I am trying to integrate LDAP authentication to rundeck.
I can query the users using ldapsearch successfully like below
ldapsearch -v -x -D "some_address#myorg.lan" -b "dc=myorg,dc=lan" -H ldap://ldaphost.myorg.lan -w **** "uid=user_1"
which returns:
ldap_initialize( ldap://ldaphost.myorg.lan:389/??base )
filter: uid=user_1
requesting: All userApplication attributes
# extended LDIF
#
# LDAPv3
# base <dc=myorg,dc=lan> with scope subtree
# filter: uid=user_1
# requesting: ALL
#
# user_1#myorg.lan, Users, myorg, Zones, Circular, warehouse, myorg
.lan
dn: CN=user_1#myorg.lan,CN=Users,CN=myorg,CN=Zones,OU=Circular,OU=warehouse,DC=myorg,DC=lan
objectClass: top
objectClass: posixAccount
objectClass: leaf
objectClass: connectionPoint
objectClass: serviceConnectionPoint
cn: user_1#myorg.lan
distinguishedName: CN=user_1#myorg.lan,CN=Users,CN=myorg,CN=Zones,OU=Circular,OU=warehouse,DC=myorg,DC=lan
instanceType: 4
whenCreated: 20190128081317.0Z
whenChanged: 20200128081329.0Z
displayName: $CimsUserVersion5
uSNCreated: 221081209
uSNChanged: 221081209
showInAdvancedViewOnly: TRUE
name: user_1#myorg.lan
objectGUID:: XG234o3+m0iVYGHHJKODVQ==
keywords: parentLink:S-1-5-21-******-*****-*****-1***3
objectCategory: CN=Service-Connection-Point,CN=Schema,CN=Configuration,DC=myorg,DC=lan
dSCorePropagationData: 20210805091319.0Z
dSCorePropagationData: 20210805084748.0Z
dSCorePropagationData: 20210921114113.0Z
dSCorePropagationData: 20210405111238.0Z
dSCorePropagationData: 16020914223649.0Z
uid: user_1
unixHomeDirectory: %{home}/%{user}
uidNumber: 763534041
gecos: %{u:displayName}
loginShell: /bin/bash
gidNumber: 20003
# search reference
ref: ldap://myorg.lan/CN=Configuration,DC=myorg,DC=lan
# search reference
ref: ldap://ForestDnsZones.myorg.lan/DC=ForestDnsZones,DC=myorg,DC=lan
# search reference
ref: ldap://DomainDnsZones.myorg.lan/DC=DomainDnsZones,DC=myorg,DC=lan
# search result
search: 2
result: 0 Success
# numResponses: 5
# numEntries: 1
# numReferences: 3
However, now I am confused which information maps to which parameter in Rundeck's JettyCachingLdapLoginModule. e.g. whether distinguishedName: CN=user_1#myorg.lan,CN=Users,CN=myorg,CN=Zones,OU=Circular,OU=warehouse,DC=myorg,DC=lan is a bindDn, userBaseDn or roleBaseDn?
I don't have direct access to the LDAP server, so only way to retrieve information is through ldapsearch.
It looks like the user name to access the LDAP binDn.
Here you can see all attributes explained.
bindDn: is optional. If not using "binding" authentication, set this to the root DN that should bind, e.g. "cn=Manager,dc=example,dc=com".
userBaseDn: is the base DN to search for users, example: "ou=People,dc=test1,dc=example,dc=com".
roleBaseDN: is the Base DN for role membership search, e.g. "ou=Groups,dc=test1,dc=example,dc=com".
Another great tool to check your LDAP server is Apache Directory Studio.
Related
I got no response when I do ldapsearch like this.
