Ldap/ldaps - Remote Bind - Applications #darkcoffe

v7
openldap

(Zwordi) #1

NethServer Version: 7.4
Module: nethserver-directory

Hello Everyone,

I’m kind of stuck with a remote bind using a service account in order to connect a range of web applications that I don’t want to host on NethServer, also from a green network.

I can see my packets using tcpdump, and I used slapd.log, but I am still unable to connect under SSL or STARTTLS from an application outside NethServer.

Here is my example:

I want to connect RackTables to the LDAP, so here is my configuration:

# Default setting is to authenticate users locally, but it is possible to
# employ existing LDAP or Apache user accounts. Check RackTables wiki for
# more information, in particular, this page for LDAP configuration details:
# http://wiki.racktables.org/index.php?title=LDAP

$LDAP_options = array
(
	'server' => 'ldap://192.168.1.1',
//	'port' => '389',
//	'domain' => 'directory.nh',
	'search_attr' => 'uid',
	'search_dn' => 'dc=directory,dc=nh',
	// The following credentials will be used when searching for the user's DN:
	// u=People,dc=directory,dc=nh
	'search_bind_rdn' => 'cn=ldapservice,dc=directory,dc=nh',
	'search_bind_password' => '*******************',
	'displayname_attrs' => 'cn',
	'options' => array (LDAP_OPT_PROTOCOL_VERSION => 3,LDAP_OPT_DEBUG_LEVEL => 7),
	// 0 == don't attempt, 1 == attempt, 2 == require
	// With 1, RackTables calls ldap_start_tls() but still binds over the plain
	// connection if STARTTLS fails; only 2 aborts instead of sending the bind
	// password in the clear.
	'use_tls' => 1 ,
);

I dug through my logs without finding any leads.
Then I got stuck, so I tried to troubleshoot this by setting up Nextcloud for its GUI config.
I’m also stuck with Nextcloud, as even if I make an anonymous bind using ldap/ldaps I can’t log in with my users.
I generated a valid Let’s Encrypt certificate in order to avoid TLS errors on Linux.

I feel a bit lost, as it’s not my first LDAP server (I tried Zentyal without issues with these settings months ago).

Could someone guide me onto the right path, as my main focus is to centralize lots of remote applications on the NethServer LDAP provider?

I hope I’m clear enough in my description.

Regards,
Zwordi


(Markus Neuberger) #2

Hi @Zwordi,

I think if you want to connect to LDAP you need port 389 and to activate TLS, and maybe you need an LDAP search filter. You may also try to connect with a user instead of ldapservice. Did you compare your bind password with the result of “account-provider-test dump”?

[root@testserver ~]# account-provider-test dump
{
   "BindDN" : "cn=ldapservice,dc=directory,dc=nh",
   "LdapURI" : "ldap://127.0.0.1",
   "StartTls" : "",
   "port" : 389,
   "host" : "127.0.0.1",
   "isAD" : "",
   "isLdap" : "1",
   "UserDN" : "ou=People,dc=directory,dc=nh",
   "GroupDN" : "ou=Groups,dc=directory,dc=nh",
   "BindPassword" : "***********************",
   "BaseDN" : "dc=directory,dc=nh",
   "LdapUriDn" : "ldap:///dc%3Ddomain%2Cdc%3Dlocal"
}

Here are some config examples of my remote ldap server:

My Sogo.conf:

/* 45 ldap authentication */
    SOGoUserSources =(
     {
        id = groups;
        type = ldap;
        CNFieldName = cn;
        UIDFieldName = cn;
        IDFieldName = cn;
        baseDN = "ou=Groups,dc=directory,dc=nh";
        bindDN = "cn=ldapservice,dc=directory,dc=nh";
        bindPassword = "***********************";
        scope = ONE;
        canAuthenticate = YES;
        MailFieldNames = ("mail");
        displayName = "nethvm2 groups";
        hostname = ldap://192.168.1.187:389;
        isAddressBook = NO;
     },
     {
        id = users;
        type = ldap;
        CNFieldName = cn;
        UIDFieldName = uid;
        IDFieldName = mail;
        bindFields = (
                mail,
                uid
            );
        IMAPLoginFieldName = mail;
        baseDN = "ou=People,dc=directory,dc=nh";
        bindDN = "cn=ldapservice,dc=directory,dc=nh";
        bindPassword = "**********************";
        scope = ONE;
        MailFieldNames = ("mail");
        canAuthenticate = YES;
        displayName = "nethvm2 users";
        hostname = ldap://192.168.1.187:389;
        isAddressBook = YES;
     }
    );

My roundcube config as example (/etc/roundcubemail/config.php):

$config['ldap_public']['public'] = array(
    'name'                   => 'Public LDAP Addressbook',
    'hosts'                  => array('ldap://192.168.1.187:389'),
    'port'                   => 389,
    'use_tls'                => true,
    'user_specific'          => false,
    'base_dn'                => 'ou=People,dc=directory,dc=nh',
    'bind_dn'                => 'cn=ldapservice,dc=directory,dc=nh',
    'bind_pass'              => '******************',
    'scope'                  => 'sub',
    'referrals'              => 0,
    'filter'                 => '(objectClass=inetOrgPerson)',
    'search_fields'          => array('mail','cn'),
    'fuzzy_search'           => true,
    'groups'                 => array(
        'base_dn'            => '',
        'filter'             => '(objectClass=posixGroup)',
        'object_classes'     => array("top", "posixGroup"),
        'member_attr'        => 'uid',
    ),
    'fieldmap'               => array(
        'name'               => 'cn',
        'surname'            => 'sn',
        'firstname'          => 'givenName',
        'jobtitle'           => 'title',
        'email'              => 'mail:*',
        'locality'           => 'l',
        'organization'       => 'o',
        'department'         => 'ou',
        'phone'              => 'telephoneNumber',
        'street'             => 'street',
    ),
);

Don’t know anything about RackTables, but they have some docs about LDAP:

https://wiki.racktables.org/index.php/LDAP

My Nextcloud LDAP config:
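
As an added example (not from this thread, NethServer or any of the apps above), a stdlib-only Python probe that does on the wire what the PHP applications do with 'use_tls' => 1: connect to port 389, request StartTLS, verify the server certificate, then simple-bind with the service account, so the failing step (TCP, StartTLS, certificate trust, credentials) can be told apart. The host name, bind DN and password passed to probe() are placeholders; take the real values from the `account-provider-test dump` output.

```python
import socket, ssl
STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"   # RFC 4511 StartTLS extended operation

def ber(tag, body):
    """Encode one BER TLV; long-form length when body is 128 bytes or more."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    ln = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(ln)]) + ln + body

def ber_read(buf, pos=0):
    """Decode the TLV at pos -> (tag, value, next_pos), handling long-form lengths."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        k = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + ln], pos + ln

def starttls_request(msgid):
    """LDAPMessage { messageID, ExtendedRequest [APPLICATION 23] { requestName [0] } }; msgid < 128."""
    return ber(0x30, ber(0x02, bytes([msgid])) + ber(0x77, ber(0x80, STARTTLS_OID)))

def bind_request(msgid, dn, password):
    """LDAPMessage { messageID, BindRequest [APPLICATION 0] { version 3, name, simple [0] } }."""
    op = ber(0x02, b"\x03") + ber(0x04, dn.encode()) + ber(0x80, password.encode())
    return ber(0x30, ber(0x02, bytes([msgid])) + ber(0x60, op))

def result_code(msg):
    """resultCode of an ExtendedResponse/BindResponse: 0 success, 49 invalidCredentials."""
    _, inner, _ = ber_read(msg)                 # outer LDAPMessage SEQUENCE
    _, _, pos = ber_read(inner)                 # skip messageID
    _, op, _ = ber_read(inner, pos)             # the response protocolOp
    tag, code, _ = ber_read(op)                 # first field of LDAPResult
    assert tag == 0x0A, "expected ENUMERATED resultCode"
    return int.from_bytes(code, "big")

def probe(host, bind_dn, password, port=389):
    """Return {'starttls': rc, 'bind': rc}; an untrusted certificate raises ssl.SSLError."""
    out = {}
    with socket.create_connection((host, port), timeout=5) as raw:
        raw.sendall(starttls_request(1))
        out["starttls"] = result_code(raw.recv(4096))
        if out["starttls"] != 0:
            return out                          # server refused StartTLS; nothing more to learn
        ctx = ssl.create_default_context()      # verifies chain and hostname, like libldap by default
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(bind_request(2, bind_dn, password))
            out["bind"] = result_code(tls.recv(4096))
    return out
```

Run it as `probe("ldap.example.invalid", "cn=ldapservice,dc=directory,dc=nh", "CHANGE_ME")` from the machine hosting the web application, using the DNS name the Let’s Encrypt certificate was issued for: an IP address in place of the name fails hostname verification here just as it does in libldap’s default configuration, and a bind result of 49 means the server was reached over TLS but rejected the BindDN/BindPassword pair.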


(Zwordi) #3

Hello @mrmarkuz,

I was able to connect another application, Kanboard, to the LDAP yesterday afternoon.
I’m aware of the RackTables documentation (which is a good tool for managing networks/servers etc.).

I’m gonna try again this morning based on your screenshot.

I will let you know, thanks for your time.
#teanotcoffe


(Zwordi) #4

So it seems that a good night was all I was looking for.
I succeeded in connecting my RackTables and Kanboard to NethServer, but I still have an issue with Nextcloud
(I succeeded once, then I reset it, put in the same settings, and got «can’t connect LDAP Server»).

Thanks @mrmarkuz for your time.
I will mark this as solved as soon as I fix it.

Regards,
Zwordi


(Davide Principi) #5

A post was split to a new topic: Password Management based on PWM