Openldap and ActiveDirectory authentication - ldap

Is it possible to connect to an OpenLDAP server the same way as to Active Directory, with this form:
"username@domain"
I have tested this form; it connects with Active Directory, but with OpenLDAP I have to put the full DN.
Does anyone have any idea how to modify my OpenLDAP to connect like AD, if it's possible?
Thanks.

If you want to authenticate OpenLDAP and AD users using the same DN, you need to add a proxy to the AD server from the OpenLDAP server.
You need to use the back_ldap module to make the AD database a subordinate of the OpenLDAP database.
You can add a custom attribute in OpenLDAP/AD for uniqueness of users; mostly we find the email attribute is common on both sides.

If you want to use alternative bind names like the userPrincipalName (username@realm) with OpenLDAP, you need the rewrite/remap overlay slapo-rwm, which comes with version 2.4.
A very simple example would be:
# Typed and not tested!
rwm-rewriteEngine on
rwm-rewriteContext addName
rwm-rewriteRule "(.*)" "userPrincipalName=$1" ":"
rwm-rewriteMap ldap upn2dn "ldap://host/dc=my,dc=org?dn?sub"
rwm-rewriteContext bindDN
rwm-rewriteRule ".*" "${upn2dn($0)}" ":@I"
EDIT
In reply to the question in your comment: LDAP as a protocol has no concept of uniqueness, it's a product feature. With OpenLDAP for example, you can use the unique overlay to enforce uniqueness for certain attribute types in suitable backends. With phpLDAPAdmin you can configure the attribute types that shall be tested for uniqueness by that client.

Related

freeradius and expired user configuration

In the FreeRADIUS ldap module there is an Expiration attribute which I can map to an LDAP attribute, but in which format? The documentation is not clear. I have the following LDAP attributes; which one works?
sambaKickoffTime: 1580252400
krb5ValidEnd: 20200129000000Z
shadowExpire: 18290
Thanks in advance.
You're probably looking for implementing a password policy with password expiration. Since you've tagged your question with [openldap] you should look into man-page slapo-ppolicy(5) - especially how to use attribute pwdMaxAge.
If you've implemented this in your OpenLDAP server there is no need to configure anything in FreeRADIUS.

ldap filter in omniauth ldap module not working in discourse

I am currently trying to configure Discourse to only allow users in a specific LDAP group to log in. Discourse has a plugin called discourse-ldap-auth ( https://github.com/jonmbake/discourse-ldap-auth ). This plugin uses the omniauth ldap module: https://github.com/omniauth/omniauth-ldap
My discourse plugin configuration (the configuration is actually used by the discourse plugin for the omniauth ldap module):
ldap enabled: true
ldap hostname: the hostname of my ldap server
ldap port: 389
ldap method: plain
ldap base: the base of my ldap server
ldap uid: userPrincipalName
ldap bind dn: Nothing
ldap password: Nothing
ldap filter: (&(userPrincipalName=%{username})(memberOf=cn=[the name of the required group],ou=....,[base]))
When using this configuration, nobody can log in to the forum. When I use the bind dn and password, everybody can log in.
I also tried this filter without success (copied from my ldap servers filter):
(&(&(&(userPrincipalName=%{username})(memberOf=[dn of the group]))))
What do I have to configure, to only allow users in that specific group to log in?
I didn't find any errors or indicators in the log. Please help!
Thanks for your help and attention!
You do need the "ldap dn" and "ldap password". Those are the credentials used to authenticate to LDAP so you can look up people's accounts. Usually, that is a service account only used by your application.
The filter should probably look something like this:
(&(sAMAccountName=%{username})(memberOf:1.2.840.113556.1.4.1941:=[dn of the group]))
Users will usually log in with the sAMAccountName, which is usually called just the "username". Whenever you see an account in the DOMAIN\username format, that username is the sAMAccountName.
The userPrincipalName is usually in the format of username@domain.com. It is sometimes the same as the email address, but it doesn't have to be.
The crazy number I put in that query tells Active Directory to search recursively through groups. So that would allow you to put groups into your authentication group, and members of that new group would be given access to your application too. Without that, only direct members of that group will have access.
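What the two memberOf forms in the answer above admit, and how to fill the %{username} placeholder without letting the login name alter the filter, as an added example that is not part of the original answer or of omniauth-ldap. The directory contents, DNs and helper names are constructed, and member? only models the server-side matching.

```ruby
# Added example; every DN and account name below is constructed.
IN_CHAIN_OID = "1.2.840.113556.1.4.1941" # matching-rule OID quoted in the answer

FORUM = "cn=forum,ou=groups,dc=example,dc=org"
STAFF = "cn=staff,ou=groups,dc=example,dc=org"
ALICE = "cn=alice,ou=people,dc=example,dc=org"
BOB   = "cn=bob,ou=people,dc=example,dc=org"

# Constructed directory: group DN => DNs of its direct members.
# STAFF is nested inside FORUM; BOB is only in STAFF.
GROUPS = { FORUM => [ALICE, STAFF], STAFF => [BOB] }.freeze

# RFC 4515: NUL ( ) * \ in an assertion value become \XX hex escapes,
# so a login name can never add wildcards or extra filter clauses.
def escape_filter_value(value)
  value.gsub(/[\x00()*\\]/) { |c| format("\\%02x", c.ord) }
end

# Fills the template the way a "%{username}" placeholder is filled,
# escaping the user-supplied name (and the group DN) first.
def login_filter(username, group_dn, recursive: true)
  rule = recursive ? ":#{IN_CHAIN_OID}:" : ""
  format("(&(sAMAccountName=%{user})(memberOf%{rule}=%{group}))",
         user: escape_filter_value(username), rule: rule,
         group: escape_filter_value(group_dn))
end

# Models which users each memberOf form admits: direct members only, or
# members reached through any chain of nested groups (cycle-safe).
def member?(user_dn, group_dn, recursive:, seen: [])
  return false if seen.include?(group_dn)
  members = GROUPS.fetch(group_dn, [])
  return true if members.include?(user_dn)
  return false unless recursive
  members.any? do |m|
    GROUPS.key?(m) && member?(user_dn, m, recursive: true, seen: seen + [group_dn])
  end
end
```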

Delete ldap attribute by keycloak

I'm evaluating keycloak for identity management using an existing (open)ldap server.
I've managed to get the telephoneNumber ldap attribute into keycloak.
The problem occurs if I try to remove a telephone number via keycloak: keycloak tries to set the ldap attribute to an empty string, which is not allowed. Is there a way to configure the user-attribute-ldap-mapper to delete the attribute if it's empty?
Best wishes
Daniel
[edit] I've opened a bug report at Keycloak for this issue.

How to test whether a username and password are present in LDAP?

I am basically using a DataPower AAA policy, and in it I have configured 'using LDAP to bind DN' as the authentication mechanism.
Now I have made rules and configured the host and LDAP port.
I have a user and password to test whether it exists or not.
How do I test it?
Is there any gateway present to test (like MCCP)?
You need to attach this AAA Policy with some top level service objects [Web Service proxy, Multi Protocol Gateway, XML Firewall etc]. After that test the service to see if authentication is working fine or not? If you already did that, can you specify what is the exact problem you are facing?
You can extract the user name and password and you can send them over to the LDAP server.
This you can achieve using an xsl to connect to LDAP and check the authentication.
We have pre-defined functions for LDAP search and authentication.
search : dp:ldap-search(address, port, bindDN, bindPassword, targetDN, attributeName, filter, scope, sslProxyProfile, ldapLBGroup, ldapVersion, ldapReadTimeout)
Auth : dp:ldap-authen(bindDN, bindPassword, serverAddress, sslProxyProfileName, ldapLBGroup, "", ldapVersion, ldapReadTimeout)

Bind settings for LDAP authentication for moodle

I am now trying to configure for the LDAP authentication in /admin/auth_config.php?auth=ldap.
I would like to know what the Bind settings do. Is it necessary to fill in the DN and Password under Bind settings for LDAP to work?
And I have encountered an error code auth_ldap_noconnect when trying to sync the users through LDAP from the cron script. What could be the causes for this error?
The Bind settings are necessary - without them Moodle can't connect to your LDAP server. They determine how Moodle will access the LDAP server.
CN = your Common Name
OU = your Organizational Unit
DC = your Domain Component
Those are all part of the LDAP Data Interchange Format (LDIF) and they determine how the LDAP tree is filtered. See http://en.wikipedia.org/wiki/LDAP_Data_Interchange_Format.
So in Moodle you probably need a Distinguished name like:
cn=YourServiceAccountName,ou=YourSchool,ou=Service Accounts,DC=yourdc,DC=co,DC=uk
And you'll probably also have to list the Contexts where your students are found:
ou=yourschool,DC=yourdc,DC=co,DC=uk;
User attribute might = samaccountname (for MS Active Directory)