I've install FR3LdapBundle & FOSUserBundle with Symfony3 successfully as per my blog, and I'm able to authenticate against this test LDAP server; but now I'm trying to authenticate against our internal Active Directory Server.
Here is the change in config (I have obsfucated the config information on purpose):
fr3d_ldap:
driver:
host: somehost
username: administrateur
password: somepass
port: 389
accountDomainName: somedom.local
accountDomainNameShort: somedom
user:
usernameAttribute: administrateur
baseDn: ou=utilisateurs,dc=somedom,dc=local
attributes:
- { ldap_attr: administrateur, user_method: setUsername }
- { ldap_attr: mail, user_method: setEmail }
filter: (&(ObjectClass=person))
The above is the only change I made. In my DEV logs, when I log in I get these important messages:
[2017-05-09 15:56:54] ldap_driver.DEBUG: ldap_search(ou=utilisateurs,dc=somedom,dc=local, (&(&(ObjectClass=person)) (sAMAccountName=somedom\5cadministrateur)), [array]) {"action":"ldap_search","base_dn":"ou=utilisateurs,dc=somedom,dc=local","filter":"(&(&(ObjectClass=person))(sAMAccountName=somedom\\5cadministrateur))","attributes":[]} []
[2017-05-09 15:56:54] security.INFO: User somedom\administrateur not found on LDAP {"action":"loadUserByUsername","username":"somedom\\administrateur","result":"not found"} []
So I wonder if I need a special config?
Login as:
administrateur
instead, in the log it shows you are trying to login as "somedom\administrateur", but you don't need to add the domain.
I think that's the problem. Can you try it and if it doesn't work, I'll get you to try something else.
EDIT #2
I also see you have this set in your config.yml code:
attributes:
- { ldap_attr: administrateur, user_method: setUsername }
But instead should be:
attributes:
- { ldap_attr: samaccountname, user_method: setUsername }
Then if you use the LDAP browser, verify that the user exists in the baseDn you specified, and look for the attribute sAMAccountName and this is the user string you should enter in the login name field.
Related
I configured SAML2 registrations according to the docs and got SAML2 login working. Unfortunately I could not figure out how to get the logout working. When sending a POST to /logout, the user is logged out of the system itself, but not logged out at the AP. There is no saml2:LogoutRequest sent to the AP and the SAML session attributes are not cleared.
Debugging shows, Saml2LogoutRequestFilter is not used first-hand, since the endpoints do not match and - of course - the user does not send a saml2:LogoutRequest object; so this is expected. Saml2LogoutResponseFilter also is not utilized, since this whould only be used processing logout answers from the AP.
What is utilized, is the LogoutFilter. What I unserstood reading the docs was, this would first log out the user from the system itself (which is fine), and afterward send a saml2:LogoutRequest to the AP, which is never done.
The configuration reads as:
spring:
security:
saml2:
relyingparty:
registration:
saml:
acs:
binding: POST
location: "{baseUrl}/sso/{registrationId}/response"
assertingparty:
entity-id: "http://localhost:8000/saml2/idp/metadata.php"
metadata-uri: "http://localhost:8000/saml2/idp/metadata.php"
singlesignon:
url: "http://localhost:8000/saml2/idp/SSOService.php"
sign-request: false
singlelogout:
url: "http://localhost:8000/saml2/idp/SingleLogoutService.php"
binding: REDIRECT
entity-id: "localhost"
singlelogout:
url: "{baseUrl}/sso/logout/saml"
binding: POST
response-url: "{baseUrl}/sso/logout/saml"
and the filter config looks like that:
#Bean
fun filterChain(http: HttpSecurity/*, registrations: RelyingPartyRegistrationRepository*/): SecurityFilterChain {
...
// saml login
http.saml2Login { saml2LoginConfigurer ->
saml2LoginConfigurer
.authenticationRequestUri("/sso/{registrationId}/login")
.loginProcessingUrl(samlResponseUrl.replace("{baseUrl}", ""))
.authenticationManager(ProviderManager(samlAuthenticationProvider()))
.defaultSuccessUrl(samlRedirectUrl)
.failureUrl(samlRedirectUrlNewUser)
}
// saml (sso) logout
http.saml2Logout { saml2LogoutConfigurer ->
saml2LogoutConfigurer
.logoutRequest { request -> request.logoutUrl("/sso/logout/saml") }
.logoutResponse { response -> response.logoutUrl("/sso/logout/saml") }
}
I am trying to find a way to use the roles I manage in Okta to work with Jenkins. I have been trying to get role-strategy plugin to work, but when I log in, I get <user> is missing the Overall/Read permission.
