Authentication issue with Active Directory


Jørgen Staun Hansen
Jan 29, 2015, 9:40:06 AM
to scmma...@googlegroups.com
During our test phase with SCM we got Active Directory authentication to work perfectly. But after moving this server to our DMZ, authentication fails.

A working setup is like this:

SCM-server 1.44
Ubuntu 12.04
SCM LDAP configuration = Active Directory
IP 10.10.50.15
Subnet 255.255.0.0
GW 10.10.10.254
DNS 10.1.1.10

Read-only Active Directory server in our DMZ (Windows 2008 R2)
IP 10.1.1.10
Subnet 255.255.255.0
GW 10.1.1.1


Failed setup

When I change IP and VLAN for the SCM-server to:

IP 10.1.24.99
Subnet 255.255.255.240
GW 10.1.24.97
DNS 10.1.1.10

authentication fails.

If I make an LDAP Connection Test I get this error: LDAP Connection Test Failed



Changing the auth. type to OpenLDAP, I get a Connection Success, but the rest fails.

The weird part is that if I make an ldapsearch query on the SCM-server, it works fine:


# ldapsearch -x -h 10.1.1.10 -D "ju...@XXX.loc" -W -b "cn=scm_lookup,ou=XXX DS,ou=Service Accounts,ou=Accounts,ou=resources,ou=intern,ou=XXX,DC=XXX,dc=loc" -s sub "(cn=*)" cn mail sn
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <cn=scm_lookup,ou=XXX DS,ou=Service Accounts,ou=Accounts,ou=resources,ou=intern,ou=XXX,DC=XXX,dc=loc> with scope subtree
# filter: (cn=*)
# requesting: cn mail sn
#

# scm_lookup, XXX DS, Service Accounts, Accounts, Resources, Intern, XXX, XXX.loc
dn: CN=scm_lookup,OU=XXX DS,OU=Service Accounts,OU=Accounts,OU=Resources,OU=Intern,OU=XXX,DC=XXX,DC=loc
cn: scm_lookup
sn: Manager

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

Checking the event log on the Active Directory server, we can see that the authentication is successful, but the web interface in SCM does not know this?!?


Does anyone have SCM-Manager working in a DMZ? (Our firewall is not blocking anything; we tried to allow all traffic but still no success.)
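The ldapsearch in the post and the plugin do not run the same queries: the post reads one known entry, while the plugin (as its trace log later in this thread shows) searches the whole domain, dc=MyDomain,dc=loc, with scope sub, first for the user and then for the user's groups, and does so with referral following switched on. The script below is an added example, not part of the original post and not SCM-Manager code; it replays those steps with the OpenLDAP client tools so that a failure can be pinned to one step. The host, base DN and lookup DN are the masked values from this thread, SCM_LOOKUP_PW and USER_PW are assumed environment variables, and it assumes OpenLDAP 2.4 ldapsearch (for -o nettimeout).

```shell
#!/bin/sh
# Added example (not from the original post and not SCM-Manager code): replay the
# four LDAP steps the SCM-Manager LDAP plugin performs, with the OpenLDAP client
# tools, so a failure can be pinned to one step. Host, bind DN and base DN are
# the (masked) values from this thread; SCM_LOOKUP_PW and USER_PW are assumed
# environment variables. Requires OpenLDAP 2.4 ldapsearch (-o nettimeout).
set -u

# RFC 4515 escaping for a value placed inside a search filter. Without it a
# login name or DN containing \ * ( ) changes the meaning of the filter.
ldap_filter_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# The two filters the plugin's Active Directory profile logs at DEBUG level,
# built here from an escaped login name and an escaped user DN.
scm_user_filter() {
    printf '(&(objectClass=Person)(sAMAccountName=%s))' "$(ldap_filter_escape "$1")"
}
scm_group_filter() {
    printf '(&(objectClass=group)(member=%s))' "$(ldap_filter_escape "$1")"
}

# scm_replay HOST LOGIN: (1) bind as the lookup account, (2) find the user's DN
# under the base DN, (3) bind as that user, (4) enumerate the user's groups under
# the base DN. -C chases referrals as the plugin's "follow" strategy does, and
# -o nettimeout=5 bounds every connection attempt, so a referral target that is
# unreachable from a DMZ fails in seconds instead of stalling the whole login.
# Which bind the plugin uses for step 4 is not visible in its log; the lookup
# account is assumed here.
scm_replay() {
    host=${1:-10.1.1.10}
    login=${2:-julie}
    base='dc=MyDomain,dc=loc'
    lookup_dn='cn=scm_lookup,ou=MyDomain DS,ou=Service Accounts,ou=Accounts,ou=resources,ou=intern,ou=MyDomain,DC=MyDomain,dc=loc'

    user_dn=$(ldapsearch -LLL -x -C -o nettimeout=5 -H "ldap://$host" \
        -D "$lookup_dn" -w "$SCM_LOOKUP_PW" -b "$base" -s sub \
        "$(scm_user_filter "$login")" dn | sed -n 's/^dn: //p' | head -n 1)
    [ -n "$user_dn" ] || { echo "step 1/2: no entry for $login under $base (or the lookup bind failed)" >&2; return 2; }

    # Step 3: the bind the AD event log reports as successful.
    ldapsearch -LLL -x -o nettimeout=5 -H "ldap://$host" -D "$user_dn" -w "$USER_PW" \
        -b "$user_dn" -s base '(objectClass=*)' dn >/dev/null \
        || { echo "step 3: bind as $user_dn failed" >&2; return 3; }

    echo "step 4: groups of $user_dn (referrals chased, 5 s per connection):"
    ldapsearch -LLL -x -C -o nettimeout=5 -H "ldap://$host" \
        -D "$lookup_dn" -w "$SCM_LOOKUP_PW" -b "$base" -s sub \
        "$(scm_group_filter "$user_dn")" cn
}

# Usage after sourcing this file (live, against the DC; nothing runs at load time):
#   SCM_LOOKUP_PW='...' USER_PW='...' scm_replay 10.1.1.10 julie
```

Run it from the DMZ address and from the internal address; the step that stalls or returns non-zero is the one to look at. Step 4 is the one to watch here: it is the only step that enumerates every result of a subtree search at the domain root, which is where a directory can hand back referrals to other hosts.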

Sebastian Sdorra
Jan 29, 2015, 2:25:49 PM
to scmma...@googlegroups.com
Could you please post the output of a trace log for a failed configuration test?

Sebastian


Jørgen Staun Hansen
Jan 30, 2015, 2:57:30 AM
to scmma...@googlegroups.com
scm-manager.log when user "Julie" tries to log on, after enabling TRACE in logging.xml:

2015-01-30 08:41:30.219 [qtp62407697-20] TRACE sonia.scm.security.ConfigurableLoginAttemptHandler - LoginAttemptHandler is disabled
2015-01-30 08:41:30.220 [qtp62407697-20] TRACE sonia.scm.web.security.ChainAuthenticatonManager - no authentication result for user julie found in cache
2015-01-30 08:41:30.220 [qtp62407697-20] TRACE sonia.scm.web.security.ChainAuthenticatonManager - start authentication chain for user julie
2015-01-30 08:41:30.221 [qtp62407697-20] TRACE sonia.scm.web.security.ChainAuthenticatonManager - check authenticator class sonia.scm.web.security.DefaultAuthenticationHandler for user julie
2015-01-30 08:41:30.221 [qtp62407697-20] DEBUG sonia.scm.web.security.DefaultAuthenticationHandler - julie is not an xml user
2015-01-30 08:41:30.221 [qtp62407697-20] DEBUG sonia.scm.web.security.ChainAuthenticatonManager - authenticator sonia.scm.web.security.DefaultAuthenticationHandler ends with result, user: null, state: NOT_FOUND
2015-01-30 08:41:30.221 [qtp62407697-20] TRACE sonia.scm.web.security.ChainAuthenticatonManager - check authenticator class sonia.scm.auth.ldap.LDAPAuthenticationHandler for user julie
2015-01-30 08:41:30.223 [qtp62407697-20] DEBUG sonia.scm.auth.ldap.LDAPConnection - create context for dn cn=scm_lookup,ou=MyDomain DS,ou=Service Accounts,ou=Accounts,ou=resources,ou=intern,ou=MyDomain,DC=MyDomain,dc=loc
2015-01-30 08:41:30.223 [qtp62407697-20] DEBUG sonia.scm.auth.ldap.LDAPConnection - use follow as referral strategy
2015-01-30 08:41:30.320 [qtp62407697-20] DEBUG sonia.scm.auth.ldap.LDAPAuthenticationContext - using scope sub for user search
2015-01-30 08:41:30.320 [qtp62407697-20] DEBUG sonia.scm.auth.ldap.LDAPAuthenticationContext - search-filter for user search: (&(objectClass=Person)(sAMAccountName=julie))
2015-01-30 08:41:30.320 [qtp62407697-20] DEBUG sonia.scm.auth.ldap.LDAPAuthenticationContext - no prefix for user defined, using basedn for search
2015-01-30 08:41:30.320 [qtp62407697-20] DEBUG sonia.scm.auth.ldap.LDAPAuthenticationContext - search base for user search: dc=MyDomain,dc=loc
2015-01-30 08:41:30.326 [qtp62407697-20] DEBUG sonia.scm.auth.ldap.LDAPConnection - create context for dn CN=Julie tester,OU=IT Misc Users,OU=IT Specials,OU=NSB,OU=Users,OU=Intern,OU=MyDomain,DC=MyDomain,DC=loc
2015-01-30 08:41:30.326 [qtp62407697-20] DEBUG sonia.scm.auth.ldap.LDAPConnection - use follow as referral strategy
2015-01-30 08:41:30.336 [qtp62407697-20] DEBUG sonia.scm.auth.ldap.LDAPAuthenticationContext - user CN=Julie tester,OU=IT Misc Users,OU=IT Specials,OU=NSB,OU=Users,OU=Intern,OU=MyDomain,DC=MyDomain,DC=loc successfully authenticated
2015-01-30 08:41:30.336 [qtp62407697-20] DEBUG sonia.scm.auth.ldap.LDAPUtil - could not find attribute mail
2015-01-30 08:41:30.337 [qtp62407697-20] TRACE sonia.scm.auth.ldap.LDAPAuthenticationContext - succefully created user from from ldap response: User{name=julie, displayName=Julie tester, mail=null, password=(not set), admin=false, type=$
2015-01-30 08:41:30.337 [qtp62407697-20] TRACE sonia.scm.auth.ldap.LDAPAuthenticationContext - try to fetch groups for user julie
2015-01-30 08:41:30.337 [qtp62407697-20] DEBUG sonia.scm.auth.ldap.LDAPAuthenticationContext - search-filter for group search: (&(objectClass=group)(member=CN=Julie tester,OU=IT Misc Users,OU=IT Specials,OU=NSB,OU=Users,OU=Intern,OU=MyDomain$
2015-01-30 08:41:30.337 [qtp62407697-20] DEBUG sonia.scm.auth.ldap.LDAPAuthenticationContext - no prefix for group defined, using basedn for search
2015-01-30 08:41:30.337 [qtp62407697-20] DEBUG sonia.scm.auth.ldap.LDAPAuthenticationContext - search base for group search: dc=MyDomain,dc=loc
2015-01-30 08:41:30.337 [qtp62407697-20] DEBUG sonia.scm.auth.ldap.LDAPAuthenticationContext - search groups for user CN=Julie tester,OU=IT Misc Users,OU=IT Specials,OU=NSB,OU=Users,OU=Intern,OU=MyDomain,DC=MyDomain,DC=loc at dc=MyDomain,dc=loc with f$
2015-01-30 08:41:30.339 [qtp62407697-20] TRACE sonia.scm.auth.ldap.LDAPAuthenticationContext - append group CN=MyDomain DK,OU=MyDomain Groups,OU=Groups,OU=Resources,OU=Intern,OU=MyDomain,DC=MyDomain,DC=loc with name MyDomain DK to user result


Output when trying to test the connection:

2015-01-30 08:54:23.668 [qtp62407697-15] TRACE sonia.scm.web.filter.AutoLoginFilter - user is allready authenticated
2015-01-30 08:54:23.669 [qtp62407697-15] TRACE sonia.scm.web.filter.AutoLoginFilter - user is allready authenticated
2015-01-30 08:54:23.670 [qtp62407697-15] TRACE sonia.scm.security.AuthorizationCollector - retrieve AuthorizationInfo for user scmadmin from cache
2015-01-30 08:54:23.672 [qtp62407697-15] DEBUG sonia.scm.auth.ldap.LDAPConnection - create context for dn cn=scm_lookup,ou=MyDomain DS,ou=Service Accounts,ou=Accounts,ou=resources,ou=intern,ou=MyDomain,DC=MyDomain,dc=loc
2015-01-30 08:54:23.672 [qtp62407697-15] DEBUG sonia.scm.auth.ldap.LDAPConnection - use follow as referral strategy
2015-01-30 08:54:23.680 [qtp62407697-15] DEBUG sonia.scm.auth.ldap.LDAPAuthenticationContext - using scope sub for user search
2015-01-30 08:54:23.680 [qtp62407697-15] DEBUG sonia.scm.auth.ldap.LDAPAuthenticationContext - search-filter for user search: (&(objectClass=Person)(sAMAccountName=julie))
2015-01-30 08:54:23.680 [qtp62407697-15] DEBUG sonia.scm.auth.ldap.LDAPAuthenticationContext - no prefix for user defined, using basedn for search
2015-01-30 08:54:23.680 [qtp62407697-15] DEBUG sonia.scm.auth.ldap.LDAPAuthenticationContext - search base for user search: dc=MyDomain,dc=loc
2015-01-30 08:54:23.682 [qtp62407697-15] DEBUG sonia.scm.auth.ldap.LDAPConnection - create context for dn CN=Julie tester,OU=IT Misc Users,OU=IT Specials,OU=NSB,OU=Users,OU=Intern,OU=MyDomain,DC=MyDomain,DC=loc
2015-01-30 08:54:23.682 [qtp62407697-15] DEBUG sonia.scm.auth.ldap.LDAPConnection - use follow as referral strategy
2015-01-30 08:54:23.691 [qtp62407697-15] DEBUG sonia.scm.auth.ldap.LDAPAuthenticationContext - user CN=Julie tester,OU=IT Misc Users,OU=IT Specials,OU=NSB,OU=Users,OU=Intern,OU=MyDomain,DC=MyDomain,DC=loc successfully authenticated
2015-01-30 08:54:23.691 [qtp62407697-15] DEBUG sonia.scm.auth.ldap.LDAPUtil - could not find attribute mail
2015-01-30 08:54:23.691 [qtp62407697-15] TRACE sonia.scm.auth.ldap.LDAPAuthenticationContext - succefully created user from from ldap response: User{name=julie, displayName=Julie tester, mail=null, password=(not set), admin=false, type=$
2015-01-30 08:54:23.691 [qtp62407697-15] TRACE sonia.scm.auth.ldap.LDAPAuthenticationContext - try to fetch groups for user julie
2015-01-30 08:54:23.691 [qtp62407697-15] DEBUG sonia.scm.auth.ldap.LDAPAuthenticationContext - search-filter for group search: (&(objectClass=group)(member=CN=Julie tester,OU=IT Misc Users,OU=IT Specials,OU=NSB,OU=Users,OU=Intern,OU=MyDomain$
2015-01-30 08:54:23.691 [qtp62407697-15] DEBUG sonia.scm.auth.ldap.LDAPAuthenticationContext - no prefix for group defined, using basedn for search
2015-01-30 08:54:23.691 [qtp62407697-15] DEBUG sonia.scm.auth.ldap.LDAPAuthenticationContext - search base for group search: dc=MyDomain,dc=loc
2015-01-30 08:54:23.691 [qtp62407697-15] DEBUG sonia.scm.auth.ldap.LDAPAuthenticationContext - search groups for user CN=Julie tester,OU=IT Misc Users,OU=IT Specials,OU=NSB,OU=Users,OU=Intern,OU=MyDomain,DC=MyDomain,DC=loc at dc=MyDomain,dc=loc with f$
2015-01-30 08:54:23.895 [qtp62407697-15] TRACE sonia.scm.auth.ldap.LDAPAuthenticationContext - append group CN=MyDomain DK,OU=MyDomain Groups,OU=Groups,OU=Resources,OU=Intern,OU=MyDomain,DC=MyDomain,DC=loc with name MyDomain DK to user result

Hope this gives you some idea of what might be blocking me.

Jørgen Staun Hansen
Jan 30, 2015, 3:49:45 AM
to scmma...@googlegroups.com
Just moved the server back onto the internal network and checked again.

The only difference in a Test Connection is this part (it's missing in the failed setup):

2015-01-30 09:46:38.974 [qtp1155208113-20] TRACE sonia.scm.auth.ldap.LDAPAuthenticationContext - return authentication result: user: julie, state: SUCCESS

Jørgen Staun Hansen
Feb 3, 2015, 7:11:10 AM
to scmma...@googlegroups.com
Did the trace log give any pointers on what could stop the authentication?


On Thursday, 29 January 2015 at 20:25:49 UTC+1, Sebastian Sdorra wrote:

Jørgen Staun Hansen
Feb 3, 2015, 9:58:44 AM
to scmma...@googlegroups.com
This is really weird.

I deleted the user Julie in SCM-Manager and tried to login as Julie again. The user actually gets created, but logon still fails.

Sebastian Sdorra
Feb 3, 2015, 12:56:58 PM
to scmma...@googlegroups.com
Do you use LDAP referrals in your AD? Does a failed login throw the error message immediately, or does it take time? Because the trace log seems not to be finished. Perhaps the ldap-plugin tries to find groups in another directory server which is connected to the AD but is not reachable from the scm-manager server.

Sebastian

Jørgen Staun Hansen
Feb 4, 2015, 2:34:16 AM
to scmma...@googlegroups.com
The login processes for about 30-45 sec. and then a new login is prompted. We only have one read-only domain controller in our DMZ and 4 in our internal network. But it is the same server (the DMZ domain controller) that is being polled for information whether the SCM-server is on our internal or external network.

Jørgen Staun Hansen
Feb 5, 2015, 10:28:04 AM
to scmma...@googlegroups.com
Hi again Sebastian.

Got a little further in my investigation of the login failure.

It seems that SCM-Manager fails while enumerating the groups. When the server is located in the DMZ VLAN, the log ends with

search groups for user CN=julie..... and the rest of the FQDN.

and then it stops.

On a successful logon it can enumerate the groups, and the output will then be like this:

2015-02-05 15:26:21.304 [qtp1218685951-21] DEBUG sonia.scm.auth.ldap.LDAPAuthenticationContext - search groups for user CN=Julie tester,OU=IT Misc Users,OU=IT Specials,OU=NSB,OU=Users,OU=Intern,OU=myDomain,DC=myDomain,DC=loc at dc=myDomain,dc=loc with$
2015-02-05 15:26:21.306 [qtp1218685951-21] TRACE sonia.scm.auth.ldap.LDAPAuthenticationContext - append group CN=myDomain DK,OU=myDomain Groups,OU=Groups,OU=Resources,OU=Intern,OU=myDomain,DC=myDomain,DC=loc with name myDomain DK to user result
2015-02-05 15:26:21.306 [qtp1218685951-21] TRACE sonia.scm.auth.ldap.LDAPAuthenticationContext - append group CN=IT Drift,OU=IT,OU=myDomain Groups,OU=Groups,OU=Resources,OU=Intern,OU=myDomain,DC=myDomain,DC=loc with name IT Drift to user result
2015-02-05 15:26:24.591 [qtp1218685951-21] TRACE sonia.scm.auth.ldap.LDAPAuthenticationContext - try to get groups from group attribute memberOf
2015-02-05 15:26:24.591 [qtp1218685951-21] DEBUG sonia.scm.auth.ldap.LDAPAuthenticationContext - append group IT Drift to user result
2015-02-05 15:26:24.592 [qtp1218685951-21] DEBUG sonia.scm.auth.ldap.LDAPAuthenticationContext - append group myDomain DK to user result
2015-02-05 15:26:24.592 [qtp1218685951-21] TRACE sonia.scm.auth.ldap.LDAPAuthenticationContext - return authentication result: user: julie, state: SUCCESS



I cannot see where it fails, in SCM-Manager or somewhere else. (We tried to open everything in our firewall and nothing was blocked, but no success with authentication.)

I made an ldapsearch on the SCM-server listing the user's (julie) groups with success, so the server is able to enumerate groups fine through the firewall:

ldapsearch -x -h 10.1.1.10 -D "ju...@myDomain.loc" -W -b "CN=Julie tester,OU=IT Misc Users,OU=IT Specials,OU=NSB,OU=Users,OU=Intern,OU=myDomain,DC=myDomain,DC=loc" -s sub "(cn=*)" memberOf
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <CN=Julie tester,OU=IT Misc Users,OU=IT Specials,OU=NSB,OU=Users,OU=Intern,OU=myDomain,DC=myDomain,DC=loc> with scope subtree
# filter: (cn=*)
# requesting: memberOf
#

# Julie tester, IT Misc Users, IT Specials, NSB, Users, Intern, myDomain, myDomain.loc
dn: CN=Julie tester,OU=IT Misc Users,OU=IT Specials,OU=NSB,OU=Users,OU=Intern,OU=myDomain,DC=myDomain,DC=loc
memberOf: CN=MyTest,OU=myDomain,DC=myDomain,DC=loc
memberOf: CN=IT Drift,OU=IT,OU=myDomain Groups,OU=Groups,OU=Resources,OU=Intern,OU=myDomain,DC=myDomain,DC=loc
memberOf: CN=myDomain DK,OU=myDomain Groups,OU=Groups,OU=Resources,OU=Intern,OU=myDomain,DC=myDomain,DC=loc

# search result
search: 2
result: 0 Success

Any ideas?

Sebastian Sdorra
Feb 5, 2015, 2:24:32 PM
to scmma...@googlegroups.com
Could you try to change to the custom profile, set the referral strategy to ignore and disable the nested group feature? I think the timeout of the plugin is too high.

Sebastian

Jørgen Staun Hansen
Feb 6, 2015, 2:56:21 AM
to scmma...@googlegroups.com
WOW!! - that did it.

I just wonder why it doesn't work with Referral Strategy=Follow? It is the same server that is being queried.

But hey it works. I can now hand over the SCM system to our developers.

THANKS!

Sebastian Sdorra
Feb 7, 2015, 10:58:37 AM
to scmma...@googlegroups.com
You could try to set the strategy to throw; perhaps you get an exception that helps you identify the problem with the referral. I've updated the ldap-plugin to use timeouts for connection and read operations:


Sebastian
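Jørgen's question above, why "follow" fails when the same server is queried, has a checkable answer: a subtree search at the domain root does not only return entries, it also returns references (LDAP referrals) to other naming contexts, and with a "follow" strategy the client itself opens connections to the hosts those references name, which may not be the RODC the plugin was pointed at and may not be reachable from a DMZ. The ldapsearch runs in this thread never hit that, because they used a single entry as the base and because ldapsearch does not chase referrals unless -C is given. The script below is an added example, not from the thread and not SCM-Manager code; it lists the referral targets a DC returns and checks from the SCM host whether each one resolves and accepts a TCP connection. It assumes OpenLDAP ldapsearch, getent and an nc that accepts -z and -w, and the embedded LDIF is a constructed sample, not output captured from the thread's DC.

```shell
#!/bin/sh
# Added example (not from the thread and not SCM-Manager code): show which referrals
# an Active Directory DC hands back for a subtree search at the domain root, and
# check from the SCM host whether each referral target can be resolved and reached.
# With a "follow" strategy the client connects to those targets itself; one that
# is filtered from the DMZ is what a login waits on. Assumed tools: OpenLDAP
# ldapsearch, getent, and an nc that accepts -z and -w.
set -u

# Hostname[:port] of every "ref: ldap://..." line in LDIF on stdin, one per line,
# de-duplicated. ldapsearch prints references as ref: lines when -C is not given.
referral_hosts() {
    sed -n 's|^ref: ldaps\{0,1\}://\([^/]*\).*|\1|p' | sort -u
}

# For each host from referral_hosts: DNS lookup, then a TCP connect to the LDAP
# port with a 3 s limit. Port 389 is assumed unless the referral URL names one.
check_referrals() {
    while IFS= read -r target; do
        host=${target%%:*}
        case "$target" in *:*) port=${target##*:} ;; *) port=389 ;; esac
        if ! getent hosts "$host" >/dev/null 2>&1; then
            echo "$host: not resolvable from this host; a follow strategy cannot chase this referral"
        elif nc -z -w 3 "$host" "$port" >/dev/null 2>&1; then
            echo "$host:$port: reachable"
        else
            echo "$host:$port: resolvable but no TCP connect; a follow strategy blocks here until its connect timeout"
        fi
    done
}

# Constructed sample (not captured from the thread's DC) of the references AD
# returns for "-b dc=MyDomain,dc=loc -s sub": the two DNS application partitions
# and the Configuration naming context, each advertised under its own DNS name.
SAMPLE_LDIF='dn: CN=MyDomain DK,OU=MyDomain Groups,OU=Groups,OU=Resources,OU=Intern,OU=MyDomain,DC=MyDomain,DC=loc
cn: MyDomain DK

ref: ldap://ForestDnsZones.MyDomain.loc/DC=ForestDnsZones,DC=MyDomain,DC=loc

ref: ldap://DomainDnsZones.MyDomain.loc/DC=DomainDnsZones,DC=MyDomain,DC=loc

ref: ldap://MyDomain.loc/CN=Configuration,DC=MyDomain,DC=loc
'

# Live use from the SCM host (LOOKUP_DN and SCM_LOOKUP_PW assumed in the environment):
#   ldapsearch -LLL -x -H ldap://10.1.1.10 -D "$LOOKUP_DN" -w "$SCM_LOOKUP_PW" \
#       -b dc=MyDomain,dc=loc -s sub '(objectClass=group)' dn | referral_hosts | check_referrals
# Offline, against the constructed sample:
#   printf '%s' "$SAMPLE_LDIF" | referral_hosts
```

Run the live pipeline once from the DMZ address and once from the internal address; a target that is "reachable" internally and "no TCP connect" from the DMZ explains a login that sits for 30 to 45 s and then fails at the group search, and it matches the fix that worked here: referral strategy "ignore" (or "throw", which surfaces the referral as an exception instead of silently chasing it) together with explicit connect and read timeouts. The wider caveat for a DMZ host is that "follow" lets the directory server decide which hosts the SCM server connects to, so ignoring or throwing on referrals is the safer default unless the deployment actually needs data from another naming context.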