LDAP Fail on Authentication


sup...@kernel.inf.br

May 26, 2016, 10:26:22 AM
to NxFilter
I'm trying to use authentication over LDAP.
I was using base DN: dc=example,dc=com,dc=br
NxFilter imports users and groups. But when I try to authenticate it uses "uname = uid=userlogging,dc=example,dc=com,dc=br", but my user is on 'ou=users,dc=example,dc=com,dc=br'.
So I changed the configuration to use base DN: ou=Users,dc=example, dc=com, dc=br
Obviously, when I synchronized, the groups were deleted (groups are on ou=Groups,dc=example,dc=com,dc=br).
But when I try to authenticate again, the log returns:
ERROR [05-26 11:22:21] - uname = uid=userlogging,ou=users,dc=example,dc=com,dc=br, error = javax.naming.AuthenticationException: [LDAP: error code 49 - Invalid Credentials]
On LDAP the password is using SSHA.

1 - I think that the LDAP module has to search on the subtree or permit configuring a base DN for groups and a base DN for users. Subtree is better.
2 - Invalid Credentials? Why?

What am I doing wrong?

Jinhee

May 26, 2016, 10:49:25 AM
to NxFilter
Did you use OpenLDAP? If so where did you install it? On Linux?

In your case, you'd need to go with 'dc=example,dc=com,dc=br'.

Did you try your LDAP admin account and password as well? We do the same kind of authentication process as when you import your users.

Jinhee

May 26, 2016, 10:49:58 AM
to NxFilter
We do subtree search.

Jinhee

May 26, 2016, 11:21:56 AM
to NxFilter
We transform your user name for OpenLDAP login. If your username is 'userlogging' then we try this,

  uid=userlogging,ou=users,dc=example,dc=com,dc=br

So I think it's OK. But if it fails we do one more with,

  cn=userlogging,ou=users,dc=example,dc=com,dc=br

Anyway we need to know what's your LDAP server first.

sup...@kernel.inf.br

May 27, 2016, 2:05:20 AM
to NxFilter
OpenLDAP - package slapd - 2.4.31 - Ubuntu Server 14.04
But the log shows the DN without including (ou=users), unless I put it in the base DN; when I do that I lose the group synchronization, and the authentication doesn't work like before.

sup...@kernel.inf.br

May 27, 2016, 2:11:00 AM
to NxFilter
Yes, I tested with the LDAP admin account and password; this works. But the others don't.

sup...@kernel.inf.br

May 27, 2016, 2:16:08 AM
to NxFilter
I looked at the hash type used for the LDAP admin: it is crypt, and I changed my user to use this. But it didn't work. I noted that when I change my password and force a sync, the register shows no change at all.

Jinhee

May 27, 2016, 4:57:57 AM
to NxFilter
You should have users and groups in the same OU. Do you have any reason not to have them in the same OU?

Jinhee

May 27, 2016, 5:31:29 AM
to NxFilter
We might work on it to make it work even if you import your users and groups separately. But at the moment you need to have them in the same OU. And that's a subtree scope query.

sup...@kernel.inf.br

May 27, 2016, 9:13:45 AM
to NxFilter
Just using the traditional layout of a single organization.
To make this change I would have to modify all my systems only so that NxFilter works.
The import works very well to bring in groups and users; it fails only on authentication.

sup...@kernel.inf.br

May 27, 2016, 9:34:33 AM
to NxFilter
Do you want me to switch to debug mode?
Even if the tree follows a different pattern, I'm pointing at the root of the LDAP tree (the base DN in setup), so it should see all OUs.

Jinhee

May 27, 2016, 9:49:40 AM
to NxFilter
The problem is that we don't know the 'OU' from your username. If you use this kind of basedn,

  ou=users,dc=example,dc=com,dc=br

We know the OU and we can use it when you try to login. But if you use the basedn without OU,

  dc=example,dc=com,dc=br

We don't know the OU and we use this kind of DN when you try to login,

  uid=userlogging,dc=example,dc=com,dc=br

But when you specify the OU that is 'users' we don't see the groups. We should be able to see your users and groups in the same OU.
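The mismatch described above (the login DN is built as uid=&lt;name&gt;,&lt;base DN&gt;, so a user that lives under ou=users is never found when the base DN is the domain root) is what a search-then-bind flow avoids: search the whole subtree under the base DN for the uid, take the DN the server returns, and bind with that DN. The following is an added example in Java's JNDI API (the same javax.naming API the NxFilter log lines come from), not NxFilter's code; the server URL, service account DN and password are placeholders.

```java
import java.util.Hashtable;
import javax.naming.*;
import javax.naming.directory.*;

public class LdapSearchThenBind {
    // Placeholder server and service account (assumed; not values from the thread).
    static final String URL = "ldap://ldap.example.com.br:389";
    static final String BASE_DN = "dc=example,dc=com,dc=br";
    static final String SVC_DN = "cn=admin,dc=example,dc=com,dc=br";
    static final String SVC_PW = "service-account-password";

    // Escape RFC 4515 filter metacharacters so a login name cannot alter the query.
    static String escapeFilter(String s) {
        return s.replace("\\", "\\5c").replace("*", "\\2a")
                .replace("(", "\\28").replace(")", "\\29");
    }

    static DirContext bind(String dn, String pw) throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, URL);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, dn);
        env.put(Context.SECURITY_CREDENTIALS, pw);
        return new InitialDirContext(env);
    }

    // Step 1: a subtree search under the base DN locates uid=... in any OU.
    static String findUserDn(String uid) throws NamingException {
        DirContext ctx = bind(SVC_DN, SVC_PW);
        try {
            SearchControls sc = new SearchControls();
            sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
            NamingEnumeration<SearchResult> r =
                ctx.search(BASE_DN, "(uid=" + escapeFilter(uid) + ")", sc);
            if (!r.hasMore()) return null;
            String dn = r.next().getNameInNamespace();
            return r.hasMore() ? null : dn;  // ambiguous match: refuse, don't guess
        } finally { ctx.close(); }
    }
    // Step 2: bind as the DN found. An empty password is refused up front because
    // a simple bind with a DN and no password is an unauthenticated bind, not a failure.
    static boolean authenticate(String uid, String pw) throws NamingException {
        if (pw == null || pw.isEmpty()) return false;
        String dn = findUserDn(uid);
        if (dn == null) return false;
        try { bind(dn, pw).close(); return true; }
        catch (AuthenticationException e) { return false; }  // LDAP error code 49
    }
}
```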

Jinhee

May 27, 2016, 9:55:24 AM
to NxFilter
The other possible way is that we allow another type of username. When you login you use,

  cn=userlogging,ou=users,dc=example,dc=com,dc=br

And we extract 'userlogging' from that DN and we create a session for that. We need to modify several things but it's possible.

Jinhee

May 27, 2016, 10:13:20 AM
to NxFilter
I think that's the most promising way. Though your users won't like using a full DN for login, that's just the way it is when you separate your users and groups from each other.

sup...@kernel.inf.br

May 27, 2016, 4:20:53 PM
to NxFilter
Yeah, I think that is the way.

sup...@kernel.inf.br

May 27, 2016, 4:49:25 PM
to NxFilter
cn and uid, correct?
cn=userlogging
and
uid=userlogging

Jinhee

May 28, 2016, 1:51:24 AM
to NxFilter
I tested it. 'cn' didn't work. You have to use 'uid'. So it would be,

  uid=userlogging,ou=users,dc=example,dc=com,dc=br

This is the patched nxd.jar. Replace your /nxfilter/nxd.jar with it and restart NxFilter.

sup...@kernel.inf.br

May 28, 2016, 8:46:07 AM
to NxFilter
I updated.
I'm using NxFilter 3.2.0.
My configuration:
Base DN: dc=example,dc=com,dc=br
Base synchronized:
ERROR [05-28 09:33:35] - uname = uid=userlogging,dc=example,dc=com,dc=br, error = javax.naming.AuthenticationException: [LDAP: error code 49 - Invalid Credentials]

Doesn't work.

I changed my configuration to force the use of Ou=Users:
Base DN: Ou=Users, dc=example,dc=com,dc=br
Base not yet synchronized, to maintain the groups.
INFO [05-28 09:38:53] - TalkUtil.deal_login, New login session for 192.168.100.185, userlogging
Works, but if I synchronize I lose the groups that are on: Ou=Groups,cn=example,dc=com,dc=br

Jinhee

May 28, 2016, 9:19:01 AM
to NxFilter
What I am saying is to use the following as the username on your login-page.

   'uid=userlogging,ou=users,dc=example,dc=com,dc=br'

Not using only 'userlogging'. You are supposed to login to your LDAP server with the DN anyway.

sup...@kernel.inf.br

May 28, 2016, 9:19:50 AM
to NxFilter
I made a test.
I created an OU called Ou=Empresa,dc=example,dc=com,dc=br
and created the subtrees Ou=Users and ou=Groups under it,
then created users and groups under the respective OU.
So I have Ou=Empresa, Ou=Users,Ou=Empresa and Ou=Groups,ou=Empresa.
I changed the configuration to base dn=Ou=Empresa,dc=example,dc=com,dc=br
Synchronized OK.
But even so, authentication failed. I don't know why NxFilter doesn't check my subtree on authentication.

sup...@kernel.inf.br

May 28, 2016, 9:20:24 AM
to NxFilter
Does NxFilter filter by any object on LDAP?

sup...@kernel.inf.br

May 28, 2016, 9:35:26 AM
to NxFilter
But for the ordinary user this is impractical.

Jinhee

May 28, 2016, 9:37:03 AM
to NxFilter
Go back to the old one. Use 'dc=example,dc=com,dc=br' as your basedn. And use this as your username on your login-page.

  uid=userlogging,ou=users,dc=example,dc=com,dc=br

Did you already try that? Did you have the log from NxFilter when you did that?

sup...@kernel.inf.br

May 28, 2016, 9:51:03 AM
to NxFilter
I tried; logging in with uid=userlogging,ou=users,dc=example,dc=com,dc=br really works.
But I can't tell the users to use this.
INFO [05-28 10:37:22] - TalkUtil.deal_login, New login session for 192.168.yy.1xx, userlogging

But in the log I see this error: ERROR [05-28 10:31:19] - LdapAgent.get_obj_arr_ol: javax.naming.SizeLimitExceededException: [LDAP: error code 4 - Sizelimit Exceeded]; remaining name 'dc=agespisa,dc=com,dc=br'

Jinhee

May 28, 2016, 10:20:31 AM
to NxFilter
Then you go back to the old problem. Put the users and groups in the same OU. It's organization unit, why can't you have the users and groups in the same OU?

If you have to use the current LDAP structure you have to use that lengthy login username. We do this in the background,

  username from login-page + base DN from DB

So what do you get? You do the math.

If you don't want to tell your users to add the 'ou=users,dc=example,dc=com,dc=br' part then you add it at the JSP page level. You know JSP code. Or JavaScript on your login-page.

That size limit error is about paging. But we already do paging. How many users do you have on your LDAP server?
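The error code 4 (Sizelimit Exceeded) in the import log above is the failure mode the simple paged results control (RFC 2696) exists for: the client asks for entries in pages no larger than the server's size limit (500 by default in slapd) and follows the server's cookie until it comes back empty. The following is an added example in JNDI, not NxFilter's own import code; the server URL, service account, password and the posixAccount object class are assumptions.

```java
import java.util.ArrayList;
import java.util.Hashtable;
import java.util.List;
import javax.naming.*;
import javax.naming.directory.*;
import javax.naming.ldap.*;

public class LdapPagedImport {
    // Placeholder server and service account (assumed; not values from the thread).
    static final String URL = "ldap://ldap.example.com.br:389";
    static final String BASE_DN = "dc=example,dc=com,dc=br";
    static final String SVC_DN = "cn=admin,dc=example,dc=com,dc=br";
    static final String SVC_PW = "service-account-password";
    static final int PAGE = 500;  // keep each page at or under slapd's default sizelimit

    // Returns the DNs of every posixAccount under the base DN, fetching PAGE
    // entries per round trip so 1040 users never trip a 500-entry size limit.
    static List<String> listUserDns() throws NamingException, java.io.IOException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, URL);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, SVC_DN);
        env.put(Context.SECURITY_CREDENTIALS, SVC_PW);
        LdapContext ctx = new InitialLdapContext(env, null);
        List<String> dns = new ArrayList<>();
        try {
            SearchControls sc = new SearchControls();
            sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
            sc.setReturningAttributes(new String[] { "uid" });
            byte[] cookie = null;
            do {
                ctx.setRequestControls(new Control[] {
                    new PagedResultsControl(PAGE, cookie, Control.CRITICAL) });
                NamingEnumeration<SearchResult> r =
                    ctx.search(BASE_DN, "(objectClass=posixAccount)", sc);
                while (r.hasMore()) dns.add(r.next().getNameInNamespace());
                cookie = null;  // no response cookie, or an empty one, means last page
                Control[] resp = ctx.getResponseControls();
                if (resp != null)
                    for (Control c : resp)
                        if (c instanceof PagedResultsResponseControl)
                            cookie = ((PagedResultsResponseControl) c).getCookie();
            } while (cookie != null && cookie.length > 0);
        } finally { ctx.close(); }
        return dns;
    }
}
```

Marking the control CRITICAL makes a server that does not support paging reject the search outright instead of silently returning a truncated first page.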

sup...@kernel.inf.br

May 28, 2016, 12:52:37 PM
to NxFilter
> Then you go back to the old problem. Put the users and groups in the same OU. It's organization unit, why can't you have the users and groups in the same OU?

First, because I have all other systems configured this way; if I change the tree this will generate problems in the other systems. I have GitLab, SVN, Apache authentication, MX. All the others work this way.
Second, this doesn't work. I created a model like you said, if you look at the older emails.

> If you have to use the current LDAP structure you have to use that lengthy login username. We do this on background,
> username from login-page + basd DN from DB

The users won't accept it, and I think that they are right.

> So what you get? You do the math.

> If you don't want to tell your user to add 'ou=users,dc=example,dc=com,dc=br' part then you add it on JSP page level. You know JSP code. Or Javascript on your login-page.

> That size limit error is about paging. But we already do paging. How many users do you have on your LDAP server?

1040

Jinhee

May 28, 2016, 9:09:03 PM
to NxFilter
Your older email shows that you didn't understand what I have said at all. You do the same thing on another level. What do you get with your LDAP admin when you use your 'OU' as your basedn? You only get your users, not groups. But you use 'OU' when you login. We do importation and login. Not just login, not just importation. We do both of them. And you use two different DNs to login and to import. That's the problem. I can solve that problem by having a 'Login DN' but this is not a general situation. Maybe we can do the login process several times with all the OUs. But I am not sure if it's worth it.

Your users won't accept? Did I not already tell you that?

We do paging. I don't know why it's not working on your system. I might need to test it on my OpenLDAP server first.

Jinhee

May 29, 2016, 12:58:51 AM
to NxFilter
We can solve the problem by keeping the full DN in DB. This one takes some testing procedure though. Will be available in several days.

Jinhee

Jun 2, 2016, 8:44:35 PM
to NxFilter
Try this one,

It keeps the original DN for LDAP login. This means you can import users and groups without an OU and log in with just a username.

sup...@kernel.inf.br

Jun 3, 2016, 11:50:28 AM
to NxFilter
The authentication works, but the import gives Error 500.

Jinhee

Jun 3, 2016, 5:22:32 PM
to nxfil...@googlegroups.com
Are you saying that you have 500 error on your webpage? Can you show me a capture image for NxFilter output while you have the 500 error?