LDAP / Active Directory Authentication Problem

LDAP / Active Directory Authentication Problem

Post by khanal »

Hi,
I have hit a wall trying to configure CmapServer 6.01.04 (running on Suse Linux Enterprise Server 12) to use our Active Directory server to authenticate users.

I am entering ldap-related values into serverconfig.txt as follows (some values lightly disguised):

Code:

user.authentication=authentication.standard,authentication.ldap
ldap.root.folder.account=myaccount
ldap.root.folder.password=encrypted
ldap.user.directory.ip=ams-ads-01.ad.my.org
ldap.user.directory.port=636
ldap.user.directory.connection.mode=ssl
ldap.user.directory.usersBaseDN=OU\=PRV,OU\=USR,OU\=AMS,OU\=ORG,DC\=ad,DC\=my,DC\=org
ldap.user.directory.groupsBaseDN=OU\=STD,OU\=GRP,OU\=AMS,OU\=ORG,DC\=ad,DC\=my,DC\=org
ldap.user.directory.userAttr=sAMAccountName
ldap.user.directory.groupAttr=cn
ldap.user.directory.debug=true
This results in the following errors in the log:

Code:

case 0: bindPlain? false
case 2: getUserDN
getUserDN: looking up? false
getUserDN: returning default
trying first bind with sAMAccountName=myaccount,OU=PRV,OU=USR,OU=AMS,OU=ORG,DC=ad,DC=my,DC=org
(CLASS: nlk.acl.directory.ldap.LDAPUserDirectory METHOD: bind LINE: 837)
javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903D0, comment: AcceptSecurityContext error, data 52e, v2580^@]
        at com.sun.jndi.ldap.LdapCtx.mapErrorCode(Unknown Source)
        at com.sun.jndi.ldap.LdapCtx.processReturnCode(Unknown Source)
        at com.sun.jndi.ldap.LdapCtx.processReturnCode(Unknown Source)
        at com.sun.jndi.ldap.LdapCtx.connect(Unknown Source)
        at com.sun.jndi.ldap.LdapCtx.<init>(Unknown Source)
        at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(Unknown Source)
        at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(Unknown Source)
        at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(Unknown Source)
        at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(Unknown Source)
        at us.ihmc.net.ssl.SSLInitialContextFactory.getContext(SSLInitialContextFactory.java:171)
        at us.ihmc.net.ssl.SSLInitialContextFactory.getInitialContext(SSLInitialContextFactory.java:93)
        at nlk.acl.directory.ldap.LDAPHelper.bind(LDAPHelper.java:68)
        at nlk.acl.directory.ldap.LDAPUserDirectory.bind(LDAPUserDirectory.java:830)
        at nlk.acl.directory.ldap.LDAPUserDirectory.authenticateUser(LDAPUserDirectory.java:338)
        at nlk.base.LDAPAuthenticator.authenticateUser(LDAPAuthenticator.java:24)
        at nlk.acl.NewCmapACLManager.checkPermission(NewCmapACLManager.java:148)
        at nlk.acl.NewCmapACLManager.checkPermission(NewCmapACLManager.java:37)
        at nlk.resio.ResourceService.getFolderTOC(ResourceService.java:1107)
        at nlk.resio.ResourceService.handleHashtable(ResourceService.java:161)
        at nlk.resio.ResourceService.requestToService(ResourceService.java:96)
        at edu.uwf.server.ServiceManager.requestToService(ServiceManager.java:317)
        at edu.uwf.server.ConnManager.handleConnection(ConnManager.java:244)
        at edu.uwf.net.socket.ConnHandlerThreadCache$HandlerThread.run(ConnHandlerThreadCache.java:142)
Since I know from testing with ldapsearch that I can bind and search successfully with CN=firstname lastname instead of sAMAccountName, just to see whether this works I changed these entries in serverconfig.txt:

Code:

ldap.root.folder.account=myfirstname mylastname
ldap.user.directory.userAttr=CN
And sure enough, there are no longer any errors; the logs show:

Code:

case 0: bindPlain? false
case 2: getUserDN
getUserDN: looking up? false
getUserDN: returning default
trying first bind with CN=myfirstname mylastname,OU=PRV,OU=USR,OU=AMS,OU=ORG,DC=ad,DC=my,DC=org
The problem is, I cannot ask users to enter their firstname lastname instead of their logon names, and second, CmapTools won't allow user names with a space in them anyway.

So, any ideas on how this problem can be addressed? Full log attached for details.

p.s. I have also tried the build of CmapServer 150904-0033 that apparently has a fix for a different ldap / AD bug, referenced in this thread viewtopic.php?f=8&t=3979.
Attachment: log 20160715_1700.txt (log file)
Re: LDAP / Active Directory Authentication Problem

Post by cmapadmin »

In my experience, when binding with the sAMAccountName, ActiveDirectory generally requires it to be of the form:
sAMAccountName@domain
e.g. jlott@IHMC
Notice that when binding with sAMAccountName, ActiveDirectory expects exactly this format, *not* a fully qualified domain name.

You can try it with ldapsearch first and see if it works. If so, you should be able to use "user@domain" for logging in with CmapTools (CmapTools tries both cases for binding: the fully qualified DN as well as the plain userId).

Another possibility you can try, if you don't like the user@domain convention, is using "userPrincipalName" as the attribute, rather than "sAMAccountName", if your AD server is configured to support it. If you run into trouble, try binding like this with ldapsearch and let us know the results.
Re: LDAP / Active Directory Authentication Problem

Post by cmapadmin »

Typo -- that should read "not a fully qualified distinguished name" rather than domain name.
Re: LDAP / Active Directory Authentication Problem

Post by khanal »

I've been trying various things over the last week, still no luck. Here is some further info.

1. On trying with ldapsearch

Here are the ldapsearch commands I've tried:

Code:

ldapsearch -x -W -H ldaps://ip=ams-ads-01.ad.my.org -b DC=ad,DC=my,DC=org -D sAMAccountName uid=somebody
This doesn't work; it gives:
ldap_bind: Invalid credentials (49)
additional info: 80090308: LdapErr: DSID-0C0903D0, comment: AcceptSecurityContext error, data 52e, v2580

What works: changing the -D option to sAMAccountName@domain (i.e. using the example above, somebody@myworks), as stated in the post above, thanks.
Also works: changing the -D option to the userPrincipalName (i.e. somebody@ad.my.org), but unfortunately the userPrincipalName is in the format somebody@ad.my.org (not even email address format, which is somebody@my.org).

As an aside, I verified that ldapsearch is indeed using openldap client (as configured on my server in /etc/openldap/ldap.conf) and not other ldap.conf settings:

Code:

strace ldapsearch -x  2>&1 | fgrep .conf | grep -v '\(resolv\|nsswitch\|host\).conf'
or

Code:

strings $(ldd $(readlink -e $(which ldapsearch)) | awk -F'(=>|[[:space:]]\\()' '$2 ~ /ldap/ {print $2}') | fgrep .conf
So I'm out of ideas with ldapsearch, not sure if I can succeed via ldapsearch in finding out how users can authenticate in CmapTools with their usual username (eg somebody) and password, not with @domain or @ad.my.org appended.


2. On this server there are client settings for openldap (/etc/openldap/ldap.conf), which I installed myself, and for the ldap set up by the distro (Suse Linux Enterprise Server 12) (/etc/ldap.conf), as set up by our IT department. For the latter, SSH login to the server authenticates against the AD server correctly using just username and password (there are pam and nss parameters in /etc/ldap.conf). For the former, I have Dokuwiki and Limesurvey on this server also authenticating using just username and password, using openldap.

E.g. Limesurvey has two options, simple bind, and search and bind. Both work when configured in the Limesurvey LDAP plugin settings as follows:

Simple bind...

Code:

Ldap server: ldaps://ip=ams-ads-01.ad.my.org
Port number: 636
LDAP version: LDAPv3
Select how to perform authentication: Simple bind
Username prefix: (leave blank)
Username suffix: @ad.my.org
Search and bind...

Code:

Ldap server: ldaps://ip=ams-ads-01.ad.my.org
Port number: 636
LDAP version: LDAPv3
Select true if referrals must be followed (use false for AD): false
Enable Start-TLS: True
Select how to perform authentication: Search and bind
Attribute to compare to the given login: uid
Base DN for the user search operation: DC=ad,DC=my,DC=org
Optional extra LDAP filter: (leave blank)
Optional DN of the LDAP account used to search for the end user's DN (anonymous bind performed if empty): LinuxLDAP
Password of the LDAP account used to search for the end user's DN if previously set: passwordinplaintexthere
LDAP attribute of email address: mail
LDAP attribute of full name: name
When I look at the CmapServer log, I see it trying to bind as follows:
user attribute specified in serverconfig.txt, e.g. uid=(value entered by the user as their username in CmapTools),DN as entered in serverconfig.txt
or
uid=somebody,OU=PRV,OU=USR,OU=AMS,OU=ORG,DC=ad,DC=my,DC=org

According to these docs, such a bind will only succeed if that happens to be the DN that was initially used to create the entry.
http://www.zytrax.com/books/ldap/apa/binddn.html

As it does not work for me, I suppose that is not the case, nor is it for sAMAccountName or userPrincipalName, as using these as the user attribute is also unsuccessful.

I have also tried setting the usersBaseDN to DC=ad,DC=my,DC=org as that is how it was configured for Limesurvey, but still no luck.

CmapServer log attached showing a CmapTools user who enters somebody as username and their password when starting CmapTools, and then, when prompted for username and password (as authentication with those credentials fails), enters somebody@ad.my.org and their password, which succeeds.

Grateful for any further ideas...
Attachment: log.cmapserver.20160722.txt
Re: LDAP / Active Directory Authentication Problem

Post by cmapadmin »

Unfortunately the solutions that you have found to be working are probably your best option at this point (e.g. user@domain or user@domain.com). Apparently Limesurvey has some configuration parameters (username suffix) which allow it to append the "@domain" to the username automatically, so it works nicely with ActiveDirectory. CmapTools was designed to support standard LDAP servers; however, since we have not specifically targeted ActiveDirectory, we don't currently support this configuration feature. We may consider this in a future version, as it does seem useful for cases like yours.

In the meantime, you have 3 options:
1) just have users add the @domain when logging in (they only have to do this once in their user profile and then it will be saved for future logins)
2) configure ActiveDirectory to allow anonymous binds to lookup the user DN (like Search and Bind from Limesurvey that you described; however we currently only support anonymous lookups rather than specifying an account/password to use)
3) set up an OpenLDAP server which mirrors the accounts from ActiveDirectory, configure it to support plain binds using just the userId, and point the CmapServer to this LDAP server (obviously this one is beyond the scope of this forum)

Thanks for all of your feedback, we will certainly keep it in mind when making future improvements to CmapTools.
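The two bind styles this thread contrasts, CmapServer's direct bind with a DN built as userAttr=login,usersBaseDN (which fails with "data 52e" against AD) versus Limesurvey's search-and-bind, and the alternate bind names AD accepts (user@NETBIOS, userPrincipalName), as an added example that is not part of this thread and not CmapServer code. It runs offline against a small in-memory stand-in for a domain controller: the entries, the service account CN=LinuxLDAP,OU=SVC,... and all passwords are constructed for the example. Two points a practitioner wants when wiring a login form to an LDAP search: the user-typed login goes into a search filter, so it is escaped per RFC 4515 before use, and the "data NNN" hint in AD's AcceptSecurityContext diagnostic is the only thing that distinguishes a wrong password from a locked or disabled account, since the LDAP result code is 49 for all of them.

```python
"""Search-and-bind against an AD-style directory, run offline against a tiny
in-memory stand-in. Added example for this thread; not CmapServer code."""
import re

# RFC 4515: only these five characters need escaping inside a filter value.
# Unescaped, a login such as  somebody)(|(cn=*  would rewrite the filter.
def escape_filter_value(value: str) -> str:
    return ''.join('\\%02x' % ord(c) if c in '\\*()\x00' else c for c in value)


def _unescape_filter_value(value: str) -> str:
    return re.sub(r'\\([0-9a-fA-F]{2})',
                  lambda m: chr(int(m.group(1), 16)), value)


# The "data NNN" hint in AD's AcceptSecurityContext diagnostic (the 52e in the
# log above); AD returns the same generic error code 49 for all of these.
AD_BIND_HINTS = {
    '525': 'user not found', '52e': 'invalid credentials',
    '530': 'not permitted to log on at this time',
    '531': 'not permitted to log on at this workstation',
    '532': 'password expired', '533': 'account disabled',
    '701': 'account expired', '773': 'user must reset password',
    '775': 'account locked out',
}
_HINT_RE = re.compile(r'AcceptSecurityContext error, data ([0-9a-f]+)')


def explain_ad_bind_error(diagnostic: str):
    m = _HINT_RE.search(diagnostic)
    return AD_BIND_HINTS.get(m.group(1), 'unknown hint ' + m.group(1)) if m else None


class BindError(Exception):
    pass


class FakeDirectory:
    """Stand-in for a domain controller: entries keyed by DN. Like AD it accepts
    a bind name that is the DN, the userPrincipalName, sAMAccountName@NETBIOS or
    NETBIOS\\sAMAccountName; a DN built as sAMAccountName=x,OU=... matches nothing."""

    def __init__(self, netbios: str, entries: dict):
        self.netbios, self.entries = netbios, entries

    def bind(self, name: str, password: str) -> str:
        for dn, attrs in self.entries.items():
            sam = attrs['sAMAccountName']
            names = {dn, attrs['userPrincipalName'], f'{sam}@{self.netbios}',
                     f'{self.netbios}\\{sam}'}
            if name.lower() in {n.lower() for n in names}:
                if attrs['password'] == password:
                    return dn
                break
        raise BindError('[LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903D0, '
                        'comment: AcceptSecurityContext error, data 52e, v2580]')

    def search(self, base_dn: str, filt: str) -> list:
        """Single-attribute equality filter only; anything else is refused."""
        m = re.fullmatch(r'\((\w+)=([^()*]*)\)', filt)
        if not m:
            raise ValueError('unsupported filter: ' + filt)
        attr, value = m.group(1), _unescape_filter_value(m.group(2)).lower()
        return [dn for dn, a in self.entries.items()
                if dn.lower().endswith(base_dn.lower())
                and a.get(attr, '').lower() == value]


def search_and_bind(directory, service_dn, service_pw, base_dn,
                    login_attr, login, password):
    """Bind as the service account, find the user's real DN, then bind as that DN."""
    directory.bind(service_dn, service_pw)
    filt = f'({login_attr}={escape_filter_value(login)})'
    hits = directory.search(base_dn, filt)
    if len(hits) != 1:
        raise BindError(f'{filt}: expected exactly one entry under {base_dn}, got {len(hits)}')
    return directory.bind(hits[0], password)


USERS_BASE_DN = 'OU=PRV,OU=USR,OU=AMS,OU=ORG,DC=ad,DC=my,DC=org'
SERVICE_DN = 'CN=LinuxLDAP,OU=SVC,DC=ad,DC=my,DC=org'
# Constructed sample entries and passwords for this example (not real accounts).
DIRECTORY = FakeDirectory('AD', {
    'CN=Some Body,' + USERS_BASE_DN: {
        'sAMAccountName': 'somebody', 'userPrincipalName': 'somebody@ad.my.org',
        'password': 'user-pass'},
    SERVICE_DN: {
        'sAMAccountName': 'LinuxLDAP', 'userPrincipalName': 'LinuxLDAP@ad.my.org',
        'password': 'svc-pass'},
})


def try_bind(name, password):
    """Return the bound DN, or the decoded AD hint when the bind is refused."""
    try:
        return DIRECTORY.bind(name, password)
    except BindError as e:
        return 'refused: ' + str(explain_ad_bind_error(str(e)))


if __name__ == '__main__':
    # What CmapServer does with userAttr=sAMAccountName: a DN that does not exist.
    print(try_bind('sAMAccountName=somebody,' + USERS_BASE_DN, 'user-pass'))
    print(try_bind('somebody@AD', 'user-pass'), try_bind('somebody@ad.my.org', 'user-pass'))
    print(search_and_bind(DIRECTORY, SERVICE_DN, 'svc-pass', USERS_BASE_DN,
                          'sAMAccountName', 'somebody', 'user-pass'))
```

The search base matters as much as the filter: with usersBaseDN set to the PRV organizational unit, the service account under OU=SVC is out of scope and cannot be used as a login, which is the least-privilege reason to keep a narrow base rather than searching from DC=ad,DC=my,DC=org as the Limesurvey configuration does.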
Re: LDAP / Active Directory Authentication Problem

Post by kimprince »

Can someone help me please? I can't see the "create a new topic" button. I'm extremely bad with computers and I desperately need to find out how to expand my Cmap beyond its current borders. I have run out of space and need more; please, I'm so desperate and confused, and have to finish this assignment, and no one can help me!
Thank you so much in advance,
Kim
Re: LDAP / Active Directory Authentication Problem

Post by cmapadmin »

The canvas will enlarge to the right and bottom based on what is dragged past the edge, but does not have the auto scrolling which would keep increasing the size. So for now if you want to enlarge it quickly, select two objects which are separated and drag the one farthest from the edge to the edge, scroll and repeat.
Re: LDAP / Active Directory Authentication Problem

Post by khanal »

Thank you for the options, unfortunately they are not workable in our environment given our IT policies and restrictions.

So reluctantly we'll have to put our plans for CmapServer on hold. I hope not indefinitely, and I hope that a fix for this particular Active Directory issue (which it sounds like you've already got a pretty good idea how to implement) makes its way onto your roadmap soon.

If there's anything we can do to help this happen, do let us know.