Active Directory LDAP Issues #348
Comments
Yes, we've seen errors like this in MS AD environments. Some AD servers need a bind() with valid credentials before they allow queries of the AD DB. Please try settings like this:
Sometimes this syntax works for authentication: Please report back if this works for you.
One more thing: I see you have not set an "inactive user" setting... Please ask your LDAP admin and consider something like: Otherwise users switched to inactive in LDAP will be able to login to 4Minitz.
Nope, this didn't seem to do anything. Does it matter what the format is? Based on the sample config it looks different than you have described (neither has worked).
I am happy to star you guys; I am really excited to get this going.
I have been doing a bit of wiresharking and it looks like Active Directory accepts a bind like this: But depending on your setup what is being sent by 4minitz is: Without being able to specify that the suffix is @workplace.local, I think AD will not work till something is changed. I am happy to do testing; currently I am using the docker version so I'm not sure how I would make code changes though.
Thanks for checking @derwok 's suggestion. Let me take a look and I'll get back to you when I find something.
@terryb8s I just pushed a potential fix for this issue (19792c8). @derwok will build a new docker image with a specific tag for you to check out. This fix introduces a new ldap setting, that enables the use of a user's email address. This assumes that The new setting is called
@migerh I had a look, and it's not the mail attribute it's using; it appears to be userPrincipalName. For example: Thanks for the quick response to all this.
Hi,
Then inside the settings.json
See his branch commit for details: 19792c8 Please report back if this goes into the right direction?
@derwok unfortunately, the patch in the new image is not sufficient.
@terryb8s thanks for the update, I'll have another look.
On Sun, 8 Oct 2017, 21:52, Wolfram Esser <notifications@github.com> wrote:
Hi,
please try the docker image with the tag ldap-email-348 (long line! keep scrolling!):
docker run -it --rm -v $(pwd)/4minitz_storage:/4minitz_storage -p 3100:3333 4minitz/4minitz:ldap-email-348
Then inside the settings.json ldap section use Michael's new setting:
ldap: {
    // ... blabla
    "bindWith": "mail",
    "authentication": {
        "userDn": "***@***.***",
        "password": "XXX"
    }
}
See his branch commit for details: 19792c8
Please report back if this goes into the right direction?
It seems LDAP leaves quite some room for interpretation - we see different behaviour all over the place...
I'm sorry for the delay, @terryb8s. We now have a new docker image available; you can pull it with the ldap-email-348 label: The ldap
I must be missing something here, but I have no idea how to run importUsers.js; there is no ./private so I'm not sure where it's supposed to run from.
Yeah, I'm really confused, sorry; it doesn't seem to work. The authentication method has the username and password, and my wireshark doesn't show any form of authentication happening. Exception while invoking method 'login' TypeError: Cannot read property 'profile' of undefined bindWith is set to userPrincipalName like you suggest.
Is it possible to just have it so I can set the userDn to ldap@workplace.local and have it send that somehow? Would it then use that to auth users or try and construct the userPrincipalName itself? e.g. user@workplace.local?
I can clarify on the importUsers.js:
1.) Good news: to just check the LDAP config it is not necessary to import LDAP users. Simply try to log in with a valid LDAP account. If the bind succeeds, then 4minitz will create an internal user account (only name & long name, no password - this will be checked against LDAP). We need this local 4minitz account to store e.g. user roles/access rights and settings.
2.) The importUsers script has the purpose of importing all(!) LDAP users (at least those that survive your configured LDAP search filter in settings.json) into 4minitz. The advantage of doing so on a production server is that 4minitz users can assign action item responsibles and invite other users to meetings very easily with a "TypeAhead" / "Name Completion" user interface once 4minitz knows all users.
3.) Unfortunately we never tested how/if importUsers works in a docker deployment (we run some instances without docker). And the sad news is: currently it does not work. I have opened a second issue for that and will take care of this: #359 - but this is currently not your problem.
So, basically you are still stuck with step #1. And I would hope that @migerh can further help you there.
1.) This is not correct. With
Oh! I see. Then I have to fix #359 first. |
Hi, yes - the docker image is available. Sorry, I forgot to comment here. So, @terryb8s please perform
And make sure the new image is downloaded from docker hub. If not (or in doubt), this image label should work also: The new image will not overwrite, but use your existing settings.json. Make sure you insert the new setting Line 158 in b52bb85
Some "background info" for the new setting:
So, to support scenario #2 for docker deployment, we introduced the above new setting. So, when LDAP is "enabled" and So, please give the new image a try.
@derwok I should be thanking you for working on this problem; I appreciate it. So this is the result, good and bad. Success with the importOnLaunch setting, but only when set up like this; users are imported.
Which results in this in wireshark
The problem with this is that neither sAMAccountName nor userPrincipalName works in the bindWith setting, and the user DN I am using is the only workaround I could think of, as otherwise the result is like this in wireshark. With sAMAccountName: With userPrincipalName: sAMAccountName is incorrect I think, as it should be more like this, which is an attempt from a bug tracker project called Mantis
Which I think works, as opposed to userPrincipalName, because it's the full path to the user in AD. Mantis appears to do a search for the user first using the bindWith user, then when it finds a matching result it uses it to do a bind. I get the feeling that in the end if you had a setting like "domainSufix": "workplace.local", then you could create the bind string required using sAMAccountName@domainSufix, which Active Directory appears to accept. Hope this all makes sense; it's late here,
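The two bind strategies described in the comment above, as an added example that is not 4minitz code: building a UPN from a hypothetical domainSuffix setting, or the Mantis-style search for the account's DN with an injected search function (here a constructed in-memory directory standing in for an ldapjs search).

```javascript
// Added example, not 4minitz code: deriving the identity Active Directory
// accepts in a simple bind. The attribute names alone ("sAMAccountName",
// "userPrincipalName") are rejected; AD wants a UPN ("user@workplace.local")
// or the account's full DN. Strategy 1 builds the UPN from a hypothetical
// `domainSuffix` setting (the thread's "domainSufix" idea); strategy 2 does
// what Mantis does: search for the account first, then bind with its DN.

// Conservative whitelist: keeps usernames out of LDAP filter syntax and the
// UPN. Widen it (with proper filter escaping) if your accounts use spaces.
const SAM_NAME = /^[A-Za-z0-9._-]+$/;
const UPN_NAME = /^[A-Za-z0-9._-]+@[A-Za-z0-9.-]+$/;

function buildUpn(username, settings) {
  if (UPN_NAME.test(username)) return username;         // already a UPN
  if (!SAM_NAME.test(username)) {
    throw new Error('username contains characters not allowed in a bind name');
  }
  if (settings.domainSuffix) return `${username}@${settings.domainSuffix}`;
  return null;                      // no suffix configured: need a DN lookup
}

// Constructed stand-in for the AD search; a real deployment would wrap an
// ldapjs search under the configured searchDn with an (sAMAccountName=...)
// filter, run under the service bind user from settings.authentication.
const FAKE_DIRECTORY = [
  { dn: 'CN=Terry Example,OU=Staff,DC=workplace,DC=local', sAMAccountName: 'terryb' },
  { dn: 'CN=Felix Example,OU=Staff,DC=workplace,DC=local', sAMAccountName: 'felixm' },
];

function searchByAccountName(name, directory = FAKE_DIRECTORY) {
  return directory.filter(e => e.sAMAccountName.toLowerCase() === name.toLowerCase());
}

// Returns the name to bind with: a UPN when one can be formed, otherwise the
// DN found by the search. Empty or ambiguous results are refused so that a
// mis-scoped search filter cannot silently bind as the wrong account.
function resolveBindName(username, settings, search = searchByAccountName) {
  const upn = buildUpn(username, settings);
  if (upn) return upn;
  const hits = search(username);
  if (hits.length === 0) throw new Error(`no account with sAMAccountName ${username}`);
  if (hits.length > 1) throw new Error(`ambiguous search result for ${username}`);
  return hits[0].dn;
}
```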
I don't get past the "Exception while invoking method 'login' TypeError: Cannot read property 'profile' of undefined" error. What did I miss?
@terryb8s
This is what @bmachek Can you please elaborate? E.g. with your (redacted if necessary) ldap settings? But please do so in a separate issue? It gets hard quickly if we try to discuss two possibly independent problems in the same issue. Thanks!
sorry for the confusion, it's working now... helps to edit the configuration file not the backup copy :)
Ok, now I'm confused. I just tried to set this up, knowing that I won't be authenticated by the test ldap server. But I already get an exception on the client side with ldapjs complaining about "InvalidDnSyntax". Apparently, ldapjs does not support using e.g.
Hi @migerh, I have done some more work on this and have got it going, thank you so much! These are the settings I used for Active Directory; "username": "sAMAccountName" and the "userDn": "..." are the important parts that made it work.
I notice you can't have importcrontab along with an importonlaunch? Is there a reason for this? It would be good to have it update as users are added rather than having to restart to populate every time, or is importonlaunch intended for initial population, then change to importcrontab from there? Also it appears I can't add more than one searchfilter, otherwise it complains about incorrect use of parentheses; maybe I just don't understand the syntax for this?
Do you need anything more from me? I think I am happy for this to be closed otherwise?
No, I think we're done here. Thanks again for checking this and being persistent. I'll open up separate issues about the
Reopened because a merge was requested in #385. We first need to check if a merge is necessary or if the config above works with what is already present on our develop branch. |
I finally had the time to check if there is anything we need on our feature branch for this issue. @derwok Can you please create a new docker image of that branch? Then @terryb8s can check if it still works, even without the
The docker image is published as If everything is OK on your end, then we can merge the branch to develop. We are currently collecting the stuff that goes into the next master release 1.1.
Hi Guys, I moved to the dev version when @migerh mentioned that we need to check if a merge is necessary, and he was correct in thinking this as everything seems to be working. I have tested the 4minitz/4minitz:gitcommit-5d6fd3f4 image though and this doesn't work. SyntaxError: Unexpected token {
Ah, alright. The only difference between develop and this branch is the "importOnLaunch" LDAP setting. So if you already moved to the develop branch it should be fine. I'll take a look at the image @derwok created of this branch but my guess is something unrelated went wrong during build or image creation. Thanks again for your help and your patience!
Hi there, I am also trying to hook up 4minitz with our corporate Active Directory. But so far I am stuck with the following error messages in the log {"dn":"","code":49,"name":"InvalidCredentialsError","message":"80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v2580\u0000"} I am using the docker image from the development branch (4minitz/4minitz:develop) and have the ldap section of the config json set up as follows:
I also tried to set the userDn to I am sure that the bind credentials are correct, since I tested them with JXplorer. Any idea what is going wrong or what I have to do differently? Thanks for your support,
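An added example, not code from 4minitz or ldapjs, for reading the error object quoted in the comment above: the LDAP result code 49 only says the bind was rejected, while the "data NNN" sub-code in AD's diagnostic message says why, which is what a defender wants before changing bind names or passwords.

```javascript
// Added example, not 4minitz code: decoding the AD bind failure that ldapjs
// surfaces as InvalidCredentialsError (LDAP result code 49). AD's diagnostic
// message carries the actual reason as a hex sub-code after "data".
const AD_BIND_SUBCODES = {
  '525': 'user not found',
  '52e': 'logon failure: wrong password, or a bind name AD could not map to an account',
  '530': 'not permitted to log on at this time',
  '531': 'not permitted to log on at this workstation',
  '532': 'password expired',
  '533': 'account disabled',
  '701': 'account expired',
  '773': 'user must reset password',
  '775': 'account locked out',
};

// The log line quoted in this thread; the trailing \u0000 is part of AD's message.
const SAMPLE_LOG_LINE = '{"dn":"","code":49,"name":"InvalidCredentialsError",'
  + '"message":"80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v2580\\u0000"}';

// Returns null for lines that are not an ldapjs error object; otherwise the
// LDAP code, the AD sub-code (if any) and a human-readable reason.
function decodeAdBindError(logLine) {
  let err;
  try { err = JSON.parse(logLine); } catch (e) { return null; }
  if (typeof err !== 'object' || err === null || err.code !== 49) {
    return { code: err && err.code, name: err && err.name, subcode: null,
             reason: 'not an LDAP invalidCredentials (49) result' };
  }
  const msg = String(err.message || '').replace(/\0/g, '');   // drop AD's NUL terminator
  const m = /AcceptSecurityContext error, data ([0-9a-f]+)/i.exec(msg);
  const subcode = m ? m[1].toLowerCase() : null;
  const reason = subcode
    ? (AD_BIND_SUBCODES[subcode] || `unknown AD sub-code ${subcode}`)
    : 'no AD sub-code in message';
  return { code: 49, name: err.name, subcode, reason };
}
```

A 52e on the service bind, as in the thread, points at the userDn format or its password rather than at the searched user, because it is AD rejecting the bind itself.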
Hi Felix, first thing I see: there is a leading space in your userDn config. It should not make problems - but maybe your server is picky? Then some quick suggestions:
So maybe you give this a shot? If this does not work - is there a possibility to talk to an admin (if you are not the admin) and get access to some AD/LDAP server logs to gather more information about what goes wrong - so e.g. bind with your JXplorer, then with 4Minitz, and find the differences? Last, could you state what exact AD/LDAP server (brand name, incl. version) you are using in your company?
Hi Wolfram, thanks for your feedback. I tried all the different options that you mentioned but so far none of them solved the problem. I also got access to the log files of our Active Directory but this did not really help a lot. The binds from 4Minitz do not generate any events in there. This is a pattern that I observe from other systems if they try to bind with an unknown user. In these cases the logs do not record any events. This is different for bind attempts with an existing user but a wrong password. In this case two events are logged (4776, 4625). So I guess it really is a problem with specifying the binding user in a format that works for our Active Directory. We use a Microsoft Windows Server 2012. Any further suggestions? Thanks a lot for your support,
...or is there a way to get more detailed logs from 4minitz?
Thanks
According to this wiki,
I just realized I forgot the link to the wiki: If you search for
I'm closing this issue because we already have two issues that are discussed in here. @felixmw if you still have problems connecting 4minitz to LDAP please open a new issue.
Maybe it's just me, but at the moment I feel like I have tried everything.
Is it possible to get 4minitz working with Active Directory LDAP? At the moment all I receive is "Login error Invalid credentials [403]"
the logs say something along the lines of:
{"dn":"","code":49,"name":"InvalidCredentialsError","message":"80090308: LdapErr: DSID-0C0903D3, comment: AcceptSecurityContext error, data 52e, v3839\u0000"}
Current cut down ldap settings.