re. Daisy 2.3 upgrade LDAP issue

by Kevin Walsh


Dear list,

We continue having the problems described on the list after setting up 2.3 on a clean, new machine. When exporting from the 2.2 machine and importing on the new one, the LDAP authentication continues to fail.

From Karel's mail I learned that we need the searchBase (the repository will not start without it) and that 2.3 uses a two-step authentication: first finding the user's path and then authenticating him/her. I would love this to work, because up to now every user group had to have their own authentication scheme.

What I do not get is (config lines taken from Karel's answer):

-  <searchBase>cn=Users,dc=server,dc=domain,dc=be</searchBase>
        Why do I need to provide a qualified searchBase? Shouldn't this be exactly what daisy requests from the ldap server? What if the user sits on dc=Server2?

-  <filter>cn=$daisyLogin</filter>
        Which filter options are there other than the $daisyLogin (and the userPrincipalName Karel used in his example). Must we use a filter? What does it pass to the ldap-server?

-  <property name="java.naming.security.principal" value="cn=daisyauth,cn=Users,dc=server,dc=domain,dc=be"/>
        Is this a daisy user, or a user that was set up for the purpose of getting ldap-tree infos? Our server accepts an anonymous bind, so we shouldn't need this, nor the security credentials?

Thanks in advance,
Kevin

From: daisy-request@...
Sent by: daisy-bounces@...
Date: 29.06.2009 17:20
Reply to: daisy@...
To: daisy@...
Subject: daisy Digest, Vol 57, Issue 23

Hi,

I experimented with Daisy + ldap (on a local windows 2008 active
directory) today;  First off, my earlier suggestion was not complete -
as you may have guessed by comparing with Matthias' suggestions...

Here's what changed between Daisy 2.2 and Daisy 2.3.
In Daisy 2.2, the authentication check was nothing more than a simple
authentication check (a 'bind' in ldap terminology), using the
credentials entered in the daisy login screen as the user's DN and
password.

In Daisy 2.3, the authentication check has two phases: first the user
object is searched for (hence the searchBase and filter) in order to find
the user's DN, and only then is the password checked.
The main use case for the new approach is when an organisation's users
are not all in the same unit (e.g. dc=unit1users,dc=example,dc=com &
dc=unit2users,dc=example,dc=com)

Hence, this configuration snippet should work:

<scheme name="secret" description="LDAP Secret">
  <environment>
    <property name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>
    <property name="java.naming.provider.url" value="ldap://server.domain.be:389"/>
    <property name="java.naming.security.authentication" value="simple"/>
    <property name="java.naming.security.principal" value="cn=daisyauth,cn=Users,dc=server,dc=domain,dc=be"/>
    <property name="java.naming.security.credentials" value="xxverysecretxx"/>
  </environment>
  <searchBase>cn=Users,dc=server,dc=domain,dc=be</searchBase>
  <filter>cn=$daisyLogin</filter>
  <cache enabled="true" maxCacheSize="3000" maxCacheDuration="1800000"/>
  <autoCreateUser>...</autoCreateUser>
</scheme>

One gotcha that I ran into: You have to be careful about the user
names, because the windows logon name
may be different from the cn in the ldap directory - for example I
have a user which looks like this:

LDAP DN: cn=Karel Vervaeke,cn=Users,...
User logon name: karel@...
User logon name (pre-Windows 2000): KRB\karel

With the configuration snippet above, I have to use "Karel Vervaeke"
when logging in to daisy.  "karel" is not the correct Daisy user name.
If you need the Daisy user name to be "karel", try using the following filter:

<filter>sAMAccountName=$daisyLogin</filter>
or
<filter>userPrincipalName=$daisyLogin@...</filter>

HTH,
Karel

On Thu, Jun 25, 2009 at 2:31 PM, Bruno Dumon<bruno@...> wrote:
> If the LDAP authentication failed, whatever the reason, you should see
> a line in the log starting with the text "Failed to authenticate user
> with following environment:" followed by the settings and the
> exception, if any.
>
> This is logged to the repository log on DEBUG level, thus to the file
> {repodata}/logs/daisy
>
> The LDAP exception is not forwarded to the client in order not to
> reveal any sensitive information.
>
> On Thu, Jun 25, 2009 at 1:38 PM, Mario
> Brackeva<Mario.Brackeva@...> wrote:
>> I changed the log entry like you advised, but it doesn't make a difference.
>>
>> I cleaned up the test server and restored the production backup from last night. I then started daisy (2.2) and all is well.
>> I then upgraded (link to the 2.3 directory instead of 2.2 and run the upgrade sql script) and applied your "searchBase" patch to the myconfig.xml file. Started again, but can't log in anymore with LDAP users.
>>
>> I then replaced the file lib/daisy/jars/daisy-auth-ldap-2.3.jar with the old one from 2.2, and ...
>> ... it works fine now!
>>
>> Some other issues:
>> - When I edit a document, I don't get the WYSIWYG editor, just the plain text editor
>> - I don't see the "search&replace" option
>>
>>
>> Mario.





_______________________________________________
daisy community mailing list
Professional Daisy support: http://outerthought.org/en/services/daisy/support.html
mail to: daisy@...
list information: http://lists.cocoondev.org/mailman/listinfo/daisy

Re: re. Daisy 2.3 upgrade LDAP issue

by Karel Vervaeke

On Thu, Jul 2, 2009 at 1:21 PM, <Kevin_Walsh@...> wrote:

>
> Dear list,
>
> we continue having the problems described on the list after setting up 2.3
> on a clean, new machine. When exporting from the 2.2 machine and importing
> on the new one, the ldap authentication continues to fail.
>
> From Karel's mail I learned that we need the searchBase (the repository will
> not start without) and that 2.3 uses a two step authentication: First
> finding the user's path and then authenticating him/her. I would love this
> to work, because up to now every user group had to have their own
> authentication scheme.
>
> What I do not get is (config lines taken from Karel's answer):
>
> -  <searchBase>cn=Users,dc=server,dc=domain,dc=be</searchBase>
>         Why do I need to provide a qualified searchBase? Shouldn't this be
> exactly what daisy requests from the ldap server? What if the user sits on
> dc=Server2?

You can have multiple <scheme> elements in your ldap configuration.
You can have one with
<searchBase>cn=Users,dc=server,dc=domain,dc=be</searchBase>
and one with
<searchBase>cn=Users,dc=server2,dc=domain,dc=be</searchBase>

A wildcard approach (cn=Users,dc=*,dc=domain,dc=be) is not possible here.

>
> -  <filter>cn=$daisyLogin</filter>
>         Which filter options are there other than the $daisyLogin (and the
> userPrincipalName Karel used in his example). Must we use a filter? What
> does it pass to the ldap-server?

$daisyLogin is the only parameter there.  The filter is required,
because this is what is used to find the actual user in LDAP.

> -  <property name="java.naming.security.principal"
> value="cn=daisyauth,cn=Users,dc=server,dc=domain,dc=be"/>
>         Is this a daisy user, or a user that was set up for the purpose of
> getting ldap-tree infos? Our server accepts an anonymous bind, so we
> shouldn't need this, nor the security credentials?

If your server accepts an anonymous bind, leave out the
java.naming.security.principal & java.naming.security.credentials
parameters.

> Thanks in advance,
> Kevin
>

HTH,
Karel

RE: re. Daisy 2.3 upgrade LDAP issue

by Mario Brackeva

Right, got it working. Our config is now:

        <environment>
          <property name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>
          <property name="java.naming.provider.url" value="ldap://myserver.mydomain.local:389"/>
          <property name="java.naming.security.authentication" value="simple"/>
          <property name="java.naming.security.principal" value="cn=myaccount,ou=Service Accounts,ou=Users,ou=mydepartment
,dc=mydomain,dc=local"/>
          <property name="java.naming.security.credentials" value="mypassword"/>
        </environment>
        <searchBase>dc=mydomain,dc=local</searchBase>
        <filter>sAMAccountName=$daisyLogin</filter>
        <cache enabled="true" maxCacheSize="3000" maxCacheDuration="1800000"/>
...

Our users in Active Directory are organized in departments directly under the root. Hence the generic <searchBase>.


Mario.
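To make the two phases concrete, here is an added example in Python that models Karel's search-then-bind sequence (phase 1: bind as the service account or anonymously and search below searchBase with $daisyLogin substituted into the filter; phase 2: bind as the DN that was found, with the password the user typed), his cn versus sAMAccountName/userPrincipalName gotcha, his "one <scheme> per searchBase" answer for users under dc=server2, and Mario's root-level searchBase with sAMAccountName. This is not Daisy's code and was not posted by anyone in the thread. It runs against a small constructed in-memory directory: the users' sAMAccountName and userPrincipalName values, the "@domain.be" suffix that the thread elides, and all passwords are assumptions. Two checks it adds are also assumptions about what a safe implementation should do, not statements about Daisy: the login value is escaped per RFC 4515 before it is substituted into the filter, and a bind with an empty password is refused (RFC 4513 lets a server treat a DN with an empty password as an unauthenticated bind that "succeeds" without checking anything).

```python
"""Model of the Daisy 2.3 two-phase LDAP login: search for the user's DN, then bind.

Added example, not code from Daisy or from anyone in the thread. The directory,
the service account and all passwords below are constructed test data. The
RFC 4515 escaping of $daisyLogin and the refusal of empty-password binds are
assumptions about a safe implementation; the thread does not say what Daisy does.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed stand-in for a directory: DN -> attributes. Karel's entry mirrors
# the one in his mail; Kevin's sits under dc=server2 as in his question.
DIRECTORY: Dict[str, Dict[str, str]] = {
    "cn=Karel Vervaeke,cn=Users,dc=server,dc=domain,dc=be": {
        "cn": "Karel Vervaeke", "sAMAccountName": "karel",
        "userPrincipalName": "karel@domain.be", "userPassword": "karel-secret"},
    "cn=Kevin Walsh,cn=Users,dc=server2,dc=domain,dc=be": {
        "cn": "Kevin Walsh", "sAMAccountName": "kevin",
        "userPrincipalName": "kevin@domain.be", "userPassword": "kevin-secret"},
    "cn=daisyauth,cn=Users,dc=server,dc=domain,dc=be": {
        "cn": "daisyauth", "userPassword": "xxverysecretxx"},
}


@dataclass
class Scheme:
    """One <scheme> element: searchBase, filter and the optional service account."""
    search_base: str
    filter_template: str             # e.g. "cn=$daisyLogin"
    principal: Optional[str] = None  # java.naming.security.principal; None = anonymous
    credentials: Optional[str] = None


def escape_filter_value(value: str) -> str:
    """RFC 4515: hex-escape the characters that carry meaning inside a filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def _pattern(assertion: str) -> "re.Pattern[str]":
    """Turn the value part of an (attr=value) filter into a regex: an unescaped
    '*' is a substring wildcard, '\\XX' hex escapes are literal characters."""
    pieces = []
    for piece in assertion.split("*"):
        literal = re.sub(r"\\([0-9a-fA-F]{2})",
                         lambda m: chr(int(m.group(1), 16)), piece)
        pieces.append(re.escape(literal))
    return re.compile(".*".join(pieces))


def search(search_base: str, filter_template: str, daisy_login: str,
           escape: bool = True) -> List[str]:
    """Phase 1: subtree search below search_base with $daisyLogin substituted."""
    value = escape_filter_value(daisy_login) if escape else daisy_login
    attr, _, assertion = filter_template.replace("$daisyLogin", value).partition("=")
    regex = _pattern(assertion)
    suffix = "," + search_base.lower()
    return [dn for dn, entry in DIRECTORY.items()
            if dn.lower().endswith(suffix)
            and attr in entry and regex.fullmatch(entry[attr]) is not None]


def simple_bind(dn: Optional[str], password: Optional[str]) -> bool:
    """Model of an LDAP simple bind against the constructed directory."""
    if not dn and not password:
        return True          # anonymous bind, which Kevin's server allows
    if not dn or not password:
        # RFC 4513 'unauthenticated' bind (DN with empty password): a server that
        # accepts it reports success without checking anything, so refuse it here.
        return False
    entry = DIRECTORY.get(dn)
    return entry is not None and entry.get("userPassword") == password


def authenticate(scheme: Scheme, daisy_login: str, password: str) -> Optional[str]:
    """Both phases for one scheme. Returns the user's DN on success, else None."""
    if not simple_bind(scheme.principal, scheme.credentials):
        raise RuntimeError("service-account bind failed; check principal/credentials")
    matches = search(scheme.search_base, scheme.filter_template, daisy_login)
    if len(matches) != 1:
        return None          # unknown or ambiguous login: refuse rather than guess
    return matches[0] if simple_bind(matches[0], password) else None   # phase 2


def authenticate_any(schemes: List[Scheme], daisy_login: str,
                     password: str) -> Optional[str]:
    """Several <scheme> elements, one per searchBase, tried in order (Karel's
    answer to 'what if the user sits on dc=server2')."""
    for scheme in schemes:
        dn = authenticate(scheme, daisy_login, password)
        if dn is not None:
            return dn
    return None


if __name__ == "__main__":
    server1 = Scheme("cn=Users,dc=server,dc=domain,dc=be", "cn=$daisyLogin",
                     "cn=daisyauth,cn=Users,dc=server,dc=domain,dc=be", "xxverysecretxx")
    # Karel's gotcha: with cn=$daisyLogin the Daisy login must be the cn, not 'karel'.
    print(authenticate(server1, "Karel Vervaeke", "karel-secret"), authenticate(server1, "karel", "karel-secret"))
    # Mario's layout: generic searchBase at the domain root plus sAMAccountName.
    root = Scheme("dc=domain,dc=be", "sAMAccountName=$daisyLogin")
    print(authenticate(root, "karel", "karel-secret"), authenticate(root, "kevin", "kevin-secret"))
```

Two practical notes that follow from the configurations in the thread rather than from this example: the value of java.naming.security.credentials sits in clear text in myconfig.xml, so the file's permissions matter, and the account named in java.naming.security.principal only needs read access to the subtree under searchBase, nothing more. When a login is rejected, Bruno's pointer applies: the "Failed to authenticate user with following environment:" line in the repository log at DEBUG level shows which phase failed.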

-----Original Message-----
From: daisy-bounces@... [mailto:daisy-bounces@...] On Behalf Of Karel Vervaeke
Sent: Thursday, 2 July 2009 13:49
To: Daisy: open source CMS - general mailinglist
Subject: Re: [daisy] re. Daisy 2.3 upgrade LDAP issue
