Orm, I had the same issues with LDAP. It took a long time to figure it out.
A very good hint was from Maxim to switch debug logging on. With that it was much easier. So probably it's good to add this to your documentation. Somehow the LDAP config is related to how user accounts are set up in a corporation, so it needs some understanding of this LDAP config.

To make logging more verbose you can
1) stop OM
2) add the following line to logback-config.xml
   <logger name="org.apache.directory" level="DEBUG" />
3) restart OM

Here is my config; I marked changes with ##########

#LDAP URL
# This is the URL used to access your LDAP server.
# if you want to use "ldaps://" links, please be aware that you need to import your CA certificate
# to a java keystore and add the -Djavax.net.ssl.keyStore, -Djavax.net.ssl.keyStorePassword,
# -Djavax.net.ssl.trustStore and -Djavax.net.ssl.trustStorePassword parameters to your
# JAVA_OPT environment
ldap_conn_host=DomainController.mydomain.de ##########
ldap_conn_port=389
ldap_conn_secure=false

# Login distinguished name (DN) for Authentication on LDAP Server - keep empty if not required
# Use full qualified LDAP DN
ldap_admin_dn=CN=ldapopenmeetings,OU=Users-Service-Accounts,DC=mydomain,DC=de ##########

# Loginpass for Authentication on LDAP Server - keep empty if not required
ldap_passwd=#mypassword# ##########

# base to search for userdata(of user, that wants to login)
ldap_search_base=DC=mydomain,DC=de ##########

# Fieldnames (can differ between Ldap servers)
# ldap_search_query=(uid=%s)
ldap_search_query=(userPrincipalName=%s) ##########

# the scope of the search might be: OBJECT, ONELEVEL, SUBTREE
ldap_search_scope=SUBTREE ##########

# Ldap auth type(NONE, SEARCHANDBIND, SIMPLEBIND)
# When using SIMPLEBIND a simple bind is performed on the LDAP server to check user authentication
# When using NONE, the Ldap server is not used for authentication
ldap_auth_type=SEARCHANDBIND ##########

# userDN format, will be used to bind if ldap_auth_type=SIMPLEBIND
# might be used to get provisionningDn in case ldap_auth_type=NONE
# ldap_userdn_format=uid=%s,CN=Users,DC=mydomain,DC=de
ldap_userdn_format=userPrincipalName=%s,CN=Users,DC=mydomain,DC=de ##########

# Ldap provisioning type(NONE, AUTOCREATE, AUTOUPDATE)
ldap_provisionning=AUTOCREATE ##########

# Ldap deref mode (never, searching, finding, always)
ldap_deref_mode=always

# Set this to 'true' if you want to use admin_dn to get user attributes
# If any other value is set, user_dn will be used
ldap_use_admin_to_get_attrs=true

# Ldap-password synchronization to OM DB
# Set this to 'true' if you want OM to synchronize the user Ldap-password to OM's internal DB
# If you want to disable the feature, set this to any other string.
# Default value is 'true'
ldap_sync_password_to_om=true ##########

# Ldap group mode (NONE, ATTRIBUTE, QUERY)
# NONE means group associations will be ignored
# ATTRIBUTE means group associations will be taken from 'ldap_group_attr' attribute (M$ AD mode)
# QUERY means group associations will be taken as a result of 'ldap_group_query' query
ldap_group_mode=NONE
ldap_group_query=(&(memberUid=%s)(objectClass=posixGroup))

# Ldap user attributes mapping
# Set the following internal OM user attributes to their corresponding Ldap-attribute
ldap_user_attr_login=sAMAccountName ##########
ldap_user_attr_lastname=sn
ldap_user_attr_firstname=givenName
ldap_user_attr_mail=mail
ldap_user_attr_street=streetAddress
ldap_user_attr_additionalname=description
ldap_user_attr_fax=facsimileTelephoneNumber
ldap_user_attr_zip=postalCode
ldap_user_attr_country=co
ldap_user_attr_town=l
ldap_user_attr_phone=telephoneNumber

# optional attribute for user picture
#ldap_user_attr_picture=
ldap_group_attr=memberOf

# optional, absolute URL will be used as user picture if #ldap_user_attr_picture will be empty
#ldap_user_picture_uri=picture_uri

# optional
# the timezone has to match any timezone available in Java, otherwise the timezone defined in the value of
# the conf_key "default.timezone" in OpenMeetings "configurations" table
#ldap_user_timezone=timezone

# Ldap ignore upper/lower case, convert all input to lower case
ldap_use_lower_case=false

# Ldap import query, this query should retrieve all LDAP users
ldap_import_query=(objectClass=inetOrgPerson)

From: Maxim Solodovnik [mailto:solomax...@gmail.com]
Sent: Monday, 13 April 2020 05:53
To: Openmeetings user-list <user@openmeetings.apache.org>
Subject: Re: LDAP config Manual, 1st draft

Hello Orm,

On Mon, 13 Apr 2020 at 03:20, Orm Finnendahl <orm.finnend...@selma.hfmdk-frankfurt.de> wrote:

Hi,

I made a draft of a LDAP config howto and uploaded it here for review:

https://selma.hfmdk-frankfurt.de/howtos/OM-ldap-howto.html

I hope it's not too verbose, but since I had problems figuring out the ldap config in OM from the docs found online I tried to write up something in a way that even somebody like me with little ldap experience and knowledge would've understood without having to ask this mailing list and spend a lot of time trying to figure it out.

I already forked the OM github repo and can issue a pull request, but I'm unsure about the preferred format of the document (XML, MD, pdf?). Please let me know what you'd prefer. The original is in org format but I can provide any format.

I love PRs :)))
The current version is here https://github.com/apache/openmeetings/blob/master/openmeetings-server/src/site/xdoc/LdapAndADS.xml
Please create LdapAndADS.md in https://github.com/apache/openmeetings/tree/master/openmeetings-server/src/site/markdown
Feel free to re-use any part of original instructions :)
We can discuss contents during PR review :))

As I read about the manual draft for OM 5 on this mailing list, feel free to incorporate this in case it isn't already present or needs improvement. I'd be willing to do it myself if you find it useful and someone provides access for me to the current state.

User Manual is here https://cwiki.apache.org/confluence/display/OPENMEETINGS/OpenMeetings+5+Manual
Please tell me your Confluence ID and I'll grant you permissions (not sure how those binary files can be edited :((( )

--
Orm

--
Best regards,
Maxim
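
A small review aid for the security-relevant settings in a config like the one posted above, as an added example that is not part of the original thread or of OpenMeetings itself. It assumes the key meanings given in the config's own comments, that a trailing ########## is the poster's change marker, and that AUTOCREATE creates an OM account for any directory user who can log in; `parse_cfg` and `audit` are hypothetical names.

```python
import re

# Constructed sample: the security-relevant keys from the config posted above,
# with the poster's trailing "##########" change markers left in place.
POSTED = """\
ldap_conn_host=DomainController.mydomain.de ##########
ldap_conn_port=389
ldap_conn_secure=false
ldap_admin_dn=CN=ldapopenmeetings,OU=Users-Service-Accounts,DC=mydomain,DC=de ##########
ldap_passwd=#mypassword# ##########
ldap_search_base=DC=mydomain,DC=de ##########
ldap_search_scope=SUBTREE ##########
ldap_auth_type=SEARCHANDBIND ##########
ldap_provisionning=AUTOCREATE ##########
ldap_sync_password_to_om=true ##########
"""

def parse_cfg(text):
    """Parse key=value lines; skip comments and drop trailing change markers."""
    cfg = {}
    for raw in text.splitlines():
        line = re.sub(r"\s+#{5,}\s*$", "", raw).strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        cfg[key.strip()] = value.strip()
    return cfg

def audit(cfg):
    """Return (key, finding) pairs for settings a reviewer should look at."""
    findings = []
    secure = cfg.get("ldap_conn_secure", "").lower() == "true"
    binds = cfg.get("ldap_auth_type", "NONE").upper() in ("SEARCHANDBIND", "SIMPLEBIND")
    if not secure and binds:
        findings.append(("ldap_conn_secure", "bind passwords are sent unencrypted; use ldaps:// with a truststore"))
    if cfg.get("ldap_sync_password_to_om", "true").lower() == "true":  # page: default is 'true'
        findings.append(("ldap_sync_password_to_om", "LDAP passwords are synchronized to OM's internal DB"))
    base = cfg.get("ldap_search_base", "")
    root_only = bool(base) and all(p.strip().upper().startswith("DC=") for p in base.split(","))
    # Assumption: provisioning creates an OM user for any account found under the base.
    if (cfg.get("ldap_provisionning", "NONE").upper() != "NONE" and root_only
            and cfg.get("ldap_search_scope", "").upper() == "SUBTREE"):
        findings.append(("ldap_search_base", "whole domain is in scope for provisioning; narrow the base to an OU"))
    return findings

if __name__ == "__main__":
    for key, finding in audit(parse_cfg(POSTED)):
        print(f"{key}: {finding}")
```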