LDAP integration with trial enterprise edition of dotcms 4.1.1 is not working


Ravi Kumar
Hi,

I am new to dotcms. I am trying to integrate openLDAP with the trial enterprise edition of dotcms 4.1.1. I have installed dotcms 4.1.1 and openLDAP 2.4.* on my local Windows operating system.

I have read the documentation and followed the steps below:

https://dotcms.com/docs/latest/ldap-configuration

1. Logged in as admin and created a new role in dotcms. The role name is "cms" and the key for this role is "dotcmsadmin". Provided access to the Tabs.

2. I have logged into openLDAP and created users and groups. The LDAP tree looks like this:

    suffix: dc=maxcrc,dc=com
        ou=groups  (ou=groups,dc=maxcrc,dc=com)
            cn=dotcmsadmin  (cn=dotcmsadmin,ou=groups,dc=maxcrc,dc=com)
        ou=People
            cn=ram  (cn=ram,ou=People,dc=maxcrc,dc=com)
            cn=krish  (cn=krish,ou=People,dc=maxcrc,dc=com)

I added the 2 users to the "dotcmsadmin" group as members.

Following are the user (ram) attributes in LDAP:

    objectclass  = inetOrgPerson (structural)
    objectclass  = organizationalPerson (structural)
    objectclass  = person (structural)
    objectclass  = top (abstract)
    cn           = ram
    sn           = ram
    displayName  = ram
    givenName    = ram
    mail         = [hidden email]
    manager      = cn=dotcmsadmin,ou=groups,dc=maxcrc,dc=com
    title        = dotcmsadmin
    userPassword = xxxxxxxxx

Note: Since I am not able to add the memberOf attribute to the user, I have mapped the group details to the "manager" attribute.


3. I used the ROOT folder plugin to override the portal.properties file. Copied "dotcms_4.1.1\dotserver\tomcat-8.0.18\webapps\ROOT\WEB-INF\classes\portal.properties" to "\dotcms_4.1.1\plugins\com.dotcms.config\ROOT\dotserver\tomcat-8.0.18\webapps\ROOT\WEB-INF\classes\portal-ext.properties" and modified the properties below:


    # LDAP (LDAP Servers)
    # once a user is authenticated, LDAP will query the user and pull a list
    # of groups that the user belongs to
    # These groups will be created in the CMS on the fly and the CMS user will
    # be associated with them.
    auth.pipeline.pre=com.dotcms.enterprise.LDAPProxy
    auth.impl.ldap.initial.context.factory=com.sun.jndi.ldap.LdapCtxFactory
    # Set SSL if you are using LDAPS or leave blank
    auth.impl.ldap.security.authentication=
    # set path to keystore with root server cert imported or leave blank
    auth.impl.ldap.security.keystore.path=
    auth.impl.ldap.host=localhost
    auth.impl.ldap.port=389
    # should be full dn of user
    auth.impl.ldap.userid=cn=Manager,dc=maxcrc,dc=com
    auth.impl.ldap.password=secret
    auth.impl.ldap.domainlookup=dc=maxcrc,dc=com
    auth.impl.build.groups=true
    auth.impl.ldap.build.group.name.filter=^(.+)
    # Prefix the dotcms should strip from group name. Leave blank to not strip any prefix.
    auth.impl.ldap.build.group.name.filter.strip=
    # If you set to false any user created from LDAP will not be able to log into the dotCMS if LDAP is not available.
    auth.impl.ldap.syncPassword=true
    # The following attributes can be used to match up dotCMS user properties to LDAP Attributes. Uncomment all attributes.
    # If you leave the attribute blank then it will not be synced from LDAP.
    # NOTE: YOU CANNOT HAVE A GROUP NAME WITH A "=" IN IT

    auth.impl.ldap.attrib.user=mail
    auth.impl.ldap.attrib.firstName=cn
    auth.impl.ldap.attrib.middleName=givenName
    auth.impl.ldap.attrib.lastName=sn
    auth.impl.ldap.attrib.nickName=
    auth.impl.ldap.attrib.email=mail
    auth.impl.ldap.attrib.gender=
    auth.impl.ldap.attrib.group=manager

4. Deployed using "deploy-plugins.bat" and restarted dotcms.

Issue:

When I try to log in with the default admin user "[hidden email]" it is not able to log in, and the console shows "Authentication failed. Please try again". (In LDAP also we don't have a user with the name "admin".)

Even when I try with the LDAP user "[hidden email]" it gives the "Authentication failed. Please try again" message. Nothing is displayed in the log files except the message below:

ERROR ejb.UserManagerImpl: Could not find the user: null, return DNE

Tried the things below as well:

1. Able to connect to LDAP through Jxplorer.
2. auth.impl.ldap.attrib.group=manager (changed the attribute to "title" instead of "manager").

I am clueless now; hope someone can help with this.

Thanks,
Ravi.

--
http://dotcms.com - Open Source Java Content Management
---
You received this message because you are subscribed to the Google Groups "dotCMS User Group" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To post to this group, send email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/dotcms/2d984ce0-eac7-4665-aeed-8d9cea1b3336%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: LDAP integration with trial enterprise edition of dotcms 4.1.1 is not working

Jason Tesser-2
OK, so a few things:

1. Look here: https://dotcms.com/docs/latest/ldap-configuration#MatchingAttributes
The properties in the dotcms config must be exposed as attributes in LDAP. I say this because you are pointing the group at a CN path. It needs to be an attribute of your user.
2. If your auth works from Jxplorer with the EXACT same baseDN and auth user etc., it should work from us also for auth. So make sure when testing in Jxplorer you are using this in the connection settings:
    auth.impl.ldap.userid=cn=Manager,dc=maxcrc,dc=com
    auth.impl.ldap.password=secret
    auth.impl.ldap.domainlookup=dc=maxcrc,dc=com
AND then that you can authenticate with the mail attribute as the attribute, because you are telling dotcms to use mail as the user. So that means the email which is stored in mail has the password and all attributes stored on that user returned.

On Fri, Nov 3, 2017 at 6:21 AM Ravi Kumar <[hidden email]> wrote:

Re: LDAP integration with trial enterprise edition of dotcms 4.1.1 is not working

Ravi Kumar
Thanks for the reply.

If you look at the LDAP attributes of user (ram) I mentioned in this mail thread, all the defined attributes are exposed as user attributes. Also, I didn't face any issues connecting to LDAP with Jxplorer. Please see the attached file.

A few questions:

1. Does the trial version of dotcms enterprise edition support LDAP integration?

2. Do we need to use the same attributes mentioned in the documentation, or can we use related attributes as well? Because I used the "manager" attribute of the LDAP user as a "memberOf" attribute and "mail" for user, etc.

3. Do we need any other configuration?

4. Any other pointers to debug this issue?

I am attaching screenshots of the role details in dotcms and the LDAP user attributes.

Thanks & Regards,
Ravi.






On Friday, November 3, 2017 at 9:08:52 PM UTC+8, LORDs_diakonos wrote:
Attachments: ldap-user-attributes.png (37K), role-in-dotcms.png (75K), JXplorer.png (45K)

Re: LDAP integration with trial enterprise edition of dotcms 4.1.1 is not working

Jason Tesser
Let me see if I can move you along a bit :-)

1. Does the trial version of dotcms enterprise edition support LDAP integration?

Answer: YES. The trial functions as a license. If you are interested in purchasing, I can have a business person here at dotcms reach out to you. Sometimes we are able to do a POC depending on the engagement.

2. Do we need to use the same attributes mentioned in the documentation, or can we use related attributes as well? Because I used the "manager" attribute of the LDAP user as a "memberOf" attribute and "mail" for user, etc.

Answer: The left side of the equals sign must be the same, meaning the property names, but NOT the values.

3. Do we need any other configuration?

Answer: Should not.

4. Any other pointers to debug this issue?

Answer: Your manager in OpenLDAP is not right. It needs to be the actual group name, which maps to a role key in dotcms that has permissions and layouts. That is what I meant in the last response. You have a full CN path in there.

On Sun, Nov 5, 2017 at 12:27 AM Ravi Kumar <[hidden email]> wrote:
--
3059 Grand Avenue
Suite 410-B
Miami FL 33133
Main: 305-900-2001 | Direct: 978.294.9429

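Jason's two replies above boil down to two checks that can be reproduced offline: the attribute named by auth.impl.ldap.attrib.user must identify the login, and the attribute named by auth.impl.ldap.attrib.group must carry a plain group name that matches a dotCMS role key, not a DN (the shipped properties file itself says a group name cannot contain "="). The script below is an added example, not dotCMS's or the poster's code; it works on a constructed LDIF copy of the cn=ram entry with a placeholder mail address, the role key "dotcmsadmin" from the first post, and its own helper functions (the RFC 4515 filter escaping is mine, not a dotCMS internal).

```python
import re

# Constructed from the properties posted in the thread (only the mapping keys matter here).
PORTAL_EXT_PROPERTIES = """
auth.impl.ldap.domainlookup=dc=maxcrc,dc=com
auth.impl.ldap.attrib.user=mail
auth.impl.ldap.attrib.firstName=cn
auth.impl.ldap.attrib.lastName=sn
auth.impl.ldap.attrib.email=mail
auth.impl.ldap.attrib.group=manager
"""

# Constructed LDIF for the cn=ram entry described in the thread; the mail
# address is a placeholder, not the poster's real one.
USER_LDIF = """
dn: cn=ram,ou=People,dc=maxcrc,dc=com
objectClass: inetOrgPerson
cn: ram
sn: ram
givenName: ram
mail: ram@example.invalid
manager: cn=dotcmsadmin,ou=groups,dc=maxcrc,dc=com
title: dotcmsadmin
"""

# Role keys defined in dotCMS (the role "cms" has key "dotcmsadmin" in the first post).
DOTCMS_ROLE_KEYS = {"dotcmsadmin"}


def parse_properties(text):
    """Parse Java-style key=value lines; split on the FIRST '=' only,
    because values such as dc=maxcrc,dc=com contain '=' themselves."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def parse_ldif_entry(text):
    """Minimal LDIF reader for one entry: attribute names are case-insensitive
    and may repeat, so values are collected into lists."""
    entry = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entry


def ldap_filter_escape(value):
    """Escape a login value for use inside an LDAP search filter (RFC 4515),
    so a login containing '*', '(' or ')' cannot widen the search."""
    for raw, esc in (("\\", r"\5c"), ("*", r"\2a"), ("(", r"\28"), (")", r"\29"), ("\x00", r"\00")):
        value = value.replace(raw, esc)
    return value


def user_search_filter(props, login):
    """Filter the bind user (cn=Manager) would search with under the
    domainlookup base to find the login, e.g. (mail=ram@example.invalid)."""
    attr = props["auth.impl.ldap.attrib.user"]
    return f"({attr}={ldap_filter_escape(login)})"


def check_mapping(props, entry, role_keys):
    """Return a list of problems with the attrib.user / attrib.group mapping."""
    problems = []
    user_attr = props.get("auth.impl.ldap.attrib.user", "").lower()
    if not entry.get(user_attr):
        problems.append(f"entry has no '{user_attr}' attribute; the login cannot be resolved")
    group_attr = props.get("auth.impl.ldap.attrib.group", "").lower()
    values = entry.get(group_attr, [])
    if not values:
        problems.append(f"entry has no '{group_attr}' attribute; no roles will be granted")
    for value in values:
        if "=" in value:
            problems.append(f"group value '{value}' is a DN; dotCMS expects a plain group name")
        elif value not in role_keys:
            problems.append(f"group '{value}' matches no dotCMS role key")
    return problems


if __name__ == "__main__":
    props = parse_properties(PORTAL_EXT_PROPERTIES)
    entry = parse_ldif_entry(USER_LDIF)
    print("search filter:", user_search_filter(props, "ram@example.invalid"))
    for problem in check_mapping(props, entry, DOTCMS_ROLE_KEYS) or ["mapping OK"]:
        print("-", problem)
    # Pointing attrib.group at 'title' (which holds the bare role key) clears the problem.
    props["auth.impl.ldap.attrib.group"] = "title"
    print("with attrib.group=title:", check_mapping(props, entry, DOTCMS_ROLE_KEYS) or "mapping OK")
```

Run against the posted configuration it flags the manager value as a DN; with attrib.group pointed at title, which holds the bare key "dotcmsadmin", the mapping passes.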

Re: LDAP integration with trial enterprise edition of dotcms 4.1.1 is not working

Ravi Kumar
Thank you very much for the details.

Based on your response, I understood that the community edition of dotcms with the 30-day free enterprise licence would not work with LDAP integration; we need to have a separate licence for it.

As we are just exploring dotcms features and doing some POCs, we are not sure about purchasing a licence. OK, will let you know soon.
 

Thanks,
Ravi.

On Monday, November 6, 2017 at 9:06:57 PM UTC+8, Jason Tesser wrote:
Let me see if I can move you along a bit :-)
1. Does the trial version of dotcms enterprise edition support LDAP integration?

Answer: YES. The trial functions as a license. If you are interested in purchasing I can have a business person here at dotcms reach out to you. Sometimes we are able to do a POC depending on the engagement.

2. Do we need to use the same attributes mentioned in the documentation, or can we use relative attributes as well? Because I used the "manager" attribute of the LDAP user as the "memberOf" attribute and "mail" for the user, etc.

Answer: the left side of the equals sign must stay the same, meaning the property names, but NOT the values.

3. Do we need any other configurations?

Answer: should not.

4. Any other pointers to debug this issue?

Answer: your manager in OpenLDAP is not right. It needs to be the actual group name which maps to a role key in dotcms that has permissions and layouts. That is what I meant in the last response. You have a full CN path in there.


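The role-key point in answer 4 above (the group attribute must hold the bare group name that equals a dotCMS role key, and the shipped config note says a group name cannot contain "="), as an added example that is not dotCMS's own code: a small Python model of how the auth.impl.ldap.attrib.* mapping from the thread is applied to the user entry "ram". The filter semantics (the first capture group of auth.impl.ldap.build.group.name.filter is the group name, then the strip prefix is removed) and the sample attribute values are assumptions of this model.

```python
import re

# Constructed sample of the user "ram" from the thread (values are hypothetical;
# the real mail value is hidden in the post).
LDAP_USER = {
    "cn": ["ram"],
    "sn": ["ram"],
    "givenName": ["ram"],
    "displayName": ["ram"],
    "mail": ["ram@maxcrc.example"],
    "manager": ["cn=dotcmsadmin,ou=groups,dc=maxcrc,dc=com"],
    "title": ["dotcmsadmin"],
}

# Role keys defined in dotCMS: the thread's role "cms" has key "dotcmsadmin".
DOTCMS_ROLE_KEYS = {"dotcmsadmin"}

# The auth.impl.ldap.attrib.* mapping from the thread's portal-ext.properties
# (dotCMS property name -> LDAP attribute name; blank means "not synced").
ATTRIB_MAP = {
    "user": "mail", "firstName": "cn", "middleName": "givenName",
    "lastName": "sn", "nickName": "", "email": "mail", "gender": "",
    "group": "manager",
}


def missing_mapped_attributes(entry, attrib_map):
    """Return dotCMS property names whose mapped LDAP attribute is absent on the entry.

    Blank mappings are skipped: the config comment says they are simply not synced.
    """
    return sorted(prop for prop, attr in attrib_map.items()
                  if attr and attr not in entry)


def group_names(entry, group_attrib, name_filter=r"^(.+)", strip_prefix=""):
    """Derive group names from the configured group attribute.

    Assumed model: each attribute value is matched against
    auth.impl.ldap.build.group.name.filter and the first capture group is the
    group name; auth.impl.ldap.build.group.name.filter.strip is then removed
    from its start if present.
    """
    pattern = re.compile(name_filter)
    names = []
    for value in entry.get(group_attrib, []):
        match = pattern.match(value)
        if not match:
            continue
        name = match.group(1) if match.groups() else match.group(0)
        if strip_prefix and name.startswith(strip_prefix):
            name = name[len(strip_prefix):]
        names.append(name)
    return names


def check_group_mapping(entry, group_attrib, role_keys, **filter_opts):
    """Map each derived group name to a verdict: usable role key, or why not."""
    verdicts = {}
    for name in group_names(entry, group_attrib, **filter_opts):
        if "=" in name:
            # A full DN in the attribute ("cn=...,ou=...") can never be a role key.
            verdicts[name] = "invalid: contains '=' (a DN, not a group name)"
        elif name in role_keys:
            verdicts[name] = "ok: matches a dotCMS role key"
        else:
            verdicts[name] = "unmatched: no dotCMS role has this key"
    return verdicts


if __name__ == "__main__":
    print("missing attributes:", missing_mapped_attributes(LDAP_USER, ATTRIB_MAP))
    print("group=manager:", check_group_mapping(LDAP_USER, "manager", DOTCMS_ROLE_KEYS))
    print("group=title:  ", check_group_mapping(LDAP_USER, "title", DOTCMS_ROLE_KEYS))
```

Run against the thread's entry, the "manager" mapping yields the full DN and is rejected, while "title" yields "dotcmsadmin" and matches the role key; pointing "group" at the unavailable "memberOf" attribute is reported as a missing attribute before any group is derived.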

Re: LDAP integration with trial enterprise edition of dotcms 4.1.1 is not working

Jason Tesser-2

The 30-day trial works. The community edition after the trial does not.

