UCS 3.0 LDAP
From Univention Wiki
UCS 3.0 will be shipped with OpenLDAP 2.4.25. The major configuration changes are the new default port and the deactivation of the anonymous bind.
Port configuration
By default OpenLDAP in UCS 3.0 is started on the following ports:
- Port 389 and port 7389: LDAP connections for OpenLDAP
- Port 636 and port 7636: LDAPS connections for OpenLDAP
Once Samba 4 is installed, Samba 4 has to run its own LDAP server on port 389. This is configured automatically during the Samba 4 installation. After that the port configuration is:
- Port 389: LDAP connections for Samba 4
- Port 636: LDAPS connections for Samba 4
- Port 7389: LDAP connections for OpenLDAP
- Port 7636: LDAPS connections for OpenLDAP
All connections, with the exception of Samba / Windows connections, should use port 7389 or port 7636.
UCR variables to configure the port of a remote LDAP server:
- ldap/server/port
- ldap/master/port
UCR variables to configure the local OpenLDAP server ports:
- slapd/port
- slapd/port/ldaps
More details: Bug #20026
Anonymous bind
By default the anonymous bind is disabled during the UCS 3.0 installation. During an update from UCS 2.4 the existing configuration is left untouched. The following options are available for querying LDAP without an anonymous bind:
- Using the ldapi interface
This is only possible on systems with a local OpenLDAP server:
ldapsearch -x -H ldapi:/// uid=user
- Using univention-ldapsearch
The tool univention-ldapsearch uses the host account and needs access to the file /etc/machine.secret.
univention-ldapsearch uid=user
- Use a different account
ldapsearch -x -D <DN> -w <secret> uid=user
- Re-enable anonymous bind for specific hosts
ucr set ldap/acl/read/ips="127.0.0.1,192.168.0.5"
invoke-rc.d slapd restart
- Re-enable anonymous bind for all
ucr set ldap/acl/read/anonymous=yes
invoke-rc.d slapd restart
More details: Bug #17516