Snipe-it authentication and user management using UCS LDAP

Hi,
I configured an open source asset management system, snipe-it, and it has an LDAP integration option. Using the UCS documentation I did the LDAP settings in snipe-it. I can import users from UCS, but I can’t log in using the users imported from UCS. Please help me to solve this; also, the LDAP settings are not importing the email details.

Hey,

can you show us screenshots of the configuration you’ve created?

Kind regards,
mosu

Screenshot from 2018-03-27 17-50-42

This is the snipe-it LDAP settings page

Screenshot from 2018-03-27 17-52-43
Using Samba AD settings, the email address field is fetched correctly, but no users are imported. Snipe-it shows a “first name and last name required” error.

Hey,

the error message shown in the first screenshot should have given you a hint what’s wrong: the LDAP filter. A valid LDAP filter is fully enclosed in parenthesis, e.g. (&(key1=value1)(key=value2)) instead of just &(key1=value1)(key2=value2) as it is in your case.

Kind regards,
mosu

I also tried the enclosed format, but got the same error. Actually, is there any search filter change in Samba AD? Using the LDAP configuration from the UCS server (port 7386) I can successfully import users to snipe-it, but I can’t authenticate, and the email addresses of the users are not imported either. After importing the user, the snipe-it login shows the error “username or password not correct”. In the background log, snipe-it shows “user not found on LDAP server”.

Hey,

if you’re connecting against OpenLDAP (port 7389 or 7636), you need to use mailPrimaryAddress as the attribute for the email address and uid as the attribute for the login name. If you’re connecting against Samba/AD (port 389 or 636), the corresponding attributes are mail and sAMAccountName.

In the first screenshot there’s a field labeled “LDAP authentication query”. This should probably be adjusted, too, depending on which port you’re connecting to.

Edit: Notice further that the format for the “Bind DN” is different for AD and OpenLDAP. For AD you can use three different formats:

  1. username@domain, e.g. administrator@internal.company.com
  2. SHORTDOMAIN\username, e.g. INTERNAL\administrator
  3. Full DN to the LDAP object, e.g. cn=administrator,cn=users,dc=internal,dc=company,dc=com

For OpenLDAP you must use the DN syntax; the other two won’t work. Additionally the user objects are named uid=… in OpenLDAP, not cn=…, which means that example 3 would be uid=administrator,cn=users,dc=internal,dc=company,dc=com for OpenLDAP.

Kind regards,
mosu
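The two points made above, the filter that must be fully enclosed in parentheses and the attribute and bind-DN differences between UCS’s OpenLDAP and Samba/AD ports, as an added example (not code from the thread, from UCS or from snipe-it). The parser follows RFC 4515 filter syntax; the port-to-backend table and the `cn=users` container are taken from the reply above, and `user_bind_dn` is a helper name chosen here.

```python
"""Added example (not from the forum thread): check that an LDAP search filter
is well formed per RFC 4515, and select the attribute names and bind-DN form
for the UCS backend reached on a given port (OpenLDAP on 7389/7636 versus
Samba/AD on 389/636), as described in the reply above."""
from dataclasses import dataclass
from typing import Tuple


@dataclass(frozen=True)
class BackendProfile:
    name: str
    ports: Tuple[int, ...]
    login_attr: str      # attribute holding the logon name
    mail_attr: str       # attribute holding the e-mail address
    user_rdn_attr: str   # naming attribute of user objects (uid=... vs cn=...)


OPENLDAP = BackendProfile("OpenLDAP", (7389, 7636), "uid", "mailPrimaryAddress", "uid")
SAMBA_AD = BackendProfile("Samba/AD", (389, 636), "sAMAccountName", "mail", "cn")


def profile_for_port(port: int) -> BackendProfile:
    """Map the port the client connects to onto the backend it is talking to."""
    for profile in (OPENLDAP, SAMBA_AD):
        if port in profile.ports:
            return profile
    raise ValueError(f"port {port} is not a UCS LDAP or AD port")


def user_bind_dn(profile: BackendProfile, username: str, base_dn: str) -> str:
    """Full-DN bind identity, the only form OpenLDAP accepts. 'cn=users' is
    UCS's default user container, as in the thread's examples."""
    return f"{profile.user_rdn_attr}={username},cn=users,{base_dn}"


class FilterSyntaxError(ValueError):
    pass


def _parse(s: str, i: int) -> int:
    """Parse one parenthesised filter starting at s[i]; return the index just
    past its closing parenthesis. Raises FilterSyntaxError on malformed input."""
    if i >= len(s) or s[i] != "(":
        raise FilterSyntaxError(f"expected '(' at offset {i}")
    i += 1
    if i < len(s) and s[i] in "&|!":
        op = s[i]
        i += 1
        children = 0
        while i < len(s) and s[i] == "(":
            i = _parse(s, i)
            children += 1
        if children == 0 or (op == "!" and children != 1):
            raise FilterSyntaxError(f"bad operand count for '{op}'")
    else:
        # Simple item: attr=value. An unescaped ')' cannot occur inside a
        # value (RFC 4515 requires \29), so the first ')' closes the item.
        end = s.find(")", i)
        if end < 0:
            raise FilterSyntaxError("unterminated filter item")
        attr, sep, value = s[i:end].partition("=")
        if not sep or not attr.rstrip("<>~") or not value:
            raise FilterSyntaxError(f"bad item {s[i:end]!r}")
        i = end
    if i >= len(s) or s[i] != ")":
        raise FilterSyntaxError(f"expected ')' at offset {i}")
    return i + 1


def is_well_formed_filter(flt: str) -> bool:
    """True iff the whole string is exactly one RFC 4515 filter, i.e. fully
    enclosed in parentheses with nothing before or after it."""
    try:
        return _parse(flt, 0) == len(flt)
    except FilterSyntaxError:
        return False


if __name__ == "__main__":
    for candidate in ("(&(key1=value1)(key2=value2))", "&(key1=value1)(key2=value2)",
                      "objectClass=organizationalPerson"):
        print(f"{candidate!r}: {'ok' if is_well_formed_filter(candidate) else 'INVALID'}")
    print(user_bind_dn(profile_for_port(7389), "administrator", "dc=internal,dc=company,dc=com"))
```

Running the check on a filter before saving it in the application’s settings catches the bare `&(key1=value1)(key2=value2)` case from the screenshot, and `profile_for_port` makes the port number, not guesswork, decide whether `uid`/`mailPrimaryAddress` or `sAMAccountName`/`mail` is configured.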

Hi Moritz,

Thanks for the help. Using the settings below I can now import users with email IDs to snipe-it. But I can’t log in using a UCS server username and password. The snipe-it web page shows a “username or password incorrect” message. Also, snipe-it logs “production.ERROR: There was an error authenticating the LDAP user: Could not find user in LDAP directory”. My LDAP settings are below:

Server : ucs.server.com:389
bindusername : administrator@server.com
password : AdminPassword
Base Bind DN : dc=server,dc=com
Ldap Filter : objectClass=organizationalPerson
User name field : samaccountname
Last Name : sn
LDAP First Name : givenname
LDAP Authentication query : uid
LDAP Version : 0
LDAP Active Flag : NIL
LDAP Employee Number : NIL
LDAP Email : mail

NOTE: Using samaccountname in the LDAP Authentication query field, the log shows “ldap_search(): Search: Bad search filter”. So please help me to resolve the login issue.

Regards,
Renjith

Hi Moritz,

Below settings worked for me.

Server : ucs.server.com:389
bindusername : administrator@server.com
password : AdminPassword
Base Bind DN : dc=server,dc=com
Ldap Filter : objectClass=organizationalPerson
User name field : samaccountname
Last Name : sn
LDAP First Name : givenname
LDAP Authentication query : cn=
LDAP Version : 0
LDAP Active Flag : NIL
LDAP Employee Number : NIL
LDAP Email : mail

Thanks for the help. Now I can log in and import users to snipe-it.

Regards,
Renjith

Hey,

I would say that LDAP authentication query should rather be samaccountname= and not cn=. My understanding is that this filter is used for looking up the user in the AD. If you filter on cn here, the user has to use his/her common name, which is often of the Firstname Lastname variety, instead of their logon name, which is samaccountname. But then again, I’ve never used Snipe-IT myself; this is just conjecture on my part.

Kind regards,
mosu
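The distinction drawn in the reply above, that the “LDAP authentication query” prefix decides which attribute the typed login name is compared against, as an added example that is not snipe-it’s own code (how snipe-it really assembles its filter is not visible in this thread; `login_lookup_filter` and `find_user` are helper names chosen here, and the directory entries are constructed). The example also escapes the username per RFC 4515 before it is placed in the filter, so that whatever a user types is only ever compared as a literal value and can never change the filter’s structure.

```python
"""Added example (not from the forum thread or snipe-it's code): build the
user-lookup filter that an "LDAP authentication query" prefix such as
"samaccountname=" or "cn=" produces at login time, escape the supplied
username per RFC 4515, and evaluate the filter against a small constructed
directory to show which name a user must type to be found."""
import re
from typing import Dict, List, Optional

# Constructed sample entries (hypothetical users, not from the thread).
DIRECTORY: List[Dict[str, object]] = [
    {"dn": "cn=Jane Doe,cn=users,dc=server,dc=com", "cn": "Jane Doe",
     "sAMAccountName": "jdoe", "mail": "jdoe@server.com",
     "objectClass": ["top", "person", "organizationalPerson", "user"]},
    {"dn": "cn=Printer Queue,cn=users,dc=server,dc=com", "cn": "Printer Queue",
     "sAMAccountName": "printq", "objectClass": ["top", "computer"]},
]

ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """RFC 4515 value escaping: the username can then never close or extend
    the filter, whatever characters it contains."""
    return "".join(ESCAPES.get(ch, ch) for ch in value)


def unescape_filter_value(value: str) -> str:
    """Reverse of escape_filter_value, used when comparing against entries."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def login_lookup_filter(auth_query: str, username: str,
                        base_filter: str = "objectClass=organizationalPerson") -> str:
    """Combine the configured base filter with the authentication query.
    The base filter is wrapped in parentheses if it was given bare, as in
    the thread's settings."""
    attr = auth_query.rstrip("=")
    if not base_filter.startswith("("):
        base_filter = f"({base_filter})"
    return f"(&{base_filter}({attr}={escape_filter_value(username)}))"


_ITEM = re.compile(r"\(([^=()]+)=([^()]*)\)")


def _matches(entry: Dict[str, object], flt: str) -> bool:
    """Evaluate an AND of equality items against one entry. Attribute names
    and values compare case-insensitively, as AD's default matching rules do.
    Wildcards are not implemented: an escaped '*' is just a literal."""
    assert flt.startswith("(&") and flt.endswith(")")
    attrs = {k.lower(): v for k, v in entry.items()}
    for attr, value in _ITEM.findall(flt):
        wanted = unescape_filter_value(value).lower()
        present = attrs.get(attr.lower())
        values = present if isinstance(present, list) else [present]
        if not any(isinstance(v, str) and v.lower() == wanted for v in values):
            return False
    return True


def find_user(auth_query: str, username: str) -> Optional[str]:
    """Return the DN of the single entry the login filter selects, or None."""
    flt = login_lookup_filter(auth_query, username)
    hits = [e["dn"] for e in DIRECTORY if _matches(e, flt)]
    return hits[0] if len(hits) == 1 else None


if __name__ == "__main__":
    for query, name in (("samaccountname=", "jdoe"), ("cn=", "jdoe"),
                        ("cn=", "Jane Doe"), ("samaccountname=", "*)(cn=*")):
        print(f"{query!r} with {name!r}: {find_user(query, name)}")
```

With `samaccountname=` the logon name `jdoe` resolves to the entry; with `cn=` the same user is only found by typing `Jane Doe`, which is the behaviour the reply above predicts. The base filter also keeps non-person objects out of the match, and the escaped username with filter metacharacters simply fails to match rather than widening the search.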

Ok Moritz, snipe-it is a good open source asset management tool.
