I'm using the MeshCentral application and trying to configure LDAP to use groups, but group authentication is not working.
I use OpenLDAP to authenticate Linux systems and workstations.
Here's the configuration I'm using:
api: https://github.com/vesse/node-ldapauth-fork
"ldapOptions": {
    "url": "URL",
    "bindDN": "USERBIND",
    "bindCredentials": "SUPERPASS",
    "searchBase": "ou=test,dc=DC,dc=DC,dc=br",
    "searchFilter": "(&(objectClass=posixAccount)(uid={{username}}))",
    "groupSearchBase": "ou=test,dc=DC,dc=DC,dc=br",
    "groupSearchFilter": "(&(objectClass=posixAccount)(cn=group1)(memberUid={{username}}))",
    "tlsOptions": { "rejectUnauthorized": false }
},
Group1 data for the groupSearchFilter search:
dn: cn=group1,ou=test,dc=DC,dc=DC,dc=br
cn: group1
gidNumber: 11111
objectClass: top
objectClass: posixGroup
memberUid: user1
memberUid: user2
memberUid: user3
What could I be doing wrong in the group query?
I'll try and be concise:
I'm running an Ubuntu Server 20.04 VM. I've installed OpenLDAP and Samba (this is an assignment, so I'm not worrying very much that both are hosted on the same server for the time being). I set Samba up and created my shares; then I set LDAP up and, looking at my LDAP structure, it seems to be working fine. I installed SSSD to bind the two and allow me to authenticate with my Samba credentials, but I'm hitting my head against a brick wall.
I'll explain the steps here:
Installed packages:
slapd ldap-utils samba smbldap-tools locate net-tools fusiondirectory-plugin-samba-schema sssd-ldap phpldapadmin
I followed the procedure at these 2 links:
https://ubuntu.com/server/docs/service-ldap
https://ubuntu.com/server/docs/samba-openldap-backend
And yet, whenever I try to log in from my guest to the server using my LDAP credentials, it just yeets me off. It works if I try to log in as a guest though, so I'm really wondering what the problem is. I've been dealing with it for the past 4 days :(.
I'll post my config files, with all of the sensitive info masked:
smb.conf:
[global]
workgroup = SHELLERATI
netbios name = ldamba
server string = %h server (Samba, Ubuntu)
log file = /var/log/samba/log.%m
max log size = 1000
#ldap idmap suffix = ou=Idmap
idmap config * : range = 10000-199999
#idmap config * : backend = ldapsam:ldapi://server-ip/
logging = syslog#1 /var/log/samba/log.%m
panic action = /usr/share/samba/panic-action %d
server role = standalone server
obey pam restrictions = yes
unix password sync = yes
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
pam password change = yes
#map to guest = bad password
security = domain
realm = ws-samba.it
# LDAP Settings
passdb backend = ldapsam:ldap://server-hostname
ldap suffix = dc=ws-samba,dc=it
ldap user suffix = ou=People
ldap group suffix = ou=Groups
ldap admin dn = cn=admin,dc=ws-samba,dc=it
ldap ssl = no
ldap passwd sync = yes
[docs]
comment = Comment
browseable = yes
path = /mnt/docs
guest ok = yes
read only = yes
create mask = 0700
[hr]
comment = Comment
path = /mnt/hr
browseable = no
read only = no
guest ok = no
create mask = 0755
[devel]
comment = Comment
browseable = yes
path = /mnt/devel
guest ok = no
read only = no
create mask = 0755
[tech]
comment = Comment
browseable = yes
path = /mnt/tech
guest ok = no
read only = no
create mask = 0755
sssd.conf:
[sssd]
config_file_version = 2
domains = ws-samba.it
services = nss, pam, autofs
[nss]
homedir_substring = /home
[pam]
[domain/ws-samba.it]
ldap_autofs_map_object_class = automountMap
ldap_autofs_map_name = ou
ldap_autofs_entry_object_class = automount
ldap_autofs_entry_key = cn
ldap_autofs_entry_value = automountInformation
id_provider = ldap
#autofs_provider = ldap
auth_provider = ldap
ldap_uri = ldap://server-ip/
#cache credentials= True
ldap_search_base = dc=ws-samba,dc=it
smbldap.conf:
SID="{correct-sid}"
sambaDomain="SHELLERATI"
slaveLDAP="server-hostname"
slavePort="389"
masterLDAP="server-hostname"
masterPort="389"
ldapTLS="0"
verify=""
cafile=""
clientcert=""
clientkey=""
suffix="dc=ws-samba,dc=it"
usersdn="ou=People,${suffix}"
computersdn="ou=,${suffix}"
groupsdn="ou=Groups,${suffix}"
idmapdn="ou=Idmap,${suffix}"
sambaUnixIdPooldn="sambaDomainName=SHELLERATI,${suffix}"
scope="sub"
hash_encrypt="SSHA"
crypt_salt_format=""
userLoginShell="/bin/false"
userHome="/home/%U"
userHomeDirectoryMode="700"
userGecos="System User"
defaultUserGid="513"
defaultComputerGid="515"
skeletonDir="/etc/skel"
defaultMaxPasswordAge="45"
userSmbHome="\\ldamba\%U"
userProfile="\\ldamba\profiles\%U"
userHomeDrive=""
userScript=""
mailDomain=""
with_smbpasswd="0"
smbpasswd="/usr/bin/smbpasswd"
with_slappasswd="0"
slappasswd="/usr/sbin/slappasswd"
Last, and I don't know if I'm making it any easier for you, my LDAP structure:
dn: ou=People,dc=ws-samba,dc=it
objectClass: organizationalUnit
ou: hr
dn: ou=Groups,dc=ws-samba,dc=it
objectClass: organizationalUnit
ou: hr
dn: cn=employees,ou=Groups,dc=ws-samba,dc=it
objectClass: posixGroup
cn: employees
gidNumber: 5000
dn: cn=hr,ou=Groups,dc=ws-samba,dc=it
objectClass: posixGroup
cn: hr
gidNumber: 5001
dn: cn=tech,ou=Groups,dc=ws-samba,dc=it
objectClass: posixGroup
cn: tech
gidNumber: 5002
dn: cn=devel,ou=Groups,dc=ws-samba,dc=it
objectClass: posixGroup
cn: devel
gidNumber: 5003
dn: uid=panna,ou=People,dc=ws-samba,dc=it
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: panna
sn: surname
givenName: name
cn: name-surname
displayName: name-surname
uidNumber: 10001
gidNumber: 5002
userPassword: password
loginShell: /bin/false
homeDirectory: /home/panna
dn: uid=marcoz,ou=People,dc=ws-samba,dc=it
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: marcoz
sn: surname
givenName: name
cn: name surname
displayName: name surname
uidNumber: 10002
gidNumber: 5003
userPassword: password
loginShell: /bin/false
homeDirectory: /home/marcoz
dn: uid=pmarco,ou=People,dc=ws-samba,dc=it
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: pmarco
sn: surname
givenName: name
cn: name surname
displayName: name surname
uidNumber: 10003
gidNumber: 5001
userPassword: password
loginShell: /bin/false
homeDirectory: /home/pmarco
I manually created the home directories for my 3 users, and checking the password, it matches the one in my possession. If I launch smbldap-useradd -a panna it tells me that it already exists, but when I run a search on my local machine, it doesn't exist.
As of now, if I try to run an ldapsearch, it finds any parameter I look for, but running pdbedit -L returns blanks, and I really don't know where to look anymore. Needless to say, whenever I try to reach my shares, I find them as guest, but when I try to log in to any share other than the [docs] one, it gives me:
$ smbclient //server-ip/tech -U panna
Password for [SHELLERATI\panna]:
session setup failed: NT_STATUS_NO_LOGON_SERVERS
I'm sorry for the long post, and I'm grateful in advance for your attention.
Cheers!
I tried manually editing all of these 3 conf files, following many guides online, studying the LDAP structure, obviously rebooting and/or restarting services, changing user, changing password, adding a user locally to the machine; nothing worked.
I set up a CentOS 8 server as an OpenLDAP server with Kerberos auth, and I'm not able to get LDAP users remotely.
#server:
[15:04 root#server ~] > ldapsearch -x -b "dc=bravo,dc=lab" -H ldap:/// -D "cn=admin,dc=bravo,dc=lab" -W
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <dc=bravo,dc=lab> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# bravo.lab
dn: dc=bravo,dc=lab
objectClass: dcObject
objectClass: organization
objectClass: top
o: bravo
dc: bravo
# groups, bravo.lab
dn: ou=groups,dc=bravo,dc=lab
objectClass: organizationalUnit
objectClass: top
ou: groups
# people, bravo.lab
dn: ou=people,dc=bravo,dc=lab
objectClass: organizationalUnit
objectClass: top
ou: people
# kb_user01, people, bravo.lab
dn: uid=kb_user01,ou=people,dc=bravo,dc=lab
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: kb_user01
cn: John
sn: Doe
loginShell: /bin/bash
uidNumber: 10000
gidNumber: 10000
homeDirectory: /home/kb_user01
userPassword:: e1NTSEF9S3hGUnozUnUzTVMxZXQvNDVLdFFYSHVWVU4vajV1MVI=
# kb_user01, groups, bravo.lab
dn: cn=kb_user01,ou=groups,dc=bravo,dc=lab
objectClass: posixGroup
cn: kb_user01
gidNumber: 10000
memberUid: kb_user01
# kb_user02, people, bravo.lab
dn: uid=kb_user02,ou=people,dc=bravo,dc=lab
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: kb_user02
cn: Adam
sn: blanc
loginShell: /bin/bash
uidNumber: 10001
gidNumber: 10001
homeDirectory: /home/kb_user02
userPassword:: e1NTSEF9SUFrSkUvQmZObHdlSmpUblFaMWxjMWRMR1k3MFh5Nlg=
# kb_user02, groups, bravo.lab
dn: cn=kb_user02,ou=groups,dc=bravo,dc=lab
objectClass: posixGroup
cn: kb_user02
gidNumber: 10001
memberUid: kb_user02
# system, bravo.lab
dn: ou=system,dc=bravo,dc=lab
objectClass: organizationalUnit
objectClass: top
ou: system
# readonly, system, bravo.lab
dn: cn=readonly,ou=system,dc=bravo,dc=lab
objectClass: organizationalRole
objectClass: simpleSecurityObject
cn: readonly
userPassword:: e1NTSEF9M3lSV2wzdkhpc0UzR2w3d3JqMDR4dTF6R3NDajB3Rm4g
description: Bind DN user for LDAP Operations
# search result
search: 2
result: 0 Success
# numResponses: 10
# numEntries: 9
I created the user readonly to query the LDAP database with this access:
[15:16 root#server ~] > ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=config '(olcDatabase={1}mdb)' olcAccess
dn: olcDatabase={1}mdb,cn=config
olcAccess: {0}to attrs=userPassword,shadowLastChange by dn="cn=admin,ou=People,dc=bravo,dc=lab" write by dn="cn=readonly,ou=People,dc=bravo,dc=lab" read by self write by anonymous auth by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=admin,ou=People,dc=bravo,dc=lab" write by dn="cn=readonly,ou=People,dc=bravo,dc=lab" read by self write by anonymous auth by * none
Client nslcd configuration:
uri ldap://server.bravo.lab/
base dc=bravo,dc=lab
binddn cn=readonly,ou=People,dc=bravo,dc=lab
When I launch this, it does not work:
id kb_user01
I get this on the server:
Oct 7 15:26:28 server slapd[114988]: conn=1312 fd=17 ACCEPT from IP=10.0.0.111:48728 (IP=0.0.0.0:389)
Oct 7 15:26:28 server slapd[114988]: conn=1312 op=0 BIND dn="cn=readonly,ou=People,dc=bravo,dc=lab" method=128
Oct 7 15:26:28 server slapd[114988]: conn=1312 op=0 RESULT tag=97 err=53 text=unauthenticated bind (DN with no password) disallowed
Oct 7 15:26:28 server slapd[114988]: conn=1312 op=1 UNBIND
Oct 7 15:26:28 server slapd[114988]: conn=1312 fd=17 closed
Do you have any idea? From my point of view I would like to grant read access without a password, but I still get the error.
Please help, thanks and best regards.
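Reading conn/op pairs by hand, as the post does above, scales badly. The following is an added example, not code from the post: it joins slapd's stats-level log lines so that each BIND is paired with its RESULT, and failed binds can be listed together with the client address. The first five sample lines are the ones posted; the conn=1313 lines are constructed to show what a successful simple bind looks like next to the failure.

```python
"""Join slapd stats-level log lines into per-operation bind results.

Added example, not code from the post. slapd logs one line per protocol
event keyed by conn=N and op=M; joining the BIND line to the RESULT line
with the same key recovers who tried to bind, from which address, and how
it failed. The first five sample lines are the ones in the post; the
conn=1313 lines are constructed to show a successful simple bind.
"""
import re
from collections import namedtuple

LINE_RE = re.compile(r"slapd\[\d+\]: conn=(?P<conn>\d+) (?P<rest>.*)$")
ACCEPT_RE = re.compile(r"fd=\d+ ACCEPT from IP=(?P<ip>[\d.]+):\d+")
BIND_RE = re.compile(r'op=(?P<op>\d+) BIND dn="(?P<dn>[^"]*)" method=(?P<method>\d+)')
RESULT_RE = re.compile(r"op=(?P<op>\d+) RESULT tag=(?P<tag>\d+) err=(?P<err>\d+) text=(?P<text>.*)")

# method=128 is a simple bind; tag=97 is a BindResponse (RFC 4511).
BindResult = namedtuple("BindResult", "conn client dn method err text")

def correlate_binds(lines):
    """Return one BindResult per BIND that received a RESULT, in log order."""
    clients, pending, results = {}, {}, []
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        conn, rest = m.group("conn"), m.group("rest")
        accept = ACCEPT_RE.match(rest)
        if accept:
            clients[conn] = accept.group("ip")      # remember the peer per connection
            continue
        bind = BIND_RE.match(rest)
        if bind:
            pending[(conn, bind.group("op"))] = (bind.group("dn"), int(bind.group("method")))
            continue
        result = RESULT_RE.match(rest)
        if result and (conn, result.group("op")) in pending:
            dn, method = pending.pop((conn, result.group("op")))
            results.append(BindResult(conn, clients.get(conn, "?"), dn, method,
                                      int(result.group("err")), result.group("text").strip()))
    return results

def failed_binds(lines):
    """Bind results with a non-zero LDAP result code
    (49 invalidCredentials, 53 unwillingToPerform, ...)."""
    return [r for r in correlate_binds(lines) if r.err != 0]

SAMPLE_LOG = """\
Oct 7 15:26:28 server slapd[114988]: conn=1312 fd=17 ACCEPT from IP=10.0.0.111:48728 (IP=0.0.0.0:389)
Oct 7 15:26:28 server slapd[114988]: conn=1312 op=0 BIND dn="cn=readonly,ou=People,dc=bravo,dc=lab" method=128
Oct 7 15:26:28 server slapd[114988]: conn=1312 op=0 RESULT tag=97 err=53 text=unauthenticated bind (DN with no password) disallowed
Oct 7 15:26:28 server slapd[114988]: conn=1312 op=1 UNBIND
Oct 7 15:26:28 server slapd[114988]: conn=1312 fd=17 closed
Oct 7 15:27:02 server slapd[114988]: conn=1313 fd=18 ACCEPT from IP=10.0.0.111:48730 (IP=0.0.0.0:389)
Oct 7 15:27:02 server slapd[114988]: conn=1313 op=0 BIND dn="cn=readonly,ou=system,dc=bravo,dc=lab" method=128
Oct 7 15:27:02 server slapd[114988]: conn=1313 op=0 BIND dn="cn=readonly,ou=system,dc=bravo,dc=lab" mech=SIMPLE ssf=0
Oct 7 15:27:02 server slapd[114988]: conn=1313 op=0 RESULT tag=97 err=0 text=
Oct 7 15:27:02 server slapd[114988]: conn=1313 op=1 UNBIND
""".splitlines()

if __name__ == "__main__":
    for r in failed_binds(SAMPLE_LOG):
        print("conn=%s %s %s err=%d %s" % (r.conn, r.client, r.dn, r.err, r.text))
```

err=53 is unwillingToPerform, and the text field gives the reason: the client sent a non-empty DN with an empty password, which slapd refuses by default. The posted nslcd configuration has a binddn line but no bindpw, so that is exactly the bind that went out; the ACL on the server never came into play. On the server side, a run of these records from one address is a cheap thing to alert on, since it almost always means a misconfigured client retrying.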
Finally I got it.
I made three mistakes:
1: On the client side (nslcd configuration) the right binddn was
binddn cn=readonly,ou=***SYSTEM***,dc=bravo,dc=lab
2: On the client side (nslcd configuration) in bindpw I put the hashed password instead of the cleartext one.
3: The same mistake as #1, but this time in the ACL of the LDAP server:
by dn="cn=readonly,ou=***SYSTEM***,dc=bravo,dc=lab" read by self write
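The second mistake is worth spelling out. As an added illustration (not code from the thread), the following decodes the base64-wrapped userPassword values that appear in the ldapsearch output above and verifies a constructed cleartext against an {SSHA} value the way slapd does. The posted hashes are only decoded; their cleartexts are unknown and are not guessed at.

```python
"""Decode an LDIF base64 userPassword and verify a cleartext against {SSHA}.

Added example, not code from the thread. In the ldapsearch output the
userPassword lines use a double colon, which in LDIF means the value is
base64-wrapped (RFC 2849 requires that for values that are not safe ASCII
or that end in a space). Unwrapping gives "{SSHA}<base64(SHA-1(password ||
salt) || salt)>": a salted digest, not the password. slapd hashes whatever
the client sends and compares digests, so a bindpw holding the hash string
can never verify; only the cleartext does. The password below is constructed.
"""
import base64
import hashlib
import hmac
import os

def ldif_value(line):
    """Attribute value from one LDIF line; 'attr:: <b64>' is decoded."""
    _, _, value = line.partition(":")
    if value.startswith(":"):
        return base64.b64decode(value[1:].strip()).decode("utf-8")
    return value.strip()

def ssha_hash(password, salt=None):
    """Build an OpenLDAP-style {SSHA} value; slappasswd uses a 4-byte salt."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")

def ssha_verify(password, stored):
    """Check a cleartext against a {SSHA} value the way slapd does."""
    stored = stored.strip()                    # wrapped values may end in a space
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]          # SHA-1 digests are 20 bytes
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)

# The readonly entry's line from the post; its cleartext is unknown.
POSTED_READONLY = "userPassword:: e1NTSEF9M3lSV2wzdkhpc0UzR2w3d3JqMDR4dTF6R3NDajB3Rm4g"

def decoded_posted_scheme():
    """Scheme prefix of the posted value once base64-unwrapped."""
    return ldif_value(POSTED_READONLY)[:6]

if __name__ == "__main__":
    print(ldif_value(POSTED_READONLY))
    stored = ssha_hash("constructed-password")
    print(stored, ssha_verify("constructed-password", stored), ssha_verify(stored, stored))
```

Feeding the stored string back in as the password (the last call above) fails just like any other wrong password, which is what the poster saw once the binddn was right.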
I'm trying to get the dynamic memberOf attribute to work in my in-memory LDAP server. I'm using the standard edition of UnboundID.
I tried with the following .ldif files to check whether it is activated by default:
base.ldif:
dn: dc=example,dc=com
objectclass: domain
dc: example
dn: ou=Group,dc=example,dc=com
objectclass: organizationalUnit
ou: Group
dn: ou=People,dc=example,dc=com
objectclass: organizationalUnit
ou: People
dn: uid=test1,ou=People,dc=example,dc=com
objectclass: account
uid: test1
#Group 1.1
dn: cn=testUndergroup,ou=Group,dc=example,dc=com
objectclass: groupOfNames
cn: testUndergroup
#Group 1
dn: cn=testgroup,ou=Group,dc=example,dc=com
objectclass: groupOfNames
cn: testgroup
modify.ldif:
dn: cn=testgroup,ou=Group,dc=example,dc=com
changetype: modify
add: member
member: uid=test1,ou=People,dc=example,dc=com
When I do this LDAP search:
search:
ldapsearch --hostname localhost --port 3268 --baseDN dc=example,dc=com "(uid=test1)" memberOf
I don't get the memberOf in the answer:
# Connected to localhost:3268
dn: uid=test1,ou=People,dc=example,dc=com
# The search operation was processed successfully.
# Entries returned: 1
# References returned: 0
# Disconnected from the server
So it isn't activated by default.
How can I activate the memberOf attribute in UnboundID?
BTW: I cannot use dynamic groups like the ones mentioned here.
The in-memory directory server shipped with the LDAP SDK does not support groups. The document that you are referencing on our community portal refers to the UnboundID Directory Server - which is a commercial product and distinct from the in-memory directory server. You can request a free trial download to the UnboundID Directory Server through the main website (https://www.unboundid.com or https://www.pingidentity.com). I hope this helps.
I am using OpenLDAP to create a simple user and a simple group.
dn: cn=User2 Engineer,ou=users,dc=example,dc=net
cn: User2 Engineer
gidnumber: 501
givenname: User2
homedirectory: /home/users/u2engineer
loginshell: /bin/sh
objectclass: inetOrgPerson
objectclass: posixAccount
objectclass: top
sn: Engineer
uid: u2engineer
uidnumber: 1002
userpassword: {MD5}xxxxxxx
# Entry 1: cn=network engineers,ou=groups,dc=example,dc=net
dn: cn=network engineers,ou=groups,dc=example,dc=net
cn: network engineers
gidnumber: 501
memberuid: user1ene
memberuid: u2engineer
objectclass: posixGroup
objectclass: top
I would like to relate the user to the group by adding the memberOf attribute to the user entry.
That means I need to add the groupOfNames objectClass to the user; groupOfNames is in core.schema.
But I can't add that objectClass to the user, neither via phpLDAPadmin nor via ldapmodify.
I got this error:
LDAP said: Object class violation
Error number: 0x41 (LDAP_OBJECT_CLASS_VIOLATION)
I am sure that core.schema has been imported into OpenLDAP successfully.
What is the possible cause?
How can I add the memberOf attribute to users?
Thanks!
-SG-
You can't. The memberOf attribute is an operational attribute maintained automatically by the memberof overlay. You can't set it yourself.
Adding the groupOfNames object class to the user entry doesn't make sense either. That object class is for, err, groups of names, such as roles, and it has a member attribute to which you add the DN of the user. Then the memberOf attribute of the user is automatically updated to include the DN of the group.
You're doing this all back to front.
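This answer and the UnboundID one above say the same thing from two angles: memberOf is derived by the server from the member attribute of groupOfNames entries (the OpenLDAP memberof overlay), or it is not there at all (the in-memory server). The following added example, not code from either thread, computes memberOf client-side from LDIF in the same way. The LDIF is the base.ldif from the UnboundID post with the member from modify.ldif folded in, plus the posixGroup and user from this question, which shows why a memberUid group yields no memberOf.

```python
"""Derive memberOf from group entries, as the OpenLDAP memberof overlay does.

Added example, not code from either answer above. The memberof overlay keeps
the operational attribute memberOf on every entry whose DN appears in the
member attribute of an entry of the group object class (defaults: member and
groupOfNames). Doing the same thing client-side shows that memberOf is
derived, never written directly, and only appears where a DN-valued member
attribute names the entry. The LDIF is the base.ldif from the UnboundID post
with the member from modify.ldif folded in, plus the posixGroup and user from
the OpenLDAP question.
"""

def parse_ldif(text):
    """Minimal LDIF reader: records separated by blank lines, 'attr: value'
    lines, '#' comments skipped, leading-space continuation lines folded.
    Attribute names are lower-cased; '::' base64 values are not handled."""
    folded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and folded:
            folded[-1] += raw[1:]
        else:
            folded.append(raw)
    entries, current = [], {}
    for line in folded + [""]:
        if line.startswith("#"):
            continue
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    return entries

def compute_member_of(entries, group_oc="groupOfNames", member_attr="member"):
    """Map each entry DN to the sorted list of group DNs that list it.
    member_attr must hold DNs; memberUid (posixGroup) holds login names, so
    such groups contribute nothing, as with the real overlay, which needs a
    DN-syntax member attribute."""
    by_dn = {e["dn"][0].lower(): e["dn"][0] for e in entries}
    result = {}
    for e in entries:
        classes = [oc.lower() for oc in e.get("objectclass", [])]
        if group_oc.lower() not in classes:
            continue
        for member_dn in e.get(member_attr.lower(), []):
            key = member_dn.lower()
            if key in by_dn:                      # dangling DNs are ignored
                result.setdefault(by_dn[key], []).append(e["dn"][0])
    return {dn: sorted(groups) for dn, groups in result.items()}

# Constructed from the LDIF in the two posts.
SAMPLE_LDIF = """\
dn: dc=example,dc=com
objectclass: domain
dc: example

dn: ou=Group,dc=example,dc=com
objectclass: organizationalUnit
ou: Group

dn: ou=People,dc=example,dc=com
objectclass: organizationalUnit
ou: People

dn: uid=test1,ou=People,dc=example,dc=com
objectclass: account
uid: test1

#Group 1.1
dn: cn=testUndergroup,ou=Group,dc=example,dc=com
objectclass: groupOfNames
cn: testUndergroup

#Group 1, with the member added by modify.ldif
dn: cn=testgroup,ou=Group,dc=example,dc=com
objectclass: groupOfNames
cn: testgroup
member: uid=test1,ou=People,dc=example,dc=com

# posixGroup from the OpenLDAP question: memberUid is a name, not a DN
dn: cn=network engineers,ou=groups,dc=example,dc=net
objectclass: posixGroup
memberuid: u2engineer

dn: cn=User2 Engineer,ou=users,dc=example,dc=net
objectclass: inetOrgPerson
objectclass: posixAccount
uid: u2engineer
"""

MEMBER_OF = compute_member_of(parse_ldif(SAMPLE_LDIF))
```

With the defaults only uid=test1 gets a memberOf, pointing at cn=testgroup. Pointing the function at posixGroup/memberUid instead still returns nothing, because those values are login names rather than DNs; the OpenLDAP question's user would need to be listed by DN in a groupOfNames (or the server configured for another DN-valued group type) for memberOf to appear.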
I have several entries in my LDAP directory with different object classes specified:
dn: uid=user1,ou=users,dc=exampleCompany,dc=com
uid: user1
objectClass: user
objectClass: developer
cn: User1 User
dn: uid=user2,ou=users,dc=exampleCompany,dc=com
uid: user2
objectClass: user
objectClass: administrator
cn: User2 User
dn: uid=user3,ou=users,dc=exampleCompany,dc=com
uid: user3
objectClass: user
objectClass: developer
objectClass: administrator
cn: User3 User
dn: uid=user4,ou=users,dc=exampleCompany,dc=com
uid: user4
objectClass: anotherClass
cn: User4 User
I want to query all that don't have objectClass: developer, regardless of the other object classes they have.
I tried:
ldapsearch -x -b ou=users,dc=exampleCompany,dc=com "(&(objectClass=*)(!(objectClass=developer)))"
but I got:
dn: ou=users,dc=exampleCompany,dc=com
objectClass: organizationalUnit
ou: users
# search result
search: 2
result: 0 Success
What would be the correct query?
As you have but without the & and the (objectClass=*) part.
You also need to specify a subtree search.
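As an added example that is not code from any post on this page, here is a small filter and scope evaluator that serves two of the questions above: the MeshCentral one at the top (which entries the posted groupSearchFilter can match) and this one (which entries survive a negated objectClass filter under each search scope). The entries are constructed from the LDIF shown in those two posts. The grammar covered is the RFC 4515 subset used on this page, and every equality match is treated as case-insensitive, which is a simplification (right for objectClass, cn and uid, not for every attribute).

```python
"""Evaluate LDAP filters and search scopes against in-memory entries.

Added example, not code from any post. Grammar covered: (&..), (|..), (!..),
(attr=value) and presence (attr=*). Simplification: every equality match is
case-insensitive (true for objectClass, cn, uid; not for every attribute).
"""
import re

ITEM_RE = re.compile(r"([A-Za-z][\w;.-]*)=(.*)")

def parse_filter(text):
    """Parse an RFC 4515 filter string into a tuple tree."""
    text = text.strip()
    if len(text) < 3 or text[0] != "(" or text[-1] != ")":
        raise ValueError("filter must be parenthesised: %r" % text)
    body = text[1:-1]
    if body[0] in "&|!":
        op, rest, parts, depth, start = body[0], body[1:], [], 0, 0
        for i, ch in enumerate(rest):
            if ch == "(":
                if depth == 0:
                    start = i
                depth += 1
            elif ch == ")":
                depth -= 1
                if depth == 0:
                    parts.append(parse_filter(rest[start:i + 1]))
        if depth != 0 or not parts or (op == "!" and len(parts) != 1):
            raise ValueError("malformed filter: %r" % text)
        return (op, parts)
    m = ITEM_RE.fullmatch(body)
    if not m:
        raise ValueError("unsupported filter item: %r" % body)
    attr, value = m.groups()
    return ("present", attr) if value == "*" else ("eq", attr, value)

def values(entry, attr):
    """Attribute values looked up by case-insensitive name ([] if absent)."""
    for name, vals in entry["attrs"].items():
        if name.lower() == attr.lower():
            return vals
    return []

def matches(node, entry):
    kind = node[0]
    if kind == "&":
        return all(matches(p, entry) for p in node[1])
    if kind == "|":
        return any(matches(p, entry) for p in node[1])
    if kind == "!":
        return not matches(node[1][0], entry)
    if kind == "present":
        return bool(values(entry, node[1]))
    _, attr, value = node
    return any(v.lower() == value.lower() for v in values(entry, attr))

def in_scope(dn, base, scope):
    """base: the base entry only; one: its direct children; sub: base + all below."""
    dn, base = dn.lower(), base.lower()
    if dn == base:
        return scope in ("base", "sub")
    if scope == "base" or not dn.endswith("," + base):
        return False
    below = dn[: -len(base) - 1]               # RDNs between entry and base
    return scope == "sub" or "," not in below  # assumes no escaped commas

def search(entries, base, scope, filter_text):
    """DNs of entries in scope that satisfy the filter, in directory order."""
    node = parse_filter(filter_text)
    return [e["dn"] for e in entries if in_scope(e["dn"], base, scope) and matches(node, e)]

# Entries constructed from the LDIF shown in the MeshCentral post and the last post.
GROUP1 = {"dn": "cn=group1,ou=test,dc=DC,dc=DC,dc=br",
          "attrs": {"cn": ["group1"], "gidNumber": ["11111"],
                    "objectClass": ["top", "posixGroup"],
                    "memberUid": ["user1", "user2", "user3"]}}
USERS_BASE = "ou=users,dc=exampleCompany,dc=com"

def _user(uid, *classes):
    return {"dn": "uid=%s,%s" % (uid, USERS_BASE),
            "attrs": {"uid": [uid], "objectClass": list(classes), "cn": ["%s User" % uid.capitalize()]}}

USERS = [{"dn": USERS_BASE, "attrs": {"objectClass": ["organizationalUnit"], "ou": ["users"]}},
         _user("user1", "user", "developer"),
         _user("user2", "user", "administrator"),
         _user("user3", "user", "developer", "administrator"),
         _user("user4", "anotherClass")]

def group_filter_results(username):
    """Posted groupSearchFilter vs. the same filter with posixGroup, against group1."""
    posted = "(&(objectClass=posixAccount)(cn=group1)(memberUid=%s))" % username
    posix_group = "(&(objectClass=posixGroup)(cn=group1)(memberUid=%s))" % username
    return {"posted": matches(parse_filter(posted), GROUP1),
            "posixGroup": matches(parse_filter(posix_group), GROUP1)}

def non_developers(scope, filter_text="(!(objectClass=developer))"):
    """DNs under ou=users without objectClass developer, for the given scope."""
    return search(USERS, USERS_BASE, scope, filter_text)
```

Against the group1 entry, the posted filter matches for no username, because the entry's object classes are top and posixGroup, while the posixGroup variant matches for user1, user2 and user3. Under ou=users, (!(objectClass=developer)) is true for the ou entry itself as well as for user2 and user4: a base-scope search returns only the ou entry, which is what the post's output shows, and a subtree search returns all three. Wrapping the filter in (&(objectClass=*)...) changes nothing, as the answer says.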