I got no response when I do ldapsearch like this.
> ldapsearch -x -D "uid=joe,ou=people,dc=example,dc=org" -w joe -b "ou=group,dc=example,dc=org" "(objectclass=*)"
# extended LDIF
#
# LDAPv3
# base <ou=group,dc=example,dc=org> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# search result
search: 2
result: 32 No such object
# numResponses: 1
Openldap log is here
5c10a31c conn=1029 fd=13 ACCEPT from IP=172.17.0.1:34710 (IP=0.0.0.0:389)
5c10a31c conn=1029 op=0 BIND dn="uid=joe,ou=people,dc=example,dc=org" method=128
5c10a31c conn=1029 op=0 BIND dn="uid=joe,ou=people,dc=example,dc=org" mech=SIMPLE ssf=0
5c10a31c conn=1029 op=0 RESULT tag=97 err=0 text=
5c10a31c conn=1029 op=1 SRCH base="ou=group,dc=example,dc=org" scope=2 deref=0 filter="(objectClass=*)"
5c10a31c conn=1029 op=1 SEARCH RESULT tag=101 err=32 nentries=0 text=
5c10a31c conn=1029 op=2 UNBIND
5c10a31c conn=1029 fd=13 closed
this is ldif file for user and group
# People, example.org
dn: ou=people,dc=example,dc=org
ou: people
objectClass: organizationalUnit
# Groups, example.org
dn: ou=group,dc=example,dc=org
ou: group
objectClass: organizationalUnit
dn: uid=joe,ou=people,dc=example,dc=org
objectClass: person
objectClass: inetOrgPerson
uid: joe
cn: Joe Doe
sn: Doe
givenName: Joe
userPassword: joe
description: This is an example user
dn: cn=c3admin,ou=group,dc=example,dc=org
objectClass: groupOfNames
cn: c3admin
member: uid=joe,ou=people,dc=example,dc=org
It seems like binding user and base dn are not correctly setup.
Please give me a advise for solving this problem.
I am using osixia/docker-openldap:1.2.2 for the openldap. and it has auto setting for admin user at "cn=admin,dc=example,dc=org"
docker run -p 389:389 -p 689:689 --name my-openldap-container --detach osixia/openldap:1.2.2
Update
Do search with member filter then got the error.
ldapsearch -x -D "uid=joe,ou=people,dc=example,dc=org" -w joe -b "ou=group,dc=example,dc=org" "(member=uid=joe,ou=people,dc=example,dc=org)"
# extended LDIF
#
# LDAPv3
# base <ou=group,dc=example,dc=org> with scope subtree
# filter: (member=uid=joe,ou=people,dc=example,dc=org)
# requesting: ALL
#
# search result
search: 2
result: 32 No such object
# numResponses: 1
Do search with base DN then got the error.
ldapsearch -x -D "uid=joe,ou=people,dc=example,dc=org" -w joe -b "dc=example,dc=org" "(objectclass=*)"
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=org> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# search result
search: 2
result: 32 No such object
# numResponses: 1
Do search with binding admin dn, then got the 5 entries.
ldapsearch -x -D "cn=admin,dc=example,dc=org" -w admin -b "ou=group,dc=example,dc=org" "(objectclass=)"
# extended LDIF
#
# LDAPv3
# base with scope subtree
# filter: (objectclass=)
# requesting: ALL
#
# group, example.org
dn: ou=group,dc=example,dc=org
ou: group
objectClass: organizationalUnit
# admin, group, example.org
dn: cn=admin,ou=group,dc=example,dc=org
cn: admin
objectClass: groupOfNames
member: uid=john,ou=group,dc=example,dc=org
# john, group, example.org
dn: uid=john,ou=group,dc=example,dc=org
uid: john
givenName: Joe
description: This is an example user
sn: Doe
cn: Joe Doe
objectClass: person
objectClass: inetOrgPerson
userPassword:: am9obg==
# c3admin, group, example.org
dn: cn=c3admin,ou=group,dc=example,dc=org
objectClass: groupOfNames
cn: c3admin
member: uid=joe,ou=people,dc=example,dc=org
# c3viewer, group, example.org
dn: cn=c3viewer,ou=group,dc=example,dc=org
objectClass: groupOfNames
cn: c3viewer
member: uid=tom,ou=people,dc=example,dc=org
# search result
search: 2
result: 0 Success
# numResponses: 6
# numEntries: 5
Your search is asking to return the entries "(objectclass=*)" below the entry "ou=group,dc=example,dc=org".
I am guessing there are none.
To find the members which are within the group ou=group,dc=example,dc=org, use a filter similar to:
"(member=*)"
to find all the entries use:
Filter: "(objectclass=*)"
Base (-b): "dc=example,dc=org"
-jim
Related
I am trying to integrate LDAP authentication to rundeck.
