The most logical thing is that you follow the thread.

On 5/5/2020 at 10:06, Ninnig, Alexander wrote:
> Hi,
>
> I'm new and I don't know the etiquette: If I have a problem with Active 
> Directory-Integration as well - do I start a new "thread" by sending an email 
> with a new subject, or should I respond to this existing one?
>
> In case responding to an existing one is right, I would like to describe 
> the problem:
>
> Right now, if I try to authenticate as domain-user, I don't get a login-error 
> (like: wrong username or password), but an internal error page instead (the 
> browser tab shows "Internal Error" pretty fast, it takes a few more seconds 
> until the page is opened 
> (https://myopenmeetingsserver:5443/openmeetings/wicket/bookmarkable/org.apache.wicket.markup.html.pages.InternalErrorPage).
>  Is this supposed to happen? As far as I remember, this was different in 
> OpenMeetings 3 (I tried LDAP before with OM3, but the login was always 
> denied, saying user or password was wrong - the login kinda wiggled a few 
> times, sort of like shaking its head).
>
> Question 1: is there something wrong with my OpenMeetings-installation? Or is 
> this just the behaviour caused by a wrong om_ldap.conf?
> --> I figured this one out! The sample-om_ldap.conf was in 
> /opt/open504/webapps/openmeetings/data/conf/, but the LDAP-configuration 
> said, the file should be in /opt/open504/webapps/openmeetings/conf [no DATA], 
> after I copied/moved the conf, I got the regular "wrong username/wrong 
> password"-message. So it's still not working, but there's no internal error 
> anymore.
>
> Question 2: I still can't login using AD-credentials, no matter if I use 
> username, [email protected] or [email protected]. I add some 
> info on my environment and my configuration, since I'm not sure, I understand 
> all of it. Can someone have a look and help me with this?
>
> Here is my scenario:
> OpenMeeting 5.04 on Ubuntu Server 18.04 (English), NOT a domain member
> Active Directory on Windows Server 2012 R2
>
> Here is my configuration (this file is also set in OpenMeetings in 
> LDAP-configuration; I tried with and without "add Domain to username"):
> ldap_conn_host=192.168.0.10
> ldap_conn_port=389
> ldap_conn_secure=false
> ldap_admin_dn=CN=openmeetings,CN=Users,DC=domain,DC=intern
> ldap_passwd=SomeSuperPassword
> ldap_search_base=OU=myfirm,DC=domain,DC=intern
>
> --> so far, I can use these infos in order to get an ldap-bind (using Apache 
> Directory Studio), THAT works.
> --> The om-ldap-user is NOT in the same OU as my users, that is 
> intentional, since there are no restricting group-policies on "Users", but 
> on "myfirm".
> --> After creating an ldap-bind in Apache Directory Studio, I can also use 
> this search-base, so that works too.
>
> ldap_search_query=(uid=%s)
> --> I left this unchanged, this means, OpenMeetings searches my AD for the 
> entered string, right?
>
> ldap_search_scopes=SUBTREE
> --> I changed that to SUBTREE, since I have more OUs below "myfirm" (such as 
> "users", "computers", "servers" and so on)
>
> ldap_auth_type=SEARCHANDBIND
> --> I tried SEARCHANDBIND as well as SIMPLEBIND. Wrong username/password 
> keeps showing, no matter the ldap_auth_type. Can I also use NONE instead?
>
> ldap_userdn_format=uid=%s,OU=myfirm,DC=domain,DC=intern
> --> this is the parameter I don't understand. Is this how the DN of the 
> user account, creating the ldap-bind, is created? But why is this necessary? I 
> thought, I already told openmeetings what account to use (namely 
> ldap_admin_dn=CN=openmeetings,CN=Users,DC=domain,DC=intern). Since a lot of 
> my users are in different OUs, I cannot supply ONE string, that matches all. 
> In order to get a syntax that fits everyone, I would rather use an 
> ldap-attribute like "userPrincipalName" (that's always: 
> [email protected]). If I use SEARCHANDBIND and/or 
> ldap_use_admin_to_get_attrs=true, can I just ignore this setting? Or is this 
> the username-syntax OpenMeetings uses in order to check if the password is 
> right? In that case, I would have to provide a DN-string, that would fit 
> every user, which is not possible, when users are in different OUs.
>
> ldap_use_admin_to_get_attrs=true
> --> that means, the aforementioned ldap_admin_dsn is used in order to search 
> the AD, right?
>
> (...)
>
> ldap_user_attr_login=uid
> --> is this an attribute used by OpenMeetings? That is not an attribute used 
> in my Active Directory. It is always empty/not set! If this is supposed to be 
> the loginname, should I change this to userPrincipalName 
> ([email protected]) or sAMAccountName (loginname) instead? All the 
> other attributes (sn, givenName, etc.) are used and filled.
>
>
>
> Best regards,
> Alex
>
> -----Original Message-----
> From: Maxim Solodovnik <[email protected]> 
> Sent: Tuesday, 5 May 2020 04:57
> To: Openmeetings user-list <[email protected]>
> Subject: Re: Integration problems with Active Directory
>
> Hello Osvaldo,
>
> since your users don't "fit" into a single LDAP DN pattern, SIMPLEBIND should 
> be replaced with SEARCHANDBIND. In this case your users will be searched using 
> search-base and search-query, then authenticated ...
>
> On Tue, 5 May 2020 at 01:16, Osvaldo OBA. Benítez Aliaga 
> <[email protected] <mailto:[email protected]> > wrote:
>
>
>       yes.
>       I have managed to authenticate well with the user that declared
>       (support) and authenticate well with the users that are in the same
>       organizational unit (CN). Now the problem is with users who are in other
>       organizational units. For example, those in the Domain Users OU
>       
>       
>       On 4/5/2020 at 12:09, Maxim Solodovnik wrote:
>       > Have you tested it with LDAP explorer as I suggest?
>       
>       
>
>
>
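
The two modes discussed in this thread, as a small in-memory model added here as an example (it is not OpenMeetings code and not from any poster): it shows why a single `ldap_userdn_format` pattern cannot reach users spread over several OUs, and why a search filter on `uid` matches nothing in a directory that only fills `sAMAccountName`. The directory entries, user names and user passwords are constructed, the function names and the `CFG` dictionary are hypothetical, the filter is reduced to one attribute equality, and `ONELEVEL` is used as the name of the standard one-level scope.

```python
# Constructed sample directory (DN -> attributes, password); not real data.
# As in the thread's AD, "uid" is not populated; sAMAccountName is.
DIRECTORY = {
    "CN=openmeetings,CN=Users,DC=domain,DC=intern":
        ({"sAMAccountName": "openmeetings"}, "SomeSuperPassword"),
    "CN=Anna Berg,OU=users,OU=myfirm,DC=domain,DC=intern":
        ({"sAMAccountName": "aberg"}, "pw-anna"),
    "CN=Tom Kell,OU=sales,OU=users,OU=myfirm,DC=domain,DC=intern":
        ({"sAMAccountName": "tkell"}, "pw-tom"),
}
CFG = {  # mirrors the posted settings, except attr (the attribute in the filter)
    "admin_dn": "CN=openmeetings,CN=Users,DC=domain,DC=intern",
    "passwd": "SomeSuperPassword",
    "search_base": "OU=myfirm,DC=domain,DC=intern",
    "scope": "SUBTREE",
    "attr": "sAMAccountName",
}

def bind(dn, password):
    """Simple-bind model: the DN must exist and the password must match.
    An empty password is refused, since servers may treat it as anonymous."""
    entry = DIRECTORY.get(dn)
    return bool(password) and entry is not None and entry[1] == password

def search(base, scope, attr, value):
    """DNs below base where attr == value; scope is SUBTREE or ONELEVEL."""
    hits = []
    for dn, (attrs, _pw) in DIRECTORY.items():
        if not dn.lower().endswith("," + base.lower()):
            continue
        depth = dn[:-len(base) - 1].count(",")  # 0 = direct child (no escaped commas here)
        if (scope == "SUBTREE" or depth == 0) and attrs.get(attr) == value:
            hits.append(dn)
    return hits

def simple_bind_login(login, password, userdn_format):
    """SIMPLEBIND model: one fixed DN pattern for every user."""
    return bind(userdn_format % login, password)

def search_and_bind_login(login, password, cfg):
    """SEARCHANDBIND model: service bind, search, then bind as the found DN."""
    if not bind(cfg["admin_dn"], cfg["passwd"]):
        return False
    hits = search(cfg["search_base"], cfg["scope"], cfg["attr"], login)
    return len(hits) == 1 and bind(hits[0], password)  # ambiguous match = deny
```

Separately from the lookup logic modelled here, a simple bind over plain LDAP on port 389 sends the password unencrypted, which applies to both the service account and every user login.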
