    How to authenticate via AD to non-domain server

    IT Discussion
    bookstack active directory ldap
    • zachary715

      Best title I could come up with, but specifically the issue I'm having is with Bookstack LDAP authentication. In AD, most of our user accounts are limited to what machines they can log on to via the "Log On To..." function. We'll generally input the machine or machines their account can log in to on the list and we're good. In every previous case, the machines they were logging into were domain joined, so we just input the computer name and moved on. With this new install of Bookstack, if I enter the computer name, I still can't log in. I'm guessing it has to do with the fact the server isn't joined to the domain. If I remove the "Log On To" restriction, it logs in fine.

      Anyone run across this and can point out what I'm missing?

      • travisdh1 @zachary715

        @zachary715 said in How to authenticate via AD to non-domain server:

        Best title I could come up with, but specifically the issue I'm having is with Bookstack LDAP authentication. In AD, most of our user accounts are limited to what machines they can log on to via the "Log On To..." function. We'll generally input the machine or machines their account can log in to on the list and we're good. In every previous case, the machines they were logging into were domain joined, so we just input the computer name and moved on. With this new install of Bookstack, if I enter the computer name, I still can't log in. I'm guessing it has to do with the fact the server isn't joined to the domain. If I remove the "Log On To" restriction, it logs in fine.

        Anyone run across this and can point out what I'm missing?

        What is Bookstack running on? Why not join it to the domain?

        • zachary715

          Ubuntu 18.04 on VMware. Would consider joining to domain if it's the easier option. Just didn't know if it was something basic I was missing.

          • travisdh1 @zachary715

            @zachary715 said in How to authenticate via AD to non-domain server:

            Ubuntu 18.04 on VMware. Would consider joining to domain if it's the easier option. Just didn't know if it was something basic I was missing.

            I know that joining CentOS and Fedora to a domain is quick and easy, but I've not attempted it with Ubuntu.

            • Obsolesce @travisdh1

              @travisdh1 said in How to authenticate via AD to non-domain server:

              @zachary715 said in How to authenticate via AD to non-domain server:

              Ubuntu 18.04 on VMware. Would consider joining to domain if it's the easier option. Just didn't know if it was something basic I was missing.

              I know that joining CentOS and Fedora to a domain is quick and easy, but I've not attempted it with Ubuntu.

              Ubuntu is easy too in basically the same way.

              • notverypunny

                Can you use RADIUS? Was able to get our firewalls to authenticate VPN users against Microsoft's RADIUS implementation and validate against specific security groups in AD.

                • dbeato

                  Interesting the use of "Log On to", I am not sure you can without joining the domain or having a DNS entry.

                  • zachary715 @dbeato

                    @dbeato said in How to authenticate via AD to non-domain server:

                    Interesting the use of "Log On to", I am not sure you can without joining the domain or having a DNS entry.

                    It has a DNS entry, but still doesn't work. I'll just join to domain and see how that goes.

                    • zachary715 @notverypunny

                      @notverypunny said in How to authenticate via AD to non-domain server:

                      Can you use RADIUS? Was able to get our firewalls to authenticate VPN users against Microsoft's RADIUS implementation and validate against specific security groups in AD.

                      Don't currently have RADIUS setup, so this seems to be the long way around the issue. Thanks for the suggestion.

                      • wirestyle22

                        This is definitely because it's not domain joined

                        • wirestyle22 @Obsolesce

                          @Obsolesce said in How to authenticate via AD to non-domain server:

                          @travisdh1 said in How to authenticate via AD to non-domain server:

                          @zachary715 said in How to authenticate via AD to non-domain server:

                          Ubuntu 18.04 on VMware. Would consider joining to domain if it's the easier option. Just didn't know if it was something basic I was missing.

                          I know that joining CentOS and Fedora to a domain is quick and easy, but I've not attempted it with Ubuntu.

                          Ubuntu is easy too in basically the same way.

                          18.04 changes quite a bit of stuff. Typically easy though

                          • zachary715

                            Just joined to domain and still having same issue. I even limited my own account to just bookstack and it wouldn't let me log in. Error says "These credentials do not match our records". As soon as I remove Log On To restrictions, these accounts can sign in.

                            Verified domain join by running id DOMAIN\\user and ensured I was getting user properties back.

                            Followed these steps to join to domain... https://www.server-world.info/en/note?os=Ubuntu_18.04&p=realmd

                            Server gets IP from DHCP, there's a new computer entry in AD further verifying it successfully joined domain, and I also verified the DNS entry for the server. Not having passed AD authentication before for a scenario like this, not sure if this is typical or some issue with bookstack authentication specifically.

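                            The generic "These credentials do not match our records" message in the post above is BookStack collapsing whatever the domain controller actually returned. When an AD simple bind fails, the DC's LDAP BindResponse carries a diagnostic string ending in a "data NNN" sub-code, and 531 is specifically "not permitted to log on at this workstation", i.e. the Log On To (userWorkstations) restriction. The probe below is an added example, not code from this thread or from BookStack: it performs the same LDAPv3 simple bind that the .env's LDAP_SERVER / LDAP_DN settings drive, using only the Python standard library, and decodes that sub-code. The host, the bind name user@domain.local and the sample diagnostic string (the DSID and version numbers in it) are constructed placeholders.

```python
"""
Stdlib-only LDAPv3 simple-bind probe that surfaces the Active Directory
sub-code ("data NNN") behind a failed bind.
Added example, not BookStack code; host and account values are placeholders.
"""
import re
import socket
import ssl
from typing import NamedTuple, Optional, Tuple

# AD sub-codes that accompany LDAP resultCode 49 (invalidCredentials).
AD_BIND_SUBCODES = {
    "525": "user not found",
    "52e": "invalid credentials (wrong password)",
    "530": "not permitted to log on at this time (Logon Hours)",
    "531": "not permitted to log on at this workstation (Log On To / userWorkstations)",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

# Constructed sample of an AD diagnosticMessage; the DSID and v-number are illustrative.
SAMPLE_AD_DIAG_531 = ("80090308: LdapErr: DSID-0C09042A, comment: "
                      "AcceptSecurityContext error, data 531, v2580")


def _ber_len(n: int) -> bytes:
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, payload: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(payload)) + payload


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Decode the TLV at buf[pos]; returns (tag, value, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                      # long-form length
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def build_simple_bind(name: str, password: str, message_id: int = 1) -> bytes:
    """LDAPMessage { messageID, BindRequest [APPLICATION 0] { version 3, name, simple [0] pw } }.
    AD accepts a UPN (user@domain.local) or DOMAIN\\user as the bind name."""
    bind_req = _tlv(0x60, _tlv(0x02, b"\x03")
                          + _tlv(0x04, name.encode())
                          + _tlv(0x80, password.encode()))
    return _tlv(0x30, _tlv(0x02, bytes([message_id])) + bind_req)


def build_bind_response(result_code: int, diagnostic: str, message_id: int = 1) -> bytes:
    """Encode a BindResponse [APPLICATION 1]; used only to fabricate offline test input."""
    resp = _tlv(0x61, _tlv(0x0A, bytes([result_code]))    # resultCode ENUMERATED
                      + _tlv(0x04, b"")                    # matchedDN
                      + _tlv(0x04, diagnostic.encode()))   # diagnosticMessage
    return _tlv(0x30, _tlv(0x02, bytes([message_id])) + resp)


class BindResult(NamedTuple):
    result_code: int
    ad_subcode: Optional[str]
    reason: str
    diagnostic: str


def parse_bind_response(msg: bytes) -> BindResult:
    """Walk LDAPMessage -> BindResponse and map AD's 'data NNN' token to a reason."""
    _, outer, _ = _read_tlv(msg, 0)
    _, _, pos = _read_tlv(outer, 0)               # messageID, unused
    tag, resp, _ = _read_tlv(outer, pos)
    if tag != 0x61:
        raise ValueError(f"expected BindResponse (tag 0x61), got 0x{tag:02x}")
    _, code_b, pos = _read_tlv(resp, 0)
    _, _, pos = _read_tlv(resp, pos)              # matchedDN, unused
    _, diag_b, _ = _read_tlv(resp, pos)
    code = int.from_bytes(code_b, "big")
    diag = diag_b.decode("utf-8", errors="replace")
    m = re.search(r"\bdata\s+([0-9a-fA-F]+)\b", diag)
    sub = m.group(1).lower() if m else None
    if code == 0:
        reason = "bind succeeded"
    elif sub in AD_BIND_SUBCODES:
        reason = AD_BIND_SUBCODES[sub]
    else:
        reason = f"LDAP resultCode {code} (no recognised AD sub-code)"
    return BindResult(code, sub, reason, diag)


def probe_bind(host: str, port: int, name: str, password: str,
               use_tls: bool = False, timeout: float = 5.0) -> BindResult:
    """Bind as the user and return the decoded result. On plain 389 the password
    crosses the wire in clear; prefer 636 with use_tls=True (needs a trusted DC cert)."""
    sock = socket.create_connection((host, port), timeout=timeout)
    if use_tls:
        sock = ssl.create_default_context().wrap_socket(sock, server_hostname=host)
    with sock:
        sock.sendall(build_simple_bind(name, password))
        data = sock.recv(4096)            # a BindResponse is far smaller than this
    return parse_bind_response(data)


if __name__ == "__main__":
    # Placeholder values mirroring the .env in this thread; replace before running.
    print(probe_bind("10.10.168.10", 389, "user@domain.local", "Password"))
```

                            Run it as the restricted account, not as the LDAP_DN service account, because it is the user's own bind that the Log On To check rejects. The same diagnostic string can be obtained without any code with OpenLDAP's client tools on the Ubuntu host, e.g. ldapwhoami -x -H ldap://10.10.168.10 -D 'user@domain.local' -W. Note that the simple bind sends the password in clear on port 389, which is also true of the LDAP_SERVER setting in the .env; the ldaps:// form the .env comment shows is the one to use outside a lab.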
                            • wirestyle22 @zachary715

                              @zachary715 post your .env file

                              • zachary715

                                # Database details
                                DB_HOST=localhost
                                DB_DATABASE=bookstack
                                DB_USERNAME=bookstack
                                DB_PASSWORD=PASSWORD
                                
                                # Mail system to use
                                # Can be 'smtp', 'mail' or 'sendmail'
                                MAIL_DRIVER=smtp
                                
                                # SMTP mail options
                                MAIL_HOST=localhost
                                MAIL_PORT=1025
                                MAIL_USERNAME=null
                                MAIL_PASSWORD=null
                                MAIL_ENCRYPTION=null
                                
                                # General auth
                                AUTH_METHOD=ldap
                                
                                # The LDAP host, Adding a port is optional
                                LDAP_SERVER=10.10.168.10:389
                                
                                # If using LDAP over SSL you should also define the protocol:
                                # LDAP_SERVER=ldaps://example.com:636
                                
                                # The base DN from where users will be searched within
                                LDAP_BASE_DN=dc=domain,dc=local
                                
                                # The full DN and password of the user used to search the server
                                # Can both be left as false to bind anonymously
                                [email protected]
                                LDAP_PASS=Password
                                
                                # A filter to use when searching for users
                                # The user-provided user-name used to replace any occurrences of '${user}'
                                LDAP_USER_FILTER=(&(sAMAccountName=${user}))
                                
                                # Set the LDAP version to use when connecting to the server
                                LDAP_VERSION=3
                                
                                # Set the default 'email' attribute. Defaults to 'mail'
                                LDAP_EMAIL_ATTRIBUTE=mail
                                
                                # Set the property to use for a user's display name. Defaults to 'cn'
                                LDAP_DISPLAY_NAME_ATTRIBUTE=cn
                                • wirestyle22 @zachary715

                                  @zachary715 Try using your hostname without the port specified for LDAP_SERVER=

                                  • zachary715 @wirestyle22

                                    @wirestyle22 said in How to authenticate via AD to non-domain server:

                                    @zachary715 post your .env file

                                    I followed the thread you and @dbeato were discussing setting it up, so I'm assuming you have it running and authenticating. If you specify machines in AD via Log On To, can you still have them log in?

                                    • wirestyle22 @zachary715

                                      @zachary715 said in How to authenticate via AD to non-domain server:

                                      @wirestyle22 said in How to authenticate via AD to non-domain server:

                                      @zachary715 post your .env file

                                      I followed the thread you and @dbeato were discussing setting it up, so I'm assuming you have it running and authenticating. If you specify machines in AD via Log On To, can you still have them log in?

                                      Yes I can. I'm also running it on 16.04 though

                                      • zachary715 @wirestyle22

                                        @wirestyle22 said in How to authenticate via AD to non-domain server:

                                        @zachary715 Try using your hostname without the port specified for LDAP_SERVER=

                                        Same results...

                                        • wirestyle22 @zachary715

                                          @zachary715 Everything looks correct to me in your .env file. Not sure

                                          • zachary715

                                            Yeah I've gone back to Ubuntu's documentation and even added some of the things for AD join that the other tutorial didn't mention, and still no luck. What a pain. I may spin up a 16.04 server and see if I can get that to work.

                                            @wirestyle22 If you have time and can make a clone of your bookstack install and upgrade it to 18.04 and test, that might be helpful as well.
