Login ldapActiveDirectory Not Working #4

Closed
murattdogan opened this issue Jun 18, 2018 · 9 comments
Labels: help wanted (Extra attention is needed), question (Further information is requested)

Comments

murattdogan (Author) commented Jun 18, 2018

[screenshot]

"ldapActiveDirectory": {
// Active directory
"url": "LDAP://79.123.184.30",
"port": 389,
"ssl": false,
"bindDn": "DC=hitit,DC=edu,DC=tr",
"bindCredentials": "******",
"searchBase": "CN=Users,DC=hitit,DC=edu,DC=tr",
// "searchFilter": "(&(objectClass=user)(objectClass=person)(sAMAccountName={0}))",
"searchFilter": "(&(objectClass=user)(SAMAccountName={0}))",
// Example: If you use a redis instead of in-memory
//"redis": "localhost:32771,ssl=false"
}

Nordes (Owner) commented Jun 18, 2018

From memory, you don't need to specify LDAP:// in the URL. Only the IP address will be fine.

i.e.:

"ldapActiveDirectory": {
// Active directory
"url": "79.123.184.30",
"port": 389,
"ssl": false,
"bindDn": "DC=hitit,DC=edu,DC=tr",
"bindCredentials": "******",
"searchBase": "CN=Users,DC=hitit,DC=edu,DC=tr",
// "searchFilter": "(&(objectClass=user)(objectClass=person)(sAMAccountName={0}))",
"searchFilter": "(&(objectClass=user)(SAMAccountName={0}))",
// Example: If you use a redis instead of in-memory
//"redis": "localhost:32771,ssl=false"
}

@Nordes Nordes self-assigned this Jun 18, 2018
@Nordes Nordes added help wanted Extra attention is needed question Further information is requested labels Jun 18, 2018
murattdogan (Author) commented

Can we look at it with remote connectivity? Even though it was not

murattdogan (Author) commented

[screenshot]

Nordes (Owner) commented Jun 18, 2018

I will try to reproduce locally. I don't have much time recently, but I'll do it as fast as I can. However, it seems your U/P are wrong.

Are you using Active Directory, or are you using OpenLDAP?

murattdogan (Author) commented

Active Directory

murattdogan (Author) commented

services.AddIdentityServer()
.AddDeveloperSigningCredential()
////.AddSigningCredential(...) // Strongly recommended, if you want something more secure than developer signing (Read The Manual since it's highly recommended)
.AddInMemoryIdentityResources(InMemoryInitConfig.GetIdentityResources())
.AddInMemoryApiResources(InMemoryInitConfig.GetApiResources())
.AddInMemoryClients(InMemoryInitConfig.GetClients())
.AddLdapUsers(Configuration.GetSection("ldapActiveDirectory"), UserStore.InMemory);

murattdogan (Author) commented

Hi,
Test Active Directory ?? login

murattdogan (Author) commented

Hi Nordes,
Test Active Directory ?? login

Nordes (Owner) commented Jul 2, 2018

For me it works with a configuration like the following:

{
  "ldap": {
    "url": "150.17.40.40",
    "bindDn": "CN=ReadOnlyUserInAD,CN=users,DC=dev-svr,DC=local",
    "bindCredentials": "×××××××",
    "searchBase": "cn=users,DC=dev-svr,DC=local",
    "searchFilter": "(&(objectClass=user)(objectClass=person)(sAMAccountName={0}))",
    "redis": "localhost:32778,ssl=false",
    // We keep the user data for about 10 minutes (Is that good?)
    "refreshClaimsInSeconds": 600
  },
  "ConnectionStrings": {
    "DefaultConnection": "server=localhost\\sqlexpress;database=eftest;trusted_connection=yes;MultipleActiveResultSets=true"
  }
}

I think that your issue is the bindDn, which is supposed to be a user who has read-only (or also write) access in the LDAP. That account is used to validate that the username exists before doing an authentication under the connecting account.

This is mainly because if in the future we want to have an "add user" feature, we could do it using the same connector. The users could be used within an auto-complete, for example.
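The two-step logon Nordes describes (bind with a read-capable service account, look the username up with searchFilter, then bind as the resolved DN with the user's own password), modelled offline. This is an added example, not the extension's code and not anything posted in the thread: the in-memory DIRECTORY, the sample accounts and passwords, the GOOD_CFG/BAD_CFG dictionaries (copied from the two configs above, with the service password assumed) and the checks in check_config are all constructed assumptions. It also shows two things a practitioner would want to confirm against the real extension: that the value substituted into {0} is RFC 4515-escaped (an unescaped `*` turns the equality filter into a wildcard match), and that an empty password is never accepted as a user bind.

```python
"""Two-step LDAP logon (service bind -> user search -> user bind), modelled
offline. Added example, not the extension's code: a constructed in-memory
directory stands in for Active Directory so it runs without a server."""
import re

# Constructed sample directory: DN -> attributes. Not real accounts.
DIRECTORY = {
    "CN=ReadOnlyUserInAD,CN=users,DC=dev-svr,DC=local": {
        "objectClass": ["top", "person", "user"],
        "sAMAccountName": "svc-ldap-ro", "password": "service-secret"},
    "CN=Alice Example,CN=users,DC=dev-svr,DC=local": {
        "objectClass": ["top", "person", "user"],
        "sAMAccountName": "alice", "password": "alice-pw"},
}

# The working config from the thread (password assumed) and the failing one.
GOOD_CFG = {
    "url": "150.17.40.40",
    "bindDn": "CN=ReadOnlyUserInAD,CN=users,DC=dev-svr,DC=local",
    "bindCredentials": "service-secret",
    "searchBase": "cn=users,DC=dev-svr,DC=local",
    "searchFilter": "(&(objectClass=user)(objectClass=person)(sAMAccountName={0}))",
}
BAD_CFG = {
    "url": "LDAP://79.123.184.30", "port": 389, "ssl": False,
    "bindDn": "DC=hitit,DC=edu,DC=tr", "bindCredentials": "******",
    "searchBase": "CN=Users,DC=hitit,DC=edu,DC=tr",
    "searchFilter": "(&(objectClass=user)(SAMAccountName={0}))",
}

def check_config(cfg):
    """Static checks (assumed, not the extension's) matching Nordes's diagnosis."""
    problems = []
    if re.match(r"(?i)ldaps?://", cfg.get("url", "")):
        problems.append("url: drop the LDAP:// prefix, use the host or IP only")
    first_rdn = cfg.get("bindDn", "").split(",", 1)[0].strip().upper()
    if not first_rdn or first_rdn.startswith("DC="):
        problems.append("bindDn: must be a read-capable user DN, not the domain DN")
    if "{0}" not in cfg.get("searchFilter", ""):
        problems.append("searchFilter: missing the {0} username placeholder")
    if cfg.get("ssl") is False:
        problems.append("ssl=false: simple binds send passwords in clear text")
    return problems

def escape_filter_value(value):
    """RFC 4515 escaping for a value substituted into the {0} placeholder."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def _unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def simple_bind(dn, password):
    """Stub simple bind. An empty password is an unauthenticated bind in real
    LDAP (RFC 4513 5.1.2), so it must never count as a successful logon."""
    entry = DIRECTORY.get(dn)
    return bool(password) and entry is not None and entry["password"] == password

def ldap_search(base, flt):
    """Stub search for AND-of-equality filters. Attribute names compare
    case-insensitively, as in LDAP (so SAMAccountName == sAMAccountName), and
    an unescaped '*' acts as a substring wildcard, as a real server would."""
    terms = re.findall(r"\(([A-Za-z]+)=([^)]*)\)", flt)
    hits = []
    for dn, attrs in DIRECTORY.items():
        if not dn.upper().endswith(base.upper()):
            continue
        lowered = {k.lower(): (v if isinstance(v, list) else [v]) for k, v in attrs.items()}
        for attr, raw in terms:
            values = lowered.get(attr.lower(), [])
            if "*" in raw:
                pat = ".*".join(re.escape(_unescape(p)) for p in raw.split("*"))
                ok = any(re.fullmatch(pat, v, re.I) for v in values)
            else:
                ok = any(v.lower() == _unescape(raw).lower() for v in values)
            if not ok:
                break
        else:
            hits.append(dn)
    return hits

def authenticate(cfg, username, password, escape=True):
    """Bind as the service account, resolve the user's DN via searchFilter,
    then bind as that DN with the user's password. Returns (ok, dn_or_reason)."""
    if not simple_bind(cfg["bindDn"], cfg["bindCredentials"]):
        return False, "service bind failed: check bindDn and bindCredentials"
    value = escape_filter_value(username) if escape else username
    hits = ldap_search(cfg["searchBase"], cfg["searchFilter"].replace("{0}", value))
    if len(hits) != 1:
        return False, "user lookup returned %d entries" % len(hits)
    if not simple_bind(hits[0], password):
        return False, "user bind failed"
    return True, hits[0]

if __name__ == "__main__":
    print(check_config(BAD_CFG))                                   # url and bindDn problems
    print(authenticate(BAD_CFG, "alice", "alice-pw"))              # fails at the service bind
    print(authenticate(GOOD_CFG, "alice", "alice-pw"))             # logs alice in
    print(authenticate(GOOD_CFG, "a*", "alice-pw", escape=False))  # wildcard resolves to alice
    print(authenticate(GOOD_CFG, "a*", "alice-pw"))                # escaped: no such user
```

With murattdogan's config the flow stops at the first step, exactly where Nordes points: a DN of `DC=hitit,DC=edu,DC=tr` is the domain, not an account, so the service bind can never succeed. The wildcard case is the check to run against the real connector: if `a*` logs in as `alice`, the placeholder is substituted without escaping.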