My configuration includes OIDC for Okta, using oic-auth plugin, and I am specifying the authorizationStrategy config via JCasC. For example I have this on my JCasC okta.yaml:
authorizationStrategy:
roleBased:
roles:
global:
- name: "my_okta_group"
permissions:
- "Overall/Administer"
I see this properly getting converted into $JENKINS_HOME/config.xml.
What I don't specify, but seems to be required, is assignments:, because - it's RBAC after all, and the user assignments into roles should be made in Okta, not Jenkins.
After browsing the plug-in code, it appears hard-wired for an explicit user SID list to be specified in the JCasC. That's not going to work for me.
Is there a different way to use this plug-in to achieve the goal?
Is there another RBAC plug-in that would work better?
The above is very close to a working solution. assignments: is indeed required, and it supports username or group. Also the 'name' of 'authorizationStrategy.roleBased.roles' is the Jenkins role name, not the OIDC group name.
The oic-auth configuration maps OIDC token fields to Jenkins user properties, and then the role-strategy checks for the OIDC token's username, as well as its group(s).
My working config is:
jenkins:
securityRealm:
oic:
clientId: "${clientId}"
clientSecret: "${clientSecret}"
wellKnownOpenIDConfigurationUrl: "${oidcIssuerUrl}/.well-known/openid-configuration"
userInfoServerUrl: "${oidcIssuerUrl}/oauth2/v1/userinfo"
tokenFieldToCheckKey: ""
tokenFieldToCheckValue: ""
fullNameFieldName: "name"
groupsFieldName: "groups"
disableSslVerification: false
logoutFromOpenidProvider: true
endSessionEndpoint: "${oidcIssuerUrl}/oauth2/v1/logout"
postLogoutRedirectUrl: "https://${dns_name_full}"
escapeHatchEnabled: false
escapeHatchUsername: ""
escapeHatchSecret: "my-unused-password"
escapeHatchGroup: ""
automanualconfigure: "auto"
emailFieldName: "email"
userNameField: "name"
tokenServerUrl: "${oidcIssuerUrl}/oauth2/v1/token"
authorizationServerUrl: "${oidcIssuerUrl}/oauth2/v1/authorize"
scopes: "address phone openid profile offline_access groups email"
authorizationStrategy:
roleBased:
roles:
global:
- name: "my_jenkins_role"
permissions:
- "Overall/Administer"
assignments:
- "my_okta_group"
BTW, I specify the yaml with Helm:
...
JCasC:
configScripts:
okta: |
jenkins:
securityRealm:
...
This question is about Jenkins LDAP root DN & Display Name LDAP attribute
Environment:-
Jenkins Version - 2.235.5(LTS)
LDAP Plugin - 1.24
I am trying to configure LDAP(AD) Authentication in our Jenkins, Below is the configuration settings.
root DN - DC=Company,DC=domain,DC=com
User search base: OU=Users,OU=Division,OU=Team,DC=Company,DC=domain,DC=com
User search filter: sAMAccountName={0}
Group search base: OU=Users,OU=Division,OU=Team,DC=Company,DC=domain,DC=com
Group search filter: (&(objectclass=group)(cn={0}))
Group membership
Group membership filter - (&(objectCategory=group)(member:1.2.840.113556.1.4.1941:={0}))
Manager DN: CN=jenkins,OU=Users,OU=Division,OU=Team,DC=Company,DC=domain,DC=com
Manager Password: password
Display Name LDAP attribute: displayname
Email Address LDAP attribute: mail
But while testing the LDAP connection it fails below error.
Login
Authentication: failed for user "jenkins-user"
Lookup
User lookup: failed for user "jenkins-user"
LdapCallback;[LDAP: error code 32 - 0000208D: NameErr: DSID-03100241, problem 2001 (NO_OBJECT), data 0, best match of:
'DC=domain,DC=com'
]; nested exception is javax.naming.NameNotFoundException: [LDAP: error code 32 - 0000208D: NameErr: DSID-03100241, problem 2001 (NO_OBJECT), data 0, best match of:
'DC=domain,DC=com'
]; remaining name 'OU=Users,OU=Division,OU=Team,DC=Company,DC=domain,DC=com'
LDAP Group lookup: could not verify.
