Does Go LDAP\AD authentication support following referrals


seaniebe1

Dec 1, 2014, 1:16:54 PM
to go...@googlegroups.com

I need to authenticate users across domains. I can set up an LDAP URI that hosts users within it, but also refers to another domain controller with users on that domain controller. I am able to authenticate only the users that are directly associated with the LDAP URI that was specified in the Go configuration. It doesn't seem to authenticate if the users are on the referred domain controller. I know on other software there is usually a setting that will "Allow" referrals. Is there such a setting for Go?

Aravind SV

Dec 4, 2014, 11:18:59 AM
to seaniebe1, go...@googlegroups.com
I found this line in code, which talks about LDAP referrals. This makes me think that, passing in the property -Djava.naming.referral=follow to Go might work. I don't have an LDAP setup like the one you mention easily available. Can you try that?

If you use an RPM based installation, you should be able to add this line to /etc/default/go-server:
export GO_SERVER_SYSTEM_PROPERTIES='-Djava.naming.referral=follow'

Cheers,
Aravind



Aravind SV

Dec 5, 2014, 6:59:16 AM
to go...@googlegroups.com
Also, there's a comment here which can help (maybe not you, @seaniebe1, but others searching about LDAP). It describes using a virtual LDAP server, to combine different AD servers or LDAP domains into one, so that Go can use it.

seaniebe1

Dec 5, 2014, 11:01:24 AM
to go...@googlegroups.com, sean...@gmail.com
Thank you for your response, Aravind. I did try this setting. I'm using the Windows platform; I updated the wrapper-server.conf file and added the following:
wrapper.java.additional.16=-Djava.naming.referral=follow
 
 
This setting did get me further and allowed me to get a successful LDAP connection test, but when I attempted to log in with one of the user IDs associated with the referred DC, I received the following exception:
 
2014-12-04 16:11:46,846 DEBUG [16960467@qtp-27626654-16] ProviderManager:190 - Authentication attempt using com.thoughtworks.go.server.security.providers.UserLicenseEnforcementProvider
2014-12-04 16:11:46,851  INFO [16960467@qtp-27626654-16] UserMap:55 - Adding user [org.springframework.security.userdetails.User@0: Username: admin; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_USER]
2014-12-04 16:11:46,852 DEBUG [16960467@qtp-27626654-16] ProviderManager:190 - Authentication attempt using com.thoughtworks.go.server.security.providers.UserLicenseEnforcementProvider
2014-12-04 16:11:46,939 DEBUG [16960467@qtp-27626654-16] FilterBasedLdapUserSearch:109 - Searching for user 'sdavey', with user search [ searchFilter: '(&(objectClass=user)(sAMAccountName={0}))', searchBase: 'OU=Employees,DC=oss,DC=bvn,DC=com', scope: subtree, searchTimeLimit: 5000, derefLinkFlag: false ]
2014-12-04 16:11:47,061  INFO [16960467@qtp-27626654-16] DefaultSpringSecurityContextSource:56 -  URL 'ldap://ddc1', root DN is ''
2014-12-04 16:11:47,063 DEBUG [16960467@qtp-27626654-16] AbstractContextSource:297 - AuthenticationSource not set - using default implementation
2014-12-04 16:11:47,065 DEBUG [16960467@qtp-27626654-16] AbstractContextSource:315 - Using LDAP pooling.
2014-12-04 16:11:47,066 DEBUG [16960467@qtp-27626654-16] AbstractContextSource:336 - Trying provider Urls: ldap://ddc1
2014-12-04 16:11:47,067 DEBUG [16960467@qtp-27626654-16] AbstractContextSource:132 - Principal: 'CN=Pro\, AntHill,OU=Service Accounts,DC=bvn,DC=com'
2014-12-04 16:11:47,147 DEBUG [16960467@qtp-27626654-16] AbstractContextSource:228 - Got Ldap context on server 'ldap://ddc1'
2014-12-04 16:11:47,411  WARN [16960467@qtp-27626654-16] LdapUserSearch:85 - The ldap configuration for search base 'OU=Employees,DC=oss,DC=bvn,DC=com' is invalid
org.springframework.ldap.BadLdapGrammarException: Failed to parse DN; nested exception is org.springframework.ldap.core.TokenMgrError: Lexical error at line 1, column 5.  Encountered: ":" (58), after : ""
 at org.springframework.ldap.core.DistinguishedName.parse(DistinguishedName.java:145)
 at org.springframework.ldap.core.DistinguishedName.<init>(DistinguishedName.java:100)
 
 
Note: if I go back into "go" and navigate to admin\serverconfiguration and change the URI to go directly (removing the need to use a referral) with the same search base, I am able to log in, so that search base works when I am not using the referral technique to access the users. Unfortunately, to include all users that need access I would need to use the referral technique. Maybe I will be unable to use the referral technique with Go, but I thought I would post my results. I will research the other alternative you suggested regarding a virtual directory.
 
Thanks again for your response.
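Added illustration, not code from this thread, GoCD or Spring LDAP: a minimal RFC 4514-style DN checker that reports the 1-based column of the first character a DN lexer cannot accept, so the "Lexical error at line 1, column 5" position in the stack trace above can be reproduced on sample input. The search-base and principal DNs quoted in the log pass; an LDAP URL such as ldap://ddc1 (the form a followed referral hands back, which is an assumption about the cause here, not something the thread establishes) fails at column 5 on ":".

```python
import re

# Attribute type: a descriptor like "OU" or "sAMAccountName", or a numeric OID.
ATTR_TYPE = re.compile(r'[A-Za-z][A-Za-z0-9-]*|[0-9]+(\.[0-9]+)*')


def check_dn(dn):
    """Return (ok, column): ok=True when dn is a well-formed DN,
    else column is the 1-based position of the first offending char.
    Handles backslash escapes such as the "\\," in "CN=Pro\\, AntHill";
    quoted and hex-encoded values are deliberately not supported."""
    pos, n = 0, len(dn)
    if n == 0:
        return (True, 0)           # the empty DN (root) is valid
    while True:
        m = ATTR_TYPE.match(dn, pos)
        if not m:
            return (False, pos + 1)  # RDN must start with an attribute type
        pos = m.end()
        if pos >= n or dn[pos] != '=':
            return (False, pos + 1)  # e.g. ':' right after "ldap" in a URL
        pos += 1
        # Attribute value runs until an unescaped ',' (next RDN) or '+'.
        while pos < n and dn[pos] not in ',+':
            pos += 2 if dn[pos] == '\\' else 1
        if pos > n:
            return (False, n)        # dangling backslash at end of value
        if pos == n:
            return (True, 0)
        pos += 1                     # skip separator, expect another RDN


if __name__ == "__main__":
    # Constructed samples: two DNs taken from the log above plus a URL.
    for sample in ("OU=Employees,DC=oss,DC=bvn,DC=com",
                   "CN=Pro\\, AntHill,OU=Service Accounts,DC=bvn,DC=com",
                   "ldap://ddc1"):
        print(repr(sample), "->", check_dn(sample))
```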

Sriram Narayanan

Dec 5, 2014, 11:05:14 AM
to seaniebe1, go...@googlegroups.com
I have used myvd in the past successfully to authenticate users from two different Active Directory domains, with Go.

This works as advertised.

-- Ram

Aravind SV

Dec 8, 2014, 7:43:13 AM
to Sriram Narayanan, seaniebe1, go...@googlegroups.com
On Fri, Dec 5, 2014 at 11:04 AM, Sriram Narayanan <srir...@gmail.com> wrote:
I have used myvd in the past successfully to authenticate users from two different Active Directory domains, with Go.

This works as advertised.

Yes, I tried it too and wrote about the config I used, here. It definitely works.

 
On Fri, Dec 5, 2014 at 9:31 PM, seaniebe1 <sean...@gmail.com> wrote:
This setting did get me further and allowed me to get a successful LDAP connection test, but when I attempted to log in with one of the user IDs associated with the referred DC, I received the following exception:

:( Sad. The exception seems to suggest something wrong in the LDAP query. That's weird, since it works without referral.

 
I will research the other alternative you suggested regarding virtual directory.
 
Thanks Again for your response.

You're welcome. When you get around to configuring the virtual directory, let me know if you need any help. It's a little confusing to get started with. Try to use the configuration I posted in that GitHub issue to verify that your setup works, before you make it use referrals.

Cheers,
Aravind