ldapdelete and ldapsearch on linux platform - ldap

i am new to stackoverflow and Ldap if am asking stupid / easy pls do not mind.
am using linux platform i need command for below two thing
1) list all the users of a LDAP group name called Group1
i used filter with (objectclass=*) it showing all the information but i need to have only users name of group1.
And the other one
2) It has to delete all the users one by one or all together at once of group name called group1.
Platform : linux
i used ldapdelete but not succussed
Here is the query I'm trying to use, and its result:
ldapdelete -h myhost.com -p 389 -v "CN=sharma\,varma,CN=GAS_TEST2,OU=Delegated,OU=Groups,DC=gar,DC=corp,DC=xyz,DC=com" ldap_initialize( ldap://myhost.com:389 )
SASL/GSSAPI authentication started SASL username: lab_bldmstr#myhost.COM SASL SSF: 56 SASL installing layers deleting entry "CN=sharma\,varma,CN=GAS_TEST2,OU=Delegated,OU=Groups,DC=gar,DC=corp,DC=xyz,DC=com" –
ldap_delete: No such object (32) matched DN: CN=GAS_TEST2,OU=Delegated,OU=Groups,DC=gar,DC=corp,DC=xyz,DC=com
additional info: 0000208D: NameErr: DSID-0310020A, problem 2001 (NO_OBJECT), data 0, best match of: 'CN=GAS_TEST2,OU=Delegated,OU=Groups,DC=gar,DC=corp,DC=xyz,DC=com'
Can somebody give me a hint of what I'm doing wrong?

Related

Hydra can't detect any correct password on https form

I tried to use hydra for my sample website below:
https://demo.leafworks.jp/package/loginplus/admin.php
login id: admin
password: leafworks
login error message: ログインに失敗しました。
I tried this command:
hydra -l admin -p leafworks demo.leafworks.jp http-post-form "/package/loginplus/admin.php:login_key=^USER^&pass=^PASS^:ログインに失敗しました。"
But it returns:
Hydra v9.0 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2022-11-29 00:30:28
[DATA] max 1 task per 1 server, overall 1 task, 1 login try (l:1/p:1), ~1 try per task
[DATA] attacking http-post-form://demo.leafworks.jp:80/package/loginplus/admin.php:login_key=^USER^&pass=^PASS^:ログインに失敗しました。
1 of 1 target completed, 0 valid passwords found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2022-11-29 00:30:30
What is the problem with my command?
environment: Ubuntu 20.04.1 LTS

