Google Secure LDAP credentials not working - ldap

I'm trying to get a simple ldapsearch query working against Google Secure LDAP without using client certificate. I'm using Ubuntu 22.04 ldap-utils.
Am I doing something obviously wrong with my query below? Assume username generated by Google is LDAPUser1 and password is RAND123 and my domain is example.com:
ldapsearch -D "LDAPUser1" -w RAND123 -b "ou=Users,dc=example,dc=com" -H ldaps://ldap.google.com:636
Whenever I run it, I get the following error:
ldap_bind: Invalid credentials (49)
additional info: Incorrect password
I've copied the username and password verbatum from the Google Secure LDAP "Access Credentials" section. It's directly below the "Certificates" section.

Related

Google Secure LDAP (from Cloud Identity) returning wrong user DN

We have a Google G suite with multiple domains and users with email addresses not always having the primary domain extension.
When ldap searching the Secure LDAP environment for a user with a non primary domain we get the wrong user DN back.
Example:
LDAPTLS_CERT=ldap-client.crt LDAPTLS_KEY=ldap-client.key ldapsearch -H ldaps://ldap.google.com -b dc=example,dc=com '(mail=user#company.nl)'
returns dn: uid=user,ou=Users,dc=example,dc=com
where it should return dn: uid=user,dc=company,dc=nl
But with this wrong DN the next step in my radius authentication (because that's where we are using this for) fails:
LDAPTLS_CERT=ldap-client.crt LDAPTLS_KEY=ldap-client.key ldapsearch -W -D uid=user,ou=Users,dc=example,dc=com -H ldaps://ldap.google.com -b dc=example,dc=com '(mail=user#company.nl)' with a
ldap_bind: Invalid credentials (49)
additional info: Incorrect password
which makes sense because LDAP cannot find the user.
whereas as binding with the right DN succeeds:
LDAPTLS_CERT=ldap-client.crt LDAPTLS_KEY=ldap-client.key ldapsearch -W -D uid=user,ou=Users,dc=company,dc=nl -H ldaps://ldap.google.com -b dc=example,dc=com '(mail=user#company.nl)'
If I query for the user with the corresponding base_dn from the user's email address the returned DN is ok, but I cannot dynamically adjust the based_dn depending on the users email address, I think, in freeradius
I’m not sure if this a problem of the google LDAP servers or a problem with the LDAP protocol or a problem with the way I/radius queries LDAP.
I'm thinking to implement scripting authentication in the authorize section and implement my own ldapsearch + bind , but I hope there's a better solution.
Thanks. Wessel
Try with ldaps://ldap.google.com:636.
We found unless the port is defined it does not work.
We also noticed that not all fields can be searched, i.e uidNumber.

OpenVPN + FreeIPA: memberOf Additional Requirement not working

My user authenticates fine through OpenVPN AS, using LDAP authentication over FreeIPA.
Now I want to restrict OpenVPN to enforce that they belong to a certain group.
I've created a User Group in FreeIPA, and changed OpenVPN to have an "Additional LDAP Requirement" of "memberOf=CN=myGroup,CN=groups,CN=accounts,DC=mgmt,DC=company,DC=uk"
But when I try to authenticate now, I get access denied, with this error in openvpn logs:
2019-11-26T09:38:12+0000 [stdout#info] VPN Auth Failed: u"LDAP exception on ldaps://endpoint.free.ipa.internal/ (facility='search (u'cn=users,cn=accounts,dc=mgmt,dc=company,dc=uk', 2, u'(&(uid=myUser)(memberOf=CN=myGroup,CN=groups,CN=accounts,DC=mgmt,DC=company,DC=uk))')'): **user not found that meets specified requirements**: memberOf=CN=myGroup,CN=groups,CN=accounts,DC=mgmt,DC=company,DC=uk: auth/authldap:178,python2.7/threading:774,python2.7/threading:801,python2.7/threading:754,_threads/_threadworker:46,_threads/_team:190,python/threadpool:250,python/threadpool:266,python/context:122,python/context:85,auth/authldap:138,auth/authldap:178,util/error:67,util/error:48" [None]
If I try (what I think is) the equivalent LDAP Search from command line, it works fine:
ldapsearch -x -D "uid=admin,cn=users,cn=accounts,dc=mgmt,dc=company,dc=uk" -W -H ldap://localhost -b "cn=users,cn=accounts,dc=mgmt,dc=company,dc=uk" '(&(uid=myUser)(memberOf=cn=myGroup,cn=groups,cn=accounts,dc=mgmt,dc=company,dc=uk))'
That returns the user, and even lists their memberOf attributes:
...
memberOf: cn=ipausers,cn=groups,cn=accounts,dc=mgmt,dc=company,dc=uk
memberOf: cn=myGroup,cn=groups,cn=accounts,dc=mgmt,dc=company,dc=uk
...
So unsure what I've done wrong in OpenLDAP.
I read that memberOf only works retrospectively, so I removed and re-added myUser to myGroup. Still didn't work.
Ah found it.
OpenVPNAS was using anonymous binding to connect to FreeIPA in order to authenticate people. With anonymous binding, it isn't permitted to see group membership!
Fix was to change OpenVPNAS to bind as an admin user. Now it works fine.

