I've tried your hint and it works. The question is: Why do we have such regression? In the older version, it worked as defined in my first post and as described in this article https://developers.redhat.com/blog/2018/09/21/setup-ldap-auth-amq-console#
Le lun. 15 nov. 2021 à 17:52, Emmanuel Lécharny <elecha...@gmail.com> a écrit : > Hi Meissa, > > I can confirm this is a buig the the Apache Directory server. the > comparison of the RDN does not work properly when providing a RDN like > "cn=Meissa Sakho+uid=msakho". > > The added entry has this normalized DN: > > 0.9.2342.19200300.100.1.1= msakho +2.5.4.3= meissa sakho > ,0.9.2342.19200300.100.1.25= example ,0.9.2342.19200300.100.1.25= com > > while the Bind dn is normalized this way : > > 2.5.4.3= meissa sakho +0.9.2342.19200300.100.1.1= msakho > ,0.9.2342.19200300.100.1.25= example ,0.9.2342.19200300.100.1.25= com > > As you can see, the two values are inverted (cn+uid in one case, and > uid+cn in the other case). That should not be the case. > > This is the rreason why it fails. > > Funny enough, would you try to login using "uid=msakho+cn=Meissa > SAKHO,ou=users,dc=example,dc=com", it would work... > > On 15/11/2021 05:16, Emmanuel Lécharny wrote: > > Hi, > > > > Still, the first LDAP entry (with cn: meissa sakho) should work, as CN > > is case insensitive. > > > > I'll investigate. > > > > Thanks for the inffo ! > > > > On 14/11/2021 18:57, Meissa Sakho wrote: > >> I'm using the latest version: > >> > >> Version: 2.0.0.v20210717-M17 > >> > >> I was able to make it work by changing this section: > >> > >> *dn: cn=Meissa SAKHO+uid=msakho,ou=Users,dc=example,dc=com > >> objectClass: organizationalPerson > >> objectClass: person > >> objectClass: inetOrgPerson > >> objectClass: top > >> cn: meissa sakho > >> sn: sakho > >> title: cn=Administrator,ou=Groups,dc=example,dc=com > >> uid: msakho > >> userpassword: meissa* > >> > >> * > >> * > >> > >> *with this section:* > >> > >> dn: cn=Meissa SAKHO,ou=Users,dc=example,dc=com > >> objectclass: person > >> objectclass: organizationalPerson > >> objectclass: inetOrgPerson > >> objectclass: top > >> cn: Meissa SAKHO > >> description: Capt. Meissa SAKHO, R.N > >> givenname: Meissa > >> sn: Sakho > >> uid: msakho > >> mail: msa...@redhat.com <mailto:msa...@redhat.com> > >> userpassword: meissa* > >> * > >> > >> > >> The difference between the two is in the cn. > >> > >> The first version worked once. I've borrowed it from this article[1] > >> written by one of my colleagues. > >> > >> It seems like there are some differences. > >> > >> > >> [1]= > https://developers.redhat.com/blog/2018/09/21/setup-ldap-auth-amq-console# > >> < > https://developers.redhat.com/blog/2018/09/21/setup-ldap-auth-amq-console#> > > >> > >> > >> > >> > >> > >> Le sam. 13 nov. 2021 à 19:51, Emmanuel Lécharny <elecha...@gmail.com > >> <mailto:elecha...