Howto Ldap Auth
External services that authenticate users often do so against LDAP. At PS1 that means binding to the Samba AD domain controller; the settings below are what such a service needs.
Create a service account
Many, but not all, services need an account and password of their own so they can search the directory for users before checking a password. Use pwgen 64 to generate a 64-character password for it, then create the user:
samba-tool user create ps1-sa-servicename
Common Settings
Field | Value | Description |
---|---|---|
server | bob.ad.pumpingstationone.org | |
port | 389 | The standard LDAP port; encryption is negotiated with StartTLS on this connection rather than on a separate port. |
Security | TLS or set useTLS to True | StartTLS upgrades the existing port 389 connection to TLS without changing the port. Without it the service account password and every user password cross the network in clear text. Do not deploy with this setting off or disabled. |
BindDN | CN=ps1-sa-servicename,CN=Users,DC=ad,DC=pumpingstationone,DC=org | The account the LDAP client binds as in order to search for users (the service account created above). |
BindDN password | xienaiK0ohchaCao7pohv9auw2ohgaixieReeY7ahngoo1uingu9Shaokohfiej7 | The password for the service account you created earlier. The value shown is a sample pwgen output, not a real credential. |
BaseDN | CN=Users,DC=ad,DC=pumpingstationone,DC=org | The subtree the user list is searched (and filtered) from. |
uid or username | sAMAccountName | A user's definitive username is stored in the sAMAccountName attribute of the LDAP object. |
filter | (userAccountControl:1.2.840.113556.1.4.803:=2) | A bitwise AND match on the ACCOUNTDISABLE flag (0x2) of userAccountControl. On its own this matches disabled accounts; to keep only accounts that are not disabled it must be negated with a leading !, i.e. (!(userAccountControl:1.2.840.113556.1.4.803:=2)). Check in the debug output which accounts the search actually returns. |
Account Suffix | @PS1 | When checking a password the service binds as the user, and the sAMAccountName needs this suffix appended to it. |
ldap field that stores the user's email address | | |
Minimum password length | 1 | AD accepts a bind with a zero-length password (it is treated as an anonymous bind, see below), so the service has to refuse empty passwords itself. |
- The filter as written matches disabled accounts: the matching rule 1.2.840.113556.1.4.803 tests that the asserted bits (here 0x2, ACCOUNTDISABLE) are set. To get only users that are not disabled, put a ! in front of it: (!(userAccountControl:1.2.840.113556.1.4.803:=2)). How the service splices the filter into its own search varies, so verify against the debug output that disabled accounts are excluded.
- You almost always want LDAP debug logging turned on while setting up. There are a lot of things that can go wrong.
- Start without the filter field, and add it once the service account bind and the user search work.
- When a service checks a password, it usually attempts to bind to samba as that user. To bind successfully, it needs to bind as user@PS1.
- Some services apply these settings differently, e.g. as a regex on the username or as a template string.
- If you bind to LDAP with a 0 length password, it "works", sort of. A bind with a name but an empty password is an unauthenticated bind, which the server answers with success but treats as anonymous: there is no error, but you can't access anything substantial. That is enough to fool a service into thinking the password was correct, so the service must reject empty passwords before it ever sends them to the server.
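The following is an added example, not code from this wiki page or from any particular service. It models the settings in the table above against constructed directory entries and a simulated domain controller, so it runs offline: the server name, base DN and account suffix come from the page, while the sample entries, their passwords and the stand-in bind function are made up for the example. It shows that the page's filter on its own selects the disabled account, that negating it selects the enabled ones, and why a service has to guard against empty passwords before trusting a bind result.

```python
# Added example, not code from the PS1 wiki or from any particular service.
# Server name, base DN and suffix are from the page; the entries, passwords
# and the simulated bind below are constructed for the example.

# userAccountControl bit for a disabled account (ADS_UF_ACCOUNTDISABLE).
ACCOUNTDISABLE = 0x0002
# LDAP_MATCHING_RULE_BIT_AND: "attr:rule:=N" matches when every bit of N is
# set in attr, so "userAccountControl:rule:=2" selects *disabled* accounts.
BIT_AND_RULE = "1.2.840.113556.1.4.803"

# Settings from the table (a real client would also StartTLS on port 389
# before sending any bind).
SERVER = "bob.ad.pumpingstationone.org"
BASE_DN = "CN=Users,DC=ad,DC=pumpingstationone,DC=org"
ACCOUNT_SUFFIX = "@PS1"
MIN_PASSWORD_LENGTH = 1

# Constructed entries standing in for a search under BASE_DN.
# 0x200 is NORMAL_ACCOUNT; 0x202 is NORMAL_ACCOUNT | ACCOUNTDISABLE.
ENTRIES = [
    {"sAMAccountName": "alice", "userAccountControl": 0x0200},
    {"sAMAccountName": "bob",   "userAccountControl": 0x0202},
    {"sAMAccountName": "carol", "userAccountControl": 0x0200},
]

# Constructed credentials for the simulated DC (an assumption of the example).
SIMULATED_PASSWORDS = {
    "alice@PS1": "correct horse battery staple",
    "bob@PS1": "hunter2",
    "carol@PS1": "s3cret",
}


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping so a username cannot change the filter's structure."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch
                   for ch in value)


def user_filter(username: str, require_enabled: bool = True) -> str:
    """Search filter a service sends to find one user by sAMAccountName.

    The page's filter on its own matches disabled accounts, so it is wrapped
    in (!...) to keep only enabled ones.
    """
    by_name = "(sAMAccountName=%s)" % escape_filter_value(username)
    if not require_enabled:
        return by_name
    not_disabled = "(!(userAccountControl:%s:=%d))" % (BIT_AND_RULE, ACCOUNTDISABLE)
    return "(&%s%s)" % (by_name, not_disabled)


def bit_and_matches(entry: dict, bits: int) -> bool:
    """Local evaluation of the 1.2.840.113556.1.4.803 matching rule."""
    return (entry.get("userAccountControl", 0) & bits) == bits


def accounts_matching_disabled_filter(entries, negate: bool = False):
    """Names the table's filter returns, with or without the leading !.

    negate=False -> (userAccountControl:rule:=2)    -> disabled accounts
    negate=True  -> (!(userAccountControl:rule:=2)) -> enabled accounts
    """
    return [e["sAMAccountName"] for e in entries
            if bit_and_matches(e, ACCOUNTDISABLE) != negate]


def simulated_ad_simple_bind(name: str, password: str) -> bool:
    """Stand-in for the DC's simple bind, reproducing the behaviour the page
    describes: a name with an empty password is an unauthenticated bind
    (RFC 4513 section 5.1.2), which succeeds but only as anonymous."""
    if password == "":
        return True
    return SIMULATED_PASSWORDS.get(name) == password


def authenticate(entries, bind, username: str, password: str) -> bool:
    """The checks a service must make before trusting a bind result."""
    # 1. Refuse empty passwords locally; the DC would accept them.
    if len(password) < MIN_PASSWORD_LENGTH:
        return False
    # 2. The user must exist under BASE_DN and not be disabled. A real
    #    service sends user_filter(username) here; we evaluate it locally.
    enabled = [e for e in entries
               if e["sAMAccountName"] == username
               and not bit_and_matches(e, ACCOUNTDISABLE)]
    if not enabled:
        return False
    # 3. Bind as the user with the account suffix appended.
    return bind(username + ACCOUNT_SUFFIX, password)


if __name__ == "__main__":
    print("filter matches disabled:", accounts_matching_disabled_filter(ENTRIES))
    print("negated filter matches:", accounts_matching_disabled_filter(ENTRIES, negate=True))
    print("search filter for alice:", user_filter("alice"))
    print("raw bind, empty password:", simulated_ad_simple_bind("alice@PS1", ""))
    print("service check, empty password:", authenticate(ENTRIES, simulated_ad_simple_bind, "alice", ""))
    print("service check, right password:", authenticate(ENTRIES, simulated_ad_simple_bind, "alice", "correct horse battery staple"))
    print("service check, disabled user:", authenticate(ENTRIES, simulated_ad_simple_bind, "bob", "hunter2"))
```

The raw simulated bind with an empty password returns success, exactly the trap the notes above describe; authenticate() never reaches the bind in that case because the length check runs first. escape_filter_value() is there because most services build the sAMAccountName lookup from the name the user typed, and an unescaped * or ) would change which entries the search returns.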