> ldapsearch -x -D "uid=joe,ou=people,dc=example,dc=org" -w joe -b "ou=group,dc=example,dc=org" "(objectclass=*)"
# extended LDIF
#
# LDAPv3
# base <ou=group,dc=example,dc=org> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# search result
search: 2
result: 32 No such object
# numResponses: 1
Openldap log is here
5c10a31c conn=1029 fd=13 ACCEPT from IP=172.17.0.1:34710 (IP=0.0.0.0:389)
5c10a31c conn=1029 op=0 BIND dn="uid=joe,ou=people,dc=example,dc=org" method=128
5c10a31c conn=1029 op=0 BIND dn="uid=joe,ou=people,dc=example,dc=org" mech=SIMPLE ssf=0
5c10a31c conn=1029 op=0 RESULT tag=97 err=0 text=
5c10a31c conn=1029 op=1 SRCH base="ou=group,dc=example,dc=org" scope=2 deref=0 filter="(objectClass=*)"
5c10a31c conn=1029 op=1 SEARCH RESULT tag=101 err=32 nentries=0 text=
5c10a31c conn=1029 op=2 UNBIND
5c10a31c conn=1029 fd=13 closed
this is ldif file for user and group
# People, example.org
dn: ou=people,dc=example,dc=org
ou: people
objectClass: organizationalUnit
# Groups, example.org
dn: ou=group,dc=example,dc=org
ou: group
objectClass: organizationalUnit
dn: uid=joe,ou=people,dc=example,dc=org
objectClass: person
objectClass: inetOrgPerson
uid: joe
cn: Joe Doe
sn: Doe
givenName: Joe
userPassword: joe
description: This is an example user
dn: cn=c3admin,ou=group,dc=example,dc=org
objectClass: groupOfNames
cn: c3admin
member: uid=joe,ou=people,dc=example,dc=org
It seems like binding user and base dn are not correctly setup.
Please give me a advise for solving this problem.
I am using osixia/docker-openldap:1.2.2 for the openldap. and it has auto setting for admin user at "cn=admin,dc=example,dc=org"
docker run -p 389:389 -p 689:689 --name my-openldap-container --detach osixia/openldap:1.2.2
Update
Do search with member filter then got the error.
ldapsearch -x -D "uid=joe,ou=people,dc=example,dc=org" -w joe -b "ou=group,dc=example,dc=org" "(member=uid=joe,ou=people,dc=example,dc=org)"
# extended LDIF
#
# LDAPv3
# base <ou=group,dc=example,dc=org> with scope subtree
# filter: (member=uid=joe,ou=people,dc=example,dc=org)
# requesting: ALL
#
# search result
search: 2
result: 32 No such object
# numResponses: 1
Do search with base DN then got the error.
ldapsearch -x -D "uid=joe,ou=people,dc=example,dc=org" -w joe -b "dc=example,dc=org" "(objectclass=*)"
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=org> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# search result
search: 2
result: 32 No such object
# numResponses: 1
Do search with binding admin dn, then got the 5 entries.
ldapsearch -x -D "cn=admin,dc=example,dc=org" -w admin -b "ou=group,dc=example,dc=org" "(objectclass=)"
# extended LDIF
#
# LDAPv3
# base with scope subtree
# filter: (objectclass=)
# requesting: ALL
#
# group, example.org
dn: ou=group,dc=example,dc=org
ou: group
objectClass: organizationalUnit
# admin, group, example.org
dn: cn=admin,ou=group,dc=example,dc=org
cn: admin
objectClass: groupOfNames
member: uid=john,ou=group,dc=example,dc=org
# john, group, example.org
dn: uid=john,ou=group,dc=example,dc=org
uid: john
givenName: Joe
description: This is an example user
sn: Doe
cn: Joe Doe
objectClass: person
objectClass: inetOrgPerson
userPassword:: am9obg==
# c3admin, group, example.org
dn: cn=c3admin,ou=group,dc=example,dc=org
objectClass: groupOfNames
cn: c3admin
member: uid=joe,ou=people,dc=example,dc=org
# c3viewer, group, example.org
dn: cn=c3viewer,ou=group,dc=example,dc=org
objectClass: groupOfNames
cn: c3viewer
member: uid=tom,ou=people,dc=example,dc=org
# search result
search: 2
result: 0 Success
# numResponses: 6
# numEntries: 5
Your search is asking to return the entries "(objectclass=*)" below the entry "ou=group,dc=example,dc=org".
I am guessing there are none.
