Re: 389ds External LDAP Authentication

Sorry for the delay, I've been unwell.

> On 13 May 2022, at 20:05, parimala nitesh <parimalanitesh@xxxxxxxxx> wrote:
> 
> Hi Pierre Rogier,
> 
> I've tried to follow this document for pass-through authentication
> https://access.redhat.com/documentation/en-us/red_hat_directory_server/11/html/administration_guide/configuring_directory_databases-creating_and_maintaining_database_links
> 
> For that I've created two 389ds LDAP servers
> 
> I've created ldap1 with ldap1.inf
> 
> # ldap1.inf
> 
> [general]
> config_version = 2
> 
> [slapd]
> self_sign_cert = False
> instance_name = ldap1
> port = 1389
> # root_dn (str)
> # Description: Sets the Distinguished Name (DN) of the administrator account for this instance.
> # Default value: cn=Directory Manager
> root_dn = cn=ldap2
> 
> # root_password (str)
> # Description: Sets the password of the account specified in the "root_dn" parameter. You can either set this parameter
> # to a plain text password dscreate hashes during the installation or to a "{algorithm}hash" string generated by the pwdhash utility.
> # Note that setting a plain text password can be a security risk if unprivileged users can read this INF file!
> # Default value: Directory_Manager_Password
> root_password = #CEEadmin123

You probably shouldn't plaintext your dev password here ... 

> 
> 
> [backend-userroot]
> sample_entries = yes
> suffix = dc=openstack,dc=org
> 
> Ldap2 with below file ldap2.inf
> 
> # ldap2.inf
> 
> [general]
> config_version = 2
> 
> [slapd]
> self_sign_cert = False
> instance_name = ldap2
> port = 2389
> # root_dn (str)
> # Description: Sets the Distinguished Name (DN) of the administrator account for this instance.
> # Default value: cn=Directory Manager
> root_dn = cn=ldap2
> 
> # root_password (str)
> # Description: Sets the password of the account specified in the "root_dn" parameter. You can either set this parameter
> # to a plain text password dscreate hashes during the installation or to a "{algorithm}hash" string generated by the pwdhash utility.
> # Note that setting a plain text password can be a security risk if unprivileged users can read this INF file!
> # Default value: Directory_Manager_Password
> root_password = #CEEadmin123
> 
> 
> [backend-userroot]
> sample_entries = yes
> suffix = dc=openstack,dc=org
> 
> 
> Created a "ou=users" for ldap1 and added users under that "ou=users"
> 
> ceeinfra@infra3:~/389ds/ldap2> sudo dsidm -b "dc=openstack,dc=org" slapd-ldap1 account list
> dc=openstack,dc=org
> ou=groups,dc=openstack,dc=org
> ou=people,dc=openstack,dc=org
> ou=permissions,dc=openstack,dc=org
> ou=services,dc=openstack,dc=org
> uid=demo_user,ou=people,dc=openstack,dc=org
> cn=demo_group,ou=groups,dc=openstack,dc=org
> ou=users,dc=openstack,dc=org
> uid=ldap1_user1,ou=users,dc=openstack,dc=org
> uid=ldap1_user2,ou=users,dc=openstack,dc=org
> uid=ldap1_user3,ou=users,dc=openstack,dc=org
> 
> Created an "ou=people" for ldap2 and added users under that "ou=people"
> 
> 
> ceeinfra@infra3:~/389ds/ldap2> sudo dsidm -b "dc=openstack,dc=org" slapd-ldap2 account list
> dc=openstack,dc=org
> ou=groups,dc=openstack,dc=org
> ou=people,dc=openstack,dc=org
> ou=permissions,dc=openstack,dc=org
> ou=services,dc=openstack,dc=org
> uid=demo_user,ou=people,dc=openstack,dc=org
> cn=demo_group,ou=groups,dc=openstack,dc=org
> uid=ldap2_user1,ou=people,dc=openstack,dc=org
> uid=ldap2_user2,ou=people,dc=openstack,dc=org
> uid=ldap2_user3,ou=people,dc=openstack,dc=org
> 
> Now I've followed the steps from this link
> 
> sudo dsconf -D "cn=ldap1" ldap://localhost:1389 chaining link-create --suffix="ou=users,dc=example,dc=com" --server-url="ldap://localhost:2389" --bind-mech="Simple" --bind-dn="uid=ldap2_user3,ou=people,dc=openstack,dc=org" --bind-pw="ldap2_user3" "example_chain_name"
> 
> 
> After that it stated that I've to give proxy admin permission to userroot;
> in this case I think I've to give permission for "uid=ldap2_user3,ou=people,dc=openstack,dc=org"
> 
> 
> I tried that with the below file and command
> 
> #aci.ldif
> dn: ou=people,dc=openstack,dc=org
> changetype: modify
> add: aci
> aci: (targetattr = "*")(version 2; acl "Proxied authorization for database links"; allow (proxy) userdn = "ldap://localhost:2389/uid=ldap2_user3,ou=people,dc=openstack,dc=org";)
> 
> 
> and the below command
> 
> ceeinfra@infra2:~/389ds/ldap2> sudo ldapmodify -x -h infra2 -p 2389 -D "cn=ldap2" -w "#CEEadmin123" -f aci.ldif -v
> ldap_initialize( ldap://infra2:2389 )
> add aci:
>        (targetattr = "*")(version 3.0; acl "Proxied authorization for database links"; allow (proxy) userdn = "ldap://localhost:2389/uid=ldap2_user3,ou=people,dc=openstack,dc=org";)
> modifying entry "ou=people,dc=openstack,dc=org"
> ldap_modify: Invalid syntax (21)
>        additional info: ACL Syntax Error(-5):(targetattr = \22\2a\22)(version 3.0; acl \22Proxied authorization for database links\22; allow (proxy) userdn = \22ldap://localhost:2389/uid=ldap2_user3,ou=people,dc=openstack,dc=org\22;)
> 
> 
> I might have messed up somewhere. I'm stuck and I'm not able to proceed with chaining. Can you please help me?
> 
> I've the below queries also, can you please answer them:
> 
> 1) Can you tell me, if I've two LDAPs whose suffixes are not the same, i.e.
> for ldap1 the suffix is dc=openstack,dc=com
> for ldap2 the suffix is dc=nitesh,dc=org

Pretty sure that it works, yes. That's the whole reason for chaining.

> 
> Can I do pass-through authentication or chaining between those two LDAPs?
> 
> 2) Can you tell me how to check the bind of the users with the LDAP server also?

I think it doesn't work the way you think.

Chaining creates a backend database and "routes" queries to it through the mapping tree. So I think in your config you've potentially confused it.


The mapping tree lets you assemble a variety of databases into a consistent tree. So when you added:

chaining link-create --suffix="ou=users,dc=example,dc=com"

Your mapping tree will probably contain something like:


dc=openstack,dc=org -> route-to local DB userRoot
ou=users,dc=example,dc=com -> route-to chain DB

If you look at the rootDSE with:


ldapsearch -x -b '' -s base \* \+

You'll see that there is another suffix, probably the ou=users,dc=example,dc=com one.

So if you were to search under ou=users,dc=example,dc=com  on ldap1 that should chain to ldap2. 

Does that help? 



> 
> Regards
> Nitesh
> _______________________________________________
> 389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx
> To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedoraproject.org/archives/list/389-users@xxxxxxxxxxxxxxxxxxxxxxx
> Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure

--
Sincerely,

William Brown

Senior Software Engineer,
Identity and Access Management
SUSE Labs, Australia
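The routing the reply describes, as an added example that is not part of the thread or of 389-ds itself: the mapping tree is modelled as a dict of suffix to backend (the two entries are the ones the reply lists for the posted link-create command), a search base is routed to the most specific suffix that contains it, with DN comparison case- and whitespace-insensitive as in the server, and a base outside every suffix routes nowhere. The second half builds the proxy ACI in the form the Red Hat guide linked in the quoted message uses (userdn = "ldap:///<dn>", no host, version 3.0) and flags the two places the posted ACI departs from that form; that the host-qualified userdn URL is what triggers the ACL Syntax Error is my reading of the posted output, not something the reply states. Backend labels and the bind DN are taken from the thread; the helper names and the constructed mapping tree are my own.

```python
"""Added example (not code from the thread or from 389-ds): model the
mapping-tree routing described in the reply and build the proxy ACI the
linked Red Hat guide asks for on the remote (ldap2) side.

Assumed: longest matching suffix wins and DN comparison ignores case and
whitespace around RDN components, as the server does; suffixes, backend
names and the bind DN are the ones posted in the thread.
"""
import re


def split_dn(dn):
    """Split a DN into (attr, value) RDN tuples, normalised for comparison.
    Splits on commas not preceded by a backslash, so escaped commas survive."""
    rdns = []
    for part in re.split(r'(?<!\\),', dn):
        attr, _, val = part.partition('=')
        rdns.append((attr.strip().lower(), val.strip().lower()))
    return rdns


def is_under(base, suffix):
    """True if `base` equals or lies beneath `suffix` (suffix match on RDNs)."""
    b, s = split_dn(base), split_dn(suffix)
    return len(b) >= len(s) and b[len(b) - len(s):] == s


# Constructed mapping tree matching the posted link-create command:
# the local userRoot suffix plus the chained suffix the link was created for.
MAPPING_TREE = {
    "dc=openstack,dc=org": "userRoot (local)",
    "ou=users,dc=example,dc=com": "example_chain_name (chained to ldap://localhost:2389)",
}


def route_base(base, tree=MAPPING_TREE):
    """Return the backend a search base routes to, or None when no suffix
    in the mapping tree contains it (the server answers NO_SUCH_OBJECT)."""
    matches = [s for s in tree if is_under(base, s)]
    if not matches:
        return None
    # Most specific suffix (most RDNs) wins when suffixes nest.
    best = max(matches, key=lambda s: len(split_dn(s)))
    return tree[best]


def proxy_aci(bind_dn):
    """Proxy ACI in the form the RHDS guide uses: ldap:/// URL, no host."""
    return ('(targetattr = "*")(version 3.0; '
            'acl "Proxied authorization for database links"; '
            'allow (proxy) userdn = "ldap:///%s";)' % bind_dn)


def aci_problems(aci):
    """Flag deviations from the guide's form: wrong version keyword, or a
    userdn URL that carries a host:port instead of the bare ldap:/// form."""
    problems = []
    if 'version 3.0' not in aci:
        problems.append("version must be 3.0")
    m = re.search(r'userdn\s*=\s*"ldap://([^/"]*)/', aci)
    if m and m.group(1):
        problems.append("userdn must be ldap:///<dn>, not host-qualified: %s" % m.group(1))
    return problems


if __name__ == "__main__":
    for base in ("uid=ldap1_user1,ou=users,dc=openstack,dc=org",
                 "uid=x,ou=users,dc=example,dc=com",
                 "dc=nitesh,dc=org"):
        print(base, "->", route_base(base))
    print(proxy_aci("uid=ldap2_user3,ou=people,dc=openstack,dc=org"))
```

Running route_base against the entries listed in the thread shows why a test under ou=users,dc=openstack,dc=org never reaches ldap2: that base sits under dc=openstack,dc=org and is served by the local userRoot, and only bases under ou=users,dc=example,dc=com are sent down the link. The ACI helper is meant to be applied on ldap2 for the link's bind DN, which is the DN that needs the proxy right there.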