LDAP plugin not playing ball with FreeIPA?


Guillem Liarte

Nov 14, 2013, 4:55:44 AM
to scmma...@googlegroups.com
Hello all,

I have spent hours trying to integrate scm manager to use Free IPA, but I have not been successful yet.

I can successfully find and filter the results I want from the command line with an ldapsearch, and when I test the parameters with a valid account, it connects, but fails to find it. I have used things like Apache, Atlassian and other tools that use LDAP and/or AD, and I am certain that what I am doing is correct; however, I can see I may be missing something I do not know.

So my question is; do we know of a working setup where the user authentication comes from FreeIPA's LDAP?

As a secondary question, where is the configuration file that stores the LDAP settings? I could not find it.

Thanks!

Sebastian Sdorra

Nov 14, 2013, 8:14:52 AM
to scmma...@googlegroups.com
Hi,
I've never tested SCM-Manager directly with Free IPA, but I've used Fedora DS (389 Directory Server), which is used under the hood by Free IPA. Could you post a trace log of a failed login?


Sebastian


2013/11/14 Guillem Liarte <guillem...@googlemail.com>

--
You received this message because you are subscribed to the Google Groups "scmmanager" group.
To unsubscribe from this group and stop receiving emails from it, send an email to scmmanager+...@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.

Guillem Liarte

Nov 14, 2013, 10:44:35 AM
to scmma...@googlegroups.com
I have enabled it and now I can see more.


It complains it cannot bind; however, I can bind doing an ldapsearch:

ldapsearch -D "cn=Directory Manager" -w  ##### -h localhost -b "cn=users,cn=accounts,dc=netdevops,dc=com"  "(&(objectClass=posixaccount)(memberOf=cn=sysadmins,cn=groups,cn=accounts,dc=netdevops,dc=com))"


# extended LDIF
#
# LDAPv3
# base <cn=users,cn=accounts,dc=netdevops,dc=com> with scope subtree
# filter: (&(objectClass=posixaccount)(memberOf=cn=sysadmins,cn=groups,cn=accounts,dc=netdevops,dc=com))
# requesting: ALL
#

# guillem.liarte, users, accounts, netdevops.com
dn: uid=guillem.liarte,cn=users,cn=accounts,dc=netdevops,dc=com
displayName: Guillem Liarte
cn: Guillem Liarte
objectClass: top
objectClass: person
objectClass: organizationalperson
objectClass: inetorgperson
objectClass: inetuser
objectClass: posixaccount
objectClass: krbprincipalaux
objectClass: krbticketpolicyaux
objectClass: ipaobject
objectClass: ipasshuser
objectClass: ipaSshGroupOfPubKeys
objectClass: mepOriginEntry
loginShell: /bin/sh
sn: Liarte
gecos: Guillem Liarte
homeDirectory: /home/guillem.liarte
krbPwdPolicyReference: cn=sysadmins,cn=NETDEVOPS.COM,cn=kerberos,dc=netdevops,
 dc=com
krbPrincipalName: guillem...@NETDEVOPS.COM
givenName: Guillem
uid: guillem.liarte
initials: GL

[ ... ]   lots of output omitted [. . .]

# search result
search: 2
result: 0 Success

# numResponses: 3
# numEntries: 2


___


When I do the same test from scm:

16:32:08.442 [qtp1255548706-14] TRACE sonia.scm.web.filter.BasicAuthenticationFilter - user is allready authenticated
16:32:08.443 [qtp1255548706-14] TRACE sonia.scm.security.AuthorizationCollector - retrieve AuthorizationInfo for user scmadmin from cache
16:32:08.445 [qtp1255548706-14] DEBUG sonia.scm.auth.ldap.LDAPConnection - create context for dn cn=Directory Manager
16:32:08.445 [qtp1255548706-14] DEBUG sonia.scm.auth.ldap.LDAPConnection - use follow as referral strategy
16:32:08.446 [qtp1255548706-14] DEBUG sonia.scm.auth.ldap.LDAPAuthenticationContext - using scope object for user search
16:32:08.446 [qtp1255548706-14] DEBUG sonia.scm.auth.ldap.LDAPAuthenticationContext - search-filter for user search: (&(objectClass=posixaccount)(memberOf=cn=sysadmins,cn=groups,cn=accounts,dc=netdevops,dc=com)(uid=guillem.liarte))
16:32:08.446 [qtp1255548706-14] DEBUG sonia.scm.auth.ldap.LDAPAuthenticationContext - search base for user search: cn=users,cn=accounts,dc=netdevops,dc=com
16:32:08.447 [qtp1255548706-14] WARN  sonia.scm.auth.ldap.LDAPAuthenticationContext - no user with username guillem.liarte found
16:32:08.447 [qtp1255548706-14] TRACE sonia.scm.auth.ldap.LDAPAuthenticationContext - return authentication result: user: null, state: NOT_FOUND


____

I have tried starting the search in different parts of the tree, but it always fails the same way.


The IPA and scm-manager are running on the same machine at the moment.

I can carry out the ldapsearch remotely, so that is not the problem here.

At the moment I am puzzled about what to do.

If I wanted to look at a plugin for IPA, or to modify the current LDAP plugin so it can handle it, where could I start? Is it written in Java? (I have never done any Java, only Python and Ruby.)

Thanks,

G

Sebastian Sdorra

Nov 15, 2013, 2:04:40 AM
to scmma...@googlegroups.com
I think the problem is the following line in the log:

using scope object for user search

I think the scope should be one or sub.

Sebastian

Guillem Liarte

Nov 15, 2013, 9:27:40 AM
to scmma...@googlegroups.com
Sebastian,

I tried with all the scopes, same effect.

Where can I see the LDAP plugin's code, or where can I test it separately?

Sebastian Sdorra

Nov 15, 2013, 9:51:33 AM
to scmma...@googlegroups.com
The source of the plugin is located at https://bitbucket.org/tludewig/scm-auth-ldap-plugin. You can uncheck the enabled checkbox for ldap authentication and then you can use the "Test Connection" button, without affecting other users. Could you post a trace log with search scope sub?

Sebastian


2013/11/15 Guillem Liarte <guillem...@googlemail.com>

Guillem Liarte

Nov 15, 2013, 11:03:58 AM
to scmma...@googlegroups.com
Sebastian,


Here:

17:02:45.433 [qtp899890847-17] DEBUG sonia.scm.auth.ldap.LDAPConnection - create context for dn cn=Directory Manager
17:02:45.433 [qtp899890847-17] DEBUG sonia.scm.auth.ldap.LDAPConnection - use follow as referral strategy
17:02:45.434 [qtp899890847-17] DEBUG sonia.scm.auth.ldap.LDAPAuthenticationContext - using scope sub for user search
17:02:45.435 [qtp899890847-17] DEBUG sonia.scm.auth.ldap.LDAPAuthenticationContext - search-filter for user search: (&(objectClass=posixaccount)(memberOf=cn=sysadmins,cn=groups,cn=accounts,dc=netdevops,dc=com)(uid=guillem.liarte))
17:02:45.435 [qtp899890847-17] DEBUG sonia.scm.auth.ldap.LDAPAuthenticationContext - search base for user search: cn=users,dc=netdevops,dc=com
17:02:45.437 [qtp899890847-17] ERROR sonia.scm.auth.ldap.LDAPAuthenticationContext - exception occured during user search
javax.naming.NameNotFoundException: [LDAP: error code 32 - No Such Object]

Sebastian Sdorra

Nov 15, 2013, 11:36:36 AM
to scmma...@googlegroups.com
It looks like the base DN for the user search does not exist (base DN for user search = people unit, base DN). I've set up a FreeIPA in a virtual machine. For me the following configuration works:

- Profile: Custom
- ID Attribute Name: uid
- Fullname Attribute Name: cn
- Mail Attribute Name: mail
- Group Attribute Name: group
- Base DN: dc=scm-manager,dc=local
- Connection DN: cn=Directory Manager
- Connection Password: xxx
- Host URL: ldap://localhost:389
- Search Filter: (&(uid={0}))
- Group Search Filter: (&(objectClass=groupOfUniqueNames)(uniqueMember={0}))
- Search Scope: sub
- People Unit: cn=users,cn=accounts
- Groups Unit: cn=groups,cn=accounts
- Referral Strategy: FOLLOW
- Enable nested ad groups: false
- Use StartTLS: false
- Enabled: true

I'm not sure about the group configuration, but authentication works. Perhaps we should create a profile for FreeIPA.

Sebastian
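To make the failure modes in this thread concrete, here is an added offline model of what the plugin does with these settings; it is example code written for this page, not code from SCM-Manager or the scm-auth-ldap-plugin. It composes the user search base from "People Unit" and "Base DN" (Sebastian's settings, with the base DN switched to the poster's dc=netdevops,dc=com), substitutes {0} in the search filter with an RFC 4515-escaped username, and evaluates the filter against a small constructed in-memory directory under the three scopes. The directory entries, the `search()` result shape (`("error", 32)` for a missing base, mirroring the `No Such Object` error in the log) and the filter mini-parser are all assumptions of this example; a real server also handles wildcards, substring filters and escaped commas in DNs, which the toy does not.

```python
"""Offline model of the LDAP plugin's user lookup (added example, not plugin code)."""
import re

# Constructed sample directory shaped like the FreeIPA tree in the thread.
DIRECTORY = {
    "dc=netdevops,dc=com": {"objectclass": ["domain"]},
    "cn=accounts,dc=netdevops,dc=com": {"objectclass": ["nscontainer"]},
    "cn=users,cn=accounts,dc=netdevops,dc=com": {"objectclass": ["nscontainer"]},
    "uid=guillem.liarte,cn=users,cn=accounts,dc=netdevops,dc=com": {
        "objectclass": ["top", "posixaccount", "inetorgperson"],
        "uid": ["guillem.liarte"],
        "memberof": ["cn=sysadmins,cn=groups,cn=accounts,dc=netdevops,dc=com"],
    },
}

# Settings from the reply above, with the base DN adapted to the poster's domain.
WORKING_CONFIG = {
    "base_dn": "dc=netdevops,dc=com",
    "people_unit": "cn=users,cn=accounts",
    "search_filter": "(&(uid={0}))",
    "search_scope": "sub",
}


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping: a username must never change the filter's structure."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def unescape_filter_value(value: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def user_search_base(people_unit: str, base_dn: str) -> str:
    """The plugin searches under '<People Unit>,<Base DN>', not under Base DN alone."""
    return f"{people_unit},{base_dn}" if people_unit else base_dn


def render_filter(template: str, username: str) -> str:
    return template.replace("{0}", escape_filter_value(username))


def filter_is_balanced(flt: str) -> bool:
    """Cheap sanity check for a hand-typed filter (catches a missing ')')."""
    depth = 0
    for ch in flt:
        depth += {"(": 1, ")": -1}.get(ch, 0)
        if depth < 0:
            return False
    return depth == 0


def parse_filter(text: str):
    """Minimal parser: supports (&(a=b)(c=d)...) and (a=b); raises on malformed input."""
    pos = 0

    def parse():
        nonlocal pos
        if pos >= len(text) or text[pos] != "(":
            raise ValueError(f"expected '(' at offset {pos}")
        pos += 1
        if text[pos] == "&":
            pos += 1
            items = []
            while pos < len(text) and text[pos] == "(":
                items.append(parse())
            node = ("and", items)
        else:
            end = text.index(")", pos)  # escaped ')' inside values is '\29', so safe
            attr, _, value = text[pos:end].partition("=")
            node = ("eq", attr.lower(), unescape_filter_value(value.lower()))
            pos = end
        if pos >= len(text) or text[pos] != ")":
            raise ValueError(f"expected ')' at offset {pos}")
        pos += 1
        return node

    node = parse()
    if pos != len(text):
        raise ValueError("trailing characters after filter")
    return node


def matches(node, entry) -> bool:
    if node[0] == "and":
        return all(matches(n, entry) for n in node[1])
    _, attr, value = node
    return value in [v.lower() for v in entry.get(attr, [])]


def in_scope(dn: str, base: str, scope: str) -> bool:
    """object = the base entry only; one = direct children; sub = base and all descendants."""
    dn, base = dn.lower(), base.lower()
    if dn == base:
        return scope in ("object", "sub")
    if scope == "object" or not dn.endswith("," + base):
        return False
    return scope == "sub" or "," not in dn[: -len(base) - 1]


def search(directory, base: str, scope: str, filter_text: str):
    """('error', 32) if the base DN does not exist (noSuchObject), else ('ok', [matching DNs])."""
    if base.lower() not in {dn.lower() for dn in directory}:
        return ("error", 32)
    node = parse_filter(filter_text)
    return ("ok", [dn for dn, e in directory.items() if in_scope(dn, base, scope) and matches(node, e)])


def lookup_user(config, username: str, directory=DIRECTORY):
    base = user_search_base(config["people_unit"], config["base_dn"])
    return search(directory, base, config["search_scope"], render_filter(config["search_filter"], username))


if __name__ == "__main__":
    print(lookup_user(WORKING_CONFIG, "guillem.liarte"))
```

Running the three situations from the thread through `search()` reproduces them: the first log (scope `object` on the users container) returns an empty hit list, which the plugin reports as NOT_FOUND; the second (base `cn=users,dc=netdevops,dc=com`, which does not exist) returns the error-32 case; the working settings return the user's DN. The escaping step is the part worth keeping when configuring `{0}` filters: a username such as `*)(uid=*` is rendered as `\2a\29\28uid=\2a` and cannot widen the match.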

Guillem Liarte

Nov 19, 2013, 4:33:35 AM
to scmma...@googlegroups.com
Sebastian,


I can confirm that the configuration you proposed in your last reply works. Many thanks for your help!

Connection: SUCCESS
Search user: SUCCESS
Authenticate user: SUCCESS
Returned user is valid: SUCCESS

User:
- Name: guillem.liarte
- Display Name: Guillem Liarte
- Mail: guillem...@netdevops.com


Groups

Regards,

Guillem