I've tried your hint and it works.
The question is: why do we have such a regression?
In the older version, it worked as defined in my first post and as
described in this article
https://developers.redhat.com/blog/2018/09/21/setup-ldap-auth-amq-console#

On Mon, 15 Nov 2021 at 17:52, Emmanuel Lécharny <elecha...@gmail.com>
wrote:

> Hi Meissa,
>
> I can confirm this is a bug in the Apache Directory server. The
> comparison of the RDN does not work properly when providing an RDN like
> "cn=Meissa Sakho+uid=msakho".
>
> The added entry has this normalized DN:
>
> 0.9.2342.19200300.100.1.1= msakho +2.5.4.3= meissa  sakho
> ,0.9.2342.19200300.100.1.25= example ,0.9.2342.19200300.100.1.25= com
>
> while the Bind DN is normalized this way:
>
> 2.5.4.3= meissa  sakho +0.9.2342.19200300.100.1.1= msakho
> ,0.9.2342.19200300.100.1.25= example ,0.9.2342.19200300.100.1.25= com
>
> As you can see, the two values are inverted (cn+uid in one case, and
> uid+cn in the other case). That should not be the case.
>
> This is the reason why it fails.
>
> Funny enough, if you tried to log in using "uid=msakho+cn=Meissa
> SAKHO,ou=users,dc=example,dc=com", it would work...
>
> On 15/11/2021 05:16, Emmanuel Lécharny wrote:
> > Hi,
> >
> > Still, the first LDAP entry (with cn: meissa sakho) should work, as CN
> > is case insensitive.
> >
> > I'll investigate.
> >
> > Thanks for the info!
> >
> > On 14/11/2021 18:57, Meissa Sakho wrote:
> >> I'm using the latest version:
> >>
> >> Version: 2.0.0.v20210717-M17
> >>
> >> I was able to make it work by changing this section:
> >>
> >> dn: cn=Meissa SAKHO+uid=msakho,ou=Users,dc=example,dc=com
> >> objectClass: organizationalPerson
> >> objectClass: person
> >> objectClass: inetOrgPerson
> >> objectClass: top
> >> cn: meissa sakho
> >> sn: sakho
> >> title: cn=Administrator,ou=Groups,dc=example,dc=com
> >> uid: msakho
> >> userpassword: meissa
> >>
> >> with this section:
> >>
> >> dn: cn=Meissa SAKHO,ou=Users,dc=example,dc=com
> >> objectclass: person
> >> objectclass: organizationalPerson
> >> objectclass: inetOrgPerson
> >> objectclass: top
> >> cn: Meissa SAKHO
> >> description: Capt. Meissa SAKHO, R.N
> >> givenname: Meissa
> >> sn: Sakho
> >> uid: msakho
> >> mail: msa...@redhat.com
> >> userpassword: meissa
> >>
> >>
> >> The difference between the two is in the cn.
> >>
> >> The first version worked once. I've borrowed it from this article[1]
> >> written by one of my colleagues.
> >>
> >> It seems like there are some differences.
> >>
> >>
> >> [1] https://developers.redhat.com/blog/2018/09/21/setup-ldap-auth-amq-console#
> >>
> >> On Sat, 13 Nov 2021 at 19:51, Emmanuel Lécharny <elecha...@gmail.com>
> >> wrote:
> >>
> >>     Thanks.
> >>
> >>     Will do a test with the data you've provided.
> >>
> >>     Which LDAP DS version are you using?
> >>
> >>     On 12/11/2021 08:55, Meissa Sakho wrote:
> >>      > Hi Emmanuel,
> >>      > below is the complete ldif and in bold the corresponding user whose
> >>      > password (uid=msakho, password=meissa) is in clear:
> >>      > version: 1
> >>      >
> >>      > dn: dc=example,dc=com
> >>      > objectclass: top
> >>      > objectclass: domain
> >>      > dc: example
> >>      >
> >>      > dn: ou=Groups,dc=example,dc=com
> >>      > objectClass: organizationalUnit
> >>      > objectClass: top
> >>      > ou: Groups
> >>      >
> >>      >
> >>      > dn: ou=Users,dc=example,dc=com
> >>      > objectClass: organizationalUnit
> >>      > objectClass: top
> >>      > ou: Users
> >>      >
> >>      >
> >>      > dn: cn=Administrator,ou=Groups,dc=example,dc=com
> >>      > objectClass: groupOfNames
> >>      > objectClass: top
> >>      > cn: Administrator
> >>      > member: cn=John+sn=Doe+uid=jdoe,ou=Users,dc=example,dc=com
> >>      > member: cn=Elvadas NONO,ou=Users,dc=example,dc=com
> >>      >
> >>      > dn: cn=AMQGroup,ou=Groups,dc=example,dc=com
> >>      > objectClass: groupOfNames
> >>      > objectClass: top
> >>      > cn: AMQGroup
> >>      > member: cn=Elvadas Nono+sn=WOGUIA+uid=nelvadas,ou=Users,dc=example,dc=com
> >>      > member: cn=John+sn=Doe+uid=jdoe,ou=Users,dc=example,dc=com
> >>      > member: cn=Meissa+sn=Sakho+uid=msakho,ou=Users,dc=example,dc=com
> >>      >
> >>      > dn: cn=John+sn=Doe+uid=jdoe,ou=Users,dc=example,dc=com
> >>      > objectClass: organizationalPerson
> >>      > objectClass: person
> >>      > objectClass: inetOrgPerson
> >>      > objectClass: top
> >>      > cn: John
> >>      > sn: Doe
> >>      > title: cn=Administrator,ou=Groups,dc=example,dc=com
> >>      > uid: jdoe
> >>      > userPassword: redhat
> >>      >
> >>      >
> >>      > dn: cn=Elvadas NONO+uid=enonowoguia,ou=Users,dc=example,dc=com
> >>      > objectClass: organizationalPerson
> >>      > objectClass: person
> >>      > objectClass: inetOrgPerson
> >>      > objectClass: top
> >>      > cn: elvadas nono
> >>      > sn: Woguia
> >>      > title: cn=Administrator,ou=Groups,dc=example,dc=com
> >>      > uid: enonowoguia
> >>      > userpassword:: e1NTSEF9dlMzVU95V1Bnek9JMUhreG5IV290My9jS0NxZWlGNmlDSlh1SEE9PQ==
> >>      >
> >>      > *dn: cn=Meissa SAKHO+uid=msakho,ou=Users,dc=example,dc=com
> >>      > objectClass: organizationalPerson
> >>      > objectClass: person
> >>      > objectClass: inetOrgPerson
> >>      > objectClass: top
> >>      > cn: meissa sakho
> >>      > sn: sakho
> >>      > title: cn=Administrator,ou=Groups,dc=example,dc=com
> >>      > uid: msakho
> >>      > userpassword: meissa
> >>      > *
> >>      > *
> >>      > *
> >>      > Thanks
> >>      >
> >>      > On Fri, 12 Nov 2021 at 04:03, Emmanuel Lécharny <elecha...@gmail.com>
> >>      > wrote:
> >>      >
> >>      >     Hi,
> >>      >
> >>      >     can you provide the entry associated with this user (with
> >>      >     the password redacted, of course)?
> >>      >
> >>      >     Thanks !
> >>      >
> >>      >     On 11/11/2021 18:53, Meissa Sakho wrote:
> >>      >      > Hello everyone,
> >>      >      > I'm trying to connect to my LDAP DS server from ActiveMQ.
> >>      >      > The connection setting is configured via a login.config
> >>      >      > file like below:
> >>      >      >
> >>      >      > activemq {
> >>      >      >     org.apache.activemq.artemis.spi.core.security.jaas.LDAPLoginModule required
> >>      >      >         debug=true
> >>      >      >         initialContextFactory=com.sun.jndi.ldap.LdapCtxFactory
> >>      >      >         connectionURL="ldap://localhost:10389"
> >>      >      >         connectionUsername="uid=admin,ou=system"
> >>      >      >         connectionPassword=secret
> >>      >      >         connectionProtocol=s
> >>      >      >         authentication=simple
> >>      >      >         userBase="ou=Users,dc=example,dc=com"
> >>      >      >         userSearchMatching="(uid={0})"
> >>      >      >         userSearchSubtree=true
> >>      >      >         roleBase="ou=Groups,dc=example,dc=com"
> >>      >      >         roleName=cn
> >>      >      >         roleSearchMatching="(member={0})"
> >>      >      >         roleSearchSubtree=false
> >>      >      >         reload=true
> >>      >      >     ;
> >>      >      > };
> >>      >      >
> >>      >      > I've imported a sample LDIF file and double checked that
> >>      >      > every user connection is correct.
> >>      >      > When I try to get connected via the ActiveMQ admin console, I'm
> >>      >      > getting a login failed error message because of a password that
> >>      >      > does not match.
> >>      >      >
> >>      >      > 2021-11-11 18:38:29,436 DEBUG [org.apache.activemq.artemis.spi.core.security.jaas.LDAPLoginModule] LDAP returned a relative name: cn=Meissa SAKHO+uid=msakho,ou=Users
> >>      >      >
> >>      >      > 2021-11-11 18:38:29,436 DEBUG [org.apache.activemq.artemis.spi.core.security.jaas.LDAPLoginModule] Using DN [cn=Meissa SAKHO+uid=msakho,ou=Users,dc=example,dc=com] for binding.
> >>      >      >
> >>      >      > 2021-11-11 18:38:29,436 DEBUG [org.apache.activemq.artemis.spi.core.security.jaas.LDAPLoginModule] Binding the user.
> >>      >      >
> >>      >      > 2021-11-11 18:38:29,438 DEBUG [org.apache.activemq.artemis.spi.core.security.jaas.LDAPLoginModule] Authentication failed for dn=cn=Meissa SAKHO+uid=msakho,ou=Users,dc=example,dc=com
> >>      >      >
> >>      >      > WARN  | qtp2029780820-35 | Login failed due to: Password does not match for user: msakh
> >>      >      >
> >>      >      > When I check the password test connection via the DS Studio, it
> >>      >      > works fine.
> >>      >      > I don't know what's wrong and where.
> >>      >      > Any idea?
> >>      >      >
> >>      >
> >>      >     --
> >>      >     *Emmanuel Lécharny - CTO* 205 Promenade des Anglais – 06200 NICE
> >>      >     T. +33 (0)4 89 97 36 50
> >>      >     P. +33 (0)6 08 33 32 61
> >>      >     emmanuel.lecha...@busit.com
> >>      >     https://www.busit.com/
> >>      >
> >>      >
> >>      >     ---------------------------------------------------------------------
> >>      >     To unsubscribe, e-mail: users-unsubscr...@directory.apache.org
> >>      >     For additional commands, e-mail: users-h...@directory.apache.org
> >>      >
> >>
> >>
> >
>
>
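The mismatch Emmanuel describes comes down to how a multi-valued RDN is canonicalised before the entry DN and the bind DN are compared: RFC 4514 treats the attribute/value assertions joined by `+` as an unordered set, so a normaliser has to impose a canonical order (for example, by attribute OID) rather than keep the order in which the RDN was typed. The Python below is added here as an illustration; it is not code from the thread or from the Apache Directory project. It implements such a normaliser and, with `order_independent=False`, the order-dependent comparison that produces the failure quoted above. The attribute-type to OID table, the use of caseIgnore-style normalisation (lowercase, collapsed whitespace) for every attribute, and the simplified handling of backslash escapes are assumptions of the example, not details taken from the server.

```python
"""Canonical comparison of LDAP DNs that contain multi-valued RDNs.

Added example, not code from the thread or from the Apache Directory project.
RFC 4514 defines a multi-valued RDN ("cn=X+uid=Y") as an unordered set of
attribute/value assertions (AVAs), so "cn=X+uid=Y" and "uid=Y+cn=X" name the
same entry. A normaliser that keeps the AVAs in the order they were typed
(the behaviour described in the thread) makes the two spellings compare
unequal, and a bind with the second spelling fails against an entry stored
with the first.

Assumptions (not from the thread): the small attribute-type -> OID table,
caseIgnore-style value normalisation for every attribute, and simplified
RFC 4514 escape handling (backslash followed by one character).
"""
import re

# Attribute types used in the thread, mapped to their standard OIDs (assumed table).
ATTRIBUTE_OIDS = {
    "cn": "2.5.4.3",
    "sn": "2.5.4.4",
    "ou": "2.5.4.11",
    "uid": "0.9.2342.19200300.100.1.1",
    "dc": "0.9.2342.19200300.100.1.25",
}


def split_unescaped(text, separator):
    """Split `text` on `separator`, ignoring separators escaped with a backslash."""
    parts, current, i = [], [], 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):
            current.append(text[i:i + 2])  # keep the escape pair for later unescaping
            i += 2
            continue
        if ch == separator:
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    parts.append("".join(current))
    return parts


def normalize_value(value):
    """caseIgnore-style normalisation: unescape, lowercase, collapse whitespace."""
    unescaped = re.sub(r"\\(.)", r"\1", value)
    return " ".join(unescaped.lower().split())


def normalize_rdn(rdn, order_independent=True):
    """Return an RDN as a tuple of (OID, normalised value) pairs.

    With order_independent=True the pairs are sorted by OID, so the RDN is
    compared as the set RFC 4514 says it is. With False the typed order is
    kept, which reproduces the mismatch shown in the thread.
    """
    avas = []
    for ava in split_unescaped(rdn, "+"):
        attr, sep, value = ava.partition("=")
        if not sep:
            raise ValueError(f"malformed AVA: {ava!r}")
        attr = attr.strip().lower()
        avas.append((ATTRIBUTE_OIDS.get(attr, attr), normalize_value(value)))
    return tuple(sorted(avas)) if order_independent else tuple(avas)


def normalize_dn(dn, order_independent=True):
    """Parse a DN into a tuple of normalised RDNs, leftmost (most specific) first."""
    return tuple(normalize_rdn(rdn, order_independent) for rdn in split_unescaped(dn, ","))


def dn_equal(left, right, order_independent=True):
    """Compare two DN strings after normalisation."""
    return normalize_dn(left, order_independent) == normalize_dn(right, order_independent)


# The two spellings from the thread (constructed from the quoted messages).
ENTRY_DN = "cn=Meissa SAKHO+uid=msakho,ou=Users,dc=example,dc=com"
BIND_DN = "uid=msakho+cn=Meissa SAKHO,ou=Users,dc=example,dc=com"

if __name__ == "__main__":
    print("order kept as typed :", dn_equal(ENTRY_DN, BIND_DN, order_independent=False))
    print("canonical (sorted)  :", dn_equal(ENTRY_DN, BIND_DN))
```

Run as a script it prints False for the as-typed comparison and True for the canonical one. Sorting the AVAs by a fixed key is the essential step: lowercasing alone, which is what lets `cn: meissa sakho` match `cn=Meissa SAKHO`, does nothing for two RDNs whose AVAs are in a different order.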
