Friday, May 13, 2022

[389-users] Re: 389ds External LDAP Authentication

Hi Pierre Rogier,

I've tried to follow this document for pass through authentication
https://access.redhat.com/documentation/en-us/red_hat_directory_server/11/html/administration_guide/configuring_directory_databases-creating_and_maintaining_database_links

For that i've create two 389ds ldap servers

i've created ldap1 with ldap1.inf

# ldap1.inf

[general]
config_version = 2

[slapd]
self_sign_cert = False
instance_name = ldap1
port = 1389
# root_dn (str)
# Description: Sets the Distinquished Name (DN) of the administrator account for this
instance.
# Default value: cn=Directory Manager
root_dn = cn=ldap2

# root_password (str)
# Description: Sets the password of the account specified in the "root_dn"
parameter. You can either set this parameter
# to a plain text password dscreate hashes during the installation or to a
"{algorithm}hash" string generated by the pwdhash utility.
# Note that setting a plain text password can be a security risk if unprivileged users
can read this INF file!
# Default value: Directory_Manager_Password
root_password = #CEEadmin123


[backend-userroot]
sample_entries = yes
suffix = dc=openstack,dc=org

Ldap2 with below file ldap2.inf

# ldap2.inf

[general]
config_version = 2

[slapd]
self_sign_cert = False
instance_name = ldap2
port = 2389
# root_dn (str)
# Description: Sets the Distinquished Name (DN) of the administrator account for this
instance.
# Default value: cn=Directory Manager
root_dn = cn=ldap2

# root_password (str)
# Description: Sets the password of the account specified in the "root_dn"
parameter. You can either set this parameter
# to a plain text password dscreate hashes during the installation or to a
"{algorithm}hash" string generated by the pwdhash utility.
# Note that setting a plain text password can be a security risk if unprivileged users
can read this INF file!
# Default value: Directory_Manager_Password
root_password = #CEEadmin123


[backend-userroot]
sample_entries = yes
suffix = dc=openstack,dc=org


Created a "ou=users" for ldap1 and added users under that "ou=users"

ceeinfra@infra3:~/389ds/ldap2> sudo dsidm -b "dc=openstack,dc=org"
slapd-ldap1 account list
dc=openstack,dc=org
ou=groups,dc=openstack,dc=org
ou=people,dc=openstack,dc=org
ou=permissions,dc=openstack,dc=org
ou=services,dc=openstack,dc=org
uid=demo_user,ou=people,dc=openstack,dc=org
cn=demo_group,ou=groups,dc=openstack,dc=org
ou=users,dc=openstack,dc=org
uid=ldap1_user1,ou=users,dc=openstack,dc=org
uid=ldap1_user2,ou=users,dc=openstack,dc=org
uid=ldap1_user3,ou=users,dc=openstack,dc=org

Created a "ou==people" for ldap2 and added users under that
"ou=people"


ceeinfra@infra3:~/389ds/ldap2> sudo dsidm -b "dc=openstack,dc=org"
slapd-ldap2 account list
dc=openstack,dc=org
ou=groups,dc=openstack,dc=org
ou=people,dc=openstack,dc=org
ou=permissions,dc=openstack,dc=org
ou=services,dc=openstack,dc=org
uid=demo_user,ou=people,dc=openstack,dc=org
cn=demo_group,ou=groups,dc=openstack,dc=org
uid=ldap2_user1,ou=people,dc=openstack,dc=org
uid=ldap2_user2,ou=people,dc=openstack,dc=org
uid=ldap2_user3,ou=people,dc=openstack,dc=org

Now i've followed your the steps from this link

sudo dsconf -D "cn=ldap1" ldap://localhost:1389 chaining link-create --suffix="ou=users,dc=example,dc=com" --server-url="ldap://localhost:2389" --bind-mech="Simple" --bind-dn="uid=ldap2_user3,ou=people,dc=openstack,dc=org" --bind-pw="ldap2_user3" "example_chain_name"


after that it stated that i've to give proxy admin permission to userroot
in this case i think i've give permisson for "uid=ldap2_user3,ou=people,dc=openstack,dc=org"


I tried that with below file and command

#aci.ldif
dn: ou=people,dc=openstack,dc=org
changetype: modify
add: aci
aci: (targetattr = "*")(version 2; acl "Proxied authorization for database links"; allow (proxy) userdn = "ldap://localhost:2389/uid=ldap2_user3,ou=people,dc=openstack,dc=org";)


and below command

ceeinfra@infra2:~/389ds/ldap2> sudo ldapmodify -x -h infra2 -p 2389 -D "cn=ldap2" -w "#CEEadmin123" -f aci.ldif -v
ldap_initialize( ldap://infra2:2389 )
add aci:
(targetattr = "*")(version 3.0; acl "Proxied authorization for database links"; allow (proxy) userdn = "ldap://localhost:2389/uid=ldap2_user3,ou=people,dc=openstack,dc=org";)
modifying entry "ou=people,dc=openstack,dc=org"
ldap_modify: Invalid syntax (21)
additional info: ACL Syntax Error(-5):(targetattr = \22\2a\22)(version 3.0; acl \22Proxied authorization for database links\22; allow (proxy) userdn = \22ldap://localhost:2389/uid=ldap2_user3,ou=people,dc=openstack,dc=org\22;)


I might have messed up some where. I'm stuck and i'm not able to proceed with chaining. Can you please help me

I've below queries also can you please answer them

1) Can you tell me if i've two ldap's whose suffixes are not same i.e.
for ldap1 id suffix is dc=openstack,dc=com
for ldap2 suffix is dc=nitesh,com=org

Can i do pass through authentication or chaining between those two LDAP's?

2) Can you tell me how to check bind of the users with ldapserver also ?

Regards
Nitesh
_______________________________________________
389-users mailing list -- 389-users@lists.fedoraproject.org
To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure

No comments:

Post a Comment