How to use GSS-SPNEGO for ldapsearch bind - ldap

I would like to use ldapsearch for an authentication test against a remote Windows server from a Linux instance (Amazon Linux OS). Kerberos bind is working via GSSAPI installed from the package cyrus-sasl-gssapi; is there an equivalent package that can be used for GSS-SPNEGO? I would like the ability to fall back to NTLM authentication in case Kerberos is not working.
The server supports both GSSAPI and GSS-SPNEGO but from the client side it appears that GSS-SPNEGO is not available. Output from ldapsearch is shown below:
ldapsearch -H "ldap://$HOST_NAME" -b "" -s base -Y GSS-SPNEGO
ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
additional info: SASL(-4): no mechanism available: No worthy mechs found
Using cyrus-sasl-ntlm did not work because it appears the server does not support this:
ldapsearch -H "ldap://$HOST_NAME" -b "" -s base -Y NTLM
SASL/NTLM authentication started
ldap_sasl_interactive_bind_s: Authentication method not supported (7)
additional info: 00002027: LdapErr: DSID-0C0905ED, comment: Invalid Authentication method, data 0, v2580
Is it possible to use SPNEGO bind with ldapsearch? Or is there another way to authenticate over NTLM?

@Grant,
You need to change the -Y option to "-Y GSSAPI".
For example:
ldapsearch -H ldap://example.com -b 'DC=example,DC=com' -Y GSSAPI
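As an added example that is not part of this thread: a small POSIX shell helper that picks the -Y mechanism from what the server advertises in its rootDSE and what the local Cyrus SASL client plugins provide, instead of guessing. The rootDSE output and the client plugin list are constructed samples, and the pluginviewer command name is an assumption for your distribution.

```shell
#!/bin/sh
# Added example (not from this thread): choose the first SASL mechanism that
# BOTH the server advertises (rootDSE supportedSASLMechanisms) and the local
# Cyrus SASL client plugins provide. Inputs here are constructed; on a real
# host the server list comes from
#   ldapsearch -x -H "ldap://$HOST_NAME" -b "" -s base supportedSASLMechanisms
# and the client list from "pluginviewer -c" (binary name is an assumption).

# Preference order from the question: Kerberos first, then SPNEGO, then NTLM.
PREFERRED="GSSAPI GSS-SPNEGO NTLM DIGEST-MD5"

# Constructed rootDSE output in the shape an AD domain controller returns.
SERVER_ROOTDSE='dn:
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: GSS-SPNEGO
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: DIGEST-MD5'

# Constructed client plugin list: only cyrus-sasl-gssapi installed, so
# GSS-SPNEGO is missing, which is the "No worthy mechs found" situation.
CLIENT_MECHS="GSSAPI EXTERNAL"

# server_mechs LDIF: print one mechanism name per line from rootDSE output.
server_mechs() {
    printf '%s\n' "$1" | sed -n 's/^supportedSASLMechanisms: *//p'
}

# mech_available MECH LIST: succeed if MECH is one of the words in LIST.
mech_available() {
    for m in $2; do [ "$m" = "$1" ] && return 0; done
    return 1
}

# pick_sasl_mech ROOTDSE CLIENT_LIST: print the first preferred mechanism that
# both sides support; print nothing and fail when there is none.
pick_sasl_mech() {
    srv=$(server_mechs "$1")
    for want in $PREFERRED; do
        if mech_available "$want" "$srv" && mech_available "$want" "$2"; then
            printf '%s\n' "$want"
            return 0
        fi
    done
    return 1
}

# With only the GSSAPI plugin on the client this yields GSSAPI, i.e. "-Y GSSAPI".
mech=$(pick_sasl_mech "$SERVER_ROOTDSE" "$CLIENT_MECHS") || { echo "no common SASL mechanism" >&2; exit 1; }
echo "ldapsearch -H \"ldap://\$HOST_NAME\" -b '' -s base -Y $mech"
```

If the server advertises GSS-SPNEGO but the helper never selects it, the gap is on the client side (the plugin is not installed), which is exactly the symptom in the question.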

Related

use ldapsearch gssapi ldap_sasl_interactive_bind_s error

Using the command ldapsearch -Y GSSAPI -h ihuorong.com -U zxx@xx.com -w 'Abc123qwe' -b 'DC=ihuorong,DC=com' '(objectClass=computer)' to bind to a Windows LDAP server, I get this error message:
"ldap_sasl_interactive_bind_s: Local error (-2)
additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available (default cache: KEYRING:persistent:0))"
But Windows LDAPAdmin can connect to the server using GSSAPI.
So it's weird.

OpenLDAP SASL Authentication

I'm setting up this authentication through OpenLDAP:
OpenLDAP -> Pass-through (External authentication) -> SASL -> PAM -> RSA Agent
in order to access an application via an RSA token.
Starting from the bottom to the top:
This is my PAM configuration:
#%PAM-1.0
auth required pam_securid.so
account sufficient pam_ldap.so
account include password-auth
password sufficient pam_ldap.so
password include password-auth
This test works great:
[root@ldap ~]# testsaslauthd -u goingsolo -p 11111111
0: OK "Success."
OpenLDAP is correctly configured to work with SASL authentication in PLAIN:
[root@ldap /]# ldapsearch -h localhost -b "" -LLL -s base supportedSASLMechanisms -x
dn:
supportedSASLMechanisms: PLAIN
The userPassword of my goingsolo user is set to {SASL}goingsolo, and if I do a SASL bind it works:
[root@datap-keldap-1-n01 /]# ldapsearch -h localhost -b dc=ldap,dc=com -U "goingsolo" -w 11111111
SASL/PLAIN authentication started
0: OK "Success."
The problem is when I perform a simple bind with -D instead of -U, I receive invalid credentials:
[root@datap-keldap-1-n01 /]# ldapsearch -h localhost -b dc=ldap,dc=com -D "cn=goingsolo,ou=People,dc=ldap,dc=com" -w 11111111
ldap_bind: Invalid credentials (49)
Also, when performing a SASL bind with the full DN, the authentication fails, as shown in /var/log/messages:
Mar 27 19:01:00 ldap saslauthd[11777]: do_auth : auth failure: [user=cn=goingsolo,ou=People,dc=ldap,dc=com] [service=ldap] [realm=] [mech=pam] [reason=PAM auth error]
I guess this is because it does not translate the full DN to the simple user name (goingsolo).
Any tips on what I should check?
The problem was how OpenLDAP was built (I guess it was compiled wrongly). I tried reinstalling it and then it worked. Be sure the SASL mechanism is set to PLAIN.

LDAP over startTLS

I'm going to set up a TLS connection for LDAP. I have followed this link, which uses the GnuTLS tool for generating self-signed certificates.
Slapd starts well.
When I run the command:
ldapsearch -x -b "dc=platalytics,dc=com" -H 'ldaps://122.129.79.69' -ZZ
it shows my whole DIT structure.
But when I run this command:
ldapsearch -x -b "dc=platalytics,dc=com" -H 'ldaps://122.129.79.69' -ZZ
it gives error:
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
I'm new to LDAP and don't have much understanding of it. Can anyone please explain what the issue could be?
Also, I came to know that conventional SSL certificates do not work well with LDAP, and that we have to create separate certificates for LDAP StartTLS connections. Is that the case?
Looks like your commands are the same?
For StartTLS use:
ldapsearch -x -b "dc=platalytics,dc=com" -H 'ldap://122.129.79.69' -ZZ
(i.e. ldap://, not ldaps://) when using StartTLS.
-jim

Host-based ssh authentication failure with Chef

Using chef-12.1.2-1, all nodes running Centos 7.
I've set up host-based SSH authentication on my nodes and can successfully ssh without passwords between them.
I start up a chef server by doing the following:
/opt/chef/bin/chef-zero -H <ip> -p 8889 -d
and try to bootstrap my nodes using knife bootstrap which takes me to a password prompt:
[root@node]# knife bootstrap <ip> -r <role>
Connecting to <ip>
Failed to authenticate root - trying password auth
Enter your password:
After doing some digging I found that knife uses the Ruby implementation of SSH, via the gem net-ssh-multi. I can't find specifically why this wouldn't work with host-based authentication.
Why is it prompting me for a password and not using my host based authentication?
Could you try HostbasedAuthentication as an ssh flag passed into knife?
knife bootstrap <ip> -r <role> -a HostbasedAuthentication

How to find whether ldap server is up and running?

I have currently installed OID (Oracle Internet Directory) and created some roles and users in them. I intend to access them using LDAP commands.
$ ldapbind -p <port_number> -h <ip> -D "cn=orcladmin"
bind successful
$ ldapsearch -h <ip> -p <port_number> "dc=<name>"
ldap_search: Inappropriate authentication
ldap_search: additional info: Server is Configured to Deny Anonymous Binds
Is there something I am missing?
On your ldapsearch command, add -D "cn=orcladmin" for who you are binding as, and -w "Password" or -W to prompt at run time. You probably also want a -b "ou=Base,dc=DNtoSearch" and then your filter as you have it.
You need to bind each time.
