Dear All,
For the last few days I've been desperately reading official/user-made guides in order to properly configure my openldap to allow users to log in to a project management webapp (namely Redmine). With that said, please let me share the basic setup of the environment I'm dealing with.
Web application(s):
Redmine, Phpldapadmin
LDAP:
Openldap
After the installation, I took the following steps to re-configure my ldap to better reflect the ldap being used in production (since this whole redmine + ldap isn't in production yet):
1. Stopped slapd service and removed the *cn=config.ldif* from */etc/ldap/slapd.d*
2. Modified */usr/share/slapd/slapd.conf* to this:
include         /etc/ldap/schema/core.schema
include         /etc/ldap/schema/cosine.schema
include         /etc/ldap/schema/nis.schema
include         /etc/ldap/schema/inetorgperson.schema

pidfile         /var/run/slapd/slapd.pid
argsfile        /var/run/slapd/slapd.args
loglevel        none

modulepath      /usr/lib/ldap
moduleload      back_mdb

sizelimit       500
tool-threads    1

backend         mdb
database        mdb
suffix          "o=testcompany.com"
rootdn          "cn=admin,o=testcompany.com"
directory       "/var/lib/tc-ldap"
rootpw          "password"

index           objectClass eq
index           uid eq
index           ou eq
index           default eq,sub

lastmod         on
checkpoint      512 30

access to attrs=userPassword,shadowLastChange
    by dn="cn=admin,o=testcompany.com" write
    by anonymous auth
    by self write
    by * none
access to dn.base=""
    by * read
access to *
    by dn="cn=admin,o=testcompany.com" write
    by * read
3. Afterwards, *slaptest -f /usr/share/slapd/slapd.conf -F /etc/ldap/slapd.d*, which generated my new *cn=config.ldif*
4. Set the appropriate user/group on the new *cn=config.ldif* with *chown -R openldap:openldap /etc/ldap/slapd.d/*
5. Fired up slapd service and checked if the ldap was running or not. Since it was and I could access it with phpldapadmin, I added an *organizationalUnit (ou=sales)*, all the country codes and imported 3000 users (by using *ldapadd*). Now my DIT looks as follows:
- o=testcompany.com
  - ou=sales
    - AD
      + uid=123456,c=AD,ou=sales,o=testcompany.com
      + ...
which is great, this is exactly the way it should look, however I've noticed that the *cn=admin,o=testcompany.com* entry doesn't exist, while it did using the default config after I'd installed openldap.
6. In Redmine, I've configured and tested the *ldap authentication*. It is working correctly (it can both connect to my ldap and, if I wish to add a new user and choose the previously configured ldap authentication for it, I can even choose from the entries that are in my ldap, which is also great)
7. However (this is where my problem is) when I try to log into Redmine with a user that I've just created (with ldap authentication) I always get an *Invalid credentials* error (while it works like a charm when I log in with any other account, created with *Simple Authentication*)
These events led me to believe that the error is in the LDAP configuration. After a few more hours/days of fooling around with the *ACL*s and *dpkg-reconfigure slapd* (and even purging-reinstalling slapd and ldap-utils) I still can not get beyond this point. And one more bit of information: after *dpkg-reconfigure slapd* and creating a few users under the default *dc=example,dc=com*, I can get them to log into Redmine just fine (and even *cn=admin,o=testcompany.com* shows up...).
Below I'll attach a few things that I've tried. I hope someone can aid me with a few tips as to where I got off the trail (somehow I feel that I'm missing the obvious here).
What I have tried so far:
1. modify the default slapd.conf file, and repeat the process I've written above
2. create a completely new one
3. a lot of different ways to add/modify the ACL
4. read through a lot of mailing lists, similar problems on redmine forums, and openldap mailing lists, still no success (I can paste a lot of links from my .txt if you need it)
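The ACL ordering point can be seen on the configuration above. The following is an added example, not the original poster's file: the same password rule placed behind a catch-all (the ordering that breaks simple binds) and then the rules in the order that works. The suffix and admin DN are the ones from the post; everything else is illustrative.

```conf
# Added example, not the poster's slapd.conf. Assumes suffix o=testcompany.com
# and rootdn cn=admin,o=testcompany.com as in the thread.

## Ordering that breaks every non-rootdn simple bind ##
# slapd uses the first "access to" whose target matches. "to *" matches every
# entry and every attribute, userPassword included, so the second directive is
# never consulted. A simple bind is evaluated as anonymous and needs the "auth"
# right on userPassword; here anonymous falls through to "by * none", so slapd
# answers err=49 invalidCredentials for every user. As a bonus, "by users read"
# lets any authenticated identity read every password hash.
access to *
    by dn.exact="cn=admin,o=testcompany.com" write
    by users read
    by * none
access to attrs=userPassword,shadowLastChange
    by anonymous auth
    by self write
    by * none

## Working ordering ##
# Most specific target first. Within a directive the first matching "by"
# clause wins, so "by * none" must be the last one. The rootdn is never
# subject to ACLs, so the explicit cn=admin clause only matters if Redmine is
# later given a non-root service account.
access to attrs=userPassword,shadowLastChange
    by dn.exact="cn=admin,o=testcompany.com" write
    by anonymous auth
    by self write
    by * none
access to dn.base=""
    by * read
access to *
    by dn.exact="cn=admin,o=testcompany.com" write
    by users read
    by * none
```

A decision can be checked without binding at all: slapacl(8) evaluates a single access request against the configuration, e.g. `slapacl -f /usr/share/slapd/slapd.conf -D "<bind dn>" -b "uid=123456,c=AD,ou=sales,o=testcompany.com" userPassword/auth`, and prints whether that identity gets the right, which is quicker than restarting slapd after each ACL edit.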
On Sun, Aug 06, 2017 at 05:54:56PM +0200, R H wrote:
> which is great, this is exactly the way it should look, however I've noticed that the cn=admin,o=testcompany.com entry doesn't exist, while it did using the default config after I'd installed openldap.
I assume that you cleared out the database at some point (which you should do, to get rid of example entries from the distro). Thus, cn=admin,o=testcompany.com will not exist unless you explicitly create it - and nor will o=testcompany.com which you need to create first.
> In Redmine, I've configured and tested the ldap authentication. It is working correctly (it can both connect to my ldap and, if I wish to add a new user and choose the previously configured ldap authentication for it, I can even choose from the entries that are in my ldap, which is also great)
> However (this is where my problem is) when I try to log into Redmine with a user that I've just created (with ldap authentication) I always get an Invalid credentials error (while it works like a charm when I log in with any other account, created with Simple Authentication)
> These events led me to believe that the error is in the LDAP configuration.
Maybe, maybe not...
> After a few more hours/days of fooling around with the ACLs and dpkg-reconfigure slapd (and even purging-reinstalling slapd and ldap-utils) I
No point in changing stuff without knowing what is going on.
Add this to your config and restart slapd:
loglevel stats,stats2
Find where the log stream goes to - probably /var/log/daemon.log or similar. Look at the LDAP operations and results when you try to login on your app. This will tell you what the app is actually doing.
Andrew
R H wrote:
> rootdn "cn=admin,o=testcompany.com"
> [..]
> however I've noticed that the *cn=admin,o=testcompany.com* entry doesn't exist, while it did using the default config after I'd installed openldap.
The rootdn can be used without an LDAP entry existing for it. Otherwise you would have a hen-and-egg problem when starting with an empty DB.
> access to attrs=userPassword,shadowLastChange by dn="cn=admin,o=testcompany.com" write by anonymous auth by self write by * none
> [..]
> However (this is where my problem is) when I try to log into Redmine with a user that I've just created (with ldap authentication) I always get an Invalid credentials error
You should likely check your ACLs. Order is significant in all parts: order of access directives and order of <who> clauses.
https://www.openldap.org/doc/admin24/access-control.html
https://www.openldap.org/faq/data/cache/189.html
> (while it works like a charm when I log in with any other account, created with Simple Authentication)
This sentence does not make sense to me.
> In Redmine, I've configured and tested the *ldap authentication*.
You'd better test with OpenLDAP command-line tools first, e.g. ldapsearch for testing the redmine user search and ldapwhoami for testing the password authentication.
> These events led me to believe that the error is in the LDAP configuration. After a few more hours/days of fooling around with the *ACL*s and *dpkg-reconfigure slapd*
I'd recommend writing your slapd.conf completely yourself and not using any external configuration tool. This leads to reproducible results and better insights.
Ciao, Michael.
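The command-line test Michael suggests, written out as an added example (not part of his reply): the script repeats the two operations a web application such as Redmine performs, a search with its own account to find the user's DN and then a bind as that DN, and turns the exit status of the OpenLDAP tools (which is the LDAP result code) into a diagnosis. The suffix and admin DN come from the thread; the server URI, the password file for the account bind and the uid under test are assumptions read from the environment.

```shell
#!/bin/sh
# Added example, not part of the thread. Assumes the o=testcompany.com tree and
# the cn=admin rootdn from the original post; LDAP_URI, BIND_PW_FILE and
# TEST_UID are assumed environment variables.

LDAP_URI="${LDAP_URI:-ldap://localhost:389}"
BASE_DN="ou=sales,o=testcompany.com"
BIND_DN="${BIND_DN:-cn=admin,o=testcompany.com}"           # the account DN the application binds with
BIND_PW_FILE="${BIND_PW_FILE:-/etc/redmine/ldap-bind.pw}"  # -y reads it from a file, keeping it out of ps(1)

# The ldap* tools exit with the LDAP result code; the ones seen in this thread:
explain_rc() {
    case "$1" in
        0)  echo "success" ;;
        32) echo "noSuchObject: the search base or the entry DN does not exist" ;;
        49) echo "invalidCredentials: wrong password, or anonymous lacks the auth right on userPassword" ;;
        50) echo "insufficientAccessRights: this identity may not read the entry (check ACLs)" ;;
        *)  echo "LDAP result code $1 (see RFC 4511, Appendix A)" ;;
    esac
}

# The uid is spliced into a search filter, so accept only a plain identifier.
valid_uid() {
    case "$1" in
        "" | *[!A-Za-z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Step 1, as the application's account: look the user up and print the DN
# (nothing is printed when nentries=0). "1.1" requests no attributes.
# Returns the ldapsearch result code.
find_user_dn() {   # $1 = uid
    valid_uid "$1" || { echo "refusing uid '$1': not a plain identifier" >&2; return 1; }
    out=$(ldapsearch -LLL -H "$LDAP_URI" -x -D "$BIND_DN" -y "$BIND_PW_FILE" \
                     -b "$BASE_DN" "(uid=$1)" 1.1 2>&1)
    rc=$?
    [ "$rc" -eq 0 ] || echo "search as $BIND_DN: $(explain_rc "$rc")" >&2
    printf '%s\n' "$out" | sed -n 's/^dn: //p'
    return "$rc"
}

# Step 2, as the user: bind with the DN found above. -W prompts for the
# password so it never appears on the command line.
check_user_password() {   # $1 = user DN
    ldapwhoami -H "$LDAP_URI" -x -D "$1" -W > /dev/null
    rc=$?
    echo "bind as $1: $(explain_rc "$rc")"
    return "$rc"
}

# Usage:  TEST_UID=123456 sh check-ldap-login.sh
if [ -n "${TEST_UID:-}" ]; then
    dn=$(find_user_dn "$TEST_UID") || exit 1
    if [ -z "$dn" ]; then
        echo "no entry for uid=$TEST_UID under $BASE_DN: the application has nothing to bind as" >&2
        exit 1
    fi
    echo "found $dn"
    check_user_password "$dn"
fi
```

If step 1 returns no DN the problem is the search base, the filter or what the account may read; if step 1 finds the DN and step 2 reports 49, the problem is the entry's `userPassword` value or the `auth` right on it, which is exactly the split the log lines from `loglevel stats` also show.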
openldap-technical@openldap.org