
[Community Server] LDAP users can't login with 9.5

Tech support for Enterprise Version

Re: [Community Server] LDAP users can't login with 9.5

Postby dsi-lille » Fri Nov 10, 2017 2:07 pm

Hello,

with the help of my colleagues, we found the problem.
The problem is related to the error "LDAP Domain not found".

In the LDAPUtils.cs class from the ASC.ActiveDirectory library, you assume that the LDAP domain necessarily contains a DC attribute (line 43):

Code:
private static readonly Regex DcRegex = new Regex("dc=([^,]+)", RegexOptions.Compiled | RegexOptions.CultureInvariant | RegexOptions.IgnoreCase);


This is not our case, we don't have any DC attribute. Our DN attributes look like this:

Code:
uid=toto,ou=people,ou=example,ou=lorem,o=ipsum, c=fr


So we changed the regular expression like this:

Code:
private static readonly Regex DcRegex = new Regex("(dc|ou)=([^,]+)", RegexOptions.Compiled | RegexOptions.CultureInvariant | RegexOptions.IgnoreCase);


And all works (LDAP authentication, saving LDAP Settings and the LDAP synchronisation).

Could you, please, fix this rapidly?

Thanks a lot,
Yoann.
dsi-lille
 
Posts: 138
Joined: Mon Jul 11, 2016 1:47 pm

Re: [Community Server] LDAP users can't login with 9.5

Postby Maxim » Sat Nov 11, 2017 8:05 am

Hello Yoann!
Can you send me the results of the following command?
Code:
ldapsearch -x -H ldap://host:port -LLL -b "" -s base '(objectClass=*)' supportedControls supportedCapabilities
Maxim
 
Posts: 1162
Joined: Tue Oct 11, 2016 2:34 pm

Re: [Community Server] LDAP users can't login with 9.5

Postby dsi-lille » Mon Nov 13, 2017 8:32 am

Hello Maxim,

We only have supportedControls attributes.
supportedCapabilities seems to me to be an attribute exclusive to Active Directory (we have Sun LDAP here).

That's why it's the GetDomain method from LDApObjectExtension.cs that is used:

Code:
        public static string GetDomain(this LdapObject ldapObject)
        {
            if (ldapObject == null || string.IsNullOrEmpty(ldapObject.DistinguishedName))
                return null;

            return LdapUtils.DistinguishedNameToDomain(ldapObject.DistinguishedName);
        }


and this leads to the DistinguishedNameToDomain method from the LDAPUtils.cs class being used:

Code:
        public static string DistinguishedNameToDomain(string distinguishedName)
        {
            if (string.IsNullOrEmpty(distinguishedName))
                return null;

            var matchList = DcRegex.Matches(distinguishedName);

            var dcList = matchList.Cast<Match>().Select(match => match.Groups[1].Value).ToList();

            return !dcList.Any() ? null : string.Join(".", dcList);
        }


and this method uses an incorrect regular expression:

Code:
private static readonly Regex DcRegex = new Regex("(ou|dc)=([^,]+)", RegexOptions.Compiled | RegexOptions.CultureInvariant | RegexOptions.IgnoreCase);


I did my homework ;)

So now, can you fix this rapidly?
Thanks,
Yoann
dsi-lille
 
Posts: 138
Joined: Mon Jul 11, 2016 1:47 pm

Re: [Community Server] LDAP users can't login with 9.5

Postby Maxim » Mon Nov 13, 2017 9:12 am

Hello!
We need your domain component. Maybe there are values like "defaultNamingContext" or "rootDomainNamingContext".
What version of SUN LDAP do you use?
Maxim
 
Posts: 1162
Joined: Tue Oct 11, 2016 2:34 pm

Re: [Community Server] LDAP users can't login with 9.5

Postby dsi-lille » Mon Nov 13, 2017 10:20 am

Hello Maxim,

"defaultNamingContext" or "rootDomainNamingContext" are both specific to Active Directory...
We use the latest version (11) of SUN/Oracle Directory Server...
dsi-lille
 
Posts: 138
Joined: Mon Jul 11, 2016 1:47 pm

Re: [Community Server] LDAP users can't login with 9.5

Postby Maxim » Mon Nov 13, 2017 12:34 pm

Hello Yoann!
We cannot use your method. We cannot change the regular expression, otherwise other users who use DC and OU in the DN will get an incorrect domain error. We need the DC.
Is the DC specified in the LDAP connection settings in the UserDN or Group DN attributes?
Anyway, we will remove the restriction (next version 9.5.2) on synchronization. If the domain can not be found, it will be as "unknown" (with the ability to specify in the portal's configuration).
Maxim
 
Posts: 1162
Joined: Tue Oct 11, 2016 2:34 pm
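
An added example (not ONLYOFFICE code and not written by either poster) that runs the domain derivation discussed in this thread over a DC-less DN and a mixed OU/DC DN, using both regular expressions quoted above and an "unknown" fallback like the one announced for 9.5.2. The class name, the second DN, the `group` parameter and the fallback helper are assumptions made for illustration.

```csharp
using System;
using System.Linq;
using System.Text.RegularExpressions;

static class DomainFromDnDemo
{
    const RegexOptions Opts = RegexOptions.Compiled | RegexOptions.CultureInvariant | RegexOptions.IgnoreCase;

    // Pattern quoted in the thread as the original (DC components only).
    static readonly Regex DcOnly = new Regex("dc=([^,]+)", Opts);
    // Pattern proposed in the thread; group 1 is now the attribute type, group 2 the value.
    static readonly Regex DcOrOu = new Regex("(dc|ou)=([^,]+)", Opts);

    // Same logic as the DistinguishedNameToDomain method quoted in the thread,
    // with the regex and the capture group passed in (hypothetical parameters).
    static string ToDomain(Regex regex, string dn, int group)
    {
        if (string.IsNullOrEmpty(dn)) return null;
        var parts = regex.Matches(dn).Cast<Match>().Select(m => m.Groups[group].Value).ToList();
        return parts.Any() ? string.Join(".", parts) : null;
    }

    // Hypothetical fallback: a configured value is used when the DN has no DC components.
    static string ToDomainOrFallback(string dn, string fallback = "unknown")
    {
        return ToDomain(DcOnly, dn, 1) ?? fallback;
    }

    static void Main()
    {
        // The first DN is the one posted in the thread; the second is constructed.
        string[] dns =
        {
            "uid=toto,ou=people,ou=example,ou=lorem,o=ipsum, c=fr",
            "uid=alice,ou=people,dc=example,dc=com",
        };
        foreach (var dn in dns)
        {
            Console.WriteLine(dn);
            Console.WriteLine("  dc only            : " + (ToDomain(DcOnly, dn, 1) ?? "(null)"));
            Console.WriteLine("  dc|ou, group 1     : " + ToDomain(DcOrOu, dn, 1));
            Console.WriteLine("  dc|ou, group 2     : " + ToDomain(DcOrOu, dn, 2));
            Console.WriteLine("  dc only + fallback : " + ToDomainOrFallback(dn));
        }
    }
}
```

Comparing the four lines printed per DN shows which inputs leave the domain empty and how widening the pattern changes the derived value for directories that do use DC.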

Re: [Community Server] LDAP users can't login with 9.5

Postby dsi-lille » Mon Nov 13, 2017 1:06 pm

Is the DC specified in the LDAP connection settings in the UserDN or Group DN attributes?


There is no DC in the user DN (only ou, o and c) and we don't use Group Membership.
Our LDAP tree does not contain DC attributes at all.

Anyway, we will remove the restriction (next version 9.5.2) on synchronization. If the domain can not be found, it will be as "unknown" (with the ability to specify in the portal's configuration).

Great news!
When will this new version be available?

We need the latest Document Server to solve this issue: viewtopic.php?f=31&t=10551
Is Document Server version 5.0.3.41 compatible with Community Server 9.1?

Thanks,
Yoann
dsi-lille
 
Posts: 138
Joined: Mon Jul 11, 2016 1:47 pm

Re: [Community Server] LDAP users can't login with 9.5

Postby dsi-lille » Fri Nov 17, 2017 9:17 am

Hi,

Can I have answers to my questions?

Thanks a lot,
Yoann
dsi-lille
 
Posts: 138
Joined: Mon Jul 11, 2016 1:47 pm
