How to bind with LDAPS to Azure AD Domain Services - ldap

I'm getting started with Azure AD Domain Services for a new company.
For some applications we need LDAPS access so I was able to set that up and I can connect to the instance from on-premise using ldp.exe.
However I cannot find out how to bind so that I'm authenticated. I tried the e-mailadress and password of an admin user and other various syntaxes but none seem to work.
Is there any guidance on this?


A little late, but I know of two bind DNs that work for me in Azure AD Domain Services:
ldapsearch -D "cn=<Full> <Name>,ou=AADDC Users,dc=<domain>,dc=<tld>" -W -H ldaps://XX.XX.XX.XX
or
ldapsearch -D "<samaccountname>#<domain>.<tld>" -W -H ldaps://XX.XX.XX.XX

Related

Google Secure LDAP credentials not working

I'm trying to get a simple ldapsearch query working against Google Secure LDAP without using client certificate. I'm using Ubuntu 22.04 ldap-utils.
Am I doing something obviously wrong with my query below? Assume username generated by Google is LDAPUser1 and password is RAND123 and my domain is example.com:
ldapsearch -D "LDAPUser1" -w RAND123 -b "ou=Users,dc=example,dc=com" -H ldaps://ldap.google.com:636
Whenever I run it, I get the following error:
ldap_bind: Invalid credentials (49)
additional info: Incorrect password
I've copied the username and password verbatum from the Google Secure LDAP "Access Credentials" section. It's directly below the "Certificates" section.

Cannot create VHost on RabbitMQ Management HTTP API

I've done some research as to how to create a vHost from the HTTP API on RabbitMQ. I am brand new to RabbitMQ so I just need some basic guidance. I've seen to add a vhost you go to the admin page and there is an option for virtual hosts. However, when I am in mine, I do not have said option. I don't know if there is something else I need to install or enable but I can't seem to find anyone else with this type of issue.

You might not have the right permissions to create a vhost. Check your permissions and make sure you are logged in with a user that has the administrator tag according to this: https://www.rabbitmq.com/management.html#:~:text=and%20credential%20management.-,Tag,-Capabilities
The HTTP API documentation has an example on how to create a vhost:
$ curl -i -u USER:PASSWORD -H "content-type:application/json"
-XPUT http://localhost:15672/api/vhosts/foo

Google Secure LDAP (from Cloud Identity) returning wrong user DN

We have a Google G suite with multiple domains and users with email addresses not always having the primary domain extension.
When ldap searching the Secure LDAP environment for a user with a non primary domain we get the wrong user DN back.
Example:
LDAPTLS_CERT=ldap-client.crt LDAPTLS_KEY=ldap-client.key ldapsearch -H ldaps://ldap.google.com -b dc=example,dc=com '(mail=user#company.nl)'
returns dn: uid=user,ou=Users,dc=example,dc=com
where it should return dn: uid=user,dc=company,dc=nl
But with this wrong DN the next step in my radius authentication (because that's where we are using this for) fails:
LDAPTLS_CERT=ldap-client.crt LDAPTLS_KEY=ldap-client.key ldapsearch -W -D uid=user,ou=Users,dc=example,dc=com -H ldaps://ldap.google.com -b dc=example,dc=com '(mail=user#company.nl)' with a
ldap_bind: Invalid credentials (49)
additional info: Incorrect password
which makes sense because LDAP cannot find the user.
whereas as binding with the right DN succeeds:
LDAPTLS_CERT=ldap-client.crt LDAPTLS_KEY=ldap-client.key ldapsearch -W -D uid=user,ou=Users,dc=company,dc=nl -H ldaps://ldap.google.com -b dc=example,dc=com '(mail=user#company.nl)'
If I query for the user with the corresponding base_dn from the user's email address the returned DN is ok, but I cannot dynamically adjust the based_dn depending on the users email address, I think, in freeradius
I’m not sure if this a problem of the google LDAP servers or a problem with the LDAP protocol or a problem with the way I/radius queries LDAP.
I'm thinking to implement scripting authentication in the authorize section and implement my own ldapsearch + bind , but I hope there's a better solution.
Thanks. Wessel

Try with ldaps://ldap.google.com:636.
We found unless the port is defined it does not work.
We also noticed that not all fields can be searched, i.e uidNumber.

