ISSUE: Grails ADMIN logs in via LDAP but no other account does.
System = Win 7, grails 2.2.1, Active Dir lightweight
I have created a simple grails default application, installed the latest grails spring security and ldap plugins. I then followed the following tutorial to configure the spring security setup. Tutorial located at http://blog.springsource.com/2010/08/11/simplified-spring-security-with-grails/
Anyway got spring security working fairly fast, next step was setting up LDAP to use the anonymousAuthenticationProvider so my grails app would log in without checking its own DB for passwords, only LDAP. I am using windows Active Directory. Anyway, followed this configuration setup http://grails-plugins.github.io/grails-spring-security-ldap/docs/manual/guide/2.%20Usage.html . All seems to start fine, except the only user that seems to log in correctly is admin, no other user works. I get a can not find user with that username / password error. I have added error, warn and info log output for spring security but does not seem to give much info at all except for the admin account which actually works. I verified it works as I gave the spring security db password a different password to the ldap password, and once the ldap was configured the only password that worked for the admin was the ldap one. Unfortunately no other users worked though.
Here is my grails config:
// Added by the Spring Security Core plugin:
grails.plugins.springsecurity.userLookup.userDomainClassName = 'org.example.SecUser'
grails.plugins.springsecurity.userLookup.authorityJoinClassName = 'org.example.SecUserSecRole'
grails.plugins.springsecurity.authority.className = 'org.example.SecRole'
grails.plugins.springsecurity.ldap.context.managerDn = 'CN=admin,OU=people,OU=imApp,DC=example,DC=org'
grails.plugins.springsecurity.ldap.context.managerPassword = 'password'
grails.plugins.springsecurity.ldap.context.server = 'ldap://localhost:55000/'
grails.plugins.springsecurity.ldap.authorities.ignorePartialResultException = true
grails.plugins.springsecurity.ldap.search.base = 'OU=people,OU=imApp,DC=example,DC=org'
grails.plugins.springsecurity.ldap.search.filter='uid={0}' //ad use sAMAccountName instead of uid
grails.plugins.springsecurity.ldap.search.searchSubtree =true
grails.plugins.springsecurity.ldap.auth.hideUserNotFoundExceptions= false
grails.plugins.springsecurity.ldap.search.derefLink = true
// specify this when you want to skip attempting to load from db and only use LDAP
grails.plugins.springsecurity.providerNames = ['ldapAuthProvider', 'anonymousAuthenticationProvider']
grails.plugins.springsecurity.conf.ldap.authorities.retrieveGroupRoles = false
grails.plugins.springsecurity.conf.ldap.authorities.retrieveDatabaseRoles = false
//grails.plugins.springsecurity.ldap.authorities.groupSearchBase = 'ou=groups,ou=imApp,dc=mcommunity,dc=org'
//role specific ldap config
grails.plugins.springsecurity.ldap.useRememberMe = false
I have tried a few variations of this config, for example it says Active Dir requires sAMAccountName as the search.filter but when I use this no accounts work, if i comment it out completely it works as already memntioned, admin logs in but no other account does. If I remove the springsecurity.providerNames the app starts but uses DB as password auth provider. I came across some blogs mentioned removing password for model class and db, or making it null-able which I tried but had no effect on outcome.
My Active Dir structure is as follows:
DC=example,dc=org
OU=imApp
OU=groups
OU=people
CN=admin user CN=admin,OU=people,OU=imApp,DC=example,DC=org
CN=user1 user CN=user1,OU=people,OU=imApp,DC=example,DC=org
CN=LostAndFound
CN= NTDS Quotas
CN=Roles
I have given each account a LDAP password, and added a parameter uid matching that of their username (CN). I have not used a Custom UserDetailsContextMapper, just default. However, I did try a Custom UserDetailsContextMapper and just came across the same issue, so reverted back to using just standard. Also I noticed Active Dir has a lower case dc for org so I tried using same lower case dc in Grails config but has same result.
Has anyone come across this issue or know where I may be going worng? Any help appreciated.
