SoftInstigate / restheart

Rapid API Development with MongoDB
https://restheart.org
GNU Affero General Public License v3.0

Unable to connect to LDAP (RESTHeart 3.2.0-beta-1, Docker) #253

Closed svscorp closed 6 years ago

svscorp commented 7 years ago

I looked at ADIdentityManager.java and it seems that it accepts only a domain name in principalNameSuffix. I am not sure whether it considers users in (ou=people)?

For some reason, I'm not able to connect to LDAP, following the documentation. Using OpenLDAP. RESTHeart is behind a reverse proxy. What did I miss?

Error:

04:58:34.281 [XNIO-1 task-3] INFO  o.r.handlers.RequestLoggerHandler - GET https://domain.com/restheart/ from /xx.xx.xx.xx:51382 => status=401 elapsed=15ms contentLength=0
04:58:44.778 [XNIO-1 task-4] WARN  o.r.security.impl.ADIdentityManager - Failed to authenticate admin@company.adop.com
04:58:44.787 [XNIO-1 task-4] ERROR o.r.security.impl.ADIdentityManager - Failed to connect to any specified DC with any user/suffix combination
04:58:44.788 [XNIO-1 task-4] ERROR o.r.security.impl.ADIdentityManager - Failed to connect to any specified DC with any user/suffix combination
javax.naming.NamingException: Failed to connect to any specified DC with any user/suffix combination

Security:

## Config for AD Identity Manager
adim:
   - domainControllers: ldap://ldap:389
     principalNameSuffixes: company.ldap.com

Restheart:

## Config for AD Identity Manager
adim:
   - domainControllers: ldap://ldap:389
     principalNameSuffixes: company.ldap.com

Permissions

permissions:
# Users with LDAP group 'administrators' can do anything
    - role: administrators
      predicate: path-prefix[path="/"]

Strange, but in "_metrics" it shows v.3.0.0 - is it normal?

{
  "version" : "3.0.0",
  "gauges" : { },
  "counters" : { },
  "histograms" : { },
  "meters" : { },
  ...
}
mkjsix commented 7 years ago

Hi @svscorp

As far as I can remember the ADIdentityManager was an external contribution from a developer with the specific need to connect to Microsoft Active Directory, which I don't know whether it is 100% LDAP compliant or not. My guess is that we'd need a new LdapIdentityManager class specifically tested against generic LDAP implementations, but we lack the knowledge and the need on our side. Do you mind trying to create such a class, maybe modifying that AD implementation, and providing tests for it?

svscorp commented 7 years ago

Hi @mkjsix

Got it. It doesn't look LDAP compliant, because it should authenticate using a DN and an attribute. Usually it's "uid" (and the implementation should for sure allow configuring which attribute is used).

I don't mind contributing, but I have zero capacity to do this as I'm in charge of a project go-live. The last few weeks I was actively submitting changes to various repositories, but the next few weeks/month are busy 400%. I was researching plugging RESTHeart + Mongo into the project landscape, but LDAP didn't work, so it will probably be taken out :\

Do you think there is a chance RESTHeart team can implement it?
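
The search-then-bind flow this comment describes, as an added stand-alone illustration: it is not RESTHeart's ADIdentityManager and not code from either participant. It contrasts the AD-style "login@suffix" bind that the adim config above produces with a generic LDAP login that resolves the user by a configurable attribute (here "uid") under a base DN and then binds with the DN it finds. An in-memory directory stands in for OpenLDAP so the code runs offline; the base DN ou=people,dc=company,dc=ldap,dc=com is assumed from the issue, and the entries and passwords are constructed.

```python
"""Search-then-bind login against a generic LDAP directory (added illustration).

Constructed stand-alone example, not RESTHeart's ADIdentityManager. It contrasts
the two ways of turning a login name into a bind identity:
  - AD style: append a principal name suffix -> "admin@company.ldap.com"
  - generic LDAP style: look the user up by a configurable attribute (here "uid")
    under a base DN, then bind with the DN the search returns.
An in-memory directory stands in for OpenLDAP so the example runs offline. The
base DN is assumed from the issue; entries and passwords are constructed.
"""
import re
from dataclasses import dataclass

# RFC 4515: these characters have meaning inside a search filter. A login name is
# user input, so escaping it keeps "*" or ")(" from widening or rewriting the filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_filter(attribute: str, login: str) -> str:
    return f"({attribute}={escape_filter_value(login)})"


@dataclass
class Entry:
    dn: str
    attrs: dict
    password: str  # a real server stores a hash; plain text only for this stand-in


class FakeDirectory:
    """Minimal stand-in: equality filters with "*" wildcards, simple bind by DN."""

    def __init__(self, entries):
        self._entries = entries

    @staticmethod
    def _value_to_regex(raw: str):
        # Turn the filter's assertion value back into a matcher: an unescaped "*"
        # is a wildcard, "\xx" is a literal character, everything else is literal.
        pattern, i = "", 0
        while i < len(raw):
            if raw[i] == "\\" and i + 2 < len(raw):
                pattern += re.escape(chr(int(raw[i + 1:i + 3], 16)))
                i += 3
            elif raw[i] == "*":
                pattern += ".*"
                i += 1
            else:
                pattern += re.escape(raw[i])
                i += 1
        return re.compile(f"^{pattern}$")

    def search(self, base_dn: str, ldap_filter: str) -> list:
        m = re.fullmatch(r"\((\w+)=(.*)\)", ldap_filter)
        if not m:
            raise ValueError(f"unsupported filter: {ldap_filter}")
        attribute, matcher = m.group(1), self._value_to_regex(m.group(2))
        return [e for e in self._entries
                if e.dn.lower().endswith(base_dn.lower())
                and matcher.match(e.attrs.get(attribute, ""))]

    def bind(self, name: str, password: str) -> bool:
        # OpenLDAP simple bind expects a DN; an AD-style "user@suffix" is not one here.
        for e in self._entries:
            if e.dn.lower() == name.lower():
                return e.password == password
        return False


def ad_style_authenticate(directory, login, password, suffixes) -> bool:
    """What the adim config in the issue does: bind as login@suffix for each suffix."""
    return any(directory.bind(f"{login}@{suffix}", password) for suffix in suffixes)


def ldap_authenticate(directory, login, password,
                      base_dn="ou=people,dc=company,dc=ldap,dc=com",
                      attribute="uid") -> bool:
    """Search-then-bind: resolve the login to exactly one DN, then bind with it."""
    # An empty password would be an unauthenticated (anonymous) bind and "succeed"
    # on many servers without proving anything, so refuse it up front.
    if not login or not password:
        return False
    matches = directory.search(base_dn, build_filter(attribute, login))
    if len(matches) != 1:  # unknown user, or ambiguous result: do not guess
        return False
    return directory.bind(matches[0].dn, password)


BASE_DN = "ou=people,dc=company,dc=ldap,dc=com"
DIRECTORY = FakeDirectory([  # constructed sample entries
    Entry(f"uid=admin,{BASE_DN}", {"uid": "admin", "cn": "Admin"}, "constructed-pw-1"),
    Entry(f"uid=alice,{BASE_DN}", {"uid": "alice", "cn": "Alice"}, "constructed-pw-2"),
])

if __name__ == "__main__":
    print(ad_style_authenticate(DIRECTORY, "admin", "constructed-pw-1", ["company.ldap.com"]))  # False
    print(ldap_authenticate(DIRECTORY, "admin", "constructed-pw-1"))  # True
```

The first call reproduces the failure mode in the issue's log (no user/suffix combination binds, because the directory only knows DNs); the second succeeds because the login is first mapped to uid=admin,ou=people,... and the bind uses that DN. Escaping the login before it enters the filter is what keeps a login such as "*" from matching every entry.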

mkjsix commented 7 years ago

Sorry, we are unfortunately in the same conditions at the moment: we're fully busy delivering a project and not able to look into this for at least a couple of weeks.

svscorp commented 6 years ago

Hi @mkjsix Is there any chance you can have a look into the ldap enhancement?

mkjsix commented 6 years ago

Hi @svscorp, the problem here is that we don't have any LDAP instance to test with. Sorry, but we contribute to the project following our own internal requirements or our customers'; at present we don't have either regarding LDAP. I just hoped that somebody else in the community could have the expertise and interest to open a PR, no success so far.

svscorp commented 6 years ago

Hi @mkjsix, I understand the point about the priorities - no problem. I have an LDAP instance though :)