LDAP authentification from Artifactory
For a while I have been trying to authenticate to an "LDAP server", implemented by Apache DS, from the Artifactory LDAP interface.
I use Artifactory 6.1.0, Apache DS and the LDAP perspective on Eclipse Oxygen.
The DIT (Directory Information Tree): as you see, there are two users (admin and user1) under the organizational unit called system:
1- When I authenticate from the "user DN pattern" (uid=admin,ou=system) and I test the connection to the server, the test user has to be the same as the user specified in the "user DN pattern"; if I try with another user (user1 for example), the connection to the server is established but the authentication fails.
Part1:
Part2:
Artifactory cmd error message:
=> The test user should be the same as specified in "user DN pattern"
2- If I use the "Manager DN" field and enter the password, even when I use the same user specified in the "Manager DN" as a test user, the authentication fails.
Part1:
Part2:
=> Even if the test user is the same, it's unable to authenticate.
A lot of confusion: Which method do I have to use to establish a connection to the LDAP server? Is there any difference between connecting through User DN pattern and Manager DN? Which fields (Search Filter, Search Base...) should not be left empty for each method? And what do I have to do to authenticate with a different test user?
In the tutorial provided by JFrog, authentication using the "Manager DN method" with a different test user that already exists in the DIT works normally.
=> The tutorial: https://www.youtube.com/watch?v=_nT76RgXA2c
Finally, I want to ask whether I need the Pro version of Artifactory to create LDAP groups, because it's disabled in the OSS version. Can I get that module for free?!
I need a clear explanation please, thank you.
1 Answer
1
There are two "methods" of authentication you can choose from, or you can configure both:

"Search-based" authentication requires you to fill in `Search Filter` and `Manager DN/Password`, and optionally `Search Base`. Artifactory will connect to LDAP using the `Manager DN` user, and run a search for `Search Filter`. The LDAP server finds the appropriate user DN (Distinguished Name, basically a unique user id), and sends it back to Artifactory. Then Artifactory logs in using that user's DN.

"Direct" authentication requires you to only fill in the `User DN Pattern` field. This method skips the user search step, and just logs in with whatever DN is in the `User DN Pattern` field.

Both the `User DN Pattern` and `Search Filter` fields are patterns. Specifically, if these fields contain a "`{0}`", this gets replaced with the name of the user trying to authenticate.

The reason your `User DN Pattern` only allowed you to log in with the user `admin` is because it was hardcoded to always authenticate as `admin` regardless of which user was actually trying to log in. Instead of `uid=admin,ou=system`, the value should be `uid={0},ou=system`.

The reason your `Manager DN` was failing is probably because your `Search Filter` is wrong. Its value is `sAMAccountName={0}`, but I'm not seeing any property called `sAMAccountName` in your LDAP configuration. Instead, try setting the `Search Filter` to `uid={0}` (or alternatively, add a `sAMAccountName` field to each of your users in LDAP). Your `Manager DN/Password` and your `Search Base` seem fine as they are I think.

Finally I want to ask if to create LDAP groups I need the pro version of Artifactory, because it's disabled in the oss version? Can I get that module for free?!
LDAP groups synchronization is a Pro feature, and is unavailable in OSS, so you do need to buy a Pro license to use it. You can't get it for free.
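To make the two methods from the answer concrete, here is an added example (not code from the asker, the answerer, Artifactory or Apache DS) that simulates how the login name is substituted for `{0}` and then resolved against a constructed stand-in for the DIT in the question. The field names in `settings`, the `DIRECTORY` contents and the `escape_filter_value` helper are assumptions for the simulation; real Artifactory performs the bind and search against the live server.

```python
import re

# Constructed stand-in for the DIT in the question: two users under ou=system,
# each carrying a uid but no sAMAccountName attribute (as the answer notes).
DIRECTORY = {
    "uid=admin,ou=system": {"uid": "admin", "userPassword": "secret"},
    "uid=user1,ou=system": {"uid": "user1", "userPassword": "hunter2"},
}

def escape_filter_value(value):
    """RFC 4515 escaping so a login name cannot change the filter's structure."""
    return re.sub(r"[\\*()\x00]", lambda m: "\\%02x" % ord(m.group()), value)

def resolve_bind_dn(settings, username):
    """Return the DN that would be used for the user bind, or None if no match.

    settings mirrors the Artifactory fields discussed in the answer (assumed keys):
      user_dn_pattern            -> "Direct": substitute {0}, no search step.
      search_filter, search_base -> "Search-based": search first, bind with result.
    The Manager DN bind that precedes the search is not modelled here.
    """
    pattern = settings.get("user_dn_pattern")
    if pattern:
        # Direct method: the DN comes from the pattern alone. A pattern without
        # {0} therefore always yields the same DN whoever is logging in.
        return pattern.replace("{0}", username)
    flt = settings["search_filter"].replace("{0}", escape_filter_value(username))
    attr, _, wanted = flt.strip("()").partition("=")      # simple attr=value filter
    base = settings.get("search_base", "")
    for dn, attrs in DIRECTORY.items():
        if dn.endswith(base) and attrs.get(attr) == wanted:
            return dn
    return None                                           # filter matched nothing

def authenticate(settings, username, password):
    """Bind as the resolved DN with the supplied password; True on success."""
    dn = resolve_bind_dn(settings, username)
    return dn in DIRECTORY and DIRECTORY[dn]["userPassword"] == password

if __name__ == "__main__":
    hardcoded = {"user_dn_pattern": "uid=admin,ou=system"}
    fixed = {"user_dn_pattern": "uid={0},ou=system"}
    ad_filter = {"search_filter": "sAMAccountName={0}", "search_base": "ou=system"}
    uid_filter = {"search_filter": "uid={0}", "search_base": "ou=system"}
    print(authenticate(hardcoded, "user1", "hunter2"))   # False: always binds as admin
    print(authenticate(fixed, "user1", "hunter2"))       # True
    print(authenticate(ad_filter, "admin", "secret"))    # False: attribute absent
    print(authenticate(uid_filter, "admin", "secret"))   # True
```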
I agree that it is a little confusing. Technically, most attributes in LDAP are just generic attributes, and don't really have inherent special meanings, so it's up to the people managing the LDAP server to decide which things mean what. In practice, people mostly stick to a standard format for the basic stuff. Here is an RFC I found describing a common standard. Active Directory has its own set of attributes that it uses as well.
– DarthFennec
Aug 29 at 16:53
I looked it up, and I found that `sAMAccountName` is specifically used by Active Directory on Windows Server prior to Windows 2000. In Windows 2000 and above, the attribute was deprecated in favor of `userPrincipalName` to mean the same thing, but people do still use the old standard. Of course, if you don't use Active Directory, you won't see either of these attributes. – DarthFennec
Aug 29 at 17:01
Thanks a lot for your help. Well, when I enter `uid={0}` as a search filter and authenticate with any user that already exists in the LDAP server, everything works correctly. I concluded that I don't understand well the meaning of the different "LDAP attributes" like sAMAccountName...; in fact I entered it because that's what I found in the tutorial video provided by JFrog. So do you recommend any source to understand the meaning of each attribute? When and where to use each one? The schema or the structure of how LDAP organizes things?! A book, a tutorial, an online class...?
– XYZmita
Aug 29 at 12:39