I can query the users using ldapsearch successfully like below
ldapsearch -v -x -D "some_address#myorg.lan" -b "dc=myorg,dc=lan" -H ldap://ldaphost.myorg.lan -w **** "uid=user_1"
which returns:
ldap_initialize( ldap://ldaphost.myorg.lan:389/??base )
filter: uid=user_1
requesting: All userApplication attributes
# extended LDIF
#
# LDAPv3
# base <dc=myorg,dc=lan> with scope subtree
# filter: uid=user_1
# requesting: ALL
#
# user_1#myorg.lan, Users, myorg, Zones, Circular, warehouse, myorg
.lan
dn: CN=user_1#myorg.lan,CN=Users,CN=myorg,CN=Zones,OU=Circular,OU=warehouse,DC=myorg,DC=lan
objectClass: top
objectClass: posixAccount
objectClass: leaf
objectClass: connectionPoint
objectClass: serviceConnectionPoint
cn: user_1#myorg.lan
distinguishedName: CN=user_1#myorg.lan,CN=Users,CN=myorg,CN=Zones,OU=Circular,OU=warehouse,DC=myorg,DC=lan
instanceType: 4
whenCreated: 20190128081317.0Z
whenChanged: 20200128081329.0Z
displayName: $CimsUserVersion5
uSNCreated: 221081209
uSNChanged: 221081209
showInAdvancedViewOnly: TRUE
name: user_1#myorg.lan
objectGUID:: XG234o3+m0iVYGHHJKODVQ==
keywords: parentLink:S-1-5-21-******-*****-*****-1***3
objectCategory: CN=Service-Connection-Point,CN=Schema,CN=Configuration,DC=myorg,DC=lan
dSCorePropagationData: 20210805091319.0Z
dSCorePropagationData: 20210805084748.0Z
dSCorePropagationData: 20210921114113.0Z
dSCorePropagationData: 20210405111238.0Z
dSCorePropagationData: 16020914223649.0Z
uid: user_1
unixHomeDirectory: %{home}/%{user}
uidNumber: 763534041
gecos: %{u:displayName}
loginShell: /bin/bash
gidNumber: 20003
# search reference
ref: ldap://myorg.lan/CN=Configuration,DC=myorg,DC=lan
# search reference
ref: ldap://ForestDnsZones.myorg.lan/DC=ForestDnsZones,DC=myorg,DC=lan
# search reference
ref: ldap://DomainDnsZones.myorg.lan/DC=DomainDnsZones,DC=myorg,DC=lan
# search result
search: 2
result: 0 Success
# numResponses: 5
# numEntries: 1
# numReferences: 3
However, now I am confused which information maps to which parameter in Rundeck's JettyCachingLdapLoginModule. e.g. whether distinguishedName: CN=user_1#myorg.lan,CN=Users,CN=myorg,CN=Zones,OU=Circular,OU=warehouse,DC=myorg,DC=lan is a bindDn, userBaseDn or roleBaseDn?
I don't have direct access to the LDAP server, so only way to retrieve information is through ldapsearch.
It looks like the user name to access the LDAP binDn.
Here you can see all attributes explained.
bindDn: is optional. If not using "binding" authentication, set this to the root DN that should bind, e.g. "cn=Manager,dc=example,dc=com".
userBaseDn: is the base DN to search for users, example: "ou=People,dc=test1,dc=example,dc=com".
roleBaseDN: is the Base DN for role membership search, e.g. "ou=Groups,dc=test1,dc=example,dc=com".
Another great tool to check your LDAP server is Apache Directory Studio.
I've been strugling/googling for hours about this, just trying a very simple thing add entries to my ldap using ldapadd (OpenLDAP on Ubuntu).
my structure.ldif looks like this :
dn: ou=Personnes,dc=odi,dc=com
objectClass: organizationalUnit
ou: Personnes
description: Employes de l entreprise
dn: ou=Machines,dc=odi,dc=com
objectClass: organizationalUnit
ou: Machines
description: Ordinateurs de l entreprise
dn: cn=Marie Dupond,ou=Personnes,dc=odi,dc=com
objectClass: inetOrgPerson
givenName: Marie
sn: Dupond
cn: Marie Dupond
uid: mdupond
userPassword: mdupond
and my ldap config :
version: 1
#
# LDAPv3
# base <dc=odi,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# odi.com
dn: dc=odi,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
o: odi
dc: odi
# admin, odi.com
dn: cn=admin,dc=odi,dc=com
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
and I can understand why when I add it through ldapadd -x -W -D “cn=admin,dc=odi,dc=com” -H ldapi:/// -f structure.ldif Iget an ldap_bind: Invalid DN syntax (34)
additional info: invalid DN
Any help would be really appreciated,
I had the exact same problem! Highlighted from your comment above:
was using “ instead of "
Not the same characters! How frustrating!