LDAP - ldapwhoami returns "ldap_bind: Invalid credentials (49)"

I am new to working with LDAP, and my ultimate goal is to offer LDAP single sign-on in a web app. In order to achieve this, I'm trying to run ldapwhoami, but I'm running into issues. I am able to run other commands, like ldapsearch and ldapadd.
I'm running OpenLdap on Mac OS High Sierra.
My relevant slapd.conf looks like this:
access to *
by self write
by * read
by anonymous auth
database ldif
suffix "dc=test,dc=com"
directory openldap-data
rootdn "cn=admin,dc=test,dc=com"
## rootpw = secret
rootpw {SSHA}fFjKcZb4cfOAcwSjJer8nCGOEVRUnwCC
I then added a user with ldapadd -x -w secret -f shanson.ldif, where shanson.ldif looks like:
dn: cn=shanson,dc=test,dc=com
objectClass: inetOrgPerson
sn: Hanson
uid: shanson
cn: shanson
userPassword: secret
I am successfully able to search for and find this new user with ldapsearch -x "(cn=shanson)".
Now, I am trying to verify the user's credentials using ldapwhoami, and I keep getting an error:
> ldapwhoami -x -D cn=shanson,dc=test,dc=com -w secret
ldap_bind: Invalid credentials (49)
The same operation with my root admin user succeeds:
> ldapwhoami -x -D cn=admin,dc=test,dc=com -w secret
dn:cn=admin,dc=test,dc=com
I'm sure I'm just making a simple mistake or not understanding what I'm doing, but I don't really know where else to look right now for answers. Thanks!
It seems to have had something to do with the plain text password I set up. I installed Jxplorer and manually updated my user's password and hashed it with MD5, and now the ldapwhoami command works. If I set the password as plain text in JXplorer, ldapwhoami still does not work. Beyond that, I'm not entirely sure what I was doing wrong.
For me, my dn was wrong.
I did an ldapsearch with admin credentials to get the dn: uid=xxx,ou=xxx,dc=xxx,dc=xxx,dc=xxx
Then I did an ldapwhoami -x -D "uid=xxx,ou=xxx,dc=xxx,dc=xxx,dc=xxx" -w secret and it worked fine.

ldapsearch with username and password

Here is my LDAP ORG Structure:
I created user with first, last name with password. But it is not working when am trying to connect using jdbc. Error says invalid credentials. Then I tried ldapsearch as follows:
I followed this process for users and group creation:
root#ip:/home# ldapwhoami
SASL/DIGEST-MD5 authentication started
Please enter your password:
ldap_sasl_interactive_bind_s: Invalid credentials (49)
additional info: SASL(-13): user not found: no secret in database
root#ip:/# ldapsearch -x -LLL -h ip -D username -w password -b"cn=admin,dc=ivhdev,dc=local" -s sub "(objectClass=*)" "givenName=username*"
ldap_bind: Invalid DN syntax (34)
additional info: invalid DN
Please suggest/correct me, if am passing the right info in DN syntax. I am unable to validate the user credentials with their name and password.
The -D option takes the DN for logging in to your LDAP server.
The -b option takes the search base in your LDAP tree where you want to search for the user's given name.
So, your ldapsearch command becomes:
ldapsearch -x -LLL -h ip -D 'cn=admin,dc=ivhdev,dc=local' -w password -b 'dc=users,dc=local' -s sub '(objectClass=*)' 'givenName=username*'
If you use the Apache Directory Studio (http://directory.apache.org/studio/) you can see the actual ldapsearch commands used by the application. Maybe this is useful for anyone.

Setting up Shibboleth IdP with LDAP

I am attempting to use LDAP with Shibboleth. I am nearly there, but I cannot authenticate. I followed these instructions, and my login.config file contains the following:
ShibUserPassAuth {
edu.vt.middleware.ldap.jaas.LdapLoginModule required
host="ldap://localhost:10389" base="ou=users,ou=system"
ssl="false" userField="uid";
};
I have tried several variations of the above.
I can use TestShib to reach my IdP's login page, but always receive "Login failed. Double-check your username and password" when I attempt to authenticate.
This might be easier to debug myself if I could manage to get any authentication log messages, but I can't seem to get those working either.
Note that the following ldapsearch command works perfectly fine:
ldapsearch -h "ldap.example.com:10389" -w testpass -x -D "uid=testuser,ou=users,ou=system" -b "dc=example,dc=com" '(objectclass=*)'
If you could tell me what my problem might be, or at least how to enable logging, that would be very helpful.
I have this working locally. I have taken my working config and replaced my LDAP host and base path with yours from the question above.
ShibUserPassAuth {
edu.vt.middleware.ldap.jaas.LdapLoginModule required
ldapUrl="ldap://localhost:10389"
baseDn="ou=users,ou=system"
userFilter="uid={0}";
};