Hi Oliver,

I did, partly (for the handler); the connector was largely copied from the docs, 
as the docs seemed quite intimidating to me, and in development (my usual field) 
it seems to work better.

I took another look at the docs (I even printed them lol) and read this thread: 
https://sourceforge.net/p/openxpki/mailman/openxpki-users/thread/CABJYN4M1cVqOtYHQs4twoN8wJCRgPKfROzZ5z-iMPGJeDoyEyA%40mail.gmail.com/#msg36439661
It seems I figured it out.


For someone's future reference I guess:
My handler:
ldap:
    type: Connector
    label: LDAP Login for Users
    role: RA Operator
    source@: connector:auth.connector.ra-ldap

My connector:
ra-ldap:
    class: Connector::Builtin::Authentication::LDAP
    LOCATION: ldap://{server IP}
    base: "dc=vault,dc=local"
    binddn: [email protected]
    password: "Secure123"
    filter: "(&(sAMAccountName=[% LOGIN %]))"


(the filter will be made more restrictive later, don't worry)

So ehhh I curse ChatGPT, and I guess this is also a good learning experience of 
when not to trust AI lol.


Some feedback on the docs that might make them more accessible, feel free to 
ignore it if you think differently (it's my study's culture to give feedback 
and be open):

  * Make the pages on realms separate with frequent headers; this'll make the pages 
less intimidating.
  * I also would prefer relatively magical variables like source and the "@" 
to be explained better; perhaps even a step by step if LDAP is really that 
common.
  * A page with (common) errors thrown would also be nice, especially in an easily 
referenceable table format.


Thanks a lot for dealing with my and ChatGPT's nonsense.


Fay Knol
-----------
Student Open-ICT University of Applied Science Utrecht

[email protected]
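As an added example (not OpenXPKI's code and not posted by anyone in this thread), the following Python script renders the connector's filter template for a login name and evaluates it against a couple of constructed directory entries, which is what the ldapsearch checks further down this thread do by hand. It covers both the plain `(sAMAccountName=[% LOGIN %])` filter used above and the `memberOf` group restriction from Killian's connector. The sample entries are modelled on the ldapsearch output quoted later in the thread and are assumptions, not a real export; the RFC 4515 escaping of the login value is the check a practitioner would want before substituting user input into a filter, and the thread does not say whether OpenXPKI's connector does this on its own.

```python
"""Added example (not OpenXPKI code): render the connector's LDAP filter template
for a login and evaluate it against constructed entries."""
import re

# Constructed sample entries, modelled on the ldapsearch output in this thread.
# Assumption: these are illustrative, not data from any real directory.
SAMPLE_ENTRIES = [
    {
        "dn": "CN=Fay's Test Account,CN=Users,DC=vault,DC=local",
        "sAMAccountName": ["fay"],
        "memberOf": [
            "CN=PKIAdmins,CN=Users,DC=vault,DC=local",
            "CN=DnsAdmins,CN=Users,DC=vault,DC=local",
        ],
    },
    {
        "dn": "CN=Guest Account,CN=Users,DC=vault,DC=local",
        "sAMAccountName": ["guest"],
        "memberOf": ["CN=Domain Guests,CN=Users,DC=vault,DC=local"],
    },
]

# Filter in the style of Killian's connector: login name AND group membership.
FILTER_TEMPLATE = (
    "(&(sAMAccountName=[% LOGIN %])"
    "(memberOf=CN=PKIAdmins,CN=Users,DC=vault,DC=local))"
)

_RFC4515_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape an assertion value per RFC 4515 so a login such as 'a)(cn=*'
    cannot change the structure of the filter it is substituted into."""
    return "".join(_RFC4515_ESCAPES.get(ch, ch) for ch in value)


def render_filter(template: str, login: str) -> str:
    """Substitute the [% LOGIN %] placeholder used in the connector config."""
    return template.replace("[% LOGIN %]", escape_filter_value(login))


def _unescape(value: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def _parse(flt: str, pos: int = 0):
    """Recursive-descent parser for the subset used here: &, |, ! and attr=value."""
    assert flt[pos] == "(", "filter items must start with '('"
    pos += 1
    op = flt[pos]
    if op in ("&", "|", "!"):
        pos += 1
        children = []
        while flt[pos] == "(":
            node, pos = _parse(flt, pos)
            children.append(node)
        assert flt[pos] == ")"
        return (op, children), pos + 1
    end = flt.index(")", pos)  # values are escaped, so ')' terminates the item
    attr, _, value = flt[pos:end].partition("=")
    return ("=", attr, _unescape(value)), end + 1


def _values(entry: dict, attr: str) -> set:
    # AD matches these attributes case-insensitively; approximate with casefold.
    for key, val in entry.items():
        if key.lower() == attr.lower():
            return {v.casefold() for v in (val if isinstance(val, list) else [val])}
    return set()


def _eval(node, entry: dict) -> bool:
    kind = node[0]
    if kind == "&":
        return all(_eval(c, entry) for c in node[1])
    if kind == "|":
        return any(_eval(c, entry) for c in node[1])
    if kind == "!":
        return not _eval(node[1][0], entry)
    _, attr, value = node
    return value.casefold() in _values(entry, attr)


def matching_dns(login: str, template: str = FILTER_TEMPLATE, entries=SAMPLE_ENTRIES):
    """DNs the rendered filter matches. An empty result is the situation behind
    the I18N_OPENXPKI_UI_LOGIN_USER_UNKNOWN lines quoted in this thread."""
    tree, _ = _parse(render_filter(template, login))
    return [e["dn"] for e in entries if _eval(tree, e)]


if __name__ == "__main__":
    for name in ("fay", "guest", "*"):
        print(name, "->", matching_dns(name))
```

Running it shows that `fay` matches through the group restriction, `guest` does not, and an escaped `*` is a literal that matches nobody rather than a wildcard. The same evaluator run with the plain `(&(sAMAccountName=[% LOGIN %]))` template from the working config above matches on the account name alone.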
________________________________
From: Oliver Welter <[email protected]>
Sent: Thursday, April 17, 2025 11:05 AM
To: [email protected] <[email protected]>
Subject: Re: [OpenXPKI-users] [External] Re: Issue with LDAP login on OpenXPKI


Hi Fay,


did you generate your config using AI tools? The config you have posted in the 
very beginning is not valid, there is no "connector" attribute to a handler, 
please read the docs and sample configs or search the ML, there are working 
examples at a lot of places.


Oliver


On 16.04.25 11:17, Fay Knol via OpenXPKI-users wrote:
Oh sorry it seems I may have missed that (part of the) message.

I've reverted my config back to my original message for this.

There they are, this is it. Command in the container: /var/log/openxpki# tail openxpki.log
2025/04/16 11:13:44 DEBUG Request stack info for LDAP [pid=10|sid=oqx5]
2025/04/16 11:13:44 DEBUG Incoming auth for stack LDAP [pid=10|sid=oqx5]
2025/04/16 11:13:44 DEBUG Request stack info for LDAP [pid=10|sid=oqx5]
2025/04/16 11:13:44 DEBUG Incoming auth for stack LDAP [pid=10|sid=oqx5]
2025/04/16 11:13:44 INFO Got invalid auth result from handler ldap 
[pid=10|sid=oqx5]
2025/04/16 11:13:44 DEBUG I18N_OPENXPKI_UI_LOGIN_USER_UNKNOWN [pid=10|sid=oqx5]
2025/04/16 11:13:44 WARN Login failed  (user: not set, error: 
I18N_OPENXPKI_UI_LOGIN_USER_UNKNOWN) [pid=10|sid=oqx5]
2025/04/16 11:13:44 ERROR I18N_OPENXPKI_UI_AUTHENTICATION_FAILED 
[pid=10|sid=oqx5]
2025/04/16 11:13:44 DEBUG Incoming auth for stack LDAP [pid=10|sid=oqx5]
2025/04/16 11:13:44 DEBUG Request stack info for LDAP [pid=10|sid=oqx5]

Sorry I hope you're still willing to help out!

Kind Regards,
Fay Knol
-----------
Student Open-ICT University of Applied Science Utrecht

[email protected]
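As an added example (not OpenXPKI code and not part of anyone's message here), this Python snippet parses openxpki.log lines of the shape quoted in this thread and pulls out the "Login failed" records per session, which is the kind of quick triage you want before turning the "connector" log facility up to trace. The sample log text is constructed from the excerpts in the thread, not a real capture; the line format (date, time, level, message, bracketed context) is taken from those excerpts and assumed to hold for other lines.

```python
"""Added example (not OpenXPKI code): parse openxpki.log lines and summarise
login failures per session."""
import re
from collections import Counter

# Constructed from the log excerpts quoted in this thread; not a real capture.
SAMPLE_LOG = """\
2025/04/16 11:13:44 DEBUG Request stack info for LDAP [pid=10|sid=oqx5]
2025/04/16 11:13:44 DEBUG Incoming auth for stack LDAP [pid=10|sid=oqx5]
2025/04/16 11:13:44 INFO Got invalid auth result from handler ldap [pid=10|sid=oqx5]
2025/04/16 11:13:44 DEBUG I18N_OPENXPKI_UI_LOGIN_USER_UNKNOWN [pid=10|sid=oqx5]
2025/04/16 11:13:44 WARN Login failed  (user: not set, error: I18N_OPENXPKI_UI_LOGIN_USER_UNKNOWN) [pid=10|sid=oqx5]
2025/04/16 11:13:44 ERROR I18N_OPENXPKI_UI_AUTHENTICATION_FAILED [pid=10|sid=oqx5]
2025/04/11 09:27:11 WARN Login failed  (user: not set, error: I18N_OPENXPKI_UI_LOGIN_USER_UNKNOWN) [pid=10|sid=DAq/]
2025/04/10 15:45:44 INFO Loaded auth handler ldap [pid=1|pki_realm=prodrealm]
"""

# Assumed line layout: "YYYY/MM/DD HH:MM:SS LEVEL message [key=val|key=val]"
LINE_RE = re.compile(
    r"^(?P<date>\d{4}/\d{2}/\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<level>[A-Z]+) (?P<msg>.*?) \[(?P<ctx>[^\]]*)\]$"
)
FAIL_RE = re.compile(r"Login failed\s+\(user: (?P<user>.*?), error: (?P<error>[^)\s]+)\)")


def parse_line(line: str):
    """Split one log line into its fields; the bracketed context becomes a dict."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ctx"] = dict(kv.split("=", 1) for kv in rec["ctx"].split("|") if "=" in kv)
    return rec


def login_failures(text: str):
    """(sid, user, error) for every WARN 'Login failed' line in the text."""
    out = []
    for line in text.splitlines():
        rec = parse_line(line)
        if not rec or rec["level"] != "WARN":
            continue
        f = FAIL_RE.search(rec["msg"])
        if f:
            out.append((rec["ctx"].get("sid"), f["user"], f["error"]))
    return out


def failures_by_error(text: str) -> Counter:
    """Count failures per error code; useful when many sessions are failing."""
    return Counter(err for _, _, err in login_failures(text))


if __name__ == "__main__":
    for sid, user, err in login_failures(SAMPLE_LOG):
        print(f"sid={sid} user={user!r} error={err}")
    print(failures_by_error(SAMPLE_LOG))
```

On the constructed sample both sessions fail with the same I18N_OPENXPKI_UI_LOGIN_USER_UNKNOWN code and "user: not set", which is consistent with the handler getting no result back from the connector rather than a wrong password.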
________________________________
From: Oliver Welter <[email protected]>
Sent: Tuesday, April 15, 2025 5:12 PM
To: [email protected] <[email protected]>
Subject: Re: [OpenXPKI-users] [External] Re: Issue with LDAP login on OpenXPKI


Well, you have ignored my hint to check the logs with debug enabled - a lot of 
people here use this module so I am sure it works with the right filters and 
parameters but to understand what is going wrong we need the logs.


On 15.04.25 12:35, Fay Knol via OpenXPKI-users wrote:
Thanks for the Reply Killian, unfortunately even that config did not work.

so this is where I'll officially give up and we'll just have to make local 
accounts for all the people who want to make a cert.

Thanks a lot for the help anyways!

Regards,
Fay Knol
-----------
Student Open-ICT University of Applied Science Utrecht

[email protected]



________________________________
From: Killian, Edward [USA] via OpenXPKI-users <[email protected]>
Sent: Friday, April 11, 2025 6:05 PM
To: [email protected] <[email protected]>
Cc: Killian, Edward [USA] <[email protected]>
Subject: Re: [OpenXPKI-users] [External] Re: Issue with LDAP login on OpenXPKI


Here is the section of my connector.yaml:

user-ad:
    class: Connector::Builtin::Authentication::LDAP
    LOCATION: ldap://{server IP}
    base: dc=int,dc={domain},dc=us
    binddn: {user@domain}
    password: PASSWORD
    filter: "(&(sAMAccountName=[% LOGIN %])(memberOf=CN=ca-admin,OU=groups,DC=int,DC={domain},DC=us))"

We're filtering on the user being a member of the ca-admin group.



Edward Killian
Systems Engineer - Lead Engineer
Global Defense Group

[email protected]

Booz | Allen | Hamilton
BoozAllen.com



From: Oliver Welter <[email protected]>
Date: Friday, April 11, 2025 at 4:35 AM
To: [email protected] <[email protected]>
Subject: [External] Re: [OpenXPKI-users] Issue with LDAP login on OpenXPKI

Search in log.conf for the definition of the "connector" facility and set this 
to trace, this should help in seeing the LDAP error messages



On 11.04.25 09:32, Fay Knol via OpenXPKI-users wrote:

Thanks for your reply Killian, it seems that unfortunately that also doesn't 
work for me.

As you can see here:

ra-ldap:
    class: Connector::Builtin::Authentication::LDAP
    LOCATION: ldap://{serverIP}
    base: dc=vault,dc=local
    binddn: [email protected]
    password: Secure123
    filter: "(&(sAMAccountName=[% LOGIN %]))"

and I still get the following error message:

2025/04/11 09:27:00 WARN Group Not Defined.  Defaulting to EGID '0 0' [pid=1|pki_realm=prodrealm]
2025/04/11 09:27:00 WARN User Not Defined.  Defaulting to EUID '0' [pid=1|pki_realm=prodrealm]
2025/04/11 09:27:04 ERROR I18N_OPENXPKI_SERVICE_DEFAULT_HANDLE_CONTINUE_SESSION_SESSION_CONTINUE_FAILED; __ID__ => 7F175Im4RC+EvQ5okCv5iw== [pid=10|pki_realm=prodrealm]
2025/04/11 09:27:11 INFO Got invalid auth result from handler ldap [pid=10|sid=DAq/]
2025/04/11 09:27:11 WARN Login failed  (user: not set, error: I18N_OPENXPKI_UI_LOGIN_USER_UNKNOWN) [pid=10|sid=DAq/]
2025/04/11 09:27:11 ERROR I18N_OPENXPKI_UI_AUTHENTICATION_FAILED [pid=10|sid=DAq/]





Thanks,
Fay Knol
-----------
Student Open-ICT University of Applied Science Utrecht

[email protected]

________________________________
From: Killian, Edward [USA] <[email protected]>
Sent: Thursday, April 10, 2025 5:50 PM
To: [email protected] <[email protected]>
Cc: Fay Knol <[email protected]>
Subject: Re: [OpenXPKI-users] Issue with LDAP login on OpenXPKI



In my case I had to use the same binddn in connector.yaml that I used in the 
ldapsearch command. In your case the "-D" [email protected] would be used in the 
connector.yaml as

binddn: [email protected]



Edward Killian
Systems Engineer - Lead Engineer
Global Defense Group

[email protected]

Booz | Allen | Hamilton
BoozAllen.com



________________________________
From: Fay Knol via OpenXPKI-users <[email protected]>
Sent: Thursday, April 10, 2025 10:01 AM
To: [email protected] <[email protected]>
Cc: Fay Knol <[email protected]>
Subject: [External] Re: [OpenXPKI-users] Issue with LDAP login on OpenXPKI






Hi Oliver,



Thanks for your reply!



I'm sure the openxpki service user had sufficient permissions because even with 
filtering the request works, as you can see here:

ldapsearch -LLL -x -H ldap://{test server ip} -D "[email protected]" -w "Secure123" -b "DC=vault,DC=local" "(&(sAMAccountName=fay)(memberOf=CN=PKIAdmins,CN=Users,DC=vault,DC=local))"

dn: CN=Fay's Test Account,CN=Users,DC=vault,DC=local
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Fay's Test Account
sn: Test Account
givenName: Fay's
distinguishedName: CN=Fay's Test Account,CN=Users,DC=vault,DC=local
...
memberOf: CN=PKIAdmins,CN=Users,DC=vault,DC=local
memberOf: CN=DnsAdmins,CN=Users,DC=vault,DC=local
...
sAMAccountName: fay

Additionally the login didn't work without a filter too

I did however have another look at the logs (decided to check them via docker 
exec in the container this time instead of with docker logs) and got this when 
I tried to log in:

2025/04/10 15:45:55 INFO Got invalid auth result from handler ldap [pid=10|sid=kPi4]
2025/04/10 15:45:55 WARN Login failed  (user: not set, error: I18N_OPENXPKI_UI_LOGIN_USER_UNKNOWN) [pid=10|sid=kPi4]
2025/04/10 15:45:55 ERROR I18N_OPENXPKI_UI_AUTHENTICATION_FAILED [pid=10|sid=kPi4]


and this at restart:

2025/04/10 15:45:44 INFO Loaded auth handler Anonymous [pid=1|pki_realm=prodrealm]
2025/04/10 15:45:44 INFO Loaded auth handler ldap [pid=1|pki_realm=prodrealm]
2025/04/10 15:45:44 INFO Loaded auth handler System [pid=1|pki_realm=prodrealm]
2025/04/10 15:45:44 INFO Loaded auth handler TestAccounts [pid=1|pki_realm=prodrealm]
2025/04/10 15:45:44 INFO Loaded auth handler LocalPassword [pid=1|pki_realm=prodrealm]
2025/04/10 15:45:44 WARN Group Not Defined.  Defaulting to EGID '0 0' [pid=1|pki_realm=prodrealm]
2025/04/10 15:45:44 WARN User Not Defined.  Defaulting to EUID '0' [pid=1|pki_realm=prodrealm]

Could that help diagnose my issue? I couldn't find my error in the mailing list 
archives.
Is there an even more verbose logging option so I can for example see the 
LDAP output?

By the way I'm running in Docker using the official compose.



Regards,
Fay

________________________________
From: Oliver Welter <[email protected]>
Sent: Wednesday, April 9, 2025 7:27 PM
To: [email protected] <[email protected]>
Subject: Re: [OpenXPKI-users] Issue with LDAP login on OpenXPKI



Hi Fay,



I can remember that there are some tricks to know but I can not remember them :(



Did you try the memberOf query as filter to the ldap search? AFAIR you need 
permissions on the group tree to be able to search in this way, so those might 
be missing....I did not use this module for a long time and I am also not an 
LDAP expert.



Oliver



On 08.04.25 07:09, Fay Knol via OpenXPKI-users wrote:

Dear mailing list users,

I'm currently a 2nd year student at the HU University of Applied Sciences 
Utrecht working on setting up OpenXPKI as an issuing CA for our student 
"playground" to self sign certificates.
I'm trying to set up LDAP authentication for operators. However, I've been 
having some issues I haven't been able to figure out for the past week or so.

With an ldapsearch like below I get a proper return, so I think that isolates my 
Active Directory as a variable.

ldapsearch -LLL -x -H ldap://{test server ip} -D "[email protected]" -w "Secure123" -b "DC=vault,DC=local" "(sAMAccountName=fay)" memberOf

dn: CN=Fay's Test Account,CN=Users,DC=vault,DC=local
memberOf: CN=PKIAdmins,CN=Users,DC=vault,DC=local
memberOf: CN=DnsAdmins,CN=Users,DC=vault,DC=local

So now I don't get why my configs don't work

Connector config:

ra-ldap:
    class: Connector::Builtin::Authentication::LDAP
    LOCATION: ldap://{test server ip}
    base: "DC=vault,DC=local"
    binddn: cn=openxpki
    password: "Secure123"
    filter: "(&(sAMAccountName=[% LOGIN %])(memberOf=CN=PKIAdmins,OU=Users,CN=Users,DC=vault,DC=local))"

(mail also didn't work)

Handler config:

ldap:
    type: Password
    class: OpenXPKI::Server::Authentication::LDAP
    label: LDAP Authentication
    connector: ra-ldap
    role: RA Operator

Stack config:

LDAP:
    label: LDAP Login
    description: Login via Active Directory
    handler: ldap
    type: passwd

The rest of the configuration related to LDAP is so far just the default 
copied from the example; test account login works fine.





Am I missing something obvious?
Are there any other things I should look out for?



Thanks in advance,

Fay Knol





_______________________________________________
OpenXPKI-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openxpki-users

--
Protect your environment -  close windows and adopt a penguin!