Configuring LDAP authentication

james.d · April 7, 2016, 6:19am

Hello!

Concerning the configuration of LDAP authentication, I have already read on page 35 in the CMDBuild Technical Manual that it is needed to FIRST create users in CMDBuild and THEN use LDAP only for authentication.

I would appreciate your answer on the following.

Is there a way to massively add a large number of users in CMDBuild e.g. 500 ?

I mean I cannot add them manually, thus I need a way to add them all together. Of course it would be nice if any proposed way is also "dynamic" in terms of updating what is added in the AD.

Lastly, I would like to ask if we can somehow associate the stakeholders (Persons) with User accounts?

Thank you,

James

tecnoteca · April 7, 2016, 6:14pm

To solve your problem you should implement a synchronization connector between LDAP and CMDBuild, using its REST or SOAP webservice (similar to that used in CMDBuild Ready2Use to synchronize the persons in the "Employee" class).

Normally the system users are just the CMDBuild users in the IT department, and the number varies from 10 to 150/200, for which you can also operate manually.

You have to consider that in any case, once imported, you will need to associate the users to the CMDBuild appropriate groups, so you'll still need to manually intervene.

CMDBuild Team

james.d · April 8, 2016, 12:33pm

Thank you for the information! I really appreciate it!

A few questions more on this, please. I guess your answers will help many people who are working with LDAP and CMDBuild.

1. For the above I will use the Basic Connector, right? After I make it from command line (ubuntu), should it then be visible in the scheduler of the UI of CMDBuild (Task Manager)?

2. Is it necessary to define a RfC process to handle the changes?

3. As soon as I manage to import "Employees" from LDAP, how can I also make these as "Users" so that they can log-in? (or vice versa)

4. Is there an error in the source code as indicated in the last post here? : www.cmdbuild.org/forum/forum-in-english/447412351

tecnoteca · April 10, 2016, 4:46pm

I answer to your questions.
1. We usually use the Advanced Connector that has better performance and additional features, but also goes well the Basic Connector. The connectors scheduled in the system "cron" are not visible in the CMDBuild UI.
2. No, you can directly perform the changes in the CMDB.
3. "Employees" and "Users" are distinct entities, if necessary you can operate from the connector on both classes.
4. We are not aware of mistakes, but for a long time we do not use the Basic Connector
CMBuild Team

ben.ipinge · April 11, 2016, 10:39am

What is the name of the Advanced or Basic Connector you are using, and where can I find it?

Previously Tecnoteca wrote:

I answer to your questions.
1. We usually use the Advanced Connector that has better performance and additional features, but also goes well the Basic Connector. The connectors scheduled in the system "cron" are not visible in the CMDBuild UI.
2. No, you can directly perform the changes in the CMDB.
3. "Employees" and "Users" are distinct entities, if necessary you can operate from the connector on both classes.
4. We are not aware of mistakes, but for a long time we do not use the Basic Connector
CMBuild Team

tecnoteca · April 11, 2016, 10:49am

It comes as part of the maintenance service.
You can find several
information on the Advanced Connector on the Connectors Manual (
http://www.cmdbuild.org/en/documentazione/manuali/connectors-manual ).
CMDBuild Team

james.d · April 11, 2016, 11:10am

Thanks again for your reply!
Concerning my question no.4 earlier in this thread, I still claim that there should be some errors in LDAPConnector.java file.
According to my log files, as well as based on other forum posts, I can see that users trying to make LDAP and basic connector work together, all face the same issue.
Please see posts:
http://www.cmdbuild.org/forum/forum-for-advanced-cmdbuild-users/220978686
http://www.cmdbuild.org/forum/forum-in-english/928077220
http://www.cmdbuild.org/forum/forum-in-english/447412351
http://www.cmdbuild.org/forum/forum-in-english/928077220

Probably the solution is to modify the LDAPConnector.java file according to http://www.cmdbuild.org/forum/forum-in-english/447412351
Please guide me how to handle that file (i.e. compile, location, etc).

Thank you!

tecnoteca · April 11, 2016, 12:36pm

We will check.

CMDBuild Team

ben.ipinge · April 11, 2016, 3:34pm

Is it possible to provide steps to configure basic or advanced connector for AD/LDAP integration?

tecnoteca · April 11, 2016, 4:53pm

We do not have such documents.
Between commercial services is available this course: www.tecnoteca.com/en/cmdbuild/formazione/module-e
CMDBuild Team

tecnoteca · April 13, 2016, 2:20pm

Probably you have a unrecognized tag in your configuration.xml

In fact, the configuration for OCS and LDAP is slightly different.

This is an example for LDAP.

<Address>localhost/Address>

<Context>cmdbuild</Context>

<Username>inventory</Username>

<Password>inventory</Password>

</Server>

<Table>Employee</Table>

</Database>

</cmdbuild>

<DN>ou=employee,ou=tecnoteca,ou=com</DN>

<ServerAddress>ad.tecnoteca.com</ServerAddress>

<User>cn=cmdbuild,ou=employee,ou=tecnoteca,ou=com</User>

<Password>cmdbuild</Password>

<Class>InternalEmployee</Class>

<Key>sAMAccountName</Key>

<Attributes>sAMAccountName,mail</Attributes>

<Search>(&(objectClass=person)(sAMAccountName=*)(mail=*))</Search>

</serverldap>

</configuration>

Regards,

the CMDBuild team

james.d · April 19, 2016, 6:52am

Thank you CMDBuild Team!

Indeed your comment helped me move on.

However, I now face another problem with LDAP...

