RE: [openmeetings-user] LDAP questions
Hi Sebastian,

Thanks for the quick response. I had a look at the code and understand where the problem is - in order to be able to use something other than the UPN for login, parts of the LDAPAuth stuff would need to be changed, so that before actually making an LDAP bind as the user, a search would need to be run based on the field used for login, to find the user's full DN. That can then be used for binding instead of the UPN, to check if the password is valid. So it would be a few more lines of code.

In any case, it would be very, very helpful to be able to use other fields, especially the sAMAccountName field. For my prototype install I can work around the problem. If it's not fixed in a couple of months, I may have a go at it myself. My Java knowledge is a little rusty, but I might be able to figure something out.

It looks like some code is already present for some of the groups stuff I was talking about as well - but it's commented out and marked as "for future use", so I guess the author of the LDAP plugin didn't get around to finishing it all yet.

Best regards,
Holger

From: openmeetings-user@googlegroups.com [mailto:openmeetings-user@googlegroups.com] On Behalf Of seba.wag...@gmail.com
Sent: Tuesday, 18 October 2011 12:06
To: openmeetings-user@googlegroups.com
Subject: Re: [openmeetings-user] LDAP questions

Hello Holger,

*do we have to use userPrincipalName as the login name?*

=> I think you can configure a custom fieldname_user_principal for the search for the user. The result of the search is used to simulate the user in OpenMeetings. For the auth itself, I think this custom fieldname is only available if you are using OpenLDAP as ldap_server_type in your config. I don't know whether this modification to be able to auth in ADS with a custom fieldname for user_principle makes no sense or whether we just never had the request to make it available.

But to fill the user values you can define a custom principle_filedname and also which attributes to sync from your LDAP; compare these sample files:

http://code.google.com/p/openmeetings/source/browse/trunk/singlewebapp/WebContent/conf/sample_openldap_om_ldap.cfg
http://code.google.com/p/openmeetings/source/browse/trunk/singlewebapp/WebContent/conf/om_ldap.cfg

*Another question: am I correct in saying that all the LDAP login does is authenticate the user, check for existence in the local database and if it's the first login, create a local user profile from the AD fields?*

+ checks the password of course.
+ updates the user record with some of the basic new values.

*I was hoping I could probably use group memberships to assign room membership or privileges - I guess that's currently not possible then?*

=> As the nature of those LDAP/ADS servers is that their structure is different for each company, we did not make any kind of additional things. It would not be that hard to write some add-ons based on what is available currently, but it's quite hard to provide a general configuration possibility that fits everybody. So this task would require some basic code modification in the auth mechanism.

Sebastian

2011/10/18 Holger Rabbach (ICT) <holger.rabb...@om.org>

Hi,

Got the RTMPS stuff working (note: doesn't work in Chrome for some reason), now on to LDAP/AD integration. First of all, do we have to use userPrincipalName as the login name? We have a problem there, as for legacy reasons we have different domains in that field, depending on when the account was created. We try not to use that field anywhere for that reason.

Another question: am I correct in saying that all the LDAP login does is authenticate the user, check for existence in the local database and if it's the first login, create a local user profile from the AD fields? I was hoping I could probably use group memberships to assign room membership or privileges - I guess that's currently not possible then?

Thanks again for all the work and the helpful responses here - I'm just trying to get a feel for what can and can't be done right now, so I can make informed recommendations for how this great piece of software can be integrated into our existing infrastructure.

Best regards,
Holger

OM International Limited - Unit B Clifford Court, Cooper Way - Carlisle CA3 0JG - United Kingdom
Charity reg no: 1112655 - Company reg no: 5649412 (England and Wales)
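
The search-then-bind flow described in the reply above, written against the JDK's JNDI API as an added example; it is not code from OpenMeetings' LDAPAuth or from either poster. The server URL, search base and service-account parameters are placeholder assumptions.

```java
import java.util.Hashtable;
import javax.naming.*;
import javax.naming.directory.*;

public class SearchThenBind {
    // Placeholder values (assumptions), not taken from om_ldap.cfg.
    static final String URL = "ldaps://dc.example.org:636";
    static final String BASE = "ou=people,dc=example,dc=org";

    static DirContext connect(String dn, String password) throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, URL);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, dn);
        env.put(Context.SECURITY_CREDENTIALS, password);
        return new InitialDirContext(env);
    }

    // Step 1: as a service account, resolve the login value to exactly one DN.
    static String findDn(DirContext svc, String login) throws NamingException {
        SearchControls sc = new SearchControls();
        sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
        sc.setReturningAttributes(new String[0]); // only the DN is needed
        // JNDI escapes filter metacharacters in {0}, so "*" cannot widen the match.
        NamingEnumeration<SearchResult> hits = svc.search(
            BASE, "(sAMAccountName={0})", new Object[] { login }, sc);
        String dn = hits.hasMore() ? hits.next().getNameInNamespace() : null;
        boolean unique = dn != null && !hits.hasMore(); // refuse ambiguous logins
        hits.close();
        return unique ? dn : null;
    }

    // Step 2: bind as the DN found in step 1 to check the password.
    static boolean authenticate(String svcDn, String svcPw, String login, String password)
            throws NamingException {
        // An empty password makes a simple bind "unauthenticated"; some servers accept it.
        if (password == null || password.isEmpty()) return false;
        DirContext svc = connect(svcDn, svcPw);
        String userDn;
        try { userDn = findDn(svc, login); } finally { svc.close(); }
        if (userDn == null) return false;
        try {
            connect(userDn, password).close();
            return true;
        } catch (AuthenticationException e) {
            return false; // wrong password for that DN
        }
    }
}
```

Connection or search failures propagate as `NamingException` rather than being reported as a failed login, so the caller can tell a directory outage from a bad password.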
Re: [openmeetings-user] LDAP questions
Hello Holger,

*do we have to use userPrincipalName as the login name?*

=> I think you can configure a custom fieldname_user_principal for the search for the user. The result of the search is used to simulate the user in OpenMeetings. For the auth itself, I think this custom fieldname is only available if you are using OpenLDAP as ldap_server_type in your config. I don't know whether this modification to be able to auth in ADS with a custom fieldname for user_principle makes no sense or whether we just never had the request to make it available.

But to fill the user values you can define a custom principle_filedname and also which attributes to sync from your LDAP; compare these sample files:

http://code.google.com/p/openmeetings/source/browse/trunk/singlewebapp/WebContent/conf/sample_openldap_om_ldap.cfg
http://code.google.com/p/openmeetings/source/browse/trunk/singlewebapp/WebContent/conf/om_ldap.cfg

*Another question: am I correct in saying that all the LDAP login does is authenticate the user, check for existence in the local database and if it’s the first login, create a local user profile from the AD fields?*

+ checks the password of course.
+ updates the user record with some of the basic new values.

*I was hoping I could probably use group memberships to assign room membership or privileges – I guess that’s currently not possible then?*

=> As the nature of those LDAP/ADS servers is that their structure is different for each company, we did not make any kind of additional things. It would not be that hard to write some add-ons based on what is available currently, but it's quite hard to provide a general configuration possibility that fits everybody. So this task would require some basic code modification in the auth mechanism.

Sebastian

2011/10/18 Holger Rabbach (ICT)

> Hi,
>
> Got the RTMPS stuff working (note: doesn’t work in Chrome for some reason),
> now on to LDAP/AD integration. First of all, do we have to use
> userPrincipalName as the login name? We have a problem there, as for legacy
> reasons we have different domains in that field, depending on when the
> account was created. We try not to use that field anywhere for that reason.
>
> Another question: am I correct in saying that all the LDAP login does is
> authenticate the user, check for existence in the local database and if it’s
> the first login, create a local user profile from the AD fields? I was
> hoping I could probably use group memberships to assign room membership or
> privileges – I guess that’s currently not possible then?
>
> Thanks again for all the work and the helpful responses here – I’m just
> trying to get a feel for what can and can’t be done right now, so I can make
> informed recommendations for how this great piece of software can be
> integrated into our existing infrastructure.
>
> Best regards,
>
> Holger
>
> --
> OM International Limited - Unit B Clifford Court, Cooper Way - Carlisle CA3
> 0JG - United Kingdom
> Charity reg no: 1112655 - Company reg no: 5649412 (England and Wales)

--
Sebastian Wagner
http://www.openmeetings.de
http://www.webbase-design.de
http://www.wagner-sebastian.com
seba.wag...@gmail.com

--
You received this message because you are subscribed to the Google Groups "OpenMeetings User" group.
To post to this group, send email to openmeetings-user@googlegroups.com.
To unsubscribe from this group, send email to openmeetings-user+unsubscr...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/openmeetings-user?hl=en.
[openmeetings-user] LDAP questions
Hi,

Got the RTMPS stuff working (note: doesn't work in Chrome for some reason), now on to LDAP/AD integration. First of all, do we have to use userPrincipalName as the login name? We have a problem there, as for legacy reasons we have different domains in that field, depending on when the account was created. We try not to use that field anywhere for that reason.

Another question: am I correct in saying that all the LDAP login does is authenticate the user, check for existence in the local database and if it's the first login, create a local user profile from the AD fields? I was hoping I could probably use group memberships to assign room membership or privileges - I guess that's currently not possible then?

Thanks again for all the work and the helpful responses here - I'm just trying to get a feel for what can and can't be done right now, so I can make informed recommendations for how this great piece of software can be integrated into our existing infrastructure.

Best regards,
Holger

OM International Limited - Unit B Clifford Court, Cooper Way - Carlisle CA3 0JG - United Kingdom
Charity reg no: 1112655 - Company reg no: 5649412 (England and Wales)