LDAP integration with trial enterprise edition of dotcms 4.1.1 is not working


Ravi Kumar

Nov 3, 2017, 6:21:05 AM
to dotCMS User Group
Hi,

I am new to dotcms and am trying to integrate OpenLDAP with the trial enterprise edition of dotcms 4.1.1. I have installed dotcms 4.1.1 and OpenLDAP 2.4.* on my local Windows machine.

I have read the documentation and followed the steps below:



1. Logged in as admin and created a new role in dotcms. The role name is "cms" and the key for this role is "dotcmsadmin". Provided access to the tabs.

2. I have logged into OpenLDAP and created users and groups. The LDAP tree looks like this:

suffix: dc=maxcrc,dc=com
    ou=groups (1)   (ou=groups,dc=maxcrc,dc=com)
        cn=dotcmsadmin   (cn=dotcmsadmin,ou=groups,dc=maxcrc,dc=com)
    ou=People (2)
        cn=ram   (cn=ram,ou=People,dc=maxcrc,dc=com)
        cn=krish   (cn=krish,ou=People,dc=maxcrc,dc=com)

I added the 2 users to the "dotcmsadmin" group as members.

Following are the attributes of the user (ram) in LDAP:

objectclass  = inetOrgPerson (structural)
objectclass  = organizationalPerson (structural)
objectclass  = person (structural)
objectclass  = top (abstract)
cn           = ram
sn           = ram
displayName  = ram
givenName    = ram
mail         = r...@test.com
manager      = cn=dotcmsadmin,ou=groups,dc=maxcrc,dc=com
title        = dotcmsadmin
userPassword = xxxxxxxxx

Note: since I am not able to add the memberOf attribute to the user, I have mapped the group details to the "manager" attribute.


3. I have used the ROOT folder plugin to override the portal.properties file. Copied "dotcms_4.1.1\dotserver\tomcat-8.0.18\webapps\ROOT\WEB-INF\classes\portal.properties" to

"\dotcms_4.1.1\plugins\com.dotcms.config\ROOT\dotserver\tomcat-8.0.18\webapps\ROOT\WEB-INF\classes\portal-ext.properties" and modified the properties below:


    # LDAP (LDAP Servers)
    # once a user is authenticated, LDAP will query the user and pull a list
    # of groups that the user belongs to
    # These groups will be created in the CMS on the fly and the CMS user will
    # be associated with them.
    auth.pipeline.pre=com.dotcms.enterprise.LDAPProxy
    auth.impl.ldap.initial.context.factory=com.sun.jndi.ldap.LdapCtxFactory
    # Set SSL if you are using LDAPS or leave blank
    auth.impl.ldap.security.authentication=
    # set path to keystore with root server cert imported or leave blank
    auth.impl.ldap.security.keystore.path=
    auth.impl.ldap.host=localhost
    auth.impl.ldap.port=389
    # should be full dn of user
    auth.impl.ldap.userid=cn=Manager,dc=maxcrc,dc=com
    auth.impl.ldap.password=secret
    auth.impl.ldap.domainlookup=dc=maxcrc,dc=com
    auth.impl.build.groups=true
    auth.impl.ldap.build.group.name.filter=^(.+)
    # Prefix the dotcms should strip from group name.  Leave blank to not strip any prefix.
    auth.impl.ldap.build.group.name.filter.strip=
    # If you set to false any user created from LDAP will not be able to log into the dotCMS if LDAP is not available.
    auth.impl.ldap.syncPassword=true
    # The following attributes can be used to match up dotCMS user properties to LDAP Attributes.  Uncomment all attributes.
    # If you leave the attribute blank then it will not be synced from LDAP.
    # NOTE:  YOU CANNOT HAVE A GROUP NAME WITH A "=" IN IT

    auth.impl.ldap.attrib.user=mail
    auth.impl.ldap.attrib.firstName=cn
    auth.impl.ldap.attrib.middleName=givenName
    auth.impl.ldap.attrib.lastName=sn
    auth.impl.ldap.attrib.nickName=
    auth.impl.ldap.attrib.email=mail
    auth.impl.ldap.attrib.gender=
    auth.impl.ldap.attrib.group=manager

4. Deployed using "deploy-plugins.bat" and restarted dotcms.

Issue:

When I try to log in with the default admin user "ad...@dotcms.com" it is not able to log in, and the console shows "Authentication failed. Please try again". (In LDAP we also don't have a user named "admin".)

Even when I try with the LDAP user "r...@test.com" it gives the "Authentication failed. Please try again" message. Nothing is shown in the log files except the message below:

ERROR ejb.UserManagerImpl: Could not find the user: null, return DNE

Tried the following as well:

1. Able to connect to LDAP through JXplorer.
2. auth.impl.ldap.attrib.group=manager        (changed the attribute to "title" instead of "manager")


I am clueless now; I hope someone can help with this.

Thanks,
Ravi.

Jason Tesser

Nov 3, 2017, 9:08:52 AM
to dot...@googlegroups.com
OK, so a few things:

1. The properties in the dotcms config must be exposed as attributes in LDAP. I say this because you are pointing the group at a CN path. It needs to be an attribute of your user.
2. If your auth works from JXplorer with the EXACT same baseDN and auth user etc., it should work from us also for auth. So make sure when testing in JXplorer you are using this in the connection settings:
    auth.impl.ldap.userid=cn=Manager,dc=maxcrc,dc=com
    auth.impl.ldap.password=secret
    auth.impl.ldap.domainlookup=dc=maxcrc,dc=com
AND then that you can authenticate with the mail attribute as the attribute, because you are telling dotcms to use mail as the user. So that means the email, which is stored in mail, has the password and all attributes stored on that user returned.

--
http://dotcms.com - Open Source Java Content Management
---
You received this message because you are subscribed to the Google Groups "dotCMS User Group" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dotcms+un...@googlegroups.com.
To post to this group, send email to dot...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/dotcms/2d984ce0-eac7-4665-aeed-8d9cea1b3336%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Ravi Kumar

Nov 5, 2017, 12:27:35 AM
to dotCMS User Group
Thanks for reply. 

If you look at the LDAP attributes of the user (ram) I mentioned in this mail thread, all the defined attributes are exposed as user attributes. Also, I didn't face any issues connecting to LDAP with JXplorer. Please see the attached file.


A few questions:

1. Does the trial version of dotcms enterprise edition support LDAP integration?

2. Do we need to use the same attributes mentioned in the documentation, or can we use other attributes as well? Because I used the "manager" attribute of the LDAP user as a "memberOf" attribute and "mail" for user, etc.

3. Do we need any other configuration?

4. Any other pointers for debugging this issue?

I am attaching the screen shots of role details in dotcms and LDAP user attributes.

Thanks & Regards,
Ravi.
ldap-user-attributes.png
role-in-dotcms.png
JXplorer.png

Jason Tesser

Nov 6, 2017, 8:06:57 AM
to dot...@googlegroups.com
Let me see if I can move you along a bit :-)

1. Does the trial version of dotcms enterprise edition support LDAP integration?

Answer: YES. The trial functions as a license. If you are interested in purchasing, I can have a business person here at dotcms reach out to you. Sometimes we are able to do a POC depending on the engagement.

2. Do we need to use the same attributes mentioned in the documentation, or can we use other attributes as well? Because I used the "manager" attribute of the LDAP user as a "memberOf" attribute and "mail" for user, etc.

Answer: The left side of the equals must be the same, meaning the property names, but NOT the values.

3. Do we need any other configuration?

Answer: Should not.

4. Any other pointers for debugging this issue?

Answer: Your manager in OpenLDAP is not right. It needs to be the actual group name, which maps to a role key in dotcms that has permissions and layouts. That is what I meant in the last response. You have a full CN path in there.


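To make the point of the two replies above concrete (the value of the attribute named by auth.impl.ldap.attrib.group must be the bare role key, not a DN), here is an added example that is not dotCMS code and not from this thread. It models the group-to-role mapping against the portal-ext.properties lines and the user entry "ram" posted earlier, both embedded as constructed input. It assumes, without confirmation from the thread, that auth.impl.ldap.build.group.name.filter is a regex whose first capture group is the group name, that the strip property is a literal prefix, and that role-key matching is an exact string compare; treat those as assumptions, not dotCMS behaviour.

```python
import re
from typing import Dict, List

# Constructed input: the LDAP-related lines from the posted portal-ext.properties.
PORTAL_EXT_PROPERTIES = """\
auth.impl.ldap.host=localhost
auth.impl.ldap.port=389
auth.impl.ldap.security.authentication=
auth.impl.ldap.userid=cn=Manager,dc=maxcrc,dc=com
auth.impl.ldap.password=secret
auth.impl.ldap.domainlookup=dc=maxcrc,dc=com
auth.impl.ldap.build.group.name.filter=^(.+)
auth.impl.ldap.build.group.name.filter.strip=
auth.impl.ldap.attrib.user=mail
auth.impl.ldap.attrib.email=mail
auth.impl.ldap.attrib.group=manager
"""

# Constructed input: the user entry "ram" as described in the thread
# (multi-valued LDAP attributes are represented as lists; mail is a placeholder).
USER_RAM: Dict[str, List[str]] = {
    "cn": ["ram"],
    "sn": ["ram"],
    "mail": ["ram@test.com"],
    "manager": ["cn=dotcmsadmin,ou=groups,dc=maxcrc,dc=com"],
    "title": ["dotcmsadmin"],
}

# Role keys that exist in dotCMS; the thread creates exactly one, "dotcmsadmin".
DOTCMS_ROLE_KEYS = {"dotcmsadmin"}


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal .properties reader: key=value lines, '#' comments, blank values kept."""
    props: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def group_names(entry: Dict[str, List[str]], props: Dict[str, str]) -> List[str]:
    """Values of the configured group attribute after the name filter and prefix strip.

    Assumption (model, not verified against dotCMS): the filter is a regex whose
    first capture group is the group name; the strip value is a literal prefix.
    """
    attr = props["auth.impl.ldap.attrib.group"]
    pattern = re.compile(props.get("auth.impl.ldap.build.group.name.filter") or "^(.+)")
    prefix = props.get("auth.impl.ldap.build.group.name.filter.strip", "")
    names = []
    for value in entry.get(attr, []):
        m = pattern.match(value)
        if not m:
            continue
        name = m.group(1) if m.groups() else m.group(0)
        if prefix and name.startswith(prefix):
            name = name[len(prefix):]
        names.append(name)
    return names


def matched_roles(entry: Dict[str, List[str]], props: Dict[str, str],
                  role_keys=DOTCMS_ROLE_KEYS) -> List[str]:
    """Group names that exactly match an existing dotCMS role key."""
    return [n for n in group_names(entry, props) if n in role_keys]


def check_mapping(entry: Dict[str, List[str]], props: Dict[str, str]) -> List[str]:
    """Findings to work through before blaming the dotCMS side."""
    findings = []
    group_attr = props["auth.impl.ldap.attrib.group"]
    user_attr = props["auth.impl.ldap.attrib.user"]
    if not entry.get(user_attr):
        findings.append(f"user attribute '{user_attr}' is empty on the entry; the login lookup has nothing to match")
    for value in entry.get(group_attr, []):
        # The shipped config comment says a group name cannot contain "="; every DN does.
        if "=" in value:
            findings.append(f"{group_attr}={value} is a DN, not a role key")
    if not matched_roles(entry, props):
        findings.append(f"no value of '{group_attr}' matches a dotCMS role key {sorted(DOTCMS_ROLE_KEYS)}")
    if props.get("auth.impl.ldap.security.authentication", "") == "" and props.get("auth.impl.ldap.password"):
        findings.append("simple bind with a password over plain LDAP: the bind credentials and every "
                        "user's login password cross the wire in cleartext; beyond a local test, set the "
                        "SSL option the config comment describes and point at LDAPS")
    return findings


if __name__ == "__main__":
    props = parse_properties(PORTAL_EXT_PROPERTIES)
    for f in check_mapping(USER_RAM, props):
        print("-", f)
```

Running it against the posted setup reports the DN in `manager` and no matching role; pointing `auth.impl.ldap.attrib.group` at `title` (already set to `dotcmsadmin` in the posted entry) yields a match. Two schema caveats worth knowing before picking the attribute: in the standard schema `manager` has DN syntax, so OpenLDAP will reject a bare `dotcmsadmin` in it, and `memberOf` as produced by the OpenLDAP memberof overlay also holds DNs, so it would fail the same "no '=' in the name" rule. A Directory String attribute such as `title` or `departmentNumber`, or a custom attribute in your own schema, can carry the bare role key.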

Ravi Kumar

Nov 6, 2017, 10:11:21 PM
to dotCMS User Group
Thank you very much for the details.

Based on your response, I understood that the community edition of dotcms with the 30-day free enterprise licence would not work with LDAP integration; we need to have a separate licence for it.

As we are just exploring dotcms features and doing some POCs, I am not sure about purchasing a licence. OK, I will let you know soon.
 

Thanks,
Ravi.

Jason Tesser

Nov 7, 2017, 6:18:48 AM
to dot...@googlegroups.com

The 30-day trial works. The community edition after the trial does not.

