Open shukalo83 opened 4 years ago
mlbiam
commented
4 years ago Are you trying to use apache directory studio or another gui? It looks like its search for cn=schema. You'll need to either proxy the apacheds' cn=schema or use the net.sourceforge.myvd.inserts.SchemaInsert to host a local schema (see https://portal.apps.tremolo.io/docs/tremolosecurity-docs/myvd/1.0.8/myvd.html)
shukalo83
commented
4 years ago I'm using apache dir studio. By the way I'm trying direct search with ldap search and I have also this error:
[admin@kc ~]$ ldapsearch -H ldap://localhost:10983 -b 'dc=portal,dc=com' -s sub 'uid=user.id@group.com'
ldap_sasl_interactive_bind_s: No such attribute (16)
[admin@kc ~]$ ldapsearch -H ldap://localhost:10983 -s sub 'uid=user.id@group.com'
ldap_sasl_interactive_bind_s: No such attribute (16)I would like just to proxy schema but I don't know what's happening later, when I add AD intergration. Can I route per userid?
For instance if user.id@internal.com, then go to AD and authenticate there.
So minimum config should be on myVD. Non technical users will administer users via apacheDS and MD AD tool.
I've read user manual pretty carefully but somewhat lost. It introduces concepts but I failed to grasp what's happening with the insert when you have two separate schemas.
shukalo83
commented
4 years ago I have to bump this. Still no luck with the config. I need to connect keycloak server to a myvirtual directory. MyVD is in front of ApacheDS and AD.
server.listener.port=10983
#Configure global chains
server.globalChain=LogAllTransactions
server.globalChain.LogAllTransactions.className=net.sourceforge.myvd.inserts.DumpTransaction
server.globalChain.LogAllTransactions.config.logLevel=info
server.globalChain.LogAllTransactions.config.label=Global
server.nameSpaces=ApacheDS,AD
server.ApacheDS.chain=dnMapper,ldap
server.ApacheDS.nameSpace=dc=geoportal,dc=com
server.ApacheDS.weight=10
server.ApacheDS.ldap.className=net.sourceforge.myvd.inserts.ldap.LDAPInterceptor
server.ApacheDS.ldap.config.type=LDAP
server.ApacheDS.ldap.config.host=localhost
server.ApacheDS.ldap.config.port=10389
server.ApacheDS.ldap.config.remoteBase=o=company
server.ApacheDS.ldap.config.proxyDN=uid=user.id@company.com,ou=users,o=company
server.ApacheDS.ldap.config.proxyPass=password
server.ApacheDS.dnMapper.className=net.sourceforge.myvd.inserts.mapping.DNAttributeMapper
server.ApacheDS.dnMapper.config.dnAttribs=member
server.ApacheDS.dnMapper.config.remoteBase=o=company
server.ApacheDS.dnMapper.config.localBase=dc=portal,dc=com
server.AD.nameSpace=dc=portal,dc=com
server.AD.weight=100
server.AD.chain=uidMapper,dnMapper,ldap
server.AD.ldap.className=net.sourceforge.myvd.inserts.ldap.LDAPInterceptor
server.AD.ldap.config.host=192.168.0.2
server.AD.ldap.config.port=389
server.AD.ldap.config.remoteBase=dc=portal,dc=local
server.AD.ldap.config.proxyDN=uid=administrator,ou=people,dc=portal,dc=local ???
server.AD.ldap.config.proxyPass=passw
server.AD.dnMapper.className=net.sourceforge.myvd.inserts.mapping.DNAttributeMapper
server.AD.dnMapper.config.dnAttribs=member
server.AD.dnMapper.config.remoteBase=dc=portal,dc=local
server.AD.dnMapper.config.localBase=dc=portal,dc=com
server.AD.uidMapper.className=net.sourceforge.myvd.inserts.mapping.AttributeMapper
server.AD.uidMapper.config.mapping=sAMAccountName=uidSorry for the delay
ldap_sasl_interactive_bind_s: No such attribute (16)
MyVD doesn't support SASL. Use the -x in ldapsearch to do a simple bind
Can I route per userid?
