We Keep Coding

nss_ldap failed to bind to LDAP server

i have configured ldap client (ubuntu 20.04) with nss_ldap to connect on ldap server and accept users in a specific group, it seems that everything is working fine, the client can access the ldap server and ldap users can access the client machine. however i am receiving the following error message when the client connects to ldap server:
systemd-logind: nss_ldap: failed to bind to LDAP server ldap://[IP address]: Can't contact LDAP server
systemd-logind: nss_ldap: reconnecting to LDAP server...
systemd-logind: nss_ldap: could not connect to any LDAP server as cn=admin,dc=example,dc=com - Can't contact LDAP server
systemd-logind: nss_ldap: could not search LDAP server - Server is unavailable
and here is my configuration files:
/etc/ldap.conf
regarding that parameter (nss_initgroups_ignoreusers) is auto-generated.
# The distinguished name of the search base.
base dc=example,dc=com
# Another way to specify your LDAP server is to provide an
uri ldap://[IP address]
# The LDAP version to use (defaults to 3
# if supported by client library)
ldap_version 3
# The distinguished name to bind to the server with
# if the effective user ID is root. Password is
# stored in /etc/ldap.secret (mode 600)
rootbinddn cn=admin,dc=example,dc=com
# Do not hash the password at all; presume
# the directory server will do it, if
# necessary. This is the default.
pam_password md5
nss_initgroups_ignoreusers _apt,backup,bin,clamav,daemon,fwupd-refresh,games,gnats,irc,landscape,list,lp,lxd,mail,man,messagebus,mysql,news,pollinate,proxy,root,sshd,sync,sys,syslog,systemd-coredump,systemd-network,systemd-resolve,systemd-timesync,tcpdump,tss,uucp,uuidd,www-data
/etc/ldap.secret --> contain the password.
/etc/nsswitch.conf
passwd: files ldap systemd
group: files ldap systemd
shadow: files ldap
gshadow: files
hosts: files dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
/etc/pam.d/common-session
# here are the per-package modules (the "Primary" block)
session [default=1] pam_permit.so
# here's the fallback if no module succeeds
session requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
session required pam_permit.so
# The pam_umask module will set the umask according to the system default in
# /etc/login.defs and user settings, solving the problem of different
# umask settings with different shells, display managers, remote sessions etc.
# See "man pam_umask".
session optional pam_umask.so
# and here are more per-package modules (the "Additional" block)
session required pam_unix.so
session optional pam_ldap.so
session optional pam_systemd.so
session required pam_mkhomedir.so skel=/etc/skel umask=0022
/etc/security/access.conf
added this line [ -:ALL EXCEPT root khloud (ldap-group) (admin) ubuntu:ALL EXCEPT LOCAL ]
/etc/pam.d/sshd --> uncomment the following line:
account required pam_access.so
Note:
i tested the connection also with ldapsearch and it works.
i tried to change in nsswitch.conf file or reinstalling nss_ldap client again but i still receiving the same error while everything is working right.

How do you use client certificates when authenticating using SALS External mechanism on OpenLDAP Server?

I have generated client certificates, how do I use the client certificates to authenticate the user to LDAP server just using LDAP utils ldapsearch,ldapmodify? I want a password less authentication process for the user.

The certificate and key settings are documented in the ldap.conf(5) man page. You are looking for the TLS_CERT and TLS_KEY options.
Note that these are documented as user-only options, meaning that they can be set as environment variables (respectively LDAPTLS_CERT and LDAPTLS_KEY) or in a personal ldaprc file, but not in the system-wide ldap.conf file.
With the certificate and key settings, use -Y EXTERNAL with the ldap tools. For example (using the environment variables):
LDAPTLS_CERT=user-cert.pem LDAPTLS_KEY=user-priv.key ldapwhoami -H ldap://server -ZZ -Y EXTERNAL

Enabling TLS in NiFi

I enabled TLS in NiFi by running the below command,
nifi-toolkit/nifi-toolkit-assembly/target/nifi-toolkit-1.4.0-SNAPSHOT-bin/nifi-toolkit-1.4.0-SNAPSHOT/bin/tls-toolkit.sh standalone -n "{my-ip},localhost" -C 'CN={my-ip}' -C 'CN=localhost' -o ./certs
This created the files required for TLS under the directory certs.
I moved the files under the directory certs into the conf folder of the deployment in my machine.
Installed the certificate to my machine's Keychain Access.
Now started the server using bin/nifi.sh start. My server starts, I am able to hit the server, But my request is not authorized.
I am getting the below error,
Not authorized for the requested resource. Contact the system
administrator.