How to configure IBM MQ v9 to use Microsoft AD for user authentication

I'm trying to set up Microsoft AD like user repository for IBM MQ v9 Queue Manager , but without success. I read the document https://www.ibm.com/support/knowledgecenter/en/SSFKSJ_9.0.0/com.ibm.mq.ref.adm.doc/q085490_.htm, but it's very unclear with all those diagrams, dashes and arrows. My final goal is to have ability to grant or rewoke authorizations based od AD groups. Can someone give me complete commands example how to configure queue manager to use AD for user repository?
IBM MQ is v9.0.0.0 and runs on CentOS v7. Active Directory is on Windows Server 2019 machine.
I tried to set AUTHINFO with MQSC commands. All commands are executed without problems. After that I refreshed security and tried to grant authorizations with setmqaut command, but unsuccessful.
I tried with this below MQSC commands:
DEFINE AUTHINFO(MY.AD.CONFIGURATION) AUTHTYPE(IDPWLDAP) AUTHORMD(SEARCHGRP) FINDGRP(member) CONNAME('192.168.100.100') BASEDNG('OU=Groups,OU=MyCompany,DC=mycompany,DC=us') SHORTUSR('sAMAccountName') LDAPUSER('mybinduser') LDAPPWD('mypassword')
ALTER QMGR CONNAUTH(MY.AD.CONFIGURATION)
REFRESH SECURITY TYPE(CONNAUTH)
setmqaut -m MY.QUEUE.MANAGER -t qmgr -g myadgroup +all
After I execute command:
setmqaut -m MY.QUEUE.MANAGER -t qmgr -g myadgroup +all
This error is displyed i console: AMQ7026: A principal or group name was invalid.
And these below lines are recorded in queue manager log:
AMQ5531: Error locating user or group in LDAP
EXPLANATION:
The LDAP authentication and authorization service has failed in the ldap_search
call while trying to find user or group 'myadgroup '. Returned count is 0.
Additional context is 'rc = 87 (Bad search filter)
[(&(objectClass=groupOfNames)(=myadgroup ))]'.
ACTION:
Specify the correct name, or fix the directory configuration. There may be
additional information in the LDAP server error logs.
----- amqzfula.c : 2489 -------------------------------------------------------
On Active Directory side these lines are recorded in log:
An account failed to log on.
Subject:
Security ID: SYSTEM
Account Name: MYADSERVER$
Account Domain: MYDOMAINNAME
Logon ID: 0x3E7
Logon Type: 3
Account For Which Logon Failed:
Security ID: NULL SID
Account Name: mybinduser
Account Domain: MYDOMAINNAME
Failure Information:
Failure Reason: Unknown user name or bad password.
Status: 0xC000006D
Sub Status: 0xC000006A
Process Information:
Caller Process ID: 0x280
Caller Process Name: C:\Windows\System32\lsass.exe
Network Information:
Workstation Name: MYADSERVER
Source Network Address: 192.168.100.101
Source Port: 55592
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
Here beleow is output of the command DIS AUTHINFO(MY.AD.CONFIGURATION) ALL
AMQ8566: Display authentication information details.
AUTHINFO(MY.AD.CONFIGURATION) AUTHTYPE(IDPWLDAP)
ADOPTCTX(NO) DESCR( )
CONNAME(192.168.100.100) CHCKCLNT(REQUIRED)
CHCKLOCL(OPTIONAL) CLASSGRP( )
CLASSUSR( ) FAILDLAY(1)
FINDGRP(MEMBER) BASEDNG(OU=Groups,OU=MyCompany,DC=mycompany,DC=us)
BASEDNU( )
LDAPUSER(CN=mybinduser,OU=System,OU=Users,OU=MyCompany,DC=mycompany,DC=us)
LDAPPWD( ) SHORTUSR(sAMAccountName)
GRPFIELD( ) USRFIELD( )
AUTHORMD(SEARCHGRP) NESTGRP(NO)
SECCOMM(NO) ALTDATE(2019-07-25)
ALTTIME(08.14.20)
Here below is output from LdapAuthentication.jar tool:
java -jar LdapAuthentication.jar ldap://192.168.100.100:389 CN=mybinduser,OU=System,OU=Users,OU=MyCompany,DC=mycompany,DC=us mybinduserpassword OU=MyCompany,DC=mycompany,DC=us sAMAccountName adminusername adminpassword
#WMBL3: successful bind
#WMBL3: successfull search Starting Authentication Found the user, DN is CN=adminusername,OU=MyCompany,OU=Users,OU=MyCompany,DC=mycompany,DC=us
#WMBL3 : check if the password is correct
#WMBL3: successful authentication
#WMBL3 : Commands for WebUI ldap authentication :
1. mqsisetdbparms <INodeName> -n ldap::LDAP -u "CN=mybinduser,OU=System,OU=Users,OU=MyCompany,DC=mycompany,DC=us" -p mybinduserpassword
Or
mqsisetdbparms <INodeName> -n ldap::192.168.100.100 -u "CN=mybinduser,OU=System,OU=Users,OU=MyCompany,DC=mycompany,DC=us" -p mybinduserpassword
2. mqsichangeproperties <INodeName> -b webadmin -o server -n ldapAuthenticationUri -v \"ldap://192.168.100.100:389/OU=MyCompany,DC=mycompany,DC=us?sAMAccountName\"
3. mqsiwebuseradmin <INodeName> -c -u adminusername -x -r <sysrole for eg: local userid >
