Cannot wildcard search "member" in openLDAP - ldap

.
I have an odd problem, where I cannot seem to use wildcard searches for the "member" or the "uniquemember" attibutes for a group.
Consider the following:
cn=myusers,ou=groups,dc=example,dc=com
objectClass=groupOfNames
objectClass=top
This returns fine:
ldapsearch -h ldap-server -p 389 -D "cn=admin,dc=example,dc=com" -w Password -s sub -b "ou=groups,dc=example,dc=com" "(objectclass=groupOfNames)" member
cn=myusers,ou=groups,dc=example,dc=com
member=cn=user1234,ou=groups,dc=example,dc=com
And if I use this, it also works fine:
ldapsearch -h ldap-server -p 389 -D "cn=admin,dc=example,dc=com" -w Password -s sub -b "ou=groups,dc=example,dc=com" "(&(member=cn=user1234,ou=groups,dc=example,dc=com)(objectclass=groupOfNames)" member
But, suppose I want to find all the groups, with member names that start with "user". I try this:
ldapsearch -h ldap-server -p 389 -D "cn=admin,dc=example,dc=com" -w Password -s sub -b "ou=groups,dc=example,dc=com" "(&(member=cn=user*)(objectclass=groupOfNames))" member
But nothing returns!
Now I have tried adding indexes to the "member" and "uniquemember" attibutes as:
member pres,eq,approx,sub
uniquemember pres,eq,approx,sub
... but get a returned error of 'additional info: approx index of attribute "member" disallowed', so I was left with:
member pres,eq
uniquemember pres,eq
Even after the change, I still cannot perform wildcard searches using "member" or "uniquemember" attibutes. Any ideas?
.

This works as expected with the UnboundID Directory Server. Try updating the directory server software - there are some similar questions on the OpenLDAP forums where this problem was resolved by a fix to DN normalization.
Also, there is no such thing as a 'wildcard' search. The assertion value to which you refer results in what is called a 'substring' search. For increased performance, the server should index the member and uniqueMember attribute values for substring (sub), assuming the legacy OpenLDAP server supports indexing those attributes for substrings.

Related

Google Secure LDAP (from Cloud Identity) returning wrong user DN

We have a Google G suite with multiple domains and users with email addresses not always having the primary domain extension.
When ldap searching the Secure LDAP environment for a user with a non primary domain we get the wrong user DN back.
Example:
LDAPTLS_CERT=ldap-client.crt LDAPTLS_KEY=ldap-client.key ldapsearch -H ldaps://ldap.google.com -b dc=example,dc=com '(mail=user#company.nl)'
returns dn: uid=user,ou=Users,dc=example,dc=com
where it should return dn: uid=user,dc=company,dc=nl
But with this wrong DN the next step in my radius authentication (because that's where we are using this for) fails:
LDAPTLS_CERT=ldap-client.crt LDAPTLS_KEY=ldap-client.key ldapsearch -W -D uid=user,ou=Users,dc=example,dc=com -H ldaps://ldap.google.com -b dc=example,dc=com '(mail=user#company.nl)' with a
ldap_bind: Invalid credentials (49)
additional info: Incorrect password
which makes sense because LDAP cannot find the user.
whereas as binding with the right DN succeeds:
LDAPTLS_CERT=ldap-client.crt LDAPTLS_KEY=ldap-client.key ldapsearch -W -D uid=user,ou=Users,dc=company,dc=nl -H ldaps://ldap.google.com -b dc=example,dc=com '(mail=user#company.nl)'
If I query for the user with the corresponding base_dn from the user's email address the returned DN is ok, but I cannot dynamically adjust the based_dn depending on the users email address, I think, in freeradius
I’m not sure if this a problem of the google LDAP servers or a problem with the LDAP protocol or a problem with the way I/radius queries LDAP.
I'm thinking to implement scripting authentication in the authorize section and implement my own ldapsearch + bind , but I hope there's a better solution.
Thanks. Wessel
Try with ldaps://ldap.google.com:636.
We found unless the port is defined it does not work.
We also noticed that not all fields can be searched, i.e uidNumber.

ldap_simple_bind: Invalid credentials

I'm trying a ldapsearch.
The user is "domain\user" and the connection and bind is successfull with ApacheDirectoryStudio (see image), however I don't understand how to use the -D parameter in ldapsearch (maybe the problem is the bachslash ?).
I've tried with:
ldapsearch -h IT.xxxx.COM -D "CN=domain\user,DC=it,DC=xxxx,DC=com" -w Password -b base 'objectClass=*'
but I get the error:
ldap_simple_bind: Invalid credentials --- 80090308: LdapErr:
DSID-0C090400, comment: AcceptSecurityContext error, data 52e
Thanks for help.
Giuseppe.k
Apache-Connection
For connecting to AD over LDAP, you either specify the LDAP DN (e.g. CN=user,DC=domain) or the AD UPN (e.g. user#domain).
In your case, remove the domain from the LDAP DN:
ldapsearch -h IT.xxxx.COM -D "CN=user,DC=it,DC=xxxx,DC=com" -w Password -b base 'objectClass=*'
The domain is already represented by DC=it,DC=xxxx,DC=com.

