I have configured OpenLDAP to store user information.
In Ping Federate, I have given the OpenLDAP connection information. LDAP connection has been established. I am using HTTP Basic adapter on the PF IDP side.
How do I give the search filter? I have given something like:
cn=$username.
The following is the User information in OpenLDAP directory server.
dn: cn=John Smith,ou=people,dc=highroads,dc=com
objectclass: inetOrgPerson
cn: John Smith
cn: John J Smith
sn: Smith
uid: jsmith
userpassword: jSmitH
ou: Sales
On single sign-on authentication, I gave:
Username : uid
Password : userpassword
from the user information in the OpenLDAP directory. But I am not able to access the SP resource.
Please let me know about the configuration information I should provide on the Ping Federate side.
Thanks,
Aswini J
You would manage this in your Password Credential Validator that you have assigned to the HTTP Basic Adapter. If the user is providing the attribute value stored in the "uid" attribute, then you would typically specify "uid=${username}" as the Search Filter and "dc=highroads,dc=com" as the Search Base for the PCV. You can make this more complex/specific as needed to ensure you only get a single user identity returned from your LDAP.
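As an added example (not PingFederate's own code, and not part of the answer above), the following Python builds the PCV-style search filter from a template such as "uid=${username}", escapes the substituted value per RFC 4515 so that the user's input cannot change the filter's structure, and then accepts a match only when exactly one entry is returned, which is the "single user identity" condition the answer calls for. The helper names, the constructed directory entries and the second "John Smith" entry are assumptions; the first entry is the one from the question.

```python
"""Added example (not PingFederate code): PCV-style search filter
construction with RFC 4515 escaping and a single-result check.
Helper names and the sample directory are assumptions."""
import re
from string import Template

# RFC 4515 section 3: these characters must be escaped inside an
# assertion value so that user input cannot alter the filter structure.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_filter(template: str, username: str) -> str:
    """Expand ${username} in a PCV-style template with an escaped value."""
    return Template(template).substitute(username=escape_filter_value(username))


def unescape_filter_value(value: str) -> str:
    """Reverse RFC 4515 hex escapes (\\XX) to recover the literal value."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def find_single_user(entries, search_filter: str):
    """Evaluate a simple equality filter "attr=value" (parentheses optional)
    over in-memory entries.

    Returns the matching entry only when exactly one entry matches; zero or
    several matches yield None so that authentication fails closed instead
    of picking an arbitrary identity.
    """
    m = re.fullmatch(r"\(?(\w+)=([^()]*)\)?", search_filter)
    if not m:
        raise ValueError(f"unsupported filter: {search_filter}")
    attr, wanted = m.group(1).lower(), unescape_filter_value(m.group(2))
    matches = [e for e in entries if wanted in e.get(attr, [])]
    return matches[0] if len(matches) == 1 else None


# Constructed directory content: the first entry is the question's user,
# the second (assumed) shares a cn value to show why "cn=..." is a poor key.
DIRECTORY = [
    {"dn": "cn=John Smith,ou=people,dc=highroads,dc=com",
     "cn": ["John Smith", "John J Smith"], "uid": ["jsmith"]},
    {"dn": "cn=John Smith,ou=other,dc=highroads,dc=com",
     "cn": ["John Smith"], "uid": ["jsmith2"]},
]

if __name__ == "__main__":
    print(find_single_user(DIRECTORY, build_filter("uid=${username}", "jsmith"))["dn"])
    print(find_single_user(DIRECTORY, build_filter("cn=${username}", "John Smith")))
    print(build_filter("uid=${username}", "j*"))
```

Searching on cn returns two entries for "John Smith" and therefore no identity, while uid yields exactly one; a value containing filter metacharacters is escaped (`uid=j\2a`) and simply fails to match anything.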
I have a Keycloak with an openLDAP User Federation. In the LDAP, I have a user 'someUser' that belongs to multiple groups, namely:
dn: cn=developers,ou=groups,dc=example,dc=com
changetype: add
objectclass: groupOfNames
member: cn=architects,ou=groups,dc=example,dc=com
dn: cn=architects,ou=groups,dc=example,dc=com
changetype: add
objectclass: groupOfNames
member: uid=someUser,ou=People,dc=example,dc=com
On my Keycloak, for the LDAP I have created an LDAP Mapper for the roles, like the following
Mapper Type : role-ldap-mapper
LDAP Roles DN : ou=groups,dc=example,dc=com
Role Name LDAP Attribute : cn
Role Object Classes: groupOfNames
Membership LDAP Attribute : member
Membership Attribute Type : DN
Membership User LDAP Attribute : uid
LDAP Filter:
MODE : READ_ONLY
User Roles Retrieve Strategy: LOAD_ROLES_BY_MEMBER_ATTRIBUTE
Member-Of LDAP Attribute : memberOf
Use Realm Roles Mapping : ON
The problem is that when I try to get a token on behalf of the user 'someUser', only the role 'architects' appears in the token. Based on the LDAP group nesting, I expected that both the 'architects' and 'developers' roles would appear in the token.
Based on other answers on similar topics, I tried adding the following to the LDAP filter:
memberOf:1.2.840.113556.1.4.1941
But this seems to only work with Microsoft Active Directory.
My question is, what do I have to do in order to have both roles 'architects' and 'developers' in the token (besides hardcoding them)?
Try replacing member and objectclass in:
dn: cn=developers,ou=groups,dc=example,dc=com
changetype: add
objectclass: groupOfURLs
memberURL: ldap:///cn=architects,ou=groups,dc=example,dc=com?sub?(objectclass=*)
This kind of group definition is called a dynamic group; you should try ldapsearch against your OpenLDAP server to see if the directory sends the correct objects, for example:
./ldapsearch -h localhost --port 1389 -D "cn=Directory Manager" -w "password" -b "uid=someUser,ou=People,dc=example,dc=com" -s sub "(objectclass=*)" member
For more info: https://www.zytrax.com/books/ldap/ch11/dynamic.html
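To make the nesting problem concrete, here is an added Python example (not Keycloak or OpenLDAP code, and not part of the answer above) that parses the question's two groups plus a constructed entry for someUser and compares a direct member lookup, which is what a member-attribute role lookup sees, with a transitive walk over nested groupOfNames entries. The LDIF parser, function names and the user entry are assumptions; the group DNs are the question's.

```python
"""Added example (not Keycloak or OpenLDAP code): direct versus nested
groupOfNames membership resolved on the client side. The LDIF holds the
question's two groups plus a constructed entry for someUser."""
from collections import deque

LDIF = """\
dn: uid=someUser,ou=People,dc=example,dc=com
objectclass: inetOrgPerson
uid: someUser

dn: cn=developers,ou=groups,dc=example,dc=com
objectclass: groupOfNames
member: cn=architects,ou=groups,dc=example,dc=com

dn: cn=architects,ou=groups,dc=example,dc=com
objectclass: groupOfNames
member: uid=someUser,ou=People,dc=example,dc=com
"""


def parse_ldif(text):
    """Parse a minimal LDIF (no continuation lines, no base64 values) into
    {dn: {attr: [values]}}; attribute names are lower-cased."""
    entries, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            current = None
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            current = entries.setdefault(value, {})
        elif current is not None:
            current.setdefault(attr, []).append(value)
    return entries


def direct_groups(entries, member_dn):
    """Groups whose member attribute lists member_dn directly (the result
    a LOAD_ROLES_BY_MEMBER_ATTRIBUTE style lookup returns)."""
    return {dn for dn, attrs in entries.items()
            if "groupofnames" in (v.lower() for v in attrs.get("objectclass", []))
            and member_dn in attrs.get("member", [])}


def nested_groups(entries, member_dn):
    """Transitive closure over member: a group that is itself a member of
    another group carries its members into that group. The visited set
    guards against membership cycles."""
    seen, queue = set(), deque([member_dn])
    while queue:
        dn = queue.popleft()
        for group in direct_groups(entries, dn):
            if group not in seen:
                seen.add(group)
                queue.append(group)
    return seen


def role_names(group_dns):
    """Map group DNs to their cn RDN value, as the role-ldap-mapper does."""
    return sorted(dn.split(",", 1)[0].split("=", 1)[1] for dn in group_dns)


if __name__ == "__main__":
    entries = parse_ldif(LDIF)
    user = "uid=someUser,ou=People,dc=example,dc=com"
    print("direct:", role_names(direct_groups(entries, user)))
    print("nested:", role_names(nested_groups(entries, user)))
```

The direct lookup yields only architects, matching the token the question describes; the transitive walk yields both architects and developers. Whether that walk happens in the directory (dynamic groups, as the answer suggests) or in the client, something has to perform it.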
I've got LDAP working with OpenFire, at least for users and authentication, but I'm having some trouble getting it to see my group's members.
A sample group in our LDAP schema (which is IPA-based) looks like:
dn: cn=infrastructure,cn=groups,cn=accounts,dc=our,dc=net
member: uid=bretw,cn=users,cn=accounts,dc=our,dc=net
member: uid=bobs,cn=users,cn=accounts,dc=our,dc=net
:
objectClass: top
objectClass: groupofnames
objectClass: nestedgroup
objectClass: ipausergroup
objectClass: ipaobject
objectClass: posixgroup
cn: infrastructure
description: Infrastructure group
ipaUniqueId: <blah>
gidNumber: 9590000048
My group settings are default, except that I added a group filter of "(objectClass=ipausergroup)" to catch the actual groups and screen out the ones that are just for individual users. I'm using "cn=accounts,dc=our,dc=net" as our base DN.
What should I be doing to ensure that OpenFire 4.5.1 can see into our groups? It finds them, but says each has 0 members, which we know to not be true.
Turns out anonymous logins don't work for filling out groups. Once I set an administrator DN, groups populated properly.
I am quite new in administering LDAP, but I have come quite far...
On my OpenLDAP server I am using phpLDAPadmin to do the following:
I have an entry with a structural objectclass account because I need the attribute host.
Now I want to add the attribute mail to this entry, but this does not appear in the list when selecting Add new attribute.
So I thought I could add the objectClass inetOrgPerson which has the attribute mail but this objectClass is not in the list of classes I can add to this entry; only non-structural classes are listed...
How can I add this attribute mail to an entry with the structural class account?
This is the current ldif for this user (with some parts changed/removed for privacy)
# Entry 1: cn=intrixius,ou=Admins,ou=Managed,dc=bla,dc=eu
dn: cn=intrixius,ou=Admins,ou=Managed,dc=bla,dc=eu
cn: intrixius
gecos: intrixius
gidnumber: 500
homedirectory: /home/intrixius
host: host1
host: host2
loginshell: /bin/bash
objectclass: top
objectclass: account
objectclass: posixAccount
objectclass: shadowAccount
objectclass: ldapPublicKey
sshpublickey: ssh-rsa ... intrixius@arch
uid: intrixius
uidnumber: 16859
userpassword: {CRYPT}$6$X...
You can't have multiple STRUCTURAL object classes unless they form a single inheritance hierarchy.
If you can modify the schema of your LDAP server, you could create a new auxiliary class with the attribute 'mail' and assign it to your account. Some implementations also support the 'extensibleObject' auxiliary class that allows adding all attributes that are defined in the schema.
A good overview about class types etc. can be found here
I have configured an LDAP server on my Ubuntu 12.04 machine, the same server on which the Cloudera core Hadoop services are installed. Here I want to integrate Cloudera Hue with the LDAP server.
The following are my LDAP users:
root@ip-10-81-160-152:/home/ubuntu# ldapsearch -x -b "dc=gmps,dc=com"
# extended LDIF
#
# LDAPv3
# base <dc=gmps,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# gmps.com
dn: dc=gmps,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
o: gmps
dc: gmps
# admin, gmps.com
dn: cn=admin,dc=gmps,dc=com
cn: admin
description: LDAP administrator
objectClass: simpleSecurityObject
objectClass: organizationalRole
objectClass: uidObject
uid: admin
ou: admin
# aaryan aditya, students, users, gmps.com
dn: cn=aaryan aditya,cn=students,ou=users,dc=gmps,dc=com
cn: aaryan aditya
givenName: aaryan
gidNumber: 500
homeDirectory: /home/users/aditya
sn: aditya
loginShell: /bin/sh
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
uidNumber: 1000
uid: aditya
I use phpLDAPadmin to log in to my LDAP server, which works fine.
My Login DN: cn=admin,dc=gmps,dc=com
I have configured this LDAP server in Cloudera Hue as:
ldap_url : ldap://75.101.250.10
LDAP Username Pattern : "uid=admin,ou=admin,dc=greycampus,dc=com"
user_name_attr: admin
After this I restarted Hue and logged into the Hue web UI; there, if I click on
Hue ---> Manage Users ---> Sync LDAP users and groups --> Sync
I am not getting any users synced from the LDAP server.
If I click Add/Sync LDAP user, then enter the username and click OK, I am getting
There was an error when communicating with LDAP
{'info': 'invalid DN', 'desc': 'Invalid DN syntax'}
I don't know where I went wrong, and it is still confusing where I have to supply my LDAP password, and how Hue communicates with LDAP without a password. Kindly, can anyone please help?
I can't understand either your LDAP configuration or your Hue configuration.
Firstly, you define your LDAP root, dc=gmps,dc=com, OK.
Next, you define an admin role, which is definitely not a user, just a role.
dn: cn=admin,dc=gmps,dc=com
Finally you define a user, which doesn't seem to be linked to the admin role.
If you don't have any relation defined between a user and a role, it'll be difficult for hue to grant something to your user.
Next, about your Hue configuration:
The user should be a parameter of the pattern.
If a user DN is dn: cn=aaryan aditya,cn=students,ou=users,dc=gmps,dc=com, your pattern should be at least something like cn=
The Hue webapp substitutes the typed login into the pattern and makes a first request to validate the authentication of your user (i.e. username/password against the LDAP user information).
To perform the search, you need to define the LDAP search base (dc=gmps,dc=com) and a bind user, an authorized user DN allowed to look into your LDAP (for instance, cn=aaryan aditya,cn=students,ou=users,dc=gmps,dc=com).
If you want to limit global access to just a portion of your LDAP, you can specify an additional filter. Once you have defined a relation between users and roles, you will be able to restrict access to users by their roles.
You have to specify which attribute you are considering to identify the user (in your case, it seems to be cn, so user_name_attr = cn).
To do the mapping between LDAP and Hue permissions, you have to tell Hue which roles are considered, through the group_filter. Next you have to specify the attribute of the role which allows identifying the role (in your case, it seems to be cn).
Finally, you have to tell to hue which attribute allows you to link a role to a user (which doesn't seem to be undefined in your configuration)
Next, after restarting your cluster, everything should be OK. Syncing your users/groups will load users and roles from your LDAP into Hue; the next step will be to configure each role in Hue to give it the expected permissions.
The password history check in OpenLDAP is not working when I am using SHA-256 password hashing in OpenLDAP.
So I am sending the cleartext password from my Java application to OpenLDAP, and it is storing it in SHA-256 hashed form on its own.
Whenever I change the password, OpenLDAP stores the previous password in pwdHistory.
There is no problem with that, but when I change the password to the same password used previously, it is accepted without throwing any error.
I have been struggling to make it work for a few weeks. Please, somebody help me.
My environment details:
OpenLDAP 2.4.38
RHEL 6
The following details are also in slapd.conf:
include ../etc/openldap/schema/ppolicy.schema
password-hash {SHA256}
overlay ppolicy
ppolicy_default "cn=default,ou=pwdpolicies,dc=my-domain,dc=com"
ppolicy_hash_cleartext
My password policy:
dn: cn=Default,ou=pwdpolicies,dc=my-domain,dc=com
objectClass: pwdPolicy
objectClass: person
objectClass: top
cn: Default
sn: Default
pwdAttribute: userPassword
pwdMinAge: 0
pwdInHistory: 5
pwdFailureCountInterval: 0
pwdLockout: TRUE
pwdLockoutDuration: 0
pwdAllowUserChange: TRUE
pwdExpireWarning: 0
pwdGraceAuthNLimit: 0
pwdMustChange: FALSE
pwdSafeModify: FALSE
Kindly let me know if I have to give more information to nail down the issue. Please, please, please, someone help me on this. I badly need a solution for this.
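As an added example (not OpenLDAP's ppolicy code, and not part of the question above), the following Python performs the comparison that pwdInHistory is meant to enforce: a new cleartext password is checked against the hashed values kept in pwdHistory, and rejected if it matches any of the last N. Hashes use the {SHA256} and {SSHA256} encodings of OpenLDAP's pw-sha2 module (base64 of the SHA-256 digest, with the salt appended to the digest for the salted form), and pwdHistory values use the draft-behera-ldap-password-policy layout time#syntaxOID#length#value. The function names and all sample passwords, salts and timestamps are constructed.

```python
"""Added example (not OpenLDAP's ppolicy code): the password-history check
behind pwdInHistory, with {SHA256}/{SSHA256} hashed values. All sample
values are constructed."""
import base64
import hashlib
import hmac
import os
from typing import Optional

# LDAP Octet String syntax OID used in pwdHistory values.
OCTET_STRING_OID = "1.3.6.1.4.1.1466.115.121.1.40"


def hash_password(password: str, scheme: str = "{SSHA256}",
                  salt: Optional[bytes] = None) -> str:
    """Return an RFC 2307-style hashed password ({SHA256} or {SSHA256}).

    {SHA256} is base64(sha256(pw)); {SSHA256} is base64(sha256(pw+salt)+salt),
    the layout of OpenLDAP's pw-sha2 contrib module."""
    pw = password.encode()
    if scheme == "{SHA256}":
        digest = hashlib.sha256(pw).digest()
    elif scheme == "{SSHA256}":
        salt = os.urandom(8) if salt is None else salt
        digest = hashlib.sha256(pw + salt).digest() + salt
    else:
        raise ValueError(f"unsupported scheme {scheme}")
    return scheme + base64.b64encode(digest).decode()


def check_password(password: str, stored: str) -> bool:
    """Verify a cleartext password against a stored hash, re-using the salt
    carried in a {SSHA256} value. Comparison is constant-time."""
    scheme, _, b64 = stored.partition("}")
    scheme += "}"
    if scheme == "{SHA256}":
        return hmac.compare_digest(hash_password(password, scheme), stored)
    if scheme == "{SSHA256}":
        salt = base64.b64decode(b64)[32:]  # bytes after the 32-byte digest
        return hmac.compare_digest(hash_password(password, scheme, salt), stored)
    return False  # unknown scheme: cannot verify, so never report a match


def history_value(timestamp: str, hashed: str) -> str:
    """Encode one pwdHistory value: time#syntaxOID#length#data."""
    return f"{timestamp}#{OCTET_STRING_OID}#{len(hashed)}#{hashed}"


def history_hashes(pwd_history):
    """Extract the stored hash (the data field) from each pwdHistory value."""
    return [v.split("#", 3)[3] for v in pwd_history]


def reused_in_history(new_password: str, pwd_history, pwd_in_history: int = 5) -> bool:
    """True when new_password equals any of the last pwd_in_history entries.

    Values are ordered newest first by their leading timestamp, so only the
    most recent pwd_in_history passwords are considered."""
    recent = sorted(pwd_history, reverse=True)[:pwd_in_history]
    return any(check_password(new_password, h) for h in history_hashes(recent))


if __name__ == "__main__":
    history = [
        history_value("20240101000000Z", hash_password("p1", "{SHA256}")),
        history_value("20240201000000Z", hash_password("p2", "{SSHA256}")),
    ]
    print("p2 reused:", reused_in_history("p2", history))  # True
    print("p3 reused:", reused_in_history("p3", history))  # False
```

The check only works when the server can verify the submitted cleartext against every scheme present in pwdHistory; with pwd_in_history=1 the example considers only the newest entry, so "p1" is no longer refused, which is the behaviour the pwdInHistory: 5 setting above is meant to extend to the last five passwords.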