To be honest I have spent over a week trying to make LDAP&basic-connector work together, and I have serious doubts if ANYONE has made it before. I have read all forum posts and I have found NOBODY who has successfully configured LDAP with basic-connector.

Please could you be more specific regarding the overall steps?

Besides configuring the basic connector files, I guess I have to make a process "ImportAsset" and load the XPDL, right? Then, what about the ImportTask?

Please consider my newest errors, after I run "bash connector.sh &"

javax.xml.ws.soap.SOAPFaultException: Fault occurred while processing.

at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:146)

at com.sun.proxy.$Proxy46.getCardList(Unknown Source)

at org.cmdbuild.externalconnector.inventory.data.GetDataFromCMDBuild.isNewCard(GetDataFromCMDBuild.java:119)

at org.cmdbuild.externalconnector.update.LDAPConnector.connect(LDAPConnector.java:119)

at org.cmdbuild.externalconnector.update.UpdateCMDBuild.main(UpdateCMDBuild.java:45)

Caused by: org.apache.cxf.binding.soap.SoapFault: Fault occurred while processing.

at org.apache.cxf.binding.soap.interceptor.Soap11FaultInInterceptor.unmarshalFault(Soap11FaultInInterceptor.java:75)

at org.apache.cxf.binding.soap.interceptor.Soap11FaultInInterceptor.handleMessage(Soap11FaultInInterceptor.java:46)

at org.apache.cxf.binding.soap.interceptor.Soap11FaultInInterceptor.handleMessage(Soap11FaultInInterceptor.java:35)

at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:255)

at org.apache.cxf.interceptor.AbstractFaultChainInitiatorObserver.onMessage(AbstractFaultChainInitiatorObserver.java:99)

at org.apache.cxf.binding.soap.interceptor.CheckFaultInterceptor.handleMessage(CheckFaultInterceptor.java:69)

at org.apache.cxf.binding.soap.interceptor.CheckFaultInterceptor.handleMessage(CheckFaultInterceptor.java:34)

at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:255)

at org.apache.cxf.endpoint.ClientImpl.onMessage(ClientImpl.java:795)

at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponseInternal(HTTPConduit.java:2399)

at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponse(HTTPConduit.java:2239)

at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:2082)

at org.apache.cxf.transport.AbstractConduit.close(AbstractConduit.java:56)

at org.apache.cxf.transport.http.HTTPConduit.close(HTTPConduit.java:730)

at org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor.handleMessage(MessageSenderInterceptor.java:62)

at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:255)

at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:544)

at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:341)

at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:294)

at org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:73)

at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:124)

... 4 more

and my cmdbuild.log:

INFO 2016-04-15 16:25:30 [soap ] storing operation user for authentication string 'PasswordHandler.AuthenticationString[authentication login=inventory/USERNAME,<null>,impersonation login=<null>]'

DEBUG 2016-04-15 16:25:30 [soap ] getting login and group for authentication string 'PasswordHandler.AuthenticationString[authentication login=inventory/USERNAME,<null>,impersonation login=<null>]'

DEBUG 2016-04-15 16:25:30 [soap ] login and group are 'inventory/USERNAME,<null>'

DEBUG 2016-04-15 16:25:30 [soap ] trying login with 'inventory/USERNAME,<null>'

INFO 2016-04-15 16:25:30 [cmdbuild] trying to login user inventory with group null

INFO 2016-04-15 16:25:30 [soap ] operation user successfully stored

INFO 2016-04-15 16:25:30 [cmdbuild] getting all-in-one 'interface org.cmdbuild.services.event.Observer'

WARN 2016-04-15 16:25:30 [org.apache.cxf.phase.PhaseInterceptorChain] Application {http://proxy.sun.com/}$Proxy149Service#{http://soap.services.cmdbuild.org}getCardList has thrown exception, unwinding now

org.apache.cxf.interceptor.Fault

at org.apache.cxf.service.invoker.AbstractInvoker.createFault(AbstractInvoker.java:162)

at org.apache.cxf.jaxws.AbstractJAXWSMethodInvoker.createFault(AbstractJAXWSMethodInvoker.java:213)

at org.apache.cxf.service.invoker.AbstractInvoker.invoke(AbstractInvoker.java:128)

at org.apache.cxf.jaxws.AbstractJAXWSMethodInvoker.invoke(AbstractJAXWSMethodInvoker.java:178)

at org.apache.cxf.jaxws.JAXWSMethodInvoker.invoke(JAXWSMethodInvoker.java:66)

at org.apache.cxf.service.invoker.AbstractInvoker.invoke(AbstractInvoker.java:75)

at org.apache.cxf.interceptor.ServiceInvokerInterceptor$1.run(ServiceInvokerInterceptor.java:57)

at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471)

at java.util.concurrent.FutureTask$Sync.innerRun(FutureTask.java:334)

at java.util.concurrent.FutureTask.run(FutureTask.java:166)

at org.apache.cxf.workqueue.SynchronousExecutor.execute(SynchronousExecutor.java:37)

at org.apache.cxf.interceptor.ServiceInvokerInterceptor.handleMessage(ServiceInvokerInterceptor.java:106)

at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:263)

at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121)

at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:237)

at org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:239)

at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:213)

at org.apache.cxf.transport.servlet.CXFNonSpringServlet.invoke(CXFNonSpringServlet.java:131)

at org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:266)

at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doPost(AbstractHTTPServlet.java:186)

at javax.servlet.http.HttpServlet.service(HttpServlet.java:650)

at org.apache.cxf.transport.servlet.AbstractHTTPServlet.service(AbstractHTTPServlet.java:242)

at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)