Great :))

On Wed, 15 Apr 2020 at 23:02, Stephen COTTHAM <
[email protected]> wrote:

> Thanks Maxim,
>
>
>
> Changed the referral to *follow* (not sure whether that’s a valid option)
> – then removed *add domain to user name* under administration and
> then used the *email address*, which in our case is the UPN.
>
>
>
> Logged on and working now.
>
>
>
> Thanks for your help guys!
>
>
>
> I’ll add the JIRA for the referral shortly.
>
>
>
> *From:* Maxim Solodovnik <[email protected]>
> *Sent:* 15 April 2020 15:32
> *To:* Openmeetings user-list <[email protected]>
> *Subject:* [Possible Untrusted Sender] Re: [Possible Untrusted Sender]
> Re: Ldap with Microsoft Active Directory
>
>
>
>
>
>
>
> On Wed, 15 Apr 2020 at 21:01, Stephen COTTHAM <
> [email protected]> wrote:
>
> Thanks Guys,
>
>
>
> Confirmed on the DC that
>
> 'sAMAccountName=%s,OU=Users,OU=London,OU=UK,OU=Company,DC=domain,DC=local'
> =
> "sAMAccountName=stephen.cottham,OU=Users,OU=London,OU=UK,OU=Company,DC=domain,DC=local"
>
> (however the DN in AD is Stephen Cottham – with a space)
>
>
>
> so perhaps you should enter `Stephen Cottham` in the login field?
>
>
>
>
>
> Changed to SEARCHANDBIND; if I put in the wrong adm password I can see it
> throws an exception, so we know the ADM account and password are correct.
>
>
>
> So now when I do a logon attempt I get
>
>
>
> DEBUG 04-15 13:51:54.681 o.a.o.c.l.LdapLoginManager:172 [nio-5443-exec-6] - LdapLoginmanager.doLdapLogin
>
> WARN 04-15 13:51:54.710 o.a.o.c.l.LdapLoginManager:264 [nio-5443-exec-6] - Referral LDAP entry found, ignore it
>
> WARN 04-15 13:51:54.711 o.a.o.c.l.LdapLoginManager:264 [nio-5443-exec-6] - Referral LDAP entry found, ignore it
>
> WARN 04-15 13:51:54.711 o.a.o.c.l.LdapLoginManager:264 [nio-5443-exec-6] - Referral LDAP entry found, ignore it
>
> ERROR 04-15 13:51:54.711 o.a.o.c.l.LdapLoginManager:269 [nio-5443-exec-6] - NONE users found in LDAP
>
>
>
> I thought changing *ldap_deref_mode=always* should make it follow, but it
> still says ignore? – could this be related?
>
>
>
> Actually this part is not tested :(
>
> I have no idea what "Referral LDAP entry" means; I guess it is a sort of
> link to the correct entry?
>
> Maybe it is worth updating the search query to get the real entry as a result?
>
> Please file a JIRA
>
> I'll try to improve this
>
>
>
>
>
> Changing the log level now and trying again.
>
>
>
> Thanks!
>
>
>
> Best regards
>
>
> Stephen
>
>
>
>
>
> *From:* Maxim Solodovnik <[email protected]>
> *Sent:* 15 April 2020 14:49
> *To:* Openmeetings user-list <[email protected]>
> *Subject:* [Possible Untrusted Sender] Re: Ldap with Microsoft Active
> Directory
>
>
>
>
>
>
>
> On Wed, 15 Apr 2020 at 20:12, Stephen COTTHAM <
> [email protected]> wrote:
>
> Thanks Gerald,
>
>
>
> I've tried as suggested, using the SAM and the UPN; I even tried injecting
> the domain portion after the @ with both the domain and the email namespace.
> Both result in "No users was found:"
>
>
>
> Looking at the logs as they are we see this:
>
>
>
> DEBUG 04-15 12:51:52.393 o.a.o.d.d.u.UserDao:626 [nio-5443-exec-7] - No users was found: stephen.cottham
>
> DEBUG 04-15 12:51:52.393 o.a.o.c.l.LdapLoginManager:201 [nio-5443-exec-7] - getByLogin:: authenticated ? false, login = 'stephen.cottham', domain = 1, user = null
>
> ERROR 04-15 12:51:52.394 o.a.o.c.l.LdapLoginManager:338 [nio-5443-exec-7] - LDAP entry is null, search or lookup by Dn failed
>
>
>
> According to your config you have
> ldap_userdn_format='sAMAccountName=%s,OU=Users,OU=London,OU=UK,OU=Company,DC=domain,DC=local'
>
> According to the log the login is `stephen.cottham`,
> so OM tries to authenticate using
> "sAMAccountName=stephen.cottham,OU=Users,OU=London,OU=UK,OU=Company,DC=domain,DC=local"
> and is unable to find such a DN.
>
> Can you confirm that an LDAP explorer is able to find such a user?
>
>
>
>
>
> The last line: is it saying the variable is NULL because the bind returned
> no results, *or* is it saying the initial bind was not successful and
> therefore the variable is null? (This distinguishes whether it’s the DN of the
> lookup user vs. getting the expected format correct.)
>
>
>
> Sorry I think I missed the debug option, can you please relink that here
> and I’ll see what else I can find out.
>
>
>
> Also, to confirm: is the config file escaping out the spaces?
>
>
>
> For example:
>
>
>
> ldap_admin_dn='CN=Adm some user with spaces,OU=London,OU=Administrative
> Users,OU=RBG,OU=Rights Delegation,DC=domain,DC=local'
>
>
>
> I assume we don’t need to put quotes ‘ ‘ after the =’cn…? (Just ruling this
> out as a cause.)
>
>
>
> Best regards
>
>
>
> Stephen
>
>
>
>
>
> *From:* Rohrbach, Gerald <[email protected]>
> *Sent:* 15 April 2020 13:41
> *To:* [email protected]
> *Subject:* AW: Ldap with Microsoft Active Directory
>
>
>
> Stephen, it depends on your AD and how users log in.
>
> For us this worked:
>
> ldap_search_query=(userPrincipalName=%s)
>
>
>
> Go into AD, pick one user account, Properties, Attribute Editor. This
> shows all.
>
> (Probably under View you need to switch on Advanced Features!)
>
>
>
> Gerald
>
>
>
>
>
> *From:* Stephen COTTHAM [mailto:[email protected]]
> *Sent:* Wednesday, 15 April 2020 14:22
> *To:* [email protected]
> *Subject:* Ldap with Microsoft Active Directory
>
>
>
> Hey Guys,
>
>
>
> *I am in the same situation as Mathias ldap issue below.*
>
>
>
> *My Config:*
>
>
>
> ldap_conn_host=DC
> ldap_conn_port=389
> ldap_conn_secure=false
> ldap_admin_dn='CN=Adm some user,OU=London,OU=Administrative Users,OU=RBG,OU=Rights Delegation,DC=domain,DC=local'
> ldap_passwd='******'
> ldap_search_base='OU=Company,DC=domain,DC=local'
> ldap_search_query=(sAMAccountName=%s)
> ldap_search_scope=ONELEVEL
> ldap_auth_type=SIMPLEBIND
> ldap_userdn_format='sAMAccountName=%s,OU=Users,OU=London,OU=UK,OU=Company,DC=domain,DC=local'
> ldap_provisionning=AUTOCREATE
> ldap_deref_mode=always
> ldap_use_admin_to_get_attrs=true
> ldap_sync_password_to_om=true
> ldap_group_mode=NONE
> ldap_group_query=(&(memberUid=%s)(objectClass=posixGroup))
> ldap_user_attr_login=sAMAccountName
> ldap_user_attr_lastname=sn
> ldap_user_attr_firstname=givenName
> ldap_user_attr_mail=mail
> ldap_user_attr_street=streetAddress
> ldap_user_attr_additionalname=description
> ldap_user_attr_fax=facsimileTelephoneNumber
> ldap_user_attr_zip=postalCode
> ldap_user_attr_country=co
> ldap_user_attr_town=l
> ldap_user_attr_phone=telephoneNumber
> ldap_group_attr=memberOf
> ldap_use_lower_case=false
> ldap_import_query=(objectClass=inetOrgPerson)
>
>
>
> Always returns:
>
>
>
> *No users was found:*
>
>
>
> Checked with ldapsearch and I can retrieve them fine; other systems that
> use LDAP from Linux, such as Apache Guacamole and Nextcloud, both have
> working AD integration using the same values I set there.
>
>
>
> Is there a way to get better debug logs from OpenMeetings, about what
> it is sending to the DC? The initial bind status, error code from the DC,
> etc.
>
>
>
> I remember in old versions of OM we could run it in debug mode to stdout?
>
>
>
> Otherwise, is there anything obvious I’m missing here?
>
>
>
> Best regards
>
>
>
> Stephen
>
>
>
>
>
>
>
>
>
> *From:* Mathias Kocks <[email protected]>
> *Sent:* 15 April 2020 13:06
> *To:* [email protected]
> *Subject:* [Possible Untrusted Sender] Can not use LDAP-Sync with
> Microsoft Active Directory
>
>
>
> Hello,
>
> I am new to this project and have a problem with the LDAP sync. I cannot
> even find any good documentation...
>
>
>
> My problem is that slapd does not find any user in my AD. I am not even
> sure if it is searching for real. I found some example configs in the
> mailing list archive, but they do not work for me.
>
> I found this one:
>
>
>
> #LDAP URL
> ldap_conn_host=LDAP_server.Company.com
> ldap_conn_port=636
> ldap_conn_secure=true
>
> # Login distinguished name (DN) for Authentication on LDAP Server
> # Use full qualified LDAP DN
> ldap_admin_dn=CN=ldapauth,OU=Users,DC=Company,DC=com
>
> # Loginpass for Authentication on LDAP Server
> ldap_passwd=ldapauthpasswd
>
> # base to search for userdata(of user, that wants to login)
> ldap_search_base=OU=Users,DC=Company,DC=com
> #ldap_search_base=DC=Company,DC=com
>
> # Fieldnames (can differ between Ldap servers)
> ldap_search_query=(&(objectCategory=person)(objectClass=person)(sAMAccountName=%1$s))
> #ldap_search_query=(sAMAccountName=%s)
> #ldap_search_query=(CN=%s)
>
> # the scope of the search might be: OBJECT, ONELEVEL, SUBTREE
> ldap_search_scope=SUBTREE
>
> # Ldap auth type(NONE, SEARCHANDBIND, SIMPLEBIND)
> ldap_auth_type=SEARCHANDBIND
>
> # userDN format, will be used to bind if ldap_auth_type=SIMPLEBIND
> ldap_userdn_format=sAMAccountName=%s,OU=Users,DC=beuth-hochschule.de,DC=com
> #ldap_userdn_format=sAMAccountName=%s,DC=Company,DC=com
> #ldap_userdn_format=CN=%s,OU=Users,DC=Company,DC=com
> #ldap_userdn_format=CN=%s,DC=Company,DC=com
>
> # Ldap-password synchronization to OM DB
> ldap_sync_password_to_om=false
>
> # Ldap user attributes mapping
> # Set the following internal OM user attributes to their corresponding Ldap-attribute
> ldap_user_attr_lastname=sn
>
>
>
> But even after I changed it to my AD and tried several changes, no users
> were found.
>
>
>
> My actual config:
>
>
>
> ldap_server_type=AD
> ldap_conn_host=dc2.labmed.de
> ldap_conn_port=389
> ldap_conn_secure=false
> ldap_admin_dn=CN=Administrator,CN=Users,DC=labmed,DC=de
> ldap_passwd=SuperSecretPassword
> ldap_search_base=OU=labmed,DC=labmed,DC=de
> #ldap_search_query=(&(objectCategory=*)(objectClass=*)(sAMAccountName=%s))
> ldap_search_query=(sAMAccountName=%s)
> ldap_search_scope= SUBTREE
> ldap_auth_type=SEARCHANDBIND
> ldap_deref_mode=never
> ldap_userdn_format=sAMAccountName=%s,DC=labmed,DC=de
> ldap_provisionning=NONE
> ldap_use_admin_to_get_attrs=true
> ldap_sync_password_to_om=false
> ldap_sync_attr_lastname=sn
> ldap_user_attr_firstname=givenName
> ldap_user_attr_mail=mail
> ldap_user_attr_street=streetAddress
> ldap_user_attr_additionalname=description
> ldap_user_attr_fax=facsimileTelephoneNumber
> ldap_user_attr_zip=postalCode
> ldap_user_attr_country=co
> ldap_user_attr_town=l
> ldap_user_attr_phone=telephoneNumber
> ldap_use_lower_case=false
>
>
>
>
>
> It is now the second day on which I am bursting with happiness....
>
>
>
>
>
>
>
> Kind regards
>
>
>
> *Mathias Kocks*
>
> *Team Lead IT Infrastructure*
>
> *Certified Information Security Officer ISO 27001 (TÜV Süd)*
>
>
>
> Überörtliche Berufsausübungsgemeinschaft
>
> *Medizinisches Versorgungszentrum*
>
> *Dr. Eberhard & Partner Dortmund*
>
> MVZ-Haus 3: Balkenstr. 12-14
>
> 44137 Dortmund, Germany
>
>
>
> Tel.:  +49 231 9572 7158
>
> Fax.: +49 231 9572 18 159
>
> E-Mail: [email protected]
>
> Web: https://www.labmed.de
>
>
>
>
>
>
> --
>
> Best regards,
> Maxim
>
>
>
>
> --
>
> Best regards,
> Maxim
>


-- 
Best regards,
Maxim
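Editor's added example (not OpenMeetings code, and not posted by anyone in the thread): an offline model of the SEARCHANDBIND flow the thread ends up with, so the failure modes discussed above can be reproduced without a domain controller. It substitutes the login into an ldap_search_query template with RFC 4515 escaping (an unescaped %s lets a login of `*` turn the equality filter into a presence filter that matches every account), applies ldap_search_scope to a DN (ONELEVEL under OU=Company cannot see an entry in OU=Users,OU=London,OU=UK,OU=Company), returns referral objects alongside entries the way a DC returns SearchResultReferences for subordinate naming contexts, and simple-binds either with a DN or with the userPrincipalName, which AD accepts as a simple-bind name but which a DN of the form `sAMAccountName=...,OU=...` is not. The entries, passwords, referral URLs, the `escape` switch and the `password` attribute are all constructed for the model; AD never exposes a password attribute. Separately from the example: both posted configs use ldap_conn_port=389 with ldap_conn_secure=false, so unless the client negotiates StartTLS the admin bind password and every user's login password cross the network in cleartext.

```python
"""Offline model of the OpenMeetings SEARCHANDBIND flow against an AD-style directory.

Added example, not OpenMeetings code: search under ldap_search_base with
ldap_search_query, then simple-bind as the DN that came back, run against a small
constructed in-memory directory. All entries, names, URLs and passwords are made up.
"""
import re

# RFC 4515 section 3: characters that must be escaped in a filter assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
_PLACEHOLDER = re.compile(r"%(?:1\$)?s")   # both %s and %1$s appear in the thread

def escape_filter_value(value: str) -> str:
    """Escape a user-controlled value before it is substituted into a filter."""
    return "".join(_ESCAPES.get(c, c) for c in value)

def build_filter(template: str, login: str, escape: bool = True) -> str:
    """Fill the placeholder of an ldap_search_query template with the login."""
    value = escape_filter_value(login) if escape else login   # escape=False: naive %s
    return _PLACEHOLDER.sub(lambda _: value, template)        # lambda keeps backslashes literal

def _split_components(filt: str) -> list:
    """Split '(a=b)(c=d)' into its top-level parenthesised parts."""
    parts, depth, start = [], 0, 0
    for i, ch in enumerate(filt):
        if ch == "(":
            start = i if depth == 0 else start
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                parts.append(filt[start:i + 1])
    return parts

def matches(attrs: dict, filt: str) -> bool:
    """Evaluate (&...), equality and presence filters; substring filters are not modelled."""
    inner = filt[1:-1]
    if inner.startswith("&"):
        return all(matches(attrs, part) for part in _split_components(inner[1:]))
    attr, _, raw = inner.partition("=")
    lowered = {k.lower(): v for k, v in attrs.items()}   # AD compares these case-insensitively
    if raw == "*":                                       # presence filter, e.g. (objectClass=*)
        return attr.lower() in lowered
    wanted = re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), raw).lower()
    return any(v.lower() == wanted for v in lowered.get(attr.lower(), []))

def in_scope(dn: str, base: str, scope: str) -> bool:
    """Apply ldap_search_scope (OBJECT, ONELEVEL, SUBTREE); RDN values hold no escaped commas."""
    d, b = (tuple(p.strip().lower() for p in x.split(",")) for x in (dn, base))
    if len(d) < len(b) or d[-len(b):] != b:
        return False
    depth = len(d) - len(b)
    return {"OBJECT": depth == 0, "ONELEVEL": depth == 1, "SUBTREE": True}[scope]

class Directory:
    """In-memory stand-in for one AD domain naming context (a model, not an LDAP client)."""

    def __init__(self, entries: dict, referrals: dict, bind_names: dict):
        self.entries = entries        # dn -> {attribute: [values]}
        self.referrals = referrals    # dn of a subordinate naming context -> ldap:// URL
        self.bind_names = bind_names  # AD also accepts the UPN as the simple-bind name

    def search(self, base: str, scope: str, filt: str) -> list:
        """Return (kind, dn, attrs) tuples; kind is 'entry' or 'referral'."""
        found = [("entry", dn, a) for dn, a in self.entries.items()
                 if in_scope(dn, base, scope) and matches(a, filt)]
        # A DC adds a SearchResultReference for every subordinate naming context
        # under the base, whatever the filter says; OM logs these and skips them.
        found += [("referral", dn, {"ref": [url]})
                  for dn, url in self.referrals.items() if in_scope(dn, base, scope)]
        return found

    def simple_bind(self, name: str, password: str) -> bool:
        dn = self.bind_names.get(name.lower(), name).lower()
        entry = {k.lower(): v for k, v in self.entries.items()}.get(dn)
        # "password" exists only so the offline bind can be checked; AD never exposes it.
        return entry is not None and entry.get("password") == [password]

def search_and_bind(cfg: dict, directory: Directory, login: str, password: str) -> dict:
    """SEARCHANDBIND as OM does it: exactly one entry must match, then bind as that DN."""
    filt = build_filter(cfg["ldap_search_query"], login, cfg.get("escape", True))
    results = directory.search(cfg["ldap_search_base"], cfg["ldap_search_scope"], filt)
    entries = [r for r in results if r[0] == "entry"]
    referrals = sum(r[0] == "referral" for r in results)
    if len(entries) != 1:
        return {"ok": False, "reason": f"{len(entries)} users found", "referrals": referrals}
    dn = entries[0][1]
    return {"ok": directory.simple_bind(dn, password), "dn": dn, "filter": filt,
            "referrals": referrals}

# Constructed sample data mirroring the layout quoted in the thread.
USER_DN = "CN=Stephen Cottham,OU=Users,OU=London,OU=UK,OU=Company,DC=domain,DC=local"
ADM_DN = "CN=Adm some user,OU=London,OU=Administrative Users,OU=RBG,OU=Rights Delegation,DC=domain,DC=local"
_PERSON = {"objectCategory": ["person"], "objectClass": ["top", "person", "user"]}
DIRECTORY = Directory(
    entries={USER_DN: {**_PERSON, "sAMAccountName": ["stephen.cottham"], "password": ["Pa55"],
                       "userPrincipalName": ["stephen.cottham@domain.local"]},
             ADM_DN: {**_PERSON, "sAMAccountName": ["adm.user"], "password": ["Adm1"]}},
    referrals={f"{ctx},DC=domain,DC=local": f"ldap://domain.local/{ctx},DC=domain,DC=local"
               for ctx in ("DC=DomainDnsZones", "DC=ForestDnsZones", "CN=Configuration")},
    bind_names={"stephen.cottham@domain.local": USER_DN},
)
```

Running `search_and_bind` with the posted ldap_search_base and ldap_search_scope=ONELEVEL gives "0 users found" for stephen.cottham, and SUBTREE finds and binds the entry; the same check against a real DC is `ldapsearch -s one` versus `ldapsearch -s sub` with that base. With the base moved up to DC=domain,DC=local the three referral objects appear in the result set next to the real entry, which is the shape of the "Referral LDAP entry found, ignore it" lines in the log. The `escape=False` path exists only to show what a raw `%s` substitution does with a login of `*`; a real client must always take the escaped path.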
