I log into mastodon through keycloak's openid, but mastodon's username is a long meaningless string.I have set the email in keycloak,Although the suffix is different from my domain name.This is my .env.
OIDC_ENABLED=true
OMNIAUTH_ONLY=true
OIDC_DISPLAY_NAME=SSO
OIDC_AUTH_ENDPOINT=https://sso.dora.im/realms/mastodon/protocol/openid-connect/auth
OIDC_ISSUER=https://sso.domain.com/realms/mastodon
OIDC_DISCOVERY=true
OIDC_SCOPE="openid,profile"
OIDC_UID_FIELD=uid
OIDC_CLIENT_ID=mastodon
OIDC_REDIRECT_URI=https://mastodon.domain.com/auth/auth/openid_connect/callback
OIDC_SECURITY_ASSUME_EMAIL_IS_VERIFIED=true
OIDC_CLIENT_SECRET=***
And what does OIDC_UID_FIELD mean?
Related
This question is about Jenkins LDAP root DN & Display Name LDAP attribute
Environment:-
Jenkins Version - 2.235.5(LTS)
LDAP Plugin - 1.24
I am trying to configure LDAP(AD) Authentication in our Jenkins, Below is the configuration settings.
root DN - DC=Company,DC=domain,DC=com
User search base: OU=Users,OU=Division,OU=Team,DC=Company,DC=domain,DC=com
User search filter: sAMAccountName={0}
Group search base: OU=Users,OU=Division,OU=Team,DC=Company,DC=domain,DC=com
Group search filter: (&(objectclass=group)(cn={0}))
Group membership
Group membership filter - (&(objectCategory=group)(member:1.2.840.113556.1.4.1941:={0}))
Manager DN: CN=jenkins,OU=Users,OU=Division,OU=Team,DC=Company,DC=domain,DC=com
Manager Password: password
Display Name LDAP attribute: displayname
Email Address LDAP attribute: mail
But while testing the LDAP connection it fails below error.
Login
Authentication: failed for user "jenkins-user"
Lookup
User lookup: failed for user "jenkins-user"
LdapCallback;[LDAP: error code 32 - 0000208D: NameErr: DSID-03100241, problem 2001 (NO_OBJECT), data 0, best match of:
'DC=domain,DC=com'
]; nested exception is javax.naming.NameNotFoundException: [LDAP: error code 32 - 0000208D: NameErr: DSID-03100241, problem 2001 (NO_OBJECT), data 0, best match of:
'DC=domain,DC=com'
]; remaining name 'OU=Users,OU=Division,OU=Team,DC=Company,DC=domain,DC=com'
LDAP Group lookup: could not verify.
Please try with a user that is a member of at least one LDAP group.
Lockout
The user "jenkins-user" will be unable to login with the supplied password.
If this is your own account this would mean you would be locked out!
Are you sure you want to save this configuration?
Suppose if i keep the root DN as empty and enabled the tick mark - Allow blank rootDN. my test connection is getting successful.
But i would like to know that currently i am running root DN as empty and enabled - Allow blank rootDN in plugin section. Is this is fine for production environment?
Also for the logged in users, The display name shown as below which is too lengthy.
First-Name/Sur-Name/Team-Name/Location/Title/Company-Name
i would like to display only First-Name + Sur-Name. For this i tried to change Display Name LDAP attribute: with name, givenName, cn & sn but none of them were worked. So is it possible to display only First name + Sur-name in Jenkins?
I have fixed it. Each time when we change/update the Display Name LDAP attribute value in LDAP configuration section, We need to delete the user from people category and need to login. Post that it displays the configured settings.
I've install FR3LdapBundle & FOSUserBundle with Symfony3 successfully as per my blog, and I'm able to authenticate against this test LDAP server; but now I'm trying to authenticate against our internal Active Directory Server.
Here is the change in config (I have obsfucated the config information on purpose):
fr3d_ldap:
driver:
host: somehost
username: administrateur
password: somepass
port: 389
accountDomainName: somedom.local
accountDomainNameShort: somedom
user:
usernameAttribute: administrateur
baseDn: ou=utilisateurs,dc=somedom,dc=local
attributes:
- { ldap_attr: administrateur, user_method: setUsername }
- { ldap_attr: mail, user_method: setEmail }
filter: (&(ObjectClass=person))
The above is the only change I made. In my DEV logs, when I log in I get these important messages:
[2017-05-09 15:56:54] ldap_driver.DEBUG: ldap_search(ou=utilisateurs,dc=somedom,dc=local, (&(&(ObjectClass=person)) (sAMAccountName=somedom\5cadministrateur)), [array]) {"action":"ldap_search","base_dn":"ou=utilisateurs,dc=somedom,dc=local","filter":"(&(&(ObjectClass=person))(sAMAccountName=somedom\\5cadministrateur))","attributes":[]} []
[2017-05-09 15:56:54] security.INFO: User somedom\administrateur not found on LDAP {"action":"loadUserByUsername","username":"somedom\\administrateur","result":"not found"} []
So I wonder if I need a special config?
Login as:
administrateur
instead, in the log it shows you are trying to login as "somedom\administrateur", but you don't need to add the domain.
I think that's the problem. Can you try it and if it doesn't work, I'll get you to try something else.
