Help to configure LDAP


Help to configure LDAP

RemiKoutcherawy
Hi list,

I am lost with the doc
http://exist-db.org/exist/apps/doc/security.xml#ldap-realm

What should I change, or what can I discard?

My /db/system/security/config.xml is :
<security-manager xmlns="http://exist-db.org/Configuration"
last-account-id="10" last-group-id="10" version="2.0">
<authentication-entry-point>/authentication/login</authentication-entry-point>
     <realm id="LDAP" version="1.0" principals-are-case-insensitive="true">
         <context>
             <authentication>simple</authentication>
             <url>ldap://localhost:389</url>
             <domain>localhost</domain>
<principal-pattern>"cn={0},ou=people,dc=localhost"</principal-pattern>
             <search>
                 <base>ou=people,dc=localhost</base>
                 <default-username>me</default-username>
<default-password>secret</default-password>
                 <account>
<search-filter-prefix>cn={user}</search-filter-prefix>
                     <search-attribute key="name">cn</search-attribute>
                 </account>
             </search>
         </context>
     </realm>
</security-manager>

Testing with
http://localhost:8080/exist/apps/demo/examples/urlrewriting/protected.html
I always get:
2014-02-03 22:25:13,428 [eXistThread-32] DEBUG (SecurityManagerImpl.java
[authenticate]:406) - Authentication try for 'me'.
2014-02-03 22:25:13,428 [eXistThread-32] DEBUG (LdapContextFactory.java
[getLdapContext]:142) - Initializing LDAP context using URL
[ldap://localhost:389] and username [cn=me,ou=people,dc=localhost] with
pooling [enabled]
2014-02-03 22:25:13,431 [eXistThread-32] DEBUG (LDAPRealm.java
[getAccount]:482) - Get request for account 'me'.
2014-02-03 22:25:13,432 [eXistThread-32] DEBUG (LDAPRealm.java
[getAccount]:522) - Missing 'equals'
javax.naming.directory.InvalidSearchFilterException: Missing 'equals';
remaining name 'ou=people,dc=localhost'


My LDAP server is configured with http://www.openldap.org on my Mac (not
Active Directory), with the bare minimum: just one user.

$ ldapsearch -H ldap://localhost:389 -x -D
"cn=me,ou=people,dc=localhost" -w secret -b "dc=localhost"
# extended LDIF
#
# LDAPv3
# base <dc=localhost> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# localhost
dn: dc=localhost
objectClass: dcObject
objectClass: organizationalUnit
dc: localhost
ou: localhost

# people, localhost
dn: ou=people,dc=localhost
objectClass: organizationalUnit
ou: people

# me, people, localhost
dn: cn=me,ou=people,dc=localhost
objectClass: inetOrgPerson
objectClass: organizationalPerson
cn: me
givenName: ME
sn: Me
mail: [hidden email]
uid: 2
userPassword:: c2VjcmV0

Remarks:
1/ I guessed {0} in
<principal-pattern>"cn={0},ou=people,dc=localhost"</principal-pattern>
from
https://github.com/eXist-db/exist/blob/4bcf01592ce06130dff89c5523a10197a6f238e5/extensions/security/ldap/src/org/exist/security/realm/ldap/LdapContextFactory.java#L104
2/ I removed line 126 env.put("java.naming.ldap.attributes.binary",
"objectSid");
https://github.com/eXist-db/exist/commit/196c63b1328f52b5238d8ab9ece32686bc87fb91#diff-59706f9678490b63535b1e84631c9905R126
as OpenLDAP is not Active Directory.
3/ I uncommented
         // the following is helpful in debugging errors
         env.put("com.sun.jndi.ldap.trace.ber", System.err);
and get:
-> localhost:389
0000: 30 2E 02 01 01 60 29 02   01 03 04 1C 63 6E 3D 6D 0....`).....cn=m
0010: 65 2C 6F 75 3D 70 65 6F   70 6C 65 2C 64 63 3D 6C e,ou=people,dc=l
0020: 6F 63 61 6C 68 6F 73 74   80 06 73 65 63 72 65 74 ocalhost..secret
<- localhost:389
0000: 30 0C 02 01 01 61 07 0A   01 00 04 00 04 00 0....a........
-> localhost:389
0000: 30 22 02 01 03 42 00 A0   1B 30 19 04 17 32 2E 31 0"...B...0...2.1
0010: 36 2E 38 34 30 2E 31 2E   31 31 33 37 33 30 2E 33 6.840.1.113730.3
0020: 2E 34 2E 32                                        .4.2

Well, I guess my error should be obvious to whoever wrote the code ;-)
Can someone please explain it to me?

Rémi

_______________________________________________
Exist-open mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/exist-open
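The three PDUs in the trace.ber dump from remark 3, decoded with a small BER/LDAP parser. This is an added example, not code from eXist-db or from the post; the only thing taken from the post is the hex, re-typed into TRACE_HEX. It shows what the dump already contains once decoded: a simple bind as cn=me,ou=people,dc=localhost that succeeded (BindResponse resultCode 0), the password "secret" crossing the wire in the clear (simple bind over ldap:// is plaintext; use ldaps:// or StartTLS on anything that is not a loopback test box), a third PDU that is an UnbindRequest carrying the ManageDsaIT control (OID 2.16.840.1.113730.3.4.2), and no SearchRequest at all, so the InvalidSearchFilterException in the log was raised by the JNDI client before any search left the process. The same caveat applies to the LDIF: userPassword:: c2VjcmV0 is base64 of the cleartext "secret", not a hash.

```python
"""Decode the com.sun.jndi.ldap.trace.ber dump from the post: three LDAP PDUs
(BindRequest, BindResponse, UnbindRequest). Standard library only, no server needed."""
from typing import Dict, List, Tuple

# Hex copied from the post's trace output (the page's own bytes, only re-typed here).
TRACE_HEX = [
    "30 2E 02 01 01 60 29 02 01 03 04 1C 63 6E 3D 6D 65 2C 6F 75 3D 70 65 6F 70 6C 65 2C"
    " 64 63 3D 6C 6F 63 61 6C 68 6F 73 74 80 06 73 65 63 72 65 74",
    "30 0C 02 01 01 61 07 0A 01 00 04 00 04 00",
    "30 22 02 01 03 42 00 A0 1B 30 19 04 17 32 2E 31 36 2E 38 34 30 2E 31 2E 31 31 33 37"
    " 33 30 2E 33 2E 34 2E 32",
]

KNOWN_CONTROLS = {"2.16.840.1.113730.3.4.2": "ManageDsaIT (RFC 3296)"}


def read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Read one BER TLV with a definite length; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def children(value: bytes) -> List[Tuple[int, bytes]]:
    """Split a constructed value into its (tag, value) children."""
    out, pos = [], 0
    while pos < len(value):
        tag, v, pos = read_tlv(value, pos)
        out.append((tag, v))
    return out


def decode_message(pdu: bytes) -> Dict:
    """Decode LDAPMessage ::= SEQUENCE { messageID, protocolOp, controls [0] OPTIONAL }."""
    tag, body, end = read_tlv(pdu, 0)
    if tag != 0x30 or end != len(pdu):
        raise ValueError("expected exactly one LDAPMessage SEQUENCE")
    parts = children(body)
    msg: Dict = {"message_id": int.from_bytes(parts[0][1], "big"), "controls": []}
    op_tag, op_val = parts[1]
    if op_tag == 0x60:                     # BindRequest [APPLICATION 0]
        version, name, auth = children(op_val)
        msg.update(op="BindRequest", version=int.from_bytes(version[1], "big"),
                   name=name[1].decode())
        if auth[0] == 0x80:                # simple [0]: the password is a plain OCTET STRING
            msg.update(auth="simple", password=auth[1].decode())
        else:                              # sasl [3]
            msg.update(auth="sasl")
    elif op_tag == 0x61:                   # BindResponse [APPLICATION 1]
        result, matched, diag = children(op_val)[:3]
        msg.update(op="BindResponse", result_code=int.from_bytes(result[1], "big"),
                   matched_dn=matched[1].decode(), diagnostic=diag[1].decode())
    elif op_tag == 0x42:                   # UnbindRequest [APPLICATION 2] NULL
        msg["op"] = "UnbindRequest"
    elif op_tag == 0x63:                   # SearchRequest [APPLICATION 3]
        msg["op"] = "SearchRequest"
    else:
        msg["op"] = "APPLICATION %d" % (op_tag & 0x1F)
    for ctl_tag, ctl_val in parts[2:]:
        if ctl_tag == 0xA0:                # controls [0] SEQUENCE OF Control
            for _, control in children(ctl_val):
                oid = children(control)[0][1].decode()   # controlType LDAPOID
                msg["controls"].append(oid)
    return msg


def decode_trace(hex_pdus: List[str] = TRACE_HEX) -> List[Dict]:
    return [decode_message(bytes.fromhex(h)) for h in hex_pdus]


def findings(msgs: List[Dict]) -> List[str]:
    """What a reviewer takes from the decoded trace."""
    out = []
    for m in msgs:
        if m["op"] == "BindRequest" and m.get("auth") == "simple":
            out.append("cleartext simple bind as %s with password %r; use ldaps:// or StartTLS"
                       % (m["name"], m["password"]))
        if m["op"] == "BindResponse":
            out.append("bind result code %d (%s)" % (
                m["result_code"], "success" if m["result_code"] == 0 else "failure"))
        for oid in m["controls"]:
            out.append("control %s = %s" % (oid, KNOWN_CONTROLS.get(oid, "unknown")))
    if not any(m["op"] == "SearchRequest" for m in msgs):
        out.append("no SearchRequest on the wire: the search filter was rejected client-side")
    return out


if __name__ == "__main__":
    decoded = decode_trace()
    for m in decoded:
        print(m)
    for line in findings(decoded):
        print("-", line)
```

Run it as is; it only parses the bytes embedded above. To use it on your own JNDI trace, paste the hex of each "->" / "<-" block into TRACE_HEX; the parser handles only the three operations seen here plus the SearchRequest tag, which is enough to answer "did a search ever go out".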
Re: Help to configure LDAP

Dmitriy Shabanov
Hard to say exactly where the problem is, but you are missing the "group" part.


On Tue, Feb 4, 2014 at 1:38 AM, Rémi Koutchérawy <[hidden email]> wrote:
--
Dmitriy Shabanov


Re: Help to configure LDAP

RemiKoutcherawy
Hi, thanks,
Yes, I know; I also discarded <transformation>.
As these features are not documented and I haven't figured out how to customise them, I removed them.
Does it matter?

BTW <principal-pattern>"cn={0},ou=people,dc=localhost"</principal-pattern>
Should read <principal-pattern>cn={0},ou=people,dc=localhost</principal-pattern> without the quotes.
I realised my mistake writing the mail.

Rémi

2014-02-04 Dmitriy Shabanov <[hidden email]>:

Re: Help to configure LDAP

Dmitriy Shabanov
I guess the fastest way will be to copy the configuration as it is and change

 - realm/context/url
 - realm/context/domain
 - realm/context/search/base
 - realm/context/search/account/search-filter-prefix (maybe)
 - realm/context/search/group/search-filter-prefix (maybe)

remove
 - realm/context/search/default-username
 - realm/context/search/default-password
 - realm/context/transformation


If you fail after that, I'm ready for a Skype call :-)


On Tue, Feb 4, 2014 at 4:49 PM, Rémi Koutchérawy <[hidden email]> wrote:
--
Dmitriy Shabanov

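The two strings a realm of this shape derives from a login name, as an added example; this is not eXist-db's code and not the project's API. It takes the principal-pattern (without the stray quotes, as the follow-up notes) and the name attribute cn from the thread, and assumes an objectClass=inetOrgPerson search-filter-prefix as the OpenLDAP counterpart of the docs' literal objectClass=user (the LDIF in the first post shows inetOrgPerson); how the real realm joins prefix and attribute into one filter is not on this page, so the (&(prefix)(cn=user)) shape is also an assumption. The point a practitioner wants next to any such config: whatever substitutes the login name into {0} and into the filter has to escape it per RFC 4514 (DN) and RFC 4515 (filter), because a login name like me)(cn=* rewrites the filter, and a syntax check of the kind that produces JNDI's "Missing 'equals'" message does not catch that, since the injected filter is perfectly well-formed.

```python
"""Build the bind DN and the account search filter from a login name, with and
without escaping, plus a minimal RFC 4515 syntax check. Standard library only."""
import re
from typing import Optional, Tuple

# From the post (quotes removed, as the follow-up notes): "{0}" is replaced by the login name.
PRINCIPAL_PATTERN = "cn={0},ou=people,dc=localhost"
# Assumed OpenLDAP analogue of the docs' literal "objectClass=user"; the LDIF shows inetOrgPerson.
SEARCH_FILTER_PREFIX = "objectClass=inetOrgPerson"
NAME_ATTRIBUTE = "cn"      # <search-attribute key="name">cn</search-attribute>


def escape_dn_value(value: str) -> str:
    """RFC 4514 escaping for one attribute value inside a DN."""
    out = []
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append("\\00")
        elif ch in ',+"\\<>;=' or (i == 0 and ch in "# ") or (i == len(value) - 1 and ch == " "):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for an assertion value inside a search filter."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def bind_dn(user: str) -> str:
    """Bind DN from the principal-pattern: the realm's first step, the password check."""
    return PRINCIPAL_PATTERN.replace("{0}", escape_dn_value(user))


def naive_account_filter(user: str) -> str:
    """Prefix and name attribute joined without escaping; the bad form, shown for contrast."""
    return "(&(%s)(%s=%s))" % (SEARCH_FILTER_PREFIX, NAME_ATTRIBUTE, user)


def account_filter(user: str) -> str:
    """Same assumed shape, with the login name escaped so it can only match a value."""
    return "(&(%s)(%s=%s))" % (SEARCH_FILTER_PREFIX, NAME_ATTRIBUTE, escape_filter_value(user))


_ATTR = re.compile(r"[A-Za-z][A-Za-z0-9-]*(;[A-Za-z0-9-]+)*|\d+(\.\d+)*")


def filter_error(f: str) -> Optional[str]:
    """Minimal RFC 4515 syntax check (and/or/not and simple items). Returns None when the
    filter is well-formed, otherwise a message in the style of InvalidSearchFilterException."""
    pos = 0

    def parse() -> None:
        nonlocal pos
        if pos >= len(f) or f[pos] != "(":
            raise ValueError("expected '(' at %d" % pos)
        pos += 1
        if pos < len(f) and f[pos] in "&|":
            pos += 1
            while pos < len(f) and f[pos] == "(":
                parse()
        elif pos < len(f) and f[pos] == "!":
            pos += 1
            parse()
        else:
            end = f.find(")", pos)          # a ')' inside a value must be escaped as \29
            if end == -1:
                raise ValueError("Unbalanced parenthesis")
            item = f[pos:end]
            if "=" not in item:
                raise ValueError("Missing 'equals' in %r" % item)
            attr = item.split("=", 1)[0].rstrip("~<>")   # strip the ~= >= <= operators
            if not _ATTR.fullmatch(attr):
                raise ValueError("bad attribute description %r" % attr)
            pos = end
        if pos >= len(f) or f[pos] != ")":
            raise ValueError("expected ')' at %d" % pos)
        pos += 1

    try:
        parse()
        if pos != len(f):
            raise ValueError("trailing characters at %d" % pos)
    except ValueError as e:
        return str(e)
    return None


def realm_strings(user: str) -> Tuple[str, str]:
    """(bind DN, account search filter) for one login name, both escaped."""
    return bind_dn(user), account_filter(user)


if __name__ == "__main__":
    for user in ("me", "me)(cn=*", "me,ou=admins"):
        print(user, "->", bind_dn(user))
        print("  naive:  ", naive_account_filter(user), filter_error(naive_account_filter(user)))
        print("  escaped:", account_filter(user), filter_error(account_filter(user)))
    print(filter_error("(&(objectClass=inetOrgPerson)(cn))"))
```

The run shows the contrast: for the login name me)(cn=* the naive filter becomes (&(objectClass=inetOrgPerson)(cn=me)(cn=*)), which the syntax check accepts, while the escaped form keeps it as a single cn value. The last line reproduces a genuinely malformed filter, an item with no '=', which is the class of error the syntax check is for.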

Re: Help to configure LDAP

cmisztur
What is the minimum AD perms required by the 'me' user?

Does the transformation element add the AD user to an eXist group?

I'm going to try this in a little bit as well.

On Feb 4, 2014, at 7:01 AM, "Dmitriy Shabanov" <[hidden email]> wrote:


Re: Help to configure LDAP

Dmitriy Shabanov
On Tue, Feb 4, 2014 at 5:09 PM, Misztur, Chris <[hidden email]> wrote:
What is the minimum AD perms required by the 'me' user?

It depends on your LDAP server settings. The one in the docs is based on an AD setup.

Does the transformation element add the AD user to an eXist group?

No, transformation adds a group to the account created in eXist (the one that passed LDAP authentication).

--
Dmitriy Shabanov


Re: Help to configure LDAP

cmisztur
Here is mine, and I get ‘An LDAP URL must be specified of the form ldap://:’ when logging into the dashboard.

<security-manager xmlns="http://exist-db.org/Configuration" last-account-id="17" last-group-id="18" version="2.0">
    <authentication-entry-point>/authentication/login</authentication-entry-point>
    <realm id="LDAP" version="1.0" principals-are-case-insensitive="true">
        <context>
            <authentication>simple</authentication>
            <url>ldap://adserver.my-domain.com:389</url>
            <domain>my-domain.com</domain>
            <search>
                <base>OU=Domestic,OU=Vehicle Systems,OU=my-domain,DC=my-domain,DC=com</base>
                <!--<default-username>[hidden email]</default-username>
                <default-password>pass</default-password>-->
                <account>
                    <search-filter-prefix>objectClass=user</search-filter-prefix>
                    <search-attribute key="objectSid">objectSid</search-attribute>
                    <search-attribute key="primaryGroupID">primaryGroupID</search-attribute>
                    <search-attribute key="name">sAMAccountName</search-attribute>
                    <search-attribute key="dn">distinguishedName</search-attribute>
                    <search-attribute key="memberOf">memberOf</search-attribute>
                    <metadata-search-attribute key="http://axschema.org/namePerson/first">givenName</metadata-search-attribute>
                    <metadata-search-attribute key="http://axschema.org/contact/email">mail</metadata-search-attribute>
                    <metadata-search-attribute key="http://axschema.org/namePerson/last">sn</metadata-search-attribute>
                    <metadata-search-attribute key="http://axschema.org/namePerson">name</metadata-search-attribute>
                </account>
                <group>
                    <search-filter-prefix>objectClass=group</search-filter-prefix>
                    <search-attribute key="member">member</search-attribute>
                    <search-attribute key="primaryGroupToken">primaryGroupToken</search-attribute>
                    <search-attribute key="objectSid">objectSid</search-attribute>
                    <search-attribute key="name">sAMAccountName</search-attribute>
                    <search-attribute key="dn">distinguishedName</search-attribute>
                    <whitelist>
                        <principal>Domain Users</principal>
                    </whitelist>
                </group>
            </search>
        <!--<transformation><add-group>group.users</add-group></transformation>-->
        </context>
    </realm>
</security-manager>