Here below is qmanager log after I applied changes in my AUTHINFO what you suggested Jul 25.
AMQ5531: Error locating user or group in LDAP
EXPLANATION:
The LDAP authentication and authorization service has failed in the ldap_search
call while trying to find user or group 'wasadmin'. Returned count is 0.
Additional context is 'rc = 1 (Operations error)
[(&(objectClass=GROUP)(SAMACCOUNTNAME=wasadmin))]'.
ACTION: Specify the correct name, or fix the directory configuration. There may be
additional information in the LDAP server error logs.
This is myadgroup full DN:
CN=myadgroup,OU=System,OU=Groups,OU=MyCompany,DC=mycompany,DC=us
This is output of the setmqaut command with full group DN:
setmqaut -m MY.QUEUE.MANAGER -t qmgr -g 'CN=myadgroup,OU=System,OU=Groups,OU=MyCompany,DC=mycompany,DC=us' +all
AMQ7047: An unexpected error was encountered by a command. Reason code is 2063.
And this is qmanager log after that command was executed:
AMQ5531: Error locating user or group in LDAP
EXPLANATION: The LDAP authentication and authorization service has failed in the ldap_search call while trying to find user or group 'CN=myadgroup,OU=System,OU=Groups,OU=MyCompany,DC=mycompany,DC=us'.
Returned count is 0.
Additional context is 'rc = 1 (Operations error) [(objectClass=groupOfNames)]'.
ACTION:
Specify the correct name, or fix the directory configuration. There may be
additional information in the LDAP server error logs.
If I try with CLASSGRP(GROUP) output of the setmqaut is:
AMQ7047: An unexpected error was encountered by a command. Reason code is 2063.
And qmqnager log is:
AMQ5531: Error locating user or group in LDAP
EXPLANATION: The LDAP authentication and authorization service has failed in the
ldap_search call while trying to find user or group
'CN=myadgroup,OU=System,OU=Groups,OU=MyCompany,DC=mycompany,DC=us'.
Returned count is 0.
Additional context is 'rc = 1 (Operations error) [(objectClass=GROUP)]'.
ACTION:
Specify the correct name, or fix the directory configuration. There may be
additional information in the LDAP server error logs.
Below is my last configured authinfo object:
AMQ8566: Display authentication information details.
AUTHINFO(MY.AD.CONFIGURATION) AUTHTYPE(IDPWLDAP)
ADOPTCTX(YES) DESCR( )
CONNAME(192.168.100.100) CHCKCLNT(OPTIONAL)
CHCKLOCL(OPTIONAL) CLASSGRP(group)
CLASSUSR(USER) FAILDLAY(1)
FINDGRP(member)
BASEDNG(OU=Groups,OU=MyCompany,DC=mycompany,DC=us)
BASEDNU(OU=Users,OU=MyCompany,DC=mycompany,DC=us)
LDAPUSER(CN=mybinduser,OU=System,OU=Users,OU=MyCompany,DC=mycompany,DC=us)
LDAPPWD( ) SHORTUSR(sAMAccountName)
GRPFIELD(sAMAccountName) USRFIELD(sAMAccountName)
AUTHORMD(SEARCHGRP) NESTGRP(NO)
SECCOMM(NO) ALTDATE(2019-08-07)
ALTTIME(08.44.40)
Based on the your output I noted that you did not set LDAPPWD which is used by MQ to authenticate the LDAPUSER that you specified.
This is supported by the windows error you provided:
Account For Which Logon Failed:
Security ID: NULL SID
Account Name: mybinduser
Account Domain: MYDOMAINNAME
Failure Information:
Failure Reason: Unknown user name or bad password.
In the output of LdapAuthentication.jar it appears that you have the correct password available:
CN=mybinduser,OU=System,OU=Users,OU=MyCompany,DC=mycompany,DC=us mybinduserpassword
You can either specify the LDAPPWD or you can blank out your LDAPUSER and see if your AD allows anonymous bind (this is rare).
I noted that you have some other fields left blank that probably need to be filled in. I also suggest you always use ADOPTCTX(YES).
Below is my suggested updates to your AUTHINFO object:
ALTER AUTHINFO(MY.AD.CONFIGURATION) +
AUTHTYPE(IDPWLDAP) +
AUTHORMD(SEARCHGRP) +
FINDGRP('member') +
ADOPTCTX(YES) +
CONNAME(192.168.100.100) +
CHCKCLNT(REQUIRED) +
CHCKLOCL(OPTIONAL) +
CLASSGRP(GROUP) +
CLASSUSR(USER) +
FAILDLAY(1) +
BASEDNG('OU=MyCompany,DC=mycompany,DC=us') +
BASEDNU('OU=MyCompany,DC=mycompany,DC=us') +
LDAPUSER('CN=mybinduser,OU=System,OU=Users,OU=MyCompany,DC=mycompany,DC=us') +
LDAPPWD(mybinduserpassword) +
SHORTUSR(sAMAccountName) +
GRPFIELD(sAMAccountName) +
USRFIELD(sAMAccountName) +
NESTGRP(NO) +
SECCOMM(NO)
*Note I have not tested this against AD, but I have setup IIB to authenticate the WebUI/REST calls against AD and also took inspiration from two presentations/write ups from Mark Taylor from IBM:
MQ Integration with Directory Services - Presented at MQTC v2.0.1.6
MQdev Blog: IBM MQ - Using Active Directory for authorisation in Unix queue managers

