Difference between revisions of "Cool Solution - LDAP search user / simple authentication account"

From Univention Wiki

{{Version|UCS=4.1}}
This page has been moved to the Knowledge Base Cool Solutions in the Forum.
{{Cool Solutions Disclaimer|Repository=no}}
 
{{Review-Status}}
 
  
For security reasons we recommend creating a '''simple authentication user''' that can read LDAP entries but cannot log in to any of the services provided.
[https://help.univention.com/t/cool-solution-ldap-search-user-simple-authentication-account/11818 Cool Solution - LDAP search user/simple authentication account]
 
 
{{TOC}}
 
 
 
== How to open the Users Module ==
 
Open the Univention Management Console in a web browser of your choice using the FQDN or the IP address of your server, for example ucs.example.com. After logging in you should see the following overview page. To add a new user, open the Users module.
 
[[File:Overview User.png|400px|thumb|center| This site shows you the UMC overview site with a marker on the users module]]
 
 
 
Your page should look like the following picture.
 
[[File:Overview UMC.png|400px|thumb|center| This site shows you the users module overview]]
 
Click on "Users" to get an overview of all your users and the option to create a new user.
 
 
 
== Create a User with LDAP read permission ==
 
If you've installed UCS@school please make sure to select the right container for the LDAP search user.
 
[[File:Overview User1.png|400px|thumb|center| This site shows you right container for your LDAP search user]]
 
 
 
First create a new user using the UMC by opening the Users module and then using the "Add" button. Click on '''Advanced''' in the new window.
 
[[File:LDAP search user1.png|400px|thumb|center| This site shows you the advanced settings of a user creation]]
 
 
 
Fill out all necessary text fields (last name, username and a strong password) and go to the "'''Options'''" tab. Untick all checkboxes except "'''simple authentication'''".
 
[[File:LDAP search user2.png|400px|thumb|center| Untick all checkboxes except simple authentication]]
 
 
 
== Test commands ==
 
With the following shell command you can check if the created user is able to read the LDAP entries:
 
<pre>
ldapsearch -x -D uid=<LDAP user>,cn=users,$(/usr/sbin/ucr get ldap/base) -W uid=Administrator
</pre>
 
and enter the password of the LDAP search user when prompted. If the Administrator's user object is returned, the search user is configured correctly and can be used by services to query the LDAP directory.
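A scripted version of this check, added here as an example and not part of the original wiki page: it builds the bind DN the way the command above does, extracts the returned DN as the table's <code>grep ^dn</code> does, and maps the ldapsearch exit status to the LDAP result it stands for (the Troubleshooting section's <code>invalid_credentials</code> is result code 49). It assumes a UCS host with <code>ldapsearch</code> and <code>ucr</code> installed, a search user located under <code>cn=users,&lt;ldap/base&gt;</code>, and the user's password stored in a file whose path is passed as the second argument.

```shell
#!/bin/sh
# Added example (not from the original page). Assumes a UCS host with
# ldapsearch and /usr/sbin/ucr, and a search user under cn=users,<ldap/base>.

# Build the bind DN of a search user from its uid and the LDAP base.
make_bind_dn() {
    # $1 = uid of the search user, $2 = LDAP base (from `ucr get ldap/base`)
    printf 'uid=%s,cn=users,%s\n' "$1" "$2"
}

# Print the DN of every entry in LDIF read from stdin (what `grep ^dn` does,
# minus the "dn: " prefix).
extract_dn() {
    sed -n 's/^dn: //p'
}

# Explain an ldapsearch exit status. ldapsearch exits with the LDAP result
# code; "cannot contact server" is -1, which the shell reports as 255.
explain_rc() {
    case "$1" in
        0)   echo "success: bind and search worked" ;;
        32)  echo "noSuchObject: base or bind DN does not exist (check ldap/base)" ;;
        49)  echo "invalidCredentials: wrong bind DN or password" ;;
        50)  echo "insufficientAccessRights: bind worked but the entry is not readable" ;;
        255) echo "cannot contact LDAP server: check hostname and port (7389, or 7636 for SSL)" ;;
        *)   echo "ldapsearch exit status $1" ;;
    esac
}

# Bind as the search user and look up the Administrator object, as the
# page's test command does. Prints the DN found and what the status means.
check_search_user() {
    # $1 = uid of the search user, $2 = file containing its password
    base=$(/usr/sbin/ucr get ldap/base)
    binddn=$(make_bind_dn "$1" "$base")
    # -y reads the password from a file so it never appears in the process list.
    out=$(ldapsearch -x -LLL -D "$binddn" -y "$2" -b "$base" uid=Administrator dn)
    rc=$?
    printf '%s\n' "$out" | extract_dn
    explain_rc "$rc"
    return "$rc"
}
```

Run it as <code>check_search_user &lt;LDAP user&gt; /path/to/password-file</code>; a non-zero return value is the raw ldapsearch status, so the function can be used from other scripts.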
 
 
 
== LDAP attributes and values ==
 
 
 
{| class="wikitable"
 
|-
 
! attribute                                          !! values !! command
 
|-
 
| ldap hostname || <ip of the server> or <FQDN of the server>  || hostname -f
 
|-
 
| ldap port || 7389 or 7636 for SSL
 
|-
 
| ldap method || plain
 
|-
 
| ldap base || output from 'ucr get ldap/base'
 
|-
 
| ldap uid || uid
 
|-
 
| ldap bind dn || DN of your LDAP search user || univention-ldapsearch uid=<username of your LDAP search user> {{!}} grep ^dn
 
|-
 
| ldap password || <password of your LDAP search user>
 
|-
 
| ldap filter || objectClass=person
 
|-
 
| user DN || cn=users,<LDAP base> || ucr get ldap/base
 
|-
 
| group DN ||  cn=groups,<LDAP base> || ucr get ldap/base
 
|-
 
| group filter || objectClass=univentionGroup
 
|-
 
| group attribute || cn
 
|}
 
 
 
== Troubleshooting ==
 
 
 
The following error messages may appear:
 
 
 
> (ldap) Authentication failure! invalid_credentials encountered.
 
 
 
Solution: Check with the following command whether your bind user (the LDAP search user) has sufficient permissions to search the LDAP entries.
 
 
 
<pre>
univention-ldapsearch -D <DN of your user> -W
</pre>
 
 
 
If you receive no error message, check the entries in the configuration of the LDAP plugin. Otherwise, work through this wiki article again.
 
 
 
Another error message could be:
 
> (ldap) Authentication failure! ldap_error: Net::LDAP::Error, Connection reset by peer - SSL_connect
 
 
 
Solution: This error message can have several causes. One of the most common is that the port number has been set incorrectly.
 
 
 
* LDAP Port: 7389
 
* LDAP Port (SSL):  7636
 
 
 
[[Category:EN]][[Category:Howtos]]
 

Latest revision as of 13:04, 9 August 2019
