Difference between revisions of "Howto Ldap Auth"
Line 47: | Line 47: | ||
| This is where the user list is filtered from. | | This is where the user list is filtered from. | ||
|- | |- | ||
− | | uid or username | + | | uid or username |
| sAMAccountName | | sAMAccountName | ||
| Our user's difinitive username is stored in the sAMAccountName Field on the ldap object. | | Our user's difinitive username is stored in the sAMAccountName Field on the ldap object. |
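Review bot: the unchanged description line directly below the edited `uid or username` cell still reads "difinitive"; correct it to "definitive" in this revision. As far as the visible lines show, the edited cell itself differs only in whitespace, so an edit summary saying so would help the next reader of the history.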
Revision as of 00:48, 20 July 2014
External services that authenticate users often use LDAP for authentication.
Create a service account
Many, but not all, services require a user account and password to do authentication.
Use `pwgen 64` to generate a password. Then create your user.
samba-tool user create ps1-sa-servicename
Common Settings
Field | Value | Description |
---|---|---|
server | bob.ad.pumpingstationone.org | |
port | 389 | |
Security | TLS or set useTLS to True | TLS is an encryption setting that does not change the port. Do not deploy with this setting off or disabled. |
BindDN | CN=ps1-sa-serviceaccount,CN=Users,DC=ad,DC=pumpingstationone,DC=org | This is the username that the LDAP client binds to LDAP with. |
BindDN password | xienaiK0ohchaCao7pohv9auw2ohgaixieReeY7ahngoo1uingu9Shaokohfiej7 | The password for the service account you created earlier. |
BaseDN | CN=Users,DC=ad,DC=pumpingstationone,DC=org | This is where the user list is filtered from. |
uid or username | sAMAccountName | Our user's definitive username is stored in the sAMAccountName field on the LDAP object. |
filter | (userAccountControl:1.2.840.113556.1.4.803:=2) | Filters on accounts that are not disabled. Sometimes this needs to be preceded with a ! to negate the filter. |
ldap field that stores the user's email address |
- Depending on how the filter is applied, you may need to put a `!` in front to negate it. The current format filters on users that are not disabled.
- You almost always want to get debug info for LDAP when setting up. There are a lot of things that can go wrong.
- Start without the filter field, add it later.
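
The negation note above is easy to get wrong, so here is an added example (not part of the original wiki page) that evaluates the table's filter against constructed accounts. Used as a plain LDAP search filter, the expression matches entries whose disabled bit is set, and the `!` form selects enabled accounts. The function names and sample users are assumptions made for illustration.

```python
# Added example: constructed directory entries, no LDAP server needed.
BIT_AND = "1.2.840.113556.1.4.803"   # AD bitwise-AND matching rule (from the page's filter)
ACCOUNTDISABLE = 0x2                 # userAccountControl flag tested by ":=2"

PAGE_FILTER = f"(userAccountControl:{BIT_AND}:=2)"   # filter as written in the table
ENABLED_ONLY = f"(!{PAGE_FILTER})"                   # the same filter, negated

def escape_filter_value(value: str) -> str:
    """Escape RFC 4515 special characters so a username cannot alter the filter."""
    out = []
    for ch in value:
        if ch in "\\*()\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)

def login_filter(username: str) -> str:
    """Search filter for one enabled user, keyed on sAMAccountName (hypothetical helper)."""
    return f"(&(sAMAccountName={escape_filter_value(username)}){ENABLED_ONLY})"

def bit_and_match(uac: int, mask: int) -> bool:
    """The bit-AND rule matches when every bit of mask is set in the attribute."""
    return uac & mask == mask

def select(entries, negate):
    """Names matched by PAGE_FILTER (negate=False) or ENABLED_ONLY (negate=True)."""
    return [name for name, uac in entries.items()
            if bit_and_match(uac, ACCOUNTDISABLE) != negate]

# Constructed sample accounts: sAMAccountName -> userAccountControl
SAMPLE = {
    "alice": 512,      # NORMAL_ACCOUNT
    "bob": 514,        # NORMAL_ACCOUNT | ACCOUNTDISABLE
    "carol": 66048,    # NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD
    "dave": 66050,     # same as carol, plus ACCOUNTDISABLE
}

if __name__ == "__main__":
    print("page filter matches:   ", select(SAMPLE, negate=False))
    print("negated filter matches:", select(SAMPLE, negate=True))
    print("login filter:          ", login_filter("j.doe (temp)"))
```

When testing a real service, log in once with a disabled test account to confirm which form the service expects.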