To find the members which are within the group ou=group,dc=example,dc=org, use a filter similar to:
"(member=*)"
to find all the entries use:
Filter: "(objectclass=*)"
Base (-b): "dc=example,dc=org"
-jim
A user left the organization, so I removed him from all of his groups. Afterward, he still seems to be in one group but not in the group's members. See below:
[bauron#ldapmaster ~]$ ldapsearch -x -b"dc=domain,dc=com" "(uniqueMember=uid=TARGETUSER,ou=users,dc=domain,dc=com)" dn uniqueMember
# extended LDIF
#
# LDAPv3
# base <dc=domain,dc=com> with scope subtree
# filter: (uniqueMember=uid=TARGETUSER,ou=users,dc=domain,dc=com)
# requesting: dn uniqueMember
#
# jca, roles, groups, domain.com
dn: cn=jca,ou=roles,ou=groups,dc=domain,dc=com
uniqueMember: uid=user1,ou=users,dc=domain,dc=com
uniqueMember: uid=user2,ou=users,dc=domain,dc=com
uniqueMember: uid=user3,ou=users,dc=domain,dc=com
... # rest of list omitted
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
[bauron#ldapmaster ~]$ ldapsearch -x -b"dc=domain,dc=com" "(uniqueMember=uid=TARGETUSER,ou=users,dc=domain,dc=com)" dn uniqueMember | grep TARGETUSER
# filter: (uniqueMember=uid=TARGETUSER,ou=users,dc=domain,dc=com)
[bauron#ldapmaster ~]$
As you can see, grep'ing the list for TARGETUSER fails even though I'm explicitly asking for groups which have TARGETUSER as a uniqueMember. I have no idea how this is possible or what I can do to fix it. Thanks in advance!
I'm trying to add 'mail' attribute to users on my openldap server but somehow it fails.
I tried using ldapmodify but I get this:
ldap_modify: Object class violation (65)
additional info: attribute 'mail' not allowed
Here's how my schema looks like:
# LDIF Export for ou=users,dc=mydomain,dc=com
# Server: (ldap.mydomain.com)
# Search Scope: sub
# Search Filter: (objectClass=*)
# Total Entries: 63
version: 1
# Entry 1: ou=users,dc=mydomain,dc=com
dn: ou=users,dc=mydomain,dc=com
objectclass: organizationalUnit
objectclass: top
ou: users
# Entry 2: uid=tom.hanks,ou=users,dc=mydomain,dc=com
dn: uid=tom.hanks,ou=users,dc=mydomain,dc=com
cn: tom.hanks
description: User account
gecos: tom.hanks
gidnumber: 100
homedirectory: /home/tom.hanks
loginshell: /bin/bash
objectclass: account
objectclass: posixAccount
uid: tom.hanks
uidnumber: 1005
userpassword: blahblah
Include objectclass: iNetOrgPerson to add the mail attribute.
In order to give the user the Attribute mail you first have to add the mail attribute to the user's olcObjectClasses.
This can be done by a modification via an ldif like this:
dn: cn={12345}someName,cn=schema,cn=config
changetype: modify
delete: olcObjectClasses
olcObjectClasses: {1}
-
add: olcObjectClasses
olcObjectClasses: {1}( 1.3.6.1.4.1.12344556.1.1.1 NAME 'yourObjectClassEGAccount' DESC 'some description' SUP inetOrgPerson STRUCTURAL MUST ( requiredparam1 $ requiredParam2 $ reqParam3 ) MAY ( optionalParam1 $ optionalParam2 ) ) )
-
See the documentation for ldapmodify for details: Oracle ldapmodify Doc
The modification is then given to ldap via the following command (command line):
sudo ldapmodify -f filename.ldif
make sure to read the documentation on whether you need further parameters like eg. -h for hostname or -Y for a proxyDN: lmodify Doc
I have configured LDAP server in my ubuntu 12.04 in the same server Cloudera core hadoop service installed . Here i want to integrate cloudera hue with LDAP server.
Following is my LDAP users
root#ip-10-81-160-152:/home/ubuntu# ldapsearch -x -b "dc=gmps,dc=com"
# extended LDIF
#
# LDAPv3
# base <dc=gmps,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# gmps.com
dn: dc=gmps,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
o: gmps
dc: gmps
# admin, gmps.com
dn: cn=admin,dc=gmps,dc=com
cn: admin
description: LDAP administrator
objectClass: simpleSecurityObject
objectClass: organizationalRole
objectClass: uidObject
uid: admin
ou: admin
# aaryan aditya, students, users, gmps.com
dn: cn=aaryan aditya,cn=students,ou=users,dc=gmps,dc=com
cn: aaryan aditya
givenName: aaryan
gidNumber: 500
homeDirectory: /home/users/aditya
sn: aditya
loginShell: /bin/sh
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
uidNumber: 1000
uid: aditya
i use phpldapadmin to login my LDAP server which was working fine ..
