Cannot connect to ldap server/container.


vn...@yandex.com

Aug 17, 2017, 6:46:09 AM8/17/17
to BigBlueButton-dev
I have wasted the last two days on this..

I created an ldap container;

docker pull osixia/openldap
docker network create --subnet=172.254.0.0/16 ldapnetwork
docker run --detach --restart=unless-stopped --network ldapnetwork --ip 172.254.254.254 --name openldap --hostname openldap osixia/openldap

It runs fine..  I can connect to it three ways:
1) inside the container itself:  docker exec ldap-service ldapsearch -x -H ldap://172.254.254.254 -b dc=example,dc=org -D "cn=admin,dc=example,dc=org" -w admin
2) from the host system:  ldapsearch -x -H ldap://172.254.254.254 -b dc=example,dc=org -D "cn=admin,dc=example,dc=org" -w admin
3) and from inside the greenlight container, with the same command as #1 but with "greenlight" as the container.

All give identical output.. But greenlight cannot connect!

I am running greenlight with this command:
docker run -d -p 5000:80 --restart=unless-stopped --network ldapnetwork --ip 172.254.254.1 -v $(pwd)/db/production:/usr/src/app/db/production -v $(pwd)/assets:/usr/src/app/public/system -v $(pwd)/log:/usr/src/app/log --env-file env --name greenlight bigbluebutton/greenlight

it shares the bridge network with openldap.

# docker ps  
CONTAINER ID        IMAGE                      COMMAND                  CREATED             STATUS              PORTS                  NAMES
15af649c2c18        bigbluebutton/greenlight   "scripts/default_s..."   About an hour ago   Up About an hour    0.0.0.0:5000->80/tcp   greenlight
0e4c08d91a4b        osixia/openldap:1.1.8      "/container/tool/run"    3 hours ago         Up 3 hours          389/tcp, 636/tcp       ldap-service


my greenlight env file contains these ldap settings:
LDAP_SERVER=ldap://172.254.254.254
LDAP_PORT=389
LDAP_METHOD=plain
LDAP_UID=uid
LDAP_BASE=dc=example,dc=org
LDAP_BIND_DN=cn=admin,dc=example,dc=org
LDAP_PASSWORD=admin


LDAP_Server is equivalent to the -H param above.
port is 389, the default, and is open on the container.
ldap method is plain, same as the command line examples above, no -Z or -ZZ so those are all plain connects..
base = the -b param above.
bind dn = -D param above
password = -w param above


These all seem correct, and I think it should work!  But it does not.

Anybody spot anything wrong here?


vn...@yandex.com

Aug 17, 2017, 6:52:49 AM8/17/17
to BigBlueButton-dev
I posted this in the dev list in the hope that somebody could update the source regarding the ldap connection routines, and adding some verbosity to the error message.  Exact error codes would be a huge help, or log it somewhere..

vn...@yandex.com

Aug 17, 2017, 7:07:23 AM8/17/17
to BigBlueButton-dev
also, please update to omniauth 1.3.2..

changelog indicates this is the latest version!
Version 1.3.2 (January 17, 2017)

greenlight-master/gemfile shows:

gem 'omniauth', '1.3.1'
gem 'omniauth-twitter', '1.2.1'
gem 'omniauth-google-oauth2', '0.4.1'
gem 'omniauth-ldap'


shows:

Versions:

  1. 1.0.5 - February 17, 2016 (11 KB)
  2. 1.0.4 - December 11, 2013 (11.5 KB)
  3. 1.0.3 - January 23, 2013 (11 KB)
  4. 1.0.2 - December 17, 2011 (11 KB)
  5. 1.0.1 - November 02, 2011 (29 KB)

This seems fairly static, so I doubt there are any better versions.

Fred Dixon

Aug 17, 2017, 9:29:26 AM8/17/17
to BigBlueButton-dev
Hey there,

> I have wasted the last two days on this..

..

> Anybody spot anything wrong here?

Yes, your first remark.  If you are looking for others in the community to volunteer their time to help you, starting with a self-proclaimed grievance isn't going to get you support any faster. 

If you're looking for commercial help, we recommend you reach out to the companies listed at


Just to be clear, it's OK to point out errors.  We love it when people do so.  But to do it in a condescending manner is incompatible with the ethos and community of an open source project.


Regards,... Fred
BigBlueButton Product Manager


--
You received this message because you are subscribed to the Google Groups "BigBlueButton-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to bigbluebutton-dev+unsubscribe@googlegroups.com.
To post to this group, send email to bigbluebutton-dev@googlegroups.com.
Visit this group at https://groups.google.com/group/bigbluebutton-dev.
For more options, visit https://groups.google.com/d/optout.



--
BigBlueButton Developer
@bigbluebutton

vn...@yandex.com

Aug 17, 2017, 10:55:09 AM8/17/17
to BigBlueButton-dev
OK, point taken.  Tone does matter.  I did indeed waste two days, not due to greenlight, or bigbluebutton, or the docs..  It was mostly due to my approx 30 year gap since doing any serious Unix/Solaris work.  Now we got linux, same shell, so..

And the two days are still gone.  Not a grievance, but a fact.  I googled openldap, and google fights me, and ignores terms, it returns "popular" results, not accurate ones.  Some forum posts with similar problems, and no answers.  It is very frustrating.

I am flailing around, yet not making progress towards a solution!  This is why I feel the time was wasted.

I think the setup is about 99% correct, but there is some small stupid thing going wrong.

openldap self hosted seems to me mostly dead, I think this is no longer a preferred solution to anything.  A standard that nobody uses or wants at this point.  People want things integrated, not another thing to manage.  Well off the beaten path in other words.

I was hoping for a response like this, "Oh yeah, I fought that and.."  here is my env settings, 5 seconds to find the file, cut paste, post a working config.

vn...@yandex.com

Aug 17, 2017, 11:06:42 AM8/17/17
to BigBlueButton-dev
and some logs:

I, [2017-08-17T10:41:36.524933 #1]  INFO -- : [56aa3be6-a805-43eb-a6a4-104f7dbab7b5] Processing by LandingController#guest as HTML
I, [2017-08-17T10:41:36.557799 #1]  INFO -- : [56aa3be6-a805-43eb-a6a4-104f7dbab7b5]   Rendering landing/guest.html.erb within layouts/application
I, [2017-08-17T10:41:36.630883 #1]  INFO -- : [56aa3be6-a805-43eb-a6a4-104f7dbab7b5]   Rendered shared/_center_panel.html.erb (66.9ms)
I, [2017-08-17T10:41:36.631143 #1]  INFO -- : [56aa3be6-a805-43eb-a6a4-104f7dbab7b5]   Rendered landing/guest.html.erb within layouts/application (73.1ms)
I, [2017-08-17T10:41:36.642674 #1]  INFO -- : [56aa3be6-a805-43eb-a6a4-104f7dbab7b5] Completed 200 OK in 117ms (Views: 91.1ms | ActiveRecord: 0.0ms)
I, [2017-08-17T10:41:38.453039 #1]  INFO -- : [14fad81f-3a71-4238-b51e-d72d2db3d0d2] Started GET "/b/users/login" for 172.254.0.1 at 2017-08-17 10:41:38 +0000
I, [2017-08-17T10:41:38.457244 #1]  INFO -- : [14fad81f-3a71-4238-b51e-d72d2db3d0d2] Processing by SessionsController#new as HTML
I, [2017-08-17T10:41:38.459285 #1]  INFO -- : [14fad81f-3a71-4238-b51e-d72d2db3d0d2] Redirected to https://bbb.mbaenglish.online/b/auth/ldap
I, [2017-08-17T10:41:38.459643 #1]  INFO -- : [14fad81f-3a71-4238-b51e-d72d2db3d0d2] Completed 302 Found in 2ms (ActiveRecord: 0.0ms)
I, [2017-08-17T10:41:38.678141 #1]  INFO -- : [6b57a25b-6da9-4431-af96-b6c131f6ad0f] Started GET "/b/auth/ldap" for 172.254.0.1 at 2017-08-17 10:41:38 +0000
I, [2017-08-17T10:41:38.918676 #1]  INFO -- : [081cfab6-be46-486b-b029-62af40a0723f] Started GET "/b/users/login" for 172.254.0.1 at 2017-08-17 10:41:38 +0000
I, [2017-08-17T10:41:38.921133 #1]  INFO -- : [081cfab6-be46-486b-b029-62af40a0723f] Processing by SessionsController#new as HTML
I, [2017-08-17T10:41:38.922628 #1]  INFO -- : [081cfab6-be46-486b-b029-62af40a0723f] Redirected to https://bbb.mbaenglish.online/b/auth/ldap
I, [2017-08-17T10:41:38.922908 #1]  INFO -- : [081cfab6-be46-486b-b029-62af40a0723f] Completed 302 Found in 2ms (ActiveRecord: 0.0ms)
I, [2017-08-17T10:41:39.143250 #1]  INFO -- : [cd66bef9-9bcc-46fe-acce-69c655771718] Started GET "/b/auth/ldap" for 172.254.0.1 at 2017-08-17 10:41:39 +0000
I, [2017-08-17T10:41:41.961592 #1]  INFO -- : [0b95337c-892e-4a43-a6dc-a3a09df615c5] Started POST "/b/auth/ldap/callback" for 172.254.0.1 at 2017-08-17 10:41:41
I, [2017-08-17T10:41:42.212913 #1]  INFO -- : [e66e83e8-9711-4cc2-aa20-3c8eb9a03030] Started GET "/b/auth/failure?message=ldap_error&origin=https%3A%2F%2Fbbb.mba
I, [2017-08-17T10:41:42.215362 #1]  INFO -- : [e66e83e8-9711-4cc2-aa20-3c8eb9a03030] Processing by SessionsController#auth_failure as HTML
I, [2017-08-17T10:41:42.215460 #1]  INFO -- : [e66e83e8-9711-4cc2-aa20-3c8eb9a03030]   Parameters: {"message"=>"ldap_error", "origin"=>"https://bbb.mbaenglish.on
I, [2017-08-17T10:41:42.216901 #1]  INFO -- : [e66e83e8-9711-4cc2-aa20-3c8eb9a03030] Redirected to https://bbb.mbaenglish.online/b/
I, [2017-08-17T10:41:42.217165 #1]  INFO -- : [e66e83e8-9711-4cc2-aa20-3c8eb9a03030] Completed 302 Found in 2ms (ActiveRecord: 0.0ms)
I, [2017-08-17T10:41:42.438777 #1]  INFO -- : [983dfa3e-5b92-4c93-9e14-786e010cc8bc] Started GET "/b/" for 172.254.0.1 at 2017-08-17 10:41:42 +0000
I, [2017-08-17T10:41:42.441540 #1]  INFO -- : [983dfa3e-5b92-4c93-9e14-786e010cc8bc] Processing by LandingController#index as HTML
I, [2017-08-17T10:41:42.441667 #1]  INFO -- : [983dfa3e-5b92-4c93-9e14-786e010cc8bc]   Parameters: {"resource"=>"meetings"}


the bits that seem most interesting:
I, [2017-08-17T10:41:39.143250 #1]  INFO -- : [cd66bef9-9bcc-46fe-acce-69c655771718] Started GET "/b/auth/ldap" for 172.254.0.1 at 2017-08-17 10:41:39 +0000
I, [2017-08-17T10:41:41.961592 #1]  INFO -- : [0b95337c-892e-4a43-a6dc-a3a09df615c5] Started POST "/b/auth/ldap/callback" for 172.254.0.1 at 2017-08-17 10:41:41
I, [2017-08-17T10:41:42.212913 #1]  INFO -- : [e66e83e8-9711-4cc2-aa20-3c8eb9a03030] Started GET "/b/auth/failure?message=ldap_error&origin=https%3A%2F%2Fbbb.mba
I, [2017-08-17T10:41:42.215362 #1]  INFO -- : [e66e83e8-9711-4cc2-aa20-3c8eb9a03030] Processing by SessionsController#auth_failure as HTML
I, [2017-08-17T10:41:42.215460 #1]  INFO -- : [e66e83e8-9711-4cc2-aa20-3c8eb9a03030]   Parameters: {"message"=>"ldap_error", "origin"=>"https://bbb.mbaenglish.on
I, [2017-08-17T10:41:42.216901 #1]  INFO -- : [e66e83e8-9711-4cc2-aa20-3c8eb9a03030] Redirected to https://bbb.mbaenglish.online/b/

Get, post, then failure..  I have no idea WHY.  What data was sent?  What was the ldap error?  Again, command line works with the same params.
Not sure about the odd truncation of the messages.  Did the GET fail?  servername, port?  Was it an LDAP error?

Not a whinge, just saying I did spend time trying to fix it, before bothering you all.

that auth module has been around for ages, it must have worked for someone, somewhere.  Or it would have been fixed, or nobody would use the gem.

vn...@yandex.com

Aug 17, 2017, 11:41:51 AM8/17/17
to BigBlueButton-dev
The quickest solution on your end would be to remove the openLDAP stuff from the docs.  Google OK, twitter OK, local LDAP, contact commercial support!

Finis.  Problem goes away.

Joshua Arts

Aug 17, 2017, 4:48:40 PM8/17/17
to BigBlueButton-dev
Hey there,

I tried setting it up using the OpenLDAP and phpLDAPAdmin docker images and got it working.

You shouldn't need to set the LDAP protocol for the LDAP_SERVER variable, the gem should do that automatically.

If you haven't already, try:

LDAP_SERVER=172.254.254.254

Remember, each time you make a change to the env file you need to follow the steps in the 'Applying env file changes' section from the docs.

Also, I followed the following tutorial when using phpLDAPAdmin to populate my server.

Unfortunately since we use middleware to authenticate with LDAP (we have to so we don't actually handle LDAP server credentials), we can't really implement our own detailed error messages. We're stuck with what the middleware sends us, which is some of the least descriptive errors I've ever seen.

Hope this helps!

Josh

vn...@yandex.com

Aug 17, 2017, 11:12:19 PM8/17/17
to BigBlueButton-dev
Thanks Joshua!  That nailed it..

Attached is my walkthrough .md notes

I knew I was close.  It is a mystery to me why
LDAP_SERVER=ldap://172.254.254.254
works on the command line yet fails inside greenlight.  It works on the host, and via command line inside the greenlight container.

Changing it as you suggested to:
LDAP_SERVER=172.254.254.254
fixes the authentication issues.

I owe you a free beer next time you are in north Vietnam..

Regarding phpldapadmin and the link to tech republic,  I could not figure out how to get phpldapadmin exposed to the rest of the world through nginx. I figured, skip all that, and focus on the slapd server, and skip the pretty web interface.  I have one teacher, me, who needs to log in..

Here is what I used:
### create ldif for an ldap group and a user:

```
# cat >> ldapgroup.ldif
dn: ou=People,dc=example,dc=org
objectClass: organizationalUnit
ou: People

dn: ou=Groups,dc=example,dc=org
objectClass: organizationalUnit
ou: Groups

# the RDN value (cn=bbbAdmins) must also appear as the entry's cn attribute,
# otherwise slapd rejects the entry with a naming violation
dn: cn=bbbAdmins,ou=Groups,dc=example,dc=org
objectClass: posixGroup
cn: bbbAdmins
gidNumber: 5000

dn: uid=Robert,ou=People,dc=example,dc=org
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: Robert
sn: Cooley
givenName: Robert
cn: Robert Cooley
displayName: Robert Cooley
uidNumber: 10000
gidNumber: 5000
userPassword: password
gecos: Robert Cooley
loginShell: /bin/bash
homeDirectory: /home/robert
```

Add it to the directory 

```
ldapadd -x -D "cn=admin,dc=example,dc=org" -w admin -H ldap://172.254.254.254 -f ldapgroup.ldif
```

This is a 100% command line, testable from the host, and inside the container, solution.  No extra containers to go wrong, nothing needs to change with regards to nginx, etc.  No need to secure openLDAP, etc.  Totally private, only greenlight can or should talk to it!

I changed the example docker run command in the docs to force an IP address, it concerned me that the address could change depending on what else was running, which started first, etc.  I wanted something more deterministic.  So add a bridge, force greenlight and openldap to share an ip block, give them each a static address, etc.  Perhaps "2 days wasted" is over-strong..  A good chunk of that time was fighting with docker networking, pinging the host, etc.  Much was learned, so not a total waste, just a long slow fight with little progress.

I think this is the minimum use case for LDAP auth.  A good example for the docs, IMO. Or you could change the code, and add a backdoor login method.  Greenlight_Admin=Admin,Greenlight_Admin_Password="password", and then BAM set authenticated=true or whatever and carry on!  Quick and dirty for the win!  :)

I feel that openLDap, and LDAP in general is unloved.  Google on it and you will see a lot of hits from about 2002-2014.  Maybe it "just works" for the rest of the world, and nobody saw a need to post anything about it, but ...

As for error messages:   My favorite is "An Error Occurred" with an OK button.  No, it is NOT "ok"!  Sigh.
Greenlight-5-Install_LDAP.md
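Two checks on a hand-written LDIF like ldapgroup.ldif above, as an added Ruby example (not from the walkthrough or from Greenlight): slapd rejects an entry whose RDN value (cn=...) is not also an attribute value of that entry, and an entry whose parent has not been added yet, since ldapadd processes the file in order. The sample file is constructed to trip both; the parser handles only plain `attr: value` lines.

```ruby
# Constructed sample in the shape of ldapgroup.ldif above, with two mistakes
# planted on purpose: the group's RDN (cn=admin) disagrees with its cn attribute,
# and the group entry comes before its parent ou=Groups exists.
SAMPLE_LDIF = <<~LDIF
  dn: ou=People,dc=example,dc=org
  objectClass: organizationalUnit
  ou: People

  dn: cn=admin,ou=Groups,dc=example,dc=org
  objectClass: posixGroup
  cn: bbbAdmins
  gidNumber: 5000

  dn: ou=Groups,dc=example,dc=org
  objectClass: organizationalUnit
  ou: Groups
LDIF

# Parse plain LDIF into an array of { dn:, attrs: { name => [values] } }.
# Deliberately minimal: no base64 (::) values and no folded continuation lines.
def parse_ldif(text)
  text.split(/\n[ \t]*\n/).map(&:strip).reject(&:empty?).map do |block|
    attrs = Hash.new { |h, k| h[k] = [] }
    block.each_line do |line|
      next if line.start_with?("#") || line.strip.empty?
      name, value = line.split(":", 2).map(&:strip)
      attrs[name.downcase] << value.to_s
    end
    { dn: attrs.delete("dn")&.first, attrs: attrs }
  end
end

# Report naming violations (RDN value absent from the entry) and missing parents
# (parents must be added first). `existing` lists DNs already in the directory.
def lint_ldif(text, existing: ["dc=example,dc=org"])
  problems = []
  seen = existing.map(&:downcase)
  parse_ldif(text).each do |entry|
    dn = entry[:dn]
    if dn.nil?
      problems << "entry without dn"
      next
    end
    rdn, parent = dn.split(",", 2)
    attr, value = rdn.split("=", 2)
    values = entry[:attrs][attr.downcase]
    unless values.any? { |v| v.casecmp?(value.to_s) }
      problems << "#{dn}: naming attribute #{rdn} is not among its #{attr} values #{values.inspect}"
    end
    if parent && !seen.include?(parent.downcase)
      problems << "#{dn}: parent #{parent} does not exist yet (add it first)"
    end
    seen << dn.downcase
  end
  problems
end
```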

vn...@yandex.com

Aug 17, 2017, 11:19:10 PM8/17/17
to BigBlueButton-dev
Oops, I see you mentioned the gem adds the LDAP:// reference, so I will not be mystified any more!

With my wrong entry, I suppose we would get ldap://ldap://172...

Doesn't that make the port number irrelevant?  ldap should resolve to 389 anyway..
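The scheme mix-up and the port question above, as an added Ruby example (not Greenlight's or the omniauth-ldap gem's own code): it assumes, as Josh says, that the auth library takes LDAP_SERVER as a bare host and supplies the scheme itself, shows where the assembled URL then points, and lints the env values before the container is restarted. The accepted LDAP_METHOD values plain/ssl/tls are an assumption.

```ruby
require "uri"

# Constructed env values in the shape of Greenlight's env file (from the thread).
GOOD_ENV = { "LDAP_SERVER" => "172.254.254.254", "LDAP_PORT" => "389", "LDAP_METHOD" => "plain" }.freeze
BAD_ENV  = { "LDAP_SERVER" => "ldap://172.254.254.254", "LDAP_PORT" => "389", "LDAP_METHOD" => "plain" }.freeze

# Assumption (per Josh above): the auth library treats LDAP_SERVER as a bare host
# and adds the scheme itself, ldaps:// when LDAP_METHOD=ssl, otherwise ldap://.
def effective_ldap_url(env)
  scheme = env["LDAP_METHOD"] == "ssl" ? "ldaps" : "ldap"
  "#{scheme}://#{env['LDAP_SERVER']}:#{env['LDAP_PORT']}"
end

# Host and port a URL parser actually reads out of the assembled URL. With a
# scheme already in LDAP_SERVER the host becomes the literal string "ldap",
# which is why the bind fails while the same IP works with ldapsearch -H.
def connect_target(env)
  uri = URI.parse(effective_ldap_url(env))
  [uri.host, uri.port || uri.default_port]
end

# Pre-flight lint for the env file, run before restarting the container.
# LDAP_METHOD values are assumed to be plain, ssl or tls.
def lint_ldap_env(env)
  problems = []
  server = env["LDAP_SERVER"].to_s
  if server.match?(%r{\A[A-Za-z][A-Za-z0-9+.-]*://})
    problems << "LDAP_SERVER contains a scheme (#{server}); use a bare host name or IP"
  elsif server.empty? || server.match?(%r{[/\s]})
    problems << "LDAP_SERVER is not a host name or IP address"
  end
  problems << "LDAP_PORT must be numeric" unless env["LDAP_PORT"].to_s.match?(/\A\d+\z/)
  unless %w[plain ssl tls].include?(env["LDAP_METHOD"].to_s)
    problems << "LDAP_METHOD must be plain, ssl or tls"
  end
  if env["LDAP_METHOD"] == "plain"
    problems << "note: LDAP_METHOD=plain sends the bind DN and password in clear; " \
                "fine only on a private bridge network like the one in this thread"
  end
  problems
end

if __FILE__ == $PROGRAM_NAME
  [GOOD_ENV, BAD_ENV].each do |env|
    puts "#{env['LDAP_SERVER']} -> #{connect_target(env).inspect}"
    lint_ldap_env(env).each { |p| puts "  #{p}" }
  end
end
```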




Joshua Arts

Aug 18, 2017, 9:53:02 AM8/18/17
to BigBlueButton-dev
Glad that fixed the authentication issue for you!

I believe you are correct in saying that it resolves to port 389 either way. I haven't tried leaving the port blank, but we include it just in case anyone is doing some wonky stuff and needs to use a different port.

Your server setup looks good to me. I know when I was trying it, I needed to set my LDAP_BASE to the location of the users (which, for you, would be: ou=People,dc=example,dc=org).

--

You also mentioned that you are the only user that needs logging in, there might be a much easier way to go about this.

You can set the GOOGLE_OAUTH2_HD variable in the env file to restrict google authentication to a specific domain. So, if you are the only one that has an account with that domain (or aren't worried about the others logging in), you'll be the only one able to login.


Not sure if this is applicable for your scenario, but I thought I'd mention it either way.

Josh

vn...@yandex.com

Aug 19, 2017, 6:29:06 AM8/19/17
to BigBlueButton-dev
I do not use google services.  I have no account, and want no account.  I block it at the router..  Same with twitter and facebook.  No spying/tracking please!

I stuck with the defaults, and example.org.  Lazy..  Works for me!

The docs need a bit of help in that area, skip the reference to openldap.  That leads to a deep and long rabbit hole.  Use my walkthrough if you want..  Simple direct command line stuff, and it works.

bah, LDAP..

I am sure there are some ldap admins out there in the world, and I hope they get paid TONS of money.  They deserve it!  And they can have it all the ldap stuff for themselves.   I never want to touch it again.. :)

The thing screams "OVERKILL".  A text file with usernames and a password would make me happy!