datahub-project / datahub

The Metadata Platform for your Data and AI Stack
https://datahubproject.io
Apache License 2.0

LDAP Configuration in wherehows 1.0 #616

Closed mpostument closed 4 years ago

mpostument commented 7 years ago

Hello,

I am trying to configure ldap authentication. My current configuration

authentication.ldap.url = "ldap://my.dalp.server:389"
authentication.principal.domain = "@mydomain.com"
authentication.ldap.search.base = "OU=Corp,DC=mydomain,DC=com"

But i am getting an error:

|      1 | testuser | LDAP                | FAILURE | javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903D9, comment: AcceptSecurityContext error, data 52e, v2580 ] | 2017-07-25 13:07:03 |

Update: I've found how to use ldap. You need to create a user in the database with 'LDAP' as authentication_type and without a password. But shouldn't wherehows automatically create this record in the database when the user tries to log in?

shpark76 commented 7 years ago

Compared to my ldap configuration, your config envs look like it should work as well.

Run the debugger in the file below, then figure out the populated values at debug runtime.

wherehows-frontend/app/security/AuthenticationManager.java

  84: Hashtable<String, String> env =
  85:     buildEnvContext(userName, password, contextFactories, ldapUrls[i], principalDomains[i]);

wherehows-frontend/conf/application.conf

  authentication.ldap.context_factory_class = "com.sun.jndi.ldap.LdapCtxFactory"
  authentication.ldap.url = "ldap://my.dalp.server:389"   or   "ldaps://my.dalp.server:389"
  authentication.principal.domain = "@mydomain.com"
  authentication.ldap.search.base = "OU=Corp,DC=mydomain,DC=com"

mars-lan commented 7 years ago

Error code 49 means LDAP_INVALID_CREDENTIALS: http://wiki.servicenow.com/index.php?title=LDAP_Error_Codes#gsc.tab=0 Data code 52e means invalid credentials: http://www.imrantariq.com/blog/data-codes-related-to-ldap-error-code-49-with-microsoft-active-directory/

So it seems like you're connecting to the LDAP server, but the server rejects the password?
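As an added example (not code from this thread or from WhereHows), a small Python helper that decodes the Active Directory sub-code that follows "error code 49" in the failure messages stored in user_login_history, so a defender can tell a wrong password (52e) apart from a locked, disabled or expired account, and can spot the unprocessed-referral case seen later in this thread. The sample messages are constructed to match the format shown above.

```python
import re
from typing import NamedTuple, Optional

# Active Directory sub-codes that accompany "LDAP: error code 49" (invalid credentials).
# The "data 52e" in this thread means the account exists but the password was rejected.
AD_DATA_CODES = {
    "525": "user not found",
    "52e": "invalid credentials (existing account, wrong password)",
    "530": "not permitted to log on at this time",
    "531": "not permitted to log on from this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

# Matches "[LDAP: error code 49 - 80090308: LdapErr: ..., data 52e, v2580 ]"
_CODE_RE = re.compile(r"LDAP: error code (\d+) - .*?data ([0-9a-f]+)", re.IGNORECASE)


class LdapBindFailure(NamedTuple):
    error_code: int
    data_code: str
    meaning: str


def classify_ldap_failure(message: str) -> Optional[LdapBindFailure]:
    """Map a JNDI/AD failure message to a human-readable reason, or None if unrecognised."""
    if "PartialResultException" in message and "Continuation Reference" in message:
        # A search hit a referral that the JNDI client did not follow; not a password problem.
        return LdapBindFailure(0, "", "unprocessed referral (PartialResultException), not a credential error")
    m = _CODE_RE.search(message)
    if not m:
        return None
    code, data = int(m.group(1)), m.group(2).lower()
    meaning = AD_DATA_CODES.get(data, "unknown AD sub-code") if code == 49 else "not an invalid-credentials error"
    return LdapBindFailure(code, data, meaning)


def summarize_failures(rows) -> dict:
    """Count reasons over (username, auth_type, status, message) tuples like user_login_history rows."""
    counts: dict = {}
    for _user, auth_type, status, message in rows:
        if status != "FAILURE" or auth_type != "LDAP":
            continue
        f = classify_ldap_failure(message)
        key = f.meaning if f else "unparsed"
        counts[key] = counts.get(key, 0) + 1
    return counts


# Constructed samples in the same shape as the messages quoted in this issue.
SAMPLE_52E = ("javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: "
              "DSID-0C0903D9, comment: AcceptSecurityContext error, data 52e, v2580 ]")
SAMPLE_775 = ("javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: "
              "DSID-0C0903A8, comment: AcceptSecurityContext error, data 775, v1db1 ]")
SAMPLE_REFERRAL = ("javax.naming.PartialResultException: Unprocessed Continuation Reference(s); "
                   "remaining name 'DC=corp,DC=example,DC=com'")
```

Feeding the message column of user_login_history through summarize_failures separates users who simply mistyped a password from accounts that are locked or disabled, and from client-side referral problems that no password change will fix.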

wenhuaOpenx commented 7 years ago

Hi Mars, This is the front-end log, when I remove my name from 'user' table, and try login using my ldap account:

2017-08-15 00:35:35 ERROR application:176 - UserDAO getCurrentUser failed, username = wenhua.wang
2017-08-15 00:35:35 ERROR application:177 - Exception = Incorrect result size: expected 1, actual 0
2017-08-15 00:35:35 ERROR application:117 - Piwik site ID must be an integer
2017-08-15 00:35:45 WARN application:102 - Ldap authentication error for: wenhua.wang - ldaps://corp.openx.com:636 : javax.naming.PartialResultException: Unprocessed Continuation Reference(s); remaining name 'DC=corp,DC=openx,DC=com'

mpostument commented 7 years ago

@mars-lan but after I created the user in the users table, LDAP started working for this user

huangjun commented 7 years ago

@Infectsoldier How did you create the ldap user? Could you share the details? Thanks!

rraghav13 commented 7 years ago

@wenhuaOpenx @Infectsoldier can you please elaborate on how you added usernames to the database to login? I set up Wherehows using docker and had to pass the ldap configs via the .env file, which had the format

WHZ_LDAP_URL=ldap://ad.company.com:port
WHZ_LDAP_PRINCIPAL_DOMAIN=@company.com
WHZ_LDAP_SEARCH_BASE=DC=corp,DC=company,DC=com

Now, when I try logging in the frontend, I get invalid credentials with no error messages related to LDAP in the logs.

wherehows-frontend_1       | 2017-08-15 22:14:44 INFO  p.a.Play:97 - Application started (Prod)
wherehows-frontend_1       | 2017-08-15 22:14:44 INFO  p.c.s.NettyServer:165 - Listening for HTTP on /0:0:0:0:0:0:0:0:9000
wherehows-frontend_1       | 2017-08-15 22:14:47 INFO  application:84 - Creating DAO factory: wherehows.dao.DaoFactory
wherehows-frontend_1       | 2017-08-15 22:14:48 ERROR application:180 - Piwik site ID must be an integer

I would like to know how to add the user in the ldap table in db so that I pass through the login.

mpostument commented 7 years ago

@huangjun @raghav130593 sql code example, replace ldap_username and email with your user

  INSERT INTO users (name, username, email, authentication_type)
  SELECT nu.*
  FROM (SELECT 'ldap_username' as user, 'ldap_username' as username, 'ldap_username@email.com' as email, 'LDAP' as authentication_type) nu
  LEFT JOIN users u ON nu.email = u.email
  WHERE u.email IS NULL;

let me know if this is working for you

wenhuaOpenx commented 7 years ago

@raghav130593 For the error with Piwiki, I believe you should specify an integer value for " PIWIK_SITE_ID" in wherehows-frontend/application.env .

I also got the "Invalid credentials" error. To fix it, I added the ldap account to the 'users' table in the mysql db by running the query below. But I haven't figured out another way to fix the issue.

INSERT INTO wherehows.users (name, email, username, authentication_type) VALUES ('name', 'email', 'ldap account', 'LDAP')

rraghav13 commented 7 years ago

@wenhuaOpenx I added the user in the database by exec-ing into the mysql container. I am still getting invalid credentials when I try to login. And also the docker-compose logs have no errors regarding ldap. Also, is there just a normal username/password authentication without ldap, because I don't want to be stuck here and not be able to go ahead because of this issue.

wenhuaOpenx commented 7 years ago

If you want to avoid LDAP, here is a tricky method I've used before. Run the query as below, and change the name, password as yours.

INSERT INTO wherehows.users (name, email, username, password_digest, password_digest_type, authentication_type) VALUES ('test', 'test@openx.com', 'test', SHA1('test'), 'SHA1', 'default')

rraghav13 commented 7 years ago

@wenhuaOpenx Thank you that worked. I will have to figure out the issue with LDAP as I get the same code 49 error mentioned above when I checked the user_login_history table.

|     17 | username      | LDAP                | FAILURE | javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A8, comment: AcceptSecurityContext error, data 52e, v1db1 ] | 2017-08-17 19:06:43 |

sagartoms commented 7 years ago

@wenhuaOpenx Am I able to login without using LDAP?

jywadhwani commented 6 years ago

@Infectsoldier were you able to resolve the issue? We are now using jaas config that supports multiple forms of authentication (isn't restricted to LDAP). Let us know if we can close this issue.

mpostument commented 6 years ago

@jywadhwani haven't used wherehows for a long time. Maybe someone else can confirm?

tonglin0325 commented 6 years ago

I got the same problem: javax.naming.AuthenticationException: javax.security.auth.login.LoginException: 没有为WHZ-Authentication配置 LoginModulesIDLE

keremsahin1 commented 4 years ago

Dear issue owner,

Thanks for your interest in WhereHows. We have recently announced DataHub which is the rebranding of WhereHows. LinkedIn improved the architecture of WhereHows and rebranded WhereHows into DataHub and replaced its metadata infrastructure in this direction. DataHub is a more advanced and improved metadata management product compared to WhereHows.

Unfortunately, we have to stop supporting WhereHows to better focus on DataHub and offer more help to DataHub users. Therefore, we will drop all issues related to WhereHows and will not accept any contribution for it. Active development for DataHub has already started on datahub branch and will continue to live in there until it's finally merged to master and project is renamed to DataHub.

Please check the datahub branch to get familiar with DataHub.

Best, DataHub team