How to bind a user and ensure they are in the correct group?

I think what I am trying to do is fairly simple, I want to setup ldap so that incoming binds check that the password is correct and the user is a member of a specific group.
Running the following query yields the following
ldapsearch -x -LLL -H ldap:/// -b uid=myname,ou=users,dc=example,dc=com dn memberof
Result
dn: uid=myname,ou=users,dc=example,dc=com
memberOf: cn=admin,ou=groups,dc=example,dc=com
I have tried the following query
ldapsearch -x -H "ldap://localhost" -D "(&(cn=My Name)(memberOf=cn=admin,ou=groups,dc=example,dc=com))" -W -b "dc=example,dc=com"
ldapsearch keeps throwing the following error
ldap_bind: Invalid DN syntax (34)
additional info: invalid DN
What am I doing wrong?
There are 2 things to fix in your search query :
the filter part should be placed after all options and before the list of attributes if any.
the -D option requires an argument, a bind dn to bind to the LDAP directory.
In other words : ldapsearch -x -H <ldapuri> -D <binddn> -W -b <basedn> <filter>
Assuming you can use this bind dn cn=manager,dc=example,dc=com, you should end up with a query looking like this :
ldapsearch -x -H "ldap://localhost" -D "cn=manager,dc=example,dc=com" -W -b "dc=example,dc=com" "(&(cn=My Name)(memberOf=cn=admin,ou=groups,dc=example,dc=com))"
https://linux.die.net/man/1/ldapsearch

ldapsearch with username and password

Here is my LDAP ORG Structure:
I created user with first, last name with password. But it is not working when am trying to connect using jdbc. Error says invalid credentials. Then I tried ldapsearch as follows:
I followed this process for users and group creation:
root#ip:/home# ldapwhoami
SASL/DIGEST-MD5 authentication started
Please enter your password:
ldap_sasl_interactive_bind_s: Invalid credentials (49)
additional info: SASL(-13): user not found: no secret in database
root#ip:/# ldapsearch -x -LLL -h ip -D username -w password -b"cn=admin,dc=ivhdev,dc=local" -s sub "(objectClass=*)" "givenName=username*"
ldap_bind: Invalid DN syntax (34)
additional info: invalid DN
Please suggest/correct me, if am passing the right info in DN syntax. I am unable to validate the user credentials with their name and password.
The -D option takes the DN for logging in to your LDAP server.
The -b option takes the search base in your LDAP tree where you want to search for the user's given name.
So, your ldapsearch command becomes:
ldapsearch -x -LLL -h ip -D 'cn=admin,dc=ivhdev,dc=local' -w password -b 'dc=users,dc=local' -s sub '(objectClass=*)' 'givenName=username*'
If you use the Apache Directory Studio (http://directory.apache.org/studio/) you can see the actual ldapsearch commands used by the application. Maybe this is useful for anyone.

Open ldap modify - /usr/bin/modify problem

Can anyone help me out on this? I'am trying to add another attribute on my LDAP, but i don't know much about this. It returns an error after trying the sample i searched on net. This command will be used on my perl program to add new attribute "status" w/ value "yes"..
Help pls?
/usr/bin/ldapmodify -x -D "cn=Test,ou=mygroup.com,o=group2.com" -a "status=yes"??
the -W doesn't work too.
Error: ldap_bind: Can't contact LDAP server (-1)
Try -v for detail log and -w should be in lower case. As for excluding the password one way is to use '-w -' which you will be prompt to enter the password. Hope this helps.
Ensure that you have the status attribute defined in the schema (the attribute cannot be added to an entry unless the entry has an objectClass attribute value that allows the status attribute). Further, the authentication identity cn=Test,ou=mygroup.com,o=group2.com must have permission to add the attribute.
Use ldapmodify to add the status attribute:
ldapmodify -x -D "cn=Test,ou=mygroup.com,o=group2.com" -h hostname -p port <<!
version: 1
dn: uid=user.0,ou=people,dc=example,dc=com
changetype: modify
add: status
status: first value
status: second value
!
The above example adds two values to the status attribute (assuming it is a multi-valued attribute). For more information about the ldapmodify tool see "Using ldapmodify".