My Login DN: cn=admin,dc=gmps,dc=com
I have configured this ldap server in Hue cloudera as
ldap_url : ldap://75.101.250.10
LDAP Username Pattern : "uid=admin,ou=admin,dc=greycampus,dc=com"
user_name_attr: admin
After this i restarted HUE and i just logged into HUE web UI there if click on
Hue ---> Manage Users ---> Sync LDAP users and groups --> Sync
i am not getting any users syced from LDAP server ..
if i click Add/Sync LDAP user .. then enter username and ok .. i am getting
There was an error when communicating with LDAP
{'info': 'invalid DN', 'desc': 'Invalid DN syntax'}
i dont know where i did wrong .. and its still confusing where i have supply my LDAP password .. and how hue communicate with LDAP without password .. kindly any one please help
I can't understand neither your LDAP configuration nor your Hue configuration.
firstly you define your LDAP root, dc=gmps,dc=com, ok.
Next, you define an admin role, which is definitly not a user, just a role.
dn: cn=admin,dc=gmps,dc=com
Finally you define a user, which doesn't seem to be linked to the admin role.
If you don't have any relation defined between a user and a role, it'll be difficult for hue to grant something to your user.
Next, about yourr Hue configuration:
The user should be a parameter of the pattern.
If a user DN is dn: cn=aaryan aditya,cn=students,ou=users,dc=gmps,dc=com, your pattern should be at least something like cn=
Hue webapp substitute by the typed login and make a first request to validate the authentification of your user (aka username/password against the LDAP user information).
To perform the search, you need to define the LDAP base search (dc=gmps,dc=com) and a bind user, authorized user DN to look into your LDAP (for instance, cn=aaryan aditya,cn=students,ou=users,dc=gmps,dc=com)
If you want to limit the global access to just a portion of your LDAP, you can specify an additional filter. When you'll define a relation between users and roles, you'll can restrict the access to the users by their roles.
You have to specify what's the attribute you're considerating to identify the user (in your case, it seems to be cn, so user_name_attr = cn)
To do the mapping between LDAP and Hue permissions, you have to tell Hue which roles are considerated, throw the group_filter. Next you have to specify the attribute of the role which allow to identify the role (in your case, it seems to be cn)
Finally, you have to tell to hue which attribute allows you to link a role to a user (which doesn't seem to be undefined in your configuration)
Next, restarting your cluster, everything should be ok. Syncing your users/group will load users and roles from your LDAP to Hue, next step will be configure each role in HUE to give it the expected permissions.
I have a problem with connecting foswiki to ldap. I want to authenticate users against LDAP directory (as it is stated in the requirements of school seminar work ). But it doesn't work. When I try to login with my name already saved in LDAP, it just writes "Oops: we could not recognize you. Try again or reset your password.". I will be thankful for any help and I will provide any further information necessary.
Foswiki config: http://pastebin.com/NRx4V9Ck
I am trying to login with name MarianBaca and here is the output of
ldapsearch -H ldap://localhost -b dc=bis01,dc=vse,dc=cz -x '(givenName=Marian)'
# extended LDIF
#
# LDAPv3
# base <dc=bis01,dc=vse,dc=cz> with scope subtree
# filter: (givenName=Marian)
# requesting: ALL
#
# MarianBaca, bis01.vse.cz
dn: cn=MarianBaca,dc=bis01,dc=vse,dc=cz
cn: MarianBaca
givenName: Marian
gidNumber: 500
sn: Baca
loginShell: /bin/sh
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
uidNumber: 1000
uid: MarianBaca
homeDirectory: /home/MarianBaca
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
Output of /etc/ldap/ldap.conf
#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
BASE dc=bis01,dc=vse, dc=cz
URI ldap://bis01.vse.cz
#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
# TLS certificates (needed for GnuTLS)
TLS_CACERT /etc/ssl/certs/ca-certificates.crt
Since your pasted foswiki configuration has been removed, I will try to answer to my best knowledge.
I am assuming you are using LdapContrib
Ensure your UserMappingManager is set to Foswiki::Users::LdapUserMapping.
Ensure your PasswordManager is set to something sensible, i.e. Foswiki::Users::LdapPasswduser