Why does ldapsearch return nothing but slapcat does? - ldap

I'm trying to understand how LDAP works. I tried to list the olcAccess of LDAP with this command:
$ ldapsearch -x -b 'cn=config' "objectclass=*" -s sub
# extended LDIF
#
# LDAPv3
# base <cn=config> with scope subtree
# filter: objectclass=*
# requesting: ALL
#
# search result
search: 2
result: 32 No such object
# numResponses: 1
I also tried with the admin user (ldapsearch -x -W -D 'cn=admin,dc=example,dc=com' -s sub -b 'cn=config' 'objectclass=*'). Same output as above.
But with slapcat -b 'cn=config', I get everything.
Why?

I believe it is not possible to do this with simple authentication.
You have to use the EXTERNAL mechanism for operations against the config DIT of the local ldap server:
sudo ldapsearch -LLLY EXTERNAL -H ldapi:/// -b cn=config

Related

G Suite LDAP Search with ldapsearch

I've configured an ldap app in G Suite and I've downloaded the cert & key. I'm trying to query it via ldapsearch:
LDAPTLS_CERT="Google_cert.crt" \
LDAPTLS_KEY="Google_cert.key" \
ldapsearch -H ldaps://ldap.google.com:636 -b dc=XXXXX,dc=XXX -x '(mail=first.last#XXXXX.XXX)'
The response I get is this:
# extended LDIF
#
# LDAPv3
# base <dc=XXXXX,dc=XXX> with scope subtree
# filter: (mail=first.last#XXXXX.XXX)
# requesting: ALL
#
# search result
search: 2
result: 0 Success
# numResponses: 1
I'm not sure how to interpret the response. Did it execute the search and find nothing? What do the search, result, and numResponses mean?
I would expect more information, as I'm searching for myself, so I know I'm in there. Is my query messed up?
EDIT
Based on the comments, I changed my query to *:
LDAPTLS_CERT="Google_cert.crt" \
LDAPTLS_KEY="Google_cert.key" \
ldapsearch -H ldaps://ldap.google.com:636 -b dc=XXXXX,dc=XXX -x '*'
and got this:
# extended LDIF
#
# LDAPv3
# base <dc=XXXXX,dc=XXX> with scope subtree
# filter: (objectclass=*)
# requesting: *
#
# XXXXX.XXX
dn: dc=XXXXX,dc=XXX
objectClass: top
objectClass: domain
objectClass: dcObject
dc: XXXXX
# Groups, XXXXX.XXX
dn: ou=Groups,dc=XXXXX,dc=XXX
objectClass: top
objectClass: organizationalUnit
ou: Groups
# search result
search: 2
result: 0 Success
# numResponses: 3
# numEntries: 2
Does this mean the only next level container is Groups and that next I need to search down in that ou?
I'm on a Mac, and ldapsearch on Mac is different. Instead of using LDAPTLS_CERT & LDAPTLS_KEY, I had to convert the certificate and key files to one PKCS12 formatted file and import them into my MacBook's keychain, then use the LDAPTLS_IDENTITY environment variable with the ldapsearch command. The page "Connect LDAP clients to the Secure LDAP service" has specific instructions for using ldapsearch on macOS.
After that, this is the command that found my user:
LDAPTLS_IDENTITY="LDAP Client" ldapsearch -H ldaps://ldap.google.com:636 -b dc=XXXXX,dc=XXX '(uid=first.last)'
Hope this saves somebody else some time.
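The lines asked about here (search, result, numResponses, numEntries) are the trailer ldapsearch prints after the entries: "search: 2" is the message id, "result:" is the LDAP result code, and the numResponses/numEntries counts are comments. The parser below is an added example, not code from any post on this page: it splits a captured ldapsearch run into entries plus the result code and tells apart the three outcomes that appear here, result 32 as in the first question (base DN not found, or not visible to the bind used), result 0 with no entries as in this question (the search ran, the filter matched nothing), and result 4 as in the memberOf question further down (size limit hit, output truncated). The sample input is constructed in the shape of the first question's output.

```python
import base64
import re

RESULT_RE = re.compile(r"^result:\s+(\d+)\s*(.*)$")
COUNT_RE = re.compile(r"^#\s*(numResponses|numEntries):\s+(\d+)$")

# Constructed sample modelled on the first question's output, not a real capture.
SAMPLE_NO_SUCH_OBJECT = ("# base <cn=config> with scope subtree\n# search result\n"
                         "search: 2\nresult: 32 No such object\n# numResponses: 1\n")

def parse_ldapsearch(output):
    """Return (entries, result_code, result_text, counts): one {attr: [values]}
    dict per DN, plus the numResponses/numEntries the trailer prints as comments."""
    entries, current, last_attr = [], {}, None
    code, text, counts = None, "", {}
    for line in output.splitlines():
        line = line.rstrip()
        if m := RESULT_RE.match(line):
            code, text = int(m.group(1)), m.group(2)
        elif m := COUNT_RE.match(line):
            counts[m.group(1)] = int(m.group(2))
        elif not line or line.startswith(("#", "search:")):
            if current:                    # a comment or blank line ends an entry
                entries.append(current)
            current, last_attr = {}, None
        elif line.startswith(" ") and last_attr:
            current[last_attr][-1] += line[1:]   # LDIF folded continuation line
        else:
            attr, _, value = line.partition(":")
            if value.startswith(":"):      # 'attr:: <base64>' form
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            last_attr = attr.strip()
            current.setdefault(last_attr, []).append(value.strip())
    if current:
        entries.append(current)
    return entries, code, text, counts

def interpret(output):
    """Explain the outcome in the terms the questions above ask about."""
    entries, code, text, counts = parse_ldapsearch(output)
    if code == 32:
        return "no such object: base DN missing or not visible to this bind"
    if code == 4:
        return f"size limit exceeded: {len(entries)} entries shown, more exist"
    if code == 0:
        n = counts.get("numEntries", len(entries))
        return f"success: {n} entries matched" if n else "success: base exists, nothing matched"
    return f"result {code} {text}".strip()
```

Feed it the raw stdout of ldapsearch (without -LLL, so the comment trailer is present); a result of 0 with no entries means the base exists and the filter simply did not match, which is why the "(mail=...)" search above looked empty while "*" returned the containers.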

How to bind a user and ensure they are in the correct group?

I think what I am trying to do is fairly simple: I want to set up LDAP so that incoming binds check that the password is correct and that the user is a member of a specific group.
Running the following query yields the following
ldapsearch -x -LLL -H ldap:/// -b uid=myname,ou=users,dc=example,dc=com dn memberof
Result
dn: uid=myname,ou=users,dc=example,dc=com
memberOf: cn=admin,ou=groups,dc=example,dc=com
I have tried the following query
ldapsearch -x -H "ldap://localhost" -D "(&(cn=My Name)(memberOf=cn=admin,ou=groups,dc=example,dc=com))" -W -b "dc=example,dc=com"
ldapsearch keeps throwing the following error
ldap_bind: Invalid DN syntax (34)
additional info: invalid DN
What am I doing wrong?
There are 2 things to fix in your search query:
the filter part should be placed after all options and before the list of attributes if any.
the -D option requires an argument, a bind dn to bind to the LDAP directory.
In other words: ldapsearch -x -H <ldapuri> -D <binddn> -W -b <basedn> <filter>
Assuming you can use this bind dn cn=manager,dc=example,dc=com, you should end up with a query looking like this:
ldapsearch -x -H "ldap://localhost" -D "cn=manager,dc=example,dc=com" -W -b "dc=example,dc=com" "(&(cn=My Name)(memberOf=cn=admin,ou=groups,dc=example,dc=com))"
https://linux.die.net/man/1/ldapsearch

What's wrong with the new added ldap database?

I added a new domain to the OpenLDAP mdb database, but I cannot access it. What's the problem?
Here is the process:
$ ldapadd -H ldapi:// -Y EXTERNAL -f newdb.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "olcDatabase=mdb,cn=config"
$ cat newdb.ldif
dn: olcDatabase=mdb,cn=config
objectClass: olcMdbConfig
olcDatabase: mdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=example01,dc=com
olcRootDN: cn=admin,dc=example01,dc=com
olcRootPW: {SSHA}J9qNsUzm8nVDQdqWV6XUC0vZQWtml7Cs
I can list it through search base "cn=config":
$ ldapsearch -H ldapi:// -Y EXTERNAL -b "cn=config" "(olcRootDN=*)" olcSuffix olcRootDN olcRootPW -LLL -Q
dn: olcDatabase={21}mdb,cn=config
olcSuffix: dc=example01,dc=com
olcRootDN: cn=admin,dc=example01,dc=com
olcRootPW: {SSHA}J9qNsUzm8nVDQdqWV6XUC0vZQWtml7Cs
But I cannot access it, and I cannot add items to it:
$ ldapsearch -H ldapi:// -Y EXTERNAL -b 'dc=example01,dc=com' -s base '(objectclass=*)' -LLL -Q
No such object (32)
Any help is appreciated.
Adding the configuration for a new database doesn't create the top entry in that database.
You need to use ldapadd to add the entry "dc=example01,dc=com" (with an objectClass Domain).
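A minimal LDIF for that top entry, as an added example rather than part of the answer above; the suffix and rootdn are the ones from the question's newdb.ldif, and the file name top.ldif is an assumption:

```ldif
# top.ldif: the entry named by the new database's olcSuffix (added example)
dn: dc=example01,dc=com
objectClass: top
objectClass: domain
dc: example01
```

Load it with ldapadd -x -H ldapi:// -D cn=admin,dc=example01,dc=com -W -f top.ldif, binding as the new database's rootdn (the -W prompt asks for the password set in olcRootPW) rather than via -Y EXTERNAL, since the rootdn is always allowed to write to its own database while the EXTERNAL identity is only granted what that database's olcAccess rules give it. Once the entry exists, the -s base search from the question returns it instead of "No such object (32)".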

Anonymous pull on docker repo in artifactory

I am on artifactory version 4.6 and have the following requirement on the docker registry.
Allow anonymous pulls on docker repository
Force authentication on the SAME docker repository
I know this is available out of the box on the later versions of Artifactory. However, upgrading isn't an option for us for a while.
Does the following workaround work?
Create a virtual docker repository on port 8443 and don't force authentication, call it docker-virtual
Create a local docker repository and force authentication, call it docker-local on port 8444
Configure 'docker-virtual' with the default deployment directory as 'docker-local'
docker pull docker-virtual should work
docker push docker-virtual should ask for credentials
Upon failure, I should be able to docker login docker-virtual
and docker push docker-virtual/myImage
Not sure about the artifactory side, but perhaps the following Docker advice helps.
You can run two registries, one RW with authentication and a second RO without any authentication, in Docker:
docker run -d -p 5000:5000 --restart=always --name registry \
-v `pwd`/certs:/certs:ro \
-v `pwd`/auth/htpasswd:/auth/htpasswd:ro \
-v `pwd`/registry:/var/lib/registry \
-e "REGISTRY_HTTP_TLS_CERTIFICATE=/certs/host-cert.pem" \
-e "REGISTRY_HTTP_TLS_KEY=/certs/host-key.pem" \
-e "REGISTRY_AUTH=htpasswd" \
-e "REGISTRY_AUTH_HTPASSWD_REALM=My Registry" \
-e "REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd" \
-e "REGISTRY_STORAGE_FILESYSTEM_ROOTDIRECTORY=/var/lib/registry" \
registry:2
docker run -d -p 5001:5000 --restart=always --name registry-ro \
-v `pwd`/certs:/certs:ro \
-v `pwd`/auth/htpasswd:/auth/htpasswd:ro \
-v `pwd`/registry:/var/lib/registry:ro \
-e "REGISTRY_HTTP_TLS_CERTIFICATE=/certs/host-cert.pem" \
-e "REGISTRY_HTTP_TLS_KEY=/certs/host-key.pem" \
-e "REGISTRY_STORAGE_FILESYSTEM_ROOTDIRECTORY=/var/lib/registry" \
registry:2
Note the volume settings for /var/lib/registry in each container. Then to pull from the anonymous registry, you'd just need to change the port. Since the filesystem is RO, any attempt to push to 5001 will fail.
The closest thing you can achieve is failing on docker push without credentials (while succeeding with pull).
No idea if this works with Artifactory, sorry... You could try this handy project for Docker registry auth.
Configure the registry to use this: https://hub.docker.com/r/cesanta/docker_auth/
# registry config.yml
...
auth:
  token:
    # can be the same as your docker registry if you use nginx to proxy /auth to docker_auth
    # https://docs.docker.com/registry/recipes/nginx/
    realm: "example.com:5001/auth"
    service: "Docker registry"
    issuer: "Docker Registry auth server"
    rootcertbundle: /certs/domain.crt
And allow anonymous with the corresponding ACL:
# cesanta/docker_auth auth_config.yml
...
users:
  # Password is specified as a BCrypt hash. Use htpasswd -B to generate.
  "admin":
    password: "$2y$05$LO.vzwpWC5LZGqThvEfznu8qhb5SGqvBSWY1J3yZ4AxtMRZ3kN5jC" # badmin
  "": {} # Allow anonymous (no "docker login") access.
ldap_auth:
  # See: https://github.com/cesanta/docker_auth/blob/master/examples/ldap_auth.yml
acl:
  # See https://github.com/cesanta/docker_auth/blob/master/examples/reference.yml#L178
  - match: {account: "/.+/"}
    actions: ["*"]
    comment: "Logged in users do anything."
  - match: {account: ""}
    actions: ["pull"]
    comment: "Anonymous users can pull anything."
  # Access is denied by default.

ldapsearch filter memberOf group returning no results

I have run into a problem using the memberOf filter in my ldapsearch query. The customer is using OpenLDAP.
I have a group of users with 3 members.
When I query for users using ldapsearch:
ldapsearch -h hostname -p 393 -x -z 3 -b "o=XY,dc=group,dc=com,dc=xyz,dc=cz" "(&(objectClass=person))" 1.1
I get results containing also user XYZ.
# extended LDIF
#
# LDAPv3
# base <o=XYZ,dc=group,dc=com,dc=xyz,dc=cz> with scope subtree
# filter: (&(objectClass=person))
# requesting: 1.1
#
# XYZ, People, XY, xyz.com
dn: cn=XYZ,ou=People,o=XY,dc=group,dc=com,dc=xyz,dc=cz
...
# search result
search: 2
result: 4 Size limit exceeded
# numResponses: 4
# numEntries: 3
But when I use the filter:
ldapsearch -h hostname -p 393 -x -z 3 -b "o=XY,dc=group,dc=com,dc=xyz,dc=cz" "(&(objectClass=person)(memberOf=cn=X,ou=BusinessRoles,ou=AccessControl,o=XYZ,dc=group,dc=com,dc=xyz,dc=cz))"
I get no results.
Did I make any mistake in the query? Is the memberOf syntax OK?
Check with your admin to make sure that memberOf is enabled on the OpenLDAP server.
Check with your admin that anonymous access is allowed to this attribute.