Here's the configuration

ldap_conn_host=IP Address
ldap_conn_port=389
ldap_conn_secure=false
# Login distinguished name (DN) for Authentication on LDAP Server - keep empty if not required
# Use full qualified LDAP DN
ldap_admin_dn=CN=Firstname Lastname,CN=Users,DC=DOMAIN,DC=com
# Loginpass for Authentication on LDAP Server - keep empty if not required
ldap_passwd=Password
# base to search for userdata (of the user that wants to login)
ldap_search_base=DC=DOMAIN,DC=com
# Fieldnames (can differ between Ldap servers)
ldap_search_query=(sAMAccountName=%s)
# the scope of the search might be: OBJECT, ONELEVEL, SUBTREE
ldap_search_scope=SUBTREE
# Ldap auth type (NONE, SEARCHANDBIND, SIMPLEBIND)
# When using SIMPLEBIND a simple bind is performed on the LDAP server to check user authentication
# When using NONE, the Ldap server is not used for authentication
ldap_auth_type=SEARCHANDBIND
# userDN format, will be used to bind if ldap_auth_type=SIMPLEBIND
# might be used to get provisionningDn in case ldap_auth_type=NONE
ldap_userdn_format=sAMAccountName=%s,DC=DOMAIN,DC=com
# Ldap provisioning type (NONE, AUTOCREATE, AUTOUPDATE)
ldap_provisionning=AUTOCREATE
# Ldap deref mode (never, searching, finding, always)
ldap_deref_mode=always
# Set this to 'true' if you want to use admin_dn to get user attributes
# If any other value is set, user_dn will be used
ldap_use_admin_to_get_attrs=true
# Ldap-password synchronization to OM DB
# Set this to 'true' if you want OM to synchronize the user Ldap-password to OM's internal DB
# If you want to disable the feature, set this to any other string.
# Default value is 'true'
ldap_sync_password_to_om=true
# Ldap user attributes mapping
# Set the following internal OM user attributes to their corresponding Ldap-attribute
ldap_user_attr_lastname=sn
ldap_user_attr_firstname=givenName
ldap_user_attr_mail=mail
ldap_user_attr_street=streetAddress
ldap_user_attr_additionalname=description
ldap_user_attr_fax=facsimileTelephoneNumber
ldap_user_attr_zip=postalCode
ldap_user_attr_country=co
ldap_user_attr_town=l
ldap_user_attr_phone=telephoneNumber
# optional, only absolute URLs make sense
#ldap_user_picture_uri=profile.jpg
# optional
# the timezone has to match any timezone available in Java, otherwise the timezone defined in the value of
# the conf_key "default.timezone" in OpenMeetings "configurations" table
#ldap_user_timezone=timezone
# Ldap ignore upper/lower case, convert all input to lower case
ldap_use_lower_case=false

________________________________
From: Thirumal Karra <[email protected]>
Sent: Wednesday, September 23, 2015 10:31 AM
To: [email protected]
Subject: RE: [HELP NEEDED] LDAP import AD groups

I am 100% sure the password is correct. I tried with multiple users and got the same error.

Best Regards
Thirumal

From: Maxim Solodovnik [mailto:[email protected]]
Sent: Wednesday, September 23, 2015 10:30 AM
To: Openmeetings user-list <[email protected]>
Subject: Re: [HELP NEEDED] LDAP import AD groups

"Invalid password" - I guess something is wrong with the password

On Wed, Sep 23, 2015 at 9:20 PM, Thirumal Karra <[email protected]> wrote:

I am trying to set up LDAP but it didn't work. Please look at the log below

DEBUG 09-23 10:10:58.266 o.a.o.l.LdapLoginManagement:168 [http-nio-0.0.0.0-5080-exec-7] - LdapLoginmanagement.doLdapLogin
WARN 09-23 10:10:58.300 o.a.o.l.LdapLoginManagement:287 [http-nio-0.0.0.0-5080-exec-7] - Referral LDAP entry found, ignore it
WARN 09-23 10:10:58.301 o.a.o.l.LdapLoginManagement:287 [http-nio-0.0.0.0-5080-exec-7] - Referral LDAP entry found, ignore it
WARN 09-23 10:10:58.301 o.a.o.l.LdapLoginManagement:287 [http-nio-0.0.0.0-5080-exec-7] - Referral LDAP entry found, ignore it
ERROR 09-23 10:10:58.301 o.a.o.l.LdapLoginManagement:292 [http-nio-0.0.0.0-5080-exec-7] - NONE users found in LDAP
DEBUG 09-23 10:10:58.303 o.a.w.u.c.CookieUtils:273 [http-nio-0.0.0.0-5080-exec-7] - Unable to find Cookie with name=LoggedIn and request URI=signin?0-1.IBehaviorListener.2-signin
DEBUG 09-23 10:10:58.305 o.a.w.Localizer:378 [http-nio-0.0.0.0-5080-exec-7] - Property found in cache: '336'; Component: 'null'; value: 'Invalid password'
DEBUG 09-23 10:10:58.305 o.a.w.f.FeedbackMessages:69 [http-nio-0.0.0.0-5080-exec-7] - Adding feedback message '[FeedbackMessage message = "Invalid password", reporter = signin, level = ERROR]'
DEBUG 09-23 10:10:58.305 o.a.w.u.c.CookieUtils:273 [http-nio-0.0.0.0-5080-exec-7] - Unable to find Cookie with name=LoggedIn and request URI=signin?0-1.IBehaviorListener.2-signin
DEBUG 09-23 10:10:58.307 o.a.wicket.Page:871 [http-nio-0.0.0.0-5080-exec-7] - ending request for page [Page class = org.apache.openmeetings.web.pages.auth.SignInPage, id = 0, render count = 1], request org.apache.wicket.protocol.http.servlet.ServletWebRequest@3a57191c
DEBUG 09-23 10:10:58.307 o.a.wicket.Page:871 [http-nio-0.0.0.0-5080-exec-7] - ending request for page [Page class = org.apache.openmeetings.web.pages.auth.SignInPage, id = 0, render count = 1], request org.apache.wicket.protocol.http.servlet.ServletWebRequest@3a57191c
DEBUG 09-23 10:10:58.307 o.a.wicket.Page:871 [http-nio-0.0.0.0-5080-exec-7] - ending request for page [Page class = org.apache.openmeetings.web.pages.auth.SignInPage, id = 0, render count = 1], request org.apache.wicket.protocol.http.servlet.ServletWebRequest@3a57191c
DEBUG 09-23 10:10:58.328 o.a.w.p.AsynchronousDataStore$PageSavingRunnable:354 [Wicket-PageSavingThread] - Saving asynchronously: Entry [sessionId=AEA1852D7D73CB3264F353796A510FCE, pageId=0]...
DEBUG 09-23 10:10:58.328 o.a.w.p.DiskDataStore:186 [Wicket-PageSavingThread] - Storing data for page with id '0' in session with id 'AEA1852D7D73CB3264F353796A510FCE'
DEBUG 09-23 10:10:58.329 o.a.w.p.PageAccessSynchronizer:207 [http-nio-0.0.0.0-5080-exec-7] - 'http-nio-0.0.0.0-5080-exec-7' released lock to page with id '0'

Best Regards
Thirumal

From: Maxim Solodovnik [mailto:[email protected]]
Sent: Monday, August 10, 2015 10:24 AM
To: Openmeetings user-list <[email protected]>
Subject: Re: [HELP NEEDED] LDAP import AD groups

this query will return user DN, NOT groups

On Mon, Aug 10, 2015 at 9:10 PM, Wild, Rodney <[email protected]> wrote:

ldap_search_query=(sAMAccountName=%s)

windows Account name according to this.

Rodney Wild | IT Support

From: Maxim Solodovnik [mailto:[email protected]]
Sent: Monday, August 10, 2015 12:52 AM
To: Openmeetings user-list
Subject: Re: [HELP NEEDED] LDAP import AD groups

And what is the AD query to get user groups by UID?

On Mon, Aug 10, 2015 at 12:25 PM, Dominic Prakash <[email protected]> wrote:

This config works for me in M$ AD.

ldap_conn_host=123.456.789.123
ldap_conn_port=389
ldap_conn_secure=false
ldap_admin_dn=CN=ldapuser,OU=Software,OU=Unit-2,DC=sample,DC=co,DC=in
ldap_passwd=passwordhere
ldap_search_base=DC=sample,DC=co,DC=in
ldap_search_query=(sAMAccountName=%s)
ldap_search_scope=SUBTREE
ldap_auth_type=SEARCHANDBIND
ldap_userdn_format=sAMAccountName=%s,DC=sample,DC=co,DC=in
ldap_provisionning=AUTOCREATE
ldap_deref_mode=always
ldap_use_admin_to_get_attrs=true
ldap_sync_password_to_om=true
ldap_user_attr_lastname=sn
ldap_user_attr_firstname=givenName
ldap_user_attr_mail=mail
ldap_user_attr_street=streetAddress
ldap_user_attr_additionalname=description
ldap_user_attr_fax=facsimileTelephoneNumber
ldap_user_attr_zip=postalCode
ldap_user_attr_country=co
ldap_user_attr_town=l
ldap_user_attr_phone=telephoneNumber
ldap_user_picture_uri=profile.jpg
ldap_use_lower_case=false

Best Regards
Dominic

From: Maxim Solodovnik [mailto:[email protected]]
Sent: 05 August 2015 19:52
To: Openmeetings user-list
Subject: Re: [HELP NEEDED] LDAP import AD groups

I need someone who can fix this query for M$ AD :(
Or someone who can give me search-only test access to AD

WBR, Maxim
(from mobile, sorry for the typos)

On Aug 5, 2015 20:18, "Michael Wuttke" <[email protected]> wrote:

Hello Maxim,

sorry, but we use M$ AD and it returns nothing or only errors with this query. ;-(

Greetings,
Michael

On 05.08.2015 at 15:18, Maxim Solodovnik wrote:

Hello Michael,

Thanks for your reply. I need a query to get all groups of a user with some uid. So I get the uid for the user, for ex. "solomax", and I need to get all groups this user is part of.

On my test LDAP server this query:

(&(memberUid=test1)(objectClass=posixGroup))

returns DNs of all groups for the given UID

On Wed, Aug 5, 2015 at 7:11 PM, Michael Wuttke <[email protected]> wrote:

Hello Maxim,

I don't know how to use the ldap_search for your query. But we use owncloud. Here are the LDAP queries we use for owncloud:

the ldap query for users:

(&(|(objectclass=person))
  (|(|(memberof=CN=Owncloud-admins,OU=Groups,DC=mycompany,DC=de)(primaryGroupID=xyz0))
    (|(memberof=CN=Students,OU=Groups,DC=mycompany,DC=de)(primaryGroupID=xyz1))
    (|(memberof=CN=Employee,OU=Global,OU=Groups,DC=mycompany,DC=de)(primaryGroupID=xyz2))
    (|(memberof=CN=Academics,OU=Global,OU=Groups,DC=mycompany,DC=de)(primaryGroupID=xyz3))
  ))

the ldap query for login attributes:

(&(&(|(objectclass=person))
    (|(|(memberof=CN=Owncloud-admins,OU=Groups,DC=mycompany,DC=de)(primaryGroupID=xyz0))
      (|(memberof=CN=Students,OU=Groups,DC=mycompany,DC=de)(primaryGroupID=xyz1))
      (|(memberof=CN=Employee,OU=Global,OU=Groups,DC=mycompany,DC=de)(primaryGroupID=xyz2))
      (|(memberof=CN=Academics,OU=Global,OU=Groups,DC=mycompany,DC=de)(primaryGroupID=xyz03))
    ))
  (|(sAMAccountName=%uid)))

and the ldap query for groups:

(&(|(objectclass=group))(|(cn=Employee)(cn=Students)(cn=Owncloud-admins)(cn=Academics)))

Here are the docs on how to configure ldap auth:
https://doc.owncloud.org/server/8.1/admin_manual/configuration_user/user_auth_ldap.html

and the owncloud code repo of the ldap auth app:
https://github.com/owncloud/core/tree/master/apps/user_ldap

Maybe it helps you?

Thanks & Greetings,
Michael

On 05.08.2015 at 14:29, Maxim Solodovnik wrote:

ups, sorry wrong keyboard :(((

----
Can anyone with access to AD check if this query works in AD, and ??????? ?? ??? ?? ?? ???,
++++
Can anyone with access to AD check if this query works in AD, and correct it for AD if not,

On Wed, Aug 5, 2015 at 6:28 PM, Maxim Solodovnik <[email protected]> wrote:

Hello All,

I'm currently trying to implement https://issues.apache.org/jira/browse/OPENMEETINGS-1214

I was able to find a query to get all groups in LDAP:

The following query seems to be able to list all groups for the user with "uid == test1":

(&(memberUid=test1)(objectClass=posixGroup))

Can anyone with access to AD check if this query works in AD, and ??????? ?? ??? ?? ?? ???,

Thanks in advance!

--
WBR
Maxim aka solomax

--
Many thanks & kind regards,

Michael Wuttke
Learning Management System Administration
Beuth Hochschule Berlin - Hochschulrechenzentrum (University Computing Centre)
Luxemburger Str. 10
13353 Berlin
Tel: +49 (0)30 45 04 2004
Haus Bauwesen; Room: D 225a
E-Mail: [email protected]
News: https://lms.beuth-hochschule.de/rss
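Added example, written for this page and not taken from OpenMeetings or from anyone in the thread: the two group-membership models the thread contrasts, run over a small constructed directory. On a posixGroup server Maxim's filter works in one step because memberUid holds the login name itself. In Active Directory a group's member attribute holds the user's full DN (mirrored in the user's memberOf), which is why Maxim notes that (sAMAccountName=%s) returns a user DN rather than groups: the DN is the input to a second search, (&(objectClass=group)(member=<that DN>)). The block also escapes the value substituted for %s as RFC 4515 requires, since in OpenMeetings that value is whatever was typed into the sign-in form. All entries, DNs, logins and function names below are constructed for the demo. One caveat that Michael's owncloud filters already account for with primaryGroupID: a user's primary group is not listed in member/memberOf, so a member-only search will not return it.

```python
# Added example: AD vs posixGroup group lookup and RFC 4515 filter escaping.
# Not OpenMeetings code; every directory entry, DN and login here is constructed.

from typing import Dict, List

# RFC 4515 section 3: characters that must be escaped inside a filter assertion value
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value so it can only ever be an assertion value, never filter syntax."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(template: str, login: str) -> str:
    """Fill an OpenMeetings-style template such as '(sAMAccountName=%s)' with the
    login typed at the sign-in form, escaped first."""
    return template.replace("%s", escape_filter_value(login))


def build_posix_group_filter(uid: str) -> str:
    """posixGroup model (Maxim's test server): groups list member uids, one step."""
    return f"(&(objectClass=posixGroup)(memberUid={escape_filter_value(uid)}))"


def build_ad_group_filter(user_dn: str) -> str:
    """Active Directory model: groups list member DNs, so the user's DN is needed first."""
    return f"(&(objectClass=group)(member={escape_filter_value(user_dn)}))"


Entry = Dict[str, List[str]]

# Constructed directory with a posix side and an AD side; nothing here is real
DIRECTORY: List[Entry] = [
    {"dn": ["uid=test1,ou=people,dc=example,dc=org"], "objectClass": ["posixAccount"], "uid": ["test1"]},
    {"dn": ["cn=devs,ou=groups,dc=example,dc=org"], "objectClass": ["posixGroup"], "memberUid": ["test1", "test2"]},
    {"dn": ["cn=admins,ou=groups,dc=example,dc=org"], "objectClass": ["posixGroup"], "memberUid": ["test2"]},
    {"dn": ["CN=Jane Doe,CN=Users,DC=sample,DC=com"], "objectClass": ["user"], "sAMAccountName": ["jdoe"]},
    {"dn": ["CN=Students,OU=Groups,DC=sample,DC=com"], "objectClass": ["group"],
     "member": ["CN=Jane Doe,CN=Users,DC=sample,DC=com"]},
    {"dn": ["CN=Employee,OU=Groups,DC=sample,DC=com"], "objectClass": ["group"],
     "member": ["CN=John Roe,CN=Users,DC=sample,DC=com"]},
]


def _has(entry: Entry, attr: str, value: str) -> bool:
    # DNs and these attribute values are matched case-insensitively, as a directory would
    return any(v.lower() == value.lower() for v in entry.get(attr, []))


def posix_groups_for_uid(directory: List[Entry], uid: str) -> List[str]:
    """One-step lookup: every posixGroup whose memberUid contains the uid."""
    return sorted(e["dn"][0] for e in directory
                  if _has(e, "objectClass", "posixGroup") and _has(e, "memberUid", uid))


def ad_groups_for_login(directory: List[Entry], login: str) -> List[str]:
    """Two-step lookup: login -> DN via sAMAccountName, then groups whose member holds that DN."""
    users = [e for e in directory if _has(e, "sAMAccountName", login)]
    if len(users) != 1:
        # zero hits corresponds to the "NONE users found in LDAP" line in the thread's log
        return []
    user_dn = users[0]["dn"][0]
    return sorted(e["dn"][0] for e in directory
                  if _has(e, "objectClass", "group") and _has(e, "member", user_dn))


if __name__ == "__main__":
    print(build_user_filter("(sAMAccountName=%s)", "jdoe"))
    print(build_user_filter("(sAMAccountName=%s)", "j*doe)"))  # special characters escaped
    print(build_posix_group_filter("test1"), posix_groups_for_uid(DIRECTORY, "test1"))
    print(build_ad_group_filter("CN=Jane Doe,CN=Users,DC=sample,DC=com"))
    print(ad_groups_for_login(DIRECTORY, "jdoe"))
```

The filter builders return exactly the strings you would hand to ldapsearch against a real server; the lookup functions only simulate what those two filters select, so the point of the contrast is visible offline: the posix query needs the uid alone, the AD query needs the DN that the sAMAccountName search produced.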