LDAP Authentication - OpenShift - OKD

I have deployed a new OKD cluster (3.11) and as Identity Provider I have selected LDAPPasswordIdentityProvider
The configuration goes like this:
openshift_master_identity_providers=[{'name': 'idm', 'challenge': 'true', 'login': 'true', 'kind': 'LDAPPasswordIdentityProvider', 'attributes': {'id': ['dn'], 'email': ['mail'], 'name': ['cn'], 'preferredUsername': ['uid']}, 'bindDN': 'uid=service,cn=users,cn=accounts,dc=myorg,dc=com', 'bindPassword': 'reallysecurepasswordhere', 'insecure': 'false', 'url': 'ldaps://idm.myorg.com:636/dc=myorg,dc=com?uid??(memberof=cn=openshift,cn=accounts,dc=myorg,dc=com)'}]
I have tried two dozens of possibilities with this URL.
On the logs I always get:
I0528 15:23:38.491659 1 ldap.go:122] searching for (&(objectClass=*)(uid=user1))
E0528 15:23:38.494172 1 login.go:174] Error authenticating "user1" with provider "idm": multiple entries found matching "user1"
I don't get it why is the filter showing as (&(objectClass=*)(uid=... appears as the filter isn't being parsed correctly, despite the URL being as above.
I also checked the master-config.yaml and it is correct as my ini file.
If I do ldapsearch I get the expected results:
$ ldapsearch -x -D "uid=service,cn=users,cn=accounts,dc=myorg,dc=com" -W -H ldaps://idm.myorg.com -s sub -b "cn=accounts,dc=myorg,dc=com" '(&(uid=user1)(memberof=cn=openshift,cn=groups,cn=accounts,dc=myorg,dc=com))' uid
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <cn=accounts,dc=myorg,dc=com> with scope subtree
# filter: (&(uid=user1)(memberof=cn=openshift,cn=groups,cn=accounts,dc=myorg,dc=com))
# requesting: uid
#
# user1, users, accounts, myorg.com
dn: uid=user1,cn=users,cn=accounts,dc=myorg,dc=com
uid: user1
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
The LDAP Server is FreeIPA.
Help please!
Ok, I found the solution to the problem.
I assumed ... incorrectly ... that running the playbook openshift-ansible/playbook/openshift-master/config.yml would restart the openshift-master API.
It doesn't.
I noticed this when, instead of editing my ini inventory where I have this set and running config, I started editing directly on /etc/origin/master/master-config.yaml and using master-restart api to restart the API.
Several URL alterations (many incorrect actually) had never been ran. Config uploaded them, but the master api doesn't restart, so new config doesn't go in place, and I kept hitting the wall.

