Re: [gitorious] Gitorious & Active Directory (Windows 2008 R2 domain)
Thanks Ken, I'll give this a try over the weekend. I appreciate your help.

Bobby

On Tuesday, March 19, 2013 2:00:55 PM UTC-4, Ken Dreyer wrote:
>
> Hi Bobbie,
>
> You may be able to get more information out of the production.log
> file. Here are some things to check:
>
> On Mon, Mar 11, 2013 at 2:37 PM, Bobby wrote:
> > When trying to authenticate through the web interface, I have tried the
> > following options below and keep getting the error message "Email and/or
> > password did not match, please try again":
> >
> > 1) DOMAIN\username
> > 2) username by itself
> > 3) username@domain.local
>
> You'll only want to use #2, "username by itself". I'm pretty sure you
> can't authenticate to LDAP with the older-style "DOMAIN\username", and
> for #3, I'm not sure Gitorious supports "@" signs in usernames. During
> an LDAP login, the username will be substituted for the "{}" bit of
> the distinguished_name_template setting, and that should include the
> "@" sign for you.
>
> > Can someone please tell me what I might be doing wrong here? My
> > authentication.yml file is below:
>
> [snip]
>
> > # IP/hostname to LDAP server
> > host: dc.domain.local
>
> Hopefully this is the fully-qualified name of your domain controller?
>
> > # Override the default port (389)
> > #port: 1999
> >
> > # The base DN to search
> > base_dn: DC=domain,DC=local
>
> Hopefully this is the correct base DN for your LDAP setup?
>
> > # The base DN when searching for groups (for authorization)
> > # If unspecified, base_dn is used
> > # group_search_dn: OU=groups,dc=gitorious,dc=org
> >
> > # What LDAP attribute to use for user authentication. Default is CN
> > #login_attribute: uid
>
> Do your users have "uid" attributes on their accounts? You probably
> want to use "samaccountname" instead for Active Directory.
>
> > # How to build a user's DN. Default: $LOGIN_ATTRIBUTE={},$BASE_DN,
> > # e.g. CN=chris,DC=gitorious,DC=org
> > distinguished_name_template: "{}@domain.local"
>
> This needs to match the "userPrincipalName" attribute on any AD
> account. So you should check in ADUC or ADSI Edit or whatever that
> this domain matches the userPrincipalName attribute on your account.
>
> > # Map LDAP fields to database fields.
> > # Default: displayname => fullname, mail => email
> > # attribute_mapping:
> > #   givenName: fullname
> > #   publicEmail: email
>
> This probably needs to be adjusted, because "givenName" and
> "publicEmail" attributes probably don't exist in your AD schema.
> Here's what I use with my AD setup:
>
> attribute_mapping:
>   cn: fullname
>   mail: email
>
> > # See Net-LDAP for other options, or use "none" for no encryption.
> > # Defaults to "simple_tls" if not set.
> > encryption: none
>
> Please note this is not secure, and once you get the other pieces
> working, you should change it as soon as possible :)
>
> > # A class/object that will be called after successful authentication
> > # through LDAP. Will be "constantized", post_authenticate will be called
> > # with an options hash. See LdapAuthenticationTest.
> > #callback_class: SampleCallback
> >
> > # Specify a username/password to use for authenticated bind
> > # NOTE: This is required when using LDAP for authorization
> > bind_user:
> >   username: ldap_svc@domain.local
> >   password: ldap_svc_password
>
> If you're at a dead end, you may want to comment out the bind_user
> section while you're troubleshooting. It shouldn't affect simple
> password authentication for users, and you can add it back in when
> you've got the password auth working.
>
> If you still have problems, I recommend doing a test with "ldapsearch
> -x -W ..." just to confirm that you can properly authenticate to AD
> from your system.
>
> - Ken

--
--
To post to this group, send email to gitorious@googlegroups.com
To unsubscribe from this group, send email to gitorious+unsubscr...@googlegroups.com
---
You received this message because you are subscribed to the Google Groups "Gitorious" group.
To unsubscribe from this group and stop receiving emails from it, send an email to gitorious+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.
Re: [gitorious] Gitorious & Active Directory (Windows 2008 R2 domain)
Hi Bobbie,

You may be able to get more information out of the production.log
file. Here are some things to check:

On Mon, Mar 11, 2013 at 2:37 PM, Bobby wrote:
> When trying to authenticate through the web interface, I have tried the
> following options below and keep getting the error message "Email and/or
> password did not match, please try again":
>
> 1) DOMAIN\username
> 2) username by itself
> 3) username@domain.local

You'll only want to use #2, "username by itself". I'm pretty sure you
can't authenticate to LDAP with the older-style "DOMAIN\username", and
for #3, I'm not sure Gitorious supports "@" signs in usernames. During
an LDAP login, the username will be substituted for the "{}" bit of
the distinguished_name_template setting, and that should include the
"@" sign for you.

> Can someone please tell me what I might be doing wrong here? My
> authentication.yml file is below:

[snip]

> # IP/hostname to LDAP server
> host: dc.domain.local

Hopefully this is the fully-qualified name of your domain controller?

> # Override the default port (389)
> #port: 1999
>
> # The base DN to search
> base_dn: DC=domain,DC=local

Hopefully this is the correct base DN for your LDAP setup?

> # The base DN when searching for groups (for authorization)
> # If unspecified, base_dn is used
> # group_search_dn: OU=groups,dc=gitorious,dc=org
>
> # What LDAP attribute to use for user authentication. Default is CN
> #login_attribute: uid

Do your users have "uid" attributes on their accounts? You probably
want to use "samaccountname" instead for Active Directory.

> # How to build a user's DN. Default: $LOGIN_ATTRIBUTE={},$BASE_DN,
> # e.g. CN=chris,DC=gitorious,DC=org
> distinguished_name_template: "{}@domain.local"

This needs to match the "userPrincipalName" attribute on any AD
account. So you should check in ADUC or ADSI Edit or whatever that
this domain matches the userPrincipalName attribute on your account.

> # Map LDAP fields to database fields.
> # Default: displayname => fullname, mail => email
> # attribute_mapping:
> #   givenName: fullname
> #   publicEmail: email

This probably needs to be adjusted, because "givenName" and
"publicEmail" attributes probably don't exist in your AD schema.
Here's what I use with my AD setup:

attribute_mapping:
  cn: fullname
  mail: email

> # See Net-LDAP for other options, or use "none" for no encryption.
> # Defaults to "simple_tls" if not set.
> encryption: none

Please note this is not secure, and once you get the other pieces
working, you should change it as soon as possible :)

> # A class/object that will be called after successful authentication
> # through LDAP. Will be "constantized", post_authenticate will be called
> # with an options hash. See LdapAuthenticationTest.
> #callback_class: SampleCallback
>
> # Specify a username/password to use for authenticated bind
> # NOTE: This is required when using LDAP for authorization
> bind_user:
>   username: ldap_svc@domain.local
>   password: ldap_svc_password

If you're at a dead end, you may want to comment out the bind_user
section while you're troubleshooting. It shouldn't affect simple
password authentication for users, and you can add it back in when
you've got the password auth working.

If you still have problems, I recommend doing a test with "ldapsearch
-x -W ..." just to confirm that you can properly authenticate to AD
from your system.

- Ken
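Added example, not code from Gitorious or from anyone in this thread: a small Ruby script that reads the LDAP section of an authentication.yml, reproduces the "{}" substitution Ken describes to show which DN a given login would bind as, classifies the three login spellings Bobby tried, assembles the ldapsearch check Ken recommends from the same settings, and flags the configuration pitfalls raised here (encryption: none, login_attribute uid on AD, attribute names absent from the AD schema, a template with no placeholder). The sample YAML is constructed from the config posted in the thread with placeholder host and credentials, and AD_USER_ATTRIBUTES is a hypothetical allowlist chosen for this example.

```ruby
require "yaml"

# Constructed sample modelled on the authentication.yml posted in this thread;
# host, domain and bind credentials are placeholders, not real values.
SAMPLE_AUTH_YML = <<~YAML
  production:
    disable_default: true
    methods:
      - adapter: Gitorious::Authentication::LDAPAuthentication
        host: dc.domain.local
        base_dn: DC=domain,DC=local
        login_attribute: uid
        distinguished_name_template: "{}@domain.local"
        encryption: none
        attribute_mapping:
          givenName: fullname
          publicEmail: email
        bind_user:
          username: ldap_svc@domain.local
          password: ldap_svc_password
YAML

# Hypothetical allowlist for this example: attributes present on a stock AD
# user object. Anything else named in attribute_mapping deserves a second look.
AD_USER_ATTRIBUTES = %w[cn displayName givenName sn mail sAMAccountName userPrincipalName].freeze

# Pick the LDAP method out of the parsed file for one RAILS_ENV.
def ldap_method(yaml_text, env = "production")
  cfg = YAML.safe_load(yaml_text)
  cfg.fetch(env).fetch("methods", []).find do |m|
    m["adapter"].to_s.end_with?("LDAPAuthentication")
  end
end

# The substitution Ken describes: the typed login replaces "{}" in the template.
# Falls back to the default template quoted in the config comments.
def build_dn(method, login)
  template = method["distinguished_name_template"].to_s
  if template.empty?
    template = "#{method.fetch('login_attribute', 'CN')}={},#{method.fetch('base_dn')}"
  end
  template.gsub("{}", login)
end

# Classify the three login spellings tried in the thread; nil means "fine".
def login_form_problem(login)
  return "DOMAIN\\username is not an LDAP login; type the bare username" if login.include?("\\")
  return "leave off @domain; distinguished_name_template appends it" if login.include?("@")
  nil
end

# The "ldapsearch -x -W" check Ken suggests, assembled from the same config so
# the bind DN under test is exactly the one Gitorious would use. Returned as an
# argv array, ready for Kernel#system(*argv); -W prompts for the password.
def ldapsearch_command(method, login)
  uri = "ldap://#{method.fetch('host')}:#{method.fetch('port', 389)}"
  attr = method.fetch("login_attribute", "CN")
  ["ldapsearch", "-x", "-W", "-H", uri, "-D", build_dn(method, login),
   "-b", method.fetch("base_dn"), "(#{attr}=#{login})"]
end

# Static checks for the pitfalls raised in the thread.
def lint(method)
  findings = []
  template = method["distinguished_name_template"].to_s
  if !template.empty? && !template.include?("{}")
    findings << "distinguished_name_template has no {} placeholder, so every user would bind as the same DN"
  end
  if method["login_attribute"].to_s.casecmp("uid").zero?
    findings << "login_attribute uid is normally empty in AD; sAMAccountName is the usual choice"
  end
  if method.fetch("encryption", "simple_tls").to_s == "none"
    findings << "encryption: none sends user and bind passwords in cleartext"
  end
  (method["attribute_mapping"] || {}).each_key do |attr|
    unless AD_USER_ATTRIBUTES.any? { |a| a.casecmp(attr).zero? }
      findings << "attribute_mapping references #{attr}, which is not a stock AD user attribute"
    end
  end
  if method["bind_user"]
    findings << "bind_user password is stored in cleartext; keep authentication.yml readable only by the Gitorious user"
  end
  findings
end

if __FILE__ == $PROGRAM_NAME
  m = ldap_method(SAMPLE_AUTH_YML)
  puts "bind DN for 'bobby': #{build_dn(m, 'bobby')}"
  ["DOMAIN\\bobby", "bobby", "bobby@domain.local"].each do |l|
    puts "#{l}: #{login_form_problem(l) || 'ok'}"
  end
  puts ldapsearch_command(m, "bobby").join(" ")
  lint(m).each { |f| puts "- #{f}" }
end
```

Run it against a real authentication.yml by replacing SAMPLE_AUTH_YML with File.read of the file; the ldapsearch argv it prints binds with the same DN Gitorious derives, so a failure there is a directory or template problem rather than a Gitorious one. The allowlist check is intentionally case-insensitive because AD attribute names are matched that way by the server.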
[gitorious] Gitorious & Active Directory (Windows 2008 R2 domain)
Hello,

I've installed Gitorious on a CentOS 6.3 system using the install script last week. I've been trying to get Active Directory authentication to work for the last few days with no luck. I keep getting "Not there yet." with the LDAP test script. We are running Windows 2008 R2 domain controllers in our environment.

When trying to authenticate through the web interface, I have tried the following options below and keep getting the error message "Email and/or password did not match, please try again":

1) DOMAIN\username
2) username by itself
3) username@domain.local

Can someone please tell me what I might be doing wrong here? My authentication.yml file is below:

# Configure authentication by saving this file as authentication.yml. One section
# for each RAILS_ENV, like database.yml
#
# If you just want straight database backed authentication you don't need this
# file at all.
#
#development:
production:
  # Disable database authentication altogether
  disable_default: true
  # Disable OpenID authentication by uncommenting the next line. It's on by default
  enable_openid: false
  # additional methods, an array of hashes
  methods:
    # An adapter is a class that implements an authentication mechanism. You
    # can roll your own, or use one of Gitorious' prepackaged ones.
    # Available implementations are:
    # Gitorious::Authentication::LDAPAuthentication
    # Gitorious::Authentication::Crowd
    # Example of configuring LDAP authentication
    - adapter: Gitorious::Authentication::LDAPAuthentication
      # IP/hostname to LDAP server
      host: dc.domain.local
      # Override the default port (389)
      #port: 1999
      # The base DN to search
      base_dn: DC=domain,DC=local
      # The base DN when searching for groups (for authorization)
      # If unspecified, base_dn is used
      # group_search_dn: OU=groups,dc=gitorious,dc=org
      # What LDAP attribute to use for user authentication. Default is CN
      #login_attribute: uid
      # How to build a user's DN. Default: $LOGIN_ATTRIBUTE={},$BASE_DN,
      # e.g. CN=chris,DC=gitorious,DC=org
      distinguished_name_template: "{}@domain.local"
      # Map LDAP fields to database fields.
      # Default: displayname => fullname, mail => email
      # attribute_mapping:
      #   givenName: fullname
      #   publicEmail: email
      # See Net-LDAP for other options, or use "none" for no encryption.
      # Defaults to "simple_tls" if not set.
      encryption: none
      # A class/object that will be called after successful authentication
      # through LDAP. Will be "constantized", post_authenticate will be called
      # with an options hash. See LdapAuthenticationTest.
      #callback_class: SampleCallback
      # Specify a username/password to use for authenticated bind
      # NOTE: This is required when using LDAP for authorization
      bind_user:
        username: ldap_svc@domain.local
        password: ldap_svc_password
      # When using LDAP authorization: which attribute in a user
      # record specifies groups a user is member of
      # This will depend on your schema/LDAP server implementation
      # but in 9/10 cases, it will be memberof
      #membership_attribute_name: memberof
      # When using LDAP authorization: which attribute in a group
      # record specifies users that are member of the group
      # This will depend on your LDAP schema, but will usually be
      # member or uniquemember
      #members_attribute_name: member
      # To increase performance, Gitorious supports caching the result
      # of group lookups. Enter how many minutes these results should
      # be cached, default is 0 (no caching)
      #cache_expiry: 60
      # End LDAP configuration example
Re: [gitorious] Gitorious+Active Directory
I had the same issue trying AD with Gitorious. Use Active Directory Explorer (or a similar tool for your LDAP server) and compare the path to your user with the path printed by the test_ldap_connection script (if this script is not printing the debugging path then you need to do the update as Marius is pointing out). Change distinguished_name_template in authentication.yml and it should work. Works for me at least ;)

On Monday, December 10, 2012 11:50:17 AM UTC+1, Phuong Doan wrote:
>
> hi Marius,
> I'm in the same situation as the guy above, and I installed gitorious from
> mainline.
> Tried your advice, no luck. My code is up to date already
>
> Best regards
>
> On Tuesday, October 16, 2012 4:00:05 PM UTC+7, Marius Mårnes Mathiesen wrote:
>>
>> On Mon, Oct 15, 2012 at 8:55 PM, DevOps wrote:
>>
>>> Hello Everyone,
>>>
>>> I have read the various LDAP and AD threads regarding this topic,
>>> followed instructions, ensured the latest version is being run, and
>>> re-installed several times using different methods without any success.
>>>
>>> I am trying to integrate gitorious with a Windows 2008 active directory
>>> on Cent6.3 installed via the scripted installer from getgetorious.org.
>>>
>>> Here is my authentication.yml as suggested:
>>> production:
>>>   disable_default: true
>>>   methods:
>>>     - adapter: Gitorious::Authentication::LDAPAuthentication
>>>       host: the.domain.controller
>>>       port: 389
>>>       base_dn: DC=wdtinc,DC=com
>>>       bind_username: administrator@domaincontroller
>>>       bind_password: B1indingP@Sw0rd!
>>>       user_filter:
>>>       username_attribute: sAMAccountName
>>>       encryption: none
>>>       login_attribute: uid
>>>       distinguished_name_template: "CN=Users,DC=thedomain,DC=com"
>>>       attribute_mapping:
>>>         mail: email
>>>
>>> I've also tried various distinguished_name_templates such as: uid={}@
>>> mydomain.com, uid={}. CN={}. $BASE_DN to no avail.
>>>
>>> Here is what the script/test_ldap_connection says:
>>> [root@gitorious app]# export RAILS_ENV=production; bundle exec
>>> script/test_ldap_connection ddu...@thedomain.com *
>>> Not there yet.
>>> script/test_ldap_connection:22: private method `build_username' called
>>> for #
>>> (NoMethodError)
>>>
>>> And whenever I try to login the authentication is simply rejected. I
>>> know my domain settings are correct as other things have been successfully
>>> integrated such as sugarcrm, dokuwiki, nexus, jenkins..
>>>
>>> Please advise and thanks in advance.
>>>
>>
>> Devon,
>> We made some changes in Gitorious' LDAP support quite recently, and the
>> installer will pull a version of Gitorious which doesn't include this.
>> Would you mind trying to check out the master branch on your server and try
>> it from there? The steps involved would be:
>>
>> - cd /var/www/gitorious/app
>> - git pull origin master
>> - bundle install
>> - RAILS_ENV=production bundle exec rake db:migrate
>> - touch tmp/restart.txt
>>
>> Then try again and let us know what happens.
>>
>> Cheers,
>> - Marius
>>
>
Re: [gitorious] Gitorious+Active Directory
hi Marius,
I'm in the same situation as the guy above, and I installed gitorious from mainline.
Tried your advice, no luck. My code is up to date already

Best regards

On Tuesday, October 16, 2012 4:00:05 PM UTC+7, Marius Mårnes Mathiesen wrote:
>
> On Mon, Oct 15, 2012 at 8:55 PM, DevOps wrote:
>
>> Hello Everyone,
>>
>> I have read the various LDAP and AD threads regarding this topic,
>> followed instructions, ensured the latest version is being run, and
>> re-installed several times using different methods without any success.
>>
>> I am trying to integrate gitorious with a Windows 2008 active directory
>> on Cent6.3 installed via the scripted installer from getgetorious.org.
>>
>> Here is my authentication.yml as suggested:
>> production:
>>   disable_default: true
>>   methods:
>>     - adapter: Gitorious::Authentication::LDAPAuthentication
>>       host: the.domain.controller
>>       port: 389
>>       base_dn: DC=wdtinc,DC=com
>>       bind_username: administrator@domaincontroller
>>       bind_password: B1indingP@Sw0rd!
>>       user_filter:
>>       username_attribute: sAMAccountName
>>       encryption: none
>>       login_attribute: uid
>>       distinguished_name_template: "CN=Users,DC=thedomain,DC=com"
>>       attribute_mapping:
>>         mail: email
>>
>> I've also tried various distinguished_name_templates such as: uid={}@
>> mydomain.com, uid={}. CN={}. $BASE_DN to no avail.
>>
>> Here is what the script/test_ldap_connection says:
>> [root@gitorious app]# export RAILS_ENV=production; bundle exec
>> script/test_ldap_connection ddu...@thedomain.com *
>> Not there yet.
>> script/test_ldap_connection:22: private method `build_username' called
>> for #
>> (NoMethodError)
>>
>> And whenever I try to login the authentication is simply rejected. I know
>> my domain settings are correct as other things have been successfully
>> integrated such as sugarcrm, dokuwiki, nexus, jenkins..
>>
>> Please advise and thanks in advance.
>>
>
> Devon,
> We made some changes in Gitorious' LDAP support quite recently, and the
> installer will pull a version of Gitorious which doesn't include this.
> Would you mind trying to check out the master branch on your server and try
> it from there? The steps involved would be:
>
> - cd /var/www/gitorious/app
> - git pull origin master
> - bundle install
> - RAILS_ENV=production bundle exec rake db:migrate
> - touch tmp/restart.txt
>
> Then try again and let us know what happens.
>
> Cheers,
> - Marius
>
Re: [gitorious] Gitorious+Active Directory
On Mon, Oct 15, 2012 at 8:55 PM, DevOps wrote:
> Hello Everyone,
>
> I have read the various LDAP and AD threads regarding this topic, followed
> instructions, ensured the latest version is being run, and re-installed
> several times using different methods without any success.
>
> I am trying to integrate gitorious with a Windows 2008 active directory on
> Cent6.3 installed via the scripted installer from getgetorious.org.
>
> Here is my authentication.yml as suggested:
> production:
>   disable_default: true
>   methods:
>     - adapter: Gitorious::Authentication::LDAPAuthentication
>       host: the.domain.controller
>       port: 389
>       base_dn: DC=wdtinc,DC=com
>       bind_username: administrator@domaincontroller
>       bind_password: B1indingP@Sw0rd!
>       user_filter:
>       username_attribute: sAMAccountName
>       encryption: none
>       login_attribute: uid
>       distinguished_name_template: "CN=Users,DC=thedomain,DC=com"
>       attribute_mapping:
>         mail: email
>
> I've also tried various distinguished_name_templates such as: uid={}@
> mydomain.com, uid={}. CN={}. $BASE_DN to no avail.
>
> Here is what the script/test_ldap_connection says:
> [root@gitorious app]# export RAILS_ENV=production; bundle exec
> script/test_ldap_connection ddun...@thedomain.com *
> Not there yet.
> script/test_ldap_connection:22: private method `build_username' called for
> #
> (NoMethodError)
>
> And whenever I try to login the authentication is simply rejected. I know
> my domain settings are correct as other things have been successfully
> integrated such as sugarcrm, dokuwiki, nexus, jenkins..
>
> Please advise and thanks in advance.
>

Devon,
We made some changes in Gitorious' LDAP support quite recently, and the installer will pull a version of Gitorious which doesn't include this. Would you mind trying to check out the master branch on your server and try it from there? The steps involved would be:

- cd /var/www/gitorious/app
- git pull origin master
- bundle install
- RAILS_ENV=production bundle exec rake db:migrate
- touch tmp/restart.txt

Then try again and let us know what happens.

Cheers,
- Marius
[gitorious] Gitorious+Active Directory
Hello Everyone,

I have read the various LDAP and AD threads regarding this topic, followed instructions, ensured the latest version is being run, and re-installed several times using different methods without any success.

I am trying to integrate gitorious with a Windows 2008 active directory on Cent6.3 installed via the scripted installer from getgetorious.org.

Here is my authentication.yml as suggested:

production:
  disable_default: true
  methods:
    - adapter: Gitorious::Authentication::LDAPAuthentication
      host: the.domain.controller
      port: 389
      base_dn: DC=wdtinc,DC=com
      bind_username: administrator@domaincontroller
      bind_password: B1indingP@Sw0rd!
      user_filter:
      username_attribute: sAMAccountName
      encryption: none
      login_attribute: uid
      distinguished_name_template: "CN=Users,DC=thedomain,DC=com"
      attribute_mapping:
        mail: email

I've also tried various distinguished_name_templates such as: uid={}@mydomain.com, uid={}. CN={}. $BASE_DN to no avail.

Here is what the script/test_ldap_connection says:

[root@gitorious app]# export RAILS_ENV=production; bundle exec script/test_ldap_connection ddun...@thedomain.com *
Not there yet.
script/test_ldap_connection:22: private method `build_username' called for # (NoMethodError)

And whenever I try to login the authentication is simply rejected. I know my domain settings are correct as other things have been successfully integrated such as sugarcrm, dokuwiki, nexus, jenkins..

Please advise and thanks in advance.

-Devon