in freeradius ldap-module it exist an Expiration attribute which I can map to an LDAP attribute, but in which format? The Documentation is not clear. I've the following LDAP attributes, which one works?
sambaKickoffTime: 1580252400
krb5ValidEnd: 20200129000000Z
shadowExpire: 18290
thanks in advance
You're probably looking for implementing a password policy with password expiration. Since you've tagged your question with [openldap] you should look into man-page slapo-ppolicy(5) - especially how to use attribute pwdMaxAge.
If you've implemented this in your OpenLDAP server there is no need to configure anything in FreeRADIUS.
Related
Is it possible to connect to an OpenLDAP server as the active directory with this form
" username#domain "
I have tested this form, it connects with active directory but with openLdap i have to put the full DN.
Does anyone has any idea how to modify my openLDAP to connect as AD if it's possible
Thanks.
If you wants to authenticate Openldap and AD users using same DN you need to add proxy to AD server from openldap server.
You need to use back_ldap module to make AD database as subordinate of Openldap database.
You can add custom attribute in openldap/ad for uniqueness of user mostly we find email attribute as common on both sides.
If you want to use alternative bind names like the userPrincipalName (username#realm) with openLDAP, you need the rewrite/remap overlay slapo-rwm coming with version 2.4.
A very simple example would be:
# Typed and not tested!
rwm-rewriteEngine on
rwm-rewriteContext addName
rwm-rewriteRule "(.*)" "userPrincipalName=$1" ":"
rwm-rewriteMap ldap upn2dn "ldap://host/dc=my,dc=org?dn?sub"
rwm-rewriteContext bindDN
rwm-rewriteRule ".*" "${upn2dn($0)}" ":#I"
EDIT
In reply to the question in your comment: LDAP as a protocol has no concept of uniqueness, it's a product feature. With OpenLDAP for example, you can use the unique overlay to enforce uniqueness for certain attribute types in suitable backends. With phpLDAPAdmin you can configure the attribute types that shall be tested for uniqueness by that client.
I'm using CKAN with Apache and an SSO system called Cosign. Cosign works as an authenticator in Apache and ends up setting REMOTE_USER before the python code fires up. What I'm trying to do is use LDAP user lookup based on that preset REMOTE_USER. Can I do that with the CKAN ldap plugin (http://extensions.ckan.org/extension/ldap/)? Any advice greatly appreciated - I'm a Python and CKAN novice.
The short answer is that ckanext-ldap doesn't do that. What it does is provide a custom login form (username and password) that authenticates the credentials via LDAP. It then creates a session for the corresponding CKAN user, creating a user account first if required. Having it do anything else would require customisation of the extension although there are a number of options documented in its readme that alter the behaviour in small ways.
Whether ckanext-ldap would be a suitable extension to build upon to achieve what you want depends on what you want to do, which isn't clear from your question.
I'm writing my first Symfony app and and I need authenticate users over LDAP/AD, but I run out of documentation...
I found many solutions for use LdapClient, but it tagged as deprecated. So, i check for use the new one Ldap class as recommended, but I not found documentation for use it. The documentation of Ldap component for the current version (3.1) suggest to use LdapClient yet! It isn't updated yet?
I don't know how to do: must we create an adapter for add a Ldap service? If so, how to proceed?
Any help will be appreciated, thanks!
Check out this cookbook article for configuring LDAP authentication using the builtin Symfony component:
http://symfony.com/doc/current/cookbook/security/ldap.html
I also have a bundle I maintain that includes LDAP authentication that works well with AD called LdapToolsBundle. It has documentation on the main page for the app/config/config.yml entries needed to configure your domain for use in the bundle, and also some details on configuring authentication in app/config/security.yml here.
The bundle above provides a LDAP service called ldap_tools.ldap_manager that can be used to query/create/modify different types AD objects.
take a look at my Blog:
https://alvinbunk.wordpress.com/2016/03/25/symfony-ad-integration/
This requires FOSUserBundle and FR3DLdapBundle, but I think if you go through all that documentation you should be able to get LDAP/AD integration with Symfony3 working.
EDIT #2
Below is a second easier solution:
https://alvinbunk.wordpress.com/2017/09/07/symfony-ldap-component-ad-authentication/
Iam using Apache Directory Ldap. I started using it just recently. I had one query:
I had one attribute called 'user-last-date', so as soon as this user end-date reaches, I should be able to disable the user account in ldap and also should send out an automated email to his manager. So, Is that possible to disable the user automatically in ldap as soon as the 'user-last-date' reached?
I already searched in google on this, not finding much info on this.
No, it is not possible by default, however you can write a custom interceptor to achieve this.
Or you can set the value of attribute pwdAccountLockedTime to 000001010000Z to permanently lock the account, but this will be effective only if the passwordpolicy is enabled.
I have an LDAP error in c# code talking about an invalid customers username / password.
I need to confirm if the password is in fact correct, or the way I have manipulated the users DN to remove the escape characters has caused the user to be unknown.
I'm not that familiar with domains and how that fits in with windows, but I have access to some free LDAP browsers e.g. http://www.ldapbrowser.com/ or can download some other software but I need to validate a password with it somehow.
Any ideas how?
The "ldapbrowser" should work.
We prefer the http://directory.apache.org/studio/
What is the error code?
I assume you are using AD?
We also have some help with AD and LDAP
See my reply to the following thread:
LDAP - How to check a username/password combination?
If you need to only verify username and password, The LDAPWhoAmI Extended Operation will work (either in a custom test script, or via the dedicated binary 'ldapwhoami').
I hope this helps...
Max