Hello Alexander,

On Tue, 5 May 2020 at 21:06, Ninnig, Alexander <[email protected]> wrote:

> Hi,
>
> I'm new and I don't know the etiquette: If I have a problem with Active
> Directory integration as well, do I start a new "thread" by sending an
> email with a new subject, or should I respond to this existing one?
>
> In case responding to an existing one is right, I would like to
> describe the problem:
>

It is OK to use the existing mail thread if the topic matches :))

> Right now, if I try to authenticate as domain user, I don't get a
> login error (like: wrong username or password), but an internal error page
> instead (the browser tab shows "Internal Error" pretty fast, it takes a few
> more seconds until the page is opened:
> https://myopenmeetingsserver:5443/openmeetings/wicket/bookmarkable/org.apache.wicket.markup.html.pages.InternalErrorPage).
> Is this supposed to happen? As far as I remember, this was different in
> OpenMeetings 3 (I tried LDAP before with OM3, but the login was always
> denied, saying user or password was wrong; the login kinda wiggled a few
> times, sort of like shaking its head).
>

This is not good. What is in the logs? (openmeetings.log)

> Question 1: is there something wrong with my OpenMeetings installation? Or
> is this just the behaviour caused by a wrong om_ldap.conf?
> --> I figured this one out! The sample om_ldap.conf was in
> /opt/open504/webapps/openmeetings/data/conf/, but the LDAP configuration
> said the file should be in /opt/open504/webapps/openmeetings/conf [no
> DATA]; after I copied/moved the conf, I got the regular "wrong
> username/wrong password" message. So it's still not working, but there's no
> internal error anymore.
>

It is corrected here: https://openmeetings.apache.org/LdapAndADS.html#2-an-ldap-config-file
Good to know there is no internal error.

> Question 2: I still can't log in using AD credentials, no matter if I use
> username, [email protected] or [email protected]. I add
> some info on my environment and my configuration, since I'm not sure I
> understand all of it.
> Can someone have a look and help me with this?
>

I'll try

> Here is my scenario:
> OpenMeetings 5.04 on Ubuntu Server 18.04 (English), NOT a domain member
> Active Directory on Windows Server 2012 R2
>
> Here is my configuration (this file is also set in OpenMeetings in
> LDAP configuration; I tried with and without "add Domain to username"):
> ldap_conn_host=192.168.0.10
> ldap_conn_port=389
> ldap_conn_secure=false
> ldap_admin_dn=CN=openmeetings,CN=Users,DC=domain,DC=intern
> ldap_passwd=SomeSuperPassword
> ldap_search_base=OU=myfirm,DC=domain,DC=intern
>
> --> so far, I can use this info in order to get an LDAP bind (using
> Apache Directory Studio), THAT works.
> --> The om-ldap-user is NOT in the same OU as my users; that is
> intentional, since there are no restricting group policies on "Users",
> but on "myfirm".
> --> After creating an LDAP bind in Apache Directory Studio, I can also use
> this search base, so that works too.
>

thanks for doing the initial investigation :)

> ldap_search_query=(uid=%s)
> --> I left this unchanged; this means OpenMeetings searches my AD for the
> entered string, right?
>

This means: IF ldap_auth_type=SEARCHANDBIND and the bind with ldap_admin_dn / ldap_passwd was successful, OM will do the search for the user DN using the "admin" user, ldap_search_base and ldap_search_query, substituting %s with the user-entered login; then IF exactly one record is found, it will try to bind using the DN found and the password entered.

> ldap_search_scopes=SUBTREE
> --> I changed that to SUBTREE, since I have more OUs below "myfirm" (such
> as "users", "computers", "servers" and so on)
>

sounds right

> ldap_auth_type=SEARCHANDBIND
> --> I tried SEARCHANDBIND as well as SIMPLEBIND. Wrong username/password
> keeps showing, no matter the ldap_auth_type. Can I also use NONE instead?
>

SIMPLEBIND will use ldap_userdn_format, substitute the user-entered login in place of %s and will try to bind.

> ldap_userdn_format=uid=%s,OU=myfirm,DC=domain,DC=intern
> --> this is the parameter I don't understand. Is this how the DN of the
> user account creating the LDAP bind is created? But why is this necessary?
> I thought I already told OpenMeetings what account to use (namely
> ldap_admin_dn=CN=openmeetings,CN=Users,DC=domain,DC=intern). Since a lot of
> my users are in different OUs, I cannot supply ONE string that matches
> all. In order to get a syntax that fits everyone, I would rather use an
> LDAP attribute like "userPrincipalName" (that's always:
> [email protected]). If I use SEARCHANDBIND and/or
> ldap_use_admin_to_get_attrs=true, can I just ignore this setting? Or is
> this the username syntax OpenMeetings uses in order to check if the
> password is right? In that case, I would have to provide a DN string that
> would fit every user, which is not possible when users are in different
> OUs.
>

hopefully I have answered this one above :)

> ldap_use_admin_to_get_attrs=true
> --> that means the aforementioned ldap_admin_dn is used in order to
> search the AD, right?
>

No. This means that AFTER a successful bind as the user (i.e. the user exists and the password is correct), a bind with ldap_admin_dn and ldap_passwd will happen to get the user attributes listed here: https://github.com/apache/openmeetings/blob/master/openmeetings-web/src/main/webapp/data/conf/om_ldap.cfg#L84
The user DN will be used if `false`.

> (...)
>
> ldap_user_attr_login=uid
> --> is this an attribute used by OpenMeetings? That is not an attribute
> used in my Active Directory. It is always empty/not set! If this is
> supposed to be the login name, should I change this to userPrincipalName
> ([email protected]) or sAMAccountName (login name) instead? All the
> other attributes (sn, givenName, etc.) are used and filled.
>

This LDAP attribute will be used to fill OM's internal "login" field.

>
> Best regards,
> Alex
>
> -----Original Message-----
> From: Maxim Solodovnik <[email protected]>
> Sent: Tuesday, 5 May 2020 04:57
> To: Openmeetings user-list <[email protected]>
> Subject: Re: Integration problems with Active Directory
>
> Hello Osvaldo,
>
> since your users don't "fit" into a single LDAP DN pattern, SIMPLEBIND
> should be replaced with SEARCHANDBIND. In this case your users will be
> searched using search-base and search-query, then authenticated ...
>
> On Tue, 5 May 2020 at 01:16, Osvaldo OBA. Benítez Aliaga <[email protected] <mailto:[email protected]>> wrote:
>
> > yes.
> > I have managed to authenticate well with the user that declared
> > (support) and authenticate well with the users that are in the same
> > organizational unit (CN). Now the problem is with users who are in
> > other organizational units. For example, those in the Domain Users OU
> >
> > On 4/5/2020 at 12:09, Maxim Solodovnik wrote:
> > > Have you tested it with LDAP explorer as I suggest?
> >
>
> --
> Best regards,
> Maxim

--
Best regards,
Maxim
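The SEARCHANDBIND / SIMPLEBIND flow Maxim describes above, as an added example that is not part of the thread and not OpenMeetings' own code: a small Python simulation against a constructed toy directory (the service account under CN=Users, one person under a sub-OU of OU=myfirm carrying sAMAccountName and userPrincipalName but, as in AD, no uid; passwords are placeholders). The function names (parse_cfg, search, bind, authenticate) and the outcome strings are this example's own. It shows why the page's `(uid=%s)` query finds zero records on AD, which OM then reports as a wrong username/password; that pointing ldap_search_query and ldap_user_attr_login at sAMAccountName (or userPrincipalName) resolves it; why one ldap_userdn_format cannot cover users spread over several OUs; and two things any such flow must do: escape the login before substituting it into the filter (RFC 4515) and refuse empty passwords, because an LDAP simple bind with an empty password is treated as anonymous and succeeds.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample config in the om_ldap key=value style quoted in the thread
# (the admin password is a placeholder; the search query is overridden in the checks).
SAMPLE_CFG = """
ldap_admin_dn=CN=openmeetings,CN=Users,DC=domain,DC=intern
ldap_passwd=PLACEHOLDER_ADMIN_PASSWORD
ldap_search_base=OU=myfirm,DC=domain,DC=intern
ldap_search_query=(uid=%s)
ldap_search_scopes=SUBTREE
ldap_auth_type=SEARCHANDBIND
ldap_userdn_format=uid=%s,OU=myfirm,DC=domain,DC=intern
ldap_use_admin_to_get_attrs=true
ldap_user_attr_login=uid
"""

# Constructed toy directory standing in for the AD: service account under CN=Users, the
# person under a sub-OU of OU=myfirm, and, as in AD, no entry carries a "uid" attribute.
DIRECTORY = [
    {"dn": "CN=openmeetings,CN=Users,DC=domain,DC=intern",
     "password": "PLACEHOLDER_ADMIN_PASSWORD", "attrs": {"sAMAccountName": "openmeetings"}},
    {"dn": "CN=Alex Example,OU=users,OU=myfirm,DC=domain,DC=intern",
     "password": "alex-secret",  # constructed
     "attrs": {"sAMAccountName": "alex", "userPrincipalName": "alex@domain.intern",
               "givenName": "Alex", "sn": "Example"}},
]

def parse_cfg(text: str) -> Dict[str, str]:
    """key=value lines, split on the first '=' so DN-valued settings keep their inner '='."""
    cfg: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            cfg[key.strip()] = value.strip()
    return cfg

def escape_filter(value: str) -> str:
    """RFC 4515 escaping for a user-supplied value substituted into a search filter."""
    return "".join(f"\\{ord(c):02x}" if c in "\\*()\x00" else c for c in value)

def unescape_filter(value: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def escape_dn_value(value: str) -> str:
    """Minimal RFC 4514 escaping for a value substituted into an RDN of ldap_userdn_format."""
    return re.sub(r'([,+"\\<>;=])', r"\\\1", value)

def bind(directory: List[dict], dn: str, password: str) -> bool:
    """Simple bind against the toy directory; DN comparison is case-insensitive like AD."""
    return any(e["dn"].lower() == dn.lower() and e["password"] == password for e in directory)

def search(directory: List[dict], base: str, scope: str, filt: str) -> List[dict]:
    """Toy search: a single (attr=value) equality filter, SUBTREE or ONELEVEL scope."""
    m = re.fullmatch(r"\((\w+)=(.*)\)", filt)
    if not m:
        raise ValueError("toy search supports only a single (attr=value) filter")
    attr, wanted = m.group(1).lower(), unescape_filter(m.group(2)).lower()
    base, hits = base.lower(), []
    for e in directory:
        dn = e["dn"].lower()
        subtree = dn == base or dn.endswith("," + base)
        in_scope = subtree if scope.upper() == "SUBTREE" else dn.partition(",")[2] == base
        attrs = {k.lower(): v for k, v in e["attrs"].items()}
        if in_scope and attrs.get(attr, "").lower() == wanted:
            hits.append(e)
    return hits

def authenticate(cfg: Dict[str, str], directory: List[dict], login: str,
                 password: str) -> Tuple[str, Optional[str]]:
    """Simulates the flow Maxim describes; returns (outcome, value for OM's 'login' field)."""
    if not password:
        # With an empty password an LDAP simple bind becomes an anonymous bind (RFC 4513
        # 5.1.2) and "succeeds" for any DN, so it must be refused before anything is sent.
        return ("empty-password-rejected", None)
    if cfg["ldap_auth_type"].upper() == "SIMPLEBIND":
        user_dn = cfg["ldap_userdn_format"].replace("%s", escape_dn_value(login))
        if not bind(directory, user_dn, password):
            return ("bind-failed", None)
    else:  # SEARCHANDBIND: bind as admin, find exactly one DN, then bind as that DN
        if not bind(directory, cfg["ldap_admin_dn"], cfg["ldap_passwd"]):
            return ("admin-bind-failed", None)
        query = cfg["ldap_search_query"].replace("%s", escape_filter(login))
        hits = search(directory, cfg["ldap_search_base"], cfg["ldap_search_scopes"], query)
        if len(hits) != 1:  # zero hits is what OM shows as "wrong username/password"
            return (f"search-found-{len(hits)}", None)
        user_dn = hits[0]["dn"]
        if not bind(directory, user_dn, password):
            return ("user-bind-failed", None)
    # Attributes are read as the admin if ldap_use_admin_to_get_attrs=true, else as the user.
    as_admin = cfg["ldap_use_admin_to_get_attrs"].lower() == "true"
    reader = (cfg["ldap_admin_dn"], cfg["ldap_passwd"]) if as_admin else (user_dn, password)
    if not bind(directory, *reader):
        return ("attr-bind-failed", None)
    entry = next(e for e in directory if e["dn"].lower() == user_dn.lower())
    attrs = {k.lower(): v for k, v in entry["attrs"].items()}
    return ("ok", attrs.get(cfg["ldap_user_attr_login"].lower()))
```

Run against the page's own settings, authenticate(parse_cfg(SAMPLE_CFG), DIRECTORY, "alex", "alex-secret") returns ("search-found-0", None); with ldap_search_query=(sAMAccountName=%s) and ldap_user_attr_login=sAMAccountName it returns ("ok", "alex"), and keeping ldap_user_attr_login=uid gives ("ok", None), i.e. a login that works but leaves OM's login field empty. Note that the quoted config also has ldap_conn_secure=false on port 389, so both the admin and the user bind passwords cross the network in the clear; LDAPS or StartTLS is the usual fix.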
