
LDAP

Posted: 01 Oct 2017, 11:24
by albertocastillo2001
Hello

I have a few questions regarding LDAP:
- Has any of you had issues with it?
- Does it allow users' passwords to be changed on Madsonic and sync back to the LDAP directory?
- Is there any other way to enable a global authentication like this, or is LDAP the only method available?

As of now those are the questions I have

Thanks

Re: LDAP

Posted: 04 Oct 2017, 10:39
by albertocastillo2001
Anyone?
Thanks

Re: LDAP

Posted: 05 Oct 2017, 22:54
by albertocastillo2001
Seriously. No one has attempted to use LDAP?

Thanks

Re: LDAP

Posted: 10 Oct 2017, 11:00
by chrissi55
albertocastillo2001 wrote: Has any of you had issues with it?

Yes, I have! As mentioned in the Android Google Play Store, the Madsonic app is (at the moment) not able to log in LDAP users.
Only local accounts can log in.

With my web browser (Chromium, SRWare Iron or Firefox), LDAP accounts don't have any problems logging in.

albertocastillo2001 wrote: Does it allow users' passwords to be changed on Madsonic and sync back to the LDAP directory?

Not for me. It is disabled in the user account settings.
I don't know if there is a way to make it work. The user for the LDAP connection has write permissions.



Anyway LDAP was THE reason for me to take Madsonic and not Plex or something like other "walled gardens" :-)

Re: LDAP

Posted: 13 Oct 2017, 16:21
by albertocastillo2001
Hello

Thanks for your response

I set up a small OpenLDAP server to test.
I created all the groups mentioned in the wiki help and am using the cn=admin user for binding for now.

Every time an LDAP user accesses the web app, it clones the "default" user and creates a user named "user[LDAP]" according to the log, and you will find it in the list of users. However, it doesn't give any permission to it, no matter which LDAP groups you added the user to. It just seems not to check the LDAP groups at any level. It doesn't even matter if you remove the user from the LDAP groups; the user will still be able to log in.

Here are the LDAP groups I created, which are the ones in the wiki:

madsonic.admin :: Madsonic administrator role
madsonic.config :: Madsonic change settings role
madsonic.stream :: Madsonic can play media role
madsonic.jukebox :: Madsonic jukebox user role
madsonic.search :: Madsonic search role
madsonic.cover :: Madsonic cover & comment edit role
madsonic.upload :: Madsonic can upload role
madsonic.download :: Madsonic download role
madsonic.podcast :: Madsonic podcast administrator role
madsonic.comment :: Madsonic editor role
madsonic.lastfm :: Madsonic last.fm usage role
madsonic.share :: Madsonic share role
madsonic.audio :: Madsonic audio conversion role
madsonic.video :: Madsonic video conversion role

http://beta.madsonic.org/pages/ldap.jsp

Do you have the same issue? Which Madsonic version are you using? I am using 6.2.9040.

Thanks

Re: LDAP

Posted: 14 Oct 2017, 09:07
by chrissi55
albertocastillo2001 wrote: I set up a small OpenLDAP server to test.

That's the first difference to my config. I'm using an M$ Active Directory, so I followed the instructions of the Madsonic help sites concerning LDAP.

There are two ways you can add users from LDAP auth...

1) Using the LDAP connection in Admin -> LDAP Settings: when an LDAP user logs in for the first time, an account will be created with low/no rights!
The admin should edit the user's settings first.
Therefore the tag "Automatically create LDAP Users in madsonic..." is needed.

Better is (maybe) variant no. 2.....

2) Adding users to the group [LDAP] manually and editing all needed settings directly.
When a fully added user logs in to Madsonic for the first time, his account is authenticated by LDAP.
When adding users manually, leave the fields password / retype password empty!!
You have control over allowed / disallowed LDAP users!

The proposal of Madsonic is:

LDAP URL :: ldap://localhost:389/dc=madsonic,dc=org
LDAP search filter :: (sAMAccountName={0})
LDAP group searchBase :: ou=groups,ou=organisation
LDAP group filter :: (member={0})
LDAP group role attribute :: cn
LDAP manager DN :: cn=ldap,ou=users,ou=organisation,dc=madsonic,dc=org
LDAP manager password :: the given password


When errors occurred (like in my case at the beginning), I checked the LDAP group searchBase and changed it to "cn=Users", because my users were not found with the settings mentioned above.

Re: LDAP

Posted: 14 Oct 2017, 10:00
by albertocastillo2001
So in any case it seems it doesn't establish permissions based on the LDAP/AD groups, right?

You didn't mention anything; what's your version?

Thanks

Re: LDAP

Posted: 14 Oct 2017, 13:26
by chrissi55
Sorry, my version is the same as yours.

But on a parallel virtual machine I've tested 6.3.9560 with the same config and a working LDAP connection.

Re: LDAP

Posted: 14 Oct 2017, 13:29
by albertocastillo2001
Thanks. Do LDAP groups work on that one?

For me they don't work on the earlier stable version.

Re: LDAP

Posted: 14 Oct 2017, 15:51
by chrissi55
You can give it a try ... but IMHO under 6.3.9560 I've had the same problems with my (earlier, and wrong) configuration of the parameters in

LDAP group searchBase :: ou=groups,ou=organisation

So first try to find out in which group / LDAP path your users are, then insert this string into the LDAP config of Madsonic.

Otherwise a Madsonic admin should help us a little bit ;)

Re: LDAP

Posted: 14 Oct 2017, 16:40
by albertocastillo2001
I don't know, I haven't tried the newest version, but groups don't work on mine. Authentication works, but it doesn't check the groups at all.

Re: LDAP

Posted: 16 Oct 2017, 07:48
by chrissi55
albertocastillo2001 wrote: Authentication works but doesn't check the groups at all

I'm not sure what that means.

Are you thinking of the feature to create new groups -> and under user settings -> set the user to this group as "User Level"?

This is working for me under every version 6.2.xx and 6.3.9700 too.

Although all my users are named "username[LDAP]", I can set them to a user level like "FRIENDS" or "FAMILY" or something like that.

Then all files that are defined under AccessSettings.view -> user / group permissions "Security Groups" are fully working with my LDAP users.

Re: LDAP

Posted: 16 Oct 2017, 11:56
by albertocastillo2001
Hello

I am talking about the groups that you can set up in LDAP to delegate access on Madsonic:
http://beta.madsonic.org/pages/ldap.jsp#

See there

Re: LDAP

Posted: 16 Oct 2017, 13:02
by chrissi55
OK, you're thinking of this ...

-> https://www.google.de/url?sa=t&rct=j&q= ... VwdwFaNBKG


(page 10 ++)

Sorry, but I can only describe it for Windows AD ...

What I did:

1) Create a new "groupOfNames" with cn = "madsonic.admin" in my groups that are found in cn=Users
-> very important: use the object class groupOfNames and not "group" or "groupOfUniqueNames"!!!

2) I set the member = myName of the Member with "cn=MyName,cn=Users,dc=example,dc=com"

3) I set the role Group Mapping in LDAP settings of madsonic

Solution = NOT WORKING!

OK, I checked my domain controller again and the new cn=madsonic.admin.
Under Windows AD you are able to use the ADSI Editor, which gave me e.g. the values for "member".
I edited them by using the ADSI Editor and searching for the users by name.
What happened was ... ADSI Editor set my membership as <SID=000012345678899 .......>

After saving those settings I logged in again under my test VM running Madsonic 6.3.9700!!

Solution = WORKING!!

My newly added user "MyName" + LDAP password logged in for the first time and acts as "admin".

:-)

Re: LDAP

Posted: 16 Oct 2017, 14:51
by chrissi55
...but what is not working (directly) is ...

When a user was added to the role "madsonic.admin" and logged in, he/she will be "admin", although a local admin removes the membership afterwards.

I logged in again after I removed my account from the admin role, and it still persists as "admin"!!

After I logged out and logged in as local admin, I deleted the account from Madsonic.

Then I logged in again "first-time" with my normal account, and now I was a user; admin status gone.

Re: LDAP

Posted: 16 Oct 2017, 15:40
by albertocastillo2001
Yeah, it seems there are a few issues here.

I noticed that the groupOfNames class contains the attribute "members", which is used in the template that was posted in the documentation. So it uses that attribute to check the members.

I tried groupOfUniqueNames, as I am using LDAP Admin to manage the configuration, and it doesn't contain that attribute, but contains "uniqueName" instead, which you can use and set in the Madsonic LDAP group filter.

However, now in the log (set to debug mode) it retrieves the admin role for the user; however, the user has nothing.
I will try to add the groups using commands with the groupOfNames class instead and see what happens.

Re: LDAP

Posted: 16 Oct 2017, 16:17
by albertocastillo2001
OK, I built an LDIF file and imported it into LDAP.

I get the same issue as when I tried "groupofUniqueNames" and modified the LDAP group filter to "((member={0}))" instead of "((uniqueMember={0}))".

I see this output in the log; however, the test user doesn't seem to have any permissions at all, even though all roles were given.


[10/16/17 5:11 PM]	DEBUG	MadsonicLdapBindAuthenticator	authentication request: test
[10/16/17 5:11 PM]	DEBUG	MadsonicLdapBindAuthenticator	user 'test' successfully authenticated in LDAP. DN: uid=test,ou=users
[10/16/17 5:11 PM]	DEBUG	SecurityService	Cloned from default user: test
[10/16/17 5:11 PM]	INFO	MadsonicLdapBindAuthenticator	cloned from default user 'test' for DN uid=test,ou=users
[10/16/17 5:11 PM]	DEBUG	SecurityService	Updated user default
[10/16/17 5:11 PM]	DEBUG	MadsonicLdapBindAuthenticator	set token for test
[10/16/17 5:11 PM]	DEBUG	UserDetailsServiceBasedAuthoritiesPopulator	retrieved roles from LDAP: [ROLE_ADMIN, ROLE_SETTINGS, ROLE_STREAM, ROLE_JUKEBOX, ROLE_UPLOAD, ROLE_SEARCH, ROLE_COVERART, ROLE_DOWNLOAD, ROLE_PODCAST, ROLE_COMMENT, ROLE_LASTFM, ROLE_SHARE, ROLE_VIDEO]
[10/16/17 5:13 PM]	DEBUG	MadsonicLdapBindAuthenticator	authentication request: test
[10/16/17 5:13 PM]	DEBUG	MadsonicLdapBindAuthenticator	user 'test' successfully authenticated in LDAP. DN: uid=test,ou=users
[10/16/17 5:13 PM]	DEBUG	UserDetailsServiceBasedAuthoritiesPopulator	retrieved roles from LDAP: [ROLE_ADMIN, ROLE_SETTINGS, ROLE_STREAM, ROLE_JUKEBOX, ROLE_UPLOAD, ROLE_SEARCH, ROLE_COVERART, ROLE_DOWNLOAD, ROLE_PODCAST, ROLE_COMMENT, ROLE_LASTFM, ROLE_SHARE, ROLE_VIDEO]
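Added example, not Madsonic's code: a small model of how the group lookup configured above (group searchBase, a `(member={0})` filter with `{0}` replaced by the user's DN, and `cn` as the role attribute) resolves a user's groups, run against a constructed in-memory directory. It shows why a `groupOfUniqueNames` entry is invisible to `(member={0})` and only matches once the filter names `uniqueMember`, and why a group outside the searchBase is never found. The cn-to-ROLE_* mapping is an assumption drawn from the group names in the wiki list and the role names in the debug log.

```python
import re
from typing import Dict, List, Tuple

# Constructed toy directory (DN -> attributes); not a real LDAP server.
USER_DN = "uid=test,ou=users,dc=madsonic,dc=org"
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    USER_DN: {"objectClass": ["inetOrgPerson"], "uid": ["test"]},
    # groupOfNames keeps its members in "member"
    "cn=madsonic.admin,ou=groups,dc=madsonic,dc=org": {
        "objectClass": ["groupOfNames"], "cn": ["madsonic.admin"], "member": [USER_DN]},
    # groupOfUniqueNames keeps them in "uniqueMember", so (member={0}) never matches it
    "cn=madsonic.stream,ou=groups,dc=madsonic,dc=org": {
        "objectClass": ["groupOfUniqueNames"], "cn": ["madsonic.stream"], "uniqueMember": [USER_DN]},
    # right class, but outside the configured group searchBase, so it is never searched
    "cn=madsonic.download,ou=other,dc=madsonic,dc=org": {
        "objectClass": ["groupOfNames"], "cn": ["madsonic.download"], "member": [USER_DN]},
}

# Assumed mapping from group cn to the ROLE_* names that appear in the debug log.
GROUP_TO_ROLE = {"madsonic.admin": "ROLE_ADMIN", "madsonic.config": "ROLE_SETTINGS",
                 "madsonic.stream": "ROLE_STREAM", "madsonic.download": "ROLE_DOWNLOAD"}

def normalize_dn(dn: str) -> str:
    """DN comparison is case-insensitive and ignores whitespace around commas
    (simplified: escaped commas inside values are not handled)."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def parse_equality_filter(flt: str) -> Tuple[str, str]:
    """Accept a single equality filter such as '(member={0})' and return (attribute, value)."""
    m = re.fullmatch(r"\(\s*([A-Za-z][\w-]*)\s*=\s*(.+?)\s*\)", flt.strip())
    if not m:
        raise ValueError(f"unsupported filter: {flt!r}")
    return m.group(1).lower(), m.group(2)

def resolve_groups(directory: Dict[str, Dict[str, List[str]]], user_dn: str,
                   group_search_base: str, group_filter: str, role_attribute: str = "cn") -> List[str]:
    """Return the role-attribute values of every group under the search base whose
    filter attribute contains the user's DN (the {0} placeholder is the user DN)."""
    attr, template = parse_equality_filter(group_filter)
    wanted = normalize_dn(template.replace("{0}", user_dn))
    base = normalize_dn(group_search_base)
    groups: List[str] = []
    for dn, attrs in directory.items():
        if not normalize_dn(dn).endswith("," + base):
            continue  # entry lies outside the searchBase
        members = [normalize_dn(v) for k, vals in attrs.items() if k.lower() == attr for v in vals]
        if wanted in members:
            groups.extend(attrs.get(role_attribute, []))
    return sorted(groups)

def roles_for(groups: List[str]) -> List[str]:
    """Map group names to Madsonic-style role names (assumed mapping)."""
    return sorted(GROUP_TO_ROLE[g] for g in groups if g in GROUP_TO_ROLE)
```

With the searchBase `ou=groups,dc=madsonic,dc=org`, the filter `(member={0})` yields only `madsonic.admin`, while `(uniqueMember={0})` yields only `madsonic.stream`; `madsonic.download` is never returned because it sits outside the searchBase.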

Re: LDAP

Posted: 16 Oct 2017, 18:54
by chrissi55
Have you tried it only with 6.2.xxx, or with 6.3.9700 (latest beta) too?

I would give the latest beta a try ...

Do you have a VM like VirtualBox -> Ubuntu Server 17.04 or 16.04?

It shouldn't be necessary to insert a premium key to check this out ...

Re: LDAP

Posted: 17 Oct 2017, 13:29
by albertocastillo2001
Hi. I only tried the latest stable version. I will try the beta as soon as I can. I am traveling now, so this might need to wait.

I will try that snapshot. I also mailed Madsonic support.

I am using one of my VPSes running Ubuntu Server 16.04.

Lately I was able to learn a lot about LDAP, its classes and schemas, and the way it works.

Since the Madsonic log reports that the roles are being obtained, I would think that the version of Madsonic I am using might not support LDAP entirely.

Thanks

Sent from my ONE A2003 via Tapatalk

Re: LDAP

Posted: 17 Oct 2017, 14:36
by Madsonic
albertocastillo2001 wrote: I have a few questions regarding LDAP:
- Has any of you had issues with it?

Madsonic should work with Microsoft LDAP, Apache DS and OpenLDAP too.

albertocastillo2001 wrote: Does it allow users' passwords to be changed on Madsonic and sync back to the LDAP directory?

No, passthrough password changes are not implemented.

albertocastillo2001 wrote: Is there any other way to enable a global authentication like this, or is LDAP the only method available?

A social integration (Facebook, Google, ...) is planned, but not yet available.

Updated LDAP info page @ http://beta.madsonic.org/pages/ldap.jsp

We recommend updating to the latest Madsonic 6.3 version for best LDAP compatibility.

Best regards