Thanks Guys,

Confirmed on the DC that

'sAMAccountName=%s,OU=Users,OU=London,OU=UK,OU=Company,DC=domain,DC=local'

= "sAMAccountName=stephen.cottham,OU=Users,OU=London,OU=UK,OU=Company,DC=domain,DC=local"

(however the DN in AD is Stephen Cottham, with a space).

Changed to SEARCHANDBIND; I can put in the wrong adm password and see it throws an exception, so we know the ADM account and password are correct.

So now when I do a logon attempt I get:

DEBUG 04-15 13:51:54.681 o.a.o.c.l.LdapLoginManager:172 [nio-5443-exec-6] - LdapLoginmanager.doLdapLogin
WARN 04-15 13:51:54.710 o.a.o.c.l.LdapLoginManager:264 [nio-5443-exec-6] - Referral LDAP entry found, ignore it
WARN 04-15 13:51:54.711 o.a.o.c.l.LdapLoginManager:264 [nio-5443-exec-6] - Referral LDAP entry found, ignore it
WARN 04-15 13:51:54.711 o.a.o.c.l.LdapLoginManager:264 [nio-5443-exec-6] - Referral LDAP entry found, ignore it
ERROR 04-15 13:51:54.711 o.a.o.c.l.LdapLoginManager:269 [nio-5443-exec-6] - NONE users found in LDAP

I thought changing ldap_deref_mode=always should make it follow, but it still says ignore? Could this be related?

Changing the log level now and trying again.

Thanks!

Best regards
Stephen

From: Maxim Solodovnik <[email protected]>
Sent: 15 April 2020 14:49
To: Openmeetings user-list <[email protected]>
Subject: [Possible Untrusted Sender] Re: Ldap with Microsoft Active Directory

On Wed, 15 Apr 2020 at 20:12, Stephen COTTHAM <[email protected]> wrote:

Thanks Gerald,

I've tried as suggested by using SAM and the UPN, and even tried injecting the domain portion after the @ with the domain and email namespace; both result in "No users was found:".

Looking at the logs as they are we see this:

DEBUG 04-15 12:51:52.393 o.a.o.d.d.u.UserDao:626 [nio-5443-exec-7] - No users was found: stephen.cottham
DEBUG 04-15 12:51:52.393 o.a.o.c.l.LdapLoginManager:201 [nio-5443-exec-7] - getByLogin:: authenticated ? false, login = 'stephen.cottham', domain = 1, user = null
ERROR 04-15 12:51:52.394 o.a.o.c.l.LdapLoginManager:338 [nio-5443-exec-7] - LDAP entry is null, search or lookup by Dn failed

According to your config you have

ldap_userdn_format='sAMAccountName=%s,OU=Users,OU=London,OU=UK,OU=Company,DC=domain,DC=local'

According to the log, login is `stephen.cottham`, so OM tries to authenticate using

"sAMAccountName=stephen.cottham,OU=Users,OU=London,OU=UK,OU=Company,DC=domain,DC=local"

and is unable to find such a DN. Can you confirm LDAP explorer is able to find such a user?

The last line, is it saying the variable is NULL as it returned no results from the bind, OR is it saying the initial bind was not successful and therefore the variable is null? (This distinguishes whether it's the DN of the lookup user vs. getting the expected format correct.)

Sorry, I think I missed the debug option; can you please relink that here and I'll see what else I can find out.

Also to confirm, the config file is escaping out the spaces? For example:

ldap_admin_dn='CN=Adm some user with spaces,OU=London,OU=Administrative Users,OU=RBG,OU=Rights Delegation,DC=domain,DC=local'

Assume we don't need to put the ' ' after the ='CN…? (Just ruling this out as a cause.)

Best regards
Stephen

From: Rohrbach, Gerald <[email protected]>
Sent: 15 April 2020 13:41
To: [email protected]
Subject: AW: Ldap with Microsoft Active Directory

Stephen,

it depends on your AD and how users log in. For us this worked:

ldap_search_query=(userPrincipalName=%s)

Go into AD, pick one user account, Properties, Attribute Editor. This shows all. (Probably under View you need to switch on Advanced Features!)

Gerald

From: Stephen COTTHAM [mailto:[email protected]]
Sent: Wednesday, 15 April 2020 14:22
To: [email protected]
Subject: Ldap with Microsoft Active Directory

Hey Guys,

I am in the same situation as Mathias's LDAP issue below.

My Config:

ldap_conn_host=DC
ldap_conn_port=389
ldap_conn_secure=false
ldap_admin_dn='CN=Adm some user,OU=London,OU=Administrative Users,OU=RBG,OU=Rights Delegation,DC=domain,DC=local'
ldap_passwd='******'
ldap_search_base='OU=Company,DC=domain,DC=local'
ldap_search_query=(sAMAccountName=%s)
ldap_search_scope=ONELEVEL
ldap_auth_type=SIMPLEBIND
ldap_userdn_format='sAMAccountName=%s,OU=Users,OU=London,OU=UK,OU=Company,DC=domain,DC=local'
ldap_provisionning=AUTOCREATE
ldap_deref_mode=always
ldap_use_admin_to_get_attrs=true
ldap_sync_password_to_om=true
ldap_group_mode=NONE
ldap_group_query=(&(memberUid=%s)(objectClass=posixGroup))
ldap_user_attr_login=sAMAccountName
ldap_user_attr_lastname=sn
ldap_user_attr_firstname=givenName
ldap_user_attr_mail=mail
ldap_user_attr_street=streetAddress
ldap_user_attr_additionalname=description
ldap_user_attr_fax=facsimileTelephoneNumber
ldap_user_attr_zip=postalCode
ldap_user_attr_country=co
ldap_user_attr_town=l
ldap_user_attr_phone=telephoneNumber
ldap_group_attr=memberOf
ldap_use_lower_case=false
ldap_import_query=(objectClass=inetOrgPerson)

Always returns: No users was found:

Checked with ldapsearch and I can retrieve them fine; other systems that use LDAP from Linux, such as Apache Guacamole and Nextcloud, both have working AD integration using the same values I set there.

Is there a way to get better debug logs from OpenMeetings about what it is sending to the DC? The initial bind status, error code from the DC, etc. I remember in old versions of OM we could run it in debug mode to stdout?

Otherwise, is there anything obvious I'm missing here?

Best regards
Stephen

From: Mathias Kocks <[email protected]>
Sent: 15 April 2020 13:06
To: [email protected]
Subject: [Possible Untrusted Sender] Can not use LDAP-Sync with Microsoft Active Directory

Hello,

I am new to this project and I have a problem with the LDAP sync. I cannot even find any good documentation...

My problem is that slapd does not find any user in my AD. I am not even sure if it is searching for real. I found some example configs in the mailing list archive, but they do not work for me. I found this one:

#LDAP URL
ldap_conn_host=LDAP_server.Company.com
ldap_conn_port=636
ldap_conn_secure=true
# Login distinguished name (DN) for Authentication on LDAP Server
# Use full qualified LDAP DN
ldap_admin_dn=CN=ldapauth,OU=Users,DC=Company,DC=com
# Loginpass for Authentication on LDAP Server
ldap_passwd=ldapauthpasswd
# base to search for userdata(of user, that wants to login)
ldap_search_base=OU=Users,DC=Company,DC=com
#ldap_search_base=DC=Company,DC=com
# Fieldnames (can differ between Ldap servers)
ldap_search_query=(&(objectCategory=person)(objectClass=person)(sAMAccountName=%1$s))
#ldap_search_query=(sAMAccountName=%s)
#ldap_search_query=(CN=%s)
# the scope of the search might be: OBJECT, ONELEVEL, SUBTREE
ldap_search_scope=SUBTREE
# Ldap auth type(NONE, SEARCHANDBIND, SIMPLEBIND)
ldap_auth_type=SEARCHANDBIND
# userDN format, will be used to bind if ldap_auth_type=SIMPLEBIND
ldap_userdn_format=sAMAccountName=%s,OU=Users,DC=beuth-hochschule.de,DC=com
#ldap_userdn_format=sAMAccountName=%s,DC=Company,DC=com
#ldap_userdn_format=CN=%s,OU=Users,DC=Company,DC=com
#ldap_userdn_format=CN=%s,DC=Company,DC=com
# Ldap-password synchronization to OM DB
ldap_sync_password_to_om=false
# Ldap user attributes mapping
# Set the following internal OM user attributes to their corresponding Ldap-attribute
ldap_user_attr_lastname=sn

But even after I changed it to my AD and tried several changes, no users were found.

My actual config:

ldap_server_type=AD
ldap_conn_host=dc2.labmed.de
ldap_conn_port=389
ldap_conn_secure=false
ldap_admin_dn=CN=Administrator,CN=Users,DC=labmed,DC=de
ldap_passwd=SuperSecretPassword
ldap_search_base=OU=labmed,DC=labmed,DC=de
#ldap_search_query=(&(objectCategory=*)(objectClass=*)(sAMAccountName=%s))
ldap_search_query=(sAMAccountName=%s)
ldap_search_scope= SUBTREE
ldap_auth_type=SEARCHANDBIND
ldap_deref_mode=never
ldap_userdn_format=sAMAccountName=%s,DC=labmed,DC=de
ldap_provisionning=NONE
ldap_use_admin_to_get_attrs=true
ldap_sync_password_to_om=false
ldap_sync_attr_lastname=sn
ldap_user_attr_firstname=givenName
ldap_user_attr_mail=mail
ldap_user_attr_street=streetAddress
ldap_user_attr_additionalname=description
ldap_user_attr_fax=facsimileTelephoneNumber
ldap_user_attr_zip=postalCode
ldap_user_attr_country=co
ldap_user_attr_town=l
ldap_user_attr_phone=telephoneNumber
ldap_use_lower_case=false

It is the second day by now where I am bursting with happiness....

Kind regards

Mathias Kocks
Team Lead IT Infrastructure
Certified Information Security Officer ISO 27001 (TÜV Süd)

Überörtliche Berufsausübungsgemeinschaft
Medizinisches Versorgungszentrum Dr. Eberhard & Partner Dortmund
MVZ-Haus 3: Balkenstr. 12-14
44137 Dortmund, Germany
Tel.: +49 231 9572 7158
Fax.: +49 231 9572 18 159
E-Mail: [email protected]
Web: https://www.labmed.de

--
Best regards,
Maxim
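The thread turns on two AD mismatches in Stephen's settings: a SIMPLEBIND user DN whose leading RDN is sAMAccountName (AD names user entries CN=<display name>) and a ONELEVEL search over OUs nested below the search base, plus the side points about cleartext LDAP and ldap_deref_mode not being referral chasing. The small Python linter below is an added example, not code from the thread or from OpenMeetings; its input is constructed from the values Stephen quoted, and its checks are the editor's reading of the discussion, not OpenMeetings' own validation.

```python
import re

# Constructed sample: the settings Stephen quoted in the thread (password omitted).
BROKEN = """
ldap_conn_secure=false
ldap_search_base='OU=Company,DC=domain,DC=local'
ldap_search_scope=ONELEVEL
ldap_auth_type=SIMPLEBIND
ldap_userdn_format='sAMAccountName=%s,OU=Users,OU=London,OU=UK,OU=Company,DC=domain,DC=local'
ldap_deref_mode=always
ldap_import_query=(objectClass=inetOrgPerson)
"""

def parse_config(text):
    """key=value lines; '#' comments skipped; the single quotes seen around DNs stripped."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            cfg[key.strip()] = value.strip().strip("'")
    return cfg

def split_dn(dn):
    """Split a DN into lower-cased RDNs, leaving backslash-escaped commas (RFC 4514) alone."""
    return [r.strip().lower() for r in re.split(r"(?<!\\),", dn) if r.strip()]

def lint_ad_config(cfg):
    """Return (code, message) pairs for the AD pitfalls visible in the thread."""
    out = []
    rdns = split_dn(cfg.get("ldap_userdn_format", ""))
    base = split_dn(cfg.get("ldap_search_base", ""))
    # AD names user entries CN=<display name>, so a sAMAccountName= RDN never binds.
    if cfg.get("ldap_auth_type") == "SIMPLEBIND" and rdns and rdns[0].startswith("samaccountname="):
        out.append(("RDN", "user DN RDN is sAMAccountName=, AD uses CN=; prefer SEARCHANDBIND"))
    # ONELEVEL only sees direct children of the base; users in nested OUs need SUBTREE.
    if (cfg.get("ldap_search_scope") == "ONELEVEL" and base
            and rdns[-len(base):] == base and len(rdns) > len(base) + 1):
        out.append(("SCOPE", "users sit in OUs below the base; set ldap_search_scope=SUBTREE"))
    # Plain LDAP carries the admin bind and every user's password in cleartext.
    if cfg.get("ldap_conn_secure", "false").lower() != "true":
        out.append(("TLS", "ldap_conn_secure=false; use LDAPS (ldap_conn_secure=true, port 636)"))
    # Deref mode governs alias dereferencing, not the referrals OM logs as ignored.
    if cfg.get("ldap_deref_mode", "").lower() == "always":
        out.append(("DEREF", "deref_mode=always dereferences aliases only; it will not follow referrals"))
    # Accounts created in AD are objectClass=user; inetOrgPerson matches nothing by default.
    if "inetorgperson" in cfg.get("ldap_import_query", "").lower():
        out.append(("IMPORT", "ldap_import_query targets inetOrgPerson; AD users are objectClass=user"))
    return out
```

Running lint_ad_config(parse_config(BROKEN)) yields one finding per check; the same function returns an empty list once the scope is SUBTREE, auth is SEARCHANDBIND, LDAPS is on and the import query targets objectClass=user.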
