Ylianst / MeshCentral

A complete web-based remote monitoring and management web site. Once set up, you can install agents and perform remote desktop sessions to devices on the local network or over the Internet.
https://meshcentral.com
Apache License 2.0

LDAP Authentication Inconsistent Failure #6407

Open baclaeys opened 1 month ago

baclaeys commented 1 month ago

Describe the bug
I have been using LDAP authentication for more than a year now. About a month ago LDAP authentication would periodically stop working. No changes were made to the config.json during this time. I have resorted to using local authentication by commenting out "_auth": "ldap" in the config.json file, but I would like to go back to LDAP authentication.

To Reproduce
Steps to reproduce the behavior: At the sign-in screen enter your shortname and password. Click on "Log In". Sometimes it will accept the credentials, and sometimes it will not. I also built out two additional servers to test this problem (details listed below). They also had the same issue with LDAP authentication.

Test server 1:

Test Server 2:

Expected behavior
LDAP authentication should be successful if the correct username (shortname) and password are entered.

Screenshots
If applicable, add screenshots to help explain your problem.

The log file shows the exact same thing as the screenshot. Here is an excerpt from auth.log:

Sep 17 16:31:59 meshcentral http[2041296]: Server listening on 0.0.0.0 port 80.
Sep 17 16:32:3 meshcentral https[2041296]: Server listening on 0.0.0.0 port 443.
Sep 17 16:36:9 meshcentral http[2042162]: Server listening on 0.0.0.0 port 80.
Sep 17 16:36:13 meshcentral https[2042162]: Server listening on 0.0.0.0 port 443.
Sep 17 16:36:23 meshcentral https[2042162]: Accepted password for claeys.bc from 143.22.31.90 port 27424
Sep 17 16:40:35 meshcentral https[2042162]: User Brian Claeys logout from 143.22.31.90 port 28156
Sep 17 16:40:43 meshcentral https[2042162]: Accepted password for claeys.bc from 143.22.31.90 port 28167
Sep 17 16:49:44 meshcentral https[2042162]: User Brian Claeys logout from 143.22.31.90 port 29801
Sep 17 16:49:51 meshcentral https[2042162]: Accepted password for claeys.bc from 143.22.31.90 port 29809
Sep 17 16:50:41 meshcentral https[2042162]: Accepted password for thomas.bc from 137.179.31.117 port 61942
Sep 17 16:59:8 meshcentral http[2046446]: Server listening on 0.0.0.0 port 80.
Sep 17 16:59:11 meshcentral https[2046446]: Server listening on 0.0.0.0 port 443.
Sep 17 16:59:24 meshcentral https[2046446]: Failed password for claeys.bc from 143.22.31.90 port 31442
Sep 17 17:08:19 meshcentral https[2046446]: Failed password for claeys.bc from 143.22.31.90 port 32786
Sep 17 17:08:36 meshcentral https[2046446]: Failed password for claeys.bc from 143.22.31.90 port 32830
Sep 17 17:09:17 meshcentral http[2048376]: Server listening on 0.0.0.0 port 80.
Sep 17 17:09:21 meshcentral https[2048376]: Server listening on 0.0.0.0 port 443.

Server Software (please complete the following information):

Client Device (please complete the following information):

Remote Device (please complete the following information):

Additional context
Restarting meshcentral.service can sometimes seem to resolve the issue, but I think there is something else that I am missing. I tested logging into all three servers at the same time with LDAP authentication turned on. So far they would all succeed or all fail the same way. I am not sure if this is a coincidence.

Your config.json file

The config file below has "_auth": "ldap" commented out to allow for local authentication.

{
  "__comment__" : "This is a sample configuration file, edit a section and remove the _ in front of the name. Refer to the user's guide for details.",
"settings": {
    "_Cert": "myserver.mydomain.com",
    "_MongoDb": "mongodb://127.0.0.1:27017",
    "_MongoDbName": "meshcentral",
    "_MongoDbChangeStream": true,
    "_WANonly": true,
    "_LANonly": true,
    "_Minify": 1,
    "_SessionTime": 30,
    "_SessionKey": "MyReallySecretPassword1",
    "_SessionSameSite": "strict",
    "_DbEncryptKey": "MyReallySecretPassword2",
    "_DbRecordsEncryptKey": "MyReallySecretPassword",
    "_DbRecordsDecryptKey": "MyReallySecretPassword",
    "_DbExpire": {
      "events": 1728000,
      "powerevents": 864000
    },
    "_Port": 443,
    "_RedirPort": 80,
    "_AllowLoginToken": true,
    "_AllowFraming": true,
    "_WebRTC": false,
    "_Nice404": false,
    "_ClickOnce": false,
    "_SelfUpdate": true,
    "_AgentPing": 60,
    "_AgentPong": 60,
    "_AgentIdleTimeout": 150,
    "MeshErrorLogPath": "/home/lnxadmin/meshcentral-logs/",
    "_NpmPath": "c:\\npm.exe",
    "NpmProxy": "http://104.129.198.34:9400",
    "AllowHighQualityDesktop": true,
    "_UserAllowedIP": "127.0.0.1,192.168.1.0/24",
    "_UserBlockedIP": "127.0.0.1,::1,192.168.0.100",
    "_AgentAllowedIP": "192.168.0.100/24",
    "_AgentBlockedIP": "127.0.0.1,::1",
    "AuthLog": "/home/lnxadmin/meshcentral-logs/auth.log",
    "_LocalDiscovery": {
      "name": "Local server name",
      "info": "Information about this server"
    },
    "_TlsOffload": true,
    "_MpsPort": 44330,
    "_MpsAliasPort": 4433,
    "_MpsAliasHost": "mps.mydomain.com",
    "_MpsTlsOffload": true,
    "_No2FactorAuth": true,
    "Log": [
        "cookie",
        "dispatch",
        "main",
        "peer",
        "web",
        "webrequest",
        "relay",
        "webrelaydata",
        "webrelay",
        "mps",
        "mpscmd",
        "swarm",
        "swarmcmd",
        "agentupdate",
        "agent",
        "cert",
        "db",
        "email",
        "amt",
        "httpheaders",
        "websocket"
    ],
    "_WebRtConfig": {
      "iceServers": [
        { "urls": "stun:stun.services.mozilla.com" },
        { "urls": "stun:stun.l.google.com:19302" }
      ]
    },
    "AutoBackup": {
      "backupIntervalHours": 24,
      "keepLastDaysBackup": 10,
      "zipPassword": "MyReallySecretPassword3",
      "_backupPath": "C:\\backups"
    },
    "_Redirects": {
      "meshcommander": "https://www.meshcommander.com/"
    },
    "__MaxInvalidLogin": "Time in minutes, max amount of bad logins from a source IP in the time before logins are rejected.",
    "MaxInvalidLogin": { "time": 10, "count": 10, "coolofftime": 10 },
    "Plugins": {
        "enabled": true, "proxy":"http://znaproxy.na.pg.com:9400/"
    }
  },
  "domains": {
    "": {
      "_auth": "ldap",
      "ldapUserName": "displayName",
      "ldapUserBinaryKey": "objectSid",
      "ldapOptions": {
        "url": "ldap://143.22.31.14:389",
        "bindDN": "CN=ic-oxidized,OU=Users,OU=Iowa City,OU=Sites,DC=cis,DC=pg,DC=com",
        "bindCredentials": "obfuscated",
        "ldapUserRequiredGroupMembership": [ "CN='meshcentralusers',OU=Users,OU=Iowa City,OU=Sites,DC=cis,DC=pg,DC=com" ],
        "ldapSyncWithUserGroups": { "filter": [ "CN='meshcentralusers',OU=Users,OU=Iowa City,OU=Sites,DC=cis,DC=pg,DC=com" ] },
        "_ldapUserRequiredGroupMembership": [ "CN='digiconusers',OU=Users,OU=Iowa City,OU=Sites,DC=cis,DC=pg,DC=com" ],
        "_ldapSyncWithUserGroups": { "filter": [ "CN='digiconusers',OU=Users,OU=Iowa City,OU=Sites,DC=cis,DC=pg,DC=com" ] },
        "_ldapUserRequiredGroupMembership": [ "CN='Digicon Users',OU=Users,OU=Iowa City,OU=Sites,DC=cis,DC=pg,DC=com" ],
        "_ldapSyncWithUserGroups": { "filter": [ "CN='Digicon Users',OU=Users,OU=Iowa City,OU=Sites,DC=cis,DC=pg,DC=com" ] },
        "_searchBase": "CN=digiconusers,OU=Users,OU=Iowa City,OU=Sites,DC=cis,DC=pg,DC=com",
        "searchBase": "OU=Users,OU=Iowa City,OU=Sites,DC=cis,DC=pg,DC=com",
        "_searchFilter": "(name={{username}})",
        "searchFilter": "(sAMAccountName={{username}})",
        "_LDAPSiteAdminGroups": "CN='meshcentralusers',OU=Users,OU=Iowa City,OU=Sites,DC=cis,DC=pg,DC=com"
      },
      "Title": "Digicon Remote Management",
      "Title2": "Iowa City Beauty",
      "_TitlePicture": "title-sample.png",
      "_UserQuota": 1048576,
      "_MeshQuota": 248576,
      "_NewAccounts": true,
      "_UserNameIsEmail": true,
      "_NewAccountEmailDomains": [ "sample.com" ],
      "_NewAccountsRights": [ "nonewgroups", "notools" ],
      "_ManageAllDeviceGroups": [ "admin" ],
      "Footer": "<a href='https://twitter.com/mytwitter'>Twitter</a>",
      "_CertUrl": "https://192.168.2.106:443/",
      "_PasswordRequirements": { "min": 8, "max": 128, "upper": 1, "lower": 1, "numeric": 1, "nonalpha": 1, "reset": 90, "force2factor": true, "skip2factor": "127.0.0.1,192.168.2.0/24" },
      "_AgentNoProxy": true,
      "_GeoLocation": true,
      "_UserAllowedIP": "127.0.0.1,192.168.1.0/24",
      "_UserBlockedIP": "127.0.0.1,::1,192.168.0.100",
      "_AgentAllowedIP": "192.168.0.100/24",
      "_AgentBlockedIP": "127.0.0.1,::1",
      "___UserSessionIdleTimeout__" : "Number of user idle minutes before auto-disconnect",
      "_UserSessionIdleTimeout" : 30,
      "__UserConsentFlags__" : "Set to: 1 for desktop, 2 for terminal, 3 for files, 7 for all",
      "_UserConsentFlags" : 7,
      "_Limits": {
        "_MaxDevices": 100,
        "_MaxUserAccounts": 100,
        "_MaxUserSessions": 100,
        "_MaxAgentSessions": 100,
        "MaxSingleUserSessions": 10
      },
      "_AmtAcmActivation": {
        "log": "amtactivation.log",
        "certs": {
          "mycertname": {
            "certfiles": [ "amtacm-leafcert.crt", "amtacm-intermediate1.crt", "amtacm-intermediate2.crt", "amtacm-rootcert.crt" ],
            "keyfile": "amtacm-leafcert.key"
          }
        }
      },
      "_Redirects": {
        "meshcommander": "https://www.meshcommander.com/"
      },
      "_yubikey": { "id": "0000", "secret": "xxxxxxxxxxxxxxxxxxxxx", "_proxy": "http://myproxy.domain.com:80" },
      "_httpheaders": {
        "Strict-Transport-Security": "max-age=360000",
        "x-frame-options": "SAMEORIGIN",
        "Content-Security-Policy": "default-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self'; img-src 'self' data:; style-src 'self' 'unsafe-inline'; frame-src 'self'; media-src 'self'"
      },
      "_agentConfig": [ "webSocketMaskOverride=1" ],
      "_SessionRecording": {
        "_filepath": "C:\\temp",
        "_index": true,
        "__protocols__": "Is an array: 1 = Terminal, 2 = Desktop, 5 = Files, 100 = Intel AMT WSMAN, 101 = Intel AMT Redirection",
        "protocols": [ 1, 2, 101 ]
      }
    },
    "_customer1": {
      "_DNS": "customer1.myserver.com",
      "_Title": "Customer1",
      "_Title2": "TestServer",
      "_NewAccounts": 1,
      "_Auth": "sspi",
      "_Footer": "Test",
      "_CertUrl": "https://192.168.2.106:443/"
    },
    "_info": {
      "_share": "C:\\ExtraWebSite"
    }
  },
  "_letsencrypt": {
    "__comment__": "Requires NodeJS 10.12 or better, Go to https://letsdebug.net/ first before trying Let's Encrypt.",
    "email": "myemail@myserver.com",
    "names": "myserver.com,customer1.myserver.com",
    "rsaKeySize": 3072,
    "production": false
  },
  "_peers": {
    "serverId": "server1",
    "servers": {
      "server1": { "url": "wss://192.168.2.133:443/" },
      "server2": { "url": "wss://192.168.1.106:443/" }
    }
  },
  "_smtp": {
    "host": "smtp.myserver.com",
    "port": 25,
    "from": "myemail@myserver.com",
    "__tls__": "When 'tls' is set to true, TLS is used immidiatly when connecting. For SMTP servers that use TLSSTART, set this to 'false' and TLS will still be used.",
    "tls": false,
    "___tlscertcheck__": "When set to false, the TLS certificate of the SMTP server is not checked.",
    "_tlscertcheck": false,
    "__tlsstrict__": "When set to true, TLS cypher setup is more limited, SSLv2 and SSLv3 are not allowed.",
    "_tlsstrict": true
  }
}
si458 commented 1 month ago

have you tried updating to the latest version of meshcentral as this does have some LDAP improvements? you are running 1.1.0 and the latest is 1.1.30

edit: you will also need node 16 or above now too

baclaeys commented 1 month ago

have you tried updating to the latest version of meshcentral as this does have some LDAP improvements? you are running 1.1.0 and the latest is 1.1.30

edit: you will also need node 16 or above now too

I have tried using the latest version, but it did it then as well. It is a production environment, so I was hoping to stick with the stable release. I just tried using a new bind user account. I will post an update on how that goes after some testing.

si458 commented 1 month ago

The only thing I can think of that looks a bit weird is CN='meshcentralusers',OU=Users,OU=Iowa City,OU=Sites,DC=cis,DC=pg,DC=com. I don't think the CN should have ' around them?

One other thing you could try is to run the server in debug mode and watch the LDAP logins (requires a restart of your MeshCentral, sadly):

node node_modules/meshcentral --debug ldap,authlog

OR the below inside your config.json (still requires a restart):

{
  "settings": {
    "debug": "ldap,authlog"
  },
  ...
}
LeonardoIdalgo commented 1 month ago

Hello, I've recently been having the same issue. I'm unable to configure the LDAP for my MeshCentral.

C:\meshcentral\node_modules>node meshcentral --debug ldap,authlog
MeshCentral HTTP redirection server running on port 80.
AUTHLOG: Server listening on 0.0.0.0 port 80.
MeshCentral v1.1.31, LAN mode.
MeshCentral HTTPS server running on port 443.
AUTHLOG: Failed password for leonardXXX.XXXxx from 192.XX.5.XX port 26997, Browser: Edge/129.0.0.0, OS: Windows/10

I'm not sure what I'm doing wrong.

"_customer1": { 
    "_dns": "xxxxx.sxxpxxx.br", 
    "_title": "INxxx", 
    "_title2": "Remote", 
    "_newAccounts": 1, 
    "auth": "ldap", 
    "_LDAPUserName": "gecos", 
    "_LDAPUserKey": "uid", 
    "_LDAPUserEmail": "otherMail", 
    "_LDAPUserGroups": "memberOf", 
    "_LDAPSiteAdminGroups": [ 
        "CN=TxxxxxxC,OU=IxxxxxxR,DC=mxxxxi,DC=xx,DC=xxx" 
    ], 
    "_LDAPUserRequiredGroupMembership": [ 
        "CN=Txxxxxxx,OU=INxxxxxR,DC=mxxxxx,DC=xx,DC=xxx" 
    ], 
    "_LDAPSyncWithUserGroups": { 
        "filter": [ 
            "CN=xxxxxxx,OU=Ixxxxx,DC=mxxxxxi,DC=xx,DC=xxx,DC=xx" 
        ] 
    }, 
    "_LDAPOptions": { 
        "URL": "ldap://dxxxxxxxxxx:636", 
        "BindDN": "CN=LEONAxxxxxx xxxxx,OU=xxxxxx,OU=xxxxxxxxxTICA,OU=xxxxxxL PExxxxRA,OU=CxxxxTO HOxxxxxLxxx xxxxxxx,DC=xxxxxxx,DC=xx,DC=xxx,DC=xx", 
        "BindCredentials": "xxxxxxxx*", 
        "SearchBase": "DC=xxxxxx,DC=xx,DC=xxx,DC=xx", 
        "SearchFilter": "(sAMAccountName={{username}})", 
        "tlsOptions": { 
            "rejectUnauthorized": false 
        } 
    } 
}

Let me know if you need any further assistance!

si458 commented 1 month ago

@LeonardoIdalgo all your values have an underscore in front of them. Any values in your config.json that start with an underscore are ignored! So remove the underscore, restart and away you go!

LeonardoIdalgo commented 1 month ago

I can't believe I was making such a basic mistake. Thank you so much for your help, I'll test it and let you know.

LeonardoIdalgo commented 1 month ago

Good afternoon, I'm still having trouble configuring LDAP in my MeshCentral. I tested the same credentials I used to access LDAP in LDAP Soft, and I was also able to make queries using PowerShell:

# Creating a directory object
$ldapConnection = New-Object System.DirectoryServices.DirectorySearcher
$ldapConnection.SearchRoot = [ADSI]"LDAP://$($ldapServer):$($ldapPort)"
$ldapConnection.Filter = "(cn=$groupName)"  # Filter to search for the group

# Defining the scope and properties to load
$ldapConnection.SearchScope = [System.DirectoryServices.SearchScope]::Subtree
$ldapConnection.PropertiesToLoad.Add("cn")

Using PowerShell, I was able to establish a connection to check if LDAP is active and successfully perform queries as well.

But when I input the information below into MeshCentral, it doesn't connect. This situation is really frustrating for me.

"customer1": {
  "dns": "hidden",
  "title": "INxxxT",
  "title2": "Remote",
  "NewAccounts": 1,
  "auth": "ldap",
  "LDAPUserName": "gecos",
  "LDAPUserKey": "sAMAccountName",
  "LDAPUserEmail": "otherMail",
  "LDAPUserGroups": "memberOf",
  "LDAPSiteAdminGroups": [ "CN=TxxxxC,OU=IxxxxxxR,DC=mxxxxi,DC=xx,DC=gxx,DC=xx" ],
  "LDAPUserRequiredGroupMembership": [ "CN=xxxxxxC,OU=IxxxxxxER,DC=mxxxxqui,DC=xx,DC=xxx,DC=xx" ],
  "LDAPSyncWithUserGroups": { "filter": [ "CN=xxxxxxxIC" ] },
  "LDAPOptions": {
    "URL": "ldap://XXXXXXXXX:636",
    "BindDN": "CN=LEONARDO XXXXXX IDxLXO,OU=USUARIOS,OU=XXXXXXXXX TICA,OU=XXXXXX PXXXXXRA,OU=CXXXXX HXXXXXXX MXXXXXXXXX,DC=xxxxxxxi,DC=xxxx,DC=xxx,DC=xx",
    "BindCredentials": "HIdden*",
    "SearchBase": "DC=xxxxxxi,DC=xx,DC=xx,DC=xx",
    "SearchFilter": "(sAMAccountName={{username}})"
  }
}

C:\meshcentral\node_modules>node meshcentral --debug ldap,authlog
MeshCentral HTTP redirection server running on port 80.
AUTHLOG: Server listening on 0.0.0.0 port 80.
MeshCentral v1.1.31, Hybrid (LAN + WAN) mode.
MeshCentral Intel(R) AMT server running on xxxxxx.
AUTHLOG: Server listening on 0.0.0.0 port xxxx.
MeshCentral HTTPS server running on xxxxxxxxx:443.
AUTHLOG: Failed password for leonardo.idxxlgo from xxxxxxx port 26280, Browser: Edge/129.0.0.0, OS: Windows/10
AUTHLOG: Failed password for MxxxxxxxI\leonardo.idxxlgo from 19x.xxx.xxx.xx port 2xx26, Browser: Edge/129.0.0.0, OS: Windows/10
AUTHLOG: Failed password for leonardo.idalgo@mxxxxxxx.xx.xxx.xx from 19xxxxxxx port 2xx49, Browser: Edge/129.0.0.0, OS: Windows/10

si458 commented 1 month ago

I think your BindDN is incorrect as it has spaces in it! Use something like LDAP Admin to explore your LDAP and check the cn value for that user, but also your cn for the user group you want users to have access to.

If you're struggling, you can always email me and I can help look into it, so long as you can provide access somehow to your environment so I can debug it.

LeonardoIdalgo commented 1 month ago

Good evening, what's your email? I'm a bit new here on GitHub.

Could you help me with this? I believe I can't proceed right now since I would need authorization from my manager to connect to my environment. For the moment, I'm trying to resolve this on my own.

I got my Bind DN directly from my user’s Distinguished Name, and the structure has already been created with spaces. I was able to connect easily to my LDAP using the same credentials in LDAP Soft. I think the issue might be that JSON doesn’t handle spaces or even the º symbol in Informática.

Here’s my Bind DN:

CN=LEONARDO VXXXXXE IDALGO,OU=USUARIOS,OU=1º - INFORMATICA,OU=MXXXXL PXXXRA,OU=COXXXXXXO HOXXXXXR MXXXXXXI,DC=mxxxxxx,DC=xx,DC=xxx,DC=xx

Any insights would be greatly appreciated!

si458 commented 1 month ago

My email is on my GitHub profile page. But yes, there is a possibility the JSON and LDAP don't like those special symbols! One way of proving this is to create a group without spaces and a user without special characters.
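The two configuration pitfalls raised in this thread, keys that MeshCentral ignores because they start with an underscore and DN values with quotes or characters that need escaping, can be checked before restarting the server. The script below is an added example, not MeshCentral code; it assumes the config has already been parsed as plain JSON, and its sample config, hostnames and DNs are constructed. Per RFC 4514, spaces and non-ASCII characters inside a DN value are legal, so only quoting and unescaped special characters are reported.

```javascript
// Added example (not MeshCentral code): lint a parsed config.json for the two LDAP pitfalls in
// this thread: keys starting with "_" are ignored (so "_LDAPOptions" does nothing), and DNs follow
// RFC 4514, where quotes are not delimiters and , + " \ < > ; need a backslash (spaces are fine).
const DN_SPECIAL = new Set([',', '+', '"', '\\', '<', '>', ';']);

// Split s on sep, leaving backslash-escaped separators inside their part.
function splitUnescaped(s, sep) {
  const parts = []; let cur = '';
  for (let i = 0; i < s.length; i++) {
    if (s[i] === '\\' && i + 1 < s.length) { cur += s[i] + s[++i]; continue; }
    if (s[i] === sep) { parts.push(cur); cur = ''; } else cur += s[i];
  }
  parts.push(cur);
  return parts;
}

// Check one DN string; returns a list of problems (empty when the DN is well formed).
function checkDn(dn) {
  const problems = [];
  for (const rdn of splitUnescaped(dn, ',').flatMap(r => splitUnescaped(r, '+'))) {
    const eq = rdn.indexOf('=');
    if (eq < 1) { problems.push(`"${rdn}" is not attribute=value`); continue; }
    const type = rdn.slice(0, eq).trim(), value = rdn.slice(eq + 1);
    if (/^(['"]).+\1$/.test(value)) { problems.push(`${type} value ${value} is wrapped in quotes, which LDAP keeps as part of the value`); continue; }
    if (value[0] === ' ' || value[0] === '#' || (value.endsWith(' ') && !value.endsWith('\\ ')))
      problems.push(`${type} value has an unescaped leading/trailing space or leading #`);
    for (let i = 0; i < value.length; i++) {
      if (value[i] === '\\') { i++; continue; }   // escaped pair: skip it
      if (DN_SPECIAL.has(value[i])) { problems.push(`${type} value has unescaped "${value[i]}"`); break; }
    }
  }
  return problems;
}

// Walk a parsed config: "_"-prefixed keys (and their subtrees) are reported as ignored; every other string that looks like a DN (attr=...) is checked with checkDn.
function lintConfig(config) {
  const ignored = [], dnProblems = [];
  const walk = (node, path) => {
    for (const [key, val] of Object.entries(node)) {
      const here = [...path, key === '' ? '""' : key];
      if (key.startsWith('_')) ignored.push(here.join('.'));
      else if (val !== null && typeof val === 'object') walk(val, here);
      else if (typeof val === 'string' && /^[A-Za-z][A-Za-z0-9-]*=/.test(val))
        checkDn(val).forEach(p => dnProblems.push(`${here.join('.')}: ${p}`));
    }
  };
  walk(config, []);
  return { ignored, dnProblems };
}

// Constructed sample modelled on the thread's configs (hostnames and DNs are made up).
const SAMPLE_CONFIG = {
  domains: {
    '': {
      _auth: 'ldap',   // leading underscore: LDAP is off and local auth is in effect
      ldapUserRequiredGroupMembership: ["CN='meshcentralusers',OU=Users,OU=Iowa City,DC=example,DC=test"],
      ldapOptions: { bindDN: 'CN=svc-mesh,OU=Users,OU=Iowa City,DC=example,DC=test' }
    },
    customer1: { auth: 'ldap', _LDAPOptions: { URL: 'ldap://dc1.example.test:636' } }
  }
};
```

For a real file, call lintConfig on the result of JSON.parse over config.json and review both lists; an LDAP key in the ignored list means the server is still on local authentication.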

baclaeys commented 1 month ago

The only thing I can think of that looks a bit weird is CN='meshcentralusers',OU=Users,OU=Iowa City,OU=Sites,DC=cis,DC=pg,DC=com. I don't think the CN should have ' around them?

One other thing you could try is to run the server in debug mode and watch the LDAP logins (requires a restart of your MeshCentral, sadly):

node node_modules/meshcentral --debug ldap,authlog

OR the below inside your config.json (still requires a restart):

{
  "settings": {
    "debug": "ldap,authlog"
  },
  ...
}

Thank you for sharing the debug configuration. After testing for a few days with a new bind user account, I have had no other issues with LDAP authentication. I am not sure what the issue was/is with that other user account. It would still be nice to find the root issue, but I do not know which direction to go to troubleshoot. Perhaps this is not the place for that issue.