Best,
Marklw16
Try these settings:
grails.plugins.springsecurity.ldap.authorities.groupSearchBase ='DC=example,dc=org'
grails.plugins.springsecurity.ldap.authorities.groupSearchFilter = 'member={0}'
Related
I am using subfission/cas for my application. I have followed all installation steps. I am using windows, if that matters. More precisely, I have configured the following:
I ran the following in my terminal
composer require "subfission/cas" "dev-master"
I configured my Kernel.php accordingly, adding the following:
'cas.auth' => 'Subfission\Cas\Middleware\CASAuth',
'cas.guest' => 'Subfission\Cas\Middleware\RedirectCASAuthenticated',
I ran the following command:
php artisan vendor:publish
I also set up my cas server in my cas.php config file:
'cas_hostname' => env('CAS_HOSTNAME', 'cas.myserver.me'),
'cas_real_hosts' => env('CAS_REAL_HOSTS', 'cas.myserver.me'),
What I want is a middleware for all my routes, so I added the following route rule in my routes:
Route::middleware(['cas.auth'])->group(function ()
{
Route::get('/', function ()
{
return view('welcome');
});
});
Basically, I want to redirect everyone who is not logged in to the login page whenever I access the main page (for now, I will add more routes in the future). What happens is that the users are redirected to the login page when they are not logged in, but after the login I receive the following error:
ErrorException (E_WARNING)
DOMDocument::loadXML(): Opening and ending tag mismatch: hr line 1 and body in Entity, line: 1
No matter what view I'm redirecting the user to. I tried the default welcome page as well as an empty view, but I still get the same error.
EDIT: I have used the dev-master branch from subfission/cas for the above error and after switching to 2.1.1, I get a different error:
session_name(): Cannot change session name when headers already sent
EDIT 2: I did some more digging and I enabled internal errors in my cas client class with:
libxml_use_internal_errors(true);
And now I get the following:
Authentication failure: SA not validated Reason: bad response from the CAS server
And the cas response is:
The thing is that I use the same cas server for another 2 projects and it works well for those (but those aren't laravel projects.
I know it's been a while, but for anyone else having issues like this, the issue is the protocol selected for which your web service communicates with your CAS(Central Authentication Service) provider. There are two main protocols used for SSO/CAS in this package:
SAML(Security Assertion Markup Language) version 1.1 & 2
CAS Protocol v3.0
[Confusingly enough, CAS protocol shares the same namespace as the service.]
The idea is to match the protocol and version with your identity provider. It sounds like your provider is using CASv3.0, which is why disabling SAML worked.
Also, if you enable debug mode, you will see further error details in your log file to help your troubleshoot.
Best of luck!
I managed to solve the issue by disabling the SAML in the cas configure file:
'cas_enable_saml' => env('CAS_ENABLE_SAML', true),
change to
'cas_enable_saml' => env('CAS_ENABLE_SAML', false),
I have read all the possible fixes for the above issue when trying to get XAMPP working. Nothing has worked and I need to find an answer to get it working for a college course.
I am running a Mac OS X 10.11.6 and downloaded the XAMPP version 5.6.40. Then I open http://localhost/phpmyadmin/ go to user accounts and change the root password on for local host.
Then I go to the file config.inc.php and change 'config' to 'cookie' and also change the password. Then I restart the servers try to log back in but it gives the above error message and doesn't let me enter credentials. Some students in my class have done it the exact same way and it has worked for them.
I have looked at and tried many possible fixes as I can but with no success.
If you are using
$cfg['Servers'][$i]['auth_type'] = 'cookie';
Then you can set the user and password to blank, as using cookie makes phpMyAdmin throw a login page where you are expected to enter the userid and password in the login dialog.
$cfg['Servers'][$i]['user'] = '';
$cfg['Servers'][$i]['password'] = '';
It would also be worth refreshing your browser cache after making this change.
Thats CRTL+F5
Dont forget to restart Apache after making this change
I am using Ion Auth for registration, and everything is working fine on local, So when I wanted to move Live server I need email activation for new registrations [I am not using SMTP, there is no email config file in my config folder], So I made changes in ion_auth.php in config file as follows::
$config['email_activation'] = TRUE;
$config['manual_activation'] = FALSE;
$config['use_ci_email'] = TRUE;
as far as I know about this library (I am new to CodeIgniter), that's it. But unfortunately these configurations are not taking effect. When I var dump the following items inside constructor of ion_auth.php library file returns null
$this->config->item('use_ci_email','ion_auth') or
$this->config->item('email_activation','ion_auth')
And other config items like 'admin_email' has no issues, I can fetch the value. So, what is wrong with my config file, I am using very basic file provided by the library repo.
