Here is what the script/test_ldap_connection says:
> [root@gitorious app]# export RAILS_ENV=production; bundle exec
> script/test_ldap_connection ddun...@thedomain.com *
> Not there yet.
> script/test_ldap_connection:22: private method `build_username' called for
> #
> (NoMethodError)
>
> And whenever I try to login the authentication is simply rejected. I know
> my domain settings are correct as other things have been successfully
> integrated such as sugarcrm, dokuwiki, nexus, jenkins..
>
> Please advise and thanks in advance.
>

Devon,
We made some changes in Gitorious' LDAP support quite recently, and the
installer will pull a version of Gitorious which doesn't include this.
Would you mind trying to check out the master branch on your server and try
it from there? The steps involved would be:

- cd /var/www/gitorious/app
- git pull origin master
- bundle install
- RAILS_ENV=production bundle exec rake db:migrate
- touch tmp/restart.txt

Then try again and let us know what happens.

Cheers,
- Marius



[gitorious] Gitorious+Active Directory

2012-10-16 Thread DevOps
Hello Everyone,

I have read the various LDAP and AD threads regarding this topic, followed 
instructions, ensured the latest version is being run, and re-installed 
several times using different methods without any success.

I am trying to integrate gitorious with a Windows 2008 active directory on 
Cent6.3 installed via the scripted installer from getgetorious.org.

Here is my authentication.yml as suggested:
production:
  disable_default: true
  methods:
    - adapter: Gitorious::Authentication::LDAPAuthentication
      host: the.domain.controller
      port: 389
      base_dn: DC=wdtinc,DC=com
      bind_username: administrator@domaincontroller
      bind_password: B1indingP@Sw0rd!
      user_filter:
      username_attribute: sAMAccountName
      encryption: none
      login_attribute: uid
      distinguished_name_template: "CN=Users,DC=thedomain,DC=com"
      attribute_mapping:
        mail: email

I've also tried various distinguished_name_templates such as: 
uid={}@mydomain.com, uid={}. CN={}. $BASE_DN to no avail.

Here is what the script/test_ldap_connection says:
[root@gitorious app]# export RAILS_ENV=production; bundle exec 
script/test_ldap_connection ddun...@thedomain.com *
Not there yet.
script/test_ldap_connection:22: private method `build_username' called for 
# 
(NoMethodError)

And whenever I try to login the authentication is simply rejected. I know 
my domain settings are correct as other things have been successfully 
integrated such as sugarcrm, dokuwiki, nexus, jenkins.. 

Please advise and thanks in advance.

-Devon

