Question about configuring LDAP in cf-175


pjmo...@ncsu.edu
Jul 24, 2014, 12:09:24 PM
to vcap...@cloudfoundry.org

First, thanks to those who have gone before in configuring LDAP and posting about it here (e.g. [Adding LDAP authentication to login](https://groups.google.com/a/cloudfoundry.org/forum/#!searchin/vcap-dev/ldap/vcap-dev/LqWdKwPsxp0/ubC3dMYHoUcJ) and [Using LDAP with UAA](https://groups.google.com/a/cloudfoundry.org/forum/#!searchin/vcap-dev/ldap/vcap-dev/11OizdQn2-0/UXZ12sXK56EJ)).

I've edited our uaa manifest to include ldap-specific configuration, like so:
uaa:
    spring_profiles: ldap
    ldap:
      profile: ldap/ldap-search-and-bind.xml
    base:
      url: 'ldap.ncsu.edu'
      userDn: 'uid={0},dc=mydc,dc=mydomain'
      password: 'mypassword'
      searchBase: 'dc=mydc,dc=mydomain'
      searchFilter: 'ou=accounts,uid={0}'

When I used the login server to send a uaa request, uaa logged this:

uaa.log:[2014-07-23 01:39:21.024] uaa - 1971 [http-bio-8080-exec-8] .... DEBUG --- BindAuthenticator: Attempting to bind as cn=myid,ou=Users,dc=test,dc=com

The bind information appears to correspond to text in [ldap-simple-bind.xml](https://github.com/cloudfoundry/uaa/blob/36efbc0bf6186a4abaf51c04e55cdb2d5e15091b/uaa/src/main/webapp/WEB-INF/spring/ldap/ldap-simple-bind.xml), line 36:

    value="${ldap.base.userDnPattern:cn={0},ou=Users,dc=test,dc=com}" />

I tried re-deploying with 'userDnPattern' set, but the bind remained the same.

Two questions:

If you've overridden the defaults, how did you go about doing so?

Is it possible that the configuration code for uaa (UAAConfiguration.java?) needs to be revised to read in and replace the ldap parameters?

Filip Hanik
Jul 24, 2014, 12:42:33 PM
to vcap...@cloudfoundry.org
You almost got the config right; the ldap.profile.file attribute is missing:

ldap:
  profile:
    file: ldap/ldap-search-and-bind.xml
  base:
    url: 'ldap://localhost:10389/'
    userDn: 'cn=admin,dc=test,dc=com'
    password: 'password'
    searchBase: 'dc=test,dc=com'
    searchFilter: 'cn={0}'

pjmo...@ncsu.edu
Jul 24, 2014, 1:12:33 PM
to vcap...@cloudfoundry.org

I was relieved (and annoyed) that it was only my slip... until I checked the manifest, where I'd written it correctly:
    ldap:
      profile: ldap/ldap-search-and-bind.xml

On reflection, that appears to be where it's pulling the default text from for the attempted bind.

Filip Hanik
Jul 24, 2014, 4:37:26 PM
to vcap...@cloudfoundry.org
I may be misunderstanding you when you say that you have it correct,

you have
    ldap:
      profile: ldap/ldap-search-and-bind.xml

This is INCORRECT; it should be
    ldap:
      profile: 
        file: ldap/ldap-search-and-bind.xml


aa...@hubernet.net
Jul 24, 2014, 4:48:30 PM
to vcap...@cloudfoundry.org
I think there is some confusion in this thread between what goes in the BOSH manifest and what goes in the uaa.yml on the UAA server. The profile.file syntax is generated by the uaa.yml.erb, but what you need in your manifest is something like this (this is tested on v175):

  uaa:
    spring_profiles: ldap
    ldap:
      profile_type: search-and-bind
      searchBase: "DC=domain,DC=com"
      searchFilter: "(&(userPrincipalName={0})(objectClass=user))"
      url: "ldaps://gc.domain.com:3269/"
      userDN: "CN=User,OU=Accounts,DC=domain,DC=com"
      userPassword: 12345

Aaron Huber
Intel Corporation

Filip Hanik
Jul 24, 2014, 5:10:47 PM
to vcap...@cloudfoundry.org
Aaron is correct. Thanks for pointing it out!!

You have in your BOSH manifest
uaa:
    spring_profiles: ldap
    ldap:
      profile: ldap/ldap-search-and-bind.xml
    base:
      url: 'ldap.ncsu.edu'
      userDn: 'uid={0},dc=mydc,dc=mydomain'
      password: 'mypassword'
      searchBase: 'dc=mydc,dc=mydomain'
      searchFilter: 'ou=accounts,uid={0}'

This should be

uaa:
    spring_profiles: ldap
    ldap:
      profile: search-and-bind
    base:
      url: 'ldap://ldap.ncsu.edu'
      userDN: 'uid=this-must-be-a-username,dc=mydc,dc=mydomain'
      userPassword: 'mypassword'
      searchBase: 'dc=mydc,dc=mydomain'
      searchFilter: 'ou=accounts,uid={0}'

Differences in bold.
But it may be easier to look at 5 different configuration examples attached to this story.

For example:
properties:
  uaa:
    ldap:
      enabled: true
      profile_type: search-and-bind
      url: ldap://192.168.50.4:389/
      mailAttributeName: mail
      userDN: 'cn=admin,dc=test,dc=com'
      userPassword: 'password'
      searchFilter: 'cn={0}'
      searchBase: 'dc=test,dc=com'


if you are editing the uaa.yml on the UAA directly, then 

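Aaron's tested v175 layout and Filip's corrections above differ from the first manifest in a handful of ways (profile_type instead of a profile file path, the connection settings directly under uaa.ldap, userDN/userPassword naming, a scheme on the URL, and enabled: true). The following manifest lint is an added example written for this thread, not code from the UAA project or from any poster; it encodes exactly those corrections as checks over an already-parsed manifest dict (as yaml.safe_load would return), so a deployer can catch the mismatch before a bosh deploy. Hostnames, DNs and the bind password in the samples are constructed placeholders, the DN-vs-filter check is a heuristic, and the note about plain ldap:// is an added security advisory rather than something the thread states.

```python
import re

# Key names that the corrected manifests in this thread place directly under uaa.ldap.
REQUIRED = ("url", "userDN", "userPassword", "searchBase", "searchFilter")
# Names from the first manifest that the corrections renamed.
RENAMED = {"userDn": "userDN", "password": "userPassword"}
# Heuristic: a comma-separated run of attr=value pairs is DN syntax, not a search filter.
DN_LIKE = re.compile(r"^\s*\w+=[^,()&|!]+(,\s*\w+=[^,()&|!]+)+\s*$")


def lint_uaa_ldap(manifest):
    """Return a list of findings for the uaa.ldap section of an already-parsed manifest.

    The uaa block may sit at the top level or under properties:, as in the thread's examples.
    """
    findings = []
    uaa = manifest.get("uaa") or manifest.get("properties", {}).get("uaa") or {}
    ldap = uaa.get("ldap")
    if not isinstance(ldap, dict):
        return ["uaa.ldap section is missing"]

    # Pat reported that the configuration only took effect with enabled: true.
    if ldap.get("enabled") is not True:
        findings.append("uaa.ldap.enabled: true is missing")

    # The manifest takes a profile *type*; the profile *file* path is what the
    # rendered uaa.yml (from uaa.yml.erb) contains, so it does not belong here.
    profile = ldap.get("profile")
    if isinstance(profile, str):
        findings.append(f"uaa.ldap.profile is a file path ({profile!r}); use profile_type: search-and-bind")
    elif isinstance(profile, dict):
        findings.append("uaa.ldap.profile.file belongs in uaa.yml, not the manifest; use profile_type")
    if "profile_type" not in ldap:
        findings.append("uaa.ldap.profile_type is missing (e.g. search-and-bind)")

    # The first manifest put the connection settings in a sibling uaa.base block; the
    # tested examples put them under uaa.ldap.  Merge so later checks still see the
    # values, but report the misplacement.
    settings = {**uaa.get("base", {}), **ldap}
    if "base" in uaa:
        findings.append("uaa.base: move url/userDN/userPassword/searchBase/searchFilter under uaa.ldap")

    for old, new in RENAMED.items():
        if old in settings:
            findings.append(f"uaa.ldap.{old}: rename to {new}")
    for key in REQUIRED:
        old_name = next((o for o, n in RENAMED.items() if n == key), None)
        if key not in settings and old_name not in settings:
            findings.append(f"uaa.ldap.{key} is missing")

    url = str(settings.get("url", ""))
    if not re.match(r"^ldaps?://", url):
        findings.append(f"uaa.ldap.url {url!r} lacks an ldap:// or ldaps:// scheme")
    elif url.startswith("ldap://"):
        # Advisory (added here, not from the thread): the bind credential and user
        # passwords cross the wire in clear unless the server negotiates StartTLS.
        findings.append("uaa.ldap.url uses plain ldap://; prefer ldaps:// for the bind and user passwords")

    search_filter = str(settings.get("searchFilter", ""))
    if "{0}" not in search_filter:
        findings.append("uaa.ldap.searchFilter has no {0} placeholder for the login name")
    if DN_LIKE.match(search_filter):
        findings.append(f"uaa.ldap.searchFilter {search_filter!r} is written as a DN; a filter looks like (attr={{0}})")
    return findings


# Constructed sample: the shape of the first manifest in the thread, with placeholder values.
ORIGINAL_MANIFEST = {
    "uaa": {
        "spring_profiles": "ldap",
        "ldap": {"profile": "ldap/ldap-search-and-bind.xml"},
        "base": {
            "url": "ldap.example.com",
            "userDn": "uid={0},dc=mydc,dc=mydomain",
            "password": "placeholder-bind-password",
            "searchBase": "dc=mydc,dc=mydomain",
            "searchFilter": "ou=accounts,uid={0}",
        },
    }
}

# Constructed sample following the tested v175 layout, with placeholder values.
CORRECTED_MANIFEST = {
    "uaa": {
        "ldap": {
            "enabled": True,
            "profile_type": "search-and-bind",
            "url": "ldaps://gc.example.com:3269/",
            "userDN": "CN=svc-uaa,OU=Accounts,DC=example,DC=com",
            "userPassword": "placeholder-bind-password",
            "searchBase": "DC=example,DC=com",
            "searchFilter": "(&(userPrincipalName={0})(objectClass=user))",
        }
    }
}

if __name__ == "__main__":
    for name, m in (("original", ORIGINAL_MANIFEST), ("corrected", CORRECTED_MANIFEST)):
        print(name, lint_uaa_ldap(m) or ["ok"])
```

Running it reports eight findings for the original layout and none for the corrected one; feed it your own post-spiff manifest with `lint_uaa_ldap(yaml.safe_load(open(path)))`.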

pjmo...@ncsu.edu
Jul 25, 2014, 2:03:34 PM
to vcap...@cloudfoundry.org
 
All the lights came on when I added 'enabled: true' to the ldap section of the manifest (a post-spiff .yml file containing all the jobs, etc...), following the conventions Aaron pointed out.

Thanks All,
Pat
 
The 

Filip Hanik
Jul 26, 2014, 4:12:30 AM
to vcap...@cloudfoundry.org
uaa.ldap.enabled is a future property, not in the code yet. Not sure how it may have worked for you :)

It will come from this branch, in a PR shortly

we are trying to deprecate uaa.spring_profiles as the attribute name is really an implementation detail rather than a feature or function. So uaa.ldap.enabled will be used. If other 'profiles' are implemented in the future, we will add similar enabled/disabled flags per feature in a descriptive attribute

Filip

Alexander Lomov
Sep 9, 2014, 4:33:11 PM
to vcap...@cloudfoundry.org, pjmo...@ncsu.edu
Hi, everyone in this thread. 

Currently I also have trouble using LDAP with UAA of v175 release. 

The text of error from uaa.log says: "LDAP: error code 1 - 000004DC: LdapErr: DSID-0C0906E8, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v1db1"


I'm sure that LDAP settings are correct because I can connect to it through PHP client.

It would be great if someone knows how to solve this issue. 

Thank you, 
Alex L.

Filip Hanik
Sep 9, 2014, 6:45:36 PM
to vcap...@cloudfoundry.org, pjmo...@ncsu.edu
The error happens during the search itself.
Questions:
1. What LDAP server are you using?
2. Here is an example; you're mixing settings from uaa and cf release.

We did turn off connection pooling, but that shouldn't be the cause of this. It says you're not authenticated when the search is performed. Do you have the right search base?


Alexander Lomov
Sep 10, 2014, 11:23:18 AM
to vcap...@cloudfoundry.org, pjmo...@ncsu.edu
Filip, thank you for answering.

It turned out that we hadn't specified the filter in UAA correctly. We needed to substitute cn in "cn={0}" with our field for logging in.

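Alexander's fix (the attribute in the search filter has to be the one users type at login) and Filip's earlier point about the search base both come down to how search-and-bind works: UAA substitutes the login name into the filter, searches under searchBase for exactly one entry, and only then binds as that entry's DN. The following model is an added example written for this thread, not UAA's own code; the in-memory directory, DNs, logins and passwords are constructed, and the filter evaluator handles only the RFC 4515 subset that appears in this thread ((attr=value), (&...), (|...), (!...)). It also shows why the login value must be escaped before substitution, which is the defensive half of the same step.

```python
import hmac
import re

# Constructed in-memory directory standing in for the LDAP server: DN -> attributes.
# Attribute names are lower-cased because LDAP attribute names are case-insensitive.
DIRECTORY = {
    "uid=alice,ou=accounts,dc=example,dc=com": {
        "uid": "alice", "cn": "Alice Adams", "mail": "alice@example.com",
        "userprincipalname": "alice@example.com",
        "objectclass": ["top", "person", "user"], "userpassword": "alice-pw",
    },
    "uid=bob,ou=accounts,dc=example,dc=com": {
        "uid": "bob", "cn": "Bob Brown", "mail": "bob@example.com",
        "userprincipalname": "bob@example.com",
        "objectclass": ["top", "person", "user"], "userpassword": "bob-pw",
    },
}


def substitute_login(template, login):
    """Fill {0} with the login name, escaping RFC 4515 filter metacharacters first."""
    escaped = login.replace("\\", "\\5c")  # backslash first so later escapes stay intact
    for ch, code in (("*", "\\2a"), ("(", "\\28"), (")", "\\29"), ("\x00", "\\00")):
        escaped = escaped.replace(ch, code)
    return template.replace("{0}", escaped)


def _parse(s, i):
    # Recursive-descent parser for the filter subset used in the thread.
    # Returns (node, index after the node); nodes are ("=", attr, value) or (op, [children]).
    if s[i] != "(":
        raise ValueError(f"expected '(' at {i}")
    i += 1
    if s[i] in "&|!":
        op, kids, i = s[i], [], i + 1
        while i < len(s) and s[i] == "(":
            node, i = _parse(s, i)
            kids.append(node)
        if i >= len(s) or s[i] != ")":
            raise ValueError("unbalanced filter")
        return (op, kids), i + 1
    j = s.index(")", i)
    attr, _, value = s[i:j].partition("=")
    return ("=", attr.lower(), value), j + 1


def parse_filter(text):
    text = text.strip()
    if not text.startswith("("):
        text = f"({text})"  # the thread writes bare filters such as cn={0}
    node, end = _parse(text, 0)
    if end != len(text):
        raise ValueError("trailing characters in filter")
    return node


def _unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def matches(attrs, node):
    kind = node[0]
    if kind == "=":
        _, attr, value = node
        have = attrs.get(attr)
        if have is None:
            return False
        if value == "*":
            return True  # presence filter
        values = have if isinstance(have, list) else [have]
        return any(str(v).lower() == _unescape(value).lower() for v in values)
    kids = node[1]
    if kind == "&":
        return all(matches(attrs, k) for k in kids)
    if kind == "|":
        return any(matches(attrs, k) for k in kids)
    return not matches(attrs, kids[0])  # "!"


def search_and_bind(directory, search_base, filter_template, login, password):
    """Model of search-and-bind: find exactly one entry under search_base that matches
    the filled-in filter, then bind as that DN.  Returns the DN on success, else None."""
    node = parse_filter(substitute_login(filter_template, login))
    hits = [dn for dn, attrs in directory.items()
            if dn.lower().endswith(search_base.lower()) and matches(attrs, node)]
    if len(hits) != 1:
        return None  # no match (e.g. filter names the wrong attribute) or ambiguous
    dn = hits[0]
    # A real server verifies the bind itself; a constant-time compare stands in here.
    stored = directory[dn].get("userpassword", "")
    return dn if hmac.compare_digest(stored.encode(), password.encode()) else None


if __name__ == "__main__":
    base = "dc=example,dc=com"
    print("cn={0}  ->", search_and_bind(DIRECTORY, base, "cn={0}", "alice", "alice-pw"))
    print("uid={0} ->", search_and_bind(DIRECTORY, base, "uid={0}", "alice", "alice-pw"))
```

With users who log in by uid, the thread's default `cn={0}` finds nothing (cn holds the display name), so the bind never happens; `uid={0}`, or the Active Directory form `(&(userPrincipalName={0})(objectClass=user))` from Aaron's manifest, resolves the entry. A search base that does not contain the user subtree fails the same way, which is the check Filip asked for.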