4.6 LDAP authentication issue
Gael Ravot
2012-09-11 16:55:37 UTC
Hello all,

I have just tried to set up LDAP authentication on my 4.6 install.
Everything worked fine when importing the users. But now I am not able
to login to the webUI anymore - even with superadmin...

I always get the following 500 error:

http error: 500
Root DNs must be the same when using multiple URLs
RequestURI=/sipxconfig/j_acegi_security_check

Did anyone already have this issue? Is there a way to disable LDAP
authentication via CLI?

I am very new to sipx so sorry if I am missing something very simple
here...

Thanks in advance,

Gael
--
Gaël Ravot
Network & Telecom Engineer
+41 21 692 22 67
UNIL, Centre Informatique, 1015 Lausanne
Switzerland
Mircea Carasel
2012-09-12 07:34:39 UTC
Post by Gael Ravot
http error: 500
Root DNs must be the same when using multiple URLs
RequestURI=/sipxconfig/j_acegi_security_check
This might be a server error. Please attach sipxconfig.log from
/var/log/sipxpbx/sipxconfig.log

Mircea
Gael Ravot
2012-09-12 09:10:54 UTC
Hello Mircea,

here is the log.

When googling the error message I found a discussion about issues with
Spring and spaces in the LDAP URL (see
http://forum.springsource.org/showthread.php?98862-LDAP-url-with-space-problem).
My URL does have a space in it... So do you think this could be a
similar issue?

Unfortunately I cannot find where my LDAP URL is stored so I am unable
to see how it is encoded...

Thanks,

Gael
Post by Gael Ravot
http error: 500
Root DNs must be the same when using multiple URLs
RequestURI=/sipxconfig/j_acegi_security_check
This might be a server error. Please attach sipxconfig.log from
/var/log/sipxpbx/sipxconfig.log
Mircea
_______________________________________________
sipx-users mailing list
List Archive: http://list.sipfoundry.org/archive/sipx-users/
--
Gaël Ravot
Network & Telecom Engineer
+41 21 692 22 67
UNIL, Centre Informatique, 1015 Lausanne
Switzerland
Mircea Carasel
2012-09-12 10:01:16 UTC
Post by Gael Ravot
When googling the error message I found a discussion about issues with
Spring and spaces in the LDAP URL (see
http://forum.springsource.org/showthread.php?98862-LDAP-url-with-space-problem).
My URL does have a space in it... So do you think this could be a
similar issue?
Unfortunately I cannot find where my LDAP URL is stored so I am unable to
see how it is encoded...
Yes, it appears to be the same issue. We are using the Acegi security API, which
Spring Security 3 is based on.
Can you look into the postgres database and see what is saved in the ldap_attr_map
and ldap_connection tables?

run:
psql -U postgres -d SIPXCONFIG

then:
select * from ldap_connection;

then:
select * from ldap_attr_map;

Mircea
Douglas Hubler
2012-09-12 10:03:40 UTC
Post by Gael Ravot
Yes, it appears the same issue. We are using acegi security API which
spring security 3 is based on..
Can you look into postgres database and see what is saved in ldap_attr_map
and ldap_connection tables?
Mircea, I'll forever be confused on LDAP auth, but I thought the user
with name "superadmin" should be able to get in even when LDAP is
down/misconfigured.
Mircea Carasel
2012-09-12 10:28:32 UTC
Post by Douglas Hubler
Mircea, I'll forever be confused on LDAP auth, but I thought the user
with name "superadmin" should be able to get in even when LDAP is
down/misconfigured.
The LDAP authenticator is the first in the manager's authenticators list;
then comes the DB authenticator. All authenticators are checked in the order
they are defined in the list.

When superadmin logs in, the LDAP authenticator comes into the picture first;
it will fail and then the DB authenticator is checked. (The LDAP authenticator
tries to authenticate the user only if the LDAP authentication setting is set.)
In an LDAP-only authentication setup, there is a validation in the DB
authenticator that permits the administrator to log in, no matter what
authentication scheme is set.

I agree that this workflow can be optimized so that such cases are
avoided, by putting the superadmin check in the LDAP authenticator to
bypass the LDAP authentication step when superadmin tries to log in.

It is pretty straightforward; we have the following check in the LDAP
authenticator:

@Override
public boolean supports(Class authentication) {
    if (!m_ldapManager.getSystemSettings().isConfigured()) {
        return false;
    }
    // ... remaining checks of the method follow
}

This makes LDAP authentication effective only when LDAP authentication
is set in the UI. We should add the superadmin check here, not in the DB
authenticator (daoAuthenticationProvider.java).

Mircea
Gael Ravot
2012-09-12 10:28:03 UTC
Post by Mircea Carasel
psql -U postgres -d SIPXCONFIG
select * from ldap_connection;
 ldap_connection_id | host                                        | port | principal | secret | cron_schedule_id | use_tls
--------------------+---------------------------------------------+------+-----------+--------+------------------+---------
                  4 | auth.unil.ch o=universite de lausanne, c=ch |      |           |        |                5 | f
Post by Mircea Carasel
select * from ldap_attr_map
 ldap_attr_map_id | default_group_name | default_pin | search_base                    | object_class | filter
------------------+--------------------+-------------+--------------------------------+--------------+------------------------
                4 | ldap_imports       | 1111        | o=universite de lausanne, c=ch | person       | ou=Centre informatique


I replaced the space in the host field in ldap_connection with %20:

update ldap_connection set host='auth.unil.ch o=universite%20de%20lausanne,c=ch' where ldap_connection_id=4;

and now I can login with superadmin, or any imported LDAP users with pin
1111. Using the LDAP password still doesn't work though.

Thanks a lot for the help!

Gael
--
Gaël Ravot
Network & Telecom Engineer
+41 21 692 22 67
UNIL, Centre Informatique, 1015 Lausanne
Switzerland
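The failure and the %20 fix from this thread, as an added example (not sipXconfig's or Spring's code): the check below is modelled on the whitespace tokenization Spring Security's LDAP context source applies to its URL string, which is where the quoted error message originates; the host and base DN come from the psql output above, and port 389 is an assumption.

```python
# Added example, not sipXconfig's or Spring's code. Models the check behind
# "Root DNs must be the same when using multiple URLs": the provider URL
# string is tokenized on whitespace, so an unencoded space inside the base
# DN turns one URL into several "URLs" with different root DNs.
from urllib.parse import quote, unquote, urlsplit

ROOT_DN_ERROR = "Root DNs must be the same when using multiple URLs"


def root_dn_from_url(token: str) -> str:
    """Raw root DN of one whitespace-separated token. A token that is not an
    ldap:// or ldaps:// URL is taken as a bare DN, which is what turns a
    stray 'de' or 'c=ch' into a mismatch."""
    dn = urlsplit(token).path if token.startswith(("ldap:", "ldaps:")) else token
    return dn[1:] if dn.startswith("/") else dn


def validate_ldap_urls(provider_url: str) -> tuple[list[str], str]:
    """Split the URL setting on whitespace and require one common root DN.
    Returns (server URLs with the DN stripped, percent-decoded root DN), or
    raises ValueError with the message from the sipxconfig 500 error."""
    servers: list[str] = []
    root_dn = None
    for token in provider_url.split():
        dn = root_dn_from_url(token)
        if root_dn is None:
            root_dn = dn
        elif dn != root_dn:
            raise ValueError(ROOT_DN_ERROR)
        servers.append(token[: token.rfind(dn)] if dn else token)
    return servers, unquote(root_dn or "")


def ldap_url(host: str, port: int, base_dn: str) -> str:
    """Build one LDAP URL with the base DN percent-encoded, so spaces in the
    DN can never be read as a separator between URLs."""
    # Drop the spaces after commas (not part of the DN), then encode
    # everything except the DN's own structural '=' and ','.
    return f"ldap://{host}:{port}/{quote(base_dn.replace(', ', ','), safe='=,')}"


if __name__ == "__main__":
    # Constructed from the thread's psql output; port 389 is assumed.
    dn = "o=universite de lausanne, c=ch"
    try:
        validate_ldap_urls(f"ldap://auth.unil.ch:389/{dn}")
    except ValueError as exc:
        print("unencoded:", exc)
    print("encoded:  ", validate_ldap_urls(ldap_url("auth.unil.ch", 389, dn)))
```

The same check accepts a genuine multi-server setting such as two ldap:// URLs sharing one base DN, so encoding the DN fixes the lockout without giving up failover URLs.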
Mircea Carasel
2012-09-12 10:37:08 UTC
Post by Gael Ravot
and now I can login with superadmin, or any imported LDAP users with pin
1111. Using the LDAP password still doesn't work though.
In order to use the LDAP password for authentication you have to set the
LDAP-only authentication setting.
In the Admin Portal, go to the LDAP/AD configuration page and then, among the
tabs on the left, pick the tab where the "Ldap Only" authentication is set (I
don't have LDAP configured here and I don't remember the tab name).

Mircea