Sort of. MyVD has several routing plugins you can use. Look for RouteByAttributeValue in the MyVD docs (https://portal.apps.tremolo.io/docs/tremolosecurity-docs/myvd/1.0.9/myvd.html). You would setup a route for domains either in an email address or userPrincipalName.
Looking at your configuration, the only potential issue I see if you're mapping a remote base (the base of the remote directory) of o=company to the local base (in MyVD) to dc=portal,dc=com in the dc=geoportal,dc=com namespace. Is that what you intended?
shukalo83
commented
4 years ago Thank you @mlbiam. When I disable AD namespace everything is OK and ldapsearch is working correctly. With AD namespace enabled I've got java exception with 'Invalid credentials'. I presume myvd cannot connect to AD but I'm able to do a search on AD like this:
ldapsearch -H ldap://192.168.0.2:389 -x -W -D "administrator@portal.local" -b "dc=portal,dc=local" "(sAMAccountName=administrator)"server.AD.nameSpace=dc=portal,dc=com
server.AD.weight=100
server.AD.chain=uidMapper,dnMapper,ldap
server.AD.ldap.className=net.sourceforge.myvd.inserts.ldap.LDAPInterceptor
server.AD.ldap.config.host=192.168.0.2
server.AD.ldap.config.port=389
server.AD.ldap.config.remoteBase=dc=portal,dc=local
server.AD.ldap.config.proxyDN=uid=administrator@portal.local
server.AD.ldap.config.proxyPass=password
server.AD.dnMapper.className=net.sourceforge.myvd.inserts.mapping.DNAttributeMapper
server.AD.dnMapper.config.dnAttribs=member
server.AD.dnMapper.config.remoteBase=dc=portal,dc=local
server.AD.dnMapper.config.localBase=dc=portal,dc=com
server.AD.uidMapper.className=net.sourceforge.myvd.inserts.mapping.AttributeMapper
server.AD.uidMapper.config.mapping=sAMAccountName=uidTried with this also:
server.AD.ldap.config.proxyDN=CN=Administrator,CN=Users,DC=portal,DC=local
Still everytime I get this:
[admin@kc bin]$ ldapsearch -H ldap://localhost:10983 -x -b 'dc=portal,dc=com' -s sub 'uid=administrator@portal.local'
# extended LDIF
#
# LDAPv3
# base <dc=portal,dc=com> with scope subtree
# filter: uid=administrator@portal.local
# requesting: ALL
#
# search result
search: 2
result: 49 Invalid credentials
text: INVALID_CREDENTIALS: failed for MessageType : SEARCH_REQUEST
Message ID :
2
SearchRequest
baseDn : 'dc=portal,dc=com'
filter : '
(uid=administrator@portal.local)'
scope : whole subtree
typ
esOnly : false
Size Limit : no limit
Time Limit : no limit
Deref Aliases : never Deref Aliases
attributes :
org.apache.dire
ctory.api.ldap.model.message.SearchRequestImpl@ec7dd1d7: Invalid Credentials:
...
I'm running out of ideas now.
mlbiam
commented
4 years ago server.AD.ldap.config.proxyDN doesn't look like a full distinguished name. The setting needs to be the service account's full distinguished name.
