urlaubsverwaltung / urlaubsverwaltung

No more paper chaos and boring software. We'll show you that vacation management can be fun, too.
https://urlaubsverwaltung.cloud
Apache License 2.0

Request a hint about AD/LDAP configuration #1123

Closed BurninLeo closed 3 years ago

BurninLeo commented 4 years ago

What I have seen from Urlaubplaner looks very good so far. Unfortunately, it is not a lot, because after hours of playing around with the configuration, I still fail to login via Active Directory or LDAP.

As the information on GitHub about the configuration is sparse, I hope to find the right hint here. My configuration in application.properties looks like this (anonymized):

# LDAP / AD FILTER -----------------------------------------------------------------------------------------------------
uv.security.filter.objectClass=person
uv.security.filter.memberOf=

# LDAP -----------------------------------------------------------------------------------------------------------------
uv.security.directory-service.ldap.url=ldap://ad.institution.de:3268
uv.security.directory-service.ldap.base=ou=Users,ou=XY,ou=ZAB,dc=ad,dc=institution,dc=de
uv.security.directory-service.ldap.manager-dn=CN=<USERNAME>,OU=Users,OU=XY,OU=ZAB,DC=ad,DC=institution,DC=de
uv.security.directory-service.ldap.manager-password=<PASSWORD>
uv.security.directory-service.ldap.sync.enabled=false
uv.security.directory-service.ldap.user-search-filter=(sAMAccountName={0})
uv.security.directory-service.ldap.user-search-base=ou=Users,ou=XY,ou=ZAB,dc=ad,dc=institution,dc=de
uv.security.directory-service.ldap.sync.enabled=false

This is running on a Debian server, and to test the groups and credentials, I use this command:

ldapsearch -h ad.institution.de -p 3268 -D <USERNAME> -w <PASSWORT> -b "ou=Users,ou=XY,ou=ZAB,dc=ad,dc=institution,dc=de" "(sAMAccountName=<USER2>)"

And this results in a valid find.

# extended LDIF
#
# LDAPv3
# base <ou=Users,ou=XY,ou=ZAB,dc=ad,dc=institution,dc=de> with scope subtree
# filter: (sAMAccountName=<USER2>)
# requesting: ALL
#

# <USER2>, Users, XY, ZAB, ad.institution.de
dn: CN=<USER2>,OU=Users,OU=XY,OU=ZAB,DC=ad,DC=institution,DC=de
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: <USER2>

When I now run Urlaubsplaner and try to log in with <USER2> and its (valid) credentials, the debug messages look like this:

2020-05-12 21:25:53.012 DEBUG 27295 --- [nio-8080-exec-3] o.s.s.authentication.ProviderManager     : Authentication attempt using org.springframework.security.ldap.authentication.LdapAuthenticationProvider
2020-05-12 21:25:53.013 DEBUG 27295 --- [nio-8080-exec-3] o.s.s.l.a.LdapAuthenticationProvider     : Processing authentication request for user: <USER2>
2020-05-12 21:25:53.015 DEBUG 27295 --- [nio-8080-exec-3] o.s.s.l.s.FilterBasedLdapUserSearch      : Searching for user '<USER2>', with user search [ searchFilter: '(sAMAccountName={0})', searchBase: 'ou=Users,ou=XY,ou=ZAB,dc=ad,dc=institution,dc=de', scope: subtree, searchTimeLimit: 0, derefLinkFlag: false ]
2020-05-12 21:25:53.102 DEBUG 27295 --- [nio-8080-exec-3] .s.a.DefaultAuthenticationEventPublisher : No event was found for the exception org.springframework.security.authentication.InternalAuthenticationServiceException
2020-05-12 21:25:53.108 ERROR 27295 --- [nio-8080-exec-3] w.a.UsernamePasswordAuthenticationFilter : An internal error occurred while trying to authenticate the user.

org.springframework.security.authentication.InternalAuthenticationServiceException: [LDAP: error code 32 - 0000208D: NameErr: DSID-03100241, problem 2001 (NO_OBJECT), data 0, best match of:
        'OU=Users,OU=XY,OU=ZAB,DC=ad,DC=institution,DC=de'
]; nested exception is javax.naming.NameNotFoundException: [LDAP: error code 32 - 0000208D: NameErr: DSID-03100241, problem 2001 (NO_OBJECT), data 0, best match of:
        'OU=Users,OU=XY,OU=ZAB,DC=ad,DC=institution,DC=de'
]; remaining name 'ou=Users,ou=XY,ou=ZAB,dc=ad,dc=institution,dc=de'
        at org.springframework.security.ldap.authentication.LdapAuthenticationProvider.doAuthentication(LdapAuthenticationProvider.java:206) ~[spring-security-ldap-5.1.8.RELEASE.jar!/:5.1.8.RELEASE]
        at org.springframework.security.ldap.authentication.AbstractLdapAuthenticationProvider.authenticate(AbstractLdapAuthenticationProvider.java:85) ~[spring-security-ldap-5.1.8.RELEASE.jar!/:5.1.8.RELEASE]

This is where I do not find another setting or option to try. If you have an idea what is going wrong, I would very much appreciate a hint. And of course I would also be happy about an answer in German ... the English GitHub interface tempted me into writing in English :)
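An added diagnostic (not part of the project or of this issue) that parses the NameNotFoundException above and checks it against the application.properties values. It assumes Spring Security's FilterBasedLdapUserSearch resolves user-search-base relative to the context-source base (ldap.base), so that JNDI's "best match" is the part of the name the server could resolve and "remaining name" the part it could not.

```python
import re

# Constructed sample: the exception from the issue, with the same anonymised placeholders.
SAMPLE_EXCEPTION = (
    "javax.naming.NameNotFoundException: [LDAP: error code 32 - 0000208D: NameErr: "
    "DSID-03100241, problem 2001 (NO_OBJECT), data 0, best match of:\n"
    "        'OU=Users,OU=XY,OU=ZAB,DC=ad,DC=institution,DC=de'\n"
    "]; remaining name 'ou=Users,ou=XY,ou=ZAB,dc=ad,dc=institution,dc=de'"
)
# Values from the application.properties in the issue.
CONFIGURED_BASE = "ou=Users,ou=XY,ou=ZAB,dc=ad,dc=institution,dc=de"
CONFIGURED_USER_SEARCH_BASE = "ou=Users,ou=XY,ou=ZAB,dc=ad,dc=institution,dc=de"

def normalize_dn(dn):
    """Case-fold and trim each RDN so AD's 'OU=...' and the config's 'ou=...' compare equal.
    Sufficient for the DNs in this issue; not a full RFC 4514 parser."""
    return ",".join(rdn.strip().lower() for rdn in dn.split(",")) if dn else ""

def parse_name_not_found(text):
    """Pull result code, AD error, problem name, best match and remaining name out of a
    JNDI NameNotFoundException as Spring Security logs it. Returns None if the shape differs."""
    code = re.search(r"error code (\d+) - ([0-9A-Fa-f]{8}): \w+: DSID-[0-9A-Fa-f]+, "
                     r"problem (\d+) \((\w+)\)", text)
    best = re.search(r"best match of:\s*'([^']*)'", text)
    remaining = re.search(r"remaining name '([^']*)'", text)
    if not (code and best and remaining):
        return None
    return {"result_code": int(code.group(1)), "ad_error": code.group(2),
            "problem": code.group(4), "best_match": best.group(1),
            "remaining_name": remaining.group(1)}

def diagnose(exc_text, base, user_search_base):
    """Classify a result code 32 (noSuchObject) raised by the user search.

    Assumption (Spring Security LDAP behaviour, not stated in the issue): FilterBasedLdapUserSearch
    treats user-search-base as relative to the context-source base, so the server is asked for
    '<user-search-base>,<base>'. JNDI reports the resolvable prefix as 'best match' and the
    unresolved rest as 'remaining name'. If those equal base and user-search-base respectively,
    the base DN was effectively written twice."""
    info = parse_name_not_found(exc_text)
    if info is None or info["result_code"] != 32:
        return "other"
    if (normalize_dn(info["best_match"]) == normalize_dn(base)
            and normalize_dn(info["remaining_name"]) == normalize_dn(user_search_base)):
        return "base_doubled"  # fix: make user-search-base relative to base (e.g. empty)
    return "no_such_object"  # the remaining name really does not exist under the best match

if __name__ == "__main__":
    print(diagnose(SAMPLE_EXCEPTION, CONFIGURED_BASE, CONFIGURED_USER_SEARCH_BASE))
```

The ldapsearch in the post succeeds because it passes the full base DN once with -b; the check above tells the same full DN being composed twice apart from a genuinely missing object.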

derTobsch commented 4 years ago

@BurninLeo did it work for you in the end? From a distance it is hard to say how your LDAP is structured.

BurninLeo commented 4 years ago

Unfortunately not ... with ldapsearch I get valid entries from the AD (see above), but apparently I fail at getting Urlaubsplaner to send the right query so that a matching answer comes back :(

BurninLeo commented 4 years ago

I spent several more hours on the LDAP integration, experimenting and provoking different errors ... unfortunately the debugging information is so sparse (for example, you cannot have it show the query as it was sent to the LDAP server) that it is incredibly difficult to find starting points for troubleshooting.

github-actions[bot] commented 4 years ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.