Author Topic: Struggling with LDAP authentication  (Read 4226 times)

stetho

Struggling with LDAP authentication
« on: July 03, 2019, 08:53:54 am »
Hi all,

I've spent way too much time trying to understand what I'm doing wrong. I have searched these forums and Google in general, tried all the suggestions and still can't figure out which bit is incorrect. I'm using an up-to-date "Zentyal Development Server 6.0".

Just to clarify it's not anything "obvious", I can:

○ → ssh steve@zentyal.23wwc.io
steve@zentyal.23wwc.io's password:
Welcome to Ubuntu 18.04.2 LTS (GNU/Linux 4.15.0-54-generic x86_64)


And I can even

○ → kinit steve@23WWC.IO
steve@23WWC.IO's password:

○ → klist
Credentials cache: API:2A75BED1-1C30-4585-991E-6681BEC9CB99
        Principal: steve@23WWC.IO

  Issued                Expires               Principal
Jul  3 07:30:46 2019  Jul  3 17:30:43 2019  krbtgt/23WWC.IO@23WWC.IO


But no matter what I try, doing anything with LDAP fails

○ → ldapsearch -h zentyal.23wwc.io  -b dc=23wwc,dc=io -D CN=steve,CN=Users,DC=23wwc,DC=io -W
Enter LDAP Password:
ldap_bind: Invalid credentials (49)
   additional info: 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1


And the Zentyal Samba logs show

Auth: [LDAP,simple bind/TLS] user [(null)]\[CN=steve,CN=Users,DC=23wwc,DC=io] at [Wed, 03 Jul 2019 07:35:10.123764 BST] with [Plaintext] status [NT_STATUS_NO_SUCH_USER] workstation [(null)] remote host [ipv4:192.168.3.50:63405] mapped to [(null)]\[(null)]. local host [ipv4:192.168.2.1:389]



My main path of testing has been that the DN CN=steve,CN=Users,DC=23wwc,DC=io is wrong, so I've tried 23WWC/Steve and uid= and samAccountName= and other variations but I get the same result. I did notice in my searching that in screenshots for 5.0 the LDAP page used to display the bind user and bind password. In 6.0 it only shows the base DN. This also made me wonder if there's another step I have to do to "activate" LDAP.

Can anyone point out what I'm missing or doing wrong?

Thanks

Steve

doncamilo

Re: Struggling with LDAP authentication
« Reply #1 on: July 04, 2019, 12:38:57 pm »
Hi stetho!  :)

Samba4 uses its own LDAP "almost compliant" implementation that is called "LDB". So you should use the ldbsearch command instead of ldapsearch. Read this: https://wiki.samba.org/index.php/LDB

Could this be the problem?

Best regards,


- Do my pigeons bother you passing over your land?
- They block the sun!

G. Guareschi., Don Camillo.,

stetho

Re: Struggling with LDAP authentication
« Reply #2 on: July 06, 2019, 12:50:32 am »
I read your response and I thought "That's a bit silly - it means Zentyal has LDAP in the interface but you can't query the LDAP using standard LDAP tools". But I did a bit of Googling and figured out how ldbsearch works and I found this

CN=Administrator Administrator,CN=Users,DC=23wwc,DC=io


The admin account's DN is 'Administrator Administrator'. And now, using that account, I can do queries. I would never have guessed that so thank you for pointing me in the right direction.

Steve

davidb

Re: Struggling with LDAP authentication
« Reply #3 on: September 14, 2019, 01:10:17 pm »
Just to save myself from future hairpulling and to help others...

In Zentyal 6:

The DN for an account is CN=[concatenation of first and last name],CN=Users,DC=domainname,DC=tld

(zentyal ldap)
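
Added example (not part of any post in this thread, and not Zentyal or Samba code): in the first post the client receives sub-code 52e while the Samba log records NT_STATUS_NO_SUCH_USER for the same bind. This Python code parses both lines, copied from that post, and reports the server-side cause; the function names and the sub-code table are additions made here.

```python
import re

# Hex sub-codes AD-compatible servers place in the "data" field of an
# LDAP result 49 diagnostic message (well-known Win32 logon errors).
AD_BIND_SUBCODES = {
    "525": "user not found", "52e": "invalid credentials",
    "530": "logon not permitted at this time",
    "531": "logon not permitted from this workstation",
    "532": "password expired", "533": "account disabled",
    "701": "account expired", "773": "user must reset password",
    "775": "account locked out",
}
CLIENT_RE = re.compile(r"AcceptSecurityContext error, data ([0-9a-fA-F]+)")
SAMBA_RE = re.compile(
    r"Auth: \[(?P<service>[^,\]]+),(?P<auth>[^\]]+)\] "
    r"user \[(?P<domain>[^\]]*)\]\\\[(?P<account>[^\]]*)\] at \[[^\]]*\] "
    r"with \[(?P<pwtype>[^\]]*)\] status \[(?P<status>[^\]]*)\] "
    r"workstation \[[^\]]*\] remote host \[(?P<remote>[^\]]*)\]"
)

# Both samples are copied from the first post in this thread.
CLIENT_ERR = ("ldap_bind: Invalid credentials (49)\n additional info: 80090308: "
              "LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, "
              "data 52e, v1db1")
SAMBA_LINE = (r"Auth: [LDAP,simple bind/TLS] user [(null)]\[CN=steve,CN=Users,"
              r"DC=23wwc,DC=io] at [Wed, 03 Jul 2019 07:35:10.123764 BST] with "
              r"[Plaintext] status [NT_STATUS_NO_SUCH_USER] workstation [(null)] "
              r"remote host [ipv4:192.168.3.50:63405] mapped to [(null)]\[(null)]. "
              r"local host [ipv4:192.168.2.1:389]")

def client_subcode(text):
    """Return (code, meaning) from the client-side diagnostic, or None."""
    m = CLIENT_RE.search(text)
    if not m:
        return None
    code = m.group(1).lower()
    return code, AD_BIND_SUBCODES.get(code, "unknown sub-code")

def diagnose(client_text, samba_line):
    """Prefer the server's NT status: the client reply can be less specific."""
    server = SAMBA_RE.search(samba_line)
    if server is None:
        return {"cause": "server log line not parsed"}
    info = server.groupdict()
    info["client"] = client_subcode(client_text)
    causes = {"NT_STATUS_NO_SUCH_USER": "bind identity did not match any account",
              "NT_STATUS_WRONG_PASSWORD": "account found, password rejected"}
    info["cause"] = causes.get(info["status"], info["status"])
    return info
```

Calling `diagnose(CLIENT_ERR, SAMBA_LINE)` reports that the bind DN matched no account, which fits the resolution reached in the replies: the CN is built from the first and last name, not the login name.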