Active Directory / multi-valued RDN - active-directory

Question:
How to handle DNs like this in Active Directory:
"myAttribute1=val1 + myAttribute2=val2 + myAttribute3=val3,
OU=instance1, DC=adtest"
Note: I don't have a CN here, the RDN is solely defined by custom defined classes myAttribute1, myAttribute2 and myAttribute3.
Details:
I have a schema description that I have to migrate from OpenDS to Active Directory.
But it seems that multi-valued RDNs are a problem in Active Directory.
A lookup with the DN mentioned above works fine in OpenDS. But when I do the same lookup in Active Directory, I get this exception:
javax.naming.InvalidNameException: "myAttribute1=val1 +
myAttribute2=val2 myAttribute3=val3": [LDAP: error code 34 -
0000208F: LdapErr: DSID-0C090715, comment: Error processing name, data
0, v1db1 ];
Here are my schema definitions. First in OpenDS:
objectClasses: ( 1.3.6.1.4.1.99.2
NAME 'myNewClass'
SUP top STRUCTURAL
MUST ( myAttribute1 $ myAttribute2 $ myAttribute3 )
MAY someOtherAttribute
)
And this is what I did for Active Directory:
# Class: myNewClass
dn: cn=myNewClass,cn=Schema,cn=Configuration,dc=X
changetype: add
objectClass: classSchema
governsID: 1.3.6.1.4.1.99.2
ldapDisplayName: myNewClass
adminDisplayName: myNewClass
objectClassCategory: 0
systemOnly: FALSE
# subclassOf: top
subclassOf: 2.5.6.0
# rdnAttId: myAttribute1
rdnAttId: 1.3.6.1.4.1.99.1
# mustContain: myAttribute2
mustContain: 1.3.6.1.4.1.99.2
# mustContain: myAttribute3
mustContain: 1.3.6.1.4.1.99.3
# mayContain: someOtherAttribute
mayContain: 1.3.6.1.4.1.99.4
# possSuperiors: organizationalUnit
possSuperiors: 2.5.6.5
# defaultObjectCategory: myNewClass
defaultObjectCategory: cn=myNewClass,cn=Schema,cn=Configuration,dc=X
I assume the problem is related to rdnAttId - I'm not sure which value I should put there. First I've tried to put CN there -> did not work. Second I've tried to use any of my custom defined attributes (myAttribute1) -> did not work either.

After some research: it seems it is not possible to use or define multi-valued RDNs in Active Directory.
See: http://msdn.microsoft.com/en-us/library/cc223237.aspx
Quote: "... [RFC2253] section 2 defines the following grammar rule for RelativeDistinguishedName, which explicitly allows RDNs to contain multiple attributes and values:
RelativeDistinguishedName ::= SET SIZE (1..MAX) OF
AttributeTypeAndValue
Active Directory is conformant with this rule, with the restriction that MAX equals 1 within the scope of the rule. ...".
LOL ( -> "MAX equals 1").
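An added example (not from the original post) that makes the "MAX equals 1" restriction checkable before a migration: it splits an RFC 2253 DN into RDNs, honouring backslash escapes and quoted values, and reports every RDN that carries more than one AttributeTypeAndValue, which is exactly the shape Active Directory rejects. The helper names and the sample DN (taken from the question) are mine.

```python
# Added example, not from the original post: find RDNs that Active Directory
# cannot store because they contain more than one AttributeTypeAndValue.

SAMPLE_DN = ("myAttribute1=val1 + myAttribute2=val2 + myAttribute3=val3, "
             "OU=instance1, DC=adtest")  # the DN from the question, joined on one line


def _split_unescaped(s, sep):
    """Split s on sep, ignoring separators that are escaped or inside quotes."""
    parts, buf, quoted, i = [], [], False, 0
    while i < len(s):
        ch = s[i]
        if ch == '\\' and i + 1 < len(s):   # keep escape pair as-is
            buf.append(s[i:i + 2])
            i += 2
            continue
        if ch == '"':
            quoted = not quoted
        if ch == sep and not quoted:
            parts.append(''.join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append(''.join(buf))
    return parts


def parse_dn(dn):
    """Return a list of RDNs; each RDN is a list of (type, value) pairs."""
    rdns = []
    for rdn in _split_unescaped(dn, ','):
        avas = []
        for ava in _split_unescaped(rdn, '+'):
            if '=' not in ava:
                raise ValueError('bad AttributeTypeAndValue: %r' % ava)
            attr_type, value = ava.split('=', 1)
            avas.append((attr_type.strip(), value.strip()))
        rdns.append(avas)
    return rdns


def multivalued_rdns(dn):
    """RDNs (rendered as 'a=1+b=2') that exceed AD's limit of one AVA per RDN."""
    return ['+'.join('%s=%s' % tv for tv in rdn)
            for rdn in parse_dn(dn) if len(rdn) > 1]


if __name__ == '__main__':
    print(multivalued_rdns(SAMPLE_DN))
```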

Related

Airflow Configuring AD/LDAP Admin Users And Regular Users

I have Airflow successfully set up to work with my AD/LDAP when everyone is a superuser and data profiler. But now I want to define an admin group and a regular user group. I have the following settings,
Working Config Where Everyone Is An Admin:
# set a connection without encryption: uri = ldap://<your.ldap.server>:<port>
uri = ldap://123.456.789:123
user_filter = objectClass=*
# in case of Active Directory you would use: user_name_attr = sAMAccountName
user_name_attr = sAMAccountName
# group_member_attr should be set accordingly with *_filter
# eg :
# group_member_attr = groupMembership
# superuser_filter = groupMembership=CN=airflow-super-users...
group_member_attr = member
group_name_attr = CN
group_filter = objectclass=group
bind_user = CN=blah,OU=foo,DC=us,DC=bar,DC=com
bind_password = yahoo
basedn = DC=us,DC=bar,DC=com
# Set search_scope to one of them: BASE, LEVEL , SUBTREE
# Set search_scope to SUBTREE if using Active Directory, and not specifying an Organizational Unit
search_scope = SUBTREE
New Config With Specific Admin Group Set:
# set a connection without encryption: uri = ldap://<your.ldap.server>:<port>
uri = ldap://123.456.789:123
user_filter = objectclass=*
# in case of Active Directory you would use: user_name_attr = sAMAccountName
user_name_attr = sAMAccountName
# group_member_attr should be set accordingly with *_filter
# eg :
# group_member_attr = groupMembership
# superuser_filter = groupMembership=CN=airflow-super-users...
superuser_filter = memberOf=CN=MyAdminGroupName,OU=foo,DC=us,DC=bar,DC=com
data_profiler_filter = memberOf=CN=MyAdminGroupName,OU=foo,DC=us,DC=bar,DC=com
group_member_attr = member
group_name_attr = CN
group_filter = objectclass=group
bind_user = CN=blah,OU=foo,DC=us,DC=bar,DC=com
bind_password = yahoo
basedn = DC=us,DC=bar,DC=com
# Set search_scope to one of them: BASE, LEVEL , SUBTREE
# Set search_scope to SUBTREE if using Active Directory, and not specifying an Organizational Unit
search_scope = SUBTREE
Resource: https://airflow.apache.org/security.html
With this new configuration I am able to log into the Airflow UI but I'm no longer able to view the Admin tab. I am 100% sure I am a part of the admin group MyAdminGroupName. I'm also not sure where to put my regular user group name MyRegularGroupName.
Can someone please guide me on how to configure my Admin group (MyAdminGroupName) and my regular user group (MyRegularGroupName)?
I also struggled with setting up LDAP in Airflow.
First off: what is group_filter = objectclass=group in your config? I cannot find it specified in the docs or in ldap_auth.py.
Then, your group_member_attr is set to member, but in the filter queries you're using memberOf, so I guess that memberOf should be your group_member_attr (it usually is, if you're using Active Directory).
Your superuser_filter and data_profiler_filter look good to me.
To whoever reads this: the filters are inserted into a string like this in the code: (&(<FILTER_HERE>)), so if you want to build a more sophisticated filter, take this into account.
E.g. I wanted to only give three users superuser rights (using environment variables for config):
AIRFLOW__LDAP__SUPERUSER_FILTER: "&(objectCategory=Person)(|(sAMAccountName=user1)(sAMAccountName=user2)(sAMAccountName=user3))(memberOf=CN=MyDepartment,OU=Departments,OU=UserGroup,DC=MyCompany,DC=local)"
Regarding your question about MyRegularUserGroup: I guess you can specify the user filter to filter for persons in your regular user group and then specify the admin group for superuser and data profiler. But that would only work if the admin group is a subset of the regular user group.
Hope that helps.
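An added example (not from Airflow's ldap_auth.py or the original answer) that reproduces the (&(<FILTER_HERE>)) wrapping described above and checks that the result is still a well-formed RFC 4515 filter: the three-user filter from the answer, which deliberately omits its outer parentheses, passes, while the same filter written with outer parentheses produces (&((&(...)))) and fails. The template string and helper names are my assumptions.

```python
# Added example, not from Airflow: show what Airflow's (&(<FILTER>)) wrapping
# does to a configured *_filter value and validate the resulting filter.

AIRFLOW_WRAP = "(&(%s))"  # assumption: the template the answer above describes


def wrapped_filter(cfg_value):
    """Return the filter string Airflow would send for a *_filter setting."""
    return AIRFLOW_WRAP % cfg_value


def _parse(s, i):
    """Recursive-descent check of one filter item starting at s[i]; returns end index."""
    if s[i] != '(':
        raise ValueError('expected "(" at %d' % i)
    i += 1
    if s[i] in '&|':                       # (&(...)(...)) / (|(...)(...))
        i += 1
        while s[i] == '(':
            i = _parse(s, i)
    elif s[i] == '!':                      # (!(...))
        i = _parse(s, i + 1)
    else:                                  # simple item: attr=value, no nesting
        j = s.find(')', i)
        if j < 0 or '=' not in s[i:j] or '(' in s[i:j]:
            raise ValueError('bad simple item at %d' % i)
        i = j
    if s[i] != ')':
        raise ValueError('expected ")" at %d' % i)
    return i + 1


def is_valid_filter(s):
    """True if s is one complete, balanced LDAP search filter."""
    try:
        return _parse(s, 0) == len(s)
    except (ValueError, IndexError):
        return False


THREE_USERS = ("&(objectCategory=Person)(|(sAMAccountName=user1)(sAMAccountName=user2)"
               "(sAMAccountName=user3))(memberOf=CN=MyDepartment,OU=Departments,"
               "OU=UserGroup,DC=MyCompany,DC=local)")  # the filter from the answer

if __name__ == '__main__':
    print(wrapped_filter(THREE_USERS), is_valid_filter(wrapped_filter(THREE_USERS)))
```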

LDAP query to get account name from SID

So I have the SID of an FSP: S-1-5-21-2127521184-1604012920-1887927527-72713.
Translation worked in PowerShell, but I would like to do the LDAP query myself, like here, but I have a little trouble with proper SID conversion.
Could you help me with a query that gives me the corresponding account name based on the SID?
You can bind directly to an object using the SID using LDAP://<SID=S-1-5-21-2127521184-1604012920-1887927527-72713>. Then get the username after that.
In PowerShell, it would look something like:
$account = [adsi]"LDAP://<SID=S-1-5-21-2127521184-1604012920-1887927527-72713>"
$username = $account.Properties["sAMAccountName"]
If the computer you run this from is on a different domain than the account, you may have to specify the domain:
$account = [adsi]"LDAP://domain.com/<SID=S-1-5-21-2127521184-1604012920-1887927527-72713>"
If you have Java available you can query the ObjectSID directly.
We show an Example with code
I am able to use an ldapsearch like:
ldapsearch -h example.net -D "EXAMPLE\myID" -b "OU=Accounts,DC=EXAMPLE,DC=NET" -s sub -a search -z 1000 "(ObjectSID=S-1-5-21-333675845-1535931152-1111140340-22234762)" "objectClass"
And get results.
# extended LDIF
# LDAPv3
# base <OU=Accounts,DC=EXAMPLE,DC=NET> with scope subtree
# filter: (ObjectSID=S-1-5-21-333675845-1535931152-1111140340-22234762)
# requesting: objectClass samAccountName
#
# userid, sales, Accounts, EXAMPLE.NET
dn: CN=userid,OU=sales,OU=Accounts,DC=EXAMPLE,DC=NET
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
sAMAccountName: userid
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
This search is done from a Linux machine and done by a user that is not represented by the ObjectSID.
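An added example (not from the original answers) for the SID conversion the question mentions: it packs a textual SID into the binary layout stored in objectSid (revision, sub-authority count, 48-bit big-endian identifier authority, then 32-bit little-endian sub-authorities), renders it as the backslash-escaped form an LDAP filter needs when the client does not do AD's string-SID conversion for you, and decodes the bytes back so a returned value can be verified. Function names and the sample SID (from the question) are mine.

```python
import struct

# Added example, not from the original answers: textual SID <-> objectSid bytes,
# plus an escaped (objectSid=\xx...) filter for clients without AD's string-SID support.

SAMPLE_SID = "S-1-5-21-2127521184-1604012920-1887927527-72713"  # SID from the question


def sid_to_bytes(sid):
    """'S-1-5-21-...' -> bytes in the wire layout AD stores in objectSid."""
    parts = sid.split('-')
    if len(parts) < 3 or parts[0].upper() != 'S':
        raise ValueError('not a SID: %r' % sid)
    revision = int(parts[1])
    authority = int(parts[2])               # 48-bit, big-endian
    subs = [int(p) for p in parts[3:]]      # each 32-bit, little-endian
    if not 0 <= authority < 2 ** 48 or len(subs) > 15:
        raise ValueError('out of range: %r' % sid)
    return (struct.pack('<BB', revision, len(subs))
            + authority.to_bytes(6, 'big')
            + b''.join(struct.pack('<I', s) for s in subs))


def bytes_to_sid(data):
    """Inverse of sid_to_bytes, for checking what a server returns."""
    revision, count = struct.unpack_from('<BB', data, 0)
    authority = int.from_bytes(data[2:8], 'big')
    subs = struct.unpack_from('<%dI' % count, data, 8)
    return 'S-%d-%d' % (revision, authority) + ''.join('-%d' % s for s in subs)


def sid_filter(sid):
    """(objectSid=\\01\\05...) filter: every byte escaped per RFC 4515."""
    return '(objectSid=%s)' % ''.join('\\%02x' % b for b in sid_to_bytes(sid))


def rid(sid):
    """Relative identifier: the last sub-authority of the SID."""
    return int(sid.split('-')[-1])


if __name__ == '__main__':
    print(sid_filter(SAMPLE_SID))
    print(bytes_to_sid(sid_to_bytes(SAMPLE_SID)) == SAMPLE_SID, rid(SAMPLE_SID))
```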

How to add an attribute to an LDAP schema

I am trying to add a new attribute named sAMAccountName to an already existing LDAP schema definition which is read by IM-LDAP using UnboundID LDAP SDK.
I have added an attributeTypes entry and sAMAccountName to matchingRuleUse.
attributeTypes: ( 2.5.18.11 NAME 'sAMAccountName' DESC 'MS Sec Principal User' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE NO-USER-MODIFICATION USAGE directoryOperation )
matchingRuleUse: ( 2.5.13.1 NAME 'distinguishedNameMatch' APPLIES ( creatorsName $ ... $ sAMAccountName ) )
For every previously existing attribute a call to com.unboundid.ldap.sdk.schema.Schema.getAttributeType("attrName") returns the attribute type. But not for my new attribute.
What am I missing?
Edited 10/11/18 after #jwilleke comment:
What I am trying to achieve is a mock using IM-LDAP for a very limited functionality of an Active Directory server.
In the actual AD production environment, there are entries representing users with objectClass: person, organizationalPerson,simulatedMicrosoftSecurityPrincipal.
In AD these entries contain sAMAccountName and memberof attributes.
But they are not there in the schema that comes with IM-LDAP.
The authentication Java code first performs a search on
(&(objectClass=user)(sAMAccountName=userAccountName))
Then if an entry in found, it checks whether a given security group name is present in the multivalued attribute memberof.
An entry exported from the production AD server looks like this :
dn: cn=Smith\,John,ou=User Accounts,dc=ACME,dc=CORE,dc=INT
changetype: add
objectClass: person
objectClass: organizationalPerson
objectClass: simulatedMicrosoftSecurityPrincipal
cn: Smith,John
sn: JohnS
sAMAccountName: JohnS
userPassword: johnspasswd
memberof: ou=Service Accounts,dc=ACME,dc=CORE,dc=INT
The two new attributes are added to objectClass simulatedMicrosoftSecurityPrincipal in the schema by adding:
objectClasses: ( 2.5.6.24 NAME 'simulatedMicrosoftSecurityPrincipal' DESC 'MSSecurityPrincipal' SUP top AUXILIARY MUST sAMAccountName MAY memberof )
But when I try to import these entries into the LDAP mock I get an error telling me that sAMAccountName and memberof are not defined.
EDIT 2:
attributeTypes: ( 1.2.840.113556.1.4.221 NAME 'sAMAccountName' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE )
Worked for adding sAMAccountName, but still trying to figure out how to add memberOf.
Here is the complete .ldif file.
This is what finally worked for me
objectClasses: ( 1.2.840.113556.1.5.6 NAME 'microsoftSecurityPrincipal' DESC 'MS SecurityPrincipal' SUP top AUXILIARY MUST ( sAMAccountName $ memberOf ) )
attributeTypes: ( 1.2.840.113556.1.4.221 NAME 'sAMAccountName' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE )
attributeTypes: ( 1.2.840.113556.1.2.102 NAME 'memberOf' SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
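An added example (not from the original post) that catches the "not defined" error above before the LDIF is loaded: it reads attributeTypes and objectClasses lines of the kind shown, collects the attribute names that are actually defined, and reports every MUST/MAY reference with no definition, comparing names case-insensitively as LDAP does (so memberof and memberOf match). The regexes, helper names and the embedded copy of the working schema are mine.

```python
import re

# Added example, not from the original post: report MUST/MAY attributes that an
# objectClasses line references but no attributeTypes line defines.

NAME_RE = re.compile(r"NAME\s+'([^']+)'")
MUST_RE = re.compile(r"\bMUST\s+(\([^)]*\)|\S+)")
MAY_RE = re.compile(r"\bMAY\s+(\([^)]*\)|\S+)")

# Constructed copy of the schema that the answer says finally worked.
WORKING_SCHEMA = """\
objectClasses: ( 1.2.840.113556.1.5.6 NAME 'microsoftSecurityPrincipal' DESC 'MS SecurityPrincipal' SUP top AUXILIARY MUST ( sAMAccountName $ memberOf ) )
attributeTypes: ( 1.2.840.113556.1.4.221 NAME 'sAMAccountName' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE )
attributeTypes: ( 1.2.840.113556.1.2.102 NAME 'memberOf' SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
"""


def _names(group):
    """'( a $ b )' or 'a' -> ['a', 'b']."""
    return [n.strip() for n in group.strip('() ').split('$') if n.strip()]


def undefined_attributes(schema_text):
    """Sorted attribute names referenced by MUST/MAY but never defined."""
    defined = set()
    referenced = set()
    for line in schema_text.splitlines():
        line = line.strip()
        lowered = line.lower()
        if lowered.startswith('attributetypes:'):
            m = NAME_RE.search(line)
            if m:
                defined.add(m.group(1).lower())
        elif lowered.startswith('objectclasses:'):
            for rx in (MUST_RE, MAY_RE):
                m = rx.search(line)
                if m:
                    referenced.update(_names(m.group(1)))
    return sorted(a for a in referenced if a.lower() not in defined)


if __name__ == '__main__':
    print(undefined_attributes(WORKING_SCHEMA))   # expect an empty list
```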

Cannot get list of groups users in AD - memberOf function not working

This query works fine:
(&(objectCategory=user)(objectClass=user)(memberOf=*) )
but any of the following, with a specific group selected, return no result:
(&(objectCategory=user)(objectClass=user)(memberOf=myGroup) )
(&(objectCategory=user)(objectClass=user)(memberOf=CN=myGroup) )
(&(objectCategory=user)(objectClass=user)(memberOf:1.2.840.113556.1.4.1941:=CN=myGroup) )
It's because the memberOf attribute stores DN values, so you have to provide a DN in the filter.
And by DN I mean a full DN, all the way to the root of the LDAP directory tree.
If your group CN=myGroup is in the branch ou=groups and the baseDN of your directory is dc=local,dc=com, you have to specify a filter like:
memberof=CN=myGroup,ou=groups,dc=local,dc=com

LDIF for creating Active Directory users and groups in OpenLDAP?

I have a web application that uses Active Directory to authenticate users, and I'm trying to replace AD with OpenLDAP.
The documentation says that I need to log on the domain controller as administrator, open the user management window, click on the appropriate organizational unit and add the userids to the proper groups (these groups should have scope "Global" and group type "Security").
I need to create the equivalent entries on my OpenLDAP server. Can someone provide an example LDIF for this? I don't know the class nor the attributes I should use, and I don't have access to a domain controller. The most problematic items seem to be group type and scope, because they seem to be binary values, not strings.
Please note that I don't want to replace Active Directory completely - I just need userids and groups. I've tried adding microsoft.schema to OpenLDAP, but it doesn't work. I've found some information about modifying the schema for Microsoft Outlook; I need something similar but simpler.
It's almost impossible to convert the entire ActiveDirectory schema to OpenLDAP, it's huge. However, we can add only the needed attributes and classes:
attributetype ( 1.2.840.113556.1.4.750 NAME 'groupType'
SYNTAX '1.3.6.1.4.1.1466.115.121.1.27' SINGLE-VALUE
)
attributetype ( 1.3.114.7.4.2.0.33 NAME 'memberOf'
SYNTAX '1.3.6.1.4.1.1466.115.121.1.26'
)
objectclass ( 1.2.840.113556.1.5.9 NAME 'user'
DESC 'a user'
SUP organizationalPerson STRUCTURAL
MUST ( cn )
MAY ( userPassword $ memberOf ) )
objectclass ( 1.2.840.113556.1.5.8 NAME 'group'
DESC 'a group of users'
SUP top STRUCTURAL
MUST ( groupType $ cn )
MAY ( member ) )
Then it's easy to create an LDIF file for inserting the users and groups:
dn: dc=myCompany
objectClass: top
objectClass: dcObject
objectClass: organization
dc: myCompany
o: LocalBranch

dn: ou=People,dc=myCompany
objectClass: top
objectClass: organizationalUnit
ou: People
description: Test database

dn: cn=Users,dc=myCompany
objectClass: groupOfNames
objectClass: top
cn: Users
member: cn=Manager,cn=Users,dc=myCompany

dn: cn=Manager,cn=Users,dc=myCompany
objectClass: person
objectClass: top
cn: Manager
sn: Manager
userPassword:: e1NIQX1tc0lKSXJCVU1XdmlPRUtsdktmV255bjJuWGM9

dn: cn=ReadWrite,ou=People,dc=myCompany
objectClass: group
objectClass: top
cn: ReadWrite
groupType: 2147483650
member: cn=sysconf,ou=People,dc=myCompany

dn: cn=sysopr,ou=People,dc=myCompany
objectClass: user
objectClass: organizationalPerson
objectClass: person
objectClass: top
cn: sysopr
sn: team
memberOf: cn=ReadOnly,ou=People,dc=myCompany
userPassword:: e1NIQX1jUkR0cE5DZUJpcWw1S09Rc0tWeXJBMHNBaUE9
Ok, here is the beginning of an answer:
Once you have installed OpenLDAP:
A - Edit your slapd.conf to:
1) Modify the schemas included
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
2) Modify the schema files as explained in this FAQ
3) Modify your naming context (personally I'm using HDB as backend)
database hdb
suffix "dc=dom,dc=com"
rootdn "cn=Manager,dc=dom,dc=com"
rootpw secret
directory /usr/local/var/openldap-hdb
4) Then restart your directory
B - Insert your root
Here is the LDIF file (root.ldif)
dn: dc=dom,dc=com
objectclass: dcObject
objectclass: organization
o: Company name
dc: dom
Here is the command line
ldapadd -x -D "cn=Manager,dc=dom,dc=com" -W -f root.ldif
C - Insert a user
Here is the LDIF file (user.ldif)
dn: cn=user1,dc=dom,dc=com
objectClass: inetOrgPerson
sn: users
cn: user1
telephoneNumber: 9999
Here is the command line
ldapadd -x -D "cn=Manager,dc=dom,dc=com" -W -f user.ldif
D - An advice
Apache Directory Studio is, for me, a VERY good LDAP browser; it's open source and runs on top of Java on Linux and Windows. Using it you can graphically browse AD and OpenLDAP and do parts B and C just by clicking.
The Active Directory schema (classes and attributes) is documented in the MSDN. For example, here is the information about groupType. Is it what you expect?