shukalo83
commented
4 years ago I've added this and it works now:
server.AD.ldap.config.ignoreRefs=true
server.AD.ldap.config.passBindOnly=false
server.AD.ldap.config.maxIdle=300000
server.AD.ldap.config.maxMillis=30000
server.AD.ldap.config.maxStaleTimeMillis=10000
server.AD.ldap.config.minimumConnections=10What's interesting is that I still can't query AD with uid= but it accepts the cn= format:
[admin@kc ~]$ ldapsearch -H ldap://localhost:10983 -x -b 'dc=portal,dc=com' -s sub 'uid=user.id@external.com'
# extended LDIF
#
# LDAPv3
# base <dc=portal,dc=com> with scope subtree
# filter: uid=user.id@external.com
# requesting: ALL
#
# user.id@external.com, users, portal.com
dn: uid=user.id@external.com,ou=users,dc=portal,dc=com
uid: user.id@external.com
mail: user.id@external.com
displayName:: Qm9qYW4gxaB1a2Fsbw==
sn:: xaB1a2Fsbw==
cn: User
objectclass: top
objectclass: inetOrgPerson
objectclass: person
objectclass: organizationalPerson
userPassword:: e1NIQTI1Nn03TmNZY05HV014YXBmanJEUUl5WU5hMk04UFBCdkhBMUo4TUNaVk5
QZGE0PQ==
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
[admin@kc ~]$ ldapsearch -H ldap://localhost:10983 -x -b 'dc=portal,dc=com' -s sub 'uid=administrator@portal.local'
# extended LDIF
#
# LDAPv3
# base <dc=portal,dc=com> with scope subtree
# filter: uid=administrator@portal.local
# requesting: ALL
#
# search result
search: 2
result: 0 Success
# numResponses: 1
[admin@kc ~]$ ldapsearch -H ldap://localhost:10983 -x -b 'dc=portal,dc=com' -s sub 'cn=administrator@portal.local'
# extended LDIF
#
# LDAPv3
# base <dc=portal,dc=com> with scope subtree
# filter: cn=administrator@portal.local
# requesting: ALL
#
# search result
search: 2
result: 0 Success
# numResponses: 1
[admin@kc ~]$ ldapsearch -H ldap://localhost:10983 -x -b 'dc=portal,dc=com' -s sub 'cn=administrator'
# extended LDIF
#
# LDAPv3
# base <dc=portal,dc=com> with scope subtree
# filter: cn=administrator
# requesting: ALL
#
# Administrator, Users, portal.com
dn: CN=Administrator,CN=Users,dc=portal,dc=com
uSNCreated: 8196
badPwdCount: 0
countryCode: 0
description: Built-in account for administering the computer/domain
whenChanged: 20200908050516.0Z
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
primaryGroupID: 513
objectGUID:: TZv9gcj3W0Cawi9zome4fQ==
objectSid:: AQUAAAAAAAUVAAAAhJC7ADgmpiSsDsbe9AEAAA==
instanceType: 4
adminCount: 1
whenCreated: 20200713123251.0Z
dSCorePropagationData: 20200713124937.0Z
dSCorePropagationData: 20200713123426.0Z
dSCorePropagationData: 16010101181216.0Z
userAccountControl: 66048
lastLogonTimestamp: 132440151163572057
isCriticalSystemObject: TRUE
cn: Administrator
codePage: 0
sAMAccountName: Administrator
accountExpires: 9223372036854775807
sAMAccountType: 805306368
managedObjects: CN=ARCGIS-APP,OU=Domain Controllers,DC=portal,DC=local
pwdLastSet: 132325403870671932
lastLogon: 132440220564531053
name: Administrator
lastLogoff: 0
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=portal,DC=local
distinguishedName: CN=Administrator,CN=Users,DC=portal,DC=local
memberOf: CN=Group Policy Creator Owners,CN=Users,DC=portal,DC=local
memberOf: CN=Domain Admins,CN=Users,DC=portal,DC=local
memberOf: CN=Enterprise Admins,CN=Users,DC=portal,DC=local
memberOf: CN=Schema Admins,CN=Users,DC=portal,DC=local
memberOf: CN=Administrators,CN=Builtin,DC=portal,DC=local
logonCount: 13
badPasswordTime: 132440220505261749
uSNChanged: 27197
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
[admin@kc ~]$
Hello everyone!
I'm trying to make one virtual directory with ApacheDS and MS AD in the backend.
Please if you can offer sam examples config files, it would mean a lot.
We've just succeeded to connect to ApacheDS on the same host but we've got error that server does not offer any scheme and the default is being used.
Here's the link for the log and config files: https://1drv.ms/u/s!AscO89aeoy8EmlDIIpSyzN1SdqJT?e=WPbVy8
Also, if it helps I'll paste the config here: