Hi
I am running the most current release of PO. After importing the DB dump from the ITSM alpha2 release, I don't get to see the domain-based login anymore. Is it by design or a flaw?
Thx
Vishal
Vishal,
Do you want to post a quick message how you got LDAP/AD working with v3.4?
Thanks,
Venkat
Check if the "UseEmailForLoginP" parameter is set to 1. If so, the email is used instead of the username, and the domain drop-down is not shown.
Many thanks! It shows up now, and what's better is that I have been able to integrate LDAP with PO!
Now Windows users can login using their AD sign-ins.
Cheers
Vishal
Hi
Now that LDAP authentication is working fine, I have discovered new problems! :-)
When the auth is successful, even though in the LDAP driver config screen I have correctly mapped first_names=givenName etc., the same isn't correctly displayed when the user logs in. How do I correctly import all LDAP info into the PO user DB?
Thx
OK, got that sorted out as well! I am using Windows 2k3 AD, and amazingly, even if you add the info by clicking on the username in the AD Users and Computers snap-in, the full name won't appear correctly unless you rename that account in "first last" format in the initial user list screen.
Now, the next item on the agenda is how to map other info in LDAP to info in OpenACS! Any help would be greatly appreciated!
Thx
Sorry, I was so damn busy implementing PO at my company (I am the one-man army here!) that I missed this!
OK, to start with:
1. You can enable anonymous LDAP logon. Steps to do this should be available from Microsoft support, or you can Google it.
2. If you don't want to set up anonymous logon, create a separate user for DN binding, one which isn't used anywhere else.
3. First, test your LDAP connection using the ldapsearch command. I use the following command:
ldapsearch -H ldap://<ldap server IP> -b ou=<org_unit>,dc=<companyname>,dc=com -x
This should give a long list of names, which ensures that the ldapsearch command is working and that the BaseDN and IP are fine. This is how the ldapauth module connects internally via the PO interface.
1. Go to Admin -> LDAP and add a new authority
2. Give any name and select LDAP against Auth, User Info and Password Management
3. Save and select Configure Drivers...
4. Give sAMAccountName against Username
5. Give ou=<org name>,dc=<company name>,dc=com against BaseDN
6. Give ldap://<IP> against LDAP URI
7. Make the entry below against InfoAttributeMap:
first_names=givenName;last_name=sn;email=mail;screen_name=displayName;cellphone=telephoneNumber
8. Give {username}@<company.com> against BindDN
Once done, save, restart the server (you may not need to, but just in case!) and try logging in as any LDAP user other than the AD Administrator.
Tip! As a safety measure, always make the PO Admin a local user of the native PO domain, since if your LDAP server is down you may get locked out!
Hope this helps...
Thx
vishal
Hi,
Thanks for sharing your experience.
We've also set up a page about debugging LDAP:
http://www.project-open.org/documentation/package_auth_ldap_adldapsearch
Thanks!
Frank
projop executes this command when I use LDAP authentication:
Notice: auth::ldap::authentication::Authenticate: ldapsearch -x -H ldap://ldap.energ.it/ -D uid=dfini,ou=Users,dc=ENERG,dc=IT -w xxxxxxxxx
Debug: NO FULLQUERY FOR dbqd.auth-ldap-adldapsearch.tcl.auth-ldap-adldapsearch-procs.auth::ldap::authentication::Authenticate.uid -> using default SQL
Notice: auth::ldap::authentication::Authenticate: ldapsearch -n -x -H ldap://ldap.energ.it/ -D uid=dfini,ou=Users,dc=ENERG,dc=IT -w xxxxxxxxx
Debug: NO FULLQUERY FOR dbqd.auth-ldap-adldapsearch.tcl.auth-ldap-adldapsearch-procs.auth::ldap::authentication::Sync.manager_id -> using default SQL
but there is a syntax error, because it shows me this message:
User and password OK, but there were problems with the values retreived from the LDAP server.
email=, first_names=, last_name=
although when executing this command manually the LDAP query seems correct:
ldapsearch -x -H ldap://ldap.energ.it/ -D uid=xxxx,ou=Users,dc=COMPANY,dc=IT -W uid=xxxx
Any idea?
My problem is the same.
Looks like you either created a user in the native PO auth domain which has the same email id, or you haven't entered the email id field in your LDAP entry for this user. Make sure the email id field is filled in in the AD record for this user. Also, don't log in with a user who has admin rights; that won't work.
I'm not able to use LDAP as well :-(
If I try to execute the ldapsearch on the command line I get the following error:
# ldapsearch -H ldap://ipaddress:port -b ou=<value>,dc=<value>,dc=<value>,dc=de -x
# extended LDIF
#
# LDAPv3
# base <ou=<value>,dc=<value>,dc=<value>,dc=de> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# search result
search: 2
result: 1 Operations error
text: 00000000: LdapErr: DSID-0C090627, comment: In order to perform this ope
ration a successful bind must be completed on the connection., data 0, vece
# numResponses: 1
The "Show users in this authority" in project-open returns 0 as well. I did everything as described above.
Any idea?
Thanks in advance,
Loki2
I manually modified the file /web/projop/packages/auth-ldap-adldapsearch/tcl/auth-ldap-adldapsearch-procs.tcl and now it runs the command:
ldapsearch -x -H ldap://ldap.domain.it/ -D uid=user,ou=Users,dc=DOMAIN,dc=IT -w xxxxxxx uid=user
but it doesn't work. Running the command manually:
ldapsearch -x -H ldap://ldap.domain.it/ -D uid=user,ou=Users,dc=DOMAIN,dc=IT -W uid=user
and entering the user's password, the LDAP query works properly.
:(
Hi,
I am having a problem configuring LDAP in a 2k3 domain.
I followed all the steps mentioned in the guide as follows
o General Name: “LDAP”
o Short Name: “LDAP”
o Enabled: “Yes”
o Authentication: “LDAP”
o Password Management: “LDAP”
o Account Registration: “LDAP”
o User Info: “LDAP”
o Batch sync enabled: “No”
o GetDocument implementation: “-Disabled—“
o ProcessDocument implementation: “-Disabled—“
MY DOMAIN NAME: rainbownew
User created for test: open
I filled the email field in user 'open' properties as "open@rainbownew.com"
DNPattern: {username}@ctp.com -->open@rainbownew.com
UsernameAttribute: uid ---> I got confused here. First I gave "uid" only; it's not working. Then I gave "open", no use. What do I have to give here?
BaseDN: ou=People,dc=project-open,dc=com ----> DC=rainbownew,DC=com
LdapURI: “ldap://ldap.project-open.com/” ---> ldap://192.168.100.200 (Is it correct? It is my DC IP address)
I installed PO on a Windows XP PC for trial purposes.
**WHAT IS MISSING? PLEASE LET ME KNOW**
I forgot to mention I am getting "unknown email" when I try to log in as "open@rainbownew.com" with the AD password.
Is it the correct way? Please correct me.
after the last upgrade, LDAP authentication works better than before, but there is another question to solve:
Invalid user: Your authentication was successful, but your user account does not exist in our database
This error shows when I put the user and password for my LDAP access. How can I import all my LDAP users into projop?
thanks in advance
Hi Alpiq,
Please see http://www.project-open.org/documentation/package_auth_ldap_adldapsearch for "Your authentication was successful".
Cheers!
Frank
Thanks fraber, but I don't understand your post in the documentation very well. I'm sorry.
Hi Alpiq,
You will have to update a field in the "users" table called "authority_id" to your LDAP authority:
Execute: "select authority_id from auth_authorities;"
I get two results: "9" and "32214". "9" is the original/old one; 32214 must be the new one.
Now execute: "update users set authority_id = 32214 where username = 'your_user_name';"
Now the user with the username "your_user_name" should be able to authenticate against LDAP.
Cheers!
Frank
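Frank's two statements generalised, as an added example (not project code; modelled in SQLite so it runs offline, the UPDATE being the same one Frank gives for the Postgres database): look the LDAP authority up by its short name instead of guessing which id "must be the new one", move every registered user that exists in the directory in one transaction, leave a break-glass admin on the native authority as Vishal's tip above advises, and offer a dry run first. users.username, users.authority_id and auth_authorities.authority_id are named in the thread; auth_authorities.short_name, the user rows and the "sysadmin" name are assumptions made for the example.

```python
"""Re-point existing ]po[ users to the LDAP authority, as Frank's post does for
one user, but for every directory user at once and never for the local admin.
Added example, not project code.  Modelled in SQLite so it runs offline; the
UPDATE is the one Frank gives for the Postgres database.  users.username,
users.authority_id and auth_authorities.authority_id are named in the thread;
auth_authorities.short_name is an assumption about the OpenACS schema."""
import sqlite3

LOCAL_AUTHORITY, LDAP_AUTHORITY = 9, 32214   # the two ids Frank's SELECT returned


def demo_connection():
    """Constructed data: the two authorities and a few users still on the local one."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE auth_authorities (authority_id INTEGER PRIMARY KEY, short_name TEXT NOT NULL);
        CREATE TABLE users (user_id INTEGER PRIMARY KEY, username TEXT UNIQUE NOT NULL,
                            authority_id INTEGER NOT NULL REFERENCES auth_authorities);
        INSERT INTO auth_authorities VALUES (9, 'local'), (32214, 'LDAP');
        INSERT INTO users VALUES (1, 'sysadmin', 9), (2, 'jdoe', 9), (3, 'carlos', 9), (4, 'ghost', 9);
    """)
    return conn


def ldap_authority_id(conn, short_name="LDAP"):
    """Look the authority up by name instead of guessing which id is the new one."""
    row = conn.execute("SELECT authority_id FROM auth_authorities WHERE short_name = ?",
                       (short_name,)).fetchone()
    if row is None:
        raise LookupError("no authority with short_name %r" % short_name)
    return row[0]


def authority_of(conn, username):
    """Current authority_id of a ]po[ user, or None if not registered."""
    row = conn.execute("SELECT authority_id FROM users WHERE username = ?", (username,)).fetchone()
    return row[0] if row else None


def migrate_users_to_ldap(conn, ldap_usernames, keep_local=("sysadmin",), dry_run=False):
    """Set authority_id to the LDAP authority for every ]po[ user that exists in
    the directory (ldap_usernames, e.g. the uid values from an ldapsearch), but
    leave keep_local on the native authority so an LDAP outage cannot lock the
    admin out.  Directory users not registered in ]po[ are left alone (they get
    'your user account does not exist in our database' until registered).
    Returns the usernames that were (or, with dry_run, would be) changed."""
    target = ldap_authority_id(conn)
    candidates = sorted(set(ldap_usernames) - set(keep_local))
    if not candidates:
        return []
    marks = ",".join("?" * len(candidates))
    rows = conn.execute(
        "SELECT username FROM users WHERE authority_id <> ? AND username IN (%s) ORDER BY username" % marks,
        [target] + candidates).fetchall()
    changed = [r[0] for r in rows]
    if changed and not dry_run:
        with conn:   # one transaction: all rows move or none do
            conn.executemany("UPDATE users SET authority_id = ? WHERE username = ?",
                             [(target, u) for u in changed])
    return changed


if __name__ == "__main__":
    conn = demo_connection()
    directory = ["sysadmin", "jdoe", "carlos", "newhire"]
    print("would change:", migrate_users_to_ldap(conn, directory, dry_run=True))
    print("changed:", migrate_users_to_ldap(conn, directory))
    for u in ("sysadmin", "jdoe", "ghost", "newhire"):
        print(u, authority_of(conn, u))
```

Run the dry run first and compare its list against the directory export before committing; the admin named in keep_local stays on authority 9 on purpose, which is what keeps a local login available when the LDAP server is unreachable.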
Perfect... Now I have my new user in the LDAP authority. However, when I try to log in the system shows me again:
User and password OK, but there were problems with the values retreived from the LDAP server.
email=, first_names=, last_name=
In the LDAP driver configuration I've put:
DNPattern: uid={username}
UsernameAttribute: uid
BaseDN: ou=Users,dc=xxxxx,dc=IT
LdapURI: ldap://ldap.xxxx.it/
InfoAttributeMap: first_names=givenName;last_name=sn;email=mail;screen_name=displayName
Attributes: uid={username};cn={{first_names} {last_name}};sn={last_name};givenName={first_names};mail={email}
PasswordHash: MD5
BindDN: uid={username},ou=Users,dc=xxxxx,dc=IT
Do you have any idea?
Hi!
I'm new in ]po[ and I'm just testing it. For that purpose, I've downloaded ver 3.4 Virtual Machine. Now I'm trying to authenticate my users against Zimbra OpenLDAP server. I read the documents and posts about AD LDAP configuration, followed them but I found some problems.
First of all, I read this document:
http://www.project-open.org/documentation/package_auth_ldap_adldapsearch
and I figured out that there is some mistake about the ldapsearch version. The document states that the right version of ldapsearch should be the one in the OpenLDAP package. The provided VM has a CentOS version with openldap and openldap-clients ver 2.3.27. For that version of ldapsearch, the test suggested in the document does not work. If I run
#ldapsearch -h
I do have a full help screen. Moreover, the Tcl script (/web/projop/packages/auth-ldap-adldapsearch/tcl/auth-ldap-adldapsearch-procs.tcl) builds the ldapsearch authentication string using the '-H' option instead of '-h' to specify the LDAP host. In order to authenticate against my LDAP server, I modified this script, changing '-H' to '-h' and removing the '-n' option, which tells ldapsearch to do nothing.
I succeeded in authentication but I still cannot login into ]po[.
If I use any invalid user/pass pair, I obtain:
**Bad user or password:
ldap_bind: Invalid credentials (49) **
which is right, and if I use a valid user/pass pair, I obtain:
**Error in include template "/web/projop/packages/acs-subsite/lib/login": Query did not return any rows. **
Can anyone help me about this issue?
Should I downgrade the openldap package version installed in the VM? To which version?
How can I debug the problem?
Thank you very much!
Just so you know, the adldap module is actually designed for authenticating against an MS AD server and not actual LDAP. However, I will be working a bit on the code to include generic LDAP support (version string checks of the ldapsearch client and custom filters).
Seeing as I do all my auth against a modified OX LDAP server, I am in a situation where a standard LDAP module won't work correctly, much less an AD module.
chuck
And as far as your error is concerned, if I remember correctly you need to update your user account records in Postgres to reflect that the LDAP server is the login authority for that account.
See post #19.
Hi chuck
Thank you very much. I succeeded in authentication and login into ]po[!!!
I've already read the post #19 but I thought it was a different problem because the user I was testing with was already in both databases, local and OpenLDAP.
So, if I've understood correctly, should I register all my OpenLDAP users in the ]po[ database and change the authority_id field for every one of them?
Thank you again!
carlos
PS.: also thanks for working in the generic LDAP support and on the ldapsearch version check.
Carlos,
Yes. All users must have their authority_id changed to LDAP after registration; otherwise you will only have problems. Also be careful if your LDAP server is base64-encoding special characters, as it will lead to problems at login.
I submitted a bug regarding this in the tracker, but as it mostly affects installs that are using standard LDAP servers and not MS AD servers it may not make it into the code base until I have the generic LDAP support finished.
chuck
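The pieces the driver has to get right in this thread's configuration, as an added example in Python (not the project's Tcl code from auth-ldap-adldapsearch-procs.tcl): building the ldapsearch call from the driver parameters in Vishal's how-to and Alpiq's configuration, reading the LDIF reply, and applying the InfoAttributeMap so that an entry whose mail attribute is unset is reported the way the "User and password OK, but there were problems with the values retrieved" message does, with email=, first_names= or last_name= empty. The parser also decodes the base64 ("::") values chuck warns about and unfolds continuation lines. The DRIVER values are the thread's own placeholders, the LDIF reply is constructed, and the password-file path is an assumption; unlike the logged commands in the thread, which pass the password with -w where any local user can read it from the process list, the argv here uses -y so it stays out of `ps`, and the username is escaped before it goes into the search filter.

```python
"""What the auth-ldap-adldapsearch driver has to do with the parameters posted
in this thread: build the ldapsearch call, read the LDIF it returns, and map
LDAP attributes onto ]po[ user fields.  Added example, not the project's Tcl
code.  The driver values are the thread's placeholders; the LDIF is constructed."""
import base64
import shlex

# Driver parameters as posted by Alpiq (placeholders kept as in the thread).
DRIVER = {
    "DNPattern": "uid={username}",
    "UsernameAttribute": "uid",
    "BaseDN": "ou=Users,dc=xxxxx,dc=IT",
    "LdapURI": "ldap://ldap.xxxx.it/",
    "InfoAttributeMap": "first_names=givenName;last_name=sn;email=mail;screen_name=displayName",
    "BindDN": "uid={username},ou=Users,dc=xxxxx,dc=IT",
}

# Constructed ldapsearch -LLL output: one complete entry with a base64 ('::')
# value and a folded line, and one entry whose mail attribute is unset.
SAMPLE_LDIF = """\
dn: uid=jdoe,ou=Users,dc=xxxxx,dc=IT
uid: jdoe
givenName:: Sm9zw6k=
sn: Doe
displayName: Jose Doe, Example S.p.A., a display name long enough for ldaps
 earch to fold it onto a second line
mail: jdoe@example.com

dn: uid=nomail,ou=Users,dc=xxxxx,dc=IT
uid: nomail
givenName: No
sn: Mail
displayName: No Mail
"""


def parse_attribute_map(spec):
    """'first_names=givenName;last_name=sn' -> {'first_names': 'givenName', ...}."""
    pairs = (item.split("=", 1) for item in spec.split(";") if item.strip())
    return {po.strip(): ldap.strip() for po, ldap in pairs}


def ldap_filter_escape(value):
    """RFC 4515 escaping, so a username such as 'a)(uid=*' cannot widen the
    search filter the driver builds from it."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def build_ldapsearch_argv(driver, username, password_file):
    """The ldapsearch call as an argv list (no shell string to quote).

    The thread's log lines pass the password with -w on the command line, where
    any local user can read it from the process list; -y <file> keeps it out.
    password_file is an assumed path, not a driver parameter."""
    bind_dn = driver["BindDN"].replace("{username}", username)
    search_filter = "(%s=%s)" % (driver["UsernameAttribute"], ldap_filter_escape(username))
    wanted = sorted(parse_attribute_map(driver["InfoAttributeMap"]).values())
    return ["ldapsearch", "-x", "-LLL", "-H", driver["LdapURI"], "-D", bind_dn,
            "-y", password_file, "-b", driver["BaseDN"], search_filter] + wanted


def parse_ldif(text):
    """Parse LDIF into a list of {attribute: [values]} dicts.

    Unfolds continuation lines (leading space) and decodes 'attr:: <base64>'
    values, which OpenLDAP emits for non-ASCII data such as accented names."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # folded continuation of the previous line
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:             # trailing "" flushes the last entry
        if line.startswith("#"):
            continue
        if not line:
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):         # base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(attr, []).append(value)
    return entries


def map_user_info(entry, driver):
    """Apply InfoAttributeMap to one entry.  Returns (info, missing); a
    non-empty 'missing' is the situation behind the thread's 'User and
    password OK, but there were problems with the values retrieved' message."""
    amap = parse_attribute_map(driver["InfoAttributeMap"])
    info = {po: (entry.get(ldap) or [""])[0] for po, ldap in amap.items()}
    missing = [po for po in ("email", "first_names", "last_name") if not info.get(po)]
    return info, missing


if __name__ == "__main__":
    argv = build_ldapsearch_argv(DRIVER, "jdoe", "/run/projop/ldap.pw")
    print(" ".join(shlex.quote(a) for a in argv))
    for entry in parse_ldif(SAMPLE_LDIF):
        info, missing = map_user_info(entry, DRIVER)
        print(entry["uid"][0], info, "missing:", missing)
```

Run it as a script to see the command line and the mapped fields for both entries; the second entry shows exactly which ]po[ field the directory record is failing to supply, which is the check to make before blaming the attribute map. The argv is built as a list so that a real call is a subprocess.run(argv, capture_output=True) away with no shell involved.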