On Mon, 15 Nov 2021 at 21:30, Meissa Sakho <[email protected]> wrote:
I've tried your hint and it works.
The question is: why do we have such a regression?
In the older version, it worked as defined in my first post and as
described in this article:
https://developers.redhat.com/blog/2018/09/21/setup-ldap-auth-amq-console#
On Mon, 15 Nov 2021 at 17:52, Emmanuel Lécharny <[email protected]> wrote:
Hi Meissa,

I can confirm this is a bug in the Apache Directory server. The
comparison of the RDN does not work properly when providing a
RDN like "cn=Meissa Sakho+uid=msakho".

The added entry has this normalized DN:

0.9.2342.19200300.100.1.1= msakho +2.5.4.3= meissa sakho,0.9.2342.19200300.100.1.25= example,0.9.2342.19200300.100.1.25= com

while the Bind DN is normalized this way:

2.5.4.3= meissa sakho +0.9.2342.19200300.100.1.1= msakho,0.9.2342.19200300.100.1.25= example,0.9.2342.19200300.100.1.25= com

As you can see, the two values are inverted (cn+uid in one case,
and uid+cn in the other case). That should not be the case.
This is the reason why it fails.

Funnily enough, if you tried to log in using
"uid=msakho+cn=Meissa SAKHO,ou=users,dc=example,dc=com", it would work...
On 15/11/2021 05:16, Emmanuel Lécharny wrote:
> Hi,
>
> Still, the first LDAP entry (with cn: meissa sakho) should work, as CN
> is case insensitive.
>
> I'll investigate.
>
> Thanks for the info!
>
> On 14/11/2021 18:57, Meissa Sakho wrote:
>> I'm using the latest version:
>>
>> Version: 2.0.0.v20210717-M17
>>
>> I was able to make it work by changing this section:
>>
>> dn: cn=Meissa SAKHO+uid=msakho,ou=Users,dc=example,dc=com
>> objectClass: organizationalPerson
>> objectClass: person
>> objectClass: inetOrgPerson
>> objectClass: top
>> cn: meissa sakho
>> sn: sakho
>> title: cn=Administrator,ou=Groups,dc=example,dc=com
>> uid: msakho
>> userpassword: meissa
>>
>> with this section:
>>
>> dn: cn=Meissa SAKHO,ou=Users,dc=example,dc=com
>> objectclass: person
>> objectclass: organizationalPerson
>> objectclass: inetOrgPerson
>> objectclass: top
>> cn: Meissa SAKHO
>> description: Capt. Meissa SAKHO, R.N
>> givenname: Meissa
>> sn: Sakho
>> uid: msakho
>> mail: [email protected]
>> userpassword: meissa
>>
>>
>> The difference between the two is in the cn.
>>
>> The first version worked once. I've borrowed it from this article [1]
>> written by one of my colleagues.
>>
>> It seems like there are some differences.
>>
>> [1] https://developers.redhat.com/blog/2018/09/21/setup-ldap-auth-amq-console#
>>
>> On Sat, 13 Nov 2021 at 19:51, Emmanuel Lécharny <[email protected]> wrote:
>>
>> Thanks.
>>
>> Will do a test with the data you've provided.
>>
>> Which LDAP DS version are you using?
>>
>> On 12/11/2021 08:55, Meissa Sakho wrote:
>> > Hi Emmanuel,
>> > below is the complete LDIF, and in bold the corresponding user
>> > whose password (uid=msakho, password=meissa) is in clear text:
>> > version: 1
>> >
>> > dn: dc=example,dc=com
>> > objectclass: top
>> > objectclass: domain
>> > dc: example
>> >
>> > dn: ou=Groups,dc=example,dc=com
>> > objectClass: organizationalUnit
>> > objectClass: top
>> > ou: Groups
>> >
>> >
>> > dn: ou=Users,dc=example,dc=com
>> > objectClass: organizationalUnit
>> > objectClass: top
>> > ou: Users
>> >
>> >
>> > dn: cn=Administrator,ou=Groups,dc=example,dc=com
>> > objectClass: groupOfNames
>> > objectClass: top
>> > cn: Administrator
>> > member: cn=John+sn=Doe+uid=jdoe,ou=Users,dc=example,dc=com
>> > member: cn=Elvadas NONO,ou=Users,dc=example,dc=com
>> >
>> > dn: cn=AMQGroup,ou=Groups,dc=example,dc=com
>> > objectClass: groupOfNames
>> > objectClass: top
>> > cn: AMQGroup
>> > member: cn=Elvadas Nono+sn=WOGUIA+uid=nelvadas,ou=Users,dc=example,dc=com
>> > member: cn=John+sn=Doe+uid=jdoe,ou=Users,dc=example,dc=com
>> > member: cn=Meissa+sn=Sakho+uid=msakho,ou=Users,dc=example,dc=com
>> >
>> > dn: cn=John+sn=Doe+uid=jdoe,ou=Users,dc=example,dc=com
>> > objectClass: organizationalPerson
>> > objectClass: person
>> > objectClass: inetOrgPerson
>> > objectClass: top
>> > cn: John
>> > sn: Doe
>> > title: cn=Administrator,ou=Groups,dc=example,dc=com
>> > uid: jdoe
>> > userPassword: redhat
>> >
>> >
>> > dn: cn=Elvadas NONO+uid=enonowoguia,ou=Users,dc=example,dc=com
>> > objectClass: organizationalPerson
>> > objectClass: person
>> > objectClass: inetOrgPerson
>> > objectClass: top
>> > cn: elvadas nono
>> > sn: Woguia
>> > title: cn=Administrator,ou=Groups,dc=example,dc=com
>> > uid: enonowoguia
>> > userpassword:: e1NTSEF9dlMzVU95V1Bnek9JMUhreG5IV290My9jS0NxZWlGNmlDSlh1SEE9PQ==
>> >
>> > *dn: cn=Meissa SAKHO+uid=msakho,ou=Users,dc=example,dc=com
>> > objectClass: organizationalPerson
>> > objectClass: person
>> > objectClass: inetOrgPerson
>> > objectClass: top
>> > cn: meissa sakho
>> > sn: sakho
>> > title: cn=Administrator,ou=Groups,dc=example,dc=com
>> > uid: msakho
>> > userpassword: meissa
>> > *
>> > Thanks
>> >
>> > On Fri, 12 Nov 2021 at 04:03, Emmanuel Lécharny <[email protected]> wrote:
>> >
>> > Hi,
>> >
>> > can you provide the entry associated with this user (with
>> > password redacted, of course)?
>> >
>> > Thanks !
>> >
>> > On 11/11/2021 18:53, Meissa Sakho wrote:
>> > > Hello everyone,
>> > > I'm trying to connect to my LDAP DS server from ActiveMQ.
>> > > The connection setting is configured via a login.config file like
>> > > below:
>> > >
>> > > activemq {
>> > >     org.apache.activemq.artemis.spi.core.security.jaas.LDAPLoginModule
>> > >         required
>> > >         debug=true
>> > >         initialContextFactory=com.sun.jndi.ldap.LdapCtxFactory
>> > >         connectionURL="ldap://localhost:10389"
>> > >         connectionUsername="uid=admin,ou=system"
>> > >         connectionPassword=secret
>> > >         connectionProtocol=s
>> > >         authentication=simple
>> > >         userBase="ou=Users,dc=example,dc=com"
>> > >         userSearchMatching="(uid={0})"
>> > >         userSearchSubtree=true
>> > >         roleBase="ou=Groups,dc=example,dc=com"
>> > >         roleName=cn
>> > >         roleSearchMatching="(member={0})"
>> > >         roleSearchSubtree=false
>> > >         reload=true
>> > >         ;
>> > > };
>> > > I've imported a sample LDIF file and double checked that every user
>> > > connection is correct.
>> > > When I try to get connected via the ActiveMQ admin console, I'm
>> > > getting a login failed error message because of a password that does
>> > > not match.
>> > >
>> > > 2021-11-11 18:38:29,436 DEBUG [org.apache.activemq.artemis.spi.core.security.jaas.LDAPLoginModule] LDAP returned a relative name: cn=Meissa SAKHO+uid=msakho,ou=Users
>> > >
>> > > 2021-11-11 18:38:29,436 DEBUG [org.apache.activemq.artemis.spi.core.security.jaas.LDAPLoginModule] Using DN [cn=Meissa SAKHO+uid=msakho,ou=Users,dc=example,dc=com] for binding.
>> > >
>> > > 2021-11-11 18:38:29,436 DEBUG [org.apache.activemq.artemis.spi.core.security.jaas.LDAPLoginModule] Binding the user.
>> > >
>> > > 2021-11-11 18:38:29,438 DEBUG [org.apache.activemq.artemis.spi.core.security.jaas.LDAPLoginModule] Authentication failed for dn=cn=Meissa SAKHO+uid=msakho,ou=Users,dc=example,dc=com
>> > >
>> > > WARN | qtp2029780820-35 | Login failed due to: Password does not match for user: msakh
>> > >
>> > > When I check the password test connection via the DS Studio, it
>> > > works fine.
>> > > I don't know what's wrong and where.
>> > > Any idea?
>> > >
>> >
>> > --
>> > *Emmanuel Lécharny - CTO* 205 Promenade des Anglais – 06200 NICE
>> > T. +33 (0)4 89 97 36 50
>> > P. +33 (0)6 08 33 32 61
>> > [email protected]
>> > https://www.busit.com/
>> >
>> >
>>
>> > ---------------------------------------------------------------------
>> > To unsubscribe, e-mail: [email protected]
>> > For additional commands, e-mail: [email protected]
>> >
>>
>>
>
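The two normalized DNs Emmanuel quotes above show the bug exactly: a multi-valued RDN is a set of AVAs, so "cn=Meissa SAKHO+uid=msakho" and "uid=msakho+cn=Meissa SAKHO" name the same entry, and a DN comparison that depends on the order in which the AVAs were written will reject a bind with a perfectly valid DN (and, when the normalizer is inconsistent between the add path and the bind path, will even reject the DN exactly as it was stored). The Python below is an added example written for this page, not ApacheDS or Artemis code. It parses a DN into RDNs and AVAs, maps attribute types to their RFC 4519 OIDs, normalizes values the way caseIgnoreMatch would (trim, collapse whitespace, lowercase; an assumption that holds for cn, sn, ou, uid and dc but not for every attribute type), sorts the AVAs of each RDN into a canonical order, and compares. The `sort_avas=False` switch exists only to reproduce the order-dependent comparison the thread describes; the sample DNs are constructed from the LDIF above.

```python
"""
Canonical comparison of LDAP DNs whose RDNs are multi-valued.

Added example for this thread; it is not ApacheDS or Artemis code.
Attribute-type OIDs are the standard RFC 4519 ones; value normalisation
approximates caseIgnoreMatch (trim, collapse whitespace, lowercase),
which is an assumption that holds for cn, sn, ou, uid and dc but not
for every attribute type. Only backslash-escaped single characters are
handled; hex escapes such as \\2C are out of scope here.
"""
import re

# RFC 4519 OIDs for the attribute types used in the thread's LDIF.
ATTR_OIDS = {
    "cn": "2.5.4.3",
    "sn": "2.5.4.4",
    "ou": "2.5.4.11",
    "uid": "0.9.2342.19200300.100.1.1",
    "dc": "0.9.2342.19200300.100.1.25",
}


def _split_unescaped(text, sep):
    """Split on sep, keeping backslash-escaped separators inside a part."""
    parts, buf, i = [], [], 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):
            buf.append(text[i:i + 2])   # keep "\," or "\+" together
            i += 2
            continue
        if ch == sep:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))
    return parts


def _normalize_value(value):
    """caseIgnoreMatch-style normalisation (assumption, see module docstring)."""
    unescaped = re.sub(r"\\(.)", r"\1", value)
    return " ".join(unescaped.split()).lower()


def parse_ava(ava):
    """'cn=Meissa SAKHO' -> ('2.5.4.3', 'meissa sakho')."""
    attr, eq, value = ava.partition("=")
    if not eq:
        raise ValueError(f"not an attribute=value assertion: {ava!r}")
    attr = attr.strip().lower()
    oid = ATTR_OIDS.get(attr)
    if oid is None:
        if not re.fullmatch(r"\d+(\.\d+)+", attr):
            raise ValueError(f"unknown attribute type: {attr!r}")
        oid = attr                      # already a numeric OID
    return oid, _normalize_value(value)


def normalize_dn(dn, sort_avas=True):
    """Return the DN as a tuple of RDNs, each RDN a tuple of (oid, value).

    With sort_avas=True the AVAs of a multi-valued RDN are put in a
    canonical order, so 'cn=X+uid=Y' and 'uid=Y+cn=X' normalise alike.
    sort_avas=False keeps the order as written, which reproduces the
    order-dependent comparison reported in the thread.
    """
    rdns = []
    for rdn in _split_unescaped(dn, ","):
        avas = [parse_ava(a) for a in _split_unescaped(rdn, "+")]
        if sort_avas:
            avas.sort()                 # sort by (oid, value)
        rdns.append(tuple(avas))
    return tuple(rdns)


def format_normalized(dn):
    """Render the canonical form, e.g. for a debug log."""
    return ",".join("+".join(f"{o}={v}" for o, v in rdn)
                    for rdn in normalize_dn(dn))


def dns_match(a, b, sort_avas=True):
    """True when the two DNs name the same entry after normalisation."""
    return normalize_dn(a, sort_avas) == normalize_dn(b, sort_avas)


# Constructed inputs: the stored entry DN from the LDIF above, and the DN
# a client might bind with, written with the AVAs in the other order.
ENTRY_DN = "cn=Meissa SAKHO+uid=msakho,ou=Users,dc=example,dc=com"
BIND_DN = "uid=msakho+cn=meissa sakho,ou=users,dc=example,dc=com"

if __name__ == "__main__":
    print(format_normalized(ENTRY_DN))
    print("canonical compare:", dns_match(ENTRY_DN, BIND_DN))
    print("order-dependent compare:", dns_match(ENTRY_DN, BIND_DN, sort_avas=False))
```

Running it prints the canonical form of the stored entry DN with the uid AVA first, then shows the same pair of DNs matching under the canonical compare and failing under the order-dependent one. While the server-side bug is present, the practical checks are the ones the thread already gives: bind with the AVAs in the order the server's normalizer produced, or avoid multi-valued RDNs for user entries altogether, as Meissa's second LDIF does.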