TACTIC Open Source
Active Directory Issue with Tactic4.8



Active Directory Issue with Tactic4.8 - lzzzz - 08-13-2020

Hello Everyone,

I am new to Tactic and I am facing some issues that have confused me for several days....

I am using Windows Server 2016, Tactic4.8.b04 and Python3.7.5 now.

What I want to do is let domain users log in to Tactic, but after setup it gives the same error every time.

=======================================================================
  File "C:/Program Files/Southpaw/tactic/src/pyasm/web/app_server.py", line 130, in execute
    self._get_display()
  File "C:/Program Files/Southpaw/tactic/src/pyasm/web/app_server.py", line 339, in _get_display
    security = self.handle_security(security)
  File "C:/Program Files/Southpaw/tactic/src/pyasm/web/app_server.py", line 765, in handle_security
    login_cmd.execute()
  File "C:/Program Files/Southpaw/tactic/src/pyasm/web/web_login_cmd.py", line 138, in execute
    except SecurityException as e:
  File "C:/Program Files/Southpaw/tactic/src/pyasm/security/security.py", line 1758, in login_user
    is_authenticated = authenticate.verify(auth_login_name, password)
  File "C:/Program Files/Southpaw/tactic/src/tactic/active_directory/ad_authenticate.py", line 94, in verify
    info = ad_connect.lookup()


An Error has occurred.  Please see your Tactic Administrator
Error Message: name 'ADConnect' is not defined
Error Id: 116

=======================================================================

Here are my settings.
<security>
    <version>2</version>
    <ticket_expiry>10 hour</ticket_expiry>
    <case_insensitive_login>false</case_insensitive_login>
    <authenticate_mode>default</authenticate_mode>
    <authenticate_class>tactic.active_directory.ADAuthenticate</authenticate_class>
    <authenticate_domains></authenticate_domains>
    <authenticate_version>2</authenticate_version>
    <auto_create_user>true</auto_create_user>
    <api_require_password>true</api_require_password>
    <api_password></api_password>
</security>

<active_directory>
    <allow>all</allow>
    <domains>coffee</domains>
    <handle_groups>true</handle_groups>
    <default_groups>user</default_groups>
    <default_license_type>user</default_license_type>
</active_directory>


=======================================================================

And I tested with ad_test.py under C:\Program Files\Southpaw\tactic\src\tactic\active_directory\ad_test.py

The test is OK and I can see domain user tactic01 is under Tactic group also.

However when I try to login from browser there is always an issue:
An Error has occurred.  Please see your Tactic Administrator
Error Message: name 'ADConnect' is not defined
Error Id: 116


And I have checked the document also but it is not working...
http://community.southpawtech.com/docs/sys-admin/active-directory/

This is my login page:


Has anybody had the same problem and fixed it?

Thank you very much and sorry about my poor English..


RE: Active Directory Issue with Tactic4.8 - lzzzz - 08-13-2020

Does anybody know something about this?

I still cannot fix this yet, maybe it is a Python issue but I am also new to Python.

Waiting..


RE: Active Directory Issue with Tactic4.8 - remkonoteboom - 08-13-2020

Thanks for reporting this.

Looking at the code, it is likely that this hasn't been ported to Python 3. We are using a 3rd party lightweight wrapper to bind to Microsoft's COM support for Active Directory. I don't think this library will run on Python 3. There are some other imports in that folder that are also not Python 3 compliant.

I am not sure how much of this authentication library has been used, but everyone who has is obviously running Python 2. We have switched to using an LDAP binding to Active Directory for our clients so haven't used the COM support libraries for a while. I am not sure if you have LDAP support on your Active Directory installation, but you could use that instead.

That authentication class is:

pyasm.security.LdapADAuthenticate

I will try to find an example configuration for this. However, to be honest, I am not sure how Domains is used with this, but it could be in the binding path used.


RE: Active Directory Issue with Tactic4.8 - lzzzz - 08-14-2020

Thank you very much for your reply!

I don't have an LDAP on my AD, but I will continue to work hard to solve this problem.

Thank you.


RE: Active Directory Issue with Tactic4.8 - remkonoteboom - 08-14-2020

For reference, here is an example tactic configuration for connecting to Active Directory with LDAP class "pyasm.security.LdapADAuthenticate"


Code:
<security>
    <ldap_server>ldap.mycompany.com</ldap_server>
    <bind_dn>CN=Users,DC=mycompany,DC=ca</bind_dn>
    <bind_password>xxxxxx</bind_password>
    <base_dn>dc=mycompany,dc=ca</base_dn>
    <group_mapping>
        {
            "tac1ce" : "client_engineer",
            "tac1dse": "data_services",
            "tac1leg": "legal",
            "tac1sal": "sales",
            "tac1wa" : "admin"
        }
    </group_mapping>
</security>




The group mapping maps Active Directory groups to TACTIC Groups.


RE: Active Directory Issue with Tactic4.8 - lzzzz - 08-17-2020

Thank you very much!

I will try to do this.

I just set up LDAP on CentOS now.

Thank you for this as I am new to IT..


RE: Active Directory Issue with Tactic4.8 - lzzzz - 08-20-2020

Hello Everyone,

I am facing a new issue here.

I can log in with my Active Directory now, but whatever I put in the login window, it will auto-create the user as well...

Here is my tactic-conf.xml.


Code:
<security>
    <authenticate_class>pyasm.security.LdapADAuthenticate</authenticate_class>
    <authenticate_mode>false</authenticate_mode>
    <allow_guest>false</allow_guest>
    <ldap_server>ldap://localhost:389</ldap_server>
    <bind_dn>cn=tactic01,ou=TacticOU,dc=coffee,dc=com</bind_dn>
    <bind_password>Abcd001</bind_password>
    <base_dn>dc=coffee,dc=com</base_dn>
    <group_mapping>
        {
            "TacticOU": "Users"
        }
    </group_mapping>
</security>

<active_directory>
    <allow>all</allow>
    <handle_groups>false</handle_groups>
</active_directory>


I tried <auto_create_users>false</auto_create_users> and <authenticate_mode>default</authenticate_mode> but it does not work.

And the <group_mapping> is not working either...

Here is what I followed:
http://community.southpawtech.com/docs/sys-admin/configure-tactic/

I think maybe I missed some step there.

Thank you.
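
As an added example (not part of the original post and not TACTIC's own code), a short Python check over a `<security>` section shaped like the one posted above, listing the points a reviewer would look at first. The `<config>` root element, the placeholder password and the set of known mode names are assumptions made for this example.

```python
import json
import xml.etree.ElementTree as ET

# Constructed sample modelled on the <security> block posted above;
# the bind password is a placeholder, not a real credential.
SAMPLE = """<config><security>
  <authenticate_class>pyasm.security.LdapADAuthenticate</authenticate_class>
  <authenticate_mode>false</authenticate_mode>
  <ldap_server>ldap://localhost:389</ldap_server>
  <bind_dn>cn=tactic01,ou=TacticOU,dc=coffee,dc=com</bind_dn>
  <bind_password>PLACEHOLDER</bind_password>
  <base_dn>dc=coffee,dc=com</base_dn>
  <group_mapping>{"TacticOU": "Users"}</group_mapping>
</security></config>"""

# Assumption: only the mode names that appear in this thread count as known.
MODES_SEEN_IN_THREAD = {"default", "cache"}

def rdn_values(dn, attr):
    """Values of every RDN of type `attr` in a DN without escaped commas."""
    pairs = (p.split("=", 1) for p in dn.split(",") if "=" in p)
    return {v.strip().lower() for k, v in pairs if k.strip().lower() == attr}

def audit_security(xml_text):
    """Return a list of review findings for the <security> section."""
    sec = ET.fromstring(xml_text).find("security")
    if sec is None:
        return ["no <security> section found"]
    get = lambda tag: (sec.findtext(tag) or "").strip()
    findings = []
    if get("authenticate_mode") and get("authenticate_mode") not in MODES_SEEN_IN_THREAD:
        findings.append("authenticate_mode: unknown value '%s'" % get("authenticate_mode"))
    if not get("ldap_server").lower().startswith("ldaps://"):
        findings.append("ldap_server: no ldaps:// scheme, confirm the bind is TLS-protected")
    if get("bind_password"):
        findings.append("bind_password: stored in plain text, restrict read access to the file")
    try:
        mapping = json.loads(get("group_mapping") or "{}")
    except json.JSONDecodeError as exc:
        mapping = {}
        findings.append("group_mapping: not valid JSON (%s)" % exc)
    # Mapping keys are AD groups; a key that is an OU of the bind DN is suspect.
    ous = rdn_values(get("bind_dn"), "ou")
    for key in mapping:
        if key.lower() in ous:
            findings.append("group_mapping: '%s' is an OU in bind_dn, not an AD group" % key)
    return findings

if __name__ == "__main__":
    for finding in audit_security(SAMPLE):
        print(finding)
```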


RE: Active Directory Issue with Tactic4.8 - lzzzz - 08-20-2020

Found it in

ldap_ad_authenticate.py

def get_mode(self):
    # return "cache"
    return "default"

Change "cache" to "default". tactic-conf.xml does not affect that.

(08-20-2020, 03:30 AM)lzzzz Wrote: Found it in

ldap_ad_authenticate.py

def get_mode(self):
#    return "cache"
    return "default"

Change "cache" to "default". tactic-conf.xml does not affect that.

However, I cannot log in with a newly created AD account anymore with "default"...

The old user is OK with login.

Is there anything I missed in the login setup?

Has anyone had the same problem as me?

If you know this, please reply.

Thank you!


RE: Active Directory Issue with Tactic4.8 - lwinmoe - 08-20-2020

If you are using only LDAP with LdapAdAuthenticate class, try taking out:


Code:
<active_directory>
    <allow>all</allow>
    <handle_groups>false</handle_groups>
</active_directory>



RE: Active Directory Issue with Tactic4.8 - lzzzz - 08-21-2020

(08-20-2020, 04:00 PM)lwinmoe Wrote: If you are using only LDAP with LdapAdAuthenticate class, try taking out:


Code:
<active_directory>
    <allow>all</allow>
    <handle_groups>false</handle_groups>
</active_directory>


Thank you for your reply, but I am using it with AD now.

I tried that but it didn't work..

But I'd like to know if this works well with only LDAP?

Thank you!