Adding new objectclass/attribute to existing ldap entry returns error

I have created 4 new attributes on cn=schema and also created a new objectclass with the 4 attributes set as MUST.
I tried to add the objectclass to existing entry which obviously return an error because those 4 new attributes are not setup for the ldap entry.
I created an ldif file and ran ldapmodify but get object violation error. Can anyone tellme whats causing this error and if I'm missing anything.
ldif
#ldapmodify.bat -h localhost -p 1389 -D "cn=Directory Manager" -w xxxxx -a -f entry.ldif
dn: uid=user.0,ou=People,dc=example,dc=com
changetype: modify
add: disabledFlag
disabledFlag: n
-
add: passwordData
passwordData:< file:/C:\\oud\\asinst_1\\OUD\\bat\\images.png
-
add: anonymousID
anonymousID: nah
-
add: challengeResponse
challengeResponse: nah
Error after executing the command.
Processing MODIFY request for uid=user.0,ou=People,dc=example,dc=com
MODIFY operation failed
Result Code: 65 (Object Class Violation)
Additional Information: Entry uid=user.0,ou=People,dc=example,dc=com cannot not be modified because the resulting entry would have violated the server schema: Entry uid=user.0,ou=People,dc=example,dc=com violates the Directory Server schema configuration because it includes attribute anonymousID which is not allowed by any of the objectclasses defined in that entry
LDAP installed is OUD 11gR2.
Finally able to solve the question myself.
This is what I did
Changed STRUCTURAL to ABSTRACT for the objectclass since there can be only one STRUCTURAL and updated objectclass to have MAY attributes instead of MUST.
used ldap port instead of admin port in the ldap modify command.
I still couldn't figure out why cant objectclass be created with MUST ? Is this chicken and egg kind of problem?

memberOf vs. groupMembership in LDAP (Liferay)

What is the difference b/n memberOf attribute and groupMembership attribute when used in LDAP Authentication settings in Liferay?
The users are imported successfully.
The groups are also imported successfully.
But the users are not assigned to the groups automatically. And when I changed the group variable from 'groupMembership' to 'memberOf', several users are not able to login to Liferay.
What exactly are memberOf and groupMembership variables?
memberOf is not a "variable", it is an attribute, or more accurately, it is a virtual attribute, or a dynamic attribute generated on the fly by some directory servers, but not all. Some use memberOf to use in search filters or in the attribute list of a search request, some use isMemberOf for the same purpose, some support both or neither, and there are probably other idioms of which I am not aware.
Generally speaking, to determine group membership, issue a search request to the directory server and specify memberOf or isMemberOf to be returned in the attribute list. Here is an example using a modern ldapsearch command line tool:
ldapsearch --port 1389 --baseDn 'ou=people,dc=example,dc=com' \
--sizeLimit 3 --searchScope one --bindDn 'cn=directory manager' \
--bindPasswordFile ~/.pwdFile '(uid=user.0)' isMemberOf
dn: uid=user.0,ou=people,dc=example,dc=com
isMemberOf: cn=Dynamic Home Directories,ou=groups,dc=example,dc=com
isMemberOf: cn=bellevue,ou=groups,dc=example,dc=com
isMemberOf: cn=shadow entries,ou=groups,dc=example,dc=com
isMemberOf: cn=persons,ou=groups,dc=example,dc=com
This search response indicated that user.0 is a member of the listed groups.
To reverse the sense of the query, that is, to determine which entries are the member of a group, use the isMemberOf or memberOf with an assertion in the filter used in the search request:
ldapsearch --port 1389 --baseDn 'ou=people,dc=example,dc=com' \
--sizeLimit 3 --searchScope one --bindDn 'cn=directory manager' \
--bindPasswordFile ~/.pwdFile \
'(isMemberOf=cn=persons,ou=groups,dc=example,dc=com)' 1.1
dn: uid=terrygardner,ou=people,dc=example,dc=com
dn: uid=user.0,ou=people,dc=example,dc=com
dn: uid=user.1,ou=People,dc=example,dc=com
dn: uid=user.10,ou=People,dc=example,dc=com
This search response indicates that there are several member of the group whose distinguished name is cn=persons,ou=groups,dc=example,dc=com.
While not specific to LifeRay, the above is a general explanation of one way to deal with group membership and also of reverse group membership from an LDAP perspective.