LDAP + Subsonic

Hello,

I'm trying to configure Subsonic to use the LDAP server installed with my NethServer, but I'm having some trouble with the configuration.

As you can see in the picture:

I have to fill in 3 parameters:

LDAP URL: The URL of the LDAP server. The protocol must be either ldap:// or ldaps:// (for LDAP over SSL). See here for a more detailed description.
LDAP search filter: The filter expression used in the user search. This is an LDAP search filter (as defined in RFC 2254). The pattern "{0}" is replaced by the username, for instance: (uid={0}) - this would search for a username match on the uid attribute. (sAMAccountName={0}) - typically used for authentication in Microsoft Active Directory.
LDAP manager DN: If the LDAP server doesn't support anonymous binding you must specify the DN (Distinguished Name) and password of the LDAP user to use when binding.

I created a group named subsonic and want only the members of that group to be able to access this app.

After a lot of tries I figured out that if I run this command:

ldapsearch -D cn=libuser,dc=directory,dc=nh -W -H ldap://server-ip

I get this result:

extended LDIF
LDAPv3
base <> (default) with scope subtree
filter: (objectclass=*)
requesting: ALL
search result
search: 2
result: 32 No such object

but if I run the command like this:

ldapsearch -D cn=libuser,dc=directory,dc=nh -W -H ldap://127.0.0.1

I can list all the information of the users and groups.

Subsonic is not on the same server as the LDAP, so I don't know if I have to modify the OpenLDAP ACLs, and I don't know how to do it.

Can someone help me?

Thanks
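The search-filter parameter described above substitutes the username into the "{0}" placeholder, so the value must be escaped per RFC 4515 before it is inserted, or characters such as "*", "(" and ")" in a login name become filter syntax. The following helper is an added example, not code from the thread or from Subsonic; the template strings come from the Subsonic description quoted above, and the group-restriction variant assumes the directory exposes membership as a memberOf attribute (OpenLDAP's memberof overlay), which the thread does not confirm for NethServer.

```python
# RFC 4515 escaping for values substituted into an LDAP search filter.
# Added example; Subsonic's own substitution code is not shown in the thread.
_SPECIAL = {'\\': r'\5c', '*': r'\2a', '(': r'\28', ')': r'\29', '\x00': r'\00'}


def escape_filter_value(value: str) -> str:
    """Escape a value so it is matched literally instead of being parsed as filter syntax."""
    return ''.join(_SPECIAL.get(ch, ch) for ch in value)


def build_filter(template: str, username: str) -> str:
    """Fill a Subsonic-style template such as '(uid={0})' with an escaped username."""
    return template.replace('{0}', escape_filter_value(username))


def build_group_filter(username: str, group_dn: str) -> str:
    """Username match restricted to members of one group.

    Assumption: group membership is visible as a memberOf attribute on the user
    entry (memberof overlay). With plain posixGroup/memberUid the check would
    have to be done against the group entry instead.
    """
    return '(&(uid=%s)(memberOf=%s))' % (escape_filter_value(username),
                                         escape_filter_value(group_dn))


if __name__ == "__main__":
    # Constructed inputs: a normal login and one containing filter metacharacters.
    print(build_filter('(uid={0})', 'bob'))
    print(build_filter('(uid={0})', 'b*b)(uid=*'))
    print(build_group_filter('bob', 'cn=subsonic,ou=Groups,dc=directory,dc=nh'))
```

With escaping in place the second call yields a filter that searches for the literal string rather than widening the match; the group DN is passed through the same escaping so a DN containing parentheses cannot break the filter either.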

Go to Network Services and append Ldap to Green. Then you could connect.

As you can see in the picture, I already have slapd and slapds opened for the green network.

I can telnet to those ports. I think the problem I have is that I cannot search inside the LDAP tree.

I don't want to mess with all the LDAP configuration manually, because I don't know if doing that will damage the NethServer configuration.

Use LDAP Admin from Windows or Apache Directory Studio and try to connect! Libuser credentials: /usr/share/nethserver/secret

I'll try what you say and post the results here. Thanks

While I'm downloading Apache Directory Studio, I'll leave you the result of listing the OpenLDAP ACLs. I guess that peername.ip="127.0.0.1" means that connections are only allowed from that IP:

ldapsearch -LLL -Y EXTERNAL -b cn=config -s one 'objectClass=olcDatabaseConfig' olcAccess 2>/dev/null | perl -MMIME::Base64 -MEncode=decode -n -00 -e 's/\n +//g;s/(?<=:: )(\S+)/decode("UTF-8",decode_base64($1))/eg;print'
dn: olcDatabase={-1}frontend,cn=config

dn: olcDatabase={0}config,cn=config
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage by * none

dn: olcDatabase={1}monitor,cn=config
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=manager,dc=my-domain,dc=com" read by * none

dn: olcDatabase={2}bdb,cn=config
olcAccess: {0}to attrs=sambaNTPassword by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage by dn.exact="cn=samba,dc=directory,dc=nh" peername.ip="127.0.0.1" write by self write by * none
olcAccess:: {1}to attrs=userPassword by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage by dn.exact="cn=pam,dc=directory,dc=nh" peername.path="/var/run/ldapi" write by dn.exact="cn=libuser,dc=directory,dc=nh" peername.ip="127.0.0.1" write by anonymous auth by self write by * none
olcAccess:: {2}to * by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage by anonymous read by dn.exact="cn=owncloud,dc=directory,dc=nh" peername.ip="127.0.0.1" read by dn.exact="cn=ejabberd,dc=directory,dc=nh" peername.ip="127.0.0.1" read by dn.exact="cn=samba,dc=directory,dc=nh" peername.ip="127.0.0.1" write by dn.exact="cn=pam,dc=directory,dc=nh" peername.path="/var/run/ldapi" write by dn.exact="cn=libuser,dc=directory,dc=nh" peername.ip="127.0.0.1" write by users ssf=71 read by * none

dn: olcDatabase={3}relay,cn=config
olcAccess: {0}to attrs=sambaNTPassword by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage by dn.exact="cn=samba,dc=directory,dc=nh" peername.ip="127.0.0.1" write by self write by * none
olcAccess:: {1}to attrs=userPassword by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage by dn.exact="cn=pam,dc=directory,dc=nh" peername.path="/var/run/ldapi" write by dn.exact="cn=libuser,dc=directory,dc=nh" peername.ip="127.0.0.1" write by anonymous auth by self write by * none
olcAccess:: {2}to * by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage by anonymous read by dn.exact="cn=owncloud,dc=directory,dc=nh" peername.ip="127.0.0.1" read by dn.exact="cn=ejabberd,dc=directory,dc=nh" peername.ip="127.0.0.1" read by dn.exact="cn=samba,dc=directory,dc=nh" peername.ip="127.0.0.1" write by dn.exact="cn=pam,dc=directory,dc=nh" peername.path="/var/run/ldapi" write by dn.exact="cn=libuser,dc=directory,dc=nh" peername.ip="127.0.0.1" write by users ssf=71 read by * none
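The olcAccess listing above is easier to reason about once you apply slapd's evaluation order: the first "to" directive whose target matches the entry/attribute is selected, and within it the first "by" clause whose selectors all hold (a clause such as dn.exact=... peername.ip=... needs both) fixes the access level; nothing later is consulted (the default "stop" control). The script below is an added example, not code from the thread or from NethServer, that models exactly that for the three rules of olcDatabase={2}bdb as listed (copied with straight quotes). The Requester values, the user entry uid=bob and the LAN address 192.0.2.10 are constructed, and ssf=256 stands in for a TLS session (the real SSF depends on the negotiated cipher). The model deliberately raises on any selector or control it does not understand rather than guessing, and it ignores DN normalisation.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# The three olcAccess values of olcDatabase={2}bdb as listed in the thread,
# with straight quotes (the ':: ' base64 LDIF form was already decoded there).
OLC_ACCESS = [
    '{0}to attrs=sambaNTPassword by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage by dn.exact="cn=samba,dc=directory,dc=nh" peername.ip="127.0.0.1" write by self write by * none',
    '{1}to attrs=userPassword by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage by dn.exact="cn=pam,dc=directory,dc=nh" peername.path="/var/run/ldapi" write by dn.exact="cn=libuser,dc=directory,dc=nh" peername.ip="127.0.0.1" write by anonymous auth by self write by * none',
    '{2}to * by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage by anonymous read by dn.exact="cn=owncloud,dc=directory,dc=nh" peername.ip="127.0.0.1" read by dn.exact="cn=ejabberd,dc=directory,dc=nh" peername.ip="127.0.0.1" read by dn.exact="cn=samba,dc=directory,dc=nh" peername.ip="127.0.0.1" write by dn.exact="cn=pam,dc=directory,dc=nh" peername.path="/var/run/ldapi" write by dn.exact="cn=libuser,dc=directory,dc=nh" peername.ip="127.0.0.1" write by users ssf=71 read by * none',
]


@dataclass
class Requester:
    dn: Optional[str]        # bind DN; None means an anonymous bind
    peer_ip: str = ""        # client address as slapd sees it (peername.ip)
    peer_path: str = ""      # unix socket path for ldapi:// (peername.path)
    ssf: int = 0             # security strength factor; 0 on plain ldap://


def _unquote(selector: str) -> str:
    """Value part of 'name="value"' or 'name=value'."""
    return selector.split("=", 1)[1].strip('"')


def parse_rule(value: str) -> Tuple[str, List[Tuple[List[str], str]]]:
    """Split '{n}to <what> by <who> <access> by ...' into (what, [(selectors, access), ...])."""
    m = re.match(r'^\{\d+\}to\s+(.+?)\s+by\s+(.+)$', value)
    if not m:
        raise ValueError("unsupported olcAccess syntax: " + value)
    clauses = []
    for part in re.split(r'\s+by\s+', m.group(2)):
        tokens = part.split()
        if tokens[-1] in ("stop", "continue", "break"):
            raise ValueError("only the default 'stop' control is modelled")
        clauses.append((tokens[:-1], tokens[-1]))  # the last token is the access level
    return m.group(1), clauses


def what_matches(what: str, attr: str) -> bool:
    """Only the two <what> forms present in the listing: '*' and 'attrs=a,b'."""
    if what == "*":
        return True
    if what.startswith("attrs="):
        return attr in what[len("attrs="):].split(",")
    raise ValueError("unsupported <what> selector: " + what)


def who_matches(selectors: List[str], req: Requester, target_dn: str) -> bool:
    """Every selector of one 'by' clause must hold (slapd ANDs them)."""
    for sel in selectors:
        if sel == "*":
            ok = True
        elif sel == "anonymous":
            ok = req.dn is None
        elif sel == "users":
            ok = req.dn is not None
        elif sel == "self":
            ok = req.dn is not None and req.dn.lower() == target_dn.lower()
        elif sel.startswith(("dn.exact=", "dn.base=")):
            ok = req.dn is not None and req.dn.lower() == _unquote(sel).lower()
        elif sel.startswith("peername.ip="):
            ok = req.peer_ip == _unquote(sel)
        elif sel.startswith("peername.path="):
            ok = req.peer_path == _unquote(sel)
        elif sel.startswith("ssf="):
            ok = req.ssf >= int(_unquote(sel))
        else:
            raise ValueError("unsupported <who> selector: " + sel)
        if not ok:
            return False
    return True


def access_for(req: Requester, target_dn: str, attr: str, rules=OLC_ACCESS) -> str:
    """First matching 'to' directive wins; inside it the first matching 'by' clause wins."""
    for value in rules:
        what, clauses = parse_rule(value)
        if not what_matches(what, attr):
            continue
        for selectors, level in clauses:
            if who_matches(selectors, req, target_dn):
                return level
        return "none"  # directive matched but no clause did: implicit 'by * none'
    return "none"      # no directive applied at all; treated as denied here


if __name__ == "__main__":
    bob = "uid=bob,ou=People,dc=directory,dc=nh"   # constructed user entry
    libuser = "cn=libuser,dc=directory,dc=nh"
    cases = [("libuser from loopback", Requester(libuser, peer_ip="127.0.0.1")),
             ("libuser from LAN, ldap://", Requester(libuser, peer_ip="192.0.2.10")),
             ("libuser from LAN, ldaps://", Requester(libuser, peer_ip="192.0.2.10", ssf=256)),
             ("anonymous from LAN", Requester(None, peer_ip="192.0.2.10")),
             ("bob on his own entry, LAN", Requester(bob, peer_ip="192.0.2.10"))]
    for label, req in cases:
        print("%-28s uid=%-5s userPassword=%s" % (
            label, access_for(req, bob, "uid"), access_for(req, bob, "userPassword")))
```

Under this model cn=libuser gets write on ordinary attributes only while its peer address is 127.0.0.1; the same bind from another host over plain ldap:// falls through every clause to "by * none", and an entry the requester has no access to is reported as if it did not exist, which is what a "No such object" on the search base looks like from the client. The same bind over ldaps:// (or StartTLS) satisfies "by users ssf=71 read" instead. A user bound as himself can write his own userPassword but gets nothing on his other attributes from a LAN address, which is the gap the thread's final post describes closing with an extra rule for each account's own entry.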

After some tests, this is the only thing that I can see with Apache Directory Studio.

Here you are :slight_smile: All is very simple!


@vejitaku did you resolve it?

Yes,

We created a service account and gave it permission to access from our LAN, then we modified the access rules to allow each account to read its own attributes (because Subsonic needs it), and after that everything worked.

Thanks for the help.


Hi Romero,

Maybe we have the same problem. Can you explain the steps you took to reach the goal?

Thanks

Mario
