Hi, I'm new and I don't know the etiquette: if I have a problem with Active Directory integration as well, do I start a new "thread" by sending an email with a new subject, or should I respond to this existing one?

In case responding to an existing one is right, I would like to describe the problem:

Right now, if I try to authenticate as a domain user, I don't get a login error (like "wrong username or password"), but an internal error page instead (the browser tab shows "Internal Error" pretty fast; it takes a few more seconds until the page is opened: https://myopenmeetingsserver:5443/openmeetings/wicket/bookmarkable/org.apache.wicket.markup.html.pages.InternalErrorPage). Is this supposed to happen? As far as I remember, this was different in OpenMeetings 3 (I tried LDAP before with OM3, but the login was always denied, saying user or password was wrong; the login kinda wiggled a few times, sort of like shaking its head).

Question 1: is there something wrong with my OpenMeetings installation? Or is this just the behaviour caused by a wrong om_ldap.conf?
--> I figured this one out! The sample om_ldap.conf was in /opt/open504/webapps/openmeetings/data/conf/, but the LDAP configuration said the file should be in /opt/open504/webapps/openmeetings/conf [no DATA]. After I copied/moved the conf, I got the regular "wrong username/wrong password" message. So it is still not working, but there's no internal error anymore.

Question 2: I still can't log in using AD credentials, no matter if I use username, [email protected] or [email protected]. I add some info on my environment and my configuration, since I'm not sure I understand all of it. Can someone have a look and help me with this?

Here is my scenario:
OpenMeeting 5.04 on Ubuntu Server 18.04 (English), NOT a domain member
Active Directory on Windows Server 2012 R2

Here is my configuration (this file is also set in OpenMeetings in the LDAP configuration; I tried with and without "add Domain to username"):

ldap_conn_host=192.168.0.10
ldap_conn_port=389
ldap_conn_secure=false
ldap_admin_dn=CN=openmeetings,CN=Users,DC=domain,DC=intern
ldap_passwd=SomeSuperPassword
ldap_search_base=OU=myfirm,DC=domain,DC=intern
--> So far, I can use this info in order to get an LDAP bind (using Apache Directory Studio); THAT works.
--> The om LDAP user is NOT in the same OU as my users; that is intentional, since there are no restricting group policies on "Users", but on "myfirm".
--> After creating an LDAP bind in Apache Directory Studio, I can also use this search base, so that works too.

ldap_search_query=(uid=%s)
--> I left this unchanged; this means OpenMeetings searches my AD for the entered string, right?

ldap_search_scopes=SUBTREE
--> I changed that to SUBTREE, since I have more OUs below "myfirm" (such as "users", "computers", "servers" and so on).

ldap_auth_type=SEARCHANDBIND
--> I tried SEARCHANDBIND as well as SIMPLEBIND. Wrong username/password keeps showing, no matter the ldap_auth_type. Can I also use NONE instead?

ldap_userdn_format=uid=%s,OU=myfirm,DC=domain,DC=intern
--> This is the parameter I don't understand. Is this how the DN of the user account creating the LDAP bind is created? But why is this necessary? I thought I already told OpenMeetings what account to use (namely ldap_admin_dn=CN=openmeetings,CN=Users,DC=domain,DC=intern). Since a lot of my users are in different OUs, I cannot supply ONE string that matches all. In order to get a syntax that fits everyone, I would rather use an LDAP attribute like "userPrincipalName" (that's always [email protected]). If I use SEARCHANDBIND and/or ldap_use_admin_to_get_attrs=true, can I just ignore this setting?
Or is this the username syntax OpenMeetings uses in order to check if the password is right? In that case, I would have to provide a DN string that would fit every user, which is not possible when users are in different OUs.

ldap_use_admin_to_get_attrs=true
--> That means the aforementioned ldap_admin_dsn is used in order to search the AD, right?

(...)

ldap_user_attr_login=uid
--> Is this an attribute used by OpenMeetings? That is not an attribute used in my Active Directory. It is always empty/not set! If this is supposed to be the login name, should I change this to userPrincipalName ([email protected]) or sAMAccountName (loginname) instead? All the other attributes (sn, givenName, etc.) are used and filled.

Best regards,
Alex

-----Original Message-----
From: Maxim Solodovnik <[email protected]>
Sent: Tuesday, 5 May 2020 04:57
To: Openmeetings user-list <[email protected]>
Subject: Re: Integration problems with Active Directory

Hello Osvaldo,

since your users don't "fit" into a single LDAP DN pattern, SIMPLEBIND should be replaced with SEARCHANDBIND. In this case your users will be searched using search-base and search-query, then authenticated ...

On Tue, 5 May 2020 at 01:16, Osvaldo OBA. Benítez Aliaga <[email protected]> wrote:

yes. I have managed to authenticate well with the user that declared (support) and authenticate well with the users that are in the same organizational unit (CN). Now the problem is with users who are in other organizational units. For example, those in the Domain Users OU

On 4/5/2020 at 12:09, Maxim Solodovnik wrote:
> Have you tested it with LDAP explorer as I suggest?

--
Best regards,
Maxim
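One way to see why the SIMPLEBIND and SEARCHANDBIND settings discussed in this thread behave differently against Active Directory is to simulate both modes against a small AD-style tree. This is an added example, not code from OpenMeetings or from anyone on the thread: the directory entries, passwords and function names are constructed for illustration, it only models a plain (attr=value) equality search rather than a real LDAP server, and it escapes the login per RFC 4515 before substituting it into the filter as a general good practice, not as a statement about what OpenMeetings does.

```python
import re

# Constructed stand-in for the tree under ldap_search_base. AD user objects
# carry sAMAccountName / userPrincipalName; they have no "uid" attribute,
# and the two users deliberately sit in different OUs below OU=myfirm.
DIRECTORY = {
    "CN=Alice Example,OU=users,OU=myfirm,DC=domain,DC=intern": {
        "sAMAccountName": "alice",
        "userPrincipalName": "alice@domain.intern",
        "_password": "alice-secret",   # constructed; a real server checks the bind itself
    },
    "CN=Bob Example,OU=servers,OU=myfirm,DC=domain,DC=intern": {
        "sAMAccountName": "bob",
        "userPrincipalName": "bob@domain.intern",
        "_password": "bob-secret",
    },
    "CN=openmeetings,CN=Users,DC=domain,DC=intern": {
        "sAMAccountName": "openmeetings",
        "_password": "SomeSuperPassword",
    },
}


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value that is substituted into a search filter."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def _unescape(value: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def build_filter(search_query: str, login: str) -> str:
    """Substitute the typed login into ldap_search_query, e.g. '(uid=%s)'."""
    return search_query.replace("%s", escape_filter_value(login))


def bind(dn: str, password: str) -> bool:
    """Simulated simple bind: succeeds only for a known DN with the right password."""
    entry = DIRECTORY.get(dn)
    return entry is not None and entry["_password"] == password


def search(base: str, scope: str, ldap_filter: str) -> list:
    """Simulated equality search (attr=value) under base, scope ONELEVEL or SUBTREE."""
    m = re.fullmatch(r"\((\w+)=(.*)\)", ldap_filter)
    if not m:
        raise ValueError("only (attr=value) filters are simulated")
    attr, value = m.group(1), _unescape(m.group(2))
    hits = []
    for dn, entry in DIRECTORY.items():
        if not dn.endswith("," + base):
            continue
        depth = dn[: -len(base) - 1].count(",") + 1   # 1 == direct child of base
        if scope == "ONELEVEL" and depth != 1:
            continue
        if entry.get(attr) == value:
            hits.append(dn)
    return hits


def simplebind_login(userdn_format: str, login: str, password: str) -> bool:
    """SIMPLEBIND: build the user's DN from ldap_userdn_format and bind as it.
    Works only if every user's DN really follows that one pattern."""
    return bind(userdn_format.replace("%s", login), password)


def searchandbind_login(admin_dn, admin_pw, base, scope, search_query, login, password) -> bool:
    """SEARCHANDBIND: bind as ldap_admin_dn, locate the user's DN with
    ldap_search_base + ldap_search_query, then bind as that DN with the
    user's password. Exactly one hit is required, otherwise the login fails."""
    if not bind(admin_dn, admin_pw):
        return False
    hits = search(base, scope, build_filter(search_query, login))
    if len(hits) != 1:
        return False
    return bind(hits[0], password)


if __name__ == "__main__":
    admin = ("CN=openmeetings,CN=Users,DC=domain,DC=intern", "SomeSuperPassword")
    base = "OU=myfirm,DC=domain,DC=intern"
    for query in ("(uid=%s)", "(sAMAccountName=%s)"):
        for login, pw in (("alice", "alice-secret"), ("bob", "bob-secret")):
            ok = searchandbind_login(*admin, base, "SUBTREE", query, login, pw)
            print(f"SEARCHANDBIND {query:<20} {login}: {'ok' if ok else 'denied'}")
    print("SIMPLEBIND uid=%s,OU=myfirm,...  alice:",
          simplebind_login("uid=%s," + base, "alice", "alice-secret"))
```

Against these entries, a query of (uid=%s) never finds anyone because the attribute is absent, (sAMAccountName=%s) with SUBTREE scope finds users in both OUs, ONELEVEL misses users that sit one OU deeper, and a single ldap_userdn_format only ever matches users whose DN happens to follow that exact pattern.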