When I set the values, inside the constructor of library file as below, it works.
$this->config->set_item('use_ci_email', TRUE);
$this->config->set_item('email_activation', TRUE);
Is there anything wrong I am doing to get this weird behavior.
Ok, so I opened an issue on Ion Auth Git repo, and the Author, Ben Edmunds responded with the solution, If anybody facing this issue, with latest CodeIgniter, please pull the latest commit of IonAuth library and test, It will work.
For more on the issue, please refer the isse,
Codeigniter Ion Auth configuration and Email Activation
I am experiencing performance issues on a Sitecore Intranet Portal installation that relate to the GetUser method of the domain (Extranet). The extranet domain contains roughly about 800 users and calling Sitecore.Context.Domain.GetUser(userName) takes about 12 seconds at very least. Using a direct login model to authenticate the user against the Active Directory (LDAP) takes almost 60 seconds just to get the user logged in.
Any tips on performance tuning users in Sitecore 5.3? Is there a point when the number of users become to many for Sitecore to be efficient?
I know LDAP can be very slow, if you don't assign what kind of connection it should use (ssl, signing etc). Then it'll try to negotiate with the AD which kind of connection it should use and that can be very slow.
We had an issue with a customer that had this problem and the login went from 20+ seconds to about 1 second.
So if you're using your own LDAP module or similiar that could be the case.
If you are using Sitecore LDAP module, I dunno if you can set it up.
Since I didn't create that fix and am not very proficient in AD I'm not suer what to do, but maybe the following code can help you:
var connection = new LdapConnection(d);
connection.SessionOptions.SecureSocketLayer = false;
NetworkCredential nw = new NetworkCredential(username, password);
connection.AuthType = AuthType.Negotiate;
connection.SessionOptions.Signing = true;
connection.SessionOptions.Sealing = true;
connection.Bind(nw)
I hope that helps.
This looks old to answer. but AD Ldap module is using the same binding you mentioned here.
I just moved my current office Joomla 1.5.8 instalation from the server(linux) to my local machines (winxp) so I can work locally and only upload the changes.
The thing is after downloading all the files and installing a backup of the remote DB on my local machine I found myself unable to login to the administrator panel, I can see the frontpage but not login :/
So far, I have googled alot this problem, but most people seem to be experiencing this problem while upgrading from joomla 1.0
To make sure the problem was not on permissions for the files,I did a separate brand new joomla instalation on another folder and it worked just fine, I could access the website and I also could login to admin page, then I changed the config file to connect to the joomla I'm trying to move and now I find myself again unable to login :/
I think the problem is on the DB however I already tried searching for specific paths but no luck
Does anyone has another Idea?
thanks in advance :)
Try to change following variable in your local configuration file with you local values.
var $offline = '0';
var $log_path = 'Your local joomla path\logs';
var $tmp_path = 'Your local joomla path\tmp';
var $live_site = 'local url will be here';
var $dbtype = 'mysql';
var $host = 'local db host';
var $user = 'DB user for local';
var $db = 'Db name for local';
var $dbprefix = 'DB prefix whatever you have set, by default jos_';
var $password = 'your DB password for local';
You probably have LDAP or openid authentication enabled and thats what is causing this blank page while you try to login.
Just go to your database and go to your:
jos_plugins
And edit the plugins which are either openid or LDAP
set their published status from 1 to '0'
Case solved.
Does your site use any kind of extra authentication? Mine used the LDAP Authentication plugin. MY local machine couldn't connect to the LDAP server. After turning LDAP authentication off (only use Joomla authentication) it worked.
edit the jos_plugins table in mysql to set published from 1 to 0 for any extra authentication plugins you are using.
I have discussed this issue in details here: http://www.itoctopus.com/blank-page-on-joomla-login
In most cases we have seen, Joomla is trying to load a file that no longer exists.