Question about configuring LDAP in cf-175

[pjmo...@ncsu.edu]

First, thanks to those who have gone before in configuring ldap and posting about it  here (e.g.[Adding LDAP authentication to login](https://groups.google.com/a/cloudfoundry.org/forum/#!searchin/vcap-dev/ldap/vcap-dev/LqWdKwPsxp0/ubC3dMYHoUcJ) and  [Using LDAP with UAA](https://groups.google.com/a/cloudfoundry.org/forum/#!searchin/vcap-dev/ldap/vcap-dev/11OizdQn2-0/UXZ12sXK56EJ).

I've edited our uaa manifest to include ldap-specific configuration, like so:
uaa:
    spring_profiles: ldap
    ldap:
      profile: ldap/ldap-search-and-bind.xml
    base:
      url: 'ldap.ncsu.edu'
      userDn: 'uid={0},dc=mydc,dc=mydomain'
      password: 'mypassword'
      searchBase: 'dc=mydc,dc=mydomain'
      searchFilter: 'ou=accounts,uid={0}'

When I used the login server to send a uaa request, uaa logged this:

uaa.log:[2014-07-23 01:39:21.024] uaa - 1971 [http-bio-8080-exec-8] .... DEBUG --- BindAuthenticator: Attempting to bind as cn=myid,ou=Users,dc=test,dc=com

The bind information appears to correspond to text in [ldap-simple-bind.xml](https://github.com/cloudfoundry/uaa/blob/36efbc0bf6186a4abaf51c04e55cdb2d5e15091b/uaa/src/main/webapp/WEB-INF/spring/ldap/ldap-simple-bind.xml), line 36:

    value="${ldap.base.userDnPattern:cn={0},ou=Users,dc=test,dc=com}" />

I tried re-deploying with 'userDnPattern' set, but the bind remained the same.

Two questions:

If you've overridden the defaults, how did you go about doing so?

Is it possible that the configuration code for uaa (UAAConfiguration.java?) needs to be revised to read in and replace the ldap parameters?

[Filip Hanik]

you almost got the config right, the ldap.profile.file attribute is missing

ldap:

  profile:

    file: ldap/ldap-search-and-bind.xml

  base:

    url: 'ldap://localhost:10389/'

    userDn: 'cn=admin,dc=test,dc=com'

    password: 'password'

    searchBase: 'dc=test,dc=com'

    searchFilter: 'cn={0}'

--
You received this message because you are subscribed to the Google Groups "Cloud Foundry Developers" group.
To view this discussion on the web visit https://groups.google.com/a/cloudfoundry.org/d/msgid/vcap-dev/6948fbcb-d1a9-4315-82f9-3ad55cd15300%40cloudfoundry.org.

To unsubscribe from this group and stop receiving emails from it, send an email to vcap-dev+u...@cloudfoundry.org.

[pjmo...@ncsu.edu]

I was relieved (and annoyed) that it was only my slip... until I checked the mainfest, where I'd written it correctly:
    ldap:
      profile: ldap/ldap-search-and-bind.xml

On reflection, that appears to be where it's pulling the default text from for the attempted bind.

[Filip Hanik]

I may be misunderstanding you when you say that you have it correct,

you have

    ldap:
      profile: ldap/ldap-search-and-bind.xml

this is INCORRECT, it should be

    ldap:
      profile: 

        file: ldap/ldap-search-and-bind.xml

To view this discussion on the web visit https://groups.google.com/a/cloudfoundry.org/d/msgid/vcap-dev/096b76c4-d986-4b1e-b933-ca6cbe8afd8f%40cloudfoundry.org.

[aa...@hubernet.net]

I think there is some confusion in this thread between what goes in the BOSH manifest and what goes in the uaa.yml on the UAA server.  The profile.file syntax is generated by the uaa.yml.erb, but what you need in your manifest is something like this (this is tested on v175):

  uaa:
    spring_profiles: ldap
    ldap:
      profile_type: search-and-bind
      searchBase: "DC=domain,DC=com"
      searchFilter: "(&(userPrincipalName={0})(objectClass=user))"
      url: "ldaps://gc.domain.com:3269/"
      userDN: "CN=User,OU=Accounts,DC=domain,DC=com"
      userPassword: 12345

Aaron Huber

Intel Corporation

[Filip Hanik]

Aaron, is correct.  Thanks for pointing it out!!

