LDAP and AD integration


LDAP and AD integration

Postby beneco07 » Mon Apr 02, 2012 6:08 pm

I've been trying to integrate LDAP and Active Directory into subsonic as a way to authenticate users but so far I've had no luck. Has anyone done this? If so, could you please tell me how?
beneco07
 
Posts: 1
Joined: Mon Apr 02, 2012 5:56 pm

Re: LDAP and AD integration

Postby sir2u » Thu Apr 05, 2012 8:07 pm

On the Advanced tab: Check the LDAP Integration box

For this example, your domain controller is called "dc" and the domain is "domain.org". Your OU user structure is right under the root of the domain in an OU called "Users", and there is a user called "username" in that OU.

LDAP URL: ldap://dc.domain.org:389/ou=users,dc=domain,dc=org

LDAP Search Filter: (sAMAccountName={0})

LDAP Manager DN: cn=username,ou=users,dc=domain,dc=org

See attached screenshot.

sir2u
 
Posts: 48
Joined: Mon Oct 11, 2010 9:44 pm

Re: LDAP and AD integration

Postby sir2u » Wed Apr 25, 2012 9:29 pm

As a security precaution, don't use a privileged account for the Manager DN account. If it's an option, use LDAPS. All that needs to change from the above configuration is for the LDAP URL to be ldaps://dc.domain.org:636/ou=users,dc=domain,dc=org
sir2u
 
Posts: 48
Joined: Mon Oct 11, 2010 9:44 pm
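Pulling the three settings from sir2u's two posts above into code, as an added example that is neither Subsonic's code nor sir2u's: it parses the LDAP URL, fills the {0} placeholder with RFC 4515 escaping so that filter metacharacters in a login name are matched literally, and flags a plain ldap:// URL or a privileged manager account. The PRIVILEGED_GROUPS set and the manager_groups argument are assumptions; Subsonic itself exposes no such check.

```python
"""Added example (not Subsonic's code): parse the three Subsonic LDAP settings
from this thread, fill the {0} placeholder safely, and flag the two weak
choices sir2u warns about (plain ldap:// and a privileged manager account)."""
from urllib.parse import urlsplit, unquote

# RFC 4515 escaping for a value placed inside a search filter, so that filter
# metacharacters in a login name are matched literally, not interpreted.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def escape_filter_value(value: str) -> str:
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)

def build_search_filter(template: str, username: str) -> str:
    """Substitute {0} the way a careful implementation should."""
    return template.replace("{0}", escape_filter_value(username))

def parse_ldap_url(url: str) -> dict:
    """Split ldap(s)://host[:port]/baseDN into parts; the port defaults by scheme."""
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps"):
        raise ValueError(f"unsupported scheme: {parts.scheme}")
    return {"scheme": parts.scheme, "host": parts.hostname,
            "port": parts.port or (636 if parts.scheme == "ldaps" else 389),
            "base_dn": unquote(parts.path.lstrip("/"))}

# Groups whose membership makes a manager account privileged (assumption:
# the usual AD built-ins; extend with your own admin groups).
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators", "Schema Admins"}

def review_settings(url: str, search_filter: str, manager_dn: str, manager_groups) -> list:
    """Return the findings a reviewer would raise about this configuration."""
    findings = []
    conn = parse_ldap_url(url)
    if conn["scheme"] != "ldaps":
        findings.append("manager password and user passwords are sent in the clear; use ldaps://")
    if "{0}" not in search_filter:
        findings.append("search filter has no {0} placeholder, so it never matches the login name")
    if PRIVILEGED_GROUPS & set(manager_groups):
        findings.append(f"manager account {manager_dn} is in a privileged group; use a plain Domain User")
    return findings
```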

Re: LDAP and AD integration

Postby spookybathtub » Fri Apr 27, 2012 12:24 am

sir2u, you seem to be a great authority of information on Subsonic's LDAP settings. I wonder if you can help solve this problem:
I have LDAP working on port 389. But when I try to enable LDAPS on port 636, I get an error. The LDAP server is using a self-signed certificate, so I think I need to tell Subsonic to trust that cert. I have the cert, and I've tried installing it to the System keychain, but that didn't make a difference.

[2012-04-26 17:21:10,003] INFO SubsonicLdapBindAuthenticator - Failed to authenticate user 'test' in LDAP.
org.acegisecurity.ldap.LdapDataAccessException: Unable to connect to LDAP server; nested exception is javax.naming.CommunicationException: simple bind failed: ldap.chapman.edu:636 [Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]
spookybathtub
 
Posts: 110
Joined: Thu Oct 07, 2010 7:13 am

Success!

Postby spookybathtub » Fri Apr 27, 2012 1:13 am

Never mind, I solved it! The Java runtime has its own keystore of trusted certificates that is separate from the OS X keychain. I installed my LDAP server's certificate to that keystore, with the alias matching the server's domain name, and voila — Subsonic can connect with LDAPS. On a Mac, the location of this keystore is /System/Library/Java/Support/CoreDeploy.bundle/Contents/Home/lib/security/cacerts.
spookybathtub
 
Posts: 110
Joined: Thu Oct 07, 2010 7:13 am

Re: LDAP and AD integration

Postby sir2u » Fri Apr 27, 2012 1:29 am

Glad to hear you got it working. Hopefully you now have all the pieces to get your large scale deployment going. Good luck!
sir2u
 
Posts: 48
Joined: Mon Oct 11, 2010 9:44 pm

Re: LDAP and AD integration

Postby HerrNilsson » Wed Nov 28, 2012 8:14 am

Hello

I can't get this to work.

I have a test account called "testaccount" under DOMAIN.LOCAL --> Domain --> Accounts
And I have a group called "test" under DOMAIN.LOCAL --> Domain --> Groups
The test account is a member of the test group.

I've specified the following in Subsonic:

LDAP URL: ldap://dc01.domain.local:389/dc=domain,dc=local
LDAP search filter: (&(sAMAccountName={0})(&(objectCategory=user)(!(userAccountControl=514))(memberof=cn=test,ou=Groups,ou=domain,dc=spofify,dc=local)))
LDAP manager DN: cn=ldap,ou=Accounts,ou=Domain,dc=domain,dc=local

The problem is I get "wrong username or password" when I try to log in with the test account.

Can someone please help me with this? Thanks

EDIT: I try to log in with DOMAIN.LOCAL\testaccount or just DOMAIN\testaccount but get the same error.
HerrNilsson
 
Posts: 60
Joined: Fri Aug 17, 2012 5:13 am

Re: LDAP and AD integration

Postby sir2u » Wed Nov 28, 2012 1:23 pm

Verify that the LDAP search filter is correct. In fact, to verify that everything else is correct, I'd simplify the filter to just accept anyone: (sAMAccountName={0}). Start with it wide open just to get a working baseline, then add the layers of security one by one so that in case anything breaks, you know what just changed to break it.

Also, tail /var/subsonic/subsonic.log (I'm assuming this is on Linux) as you try to log in. There's usually an explanation as to why the authentication is failing. If the filter is incorrect, you could get a message like, "SubsonicLdapBindAuthenticator - Failed to authenticate user 'test' in LDAP.org.acegisecurity.userdetails.UsernameNotFoundException: User test not found in directory."

Hope this helps.
sir2u
 
Posts: 48
Joined: Mon Oct 11, 2010 9:44 pm

Re: LDAP and AD integration

Postby HerrNilsson » Wed Nov 28, 2012 2:11 pm

I tried the other LDAP search filter with the same result.

The log tells me

[2012-11-28 15:18:29,444] INFO SubsonicLdapBindAuthenticator - Failed to authenticate user 'testaccount' in LDAP.
org.acegisecurity.ldap.LdapDataAccessException: LdapCallback;null; nested exception is javax.naming.PartialResultException [Root exception is javax.naming.CommunicationException: DOMAIN.LOCAL:389 [Root exception is java.net.UnknownHostException: DOMAIN.LOCAL]]

HerrNilsson
 
Posts: 60
Joined: Fri Aug 17, 2012 5:13 am

Re: LDAP and AD integration

Postby sir2u » Wed Nov 28, 2012 2:37 pm

Hrmm, this message "Root exception is java.net.UnknownHostException: DOMAIN.LOCAL" seems to indicate that there's some kind of issue contacting the domain controller. 1) Try using an IP address instead of dc01.domain.local. 2) If that works, then verify the DNS settings of the Subsonic server and check to make sure it can resolve dc01.domain.local.
sir2u
 
Posts: 48
Joined: Mon Oct 11, 2010 9:44 pm
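To act on sir2u's advice above to tail subsonic.log, and on his reading of the UnknownHostException, here is an added example (not Subsonic's code) that maps the root exceptions seen in this thread to what to check first: UnknownHostException to DNS, SSLHandshakeException/PKIX to the JVM truststore, UsernameNotFoundException to the search filter. The sample entries are constructed from the quoted log lines and the mapping is my own.

```python
"""Added example (not Subsonic's code): triage LDAP login failures from
subsonic.log entries. Sample entries are constructed from the messages quoted
in this thread; the root-cause-to-check mapping is my own."""
import re

# The innermost "[Root exception is ...]" wins: outer wrappers only say that
# the bind or search failed, the innermost exception says why.
_ROOT_RE = re.compile(r"\[Root exception is ([\w.$]+)(?::\s*([^\[\]]*))?")

# Root-cause exception class -> (category, what to check first)
_TRIAGE = {
    "java.net.UnknownHostException": ("dns", "the Subsonic host cannot resolve the LDAP host name"),
    "javax.net.ssl.SSLHandshakeException": ("tls-trust", "the LDAPS certificate is not in the JVM truststore (cacerts)"),
    "org.acegisecurity.userdetails.UsernameNotFoundException": ("search-filter", "the search filter or base DN does not match the user"),
}

def classify(entry: str) -> dict:
    """Map one log entry (INFO line plus its stack trace) to a root cause."""
    user = re.search(r"Failed to authenticate user '([^']*)'", entry)
    roots = _ROOT_RE.findall(entry)              # outermost first
    if roots:
        cls, detail = roots[-1]
    else:                                        # no nested root: look for a known class
        cls, detail = next((c for c in _TRIAGE if c in entry), ""), ""
    category, check = _TRIAGE.get(cls, ("unknown", "read the full stack trace"))
    return {"user": user.group(1) if user else None, "root_cause": cls,
            "detail": detail.strip(), "category": category, "check": check}

def triage(entries):
    """Group entries by category so repeated failures of one kind stand out."""
    summary = {}
    for entry in entries:
        summary.setdefault(classify(entry)["category"], []).append(entry)
    return summary

# Constructed sample entries, modelled on the log lines quoted in this thread.
SAMPLE_ENTRIES = [
    "INFO SubsonicLdapBindAuthenticator - Failed to authenticate user 'testaccount' in LDAP. "
    "org.acegisecurity.ldap.LdapDataAccessException: LdapCallback;null; nested exception is "
    "javax.naming.PartialResultException [Root exception is javax.naming.CommunicationException: "
    "DOMAIN.LOCAL:389 [Root exception is java.net.UnknownHostException: DOMAIN.LOCAL]]",
    "INFO SubsonicLdapBindAuthenticator - Failed to authenticate user 'test' in LDAP. "
    "org.acegisecurity.ldap.LdapDataAccessException: Unable to connect to LDAP server; nested "
    "exception is javax.naming.CommunicationException: simple bind failed: dc.domain.org:636 "
    "[Root exception is javax.net.ssl.SSLHandshakeException: PKIX path building failed]",
    "INFO SubsonicLdapBindAuthenticator - Failed to authenticate user 'test' in LDAP. "
    "org.acegisecurity.userdetails.UsernameNotFoundException: User test not found in directory.",
]
```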

Re: LDAP and AD integration

Postby tycoonbob » Wed Nov 28, 2012 2:40 pm

I could easily set mine up to authenticate any users in a specific OU, but I wanted it to check against a Security Group.

Here is what I use, and it works for any user anywhere in the domain, that is a member of the SubSonic_Users group.

LDAP URL:
ldap://DC01.Domain.com:389/DC=Domain,DC=com

LDAP Search Filter:
(&(sAMAccountName={0})(&(objectCategory=user)(memberof=CN=SubSonic_Users,OU=Security_Groups,OU=Accounts,DC=Domain,DC=com)))

LDAP Manager DN:
CN=SubSonic Service Account,OU=Service Accounts,OU=Accounts,DC=Domain,DC=com

Password:
(Set to the password of the LDAP Manager account. The only permission on that account is Domain User.)


Maybe this will help you out. My DCs are running Windows Server 2012, and my domain and forest levels are at Server 2012.
tycoonbob
 
Posts: 33
Joined: Mon Feb 06, 2012 2:49 pm

Re: LDAP and AD integration

Postby HerrNilsson » Wed Nov 28, 2012 2:50 pm

I've tried just that and get the message

[2012-11-28 15:48:29,904] INFO SubsonicLdapBindAuthenticator - Failed to authenticate user 'testaccount' in LDAP.
org.acegisecurity.ldap.LdapDataAccessException: LdapCallback;null; nested exception is javax.naming.PartialResultException [Root exception is javax.naming.CommunicationException: DOMAIN.LOCAL:389 [Root exception is java.net.UnknownHostException: DOMAIN.LOCAL]]

Same error with IP address.


I know LDAP is working because I have other things running against it.
Last edited by HerrNilsson on Wed Nov 28, 2012 2:52 pm, edited 1 time in total.
HerrNilsson
 
Posts: 60
Joined: Fri Aug 17, 2012 5:13 am

Re: LDAP and AD integration

Postby sir2u » Wed Nov 28, 2012 2:51 pm

FYI - The LDAP manager DN can also use the DOMAIN\username format.
sir2u
 
Posts: 48
Joined: Mon Oct 11, 2010 9:44 pm

Re: LDAP and AD integration

Postby sir2u » Wed Nov 28, 2012 2:53 pm

You tried using an IP address and it still didn't work?
sir2u
 
Posts: 48
Joined: Mon Oct 11, 2010 9:44 pm

Re: LDAP and AD integration

Postby HerrNilsson » Wed Nov 28, 2012 2:56 pm

Exactly.

EDIT: Get the same error message in the log.
HerrNilsson
 
Posts: 60
Joined: Fri Aug 17, 2012 5:13 am
