LDAP user counts as uniqueMember for group but is not present in uniqueMember list - ldap

A user left the organization, so I removed him from all of his groups. Afterward, he still seems to be in one group but not in the group's members. See below:
[bauron@ldapmaster ~]$ ldapsearch -x -b"dc=domain,dc=com" "(uniqueMember=uid=TARGETUSER,ou=users,dc=domain,dc=com)" dn uniqueMember
# extended LDIF
#
# LDAPv3
# base <dc=domain,dc=com> with scope subtree
# filter: (uniqueMember=uid=TARGETUSER,ou=users,dc=domain,dc=com)
# requesting: dn uniqueMember
#
# jca, roles, groups, domain.com
dn: cn=jca,ou=roles,ou=groups,dc=domain,dc=com
uniqueMember: uid=user1,ou=users,dc=domain,dc=com
uniqueMember: uid=user2,ou=users,dc=domain,dc=com
uniqueMember: uid=user3,ou=users,dc=domain,dc=com
... # rest of list omitted
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
[bauron@ldapmaster ~]$ ldapsearch -x -b"dc=domain,dc=com" "(uniqueMember=uid=TARGETUSER,ou=users,dc=domain,dc=com)" dn uniqueMember | grep TARGETUSER
# filter: (uniqueMember=uid=TARGETUSER,ou=users,dc=domain,dc=com)
[bauron@ldapmaster ~]$
As you can see, grep'ing the list for TARGETUSER fails even though I'm explicitly asking for groups which have TARGETUSER as a uniqueMember. I have no idea how this is possible or what I can do to fix it. Thanks in advance!
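An added check, not part of the question or of any answer here: the server evaluates the filter with distinguishedNameMatch, which ignores the case of attribute types and (for uid, ou, dc) of values and ignores whitespace around RDN separators, whereas grep is a byte-for-byte match and also sees ldapsearch's folded LDIF lines (a long value continues on the next line after a single space). The script below re-reads the LDIF output with unfolding and DN normalization, so that a case, spacing or folding difference is not mistaken for an index problem; the LDIF is constructed sample data.

```python
# Constructed sample of ldapsearch output (not from the question). The last value
# is folded the way ldapsearch wraps long lines: a leading space continues a line.
SAMPLE_LDIF = """\
dn: cn=jca,ou=roles,ou=groups,dc=domain,dc=com
uniqueMember: uid=user1,ou=users,dc=domain,dc=com
uniqueMember: uid=targetuser, ou=Users, dc=domain, dc=com
dn: cn=ops,ou=roles,ou=groups,dc=domain,dc=com
uniqueMember: uid=TARGETUSER,ou=users,dc=domain,dc=com
dn: cn=audit,ou=roles,ou=groups,dc=domain,dc=com
uniqueMember: uid=TARGET
 USER,ou=users,dc=domain,dc=com
"""

def unfold_ldif(ldif):
    # LDIF folding: a newline followed by one space is a continuation, so drop it.
    return ldif.replace("\n ", "").splitlines()

def split_dn(dn):
    # Split on unescaped commas; RFC 4514 backslash escapes stay inside the RDN.
    parts, cur, i = [], "", 0
    while i < len(dn):
        step = 2 if dn[i] == "\\" else 1
        if dn[i] == ",":
            parts.append(cur); cur = ""
        else:
            cur += dn[i:i + step]
        i += step
    return parts + [cur]

def normalize_dn(dn):
    # Approximate distinguishedNameMatch for case-ignore attributes (uid, ou, dc,
    # cn): lower-case type and value, drop whitespace around RDNs, collapse runs
    # of inner whitespace. Multi-valued RDNs (joined with '+') are not handled.
    rdns = []
    for rdn in split_dn(dn):
        typ, _, val = rdn.partition("=")
        rdns.append(typ.strip().lower() + "=" + " ".join(val.split()).lower())
    return ",".join(rdns)

def groups_with_member(ldif, target_dn):
    # Return (literal_hits, normalized_hits): entry DNs whose uniqueMember equals
    # target_dn byte-for-byte, and those that equal it after DN normalization.
    want, literal, normalized, current = normalize_dn(target_dn), [], [], None
    for line in unfold_ldif(ldif):
        if line.startswith("dn: "):
            current = line[4:]
        elif line.startswith("uniqueMember: ") and current is not None:
            value = line[len("uniqueMember: "):]
            if value == target_dn:
                literal.append(current)
            if normalize_dn(value) == want:
                normalized.append(current)
    return literal, normalized
```

Groups that appear only in the normalized list are real members that grep cannot see; if a group is reported by the server's filter but by neither list, the search-side index, not the entry, is what to look at. Folding can also be switched off at the source with `ldapsearch -o ldif-wrap=no`.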

Related

Problem mapping LDAP configurations to Rundeck’s JAAS parameters

I am trying to integrate LDAP authentication to rundeck.
I can query the users using ldapsearch successfully like below
ldapsearch -v -x -D "some_address@myorg.lan" -b "dc=myorg,dc=lan" -H ldap://ldaphost.myorg.lan -w **** "uid=user_1"
which returns:
ldap_initialize( ldap://ldaphost.myorg.lan:389/??base )
filter: uid=user_1
requesting: All userApplication attributes
# extended LDIF
#
# LDAPv3
# base <dc=myorg,dc=lan> with scope subtree
# filter: uid=user_1
# requesting: ALL
#
# user_1@myorg.lan, Users, myorg, Zones, Circular, warehouse, myorg.lan
dn: CN=user_1@myorg.lan,CN=Users,CN=myorg,CN=Zones,OU=Circular,OU=warehouse,DC=myorg,DC=lan
objectClass: top
objectClass: posixAccount
objectClass: leaf
objectClass: connectionPoint
objectClass: serviceConnectionPoint
cn: user_1@myorg.lan
distinguishedName: CN=user_1@myorg.lan,CN=Users,CN=myorg,CN=Zones,OU=Circular,OU=warehouse,DC=myorg,DC=lan
instanceType: 4
whenCreated: 20190128081317.0Z
whenChanged: 20200128081329.0Z
displayName: $CimsUserVersion5
uSNCreated: 221081209
uSNChanged: 221081209
showInAdvancedViewOnly: TRUE
name: user_1@myorg.lan
objectGUID:: XG234o3+m0iVYGHHJKODVQ==
keywords: parentLink:S-1-5-21-******-*****-*****-1***3
objectCategory: CN=Service-Connection-Point,CN=Schema,CN=Configuration,DC=myorg,DC=lan
dSCorePropagationData: 20210805091319.0Z
dSCorePropagationData: 20210805084748.0Z
dSCorePropagationData: 20210921114113.0Z
dSCorePropagationData: 20210405111238.0Z
dSCorePropagationData: 16020914223649.0Z
uid: user_1
unixHomeDirectory: %{home}/%{user}
uidNumber: 763534041
gecos: %{u:displayName}
loginShell: /bin/bash
gidNumber: 20003
# search reference
ref: ldap://myorg.lan/CN=Configuration,DC=myorg,DC=lan
# search reference
ref: ldap://ForestDnsZones.myorg.lan/DC=ForestDnsZones,DC=myorg,DC=lan
# search reference
ref: ldap://DomainDnsZones.myorg.lan/DC=DomainDnsZones,DC=myorg,DC=lan
# search result
search: 2
result: 0 Success
# numResponses: 5
# numEntries: 1
# numReferences: 3
However, now I am confused about which information maps to which parameter in Rundeck's JettyCachingLdapLoginModule, e.g. whether distinguishedName: CN=user_1@myorg.lan,CN=Users,CN=myorg,CN=Zones,OU=Circular,OU=warehouse,DC=myorg,DC=lan is a bindDn, userBaseDn or roleBaseDn.
I don't have direct access to the LDAP server, so the only way to retrieve information is through ldapsearch.
It looks like the user name to access the LDAP is the bindDn.
Here you can see all attributes explained.
bindDn: is optional. If not using "binding" authentication, set this to the root DN that should bind, e.g. "cn=Manager,dc=example,dc=com".
userBaseDn: is the base DN to search for users, example: "ou=People,dc=test1,dc=example,dc=com".
roleBaseDN: is the Base DN for role membership search, e.g. "ou=Groups,dc=test1,dc=example,dc=com".
Another great tool to check your LDAP server is Apache Directory Studio.

ldapsearch get no entry err 32(openldap)

I got no response when I do ldapsearch like this.
> ldapsearch -x -D "uid=joe,ou=people,dc=example,dc=org" -w joe -b "ou=group,dc=example,dc=org" "(objectclass=*)"
# extended LDIF
#
# LDAPv3
# base <ou=group,dc=example,dc=org> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# search result
search: 2
result: 32 No such object
# numResponses: 1
Openldap log is here
5c10a31c conn=1029 fd=13 ACCEPT from IP=172.17.0.1:34710 (IP=0.0.0.0:389)
5c10a31c conn=1029 op=0 BIND dn="uid=joe,ou=people,dc=example,dc=org" method=128
5c10a31c conn=1029 op=0 BIND dn="uid=joe,ou=people,dc=example,dc=org" mech=SIMPLE ssf=0
5c10a31c conn=1029 op=0 RESULT tag=97 err=0 text=
5c10a31c conn=1029 op=1 SRCH base="ou=group,dc=example,dc=org" scope=2 deref=0 filter="(objectClass=*)"
5c10a31c conn=1029 op=1 SEARCH RESULT tag=101 err=32 nentries=0 text=
5c10a31c conn=1029 op=2 UNBIND
5c10a31c conn=1029 fd=13 closed
this is ldif file for user and group
# People, example.org
dn: ou=people,dc=example,dc=org
ou: people
objectClass: organizationalUnit
# Groups, example.org
dn: ou=group,dc=example,dc=org
ou: group
objectClass: organizationalUnit
dn: uid=joe,ou=people,dc=example,dc=org
objectClass: person
objectClass: inetOrgPerson
uid: joe
cn: Joe Doe
sn: Doe
givenName: Joe
userPassword: joe
description: This is an example user
dn: cn=c3admin,ou=group,dc=example,dc=org
objectClass: groupOfNames
cn: c3admin
member: uid=joe,ou=people,dc=example,dc=org
It seems like the binding user and base DN are not correctly set up.
Please give me some advice for solving this problem.
I am using osixia/docker-openldap:1.2.2 for OpenLDAP, and it automatically sets up the admin user at "cn=admin,dc=example,dc=org":
docker run -p 389:389 -p 689:689 --name my-openldap-container --detach osixia/openldap:1.2.2
Update
Do search with member filter then got the error.
ldapsearch -x -D "uid=joe,ou=people,dc=example,dc=org" -w joe -b "ou=group,dc=example,dc=org" "(member=uid=joe,ou=people,dc=example,dc=org)"
# extended LDIF
#
# LDAPv3
# base <ou=group,dc=example,dc=org> with scope subtree
# filter: (member=uid=joe,ou=people,dc=example,dc=org)
# requesting: ALL
#
# search result
search: 2
result: 32 No such object
# numResponses: 1
Do search with base DN then got the error.
ldapsearch -x -D "uid=joe,ou=people,dc=example,dc=org" -w joe -b "dc=example,dc=org" "(objectclass=*)"
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=org> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# search result
search: 2
result: 32 No such object
# numResponses: 1
Do search with binding admin dn, then got the 5 entries.
ldapsearch -x -D "cn=admin,dc=example,dc=org" -w admin -b "ou=group,dc=example,dc=org" "(objectclass=*)"
# extended LDIF
#
# LDAPv3
# base <ou=group,dc=example,dc=org> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# group, example.org
dn: ou=group,dc=example,dc=org
ou: group
objectClass: organizationalUnit
# admin, group, example.org
dn: cn=admin,ou=group,dc=example,dc=org
cn: admin
objectClass: groupOfNames
member: uid=john,ou=group,dc=example,dc=org
# john, group, example.org
dn: uid=john,ou=group,dc=example,dc=org
uid: john
givenName: Joe
description: This is an example user
sn: Doe
cn: Joe Doe
objectClass: person
objectClass: inetOrgPerson
userPassword:: am9obg==
# c3admin, group, example.org
dn: cn=c3admin,ou=group,dc=example,dc=org
objectClass: groupOfNames
cn: c3admin
member: uid=joe,ou=people,dc=example,dc=org
# c3viewer, group, example.org
dn: cn=c3viewer,ou=group,dc=example,dc=org
objectClass: groupOfNames
cn: c3viewer
member: uid=tom,ou=people,dc=example,dc=org
# search result
search: 2
result: 0 Success
# numResponses: 6
# numEntries: 5
Your search is asking to return the entries "(objectclass=*)" below the entry "ou=group,dc=example,dc=org".
I am guessing there are none.
To find the members which are within the group ou=group,dc=example,dc=org, use a filter similar to:
"(member=*)"
to find all the entries use:
Filter: "(objectclass=*)"
Base (-b): "dc=example,dc=org"
-jim

LDAP filter used by Apache always returns no entries

I had LDAP authentication working with Apache, but I keep getting 401s, and I'm not sure what I changed in the interim. I even had authentication for specific URLs based on group membership. I tried to simplify as much as I could but am still getting 401s.
Apache Configuration:
Order deny,allow
AuthName "Authentication Required"
AuthType Basic
AuthBasicProvider ldap
AuthLDAPUrl ldap://localhost:389/ou=people,dc=mysite,dc=com?uid
Require valid-user
Satisfy all
Apache Log:
[Sun Jun 17 23:47:51.454443 2018] [auth_basic:error] [pid 10801] [client 98.113.59.60:52870] AH01618: user myusername not found: /
OpenLDAP log:
[17-06-2018 23:47:51] slapd debug conn=1150 fd=24 ACCEPT from IP=127.0.0.1:38178 (IP=0.0.0.0:389)
[17-06-2018 23:47:51] slapd debug conn=1150 op=0 BIND dn="" method=128
[17-06-2018 23:47:51] slapd debug conn=1150 op=0 RESULT tag=97 err=0 text=
[17-06-2018 23:47:51] slapd debug conn=1150 op=1 SRCH base="ou=people,dc=mysite,dc=com" scope=2 deref=3 filter="(&(objectClass=*)(uid=myusername))"
[17-06-2018 23:47:51] slapd debug conn=1150 op=1 SRCH attr=uid
[17-06-2018 23:47:51] slapd debug conn=1150 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=
I figured I'd try to replicate the filter in the OpenLDAP log. First, a little sanity check, checking that people actually exists:
$ ldapsearch -x -b "dc=mysite,dc=com" -s one
# extended LDIF
#
# LDAPv3
# base <dc=mysite,dc=com> with scope oneLevel
# filter: (objectclass=*)
# requesting: ALL
#
# ... stuff
# people, mysite.com
dn: ou=people,dc=mysite,dc=com
objectClass: organizationalUnit
objectClass: top
ou: people
# ... stuff
Now checking that the user actually exists:
$ ldapsearch -x -b "ou=people,dc=mysite,dc=com" -s one
# extended LDIF
#
# LDAPv3
# base <ou=people,dc=mysite,dc=com> with scope oneLevel
# filter: (objectclass=*)
# requesting: ALL
#
# ... stuff
# My User, people, mysite.com
dn: cn=My User,ou=people,dc=mysite,dc=com
givenName: My
gidNumber: 500
homeDirectory: /home/users/myusername
sn: User
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
uid: myusername
cn: My User
loginShell: /bin/bash
uidNumber: 2000
Neat! The person exists. Now when I copy the filter from the OpenLDAP logs to the command line, I get no entries:
$ ldapsearch -x -b "ou=people,dc=mysite,dc=com" "(&(objectClass=*)(uid=myusername))" uid
# extended LDIF
#
# LDAPv3
# base <ou=people,dc=mysite,dc=com> with scope subtree
# filter: (&(objectClass=*)(uid=myusername))
# requesting: uid
#
# search result
search: 2
result: 0 Success
# numResponses: 1
Now, if I insert at least one asterisk into the uid portion of the filter, it returns the requested entry. I can put the asterisk at the end or at the beginning or in the middle. I can put as many or as few as I want. It doesn't matter.
$ ldapsearch -x -b "ou=people,dc=mysite,dc=com" "(&(objectClass=*)(uid=my*user*name))" uid
# extended LDIF
#
# LDAPv3
# base <ou=people,dc=mysite,dc=com> with scope subtree
# filter: (&(objectClass=*)(uid=my*user*name))
# requesting: uid
#
# My User, people, mysite.com
dn: cn=My User,ou=people,dc=mysite,dc=com
uid: myusername
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
I'm running Ubuntu 16.04. How can I resolve this so I can authenticate into Apache using UID?
edit: I also found I could no longer SSH using LDAP uids.
Since the filter (&(objectClass=*)(uid=my*user*name)), which hits the substring matching rule, does work (with (objectClass=*) always evaluating to true), I suspect that you've added an eq-index to your slapd configuration after adding the user entry without re-indexing your database.
See also: OpenLDAP FAQ: How do I add an index after populating the database?

Cannot add uniqueMember with ldapmodify in OpenLDAP

I cannot add uniqueMembers to a static group (objectClass: groupOfUniqueNames).
According to this documentation:
Modifying group entries: In order to add a member to a static group, add the user's distinguished name as an additional value for the member or uniqueMember attribute. Following is an example:
ldapmodify -h 127.0.0.1 -D "cn=admin" -w xxxx -f modStaticGrp.ldif
Where modStaticGrp.ldif contains:
dn: cn=group1, o=Your Company
changetype: modify
add: member
member: cn=jeff, cn=tim, o=Your Company
dn: cn=group2, o=Your Company
changetype: modify
add: uniqueMember
uniqueMember: cn=joe,o=Your Company
When I try to add a uniqueMember with ldapmodify with the following ldif file:
dn: cn=Private,o=My Company
changetype: modify
add: uniqueMember
uniqueMember: uid=1234567890,ou=My Company
I get the error:
ldapmodify: wrong attributeType at line 4, entry "cn=Private,o=My Company"
What am I missing? Any ideas?
uid=1234567890,ou=My Company
A uniqueMember value is a complete DN. Judging by the rest of your DNs this should be something like
uid=1234567890,o=My Company
although I would have expected to see something more like this:
uid=1234567890,ou=Users,o=My Company
actually, depending on exactly how you've designed your DIT. You shouldn't be adding user entries at its top level.

Foswiki and LDAP authentication

I have a problem with connecting Foswiki to LDAP. I want to authenticate users against an LDAP directory (as stated in the requirements of a school seminar assignment), but it doesn't work. When I try to log in with my name, which is already stored in LDAP, it just writes "Oops: we could not recognize you. Try again or reset your password." I will be thankful for any help and will provide any further information necessary.
Foswiki config: http://pastebin.com/NRx4V9Ck
I am trying to log in with the name MarianBaca, and here is the output of
ldapsearch -H ldap://localhost -b dc=bis01,dc=vse,dc=cz -x '(givenName=Marian)'
# extended LDIF
#
# LDAPv3
# base <dc=bis01,dc=vse,dc=cz> with scope subtree
# filter: (givenName=Marian)
# requesting: ALL
#
# MarianBaca, bis01.vse.cz
dn: cn=MarianBaca,dc=bis01,dc=vse,dc=cz
cn: MarianBaca
givenName: Marian
gidNumber: 500
sn: Baca
loginShell: /bin/sh
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
uidNumber: 1000
uid: MarianBaca
homeDirectory: /home/MarianBaca
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
Contents of /etc/ldap/ldap.conf:
#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
BASE dc=bis01,dc=vse, dc=cz
URI ldap://bis01.vse.cz
#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
# TLS certificates (needed for GnuTLS)
TLS_CACERT /etc/ssl/certs/ca-certificates.crt
Since your pasted Foswiki configuration has been removed, I will try to answer to the best of my knowledge.
I am assuming you are using LdapContrib.
Ensure your UserMappingManager is set to Foswiki::Users::LdapUserMapping.
Ensure your PasswordManager is set to something sensible, i.e. Foswiki::Users::LdapPasswdUser.