Nuxeo 7.10 LDAP authentication

Hi, we have a Nuxeo 5.6 installation that we want to migrate to the latest Nuxeo version available (7.10). We use an LDAP directory to manage users, groups and of course authentication. I upgraded successfully to 5.8, then 6.0; all is working fine. The problem I have is migrating from 6 to 7: the application starts correctly but it is impossible to log in with an LDAP account; the following message is displayed: “Identifiant ou mot de passe incorrect” (“Incorrect login or password”). server.xml gives these logs:

2015-12-09 10:15:24,257 DEBUG [ajp-bio-0.0.0.0-8009-exec-2] [org.nuxeo.ecm.directory.ldap.LDAPSession] LDAPSession.getLdapEntry(xxxx.xxx@xxxxx.fr, false): LDAP search base='ou=people,dc=xxxxx,dc=fr' filter='(&(mail={0})(&(objectClass=*)(mail=*)))' args='xxxx.xxx@xxxxx.fr' scope='2' [LDAPSession '-8773852779606179798' for directory ldapUserDirectory]
2015-12-09 10:15:24,268 DEBUG [ajp-bio-0.0.0.0-8009-exec-2] [org.nuxeo.ecm.directory.ldap.LDAPSession] LDAPSession.getLdapEntry(xxxx.xxx@xxxxx.fr, false): LDAP search base='ou=people,dc=xxxxx,dc=fr' filter='(&(mail={0})(&(objectClass=*)(mail=*)))' args='xxxx.xxx@xxxxx.fr' scope='2' => found: cn=XXXX XXXX,ou=xxxx,ou=people,dc=xxxxx,dc=fr [LDAPSession '-8773852779606179798' for directory ldapUserDirectory]
2015-12-09 10:15:24,268 DEBUG [ajp-bio-0.0.0.0-8009-exec-2] [org.nuxeo.ecm.directory.ldap.LDAPSession] LDAP bind dn='cn=XXXXX XXXXX,ou=xxxxx,ou=people,dc=xxxxx,dc=fr'
2015-12-09 10:15:24,270 DEBUG [ajp-bio-0.0.0.0-8009-exec-2] [org.nuxeo.ecm.directory.ldap.LDAPSession] Bind succeeded, authentication ok
2015-12-09 10:15:24,271 DEBUG [ajp-bio-0.0.0.0-8009-exec-2] [org.nuxeo.ecm.directory.BaseSession] Can't get current user to check directory permission. EVERYTHING is allowed by default
2015-12-09 10:15:24,272 DEBUG [ajp-bio-0.0.0.0-8009-exec-2] [org.nuxeo.ecm.directory.BaseSession] Can't get current user to check directory permission. EVERYTHING is allowed by default
2015-12-09 10:15:24,272 DEBUG [ajp-bio-0.0.0.0-8009-exec-2] [org.nuxeo.ecm.directory.ldap.LDAPSession] LDAPSession.getLdapEntry(xxxx.xxx@xxxxx.fr, true): LDAP search base='ou=people,dc=xxxxx,dc=fr' filter='(&(mail={0})(&(objectClass=*)(mail=*)))' args='xxxx.xxx@xxxxx.fr' scope='2' [LDAPSession '-8773852715181670356' for directory ldapUserDirectory]
2015-12-09 10:15:24,283 DEBUG [ajp-bio-0.0.0.0-8009-exec-2] [org.nuxeo.ecm.directory.ldap.LDAPSession] LDAPSession.getLdapEntry(xxxx.xxx@xxxxx.fr, true): LDAP search base='ou=people,dc=xxxxx,dc=fr' filter='(&(mail={0})(&(objectClass=*)(mail=*)))' args='xxxx.xxx@xxxxx.fr' scope='2' => found: cn=XXXXX XXXXX,ou=xxxx,ou=people,dc=xxxxx,dc=fr [LDAPSession '-8773852715181670356' for directory ldapUserDirectory]
2015-12-09 10:15:24,285 DEBUG [ajp-bio-0.0.0.0-8009-exec-2] [org.nuxeo.ecm.directory.ldap.LDAPSession] LDAPSession.getLdapEntry(xxxx.xxx@xxxxx.fr, false): LDAP search base='ou=people,dc=xxxxx,dc=fr' filter='(&(mail={0})(&(objectClass=*)(mail=*)))' args='xxxx.xxx@xxxxx.fr' scope='2' [LDAPSession '-8773852663642062803' for directory ldapUserDirectory]
2015-12-09 10:15:24,292 DEBUG [ajp-bio-0.0.0.0-8009-exec-2] [org.nuxeo.ecm.directory.ldap.LDAPSession] LDAPSession.getLdapEntry(xxxx.xxx@xxxxx.fr, false): LDAP search base='ou=people,dc=xxxxx,dc=fr' filter='(&(mail={0})(&(objectClass=*)(mail=*)))' args='xxxx.xxx@xxxxx.fr' scope='2' => found: cn=XXXXX.XXXX,ou=xxxx,ou=people,dc=xxxxx,dc=fr [LDAPSession '-8773852663642062803' for directory ldapUserDirectory]
2015-12-09 10:15:24,293 DEBUG [ajp-bio-0.0.0.0-8009-exec-2] [org.nuxeo.ecm.directory.ldap.LDAPReference] LDAPReference.getSourceIdsForTarget(xxxx.xxx@xxxxx.fr): LDAP search search base='ou=groupes-dynamiques,ou=Applications,dc=xxxxx,dc=fr' filter='(&(uniqueMember={0})(&(&(|(objectClass=groupOfUniqueNames)(objectClass=groupOfURLs)))(cn=*)))' args='cn=xxxxx xxxxx,ou=enm,ou=people,dc=xxxxx,dc=fr' scope='2' [LDAPReference to resolve field='members' of sourceDirectory='ldapGroupDirectory' with targetDirectory='ldapUserDirectory' and staticAttributeId='uniqueMember', dynamicAttributeId='memberURL']
2015-12-09 10:15:26,088 DEBUG [ajp-bio-0.0.0.0-8009-exec-2] [org.nuxeo.ecm.directory.ldap.LDAPReference] LDAPReference.getSourceIdsForTarget(xxxx.xxx@xxxxx.fr): LDAP search search base='ou=groupes-dynamiques,ou=Applications,dc=xxxxx,dc=fr' filter='memberURL=*' scope='2' [LDAPReference to resolve field='members' of sourceDirectory='ldapGroupDirectory' with targetDirectory='ldapUserDirectory' and staticAttributeId='uniqueMember', dynamicAttributeId='memberURL']

While my working Nuxeo 6 installation gives the following:

2015-12-09 09:49:26,759 DEBUG [ajp-bio-0.0.0.0-8009-exec-1] [org.nuxeo.ecm.directory.ldap.LDAPSession] LDAPSession.getLdapEntry(xxxx.xxx@xxxxx.fr, false): LDAP search base='ou=people,dc=xxxxx,dc=fr' filter='(&(mail={0})(&(objectClass=*)(mail=*)))' args='xxxx.xxx@xxxxx.fr' scope='2' [LDAPSession '-8780542182579765189' for directory ldapUserDirectory]
2015-12-09 09:49:26,772 DEBUG [ajp-bio-0.0.0.0-8009-exec-1] [org.nuxeo.ecm.directory.ldap.LDAPSession] LDAPSession.getLdapEntry(xxxx.xxx@xxxxx.fr, false): LDAP search base='ou=people,dc=xxxxx,dc=fr' filter='(&(mail={0})(&(objectClass=*)(mail=*)))' args='xxxx.xxx@xxxxx.fr' scope='2' => found: cn=XXXXXX XXXX,ou=XXXX,ou=people,dc=xxxxx,dc=fr [LDAPSession '-8780542182579765189' for directory ldapUserDirectory]
2015-12-09 09:49:26,772 DEBUG [ajp-bio-0.0.0.0-8009-exec-1] [org.nuxeo.ecm.directory.ldap.LDAPSession] LDAP bind dn='cn=XXXXXX XXXX,ou=XXXX,ou=people,dc=xxxxx,dc=fr'
2015-12-09 09:49:26,776 DEBUG [ajp-bio-0.0.0.0-8009-exec-1] [org.nuxeo.ecm.directory.ldap.LDAPSession] Bind succeeded, authentication ok
2015-12-09 09:49:26,777 DEBUG [ajp-bio-0.0.0.0-8009-exec-1] [org.nuxeo.ecm.directory.BaseSession] Can't get current user to check directory permission. EVERYTHING is allowed by default

I also tried to install a Nuxeo 7.10 connected to our LDAP from scratch, using the installation wizard, and I have the same result. The default-ldap-users-directory-bundle.xml generated by the installation wizard is the same as the one I use in my Nuxeo 6 installation.

I probably missed something, but I don't know where or what, or where I am wrong.

Thanks a lot for the answer

Vincent

My default-ldap-users-directory-bundle.xml:

<extension target="org.nuxeo.ecm.directory.ldap.LDAPDirectoryFactory"
  point="servers">

<!-- Nuxeo 7 : Configuration of a server connection

  A single server declaration can point to a cluster of replicated
  servers (using OpenLDAP's slapd + slurpd for instance). To leverage
  such a cluster and improve availability, please provide one
  <ldapUrl/> tag for each replica of the cluster.
-->
<server name="default">

  <ldapUrl>ldap://my.ldap.server.fr:389</ldapUrl>
  <!-- Optional servers from the same cluster for failover
    and load balancing:

    <ldapUrl>ldap://server2:389</ldapUrl>
    <ldapUrl>ldaps://server3:389</ldapUrl>

    "ldaps" means TLS/SSL connection.
  -->

  <!-- Credentials used by Nuxeo5 to browse the directory, create
    and modify entries.

    Only the authentication of users (bind) use the credentials entered
    through the login form if any.
  -->
  <bindDn></bindDn>
  <bindPassword></bindPassword>
  <!-- Attempts to get a result when LDAP is temporary unavailable -->
  <retries>5</retries>
</server>
</extension>

<extension target="org.nuxeo.ecm.directory.ldap.LDAPDirectoryFactory"
  point="directories">

<directory name="ldapUserDirectory">
  <server>default</server>
  <schema>user</schema>
  <idField>username</idField>
  <passwordField>password</passwordField>
  <searchBaseDn>ou=people,dc=domain,dc=fr</searchBaseDn>
  <searchClass>*</searchClass>
  <!-- To additionally restrict entries you can add an
    arbitrary search filter such as the following:
    Beware that "&" is written "&amp;" in XML.

    <searchFilter>mail=*</searchFilter>-->

  <!-- use subtree if the people branch is nested -->
  <searchScope>subtree</searchScope>

  <!-- using 'subany', search will match *toto*. use 'subfinal' to
    match *toto and 'subinitial' to match toto*. subinitial is the
    default  behaviour-->
  <substringMatchType>subany</substringMatchType>

  <readOnly>true</readOnly>

  <!-- comment <cache* /> tags to disable the cache -->
  <cacheEntryName>ldap-user-entry-cache</cacheEntryName>
  <cacheEntryWithoutReferencesName>ldap-user-entry-cache-without-references</cacheEntryWithoutReferencesName>

  <!--
       If the id field is not returned by the search, we set it with the searched entry, probably the login.
       Before setting it, you can change its case. Accepted values are 'lower' and 'upper',
       anything else will not change the case.
  -->
  <missingIdFieldCase>lower</missingIdFieldCase>

  <!-- Maximum number of entries returned by the search -->
  <querySizeLimit>0</querySizeLimit>

  <!-- Time to wait for a search to finish. 0 to wait indefinitely -->
  <queryTimeLimit>0</queryTimeLimit>

  <creationBaseDn>ou=people,dc=example,dc=com</creationBaseDn>
  <creationClass>top</creationClass>
  <creationClass>person</creationClass>
  <creationClass>organizationalPerson</creationClass>
  <creationClass>inetOrgPerson</creationClass>

  <rdnAttribute>ou</rdnAttribute>
  <fieldMapping name="username">mail</fieldMapping>
  <fieldMapping name="password">userPassword</fieldMapping>
  <fieldMapping name="firstName">givenName</fieldMapping>
  <fieldMapping name="lastName">sn</fieldMapping>
  <fieldMapping name="company"></fieldMapping>
  <fieldMapping name="email">mail</fieldMapping>

  <references>
    <inverseReference field="groups" directory="ldapGroupDirectory"
      dualReferenceField="members" />
  </references>

</directory>

<directory name="ldapGroupDirectory">
 <server>default</server>

  <schema>group</schema>
  <idField>groupname</idField>

  <searchBaseDn>ou=groupes-dynamiques,ou=Applications,dc=meteo,dc=fr</searchBaseDn>
  <searchFilter>
    (|(objectClass=groupOfUniqueNames)(objectClass=groupOfURLs))
  </searchFilter>
  <searchScope>subtree</searchScope>

  <readOnly>true</readOnly>

  <!-- comment <cache* /> tags to disable the cache -->
  <cacheEntryName>ldap-group-entry-cache</cacheEntryName>
  <cacheEntryWithoutReferencesName>ldap-group-entry-cache-without-references</cacheEntryWithoutReferencesName>

  <creationBaseDn>ou=groups,dc=example,dc=com</creationBaseDn>
  <creationClass>top</creationClass>
  <creationClass>groupOfUniqueNames</creationClass>

  <!-- Maximum number of entries returned by the search -->
  <querySizeLimit>0</querySizeLimit>

  <!-- Time to wait for a search to finish. 0 to wait indefinitely -->
  <queryTimeLimit>0</queryTimeLimit>

  <rdnAttribute>ou</rdnAttribute>
  <fieldMapping name="groupname">cn</fieldMapping>
  <!-- Add another field to map the real group label -->
  <fieldMapping name="grouplabel">cn</fieldMapping>

  <references>
    <!-- LDAP reference resolve DNs embedded in uniqueMember attributes

      If the target directory has no specific filtering policy, it is most
      of the time not necessary to enable the 'forceDnConsistencyCheck' policy.

      Enabling this option will fetch each reference entry to ensure its
      existence in the target directory.
    -->
    <ldapReference field="members" directory="ldapUserDirectory"
      forceDnConsistencyCheck="false" staticAttributeId="uniqueMember"
      dynamicAttributeId="memberURL" />

    <ldapReference field="subGroups" directory="ldapGroupDirectory"
      forceDnConsistencyCheck="false"  staticAttributeId="uniqueMember"
      dynamicAttributeId="memberURL" />

    <inverseReference field="parentGroups" directory="ldapGroupDirectory"
      dualReferenceField="subGroups" />

    <!-- LDAP tree reference resolves children following the ldap tree
      structure.

      Available scopes are "onelevel" (default), "subtree". Children with
      the same id as the parent will be filtered.

      Enabling this option will fetch each reference entry to ensure its
      existence in the target directory.

      WARNING: Edit is NOT IMPLEMENTED: modifications to this field will be
      ignored when saving the entry.
    -->
    <ldapTreeReference field="directChildren" directory="unitDirectory"
      scope="onelevel" />
    <ldapTreeReference field="children" directory="unitDirectory"
      scope="subtree" />

  </references>

</directory>
</extension>

0 votes

3 answers

3149 views

ANSWER



I finally solved my authentication problem by modifying the default-ldap-users-directory-bundle.xml file:

 <directory name="ldapUserDirectory">
....
     <references>
        <inverseReference field="groups" directory="groupDirectory"
          dualReferenceField="members" />
      </references>
</directory>
<directory name="LdapGroupDirectory">
....
</directory>

It is impossible to log in with an LDAP account if I write the following:

<references>
    <inverseReference field="groups" directory="LdapgroupDirectory"
    dualReferenceField="members" />
</references>

Is it normal or a bug?

Doing this, users are able to log in, but no document is visible. It seems that a similar problem is reported here: https://answers.nuxeo.com/general/q/c7c64791771a4597a13d734cf3ea1b16/Members-can-t-see-documents.

I also added the members group in our ldap but that doesn't change anything.

I also tried this configuration following this Nuxeo documentation [https://doc.nuxeo.com/display/NXDOC/How+to+Configure+a+Multidirectory+for+Users+and+Groups], with the same result. nxserver/config/default-multi-directories-config.xml:

<extension target="org.nuxeo.ecm.directory.ldap.LDAPDirectoryFactory"
    point="directories">
    <directory name="ldapUserDirectory">
.
.
.
   <references>
        <inverseReference field="groups" directory="multiGroupDirectory"
          dualReferenceField="members" />
      </references>
    </directory>

 <directory name="ldapGroupDirectory">
.
.
.
       <ldapReference field="members" directory="ldapUserDirectory"
          forceDnConsistencyCheck="false" staticAttributeId="member"
          dynamicAttributeId="memberURL" />
      </references>
    </directory>
  </extension>

  <extension
    target="org.nuxeo.ecm.directory.multi.MultiDirectoryFactory"
    point="directories">
    <directory name="multiUserDirectory">
      <schema>user</schema>
      <idField>username</idField>
      <passwordField>password</passwordField>
      <source name="userLDAPsource">
        <subDirectory name="ldapUserDirectory" />
      </source>
    </directory>
    <directory name="multiGroupDirectory">
      <schema>group</schema>
      <idField>groupname</idField>
      <source name="groupLDAPsource">
        <subDirectory name="LdapGroupDirectory" />
      </source>
    </directory>
  </extension>

 <extension target="org.nuxeo.ecm.platform.usermanager.UserService" point="userManager">
    <userManager>
      <defaultAdministratorId>xxxxxxxxxxxxxxx</defaultAdministratorId>
      <defaultGroup>members</defaultGroup>
     <users>
        <directory>ldapUserDirectory</directory>
        <virtualUser id="admin" searchable="false">
          <password>xxxxxx</password>
          <property name="firstName"></property>
          <property name="lastName"></property>
          <group>administrators</group>
        </virtualUser>
        <anonymousUser id="Guest">
          <property name="firstName">Guest</property>
          <property name="lastName">User</property>
        </anonymousUser>
      </users>
      <groups>
        <directory>ldapGroupDirectory</directory>
    <membersField>members</membersField>
    <listingMode>search_only</listingMode>
      </groups>
     </userManager>
  </extension>
</component>

With this configuration file the LDAP authentication works. The administrator can see people and groups, but it's very strange: I have

<directory name="ldapGroupDirectory">

and

    <source name="groupLDAPsource">
        <subDirectory name="LdapGroupDirectory" />
      </source>

If I put  instead, the authentication stops working!

Vincent

0 votes
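The name mismatch the question and the answer above stumble over (`LdapGroupDirectory` in the references versus the declared `ldapGroupDirectory`) is the kind of thing a small check of the contribution files catches before a restart. The Python script below is an added example, not Nuxeo code: it parses the LDAPDirectoryFactory and MultiDirectoryFactory contributions, reports references to undeclared or case-mismatched directories, and also flags the weak connection settings visible in the posted file (an empty bindDn, which is an anonymous bind, and a plaintext ldap:// URL over which the user's password travels in the clear at bind time). The embedded XML is a constructed sample shaped like the thread's fragments, wrapped in the `<component>` root a real contribution file has; the finding texts and the searchClass check are this example's own. A reference flagged as undeclared may simply live in another contribution file (the posted file references a `unitDirectory` that is declared elsewhere), so that finding is a prompt to look, not necessarily an error.

```python
"""Consistency and hardening check for Nuxeo LDAP directory contributions.

Added example, not Nuxeo code: parses the <extension> contributions to
org.nuxeo.ecm.directory.ldap.LDAPDirectoryFactory (points "servers" and
"directories") and to org.nuxeo.ecm.directory.multi.MultiDirectoryFactory,
then reports directory references whose name does not match a declared
directory (including case-only mismatches) and weak connection settings.
"""
import sys
import xml.etree.ElementTree as ET

# Constructed sample shaped like the thread's files: the group directory is
# declared as "ldapGroupDirectory" but referenced as "LdapGroupDirectory" in
# two places, the bind is anonymous and the URL is plaintext ldap://.
SAMPLE_XML = """<component name="example.ldap.directories">
<extension target="org.nuxeo.ecm.directory.ldap.LDAPDirectoryFactory" point="servers">
  <server name="default">
    <ldapUrl>ldap://ldap.example.org:389</ldapUrl>
    <bindDn></bindDn>
    <bindPassword></bindPassword>
  </server>
</extension>
<extension target="org.nuxeo.ecm.directory.ldap.LDAPDirectoryFactory" point="directories">
  <directory name="ldapUserDirectory">
    <server>default</server>
    <searchClass>*</searchClass>
    <references>
      <inverseReference field="groups" directory="LdapGroupDirectory" dualReferenceField="members"/>
    </references>
  </directory>
  <directory name="ldapGroupDirectory">
    <server>default</server>
    <references>
      <ldapReference field="members" directory="ldapUserDirectory" staticAttributeId="uniqueMember"/>
      <ldapTreeReference field="children" directory="unitDirectory" scope="subtree"/>
    </references>
  </directory>
</extension>
<extension target="org.nuxeo.ecm.directory.multi.MultiDirectoryFactory" point="directories">
  <directory name="multiGroupDirectory">
    <source name="groupLDAPsource">
      <subDirectory name="LdapGroupDirectory"/>
    </source>
  </directory>
</extension>
</component>"""


def parse_contributions(xml_text):
    """Return ({server name: element}, {directory name: element}) over all <extension>s."""
    root = ET.fromstring(xml_text)
    servers, directories = {}, {}
    for ext in root.iter("extension"):
        if ext.get("point") == "servers":
            servers.update((s.get("name"), s) for s in ext.findall("server"))
        elif ext.get("point") == "directories":
            directories.update((d.get("name"), d) for d in ext.findall("directory"))
    return servers, directories


def referenced_directories(directory):
    """(tag, target) for every element that names another directory.

    References use directory="..." on ldapReference / inverseReference /
    ldapTreeReference, and name="..." on <subDirectory> inside a multi-directory source.
    """
    refs = [(el.tag, el.get("directory")) for el in directory.iter() if el.get("directory")]
    refs += [(el.tag, el.get("name")) for el in directory.iter("subDirectory")]
    return refs


def check_references(servers, directories):
    findings = []
    by_lower = {name.lower(): name for name in directories}
    for dname, d in directories.items():
        server = (d.findtext("server") or "").strip()
        if server and server not in servers:
            findings.append(f"{dname}: <server>{server}</server> is not declared")
        for tag, target in referenced_directories(d):
            if target in directories:
                continue
            if target.lower() in by_lower:
                findings.append(f"{dname}: <{tag}> refers to '{target}' but the directory is declared "
                                f"as '{by_lower[target.lower()]}' (names are case-sensitive)")
            else:
                findings.append(f"{dname}: <{tag}> refers to undeclared directory '{target}' "
                                "(check the other contributions before treating this as an error)")
    return findings


def check_hardening(servers, directories):
    findings = []
    for sname, s in servers.items():
        for url in s.findall("ldapUrl"):
            u = (url.text or "").strip()
            if u.startswith("ldap://"):
                findings.append(f"server '{sname}': {u} is plaintext LDAP; the user bind sends the "
                                "password in the clear (use ldaps:// and trust the server certificate)")
        if not (s.findtext("bindDn") or "").strip():
            findings.append(f"server '{sname}': empty <bindDn> means anonymous bind for browsing")
    for dname, d in directories.items():
        if (d.findtext("searchClass") or "").strip() == "*":
            findings.append(f"{dname}: searchClass '*' lets any entry under searchBaseDn be a login account")
    return findings


def audit(xml_text):
    servers, directories = parse_contributions(xml_text)
    return check_references(servers, directories) + check_hardening(servers, directories)


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_XML
    for finding in audit(text):
        print(finding)
```

Run it against `nxserver/config/default-ldap-users-directory-bundle.xml` (or the multi-directory file) as the first argument; with no argument it audits the embedded sample, where it reports the two case mismatches, the `unitDirectory` reference, the plaintext URL, the anonymous bind and the `*` search class.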



Thanks for your answer.

I checked my configuration again following your recommendation. In my case it is still not working. I put a bind DN and password for the user bind, added the class person and so on; I can't log in with an LDAP user account, only with the emergency admin user. Using the filters used by my Nuxeo app in Apache Directory Studio gives me groups, users… I do not have this problem with the same configuration and Nuxeo 6. I restarted from a fresh install; using the installation wizard I can check the connection to my LDAP directory, authentication etc. All seems OK... But I am still not able to log in… Maybe a problem with my search filter for group members…?

I will try some other things.

Vincent

0 votes



I think several important fields are missing information in your default-ldap-users-directory-bundle.xml file and probably also in your configuration. As a reference I will describe this here:

URL: ldap://ldapserver.domain.com:389
Bind DN: user@domain.com
Bind Password: ***
Search Base DN: OU=Team,DC=domain,DC=com
Search class: person
Search scope: onelevel
Read only: checked
RDN: uid
User name: sAMAccountName
Password: userPassword
First Name: givenName
Last name: sn
Email: mail
Company: o
Administrator id: user
Default members group: members
Emergency user: checked

User name: Administrator
Password: ***

Anonymous user: unchecked

In the previous paragraph I listed the default fields you should submit to your nuxeo.conf file (via the admin interface or an XML file). You can input your config in (1) the setup wizard, (2) the admin setup form, (3) the nuxeo.conf file, or (4) the XML file. Using any of these ways you should specify:

1) The server you want to connect to (field URL)
2) The user you want to use (Bind DN)
3) The password for that user (Bind Password)

There are other fields that you must complete in order to establish a correct authentication mechanism, and so that the system can find the users you want to allow. Those fields are:

Search Base DN: OU=Team,DC=domain,DC=com
Search class: person
Search scope: onelevel
Read only: checked
RDN: uid
User name: sAMAccountName
Password: userPassword
First Name: givenName
Last name: sn
Email: mail
Company: o

For the “Search Base DN” field you must input the correct one for your organization; note that in this example I'm using an organizational unit, perhaps your LDAP is organized differently.

The “Administrator id” field tells Nuxeo which LDAP user will be the administrator.

The fields:

Emergency user: checked
User name: Administrator
Password: ***
Anonymous user: unchecked

will let you get in when the LDAP is unreachable, and I also specified in this example that we don't want anonymous users sneaking around (“Anonymous user” field).

You can verify your details with a tool like Apache Directory Studio.

Also take into consideration that if you are using an SSL connection to the LDAP server (regularly port 636 or 3269) you must first add the server certificate to your Nuxeo server, so it can trust it and use it to connect.

I have tried this on Windows and Linux/Samba (Zentyal, Ubuntu based) LDAP servers. Hope this will help you.

0 votes
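The DEBUG lines in the question show Nuxeo's two-step login: a search whose filter is built from the directory settings, with the typed login passed separately as the `{0}` argument, and then a bind as the DN that the search returned. The field list in the answer above (search class person, user name mapped to sAMAccountName) feeds the same mechanism with different values. The script below is an added example, not Nuxeo code: it rebuilds the filter template seen in the log from those settings, fills the placeholder with RFC 4515 escaping, and replays search-then-bind against a constructed in-memory directory, so the effect of passing the login as an argument rather than splicing it into the filter can be seen offline (an `*` typed as the login then matches nothing instead of every entry, which is also why a search that returns more than one entry must refuse to bind). The stand-in directory, the password comparison that replaces the real bind, and the way the template is composed when no searchFilter is set are assumptions of this example.

```python
"""Search-then-bind login as Nuxeo's LDAPSession logs it, replayed offline.

Added example, not Nuxeo code. The filter template is rebuilt from the
directory settings, the login fills {0} with RFC 4515 escaping, and the
two steps (search for the DN, bind as that DN) run against a constructed
in-memory directory.
"""
import re
import secrets

# RFC 4515 escapes for the characters that would change a filter's meaning.
RFC4515_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value):
    return "".join(RFC4515_ESCAPES.get(ch, ch) for ch in value)


def build_search_filter(id_attribute, search_class, search_filter=None):
    """Shape seen in the log: (&(<idField>={0})(&(objectClass=<searchClass>)(<searchFilter>))).

    Without a searchFilter only the objectClass clause is kept (assumption: the
    page does not show that case).
    """
    clause = f"(objectClass={search_class})"
    if search_filter:
        clause = f"(&{clause}({search_filter}))"
    return f"(&({id_attribute}={{0}}){clause})"


def substitute(template, login, escape=True):
    """Fill {0}; escape=False shows what naive string interpolation would produce."""
    return template.replace("{0}", escape_filter_value(login) if escape else login)


def parse_filter(s, i=0):
    """Minimal RFC 4515 parser: (&...), (|...) and (attr=value) items."""
    if i >= len(s) or s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if s[i] in "&|":
        op, i, children = s[i], i + 1, []
        while i < len(s) and s[i] == "(":
            node, i = parse_filter(s, i)
            children.append(node)
        if i >= len(s) or s[i] != ")":
            raise ValueError("unbalanced filter")
        return (op, children), i + 1
    j = s.index(")", i)  # an escaped value never contains a literal ')'
    attr, _, value = s[i:j].partition("=")
    return ("=", attr.lower(), value), j + 1


def matches(node, entry):
    if node[0] in "&|":
        return (all if node[0] == "&" else any)(matches(c, entry) for c in node[1])
    _, attr, value = node
    values = entry.get(attr, [])
    if value == "*":  # presence test, as in (objectClass=*) and (mail=*)
        return bool(values)
    literal = re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)
    return any(literal.lower() == v.lower() for v in values)


def find_entries(directory, template, login, escape=True):
    node, _ = parse_filter(substitute(template, login, escape))
    return [e for e in directory if matches(node, e)]


def authenticate(directory, settings, login, password):
    """Return the bound DN, or None for every failure (no hint about which step failed)."""
    template = build_search_filter(settings["id_attribute"], settings["search_class"],
                                   settings.get("search_filter"))
    hits = find_entries(directory, template, login)
    if len(hits) != 1:  # unknown login or an ambiguous match: never bind
        return None
    # Stand-in for the simple bind with dn + password that the real server performs.
    if not secrets.compare_digest(hits[0]["userpassword"][0], password):
        return None
    return hits[0]["dn"]


# Constructed stand-in directory; attribute names are lower-cased for lookup.
DIRECTORY = [
    {"dn": "cn=Alice Martin,ou=people,dc=example,dc=org",
     "objectclass": ["top", "person", "inetOrgPerson"], "mail": ["alice.martin@example.org"],
     "samaccountname": ["amartin"], "userpassword": ["alice-secret"]},
    {"dn": "cn=Bob Durand,ou=people,dc=example,dc=org",
     "objectclass": ["top", "person", "inetOrgPerson"], "mail": ["bob.durand@example.org"],
     "samaccountname": ["bdurand"], "userpassword": ["bob-secret"]},
]
# The question's settings (username -> mail, searchClass *, searchFilter mail=*) ...
SETTINGS_MAIL = {"id_attribute": "mail", "search_class": "*", "search_filter": "mail=*"}
# ... and the answer's Active-Directory-style settings (sAMAccountName, class person).
SETTINGS_AD = {"id_attribute": "sAMAccountName", "search_class": "person"}

if __name__ == "__main__":
    tpl = build_search_filter("mail", "*", "mail=*")
    print(tpl)  # identical to the filter= shown in the question's log
    print(authenticate(DIRECTORY, SETTINGS_MAIL, "alice.martin@example.org", "alice-secret"))
    print(len(find_entries(DIRECTORY, tpl, "*", escape=False)), "hits for an unescaped '*' login")
    print(len(find_entries(DIRECTORY, tpl, "*")), "hits once the login is escaped")
```

The `len(hits) != 1` guard matters in the real flow as well: a directory with `searchClass *` and a broad search base can return several entries for one login, and binding as whichever comes first would let the wrong account's password open a session.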