Difference between revisions of "Howto Ldap Auth"
Jump to navigation
Jump to search
| Line 54: | Line 54: | ||
| (userAccountControl:1.2.840.113556.1.4.803:=2) | | (userAccountControl:1.2.840.113556.1.4.803:=2) | ||
| Filters on not disabled account. Sometimes this needs to be preceded with a <code>!</code> to negate the filter. | | Filters on not disabled account. Sometimes this needs to be preceded with a <code>!</code> to negate the filter. | ||
| + | |- | ||
| + | | Account Suffix | ||
| + | | @PS1 | ||
| + | | When attempting to check password, the sAMAccountName needs the suffix appeneded to it. | ||
|- | |- | ||
| mail | | mail | ||
| mail | | mail | ||
| ldap field that stores the user's email address | | ldap field that stores the user's email address | ||
| + | | Minimum password length | ||
| + | | 1 | ||
| + | | AD lets users bind to ldap with 0 length passwords. It's fscked up, but accepted. | ||
|} | |} | ||
| Line 64: | Line 71: | ||
* You almost always want to get debug info for ldap when setting up. There are a lot of things that can go wrong. | * You almost always want to get debug info for ldap when setting up. There are a lot of things that can go wrong. | ||
* Start without the filter field, add it later. | * Start without the filter field, add it later. | ||
| + | * When a service checks a password, it usually attempts to bind to samba as that user. To bind successfully, it needs to bind as user@PS1 | ||
| + | * If you try and bind to ldap with a 0 length password, it "works", sort of. There is no error, but you can't access anything substantial. This is enough to fool services into thinking that the password was correct. | ||
Revision as of 00:54, 20 July 2014
External services that authenticate users often use Ldap for authentication.
Create a service account
Many, but not all, services require a user account and password to do authentication.
Use pwgen 64 to generate a password. Then create your user.
samba-tool user create ps1-sa-servicename
Common Settings
| Field | Value | Description | |||
|---|---|---|---|---|---|
| server | bob.ad.pumpingstationone.org | ||||
| port | 389 | ||||
| Security | TLS or set useTLS to True | TLS is a non-port changing encryption setting. Do not deploy with this setting off or disabled. | |||
| BindDN | CN=ps1-sa-serviceaccount,CN=Users,DC=ad,DC=pumpingstationone,DC=org | This is the username that the ldapclient is going to bind to ldap with | |||
| BindDN password | xienaiK0ohchaCao7pohv9auw2ohgaixieReeY7ahngoo1uingu9Shaokohfiej7 | The password for the service account you created earlier. | |||
| BaseDN | CN=Users,DC=ad,DC=pumpingstationone,DC=org | This is where the user list is filtered from. | |||
| uid or username | sAMAccountName | Our user's difinitive username is stored in the sAMAccountName Field on the ldap object. | |||
| filter | (userAccountControl:1.2.840.113556.1.4.803:=2) | Filters on not disabled account. Sometimes this needs to be preceded with a ! to negate the filter.
| |||
| Account Suffix | @PS1 | When attempting to check password, the sAMAccountName needs the suffix appeneded to it. | |||
| ldap field that stores the user's email address | Minimum password length | 1 | AD lets users bind to ldap with 0 length passwords. It's fscked up, but accepted. |
- Depending on how the filter is applied, you may need to put a
!in front to negate it. The current format filters on users that are not disabled. - You almost always want to get debug info for ldap when setting up. There are a lot of things that can go wrong.
- Start without the filter field, add it later.
- When a service checks a password, it usually attempts to bind to samba as that user. To bind successfully, it needs to bind as user@PS1
- If you try and bind to ldap with a 0 length password, it "works", sort of. There is no error, but you can't access anything substantial. This is enough to fool services into thinking that the password was correct.