SSSD.pm and phpldapadmin

Thinking out loud; if you can enlighten me, please jump in.

I must admit I’m a zero when it comes to ldap (openldap or samba4 ad): I know how to use it, but with a lot of effort. Anyway, that is not the purpose of this post.

Sometimes, if you can read it, you have one part of your problem solved; hence the need for a contrib.

First, why phpldapadmin? There is plenty of documentation. I know there is other software, I hear you :slight_smile:

I want to set up phpldapadmin with two modes (two users):

read-only: $sssd->bindDN() and $sssd->bindPassword()

'cn=ldapservice,dc=stephdl,dc=dyndns,dc=org' #openldap
"cn=NS7DEV5,cn=Computers,dc=stephdl,dc=dyndns,dc=org"  #samba4

kamikaze mode (write access) ??? and ???

cn=libuser,dc=stephdl,dc=dyndns,dc=org
CN=Administrator,CN=Users,dc=stephdl,dc=dyndns,dc=org

For the kamikaze mode, what is the sssd function to obtain the relevant name and password of users with write permissions?

I know that for openldap we could use ‘cn=libuser,dc=directory,dc=nh’, but it is not nice.

I could do two types of authentication, with pros and cons:

  • apache
    with this authentication, it is a convenient way to log in as, for example, the user admin, but we leave all the security role to apache.

  • ldap
    here the security is managed directly by ldap (openldap or samba4 ad), but if the password is secured, except for the password of ‘administrator’, it is not easy to find it. You need to go to your terminal for libuser and ldapservice, and for the user ‘cn=NS7DEV5,cn=Computers,dc=stephdl,dc=dyndns,dc=org’ the password can be found only with the perl snippet $sssd->bindPassword().

One more question to @davidep: soon, I figure, the write access to samba4 AD will be the user admin?

Yes, I’d go with admin for both LDAP and AD. We’ll put admin in the administrators group of AD in our Samba DC. On the LDAP side, admin is now defined as “rootDN”, so it has full access to the whole LDAP tree: forget about libuser, it is for libuser only :wink:

IIRC you could configure phpldapadmin with BIND authentication: if feasible, it seems the best option to me.

1 Like

How can the end user retrieve the password of cn=NS7DEV5,cn=Computers,dc=stephdl,dc=dyndns,dc=org, the read account of samba4???

The end user should bind with his credentials!

In other words: phpldapadmin does not have any credentials in its config files, it only forwards the user’s credentials to LDAP.

Yep, it works, but the login is really, really long :frowning:

not convenient :slight_smile:

Do you mean the user name length?

IIRC there should be a configurable shortcut…

Yep, or at least I can do a trick. I mean the user name is ‘cn=admin,cn=Users,dc=stephdl,dc=dyndns,dc=org’.

This is only for samba4; for openldap we must use ldapservice or libuser, or create our own ldap service user… Am I right?

I don’t like that direct bind solution, I’d go with this one (from /etc/phpldapadmin/config.php):

/* If you specified 'cookie' or 'session' as the auth_type above, you can
optionally specify here an attribute to use when logging in. If you enter
'uid' and login as 'dsmith', phpLDAPadmin will search for (uid=dsmith)
and log in as that user.
Leave blank or specify 'dn' to use full DN for logging in. Note also that if
your LDAP server requires you to login to perform searches, you can enter the
DN to use when searching in 'bind_id' and 'bind_pass' above. */
// $servers->setValue('login','attr','dn');

2 Likes

OK, got it to work with the simple login form:

  • openldap
    ldapservice R
    libuser RW

  • samba4
    a user set in the SM R
    administrator RW

Isn’t it possible?

For samba4 I can use a user if I use ‘cn’:

$servers->newServer('ldap_pla');
$servers->setValue('server','name','Samba4 Server');
$servers->setValue('server','host','ldap://nsdc-ns7dev5.stephdl.dyndns.org:389');
$servers->setValue('login','auth_type','cookie');
$servers->setValue('login','bind_id','cn=NS7DEV5,cn=Computers,dc=stephdl,dc=dyndns,dc=org');
$servers->setValue('login','bind_pass','?Y76cHM$JU,f@9');
$servers->setValue('server','tls',false);
$servers->setValue('login','attr','cn');
$servers->setValue('server','base',array('dc=stephdl,dc=dyndns,dc=org'));

sAMAccountName should work either… Did you try it?

Will do, but it seems that it also works with ‘uid’ and openldap… of course read-only.

Yep, workable. I suppose you prefer to use it for samba4?

1 Like

Yes, and I’d like the same approach for LDAP, too!

What would be the best stuff then for openldap?

cn
uid
???

is the sAMAccountName counterpart in our LDAP schema

Also see

/* If 'login,attr' is used above such that phpLDAPadmin will search for your DN
at login, you may restrict the search to a specific objectClasses. EG, set this
to array('posixAccount') or array('inetOrgPerson',...), depending upon your
setup. */
// $servers->setValue('login','class',array());

For AD, objectClass=user
For LDAP, objectClass=shadowAccount
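To make concrete what the config above (the samba4 server block with its `bind_id`/`bind_pass`, and the `login,attr` / `login,class` settings) does at login time, here is an added example in Python; it is not phpLDAPadmin's own code. The search-then-bind flow is: the typed user name is escaped and turned into a filter such as `(&(objectClass=user)(sAMAccountName=admin))`, the search (done with the read-only `bind_id` account, or anonymously) must return exactly one DN, and phpLDAPadmin then binds as that DN with the password the user typed, so no write-capable credential ever lives in config.php. The filter shape used for several classes (an OR) and the sample entries are assumptions constructed for illustration.

```python
"""Search-then-bind login resolution as driven by phpLDAPadmin's 'login,attr'
and 'login,class' settings.  Added example, not phpLDAPadmin's code: the
multi-class filter shape and the sample entries are constructed assumptions."""

# RFC 4515 escaping for values interpolated into a search filter: without it a
# typed login such as 'admin)(cn=*' would change the filter's meaning.
_FILTER_ESCAPES = {'\\': r'\5c', '*': r'\2a', '(': r'\28', ')': r'\29', '\0': r'\00'}


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied value so the directory matches it literally."""
    return ''.join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_login_filter(attr: str, classes, login: str) -> str:
    """Filter for the DN lookup: attr is the 'login,attr' value
    ('sAMAccountName', 'uid', 'cn', ...), classes the 'login,class' array."""
    term = f'({attr}={escape_filter_value(login)})'
    classes = list(classes or [])
    if not classes:
        return term
    if len(classes) == 1:
        return f'(&(objectClass={classes[0]}){term})'
    # Assumption: several configured classes are alternatives (OR).
    alternatives = ''.join(f'(objectClass={c})' for c in classes)
    return f'(&(|{alternatives}){term})'


def resolve_login_dn(entries, attr, classes, login):
    """Return the one DN the filter would match in `entries`.

    Raises LookupError on zero or several hits: a search-then-bind login must
    map the typed name to exactly one account before it binds as that DN.
    """
    wanted = set(classes or [])
    hits = [e['dn'] for e in entries
            if e.get(attr) == login
            and (not wanted or wanted & set(e['objectClass']))]
    if len(hits) != 1:
        raise LookupError(
            f'{len(hits)} entries match {build_login_filter(attr, classes, login)}')
    return hits[0]


# Constructed sample entries (not a dump of any real directory), shaped like the
# two back-ends in the thread under the thread's base DN.
BASE = 'dc=stephdl,dc=dyndns,dc=org'
SAMBA4_ENTRIES = [
    {'dn': f'cn=admin,cn=Users,{BASE}', 'objectClass': ['user'],
     'cn': 'admin', 'sAMAccountName': 'admin'},
    {'dn': f'cn=NS7DEV5,cn=Computers,{BASE}', 'objectClass': ['user', 'computer'],
     'cn': 'NS7DEV5', 'sAMAccountName': 'NS7DEV5$'},
]
OPENLDAP_ENTRIES = [
    {'dn': f'uid=admin,ou=People,{BASE}', 'objectClass': ['posixAccount', 'shadowAccount'],
     'uid': 'admin', 'cn': 'admin'},
    {'dn': f'uid=toto,ou=People,{BASE}', 'objectClass': ['posixAccount', 'shadowAccount'],
     'uid': 'toto', 'cn': 'toto'},
    {'dn': f'cn=ldapservice,{BASE}', 'objectClass': ['simpleSecurityObject'],
     'cn': 'ldapservice'},
]


if __name__ == '__main__':
    # AD style: the login 'admin' resolves to cn=admin,cn=Users,...
    print(resolve_login_dn(SAMBA4_ENTRIES, 'sAMAccountName', ['user'], 'admin'))
    # OpenLDAP style: the login 'toto' resolves to uid=toto,ou=People,...
    print(resolve_login_dn(OPENLDAP_ENTRIES, 'uid', ['shadowAccount'], 'toto'))
    # The read-only service account is not a shadowAccount, so with that class
    # restriction it cannot be used through the login form at all.
    try:
        resolve_login_dn(OPENLDAP_ENTRIES, 'cn', ['shadowAccount'], 'ldapservice')
    except LookupError as exc:
        print('refused:', exc)
```

The `login,class` restriction is what keeps service or machine objects (ldapservice, libuser) from being usable through the form even when their `cn` matches, and the escaping is what keeps a typed login name from widening the search filter; both are worth checking when you adapt the attribute from `cn` to `sAMAccountName` or `uid`.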

OK, thanks @davidep for your time, but for the kamikaze mode (e.g. write permission) must I use the cn in openldap, since libuser uses it?

I’d expect that, to be granted write permissions, the user logs in with the “admin” account and password. Then phpldapadmin BINDs with those credentials. As said, no libuser involvement at all!

Trying to allow admin in slapd, I put this ACL in /etc/openldap/ldap.conf:

access to *
  by dn="uid=admin,ou=People,dc=stephdl,dc=dyndns,dc=org" write
  by dn="uid=toto,ou=People,dc=stephdl,dc=dyndns,dc=org" write

But when I try to delete an entry, or modify another one, I get an error:

Dec  5 19:26:07 NS7DEV4 slapd[1722]: conn=1009 op=2 DEL dn="cn=admin,dc=stephdl,dc=dyndns,dc=org"
Dec  5 19:26:07 NS7DEV4 slapd[1722]: conn=1009 op=2 RESULT tag=107 err=50 text=no write access to parent
Dec  5 19:26:07 NS7DEV4 slapd[1722]: conn=1009 op=3 UNBIND

Any clue accepted.
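When chasing an ACL problem like the one above, the useful evidence is in the slapd log: `err=50` is the LDAP result code insufficientAccessRights, and for a DEL the text "no write access to parent" means the effective ACL did not grant write on the parent entry of the one being removed. The identity that was refused is not on the RESULT line itself; it is the DN from the earlier BIND on the same `conn=`. The Python below is an added example (not from the thread) that correlates those lines so each refusal is tagged with the bound DN and the target; the three lines quoted in the post are kept as-is and the surrounding lines (the BIND, a search, and a second anonymous connection) are constructed. One caveat worth checking first: `/etc/openldap/ldap.conf` is the client library configuration, and slapd takes its `access to` rules from slapd.conf or the `olcAccess` attributes under cn=config, so rules placed in ldap.conf never reach the server.

```python
"""Correlate slapd 'err=50' (insufficientAccessRights) results with the DN
that was bound on the connection, so a refused write can be traced to who
tried what.  Added example, not from the thread: the parser and the log
lines not quoted in the post are constructed."""
import re

# Prefix shared by every per-operation slapd syslog line.
LINE_RE = re.compile(r'slapd\[\d+\]: conn=(?P<conn>\d+) op=(?P<op>\d+) (?P<rest>.*)$')
BIND_RE = re.compile(r'^BIND dn="(?P<dn>[^"]*)"')
WRITE_RE = re.compile(r'^(?P<kind>ADD|DEL|MOD|MODRDN) dn="(?P<dn>[^"]*)"')
RESULT_RE = re.compile(
    r'^(?:SEARCH )?RESULT tag=(?P<tag>\d+) err=(?P<err>\d+)(?: nentries=\d+)? text=(?P<text>.*)$')

INSUFFICIENT_ACCESS = 50  # LDAP resultCode insufficientAccessRights


def find_access_denials(lines):
    """Return one dict per write operation slapd refused with err=50, tagged
    with the DN bound on that connection ('anonymous' if none)."""
    bound = {}    # conn -> DN of the last successful BIND
    pending = {}  # (conn, op) -> (kind, target dn) waiting for its RESULT
    denials = []
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # ACCEPT/closed lines and anything that is not an op
        conn, op, rest = m['conn'], m['op'], m['rest']
        if (b := BIND_RE.match(rest)):
            pending[(conn, op)] = ('BIND', b['dn'])
        elif (w := WRITE_RE.match(rest)):
            pending[(conn, op)] = (w['kind'], w['dn'])
        elif (r := RESULT_RE.match(rest)):
            kind, target = pending.pop((conn, op), (None, None))
            err = int(r['err'])
            if kind == 'BIND':
                if err == 0:
                    bound[conn] = target  # bind succeeded: remember identity
            elif kind is not None and err == INSUFFICIENT_ACCESS:
                denials.append({
                    'conn': conn, 'op': op,
                    'bind_dn': bound.get(conn) or 'anonymous',
                    'kind': kind, 'target': target,
                    'text': r['text'].strip(),
                })
        elif rest.startswith('UNBIND'):
            bound.pop(conn, None)
    return denials


def denials_by_bind_dn(denials):
    """Count refused writes per bound identity (handy for a quick audit)."""
    counts = {}
    for d in denials:
        counts[d['bind_dn']] = counts.get(d['bind_dn'], 0) + 1
    return counts


# Constructed sample log: the three lines from the post plus the BIND and
# search that would precede them, and a second, anonymous connection.
SAMPLE_LOG = """\
Dec  5 19:26:05 NS7DEV4 slapd[1722]: conn=1009 fd=12 ACCEPT from IP=127.0.0.1:41234 (IP=0.0.0.0:389)
Dec  5 19:26:05 NS7DEV4 slapd[1722]: conn=1009 op=0 BIND dn="uid=admin,ou=People,dc=stephdl,dc=dyndns,dc=org" method=128
Dec  5 19:26:05 NS7DEV4 slapd[1722]: conn=1009 op=0 BIND dn="uid=admin,ou=People,dc=stephdl,dc=dyndns,dc=org" mech=SIMPLE ssf=0
Dec  5 19:26:05 NS7DEV4 slapd[1722]: conn=1009 op=0 RESULT tag=97 err=0 text=
Dec  5 19:26:06 NS7DEV4 slapd[1722]: conn=1009 op=1 SRCH base="dc=stephdl,dc=dyndns,dc=org" scope=2 deref=0 filter="(objectClass=*)"
Dec  5 19:26:06 NS7DEV4 slapd[1722]: conn=1009 op=1 SEARCH RESULT tag=101 err=0 nentries=12 text=
Dec  5 19:26:07 NS7DEV4 slapd[1722]: conn=1009 op=2 DEL dn="cn=admin,dc=stephdl,dc=dyndns,dc=org"
Dec  5 19:26:07 NS7DEV4 slapd[1722]: conn=1009 op=2 RESULT tag=107 err=50 text=no write access to parent
Dec  5 19:26:07 NS7DEV4 slapd[1722]: conn=1009 op=3 UNBIND
Dec  5 19:27:01 NS7DEV4 slapd[1722]: conn=1010 op=0 BIND dn="" method=128
Dec  5 19:27:01 NS7DEV4 slapd[1722]: conn=1010 op=0 RESULT tag=97 err=0 text=
Dec  5 19:27:02 NS7DEV4 slapd[1722]: conn=1010 op=1 MOD dn="uid=toto,ou=People,dc=stephdl,dc=dyndns,dc=org"
Dec  5 19:27:02 NS7DEV4 slapd[1722]: conn=1010 op=1 RESULT tag=103 err=50 text=no write access to attribute
"""


if __name__ == '__main__':
    found = find_access_denials(SAMPLE_LOG.splitlines())
    for d in found:
        print(f"conn={d['conn']} {d['bind_dn']} {d['kind']} {d['target']}: {d['text']}")
    print(denials_by_bind_dn(found))
```

Run it against `journalctl -u slapd` output or /var/log/messages and the refusals group by the DN that actually bound, which is the first thing to compare against the `by dn=` clauses of the ACL.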