gitlab_rails['ldap_enabled'] = true
gitlab_rails['ldap_servers'] = YAML.load <<-EOS
  main: # 'main' is the GitLab 'provider ID' of this LDAP server
    label: 'LDAP'
    host: 'ServerLdap'
    port: 389
    uid: 'sAMAccountName'
    method: 'plain' # "tls" or "ssl" or "plain"
    bind_dn: 'uid=***,ou=JeniePortal,ou=applications,***'
    password: 'passw#rd'
    active_directory: false
    allow_username_or_email_login: false
    base: '0=sample'
    user_filter: ''
EOS
I tried uid also instead of sAMAccountName.
Still users are unable to authenticate.
Any help please.
I'm not sure what your actual issue is, but the thing I notice first is that your bind_dn is missing the uid value part. The bind_dn defines the user that is used to do lookups for the user that wants to log in. When you connect to an ActiveDirectory that should be something like sAMAccountName=xyz,ou=JeniePortal,ou=applications and the password should be that user's password. When the ActiveDirectory allows anonymous access you can leave those two parameters blank (bind_dn='').
Related
I'm new to Ansible and I'm trying to create some user accounts on remote servers, and I ran into some trouble.
I want to create users if they do not exist, and update their password if they are present.
I read the documentation and found the parameter "update_password", but I'm stuck on how to verify their existence.
I tried to do it like this:
- name: Determine local user accounts
  getent:
    database: passwd

- name: Add user
  user:
    name: support
    comment: support account
    password: bonjour
    groups: support,pricing
    append: yes
  with_items: "{{ user }}"
  when: user not in ansible_facts.getent_passwd

- name: Update user password
  user:
    name: support
    password: bonjour
    update_password: always
  with_items: "{{ user }}"
  when: user in ansible_facts.getent_passwd
I'm not sure I understand the concept of ansible_facts.
A key foundation of Ansible is that it is built around idempotency. This means you simply describe the state you want your system to be in, and leave it to Ansible to figure out the details of what needs to be done to make your system match your desired state.
Therefore, you simply need to define the user you want on the system, and Ansible will take care of checking whether they already exist or not, and act accordingly:
- name: Manage support user
  user:
    name: support
    comment: support account
    password: <some crypted password string>
    groups: support,pricing
    append: yes
This will add the user if they do not already exist, otherwise update the user's parameters to match your specification.
Note: You should not place clear-text passwords in these tasks. Check out this page for details of how to create an encrypted password.
I'm currently trying to set up a website using Bolt CMS. For a simple contact form, I'm trying to use the "SimpleForms" extension. For this, it seems I have to set up a "mailoptions" field in "config.yml".
Now, for the mail host I use Zoho Mail. I have successfully made an account, verified my domain and so on. My current mailoptions values in the config look like this:
mailoptions:
  transport: smtp
  host: smtp.zoho.com
  port: 465
  username: ****
  password: ****
  auth_mode: null
  encyption: null
  senderMail: null
  senderName: null
Notice, I've obviously just inserted some stars where the username and password is supposed to go :-)
Now, I'm not exactly sure what values are allowed for the last 4 fields. I have not for the life of me been able to find any documentation on this. However, if I simply try to send an email through a SimpleForms contact form with these settings, I get the following error:
Swift_TransportException:
Connection to smtp.zoho.com:465 Timed Out
Again, I haven't been able to find much info on this problem. My initial guess is that it might have to do with me not properly setting the last 4 fields, however I just do not know what they are supposed to be :( All I know, from following a DigitalOcean tutorial (I use DigitalOcean as server host), is that the settings are supposed to be as follows:
SMTP Host: smtp.zoho.com
SMTP Port: 465
Use SSL Encryption: Yes, use SSL encryption
SMTP Authentication: Yes, use SMTP authentication
Email Address or Username: The email address that you set up in the previous step. In our example, the email address is "application@example.com"
Email Name: The name associated with the email address. In our example, the name of the email is "Application Mail"
Email Password: The password that you set when you created the application mail account
I have tried different values for auth_mode and encryption, such as:
  auth_mode: smtp
  encryption: ssl
However, this still gives me the same timeout error.
[EDIT]
So, I was able to find the actual documentation for the values (which is Swiftmailer related). My current settings look like this:
mailoptions:
  transport: smtp
  host: smtp.zoho.com
  port: 465
  username: ****
  password: ****
  auth_mode: login
  encyption: ssl
  senderMail: **** (The same as the username email)
  senderName: **** (The name of the email account holder)
I've also double checked the mail settings from Zoho's own website, HERE.
This all seems to be correct settings, however I am still getting the original timeout message :(
EDIT
Check the comment of the answer for my stupid mistake :)
Bolt just uses Swiftmailer via the Silex service provider. The Silex documentation page probably has the answers you're looking for… namely:
The following options can be set:
- host: SMTP hostname, defaults to 'localhost'.
- port: SMTP port, defaults to 25.
- username: SMTP username, defaults to an empty string.
- password: SMTP password, defaults to an empty string.
- encryption: SMTP encryption, defaults to null. Valid values are 'tls', 'ssl', or null (indicating no encryption).
- auth_mode: SMTP authentication mode, defaults to null. Valid values are 'plain', 'login', 'cram-md5', or null.
For anyone having this problem, do check with your host if there is a security setting that disallows outgoing SMTP.
I'm having trouble with Squid Kerberos auth and the SquidGuard ldapusersearch that I use to apply ACLs by Active Directory group membership.
The problem is:
Squid and SquidGuard see my user as user@domain.local, so the '%s' variable of SquidGuard is 'user@domain.local'.
In my LDAP query there is no default property that can interpret this string.
Example:
src ldap {
    ldapusersearch ldap://dc1.domain.local:3268/dc=domain,dc=local?sAMAccountName?sub?(&(sAMAccountName=%s)(memberOf=CN=group,OU=Groups,DC=domain,DC=local))
}
And sAMAccountName should be only 'user' and not 'user@domain.local'!!!
So I found a solution, but it's not very comfortable:
I edit an unused attribute of the AD user and write my Kerberos login into it, so my conf looks like this:
src ldap {
    ldapusersearch ldap://dc1.domain.local:3268/dc=domain,dc=local?displayNamePrintable?sub?(&(displayNamePrintable=%s)(memberOf=CN=group,OU=Groups,DC=domain,DC=local))
}
And it works!!!
Does anyone have an idea how to avoid the need to create a custom attribute in AD that holds the login?
Note that userPrincipalName is the same as the email and can't match the Kerberos login.
Thanks all!!!
I am using Squid version 3.4.5-20140514-r13135 with squidGuard 1.5-beta and the strip-domain-realm patch by Mathieu Parent, which is able to strip the domain and strip the realm.
So the users appear as "user" and not as "user@KERBEROSDOMAIN".
Here is an example configuration that's working for me:
dbhome /var/lib/squidGuard/db
logdir /var/log/squidGuard
ldapbinddn squidguard@domain.tld
ldapbindpass squidguardpass
ldapprotover 3
ldapcachetime 2400
stripntdomain true
striprealm true

src users {
    ldapusersearch "ldap://ldapserver:3268/dc=ADDomain,dc=com?sAMAccountName?sub?(&(sAMAccountName=%s)(memberOf=CN=SQUID_USERS,OU=Squid_Groups,OU=Groups,DC=ADDomain,DC=com))"
}
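As an added example (not code from either post, squidGuard or the patch), this reproduces what stripntdomain/striprealm do to the login before it reaches '%s', and then substitutes it into the group-membership filter with RFC 4515 escaping, which squidGuard's plain '%s' substitution does not do. Group DN, realm and user names are constructed placeholders.

```javascript
// Reduce "user@REALM.LOCAL" or "DOMAIN\user" to the bare sAMAccountName,
// mirroring squidGuard's striprealm / stripntdomain options.
// Caveat: once the realm is gone, "jdoe@A.LOCAL" and "jdoe@B.LOCAL" become
// the same account, so only strip when Squid accepts a single realm.
function stripPrincipal(login, { stripRealm = true, stripNtDomain = true } = {}) {
  let name = String(login);
  if (stripNtDomain) {
    const bs = name.indexOf('\\');            // DOMAIN\user
    if (bs !== -1) name = name.slice(bs + 1);
  }
  if (stripRealm) {
    const at = name.indexOf('@');             // user@REALM
    if (at !== -1) name = name.slice(0, at);
  }
  return name;
}

// RFC 4515 escaping for a value placed inside a search filter. Without it a
// login containing '*', '(' , ')' or '\' changes the meaning of the filter.
function escapeFilterValue(value) {
  return String(value).replace(/[\\*()\0]/g, (c) =>
    '\\' + c.charCodeAt(0).toString(16).padStart(2, '0'));
}

// Build the same filter the posts use for one concrete login.
function buildGroupFilter(login, groupDn) {
  const sam = escapeFilterValue(stripPrincipal(login));
  return `(&(sAMAccountName=${sam})(memberOf=${groupDn}))`;
}

// Constructed sample: what Squid hands to squidGuard versus what AD expects.
const GROUP_DN = 'CN=SQUID_USERS,OU=Squid_Groups,OU=Groups,DC=ADDomain,DC=com';
console.log(buildGroupFilter('jdoe@DOMAIN.LOCAL', GROUP_DN));
console.log(buildGroupFilter('DOMAIN\\jdoe', GROUP_DN));
console.log(buildGroupFilter('j*doe@DOMAIN.LOCAL', GROUP_DN)); // '*' is escaped
```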
I have been wrestling with this for days. I am exasperated in extremis.
I have a hosted Ghost blog at umquhile.org/kelpie. It has been working fine. Somehow I locked myself out of my account. 75,000 posts say I need to set up email so I can click on "Forgotten Password". I have gone by 12,000 posts (okay, a SLIGHT exaggeration) that show how to do it. First, Ghost's tutorial flat does not work. I have tried vanilla sendmail (which is expected not to work), Mailgun, Sendgrid, and Gmail. I have gone over my configuration repeatedly.
I get different error messages depending on how I set it up. Sometimes I have gotten a 535 - invalid login credentials, sometimes all recipients rejected; right now I am getting "Cannot read property 'count' of undefined", whatever that one is. Can someone tell me if there is a problem with this configuration? Or how-the-deuce to get email to work in Ghost?
I should note that I have restarted node.js each time I made a change.
config = {
    // ### Production
    // When running Ghost in the wild, use the production environment
    // Configure your URL and mail settings here
    production: {
        url: 'http://umquhile.org/kelpie',
        mail: {
            service: 'Gmail',
            fromaddress: 'xxxx@gmail.com',
            transport: 'SMTP',
            options: {
                host: 'smtp.gmail.com',
                secureConnection: true,
                port: 465,
                auth: {
                    user: 'xxxx@gmail.com',
                    pass: 'xxxxxxxxxxxxxx'
                }
            }
        },
For what it's worth, I read that Ghost uses a Bcrypt hash for passwords. I have used an online Bcrypt generator to hash a password I provided. I copied the string and pasted it into the password field of my admin user in MySQL. That did not work because my account just flat remains locked.
And as soon as I post to stackoverflow, it hits me!!
I went into the database, via phpmyadmin, and found the field status
It was set to locked
I cleared the field, saved the change, and tadaaa! I am now able to access my blog once again. Sorry for the nuisance post! The answer JUST occurred to me.
I'm using ldapjs.
I got this code from some sites:
var ssha = require('ssha'); // the 'ssha' npm package the snippet appears to use (assumed)

var newUser = {
    cn: 'new guy',
    sn: 'guy',
    uid: 'nguy',
    mail: 'nguy@example.org',
    objectClass: 'inetOrgPerson',
    userPassword: ssha.create('s00prs3cr3+')
};
The thing is, the password is saved as an OctetString and can't be used for login. Does anyone here know how I can assign a password using node (ldapjs preferred)?
Try saving in plain text.
Most LDAP server implementations expect to receive the password in plain text and the server will then encrypt the password.
There are dependencies on the LDAP server implementation and configuration.
-jim
Oh, you did not mention it was AD. Active Directory is quite different. It uses unicodePwd, not userPassword. Password operations must be over an encrypted connection. And finally, the password must be "text value in UTF-16". Those quotes are required.
See updateUserPassword for the JNDI (Java) code for this.
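As an added example (not code from the answer or from ldapjs), this shows the encoding the answer describes: the password wrapped in double quotes, as UTF-16LE bytes, sent as a replace of unicodePwd only over an encrypted connection. The ldapjs Change shape in the comment and the server URLs are assumptions.

```javascript
// AD expects the literal bytes of  "password"  (quotes included) in UTF-16LE.
// This is neither plain text nor an SSHA hash like the userPassword attempt.
function encodeUnicodePwd(password) {
  if (typeof password !== 'string' || password.length === 0) {
    throw new TypeError('password must be a non-empty string');
  }
  return Buffer.from(`"${password}"`, 'utf16le');
}

// Inverse, useful for checking what a script actually put on the wire.
function decodeUnicodePwd(buf) {
  const text = Buffer.from(buf).toString('utf16le');
  if (text.length < 2 || !text.startsWith('"') || !text.endsWith('"')) {
    throw new Error('unicodePwd value is not wrapped in double quotes');
  }
  return text.slice(1, -1);
}

// AD rejects unicodePwd writes over clear text, so refuse a plain ldap:// URL
// unless the caller promises to run StartTLS on that connection first.
function requireEncryptedTransport(url, { startTls = false } = {}) {
  if (url.startsWith('ldaps://') || startTls) return true;
  throw new Error(`refusing to send unicodePwd over ${url}: use ldaps:// or StartTLS`);
}

// Plain-object equivalent of the ldapjs modification (assumed v3 shape:
// new Change({ operation, modification: new Attribute({ type, values }) })).
function buildPasswordChange(password) {
  return {
    operation: 'replace',
    modification: { type: 'unicodePwd', values: [encodeUnicodePwd(password)] },
  };
}

// Constructed sample run against a placeholder DC; no connection is made here.
requireEncryptedTransport('ldaps://dc1.example.test');
const change = buildPasswordChange('s00prs3cr3+');
console.log(change.modification.values[0].toString('hex'));       // 22 00 73 00 ...
console.log(decodeUnicodePwd(change.modification.values[0]));    // s00prs3cr3+
```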