GroupWise 24.2 - Post Office LDAP Authentication

Good morning, 

Well, it seems that while I have the LDAP eDirectory source set up correctly, I can perform the User Import, and I have pulled in my users from the eDirectory tree, when attempting to set the Post Office to LDAP Authentication my user gets the Access Denied message. I see in the post office log that a C/S attempt is being made, but I don't see any errors; it just reports the attempted logon event. For the Post Office I have set the LDAP Authentication radio button, left the Pool settings at the default for now (30 seconds, 5 minutes, 2 quarantine), and under the selected LDAP servers I have my Test eDir connection and the LDAP server that I configured. I followed the documentation here, https://www.novell.com/documentation/groupwise24/gw_guide_admin/data/adm_poa_config_security.html#adm_poa_config_sec_ldap_auth, and it appears to be set up correctly. I initially had it set to SSL but changed that back to port 389 for now, and still I cannot log in with the LDAP password. Is there anything else that I might be missing? As mentioned, my users were able to import using the LDAP directory as configured with this documentation, https://www.novell.com/documentation/groupwise24/gw_guide_admin/data/b199manl.html

Please let me know if any further information is requested, 

-DS

  • 0  

    Good morning, 

    For now I set the Post Office to no password so that I can start testing it a little more at this time. 

    Thank you, 

    -DS

  • 0   in reply to   

    User LDAP Sync in GroupWise and LDAP Authentication are two different things in GroupWise. First of all, LDAPS is generally preferable, because otherwise the passwords would be circulating through the network in plain text. Secondly, there is the question of whether compare or bind should be used against eDir. To begin with, an LDAP source and an LDAP eDir server are required in the configuration under "System" > LDAP. Then, under Security in the POA, only the LDAP eDir server (or several) must be entered as the source for LDAP. Furthermore, client options must be set, e.g. in the primary domain, from where they are then inherited throughout GroupWise as long as no other setting has been made somewhere else at a lower level. In the client settings, select Network Authentication, Secure NetIQ logon and CASA Single Sign-on. LDAP login errors can be detected in an LDAP trace on the corresponding eDir server.

    George

    “You can't teach a person anything, you can only help them to discover it within themselves.” Galileo Galilei

  • 0   in reply to   

    Good morning, 

    First, thank you for the information regarding the difference between the LDAP Sync and the LDAP Authentication, I really didn't know there was a difference between the pair of them. 

    Second, I have set the LDAP Authentication to Bind, with the LDAP user and LDAP password; still no change(s), I cannot log in, as it reports an incorrect password. I also did attempt to use Compare earlier, with no success. On the Primary Domain Client Options > Security I have Network Auth, NetIQ Secure Login and Novell Collaboration all checked; nothing is set at the Secondary Domain. On the Post Office I have LDAP selected, and Selected LDAP Servers is the LDAP server itself (the LDAP Sync is under Available). I did restart the entire GW system, just to make sure I can restart as needed, as this is a testing system at this time. In the POA log I see the following:

    10:53:06 5ABF C/S Login Windows Net Id=CN=Dxxxxxxxxx,OU=Sxxxxxxxx,OU=Hx,O=Sxxxxxx ::GW Id=Dxxxxxxxxxxxx :: [IP address]

    so it appears to be making a connection, but I don't see where it actually does get logged into the system, as I did when I had the Authentication turned off (requiring no password). On the LDAP Server I have that set to the DNS name, and currently using port 389; I tried earlier to use SSL with the SSL certificate DNS for that server, and that failed as well.

    Thank you, 

    -DS

  • 0   in reply to   

    For a first try, do it without SSL. SSL will be a new chapter.

    However, you have to check your LDAP Group and LDAP Server to see whether they are limited to TLS connections only.


    Use "Verified Answers" if your problem/issue has been solved!

  • 0   in reply to   

    Good afternoon, 

    So I have my eDirectory server04 as the LDAP server; it is set to 389, non-SSL.

    I did actually check on Server04, and it does have Require TLS for Simple Binds with Password [checked]. I can uncheck it, of course. As for the LDAP Server, there are no bind restrictions, and Require TLS for all operations is unchecked. So would it be the LDAP Group TLS restriction that might be causing my issues?

    Thank you, 

    -DS

  • 0   in reply to   

    To just get things working again I went back to no password required, low security, and I will try with the TLS requirement turned off.

    I did an LDAP sync, and I did see that it successfully connected to the LDAP source, pulling data for a pair of users. I didn't see all users, but at this point I at least know that the GW sync process appears to be stable.

  • 0   in reply to   

    In a POA log file, you should see the LDAP connection from the POA being initialized. If you do not see it, then the PO does not seem to be aware of the LDAP authentication settings. Rebuild this PO from the domain level and make sure the log level is set to Verbose.

  • 0   in reply to   

    The configuration of LDAP can be found in the POA web interface under LDAP. The configuration and function can be viewed by clicking on "LDAP Authentication". If there is no "Good" after the LDAP server status, look for the cause. Experience has shown that a diagnosis should first be carried out on the eDir LDAP page in iManager. A simple approach is to first set up an LDAP client on the Linux GW server and check whether an ldapsearch on 389 with the LDAP user and password (this is the user that has been entered in GW for LDAP) works. If this is OK, test with LDAPS.

    Example

    LDAP Pool Configuration:
    LDAP Server: myedir-server
    Directory ID: mytree
    Directory Type: eDirectory
    LDAP Server Authenticated User ID: cn=gwadmin,o=myou
    Disable LDAP Password Change: Yes
    LDAP Server Name/IP Address: myserver.comain.com
    LDAP Server Port: 636
    LDAP SSL Enabled: Yes
    LDAP SSL Key File Name: /opt/novell/groupwise/certificates/my-tree-ca.der
    LDAP User Authentication Method: Compare
    LDAP Server Status: Good
    Total Hits on an Established Bind: 225
    Total Number of New Binds: 993
    Total LDAP Requests to this Server: 1218
    Total Number of Failed Bind: 0

    “You can't teach a person anything, you can only help them to discover it within themselves.” Galileo Galilei
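
The ldapsearch test suggested above, and the "Require TLS for Simple Binds with Password" question from the earlier posts, as an added example that is not from the thread or from GroupWise itself. It binds as the POA's LDAP user on 389 and then on 636 and turns the ldapsearch exit status into a diagnosis: OpenLDAP's ldapsearch exits with the LDAP result code of the failed operation, and result code 13 (confidentialityRequired) is what eDirectory returns for a plain-text simple bind while that LDAP Group option is checked. The host name, bind DN, password and CA path are assumptions.

```shell
#!/bin/sh
# Added example, not part of the thread: probe the eDirectory LDAP server
# with the same bind DN that is entered in GroupWise as the LDAP user,
# first on 389 and then on 636, and explain the ldapsearch exit status.
# ldapsearch (OpenLDAP client tools) exits with the LDAP result code of the
# failed operation: 49 = invalidCredentials, 13 = confidentialityRequired
# (eDirectory's answer to a simple bind on 389 while "Require TLS for
# Simple Binds with Password" is set on the LDAP Group), 255 = can't contact.
# Host, bind DN, password and CA path below are assumptions; adjust them.

LDAP_HOST="${LDAP_HOST:-server04.example.com}"        # assumed eDir server name
BIND_DN="${BIND_DN:-cn=gwadmin,o=myou}"               # the user entered in GW as LDAP user
BIND_PW="${BIND_PW:-changeme}"                        # assumed; prefer -W interactively
CA_FILE="${CA_FILE:-/etc/ssl/certs/my-tree-ca.pem}"   # assumed PEM copy of the tree CA

# Build an LDAP URI: ldaps:// on 636, plain ldap:// otherwise.
ldap_uri() {
    case "$2" in
        636) echo "ldaps://$1:636" ;;
        *)   echo "ldap://$1:$2" ;;
    esac
}

# Map an ldapsearch exit status to what it means for the POA setup.
explain_ldap_rc() {
    case "$1" in
        0)   echo "ok: bind and search succeeded" ;;
        13)  echo "confidentialityRequired: TLS is required for simple binds (LDAP Group setting); use 636/LDAPS or clear the option for testing" ;;
        32)  echo "noSuchObject: bind DN or search base does not exist in this tree" ;;
        48)  echo "inappropriateAuthentication: simple bind not allowed for this DN" ;;
        49)  echo "invalidCredentials: bind DN or password rejected" ;;
        127) echo "ldapsearch not installed (openldap-clients / ldap-utils)" ;;
        255) echo "cannot contact server: host/port unreachable or TLS handshake failed" ;;
        *)   echo "LDAP result code $1 (see RFC 4511, section 4.1.9)" ;;
    esac
}

# Simple bind as the POA's LDAP user and read back its own entry.
# Prints "<uri> -> <diagnosis>" and returns the ldapsearch exit status.
ldap_bind_check() {
    uri="$1"
    if command -v ldapsearch >/dev/null 2>&1; then
        ldapsearch -x -H "$uri" -D "$BIND_DN" -w "$BIND_PW" \
            -b "$BIND_DN" -s base '(objectClass=*)' dn >/dev/null 2>&1
        rc=$?
    else
        rc=127
    fi
    echo "$uri -> $(explain_ldap_rc "$rc")"
    return "$rc"
}

main() {
    # Plain LDAP first, as suggested in the thread.
    ldap_bind_check "$(ldap_uri "$LDAP_HOST" 389)"
    # LDAPS next: the client must trust the tree CA or the handshake fails (255).
    LDAPTLS_CACERT="$CA_FILE"
    export LDAPTLS_CACERT
    ldap_bind_check "$(ldap_uri "$LDAP_HOST" 636)"
}

# Run the probes only when invoked with --run, so the file can also be sourced.
if [ "${1:-}" = "--run" ]; then
    main
fi
```

If the 389 probe reports confidentialityRequired while 636 reports ok, the POA configuration is fine and only the transport is wrong; the fix is to point the POA at 636 with the tree CA file rather than to weaken the eDirectory setting. A 49 on both ports means the bind DN or password stored in the POA's LDAP server object is wrong regardless of TLS.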

  • 0   in reply to   

    You must see it when a user wants to log in, and not only in the list you showed. Example below:

    10:41:44 0D36 C/S Login Windows  Net Id=Administrator ::GW Id=ad1 :: 10.94.75.143
    10:41:50 0D36 Initializing Secured LDAP session with win2019.late.com at port 636 using SSL Key file /opt/novell/groupwise/certificates/late-CA.der (ad1)
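
The pairing the post above describes, as an added example that is not from the thread or from GroupWise: each "C/S Login" line is tied, by the thread id in its second field (0D36 above), to the "Initializing ... LDAP session with ..." line on the same thread. A login with no such line means the POA never tried LDAP for that user. The sample log is constructed from the two lines quoted above plus an assumed second user and an assumed filler line; the non-SSL wording of the POA message is assumed to also contain "LDAP session with".

```shell
#!/bin/sh
# Added example, not part of the thread: scan a POA log and report, per
# GroupWise user id, whether the login on a given thread id was followed by
# an LDAP session initialization on that same thread.

# Reads a POA log from the file(s) given as arguments (or stdin), prints one
# line per GroupWise user id, and returns 1 if any login lacked an LDAP session.
poa_ldap_login_check() {
    awk '
    /C\/S Login/ {
        tid = $2                         # thread id, e.g. 0D36
        gwid = $0
        sub(/.*GW Id=/, "", gwid)        # drop everything up to the GW Id
        sub(/ *::.*/, "", gwid)          # drop the trailing " :: <ip>"
        login[tid] = gwid
        if (!(gwid in seen)) order[++n] = gwid
        seen[gwid] = 0                   # latest login for this user wins
        next
    }
    /LDAP session with/ && ($2 in login) {
        seen[login[$2]] = 1
    }
    END {
        bad = 0
        for (i = 1; i <= n; i++) {
            g = order[i]
            if (seen[g]) {
                printf "%s: LDAP session initialized\n", g
            } else {
                printf "%s: login seen but no LDAP session (PO not using LDAP auth?)\n", g
                bad = 1
            }
        }
        exit bad
    }' "$@"
}

# Constructed sample: the two lines quoted in the thread, plus an assumed user
# "bob" whose login never triggers an LDAP session, and an assumed filler line.
sample_poa_log() {
    cat <<'EOF'
10:41:44 0D36 C/S Login Windows  Net Id=Administrator ::GW Id=ad1 :: 10.94.75.143
10:41:50 0D36 Initializing Secured LDAP session with win2019.late.com at port 636 using SSL Key file /opt/novell/groupwise/certificates/late-CA.der (ad1)
10:53:06 5ABF C/S Login Windows  Net Id=cn=bob,o=myou ::GW Id=bob :: 10.94.75.144
10:53:06 5ABF (assumed unrelated POA log line on the same thread)
EOF
}

# Run the check on the constructed sample when invoked with --demo;
# otherwise use: poa_ldap_login_check /var/log/novell/groupwise/<po>.poa/*.poa
if [ "${1:-}" = "--demo" ]; then
    sample_poa_log | poa_ldap_login_check
fi
```

On a real log the user ids that come back as "login seen but no LDAP session" are exactly the logins the POA is still checking against the GroupWise password, which matches the situation in this thread where the Post Office reported LDAP Authentication: Disabled after the rebuild.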


  • 0   in reply to   

    I did the rebuild process; the Post Office loaded correctly, and at the moment I am seeing the following setting:

    LDAP Authentication: Disabled (which is correct since I set this to no password to just get things working.)

    I'll try to set up the LDAP server again now that the TLS requirement has been turned off on Server04, and see if that setting has changed when I make the switch.