I have done LDAP setup on ubuntu, using apt install slapd ldap-utils
after doing all setup/configuration, added one test user also and here I get:
$ ldapsearch -x -b "dc=param,dc=co,dc=in"
# extended LDIF
#
# LDAPv3
# base <dc=param,dc=co,dc=in> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# param.co.in
dn: dc=param,dc=co,dc=in
objectClass: top
objectClass: dcObject
objectClass: organization
o: param
dc: param
# admin, param.co.in
dn: cn=admin,dc=param,dc=co,dc=in
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
# testuser, param.co.in
dn: uid=testuser,dc=param,dc=co,dc=in
cn: test
sn: test
mail: testuser#param.co.in
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
uid: testuser
# search result
search: 2
result: 0 Success
# numResponses: 4
# numEntries: 3
Now I wanted to add OU with following ou.ldif file:
cn: ou=people,dc=param,dc=co,dc=in
objectClass: top
objectClass: organizationalUnit
ou: people
cn: ou=groups,dc=param,dc=co,dc=in
objectClass: top
objectClass: organizationalUnit
ou: groups
But it is giving no results i.e. no success neither error after adding this file using command:
$ ldapadd -x -W -D "cn=admin,dc=param,dc=co,dc=in" -f ou.ldif
Enter LDAP Password:
$
What wrong thing exactly am i doing here?
change 'cn' to 'dn' for distinguished name. 'cn' is common name which would just be 'people' or 'groups' (except OUs don't need a CN). so it would be:
dn: ou=people,dc=param,dc=co,dc=in
objectClass: top
objectClass: organizationalUnit
ou: people
dn: ou=groups,dc=param,dc=co,dc=in
objectClass: top
objectClass: organizationalUnit
ou: groups
I set a centos 8 server as openldap server and kerberos auth. and I'm not able to get userldap remotely
#server:
[15:04 root#server ~] > ldapsearch -x -b "dc=bravo,dc=lab" -H ldap:/// -D "cn=admin,dc=bravo,dc=lab" -W
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <dc=bravo,dc=lab> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# bravo.lab
dn: dc=bravo,dc=lab
objectClass: dcObject
objectClass: organization
objectClass: top
o: bravo
dc: bravo
# groups, bravo.lab
dn: ou=groups,dc=bravo,dc=lab
objectClass: organizationalUnit
objectClass: top
ou: groups
# people, bravo.lab
dn: ou=people,dc=bravo,dc=lab
objectClass: organizationalUnit
objectClass: top
ou: people
# kb_user01, people, bravo.lab
dn: uid=kb_user01,ou=people,dc=bravo,dc=lab
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: kb_user01
cn: John
sn: Doe
loginShell: /bin/bash
uidNumber: 10000
gidNumber: 10000
homeDirectory: /home/kb_user01
userPassword:: e1NTSEF9S3hGUnozUnUzTVMxZXQvNDVLdFFYSHVWVU4vajV1MVI=
# kb_user01, groups, bravo.lab
dn: cn=kb_user01,ou=groups,dc=bravo,dc=lab
objectClass: posixGroup
cn: kb_user01
gidNumber: 10000
memberUid: kb_user01
# kb_user02, people, bravo.lab
dn: uid=kb_user02,ou=people,dc=bravo,dc=lab
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: kb_user02
cn: Adam
sn: blanc
loginShell: /bin/bash
uidNumber: 10001
gidNumber: 10001
homeDirectory: /home/kb_user02
userPassword:: e1NTSEF9SUFrSkUvQmZObHdlSmpUblFaMWxjMWRMR1k3MFh5Nlg=
# kb_user02, groups, bravo.lab
dn: cn=kb_user02,ou=groups,dc=bravo,dc=lab
objectClass: posixGroup
cn: kb_user02
gidNumber: 10001
memberUid: kb_user02
# system, bravo.lab
dn: ou=system,dc=bravo,dc=lab
objectClass: organizationalUnit
objectClass: top
ou: system
# readonly, system, bravo.lab
dn: cn=readonly,ou=system,dc=bravo,dc=lab
objectClass: organizationalRole
objectClass: simpleSecurityObject
cn: readonly
userPassword:: e1NTSEF9M3lSV2wzdkhpc0UzR2w3d3JqMDR4dTF6R3NDajB3Rm4g
description: Bind DN user for LDAP Operations
# search result
search: 2
result: 0 Success
# numResponses: 10
enter code here`# numEntries: 9
I created user readonly to query ldapDatabase with those Access
[15:16 root#server ~] > ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=config '(olcDatabase={1}mdb)' olcAccess
dn: olcDatabase={1}mdb,cn=config
olcAccess: {0}to attrs=userPassword,shadowLastChange by dn="cn=admin,ou=People
,dc=bravo,dc=lab" write by dn="cn=readonly,ou=People,dc=bravo,dc=lab" read by
self write by anonymous auth by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=admin,ou=People,dc=bravo,dc=lab" write by dn="cn=
readonly,ou=People,dc=bravo,dc=lab" read by self write by anonymous auth by *
none
client nslcd configuration
uri ldap://server.bravo.lab/
base dc=bravo,dc=lab
binddn cn=readonly,ou=People,dc=bravo,dc=lab
When i launch this it does not work
id kb_user01
I get on the server
Oct 7 15:26:28 server slapd[114988]: conn=1312 fd=17 ACCEPT from IP=10.0.0.111:48728 (IP=0.0.0.0:389)
Oct 7 15:26:28 server slapd[114988]: conn=1312 op=0 BIND dn="cn=readonly,ou=People,dc=bravo,dc=lab" method=128
Oct 7 15:26:28 server slapd[114988]: conn=1312 op=0 RESULT tag=97 err=53 text=unauthenticated bind (DN with no password) disallowed
Oct 7 15:26:28 server slapd[114988]: conn=1312 op=1 UNBIND
Oct 7 15:26:28 server slapd[114988]: conn=1312 fd=17 closed
Do you have any Idea because from my point of view I would like to grant read access without password but still i get the error.
