I set up a CentOS 8 server as an OpenLDAP server with Kerberos auth, and I'm not able to get LDAP users remotely.
On the server:
[15:04 root@server ~] > ldapsearch -x -b "dc=bravo,dc=lab" -H ldap:/// -D "cn=admin,dc=bravo,dc=lab" -W
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <dc=bravo,dc=lab> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# bravo.lab
dn: dc=bravo,dc=lab
objectClass: dcObject
objectClass: organization
objectClass: top
o: bravo
dc: bravo
# groups, bravo.lab
dn: ou=groups,dc=bravo,dc=lab
objectClass: organizationalUnit
objectClass: top
ou: groups
# people, bravo.lab
dn: ou=people,dc=bravo,dc=lab
objectClass: organizationalUnit
objectClass: top
ou: people
# kb_user01, people, bravo.lab
dn: uid=kb_user01,ou=people,dc=bravo,dc=lab
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: kb_user01
cn: John
sn: Doe
loginShell: /bin/bash
uidNumber: 10000
gidNumber: 10000
homeDirectory: /home/kb_user01
userPassword:: e1NTSEF9S3hGUnozUnUzTVMxZXQvNDVLdFFYSHVWVU4vajV1MVI=
# kb_user01, groups, bravo.lab
dn: cn=kb_user01,ou=groups,dc=bravo,dc=lab
objectClass: posixGroup
cn: kb_user01
gidNumber: 10000
memberUid: kb_user01
# kb_user02, people, bravo.lab
dn: uid=kb_user02,ou=people,dc=bravo,dc=lab
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: kb_user02
cn: Adam
sn: blanc
loginShell: /bin/bash
uidNumber: 10001
gidNumber: 10001
homeDirectory: /home/kb_user02
userPassword:: e1NTSEF9SUFrSkUvQmZObHdlSmpUblFaMWxjMWRMR1k3MFh5Nlg=
# kb_user02, groups, bravo.lab
dn: cn=kb_user02,ou=groups,dc=bravo,dc=lab
objectClass: posixGroup
cn: kb_user02
gidNumber: 10001
memberUid: kb_user02
# system, bravo.lab
dn: ou=system,dc=bravo,dc=lab
objectClass: organizationalUnit
objectClass: top
ou: system
# readonly, system, bravo.lab
dn: cn=readonly,ou=system,dc=bravo,dc=lab
objectClass: organizationalRole
objectClass: simpleSecurityObject
cn: readonly
userPassword:: e1NTSEF9M3lSV2wzdkhpc0UzR2w3d3JqMDR4dTF6R3NDajB3Rm4g
description: Bind DN user for LDAP Operations
# search result
search: 2
result: 0 Success
# numResponses: 10
# numEntries: 9
I created the user readonly to query the LDAP database with this access configuration:
[15:16 root@server ~] > ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=config '(olcDatabase={1}mdb)' olcAccess
dn: olcDatabase={1}mdb,cn=config
olcAccess: {0}to attrs=userPassword,shadowLastChange by dn="cn=admin,ou=People,dc=bravo,dc=lab" write by dn="cn=readonly,ou=People,dc=bravo,dc=lab" read by self write by anonymous auth by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=admin,ou=People,dc=bravo,dc=lab" write by dn="cn=readonly,ou=People,dc=bravo,dc=lab" read by self write by anonymous auth by * none
Client nslcd configuration:
uri ldap://server.bravo.lab/
base dc=bravo,dc=lab
binddn cn=readonly,ou=People,dc=bravo,dc=lab
When I launch this it does not work:
id kb_user01
I get this on the server:
Oct 7 15:26:28 server slapd[114988]: conn=1312 fd=17 ACCEPT from IP=10.0.0.111:48728 (IP=0.0.0.0:389)
Oct 7 15:26:28 server slapd[114988]: conn=1312 op=0 BIND dn="cn=readonly,ou=People,dc=bravo,dc=lab" method=128
Oct 7 15:26:28 server slapd[114988]: conn=1312 op=0 RESULT tag=97 err=53 text=unauthenticated bind (DN with no password) disallowed
Oct 7 15:26:28 server slapd[114988]: conn=1312 op=1 UNBIND
Oct 7 15:26:28 server slapd[114988]: conn=1312 fd=17 closed
Do you have any idea? From my point of view I would like to grant read access without a password, but I still get the error.
Please help, thanks and best regards.
Finally I got it.
I made three mistakes:
1: On the client side (nslcd configuration) the right binddn was
binddn cn=readonly,ou=***SYSTEM***,dc=bravo,dc=lab
2: On the client side (nslcd configuration) in bindpw I put the hashed password instead of the clear-text one
3: The same mistake as #1, but this time in the ACL of the LDAP server:
by dn="cn=readonly,ou=***SYSTEM***,dc=bravo,dc=lab" read by self write
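The three mistakes listed above are mismatches between what the client names and what the server actually holds, so they can be checked offline from the ldapsearch dump, the olcAccess values and nslcd.conf. The following is an added Python check, not code from the post; the sample data is trimmed from the question, and the bindpw check assumes a stored hash carries the usual {SCHEME} prefix.

```python
"""Cross-check the nslcd binddn against the directory dump and the olcAccess rules.
Added example, not code from the original post; sample data is trimmed from it."""
import re

def normalize_dn(dn):
    """Compare DNs by value: drop spaces around ',' and '=', ignore case."""
    return re.sub(r"\s*([,=])\s*", r"\1", dn.strip()).lower()

def unfold(text):
    """Join LDIF continuation lines (a newline followed by a single space)."""
    return re.sub(r"\n ", "", text)

def entry_dns(ldif_text):
    """Every 'dn:' in an ldapsearch/LDIF dump, normalized."""
    return {normalize_dn(d) for d in re.findall(r"^dn:\s*(.+)$", unfold(ldif_text), re.M)}

def acl_dns(olc_access_text):
    """DNs named in by dn="..." (also dn.exact= etc.) clauses of olcAccess values."""
    return {normalize_dn(d) for d in
            re.findall(r'by dn(?:\.\w+)?="([^"]+)"', unfold(olc_access_text))}

def check_bind_dn(ldif_text, olc_access_text, conf_text):
    """Return findings for the binddn/bindpw in nslcd.conf; an empty list means consistent."""
    m = re.search(r"^binddn\s+(.+)$", conf_text, re.M)
    if not m:
        return ["nslcd.conf has no binddn"]
    binddn = normalize_dn(m.group(1))
    findings = []
    if binddn not in entry_dns(ldif_text):          # mistake 1 in the self-answer
        findings.append(f"binddn {binddn} is not an entry in the directory")
    if binddn not in acl_dns(olc_access_text):      # mistake 3
        findings.append(f"no olcAccess 'by dn=' clause names {binddn}")
    if re.search(r"^bindpw\s+\{\w+\}", conf_text, re.M):  # mistake 2: {SSHA}... is a hash
        findings.append("bindpw looks like a stored hash, not the clear-text password")
    return findings

# Constructed sample input, trimmed from the question's ldapsearch, olcAccess and nslcd.conf.
LDIF_DUMP = """\
dn: ou=people,dc=bravo,dc=lab
dn: uid=kb_user01,ou=people,dc=bravo,dc=lab
dn: cn=readonly,ou=system,dc=bravo,dc=lab
"""
OLC_ACCESS = """\
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=admin,ou=People,dc=bravo,dc=lab" write by dn="cn=
 readonly,ou=People,dc=bravo,dc=lab" read by self write by anonymous auth by *
 none
"""
NSLCD_CONF = "uri ldap://server.bravo.lab/\nbase dc=bravo,dc=lab\nbinddn cn=readonly,ou=People,dc=bravo,dc=lab\n"
```

Running check_bind_dn on the question's data reports only the first mistake, because the ACL and the client were wrong in the same way; fixing the client alone then surfaces the ACL mismatch.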
Related
I've been struggling/googling for hours about this, just trying a very simple thing: add entries to my LDAP using ldapadd (OpenLDAP on Ubuntu).
My structure.ldif looks like this:
dn: ou=Personnes,dc=odi,dc=com
objectClass: organizationalUnit
ou: Personnes
description: Employes de l entreprise

dn: ou=Machines,dc=odi,dc=com
objectClass: organizationalUnit
ou: Machines
description: Ordinateurs de l entreprise

dn: cn=Marie Dupond,ou=Personnes,dc=odi,dc=com
objectClass: inetOrgPerson
givenName: Marie
sn: Dupond
cn: Marie Dupond
uid: mdupond
userPassword: mdupond
And my LDAP config:
version: 1
#
# LDAPv3
# base <dc=odi,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# odi.com
dn: dc=odi,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
o: odi
dc: odi
# admin, odi.com
dn: cn=admin,dc=odi,dc=com
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
and I can't understand why, when I add it through ldapadd -x -W -D “cn=admin,dc=odi,dc=com” -H ldapi:/// -f structure.ldif, I get:
ldap_bind: Invalid DN syntax (34)
additional info: invalid DN
Any help would be really appreciated.
I had the exact same problem! Highlighted from your comment above:
I was using “ instead of "
Not the same characters! How frustrating!
I have done an LDAP setup on Ubuntu using apt install slapd ldap-utils.
After doing all the setup/configuration, I also added one test user, and here is what I get:
$ ldapsearch -x -b "dc=param,dc=co,dc=in"
# extended LDIF
#
# LDAPv3
# base <dc=param,dc=co,dc=in> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# param.co.in
dn: dc=param,dc=co,dc=in
objectClass: top
objectClass: dcObject
objectClass: organization
o: param
dc: param
# admin, param.co.in
dn: cn=admin,dc=param,dc=co,dc=in
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
# testuser, param.co.in
dn: uid=testuser,dc=param,dc=co,dc=in
cn: test
sn: test
mail: testuser@param.co.in
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
uid: testuser
# search result
search: 2
result: 0 Success
# numResponses: 4
# numEntries: 3
Now I wanted to add OUs with the following ou.ldif file:
cn: ou=people,dc=param,dc=co,dc=in
objectClass: top
objectClass: organizationalUnit
ou: people

cn: ou=groups,dc=param,dc=co,dc=in
objectClass: top
objectClass: organizationalUnit
ou: groups
But it gives no result, i.e. neither success nor error, after adding this file using the command:
$ ldapadd -x -W -D "cn=admin,dc=param,dc=co,dc=in" -f ou.ldif
Enter LDAP Password:
$
What exactly am I doing wrong here?
Change 'cn' to 'dn' for distinguished name. 'cn' is the common name, which would just be 'people' or 'groups' (except OUs don't need a CN). So it would be:
dn: ou=people,dc=param,dc=co,dc=in
objectClass: top
objectClass: organizationalUnit
ou: people

dn: ou=groups,dc=param,dc=co,dc=in
objectClass: top
objectClass: organizationalUnit
ou: groups
On my current setup I have an OpenLDAP server to which I manually added the eduPerson schema, and from it I can retrieve attributes like eduPersonPrincipalName, eduPersonPrimaryAffiliation etc. without any problem.
Now I want to test with 389 Directory Server, which from what I have understood has the eduPerson schema pre-added. The problem is that even after I create a user with eduPerson attributes like eduPersonPrincipalName etc., I cannot retrieve any attribute value from the eduPerson schema. I need it because of the SimpleSAMLphp SSO we use. Below is a search example of a user with multiple eduPerson attributes, and none of them gets shown:
ldapsearch -x -b "cn=John Doe,ou=people,dc=domain,dc=com" -H ldap://127.0.0.1:389
# extended LDIF
#
# LDAPv3
# base <cn=John Doe,ou=people,dc=domain,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# John Doe, people, domain.com
dn: cn=John Doe,ou=people,dc=domain,dc=com
objectClass: eduPerson
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: posixAccount
objectClass: top
cn: John Doe
gidNumber: 10000
homeDirectory: /home/user@domain.com
uid: user@domain.com
uidNumber: 10055
description: Authenticated at 2020-04-28 12:27:08.657033
loginShell: /bin/bash
mail: user@domain.com
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
Thank you.
EDIT:
Another example which might help more. Below is an LDIF file of a user:
version: 1
dn: cn=John Doe,ou=people,dc=domain,dc=com
objectClass: eduPerson
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: posixAccount
objectClass: top
cn: John Doe
gidNumber: 10000
homeDirectory: /home/jdoe@domain.com
sn: Doe
uid: jdoe@domain.com
uidNumber: 10057
carLicense: AA123BB
departmentNumber: IT
eduPersonPrimaryAffiliation: employee
eduPersonPrincipalName: jdoe@domain.com
eduPersonScopedAffiliation: employee@domain.com
employeeNumber: 1234567890
givenName: John
initials: JD
loginShell: /bin/bash
mail: jdoe@domain.com
title: Software Developer
userPassword:: e0NSWVBUfSQ2JG1LcDlHUmRUcENBRVZ1ZkUkc0djRkNsalcyWEVoby9FRlNGS
jhLRXRYR1dmTGFUNXNYUk9BbHFRSHhoWXN4TWlZWEl6SEFCa0U1UzN3cm5uSktMSVAyTlg1d0V5
YXN1U1laNXJocDA=
When I try to search for this user I get only the attributes below:
ldapsearch -x -b "cn=John Doe,ou=people,dc=rash,dc=al" -H ldap://127.0.0.1:389
# extended LDIF
#
# LDAPv3
# base <cn=John Doe,ou=people,dc=rash,dc=al> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# John Doe, people, rash.al
dn: cn=John Doe,ou=people,dc=rash,dc=al
objectClass: eduPerson
objectClass: posixAccount
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
loginShell: /bin/bash
homeDirectory: /home/jdoe@domain.com
uid: jdoe@domain.com
cn: John Doe
uidNumber: 10057
gidNumber: 10000
mail: jdoe@domain.com
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
I'm running OpenLDAP 2.4.42, and this is my configuration file:
include C:/OpenLDAP/schema/core.schema
include C:/OpenLDAP/schema/cosine.schema
include C:/OpenLDAP/schema/inetorgperson.schema
pidfile C:/data/slapd/pidfile.pid
database config
database monitor
access to dn.subtree="cn=Monitor" by dn.exact="uid=Admin,dc=my,dc=org" write
access to * by * write
database bdb
include C:/data/pwm/openldap.schema
directory C:/data/slapd/db/bdb
suffix dc=example,dc=it
rootdn cn=root,dc=example,dc=it
rootpw secret
access to * by * manage
index default pres,eq
index cn eq,sub
index sn pres,eq,sub
index objectClass eq
With this slapcat (cut) output:
dn: cn=paul,dc=example,dc=it
objectClass: organizationalRole
cn: paul

dn: l=somewhere,dc=example,dc=it
objectClass: top
objectClass: locality
l: somewhere

dn: cn=john,l=somewhere,dc=example,dc=it
objectClass: organizationalRole
cn: john
structuralObjectClass: organizationalRole

dn: ou=users,dc=example,dc=it
objectClass: organizationalUnit
ou: users
structuralObjectClass: organizationalUnit

dn: cn=charles,ou=users,dc=example,dc=it
objectClass: person
objectClass: pwmUser
cn: charles
sn: charles
userPassword:: bWFyY28y
structuralObjectClass: person
Why does this return results (actually the "charles" entry):
ldapsearch -W -D cn=root,dc=example,dc=it -b "ou=users,dc=example,dc=it"
while this gives "no such object"?
ldapsearch -W -D cn=root,dc=example,dc=it -b "dc=example,dc=it"
I would think that the latter is the most general version of a search, where I'm asking for everything under that suffix.
I want to use LDAP to automount the user's home and the NFS. I followed this tutorial to configure LDAP and automount. (automount information: fstype=nfs,hard,intr,nodev,nosuid,rw 192.168.0.1:/home/serveur/dupont)
dn: cn=dupont, ou=nfs, ou=services, dc=projet, dc=sys
objectClass: top
objectClass: automount
cn: dupont
I get a syntax error when trying to add this file:
$ ldapadd -x -f au.ldif -W -D cn=admin,dc=projet,dc=sys
ldap_add: Invalid syntax (21)
additional info: objectClass: value #1 invalid per syntax
I can't seem to find the source of this error.
$ ldapsearch -x
# extended LDIF
#
# LDAPv3
# base <dc=projet,dc=sys> (default) with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# projet.sys
dn: dc=projet,dc=sys
objectClass: top
objectClass: dcObject
objectClass: organization
o: nsalab
dc: projet
# admin, projet.sys
dn: cn=admin,dc=projet,dc=sys
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
# people, projet.sys
dn: ou=people,dc=projet,dc=sys
objectClass: top
objectClass: organizationalUnit
ou: people
description: Branche gens
# etudiants, people, projet.sys
dn: ou=etudiants,ou=people,dc=projet,dc=sys
objectClass: top
objectClass: organizationalUnit
ou: etudiants
description: Branche etudiants
# personnel, people, projet.sys
dn: ou=personnel,ou=people,dc=projet,dc=sys
objectClass: top
objectClass: organizationalUnit
ou: personnel
description: Branche personnel
# services, projet.sys
dn: ou=services,dc=projet,dc=sys
objectClass: top
objectClass: organizationalUnit
ou: services
description: Branche services
# groupes, services, projet.sys
dn: ou=groupes,ou=services,dc=projet,dc=sys
objectClass: top
objectClass: organizationalUnit
ou: groupes
description: Branche groupes
# nfs, services, projet.sys
dn: ou=nfs,ou=services,dc=projet,dc=sys
objectClass: top
objectClass: organizationalUnit
ou: nfs
description: Branche nfs
# mongroupe, groupes, services, projet.sys
dn: cn=mongroupe,ou=groupes,ou=services,dc=projet,dc=sys
objectClass: top
objectClass: posixGroup
cn: mongroupe
gidNumber: 1111
description: groupe de test mongroupe
# dupont, etudiants, people, projet.sys
dn: uid=dupont,ou=etudiants,ou=people,dc=projet,dc=sys
objectClass: top
objectClass: posixAccount
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
uid: dupont
cn: Dupont Jean
sn: Dupont
givenName: Jean
uidNumber: 1100
gidNumber: 1111
homeDirectory: /home/aware/dupont
loginShell: /bin/bash
mail: dupont@projet.sys
l: France
ou: mongroupe
# search result
search: 2
result: 0 Success
# numResponses: 11
# numEntries: 10
I had to activate the right schema.
The autofs-ldap.schema file needs to be converted to LDIF format. You can do this with the slapcat utility as described in the OpenLDAPServer guide, or you can just visit launchpadlibrarian.net/55451730/autofs.ldif and grab this one that's already been converted (rename it autofs-ldap.ldif and put it in /etc/ldap/schema for consistency's sake).
And use ldapadd to import it into the database.
$ ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/autofs-ldap.ldif
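The LDIF errors in the related posts above (a record beginning with 'cn:' instead of 'dn:', curly quotes in the DN given to ldapadd -D, and an objectClass such as automount whose schema is not loaded) can all be caught before ldapadd is run. This is an added Python lint, not code from any of the posts; KNOWN_CLASSES is constructed from the object classes seen on this page and stands in for the server's cn=Subschema.

```python
"""Pre-flight lint for an LDIF file before ldapadd. Added example, not code from the
posts: it flags a record that starts with 'cn:' instead of 'dn:', curly quotes in a
DN, and an objectClass for which no schema is loaded."""
import re

# Constructed from the object classes that appear on this page; on a real server read
# the objectClasses attribute of cn=Subschema instead.
KNOWN_CLASSES = {"top", "dcobject", "organization", "organizationalunit", "organizationalrole",
                 "simplesecurityobject", "person", "organizationalperson", "inetorgperson",
                 "posixaccount", "posixgroup"}
CURLY_QUOTES = re.compile("[\u201c\u201d\u2018\u2019]")
DN_SYNTAX = re.compile(r"^\s*[A-Za-z][\w-]*=[^,]+(,\s*[A-Za-z][\w-]*=[^,]+)*\s*$")  # no escaped commas

def check_dn(dn):
    """Return a finding for a DN string (LDIF 'dn:' value or ldapadd -D argument), else None."""
    if CURLY_QUOTES.search(dn):
        return f"DN {dn!r} contains curly quotes (U+201C/U+201D), not ASCII quotes"
    if not DN_SYNTAX.match(dn):
        return f"DN {dn!r} is not comma-separated attr=value pairs"
    return None

def lint_ldif(text, known_classes=KNOWN_CLASSES):
    """Return a list of findings; an empty list means the records are well-formed."""
    findings = []
    body = re.sub(r"\n ", "", text.strip())           # join folded continuation lines
    body = re.sub(r"\Aversion:\s*\d+\s*\n", "", body)  # drop an optional 'version: 1' header
    for n, rec in enumerate(re.split(r"\n\s*\n", body), 1):
        lines = [l for l in rec.splitlines() if l.strip() and not l.startswith("#")]
        if not lines:
            continue
        attr, _, value = lines[0].partition(":")
        if attr.strip().lower() != "dn":
            findings.append(f"record {n}: first line is '{attr.strip()}:', must be 'dn:'")
        elif check_dn(value):
            findings.append(f"record {n}: {check_dn(value)}")
        for line in lines[1:]:
            a, _, v = line.partition(":")
            if a.strip().lower() == "objectclass" and v.strip().lower() not in known_classes:
                findings.append(f"record {n}: objectClass '{v.strip()}' has no loaded schema")
    return findings

# Constructed sample: the ou.ldif record from one post and the automount record from another.
SAMPLE_LDIF = """\
cn: ou=people,dc=param,dc=co,dc=in
objectClass: organizationalUnit
ou: people

dn: cn=dupont, ou=nfs, ou=services, dc=projet, dc=sys
objectClass: automount
"""
```

check_dn can also be run on the DN string you are about to pass to ldapadd -D, which is where the curly quotes in the second post crept in.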