scm-auth-ldap-plugin against Active Directory


.Mark

Jul 25, 2011, 10:33:42 AM
to scmmanager
I am having a bit of trouble getting the scm-auth-ldap-plugin working
against Active Directory. I am not sure if there is something
preventing this from working in Active Directory or if I am not
setting up the plugin correctly.

I am using scm-webapp-1.5 with scm-auth-ldap-plugin 1.3 on Ubuntu
server 11 in Jetty. I am using Softerra LDAP Browser to explore our
Active Directory.


Here is what I am trying to use in the LDAP authentication
configuration. I do not fully understand what to put in the "Groups
Unit" and "Groups People".

The following configuration settings give me the following error in
the log.
Fullname Attribute Name: cn
ID Attribute Name: SAMAccountName
Mail Attribute Name: mail
Group Attribute Name: memberOf
Base DN: <left blank>
Connection DN: CN=First Last,OU=Employee Full-Time,OU=Corporate,DC=Company,DC=com
Connection Password: ********
Host URL: ldap://xxx.xxx.xx.x:389
Search Filter: (&(SAMAccountName={0})(objectClass=user))
Search Scope: one
Groups Unit:OU=Groups,OU=Corporate,DC=Company,DC=com
Groups People:OU=Employee Full-Time,OU=Corporate,DC=Company,DC=com

When I try to log into the system I use the following account in a
different web browser.
User: First.Last
password: ********

The error message:

16:24:57.736 [1656788308@qtp-959772314-6] ERROR sonia.scm.auth.ldap.LDAPAuthenticationHandler - OU=Employee Full-Time,OU=Corporate,DC=Company,DC=com,: [LDAP: error code 34 - 0000208F: NameErr: DSID$
'OU=Employee Full-Time,OU=Corporate,DC=Company,DC=com,'
^@]
javax.naming.InvalidNameException: OU=Employee Full-Time,OU=Corporate,DC=Company,DC=com,: [LDAP: error code 34 - 0000208F: NameErr: DSID-031001F7, problem 2006 (BAD_NAME), data 8350, best match of:
'OU=Employee Full-Time,OU=Corporate,DC=Company,DC=com,'
^@]



The following configuration settings give me the following error in
the log.
Fullname Attribute Name: cn
ID Attribute Name: SAMAccountName
Mail Attribute Name: mail
Group Attribute Name: memberOf
Base DN: DC=Company,DC=com
Connection DN: CN=First Last,OU=Employee Full-Time,OU=Corporate
Connection Password: ********
Host URL: ldap://xxx.xxx.xx.x:389
Search Filter: (&(SAMAccountName={0})(objectClass=user))
Search Scope: one
Groups Unit:OU=Groups,OU=Corporate
Groups People:OU=Employee Full-Time,OU=Corporate

When I try to log into the system I use the following account in a
different web browser.
User: First.Last
password: ********

The error message:

17:03:27.440 [672845127@qtp-1143608781-2] ERROR sonia.scm.auth.ldap.LDAPAuthenticationHandler - [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1$
javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1^@]


Any ideas how I would be able to get this working?

Sebastian Sdorra

Jul 25, 2011, 11:10:31 AM
to scmma...@googlegroups.com
Hello,
The second config is the right one, but I think the "connection dn"
must be fully qualified (CN=First Last,OU=Employee
Full-Time,OU=Corporate,DC=Company,DC=com). Version 1.4 of the
ldap-plugin has improved logging and help texts for the
configuration. The SCM-Manager shows no available plugin upgrades at
the moment, so you have to uninstall version 1.3 and then you
can install version 1.4.

Sebastian

2011/7/25 .Mark <ward...@gmail.com>:

.Mark

Jul 25, 2011, 11:38:26 AM
to scmmanager

Thank you!

I have it working with the 1.4 ldap-plugin

These are the settings that I used:
Fullname Attribute Name: cn
ID Attribute Name: SAMAccountName
Mail Attribute Name: mail
Group Attribute Name: memberOf
Base DN: DC=Company,DC=com
Connection DN: CN=First Last,OU=Employee Full-Time,OU=Corporate,DC=Company,DC=com
Connection Password: ********
Host URL: ldap://xxx.xxx.xx.x:389
Search Filter: (&(SAMAccountName={0})(objectClass=user))
Search Scope: one
Groups Unit:OU=Groups,OU=Corporate
Groups People:OU=Employee Full-Time,OU=Corporate

I had read that if the Base DN is specified, the connection DN would
be relative, so I never tried a fully qualified one once I had the other
fields fixed for AD connections.

On Jul 25, 10:10 am, Sebastian Sdorra <s.sdo...@gmail.com> wrote:
> Hello,
> The second config is the right one, but I think the "connection dn"
> must be fully qualified (CN=First Last,OU=Employee
> Full-Time,OU=Corporate,DC=Company,DC=com). Version 1.4 of the
> ldap-plugin has improved logging and help texts for the
> configuration. The SCM-Manager shows no available plugin upgrades at
> the moment, so you have to uninstall version 1.3 and then you
> can install version 1.4.
>
> Sebastian
>
> 2011/7/25 .Mark <ward.m...@gmail.com>:

GIGA AKS

Sep 25, 2012, 8:00:23 PM
to scmma...@googlegroups.com
I tried this value for the group, thanks.
 
In my case,
 
Profile: custom
Fullname Attribute Name: cn
ID Attribute Name: SAMAccountName
Mail Attribute Name: mail
Group Attribute Name: memberOf
Base DN: DC=tsh,DC=mycompany,DC=com
Connection DN: CN=First Last,OU=Employee Full-Time,OU=Corporate,DC=Company,DC=com
Connection Password: ****Password_of_First Last_user_as_given_in_cn=value****
Host URL: ldap://xxx.xxx.xx.x:389
Search Filter: (&(SAMAccountName={0})(objectClass=user))
Search Scope: sub (one didn't work for me)
People Unit: <left blank>
Group Unit: <left blank>
I left the last two blank, enabled nested AD groups, and enabled the last "enable/disable ldap" checkbox.
 
Note: if I change the scope from sub to one, it didn't work (maybe I had to give values like you said for the People/Group Unit fields). When I checked "Use StartTLS encryption" it didn't work either; otherwise, it finally works.
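The following script is an added example for this thread; it is not part of scm-auth-ldap-plugin or SCM-Manager and does not talk to a directory. It checks the settings posted above offline and decodes the two log lines from the first post: the "error code 34 ... BAD_NAME" with the trailing comma (consistent with the People/Group unit being joined to a blank Base DN; that join behaviour is an assumption, taken from the dangling comma in the log), and the "error code 49 ... data 52e" from binding with a Connection DN that is relative to the Base DN rather than fully qualified, as Sebastian pointed out. It also shows RFC 4515 escaping for the {0} placeholder in the search filter and the Active Directory LDAP_MATCHING_RULE_IN_CHAIN filter that resolves nested group membership, both standard LDAP/AD behaviour rather than anything the plugin is documented to do. The settings dict keys and the finding strings are my own names.

```python
"""Offline checks for the scm-auth-ldap-plugin settings and log lines quoted in this thread.
Added example, not plugin code.  Assumption: the plugin appends "," + Base DN to the
People/Group units and binds with the Connection DN exactly as typed."""
import re

# LDAP result codes seen in the thread (RFC 4511 names).
LDAP_RESULT = {32: "noSuchObject", 34: "invalidDNSyntax", 49: "invalidCredentials"}

# Active Directory sub-codes in "AcceptSecurityContext error, data NNN" on a failed bind.
AD_BIND_DATA = {
    "525": "user not found",
    "52e": "invalid credentials (wrong password, or bind DN not resolvable)",
    "530": "logon not permitted at this time",
    "531": "logon not permitted at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}


def parse_dn(dn):
    """Split a DN into (attr, value) RDNs; an empty RDN (e.g. a trailing comma) is an error."""
    rdns = []
    for part in re.split(r"(?<!\\),", dn):
        part = part.strip()
        if not part:
            raise ValueError(f"empty RDN in {dn!r} (dangling comma?)")
        m = re.fullmatch(r"([A-Za-z][A-Za-z0-9-]*)=(.+)", part)
        if not m:
            raise ValueError(f"malformed RDN {part!r} in {dn!r}")
        rdns.append((m.group(1).upper(), m.group(2).casefold()))
    return rdns


def is_valid_dn(dn):
    try:
        parse_dn(dn)
        return True
    except ValueError:
        return False


def naive_join(unit, base_dn):
    """Assumed plugin behaviour: always append ',' + Base DN, even when Base DN is blank."""
    return f"{unit},{base_dn}"


def join_unit(unit, base_dn):
    """Safe join: skip blank parts so a blank Base DN cannot leave a dangling comma."""
    return ",".join(p.strip() for p in (unit, base_dn) if p and p.strip())


def is_fully_qualified(bind_dn, base_dn):
    """True when bind_dn ends with every RDN of base_dn, i.e. it is not a relative DN."""
    bind, base = parse_dn(bind_dn), parse_dn(base_dn)
    return len(bind) > len(base) and bind[-len(base):] == base


def escape_filter_value(value):
    """RFC 4515 escaping for a value substituted into a search filter."""
    table = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
    return "".join(table.get(ch, ch) for ch in value)


def build_filter(template, username):
    """Fill the {0} placeholder without letting the login name rewrite the filter."""
    return template.replace("{0}", escape_filter_value(username))


def nested_groups_filter(user_dn):
    """AD-only filter for all groups a user belongs to, transitively (OID 1.2.840.113556.1.4.1941)."""
    return f"(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={escape_filter_value(user_dn)}))"


def explain_log_line(line):
    """Decode 'error code N' and, for code 49, the AD 'data NNN' sub-code from a plugin log line."""
    m = re.search(r"error code (\d+)", line)
    if not m:
        return None
    info = {"code": int(m.group(1))}
    info["name"] = LDAP_RESULT.get(info["code"], "unknown")
    d = re.search(r"\bdata ([0-9a-f]+)", line)
    if info["code"] == 49 and d:
        info["ad_data"] = d.group(1)
        info["reason"] = AD_BIND_DATA.get(d.group(1), "unknown AD sub-code")
    return info


def audit_settings(s):
    """Return finding strings for a settings dict keyed like the plugin's form fields."""
    findings, base = [], s.get("base_dn", "").strip()
    for key in ("people_unit", "group_unit"):
        unit = s.get(key, "").strip()
        if unit and not base and not is_valid_dn(naive_join(unit, base)):
            findings.append(f"{key}: joined to a blank Base DN gives a bad DN (error 34)")
    if base and not is_fully_qualified(s["connection_dn"], base):
        findings.append("connection_dn: relative DN, AD bind fails with error 49 / data 52e")
    if s.get("scope") == "one" and not s.get("people_unit", "").strip():
        findings.append("scope: 'one' with a blank People unit only sees direct children of Base DN")
    if s["host_url"].startswith("ldap://") and not s.get("starttls"):
        findings.append("transport: plain ldap:// without StartTLS sends bind passwords in clear")
    return findings
```

The last finding is the one to act on even after login works: with ldap://host:389 and StartTLS unchecked, the Connection Password and every user's password cross the network in clear on each login, so the fix is to make StartTLS or ldaps:// work (usually by trusting the domain controller's certificate in the Java trust store), not to leave encryption off.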