I installed OpenLDAP and created one user by following this documentation: https://help.ubuntu.com/lts/serverguide/openldap-server.html.
OpenLDAP is working fine.
I also configured LDAP authentication on Open Distro for Elasticsearch (Debian package) by referring to this documentation: https://opendistro.github.io/for-elasticsearch-docs/docs/security-configuration/ldap/
I want to log in to Kibana with my custom LDAP user, so I followed this documentation: https://aws.amazon.com/blogs/opensource/ldap-integration-for-open-distro-for-elasticsearch/. But I am still unable to log in to my Kibana with my custom LDAP user.
This is my .ldif file:
dn: ou=People,dc=server,dc=com
objectClass: organizationalUnit
ou: People

dn: ou=Groups,dc=server,dc=com
objectClass: organizationalUnit
ou: Groups

dn: cn=miners,ou=Groups,dc=server,dc=com
objectClass: posixGroup
cn: miners
gidNumber: 5000

dn: uid=john,ou=People,dc=server,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: john
sn: Doe
givenName: John
cn: John Doe
displayName: John Doe
uidNumber: 10000
gidNumber: 5000
userPassword: johnldap
gecos: John Doe
loginShell: /bin/bash
homeDirectory: /home/john
This is my config.yml file for ldap:
ldap:
  description: "Authenticate via LDAP or Active Directory"
  http_enabled: true
  transport_enabled: true
  order: 1
  http_authenticator:
    type: basic
    challenge: false
  authentication_backend:
    # LDAP authentication backend (authenticate users against a LDAP or Active Directory)
    type: ldap
    config:
      # enable ldaps
      enable_ssl: true
      # enable start tls, enable_ssl should be false
      enable_start_tls: false
      # send client certificate
      enable_ssl_client_auth: false
      # verify ldap hostname
      verify_hostnames: true
      hosts:
        - server.com:389
        - localhost:389
      bind_dn: 'uid=John,ou=People,dc=server,dc=com'
      password: "johnldap"
      userbase: 'ou=people,dc=server,dc=com'
      # Filter to search for users (currently in the whole subtree beneath userbase)
      # {0} is substituted with the username
      usersearch: '(sAMAccountName={0})'
      # Use this attribute from the user as username (if not set then DN is used)
      username_attribute: 'uid'
authz:
  roles_from_myldap:
    description: "Authorize via LDAP or Active Directory"
    http_enabled: true
    transport_enabled: true
    authorization_backend:
      # LDAP authorization backend (gather roles from a LDAP or Active Directory, you have to configure the above LDAP authentication backend settings too)
      type: ldap
      config:
        # enable ldaps
        enable_ssl: false
        # enable start tls, enable_ssl should be false
        enable_start_tls: false
        # send client certificate
        enable_ssl_client_auth: false
        # verify ldap hostname
        verify_hostnames: true
        hosts:
          - server.com:389
          - localhost:389
        bind_dn: 'uid=John,ou=People,dc=server,dc=com'
        password: "johnldap"
        rolebase: 'ou=People,dc=server,dc=com'
        # Filter to search for roles (currently in the whole subtree beneath rolebase)
        # {0} is substituted with the DN of the user
        # {1} is substituted with the username
        # {2} is substituted with an attribute value from user's directory entry, of the authenticated user. Use userroleattribute to specify the name of the attribute
        rolesearch: '(member={0})'
        # Specify the name of the attribute which value should be substituted with {2} above
        userroleattribute: null
        # Roles as an attribute of the user entry
        userrolename: disabled
        #userrolename: memberOf
        # The attribute in a role entry containing the name of that role, Default is "name".
        # Can also be "dn" to use the full DN as rolename.
        rolename: cn
        # Resolve nested roles transitive (roles which are members of other roles and so on ...)
        resolve_nested_roles: true
        userbase: 'ou=People,dc=server,dc=com'
        # Filter to search for users (currently in the whole subtree beneath userbase)
        # {0} is substituted with the username
        usersearch: '(uid={0})'
        # Skip users matching a user name, a wildcard or a regex pattern
        #skip_users:
        #  - 'cn=Michael Jackson,ou*people,o=TEST'
        #  - '/\S*/'
  roles_from_another_ldap:
    description: "Authorize via another Active Directory"
    http_enabled: false
    transport_enabled: false
    authorization_backend:
      type: ldap
What am I missing?
I have recently installed OpenLDAP 2.4.42 and disabled anonymous login using the following content in an LDIF file.
dn: cn=config
changetype: modify
add: olcDisallows
olcDisallows: bind_anon

dn: cn=config
changetype: modify
add: olcRequires
olcRequires: authc

dn: olcDatabase={-1}frontend,cn=config
changetype: modify
add: olcRequires
olcRequires: authc
I can even see access to dn.base="" by * read in the slapd.conf file.
Now I have an application (WordPress blog) which is trying to connect to the LDAP server using anonymous login and failing for that reason. I tried a few options but none of them are working. Can someone help me out on how to re-enable LDAP anonymous login?
Thanks in advance.
What type of configuration are you using? slapd.conf or the slapd.d/ folder? You cannot use both at the same time.
Drop the added olcDisallows & olcRequires configuration if you use the slapd.d/ folder configuration.
Or
delete the counterpart settings from the slapd.conf file (disallow & require) if you use the slapd.conf configuration file.
To delete what you said you added to activate this behaviour, i.e. with an LDIF file for example:
dn: cn=config
changetype: modify
delete: olcDisallows
olcDisallows: bind_anon
-

dn: cn=config
changetype: modify
delete: olcRequires
olcRequires: authc
-

dn: olcDatabase={-1}frontend,cn=config
changetype: modify
delete: olcRequires
olcRequires: authc
-
You should also verify that the targeted anonymous access is allowed by the database ACLs (olcAccess parameter).
I have been trying to apply this LDIF to my OpenLDAP server:
$ cat acl.ldif
dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {3}to dn.exact="cn=ldap-city-thedomain-com,dc=repl,dc=thedomain,dc=com" attrs="ipServicePort,description" by dn="mail=itops#thedomain.com,ou=people,dc=thedomain,dc=com" write by * read
I believe this should allow the user with DN "mail=itops#thedomain.com,ou=people,dc=thedomain,dc=com" to update the attributes ipServicePort and description on "cn=ldap-city-thedomain-com,dc=repl,dc=thedomain,dc=com".
This seems to apply fine:
$ sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f acl.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={1}hdb,cn=config"
When I search for it I can find my updated entry:
$ sudo ldapsearch -Y EXTERNAL -H ldapi:// -b cn=config 'olcDatabase={1}hdb'
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
# extended LDIF
#
# LDAPv3
# base <cn=config> with scope subtree
# filter: olcDatabase={1}hdb
# requesting: ALL
#
# {1}hdb, config
dn: olcDatabase={1}hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {1}hdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=thedomain,dc=com
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous auth by dn="cn=admin,dc=domain,dc=ie,dc=aws,dc=thedomain,dc=net" write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=admin,dc=domain,dc=ie,dc=aws,dc=thedomain,dc=net" write by * read
olcAccess: {3}to dn.exact="cn=ldap-city-thedomain-com,dc=repl,dc=thedomain,dc=com" attrs="ipServicePort,description" by dn="mail=itops#thedomain.com,ou=people,dc=thedomain,dc=com" write by * read
olcLastMod: TRUE
olcRootDN: cn=admin,dc=thedomain,dc=com
olcRootPW: {SSHA}HASHEDPW
olcSyncrepl: {0}rid=003 provider=ldap://ldap.city.thedomain.com binddn="cn=admin,dc=thedomain,dc=com" bindmethod=simple credentials=Cju8MJZhegnEgKp2nU searchbase="dc=thedomain,dc=com" type=refreshAndPersist interval=00:00:00:10 retry="5 5 300 5" timeout=1
olcSyncrepl: {1}rid=004 provider=ldap://ldap1.domain.ie.aws.thedomain.net binddn="cn=admin,dc=thedomain,dc=com" bindmethod=simple credentials=Cju8MJZhegnEgKp2nU searchbase="dc=thedomain,dc=com" type=refreshAndPersist interval=00:00:00:10 retry="5 5 300 5" timeout=1
olcMirrorMode: TRUE
olcDbCheckpoint: 512 30
olcDbConfig: {0}set_cachesize 0 2097152 0
olcDbConfig: {1}set_lk_max_objects 1500
olcDbConfig: {2}set_lk_max_locks 1500
olcDbConfig: {3}set_lk_max_lockers 1500
olcDbIndex: objectClass eq
olcDbIndex: entryCSN eq
olcDbIndex: entryUUID eq
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
However, when I try to make a change using these credentials, it still fails:
$ cat /tmp/modify.ldif
dn: cn=ldap-city-thedomain-com,dc=repl,dc=thedomain,dc=com
changetype: modify
replace: ipServicePort
ipServicePort: 1485176342

dn: cn=ldap-city-thedomain-com,dc=repl,dc=thedomain,dc=com
changetype: modify
replace: description
description: Updated by ldap.city.thedomain.com on Mon Jan 23 12:59:02 UTC 2017
Running:
$ ldapmodify -H ldap://localhost -w PASSWORD -D "mail=itops#thedomain.com,ou=people,dc=thedomain,dc=com" -f /tmp/modify.ldif
modifying entry "cn=ldap-city-thedomain-com,dc=repl,dc=thedomain,dc=com"
ldap_modify: Insufficient access (50)
I also tried making my ACL slightly less restrictive to understand what wasn't working; I have tried the following acl.ldif files:
dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {3}to dn="cn=ldap-city-thedomain-com,dc=repl,dc=thedomain,dc=com" attrs="ipServicePort,description" by dn="mail=itops#thedomain.com,ou=people,dc=thedomain,dc=com" write by * read
The result was the same.
dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {3}to dn="cn=ldap-city-thedomain-com,dc=repl,dc=thedomain,dc=com" by dn="mail=itops#thedomain.com,ou=people,dc=thedomain,dc=com" write by * read
The result was the same.
dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {3}to * by dn="mail=itops#thedomain.com,ou=people,dc=thedomain,dc=com" write by * read
The result was the same.
The only thing I haven't tried yet, as I was hoping to avoid making the DB this insecure even during testing, was to allow * to write this record, or * to write to all records.
I've taken the DN of the record I want to allow editing on from Apache Directory Studio, which shows me:
DN: cn=ldap-city-thedomain-com,dc=repl,dc=thedomain,dc=com
And my user's DN from the same:
DN: mail=itops#thedomain.com,ou=people,dc=thedomain,dc=com
I'm sure I'm doing something obviously idiotic, as my knowledge of LDAP is poor and reading the documentation is painful for me. I'm hoping someone can spot my obvious error and suggest a correction, as I can't see what I have done wrong after a large number of hours of tinkering.
Thank you to JoBbZ in #openldap IRC. This is a simple misunderstanding on my part. Order matters in ACL rules. LDAP will stop looking at the first match, so I need to save my olcAccess as 2, not 3.
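The first-match rule from the answer, shown on the four olcAccess clauses from the ldapsearch output above. This is an added Python model of how slapd picks an access directive, not code from the thread or from OpenLDAP; it assumes exact-DN matching for dn="..." selectors and treats "no clause matched at all" as deny.

```python
# slapd access levels, lowest to highest; a grant covers every level below it.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

def who_matches(who, requester, entry_dn):
    # Only the selectors the posted ACL uses: *, anonymous, self, dn="..." (exact match).
    if who == "*":
        return True
    if who == "anonymous":
        return requester is None
    if who == "self":
        return requester is not None and requester.lower() == entry_dn.lower()
    if who.startswith("dn="):
        return requester is not None and requester.lower() == who[3:].strip('"').lower()
    raise ValueError("unsupported who clause: " + who)

def access(rules, requester, entry_dn, attr):
    """rules: list of (target_dn, attrs, by); target_dn None models 'to *', attrs None
    means any attribute, by is the ('who', 'level') list in the order written.
    The first clause whose target matches wins; inside it the first matching 'by'
    decides, and a matched clause with no matching 'by' denies (implicit 'by * none')."""
    for target_dn, attrs, by in rules:
        if target_dn is not None and target_dn.lower() != entry_dn.lower():
            continue
        if attrs is not None and attr not in attrs:
            continue
        for who, level in by:
            if who_matches(who, requester, entry_dn):
                return level
        return "none"
    return "none"  # assumption: no clause matched at all, treat as deny

def can_write(rules, requester, entry_dn, attr):
    return LEVELS.index(access(rules, requester, entry_dn, attr)) >= LEVELS.index("write")

# DNs and the four olcAccess clauses transcribed from the ldapsearch output above.
ADMIN = 'cn=admin,dc=domain,dc=ie,dc=aws,dc=thedomain,dc=net'
ITOPS = 'mail=itops#thedomain.com,ou=people,dc=thedomain,dc=com'
TARGET = 'cn=ldap-city-thedomain-com,dc=repl,dc=thedomain,dc=com'
pw_rule = (None, {"userPassword", "shadowLastChange"},
           [("self", "write"), ("anonymous", "auth"), ("dn=" + ADMIN, "write"), ("*", "none")])
rootdse = ("", None, [("*", "read")])
catch_all = (None, None, [("dn=" + ADMIN, "write"), ("*", "read")])
itops_rule = (TARGET, {"ipServicePort", "description"}, [("dn=" + ITOPS, "write"), ("*", "read")])
AS_POSTED = [pw_rule, rootdse, catch_all, itops_rule]  # {0}..{3}: the "to *" clause at {2} shadows {3}
REORDERED = [pw_rule, rootdse, itops_rule, catch_all]  # the fix from the answer: itops clause at {2}

def demo():
    return (can_write(AS_POSTED, ITOPS, TARGET, "ipServicePort"),   # False, as in the question
            can_write(REORDERED, ITOPS, TARGET, "ipServicePort"),   # True
            can_write(REORDERED, ADMIN, TARGET, "description"))     # False: the new {2} now shadows the admin DN
```

The third value is the side effect to check for after reordering: once the itops clause sits in front of the catch-all, a DN granted write only by the catch-all loses write on those two attributes unless the new clause grants it as well.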
I am trying to set up an OpenLDAP server with the mdb backend. But neither the version from the package repository nor a self-compiled version (to be sure that back_mdb is compiled into slapd) works for me.
The config database is accessible, the log doesn't print any errors and the database file is created (data.mdb), but my root (suffix) won't show up and isn't writeable.
The basic configuration suggested by the OpenLDAP Administrator's Guide doesn't help either.
My config:
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/inetorgperson.schema
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
database mdb
maxsize 1073741824
suffix "dc=directory,dc=local"
rootdn "cn=admin,dc=directory,dc=local"
rootpw "{SSHA}Lh2sewmXFDo+bwc0Vqy12Xwc61n9sQ5t"
directory /var/lib/openldap/openldap-data
index objectClass eq
access to dn.subtree="ou=contacts,dc=directory,dc=local" by self write by dn="cn=server,ou=people,dc=directory,dc=local" write by dn="cn=phone,ou=people,dc=directory,dc=local" read
access to * by dn="cn=admin,dc=directory,dc=local" write by anonymous auth by dn.subtree="ou=people,dc=directory,dc=local" read by * none
database config
rootdn "cn=admin,cn=config"
rootpw "{SSHA}Lh2sewmXFDo+bwc0Vqy12Xwc61n9sQ5t"
I had to add the LDIF to create my root DN on the localhost.
Create the LDIF file:
dn: dc=directory,dc=local
dc: directory
o: directory.local
objectClass: top
objectClass: dcObject
objectClass: organization
structuralObjectClass: organization
Add the LDIF file and recreate the database index:
slapadd -b "dc=directory,dc=local" -v -l basedn.ldif
slapindex
Start the LDAP daemon and there it is: my root DN.
I am on OpenLDAP and trying to modify an entry via an LDIF with the slapadd command.
#LDIF
dn: uid=ROOTADMIN,ou=users,dc=example,dc=com
changetype: modify
add: userPassword
userPassword: MyPassWord
But I am getting the error below:
54a0fc8e <= str2entry: str2ad(changetype): attribute type undefined
Why is changetype not accepted by the slapadd command?
Also, when I manually try to change the password in an LDAP browser I get the following in the logs:
#!RESULT ERROR
#!CONNECTION ldap://<MY_MACHINENAME>:389
#!DATE 2014-12-29T10:14:16.930
#!ERROR [LDAP: error code 8 - modifications require authentication]
dn: uid=ROOTADMIN,ou=users,dc=example,dc=com
changetype: modify
replace: userPassword
userPassword:: S2l0ZXNGbHk=
LDAP: error code 8 - modifications require authentication? Which authentication is required?
An LDIF file like this (containing changetype entries) should be used with ldapadd, not slapadd.
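The content-record versus change-record distinction behind that answer, as an added Python example (not code from the thread or from OpenLDAP): a small LDIF reader that unfolds continuation lines, decodes "::" base64 values, and reports which tool a file belongs to. The sample inputs are constructed; the change record is the one from the question, the content record is made up.

```python
import base64, re

def unfold(text):
    # LDIF folds long values onto following lines that begin with one space; join them back.
    return re.sub(r"\n ", "", text)

def parse_ldif(text):
    """Return one list of (name, value) pairs per record; records are separated by
    blank lines, '#' lines are comments, 'attr:: x' carries a base64-encoded value."""
    parsed = []
    for block in re.split(r"\n\s*\n", unfold(text).strip()):
        attrs = []
        for line in block.splitlines():
            if line.startswith("#"):
                continue
            if line == "-":                 # separates the mods of one changetype: modify record
                attrs.append(("-", ""))
                continue
            name, _, rest = line.partition(":")
            value = base64.b64decode(rest[1:].strip()).decode() if rest.startswith(":") else rest.strip()
            attrs.append((name.strip(), value))
        parsed.append(attrs)
    return parsed

def which_tool(text):
    """slapadd writes content records straight into the database files and treats
    'changetype' as an unknown attribute (the str2ad(changetype) error in the question);
    change records must go to the running server via ldapmodify, or ldapadd (= ldapmodify -a)."""
    has_change = any(name.lower() == "changetype" for rec in parse_ldif(text) for name, _ in rec)
    return "ldapmodify or ldapadd" if has_change else "slapadd or ldapadd"

# Constructed sample inputs: the change record from the question, and a content record
# with a folded base64 value ("Example Org") that is not taken from the thread.
CHANGE_LDIF = """dn: uid=ROOTADMIN,ou=users,dc=example,dc=com
changetype: modify
add: userPassword
userPassword: MyPassWord
"""
CONTENT_LDIF = """dn: dc=example,dc=com
objectClass: dcObject
objectClass: organization
dc: example
o:: RXhhbXBsZSBP
 cmc=
"""

def demo():
    return which_tool(CHANGE_LDIF), which_tool(CONTENT_LDIF), dict(parse_ldif(CONTENT_LDIF)[0])["o"]
```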