
Re: [sympa-users] Can't authenticate to Windows Active Directory

Subject: The mailing list for listmasters using Sympa

  • From: Hanno van den Boogaard <address@concealed>
  • To: "Jahnke-Zumbusch, Dirk" <address@concealed>
  • Cc: "address@concealed" <address@concealed>
  • Subject: Re: [sympa-users] Can't authenticate to Windows Active Directory
  • Date: Mon, 19 Feb 2018 08:55:33 +0000

Hi Dirk,

in our DEV environment,

ldapsearch -x -h host-01.de.domain.com -p 389 -D "address@concealed" -W -b "cn=Users,dc=de,dc=domain,dc=com" -s sub "(cn=*)" cn mail sn

and other applications using LDAP are working with LDAP on port 389.
I realize that for a live environment, ldaps is preferable.
I don't think that's a connection problem.

Steve Shipway's workaround with include_ldap_2level_query to use Active
Directory for Sympa Data Sources makes me wonder if the current auth.conf
ldap paragraph can be used for login against Active Directory at all.
Is there anyone here who uses Active Directory for Sympa login?

Kind Regards,
Hanno


On 16.02.18, 17:12, "Jahnke-Zumbusch, Dirk"
<address@concealed> wrote:

Hi Hanno,

I am astonished about port 389 in conjunction with AD
and would expect 3268 (ldap) or better 3269 (ldaps)
instead.

When I used Linux and AD (not with SYMPA), I had
either /etc/openldap/ldap.conf or $HOME/.ldaprc
like this:

BASE dc=my, dc=example, dc=com
URI ldaps://my.example.com
TLS_CACERTDIR /etc/pki/tls/certs
TLS_REQCERT never

Obviously I did not want to check certificate validity and
set coordinates for AD.

Perhaps testing connection with AD using ldapsearch helps:

ldapsearch -x -H ldaps://adc.my.example.com:3269 \
-W -D 'cn=ACCOUNTNAME,ou=my,ou=sub,ou=orgunit,dc=my,dc=example,dc=com' \
'(mail=hanno*)'

Here I used port 3269 (ldaps) and the bind DN could get lengthy.

I would guess using AD w/o bind to extract data is not allowed
and also binding over non-TLS transport may be forbidden.

My 2c, hope they help
Dirk

----- On 16 Feb, 2018, at 16:37, Hanno van den Boogaard
address@concealed wrote:

> Hi Soji,
>
> I tried both. Even without bind user and password.
>
> I can connect with the ldapsearch Linux tool from my Sympa server to the
> Active Directory LDAP server.
>
> I think the Active Directory connect works differently. Also found the
> following in the documentation. I don't think that will help me with the
> auth.conf:
>
> https://www.sympa.org/manual/ldap
>
> Active Directory having quite a specific functioning, Steve Shipway found
> a way to make it work with Sympa. Here are his guidelines to achieve this
> goal.
>
> First, create a service account in your LDAP so that Sympa can connect.
> This only needs read-only access.
>
> You need to use a 2level query, since AD stores DNs against group
> membership. Also, note that if using a .incl file to define external list
> admins, you cannot pass a full DN as a parameter as it contains commas
> (I've logged a bug report for this).
>
> Kind Regards,
>
> Hanno
>
> Hanno van den Boogaard
>
> System Administration
>
> address@concealed

> From: Soji Ikeda <address@concealed>
> Date: Friday, 16 February 2018 at 03:37
> To: Hanno van den Boogaard <address@concealed>
> Cc: "address@concealed" <address@concealed>
> Subject: Re: [sympa-users] Can't authenticate to Windows Active Directory

> Hi,

> On 2018/02/16 0:22, Hanno van den Boogaard <address@concealed> wrote:

>> Hello Listmasters,

>> I am new to Sympa and I try to authenticate against our Windows Active
>> Directory using the ldap paragraph in the auth.conf without success.

>> The sympa error log shows:

>> Feb 15 15:35:52 DECGN-MLM01 wwsympa[1288]: err main::#1608 >
>> main::do_renewpasswd#4265 > main::is_ldap_user#3988 >
>> Sympa::Database::connect#154 > (eval)#154 >
>> Sympa::DatabaseDriver::LDAP::_connect#162 Failed to bind to LDAP server
>> ldap://xyz.de.abcd.com:389: (49) 80090308: LdapErr: DSID-0C090400,
>> comment: AcceptSecurityContext error, data 52e, v1db1

>> My auth conf:

>> ldap
>>     host xyz.de.abcd.com:389
>>     timeout 10
>>     bind_dn cn=ReaderUser,ou=Users,dc=de,dc=abcd,dc=com
>>     bind_password xxxyyyy
>>     suffix dc=de,dc=abcd,dc=com
>>     get_dn_by_uid_filter (uid=[sender])
>>     get_dn_by_email_filter (|(mail=[sender])(mailalternateaddress=[sender]))
>>     email_attribute mail
>>     scope sub
>>
>> user_table
>>     regexp .*

>> Bind password and DN should be OK.

>> Are there special configs or sample configs for using Windows Active
>> Directory and auth.conf?

> Result code 49 indicates "Invalid credential". Bind DN or bind password
> seems incorrect.

> I don't know the details but, with Active Directory LDAP profile, bind DN
> can be in the form "user@domain" or "domain\user".

> Regards,

> — Soji

>> Local authentication is working.

>> Kind Regards,

>> Hanno

>> Hanno van den Boogaard

>> System Administration

>> [ mailto:address@concealed | address@concealed ]

--
Dirk Jahnke-Zumbusch Deutsches Elektronen-Synchrotron DESY
IT Information Fabrics Member of the Helmholtz Association
D-22603 Hamburg Notkestrasse 85 / 22607 Hamburg

Attachment: smime.p7s
Description: S/MIME cryptographic signature
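The error line quoted in this thread carries more than "result 49": the AD "data 52e" sub-code names the reason for the bind rejection, and the ldap:// scheme in the URL shows the bind password travelled unencrypted, which is the point Dirk raises. The following diagnostic is an example added here, not code from this thread or from Sympa: it parses a wwsympa bind-failure line, maps the AD sub-code to its meaning, and flags a cleartext bind. The sub-code table beyond 52e is the well-known AD list (not quoted in the thread), and the sample log line is the one from above, abridged and constructed for the test.

```python
import re
from typing import Dict, Optional

# AD sub-codes that accompany LDAP result 49 (invalidCredentials) in the
# "AcceptSecurityContext error, data NNN" diagnostic; 52e is the one in the log above.
AD_BIND_SUBCODES = {
    "525": "user not found", "52e": "invalid credentials",
    "530": "not permitted to logon at this time", "531": "not permitted at this workstation",
    "532": "password expired", "533": "account disabled", "701": "account expired",
    "773": "user must reset password", "775": "account locked out",
}

# Tail of the wwsympa log line; the AD diagnostic part is optional so the same
# parser also handles a bare "(49)" from a non-AD server.
BIND_FAIL_RE = re.compile(
    r"Failed to bind to LDAP server (?P<url>\S+): \((?P<code>\d+)\)"
    r"(?: [0-9A-Fa-f]{8}: LdapErr: DSID-[0-9A-Fa-f]+, comment: .*?, "
    r"data (?P<data>[0-9a-f]+), v[0-9a-f]+)?"
)

def diagnose_bind_failure(log_line: str) -> Optional[Dict[str, object]]:
    """Return a structured reading of a Sympa LDAP bind failure, or None if absent."""
    m = BIND_FAIL_RE.search(log_line)
    if not m:
        return None
    url, code, data = m.group("url"), int(m.group("code")), m.group("data")
    if code == 49:
        meaning = "invalidCredentials"
        if data:
            meaning += ": " + AD_BIND_SUBCODES.get(data, "unknown AD sub-code " + data)
    else:
        meaning = "LDAP result code %d" % code
    notes = []
    if url.lower().startswith("ldap://"):
        notes.append("simple bind over ldap:// sends the bind password in clear text; "
                     "use ldaps:// (AD: 636, or 3269 for the global catalog)")
    if data == "52e":
        notes.append("AD also accepts the bind identity as user@domain or DOMAIN\\user")
    return {"url": url, "code": code, "data": data, "meaning": meaning, "notes": notes}

# Constructed sample: the wwsympa line quoted in this thread, abridged and re-joined.
SAMPLE_LOG = ("Feb 15 15:35:52 DECGN-MLM01 wwsympa[1288]: err main::#1608 > "
              "Sympa::DatabaseDriver::LDAP::_connect#162 Failed to bind to LDAP server "
              "ldap://xyz.de.abcd.com:389: (49) 80090308: LdapErr: DSID-0C090400, "
              "comment: AcceptSecurityContext error, data 52e, v1db1")

if __name__ == "__main__":
    print(diagnose_bind_failure(SAMPLE_LOG))
```

Run it over the wwsympa log (for example by piping `grep 'Failed to bind'` output through it) to separate credential problems from policy ones such as a locked or expired account before changing auth.conf.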



