Howto Ldap Auth

From Pumping Station One

External services that need to authenticate PS1 members usually do it over LDAP against the Samba AD domain controller. The settings below are what almost all of them ask for.

Create a service account

Most services need an account of their own (a service account) to bind to LDAP and search for the user before they can check that user's password. A few can search anonymously and do not, but assume yours does.

Use pwgen to generate a 64-character password (the -s flag asks for a fully random one, the trailing 1 prints a single password). Then create the user; samba-tool prompts for the password if you do not pass it on the command line, which keeps it out of your shell history.

   pwgen -s 64 1
   samba-tool user create ps1-sa-servicename

Common Settings

Field                     Value
  Description

port                      389
  The standard LDAP port. Encryption is layered on top of it with StartTLS (see Security). If a service only supports LDAPS, use port 636 instead.

Security                  TLS (or set useTLS to True)
  StartTLS upgrades the plain port-389 connection to an encrypted one without changing the port. Do not deploy with this setting off or disabled: the service account password and every member password the service checks would otherwise cross the network in clear text.

BindDN                    CN=ps1-sa-serviceaccount,CN=Users,DC=ad,DC=pumpingstationone,DC=org
  The distinguished name of the service account the LDAP client binds as before it searches for users. Replace ps1-sa-serviceaccount with the account you created above.

BindDN password           xienaiK0ohchaCao7pohv9auw2ohgaixieReeY7ahngoo1uingu9Shaokohfiej7 (example value)
  The password for the service account you created earlier; use the one pwgen produced, not the example shown here.

BaseDN                    CN=Users,DC=ad,DC=pumpingstationone,DC=org
  The subtree that user searches start from. Accounts created with samba-tool live under CN=Users.

uid or username           sAMAccountName
  A member's definitive username is stored in the sAMAccountName attribute of the LDAP object. Map the service's "uid", "username" or "login attribute" setting to it.

filter                    (userAccountControl:1.2.840.113556.1.4.803:=2)
  A bitwise-AND match on userAccountControl against the ACCOUNTDISABLE bit (2). As written it matches accounts that are disabled, so to select only enabled accounts the service needs the negated form (!(userAccountControl:1.2.840.113556.1.4.803:=2)). Whether you pass the negated or the plain form depends on whether the service treats the filter as an inclusion or an exclusion rule.

Account Suffix            @PS1
  When the service checks a password it binds as the member, and the sAMAccountName needs this suffix appended to it (user@PS1).

mail                      mail
  The LDAP attribute that stores the member's email address.

Minimum password length   1
  AD and Samba accept a bind with a username and a zero-length password as an LDAP "unauthenticated bind" (RFC 4513, section 5.1.2): the server answers with success but the resulting session is anonymous. A service that takes that success as proof of the password will let anyone in with an empty password, so set the minimum length to at least 1 so the empty password is rejected before the bind is attempted. It is broken behaviour, but it is the standard.

  • Depending on how the service applies the filter, you may need to put a ! in front of it (as (!(userAccountControl:1.2.840.113556.1.4.803:=2))) to negate it. The plain filter matches disabled accounts; the negated one matches accounts that are not disabled, which is what an inclusion filter should select.
  • You almost always want to turn on LDAP debug logging in the service while setting it up. There are a lot of things that can go wrong, and most of them show up as an unhelpful "invalid credentials" without it.
  • Start without the filter field and confirm that searching and binding work, then add the filter.
  • When a service checks a password, it usually attempts to bind to Samba as that user. To bind successfully it needs to bind as user@PS1, not as the bare sAMAccountName.
    • Some services apply this setting differently, e.g. as a regex rewrite of the username or as a template string into which the username is substituted.
  • If you try to bind to LDAP with a zero-length password, it "works", sort of. There is no error, but the session is anonymous and you cannot read anything substantial. That is enough to fool a service into thinking the password was correct, which is why the minimum password length above must never be 0.
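The settings table and the notes above, reduced to the checks a service has to get right on its side: building the enabled-account filter with the member's username safely escaped, forming the user@PS1 bind identity, and refusing an empty password before it ever reaches the server. This is an added example written for this page, not code from the PS1 wiki or from Samba. The directory contents, the member alice and the fake_ad_simple_bind stand-in are constructed so that it runs offline; in a real service the bind callable would be a StartTLS-protected simple bind against the domain controller (for instance through the ldap3 library) and the rest stays the same.

```python
"""Client-side checks for authenticating PS1 members over LDAP (added example)."""
from typing import Callable

BASE_DN = "CN=Users,DC=ad,DC=pumpingstationone,DC=org"
ACCOUNT_SUFFIX = "@PS1"
# LDAP_MATCHING_RULE_BIT_AND (1.2.840.113556.1.4.803) on the ACCOUNTDISABLE bit (2).
# On its own this term matches accounts that ARE disabled.
DISABLED_FILTER = "(userAccountControl:1.2.840.113556.1.4.803:=2)"

# Constructed stand-in for the directory; no real server is contacted.
FAKE_DIRECTORY = {"alice@PS1": "correct horse battery staple"}


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping so a username cannot change the structure of the filter."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value)


def enabled_user_filter(username: str) -> str:
    """Inclusion filter: this sAMAccountName AND the account is not disabled."""
    return f"(&(sAMAccountName={escape_filter_value(username)})(!{DISABLED_FILTER}))"


def bind_identity(username: str) -> str:
    """The name Samba AD expects in the password-check bind: sAMAccountName plus suffix."""
    return username + ACCOUNT_SUFFIX


def fake_ad_simple_bind(identity: str, password: str) -> bool:
    """Imitates an AD/Samba simple bind (constructed, not a real server).

    An empty password is an RFC 4513 'unauthenticated bind': the server reports
    success even though the session is only anonymous. That is the trap the
    wiki notes describe, and this stand-in reproduces it deliberately.
    """
    if password == "":
        return True
    return FAKE_DIRECTORY.get(identity) == password


def naive_authenticate(username: str, password: str,
                       simple_bind: Callable[[str, str], bool] = fake_ad_simple_bind) -> bool:
    """The mistake: treat any successful bind as a verified password."""
    return simple_bind(bind_identity(username), password)


def authenticate(username: str, password: str,
                 simple_bind: Callable[[str, str], bool] = fake_ad_simple_bind,
                 min_password_length: int = 1) -> bool:
    """The fix: enforce the minimum length locally so an empty password never
    reaches the server, then bind as user@PS1 with the supplied password."""
    if not username or len(password) < min_password_length:
        return False
    return simple_bind(bind_identity(username), password)


if __name__ == "__main__":
    print("search filter:", enabled_user_filter("alice"))
    print("bind as:      ", bind_identity("alice"))
    print("naive, empty password:", naive_authenticate("alice", ""))   # True: fooled
    print("fixed, empty password:", authenticate("alice", ""))         # False
    print("fixed, right password:", authenticate("alice", "correct horse battery staple"))
```

The filter string the block produces is the negated form from the table; a service that wants an exclusion rule instead gets the plain DISABLED_FILTER constant. The escaping step matters as soon as the username comes from a login form, since characters such as * and ) would otherwise widen or break the search.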