LDIF for creating Active Directory users and groups in OpenLDAP? - active-directory

I have a web application that uses Active Directory to authenticate users, and I'm trying to replace AD with OpenLDAP.
The documentation says that I need to log on the domain controller as administrator, open the user management window, click on the appropriate organizational unit and add the userids to the proper groups (these groups should have scope "Global" and group type "Security").
I need to create the equivalent entries on my OpenLDAP server. Can someone provide an example LDIF for this? I don't know the class or the attributes I should use, and I don't have access to a domain controller. The most problematic items seem to be group type and scope, because they seem to be binary values, not strings.
Please note that I don't want to replace Active Directory completely - I just need userids and groups. I've tried adding microsoft.schema to OpenLDAP, but it doesn't work. I've found some information about modifying the schema for Microsoft Outlook; I need something similar but simpler.

It's almost impossible to convert the entire Active Directory schema to OpenLDAP; it's huge. However, we can add only the needed attributes and classes:
attributetype ( 1.2.840.113556.1.4.750 NAME 'groupType'
SYNTAX '1.3.6.1.4.1.1466.115.121.1.27' SINGLE-VALUE
)
attributetype ( 1.3.114.7.4.2.0.33 NAME 'memberOf'
SYNTAX '1.3.6.1.4.1.1466.115.121.1.26'
)
objectclass ( 1.2.840.113556.1.5.9 NAME 'user'
DESC 'a user'
SUP organizationalPerson STRUCTURAL
MUST ( cn )
MAY ( userPassword $ memberOf ) )
objectclass ( 1.2.840.113556.1.5.8 NAME 'group'
DESC 'a group of users'
SUP top STRUCTURAL
MUST ( groupType $ cn )
MAY ( member ) )
Then it's easy to create an LDIF file for inserting the users and groups:
dn: dc=myCompany
objectClass: top
objectClass: dcObject
objectClass: organization
dc: myCompany
o: LocalBranch

dn: ou=People,dc=myCompany
objectClass: top
objectClass: organizationalUnit
ou: People
description: Test database

dn: cn=Users,dc=myCompany
objectClass: groupOfNames
objectClass: top
cn: Users
member: cn=Manager,cn=Users,dc=myCompany

dn: cn=Manager,cn=Users,dc=myCompany
objectClass: person
objectClass: top
cn: Manager
sn: Manager
userPassword:: e1NIQX1tc0lKSXJCVU1XdmlPRUtsdktmV255bjJuWGM9

dn: cn=ReadWrite,ou=People,dc=myCompany
objectClass: group
objectClass: top
cn: ReadWrite
groupType: 2147483650
member: cn=sysconf,ou=People,dc=myCompany

dn: cn=sysopr,ou=People,dc=myCompany
objectClass: user
objectClass: organizationalPerson
objectClass: person
objectClass: top
cn: sysopr
sn: team
memberOf: cn=ReadOnly,ou=People,dc=myCompany
userPassword:: e1NIQX1jUkR0cE5DZUJpcWw1S09Rc0tWeXJBMHNBaUE9
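As an added example (not part of the answer above), the following Python decodes and builds groupType values using the flag bits documented for the Active Directory Group-Type attribute. It confirms that the 2147483650 in the ReadWrite entry is 0x80000002, a security-enabled global group, which is exactly the "Global" scope and "Security" type the application's documentation asks for, and it shows the signed form (-2147483646) that AD tools display for the same value. The group entry embedded in it is copied from the LDIF above; everything else is constructed here.

```python
# Added example, not from the original answer: decode and build Active Directory
# groupType values so the value in the LDIF above (2147483650) can be checked.
# Bit meanings are the documented Group-Type flags.

GROUP_TYPE_FLAGS = {
    0x00000001: "BUILTIN_LOCAL",     # system-created builtin group
    0x00000002: "GLOBAL",            # scope: global
    0x00000004: "DOMAIN_LOCAL",      # scope: domain local
    0x00000008: "UNIVERSAL",         # scope: universal
    0x00000010: "APP_BASIC",         # AzMan application basic group
    0x00000020: "APP_QUERY",         # AzMan application query group
    0x80000000: "SECURITY_ENABLED",  # bit clear means a distribution group
}
SCOPE_BITS = {"global": 0x2, "domainlocal": 0x4, "universal": 0x8}


def decode_group_type(value: int) -> dict:
    """Return scope, security flag and all set flag names for a groupType integer.
    Accepts both the unsigned form (2147483650) and the signed form AD tools
    display (-2147483646)."""
    value &= 0xFFFFFFFF
    flags = [name for bit, name in GROUP_TYPE_FLAGS.items() if value & bit]
    scope = next((s for s, bit in SCOPE_BITS.items() if value & bit), None)
    return {"scope": scope, "security": bool(value & 0x80000000), "flags": flags}


def encode_group_type(scope: str, security: bool = True) -> int:
    """Build the unsigned groupType value for a scope and group type."""
    bits = SCOPE_BITS[scope.lower()]
    if security:
        bits |= 0x80000000
    return bits


def group_type_as_signed(value: int) -> int:
    """AD stores groupType as a signed 32-bit integer; this is the value ldifde shows."""
    return value - (1 << 32) if value & 0x80000000 else value


def check_ldif_group(entry_text: str) -> dict:
    """Parse a minimal single-entry LDIF group and decode its groupType."""
    attrs = {}
    for line in entry_text.strip().splitlines():
        key, _, val = line.partition(": ")
        attrs.setdefault(key.strip(), []).append(val.strip())
    return {"cn": attrs["cn"][0], **decode_group_type(int(attrs["groupType"][0]))}


# The ReadWrite entry from the LDIF above.
READWRITE_ENTRY = """dn: cn=ReadWrite,ou=People,dc=myCompany
objectClass: group
objectClass: top
cn: ReadWrite
groupType: 2147483650
member: cn=sysconf,ou=People,dc=myCompany
"""

if __name__ == "__main__":
    print(check_ldif_group(READWRITE_ENTRY))
    # {'cn': 'ReadWrite', 'scope': 'global', 'security': True, 'flags': ['GLOBAL', 'SECURITY_ENABLED']}
    print(hex(encode_group_type("global")), group_type_as_signed(encode_group_type("global")))
    # 0x80000002 -2147483646
```

Because OpenLDAP's INTEGER syntax (1.3.6.1.4.1.1466.115.121.1.27, used for groupType in the schema above) is a plain decimal string, either the unsigned or the signed form can be stored; what matters is that the application reads the same form it expects from AD.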

Ok, here is the beginning of an answer:
Once you have installed your OpenLDAP:
A - Edit your slapd.conf to:
1) Modify the schemas included:
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
2) Modify the schema files as explained in this FAQ
3) Modify your naming context (personally I'm using HDB as backend):
database hdb
suffix "dc=dom,dc=com"
rootdn "cn=Manager,dc=dom,dc=com"
rootpw secret
directory /usr/local/var/openldap-hdb
4) Then restart your directory
B - Insert your root
Here is the LDIF file (root.ldif)
dn: dc=dom,dc=com
objectclass: dcObject
objectclass: organization
o: Company name
dc: dom
Here is the command line
ldapadd -x -D "cn=Manager,dc=dom,dc=com" -W -f root.ldif
C - Insert a user
Here is the LDIF file (user.ldif)
dn: cn=user1,dc=dom,dc=com
objectClass: inetOrgPerson
sn: users
cn: user1
telephoneNumber: 9999
Here is the command line
ldapadd -x -D "cn=Manager,dc=dom,dc=com" -W -f user.ldif
D - Some advice
Apache Directory Studio is, for me, a VERY good LDAP browser; it's open source and runs on top of Java on Linux and Windows. Using it you can graphically browse AD and OpenLDAP and do parts B and C just by clicking.
The Active Directory schema (classes and attributes) is documented in the MSDN. For example, here is the information about groupType. Is it what you expect?

Related

LDAP query to get account name from SID

So I have a SID of a FSP: S-1-5-21-2127521184-1604012920-1887927527-72713.
Translation worked in PowerShell, but I would like to do the LDAP query myself, like here, and I have a little trouble with proper SID conversion.
Could you help me with a query that gives me the corresponding account name based on the SID?
You can bind directly to an object by its SID using LDAP://<SID=S-1-5-21-2127521184-1604012920-1887927527-72713>. Then get the username from that.
In PowerShell, it would look something like:
$account = [adsi]"LDAP://<SID=S-1-5-21-2127521184-1604012920-1887927527-72713>"
$username = $account.Properties["sAMAccountName"]
If the computer you run this from is on a different domain than the account, you may have to specify the domain:
$account = [adsi]"LDAP://domain.com/<SID=S-1-5-21-2127521184-1604012920-1887927527-72713>"
If you have Java available, you can query the objectSID directly.
We show an example with code.
I am able to use an ldapsearch like:
ldapsearch -h example.net -D "EXAMPLE\myID" -b "OU=Accounts,DC=EXAMPLE,DC=NET" -s sub -a search -z 1000 "(ObjectSID=S-1-5-21-333675845-1535931152-1111140340-22234762)" "objectClass"
And get results.
# extended LDIF
# LDAPv3
# base <OU=Accounts,DC=EXAMPLE,DC=NET> with scope subtree
# filter: (ObjectSID=S-1-5-21-333675845-1535931152-1111140340-22234762)
# requesting: objectClass samAccountName
#

# userid, sales, Accounts, EXAMPLE.NET
dn: CN=userid,OU=sales,OU=Accounts,DC=EXAMPLE,DC=NET
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
sAMAccountName: userid

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
This search is done from a Linux machine, by a user that is not represented by the objectSID.
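Active Directory accepts the S-1-5-... string form of objectSid in a filter, as the ldapsearch above shows, and the <SID=...> binding form in the PowerShell answer. The "proper SID conversion" the question asks about is needed when a search returns objectSid as raw bytes, or when a filter must use the RFC 4515 escaped binary form. The following Python is an added example, not code from any of the posts above; it encodes and decodes the binary SID layout (revision, sub-authority count, 48-bit big-endian identifier authority, then 32-bit little-endian sub-authorities) and uses the SID from the question as its sample value.

```python
import struct

# Added example, not from the original posts: convert between the S-1-5-... string
# form of a SID and the binary layout Active Directory stores in objectSid.


def sid_string_to_bytes(sid: str) -> bytes:
    """Encode 'S-R-A-s1-s2-...': revision (1 byte), sub-authority count (1 byte),
    identifier authority (6 bytes, big-endian), sub-authorities (4 bytes each,
    little-endian)."""
    parts = sid.strip().split("-")
    if len(parts) < 3 or parts[0].upper() != "S":
        raise ValueError("not a SID string: %r" % sid)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if not 0 <= len(subs) <= 15 or authority >= 1 << 48:
        raise ValueError("SID out of range: %r" % sid)
    return (struct.pack("<BB", revision, len(subs))
            + authority.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))


def sid_bytes_to_string(data: bytes) -> str:
    """Decode a raw objectSid value (as a search returns it) back to S-1-5-... form,
    rejecting values whose length does not match their sub-authority count."""
    if len(data) < 8:
        raise ValueError("SID too short")
    revision, count = data[0], data[1]
    if len(data) != 8 + 4 * count:
        raise ValueError("SID length %d does not match sub-authority count %d"
                         % (len(data), count))
    authority = int.from_bytes(data[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, data, 8)
    return "S-%d-%d%s" % (revision, authority, "".join("-%d" % s for s in subs))


def sid_filter_value(sid: str) -> str:
    """Escape the binary SID per RFC 4515 for use as (objectSid=...) on any server
    that exposes the attribute as an octet string."""
    return "".join("\\%02x" % b for b in sid_string_to_bytes(sid))


def sid_rid(sid: str) -> int:
    """The relative identifier: the last sub-authority (72713 for the FSP in the question)."""
    return int(sid.strip().split("-")[-1])


EXAMPLE_SID = "S-1-5-21-2127521184-1604012920-1887927527-72713"  # from the question

if __name__ == "__main__":
    raw = sid_string_to_bytes(EXAMPLE_SID)
    print(raw.hex())
    print(sid_bytes_to_string(raw))
    print("(objectSid=%s)" % sid_filter_value(EXAMPLE_SID))
    print("RID:", sid_rid(EXAMPLE_SID))
```

The length check in sid_bytes_to_string matters when the value comes from an untrusted or foreign source (a foreign security principal, an exported LDIF): a count byte that does not agree with the payload length is a malformed SID and should be reported rather than silently truncated.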

How to add an attribute to an LDAP schema

I am trying to add a new attribute named sAMAccountName to an already existing LDAP schema definition which is read by IM-LDAP using UnboundID LDAP SDK.
I have added an attributeTypes entry and sAMAccountName to matchingRuleUse.
attributeTypes: ( 2.5.18.11 NAME 'sAMAccountName' DESC 'MS Sec Principal User' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE NO-USER-MODIFICATION USAGE directoryOperation )
matchingRuleUse: ( 2.5.13.1 NAME 'distinguishedNameMatch' APPLIES ( creatorsName $ ... $ sAMAccountName ) )
For every previously existing attribute a call to com.unboundid.ldap.sdk.schema.Schema.getAttributeType("attrName") returns the attribute type. But not for my new attribute.
What am I missing?
Edited 10/11/18 after @jwilleke's comment:
What I am trying to achieve is a mock, using IM-LDAP, of a very limited part of an Active Directory server's functionality.
In the actual AD production environment, there are entries representing users with objectClass: person, organizationalPerson, simulatedMicrosoftSecurityPrincipal.
In AD these entries contain sAMAccountName and memberof attributes.
But they are not there in the schema that comes with IM-LDAP.
The authentication Java code first performs a search on
(&(objectClass=user)(sAMAccountName=userAccountName))
Then, if an entry is found, it checks whether a given security group name is present in the multivalued attribute memberof.
An entry exported from the production AD server looks like this:
dn: cn=Smith\,John,ou=User Accounts,dc=ACME,dc=CORE,dc=INT
changetype: add
objectClass: person
objectClass: organizationalPerson
objectClass: simulatedMicrosoftSecurityPrincipal
cn: Smith,John
sn: JohnS
sAMAccountName: JohnS
userPassword: johnspasswd
memberof: ou=Service Accounts,dc=ACME,dc=CORE,dc=INT
The two new attributes are added to objectClass simulatedMicrosoftSecurityPrincipal in the schema by adding:
objectClasses: ( 2.5.6.24 NAME 'simulatedMicrosoftSecurityPrincipal' DESC 'MSSecurityPrincipal' SUP top AUXILIARY MUST sAMAccountName MAY memberof )
But when I try to import these entries into the LDAP mock I get an error telling me that sAMAccountName and memberof are not defined.
EDIT 2:
attributeTypes: ( 1.2.840.113556.1.4.221 NAME 'sAMAccountName' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE )
Worked for adding sAMAccountName, but I'm still trying to figure out how to add memberOf.
Here is the complete .ldif file.
This is what finally worked for me
objectClasses: ( 1.2.840.113556.1.5.6 NAME 'microsoftSecurityPrincipal' DESC 'MS SecurityPrincipal' SUP top AUXILIARY MUST ( sAMAccountName $ memberOf ) )
attributeTypes: ( 1.2.840.113556.1.4.221 NAME 'sAMAccountName' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE )
attributeTypes: ( 1.2.840.113556.1.2.102 NAME 'memberOf' SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
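The error in the question ("sAMAccountName and memberof are not defined") is the generic schema consistency rule: every attribute an object class lists under MUST or MAY has to exist as an attributeTypes definition, with names compared case-insensitively. The following Python is an added example, not the poster's code or part of the UnboundID SDK: a small checker that parses RFC 4512 style definitions, both the LDIF "attributeTypes:"/"objectClasses:" form used here and the multi-line "attributetype ( ... )"/"objectclass ( ... )" form used in the OpenLDAP answer higher up, and reports the attributes each class references that nothing defines. It embeds the question's first attempt and final schema as its sample inputs.

```python
import re

# Added example (not the poster's code): a consistency check for schema definitions
# in RFC 4512 form. It parses attributeTypes/objectClasses entries and reports every
# attribute an object class requires or allows that no attributeTypes entry defines.

_NAME_RE = re.compile(r"\bNAME\s+(?:'([^']*)'|\(\s*((?:'[^']*'\s*)+)\))")


def _logical_definitions(text):
    """Yield one definition per logical line, joining lines until parentheses balance."""
    buf, depth = [], 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        buf.append(line)
        depth += line.count("(") - line.count(")")
        if depth <= 0:
            yield " ".join(buf)
            buf, depth = [], 0


def _names(definition):
    m = _NAME_RE.search(definition)
    if not m:
        return []
    return [m.group(1)] if m.group(1) else re.findall(r"'([^']*)'", m.group(2))


def _attribute_list(definition, keyword):
    """Names after MUST or MAY: either a single name or a ( a $ b ) list."""
    m = re.search(r"\b%s\s+(?:\(\s*([^)]*)\)|'?([A-Za-z][\w.-]*)'?)" % keyword, definition)
    if not m:
        return []
    body = m.group(1) if m.group(1) is not None else m.group(2)
    return [t.strip().strip("'") for t in body.split("$") if t.strip()]


def parse_schema(text):
    """Return (defined attribute names, lower-cased) and {class name: attributes it uses}."""
    attributes, classes = set(), {}
    for definition in _logical_definitions(text):
        kind = definition.split(None, 1)[0].rstrip(":").lower()
        names = _names(definition)
        if not names:
            continue
        if kind in ("attributetype", "attributetypes"):
            attributes.update(n.lower() for n in names)
        elif kind in ("objectclass", "objectclasses"):
            classes[names[0]] = (_attribute_list(definition, "MUST")
                                 + _attribute_list(definition, "MAY"))
    return attributes, classes


def undefined_attributes(text, known=()):
    """Map each object class to the attributes it references that are defined neither
    in text nor in known (names the server already ships, e.g. cn, sn, member)."""
    defined, classes = parse_schema(text)
    defined |= {k.lower() for k in known}
    report = {}
    for cls, used in classes.items():
        missing = sorted(a for a in used if a.lower() not in defined)
        if missing:
            report[cls] = missing
    return report


# The question's first attempt (the class references memberof, but only
# sAMAccountName is defined) and the final working definitions.
FIRST_ATTEMPT = """
objectClasses: ( 2.5.6.24 NAME 'simulatedMicrosoftSecurityPrincipal' DESC 'MSSecurityPrincipal' SUP top AUXILIARY MUST sAMAccountName MAY memberof )
attributeTypes: ( 1.2.840.113556.1.4.221 NAME 'sAMAccountName' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE )
"""

FINAL = """
objectClasses: ( 1.2.840.113556.1.5.6 NAME 'microsoftSecurityPrincipal' DESC 'MS SecurityPrincipal' SUP top AUXILIARY MUST ( sAMAccountName $ memberOf ) )
attributeTypes: ( 1.2.840.113556.1.4.221 NAME 'sAMAccountName' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE )
attributeTypes: ( 1.2.840.113556.1.2.102 NAME 'memberOf' SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
"""

if __name__ == "__main__":
    print(undefined_attributes(FIRST_ATTEMPT))  # {'simulatedMicrosoftSecurityPrincipal': ['memberof']}
    print(undefined_attributes(FINAL))          # {}
```

Two caveats when applying the same check by hand: in an OpenLDAP slapd.conf the attributetype definitions must appear before any objectclass that references them, whereas in a subschema LDIF loaded into a single Schema object the order does not matter; and the first attempt's sAMAccountName definition also carried USAGE directoryOperation, which makes it an operational attribute that the server would not accept from an ordinary add, so a definition being present is not the same as it being usable in an entry.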

SSSD - LDAP group based access - ldap schema rfc2307bis

I'm having trouble setting up access_provider = ldap in SSSD. Problem is with the ldap_access_filter.
LDAP side looks like this:
USER:
# username, users, location, dc1.dc2
dn: uid=username,ou=users,l=location,dc=dc1,dc=dc2
shadowExpire: 17507
shadowLastChange: 17494
shadowMin: 0
shadowMax: 0
shadowInactive: 0
shadowFlag: 0
shadowWarning: 0
loginShell: /bin/bash
homeDirectory: /home/username
gidNumber: 2341
uidNumber: 6432
uid: username
mail: username@company.com
sn: Name
objectClass: organizationalPerson
objectClass: person
objectClass: posixAccount
objectClass: top
objectClass: inetOrgPerson
objectClass: shadowAccount
cn: User Name
title: User Title
mobile: xxxxxxxxx
manager: uid=usermanager,ou=users,l=location,dc=dc1,dc=dc2
GROUP:
# allowed-group, groups, location, dc1.dc2
dn: cn=allowed-group,ou=groups,l=location,dc=dc1,dc=dc2
cn: allowed-group
objectClass: top
objectClass: groupOfUniqueNames
objectClass: posixGroup
gidNumber: 2140
description: Group description
uniqueMember: uid=username,ou=users,l=location,dc=dc1,dc=dc2
I've tried to set ldap_access_filter = uniqueMember=cn=allowed-group, but it always denies access with the following message:
(Tue Dec 5 18:22:44 2017) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(uid=username)(objectclass=posixAccount)(uniqueMember=cn=allowed-group,ou=groups,l=location,dc=dc1,dc=dc1))][uid=username,ou=users,l=location,dc=dc1,dc=dc2].
(Tue Dec 5 18:22:44 2017) [sssd[be[LDAP]]] [sdap_access_filter_done] (0x0100): User [username@ldap] was not found with the specified filter. Denying access.
sssd.conf
[sssd]
config_file_version = 2
services = nss, pam
domains = LDAP
[nss]
filter_users = root,ldap,named,avahi,haldaemon,dbus,radiusd,news,nscd,nagios
[pam]
[domain/LDAP]
id_provider = ldap
auth_provider = ldap
access_provider = ldap
ldap_uri = ldap://uri
ldap_schema = rfc2307bis
ldap_search_base = l=location,dc=dc1,dc=dc2
ldap_group_object_class = groupOfUniqueNames
ldap_group_member = uniqueMember
ldap_access_order = filter, expire
ldap_account_expire_policy = shadow
ldap_access_filter = uniqueMember=cn=allowed-group,ou=groups,l=location,dc=dc1,dc=dc1
cache_credentials = true
enumerate = true
debug_level = 8
ldap_tls_reqcert = demand
ldap_tls_cacertdir = /etc/openldap/cacerts
ldap_tls_cacert = /etc/pki/tls/cacert.pem
Is anyone able to point out how to create a correct ldap_access_filter for that LDAP schema?
You need sssd to be looking at the user's attributes, not the group's list of users, e.g.:
ldap_access_filter = memberOf=cn=allowed-group,ou=groups,l=location,dc=dc1,dc=dc1
To get that memberOf attribute into your users' records you need to use the memberof overlay (assuming your LDAP server is running OpenLDAP).
Alternatively, for group-based access control, you can use access_provider=simple and then list the allowed groups.
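The debug line in the question shows what the answer describes: sssd runs the access filter as a base-scope search on the user's own DN (the second bracket, uid=username,...), so a uniqueMember clause can never match because that attribute lives on the group entry. As an added example, not taken from the question or the answer, here is the domain section of an sssd.conf with both working variants side by side, using the suffix dc=dc1,dc=dc2 that the posted user and group entries actually carry (the filter in the question and the log end in dc=dc1,dc=dc1, which would not match even with the right attribute).

```ini
[sssd]
config_file_version = 2
services = nss, pam
domains = LDAP

[nss]
filter_users = root,ldap,named,avahi,haldaemon,dbus,radiusd,news,nscd,nagios

[pam]

[domain/LDAP]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://uri
ldap_schema = rfc2307bis
ldap_search_base = l=location,dc=dc1,dc=dc2
ldap_group_object_class = groupOfUniqueNames
ldap_group_member = uniqueMember
ldap_tls_reqcert = demand
ldap_tls_cacertdir = /etc/openldap/cacerts
ldap_tls_cacert = /etc/pki/tls/cacert.pem

; Variant 1: access_provider = ldap. The filter is evaluated against the USER
; entry, so it must name an attribute the user entry carries. memberOf is only
; present if the server maintains it (OpenLDAP: the memberof overlay, configured
; for groupOfUniqueNames / uniqueMember); uniqueMember is on the group, not the user.
access_provider = ldap
ldap_access_order = filter, expire
ldap_account_expire_policy = shadow
ldap_access_filter = (memberOf=cn=allowed-group,ou=groups,l=location,dc=dc1,dc=dc2)

; Variant 2 (use instead of variant 1): let sssd resolve membership itself from
; the group's uniqueMember list, so no memberOf attribute is needed on users.
; access_provider = simple
; simple_allow_groups = allowed-group
```

If variant 1 is chosen on OpenLDAP, the memberof overlay (slapo-memberof, with memberof-group-oc set to groupOfUniqueNames and memberof-member-ad set to uniqueMember) only maintains memberOf for group changes made after it is enabled, so existing memberships have to be re-applied before the filter will match; verify with an ldapsearch of the user entry requesting memberOf before relying on it for access control.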

Different Permissions in Apache Shiro for every User?

I built a database with the entities user and permission:
user (id, email, password, permission)
permission (id, create_user, delete_user, user_fk)
create_user and delete_user are BOOLEAN.
Relationship: one-to-one.
Now every user can have its own permissions.
My question is: how can I use Shiro to read the permissions from the database?
If you really only wish to assign permissions on user level, you can "fake" the roles table to make Shiro happy.
As Wouter mentioned, use the JdbcRealm and specify the 3 queries for your table setup.
You should modify your permission table to have this structure:
permission (id, permissionname, user_fk)
Then you insert rows for the create_user/delete_user rights as needed.
This way it's very simple to add another permission (reset_password for example) to your setup, without the need to modify the db schema.
In the shiro.ini (or whatever you call your Shiro config file):
jdbcRealm = org.apache.shiro.realm.jdbc.JdbcRealm
For the queries, then use this:
jdbcRealm.authenticationQuery = select password from user where email=?
jdbcRealm.userRolesQuery = select id from user where email=?
jdbcRealm.permissionsQuery = select permissionname from permission where user_fk=?
The small trick in your setup is: you don't have roles at all, so we just return the id of the user as the role name.
When the lookup in the permission table is done, it then uses the role name (= user pk) and returns the associated permissions.
You should configure a JdbcRealm in your .ini file:
jdbcRealm=org.apache.shiro.realm.jdbc.JdbcRealm
If you change your schema to adhere to the shiro queries, no extra config is needed. You need tables users, user_roles and roles_permissions.
See the source code for how the exact column names should be:
https://svn.apache.org/repos/asf/shiro/trunk/core/src/main/java/org/apache/shiro/realm/jdbc/JdbcRealm.java
Alternatively you can configure your own queries to match your schema in the .ini file like so:
jdbcRealm.authenticationQuery=<your password select statement>
jdbcRealm.userRolesQuery=<your role names for username select statement>
jdbcRealm.permissionsQuery=<your permissions for role name select statement>
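To see how the "role name = user id" trick from the first answer actually resolves, here is an added example (not the poster's code and not part of Shiro) that runs the three statements in the order JdbcRealm issues them, against an in-memory SQLite database built with the suggested permission (id, permissionname, user_fk) layout. The tables, e-mail addresses and password placeholders are constructed sample data. One detail worth knowing from the Shiro configuration side: JdbcRealm only runs the permissions query when jdbcRealm.permissionsLookupEnabled = true is set in the .ini, otherwise the role lookup is the end of authorization.

```python
import sqlite3

# Added example (not the poster's or Shiro's code): the "roles = user id" layout
# exercised against an in-memory SQLite database with the three SQL statements
# as Shiro's JdbcRealm would issue them, in order:
#   authenticationQuery(principal) -> stored password
#   userRolesQuery(principal)      -> role names (here: the user's id)
#   permissionsQuery(role name)    -> permission strings for that role
# Tables, e-mail addresses and password placeholders are constructed sample data.

SCHEMA_SQL = """
CREATE TABLE user (
    id       INTEGER PRIMARY KEY,
    email    TEXT NOT NULL UNIQUE,
    password TEXT NOT NULL            -- holds a password hash, never the password
);
CREATE TABLE permission (
    id             INTEGER PRIMARY KEY,
    permissionname TEXT NOT NULL,
    user_fk        INTEGER NOT NULL REFERENCES user(id)
);
INSERT INTO user VALUES (1, 'alice@example.test', 'hash-placeholder-alice');
INSERT INTO user VALUES (2, 'bob@example.test',   'hash-placeholder-bob');
INSERT INTO permission VALUES (1, 'user:create', 1);
INSERT INTO permission VALUES (2, 'user:delete', 1);
INSERT INTO permission VALUES (3, 'user:create', 2);
"""

# The same strings go into shiro.ini as jdbcRealm.authenticationQuery,
# jdbcRealm.userRolesQuery and jdbcRealm.permissionsQuery.
AUTHENTICATION_QUERY = "SELECT password FROM user WHERE email = ?"
USER_ROLES_QUERY = "SELECT id FROM user WHERE email = ?"
PERMISSIONS_QUERY = "SELECT permissionname FROM permission WHERE user_fk = ?"


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA_SQL)
    return conn


def stored_password(conn, email):
    """Step 1: what the realm compares the submitted credential against."""
    row = conn.execute(AUTHENTICATION_QUERY, (email,)).fetchone()
    return row[0] if row else None


def roles_for(conn, email):
    """Step 2: JdbcRealm reads the role column as a string, so ids become '1', '2', ..."""
    return {str(r[0]) for r in conn.execute(USER_ROLES_QUERY, (email,))}


def permissions_for(conn, email):
    """Step 3: the permissions query is run once per role name (here, once per user)."""
    perms = set()
    for role in roles_for(conn, email):
        perms.update(p[0] for p in conn.execute(PERMISSIONS_QUERY, (role,)))
    return perms


def is_permitted(conn, email, permission):
    return permission in permissions_for(conn, email)


if __name__ == "__main__":
    db = open_db()
    for who in ("alice@example.test", "bob@example.test", "nobody@example.test"):
        print(who, sorted(permissions_for(db, who)))
```

Adding a new right (the reset_password case the answer mentions) is then one INSERT into permission; neither the schema nor the three queries change, and a user with no rows simply gets an empty permission set.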

LDAP query to get Active Directory default folders

I am looking for a query to get the default containers/folders, e.g. Builtin, Users, Computer etc.
Any idea?
Thanks
I don't understand why you want this query, but here it is:
ldifde -f containers.LDIF -d "dc=dom,dc=fr" -r (objectclass=container) -p onelevel -l cn
-r (objectclass=container) is the LDAP filter
-l cn means that I just want to retrieve one attribute (CN)
-p onelevel means that I'm just searching one level under the node where the search begins (-d "dc=dom,dc=fr")
It gives:
dn: CN=Computers,DC=dom,DC=fr
changetype: add
cn: Computers

dn: CN=ForeignSecurityPrincipals,DC=dom,DC=fr
changetype: add
cn: ForeignSecurityPrincipals

dn: CN=Managed Service Accounts,DC=dom,DC=fr
changetype: add
cn: Managed Service Accounts

dn: CN=Program Data,DC=dom,DC=fr
changetype: add
cn: Program Data

dn: CN=System,DC=dom,DC=fr
changetype: add
cn: System

dn: CN=Users,DC=dom,DC=fr
changetype: add
cn: Users
If you just want to see those you normally view, just change the filter to "-r (&(objectclass=container)(showInAdvancedViewOnly=FALSE))", and you will receive:
dn: CN=Computers,DC=dom,DC=fr
changetype: add
cn: Computers

dn: CN=ForeignSecurityPrincipals,DC=dom,DC=fr
changetype: add
cn: ForeignSecurityPrincipals

dn: CN=Managed Service Accounts,DC=dom,DC=fr
changetype: add
cn: Managed Service Accounts

dn: CN=Users,DC=dom,DC=fr
changetype: add
cn: Users
JP
Are you referring to the well-known security principals?
Those well-known principals (groups and users) have specific, pre-defined SIDs which you can use to find them in the directory.
