I'm going to start TLS connection for LDAP. I have followed this link which uses gnuTLS tool for generating self-signed certificates.
Slapd starts well.
When i run the command:
ldapsearch -x -b "dc=platalytics,dc=com" -H 'ldaps://122.129.79.69' -ZZ
it shows my whole DIT structure.
But wen i run this command:
ldapsearch -x -b "dc=platalytics,dc=com" -H 'ldaps://122.129.79.69' -ZZ
it gives error:
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
I'm new to LDAP. I don't have much understanding. Can anyone please explain what could be the issue?
Also i came to know conventional SSL certificates does not work well with LDAP. We have to create separate certificates for LDAP to startTLS connection. Is it the case?
looks like your commands are the same?
For StartTLS Use
ldapsearch -x -b "dc=platalytics,dc=com" -H 'ldap://122.129.79.69' -ZZ
(ie not LDAPS) when using StartTLS.
-jim
Related
I would like to use ldapsearch for an authentication test to a remote Windows server from a Linux instance (Amazon Linux OS). Kerberos bind is working via GSS-API installed from package cyrus-sasl-gssapi, is there an equivalent package that can be used for GSS-SPNEGO? I would like the ability to fall back to NTLM authentication in case Kerberos is not working.
The server supports both GSSAPI and GSS-SPNEGO but from the client side it appears that GSS-SPNEGO is not available. Output from ldapsearch is shown below:
ldapsearch -H "ldap://$HOST_NAME" -b "" -s base -Y GSS-SPNEGO
ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
additional info: SASL(-4): no mechanism available: No worthy mechs found
Using cyrus-sasl-ntlm did not work because it appears the server does not support this:
ldapsearch -H "ldap://$HOST_NAME" -b "" -s base -Y NTLM
SASL/NTLM authentication started
ldap_sasl_interactive_bind_s: Authentication method not supported (7)
additional info: 00002027: LdapErr: DSID-0C0905ED, comment: Invalid Authentication method, data 0, v2580
Is it possible to use SPNEGO bind with ldapsearch? Or is there another way to authenticate over NTLM?
#Grant,
You need to change the -Y option to "-Y GSSAPI"
For example:
ldapsearch -H ldap://example.com -b 'DC=example,DC=com' -Y GSSAPI
I am using curl command to invoke a rest service. It is as follows:
{curl -X POST --ssl-no-revoke --cacert xyz.pem -K urls.txt -H "Authorization:Basic XYZ" -H "Content-Type:application/json" -d #data.json}
The above command is used to hit the service using one way SSL and basic authorization. The data to be passed is enclosed in data.json file and the urls to be hit are enclosed in urls.txt file.
The above command works perfectly in Windows but when executed from linux, it says:
{curl: option --ssl-no-revoke: is unknown
curl: try 'curl --help' or 'curl --manual' for more information}
I want to disable certificate revocation checks altogether. It looks like {--ssl-no-revoke} works on Windows but not Unix/Linux.
Would like to know if any alternative.
ssl-no-revoke is Windows Only. The only alternative I'm aware of is to have a valid certificate or not use SSL.
https://curl.haxx.se/docs/manpage.html
Using a valid certificate is not always a solution as revocation checks will fail with a valid certificate too when there is no Internet connection (for example, in the presence of a captive portal).
One way is to disable certificate checking altogether, i.e.:
curl --insecure https://www.example.com
Note that this will greatly reduce the security as self signed certificates will also be accepted as well as revoked ones!
I am new to working with LDAP, and my ultimate goal is to offer LDAP single sign-on in a web app. In order to achieve this, I'm trying to run ldapwhoami, but I'm running into issues. I am able to run other commands, like ldapsearch and ldapadd.
I'm running OpenLdap on Mac OS High Sierra.
My relevant slapd.conf looks like this:
access to *
by self write
by * read
by anonymous auth
database ldif
suffix "dc=test,dc=com"
directory openldap-data
rootdn "cn=admin,dc=test,dc=com"
## rootpw = secret
rootpw {SSHA}fFjKcZb4cfOAcwSjJer8nCGOEVRUnwCC
I then added a user with ldapadd -x -w secret -f shanson.ldif, where shanson.ldif looks like:
dn: cn=shanson,dc=test,dc=com
objectClass: inetOrgPerson
sn: Hanson
uid: shanson
cn: shanson
userPassword: secret
I am successfully able to search for and find this new user with ldapsearch -x "(cn=shanson)".
