Some issues with OpenLDAP Settings - uid search, Bind User, TLS failure
Attempting to set up the OpenLDAP authentication and ran into the following:
This is all using an LDAP v3 server not Active Directory and selecting the OpenLDAP settings.
1. Setting the port to 636 and enabling SSL yields the following error against my LDAP server (it has a valid SSL certificate signed by GlobalSign), and I've got about two dozen other systems working with it just fine.
This happened : {'info': 'A TLS fatal alert has been received.', 'desc': "Can't contact LDAP server"}.
2. Not sure why there is a Domain setting. Should just have a Base DN as to where to start searching for the UID.
3. It does not appear that a search is performed to find a uid; it just prepends uid=username, to what is in the Domain box. Or it could be that the search scope is set to BASE or maybe ONE, but I think it's BASE and not SUBTREE. Here is a decent page on the differences: http://www.idevelopment.info/data/LDAP/LDAP_Resources/SEARCH_Setting_the_SCOPE_Parameter.shtml
4. There should be a provision added for a Bind DN User and Bind Password for LDAP directories that do not allow anonymous bind. (At least one of our LDAP servers does not allow anonymous bind and as we are building a new one we don't want that one to allow anonymous binds either).
5. It would be good to add a field for user attribute mapping (UID is good, but some directories may be set up for something else such as mail or krbprincipalname).
6. The example wording under Domain and Base doesn't seem to make sense, nor do I see why both of them are there, as the only thing that should be relevant is the Base DN.
Domain says:
Full Domain DN where the user resides, e.g. for uid=john,ou=people,dc=device42,dc=pvt, it would be ou=people,dc=device42,dc=pvt
Base says:
DN(distinguished name) where username search is performed, e.g. for ou people in device42.pvt, this would be ou=people,dc=awesome,dc=device42,dc=pvt
If you are searching (Base) for username within "dc=awesome,dc=device42,dc=pvt", I can't see how you would find that if the "user resides" in (Domain) "ou=people,dc=device42,dc=pvt". Those are two totally different branches? Maybe I'm not following this correctly, but I don't recall seeing a Domain and a Base specified in any of my other products that connect to LDAP, just a Base DN (and usually Bind DN and Bind Password along with the typical server name, port, and SSL or not).
thanks,
-Tomas
I should have mentioned that with 1 above, if I change port to 389 and disable SSL then it connects.
Tomas,
1. OpenLDAP was added a few releases ago with experimental support. We haven't gotten a chance to test with ldaps until now for OpenLDAP (only with MS AD). That said, it is on our list to look into.
2. You are right regarding Base and Domain. You generally don't need two in OpenLDAP. Initially our logic was built for AD only, so both fields are required for now. If you make these two the same, you should be good to go.
3. We do SUBTREE search. Please make sure domain and base are the same.
4. We don't do anonymous bind.
5. This is a good point. We would look into this further.
6. As discussed in point 2 above, you are right. We will see if we can simplify this for OpenLDAP.
Thanks,
Raj Jalan.
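The points in the thread above (base DN vs. "Domain", BASE vs. SUBTREE scope, prepending uid= instead of searching, a bind account where anonymous bind is refused, and looking users up by mail or krbPrincipalName instead of uid) can be checked without a server. The following is an added example, not Device42's code and not a real LDAP client: an in-memory model of the directory tree from the thread, with LDAP scope semantics implemented over DNs. The directory entries, passwords and the uid=svc-device42 service account are constructed for the example; it goes slightly beyond the thread by also modelling ONELEVEL scope and a configurable lookup attribute.

```python
# Added example: in-memory model of LDAP user lookup. Not Device42 code and not
# a real LDAP client; it only shows how base DN, scope, lookup attribute and
# bind account decide whether a login succeeds.

BASE, ONELEVEL, SUBTREE = "base", "onelevel", "subtree"

# Constructed directory (DN -> attributes) mirroring the DNs used in the thread.
DIRECTORY = {
    "dc=device42,dc=pvt": {"objectClass": ["domain"]},
    "ou=people,dc=device42,dc=pvt": {"objectClass": ["organizationalUnit"]},
    "uid=john,ou=people,dc=device42,dc=pvt": {
        "uid": ["john"], "mail": ["john@device42.pvt"],
        "krbPrincipalName": ["john@DEVICE42.PVT"], "userPassword": ["john-pw"]},
    "ou=contractors,ou=people,dc=device42,dc=pvt": {"objectClass": ["organizationalUnit"]},
    "uid=jane,ou=contractors,ou=people,dc=device42,dc=pvt": {
        "uid": ["jane"], "mail": ["jane@device42.pvt"], "userPassword": ["jane-pw"]},
    # Assumed service account used for the initial (non-anonymous) bind.
    "uid=svc-device42,ou=services,dc=device42,dc=pvt": {
        "uid": ["svc-device42"], "userPassword": ["svc-pw"]},
}
ALLOW_ANONYMOUS_BIND = False  # the directory in the thread refuses anonymous binds


def parse_dn(dn):
    """Split a DN into normalised RDNs, leaf first. Escaped commas (\\,) are
    not handled; enough for the DNs in this example."""
    return tuple(r.strip().lower() for r in dn.split(","))


def in_scope(entry_dn, base_dn, scope):
    """LDAP scope semantics: BASE matches only the base entry itself, ONELEVEL
    its direct children, SUBTREE the base and everything beneath it."""
    entry, base = parse_dn(entry_dn), parse_dn(base_dn)
    if len(entry) < len(base) or entry[len(entry) - len(base):] != base:
        return False  # entry does not sit under this base at all
    depth = len(entry) - len(base)
    return {BASE: depth == 0, ONELEVEL: depth == 1, SUBTREE: True}[scope]


def attr_values(attrs, name):
    """Case-insensitive attribute lookup, values lower-cased for matching."""
    return [v.lower() for k, vs in attrs.items() if k.lower() == name.lower() for v in vs]


def search(base_dn, scope, attr, value):
    """(attr=value) search limited by base DN and scope; returns matching DNs."""
    return [dn for dn, attrs in DIRECTORY.items()
            if in_scope(dn, base_dn, scope) and value.lower() in attr_values(attrs, attr)]


def bind(bind_dn, password):
    """True if a simple bind would succeed. Empty DN means anonymous bind."""
    if not bind_dn:
        return ALLOW_ANONYMOUS_BIND
    entry = next((a for d, a in DIRECTORY.items() if parse_dn(d) == parse_dn(bind_dn)), None)
    return entry is not None and password in entry.get("userPassword", [])


def find_user_dn(base_dn, scope, attr, login):
    """Resolve a login name to a DN by searching; None unless exactly one hit."""
    hits = search(base_dn, scope, attr, login)
    return hits[0] if len(hits) == 1 else None


def prepend_lookup(domain_dn, login):
    """The no-search behaviour suspected in point 3: build uid=<login>,<Domain>.
    Only works when every user sits directly under that one DN."""
    return f"uid={login},{domain_dn}"


def authenticate(cfg, login, password):
    """Two-stage login: bind as the configured account (or anonymously when
    allowed), search for the user's DN, then bind as that user.
    Returns (ok, user_dn_or_reason)."""
    if not bind(cfg.get("bind_dn"), cfg.get("bind_password")):
        return False, "service/anonymous bind refused"
    user_dn = find_user_dn(cfg["base_dn"], cfg["scope"], cfg["user_attr"], login)
    if user_dn is None:
        return False, "user not found (check base DN, scope and attribute)"
    if not bind(user_dn, password):
        return False, "user bind failed"
    return True, user_dn


if __name__ == "__main__":
    cfg = {"base_dn": "dc=device42,dc=pvt", "scope": SUBTREE, "user_attr": "uid",
           "bind_dn": "uid=svc-device42,ou=services,dc=device42,dc=pvt",
           "bind_password": "svc-pw"}
    print(authenticate(cfg, "jane", "jane-pw"))                  # found via subtree search
    print(authenticate(dict(cfg, scope=BASE), "jane", "jane-pw"))  # BASE scope never finds users
    print(authenticate(dict(cfg, bind_dn=None), "jane", "jane-pw"))  # anonymous bind refused
    print(prepend_lookup("ou=people,dc=device42,dc=pvt", "jane") in DIRECTORY)  # False: nested OU
```

Running it shows why a single base DN plus SUBTREE scope and a bind account is the usual set of settings: jane, who lives in a nested OU, is only found by a subtree search, a BASE-scope search finds nobody, prepending uid= misses her entirely, and with anonymous bind disabled the lookup cannot even start without a bind DN and password.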