Howto Ldap Auth
External services that authenticate users often use Ldap for authentication.
Create a service account
Many, but not all, services require a user account and password to do authentication.
Use pwgen 64 to generate a password. Then create your user.
samba-tool user create ps1-sa-servicename
Common Settings
| Field | Value | Description |
|---|---|---|
| server | bob.ad.pumpingstationone.org | |
| port | 389 | |
| Security | TLS or set useTLS to True | TLS is a non-port changing encryption setting. Do not deploy with this setting off or disabled. |
| BindDN | CN=ps1-sa-serviceaccount,CN=Users,DC=ad,DC=pumpingstationone,DC=org | This is the username that the ldapclient is going to bind to ldap with |
| BindDN password | xienaiK0ohchaCao7pohv9auw2ohgaixieReeY7ahngoo1uingu9Shaokohfiej7 | The password for the service account you created earlier. |
| BaseDN | CN=Users,DC=ad,DC=pumpingstationone,DC=org | This is where the user list is filtered from. |
| uid or username | sAMAccountName | Our user's difinitive username is stored in the sAMAccountName Field on the ldap object. |
| filter | (userAccountControl:1.2.840.113556.1.4.803:=2) | Filters on not disabled account. Sometimes this needs to be preceded with a ! to negate the filter.
|
| ldap field that stores the user's email address |
- Depending on how the filter is applied, you may need to put a
!in front to negate it. The current format filters on users that are not disabled. - You almost always want to get debug info for ldap when setting up. There are a lot of things that can go wrong.
- Start without the filter field, add it later.