Cool Solution - LDAP search user / simple authentication account
From Univention Wiki
For security reasons we recommend to create a simple authentication user, which can read LDAP entries but is not able to login to any service provided.
How to open the Users module
Open the Univention Management Console via a webbrowser of your choice with the FQDN or the ip address of your server, like ucs.example.com. After the login you should see the following overview site:
Click on the sector "Users" to get an overview of all modules in this category. Your site should be look like the following picture.
Click on the "Users"-module to get an overview of all your users and the option to create a new user.
Create a User with LDAP read permission
Create a new user using the UMC by opening the Users module and then using the "Add" button. If you've installed UCS@school please make sure to remember the selected users container, in this case "cn=users".
Before filling out the necessary information to create the user, go to the button that says "ADVANCED".
On the following page select the "Option" tab on the left. Untag all checkboxes, except "simple authentication" and afterwards fill out all the necessary information (lastname, username and a safety password) for the creation of the user.
With the following shell command you can check if the created user is able to read the LDAP entries:
ldapsearch -x -D uid=<LDAP user>,cn=users,$(/usr/sbin/ucr get ldap/base) -W uid=Administrator
and enter the password of the LDAP search user. If you can see the Administrator's user object the search user is configured correctly and can be used in services to query the LDAP.
LDAP attributes and values
|LDAP hostname||<ip of the server> or <FQDN of the server>||To get the FQDN, run |
|LDAP port||7389, or 7636 for SSL||If the app Active Directory-compatible Domain Controller is installed, the ports 389 and 636 are reserverd for Samba/AD|
|LDAP base||To get the LDAP base from your domain, run |
|LDAP uid||uid||The attribute "uid" contains the username for the LDAP search user.|
|LDAP password||<password of your LDAP search user>|
|LDAP filter||objectClass=organizationalPerson||Only users matching the filter are found using the LDAP filter. Can be expaneded.|
|User DN||cn=users,<LDAP base>||Default LDAP path to where the users are stored.|
|Group DN||cn=groups,<LDAP base>||Default LDAP path to where the groups are stored.|
|Group filter||objectClass=univentionGroup||Only groups matching the filter are found using the LDAP filter. Can be expaneded.|
|Group attribute||cn||Attribute the group name is stored in the LDAP.|
Possible error messages may appear:
> (ldap) Authentication failure! invalid_credentials encountered.
Solution: Check, with the following command, if your bind user (LDAP search user) has the needed access rights to search through the LDAP entries.
univention-ldapsearch -D <DN of your user> -W
If you receive no error message, re-check the configuration of the LDAP plugin. Otherwise, try to work through these wiki article again.
Another error message could be:
> (ldap) Authentication failure! ldap_error: Net::LDAP::Error, Connection reset by peer - SSL_connect
Solution: This error message can have several causes. One of the common reason is that the port number has been set incorrectly.
- LDAP Port: 7389
- LDAP Port (SSL): 7636