Tuesday, May 17, 2022

[389-users] Re: 389ds External LDAP Authentication

Sorry for the delay I've been unwell.

> On 13 May 2022, at 20:05, parimala nitesh <parimalanitesh@gmail.com> wrote:
>
> Hi Pierre Rogier,
>
> I've tried to follow this document for pass through authentication
> https://access.redhat.com/documentation/en-us/red_hat_directory_server/11/html/administration_guide/configuring_directory_databases-creating_and_maintaining_database_links
>
> For that I've created two 389ds LDAP servers
>
> I've created ldap1 with ldap1.inf
>
> # ldap1.inf
>
> [general]
> config_version = 2
>
> [slapd]
> self_sign_cert = False
> instance_name = ldap1
> port = 1389
> # root_dn (str)
> # Description: Sets the Distinguished Name (DN) of the administrator account for this instance.
> # Default value: cn=Directory Manager
> root_dn = cn=ldap2
>
> # root_password (str)
> # Description: Sets the password of the account specified in the "root_dn" parameter. You can either set this parameter
> # to a plain text password dscreate hashes during the installation or to a "{algorithm}hash" string generated by the pwdhash utility.
> # Note that setting a plain text password can be a security risk if unprivileged users can read this INF file!
> # Default value: Directory_Manager_Password
> root_password = #CEEadmin123

You probably shouldn't plaintext your dev password here ...

>
>
> [backend-userroot]
> sample_entries = yes
> suffix = dc=openstack,dc=org
>
> ldap2 with the file ldap2.inf below
>
> # ldap2.inf
>
> [general]
> config_version = 2
>
> [slapd]
> self_sign_cert = False
> instance_name = ldap2
> port = 2389
> # root_dn (str)
> # Description: Sets the Distinguished Name (DN) of the administrator account for this instance.
> # Default value: cn=Directory Manager
> root_dn = cn=ldap2
>
> # root_password (str)
> # Description: Sets the password of the account specified in the "root_dn" parameter. You can either set this parameter
> # to a plain text password dscreate hashes during the installation or to a "{algorithm}hash" string generated by the pwdhash utility.
> # Note that setting a plain text password can be a security risk if unprivileged users can read this INF file!
> # Default value: Directory_Manager_Password
> root_password = #CEEadmin123
>
>
> [backend-userroot]
> sample_entries = yes
> suffix = dc=openstack,dc=org
>
>
> Created a "ou=users" for ldap1 and added users under that "ou=users"
>
> ceeinfra@infra3:~/389ds/ldap2> sudo dsidm -b "dc=openstack,dc=org" slapd-ldap1 account list
> dc=openstack,dc=org
> ou=groups,dc=openstack,dc=org
> ou=people,dc=openstack,dc=org
> ou=permissions,dc=openstack,dc=org
> ou=services,dc=openstack,dc=org
> uid=demo_user,ou=people,dc=openstack,dc=org
> cn=demo_group,ou=groups,dc=openstack,dc=org
> ou=users,dc=openstack,dc=org
> uid=ldap1_user1,ou=users,dc=openstack,dc=org
> uid=ldap1_user2,ou=users,dc=openstack,dc=org
> uid=ldap1_user3,ou=users,dc=openstack,dc=org
>
> Created an "ou=people" for ldap2 and added users under that "ou=people"
>
>
> ceeinfra@infra3:~/389ds/ldap2> sudo dsidm -b "dc=openstack,dc=org" slapd-ldap2 account list
> dc=openstack,dc=org
> ou=groups,dc=openstack,dc=org
> ou=people,dc=openstack,dc=org
> ou=permissions,dc=openstack,dc=org
> ou=services,dc=openstack,dc=org
> uid=demo_user,ou=people,dc=openstack,dc=org
> cn=demo_group,ou=groups,dc=openstack,dc=org
> uid=ldap2_user1,ou=people,dc=openstack,dc=org
> uid=ldap2_user2,ou=people,dc=openstack,dc=org
> uid=ldap2_user3,ou=people,dc=openstack,dc=org
>
> Now I've followed the steps from this link
>
> sudo dsconf -D "cn=ldap1" ldap://localhost:1389 chaining link-create --suffix="ou=users,dc=example,dc=com" --server-url="ldap://localhost:2389" --bind-mech="Simple" --bind-dn="uid=ldap2_user3,ou=people,dc=openstack,dc=org" --bind-pw="ldap2_user3" "example_chain_name"
>
>
> After that it stated that I have to give proxy admin permission to userroot;
> in this case I think I have to give permission for "uid=ldap2_user3,ou=people,dc=openstack,dc=org"
>
>
> I tried that with the file and command below
>
> #aci.ldif
> dn: ou=people,dc=openstack,dc=org
> changetype: modify
> add: aci
> aci: (targetattr = "*")(version 2; acl "Proxied authorization for database links"; allow (proxy) userdn = "ldap://localhost:2389/uid=ldap2_user3,ou=people,dc=openstack,dc=org";)
>
>
> and the command below
>
> ceeinfra@infra2:~/389ds/ldap2> sudo ldapmodify -x -h infra2 -p 2389 -D "cn=ldap2" -w "#CEEadmin123" -f aci.ldif -v
> ldap_initialize( ldap://infra2:2389 )
> add aci:
> (targetattr = "*")(version 3.0; acl "Proxied authorization for database links"; allow (proxy) userdn = "ldap://localhost:2389/uid=ldap2_user3,ou=people,dc=openstack,dc=org";)
> modifying entry "ou=people,dc=openstack,dc=org"
> ldap_modify: Invalid syntax (21)
> additional info: ACL Syntax Error(-5):(targetattr = \22\2a\22)(version 3.0; acl \22Proxied authorization for database links\22; allow (proxy) userdn = \22ldap://localhost:2389/uid=ldap2_user3,ou=people,dc=openstack,dc=org\22;)
>
>
> I might have messed up somewhere. I'm stuck and I'm not able to proceed with chaining. Can you please help me?
>
> I have the queries below as well; can you please answer them?
>
> 1) Can you tell me, if I have two LDAPs whose suffixes are not the same, i.e.
> for ldap1 the suffix is dc=openstack,dc=com
> for ldap2 suffix is dc=nitesh,com=org

Pretty sure that it works yes. That's the whole reason for chaining.

>
> Can I do pass-through authentication or chaining between those two LDAPs?
>
> 2) Can you tell me how to check the bind of the users with the LDAP server as well?

I think it doesn't work the way you think.

Chaining creates a backend database and "routes" through the mapping tree for queries to that. So I think in your config you've potentially confused it.


The mapping tree lets you assemble a variety of databases into a consistent tree. So when you added:

chaining link-create --suffix="ou=users,dc=example,dc=com"

Your mapping tree will probably contain something like:


dc=openstack,dc=org -> route-to local DB userRoot
ou=users,dc=example,dc=com -> route-to chain DB

If you look at the rootDSE with:


ldapsearch -x -b '' -s base \* \+

You'll see that there is another suffix, probably the ou=users,dc=example,dc=com one.

So if you were to search under ou=users,dc=example,dc=com on ldap1 that should chain to ldap2.

Does that help?



>
> Regards
> Nitesh
> _______________________________________________
> 389-users mailing list -- 389-users@lists.fedoraproject.org
> To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org
> Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure

--
Sincerely,

William Brown

Senior Software Engineer,
Identity and Access Management
SUSE Labs, Australia
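An added example, not from the thread or from the 389-ds project: POSIX shell helpers for the two steps discussed above, the proxy ACI that the link's bind DN needs on the remote server, and the rootDSE check on the local server for the suffix given to `link-create`. The ACI form the product documentation shows is `userdn = "ldap:///<DN>"`, three slashes and no host part; the lint below only checks for that form. Function names, the argument layout and the choice of the target subtree are my assumptions; the DNs and port in the demonstration are the ones posted in the thread.

```shell
#!/bin/sh
# Added example (not from the original thread). Helpers for the proxy ACI
# on the remote (chained-to) server and for a rootDSE suffix check on the
# local server. Function names and argument order are this example's choice.

# Lint the userdn part of an ACI string. The documented form is
# "ldap:///<DN>" (three slashes, no host); a URL that carries a host such as
# ldap://localhost:2389/... is not the form the ACI syntax expects.
# Prints a reason and returns 1 when the userdn is not in that form.
check_aci_userdn() {
    aci=$1
    url=$(printf '%s' "$aci" | sed -n 's/.*userdn *= *"\([^"]*\)".*/\1/p')
    [ -n "$url" ] || { echo "no userdn found in ACI"; return 1; }
    case $url in
        ldap:///*) return 0 ;;
        ldap://*)  echo "userdn must not carry a host: $url"; return 1 ;;
        *)         echo "userdn is not an ldap:/// URL: $url"; return 1 ;;
    esac
}

# Emit the LDIF that grants proxy rights to the bind DN the link uses.
# Arg 1: subtree on the remote server the link proxies into (the ACI target).
# Arg 2: bind DN passed to "dsconf ... chaining link-create --bind-dn".
make_proxy_aci_ldif() {
    subtree=$1
    bind_dn=$2
    cat <<EOF
dn: $subtree
changetype: modify
add: aci
aci: (targetattr = "*")(version 3.0; acl "Proxied authorization for database links"; allow (proxy) userdn = "ldap:///$bind_dn";)
EOF
}

# Ask a server's rootDSE for its namingContexts and report whether a suffix
# is served there. After link-create on ldap1 the chained suffix should show
# up alongside the local one. Needs a reachable server, so it is not run here.
suffix_is_served() {
    url=$1
    suffix=$2
    ldapsearch -x -H "$url" -b '' -s base namingContexts \
        | grep -i '^namingContexts:' | grep -qiF "$suffix"
}

# Demonstration on the thread's values: the ACI as posted (host inside the
# userdn URL) is rejected by the lint; the LDIF printed uses the ldap:/// form.
posted_aci='(targetattr = "*")(version 3.0; acl "Proxied authorization for database links"; allow (proxy) userdn = "ldap://localhost:2389/uid=ldap2_user3,ou=people,dc=openstack,dc=org";)'
if check_aci_userdn "$posted_aci"; then
    echo "posted ACI: userdn form ok"
else
    echo "posted ACI: rejected by lint"
fi
make_proxy_aci_ldif "ou=people,dc=openstack,dc=org" "uid=ldap2_user3,ou=people,dc=openstack,dc=org"
# Example only (not executed here): suffix_is_served ldap://localhost:1389 "ou=users,dc=example,dc=com"
```

The generated LDIF is applied to the remote server (ldap2 in the thread) with `ldapmodify`, as the original poster did; `suffix_is_served` is the scripted form of the `ldapsearch -x -b '' -s base` rootDSE query William suggests for confirming that the chained suffix is present on ldap1.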