@gmail.com>> a écrit : > >> > >> Thanks. > >> > >> Will do a test with the data you've provided. > >> > >> Which is the LDAP DS version you are using ? > >> > >> On 12/11/2021 08:55, Meissa Sakho wrote: > >> > Hi Emmanuel, > >> > below is the complete ldif and in bold the corresponding user > >> whose > >> > password (uid=msakho, password=meissa) is in clear: > >> > version: 1 > >> > > >> > dn: dc=example,dc=com > >> > objectclass: top > >> > objectclass: domain > >> > dc: example > >> > > >> > dn: ou=Groups,dc=example,dc=com > >> > objectClass: organizationalUnit > >> > objectClass: top > >> > ou: Groups > >> > > >> > > >> > dn: ou=Users,dc=example,dc=com > >> > objectClass: organizationalUnit > >> > objectClass: top > >> > ou: Users > >> > > >> > > >> > dn: cn=Administrator,ou=Groups,dc=example,dc=com > >> > objectClass: groupOfNames > >> > objectClass: top > >> > cn: Administrator > >> > member: cn=John+sn=Doe+uid=jdoe,ou=Users,dc=example,dc=com > >> > member: cn=Elvadas NONO,ou=Users,dc=example,dc=com > >> > > >> > dn: cn=AMQGroup,ou=Groups,dc=example,dc=com > >> > objectClass: groupOfNames > >> > objectClass: top > >> > cn: AMQGroup > >> > member: cn=Elvadas > >> Nono+sn=WOGUIA+uid=nelvadas,ou=Users,dc=example,dc=com > >> > member: cn=John+sn=Doe+uid=jdoe,ou=Users,dc=example,dc=com > >> > member: cn=Meissa+sn=Sakho+uid=msakho,ou=Users,dc=example,dc=com > >> > > >> > dn: cn=John+sn=Doe+uid=jdoe,ou=Users,dc=example,dc=com > >> > objectClass: organizationalPerson > >> > objectClass: person > >> > objectClass: inetOrgPerson > >> > objectClass: top > >> > cn: John > >> > sn: Doe > >> > title: cn=Administrator,ou=Groups,dc=example,dc=com > >> > uid: jdoe > >> > userPassword: redhat > >> > > >> > > >> > dn: cn=Elvadas NONO+uid=enonowoguia,ou=Users,dc=example,dc=com > >> > objectClass: organizationalPerson > >> > objectClass: person > >> > objectClass: inetOrgPerson > >> > objectClass: top > >> > cn: elvadas nono > >> > sn: Woguia > >> > title: cn=Administrator,ou=Groups,dc=example,dc=com > >> > uid: enonowoguia > >> > userpassword:: > >> e1NTSEF9dlMzVU95V1Bnek9JMUhreG5IV290My9jS0NxZWlGNmlDSlh1SEE9P > >> > Q== > >> > > >> > *dn: cn=Meissa SAKHO+uid=msakho,ou=Users,dc=example,dc=com > >> > objectClass: organizationalPerson > >> > objectClass: person > >> > objectClass: inetOrgPerson > >> > objectClass: top > >> > cn: meissa sakho > >> > sn: sakho > >> > title: cn=Administrator,ou=Groups,dc=example,dc=com > >> > uid: msakho > >> > userpassword: meissa > >> > * > >> > * > >> > * > >> > Thanks > >> > > >> > Le ven. 12 nov. 2021 à 04:03, Emmanuel Lécharny > >> <elecha...@gmail.com <mailto:elecha...@gmail.com> > >> > <mailto:elecha...@gmail.com <mailto:elecha...@gmail.com>>> a > >> écrit : > >> > > >> > Hi, > >> > > >> > can you provide the entry associated to this user (with > >> password > >> > redacted, of course)? > >> > > >> > Thanks ! > >> > > >> > On 11/11/2021 18:53, Meissa Sakho wrote: > >> > > Hello everyone, > >> > > I'm trying to connect to my Ldap DS server from ActiveMq . > >> > > The connection setting is configured via a login.config > >> file like > >> > below: > >> > > activemq { > >> > > > >> > > > >> org.apache.activemq.artemis.spi.core.security.jaas.LDAPLoginModule > >> > > required > >> > > debug=true > >> > > > >> initialContextFactory=com.sun.jndi.ldap.LdapCtxFactory > >> > > connectionURL="ldap://localhost:10389"; > >> > > connectionUsername="uid=admin,ou=system" > >> > > connectionPassword=secret > >> > > connectionProtocol=s > >> > > authentication=simple > >> > > userBase="ou=Users,dc=example,dc=com" > >> > > userSearchMatching="(uid={0})" > >> > > userSearchSubtree=true > >> > > roleBase="ou=Groups,dc=example,dc=com" > >> > > roleName=cn > >> > > roleSearchMatching="(member={0})" > >> > > roleSearchSubtree=false > >> > > reload=true > >> > > ; > >> > > > >> > > }; > >> > > I've imported a sample ldiff file and double checked that > >> every user > >> > > connection is correct. > >> > > When I try to get connected via the ActiveMq admin > >> console, I'm > >> > getting a > >> > > login failed error message because of a password that does > >> not match. > >> > > > >> > > 2021-11-11 18:38:29,436 DEBUG > >> > > > >> > > >> [org.apache.activemq.artemis.spi.core.security.jaas.LDAPLoginModule] > >> > LDAP > >> > > returned a relative name: cn=Meissa > >> SAKHO+uid=msakho,ou=Users > >> > > > >> > > 2021-11-11 18:38:29,436 DEBUG > >> > > > >> > > >> [org.apache.activemq.artemis.spi.core.security.jaas.LDAPLoginModule] > >> > Using > >> > > DN [cn=Meissa > >> SAKHO+uid=msakho,ou=Users,dc=example,dc=com] for > >> > binding. > >> > > > >> > > 2021-11-11 18:38:29,436 DEBUG > >> > > > >> [org.apache.activemq.artemis.spi.core.security.jaas.LDAPLoginModule] > >> > > Binding the user. > >> > > > >> > > 2021-11-11 18:38:29,438 DEBUG > >> > > > >> [org.apache.activemq.artemis.spi.core.security.jaas.LDAPLoginModule] > >> > > Authentication failed for dn=cn=Meissa > >> > > SAKHO+uid=msakho,ou=Users,dc=example,dc=com > >> > > > >> > > WARN | qtp2029780820-35 | Login failed due to: Password > >> does not > >> > match for > >> > > user: msakh > >> > > When I check the password test connection via the DS > >> Studio, it > >> > works fine. > >> > > I don't know what's wrong and where. > >> > > Any idea? > >> > > > >> > > >> > -- > >> > *Emmanuel Lécharny - CTO* 205 Promenade des Anglais – 06200 > >> NICE > >> > T. +33 (0)4 89 97 36 50 > >> > P. +33 (0)6 08 33 32 61 > >> > emmanuel.lecha...@busit.com <mailto:emmanuel.lecha...@busit.com> > >> <mailto:emmanuel.lecha...@busit.com > >> <mailto:emmanuel.lecha...@busit.com>> > >> > https://www.busit.com/ <https://www.busit.com/> > >> <https://www.busit.com/ <https://www.busit.com/>> > >> > > >> > > >> --------------------------------------------------------------------- > >> > To unsubscribe, e-mail: > >> users-unsubscr...@directory.apache.org > >> <mailto:users-unsubscr...@directory.apache.org> > >> > <mailto:users-unsubscr...@directory.apache.org > >> <mailto:users-unsubscr...@directory.apache.org>> > >> > For additional commands, e-mail: > >> users-h...@directory.apache.org > >> <mailto:users-h...@directory.apache.org> > >> > <mailto:users-h...@directory.apache.org > >> <mailto:users-h...@directory.apache.org>> > >> > > >> > >> -- *Emmanuel Lécharny - CTO* 205 Promenade des Anglais – 06200 > >> NICE > >> T. +33 (0)4 89 97 36 50 > >> P. +33 (0)6 08 33 32 61 > >> emmanuel.lecha...@busit.com <mailto:emmanuel.lecha...@busit.com> > >> https://www.busit.com/ <https://www.busit.com/> > >> > > > > -- > *Emmanuel Lécharny - CTO* 205 Promenade des Anglais – 06200 NICE > T. +33 (0)4 89 97 36 50 > P. +33 (0)6 08 33 32 61 > emmanuel.lecha...@busit.com https://www.busit.com/ >