OpenVPN + FreeIPA: memberOf Additional Requirement not working

My user authenticates fine through OpenVPN AS, using LDAP authentication over FreeIPA.
Now I want to restrict OpenVPN to enforce that they belong to a certain group.
I've created a User Group in FreeIPA, and changed OpenVPN to have an "Additional LDAP Requirement" of "memberOf=CN=myGroup,CN=groups,CN=accounts,DC=mgmt,DC=company,DC=uk"
But when I try to authenticate now, I get access denied, with this error in openvpn logs:
2019-11-26T09:38:12+0000 [stdout#info] VPN Auth Failed: u"LDAP exception on ldaps://endpoint.free.ipa.internal/ (facility='search (u'cn=users,cn=accounts,dc=mgmt,dc=company,dc=uk', 2, u'(&(uid=myUser)(memberOf=CN=myGroup,CN=groups,CN=accounts,DC=mgmt,DC=company,DC=uk))')'): **user not found that meets specified requirements**: memberOf=CN=myGroup,CN=groups,CN=accounts,DC=mgmt,DC=company,DC=uk: auth/authldap:178,python2.7/threading:774,python2.7/threading:801,python2.7/threading:754,_threads/_threadworker:46,_threads/_team:190,python/threadpool:250,python/threadpool:266,python/context:122,python/context:85,auth/authldap:138,auth/authldap:178,util/error:67,util/error:48" [None]
If I try (what I think is) the equivalent LDAP Search from command line, it works fine:
ldapsearch -x -D "uid=admin,cn=users,cn=accounts,dc=mgmt,dc=company,dc=uk" -W -H ldap://localhost -b "cn=users,cn=accounts,dc=mgmt,dc=company,dc=uk" '(&(uid=myUser)(memberOf=cn=myGroup,cn=groups,cn=accounts,dc=mgmt,dc=company,dc=uk))'
That returns the user, and even lists their memberOf attributes:
...
memberOf: cn=ipausers,cn=groups,cn=accounts,dc=mgmt,dc=company,dc=uk
memberOf: cn=myGroup,cn=groups,cn=accounts,dc=mgmt,dc=company,dc=uk
...
So unsure what I've done wrong in OpenLDAP.
I read that memberOf only works retrospectively, so I removed and re-added myUser to myGroup. Still didn't work.

Ah found it.
OpenVPNAS was using anonymous binding to connect to FreeIPA in order to authenticate people. With anonymous binding, it isn't permitted to see group membership!
Fix was to change OpenVPNAS to bind as an admin user. Now it works fine.

How was authentication built on LDAP?

I many times integrate authentication in application based on LDAP.
I just put configs: URL (like ldap.company.com:389), search base (like dc=europe,dc=com) and query pattern (like (uid=$)) to libraries and frameworks.
But I always wonder what really do libraries and frameworks to actually authenticate user by supplied login/password.
Seems that LDAP has three type of authentication itself - anonymous, plain password and SASL. So sometimes in order to authenticate you need application login/password to get access to LDAP service.
I am not sure that this blog answer the question: http://thecarlhall.wordpress.com/2011/01/04/ldap-authentication-authorization-dissected-and-digested/ :
Get a connection to the LDAP server.
Bind as the application user.
Search for the DN (distinguished name) of the user to be authenticated.
Bind as user to be authenticated using DN from step 3.
Is that right?
That may be summarized as (as experiment in command line):
$ ldapsearch -x -h ldap.company.com -s sub -b 'dc=europe,dc=com' "uid=XYZ"
....
dn: uid=XYZ,dc=sales,dc=europe,dc=com
...
$ ldapsearch -W -h ldap.company.com -D 'uid=XYZ,dc=sales,dc=europe,dc=com' \
-s sub -b 'dc=europe,dc=com' "uid=XYZ"
Are there any other authentication schema like using specific DN attribute value as user secret? Or userPassword is that attribute itself?

Your four steps are basically correct. SASL is an External Authentication Mechanism where Authentication is "handed" off to the SASL Mechanism. RFC 4513 spells out Authentication and Security Mechanisms.
-jim