EDIT #2
I also see you have this set in your config.yml code:
attributes:
- { ldap_attr: administrateur, user_method: setUsername }
But instead should be:
attributes:
- { ldap_attr: samaccountname, user_method: setUsername }
Then if you use the LDAP browser, verify that the user exists in the baseDn you specified, and look for the attribute sAMAccountName and this is the user string you should enter in the login name field.
I have already migrate Jenkins to use LDAP login, and have no problem.
But when I tried to migrate phabricator to use LDAP, I got "Username or password are incorrect." every time, and I'm sure the same username and passwd can login Jenkins. I was using the same OpenLDAP server, and the LDAP has a readonly DN: cn=readonly,dc=my-company,dc=com. Phabricator configurations list below:
Allow: "Allow Login"
LDAP Hostname & Port: exactly the same with my Jenkins configuration
Base Distinguished Name: ou=user,dc=my-company,dc=com (while Jenkins root DN was dc=my-company,dc=com)
Search Attributes: empty
Always Search: unchecked
Anonymous Username: cn=readonly, dc=my-company, dc=com (same with Jenkins Manager DN)
Anonymous Password: the password (same with Jenkins Manager password)
Username Attribute: uid
Realname Attributes: empty
LDAP Version: 3
This has block me two days, is there something I missed?
Thanks for your answer~
Oh, I figure it out. Phabricator has a different LDAP login mechanism with Jenkins. Phabricator always bind LDAP with the user's DN and password (to verify login), then search the user's DN itself. Below is the comment in the LDAP login code:
// This is unusual (since the bind succeeded) but we've seen it at least
// once in the wild, where the anonymous user is allowed to search but
// the credentialed user is not.
// If we don't have anonymous credentials, raise an explicit exception
// here since we'll fail a typehint if we don't return an array anyway
// and this is a more useful error.
// If we do have anonymous credentials, we'll rebind and try the search
// again below. Doing this automatically means things work correctly more
// often without requiring additional configuration.
So, LDAP users must have search acl, like:
olcAccess: {1}to *
by self write
by dn="cn=admin,dc=my-company,dc=com" write
by dn="cn=readonly,dc=my-company,dc=com" read
by users search
by * none
I didn't have 'by users search' option, so login failed.
i'm using Grails 2.5.1 and mail:1.0.7 plugin to send emails , but when i'm using it i always getting the bellow error :
Class:javax.mail.AuthenticationFailedExceptionMessage:535-5.7.8 Username and Password not accepted. Learn more at 535 5.7.8 https://support.google.com/mail/answer/14257 qq4sm4579366wjc.14 - gsmtp
although i can login with the provided credentials successfully from the browser !!
here are my configurations in the Config file :
grails {
mail {
host = "smtp.gmail.com"
port =465
username = "****"
password = "***"
props = ["mail.smtp.auth":"true",
"mail.smtp.socketFactory.port":"465",
"mail.smtp.socketFactory.class":"javax.net.ssl.SSLSocketFactory",
"mail.smtp.socketFactory.fallback":"false"]
}
}
and here is the action :
mailService.sendMail{
to userInstance.toEmail
subject userInstance.subject
html "<strong>Test</strong> "
}
anything i'm missing ?
It may be because of gmail's security feature for less secure apps to get authenticated. Just turn on the access for less secure apps.
Follow below steps:
1 Login to your gmail account
2 Access the url:
https://www.google.com/settings/security/lesssecureapps
3 Select "Turn on"
If you have gmail - settings for plugin are correct (i have the same and they are working) , but if your email is not gmail you must have other config.
By the way if you gmail :
Username and Password not accepted.
your username or password is wrong, try to login with this Username and password, watch out for register of letters.
https://grails.org/plugin/mail
I'm trying to create an Apple Script for my Apple Users. To configure their e-mail accounts, they only have to use this Script.
The First part with the imap works great, but in the second part I got an error. In German the error is:
"Mail" hat einen Fehler erhalten: password of smtp server "host-cocco.ch"
kann nicht in Typ constant umgewandet werden.
The error in english:
"Mail" got an error: password of smtp server "host-cocco.ch"
can not be changed in typ constant.
Does anyone have an idea?
display dialog "Wie lautet ihre E-Mail-Adresse?" default answer ""
set email to text returned of result
display dialog "Wie lautet ihr Passwort?" default answer ""
set passwort to text returned of result
tell application "Mail"
set AccountName to email
set newacct to make new imap account with properties {name:AccountName, user name:email, server name:"host-cocco.ch"}
tell newacct
set password to passwort
set full name to AccountName
set email addresses to {email}
set port to 995
set uses ssl to true
end tell
set smtpservername to "host-cocco.ch"
set smtpusername to email
set addsmtp to make new smtp server with properties {server name:smtpservername}
tell addsmtp
set authentication to password
set password to passwort
set uses ssl to true
set port to 465
set user name to smtpusername
end tell
set newsmtpserver to smtp server (smtpservername & ":" & smtpusername)
set smtp server of newacct to smtp server newsmtpserver
end tell
set addsmtp to make new smtp server with properties {server name:smtpservername}
tell addsmtp
set authentication to password
set password to passwort
set uses ssl to true
set port to 465
set user name to smtpusername
end tell
Is there some logical reason why you are creating the smtp server with just a server name property and then trying to set its properties afterward? I would suggest that you set all these properties in the with properties clause.