LDAP - Alias Domain

LDAP - Alias Domain

Raymond Norton
I am trying to get LDAP authentication set up on 2.1, on CentOS 6.5.


I am working with a FQDN, e.g. school.k12.mn.us. However, their local AD
domain is schoolsrhigh. I believe I have everything set up for the
proper DN + %n for the template. However, I get "invalid user" when
attempting to log in via [hidden email] or user@schoolsrhigh. I
attempted to set up an alias domain of schoolsrhigh, but Baruwa did not
like the syntax.


Ideas?

--
Raymond Norton
LCTN
952.955.7766


_______________________________________________
http://pledgie.com/campaigns/12056
Reply | Threaded
Open this post in threaded view
|

Re: LDAP - Alias Domain

jeremymcs
Your FQDN would be school.k12.mn.us; the NetBIOS name isn't needed. What does your URI/DN/SEARCH look like?

Are the users set up to use user@fqdn as an alternate login?

--
Jeremy McSpadden
Flux Labs | http://www.fluxlabs.net | Endless Solutions
Office : 850-250-5590x501 | Cell : 850-890-2543 | Fax : 850-254-2955

Re: LDAP - Alias Domain

Raymond Norton
DC=schoolsrhigh,DC=school,DC=k12,DC=mn,DC=us

I don't have anything in the search filter

Users currently log in to desktops via schoolsrhigh/user, but cannot log in as [hidden email]

Re: LDAP - Alias Domain

Andrew Colin Kissa
Administrator

On 29 Sep 2014, at 3:50 PM, Raymond Norton <[hidden email]> wrote:

> Users currently log in to desktops via schoolsrhigh/user, but cannot log in as [hidden email]

Have you tested that your settings are correct using ldapsearch?


--
Baruwa - www.baruwa.org
Re: LDAP - Alias Domain

Raymond Norton
I've used JXplorer and can connect with the given DN.

Re: LDAP - Alias Domain

Raymond Norton
However, I use the following format to login:

Raymond@schoolsrhigh


Re: LDAP - Alias Domain

Andrew Colin Kissa
Administrator

On 29 Sep 2014, at 4:12 PM, Raymond Norton <[hidden email]> wrote:

> I've used JXplorer and can connect with the given DN.

Are you able to search for a user using the attribute you have provided in the
interface?

Also, if your AD has referrals in it, then it will not work in the community edition.

- Andrew


Re: LDAP - Alias Domain

Andrew Colin Kissa
Administrator

The username is in the sAMAccountName in AD, and only has the
user part, so you need to select split domain and only Raymond
will be passed to the LDAP server.

On 29 Sep 2014, at 4:13 PM, Raymond Norton <[hidden email]> wrote:

> However, I use the following format to login:
>
> Raymond@schoolsrhigh


Re: LDAP - Alias Domain

Raymond Norton
Hmmm. If I simply log in as raymond, how will Baruwa know to search the proper domain via LDAP?


Re: LDAP - Alias Domain

Andrew Colin Kissa
Administrator

Please read my response properly; you still have to log in as raymond@domain.

On 29 Sep 2014, at 5:10 PM, Raymond Norton <[hidden email]> wrote:

> Hmmm. If I simply log in as raymond, how will Baruwa know to search the proper domain via LDAP?


Re: LDAP - Alias Domain

Raymond Norton
I did have split selected. Is %n the proper template?


Re: LDAP - Alias Domain

Andrew Colin Kissa
Administrator

Proper in what context? %n gets replaced with user@domain wherever you use it.

On 29 Sep 2014, at 6:03 PM, Raymond Norton <[hidden email]> wrote:

> I did have split selected. Is %n the proper template?


Re: LDAP - Alias Domain

Raymond Norton
I can successfully do an ldapsearch with the following:


ldapsearch -D "schoolsrhigh\Raymond" -W -h publicIP -b "dc=schoolsrhigh,dc=school,dc=k12,dc=mn,dc=us" -s sub "(objectclass=*)"



Baruwa LDAP settings for domain:


base DN: DC=schoolsrhigh,DC=school,DC=k12,DC=MN,DC=us
Username attribute: uid
Email attribute: mail
Bind DN: schoolsrhigh\Raymond
Bind password: password


Logins attempted (none work)
schoolsrhigh\Raymond
[hidden email]
[hidden email]

JXplorer does not show uid as populated, so I'm not sure what to use in the
Username attribute.

Working with the school, they indicate that users cannot log in to
desktops as [hidden email].

Does this mean we need to add a UPN in AD for them?

Any advice appreciated.

Re: LDAP - Alias Domain

Andrew Colin Kissa
Administrator

On 30 Sep 2014, at 3:59 PM, Raymond Norton <[hidden email]> wrote:

> Any advice appreciated.

What directory is it? Can you provide a redacted entry from this directory?


Re: LDAP - Alias Domain

Raymond Norton
Are you asking if it's Open or AD? It's AD.

I am assuming you want the redacted results of an ldapsearch of my test account?


Re: LDAP - Alias Domain

Andrew Colin Kissa
Administrator

On 30 Sep 2014, at 5:07 PM, Raymond Norton <[hidden email]> wrote:

> Are you asking if its Open or AD? It's AD.

If it is AD, this is wrong: "Username attribute: uid". It has to be sAMAccountName.


Re: LDAP - Alias Domain

Raymond Norton
Thanks, changed to sAMAccountName.

Still not working. Not sure what to use for a template or filter.

Here is a redacted search on the user I am testing with:


# extended LDIF
#
# LDAPv3
# base <dc=schoolsrhigh,dc=school,dc=k12,dc=mn,dc=us> with scope subtree
# filter: (cn=Raymond_LCTN)
# requesting: ALL
#

# Raymond_LCTN, computer techs, Accounts, schoolsrhigh.school.k12.mn.us
dn: CN=Raymond_LCTN,OU=computer techs,OU=Accounts,DC=schoolsrhigh,DC=school,
  DC=k12,DC=mn,DC=us
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Raymond_LCTN
sn: LCTN
givenName: Raymond
distinguishedName: CN=Raymond_LCTN,OU=computer techs,OU=Accounts,DC=schoolsrh
  igh,DC=school,DC=k12,DC=mn,DC=us
instanceType: 4
whenCreated: 20140915202746.0Z
whenChanged: 20140925203418.0Z
displayName: Raymond_LCTN
uSNCreated: 76384232
uSNChanged: 76945081
department: tech
company: LCTN
homeMTA: CN=Microsoft MTA,CN=EXCHANGE1,CN=Servers,CN=Exchange Administrative G
  roup (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=school Public Schools,CN=
  Microsoft Exchange,CN=Services,CN=Configuration,DC=schoolsrhigh,DC=school,D
  C=k12,DC=mn,DC=us
proxyAddresses: smtp:Raymond@local
proxyAddresses: X400:C=US;A= ;P=school Public S;O=Exchange;S=LCTN;G=Raymond;
proxyAddresses: SMTP:[hidden email]
homeMDB: CN=Mailbox Database 0492601172,CN=Databases,CN=Exchange Administrativ
  e Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=school Public Schools,
  CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=schoolsrhigh,DC=willma
  r,DC=k12,DC=mn,DC=us
mDBUseDefaults: TRUE
mailNickname: Raymond
name: Raymond_LCTN
objectGUID:: Z/CMFj9wMEGS26jaKnY/kQ==
userAccountControl: 512
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 130564669279159579
lastLogoff: 0
lastLogon: 130561510451295391
pwdLastSet: 130561506928123228
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAAUqrIaPGzEnEH5Tsr8IkAAA==
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: Raymond
sAMAccountType: 805306368
showInAddressBook: CN=All Users,CN=All Address Lists,CN=Address Lists Containe
  r,CN=school Public Schools,CN=Microsoft Exchange,CN=Services,CN=Configuratio
  n,DC=schoolsrhigh,DC=school,DC=k12,DC=mn,DC=us
showInAddressBook: CN=Default Global Address List,CN=All Global Address Lists,
  CN=Address Lists Container,CN=school Public Schools,CN=Microsoft Exchange,CN
  =Services,CN=Configuration,DC=schoolsrhigh,DC=school,DC=k12,DC=mn,DC=us
legacyExchangeDN: /o=school Public Schools/ou=Exchange Administrative Group (
  FYDIBOHF23SPDLT)/cn=Recipients/cn=Raymond_LCTN
userPrincipalName: [hidden email]
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=schoolsrhigh,DC=willm
  ar,DC=k12,DC=mn,DC=us
dSCorePropagationData: 20140915202747.0Z
dSCorePropagationData: 16010101000000.0Z
lastLogonTimestamp: 130561508562241603
textEncodedORAddress: X400:C=US;A= ;P=school Public S;O=Exchange;S=LCTN;G=Ray
  mond;
mail: [hidden email]
msExchHomeServerName: /o=school Public Schools/ou=Exchange Administrative Gro
  up (FYDIBOHF23SPDLT)/cn=Configuration/cn=Servers/cn=EXCHANGE1
msExchMailboxSecurityDescriptor:: AQAEgBQAAAAgAAAAAAAAACwAAAABAQAAAAAABQoAAAAB
  AQAAAAAABQoAAAAEABwAAQAAAAACFAABAAIAAQEAAAAAAAUKAAAA
msExchUserAccountControl: 0
msExchMailboxGuid:: UmizfvaTfkSy70zRU7kt2g==
msExchPoliciesIncluded: 4e21c66f-ec4d-498e-a9ee-7f3b07e1b4d5
msExchPoliciesIncluded: {26491cfc-9e50-4857-861b-0cb8df22b5d7}
msExchVersion: 44220983382016
msExchRecipientDisplayType: 1073741824
msExchRBACPolicyLink: CN=Default Role Assignment Policy,CN=Policies,CN=RBAC,CN
  =school Public Schools,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC
  =schoolsrhigh,DC=school,DC=k12,DC=mn,DC=us
msExchRecipientTypeDetails: 1
msExchUMDtmfMap: emailAddress:7296663
msExchUMDtmfMap: lastNameFirstName:52867296663
msExchUMDtmfMap: firstNameLastName:72966635286

# search reference
ref: ldap://DomainDnsZones.schoolsrhigh.school.k12.mn.us/DC=DomainDnsZones,D
  C=schoolsrhigh,DC=school,DC=k12,DC=mn,DC=us

# search reference
ref: ldap://ForestDnsZones.schoolsrhigh.school.k12.mn.us/DC=ForestDnsZones,D
  C=schoolsrhigh,DC=school,DC=k12,DC=mn,DC=us

# search reference
ref: ldap://schoolsrhigh.school.k12.mn.us/CN=Configuration,DC=schoolsrhigh,
  DC=school,DC=k12,DC=mn,DC=us

# search result
search: 2
result: 0 Success

# numResponses: 5
# numEntries: 1
# numReferences: 3



Re: LDAP - Alias Domain

Andrew Colin Kissa
Administrator

On 30 Sep 2014, at 6:52 PM, Raymond Norton <[hidden email]> wrote:

> # search reference
> ref: ldap://DomainDnsZones.schoolsrhigh.school.k12.mn.us/DC=DomainDnsZones,D
> C=schoolsrhigh,DC=school,DC=k12,DC=mn,DC=us
>
> # search reference
> ref: ldap://ForestDnsZones.schoolsrhigh.school.k12.mn.us/DC=ForestDnsZones,D
> C=schoolsrhigh,DC=school,DC=k12,DC=mn,DC=us
>
> # search reference
> ref: ldap://schoolsrhigh.school.k12.mn.us/CN=Configuration,DC=schoolsrhigh,
> DC=school,DC=k12,DC=mn,DC=us
The community edition cannot work with referrals.




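To make the advice in this thread concrete (send only the user part of user@domain to AD, match it against sAMAccountName rather than uid, and notice when ldapsearch returns referrals), here is an added Python pre-flight check; it is not Baruwa's code and does not touch the network. It parses a constructed LDIF sample modelled on the redacted entry above; the function names and the sample values (the raymond@... UPN) are assumptions, not taken from the project.

```python
import re
# Constructed sample modelled on the thread's redacted AD entry and one of
# its "search reference" lines, folded (newline + one space) as LDIF does.
SAMPLE_LDIF = """\
dn: CN=Raymond_LCTN,OU=computer techs,OU=Accounts,DC=schoolsrhigh,DC=school,
 DC=k12,DC=mn,DC=us
sAMAccountName: Raymond
userPrincipalName: raymond@schoolsrhigh.school.k12.mn.us
# search reference
ref: ldap://DomainDnsZones.schoolsrhigh.school.k12.mn.us/DC=DomainDnsZones,D
 C=schoolsrhigh,DC=school,DC=k12,DC=mn,DC=us
"""

def split_login(login):
    # "Split domain" rule: only the user part of user@domain (or of the
    # desktop form DOMAIN\user) is sent to the LDAP server.
    if "@" in login:
        return login.split("@", 1)[0]
    return login.rsplit("\\", 1)[-1]

def escape_filter(value):
    # RFC 4515 escaping so a typed login name cannot alter the search filter.
    return re.sub(r"[\\*()\x00]", lambda m: "\\%02x" % ord(m.group()), value)

def build_filter(attr, login):
    return "(%s=%s)" % (attr, escape_filter(split_login(login)))

def parse_ldif(text):
    # Unfold continuation lines, skip comments, collect entries and referrals.
    entries, refs, cur = [], [], None
    for line in text.replace("\n ", "").splitlines():
        if not line or line.startswith("#"):
            continue
        key, _, val = line.partition(":")
        val = val.lstrip()
        if key == "dn":
            cur = {"dn": [val]}
            entries.append(cur)
        elif key == "ref":
            refs.append(val)
        elif cur is not None:
            cur.setdefault(key, []).append(val)
    return entries, refs

def preflight(ldif_text, attr, login):
    # Does attr hold the login's user part, and did AD return referrals (unsupported in CE)?
    entries, refs = parse_ldif(ldif_text)
    want = split_login(login).lower()
    hits = [e for e in entries if want in [v.lower() for v in e.get(attr, [])]]
    return {"filter": build_filter(attr, login), "matched": len(hits), "referrals": refs}
```

Run it over the real ldapsearch output instead of SAMPLE_LDIF to see whether the configured attribute actually matches and whether the "ref:" lines that the community edition cannot follow are present.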