Issue with Dynamic Groups in OpenLDAP - spring-security

I'm trying to move our current web apps to retrieve roles and authentication against an OpenLDAP system. I'm having a bit of an issue with dynamic groups (groupOfURLs) and OpenLDAP. I'm using OpenLDAP 2.4.33 and Spring 3.2.
I've got my authentication working successfully, however now I'm having an issue setting up a system to use dynamic groups for roles using the dynamic group overlay.
On the Spring side, I'm attempting to use a DefaultLdapAuthoritiesPopulator with a groupSearchFilter = "(member={0})". The issue I'm having is that Spring does not find any members in my dynamic group, however it can find members of static groups (groupOfNames).
This doesn't seem to be a Spring issue as I have the same issue using the ldapsearch command. The issue I'm having is best illustrated by example.
I'm using the following LDIF:
dn: ou=Groups,dc=myapp,dc=com
objectClass: top
objectClass: organizationalUnit
ou: Groups

dn: ou=Users,dc=myapp,dc=com
objectClass: top
objectClass: organizationalUnit
ou: Users

dn: uid=userA,ou=Users,dc=myapp,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
uid: userA
cn: test-forename
sn: test-surname
mail: userA#mail.com
userPassword:: e1NTSEF9bVpJVGxZRlFYdnhBemhLQkdxWll0VnlRQjRUdjBaelhEZkpaZnc9PQ==

dn: uid=userB,ou=Users,dc=myapp,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
uid: userB
cn: test-forename
sn: test-surname
mail: userB#mail.com
userPassword:: e1NTSEF9bVpJVGxZRlFYdnhBemhLQkdxWll0VnlRQjRUdjBaelhEZkpaZnc9PQ==

dn: cn=DynamicGroup,ou=Groups,dc=myapp,dc=com
cn: DynamicGroup
objectClass: top
objectClass: groupOfURLs
ou: Groups
memberURL: ldap:///ou=Users,dc=myapp,dc=com??sub?mail=userA#mail.com

dn: cn=StaticGroup,ou=Groups,dc=myapp,dc=com
cn: StaticGroup
objectClass: top
objectClass: groupofnames
ou: Groups
member: uid=userA,ou=Users,dc=myapp,dc=com
This creates two users and two groups, one static and one dynamic.
If I do a simple search:
ldapsearch.exe -v -x -h localhost -p 389 -D "cn=admin,dc=myapp,dc=com" -w secret -LL -b "ou=Groups,dc=myapp,dc=com" "(objectClass=*)" dn member
In this I'm searching using ("(objectClass=*)" dn member), and I get the following result:
ldap_initialize( ldap://localhost:389 )
filter: (objectClass=*)
requesting: dn member
version: 1
dn: ou=Groups,dc=myapp,dc=com
dn: cn=DynamicGroup,ou=Groups,dc=myapp,dc=com
member: uid=dbunit,ou=Users,dc=myapp,dc=com
member: uid=userA,ou=Users,dc=myapp,dc=com
member: uid=userB,ou=Users,dc=myapp,dc=com
dn: cn=StaticGroup,ou=Groups,dc=myapp,dc=com
member: uid=dbunit,ou=Users,dc=myapp,dc=com
Clearly this illustrates that the query returns results for both the static and dynamic group. This indicates that it is correctly configured and that it has an attribute member.
The issue that I have is when I add a filter on the member attributes.
ldapsearch.exe -v -x -h localhost -p 389 -D "cn=admin,dc=myapp,dc=com" -w secret -LL -b "ou=Groups,dc=myapp,dc=com" "(member=*)" dn member
In this case I'm applying the filter "(member=*)".
ldap_initialize( ldap://localhost:389 )
filter: (member=*)
requesting: dn member
version: 1
dn: cn=StaticGroup,ou=Groups,dc=myapp,dc=com
member: uid=dbunit,ou=Users,dc=myapp,dc=com
In this case all that is returned is the static group. It appears that the filter doesn't seem to have access to the member attribute.
Has anyone else come across this issue?
Any help would be appreciated.

It's clear that this is not how dynamic groups work. In the end I decided to use static groups.
A good answer can be found at: stackoverflow.com/questions/4603570/openldap-dynlist-posixgroup
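One workaround short of giving up on dynamic groups, added here as an example and not code from the question, the answer or Spring Security itself: the ldapsearch with "(objectClass=*)" above does return the dynlist-expanded member values when the group entry is read, so a custom LdapAuthoritiesPopulator can fetch the group entries by objectClass (a stored attribute the server can filter on) and check membership client-side. The class name, the constructor arguments and the ROLE_ prefix convention are assumptions; it targets the Spring Security 3.2 / Spring LDAP API used in the question.

```java
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
import org.springframework.ldap.core.ContextMapper;
import org.springframework.ldap.core.ContextSource;
import org.springframework.ldap.core.DirContextAdapter;
import org.springframework.ldap.core.DirContextOperations;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.ldap.SpringSecurityLdapTemplate;
import org.springframework.security.ldap.userdetails.LdapAuthoritiesPopulator;

/** Hypothetical populator that checks group membership client-side instead of with "(member={0})". */
public class ClientSideGroupAuthoritiesPopulator implements LdapAuthoritiesPopulator {
    // objectClass is a stored attribute, so the server can evaluate this filter for dynamic groups too.
    private static final String GROUP_FILTER = "(|(objectClass=groupOfURLs)(objectClass=groupOfNames))";
    private final SpringSecurityLdapTemplate ldapTemplate;
    private final String groupSearchBase;   // e.g. "ou=Groups", relative to the context source base

    public ClientSideGroupAuthoritiesPopulator(ContextSource contextSource, String groupSearchBase) {
        this.ldapTemplate = new SpringSecurityLdapTemplate(contextSource);
        this.groupSearchBase = groupSearchBase;
    }

    @Override
    public Collection<? extends GrantedAuthority> getGrantedAuthorities(DirContextOperations userData,
                                                                        String username) {
        final String userDn = userData.getNameInNamespace();   // e.g. uid=userA,ou=Users,dc=myapp,dc=com
        final List<GrantedAuthority> authorities = new ArrayList<GrantedAuthority>();
        // Read every group entry: dynlist fills in "member" on return, even though it cannot be filtered on.
        ldapTemplate.search(groupSearchBase, GROUP_FILTER, new ContextMapper() {
            public Object mapFromContext(Object ctx) {
                DirContextAdapter group = (DirContextAdapter) ctx;
                String[] members = group.getStringAttributes("member");   // null when the attribute is absent
                String cn = group.getStringAttribute("cn");
                if (members == null || cn == null) {
                    return null;
                }
                for (String member : members) {
                    // Plain case-insensitive match; normalise DNs (e.g. via LdapName) if your data needs it.
                    if (member.equalsIgnoreCase(userDn)) {
                        authorities.add(new SimpleGrantedAuthority("ROLE_" + cn.toUpperCase()));
                        break;
                    }
                }
                return null;
            }
        });
        return authorities;
    }
}
```

Wire it in place of DefaultLdapAuthoritiesPopulator in the LdapAuthenticationProvider; it costs one read of the group subtree per login, so keep the group base narrow.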

Related

How to debug RocketChat error-not-allowed (trying to invite and add/remove owners)

We're using RocketChat via a Docker image rocketchat/rocket.chat:0.68.4 and the Ruby rocketchat gem.
There's already some working functionality to update a channel's attributes:
# RocketChatService is a wrapper class for a RocketChat::Session object with authentication as admin
channels = RocketChatService.channels
channels.set_attr(name: id, topic: escape_nil(title)) if title_changed?
channels.set_attr(name: id, description: escape_nil(description)) if description_changed?
channels.set_attr(name: id, custom_fields: { project_id: project_id }) if project_id && project_id_was.nil?
But now we also need to add new users to a room, make them owner, or degrade previous owners. The following code works under certain circumstances (which I'm afraid are too complex to be presented here), but sometimes causes errors:
# idempotent
channels.invite(name: id, username: creator_id)
# TODO: already an owner
channels.add_owner(name: id, username: creator_id)
channels.remove_owner(name: id, username: creator_id_was)
The problem is that these error messages aren't very informative:
"exception"=>"Not allowed [error-not-allowed]"
There's no log file in RocketChat and there's nothing written to stdout when this happens. That brings me to my question: How can I debug an error message like the one above?

Does LDAP store user password in clear text or as encoded text?

I am going through this spring LDAP integration article: https://spring.io/guides/gs/authenticating-ldap/
This article contains a sample LDIF file, where the passwords are presented in clear text.
dn: uid=bob,ou=people,dc=springframework,dc=org
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
cn: Bob Hamilton
sn: Hamilton
uid: bob
userPassword: bobspassword
But this user's password is encrypted:
dn: uid=ben,ou=people,dc=springframework,dc=org
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
cn: Ben Alex
sn: Alex
uid: ben
userPassword: $2a$10$c6bSeWPhg06xB1lvmaWNNe4NROmZiSpYhlocU/98HNr2MhIOiSt36
So just wondering, is this something configurable on the LDAP server? And how come one user's password is encrypted while the other user's password is not?
However, I see the Spring Security in this example is configured to use a BCrypt password encoder.
@Override
public void configure(AuthenticationManagerBuilder auth) throws Exception {
    auth
        .ldapAuthentication()
            .userDnPatterns("uid={0},ou=people")
            .groupSearchBase("ou=groups")
            .contextSource()
                .url("ldap://localhost:8389/dc=springframework,dc=org")
                .and()
            .passwordCompare()
                .passwordEncoder(new BCryptPasswordEncoder())
                .passwordAttribute("userPassword");
}
and the demo user suggested for login is ben with password benpassword. Just wondering what would happen if I log in as another user; I guess I should be denied as Spring's using bcrypt and the passwords of other users in LDAP are not encoded.
It would depend on the LDAP server, specifically, how passwords are handled. But, yeah, they're generally stored in some encrypted/hashed fashion. In the Oracle Directory Server, for example, password policies have a "Password storage scheme" which controls how the password is stored. In some directory servers, it's possible to store user passwords in clear text. In that case, anyone with read access to the passwords would be able to pull the password off of the user account. Not something I've seen set up outside of a sandbox.
The LDIF you're looking at feeds the password into the server as clear text, but the server would hash/encrypt the value based on the server / password policy configuration before storing it on the object.
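To make the stored formats concrete, here is an added helper (not from the Spring guide or any directory server) that decodes a userPassword line as it appears in LDIF, names its storage scheme, and verifies a password against the {SSHA} form that the first question's LDIF uses (the base64 "userPassword::" value there decodes to an {SSHA} string). The class name is an assumption; the SSHA layout follows RFC 2307 style "{SSHA}" + base64(sha1(password || salt) || salt).

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;
import java.util.Base64;

/** Hypothetical helper for inspecting userPassword values as they appear in LDIF. */
public final class UserPasswordInspector {
    /** Decodes one "userPassword: value" or "userPassword:: base64" LDIF line to the stored string. */
    public static String valueFromLdifLine(String line) {
        String rest = line.substring(line.indexOf(':') + 1);
        if (rest.startsWith(":")) {   // "::" marks a base64-encoded value, as in the first LDIF on this page
            return new String(Base64.getDecoder().decode(rest.substring(1).trim()), StandardCharsets.UTF_8);
        }
        return rest.trim();
    }
    /** Names the storage scheme: an RFC 2307 "{SCHEME}" prefix, a bare bcrypt string, or clear text. */
    public static String scheme(String stored) {
        int close = stored.indexOf('}');
        if (stored.startsWith("{") && close > 1) {
            return stored.substring(1, close).toUpperCase();
        }
        // Without a "{...}" prefix an OpenLDAP-style server compares the value as clear text on bind, so a
        // bcrypt string only works with a client-side encoder such as the BCryptPasswordEncoder shown above.
        return stored.startsWith("$2a$") || stored.startsWith("$2b$") ? "BCRYPT (no LDAP prefix)" : "CLEARTEXT";
    }
    // {SSHA} stores base64( sha1(password || salt) || salt ); the salt is whatever follows the 20-byte digest.
    private static byte[] sshaDigest(String password, byte[] salt) throws NoSuchAlgorithmException {
        MessageDigest sha1 = MessageDigest.getInstance("SHA-1");
        sha1.update(password.getBytes(StandardCharsets.UTF_8));
        sha1.update(salt);
        return sha1.digest();
    }
    /** Produces the value a directory would store for a clear-text password fed in via LDIF. */
    public static String hashSsha(String password, byte[] salt) throws NoSuchAlgorithmException {
        byte[] digest = sshaDigest(password, salt);
        byte[] out = Arrays.copyOf(digest, digest.length + salt.length);
        System.arraycopy(salt, 0, out, digest.length, salt.length);
        return "{SSHA}" + Base64.getEncoder().encodeToString(out);
    }
    /** Verifies a candidate against an {SSHA} value using a constant-time digest comparison. */
    public static boolean verifySsha(String stored, String candidate) throws NoSuchAlgorithmException {
        if (!"SSHA".equals(scheme(stored))) return false;
        byte[] digestAndSalt = Base64.getDecoder().decode(stored.substring("{SSHA}".length()));
        if (digestAndSalt.length < 20) return false;   // SHA-1 digest is 20 bytes; anything after it is salt
        byte[] salt = Arrays.copyOfRange(digestAndSalt, 20, digestAndSalt.length);
        return MessageDigest.isEqual(Arrays.copyOf(digestAndSalt, 20), sshaDigest(candidate, salt));
    }
}
```

Feeding it the first question's "userPassword::" line reports SSHA, while the guide's "bobspassword" and "$2a$10$..." values report CLEARTEXT and BCRYPT (no LDAP prefix); a value produced by hashSsha with a random 8-byte salt verifies only against the same password.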

Jenkins LDAP - root DN & Display Name LDAP attribute

This question is about the Jenkins LDAP root DN and the Display Name LDAP attribute.
Environment:
Jenkins Version - 2.235.5 (LTS)
LDAP Plugin - 1.24
I am trying to configure LDAP (AD) authentication in our Jenkins. Below are the configuration settings.
root DN - DC=Company,DC=domain,DC=com
User search base: OU=Users,OU=Division,OU=Team,DC=Company,DC=domain,DC=com
User search filter: sAMAccountName={0}
Group search base: OU=Users,OU=Division,OU=Team,DC=Company,DC=domain,DC=com
Group search filter: (&(objectclass=group)(cn={0}))
Group membership
Group membership filter - (&(objectCategory=group)(member:1.2.840.113556.1.4.1941:={0}))
Manager DN: CN=jenkins,OU=Users,OU=Division,OU=Team,DC=Company,DC=domain,DC=com
Manager Password: password
Display Name LDAP attribute: displayname
Email Address LDAP attribute: mail
But while testing the LDAP connection it fails with the error below.
Login
Authentication: failed for user "jenkins-user"
Lookup
User lookup: failed for user "jenkins-user"
LdapCallback;[LDAP: error code 32 - 0000208D: NameErr: DSID-03100241, problem 2001 (NO_OBJECT), data 0, best match of:
'DC=domain,DC=com'
]; nested exception is javax.naming.NameNotFoundException: [LDAP: error code 32 - 0000208D: NameErr: DSID-03100241, problem 2001 (NO_OBJECT), data 0, best match of:
'DC=domain,DC=com'
]; remaining name 'OU=Users,OU=Division,OU=Team,DC=Company,DC=domain,DC=com'
LDAP Group lookup: could not verify.
Please try with a user that is a member of at least one LDAP group.
Lockout
The user "jenkins-user" will be unable to login with the supplied password.
If this is your own account this would mean you would be locked out!
Are you sure you want to save this configuration?
If I keep the root DN empty and enable the tick mark "Allow blank rootDN", my test connection succeeds.
But I would like to know: currently I am running with the root DN empty and "Allow blank rootDN" enabled in the plugin section. Is this fine for a production environment?
Also, for the logged-in users, the display name is shown as below, which is too lengthy.
First-Name/Sur-Name/Team-Name/Location/Title/Company-Name
I would like to display only First-Name + Sur-Name. For this I tried to change the Display Name LDAP attribute to name, givenName, cn and sn, but none of them worked. So is it possible to display only First-Name + Sur-Name in Jenkins?
I have fixed it. Each time we change/update the Display Name LDAP attribute value in the LDAP configuration section, we need to delete the user from the People category and log in again. After that it displays the configured settings.

FreeRadius rlm_ldap::ldap_groupcmp: ldap_get_values() failed

I'm in the process of configuring FreeRADIUS against our LDAP server. I can authenticate from the user perspective to the RADIUS client. But when RADIUS tries to query the LDAP groups we get the errors below:
[ldap] performing search in uid=vchevakula#test.us,ou=users,dc=test,dc=us, with filter (objectclass=*)
rlm_ldap::ldap_groupcmp: ldap_get_values() failed
Or, if we change anything in the group membership filter, we get an implementation error:
[ldap] ldap_release_conn: Release Id: 0
[files] expand: (&(objectClass=GroupOfUniqueNames)(UniqueMember=%{User-Name})) -> (&(objectClass=GroupOfUniqueNames)(UniqueMember=vchevakula#test.us))
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in dc=test,dc=us, with filter (&(cn=Dev-Nw)(&(objectClass=GroupOfUniqueNames)(UniqueMember=vchevakula#cstest.us)))
[ldap] object not found
[ldap] ldap_release_conn: Release Id: 0
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in uid=vchevakula#cstest.us,ou=users,dc=test,dc=us, with filter (objectclass=*)
rlm_ldap::ldap_groupcmp: ldap_get_values() failed
[ldap] ldap_release_conn: Release Id: 0
users file in FreeRADIUS:
DEFAULT Ldap-Group == "Dev-Nw"
DEFAULT Ldap-Group == "SRE"
Reply-Message = "You are allowed"
modules/ldap in FreeRADIUS:
groupname_attribute = cn
groupmembership_filter = "(&(objectClass=GroupOfUniqueNames)(UniqueMember=%{User-Name}))"
groupmembership_attribute = radiusGroupName
I tried changing the groupmembership_filter, but none of the variants have worked so far. I'm getting the same error, which I couldn't figure out. freeradius -X keeps failing on finding the groups:
groupname_attribute = cn
#groupmembership_filter = "(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn}))"
#groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})))"
#groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
groupmembership_filter = "(&(objectClass=GroupOfUniqueNames)(UniqueMember=%{User-Name}))"
groupmembership_attribute = radiusGroupName
LDAP attributes from the LDAP server:
dn: cn=SRE,ou=groups,dc=test,dc=us
objectClass: top
objectClass: groupofUniqueNames
cn: SRE
uniqueIdentifier: XXXXXXX
description: SRE Team
uniqueMember: uid=vchevakula#test.us,ou=users,dc=test,dc=us
uniqueMember: uid=nuser#test.us,ou=users,dc=test,dc=us
I need some help configuring LDAP groups in FreeRADIUS.
Hello, I have resolved my problem.
By adding the line below to my configuration in the FreeRADIUS server, /etc/freeradius/modules/ldap:
groupmembership_filter = "(&(objectClass=GroupOfUniqueNames)(uniqueMember=%{control:Ldap-UserDn}))"

How to configure Phabricator login to use LDAP?

I have already migrated Jenkins to use LDAP login, with no problems.
But when I tried to migrate Phabricator to use LDAP, I got "Username or password are incorrect." every time, and I'm sure the same username and password can log in to Jenkins. I was using the same OpenLDAP server, and the LDAP has a read-only DN: cn=readonly,dc=my-company,dc=com. The Phabricator configuration is listed below:
Allow: "Allow Login"
LDAP Hostname & Port: exactly the same as my Jenkins configuration
Base Distinguished Name: ou=user,dc=my-company,dc=com (while the Jenkins root DN was dc=my-company,dc=com)
Search Attributes: empty
Always Search: unchecked
Anonymous Username: cn=readonly, dc=my-company, dc=com (same as the Jenkins Manager DN)
Anonymous Password: the password (same as the Jenkins Manager password)
Username Attribute: uid
Realname Attributes: empty
LDAP Version: 3
This has blocked me for two days; is there something I missed?
Thanks for your answer~
Oh, I figured it out. Phabricator has a different LDAP login mechanism from Jenkins. Phabricator always binds to LDAP with the user's DN and password (to verify the login), then searches for the user's DN itself. Below is the comment in the LDAP login code:
// This is unusual (since the bind succeeded) but we've seen it at least
// once in the wild, where the anonymous user is allowed to search but
// the credentialed user is not.
// If we don't have anonymous credentials, raise an explicit exception
// here since we'll fail a typehint if we don't return an array anyway
// and this is a more useful error.
// If we do have anonymous credentials, we'll rebind and try the search
// again below. Doing this automatically means things work correctly more
// often without requiring additional configuration.
So, LDAP users must have a search ACL, like:
olcAccess: {1}to *
  by self write
  by dn="cn=admin,dc=my-company,dc=com" write
  by dn="cn=readonly,dc=my-company,dc=com" read
  by users search
  by * none
I didn't have 'by users search' option, so login failed.
