Hi,
The easiest way is a script that converts the Let's Encrypt certificate
(RSA type) to JKS type after each cert renewal.

See
https://cwiki.apache.org/confluence/display/OPENMEETINGS/Tutorials+for+installing+OpenMeetings+and+Tools
Installation SSL certificates and Coturn for OpenMeetings 5.0.0-M3.pdf

That works fine.

If you want to use the Let's Encrypt RSA-type files directly, it's a bit of work:

A basic example of that configuration is in the Tomcat server.xml file.
But, as is, it will not work in OM 5.0.0-M3.
You need the "APR based Apache Tomcat Native library".

If you install that with apt on Ubuntu 18.03 LTS, you get version 1.2.21,
and you will get an error in the Tomcat log file:
Tomcat needs version 1.2.23.

There is no compiled version available, so you have to download the
source and compile Apache Tomcat Native library v1.2.23 yourself.
You find a description of it here:
http://tomcat.apache.org/native-doc/
(the first "apt-get install libapr1-dev libssl-dev" installs the source)

I configured Tomcat so that the 3 cert files are in the Tomcat conf directory.
In the Tomcat conf directory there are 3 links that point to the
Let's Encrypt cert directory files.

Regards,
Koni
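
An added example of the kind of renewal script Koni describes (this is not Koni's script and not the script from the OpenMeetings wiki PDF): a certbot deploy hook that converts the renewed PEM files into a PKCS12 file and then a JKS keystore for Tomcat, after checking that the private key actually belongs to the certificate. The conf directory /opt/open505/conf, the alias, the password file and the service name are assumptions; certbot exports RENEWED_LINEAGE only when it runs deploy hooks, so the conversion runs in that context only.

```shell
#!/bin/sh
# Added example (not from the thread or from OpenMeetings): certbot deploy hook
# that converts Let's Encrypt PEM files into PKCS12 and JKS keystores for Tomcat.
# Install as /etc/letsencrypt/renewal-hooks/deploy/om-keystore.sh (assumed path).
# OM_CONF, KS_ALIAS, KS_PASS_FILE and TOMCAT_SERVICE are assumptions; adjust them.
set -eu

OM_CONF="${OM_CONF:-/opt/open505/conf}"
KS_ALIAS="${KS_ALIAS:-openmeetings}"
# The keystore password lives in a root-only file (chmod 600), never on the
# command line, where it would show up in `ps` output and the shell history.
KS_PASS_FILE="${KS_PASS_FILE:-/etc/letsencrypt/om-keystore.pass}"
TOMCAT_SERVICE="${TOMCAT_SERVICE:-tomcat}"

# Sanity check before touching the live keystore: the private key must belong
# to the leaf certificate. Both commands print the SubjectPublicKeyInfo as PEM,
# so a plain string comparison is enough. Fails if either file is unreadable.
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    cert_pub=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null) || return 1
    [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
}

# Convert <lineage>/fullchain.pem + privkey.pem into <conf>/keystore.p12 and
# <conf>/keystore.jks, replacing the old files atomically.
convert_to_jks() {
    lineage="$1"; conf="$2"
    p12="$conf/keystore.p12"; jks="$conf/keystore.jks"

    key_matches_cert "$lineage/privkey.pem" "$lineage/fullchain.pem" \
        || { echo "privkey.pem does not match fullchain.pem, aborting" >&2; return 1; }

    umask 077   # new keystore files are readable by the owner only
    rm -f "$p12.tmp" "$jks.tmp"

    # PKCS12 holding key, leaf and intermediates under one alias; all certs in
    # fullchain.pem are included as the chain.
    openssl pkcs12 -export -in "$lineage/fullchain.pem" -inkey "$lineage/privkey.pem" \
        -name "$KS_ALIAS" -out "$p12.tmp" -passout "file:$KS_PASS_FILE"

    # JKS for a Tomcat connector that still expects keystoreType="JKS".
    keytool -importkeystore -noprompt \
        -srckeystore "$p12.tmp" -srcstoretype PKCS12 -srcstorepass:file "$KS_PASS_FILE" \
        -destkeystore "$jks.tmp" -deststoretype JKS -deststorepass:file "$KS_PASS_FILE" \
        -srcalias "$KS_ALIAS" -destalias "$KS_ALIAS"

    # Rename into place so Tomcat never reads a half-written keystore.
    mv -f "$p12.tmp" "$p12"
    mv -f "$jks.tmp" "$jks"
}

# certbot sets RENEWED_LINEAGE (e.g. /etc/letsencrypt/live/om.example.org) for
# deploy hooks; without it the file only defines the functions.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    convert_to_jks "$RENEWED_LINEAGE" "$OM_CONF"
    systemctl restart "$TOMCAT_SERVICE"
fi
```

Tomcat 8.5 and 9 can also read the .p12 directly with keystoreType="PKCS12", in which case the keytool step can be dropped; the key/cert match check is what catches a hook pointed at a stale or wrong lineage, which otherwise only shows up as a TLS handshake failure after the restart.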


On 07.04.2020 at 12:42, Rohrbach, Gerald wrote:
>
> Maxim,
>
> so far our OpenMeetings server for internal use is working fine.
>
> I found a lot of manuals using Let's Encrypt certificates, but this
> seems not to be that easy and we need to repeat the procedure every 90
> days.
>
> To make it more comfortable for the users I think we need to get the
> certificate in place.
>
> Unfortunately my knowledge about this certificate stuff is going to zero…
>
> We have an official wildcard certificate that we can use.
>
> But I did not find a manual on how this is to be installed.
>
> Is there any documentation I can use? Is that specific to OpenMeetings or is that
> more specific to Tomcat?
>
> Gerald
>
> *From:* Maxim Solodovnik [mailto:solomax...@gmail.com]
> *Sent:* Monday, 30 March 2020 17:19
> *To:* Openmeetings user-list <user@openmeetings.apache.org>
> *Subject:* Re: ldap config problems with authentication solved -
> Database move to different server
>
> First of all clustering is not working in
> M3 https://issues.apache.org/jira/browse/OPENMEETINGS-2186
>
> You need M4 SNAPSHOT for this
>
> Then, I'm afraid, there is a misunderstanding: `localDB` is a UI term
> meaning DB as opposed to LDAP
>
> To change DB location you need to change localhost to some external IP
> in persistence.xml
>
> Latest SNAPSHOT is
> here: https://builds.apache.org/view/M-R/view/OpenMeetings/job/openmeetings/
>
> Latest docs
> here: https://builds.apache.org/view/M-R/view/OpenMeetings/job/openmeetings/site/openmeetings-server/Clustering.html
>
> I hope there will be no DB updates before M4 release, so most probably
> DB will be compatible
>
> On Mon, 30 Mar 2020 at 22:13, Rohrbach, Gerald
> <g.rohrb...@funkegruppe.de <mailto:g.rohrb...@funkegruppe.de>> wrote:
>
>     Well, I need another hint….
>
>     As we have now tested a lot and do think we can use it for more
>     users, probably we
>     need more than one server. I am interested in the clustering.
>
>     But I know this is sometimes difficult to set up on our core switch.
>
>     First step would be to have the database separated on a different
>     server.
>
>     We have already created a lot of users in the M3 release.
>
>     For testing of the M4 I have already made a backup and restored it.
>
>     But in this case the database was also local.
>
>     Probably I need to change somewhere in a config file where the
>     new database is
>     located, if it is not local.
>
>     Because in the backup there was a localDB, on the new server I
>     would like a different machine.
>
>     Which file do I need to edit?
>
>     Regards
>
>     Gerald.
>
>     *From:* Maxim Solodovnik [mailto:solomax...@gmail.com
>     <mailto:solomax...@gmail.com>]
>     *Sent:* Monday, 30 March 2020 16:19
>     *To:* Openmeetings user-list <user@openmeetings.apache.org
>     <mailto:user@openmeetings.apache.org>>
>     *Subject:* Re: ldap config problems with authentication solved
>
>     Great news :)
>
>     I don't have to fix it :)))
>
>     Thanks a lot!
>
>     On Mon, 30 Mar 2020 at 21:16, Rohrbach, Gerald
>     <g.rohrb...@funkegruppe.de <mailto:g.rohrb...@funkegruppe.de>> wrote:
>
>         Maxim,
>
>         I found the solution:
>
>         These are the settings:
>
>         ldap_search_query=(userPrincipalName=%s)
>
>         ldap_userdn_format=userPrincipalName=%s,CN=Users,DC=company,DC=de
>
>         ldap_user_attr_login=sAMAccountName
>
>         Then the users are created in the right way: use...@company.de
>         <mailto:use...@company.de>
>
>         No duplicates anymore.
>
>         Regards
>
>         Gerald
>
>         *From:* Maxim Solodovnik [mailto:solomax...@gmail.com
>         <mailto:solomax...@gmail.com>]
>         *Sent:* Monday, 30 March 2020 14:37
>         *To:* Openmeetings user-list <user@openmeetings.apache.org
>         <mailto:user@openmeetings.apache.org>>
>         *Subject:* Re: ldap config problems with authentication
>
>         Of course I can add a simple check
>         "if-login-contains-domain-do-not-add-another-one" but I would
>         prefer to create a simulation of a real LDAP :)
>
>         On Mon, 30 Mar 2020 at 19:31, Maxim Solodovnik
>         <solomax...@gmail.com <mailto:solomax...@gmail.com>> wrote:
>
>             On Mon, 30 Mar 2020 at 19:25, Rohrbach, Gerald
>             <g.rohrb...@funkegruppe.de
>             <mailto:g.rohrb...@funkegruppe.de>> wrote:
>
>                 Maxim,
>
>                 that was a good hint with the logging.
>
>                 I think it is just an understanding and config issue.
>
>                    SearchRequest
>                         baseDn : 'CN=Users,DC=company,DC=de'
>                         filter : '(uid=x...@compay.de
>                 <mailto:uid=x...@compay.de>)'
>
>                 In ADS the uid attribute is not filled. Instead in ADS we
>                 need to use UserPrincipalName or something else.
>
>             for ADS `samlAccountName` or something like this should be
>             used
>
>                 So authentication works fine, but every time someone
>                 logs in a new user account is created.
>
>                 It looks like we still have an issue, as the created
>                 user login is wrong.
>
>                 testu...@company.de@company.de <http://company.de>
>
>             This is the issue
>
>             I'm using this
>
> https://github.com/apache/openmeetings/blob/master/openmeetings-web/src/test/resources/schema/users.ldif
>
>             Schema for tests
>
>             Maybe you can help me to create a schema for the case with
>             "suffixed" users?
>
>                 I hope I get the rest also figured out.
>
>                 Gerald
>
>                 *From:* Maxim Solodovnik [mailto:solomax...@gmail.com
>                 <mailto:solomax...@gmail.com>]
>                 *Sent:* Monday, 30 March 2020 11:50
>                 *To:* Openmeetings user-list
>                 <user@openmeetings.apache.org
>                 <mailto:user@openmeetings.apache.org>>
>                 *Subject:* Re: ldap config problems with authentication
>
>                 Your log is hard to read due to formatting issues :((
>
>                 Googling `DSID-0C090442` results in something about
>                 "searching between forests" which I don't understand :(
>
>                 Admin->LDAP has the setting "Add domain to user name"
>
>                 Do you have it checked? (domain to add should be
>                 specified)
>
>                 What is your LDAP provider? Is it ADS?
>
>                 To make logging more verbose you can
>
>                 1) stop OM
>
>                 2) add the following line to logback-config.xml
>
>                  <logger name="org.apache.directory" level="DEBUG" />
>
>                 3) restart OM
>
>                 According to my previous experience SEARCHANDBIND
>                 might work better
>
>                 On Mon, 30 Mar 2020 at 16:31, Rohrbach, Gerald
>                 <g.rohrb...@funkegruppe.de
>                 <mailto:g.rohrb...@funkegruppe.de>> wrote:
>
>                     Also having LDAP issues:
>
>                     It seems not to work.
>
>                     Below is the om_ldap.cfg that is used in the
>                     config file:
>
>                     DEBUG 03-30 08:42:26.213 o.a.o.s.q.s.ReminderJob:93 [Bean#0_Worker-3] - Rss disabled by Admin
>                     DEBUG 03-30 08:52:26.214 o.a.o.s.q.s.ReminderJob:93 [Bean#0_Worker-8] - Rss disabled by Admin
>                     DEBUG 03-30 09:02:26.214 o.a.o.s.q.s.ReminderJob:93 [Bean#0_Worker-5] - Rss disabled by Admin
>                     DEBUG 03-30 09:11:36.412 o.a.o.d.d.s.LdapConfigDao:69 [io-5443-exec-10] - getActiveLdapConfigs
>                     DEBUG 03-30 09:11:36.517 o.a.o.d.d.s.LdapConfigDao:69 [nio-5443-exec-2] - getActiveLdapConfigs
>                     DEBUG 03-30 09:12:13.115 o.a.o.c.l.LdapLoginManager:172 [nio-5443-exec-2] - LdapLoginmanager.doLdapLogin
>                     ERROR 03-30 09:12:13.129 o.a.o.c.l.LdapLoginManager:226 [nio-5443-exec-2] - Not authenticated.
>                     org.apache.directory.api.ldap.model.exception.LdapAuthenticationException: 80090308: LdapErr: DSID-0C090442, comment: AcceptSecurityContext error, data 52e, v3839
>                     at org.apache.directory.api.ldap.model.message.ResultCodeEnum.processResponse(ResultCodeEnum.java:1995)
>
>                     What does the LdapLoginManager message mean? Was
>                     the query user not able to connect or was the end
>                     user password wrong?
>
>                     How can I make visible what the query for the
>                     user is?
>
>                     It should be in the form u...@domain.de
>                     <mailto:u...@domain.de>, maybe the mapping is just
>                     wrong.
>
>                     This is the modified
>
>                     ldap_conn_host=DESVR-DC01.firma.de
>                     ldap_conn_port=389
>                     ldap_conn_secure=false
>
>                     # Login distinguished name (DN) for Authentication on LDAP Server - keep empty if not required
>                     # Use full qualified LDAP DN
>                     ldap_admin_dn=CN=ldapopenmeetings,OU=Users-Service-Accounts,DC=firma,DC=de
>
>                     # Loginpass for Authentication on LDAP Server - keep empty if not required
>                     ldap_passwd=#password#
>
>                     # base to search for userdata(of user, that wants to login)
>                     ldap_search_base=CN=Users,DC=firma,DC=de
>
>                     # Fieldnames (can differ between Ldap servers)
>                     ldap_search_query=(uid=%s)
>
>                     # the scope of the search might be: OBJECT, ONELEVEL, SUBTREE
>                     ldap_search_scope=SUBTREE
>
>                     # Ldap auth type(NONE, SEARCHANDBIND, SIMPLEBIND)
>                     #  When using SIMPLEBIND a simple bind is performed on the LDAP server to check user authentication
>                     #  When using NONE, the Ldap server is not used for authentication
>                     ldap_auth_type=SIMPLEBIND
>
>                     # userDN format, will be used to bind if ldap_auth_type=SIMPLEBIND
>                     # might be used to get provisionningDn in case ldap_auth_type=NONE
>                     ldap_userdn_format=uid=%s,CN=Users,DC=firma,DC=de
>
>                     # Ldap provisioning type(NONE, AUTOCREATE, AUTOUPDATE)
>                     ldap_provisionning=AUTOCREATE
>
>                     # Ldap deref mode (never, searching, finding, always)
>                     ldap_deref_mode=always
>                     ldap_use_admin_to_get_attrs=true
>
>                     # Ldap-password synchronization to OM DB
>                     #  Set this to 'true' if you want OM to synchronize the user Ldap-password to OM's internal DB
>                     #  If you want to disable the feature, set this to any other string.
>                     #  Default value is 'true'
>                     ldap_sync_password_to_om=false
>
>                     # Ldap group mode (NONE, ATTRIBUTE, QUERY)
>                     # NONE means group associations will be ignored
>                     # ATTRIBUTE means group associations will be taken from 'ldap_group_attr' attribute (M$ AD mode)
>                     # QUERY means group associations will be taken as a result of 'ldap_group_query' query
>                     ldap_group_mode=NONE
>
>                     ldap_group_query=(&(memberUid=%s)(objectClass=posixGroup))
>
>                     # Ldap user attributes mapping
>                     # Set the following internal OM user attributes to their corresponding Ldap-attribute
>
>                     ldap_user_attr_login=uid
>                     ldap_user_attr_lastname=sn
>                     ldap_user_attr_firstname=givenName
>                     ldap_user_attr_mail=mail
>                     ldap_user_attr_street=streetAddress
>                     ldap_user_attr_additionalname=description
>                     ldap_user_attr_fax=facsimileTelephoneNumber
>                     ldap_user_attr_zip=postalCode
>                     ldap_user_attr_country=co
>                     ldap_user_attr_town=l
>                     ldap_user_attr_phone=telephoneNumber
>                     # optional attribute for user picture
>                     #ldap_user_attr_picture=
>                     ldap_group_attr=memberOf
>
>                     # optional, absolute URL will be used as user picture if #ldap_user_attr_picture will be empty
>                     #ldap_user_picture_uri=picture_uri
>
>                     # optional
>                     # the timezone has to match any timezone available in Java, otherwise the timezone defined in the value of
>                     # the conf_key "default.timezone" in OpenMeetings "configurations" table
>                     #ldap_user_timezone=timezone
>
>                     # Ldap ignore upper/lower case, convert all input to lower case
>                     ldap_use_lower_case=false
>
>                     # Ldap import query, this query should retrieve all LDAP users
>                     ldap_import_query=(objectClass=inetOrgPerson)
>
>
>                 -- 
>                 WBR
>                 Maxim aka solomax
>
>             -- 
>             WBR
>             Maxim aka solomax
>
>         -- 
>         WBR
>         Maxim aka solomax
>
>     -- 
>     WBR
>     Maxim aka solomax
>
> -- 
> WBR
> Maxim aka solomax
>
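
Gerald's question in the quoted thread ("was the query user not able to connect or was the end user password wrong") is answered by the `data 52e` sub-code in the exception, not by the OpenMeetings message itself. The following shell helper is an added example, not code from the thread or from OpenMeetings: it pulls the AD sub-code out of a log line like the one Gerald posted and maps it to Active Directory's documented AcceptSecurityContext sub-codes, says which bind step to look at for SIMPLEBIND vs SEARCHANDBIND, and builds the ldapsearch command that reproduces the OM search filter so `(uid=%s)` vs `(userPrincipalName=%s)` can be checked against the directory before om_ldap.cfg is changed. The sample log line is constructed from the one in the thread; the host, base DN, admin DN and password file path are placeholders taken from or modelled on the posted config.

```shell
#!/bin/sh
# Added example (not from the thread or from OpenMeetings): decode an Active
# Directory bind failure as logged by OM, and dry-run the OM search filter.
set -eu

# Map the "data NNN" sub-code of an AD AcceptSecurityContext error to its
# meaning. All of these arrive as the same LDAP result code (49,
# invalidCredentials); only the sub-code separates a wrong password from a
# disabled or locked account. AD does not always distinguish an unknown
# account from a wrong password, so treat 525 vs 52e as a hint, not proof.
ad_subcode_meaning() {
    case "$1" in
        525) echo "user not found (the bind DN does not exist)" ;;
        52e) echo "invalid credentials (usually a wrong password)" ;;
        530) echo "not permitted to log on at this time" ;;
        531) echo "not permitted to log on from this workstation" ;;
        532) echo "password expired" ;;
        533) echo "account disabled" ;;
        701) echo "account expired" ;;
        773) echo "user must reset password" ;;
        775) echo "account locked out" ;;
        *)   echo "unknown sub-code $1"; return 1 ;;
    esac
}

# Extract the sub-code from a line such as
#   "... comment: AcceptSecurityContext error, data 52e, v3839"
# Prints the code; fails (prints nothing) if the line is not an AD bind error.
ad_subcode_from_log() {
    code=$(printf '%s\n' "$1" | sed -n 's/.*AcceptSecurityContext error, data \([0-9a-f]*\),.*/\1/p')
    [ -n "$code" ] || return 1
    printf '%s\n' "$code"
}

# With SIMPLEBIND, OM binds directly as ldap_userdn_format filled with the
# login, so a rejected bind concerns the end user's DN and password. With
# SEARCHANDBIND, the ldap_admin_dn bind happens first and the user bind only
# after the search, so either may be the one that failed.
explain_bind_failure() {
    line="$1"; auth_type="$2"
    code=$(ad_subcode_from_log "$line") || { echo "not an AD bind error"; return 1; }
    meaning=$(ad_subcode_meaning "$code") || true
    case "$auth_type" in
        SIMPLEBIND)    step="the bind with ldap_userdn_format (the end user's DN and password)" ;;
        SEARCHANDBIND) step="either the ldap_admin_dn bind or the user bind after the search" ;;
        *)             step="an unknown auth type" ;;
    esac
    printf 'data %s = %s; failed during %s\n' "$code" "$meaning" "$step"
}

# Build the ldapsearch that mirrors OM's lookup: same base, same admin DN,
# ldap_search_query with %s replaced by the login. The command is printed
# rather than run so it can be reviewed; the bind password comes from a file
# (-y), not from the command line.
om_search_command() {
    host="$1"; base="$2"; admin_dn="$3"; pass_file="$4"; query="$5"; login="$6"
    filter=$(printf '%s\n' "$query" | sed "s|%s|$login|")
    printf 'ldapsearch -x -H ldap://%s -D "%s" -y %s -b "%s" "%s" sAMAccountName userPrincipalName\n' \
        "$host" "$admin_dn" "$pass_file" "$base" "$filter"
}

# Constructed sample, modelled on the exception in the thread.
SAMPLE_LOG='ERROR 03-30 09:12:13.129 o.a.o.c.l.LdapLoginManager:226 - Not authenticated. LdapAuthenticationException: 80090308: LdapErr: DSID-0C090442, comment: AcceptSecurityContext error, data 52e, v3839'

explain_bind_failure "$SAMPLE_LOG" SIMPLEBIND
# Placeholder host/DNs from the posted config; /root/ldap.pass is assumed.
om_search_command DESVR-DC01.firma.de "CN=Users,DC=firma,DC=de" \
    "CN=ldapopenmeetings,OU=Users-Service-Accounts,DC=firma,DC=de" /root/ldap.pass \
    '(userPrincipalName=%s)' 'gerald@firma.de'
```

Running the printed ldapsearch with the old `(uid=%s)` filter returns no entry against AD, which is the same condition the thread hit: with SIMPLEBIND the DN built from `uid=%s,CN=Users,...` is never going to bind, regardless of the password. Note also that the posted config uses port 389 with `ldap_conn_secure=false`, so both the service account and end-user passwords cross the network in the clear; switching to LDAPS (636) or STARTTLS is worth doing at the same time as the filter fix.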
