Ylianst / MeshCentral

A complete web-based remote monitoring and management web site. Once setup you can install agents and perform remote desktop session to devices on the local network or over the Internet.
https://meshcentral.com
Apache License 2.0

Problems with openldap #1261

Open nredobi opened 4 years ago

nredobi commented 4 years ago

Hi all, I have installed MeshCentral 0.5.11 (on a new Debian 10 Buster machine). I want to configure it to authenticate users against my OpenLDAP on another Debian 10 Buster server. What is the correct config.json configuration for this purpose? I've tried it unsuccessfully. From the same server and with the same parameters I can connect to the OpenLDAP server with "ldapsearch" without problems. My tests with a Windows AD have been OK too.

That is a success, I receive the data

It's ok too: node[xxxxx]: WEB: handleLoginRequest: successful login

Where could the problem be in my first case?

Thanks

Ylianst commented 4 years ago

I am not very familiar with LDAP, so I can't help much. However, MeshCentral uses the ldapauth-fork library internally. So the best start is to look at the documentation of the options of that library and see what is going on. The "ldapOptions" are directly passed into ldapauth-fork, if that helps.

jsastriawan commented 4 years ago

I read through ldapauth-fork source code. It seems the way to authenticate the user is to bind using username and password. Are you allowing user to bind using its credential?

nredobi commented 4 years ago

I've looked at the ldapauth-fork documentation and I think I'm configuring the parameters correctly, but it doesn't seem so. Yes, on the OpenLDAP server I have allowed users to bind using their credentials. With the ldapsearch command it succeeds. Do I have to configure something else in the config.json file for this purpose?

mherrb commented 4 years ago

After fighting a bit and reading the code, I found the following working configuration with OpenLDAP:

        "auth": "ldap",
        "ldapUserName": "uid",
        "ldapUserKey": "uid",
        "ldapOptions": {
            "url": "ldaps://ldap.example.com:636",
            "searchBase": "ou=users,dc=example,dc=com",
            "searchFilter": "(uid={{username}})"
        }

Using "ldapUserName": "cn" also works, it will display nicer names, but you need to use the uid (login name) to add users to a group, while the completion is done on the full name. So I went for 'uid' there too.

nredobi commented 4 years ago

Thank you very much for your time and your answer. Adding the two lines you posted, "ldapUserName": "uid" and "ldapUserKey": "uid", it has worked correctly.

jmchantrein commented 3 years ago

Hello,

Thank you @mherrb for your tips, it's working fine like this. Thank you @Ylianst for your great work!

I have 2 more questions: 1) when I use LDAP authentication, I can't connect with my local users anymore; is there any way to combine the 2 authentication methods (LDAP and local) at the same time? 2) Is it possible to filter the users on an LDAP attribute they have in common, for example (but not a groupOfNames)?

Thanks