Cool Solution - LDAP search user / simple authentication account

From Univention Wiki

Revision as of 09:34, 5 October 2016 by Hpeter (talk | contribs)
UCS Version 4.1

Note: Cool Solutions are articles documenting additional functionality based on Univention products. Not all steps shown in this article are covered by Univention Support. For questions about your support coverage, contact your contact person at Univention before implementing any of the steps shown.

Also note the legal terms at Terms of Service.
Note: This article is not yet reviewed.

For security reasons we recommend creating a dedicated "simple authentication" user for services that need to query the directory: an account that can bind to the LDAP server and read entries, but cannot log in to any service provided by the domain. A service that only needs to look up users and groups should never be configured with the Administrator's credentials or with a normal user account.

Create a User with LDAP read permission

First create a new user in the UMC: open the Users module and click "Add". In the dialog that opens, click "Advanced".

Screenshot: the advanced settings of the user creation dialog.

Fill in all required fields (last name, username and a strong password) and switch to the "Options" tab. Uncheck every option except "simple authentication". This is what makes the account usable for LDAP binds only: without the other options it gets none of the account data that services use for logins.

Screenshot: all options unchecked except "simple authentication".

Test commands

With the following shell command, run on the UCS server, you can check whether the created user is able to bind and read LDAP entries (-x requests a simple bind, -W prompts for the bind password; the DN assumes the user was created in the default cn=users container):

ldapsearch -x -D "uid=<LDAP user>,cn=users,$(/usr/sbin/ucr get ldap/base)" -W uid=Administrator

Enter the password of the LDAP search user when prompted. If the Administrator's user object is returned, the search user is configured correctly and can be used by services to query the LDAP directory.

LDAP attributes and values

The values a service's LDAP plugin typically asks for, and the command on the UCS server that determines each of them:

Attribute        Value                                         Command
ldap hostname    <IP of the server> or <FQDN of the server>    hostname -f
ldap port        7389 (plain) or 7636 (SSL)
ldap method      plain for port 7389; the plugin's SSL/TLS method for port 7636 (the two must match)
ldap base        <LDAP base>                                   ucr get ldap/base
ldap uid         uid
ldap bind dn     DN of your LDAP search user                   univention-ldapsearch uid=<username of your LDAP search user> | grep ^dn
ldap password    <password of your LDAP search user>
ldap filter      objectClass=person
user DN          cn=users,<LDAP base>                          ucr get ldap/base
group DN         cn=groups,<LDAP base>                         ucr get ldap/base
group filter     objectClass=univentionGroup
group attribute  cn


Error messages that may appear:

> (ldap) Authentication failure! invalid_credentials encountered.

Solution: Check with the following command whether your bind user (the LDAP search user) can bind to the directory and read its entries:

univention-ldapsearch -D "<DN of your LDAP search user>" -W

If the search succeeds, the bind user is fine and the problem lies in the LDAP plugin's configuration: compare its entries with the table above (bind DN and password are the usual culprits). If the search fails, work through this article again.

Another error message could be:

> (ldap) Authentication failure! ldap_error: Net::LDAP::Error, Connection reset by peer - SSL_connect

Solution: This error can have several causes. The most common one is a port that does not match the configured method: the plugin starts a TLS handshake (SSL_connect) against the plaintext port, and the server closes the connection. Use the pair that belongs together:

  • LDAP Port: 7389 with the plain method
  • LDAP Port (SSL): 7636 with the plugin's SSL/TLS method
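The test command and the two troubleshooting checks above, combined into one script. This is an added example, not part of the original Cool Solution or of Univention's tools. It assumes, beyond what the article states, that the search user lives in the default container cn=users,<ldap/base>, that the plugin's method values are spelled "plain" and "ssl", that a simple authentication account must carry none of the object classes listed in LOGIN_CLASSES (the classes that make an account usable for PAM, Samba or Kerberos logins), and that a script name check-search-user.sh is used; the LDIF samples are constructed.

```bash
#!/bin/bash
# Added example; not part of the Univention Cool Solution. Runs the checks
# this article describes against a UCS host. Assumptions not stated on the
# page: the search user lives in the default container cn=users,<ldap/base>,
# the plugin's method values are spelled "plain" and "ssl", and a simple
# authentication account must carry none of the object classes in
# LOGIN_CLASSES (those are what make an account usable for PAM, Samba or
# Kerberos logins).
set -eu

# DN of a user created in the default users container.
bind_dn() {
    printf 'uid=%s,cn=users,%s' "$1" "$2"
}

# Turn the plugin's method + port into an LDAP URI. Mismatched pairs are
# rejected: TLS against 7389 is what produces
# "Connection reset by peer - SSL_connect"; plain LDAP against 7636 fails too.
ldap_uri() {
    case "$1:$3" in
        plain:7389) printf 'ldap://%s:7389' "$2" ;;
        ssl:7636)   printf 'ldaps://%s:7636' "$2" ;;
        *) printf 'method %s does not match port %s\n' "$1" "$3" >&2; return 1 ;;
    esac
}

# Object classes that let an account log in somewhere (assumed list).
LOGIN_CLASSES='posixAccount|shadowAccount|sambaSamAccount|krb5Principal|krb5KDCEntry'

# Succeeds when the LDIF entry in $1 has none of LOGIN_CLASSES.
no_login_classes() {
    if printf '%s\n' "$1" | grep -Eiq '^objectClass: *('"$LOGIN_CLASSES"')$'; then
        return 1
    fi
    return 0
}

# Constructed LDIF samples in the shape "univention-ldapsearch -LLL" prints.
# SAMPLE_SIMPLE stands for an account with only "simple authentication"
# ticked; SAMPLE_POSIX for a regular user that can log in.
SAMPLE_SIMPLE='dn: uid=ldapsearch,cn=users,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: univentionObject
objectClass: simpleSecurityObject
objectClass: uidObject'

SAMPLE_POSIX='dn: uid=bob,cn=users,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: posixAccount
objectClass: shadowAccount
objectClass: sambaSamAccount'

# Live checks (only on a UCS host):  ./check-search-user.sh live <user> [plain|ssl]
if [ "${1:-}" = "live" ]; then
    user="${2:?usage: $0 live <search user> [plain|ssl]}"
    method="${3:-plain}"
    port=7389
    if [ "$method" = "ssl" ]; then port=7636; fi
    base="$(ucr get ldap/base)"
    uri="$(ldap_uri "$method" "$(hostname -f)" "$port")"
    dn="$(bind_dn "$user" "$base")"

    # 1. The search user can bind (simple bind; -W prompts for its password)
    #    and read the Administrator object.
    ldapsearch -x -H "$uri" -D "$dn" -W -b "$base" uid=Administrator dn

    # 2. The search user itself has no login-capable object classes.
    #    univention-ldapsearch binds with the host's machine account.
    ldif="$(univention-ldapsearch -LLL "uid=$user" objectClass)"
    if no_login_classes "$ldif"; then
        echo "OK: $dn cannot be used for service logins"
    else
        echo "WARNING: $dn carries login-capable object classes" >&2
        exit 1
    fi
fi
```

Run it as `./check-search-user.sh live <search user>` (or `... ssl` to test the 7636 path). The first check reproduces the ldapsearch test from above with an explicit URI, so a port/method mismatch shows up here instead of in the plugin's log; the second check catches the case where one of the other options was left ticked, which the bind test alone cannot detect.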