Ylianst / MeshCentral

A complete web-based remote monitoring and management web site. Once set up, you can install agents and perform remote desktop sessions to devices on the local network or over the Internet.
https://meshcentral.com
Apache License 2.0

LDAP Integration, Unable to Login #4636

Open beefliver opened 1 year ago

beefliver commented 1 year ago

Describe your issue

I am attempting to integrate LDAP but having issues. The server is joined to the domain. I try starting the server and I get the error that it can't parse the file (removed sensitive LDAP info).

Server Software (please complete the following information):

Your config.json file


{
  "$schema": "http://info.meshcentral.com/downloads/meshcentral-config-schema.json",
  "__comment1__": "This is a simple configuration file, all values and sections that start with underscore (_) are ignored. Edit a section and remove the _ in front of the name. Refer to the user's guide for details.",
  "__comment2__": "See node_modules/meshcentral/sample-config-advanced.json for a more advanced example.",
  "settings": {
    "MongoDb": "mongodb://127.0.0.1:27017/meshcentral",
    "cert": "0.0.0.0",
    "WANonly": true,
    "_LANonly": true,
    "_sessionKey": "MyReallySecretPassword1",
    "_port": 443,
    "_aliasPort": 443,
    "_redirPort": 80,
    "_redirAliasPort": 80
  },
  "domains": {
    "": {
      "title": "MeshCentral",
      "_title2": "Servername",
      "_loginPicture": "title-sample.png",
      "welcomePicture": "hazard.png",
      "nightMode": 1,
      "_minify": true,
      "_newAccounts": true,
      "_userNameIsEmail": true

      "auth": "ldap",
      "_ldapUserName": "{{{givenName}}} {{{sn}}}",
      "_ldapUserBinaryKey": "objectSid",
      "_ldapUserEmail": "mail",
      "_ldapUserRealname": "{{{givenName}}} {{{sn}}}",
      "_ldapUserPhoneNumber": "telephoneNumber",
      "_ldapUserImage": "thumbnailPhoto",
      "_ldapSaveUserToFile": "C:\\tmp\\ldapuser-save.txt",
      "_ldapUserGroups": "memberOf",
      "_ldapUserRequiredGroupMembership": [ "CN=Domain Admins,OU=MeshCentral_,DC=com,DC=com" ],
      "_ldapSyncWithUserGroups": { "filter": [ "CN=MeshCentral_Admins" ] },
      "ldapOptions": {
        "url": "ldaps://0.0.0.0:636/",
        "tlsOptions": { "rejectUnauthorized": false },
        "bindDN": "cn=MeshCentral LDAP,ou=ServiceAccounts,dc=com,dc=com",
        "bindCredentials": "P@ssw0rd",
        "searchBase": "cn=users,dc=com,dc=com",
        "searchFilter": "(name={{username}})",
        "reconnect": true

    }
  },
  "_letsencrypt": {
    "__comment__": "Requires NodeJS 8.x or better, Go to https://letsdebug.net/ first before trying Let's Encrypt.",
    "email": "myemail@mydomain.com",
    "names": "myserver.mydomain.com",
    "production": false
  }
}
beefliver commented 1 year ago

Okay, I was finally able to get it to parse the file (my error)

I am now receiving an LDAP Error: InvalidCredentialsError: 80090308: LdapErr: DSID=0C090439....

Unsure what may be causing the issue, the login creds are 100% correct

TerAnYu commented 1 year ago

Try using a filter:

"searchFilter": "(&(objectcategory=person)(objectclass=user)(|(samaccountname={{username}})(mail={{username}})))",

maybe these options:

      "ldapUserBinaryKey": "objectSid",
      "ldapUserName": "name",
      "ldapUserKey": "objectSid",
      "ldapUserEmail": "mail",
      "ldapUserRealname": "name",
      "ldapUserPhoneNumber": "telephoneNumber",
      "ldapUserImage": "thumbnailPhoto",
      "ldapUserGroups": "memberOf",

or:

      "auth": "ldap",
      "ldapOptions": {
        "url": "ldaps://127.0.0.1:636",
        "tlsOptions": {
          "rejectUnauthorized": false
        },
        "bindDN": "cn=meshuser,ou=sys-users,ou=users,dc=domainname,dc=loc",
        "bindCredentials": "P@ssw0rd",
        "searchBase": "ou=users,dc=domainname,dc=local",
        "searchFilter": "(&(objectcategory=person)(objectclass=user)(|(samaccountname={{username}})(mail={{username}})))",
        "reconnect": true
      },
      "ldapUserBinaryKey": "objectSid",
      "ldapUserName": "name",
      "ldapUserKey": "objectSid",
      "ldapUserEmail": "mail",
      "ldapUserRealname": "name",
      "ldapUserPhoneNumber": "telephoneNumber",
        "ldapUserImage": "thumbnailPhoto",
      "ldapUserGroups": "memberOf",
      "ldapUserRequiredGroupMembership": [
        "CN=mesh-administrators,OU=Permissions,ou=users,dc=domainname,DC=loc"
      ],
      "ldapSyncWithUserGroups": {
        "filter": [
          "mesh-administrators"
        ]
      },
beefliver commented 1 year ago

I tried different variations of what you listed (with the proper adjustments)

I run it in --debug ldap but it doesn't display any errors through CMD, simply says that it's incorrect username or password (they're 100% correct)

This section here:

"bindDN": "cn=meshuser,ou=sys-users,ou=users,dc=domainname,dc=loc",
"bindCredentials": "P@ssw0rd",
"searchBase": "ou=users,dc=domainname,dc=local",
"searchFilter": "(&(objectcategory=person)(objectclass=user)(|(samaccountname={{username}})(mail={{username}})))",
"reconnect": true

The "searchBase": is that where it searches for the account that will provide the credentials for this integration (for example a service account strictly for this), or is this asking for the location of the users that will log in?
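The filter TerAnYu suggested above and the bindDN/searchBase question in this comment both come down to the sequence an LDAP login runs: bind with the service account, search under searchBase for the user's entry, then bind again as that entry with the password typed at login. The script below is an added example written for this thread, not MeshCentral or ldapauth-fork code. It walks that sequence against a small in-memory directory with hypothetical DNs, substitutes {{username}} with RFC 4515 escaping, and evaluates the AND/OR filter, so it is visible which field has to point where.

```javascript
// Added example, not code from MeshCentral or ldapauth-fork: a mock directory
// that walks the bind -> search -> bind sequence an LDAP login performs, so the
// roles of bindDN, searchBase and searchFilter can be seen without a real server.

// Constructed sample directory (DN -> password and attributes). All names are
// hypothetical; attribute names compare case-insensitively, as in AD.
const DIRECTORY = {
  'cn=MeshCentral LDAP,ou=ServiceAccounts,ou=Meshworld,dc=meshworld,dc=com': {
    password: 'service-secret',
    attrs: { objectClass: ['user'], objectCategory: ['person'], sAMAccountName: ['svc-mesh'] },
  },
  'cn=John Doe,ou=Users,dc=meshworld,dc=com': {
    password: 'user-secret',
    attrs: {
      objectClass: ['user'], objectCategory: ['person'],
      sAMAccountName: ['john.doe'], mail: ['john.doe@meshworld.com'],
      memberOf: ['CN=MeshCentral_Admins,OU=Groups,OU=Meshworld,DC=meshworld,DC=com'],
    },
  },
};

// RFC 4515 escaping for the value substituted into {{username}}; without it a
// crafted login name could change the meaning of the search filter.
function escapeFilterValue(v) {
  return String(v).replace(/[\\*()\0]/g,
    c => '\\' + c.charCodeAt(0).toString(16).padStart(2, '0'));
}
function unescapeFilterValue(v) {
  return v.replace(/\\([0-9a-fA-F]{2})/g, (_, h) => String.fromCharCode(parseInt(h, 16)));
}
function renderFilter(template, username) {
  return template.replace(/\{\{username\}\}/g, escapeFilterValue(username));
}

// Parser for the filter subset used in this thread: &, |, ! and attr=value.
function parseFilter(s) {
  let i = 0;
  function node() {
    if (s[i] !== '(') throw new Error('expected ( at ' + i);
    i++;
    let out;
    if (s[i] === '&' || s[i] === '|') {
      const op = s[i++]; const kids = [];
      while (s[i] === '(') kids.push(node());
      out = { op, kids };
    } else if (s[i] === '!') {
      i++; out = { op: '!', kids: [node()] };
    } else {
      const eq = s.indexOf('=', i), end = s.indexOf(')', i);
      if (eq < 0 || end < 0 || eq > end) throw new Error('bad item at ' + i);
      out = { op: '=', attr: s.slice(i, eq).toLowerCase(),
              value: unescapeFilterValue(s.slice(eq + 1, end)) };
      i = end;
    }
    if (s[i] !== ')') throw new Error('expected ) at ' + i);
    i++;
    return out;
  }
  const tree = node();
  if (i !== s.length) throw new Error('trailing data at ' + i);
  return tree;
}

function matches(n, attrs) {
  if (n.op === '&') return n.kids.every(k => matches(k, attrs));
  if (n.op === '|') return n.kids.some(k => matches(k, attrs));
  if (n.op === '!') return !matches(n.kids[0], attrs);
  const key = Object.keys(attrs).find(k => k.toLowerCase() === n.attr);
  return !!key && attrs[key].some(v => v.toLowerCase() === n.value.toLowerCase());
}

// The login sequence. opts mirrors the ldapOptions keys from the thread.
function authenticate(opts, username, password) {
  // 1. Bind as the service account named by bindDN with bindCredentials.
  const svc = DIRECTORY[opts.bindDN];
  if (!svc || svc.password !== opts.bindCredentials) {
    return { ok: false, stage: 'bind', error: 'InvalidCredentialsError' };
  }
  // 2. Search the subtree under searchBase for the one entry matching the filter.
  //    searchBase is where the logging-in users live, not the service account.
  if (!opts.searchFilter) throw new Error('Search filter not defined (opts.searchFilter)');
  const filter = parseFilter(renderFilter(opts.searchFilter, username));
  const base = opts.searchBase.toLowerCase();
  const found = Object.entries(DIRECTORY)
    .filter(([dn, e]) => dn.toLowerCase().endsWith(base) && matches(filter, e.attrs));
  if (found.length !== 1) return { ok: false, stage: 'search', error: 'user not found' };
  // 3. Bind again as the found DN with the password entered at login.
  const [dn, entry] = found[0];
  if (entry.password !== password) return { ok: false, stage: 'userBind', error: 'InvalidCredentialsError' };
  // 4. Group gate, as ldapUserRequiredGroupMembership does.
  const groups = (entry.attrs.memberOf || []).map(g => g.toLowerCase());
  const required = (opts.requiredGroups || []).map(g => g.toLowerCase());
  if (!required.every(g => groups.includes(g))) return { ok: false, stage: 'group', error: 'not a member' };
  return { ok: true, dn, attrs: entry.attrs };
}

// Constructed options that follow the filter suggested in this thread.
const OPTS = {
  bindDN: 'cn=MeshCentral LDAP,ou=ServiceAccounts,ou=Meshworld,dc=meshworld,dc=com',
  bindCredentials: 'service-secret',
  searchBase: 'ou=Users,dc=meshworld,dc=com',
  searchFilter: '(&(objectcategory=person)(objectclass=user)(|(samaccountname={{username}})(mail={{username}})))',
  requiredGroups: ['CN=MeshCentral_Admins,OU=Groups,OU=Meshworld,DC=meshworld,DC=com'],
};
console.log(JSON.stringify(authenticate(OPTS, 'john.doe', 'user-secret')));
```

searchBase is the container the accounts that log in live under; the service account named in bindDN can sit elsewhere, it only needs read access to that subtree. When the user's entry is outside searchBase the search returns nothing and the login fails at the search step with the generic "incorrect username or password" result even though both passwords are right, which is one way to get that symptom with correct credentials. The escaping step is what keeps a login name containing `*`, `(` or `)` from rewriting the filter.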
beefliver commented 1 year ago

Here's what the AD structure looks like

Domain: Meshworld.com
  * Meshworld
      Computers
      Groups
          MeshCentral_Admins
      ServiceAccounts
          MeshCentral LDAP (using to validate the integration)
  * Users
      John.Doe (is added to MCAdmins Group)

beefliver commented 1 year ago

Here's a screenshot [image]

"Domain Users" security group are here [image]

beefliver commented 1 year ago

This is where the group is located [image]

This is where the account to validate the integration is located [image]

TerAnYu commented 1 year ago

Use the program Active Directory Explorer to determine the exact full path for the user and/or group.

beefliver commented 1 year ago

dsquery via cmd helped me with finding the path. I'll make changes on the config and see if I'm able to get it to communicate

beefliver commented 1 year ago

I have the correct paths, can't figure out why it doesn't connect. I start the server with --debug ldap and nothing displays when I attempt to login

beefliver commented 1 year ago

After restarting the PC, I now get an AssertionError upon trying to login

AssertionError [ERR_ASSERTION]: Search filter not defined (opts.searchFilter)
    at new LdapAuth (C:\MeshCentral\node_modules\ldapauth-fork\lib\ldapauth.js:82:10)
    at Object.obj.authenticate (C:\MeshCentral\node_modules\meshcentral\webserver.js:698:28)
    at handleLoginRequest (C:\MeshCentral\node_modules\meshcentral\webserver.js:1110:13)
    at handleRootPostRequest (C:\MeshCentral\node_modules\meshcentral\webserver.js:3292:29)
    at Layer.handle [as handle_request] (C:\MeshCentral\node_modules\express\lib\router\layer.js:95:5)
    at next (C:\MeshCentral\node_modules\express\lib\router\route.js:144:13)
    at C:\MeshCentral\node_modules\body-parser\lib\read.js:137:5
    at AsyncResource.runInAsyncScope (node:async_hooks:203:9)
    at invokeCallback (C:\MeshCentral\node_modules\raw-body\index.js:231:16)
    at done (C:\MeshCentral\node_modules\raw-body\index.js:220:7)

TerAnYu commented 1 year ago

Might be a strange question, but was

npm install authenticode-js

done after installing MeshCentral?

I don't have any other ideas, maybe someone more knowledgeable can help.

beefliver commented 1 year ago

Nope, I did not run that command after installing.

I am able to login locally just fine, but once I try to login via LDAP - I'm greeted with errors. As mentioned, I verified that the paths are correct, just unsure what I may be doing wrong.

null6process commented 10 months ago

Hello beefliver,

Can you change ldaps to ldap? "url": "ldaps://127.0.0.1:636", to "url": "ldap://127.0.0.1:389",

Delete the SSL protocol and try again.
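Several of the problems in this thread are things a config check can catch before the server starts: the JSON that would not parse at the top of the issue, the LDAP mapping keys left behind a leading underscore (which the file's own comment says are ignored), the "Search filter not defined (opts.searchFilter)" assertion, and the suggestion just above to drop ldaps:// for ldap://, which would send the bind credentials and every login password across the network in clear text. The lint below is an added example, not part of MeshCentral; it uses the key names from the thread, two constructed sample configs with placeholder hostnames and passwords, and checks that are this example's own.

```javascript
// Added example, not part of MeshCentral: a lint for the LDAP section of a
// MeshCentral config.json. It reports JSON syntax errors, keys that are
// silently ignored because of a leading underscore, missing ldapOptions
// fields, and settings that weaken transport security. The key names are the
// ones used in this thread; the checks themselves are this example's own.

const REQUIRED_LDAP = ['url', 'bindDN', 'bindCredentials', 'searchBase', 'searchFilter'];

// Drop keys that start with "_" (the file's own convention: such sections are
// ignored) and record any dropped key whose name mentions ldap.
function stripIgnored(obj, ignored, path = '') {
  if (Array.isArray(obj)) return obj.map((v, i) => stripIgnored(v, ignored, `${path}[${i}]`));
  if (obj === null || typeof obj !== 'object') return obj;
  const out = {};
  for (const [k, v] of Object.entries(obj)) {
    const here = `${path}["${k}"]`;
    if (k.startsWith('_')) { if (/ldap/i.test(k)) ignored.push(here); continue; }
    out[k] = stripIgnored(v, ignored, here);
  }
  return out;
}

function lintConfig(text) {
  const report = { parseError: null, ignored: [], errors: [], warnings: [] };
  let cfg;
  try { cfg = JSON.parse(text); } catch (e) { report.parseError = e.message; return report; }
  cfg = stripIgnored(cfg, report.ignored);
  for (const [name, dom] of Object.entries(cfg.domains || {})) {
    if (dom.auth !== 'ldap') continue;
    const label = `domains["${name}"]`;
    const o = dom.ldapOptions;
    if (!o) { report.errors.push(`${label}: auth is "ldap" but ldapOptions is missing`); continue; }
    for (const k of REQUIRED_LDAP) {
      // An unset searchFilter is what the "Search filter not defined" assertion reports.
      if (o[k] === undefined || o[k] === '') report.errors.push(`${label}.ldapOptions.${k} is not set`);
    }
    if (o.searchFilter && !o.searchFilter.includes('{{username}}')) {
      report.errors.push(`${label}.ldapOptions.searchFilter has no {{username}} placeholder`);
    }
    if (o.url) {
      let u = null;
      try { u = new URL(o.url); } catch (e) { report.errors.push(`${label}.ldapOptions.url is not a valid URL`); }
      if (u && u.protocol === 'ldap:') {
        report.warnings.push(`${label}: ldap:// sends the bind password and every login password in clear text; use ldaps://`);
      }
    }
    if (o.tlsOptions && o.tlsOptions.rejectUnauthorized === false) {
      report.warnings.push(`${label}: tlsOptions.rejectUnauthorized=false disables verification of the LDAP server certificate`);
    }
  }
  return report;
}

// Constructed sample with the same two slips as the config posted in this
// issue: no comma after "_userNameIsEmail" and an unclosed ldapOptions block.
const BROKEN = `{
  "domains": { "": {
    "_userNameIsEmail": true
    "auth": "ldap",
    "ldapOptions": { "url": "ldaps://dc.example.test:636/"
  } }
}`;

// Constructed sample that parses but leaves the group requirement inactive,
// has no searchFilter, and weakens transport security (placeholder values).
const PARSES = JSON.stringify({
  domains: { '': {
    auth: 'ldap',
    _ldapUserRequiredGroupMembership: ['CN=MeshCentral_Admins,DC=example,DC=test'],
    ldapOptions: {
      url: 'ldap://dc.example.test:389',
      tlsOptions: { rejectUnauthorized: false },
      bindDN: 'cn=svc-mesh,ou=ServiceAccounts,dc=example,dc=test',
      bindCredentials: 'placeholder-password',
      searchBase: 'ou=Users,dc=example,dc=test',
    },
  } },
});

for (const [name, text] of [['broken', BROKEN], ['parses', PARSES]]) {
  console.log(name, JSON.stringify(lintConfig(text), null, 2));
}
```

Run against the first config in this issue it would stop at the parse error (the missing comma after "_userNameIsEmail" and the unclosed "ldapOptions" block); once that is fixed it would report that every "_ldapUser..." key is inactive, so no group requirement or attribute mapping is in force, and that "rejectUnauthorized": false lets the client complete an LDAPS handshake with any server presenting any certificate, which exposes the bind credentials to whoever answers on port 636. If the directory's certificate is not trusted by the host, the usual fix is to supply the issuing CA (tlsOptions is handed to Node's TLS client, which accepts a "ca" entry) rather than to disable verification or fall back to ldap://.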