[GeoNetwork-users] LDAP config

Hi

My organisation's LDAP tree does not use uid in the DN; the DNs are
constructed as follows:

cn=Terry Rankine,ou=Users,dc=blah,dc=deblah,dc=au
uid=TerryRankine
sn=Rankine
givenName=Terry
objectClass=interOrgPerson
mail=.....
.....

How can I configure GeoNetwork's LDAP to do this 2-stage bind?
--
View this message in context: http://n2.nabble.com/LDAP-config-tp3421426p3421426.html
Sent from the GeoNetwork users mailing list archive at Nabble.com.

Terry Rankine wrote:

Hi

My organisation's LDAP tree does not use uid in the DN; the DNs are
constructed as follows:

cn=Terry Rankine,ou=Users,dc=blah,dc=deblah,dc=au
uid=TerryRankine
sn=Rankine
givenName=Terry
objectClass=interOrgPerson
mail=.....
.....

How can I configure GeoNetwork's LDAP to do this 2-stage bind?

Hallo,

I changed the following line in file LDAPContext.java:
...
  public LDAPInfo lookUp(String username, String password)
  {
    try
    {
from:
      String path = "uid="+ username +","+ usersDN +","+ baseDN;
to
      String path = "cn="+ username +","+ usersDN +","+ baseDN;

      DirContext dc = LDAPUtil.openContext(getUrl(), path, password);
...

usersDN and baseDN are set here:

    String prefix = "system/ldap";
...
    baseDN = sm.getValue (prefix +"/distinguishedNames/base");
    usersDN = sm.getValue (prefix +"/distinguishedNames/users");
...

Maybe this helps.

Regards
Hans

--
View this message in context: http://n2.nabble.com/LDAP-config-tp3421426p3488779.html

hramthun wrote:

String path = "cn="+ username +","+ usersDN +","+ baseDN;

That assumption still means that the user is putting their CN into the
username box. This is not the case for us.

The CN is an identifier for us, not a username.

In our case
CN = first, middle and last name
uid = the thing they use as their username.

We need a way of binding to discover the UID, then binding as that CN
against their password.

Our other clients of LDAP are able to do this (Apache, Jira, PAM, etc.).

Any other suggestions?

Terry

--
View this message in context: http://n2.nabble.com/LDAP-config-tp3421426p3500978.html

Hallo Terry

Terry Rankine (via Nabble) wrote:

    hramthun wrote:
    String path = "cn="+ username +","+ usersDN +","+ baseDN;

That assumption still means that the user is putting their CN into the
username box. This is not the case for us.

No, I still log in with my username, not with the cn. The cn (in the
GeoNetwork class) is only to authorize against the LDAP system. I tried
'ldapsearch' or 'ldapbind' (on Oracle LDAP) to see which commands
produce which output.

Cheers
Hans

The CN is an identifier for us, not a username.

In our case
CN = first, middle and last name
uid = the thing they use as their username.

We need a way of binding to discover the UID, then binding as that CN
against their password.

Our other clients of LDAP are able to do this (Apache, Jira, PAM, etc.).

Any other suggestions?

Terry


--
View this message in context: http://n2.nabble.com/LDAP-config-tp3421426p3501807.html

Hallo Terry,

Terry Rankine wrote:

hramthun wrote:

String path = "cn="+ username +","+ usersDN +","+ baseDN;

That assumption still means that the user is putting their CN into the
username box. This is not the case for us.

No, I still log in with my username, not with the cn. The cn (in the
GeoNetwork class) is only to authorize against the LDAP system. I tried
'ldapsearch' or 'ldapbind' (on Oracle LDAP) to see which commands
produce which output.

Cheers
Hans

--
View this message in context: http://n2.nabble.com/LDAP-config-tp3421426p3501851.html

If I type my uid into the username box, it uses it as the BindDN to test my
username/password.

My LDAP entry
dn=cn=Terry Rankine, ou=Users, dc=arrc, dc=csiro, dc=au
uid=mrt

There is no DN which matches uid=mrt,ou=Users,dc=arrc,dc=csiro,dc=au or
cn=mrt,ou=Users,dc=arrc,dc=csiro,dc=au, which means if I type my uid in it
will always fail.

How can GeoNetwork find my LDAP user if it can't bind as my uid to my DN
when it doesn't know how to build my DN?

GN config bits:
Distinguished names:
Base: dc=arrc,dc=csiro,dc=au
Users: ou=users
User's attributes:
Name: cn
Profile: mail

gn log:
42903803 [TP-Processor2] WARN geonetwork.ldap - Cannot open context on :
ldap://****.****.csiro.au:389
42903804 [TP-Processor2] WARN geonetwork.ldap - (C) Reason : [LDAP: error
code 49 - Invalid Credentials]

ldap log:
Aug 25 10:58:44 cgsrv4 slapd[22705]: conn=0 op=0 BIND
dn="cn=mrt,ou=users,dc=arrc,dc=csiro,dc=au" method=128

I am pretty sure GeoNetwork needs to work out that it has to do two steps
here: search the tree for my uid, then bind as my DN with my username and
password.

Terry

hramthun wrote:

No, I still log in with my username, not with the cn. The cn (in the
GeoNetwork class) is only to authorize against the LDAP system. I tried
'ldapsearch' or 'ldapbind' (on Oracle LDAP) to see which commands
produce which output.

--
View this message in context: http://n2.nabble.com/LDAP-config-tp3421426p3507526.html
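The two-step login Terry describes (search the tree for the uid, then bind with the DN the search returns), as an added example that is not part of the thread or of GeoNetwork's code. The directory server is a small in-memory stub (an assumption made so the block runs offline); a real implementation issues the same search and bind operations through JNDI, as LDAPContext.java does. The Base, Users and uid settings are the ones Terry posted; the entries, the second user and the passwords are constructed sample data. Two points go beyond the thread: the username is escaped before it is placed in a search filter (RFC 4515), because a value typed into a login box must not be able to rewrite the filter, and an empty password is refused before the bind, because LDAP servers may treat a bind with an empty password as an anonymous "unauthenticated bind" (RFC 4513) and report success.

```python
"""Two-stage LDAP login: search for the uid, then bind with the DN found.

Added example, not GeoNetwork's code. The directory is an in-memory stub
so the block runs offline; a real deployment issues the same search and
bind operations through JNDI (as LDAPContext.java does) or python-ldap.
"""
import hmac
import re

# Constructed sample directory, shaped like the entries in the thread:
# DN -> (attributes, password). Passwords are invented sample values.
DIRECTORY = {
    "cn=Terry Rankine,ou=Users,dc=arrc,dc=csiro,dc=au": (
        {"uid": "mrt", "sn": "Rankine", "givenName": "Terry"}, "sample-pw-1"),
    "cn=Hans Ramthun,ou=Users,dc=arrc,dc=csiro,dc=au": (
        {"uid": "hans", "sn": "Ramthun", "givenName": "Hans"}, "sample-pw-2"),
}
BASE_DN = "dc=arrc,dc=csiro,dc=au"   # GeoNetwork "Base" setting from the thread
USERS_DN = "ou=Users"                # GeoNetwork "Users" setting
LOGIN_ATTR = "uid"                   # what the user types; it is not the RDN

_FILTER_ESCAPES = {ord("\\"): "\\5c", ord("*"): "\\2a",
                   ord("("): "\\28", ord(")"): "\\29", 0: "\\00"}


def escape_filter_value(value):
    """RFC 4515 escaping for a value embedded in a search filter. Without it
    a username such as '*' or 'x)(uid=*' rewrites the filter itself."""
    return value.translate(_FILTER_ESCAPES)


def _norm_dn(dn):
    """Normalise spacing and case so 'ou=Users, dc=x' equals 'ou=users,dc=x'."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


class StubLdap:
    """Minimal stand-in for a directory server (assumed, for offline use)."""

    def __init__(self, entries):
        self._by_dn = {_norm_dn(dn): (dn, attrs, pw)
                       for dn, (attrs, pw) in entries.items()}

    def search(self, base, ldap_filter):
        """Equality filter '(attr=value)' under base; a bare '*' is a wildcard,
        while an escaped '\\2a' is the literal character, as on a real server."""
        m = re.fullmatch(r"\((\w+)=(.*)\)", ldap_filter)
        if not m:
            raise ValueError("unsupported filter: " + ldap_filter)
        attr, raw = m.group(1), m.group(2)
        wanted = None if raw == "*" else re.sub(
            r"\\([0-9a-fA-F]{2})", lambda h: chr(int(h.group(1), 16)), raw)
        suffix = "," + _norm_dn(base)
        return [dn for key, (dn, attrs, _) in self._by_dn.items()
                if key.endswith(suffix)
                and (wanted is None or attrs.get(attr, "").lower() == wanted.lower())]

    def bind(self, dn, password):
        """Simple bind: True only for a known DN and a matching password."""
        entry = self._by_dn.get(_norm_dn(dn))
        if entry is None:
            return False
        return hmac.compare_digest(entry[2].encode(), password.encode())


def one_stage_dn(username):
    """The DN the unpatched lookUp() builds: '<attr>=<username>,<users>,<base>'.
    With uid not in the RDN this DN does not exist, hence error code 49."""
    return "%s=%s,%s,%s" % (LOGIN_ATTR, username, USERS_DN, BASE_DN)


def two_stage_login(ldap, username, password):
    """Return the user's DN on success, None on any failure."""
    # An empty password would be an unauthenticated bind (RFC 4513), which
    # servers may accept as anonymous; refuse it before touching the server.
    if not username or not password:
        return None
    ldap_filter = "(%s=%s)" % (LOGIN_ATTR, escape_filter_value(username))
    matches = ldap.search(USERS_DN + "," + BASE_DN, ldap_filter)
    if len(matches) != 1:          # unknown user, or an ambiguous match
        return None
    user_dn = matches[0]
    return user_dn if ldap.bind(user_dn, password) else None


if __name__ == "__main__":
    ldap = StubLdap(DIRECTORY)
    print("one-stage bind as uid RDN:", ldap.bind(one_stage_dn("mrt"), "sample-pw-1"))
    print("two-stage login:", two_stage_login(ldap, "mrt", "sample-pw-1"))
```

The first search is shown here as an anonymous one; directories that do not allow anonymous search need a read-only service account for that step, and the user's own credentials are only ever used in the second bind.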

Hi Terry,

How did you configure the geonetwork ldap access (Administration/System
configuration)?
My values are:
host: myLDAP_host.de
port: 4032
base: dc=dkrz,dc=de

for DN:
users: cn=Users
name: cn (I think here was uid before)
profile: ... (keep open)

That's the reason why I changed the code from 'uid' to 'cn' as I wrote in my
first answer.

What you fill in here must exactly match the parameters you enter in a
successful ldapsearch command.

Cheers
Hans

Terry Rankine wrote:

If I type my uid into the username box, it uses it as the BindDN to test
my username/password.

My LDAP entry
dn=cn=Terry Rankine, ou=Users, dc=arrc, dc=csiro, dc=au
uid=mrt

There is no DN which matches uid=mrt,ou=Users,dc=arrc,dc=csiro,dc=au or
cn=mrt,ou=Users,dc=arrc,dc=csiro,dc=au, which means if I type my uid in it
will always fail.

How can GeoNetwork find my LDAP user if it can't bind as my uid to my DN
when it doesn't know how to build my DN?

GN config bits:
Distinguished names:
Base: dc=arrc,dc=csiro,dc=au
Users: ou=users
User's attributes:
Name: cn
Profile: mail

gn log:
42903803 [TP-Processor2] WARN geonetwork.ldap - Cannot open context on :
ldap://****.****.csiro.au:389
42903804 [TP-Processor2] WARN geonetwork.ldap - (C) Reason : [LDAP:
error code 49 - Invalid Credentials]

ldap log:
Aug 25 10:58:44 cgsrv4 slapd[22705]: conn=0 op=0 BIND
dn="cn=mrt,ou=users,dc=arrc,dc=csiro,dc=au" method=128

I am pretty sure GeoNetwork needs to work out that it has to do two steps
here: search the tree for my uid, then bind as my DN with my username and
password.

Terry

hramthun wrote:

No, I still log in with my username, not with the cn. The cn (in the
GeoNetwork class) is only to authorize against the LDAP system. I tried
'ldapsearch' or 'ldapbind' (on Oracle LDAP) to see which commands
produce which output.

--
View this message in context: http://n2.nabble.com/LDAP-config-tp3421426p3508110.html

Hi Hans

I am pretty sure that your LDAP schema has duplicate identity information or
LDAP 'views' running to enable the solution to work for you.

The following LDAP schema will not work in GeoNetwork as it stands.
User Tree DN
ou=Users, dc=arrc, dc=csiro, dc=au

My LDAP entry
dn=cn=Terry Rankine, ou=Users, dc=arrc, dc=csiro, dc=au
uid=mrt
sn=Terry Rankine

I have a patch here which will fix it, but it is specific to the 2 step
lookup. Do you mind seeing what it breaks on your installation?

Cheers,
Terry Rankine

http://n2.nabble.com/file/n3508251/patch-ldap-2step-lookup.txt
patch-ldap-2step-lookup.txt

--
View this message in context: http://n2.nabble.com/LDAP-config-tp3421426p3508251.html

Terry Rankine wrote:

The following LDAP schema will not work in GeoNetwork as it stands.
User Tree DN
ou=Users, dc=arrc, dc=csiro, dc=au

My LDAP entry
dn=cn=Terry Rankine, ou=Users, dc=arrc, dc=csiro, dc=au
uid=mrt
sn=Terry Rankine

Hi Terry,

On our LDAP (Oracle LDAP) this works correctly:
'cn=hans_ramthun,cn=Users,dc=dkrz,dc=de'
With this authorization I can retrieve all possible values like 'uid' or
'mail' or any other by filter.
But I do nothing else but this check of whether the connection is correct or
not. I don't use any value which I retrieve from LDAP.
So with my code modification (see first mail) I'm able to log in any user who
is known by the LDAP.

I tried in other attempts to make something similar to what you do in your
extra code. But for my need it's not necessary.

What I could do with additional information retrieved from LDAP is to update
the GeoNetwork user information.

Cheers
Hans

--
View this message in context: http://n2.nabble.com/LDAP-config-tp3421426p3508615.html