Hi Gerald, thanks, I'll incorporate your suggestions into the HOWTO before submitting the pull request. Are the verbose debug logs also written to "catalina.out"?
-- 
Orm

On Monday, 13 April 2020 at 09:20:26 (+0000), Rohrbach, Gerald wrote:
> Orm,
>
> I had the same issues with LDAP. It took a long time to figure it out.
>
> A very good hint was from Maxim to switch debug logging on.
> With that it was much easier. So probably it's good to add this to your
> documentation.
> Somehow the LDAP config is related to how user accounts are set up in a
> corporation; that needs some understanding of this LDAP config.
>
> To make logging more verbose you can
> 1) stop OM
> 2) add the following line to logback-config.xml
>    <logger name="org.apache.directory" level="DEBUG" />
> 3) restart OM
>
> Here is my config; I marked changes with ##########
>
>
> #LDAP URL
> # This is the URL used to access your LDAP server.
> # if you want to use "ldaps://" links, please be aware that you need to
> # import your CA certificate to a java keystore and add the
> # -Djavax.net.ssl.keyStore, -Djavax.net.ssl.keyStorePassword,
> # -Djavax.net.ssl.trustStore and -Djavax.net.ssl.trustStorePassword
> # parameters to your JAVA_OPT environment
> ldap_conn_host=DomainController.mydomain.de ##########
>
> ldap_conn_port=389
> ldap_conn_secure=false
>
> # Login distinguished name (DN) for Authentication on LDAP Server - keep
> # empty if not required
> # Use fully qualified LDAP DN
> ldap_admin_dn=CN=ldapopenmeetings,OU=Users-Service-Accounts,DC=mydomain,DC=de
> ##########
>
> # Loginpass for Authentication on LDAP Server - keep empty if not required
> ldap_passwd=#mypassword#
> ##########
>
> # base to search for userdata (of the user that wants to log in)
> ldap_search_base=DC=mydomain,DC=de
> ##########
>
> # Fieldnames (can differ between Ldap servers)
> # ldap_search_query=(uid=%s)
> ldap_search_query=(userPrincipalName=%s)
> ##########
>
>
> # the scope of the search might be: OBJECT, ONELEVEL, SUBTREE
> ldap_search_scope=SUBTREE
> ##########
>
>
> # Ldap auth type (NONE, SEARCHANDBIND, SIMPLEBIND)
> # When using SIMPLEBIND a simple bind is performed on the LDAP server to
> # check user authentication
> # When using NONE, the Ldap server is not used for authentication
> ldap_auth_type=SEARCHANDBIND
> ##########
>
>
> # userDN format, will be used to bind if ldap_auth_type=SIMPLEBIND
> # might be used to get provisionningDn in case ldap_auth_type=NONE
> # ldap_userdn_format=uid=%s,CN=Users,DC=mydomain,DC=de
> ldap_userdn_format=userPrincipalName=%s,CN=Users,DC=mydomain,DC=de
> ##########
>
>
> # Ldap provisioning type (NONE, AUTOCREATE, AUTOUPDATE)
> ldap_provisionning=AUTOCREATE
> ##########
>
>
> # Ldap deref mode (never, searching, finding, always)
> ldap_deref_mode=always
>
> # Set this to 'true' if you want to use admin_dn to get user attributes
> # If any other value is set, user_dn will be used
> ldap_use_admin_to_get_attrs=true
>
> # Ldap-password synchronization to OM DB
> # Set this to 'true' if you want OM to synchronize the user Ldap-password
> # to OM's internal DB
> # If you want to disable the feature, set this to any other string.
> # Default value is 'true'
> ldap_sync_password_to_om=true
> ##########
>
>
> # Ldap group mode (NONE, ATTRIBUTE, QUERY)
> # NONE means group associations will be ignored
> # ATTRIBUTE means group associations will be taken from 'ldap_group_attr'
> # attribute (M$ AD mode)
> # QUERY means group associations will be taken as a result of
> # 'ldap_group_query' query
> ldap_group_mode=NONE
>
> ldap_group_query=(&(memberUid=%s)(objectClass=posixGroup))
>
> # Ldap user attributes mapping
> # Set the following internal OM user attributes to their corresponding
> # Ldap-attribute
> ldap_user_attr_login=sAMAccountName
> ##########
> ldap_user_attr_lastname=sn
> ldap_user_attr_firstname=givenName
> ldap_user_attr_mail=mail
> ldap_user_attr_street=streetAddress
> ldap_user_attr_additionalname=description
> ldap_user_attr_fax=facsimileTelephoneNumber
> ldap_user_attr_zip=postalCode
> ldap_user_attr_country=co
> ldap_user_attr_town=l
> ldap_user_attr_phone=telephoneNumber
> # optional attribute for user picture
> #ldap_user_attr_picture=
> ldap_group_attr=memberOf
>
> # optional, absolute URL will be used as user picture if
> # ldap_user_attr_picture is empty
> #ldap_user_picture_uri=picture_uri
>
> # optional
> # the timezone has to match any timezone available in Java, otherwise the
> # timezone defined in the value of the conf_key "default.timezone" in the
> # OpenMeetings "configurations" table is used
> #ldap_user_timezone=timezone
>
> # Ldap ignore upper/lower case, convert all input to lower case
> ldap_use_lower_case=false
>
> # Ldap import query, this query should retrieve all LDAP users
> ldap_import_query=(objectClass=inetOrgPerson)
>
>
> From: Maxim Solodovnik [mailto:[email protected]]
> Sent: Monday, 13 April 2020 05:53
> To: Openmeetings user-list <[email protected]>
> Subject: Re: LDAP config Manual, 1st draft
>
> Hello Orm,
>
> On Mon, 13 Apr 2020 at 03:20, Orm Finnendahl <[email protected]> wrote:
>> Hi,
>>
>> I made a draft of an LDAP config howto and uploaded it here for
>> review:
>>
>> https://selma.hfmdk-frankfurt.de/howtos/OM-ldap-howto.html
>>
>> I hope it's not too verbose, but since I had problems figuring out the
>> ldap config in OM from the docs found online I tried to write up
>> something in a way that even somebody like me with little ldap
>> experience and knowledge would've understood without having to ask
>> this mailing list and spend a lot of time trying to figure it out.
>>
>> I already forked the OM github repo and can issue a pull request, but
>> I'm unsure about the preferred format of the document (XML, MD,
>> pdf?). Please let me know what you'd prefer. The original is in org
>> format but I can provide any format.
>
> I love PRs :)))
> The current version is here
> https://github.com/apache/openmeetings/blob/master/openmeetings-server/src/site/xdoc/LdapAndADS.xml
> Please create LdapAndADS.md in
> https://github.com/apache/openmeetings/tree/master/openmeetings-server/src/site/markdown
> Feel free to re-use any part of the original instructions :)
> We can discuss contents during PR review :))
>
>> As I read about the manual draft for OM 5 on this mailing list, feel
>> free to incorporate this in case it isn't already present or needs
>> improvement. I'd be willing to do it myself if you find it useful and
>> someone provides access for me to the current state.
>
> User Manual is here
> https://cwiki.apache.org/confluence/display/OPENMEETINGS/OpenMeetings+5+Manual
> Please tell me your Confluence ID and I'll grant you permissions
> (not sure how those binary files can be edited :((( )
>
>> --
>> Orm
>
> --
> Best regards,
> Maxim
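Two things in Gerald's config deserve a closer look before it goes into a HOWTO: the `%s` in `ldap_search_query` is filled with whatever the user types at the login prompt, and `ldap_passwd` is a service-account secret sent over `ldap_conn_secure=false` on port 389. The block below is an added example written for this page; it is not OpenMeetings code and is not from anyone in the thread. It parses a trimmed copy of the posted properties (constructed sample), shows what a SEARCHANDBIND filter looks like once the login name is escaped per RFC 4515 (so a login such as `*)(objectClass=*` cannot rewrite the filter), and lists the review findings a security engineer would raise. Whether OpenMeetings itself escapes the login this way is not asserted here; the `org.apache.directory` DEBUG output Gerald recommends is the place to compare the filter that is actually sent.

```python
"""Review helper for an OpenMeetings-style LDAP config (added example).

Not part of OpenMeetings. Parses key=value properties, builds the
SEARCHANDBIND filter for a login with RFC 4515 escaping, and flags
settings a reviewer would question. How OM itself escapes the login
is an assumption to verify against the DEBUG log, not asserted here.
"""
from __future__ import annotations

# Constructed sample, trimmed from the config posted in the thread.
SAMPLE_CONFIG = """
ldap_conn_host=DomainController.mydomain.de
ldap_conn_port=389
ldap_conn_secure=false
ldap_admin_dn=CN=ldapopenmeetings,OU=Users-Service-Accounts,DC=mydomain,DC=de
ldap_passwd=#mypassword#
ldap_search_base=DC=mydomain,DC=de
# ldap_search_query=(uid=%s)
ldap_search_query=(userPrincipalName=%s)
ldap_search_scope=SUBTREE
ldap_auth_type=SEARCHANDBIND
ldap_user_attr_login=sAMAccountName
"""

# RFC 4515 section 3: these characters must appear as \XX inside a filter value.
_FILTER_ESCAPES = {
    "\\": "\\5c",
    "*": "\\2a",
    "(": "\\28",
    ")": "\\29",
    "\x00": "\\00",
}


def parse_properties(text: str) -> dict[str, str]:
    """Parse Java-style key=value lines; blank lines and '#' comments are skipped."""
    props: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")  # split on the first '=' only
        if sep:
            props[key.strip()] = value.strip()
    return props


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied string so it is a literal value inside an LDAP filter."""
    out = []
    for ch in value:
        if ch in _FILTER_ESCAPES:
            out.append(_FILTER_ESCAPES[ch])
        elif ord(ch) < 0x20 or ord(ch) > 0x7E:
            # Control and non-ASCII characters go out as escaped UTF-8 octets.
            out.extend(f"\\{b:02x}" for b in ch.encode("utf-8"))
        else:
            out.append(ch)
    return "".join(out)


def build_search_filter(template: str, login: str) -> str:
    """Fill the single %s of ldap_search_query with the escaped login name."""
    if template.count("%s") != 1:
        raise ValueError("ldap_search_query must contain exactly one %s")
    return template.replace("%s", escape_filter_value(login))


def review_config(props: dict[str, str]) -> list[str]:
    """Return the findings a security reviewer would raise for these settings."""
    findings = []
    secure = props.get("ldap_conn_secure", "false").lower() == "true"
    if props.get("ldap_passwd") and not secure:
        findings.append(
            "ldap_passwd is set while ldap_conn_secure=false: the service-account "
            "bind goes over the network unencrypted; use ldaps:// and a trust store"
        )
    if props.get("ldap_auth_type") == "SEARCHANDBIND" and not props.get("ldap_admin_dn"):
        findings.append("SEARCHANDBIND needs ldap_admin_dn to perform the search")
    if "%s" not in props.get("ldap_search_query", ""):
        findings.append("ldap_search_query has no %s placeholder; every login matches the same entry")
    return findings


if __name__ == "__main__":
    cfg = parse_properties(SAMPLE_CONFIG)
    print(build_search_filter(cfg["ldap_search_query"], "alice@mydomain.de"))
    # A hostile login name stays a literal value instead of altering the filter.
    print(build_search_filter(cfg["ldap_search_query"], "*)(objectClass=*"))
    for finding in review_config(cfg):
        print("REVIEW:", finding)
```

Run it as-is to see the escaped filter for the two sample logins and the single finding the posted config triggers (the cleartext service-account bind). The `ldap_userdn_format` line in Gerald's config is not checked because, as the config comment says, it is only used for SIMPLEBIND, which he does not use.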
