Hi,
sorry for the noise, but it seems I had to write this message to find the error :)
Fix:

~~handler.yaml~~
ADPassword:
    type: Connector
    label: LDAP Login for Users
    role: User
    source@: connector:auth.connector.userAD


Best regards,

Stefan

________________________________________
From: Stefan Weigel <[email protected]>
Sent: Wednesday, 26 January 2022 16:10
To: [email protected]
Subject: [OpenXPKI-users] LDAP authentication

Hi,
I have read the documentation and also found a thread message (https://www.mail-archive.com/[email protected]/msg02218.html) with a (for the user) working configuration.
But I can't get it working:

~~stack.yaml~~
ADPassword:
    label: User AD-Login
    description: Login with username and password (from AD)
    handler: ADPassword
    type: passwd

~~handler.yaml~~
ADPassword:
    type: Connector
    label: LDAP Login for Users
    role: User
    user@: connector:auth.connector.userAD

~~connector.yaml~~
userAD:
    class: Connector::Builtin::Authentication::LDAP
    LOCATION: ldaps://localhost:636
    base: dc=example,dc=org
    binddn: cn=openxpki,dc=example,dc=org
    password: <bindpw>
    sslversion: tlsv1_3
    debug: 1
    verify: none
    capath: /etc/ssl/certs/
    cafile: /etc/ssl/certs/ca-certificates.crt
    filter: "(uid=[% LOGIN %])"

With 'type: Connector' in handler.yaml I'm getting:
2022/01/26 15:51:25 DEBUG Call get in Multi to realm.genuaca.auth.connector.userAD.capath [pid=18128|sid=0mzS]
2022/01/26 15:51:25 DEBUG Call get_meta in Multi to realm.genuaca.auth.connector.userAD.create [pid=18128|sid=0mzS]
2022/01/26 15:51:25 DEBUG Call get_meta in Multi to realm.genuaca.auth.connector.userAD.timelimit [pid=18128|sid=0mzS]
2022/01/26 15:51:25 DEBUG Call get_meta in Multi to realm.genuaca.auth.connector.userAD.scope [pid=18128|sid=0mzS]
2022/01/26 15:51:25 DEBUG Call get_meta in Multi to realm.genuaca.auth.connector.userAD.certificate_file [pid=18128|sid=0mzS]
2022/01/26 15:51:25 DEBUG Call get_meta in Multi to realm.genuaca.auth.connector.userAD.attrs [pid=18128|sid=0mzS]
2022/01/26 15:51:25 DEBUG Call get_meta in Multi to realm.genuaca.auth.connector.userAD.bind [pid=18128|sid=0mzS]
2022/01/26 15:51:25 DEBUG Call get_meta in Multi to realm.genuaca.auth.connector.userAD.ciphers [pid=18128|sid=0mzS]
2022/01/26 15:51:25 DEBUG Call get_meta in Multi to realm.genuaca.auth.connector.userAD.keepalive [pid=18128|sid=0mzS]
2022/01/26 15:51:25 DEBUG Call get_meta in Multi to realm.genuaca.auth.connector.userAD.LOCATION [pid=18128|sid=0mzS]
2022/01/26 15:51:25 DEBUG Call get in Multi to realm.genuaca.auth.connector.userAD.LOCATION [pid=18128|sid=0mzS]
2022/01/26 15:51:25 DEBUG Call get_meta in Multi to realm.genuaca.auth.connector.userAD.ssl_ignore_mode [pid=18128|sid=0mzS]
2022/01/26 15:51:25 DEBUG Dispatch to connector at auth.connector.userAD [pid=18128|sid=0mzS]
2022/01/26 15:51:25 DEBUG Call exists in Multi to realm.genuaca.auth.handler.ADPassword.source [pid=18128|sid=0mzS]
2022/01/26 15:51:25 DEBUG Query username caop with mode combined [pid=18128|sid=0mzS]
2022/01/26 15:51:25 DEBUG Call get_hash in Multi to realm.genuaca.auth.handler.ADPassword.user.caop [pid=18128|sid=0mzS]
2022/01/26 15:51:25 DEBUG Dispatch to connector at auth.connector.userAD [pid=18128|sid=0mzS]
2022/01/26 15:51:25 INFO Got invalid auth result from handler ADPassword [pid=18128|sid=0mzS]
2022/01/26 15:51:25 DEBUG No get_hash() method defined at /usr/share/perl5/Connector.pm line 321, <DATA> line 755.
 [pid=18128|sid=0mzS]
2022/01/26 15:51:25 WARN Login failed  (user: caop, error: No get_hash() method defined at /usr/share/perl5/Connector.pm line 321, <DATA> line 755.
) [pid=18128|sid=0mzS]
2022/01/26 15:51:25 ERROR I18N_OPENXPKI_UI_AUTHENTICATION_FAILED [pid=18128|sid=0mzS]
2022/01/26 15:51:25 DEBUG Sending error $VAR1 = {
          'PARAMS' => {},
          'CLASS' => 'OpenXPKI::Exception::Authentication',
          'LABEL' => 'I18N_OPENXPKI_UI_AUTHENTICATION_FAILED'
        };
 [pid=18128|sid=0mzS]


With 'type: Password' in handler.yaml I'm getting:
2022/01/26 16:06:03 DEBUG Call get_meta in Multi to realm.genuaca.auth.connector.userAD.LOCATION [pid=18262|sid=Jjd+]
2022/01/26 16:06:03 DEBUG Call get in Multi to realm.genuaca.auth.connector.userAD.LOCATION [pid=18262|sid=Jjd+]
2022/01/26 16:06:03 DEBUG Call get_meta in Multi to realm.genuaca.auth.connector.userAD.groupdn [pid=18262|sid=Jjd+]
2022/01/26 16:06:03 DEBUG Call get_meta in Multi to realm.genuaca.auth.connector.userAD.certificate_file [pid=18262|sid=Jjd+]
2022/01/26 16:06:03 DEBUG Call get_meta in Multi to realm.genuaca.auth.connector.userAD.PREFIX [pid=18262|sid=Jjd+]
2022/01/26 16:06:03 DEBUG Dispatch to connector at auth.connector.userAD [pid=18262|sid=Jjd+]
2022/01/26 16:06:03 DEBUG Open bind to to ldaps://localhost:636 [pid=18262|sid=Jjd+]
2022/01/26 16:06:03 DEBUG Binding with cn=openxpki,dc=example,dc=org [pid=18262|sid=Jjd+]
2022/01/26 16:06:03 DEBUG Searching LDAP databse for user "caop" [pid=18262|sid=Jjd+]
2022/01/26 16:06:04 DEBUG LDAP Search options $VAR1 = 'filter';
$VAR2 = '(uid=caop)';
$VAR3 = 'base';
$VAR4 = 'dc=example,dc=org';
 [pid=18262|sid=Jjd+]
2022/01/26 16:06:04 DEBUG LDAP search returned 1 entry [pid=18262|sid=Jjd+]
2022/01/26 16:06:04 DEBUG Found 1 LDAP entries matching the user "caop" [pid=18262|sid=Jjd+]
2022/01/26 16:06:04 DEBUG Trying to bind to dn: uid=caop,ou=people,ou=internal,dc=example,dc=org [pid=18262|sid=Jjd+]
2022/01/26 16:06:04 DEBUG LDAP bind to uid=caop,ou=people,dc=example,dc=org returned error code 48 (error: Inappropriate authentication) [pid=18262|sid=Jjd+]
2022/01/26 16:06:04 WARN Authentication failed [pid=18262|sid=Jjd+]
2022/01/26 16:06:04 INFO Got invalid auth result from handler ADPassword [pid=18262|sid=Jjd+]
2022/01/26 16:06:04 DEBUG I18N_OPENXPKI_UI_LOGIN_USER_UNKNOWN [pid=18262|sid=Jjd+]
2022/01/26 16:06:04 WARN Login failed  (user: not set, error: I18N_OPENXPKI_UI_LOGIN_USER_UNKNOWN) [pid=18262|sid=Jjd+]
2022/01/26 16:06:04 ERROR I18N_OPENXPKI_UI_AUTHENTICATION_FAILED [pid=18262|sid=Jjd+]
2022/01/26 16:06:04 DEBUG Sending error $VAR1 = {
          'LABEL' => 'I18N_OPENXPKI_UI_AUTHENTICATION_FAILED',
          'CLASS' => 'OpenXPKI::Exception::Authentication',
          'PARAMS' => {}
        };
 [pid=18262|sid=Jjd+]
2022/01/26 16:06:04 DEBUG Incoming auth for stack ADPassword [pid=18262|sid=Jjd+]
2022/01/26 16:06:04 DEBUG Request stack info for ADPassword [pid=18262|sid=Jjd+]
2022/01/26 16:06:04 DEBUG Call get_hash in Multi to realm.genuaca.auth.stack.ADPassword.param [pid=18262|sid=Jjd+]
2022/01/26 16:06:04 DEBUG Node does not exist at  realm|genuaca|auth|stack|ADPassword|param [pid=18262|sid=Jjd+]
2022/01/26 16:06:04 DEBUG Changing session state from WAITING_FOR_LOGIN to NEW [pid=18262|]
2022/01/26 16:06:04 DEBUG Call get in Multi to system.server.name [pid=18262|]
2022/01/26 16:06:07 DEBUG Call get in Multi to system.server.name [pid=18261|sid=clSI]

But as I understand it, the password from the UI is not passed to the connector, which is why this results in a bind without a password.


What am I doing wrong?




Thanks and best regards,

Stefan
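
Added example (not part of the original messages and not OpenXPKI code): a Python check for the misconfiguration resolved in this thread, a `type: Connector` handler without the `source@` key, which also confirms that the referenced connector exists. The two-level parser, the finding names and the `verify: none` warning are assumptions of this example; the sample files are shortened from the ones quoted above.

```python
import re

# Sample files shortened from the thread; HANDLER_BEFORE is the failing version.
HANDLER_BEFORE = """\
ADPassword:
    type: Connector
    role: User
    user@: connector:auth.connector.userAD
"""
HANDLER_AFTER = HANDLER_BEFORE.replace("user@:", "source@:")
CONNECTOR = """\
userAD:
    class: Connector::Builtin::Authentication::LDAP
    LOCATION: ldaps://localhost:636
    verify: none
"""

def parse_two_level(text):
    """Parse the 'name:' plus indented 'key: value' layout used in the thread."""
    out, current = {}, None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        key, _, value = raw.strip().partition(":")
        if raw[0] not in " \t":              # top-level entry such as "ADPassword:"
            current = out.setdefault(key, {})
        elif current is not None:
            current[key] = value.strip().strip('"')
    return out

def lint(handler_yaml, connector_yaml):
    """Return (handler, finding, detail) tuples; finding names are hypothetical."""
    connectors = parse_two_level(connector_yaml)
    findings = []
    for name, cfg in parse_two_level(handler_yaml).items():
        if cfg.get("type") != "Connector":
            continue
        ref = cfg.get("source@")
        if ref is None:                      # the error fixed in this thread
            other = [k for k in cfg if k.endswith("@")]
            findings.append((name, "no-source", f"expected 'source@', found {other}"))
            continue
        m = re.fullmatch(r"connector:auth\.connector\.(\w+)", ref)
        target = m.group(1) if m else None
        if target not in connectors:
            findings.append((name, "dangling-ref", f"{ref} not in connector.yaml"))
        elif connectors[target].get("verify") == "none":
            # Assumption: 'verify' reaches Net::LDAP, where 'none' skips cert checks.
            findings.append((name, "tls-verify-off", f"{target}: verify: none"))
    return findings

if __name__ == "__main__":
    for label, text in (("before", HANDLER_BEFORE), ("after", HANDLER_AFTER)):
        print(label, lint(text, CONNECTOR))
```
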


_______________________________________________
OpenXPKI-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openxpki-users
