By: Bardos Matyas user 05 May 2016 at 5:28 a.m. CDT

12 Responses

Dear support team, is it somehow possible to authenticate from my Ubuntu servers against the internal LDAP server of Gluu? I have tried the authentication via sssd, but in the logs I saw that no users were found. I tried the LDAP query, and it is not giving back the LDAP accounts:

```
ldapsearch -D "cn=directory manager" -w password -H ldaps://serverfqdn:1636 -b "ou=people,o=1234,o=gluu" -s sub "(&(objectclass=gluuPerson)(uid=*)(uidNumber=*))"
```

I investigated, and it is because some attributes are missing in the LDAP schema, for example: uidNumber. So my question is, is it somehow possible to use this LDAP for my Ubuntu servers, or is the only way to install another LDAP server and configure Gluu's cache refresh? I would like to use the internal server because of the cool self-registration possibilities and the nice user management GUI. If I'm right, there is no way to use these features to manage external LDAP users. Thank you! Regards: Matyas

By Mohib Zico staff 05 May 2016 at 5:38 a.m. CDT

Hey Bardos, please allow me to ask a few questions, as I am not exactly clear about your target.

1. What are those 'Ubuntu Servers' you are mentioning?
2. True, there is nothing called 'uidNumber' attribute available for users. By default, a user has givenName, sn, userPassword, displayName, uid and a few other Gluu related attributes (i.e. memberOf, inum).
3. It would be helpful if you can share any use case diagram with us, so we would be able to understand your target.

By Bardos Matyas user 05 May 2016 at 5:46 a.m. CDT

Hello, thank you for the fast response, and sorry for the 4 posts. My browser had some problems... I use Ubuntu Linux on my servers, and I would like to log in to the Linux OS with my Gluu account. So my target would be LDAP authentication on my Linux (Ubuntu) OS. But I can't configure the LDAP authentication, because Linux needs these LDAP attributes (for example uidNumber).

By Mohib Zico staff 05 May 2016 at 5:51 a.m. CDT

Woah... That is an interesting thing... So here is what you want? Log in to your own Ubuntu servers with LDAP authentication? And for LDAP authentication, you want to use the Gluu Server's own LDAP server?

By Bardos Matyas user 05 May 2016 at 5:55 a.m. CDT

Yes, exactly. :)

By Mohib Zico staff 05 May 2016 at 8:57 a.m. CDT

Okay... This is really an interesting use case. You can try to 'manually' add uidNumber for this user in Gluu Server and see if anything changes or not.

By Bardos Matyas user 06 May 2016 at 3:04 a.m. CDT

Hello, OK, I will try. And what is the preferred way to do this? With an LDIF file, or is there another option? Thank you!

By Mohib Zico staff 06 May 2016 at 3:31 a.m. CDT

Whichever is comfortable to you. Either ldif or using Gluu Server GUI ( oxTrust ): https://gluu.org/docs/oxtrust/configuration/#attributes

By Bardos Matyas user 06 May 2016 at 8:04 a.m. CDT

Hello, I have created the attributes via the GUI. If I try to save, for example, uidNumber, I get this message: "Warning: Specified attribute name already exists in LDAP schema. Are you going to use it?" And if I choose OK, it is not visible on the attributes page (I clicked "show all attributes"), nor on the create person page. If I try to create the same attribute again, I get an error that it already exists. So my question would be, is it possible to get this attribute visible in the GUI, for example on the create person page, or must I edit the person via LDIF files? Thank you!

By Aliaksandr Samuseu staff 06 May 2016 at 8:39 a.m. CDT

Hi, Bardos.

> "Warning: Specified attribute name already exists in LDAP schema. Are you going to use it?"

May I ask you to provide output of `# cat /opt/opendj/config/schema/100-user.ldif` from within the container?

By Bardos Matyas user 06 May 2016 at 9:55 a.m. CDT

The output is:

```
cat /opt/opendj/config/schema/100-user.ldif
dn: cn=schema
objectClass: top
objectClass: ldapSubentry
objectClass: subschema
cn: schema
```

And some extra, if you need it:

```
cat /opt/opendj/config/schema/99-user.ldif
dn: cn=schema
objectClass: top
objectClass: ldapSubentry
objectClass: subschema
cn: schema
objectClasses: ( ox-19B87CF7509F2D060001D8534ACF-oid NAME 'ox-19B87CF7509F2D060001D8534ACF' SUP top STRUCTURAL MUST objectClass MAY ( telephoneNumber $ title $ roomNumber $ mobile $ postalCode $ manager $ facsimileTelephoneNumber $ uidNumber $ gidNumber ) X-ORIGIN 'gluu' )
modifiersName: cn=Directory Manager,cn=Root DNs,cn=config
modifyTimestamp: 20160506111627Z
```
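
Added example, not part of the thread and not Gluu code: a Python check that parses the `objectClasses` definition from the `99-user.ldif` output posted above, unfolding wrapped LDIF lines, and reports which RFC 2307 `posixAccount` attributes the custom class permits. The sample input is constructed from the posted output with line folding added, and the function names are hypothetical.

```python
import re

# RFC 2307 posixAccount attributes a Linux NSS/PAM LDAP client reads for an account.
POSIX_ATTRS = ["uid", "uidNumber", "gidNumber", "homeDirectory", "loginShell"]

# Constructed sample: the 99-user.ldif content quoted in the thread, with LDIF line folding added.
SAMPLE_LDIF = """\
dn: cn=schema
objectClass: top
objectClass: ldapSubentry
objectClass: subschema
cn: schema
objectClasses: ( ox-19B87CF7509F2D060001D8534ACF-oid NAME 'ox-19B87CF7509F2D
 060001D8534ACF' SUP top STRUCTURAL MUST objectClass MAY ( telephoneNumber $
  title $ roomNumber $ mobile $ postalCode $ manager $ facsimileTelephoneNu
 mber $ uidNumber $ gidNumber ) X-ORIGIN 'gluu' )
"""

def unfold(ldif):
    # A line starting with one space continues the previous line (LDIF folding).
    return re.sub(r"\n ", "", ldif).splitlines()

def parse_object_classes(ldif):
    # Map each object class NAME to its MUST and MAY attribute lists.
    # Simplification: handles a single quoted NAME, not a list of aliases.
    classes = {}
    for line in unfold(ldif):
        key, _, value = line.partition(":")
        name = re.search(r"NAME\s+'([^']+)'", value)
        if key.strip().lower() != "objectclasses" or not name:
            continue
        attrs = {}
        for kind in ("MUST", "MAY"):
            # Either a parenthesised '$'-separated list or one bare attribute name.
            m = re.search(rf"\b{kind}\s+(?:\(([^)]*)\)|([\w.;-]+))", value)
            names = (m.group(1) or m.group(2) or "") if m else ""
            attrs[kind] = [a.strip() for a in names.split("$") if a.strip()]
        classes[name.group(1)] = attrs
    return classes

def posix_coverage(ldif):
    # For each class, report which posixAccount attributes it allows on an entry.
    report = {}
    for cls, attrs in parse_object_classes(ldif).items():
        allowed = {a.lower() for a in attrs["MUST"] + attrs["MAY"]}
        report[cls] = {a: a.lower() in allowed for a in POSIX_ATTRS}
    return report

if __name__ == "__main__":
    print(posix_coverage(SAMPLE_LDIF))
```

A `False` here only means this one object class does not list the attribute; another object class on the same entry may still supply it, as with `uid`, which the thread names as a default user attribute.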

By Aliaksandr Samuseu staff 06 May 2016 at 10:57 a.m. CDT

Yes, that indeed was helpful, thanks (I've fixed markup a bit). Could you also run `# ll /opt/opendj/config/schema/`?

After that, may I ask you to run `# tail -F /opt/tomcat/logs/wrapper.log` in the container, while trying to create that attribute again, with all the same settings? If it asks you for confirmation to override the existing one, try to answer "yes". Then please provide us any errors you'll see in the log using [pastebin.com](pastebin.com)

**Update:** Please also let us know the full version of the Gluu CE package you are using and what your Linux distro is.

By Bardos Matyas user 09 May 2016 at 9:32 a.m. CDT

Hello. Thank you for the great and fast support. For some weeks I will not have the possibility to work on this project. I will try to work on it in June - July, so you can close this ticket. If I have questions, I will contact you again! Thank you! Regards: Matyas