
LDAP and AD integration

PostPosted: Mon Apr 02, 2012 6:08 pm
by beneco07
I've been trying to integrate LDAP and Active Directory into subsonic as a way to authenticate users but so far I've had no luck. Has anyone done this? If so, could you please tell me how?

Re: LDAP and AD integration

PostPosted: Thu Apr 05, 2012 8:07 pm
by sir2u
On the Advanced tab: Check the LDAP Integration box

For this example, your domain controller is called "dc" and the domain is "domain.org". Your OU user structure is just right under the root of the domain in an OU called "Users" and there is user called "username" in the OU.

LDAP URL: ldap://dc.domain.org:389/ou=users,dc=domain,dc=org

LDAP Search Filter: (sAMAccountName={0})

LDAP Manager DN: cn=username,ou=users,dc=domain,dc=org

See attached screenshot.

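As an added illustration (not code from Subsonic or from the post above), this shows what the three fields mean once the login name is substituted for {0}: the LDAP URL supplies host, port and search base, and the filter template becomes a concrete search filter. The values are constructed from the example above; the RFC 4515 escaping of the substituted name is my addition so that a login name can never alter the filter's structure.

```python
from urllib.parse import urlsplit, unquote

# Constructed values following the example configuration in the post above
LDAP_URL = "ldaps://dc.domain.org:636/ou=users,dc=domain,dc=org"
SEARCH_FILTER = "(sAMAccountName={0})"


def parse_ldap_url(url):
    """Split an LDAP URL into scheme, host, port and search base; default the port by scheme."""
    p = urlsplit(url)
    if p.scheme not in ("ldap", "ldaps"):
        raise ValueError("LDAP URL must start with ldap:// or ldaps://")
    if not p.hostname:
        raise ValueError("LDAP URL has no host")
    port = p.port or (636 if p.scheme == "ldaps" else 389)
    base = unquote(p.path.lstrip("/"))   # everything after the host is the search base DN
    return {"scheme": p.scheme, "host": p.hostname, "port": port, "base": base}


def escape_filter_value(value):
    """RFC 4515 escaping of an assertion value: *, (, ), \\, NUL and non-ASCII become \\xx hex."""
    out = []
    for ch in value:
        if ch in "*()\\\x00" or ord(ch) > 0x7F:
            out.extend("\\%02x" % b for b in ch.encode("utf-8"))
        else:
            out.append(ch)
    return "".join(out)


def balanced(flt):
    """True when every '(' in the filter has a matching ')' (catches a truncated filter early)."""
    depth = 0
    for ch in flt:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0


def build_filter(template, username):
    """Replace the {0} placeholder with the (escaped) login name to get the filter actually sent."""
    if "{0}" not in template:
        raise ValueError("search filter must contain {0}")
    if not balanced(template):
        raise ValueError("search filter has unbalanced parentheses")
    return template.replace("{0}", escape_filter_value(username))
```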

Re: LDAP and AD integration

PostPosted: Wed Apr 25, 2012 9:29 pm
by sir2u
As a security precaution, don't use a privileged account for the Manager DN account. If it's an option, use LDAPS. All that needs to change from the above configuration is for the LDAP URL to be ldaps://dc.domain.org:636/ou=users,dc=domain,dc=org

Re: LDAP and AD integration

PostPosted: Fri Apr 27, 2012 12:24 am
by spookybathtub
sir2u, you seem to be a great authority of information on Subsonic's LDAP settings. I wonder if you can help solve this problem:
I have LDAP working on port 389. But when I try to enable LDAPS on port 636, I get an error. The LDAP server is using a self-signed certificate, so I think I need to tell Subsonic to trust that cert. I have the cert, and I've tried installing it to the System keychain, but that didn't make a difference.

[2012-04-26 17:21:10,003] INFO SubsonicLdapBindAuthenticator - Failed to authenticate user 'test' in LDAP.
org.acegisecurity.ldap.LdapDataAccessException: Unable to connect to LDAP server; nested exception is javax.naming.CommunicationException: simple bind failed: ldap.chapman.edu:636 [Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]

Success!

PostPosted: Fri Apr 27, 2012 1:13 am
by spookybathtub
Never mind, I solved it! The Java runtime has its own keystore of trusted certificates that is separate from the OS X keychain. I installed my LDAP server's certificate to that keystore, with the alias matching the server's domain name, and voila — Subsonic can connect with LDAPS. On a Mac, the location of this keystore is /System/Library/Java/Support/CoreDeploy.bundle/Contents/Home/lib/security/cacerts.

Re: LDAP and AD integration

PostPosted: Fri Apr 27, 2012 1:29 am
by sir2u
Glad to hear you got it working. Hopefully you now have all the pieces to get your large scale deployment going. Good luck!

Re: LDAP and AD integration

PostPosted: Wed Nov 28, 2012 8:14 am
by HerrNilsson
Hello

I can't get this to work.

I have a test account called "testaccount" under DOMAIN.LOCAL --> Domain --> Accounts
And I have a group called "test" under DOMAIN.LOCAL --> Domain --> Groups
The test account is a member of the test group.

I've specified the following in Subsonic:

LDAP URL: ldap://dc01.domain.local:389/dc=domain,dc=local
LDAP search filter: (&(sAMAccountName={0})(&(objectCategory=user)(!(userAccountControl=514))(memberof=cn=test,ou=Groups,ou=domain,dc=spofify,dc=local)))
LDAP manager DN: cn=ldap,ou=Accounts,ou=Domain,dc=domain,dc=local

The problem is I get "wrong username or password" when I try to log in with the test account.

Can someone please help me with this? Thanks

EDIT: I try to log in with DOMAIN.LOCAL\testaccount or just DOMAIN\testaccount but get the same error.

Re: LDAP and AD integration

PostPosted: Wed Nov 28, 2012 1:23 pm
by sir2u
Verify that the LDAP search filter is correct. In fact, to verify that everything else is correct, I'd simplify the filter to just accept anyone: (sAMAccountName={0}). Start with it wide open just to get a working baseline, then add the layers of security one by one so that in case anything breaks, you know what just changed to break it.

Also, tail /var/subsonic/subsonic.log (I'm assuming this is on linux) as you try to log in. There's usually an explanation as to why the authentication is failing. If the filter is incorrect, you could get a message like, "SubsonicLdapBindAuthenticator - Failed to authenticate user 'test' in LDAP.org.acegisecurity.userdetails.UsernameNotFoundException: User test not found in directory."

Hope this helps.
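As an added example (my code, not Subsonic's), this is the kind of check the advice above suggests: read each "Failed to authenticate" entry in subsonic.log, pull out the innermost "Root exception" on the line that follows, and map it to the remedy the thread gives for that failure class. The sample log lines are constructed from the messages quoted in this thread, with the real hostname replaced by ldap.example.org.

```python
import re

# Constructed sample lines modelled on the messages quoted in this thread
SAMPLE_LOG = """\
[2012-04-26 17:21:10,003] INFO SubsonicLdapBindAuthenticator - Failed to authenticate user 'test' in LDAP.
org.acegisecurity.ldap.LdapDataAccessException: Unable to connect to LDAP server; nested exception is javax.naming.CommunicationException: simple bind failed: ldap.example.org:636 [Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]
[2012-11-28 15:18:29,444] INFO SubsonicLdapBindAuthenticator - Failed to authenticate user 'testaccount' in LDAP.
org.acegisecurity.ldap.LdapDataAccessException: LdapCallback;null; nested exception is javax.naming.PartialResultException [Root exception is javax.naming.CommunicationException: DOMAIN.LOCAL:389 [Root exception is java.net.UnknownHostException: DOMAIN.LOCAL]]
[2012-11-28 15:20:01,000] INFO SubsonicLdapBindAuthenticator - Failed to authenticate user 'test' in LDAP.
org.acegisecurity.userdetails.UsernameNotFoundException: User test not found in directory.
"""

# Failure class -> (short cause, remedy as given in this thread)
CAUSES = {
    "UnknownHostException": ("host lookup", "try the DC's IP address, then check the server's DNS settings"),
    "SSLHandshakeException": ("TLS trust", "import the LDAP server certificate into the Java cacerts keystore"),
    "UsernameNotFoundException": ("search filter", "simplify the filter to (sAMAccountName={0}) and rebuild it step by step"),
}

FAILED = re.compile(r"Failed to authenticate user '([^']+)' in LDAP")
# Each nested cause appears as "[Root exception is <class>: <message>]"; stop at the next bracket
ROOT = re.compile(r"Root exception is ([\w.]+)(?::\s*([^\[\]]*))?")
TOP = re.compile(r"([\w.]+Exception):\s*(.*)")


def root_exception(line):
    """Return (short class name, message) of the innermost root exception on an exception line."""
    roots = ROOT.findall(line)
    if roots:
        cls, msg = roots[-1]
    else:
        m = TOP.match(line)
        cls, msg = m.groups() if m else ("", line)
    return cls.rsplit(".", 1)[-1], msg.strip()


def classify(log_text):
    """Pair each 'Failed to authenticate' line with the exception line after it and classify it."""
    lines = log_text.splitlines()
    events = []
    for i, line in enumerate(lines[:-1]):
        m = FAILED.search(line)
        if not m:
            continue
        cls, msg = root_exception(lines[i + 1])
        cause, hint = CAUSES.get(cls, ("unknown", "read the full stack trace in subsonic.log"))
        events.append({"user": m.group(1), "exception": cls, "detail": msg, "cause": cause, "hint": hint})
    return events
```

Running classify() over a tailed log gives one record per failed login with the failure class and the thread's remedy for it.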

Re: LDAP and AD integration

PostPosted: Wed Nov 28, 2012 2:11 pm
by HerrNilsson
I tried the other LDAP search filter with the same result.

The log tells me

[2012-11-28 15:18:29,444] INFO SubsonicLdapBindAuthenticator - Failed to authenticate user 'testaccount' in LDAP.
org.acegisecurity.ldap.LdapDataAccessException: LdapCallback;null; nested exception is javax.naming.PartialResultException [Root exception is javax.naming.CommunicationException: DOMAIN.LOCAL:389 [Root exception is java.net.UnknownHostException: DOMAIN.LOCAL]]


Re: LDAP and AD integration

PostPosted: Wed Nov 28, 2012 2:37 pm
by sir2u
Hrmm, this message "Root exception is java.net.UnknownHostException: DOMAIN.LOCAL" seems to indicate that there's some kind of issue contacting the domain controller. 1) Try using an IP address instead of dc01.domain.local. 2) If that works, then verify the DNS settings of the Subsonic server and check to make sure it can resolve dc01.domain.local.

Re: LDAP and AD integration

PostPosted: Wed Nov 28, 2012 2:40 pm
by tycoonbob
I could easily set mine up to authenticate any users in a specific OU, but I wanted it to check against a Security Group.

Here is what I use, and it works for any user anywhere in the domain, that is a member of the SubSonic_Users group.

LDAP URL:
ldap://DC01.Domain.com:389/DC=Domain,DC=com

LDAP Search Filter:
(&(sAMAccountName={0})(&(objectCategory=user)(memberof=CN=SubSonic_Users,OU=Security_Groups,OU=Accounts,DC=Domain,DC=com)))

LDAP Manager DN:
CN=SubSonic Service Account,OU=Service Accounts,OU=Accounts,DC=Domain,DC=com

Password:
(Set to the password of the LDAP Manager account -- the only permission that account has is Domain User)


Maybe this will help you out. My DCs are running Windows Server 2012, and my domain and forest levels are at Server 2012.

Re: LDAP and AD integration

PostPosted: Wed Nov 28, 2012 2:50 pm
by HerrNilsson
I've tried just that and get the message

[2012-11-28 15:48:29,904] INFO SubsonicLdapBindAuthenticator - Failed to authenticate user 'testaccount' in LDAP.
org.acegisecurity.ldap.LdapDataAccessException: LdapCallback;null; nested exception is javax.naming.PartialResultException [Root exception is javax.naming.CommunicationException: DOMAIN.LOCAL:389 [Root exception is java.net.UnknownHostException: DOMAIN.LOCAL]]

Same error with IP address.


I know the LDAP is working because I have other things running against it.

Re: LDAP and AD integration

PostPosted: Wed Nov 28, 2012 2:51 pm
by sir2u
FYI - The LDAP manager DN can also use the DOMAIN\username format.

Re: LDAP and AD integration

PostPosted: Wed Nov 28, 2012 2:53 pm
by sir2u
You tried using an IP address and it still didn't work?

Re: LDAP and AD integration

PostPosted: Wed Nov 28, 2012 2:56 pm
by HerrNilsson
Exactly.

EDIT: Get the same error message in the log.