LDAP usage on 6.6

Hi all.

I’ve found a strange issue with LDAP: if I search the directory via

ldapsearch -Y EXTERNAL

I get the correct output, but when I use explicit credentials

ldapsearch  -D "cn=libuser,dc=directory,dc=nh" -w $(cat /var/lib/nethserver/secrets/libuser)

or in this way

ldapsearch  -h $NETHSERVER_LAN_IP -D "uid=admin,ou=People,dc=directory,dc=nh" -w $MY_SECRET_PASSWORD -b "ou=People,dc=directory,dc=nh"

I get a “No such object” error.

The last command gives an error even if executed on the nethserver itself, so I can exclude any firewall issues.

The result of this behavior is that I have no access to the LDAP directory from any client…

Am I missing something?

You can use this command:

ldapsearch -h localhost -D "cn=libuser,dc=directory,dc=nh" -w `cat /var/lib/nethserver/secrets/libuser` -b "ou=People,dc=directory,dc=nh"

Giacomo, thanks for your reply.

Your command is working but it’s not solving my problem…
I CAN query the LDAP directory from the nethserver itself, but I CANNOT query from other hosts inside the LAN.

so:

ldapsearch -h localhost -D "cn=libuser,dc=directory,dc=nh" -w $(cat /var/lib/nethserver/secrets/libuser ) -b "ou=People,dc=directory,dc=nh"

is working on the nethserver and is (obviously) failing on any client.

ldapsearch -h 192.168.1.1 -D "cn=libuser,dc=directory,dc=nh" -w $(cat /var/lib/nethserver/secrets/libuser ) -b "ou=People,dc=directory,dc=nh"

is not working at all, even from nethserver. (let’s say 192.168.1.1 is the IP address of the nethserver)
This is the output of the command, if it gives you any clue…

# extended LDIF
#
# LDAPv3
# base <ou=People,dc=directory,dc=nh> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 2
result: 32 No such object

# numResponses: 1

I’ve managed to find a solution.

Here’s the background:
/etc/openldap/slapd.d/cn=config/olcDatabase={2}bdb.ldif defines the underlying ldap storage database and ACL.
The default .ldif has 3 “olcAccess” lines:

olcAccess: {0}to attrs=sambaNTPassword by dn.exact="gidNumber=0+uidNumber=0,cn
 =peercred,cn=external,cn=auth" manage by dn.exact="cn=samba,dc=directory,dc=n
 h" peername.ip="127.0.0.1" write by self write by * none
olcAccess:: ezF9dG8gYXR0cnM9dXNlclBhc3N3b3JkIGJ5IGRuLmV4YWN0PSJnaWROdW1iZXI9MC
 t1aWROdW1iZXI9MCxjbj1wZWVyY3JlZCxjbj1leHRlcm5hbCxjbj1hdXRoIiBtYW5hZ2UgYnkgZG4
 uZXhhY3Q9ImNuPXBhbSxkYz1kaXJlY3RvcnksZGM9bmgiIHBlZXJuYW1lLnBhdGg9Ii92YXIvcnVu
 L2xkYXBpIiB3cml0ZSBieSBkbi5leGFjdD0iY249bGlidXNlcixkYz1kaXJlY3RvcnksZGM9bmgiI
 HBlZXJuYW1lLmlwPSIxMjcuMC4wLjEiIHdyaXRlIGJ5IGFub255bW91cyBhdXRoIGJ5IHNlbGYgd3
 JpdGUgYnkgKiBub25lIA==
olcAccess:: ezJ9dG8gKiBieSBkbi5leGFjdD0iZ2lkTnVtYmVyPTArdWlkTnVtYmVyPTAsY249cG
 VlcmNyZWQsY249ZXh0ZXJuYWwsY249YXV0aCIgbWFuYWdlIGJ5IGRuLmV4YWN0PSJjbj1zYW1iYSx
 kYz1kaXJlY3RvcnksZGM9bmgiIHBlZXJuYW1lLmlwPSIxMjcuMC4wLjEiIHdyaXRlIGJ5IGRuLmV4
 YWN0PSJjbj1wYW0sZGM9ZGlyZWN0b3J5LGRjPW5oIiBwZWVybmFtZS5wYXRoPSIvdmFyL3J1bi9sZ
 GFwaSIgd3JpdGUgYnkgZG4uZXhhY3Q9ImNuPWxpYnVzZXIsZGM9ZGlyZWN0b3J5LGRjPW5oIiBwZW
 VybmFtZS5pcD0iMTI3LjAuMC4xIiB3cml0ZSBieSB1c2VycyBzc2Y9NzEgcmVhZCBieSAqIG5vbmU
 g

The 2nd and 3rd statements are base64 encoded; here’s the cleaned-out version:

olcAccess: {0}to attrs=sambaNTPassword 
 by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage 
 by dn.exact="cn=samba,dc=directory,dc=nh" peername.ip="127.0.0.1" write 
 by self write 
 by * none
olcAccess: {1}to attrs=userPassword 
 by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage 
 by dn.exact="cn=pam,dc=directory,dc=nh" peername.path="/var/run/ldapi" write 
 by dn.exact="cn=libuser,dc=directory,dc=nh" peername.ip="127.0.0.1" write 
 by anonymous auth 
 by self write 
 by * none 
olcAccess: {2}to * 
 by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage 
 by dn.exact="cn=samba,dc=directory,dc=nh" peername.ip="127.0.0.1" write 
 by dn.exact="cn=pam,dc=directory,dc=nh" peername.path="/var/run/ldapi" write 
 by dn.exact="cn=libuser,dc=directory,dc=nh" peername.ip="127.0.0.1" write 
 by users ssf=71 read 
 by * none 

So I created a new LDIF with these modifications:

olcAccess: {2}to dn.base="" by * read
olcAccess: {3}to *
 by self write
 by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
 by dn.exact="cn=samba,dc=directory,dc=nh" peername.ip="127.0.0.1" write 
 by dn.exact="cn=pam,dc=directory,dc=nh" peername.path="/var/run/ldapi" write 
 by dn.exact="cn=libuser,dc=directory,dc=nh" peername.ip="127.0.0.1" write 
 by users ssf=71 read 
 by * read

And this is the resulting LDIF:

dn: olcDatabase={2}bdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=sambaNTPassword by dn.exact="gidNumber=0+uidNumber=0,cn
 =peercred,cn=external,cn=auth" manage by dn.exact="cn=samba,dc=directory,dc=n
 h" peername.ip="127.0.0.1" write by self write by * none
olcAccess:: ezF9dG8gYXR0cnM9dXNlclBhc3N3b3JkIA0KIGJ5IGRuLmV4YWN0PSJnaWROdW1iZXI9MCt1aWROdW1iZXI9MCxjbj1wZWVyY3JlZCxjbj1leHRlcm5hbCxjbj1hdXRoIiBtYW5hZ2UNCiBieSBkbi5leGFjdD0iY249cGFtLGRjPWRpcmVjdG9yeSxkYz1uaCIgcGVlcm5hbWUucGF0aD0iL3Zhci9ydW4vbGRhcGkiIHdyaXRlIA0KIGJ5IGRuLmV4YWN0PSJjbj1saWJ1c2VyLGRjPWRpcmVjdG9yeSxkYz1uaCIgcGVlcm5hbWUuaXA9IjEyNy4wLjAuMSIgd3JpdGUNCiBieSBhbm9ueW1vdXMgYXV0aCANCiBieSBzZWxmIHdyaXRlIA0KIGJ5ICogbm9uZQ==
olcAccess:: ezJ9dG8gZG4uYmFzZT0iIg0KIGJ5ICogcmVhZA==
olcAccess:: ezN9dG8gKg0KIGJ5IHNlbGYgd3JpdGUNCiBieSBkbi5leGFjdD0iZ2lkTnVtYmVyPTArdWlkTnVtYmVyPTAsY249cGVlcmNyZWQsY249ZXh0ZXJuYWwsY249YXV0aCIgbWFuYWdlDQogYnkgZG4uZXhhY3Q9ImNuPXNhbWJhLGRjPWRpcmVjdG9yeSxkYz1uaCIgcGVlcm5hbWUuaXA9IjEyNy4wLjAuMSIgd3JpdGUgDQogYnkgZG4uZXhhY3Q9ImNuPXBhbSxkYz1kaXJlY3RvcnksZGM9bmgiIHBlZXJuYW1lLnBhdGg9Ii92YXIvcnVuL2xkYXBpIiB3cml0ZSANCiBieSBkbi5leGFjdD0iY249bGlidXNlcixkYz1kaXJlY3RvcnksZGM9bmgiIHBlZXJuYW1lLmlwPSIxMjcuMC4wLjEiIHdyaXRlIA0KIGJ5IHVzZXJzIHNzZj03MSByZWFkIA0KIGJ5ICogcmVhZA==

You can import this with this command:

ldapmodify -Y EXTERNAL -f filename.ldif

No need to restart openldap, external queries will be accepted instantaneously.

BIG FAT WARNING:
I still haven’t tested the security implications of these modifications. I will do it in the future (I hope :))

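As an added example (not from this thread and not NethServer's own tooling), the Python script below reads the olcAccess values of an LDIF fragment the way ldapmodify would: it joins the folded continuation lines, base64-decodes the "olcAccess::" values (slapd writes them that way whenever a value contains CR/LF), splits each rule into its target and its ordered "by <who> <access>" clauses, and then reports every clause that grants an unauthenticated bind more than "auth". Its sample input is constructed from the {0}, {2} and {3} rules of the final LDIF above ({1} is left out for brevity); the function names and the simple "split on by" rule are the example's own assumptions.

```python
"""Decode and audit the olcAccess rules of an LDIF modify fragment.

Added example, not code from the forum thread or from NethServer: it
unfolds LDIF continuation lines, base64-decodes "olcAccess::" values,
parses each rule into <what> plus ordered "by <who> <access>" clauses and
flags clauses that let an unauthenticated bind ("*" or "anonymous") do
more than authenticate.
"""
import base64
import re

# Constructed sample: rules {0}, {2} and {3} copied from the thread's final
# LDIF. {0} is folded over three lines, {2} and {3} are base64 because the
# poster's values contain CR/LF line breaks.
SAMPLE_LDIF = """\
dn: olcDatabase={2}bdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=sambaNTPassword by dn.exact="gidNumber=0+uidNumber=0,cn
 =peercred,cn=external,cn=auth" manage by dn.exact="cn=samba,dc=directory,dc=n
 h" peername.ip="127.0.0.1" write by self write by * none
olcAccess:: ezJ9dG8gZG4uYmFzZT0iIg0KIGJ5ICogcmVhZA==
olcAccess:: ezN9dG8gKg0KIGJ5IHNlbGYgd3JpdGUNCiBieSBkbi5leGFjdD0iZ2lkTnVtYmVyPTArdWlkTnVtYmVyPTAsY249cGVlcmNyZWQsY249ZXh0ZXJuYWwsY249YXV0aCIgbWFuYWdlDQogYnkgZG4uZXhhY3Q9ImNuPXNhbWJhLGRjPWRpcmVjdG9yeSxkYz1uaCIgcGVlcm5hbWUuaXA9IjEyNy4wLjAuMSIgd3JpdGUgDQogYnkgZG4uZXhhY3Q9ImNuPXBhbSxkYz1kaXJlY3RvcnksZGM9bmgiIHBlZXJuYW1lLnBhdGg9Ii92YXIvcnVuL2xkYXBpIiB3cml0ZSANCiBieSBkbi5leGFjdD0iY249bGlidXNlcixkYz1kaXJlY3RvcnksZGM9bmgiIHBlZXJuYW1lLmlwPSIxMjcuMC4wLjEiIHdyaXRlIA0KIGJ5IHVzZXJzIHNzZj03MSByZWFkIA0KIGJ5ICogcmVhZA==
"""

# slapd access levels, lowest to highest.
ACCESS_LEVELS = ("none", "disclose", "auth", "compare", "search", "read",
                 "write", "add", "delete", "manage")
# What an unauthenticated bind may legitimately need: "auth" is enough to
# perform a simple bind, anything above it exposes directory content.
ANON_OK = {"none", "disclose", "auth"}

RULE_RE = re.compile(r"^(?:\{(\d+)\})?\s*to\s+(.*)$")


def unfold_ldif(text):
    """Join LDIF continuation lines (leading single space) onto the previous line."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif raw.strip():
            lines.append(raw)
    return lines


def ldif_attributes(text):
    """Yield (name, value) pairs; a '::' separator marks a base64 value."""
    for line in unfold_ldif(text):
        if line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        yield name.strip(), value


def parse_olc_access(value):
    """Split one olcAccess value into its index, target and ordered clauses.

    Assumption (hypothetical simplification): no quoted string inside the
    rule contains the token " by ", so a regex split on the separators is
    enough for this sample.
    """
    flat = " ".join(value.split())  # collapses the embedded CR/LF and folding
    match = RULE_RE.match(flat)
    if not match:
        raise ValueError("not an olcAccess rule: %r" % flat)
    target, *by_parts = re.split(r"\s+by\s+", match.group(2))
    clauses = []
    for part in by_parts:
        tokens = part.split()
        access = tokens[-1]
        if access not in ACCESS_LEVELS:
            raise ValueError("unknown access level %r in %r" % (access, part))
        clauses.append((" ".join(tokens[:-1]), access))  # (who, access)
    index = int(match.group(1)) if match.group(1) else None
    return {"index": index, "target": target.strip(), "clauses": clauses}


def olc_access_rules(ldif_text):
    """All olcAccess rules of the fragment, in the order slapd evaluates them."""
    return [parse_olc_access(v) for n, v in ldif_attributes(ldif_text)
            if n == "olcAccess"]


def audit_anonymous_access(rules):
    """Return (index, target, access) for each clause granting an
    unauthenticated bind more than "auth".

    slapd stops at the first <who> clause matching the requester, so a
    trailing "by * read" catches every bind no earlier clause named,
    anonymous ones included.
    """
    findings = []
    for rule in rules:
        for who, access in rule["clauses"]:
            subject = who.split()[0] if who else ""
            if subject in ("*", "anonymous") and access not in ANON_OK:
                findings.append((rule["index"], rule["target"], access))
    return findings


if __name__ == "__main__":
    parsed = olc_access_rules(SAMPLE_LDIF)
    for rule in parsed:
        print("{%s} to %s" % (rule["index"], rule["target"]))
        for who, access in rule["clauses"]:
            print("    by %-75s %s" % (who, access))
    for index, target, access in audit_anonymous_access(parsed):
        print("WARNING: rule {%s} grants unauthenticated binds %r on %s"
              % (index, access, target))
```

Run against the sample it reports two findings: rule {2}, which exposes only the root DSE (the conventional "to dn.base="" by * read" that lets clients discover the naming contexts), and rule {3}, which makes every entry in the directory readable without binding at all. Because slapd takes the first matching clause, the trailing "by * read" in {3} also applies to authenticated sessions below ssf 71, which the earlier "by users ssf=71 read" clause on its own would have refused; that is the difference worth weighing before importing the modified LDIF on a server that is reachable from the whole LAN.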

I didn’t understand you needed access from other clients, sorry!
By the way, great show LDAP configuration: I still have problems after years of development :smiley:

Take a look also at this: http://docs.nethserver.org/projects/nethserver-devel/en/latest/directory.html#anonymous-access-to-user-account-entries