Now, I am trying to verify the user's credentials using ldapwhoami, and I keep getting an error:
> ldapwhoami -x -D cn=shanson,dc=test,dc=com -w secret
ldap_bind: Invalid credentials (49)
The same operation with my root admin user succeeds:
> ldapwhoami -x -D cn=admin,dc=test,dc=com -w secret
dn:cn=admin,dc=test,dc=com
I'm sure I'm just making a simple mistake or not understanding what I'm doing, but I don't really know where else to look right now for answers. Thanks!
It seems to have had something to do with the plain text password I set up. I installed Jxplorer and manually updated my user's password and hashed it with MD5, and now the ldapwhoami command works. If I set the password as plain text in JXplorer, ldapwhoami still does not work. Beyond that, I'm not entirely sure what I was doing wrong.
For me, my dn was wrong.
I did an ldapsearch with admin credentials to get the dn: uid=xxx,ou=xxx,dc=xxx,dc=xxx,dc=xxx
Then I did an ldapwhoami -x -D "uid=xxx,ou=xxx,dc=xxx,dc=xxx,dc=xxx" -w secret and it worked fine.
I'm setting up this authentication through OpenLDAP:
OpenLDAP -> Pass-through (External authentication) -> SASL -> PAM -> RSA Agent
In order to access to an application via a RSA Token.
Starting from the bottom to the top:
This is my PAM configuration:
#%PAM-1.0
auth required pam_securid.so
account sufficient pam_ldap.so
account include password-auth
password sufficient pam_ldap.so
password include password-auth
This test works great:
[root#ldap ~]# testsaslauthd -u goingsolo -p 11111111
0: OK "Success."
OpenLdap is correctly configured to works with the SASL Authenticatino in PLAIN:
[root#ldap /]# ldapsearch -h localhost -b "" -LLL -s base supportedSASLMechanisms -x
dn:
supportedSASLMechanisms: PLAIN
And the userPassword of my goingsolo user is configured with {SASL}goingsolo And if I do a SASL bind it works:
[root#datap-keldap-1-n01 /]# ldapsearch -h localhost -b dc=ldap,dc=com -U "goingsolo" -w 11111111
SASL/PLAIN authentication started
0: OK "Success."
The problem is when I perform a simple bind with -D instead of -U, I receive invalid credentials:
[root#datap-keldap-1-n01 /]# ldapsearch -h localhost -b dc=ldap,dc=com -D "cn=goingsolo,ou=People,dc=ldap,dc=com" -w 11111111
ldap_bind: Invalid credentials (49)
Also when performing a sasl bind with the full dn, the authentication fails because from the /var/lag/messages:
Mar 27 19:01:00 ldap saslauthd[11777]: do_auth : auth failure: [user=cn=goingsolo,ou=People,dc=ldap,dc=com] [service=ldap] [realm=] [mech=pam] [reason=PAM auth error]
I guess this is because it does not a translate from the full dn to the simple user (goingsolo).
Any tips on what should I check?
The problem was how OpenLdap was build (I guess wrong compiling). I tryed to reinstall it and then it worked. Be sure the SASL machanism is set to plain.
I have currently installed OID (Oracle Internet Directory) and created some roles and users in them. I intend to access them using LDAP commands.
$ldapbind -p <port_number> -h <ip> -D "cn=orcladmin"
bind sucessful
$ ldapsearch -h <port_number> -p <ip> "dc=<name>"
ldap_search: Inappropriate authentication
ldap_search: additional info: Server is Configured to Deny Anonymous Binds
Is there something I am missing ?
On your ldapsearch command, add the -D "cn=orcladmin" for who you are binding as, -w "Password" or -W to prompt at run time. Probably you want a -b "ou=Base,dc=DNtoSearch" and then your filter as you have it.
You need to bind each time.