Please try with a user that is a member of at least one LDAP group.
Lockout
The user "jenkins-user" will be unable to login with the supplied password.
If this is your own account this would mean you would be locked out!
Are you sure you want to save this configuration?
Suppose if i keep the root DN as empty and enabled the tick mark - Allow blank rootDN. my test connection is getting successful.
But i would like to know that currently i am running root DN as empty and enabled - Allow blank rootDN in plugin section. Is this is fine for production environment?
Also for the logged in users, The display name shown as below which is too lengthy.
First-Name/Sur-Name/Team-Name/Location/Title/Company-Name
i would like to display only First-Name + Sur-Name. For this i tried to change Display Name LDAP attribute: with name, givenName, cn & sn but none of them were worked. So is it possible to display only First name + Sur-name in Jenkins?
I have fixed it. Each time when we change/update the Display Name LDAP attribute value in LDAP configuration section, We need to delete the user from people category and need to login. Post that it displays the configured settings.
I have already migrate Jenkins to use LDAP login, and have no problem.
But when I tried to migrate phabricator to use LDAP, I got "Username or password are incorrect." every time, and I'm sure the same username and passwd can login Jenkins. I was using the same OpenLDAP server, and the LDAP has a readonly DN: cn=readonly,dc=my-company,dc=com. Phabricator configurations list below:
Allow: "Allow Login"
LDAP Hostname & Port: exactly the same with my Jenkins configuration
Base Distinguished Name: ou=user,dc=my-company,dc=com (while Jenkins root DN was dc=my-company,dc=com)
Search Attributes: empty
Always Search: unchecked
Anonymous Username: cn=readonly, dc=my-company, dc=com (same with Jenkins Manager DN)
Anonymous Password: the password (same with Jenkins Manager password)
Username Attribute: uid
Realname Attributes: empty
LDAP Version: 3
This has block me two days, is there something I missed?
Thanks for your answer~
Oh, I figure it out. Phabricator has a different LDAP login mechanism with Jenkins. Phabricator always bind LDAP with the user's DN and password (to verify login), then search the user's DN itself. Below is the comment in the LDAP login code:
// This is unusual (since the bind succeeded) but we've seen it at least
// once in the wild, where the anonymous user is allowed to search but
// the credentialed user is not.
// If we don't have anonymous credentials, raise an explicit exception
// here since we'll fail a typehint if we don't return an array anyway
// and this is a more useful error.
// If we do have anonymous credentials, we'll rebind and try the search
// again below. Doing this automatically means things work correctly more
// often without requiring additional configuration.
So, LDAP users must have search acl, like:
olcAccess: {1}to *
by self write
by dn="cn=admin,dc=my-company,dc=com" write
by dn="cn=readonly,dc=my-company,dc=com" read
by users search
by * none
I didn't have 'by users search' option, so login failed.
i'm using Grails 2.5.1 and mail:1.0.7 plugin to send emails , but when i'm using it i always getting the bellow error :
Class:javax.mail.AuthenticationFailedExceptionMessage:535-5.7.8 Username and Password not accepted. Learn more at 535 5.7.8 https://support.google.com/mail/answer/14257 qq4sm4579366wjc.14 - gsmtp
although i can login with the provided credentials successfully from the browser !!
here are my configurations in the Config file :
grails {
mail {
host = "smtp.gmail.com"
port =465
username = "****"
password = "***"
props = ["mail.smtp.auth":"true",
"mail.smtp.socketFactory.port":"465",
"mail.smtp.socketFactory.class":"javax.net.ssl.SSLSocketFactory",
"mail.smtp.socketFactory.fallback":"false"]
}
}
and here is the action :
mailService.sendMail{
to userInstance.toEmail
subject userInstance.subject
html "<strong>Test</strong> "
}
anything i'm missing ?
It may be because of gmail's security feature for less secure apps to get authenticated. Just turn on the access for less secure apps.
Follow below steps:
1 Login to your gmail account
2 Access the url:
https://www.google.com/settings/security/lesssecureapps
3 Select "Turn on"
If you have gmail - settings for plugin are correct (i have the same and they are working) , but if your email is not gmail you must have other config.
By the way if you gmail :
Username and Password not accepted.
your username or password is wrong, try to login with this Username and password, watch out for register of letters.
https://grails.org/plugin/mail