LDAP Configuration is not working


derkork

I have configured a Plastic server on Linux to connect to an OpenLDAP server on the same machine.

<ServerConfigData xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <Language>en</Language>
  <WorkingMode>LDAPWorkingMode</WorkingMode>
  <SecurityConfig>LDAP:localhost:389:cn=sysread,ou=users,dc=insomnia-hq,dc=de:XXXXXXXXXXX:dc=insomnia-hq,dc=de</SecurityConfig>
  <BufferPoolSize>0</BufferPoolSize>
  <AuditLogLevel>1</AuditLogLevel>
  <AuditLogFile>audit.log</AuditLogFile>
</ServerConfigData>

However, whenever I try to authenticate against the server I get the following error message:

ERROR Codice.CM.Server.ExceptionTracerSink - Dumping in-transit exception:Active Directory or LDAP: Invalid credentials username, password or domain are not valid. Server error: An error occurred in the LDAP server: Local Error

 

From the LDAP server logs I can see that it doesn't even try to connect to the LDAP server. Did I misconfigure something here?


Hi,

 

Can you drive to the Plastic server folder and open "configureserver.exe"? Using the configuration tool, enter your LDAP information and click "Test Connection". Is it working fine?

After that, open a command line and enter "plastic --configure" to configure the Plastic client. Select "LDAP" and click on "Test connection". If both connections are working fine, you should be able to connect using LDAP authentication.

 

Regards,

Carlos


I'm basically getting the same error message (see attachment). However, this at least seems to connect to the LDAP server. I'm not sure though what the issue is there. If I connect to the LDAP server using, e.g. Apache Directory Studio and the same credentials, I'm getting no issues at all. How exactly does Plastic search the users in the LDAP structure?

 

 


That actually did not work, but it put me in the right direction ;). I was able to find out what the issue behind this is. The Plastic server is looking for uid=<whatever you enter in the username field>. Problem is that in our LDAP there is no UID attribute for users, just a cn attribute which is unique. So as an experiment I added a uid attribute to a user et voila, it works. Next thing I wanted to try is groups. Now the Plastic server looks for "(|(objectClass=groupOfUniqueNames)(objectClass=posixGroup)(?objectClass=group))". Problem is that our groups are none of these three but a "groupOfNames" and therefore not found. I also cannot change the groups to something else as this would break all software configuration we have already running (jira, confluence, subversion etc.). Is there a way to configure the LDAP search strings somehow so we can adapt this to our setup?

 

Kind regards,

Jan
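To see which directory entries fall outside the fixed searches described in the post above, this added example (not part of the thread and not Plastic's own code) evaluates those filters against a constructed sample directory. The entries, the `dc=example,dc=org` base and every function name are assumptions, and the `?` in the quoted group filter is left out.

```python
import re
# Fixed searches reported in the thread. The "?" inside the quoted group
# filter is dropped (assumption: it is not part of the real filter).
USER_FILTER = "(uid={name})"
GROUP_FILTER = ("(|(objectClass=groupOfUniqueNames)"
                "(objectClass=posixGroup)(objectClass=group))")

BASE = "dc=example,dc=org"  # constructed sample directory, not from the thread
ENTRIES = [
    {"dn": ["cn=alice,ou=users," + BASE], "objectclass": ["inetOrgPerson"],
     "cn": ["alice"]},
    {"dn": ["cn=bob,ou=users," + BASE], "objectclass": ["inetOrgPerson"],
     "cn": ["bob"], "uid": ["bob"]},
    {"dn": ["cn=devs,ou=groups," + BASE], "objectclass": ["groupOfNames"],
     "member": ["cn=alice,ou=users," + BASE]},
    {"dn": ["cn=ops,ou=groups," + BASE], "objectclass": ["groupOfUniqueNames"],
     "uniquemember": ["cn=bob,ou=users," + BASE]},
]

def parse_filter(f, i=0):
    """Parse an RFC 4515 filter (subset: & | ! and equality) from offset i."""
    i += 1                                   # step over the opening '('
    if f[i] in "&|!":
        op, kids, i = f[i], [], i + 1
        while f[i] == "(":
            kid, i = parse_filter(f, i)
            kids.append(kid)
        return (op, kids), i + 1             # step over the closing ')'
    end = f.index(")", i)
    attr, value = f[i:end].split("=", 1)
    return ("=", attr.lower(), value.lower()), end + 1

def matches(node, entry):
    """Evaluate a parsed filter against one entry, case-insensitively."""
    if node[0] == "=":
        return node[2] in (v.lower() for v in entry.get(node[1], []))
    results = [matches(kid, entry) for kid in node[1]]
    if node[0] == "!":
        return not results[0]
    return all(results) if node[0] == "&" else any(results)

def search(filter_text, entries=ENTRIES):    # DNs of the entries selected
    tree, _ = parse_filter(filter_text)
    return [e["dn"][0] for e in entries if matches(tree, e)]

def find_user(name):                         # uid=<typed username> lookup
    if not re.fullmatch(r"[A-Za-z0-9._-]+", name):   # reject, don't escape
        raise ValueError("unsupported characters in username")
    return search(USER_FILTER.format(name=name))
```

In the sample, `alice` (cn only) and the `groupOfNames` group `devs` are not returned, while `bob` and the `groupOfUniqueNames` group `ops` are.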


I'm sorry. But it's not possible to configure the LDAP search strings :(

 

Hi Carlos, thanks for letting me know. Is this on the roadmap somehow? Actually every program we have connected to our LDAP server supported the configuration of the LDAP search strings (Jira, Confluence, Postfix, Wordpress, even the Unity Asset Server after some fiddling), so I'm kinda surprised that Plastic doesn't offer it, especially since it is targeted at Corporate environments.


I have set up some experimental LDAP branch to cater for Plastic's fixed LDAP search strings, and at least the users are found now. However my group is not found even though it's a groupOfUniqueNames now (and the LDAP server returns it when Plastic searches for it). Is there some documentation on how the LDAP objects have to be set up so that Plastic will recognize them as users/groups? 


Archived

This topic is now archived and is closed to further replies.
