JATOS and LDAP
in JATOS
I'm the sysadmin for a university Psychology Department, and I've been asked to bring a JATOS server online. Of course, I want to tie it into the university's LDAP environment. In line with the documentation, I've configured it appropriately
# LDAP authentication
# ~~~~~~~~~~~~~~~~~~~
# LDAP url. Leave empty if you have no authentication via LDAP (default is "").
jatos.user.authentication.ldap.url = "ldaps://ldap.example.edu:636"
# LDAP base domain name. Leave empty if you have no authentication via LDAP (default is "").
jatos.user.authentication.ldap.basedn = "dc=example,dc=edu"
# Time to wait for a response from LDAP server (default 5000)
#jatos.user.authentication.ldap.timeout = 10000
...and it doesn't work. Here are my questions:
- Is there some sort of log of LDAP activity so I can see what happens?
- I have disabled SELinux, so that's not the problem.
- Every other LDAP-supporting application I use wants a binding username and password and which attribute to use (uid in this example).
So...am I missing something?
Thanks!
Comments
Hi,
First, two important things:
- keep in mind that JATOS supports LDAP only minimally at the moment. For example, users have to be created by hand in JATOS, and only then can they access it with their LDAP credentials. We intend to extend all this in the future.
- we're working on a bug fix and will release an update in the next few days (it's basically done). It really would make sense to wait and configure LDAP with the next release. (We can let you know when.)
On to your problem: The university that we implemented LDAP for had theirs restricted to their internal network. There, a 'public' directory was not a problem. Currently it does not need a binding admin account to look up users - instead it assumes the directory is 'public'.
Does this help? Let us know if it doesn't.
Elisa
I'm in a similar situation - I'd like to integrate with LDAP, and have configured it correctly as far as I can see, and disabled SELinux, but can't log in.
Is there a way to get more verbose logging?
Thanks!
Sorry, there is only one logging mode. What does your application.log say?
c.g.Authentication - Authentication failed: remote address x.x.x.x failed for username xxxxx
I hoped for some connection error. But that is just the error that gets logged if the authentication failed, e.g. username or password were incorrect.
In your original message you wrote 'disabled SELinux' - can you elaborate on this? I'm not familiar with SELinux.
Does your LDAP need a 'binding' admin account? Because JATOS doesn't (yet) support this type of LDAP authentication - it just assumes the directory is public.
SELinux is "Security Enhanced Linux", which uses configurable policies to allow or deny permission for certain things - e.g. writing to the filesystem or connecting to or listening on sockets - at the system level. By default (in my experience), very little that could be remotely dangerous is allowed, and installation of applications often requires manually tweaking the policies to get things working.
For troubleshooting, it's possible to just disable the whole thing (temporarily or permanently), which is what I've tried doing - I thought maybe the SELinux policy was preventing JATOS from connecting an outbound socket to the LDAP server. Disabling made no difference, so SELinux isn't the source of my problem.
For other webapps I've set up, binding with a known account is used, although ITS is telling me that direct authentication with the given username/password should work.
Does JATOS make any assumptions about the schema of the LDAP server?
Also, could you point me at the code where LDAP authentication is happening? I might be able to figure out a way to manually simulate how it interacts with our infrastructure for troubleshooting purposes.
(caveat: I'm not an expert on SELinux, nor LDAP!)
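The thread's pain point is that the JATOS log only says "Authentication failed", which hides whether the socket never connected, the directory refused anonymous access, or the credentials were simply wrong. The script below is an added example (not JATOS code, and not how JATOS necessarily builds its DN); it assumes the "public directory" model described above, i.e. a direct simple bind on a DN of the form uid=<username>,<basedn> with no service account, and it speaks the LDAP bind exchange itself using only the Python standard library so that the server's real result code and diagnostic message become visible. The username is escaped per RFC 4514 before it is placed in the DN, since an unescaped value such as "bob,ou=admins" would otherwise change which entry is bound. The url and basedn values match the configuration quoted in the question; the user "alice" and password are constructed placeholders.

```python
"""Stdlib-only LDAP simple-bind probe (constructed example, not JATOS code).

Assumption: the directory authenticates users by a direct simple bind on
uid=<username>,<basedn>, with no 'binding' service account, which is how
the thread describes JATOS's current behaviour.
"""
import getpass
import socket
import ssl
import sys
from urllib.parse import urlsplit

# RFC 4511 resultCode values that matter when a bind fails
RESULT_CODES = {
    0: "success", 7: "authMethodNotSupported", 8: "strongerAuthRequired",
    32: "noSuchObject", 34: "invalidDNSyntax", 48: "inappropriateAuthentication",
    49: "invalidCredentials", 50: "insufficientAccessRights", 53: "unwillingToPerform",
}


def escape_rdn_value(value: str) -> str:
    """Escape an attribute value for use in a DN (RFC 4514 section 2.4),
    so a username cannot add or rewrite RDN components."""
    out = []
    for ch in value:
        if ch in '\\,+"<>;=':
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        else:
            out.append(ch)
    s = "".join(out)
    if s.startswith(("#", " ")):       # leading '#' or space must be escaped
        s = "\\" + s
    if s.endswith(" "):                # so must a trailing space
        s = s[:-1] + "\\ "
    return s


def build_user_dn(username: str, basedn: str, attr: str = "uid") -> str:
    """DN a direct-bind setup would try for this user (assumed form)."""
    return f"{attr}={escape_rdn_value(username)},{basedn}"


def _ber_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(body)) + body


def encode_bind_request(msg_id: int, dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest [APPLICATION 0] { version 3,
    name, simple [0] password } } in BER (RFC 4511 section 4.2)."""
    bind = (_tlv(0x02, b"\x03")                        # version INTEGER 3
            + _tlv(0x04, dn.encode("utf-8"))           # name LDAPDN
            + _tlv(0x80, password.encode("utf-8")))    # simple [0] OCTET STRING
    return _tlv(0x30, _tlv(0x02, msg_id.to_bytes(1, "big")) + _tlv(0x60, bind))


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, body, next_pos) for the TLV starting at buf[pos]."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, pos = first, pos + 2
    else:
        n = first & 0x7F
        length, pos = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), pos + 2 + n
    return tag, buf[pos:pos + length], pos + length


def parse_bind_response(data: bytes) -> dict:
    """Decode an LDAPMessage carrying a BindResponse [APPLICATION 1]."""
    tag, msg, _ = _read_tlv(data, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, msg_id, pos = _read_tlv(msg, 0)
    op_tag, op, _ = _read_tlv(msg, pos)
    if op_tag != 0x61:
        raise ValueError(f"unexpected protocolOp tag 0x{op_tag:02x}")
    _, code, pos = _read_tlv(op, 0)         # ENUMERATED resultCode
    _, matched, pos = _read_tlv(op, pos)    # matchedDN
    _, diag, _ = _read_tlv(op, pos)         # diagnosticMessage
    rc = int.from_bytes(code, "big")
    return {"message_id": int.from_bytes(msg_id, "big"), "result_code": rc,
            "result": RESULT_CODES.get(rc, f"other({rc})"),
            "matched_dn": matched.decode("utf-8", "replace"),
            "diagnostic": diag.decode("utf-8", "replace")}


def _recv_exact(sock, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("LDAP server closed the connection")
        buf += chunk
    return buf


def _recv_message(sock) -> bytes:
    """Read exactly one BER-framed LDAPMessage from the socket."""
    head = _recv_exact(sock, 2)
    total = head[1]
    if total >= 0x80:
        head += _recv_exact(sock, total & 0x7F)
        total = int.from_bytes(head[2:], "big")
    return head + _recv_exact(sock, total)


def probe_bind(url: str, dn: str, password: str, timeout: float = 5.0) -> dict:
    """Connect (TLS for ldaps://), send one simple bind, decode the reply.
    Connection and TLS problems surface as exceptions; a rejected password
    comes back as result_code 49, so the failure modes are distinguishable."""
    u = urlsplit(url)
    port = u.port or (636 if u.scheme == "ldaps" else 389)
    sock = socket.create_connection((u.hostname, port), timeout=timeout)
    if u.scheme == "ldaps":
        sock = ssl.create_default_context().wrap_socket(sock, server_hostname=u.hostname)
    try:
        sock.sendall(encode_bind_request(1, dn, password))
        return parse_bind_response(_recv_message(sock))
    finally:
        sock.close()


if __name__ == "__main__":
    # usage: ldap_probe.py ldaps://ldap.example.edu:636 dc=example,dc=edu alice
    url, basedn, user = sys.argv[1:4]
    print(probe_bind(url, build_user_dn(user, basedn), getpass.getpass("LDAP password: ")))
```

Running it against the same url and basedn as the JATOS config tells you which of the three cases you are in: a TLS or socket exception means JATOS would never reach the bind at all (a firewall, certificate or SELinux-type problem), a result of invalidCredentials means the server was reached but rejects that DN/password pair (wrong attribute, wrong base DN, or a directory that requires a binding account first), and success means the direct-bind model works and the problem lies elsewhere, e.g. the JATOS user not having been created by hand yet.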
An update: It turns out our LDAP endpoint is backed by Active Directory. I'm not sure how this interacts with this GitHub issue: https://github.com/JATOS/JATOS/issues/219
However, I've been given an alternative LDAP configuration to use which is backed by OpenLDAP, and now authentication works, and I don't need further help here, thanks!
Nice! Hm, I'm not an LDAP expert but I thought Active Directory and LDAP are somehow compatible.