Difference between revisions of "Cool Solution - LDAP search user / simple authentication account"

From Univention Wiki

(Updated the article)
Line 3: Line 3:
 
{{Review-Status}}
 
{{Review-Status}}
  
For security reasons we recommend to create a '''simple authentication user''', which can read LDAP entries, but is not able to login to any service provided.
+
For security reasons we recommend to create a '''simple authentication user''', which can read LDAP entries but is not able to login to any service provided.
  
 
{{TOC}}
 
{{TOC}}
  
 
== How to open the Users module ==
 
== How to open the Users module ==
Open the Univention Management Console via a webbrowser of your choice with the FQDN or the ip address of your server, like ucs.example.com. After the login you should see the following overview site.
+
Open the Univention Management Console via a webbrowser of your choice with the FQDN or the ip address of your server, like ucs.example.com. After the login you should see the following overview site:
 
[[File:Overview User.png|400px|thumb|center| This site shows you the UMC overview site with a marker on the users sector]]
 
[[File:Overview User.png|400px|thumb|center| This site shows you the UMC overview site with a marker on the users sector]]
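Review bot: style point on the rewritten introduction sentence, "is not able to login to any service": as a verb this should be "log in", and "simple authentication user" would match the page title's own term "simple authentication account".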
  
Line 17: Line 17:
  
 
== Create a User with LDAP read permission ==
 
== Create a User with LDAP read permission ==
If you've installed UCS@school please make sure to select the right container for the LDAP search user.
+
If you've installed UCS@school please make sure to select the right container (<LDAP Base>:users) for the LDAP search user.
 
[[File:Overview User1.png|400px|thumb|center| This site shows you right container for your LDAP search user]]
 
[[File:Overview User1.png|400px|thumb|center| This site shows you right container for your LDAP search user]]
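Review bot: the container added in parentheses, <LDAP Base>:users, is given in UMC position notation, while the rest of the page uses the DN form, cn=users,$(ucr get ldap/base) in the test command and cn=users,<LDAP base> in the "User DN" row. Either write cn=users,<LDAP base> here too, or say that UMC displays this container as <LDAP Base>:users, so that UCS@school readers pick the same container the later commands assume.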
  
Line 29: Line 29:
 
With the following shell command you can check if the created user is able to read the LDAP entries:
 
With the following shell command you can check if the created user is able to read the LDAP entries:
 
<pre>
 
<pre>
ldapsearch -x -D uid=<LDAP user>,cn=users,$(/usr/sbin/uct get ldap/base) -W uid=Administrator
+
ldapsearch -x -D uid=<LDAP user>,cn=users,$(/usr/sbin/ucr get ldap/base) -W uid=Administrator
 
</pre>
 
</pre>
 
and enter the password of the LDAP search user. If you can see the Administrator's user object the search user is configured correctly and can be used in services to query the LDAP.
 
and enter the password of the LDAP search user. If you can see the Administrator's user object the search user is configured correctly and can be used in services to query the LDAP.
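Review bot: the uct to ucr correction in the ldapsearch command is right; uct is not a UCS tool, so the old line would have produced a bind DN with an empty base. One caveat on the sentence after the command: seeing the Administrator object only proves that the search user can bind and read, not that it cannot log in anywhere, so "the search user is configured correctly" should be narrowed to "has the read permission"; whether the account is really a simple authentication account is a separate check on its options.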
Line 37: Line 37:
 
{| class="wikitable"
 
{| class="wikitable"
 
|-
 
|-
! attribute                                          !! values !! command
+
! Attribute      || Values                                      || Explanation
 
|-
 
|-
| ldap hostname || <ip of the server> or <FQDN of the server>  || hostname -f
+
| LDAP hostname   || <ip of the server> or <FQDN of the server>  || To get the FQDN, run <code>hostname -f</code> on the UCS DC Master
 
|-
 
|-
| ldap port || 7389 or 7636 for SSL
+
| LDAP port       || 7389, or 7636 for SSL                       || If the app [https://www.univention.com/products/univention-app-center/app-catalog/samba4/ Active Directory-compatible Domain Controller] is installed, the ports 389 and 636 are reserverd for Samba/AD
 
|-
 
|-
| ldap method || plain
+
| LDAP method     || plain                                       ||
 
|-
 
|-
| ldap base || output from 'ucr get ldap/base'
+
| LDAP base       ||                                            || To get the LDAP base from your domain, run <code>ucr get ldap/base</code> on any UCS system.
 
|-
 
|-
| ldap uid || uid
+
| LDAP uid       || uid                                         || The attribute "uid" contains the username for the LDAP search user.
 
|-
 
|-
| ldap bind dn || DN of your LDAP search user || {{!}}  univention-ldapsearch uid=<username of your LDAP search user> | grep ^dn
+
| LDAP bind dn   || DN of your LDAP search user                 || To get the DN, run <code><nowiki>univention-ldapsearch -D uid=Administrator,cn=users,$(/usr/sbin/ucr get ldap/base) uid=<username of your LDAP search user> dn</nowiki></code> on any UCS system.
 
|-
 
|-
| ldap password || <password of your LDAP search user>
+
| LDAP password   || <password of your LDAP search user>         ||
 
|-
 
|-
| ldap filter || objectClass=person
+
| LDAP filter     || objectClass=organizationalPerson            || Only users matching the filter are found using the LDAP filter. Can be expaneded.
 
|-
 
|-
| user DN || cn=users,<LDAP base> || ucr get ldap/base
+
| User DN         || cn=users,<LDAP base>                       || Default LDAP path to where the users are stored.
 
|-
 
|-
| group DN || cn=groups,<LDAP base> || ucr get ldap/base
+
| Group DN       || cn=groups,<LDAP base>                       || Default LDAP path to where the groups are stored.
 
|-
 
|-
| group filter || objectClass=univentionGroup
+
| Group filter   || objectClass=univentionGroup                 || Only groups matching the filter are found using the LDAP filter. Can be expaneded.
 
|-
 
|-
| group attribute || cn
+
| Group attribute || cn                                         || Attribute the group name is stored in the LDAP.
 
|}
 
|}
  
 
== Troubleshooting ==
 
== Troubleshooting ==
 
 
Possible error messages may appear:
 
Possible error messages may appear:
 +
<pre>
 +
> (ldap) Authentication failure! invalid_credentials encountered.
 +
</pre>
 +
Solution: Check, with the following command, if your bind user (LDAP search user) has the needed access rights to search through the LDAP entries.
  
> (ldap) Authentication failure! invalid_credentials encountered.
+
<pre>
 +
univention-ldapsearch -D <DN of your user> -W
 +
</pre>
  
Solution: Check, with the following command, if your bind user (LDAP search user) has enough credentials to search through the LDAP entries.
+
If you receive no error message, re-check the configuration of the LDAP plugin. Otherwise, try to work through these wiki article again.
 
 
univention-ldapsearch -D <DN of your user> -W
 
 
 
If you receive no error message , so check your entries in the configuration of the LDAP plugin. Otherwise, try to work through these wiki article again.
 
  
 
Another error message could be:
 
Another error message could be:
> (ldap) Authentication failure! ldap_error: Net::LDAP::Error, Connection reset by peer - SSL_connect
+
<pre>
 +
> (ldap) Authentication failure! ldap_error: Net::LDAP::Error, Connection reset by peer - SSL_connect
 +
</pre>
  
Solution: This error message can have several causes. One of the common reason is, that the port number has been set incorrectly.
+
Solution: This error message can have several causes. One of the common reason is that the port number has been set incorrectly.  
  
 
* LDAP Port: 7389
 
* LDAP Port: 7389
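Review bot: the new "LDAP bind dn" command, univention-ldapsearch -D uid=Administrator,cn=users,$(/usr/sbin/ucr get ldap/base) uid=<username of your LDAP search user> dn, passes a bind DN but no password (there is no -W, unlike the Troubleshooting command univention-ldapsearch -D <DN of your user> -W), so the bind cannot succeed as written. Either add -W, or drop the -D part entirely: the previous version, univention-ldapsearch uid=<username of your LDAP search user> | grep ^dn (or the same with a trailing " dn" instead of the grep), already does the job. Spelling in the added rows: "reserverd" should be "reserved", "expaneded" (twice) "expanded", and "these wiki article" in the Troubleshooting text "this wiki article".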

Revision as of 11:22, 11 November 2016

UCS Version 4.1

Note: Cool Solutions are articles documenting additional functionality based on Univention products. Not all of the shown steps in the article are covered by Univention Support. For questions about your support coverage contact your contact person at Univention before you want to implement one of the shown steps.

Also regard the legal notes at Terms of Service.
Note: This article is not yet reviewed.


For security reasons we recommend creating a simple authentication account: a user that can read LDAP entries but cannot log in to any service.

How to open the Users module

Open the Univention Management Console in a web browser of your choice using the FQDN or the IP address of your server, e.g. ucs.example.com. After logging in you should see the following overview page:

Screenshot: the UMC overview page with the "Users" category marked.

Click on the "Users" category to get an overview of all modules in this category. Your page should look like the following picture.

Screenshot: the overview page of the "Users" category.

Click on the "Users"-module to get an overview of all your users and the option to create a new user.

Create a User with LDAP read permission

If you have installed UCS@school, make sure to select the right container (<LDAP Base>:users, i.e. cn=users,<LDAP base>) for the LDAP search user.

Screenshot: the right container for your LDAP search user.

First create a new user using the UMC by opening the Users module and then using the "Add" button. Click on Advanced in the new window.

Screenshot: the advanced settings when creating a user.

Fill out all necessary text fields (last name, username and a strong password) and go to the "Options" tab. Untick all checkboxes except "simple authentication", so that the account gets no POSIX, Kerberos or Samba login capability.

Screenshot: all checkboxes unticked except "simple authentication".

Test commands

With the following shell command you can check if the created user is able to read the LDAP entries:

ldapsearch -x -D uid=<LDAP user>,cn=users,$(/usr/sbin/ucr get ldap/base) -W uid=Administrator

and enter the password of the LDAP search user. If you can see the Administrator's user object the search user is configured correctly and can be used in services to query the LDAP.
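The ldapsearch call above proves that the account can bind and read, but not that it is really a simple authentication account with no login capability. The script below is an added example written for this page, not Univention's own code. It wraps the read check from the article and adds a negative check on the object's objectClass values. It assumes that login capability comes from the object classes posixAccount, krb5Principal/krb5KDCEntry and sambaSamAccount (the classes added by the POSIX, Kerberos and Samba options; treated as an assumption here), that the account lives in cn=users under the LDAP base, and that ucr and the local LDAP server on port 7389 are available. The LDIF samples are constructed and do not claim to show the exact class list UCS writes.

```shell
#!/bin/sh
# Added example for this wiki page; not Univention code.
# Assumption: these object classes are what lets a UCS user log in to
# services (POSIX, Kerberos and Samba options). A simple authentication
# account must carry none of them.
LOGIN_CLASSES="posixAccount krb5Principal krb5KDCEntry sambaSamAccount"

# Positive check from the article: bind as the search user and read one
# entry. $1 = uid of the search user, $2 = file holding its password.
# Only works on a UCS system (needs ucr and the local LDAP server).
ldap_read_check() {
    base=$(/usr/sbin/ucr get ldap/base) || return 1
    ldapsearch -x -H ldap://localhost:7389 \
        -D "uid=$1,cn=users,$base" -y "$2" \
        -b "$base" '(uid=Administrator)' dn
}

# Negative check: read LDIF on stdin (for example the output of
#   univention-ldapsearch "uid=<search user>" objectClass)
# and fail if any login-enabling object class is present.
check_simple_auth_account() {
    found=""
    # "objectClass: posixAccount" splits into attr="objectClass:" value="posixAccount"
    while read -r attr value; do
        case "$attr" in
            objectClass:)
                for c in $LOGIN_CLASSES; do
                    if [ "$value" = "$c" ]; then found="$found $c"; fi
                done
                ;;
        esac
    done
    if [ -n "$found" ]; then
        echo "not a simple authentication account, has:$found" >&2
        return 1
    fi
    return 0
}

# Constructed sample LDIF (not captured from a real system).
SAMPLE_SIMPLE='dn: uid=ldapsearch,cn=users,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: uidObject
objectClass: simpleSecurityObject
objectClass: univentionObject'

SAMPLE_FULL='dn: uid=ldapsearch,cn=users,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: posixAccount
objectClass: krb5Principal
objectClass: sambaSamAccount
objectClass: univentionObject'

# Wrappers that return the exit status of the check for each sample.
check_sample_simple() { printf '%s\n' "$SAMPLE_SIMPLE" | check_simple_auth_account; }
check_sample_full()   { printf '%s\n' "$SAMPLE_FULL"   | check_simple_auth_account 2>/dev/null; }
```

On the DC Master, `univention-ldapsearch "uid=<search user>" objectClass | check_simple_auth_account` runs the negative check against the live object; if it names a class, the "Options" tab of the user still has a login option ticked.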

LDAP attributes and values

{| class="wikitable"
|-
! Attribute !! Value !! Explanation
|-
| LDAP hostname || <IP address of the server> or <FQDN of the server> || To get the FQDN, run <code>hostname -f</code> on the UCS DC Master.
|-
| LDAP port || 7389, or 7636 for SSL || If the app [https://www.univention.com/products/univention-app-center/app-catalog/samba4/ Active Directory-compatible Domain Controller] is installed, the ports 389 and 636 are reserved for Samba/AD.
|-
| LDAP method || plain || Simple bind. Over the plain port 7389 the bind password is sent in clear text; combine it with SSL (port 7636) unless the service runs on the UCS system itself.
|-
| LDAP base || <output of ucr get ldap/base> || To get the LDAP base of your domain, run <code>ucr get ldap/base</code> on any UCS system.
|-
| LDAP uid || uid || The attribute "uid" holds the username, both of the LDAP search user and of the users the service looks up.
|-
| LDAP bind DN || DN of your LDAP search user || Normally uid=<username of your LDAP search user>,cn=users,<LDAP base>. To confirm it, run <code>univention-ldapsearch uid=<username of your LDAP search user> dn</code> on any UCS system.
|-
| LDAP password || <password of your LDAP search user> ||
|-
| LDAP filter || objectClass=organizationalPerson || Only entries matching this filter are treated as users. It can be extended with further conditions.
|-
| User DN || cn=users,<LDAP base> || Default container in which users are stored.
|-
| Group DN || cn=groups,<LDAP base> || Default container in which groups are stored.
|-
| Group filter || objectClass=univentionGroup || Only groups matching this filter are found. It can be extended with further conditions.
|-
| Group attribute || cn || Attribute in which the group name is stored.
|}

Troubleshooting

The following error messages may appear:

> (ldap) Authentication failure! invalid_credentials encountered.

Solution: invalid_credentials means that the bind as the search user was rejected, i.e. the bind DN or the password is wrong. Check both with the following command and enter the password of the search user when prompted:

univention-ldapsearch -D <DN of your user> -W

If the command returns entries without an error message, the credentials are correct and the problem is in the configuration of the LDAP plugin; re-check the bind DN, password and port entered there. Otherwise, work through this wiki article again.

Another error message could be:

> (ldap) Authentication failure! ldap_error: Net::LDAP::Error, Connection reset by peer - SSL_connect

Solution: This error message can have several causes. One common cause is an incorrectly set port, e.g. SSL enabled against the plain port 7389, or plain against the SSL port 7636. The ports of the UCS LDAP server are:

  • LDAP Port: 7389
  • LDAP Port (SSL): 7636
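To show how the values from the "LDAP attributes and values" table fit together, and to catch the port mismatch behind the "Connection reset by peer - SSL_connect" message above before a service is configured with it, here is an added example written for this page (not Univention code). It assumes the port assignment stated in the table (7389 plain, 7636 SSL, 389/636 belonging to Samba/AD when that app is installed) and a constructed example domain dc=example,dc=com with a search user named ldapsearch. It also escapes the uid that is combined with the user filter, as RFC 4515 requires, so a username taken from a login form cannot alter the filter.

```shell
#!/bin/sh
# Added example for this wiki page; not Univention code.
# Assumption: 7389 is the plain-text OpenLDAP port and 7636 the SSL port,
# as in the table; 389/636 are Samba/AD when the AD-compatible DC app is installed.

# $1 = host, $2 = port, $3 = method (plain|ssl). Prints the LDAP URI, or
# fails on the combinations that give "Connection reset by peer - SSL_connect".
ldap_uri() {
    host=$1; port=$2; method=$3
    case "$method:$port" in
        plain:7389) printf 'ldap://%s:%s\n'  "$host" "$port" ;;
        ssl:7636)   printf 'ldaps://%s:%s\n' "$host" "$port" ;;
        ssl:7389|plain:7636)
            echo "method '$method' does not fit port $port: use plain with 7389 or ssl with 7636" >&2
            return 1 ;;
        plain:389|ssl:636)
            echo "port $port is Samba/AD on a UCS DC with the AD-compatible DC app; use 7389/7636 for OpenLDAP" >&2
            return 1 ;;
        *)  echo "unknown method/port combination '$method:$port'" >&2
            return 1 ;;
    esac
}

# Escapes a value for use inside an LDAP search filter (RFC 4515):
# backslash, *, ( and ) become \5c, \2a, \28 and \29.
ldap_filter_escape() {
    printf '%s\n' "$1" | sed 's/\\/\\5c/g; s/\*/\\2a/g; s/(/\\28/g; s/)/\\29/g'
}

# Extends the base user filter from the table with a uid match.
# $1 = base filter (e.g. objectClass=organizationalPerson), $2 = uid to look up.
user_filter() {
    printf '(&(%s)(uid=%s))\n' "$1" "$(ldap_filter_escape "$2")"
}

# Assembles the complete ldapsearch command line (printed, not executed).
# $1 host, $2 port, $3 method, $4 LDAP base, $5 search user uid,
# $6 base user filter, $7 uid to look up
ldapsearch_cmd() {
    uri=$(ldap_uri "$1" "$2" "$3") || return 1
    filter=$(user_filter "$6" "$7")
    printf "ldapsearch -H %s -x -D 'uid=%s,cn=users,%s' -W -b '%s' '%s' dn\n" \
        "$uri" "$5" "$4" "$4" "$filter"
}

# Constructed values (example domain, not a real deployment).
demo_good() { ldapsearch_cmd ucs.example.com 7636 ssl dc=example,dc=com ldapsearch objectClass=organizationalPerson Administrator; }
demo_bad()  { ldapsearch_cmd ucs.example.com 7389 ssl dc=example,dc=com ldapsearch objectClass=organizationalPerson Administrator 2>/dev/null; }
```

`demo_good` prints a command that queries the Administrator entry over ldaps://ucs.example.com:7636 as the search user; `demo_bad` uses the same values with SSL against port 7389 and is rejected with the explanation instead of producing the SSL_connect error at runtime.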