MeshCentral
LDAP Binding fields to users in MeshCentral
I love MeshCentral. Since in my organization we use Active Directory as the authentication method, it would be great to be able to use the data currently uploaded to Active Directory to fill in the fields for each user automatically.
This is the case for GLPI, where each field is bound to an actual Active Directory (LDAP) field:
Since a lot of companies use LDAP for their users, it could be populated automatically:
This is a very good request. I don't have much knowledge of LDAP, but I think I can give this request a try.
Looking at the code, can you try this line in your config.json at the same level as "auth": "ldap":
    "auth": "ldap",
    "LDAPUserEmail": "mail"   <--------
This should indicate to MeshCentral to grab the email address from "mail". Let me know if this works. If it does, I will add values for "RealName" and "Phone" since I don't have these yet. "Phone" is just in case you are using an SMS provider and want to support SMS 2FA.
Thanks, Ylian
Thanks for the fast response, I've tested some combinations but none of them seem to work.
Test 1:
    "Auth": "sspi",
    "Auth": "ldap",
    "LDAPUserEmail": "mail",
Since I use SSPI as the auth method, I tried to keep this in the config file; the server service didn't start.
Test 2:
    "Auth": "sspi",
    "Auth": "_ldap",
    "LDAPUserEmail": "mail",
Server service starts but doesn't fill the email field; tested with existing and new accounts.
Test 3:
    "Auth": "_sspi",
    "Auth": "ldap",
    "LDAPUserEmail": "mail",
Server service didn't start; I guess I'm missing LDAPUserName or LDAPOptions.
Test 4:
    "_Auth": "sspi",
    "Auth": "ldap",
    "_LDAPUserEmail": "mail",
    "LDAPOptions": {
        "URL": "ldap://1.2.3.4:389",
        "BindDN": "CN=Admin,CN=Users,DC=contoso,DC=com",
        "BindCredentials": "Admin_password_plain_text",
        "SearchBase": "OU=Users,DC=contoso,DC=com",
        "SearchFilter": "(sAMAccountName={{username}})"
    },
Where 1.2.3.4 is my main Domain Controller; the BindDN, the BindCredentials and SearchBase have been obfuscated but were correct (GLPI uses them). I received the following error when trying to log in (lost SSPI):
AssertionError [ERR_ASSERTION]: LDAP server URL not defined (opts.url)
at new LdapAuth (C:\Program Files\Open Source\MeshCentral\node_modules\ldapauth-fork\lib\ldapauth.js:63:10)
at Object.obj.authenticate (C:\Program Files\Open Source\MeshCentral\node_modules\meshcentral\webserver.js:461:28)
at handleLoginRequest (C:\Program Files\Open Source\MeshCentral\node_modules\meshcentral\webserver.js:898:13)
at handleRootPostRequest (C:\Program Files\Open Source\MeshCentral\node_modules\meshcentral\webserver.js:2473:29)
at Layer.handle [as handle_request] (C:\Program Files\Open Source\MeshCentral\node_modules\express\lib\router\layer.js:95:5)
at next (C:\Program Files\Open Source\MeshCentral\node_modules\express\lib\router\route.js:137:13)
at Route.dispatch (C:\Program Files\Open Source\MeshCentral\node_modules\express\lib\router\route.js:112:3)
at Layer.handle [as handle_request] (C:\Program Files\Open Source\MeshCentral\node_modules\express\lib\router\layer.js:95:5)
at C:\Program Files\Open Source\MeshCentral\node_modules\express\lib\router\index.js:281:22
at Function.process_params (C:\Program Files\Open Source\MeshCentral\node_modules\express\lib\router\index.js:335:12
I think I've come to a dead end; I'll continue testing...
Thank you!
Oh. In your first post you make it sound like everything is working except you don't have the email and real name set in the server. It looks like you don't have LDAP set up at all.
MeshCentral uses "ldapauth-fork" and so the "LDAPOptions" are passed as-is to that library.
At some point I need to set up an LDAP server myself for testing, but I can't seem to find any easy way to get started with that. If you have suggestions, that would be great.
Sorry for the misunderstanding. I'll check that library to learn how to use it with Active Directory, thank you!
After checking the library, the server now starts but login authentication fails: it asks for username and password, but the "Incorrect username or password" message appears when trying to log in.
old setup:
    "_Auth": "sspi",
    "Auth": "ldap",
    "_LDAPUserEmail": "mail",
    "LDAPOptions": {
        "URL": "ldap://1.2.3.4:389",
        "BindDN": "CN=Admin,CN=Users,DC=contoso,DC=com",
        "BindCredentials": "Admin_password_plain_text",
        "SearchBase": "OU=Users,DC=contoso,DC=com",
        "SearchFilter": "(sAMAccountName={{username}})"
    },
new setup (options are case sensitive):
    "_Auth": "sspi",
    "Auth": "ldap",
    "_LDAPUserEmail": "mail",
    "LDAPOptions": {
        "url": "ldap://1.2.3.4:389",
        "BindDN": "CN=Admin,CN=Users,DC=contoso,DC=com",
        "BindCredentials": "Admin_password_plain_text",
        "searchBase": "CN=Users,DC=contoso,DC=com",
        "searchFilter": "(sAMAccountName={{Username}})"
    },
I'll continue testing but my skills are very limited. Maybe this could help: https://github.com/gheeres/node-activedirectory
@LFM8787 at the moment, I had to manually edit node_modules/meshcentral/webserver.js and change the below code in 2 places
    var userid = 'user/' + domain.id + '/' + shortname;
to
    var userid = 'user/' + domain.id + '/' + xxuser.sAMAccountName;
to make it work. It was requested, as a temporary solution, that the change be added by default so we don't have to do this each time, but maybe it interferes with the default auth method, hence the reason it was not added.
You should be able to auth using LDAP if you do the change manually.
Ref: https://github.com/Ylianst/MeshCentral/issues/336
Instead of making the change to the code, you can revert the code change and add this line to the config.json file:
    "auth": "ldap",
    "ldapUserName": "sAMAccountName"   <-----------
It should do the same thing.
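Two points in this thread lend themselves to a worked check: Ylian's note that "LDAPOptions" is handed to ldapauth-fork unchanged (so the option names are case-sensitive, which is why the "URL"/"SearchBase" block above failed with "LDAP server URL not defined"), and the "user/<domain>/<name>" id that the webserver.js edit and the "ldapUserName" setting both control. The script below is an added example written for this page; it is not MeshCentral's or ldapauth-fork's own code. It assumes the camelCase option names listed in KNOWN_KEYS are the ones ldapauth-fork reads and that its placeholder is the literal, case-sensitive string {{username}}; the sample options and the directory entry are constructed, and the escaping is the RFC 4515 filter escaping that any correct LDAP client must apply before splicing a login name into a search filter.

```javascript
'use strict';
// Added example, not MeshCentral's or ldapauth-fork's code. It checks an
// "LDAPOptions" block the way ldapauth-fork will read it (MeshCentral passes the
// object through unchanged), renders the search filter with an escaped username,
// and builds the 'user/' + domain.id + '/' + name id the thread edits by hand.

// Assumption: these are the camelCase option names ldapauth-fork reads. The
// lookup is case-sensitive, so "URL" or "SearchBase" are silently ignored.
const REQUIRED_KEYS = ['url', 'searchBase', 'searchFilter'];
const KNOWN_KEYS = ['url', 'bindDN', 'bindCredentials', 'searchBase',
  'searchFilter', 'searchAttributes', 'tlsOptions', 'reconnect'];

// Returns a list of human-readable problems; an empty list means the block is
// shaped the way ldapauth-fork expects.
function checkLdapOptions(opts) {
  const problems = [];
  const keys = Object.keys(opts);
  for (const key of keys) {
    if (KNOWN_KEYS.includes(key)) continue;
    const wanted = KNOWN_KEYS.find((k) => k.toLowerCase() === key.toLowerCase());
    problems.push(wanted
      ? `"${key}" is ignored by ldapauth-fork; rename it to "${wanted}"`
      : `"${key}" is not a known ldapauth-fork option`);
  }
  for (const key of REQUIRED_KEYS) {
    if (!keys.some((k) => k.toLowerCase() === key.toLowerCase())) {
      problems.push(`required option "${key}" is missing`);
    }
  }
  if (typeof opts.url === 'string' && opts.url.startsWith('ldap://')) {
    problems.push('url is plain ldap://: bindCredentials and every user password '
      + 'cross the network unencrypted; use ldaps://');
  }
  if (typeof opts.searchFilter === 'string' && !opts.searchFilter.includes('{{username}}')) {
    problems.push('searchFilter has no literal {{username}} placeholder '
      + '(the placeholder is matched case-sensitively)');
  }
  return problems;
}

// RFC 4515 escaping for a value spliced into a filter. Without it a login name
// such as "*)(objectClass=*" rewrites the filter instead of matching one user.
function escapeFilterValue(value) {
  return String(value).replace(/[\\*()\0]/g,
    (c) => '\\' + c.charCodeAt(0).toString(16).padStart(2, '0'));
}

function renderSearchFilter(template, username) {
  return template.replace(/\{\{username\}\}/g, escapeFilterValue(username));
}

// Per the thread, the id is 'user/' + domain.id + '/' + name; ldapUserName
// chooses which attribute of the returned entry supplies "name".
function meshUserId(domainId, entry, ldapUserName = 'sAMAccountName') {
  const name = entry[ldapUserName];
  if (typeof name !== 'string' || name.length === 0) {
    throw new Error(`LDAP entry has no usable "${ldapUserName}" attribute`);
  }
  return 'user/' + domainId + '/' + name;
}

// Constructed sample data, not taken from a real directory.
const THREAD_OPTIONS = { // the "old setup" from the thread: wrong key case
  URL: 'ldap://1.2.3.4:389',
  BindDN: 'CN=Admin,CN=Users,DC=contoso,DC=com',
  BindCredentials: 'Admin_password_plain_text',
  SearchBase: 'OU=Users,DC=contoso,DC=com',
  SearchFilter: '(sAMAccountName={{username}})',
};
const FIXED_OPTIONS = { // same block, keys as ldapauth-fork reads them, over LDAPS
  url: 'ldaps://dc01.contoso.com:636',
  bindDN: 'CN=svc-meshcentral,OU=Service Accounts,DC=contoso,DC=com',
  bindCredentials: 'read-only-service-account-password',
  searchBase: 'OU=Users,DC=contoso,DC=com',
  searchFilter: '(&(objectClass=user)(sAMAccountName={{username}}))',
};
const SAMPLE_ENTRY = {
  dn: 'CN=John Doe,OU=Users,DC=contoso,DC=com',
  sAMAccountName: 'jdoe',
  mail: 'jdoe@contoso.com',
  displayName: 'John Doe',
};

function demo() {
  return {
    threadProblems: checkLdapOptions(THREAD_OPTIONS),
    fixedProblems: checkLdapOptions(FIXED_OPTIONS),
    filter: renderSearchFilter(FIXED_OPTIONS.searchFilter, 'jdoe*)(objectClass=*'),
    userid: meshUserId('corp', SAMPLE_ENTRY),
  };
}
```

Run it with node and inspect demo(): the thread's original block yields five "rename it to ..." findings and nothing else, which matches the assertion error quoted earlier (ldapauth-fork never saw a url), while the corrected block yields none. The "new setup" posted above would still be flagged once, because {{Username}} is not the placeholder the library substitutes. The bind account in the corrected block is a dedicated read-only service account rather than a domain admin, and the URL is ldaps://, since config.json holds the bind password in clear text and a plain ldap:// bind sends both it and every user's login password unencrypted.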
My config has had the ldapUserName field for a long time, but without editing webserver.js, when a user logs in, a long code is generated as the username rather than the actual sAMAccountName, and as I remember you can't assign users to groups since it expects a username in the field, which doesn't exist.
At some point I need to setup a LDAP server myself for testing, but I can't seem to find any easy way to get started with that. If you have suggestions, that would be great.
You should check out Nethserver for that.
Sorry for answering in this old thread, but I'm struggling with ldapUserRealName. Whatever I try, the real name is never populated with any information. I tried "ldapUserRealName": "displayName" and also "ldapUserRealName": "name", but it is still empty. ldapUserEmail and the rest are working like a charm.
And just to add, it would be very nice to pick the user image from LDAP, too. We are managing all our pictures there. The image is in the attribute thumbnailPhoto and is base64 encoded. Some setting like "ldapUserImage": true would be perfect.
What do you think about this?
Cheers, Timo