Ldap configuration and root connection - ldap

Mac: Open Ldap
I am new to OpenLDAP; I googled it and found that Mac OS comes with OpenLDAP installed by default.
I followed this tutorial: MAC Ldap tutorial
Following is my slapd.conf:
#######################################################################
# BDB database definitions
#######################################################################
database bdb
suffix "dc=my-domain,dc=com"
rootdn "cn=Manager,dc=my-domain,dc=com"
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw {SSHA}xEYpp/gcd4Mmf6j756LX4kBjSyYyZFz8
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /private/var/db/openldap/openldap-data
# Indices to maintain
index objectClass eq
Now I am using JXplorer as a client.
I tried the following credentials. I don't know what the user name will be, so I assumed that, like other apps, the default username may be root, and the password I used was the one I generated.
When I tried to log in I got the following error.
Any help is appreciated.

The BaseDN is the suffix, and the username is the rootDN.

Related

nss_ldap failed to bind to LDAP server

I have configured an LDAP client (Ubuntu 20.04) with nss_ldap to connect to an LDAP server and accept users in a specific group. It seems that everything is working fine: the client can access the LDAP server and LDAP users can access the client machine. However, I am receiving the following error message when the client connects to the LDAP server:
systemd-logind: nss_ldap: failed to bind to LDAP server ldap://[IP address]: Can't contact LDAP server
systemd-logind: nss_ldap: reconnecting to LDAP server...
systemd-logind: nss_ldap: could not connect to any LDAP server as cn=admin,dc=example,dc=com - Can't contact LDAP server
systemd-logind: nss_ldap: could not search LDAP server - Server is unavailable
And here are my configuration files:
/etc/ldap.conf
Note that the parameter nss_initgroups_ignoreusers is auto-generated.
# The distinguished name of the search base.
base dc=example,dc=com
# Another way to specify your LDAP server is to provide an
uri ldap://[IP address]
# The LDAP version to use (defaults to 3
# if supported by client library)
ldap_version 3
# The distinguished name to bind to the server with
# if the effective user ID is root. Password is
# stored in /etc/ldap.secret (mode 600)
rootbinddn cn=admin,dc=example,dc=com
# Do not hash the password at all; presume
# the directory server will do it, if
# necessary. This is the default.
pam_password md5
nss_initgroups_ignoreusers _apt,backup,bin,clamav,daemon,fwupd-refresh,games,gnats,irc,landscape,list,lp,lxd,mail,man,messagebus,mysql,news,pollinate,proxy,root,sshd,sync,sys,syslog,systemd-coredump,systemd-network,systemd-resolve,systemd-timesync,tcpdump,tss,uucp,uuidd,www-data
/etc/ldap.secret --> contains the password.
/etc/nsswitch.conf
passwd: files ldap systemd
group: files ldap systemd
shadow: files ldap
gshadow: files
hosts: files dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
/etc/pam.d/common-session
# here are the per-package modules (the "Primary" block)
session [default=1] pam_permit.so
# here's the fallback if no module succeeds
session requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
session required pam_permit.so
# The pam_umask module will set the umask according to the system default in
# /etc/login.defs and user settings, solving the problem of different
# umask settings with different shells, display managers, remote sessions etc.
# See "man pam_umask".
session optional pam_umask.so
# and here are more per-package modules (the "Additional" block)
session required pam_unix.so
session optional pam_ldap.so
session optional pam_systemd.so
session required pam_mkhomedir.so skel=/etc/skel umask=0022
/etc/security/access.conf
I added this line: [ -:ALL EXCEPT root khloud (ldap-group) (admin) ubuntu:ALL EXCEPT LOCAL ]
/etc/pam.d/sshd --> uncommented the following line:
account required pam_access.so
Note:
I also tested the connection with ldapsearch and it works.
I tried changing the nsswitch.conf file and reinstalling the nss_ldap client, but I am still receiving the same error while everything is working right.

OpenLDAP Won't Set Encrypted Password: attribute 'userPassword' is not present in entry

I'm trying to set up an OpenLDAP server in a docker container on my local network. I got it set up and connected using Apache Directory Studio and created some posix groups/accounts with no trouble. The problem is, I can add a plaintext userPassword for my users but trying to use any type of encryption scheme results in the error:
entry failed schema check: value of naming attribute 'userPassword' is not present in entry
Other notes about my configuration:
I'm using a self-signed certificate using the LAN address to connect over LDAPS
Using the docker image osixia/openldap
I can provide any other configurations if needed.
Normally you would install the ppolicy module and set the "ppolicy_hash_cleartext" variable in slapd.conf to enable password hashing. Since you're using a docker container this will work slightly differently.
Check out the following page from the docker image you are using:
https://github.com/osixia/docker-openldap/issues/208
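An added example, not code from either post, that serves the first question's slapd.conf as well as this one: parse_slapd_conf pulls out the suffix (Base DN) and rootdn (User DN) that the first answer refers to, verify_ssha checks the rootpw hash against the password that was generated (the usual first thing to rule out when a rootdn bind fails), and make_ssha/userpassword_ldif produce a {SSHA} userPassword value on the client side, which is the alternative to server-side hashing via ppolicy_hash_cleartext. The config text, salt and password are constructed for the example.

```python
import base64
import hashlib
import hmac
import os

def parse_slapd_conf(text):
    """Pull the directives a client needs out of a slapd.conf:
    suffix -> Base DN, rootdn -> User DN, rootpw -> the stored hash."""
    conf = {}
    for raw in text.splitlines():
        parts = raw.strip().split(None, 1)
        if len(parts) == 2 and parts[0] in ("suffix", "rootdn", "rootpw"):
            conf[parts[0]] = parts[1].strip().strip('"')
    return conf

def make_ssha(password, salt=None):
    """Build a {SSHA} value the way slappasswd(8) does:
    base64(sha1(password || salt) || salt), with a 4-byte random salt."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")

def verify_ssha(password, stored):
    """Check a candidate password against a {SSHA} value; the salt is
    whatever follows the 20-byte SHA-1 digest in the decoded blob."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)

def userpassword_ldif(dn, password):
    """LDIF that replaces userPassword with an already-hashed value, so the
    directory stores a hash even without ppolicy_hash_cleartext."""
    return ("dn: %s\nchangetype: modify\nreplace: userPassword\n"
            "userPassword: %s\n" % (dn, make_ssha(password)))

# Constructed sample shaped like the slapd.conf in the first question; the
# rootpw hash is generated here for a known password, not the page's hash.
SAMPLE_CONF = (
    'database bdb\n'
    'suffix "dc=my-domain,dc=com"\n'
    'rootdn "cn=Manager,dc=my-domain,dc=com"\n'
    'rootpw ' + make_ssha("example-password", b"s4lt") + '\n'
)
```

The LDIF from userpassword_ldif can be applied with ldapmodify; in JXplorer the Base DN is what parse_slapd_conf returns under suffix and the User DN is the rootdn value.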

Since Removing Samba, Winbind, Krb5 - sudo: PAM authentication error: Module is unknown

I have purged a variety of packages in an effort to reinstall Samba and related DC AD from scratch.
Soon after, I receive this error at a prompt and am unable to log in with my normally working local user credentials.
Fortunately, I was still logged in via SSH but even there I get the following error anytime I try to use the sudo command.
sudo: PAM authentication error: Module is unknown
Any thoughts on how to cure this? I have found another post on Stack Overflow with a similar error but its resolution was of no value here.
This seemed to indicate a problem with the "sudo" module in /etc/pam.d/sudo but if you inspect the contents of /etc/pam.d/sudo you find there are 3 include statements in there:
#include common-auth
#include common-account
#include common-session-noninteractive
Solution:
In my case, if I restored common-account to the values found in any default Linux installation, the problem went away.
Further investigation showed me that since I had installed Samba, the only 4 files that changed in the /etc/pam.d/ folder since the original installation were the updated common-* files. So I went ahead and restored those 4 common-* files to their original version from any similar Linux installation, even though the problem was already solved by just restoring the common-account file.
Here is a copy of the content of common-account for Ubuntu 18.04 - 20.04 and possibly more:
# /etc/pam.d/common-account - authorization settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authorization modules that define
# the central access policy for use on the system. The default is to
# only deny service to users whose accounts are expired in /etc/shadow.
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules. See
# pam-auth-update(8) for details.
#
# here are the per-package modules (the "Primary" block)
account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so
# here's the fallback if no module succeeds
account requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
account required pam_permit.so
# and here are more per-package
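An added checker, not code from the post above, for the situation it describes: after packages are purged, a pam.d file can still name a module whose .so is gone, and Linux-PAM then installs a faulty handler for that entry that reports "Module is unknown". The checker walks a service file through its #include/@include lines (as /etc/pam.d/sudo does) and lists every module that is referenced but not installed, so you know which common-* file to restore. The file contents and the installed-module set below are constructed; scan_host reads a live Debian/Ubuntu host instead and its module directories are assumptions about that layout.

```python
import os
import re

# Constructed sample (hypothetical contents, not from a real host): the
# /etc/pam.d/sudo shown in the answer, plus a common-account that still
# names modules from the purged winbind and krb5 packages.
SAMPLE_FILES = {
    "sudo": "#include common-auth\n#include common-account\n"
            "#include common-session-noninteractive\n",
    "common-auth": "auth [success=1 default=ignore] pam_unix.so nullok_secure\n"
                   "auth requisite pam_deny.so\nauth required pam_permit.so\n",
    "common-account": "account [success=2 new_authtok_reqd=done default=ignore] pam_unix.so\n"
                      "account [success=1 default=ignore] pam_winbind.so\n"
                      "account requisite pam_deny.so\n"
                      "account required pam_permit.so\n"
                      "account required pam_krb5.so minimum_uid=1000\n",
    "common-session-noninteractive": "session required pam_unix.so\n",
}
# Constructed set of module files still present after the purge.
INSTALLED = {"pam_unix.so", "pam_deny.so", "pam_permit.so"}

# type, control (a single word or a [bracketed] list), then the module name
MODULE_LINE = re.compile(r"^-?\S+\s+(?:\[[^\]]*\]|\S+)\s+(\S+)")
INCLUDE_LINE = re.compile(r"^[#@]include\s+(\S+)")

def referenced_modules(service, files, seen=None):
    """Return (file, module) pairs for every module line reachable from
    `service`, following #include/@include and visiting each file once."""
    seen = set() if seen is None else seen
    if service in seen or service not in files:
        return []
    seen.add(service)
    found = []
    for raw in files[service].splitlines():
        line = raw.strip()
        inc = INCLUDE_LINE.match(line)
        if inc:  # must be tested before the comment check: '#include' starts with '#'
            found += referenced_modules(inc.group(1), files, seen)
        elif line and not line.startswith("#"):
            m = MODULE_LINE.match(line)
            if m:
                found.append((service, m.group(1)))
    return found

def unknown_modules(service, files, installed):
    """Modules the service's stack names but that are not installed: the
    candidates behind a 'Module is unknown' error for that service."""
    return sorted({fm for fm in referenced_modules(service, files) if fm[1] not in installed})

def scan_host(service="sudo", pam_dir="/etc/pam.d",
              module_dirs=("/lib/x86_64-linux-gnu/security", "/lib/security")):
    """Same check against a live host (paths are assumed Debian/Ubuntu defaults)."""
    files = {n: open(os.path.join(pam_dir, n)).read() for n in os.listdir(pam_dir)}
    installed = {f for d in module_dirs if os.path.isdir(d) for f in os.listdir(d)}
    return unknown_modules(service, files, installed)
```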

OpenLDAP does not validate TLS certificate

I am trying to run OpenLDAP (2.4.44 on RedHat 7.6) as a client against an existing LDAP server with TLS. This is working well - too well, actually. It looks to me as if OpenLDAP accepts any server certificate, instead of validating it against the CAs I provided.
Here is my ldap.conf file:
TLS_CACERT /etc/openldap/cacerts/ldap-2019.pem
TLS_REQCERT demand
URI ldaps://ldap.mydomain.com/
BASE ou=people,dc=mydomain,dc=com
# Some optimizations suggested by
# https://sourceforge.net/p/xcat/wiki/Setting_up_LDAP_in_xCAT/
set_cachesize 0 268435456 1
set_lg_regionmax 262144
set_lg_bsize 2097152
What I want to accomplish is of course that OpenLDAP validates the certificate for ldaps://ldap.mydomain.com against the list of CAs in TLS_CACERT.
But in reality, no matter what I put into the TLS_CACERT file, openldap seems to connect successfully, just as long as it is a valid PEM file.
What am I missing? Is there a second list of CAs that OpenLDAP consults? I also removed the CAs in /etc/pki/tls, just in case.
More details:
ldapsearch -x uid=somename fails if I delete the file I specified in TLS_CACERT. It also fails if TLS_CACERT is not a valid PEM file. This is of course expected behavior when the client cannot validate a TLS certificate:
ldapsearch -x uid=somename
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
But if I put a completely nonsensical certificate into the TLS_CACERT file, ldapsearch will return a result as if the server's certificate was valid.
ldapsearch -x uid=somename
# extended LDIF
#
# LDAPv3
# base <ou=people,dc=mydomain,dc=com> (default) with scope subtree
# filter: uid=somename
# requesting: ALL
#
# somename, People, mydomain.com
dn: uid=somename,ou=People,dc=mydomain,dc=com
...
For example, I tried using a certificate for www.google.com as a TLS_CACERT. I would have expected this connection to fail with the same "Can't contact LDAP server" error.
Update:
I found the cause but not the solution. OpenLDAP uses the certificate bundle in /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem. Renaming this file causes ldapsearch to behave as I expected, but of course that is not an acceptable solution since this is a systemwide file, not just for OpenLDAP.
So my new question is: how do I prevent OpenLDAP from using this file?
Update 2:
For clarification, this is on RedHat 7.6, and OpenLDAP 2.4.44. I assume that using the systemwide CA bundle is a RedHat modification to the stock OpenLDAP.

openshift oo-install:The implied host domain 'com' does not match the specified host domain of 'demo.com' for DNS

Hi all. I am trying to install OpenShift with one command:
[root@demo ~]# sh <(curl -s https://install.openshift.com/)
Checking for necessary tools...
...looks good.
Downloading oo-install package...
Extracting oo-install to temporary directory...
Starting oo-install...
OpenShift Installer (Build 20140722-1618)
.....
....
....
Deploying workflow 'origin_deploy'.
The OpenShift deployment configuration has the following errors:
* The implied host domain 'com' does not match the specified host domain of 'demo.com' for DNS
Rerun the installer to correct these errors.
I don't know what the reason is; it keeps telling me "the implied host domain 'com' ...". What needs to be changed?
[root@demo ~]# sh <(curl -s https://install.openshift.com/)
Checking for necessary tools...
...looks good.
Downloading oo-install package...
Extracting oo-install to temporary directory...
Starting oo-install...
OpenShift Installer (Build 20140722-1618)
Welcome to OpenShift.
This installer will guide you through a basic system deployment, based
on one of the scenarios below.
Select from the following installation scenarios.
You can also type '?' for Help or 'q' to Quit:
Install OpenShift Origin
Add a Node to an OpenShift Origin deployment
Generate a Puppet Configuration File
Type a selection and press : 1
Your system deployment configuration is incomplete.
The installer will guide you through the necessary configuration
steps.
Note: ActiveMQ and MongoDB will be installed on all Broker instances.
For more flexibility, rerun the installer in advanced mode (-a).
DNS Settings
Installer will deploy DNS
Application Domain: example.com
Register OpenShift hosts with DNS? Yes
Component Domain: demo.com
Global Gear Settings
Account Settings
Node Districts
Role Assignments
Host Information
The configuration file does not include some of the required settings
for host instance demo.com. Please provide them here.
Hostname (the FQDN that other OpenShift hosts will use to connect to
the host that you are describing): |demo.com|
Hostname / IP address for SSH access to demo.com from the host where
you are running oo-install. You can say 'localhost' if you are running
oo-install from the system that you are describing: |demo.com| 10.1.14.145
Username for SSH access to 10.1.14.145: |root|
Validating root@10.1.14.145... looks good.
Detected multiple network interfaces for this host:
* 192.168.142.128 on interface eth2
* 10.1.14.145 on interface eth3
Do you want to use one of these as the public IP information for this
Node? (y/n/q/?) y
The following network interfaces were found on this host. Choose the
one that it uses for communication on the local subnet:
1. 192.168.142.128 on interface eth2
2. 10.1.14.145 on interface eth3
Type a selection and press : 2
Normally, the BIND DNS server that is installed on this host will be
reachable from other OpenShift components using the host's configured
IP address (10.1.14.145).
If that will work in your deployment, press to accept the
default value. Otherwise, provide an alternate IP address that will
enable other OpenShift components to reach the BIND DNS service on
this host: |10.1.14.145|
This Node host is currently associated with the Default district. Do
you want to change this district assignment? (y/n/q) n
Do you want to modify the account info settings for the various role
services? (y/n/q/?) n
Here are the details of your current deployment.
Note: ActiveMQ and MongoDB will be installed on all Broker instances.
For more flexibility, rerun the installer in advanced mode (-a).
DNS Settings
Installer will deploy DNS
Application Domain: example.com
Register OpenShift hosts with DNS? Yes
Component Domain: demo.com
Choose from the following deployment configuration options:
1. Change the DNS configuration
2. Manage Hosts
3. Services Accounts Settings
4. Global Gear Settings
5. Node Districts
6. Display full Host details
7. Finish editing the deployment configuration
Type a selection and press : 7
Here is the subscription configuration that the installer will use for
this deployment.
Do you want to make any changes to the subscription info in the
configuration file? (y/n/q/?) n
Do you want to set any temporary subscription settings for this
installation only? (y/n/q/?) n
Preflight check: verifying system and resource availability.
Checking demo.com:
* SSH connection succeeded
* Target host is running CentOS
* Located getenforce
* SELinux is running in enforcing mode
* Located yum
* puppet RPM is installed.
* openssh-clients RPM is installed.
* bind RPM is installed.
Deploying workflow 'origin_deploy'.
The OpenShift deployment configuration has the following errors:
* The implied host domain 'com' does not match the specified host domain of 'demo.com' for DNS
Rerun the installer to correct these errors.
The issue is that OpenShift requires hosts to be part of a second-level domain. myhost.openshift.localdomain works, while myhost.localdomain does not.
I entered oshost.localdomain as component domain (configured right after the application domain) and 0.oshost.localdomain for the actual host and now it installs just fine.