Please help thanks and best regards
Finally I got it,
I did three mistakes:
1 : On the client side (nslcd configuration) the right Binddn was
binddn cn=readonly,ou=***SYSTEM***,dc=bravo,dc=lab
2 : On the client side (nslcd configuration) in BindPW I put the Hashed password instant of clair on
3 : the same mistake as #1 but this time on ACL of the ldap
by dn="cn=readonly,ou=***SYSTEM***,dc=bravo,dc=lab" read by self write
On current setup I have OpenLDAP server on which I had manually added eduPerson schema and from it I can retrieve without any problem attributes like eduPersonPrincipalName, eduPersonPrimaryAffiliation etc.
Now I want to test with 389 Directory Server which from what I have understood it has pre-added eduPerson schema. The problem is that even after I create a user with eduPerson attributes like eduPersonPrincipalName etc, I can not retrieve any attribute value of eduPerson schema. I need it because of SimpleSAMLphp SSO we use. Below is an search example of a user with multiple eduPerson attributes and none of them gets shown:
ldapsearch -x -b "cn=John Doe,ou=people,dc=domain,dc=com" -H ldap://127.0.0.1:389
# extended LDIF
#
# LDAPv3
# base <cn=John Doe,ou=people,dc=domain,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# John Doe, people, domain.com
dn: cn=John Doe,ou=people,dc=domain,dc=com
objectClass: eduPerson
objectClass: inetOrgPerson
objectClass: organizationcomPerson
objectClass: person
objectClass: posixAccount
objectClass: top
cn: John Doe
gidNumber: 10000
homeDirectory: /home/user#domain.com
uid: user#domain.com
uidNumber: 10055
description: Authenticated at 2020-04-28 12:27:08.657033
loginShell: /bin/bash
mail: user#domain.com
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
Thank you,
EDIT:
Another example which might help more. Below is a ldif file of a user:
version: 1
dn: cn=John Doe,ou=people,dc=domain,dc=com
objectClass: eduPerson
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: posixAccount
objectClass: top
cn: John Doe
gidNumber: 10000
homeDirectory: /home/jdoe#domain.com
sn: Doe
uid: jdoe#domain.com
uidNumber: 10057
carLicense: AA123BB
departmentNumber: IT
eduPersonPrimaryAffiliation: employee
eduPersonPrincipalName: jdoe#domain.com
eduPersonScopedAffiliation: employee#domain.com
employeeNumber: 1234567890
givenName: John
initials: JD
loginShell: /bin/bash
mail: jdoe#domain.com
title: Software Developer
userPassword:: e0NSWVBUfSQ2JG1LcDlHUmRUcENBRVZ1ZkUkc0djRkNsalcyWEVoby9FRlNGS
jhLRXRYR1dmTGFUNXNYUk9BbHFRSHhoWXN4TWlZWEl6SEFCa0U1UzN3cm5uSktMSVAyTlg1d0V5
YXN1U1laNXJocDA=
When I try to search for this user I get only the attributes below:
ldapsearch -x -b "cn=John Doe,ou=people,dc=rash,dc=al" -H ldap://127.0.0.1:389
# extended LDIF
#
# LDAPv3
# base <cn=John Doe,ou=people,dc=rash,dc=al> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# John Doe, people, rash.al
dn: cn=John Doe,ou=people,dc=rash,dc=al
objectClass: eduPerson
objectClass: posixAccount
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
loginShell: /bin/bash
homeDirectory: /home/jdoe#domain.com
uid: jdoe#domain.com
cn: John Doe
uidNumber: 10057
gidNumber: 10000
mail: jdoe#domain.com
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1