Once TLS is enabled in Apache NiFi, anonymous access is no longer enabled by default. You will need to authenticate as a user in order to access the UI/API. There are three authentication mechanisms available -- client certificates, LDAP, or Kerberos. Once you configure an Initial Admin Identity in $NIFI_HOME/conf/authorizers.xml (this would be the exact CN of the client certificate you issued in the TLS Toolkit command), that user can authenticate and use the user management tools in NiFi to add additional users.
You can find more information in the NiFi Admin Guide. Bryan Bende has also written a detailed walkthrough of the process.
One note about the command you posted above -- I am not sure what your desired output is, but the command is issuing a server certificate for my-ip and another for hostname, but then two client certificates with those DNs as well. In general, you want a server certificate for hostname (possibly with a SAN entry for my-ip), and a client certificate with a DN like CN=alopresto, OU=Apache NiFi.
For example:
./bin/tls-toolkit.sh standalone
-n 'nifi.nifi.apache.org'
--subjectAlternativeNames '123.234.234.123'
-C 'CN=alopresto, OU=Apache NiFi'
-P password
-S password
-B password
-f ...conf/nifi.properties
-o ...conf/

Samba4/LDAP authentication and nginx

Before i start with my problem:
I've got a website which is protected by a reverse proxy (nginx). So the client is not allowed to connect directly to the website. It must connect to nginx and nginx shows then the content of the website.
Now i wanted to add more "security" features. I installed samba4 as it is usable as a AD DC and wanted to use LDAP (which is included in samba4?) to authenticate the clients which are trying to reach the website.
So before a client can actually see the website it must connect to nginx and then authenticate itself (with LDAP credentials) and then it can view the websites content.
I configured nginx with the module ldap_http_authentication (see configuration below) and it is working. When the client tries to view the website i need to login with some LDAP Credentials, but when i try to authenticate the client it just doesn't work. it says that the LDAP credentials are wrong.
How can i add LDAP users when LDAP comes with samba? I just don't know which credentials to use. I added some users to samba like "test" and tried to use their credentials to authenticate, but they don't work as well.
So which credentials do i have to use for "binddn" and "binddn_passwd"? Where do I have to create them or get them?
My nginx ldap configuration:
ldap_server adds {
url "ldap://192.168.50.131/dc=test,dc=dom?sAMAccountName?sub?";
binddn "TEST\\USERNAME";
binddn_passwd "password";
connect_timeout 5s;
bind_timeout 5s;
request_timeout 5s;
require valid_user;
satisfy any;
}
Thanks!
edit:
i tried to add some users with the command:
ldapadd -x -D cn=admin,dc=test,dc=dom -W -f add_user.ldif
but it just returns:
"Enter LDAP Password: ldap_bind: Strong(er) authentication required (8) additional info: BindSimple: Transport encryption required."
Btw: I've never set an LDAP Password, i just installed samba4. That's all!

By default samba4 require start_tls.
For a start you should try to switch the url to ldaps://
Then you need:
if you don't have a certified certificate
ssl_check_cert off
a certificate for the tls transaction
ssl_ca_file /etc/pki/tls/certs/whatever.crt
For ldapXXXXX commands you need the -Z switch
You also need to check that you ldap.conf file contains the URI and BASE:
URI ldaps://ldap.server.com
BASE "dc=domain,dc=example,dc=com"
You also need the 2 following:
a client certificate for the tls transaction
TLS_CACERT=/etc/pki/tls/certs/whatever.crt
What to do if certificate is not valid
TLS_REQCERT allow

Ldap configuration and root connection

Mac: Open Ldap
I am new to Open LDAP, i google it and found that max OS comes with default open ldap installed.
I followed this tutorial MAC Ldap tutorial
Following is my slapd.conf
#######################################################################
# BDB database definitions
#######################################################################
database bdb
suffix "dc=my-domain,dc=com"
rootdn "cn=Manager,dc=my-domain,dc=com"
# Cleartext passwords, especially for the rootdn, should
# be avoid. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw {SSHA}xEYpp/gcd4Mmf6j756LX4kBjSyYyZFz8
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /private/var/db/openldap/openldap-data
# Indices to maintain
index objectClass eq
Now i am using Jxplorere as a client.
I tried following credentials, i don't know what will be user name so i assumed like other apps may be default username is root. and password i used was which i generated.
when i tried to login got following error.
any help is appreciated.

The BaseDN is the suffix, and the username is the rootDN.