Well,

I would suggest taking the original server.xml from M4
https://github.com/apache/openmeetings/blob/master/openmeetings-server/src/main/assembly/conf/server.xml#L76
and changing nothing but the <Certificate ...> tag.
Use this one
<Certificate certificateKeyFile="conf/your_key.pem"
             certificateFile="conf/your_crt.pem"
             certificateChainFile="conf/your_ca.pem"
             type="RSA" />
with your own paths.

No native libraries, conversions, etc.
One easy step :))

Please ensure the cert paths are readable by OM :))

On Tue, 7 Apr 2020 at 19:50, K. Kamhamea <kamha...@googlemail.com> wrote:

> In my manual I covered wildcard certificates under System Administrator >
> SSL
>
>
> https://cwiki.apache.org/confluence/display/OPENMEETINGS/OpemMeetings+5+Manual
>
> On Tue, 7 Apr 2020 at 12:43, Rohrbach, Gerald <g.rohrb...@funkegruppe.de> wrote:
>
>> Maxim,
>>
>>
>>
>> So far our OpenMeetings server for internal use is working fine.
>>
>>
>>
>> I found a lot of manuals using Let's Encrypt certificates, but this seems
>> not to be that easy, and we need to repeat the procedure every 90 days.
>>
>> To make it more comfortable for the users I think we need to get the
>> certificate in place.
>>
>> Unfortunately my knowledge about this certificate stuff is close to zero…
>>
>>
>>
>> We have an official wildcard certificate that we can use.
>>
>> But I did not find a manual on how to install it.
>>
>>
>>
>> Is there any documentation I can use? Is that specific to OpenMeetings, or
>> is it more specific to Tomcat?
>>
>>
>>
>>
>>
>> Gerald
>>
>> *From:* Maxim Solodovnik [mailto:solomax...@gmail.com]
>> *Sent:* Monday, 30 March 2020 17:19
>> *To:* Openmeetings user-list <user@openmeetings.apache.org>
>> *Subject:* Re: ldap config problems with authentication solved -
>> Database move to different server
>>
>>
>>
>> First of all, clustering is not working in M3
>> https://issues.apache.org/jira/browse/OPENMEETINGS-2186
>>
>> You need M4 SNAPSHOT for this
>>
>>
>>
>> Then, I'm afraid, there is a misunderstanding: `localDB` is a UI term that
>> means DB as opposed to LDAP
>>
>> To change DB location you need to change localhost to some external IP in
>> persistence.xml
>>
>>
>>
>> Latest SNAPSHOT is here:
>> https://builds.apache.org/view/M-R/view/OpenMeetings/job/openmeetings/
>>
>> Latest docs here:
>> https://builds.apache.org/view/M-R/view/OpenMeetings/job/openmeetings/site/openmeetings-server/Clustering.html
>>
>>
>>
>> I hope there will be no DB updates before the M4 release, so most probably
>> the DB will be compatible
>>
>> On Mon, 30 Mar 2020 at 22:13, Rohrbach, Gerald <g.rohrb...@funkegruppe.de>
>> wrote:
>>
>> Well, I need another hint…
>>
>>
>>
>> As we have now tested a lot and think we can use it for more users, we
>> probably need more than one server. I am interested in clustering.
>>
>> But I know this is sometimes difficult to set up on our core switch.
>>
>>
>>
>> First step would be to have the database separated on a different server.
>>
>> We have already created a lot of users in the M3 release.
>>
>>
>>
>> For testing M4 I have already made a backup and restored it.
>>
>> But in this case the database was also local.
>>
>>
>>
>> Probably I need to change somewhere in a config file where the new
>> database is located, if it is not local.
>>
>> Because in the backup there was a localDB; on the new server I would like
>> a different machine.
>>
>> Which file do I need to edit?
>>
>> Regards
>>
>>
>>
>> Gerald.
>>
>> *From:* Maxim Solodovnik [mailto:solomax...@gmail.com]
>> *Sent:* Monday, 30 March 2020 16:19
>> *To:* Openmeetings user-list <user@openmeetings.apache.org>
>> *Subject:* Re: ldap config problems with authentication solved
>>
>>
>>
>> Great news :)
>>
>> I don't have to fix it :)))
>>
>>
>>
>> Thanks a lot!
>>
>>
>>
>> On Mon, 30 Mar 2020 at 21:16, Rohrbach, Gerald <g.rohrb...@funkegruppe.de>
>> wrote:
>>
>> Maxim,
>>
>>
>>
>> I found the solution:
>>
>>
>>
>> These are the settings:
>>
>>
>>
>> ldap_search_query=(userPrincipalName=%s)
>>
>> ldap_userdn_format=userPrincipalName=%s,CN=Users,DC=company,DC=de
>>
>>
>>
>> ldap_user_attr_login=sAMAccountName
>>
>>
>>
>> Then the users are created in the right way: use...@company.de
>>
>> No duplicates anymore.
>>
>>
>>
>>
>>
>> Regards
>>
>>
>>
>> Gerald
>>
>> *From:* Maxim Solodovnik [mailto:solomax...@gmail.com]
>> *Sent:* Monday, 30 March 2020 14:37
>> *To:* Openmeetings user-list <user@openmeetings.apache.org>
>> *Subject:* Re: ldap config problems with authentication
>>
>>
>>
>> Of course I can add a simple check
>> "if-login-contains-domain-do-not-add-another-one", but I would prefer to
>> create a simulation of a real LDAP :)
>>
>>
>>
>> On Mon, 30 Mar 2020 at 19:31, Maxim Solodovnik <solomax...@gmail.com>
>> wrote:
>>
>> On Mon, 30 Mar 2020 at 19:25, Rohrbach, Gerald <g.rohrb...@funkegruppe.de>
>> wrote:
>>
>> Maxim,
>>
>>
>>
>> That was a good hint with the logging.
>>
>> I think it is just an understanding and config issue.
>>
>>
>>
>>    SearchRequest
>>
>>         baseDn : 'CN=Users,DC=company,DC=de'
>>
>>         filter : '(uid=x...@compay.de)'
>>
>>
>>
>> In ADS the uid attribute is not filled. Instead, in ADS we need to use
>> userPrincipalName or something else.
>>
>>
>>
>> for ADS `sAMAccountName` or something like this should be used
>>
>>
>>
>>
>>
>> So authentication works fine, but every time someone logs in a new user
>> account is created.
>>
>>
>>
>> It looks like we still have an issue, as the created user login is wrong.
>>
>> testu...@company.de@company.de
>>
>>
>>
>> This is the issue.
>>
>> I'm using this
>>
>>
>> https://github.com/apache/openmeetings/blob/master/openmeetings-web/src/test/resources/schema/users.ldif
>>
>> schema for tests.
>>
>> Maybe you can help me to create a schema for the case with "suffixed" users?
>>
>>
>>
>>
>>
>> I hope I get the rest also figured out.
>>
>>
>>
>>
>>
>> Gerald
>>
>> *From:* Maxim Solodovnik [mailto:solomax...@gmail.com]
>> *Sent:* Monday, 30 March 2020 11:50
>> *To:* Openmeetings user-list <user@openmeetings.apache.org>
>> *Subject:* Re: ldap config problems with authentication
>>
>>
>>
>> Your log is hard to read due to formatting issues :((
>>
>> Googling `DSID-0C090442` results in something about "searching between
>> forests", which I don't understand :(
>>
>>
>>
>> Admin->LDAP has the setting "Add domain to user name"
>>
>> Do you have it checked? (domain to add should be specified)
>>
>>
>>
>> What is your LDAP provider? Is it ADS?
>>
>>
>>
>> To make logging more verbose you can
>>
>> 1) stop OM
>>
>> 2) add the following line to logback-config.xml
>>
>>  <logger name="org.apache.directory" level="DEBUG" />
>>
>> 3) restart OM
>>
>>
>>
>> According to my previous experience, SEARCHANDBIND might work better
>>
>>
>>
>>
>>
>> On Mon, 30 Mar 2020 at 16:31, Rohrbach, Gerald <g.rohrb...@funkegruppe.de>
>> wrote:
>>
>> Also having LDAP issues:
>>
>>
>>
>> It seems not to work.
>>
>>
>>
>> Below is the om_ldap.cfg that is used in the config file:
>>
>>
>>
>> DEBUG 03-30 08:42:26.213 o.a.o.s.q.s.ReminderJob:93 [Bean#0_Worker-3] - Rss disabled by Admin
>> DEBUG 03-30 08:52:26.214 o.a.o.s.q.s.ReminderJob:93 [Bean#0_Worker-8] - Rss disabled by Admin
>> DEBUG 03-30 09:02:26.214 o.a.o.s.q.s.ReminderJob:93 [Bean#0_Worker-5] - Rss disabled by Admin
>> DEBUG 03-30 09:11:36.412 o.a.o.d.d.s.LdapConfigDao:69 [io-5443-exec-10] - getActiveLdapConfigs
>> DEBUG 03-30 09:11:36.517 o.a.o.d.d.s.LdapConfigDao:69 [nio-5443-exec-2] - getActiveLdapConfigs
>> DEBUG 03-30 09:12:13.115 o.a.o.c.l.LdapLoginManager:172 [nio-5443-exec-2] - LdapLoginmanager.doLdapLogin
>> ERROR 03-30 09:12:13.129 o.a.o.c.l.LdapLoginManager:226 [nio-5443-exec-2] - Not authenticated.
>> org.apache.directory.api.ldap.model.exception.LdapAuthenticationException: 80090308: LdapErr: DSID-0C090442, comment: AcceptSecurityContext error, data 52e, v3839
>>     at org.apache.directory.api.ldap.model.message.ResultCodeEnum.processResponse(ResultCodeEnum.java:1995)
>>
>>
>>
>>
>>
>>
>> What does the LdapLoginManager message mean: was the query user not able
>> to connect, or was the end user password wrong?
>>
>> How can I make visible what the query for the user is?
>>
>> It should be in the form u...@domain.de; maybe the mapping is just wrong.
>>
>> This is the modified
>>
>> ldap_conn_host=DESVR-DC01.firma.de
>> ldap_conn_port=389
>> ldap_conn_secure=false
>>
>> # Login distinguished name (DN) for Authentication on LDAP Server - keep
>> # empty if not required
>> # Use full qualified LDAP DN
>> ldap_admin_dn=CN=ldapopenmeetings,OU=Users-Service-Accounts,DC=firma,DC=de
>>
>> # Loginpass for Authentication on LDAP Server - keep empty if not required
>> ldap_passwd=#password#
>>
>> # base to search for userdata(of user, that wants to login)
>> ldap_search_base=CN=Users,DC=firma,DC=de
>>
>> # Fieldnames (can differ between Ldap servers)
>> ldap_search_query=(uid=%s)
>>
>> # the scope of the search might be: OBJECT, ONELEVEL, SUBTREE
>> ldap_search_scope=SUBTREE
>>
>> # Ldap auth type(NONE, SEARCHANDBIND, SIMPLEBIND)
>> #  When using SIMPLEBIND a simple bind is performed on the LDAP server to
>> #  check user authentication
>> #  When using NONE, the Ldap server is not used for authentication
>> ldap_auth_type=SIMPLEBIND
>>
>> # userDN format, will be used to bind if ldap_auth_type=SIMPLEBIND
>> # might be used to get provisionningDn in case ldap_auth_type=NONE
>> ldap_userdn_format=uid=%s,CN=Users,DC=firma,DC=de
>>
>> # Ldap provisioning type(NONE, AUTOCREATE, AUTOUPDATE)
>> ldap_provisionning=AUTOCREATE
>>
>> # Ldap deref mode (never, searching, finding, always)
>> ldap_deref_mode=always
>> ldap_use_admin_to_get_attrs=true
>>
>> # Ldap-password synchronization to OM DB
>> #  Set this to 'true' if you want OM to synchronize the user
>> #  Ldap-password to OM's internal DB
>> #  If you want to disable the feature, set this to any other string.
>> #  Default value is 'true'
>> ldap_sync_password_to_om=false
>>
>> # Ldap group mode (NONE, ATTRIBUTE, QUERY)
>> # NONE means group associations will be ignored
>> # ATTRIBUTE means group associations will be taken from 'ldap_group_attr'
>> # attribute (M$ AD mode)
>> # QUERY means group associations will be taken as a result of
>> # 'ldap_group_query' query
>> ldap_group_mode=NONE
>>
>> ldap_group_query=(&(memberUid=%s)(objectClass=posixGroup))
>>
>> # Ldap user attributes mapping
>> # Set the following internal OM user attributes to their corresponding
>> # Ldap-attribute
>> ldap_user_attr_login=uid
>> ldap_user_attr_lastname=sn
>> ldap_user_attr_firstname=givenName
>> ldap_user_attr_mail=mail
>> ldap_user_attr_street=streetAddress
>> ldap_user_attr_additionalname=description
>> ldap_user_attr_fax=facsimileTelephoneNumber
>> ldap_user_attr_zip=postalCode
>> ldap_user_attr_country=co
>> ldap_user_attr_town=l
>> ldap_user_attr_phone=telephoneNumber
>> # optional attribute for user picture
>> #ldap_user_attr_picture=
>> ldap_group_attr=memberOf
>>
>> # optional, absolute URL will be used as user picture if
>> # ldap_user_attr_picture will be empty
>> #ldap_user_picture_uri=picture_uri
>>
>> # optional
>> # the timezone has to match any timezone available in Java, otherwise the
>> # timezone defined in the value of
>> # the conf_key "default.timezone" in OpenMeetings "configurations" table
>> #ldap_user_timezone=timezone
>>
>> # Ldap ignore upper/lower case, convert all input to lower case
>> ldap_use_lower_case=false
>>
>> # Ldap import query, this query should retrieve all LDAP users
>> ldap_import_query=(objectClass=inetOrgPerson)
>>
>>
>>
>>
>> --
>>
>> WBR
>> Maxim aka solomax
>>
>

-- 
Best regards,
Maxim
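As an added example (not code from this thread, from OpenMeetings or from Tomcat), the check behind Maxim's "ensure the cert paths are readable by OM": parse one <Certificate .../> element, resolve its three PEM paths against the Tomcat base directory, and report files the OM account cannot read, plus a private key that everyone can read. The OM account's uid/gid, the base directory and the demo files are assumptions constructed inside the block; it decides from os.stat permission bits only, so the verdict does not depend on who runs the checker.

```python
"""Added example, not OpenMeetings or Tomcat code: verify that the PEM files
named in a Tomcat <Certificate .../> element are readable by the account
running OM and that the private key is not world-readable. Uses only
os.stat permission bits, so the verdict is the same whether or not the
checker itself runs as root. All paths, uids and files below are
constructed for the demo."""
import os
import stat
import tempfile
import xml.etree.ElementTree as ET

PEM_ATTRS = ("certificateKeyFile", "certificateFile", "certificateChainFile")


def certificate_paths(certificate_xml, base_dir):
    """{attribute: absolute path} for the PEM attributes of one <Certificate/>.
    Relative values such as conf/your_key.pem are resolved against base_dir
    (the Tomcat/OM installation directory)."""
    element = ET.fromstring(certificate_xml)
    paths = {}
    for attr in PEM_ATTRS:
        value = element.get(attr)
        if value:
            paths[attr] = value if os.path.isabs(value) else os.path.join(base_dir, value)
    return paths


def readable_by(st, uid, gid):
    """POSIX rule: owner bits if uid owns the file, else group bits if gid
    matches, else the 'other' bits."""
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IRUSR)
    if st.st_gid == gid:
        return bool(st.st_mode & stat.S_IRGRP)
    return bool(st.st_mode & stat.S_IROTH)


def audit_pem_files(paths, uid, gid):
    """Findings for the OM account (uid, gid); an empty list means every file
    exists, is readable by that account, and the key is not world-readable."""
    findings = []
    for attr, path in paths.items():
        try:
            st = os.stat(path)
        except FileNotFoundError:
            findings.append(f"{attr}: {path} does not exist")
            continue
        if not readable_by(st, uid, gid):
            findings.append(f"{attr}: {path} is not readable by uid={uid} gid={gid}")
        if attr == "certificateKeyFile" and st.st_mode & stat.S_IROTH:
            findings.append(f"{attr}: {path} is world-readable; keep the private key at mode 0640 or tighter")
    return findings


# The element from Maxim's reply, with his placeholder paths.
CERTIFICATE_XML = """<Certificate certificateKeyFile="conf/your_key.pem"
                     certificateFile="conf/your_crt.pem"
                     certificateChainFile="conf/your_ca.pem"
                     type="RSA" />"""


def demo():
    """Constructed layout: key 0644 (too open), cert 0600 (unreadable by a
    non-owner), chain missing. Returns (findings for a foreign OM account,
    findings for the owner after the fix)."""
    base = tempfile.mkdtemp()
    os.mkdir(os.path.join(base, "conf"))
    paths = certificate_paths(CERTIFICATE_XML, base)
    with open(paths["certificateKeyFile"], "w") as fh:
        fh.write("-----BEGIN PRIVATE KEY-----\nconstructed\n-----END PRIVATE KEY-----\n")
    with open(paths["certificateFile"], "w") as fh:
        fh.write("-----BEGIN CERTIFICATE-----\nconstructed\n-----END CERTIFICATE-----\n")
    os.chmod(paths["certificateKeyFile"], 0o644)
    os.chmod(paths["certificateFile"], 0o600)
    me_uid, me_gid = os.getuid(), os.getgid()
    # An "OM account" that is neither the owner nor in the owning group.
    other = audit_pem_files(paths, me_uid + 1, me_gid + 1)
    # Fix: tighten the key and add the chain; the owner (running OM) reads all.
    os.chmod(paths["certificateKeyFile"], 0o640)
    with open(paths["certificateChainFile"], "w") as fh:
        fh.write("-----BEGIN CERTIFICATE-----\nconstructed\n-----END CERTIFICATE-----\n")
    owner = audit_pem_files(paths, me_uid, me_gid)
    return other, owner


if __name__ == "__main__":
    before, after = demo()
    print("\n".join(before) or "no findings")
    print("after fix:", after)
```

In a real installation pass the uid/gid of the account that runs OM and the Tomcat base directory instead of the temporary layout; the key being readable by the OM account but by nobody else is the state the check accepts.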
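Also as an added example, not OpenMeetings code: a small triage helper for the LDAP part of the thread. It decodes the AD sub-code in the quoted bind error (the "data 52e" after "AcceptSecurityContext error" is Active Directory's "invalid credentials"; which bind it refers to, the service account's or the end user's, has to be read from the surrounding log), flags om_ldap.cfg settings that fail against AD or expose passwords (uid-based filter and bind DN, a simple bind over plain LDAP, an inetOrgPerson import query), fills the %s placeholder with RFC 4515 escaping so a crafted login cannot widen the filter, and applies the "do not append the domain twice" rule Maxim mentions. The sub-code table is standard Windows LDAP bind diagnostics; the config checks are heuristics written for this example; the sample config reproduces Gerald's posted values and is constructed here.

```python
"""Added example, not OpenMeetings code: triage the AD LDAP settings and the
bind error from the thread. Standard library only; every input is constructed
inline and nothing contacts a directory. The AD sub-code table and the RFC
4515 escaping are standard; the config checks are heuristics for this example."""
import re

# Sub-codes Active Directory appends to "AcceptSecurityContext error, data NNN".
AD_BIND_DATA_CODES = {
    "525": "user not found",
    "52e": "invalid credentials (the bind DN/password pair was rejected)",
    "530": "not permitted to logon at this time",
    "531": "not permitted to logon at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}
_AD_DATA_RE = re.compile(r"AcceptSecurityContext error, data ([0-9a-fA-F]+)")


def decode_ad_bind_error(message):
    """(code, meaning) for an AD bind diagnostic, or (None, None) if absent."""
    m = _AD_DATA_RE.search(message)
    if not m:
        return None, None
    code = m.group(1).lower()
    return code, AD_BIND_DATA_CODES.get(code, "unknown AD sub-code")


def escape_filter_value(value):
    """RFC 4515 escaping so a login cannot widen the search filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def build_search_filter(template, login):
    """Fill an om_ldap.cfg template such as (userPrincipalName=%s)."""
    if template.count("%s") != 1:
        raise ValueError("template needs exactly one %s")
    return template.replace("%s", escape_filter_value(login))


def add_domain_once(login, domain):
    """Append @domain only if the login has none (avoids user@dom@dom)."""
    return login if not domain or "@" in login else f"{login}@{domain}"


def parse_om_ldap_cfg(text):
    """key=value lines; comment and blank lines are skipped."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            cfg[key.strip()] = value.strip()
    return cfg


_UID_RE = re.compile(r"(?<![A-Za-z])uid(?![A-Za-z])")


def check_ad_config(cfg):
    """Warnings for settings that fail against AD or expose passwords."""
    warnings = []
    for key in ("ldap_search_query", "ldap_userdn_format", "ldap_user_attr_login"):
        if _UID_RE.search(cfg.get(key, "")):
            warnings.append(f"{key}: 'uid' is not populated in AD; "
                            "use userPrincipalName or sAMAccountName")
    if cfg.get("ldap_conn_secure", "").lower() != "true":
        warnings.append("ldap_conn_secure is not true: a simple bind over plain "
                        "LDAP sends the service-account and user passwords in cleartext")
    if cfg.get("ldap_auth_type") == "SIMPLEBIND" and "%s" not in cfg.get("ldap_userdn_format", ""):
        warnings.append("SIMPLEBIND needs a %s placeholder in ldap_userdn_format")
    if "inetOrgPerson" in cfg.get("ldap_import_query", ""):
        warnings.append("ldap_import_query: AD user objects are usually "
                        "objectClass=user, not inetOrgPerson")
    return warnings


# Constructed sample: the values Gerald posted (password redacted, as in the thread).
SAMPLE_CFG = """\
ldap_conn_host=DESVR-DC01.firma.de
ldap_conn_port=389
ldap_conn_secure=false
ldap_admin_dn=CN=ldapopenmeetings,OU=Users-Service-Accounts,DC=firma,DC=de
ldap_passwd=#password#
ldap_search_base=CN=Users,DC=firma,DC=de
ldap_search_query=(uid=%s)
ldap_auth_type=SIMPLEBIND
ldap_userdn_format=uid=%s,CN=Users,DC=firma,DC=de
ldap_user_attr_login=uid
ldap_import_query=(objectClass=inetOrgPerson)
"""
SAMPLE_ERROR = ("LdapAuthenticationException: 80090308: LdapErr: DSID-0C090442, "
                "comment: AcceptSecurityContext error, data 52e, v3839")

if __name__ == "__main__":
    print(decode_ad_bind_error(SAMPLE_ERROR))
    for w in check_ad_config(parse_om_ldap_cfg(SAMPLE_CFG)):
        print("WARN", w)
    print(build_search_filter("(userPrincipalName=%s)", "gerald)(cn=*"))
```

Run against Gerald's first config it emits five warnings; with the values from his follow-up (userPrincipalName in the query and bind DN, sAMAccountName as the login attribute) plus ldap_conn_secure=true and an AD-style import query, it emits none.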