You have in your BOSH manifest

uaa:
    spring_profiles: ldap
    ldap:
      profile: ldap/ldap-search-and-bind.xml
    base:
      url: 'ldap.ncsu.edu'
      userDn: 'uid={0},dc=mydc,dc=mydomain'
      password: 'mypassword'
      searchBase: 'dc=mydc,dc=mydomain'
      searchFilter: 'ou=accounts,uid={0}'

this should be 

uaa:
    spring_profiles: ldap
    ldap:
      profile: search-and-bind
    base:
      url: 'ldap://ldap.ncsu.edu'
      userDN: 'uid=this-must-be-a-username,dc=mydc,dc=mydomain'
      userPassword: 'mypassword'

      searchBase: 'dc=mydc,dc=mydomain'
      searchFilter: 'ou=accounts,uid={0}'

differences in bold

But it may be easier to look at 5 different configuration examples attached to this story

https://www.pivotaltracker.com/story/show/73741550

For example

properties:
  uaa:
    ldap:
      enabled: true
      profile_type: search-and-bind
      url: ldap://192.168.50.4:389/
      mailAttributeName: mail
      userDN: 'cn=admin,dc=test,dc=com'
      userPassword: 'password'
      searchFilter: 'cn={0}'
      searchBase: 'dc=test,dc=com'

if you are editing the uaa.yml on the UAA directly, then 

We're adding a bit more documentation in the next release

https://github.com/cloudfoundry/uaa/blob/develop/docs/UAA-LDAP.md#configuration-references

To view this discussion on the web visit https://groups.google.com/a/cloudfoundry.org/d/msgid/vcap-dev/a53bb1e9-e195-4f56-979f-bd909571f7e3%40cloudfoundry.org.

[pjmo...@ncsu.edu]

 
All the lights came on when I added 'enabled: true' to the ldap section of the manifest (a post-spiff .yml file containing all the jobs, etc...), following the conventions Aaron pointed out.

Thanks All,
Pat
 
The 

[Filip Hanik]

uaa.ldap.enabled is a future property, not in the code yet. not sure how it may have worked for you :)

It will come from this branch, in a PR shortly

https://github.com/pjk25/cf-release/commit/efdf5c3c916365d9880950c5ec7dd3d5f37006a1#diff-a3b26b477bf92df27717f5b4b79b3c00R12

we are trying to deprecate uaa.spring_profiles as the attribute name is really an implementation detail rather than a feature or function. So uaa.ldap.enabled will be used. If other 'profiles' are implemented in the future, we will add similar enabled/disabled flags per feature in a descriptive attribute

Filip

To view this discussion on the web visit https://groups.google.com/a/cloudfoundry.org/d/msgid/vcap-dev/83c902e0-8c40-40b0-a011-1b0ac89a894f%40cloudfoundry.org.

[Alexander Lomov]

Hi, everyone in this thread. 

Currently I also have trouble using LDAP with UAA of v175 release. 

The text of error from uaa.log says: "LDAP: error code 1 - 000004DC: LdapErr: DSID-0C0906E8, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v1db1"

Here is sample of my manifest file: https://gist.githubusercontent.com/allomov/66c94a789a083c9b4470/raw/73a02a3b6b231cc346df537de41dc142497d7172/manifest.yml

And here is the whole error log: https://gist.githubusercontent.com/allomov/66c94a789a083c9b4470/raw/12deacf929917a0c1bce29db250244da30913ea9/uaa-fail.log

I'm sure that LDAP settings are correct because I can connect to it through PHP client.

It would be great if someone knows how to solve this issue. 

Thank you, 

Alex L.

[Filip Hanik]

error happens during the search itself. 

questions:

1 what ldap server are you using?

2. here is an example, you're mixing settings from uaa and cf release

https://github.com/fhanik/cf-release-manifests/blob/master/ldap/ldap-02-search-and-bind.yml

we did turn off connection pooling, but that shouldn't be the cause of this. it says you're not authenticated when the search is performed. do you have the right search base?

--
You received this message because you are subscribed to the Google Groups "Cloud Foundry Developers" group.

To view this discussion on the web visit https://groups.google.com/a/cloudfoundry.org/d/msgid/vcap-dev/e0f2486b-c724-4e94-9219-cd466381f168%40cloudfoundry.org.

[Alexander Lomov]

Filip, thank you for answering.

It turned out that we didn't specify filter in UAA filter correctly. We needed substitute cn in "cn={0}" with our field for logging. 

--
You received this message because you are subscribed to a topic in the Google Groups "Cloud Foundry Developers" group.
To view this discussion on the web visit https://groups.google.com/a/cloudfoundry.org/d/msgid/vcap-dev/CANXYgqHmiw0LhSSEtzdF0ML9hjokfmRgPEme-SpQHppBs-4g4Q%40mail.gmail.com.