By: Andrej Simon user 05 Jun 2022 at 3:51 p.m. CDT

3 Responses
Greetings, I am a beginner with Gluu. I have started to read the book "Securing the Perimeter: Deploying Identity and Access Management with Free Open Source Software" by Michael Schwartz, Maciej Machulak. Very nicely written! I was reading the LDAP chapter and wanted to test it live with Gluu. Unfortunately I have some problems now with this book and Gluu. The Gluu installation is nicely documented. I have created an Ubuntu VM 20.04 LTS (KVM) and installed Gluu. This worked without any problems. The book (Chapter LDAP) provides many examples with ldapsearch etc. I prefer command-line tools as well. In the book you would find:

```
$ /opt/opendj/bin/ldapsearch -h idp.example.com -p 1636 \
  -D "cn=directory manager" -j ~/.pw -Z -X \
  -b "o=gluu" -s one "objectclass=*" dn
```

Unfortunately this does not work. At least on an Ubuntu VM with the Gluu container you have to:

* Connect as root. (ssh root@gluu-server)
* Login into the container (/sbin/gluu-serverd login)
* Run the ldapsearch command without the hostname *-h idp.example.com* or using *-h localhost*.

I have tried to use some other Ubuntu VMs as clients and have installed the standard Ubuntu LDAP tools. According to the documentation I had to create an SSH tunnel (https://gluu.org/docs/gluu-server/4.4/user-management/local-user-management/). I have not managed to work with ldapsearch after trying many combinations of certificates etc. My ticket was closed (?) with a recommendation to use Apache Directory Studio. In fact I have tried for some hours to get ldapsearch to work without any success. The only way Gluu LDAP works is as root from the container or by using the GUI. It's your software and it's ok for me if you don't support Ubuntu LDAP tools. But maybe you could document this fact. For instance, that Gluu LDAP prefers working with the GUI or using root in the chroot container, and there is no support for Ubuntu as an LDAP client using standard LDAP tools? Regards, Andrej

By Michael Schwartz Account Admin 05 Jun 2022 at 6:25 p.m. CDT

The LDAP server that ships with the Gluu Server is the user and config store for the IDP, so it needs to be protected. We don't want it used for anything except the Gluu Server database. It is not listening on any interface other than localhost. You can use an ssh tunnel to connect to the Gluu LDAP server from another host. From your Ubuntu box, try something like:

```
$ ssh -L 1636:127.0.0.1:1636 root@myhost
```

And then run your client and connect LDAPS to localhost:1636.

BTW, if you want a plain vanilla OpenDJ, we are collaborating in this project: https://github.com/OpenIdentityPlatform/OpenDJ

By Andrej Simon user 06 Jun 2022 at 4:14 a.m. CDT

My Ubuntu Gluu server is rkubgl02. Here is the connection to the Gluu container:

```
ssh root@rkubgl02
/sbin/gluu-serverd login
ldapsearch -p 1636 -Z -X -D 'cn=directory manager' -w MyLDAPPwd -b o=gluu -s sub "(uid=admin)"
```

It works. My Ubuntu LDAP client with standard Ubuntu LDAP tools:

Terminal 1:

```
sudo su -
ssh -fNL 1636:127.0.0.1:1636 root@rkubgl02
```

Terminal 2:

```
ldapsearch -p 1636 -Z -X -D 'cn=directory manager' -w MyLDAPPwd -b o=gluu -s sub "(uid=admin)"
ldapsearch: -p without -h is invalid.
```

Ok, added *-h localhost*.

```
ldapsearch -p 1636 -Z -X -D 'cn=directory manager' -w MyLDAPPwd -b o=gluu -s sub "(uid=admin)" -h localhost
ldap_start_tls: Can't contact LDAP server (-1)
ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
ldapsearch -p 1636 -Z -X -D 'cn=directory manager' -w MyLDAPPwd -b o=gluu -s sub "(uid=admin)" -h 127.0.0.1
ldap_start_tls: Can't contact LDAP server (-1)
ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
```

Changed -Z to -ZZ and tried different -H options instead of -h and -p.

```
andrej@ryzen3ub> ldapsearch -ZZ -X -D 'cn=directory manager' -w MyLDAPPwd -b o=gluu -s sub "(uid=admin)" -H ldap://localhost:1636
ldap_start_tls: Can't contact LDAP server (-1)
andrej@ryzen3ub> ldapsearch -ZZ -X -D 'cn=directory manager' -w MyLDAPPwd -b o=gluu -s sub "(uid=admin)" -H ldaps://localhost:1636
ldap_start_tls: Can't contact LDAP server (-1)
	additional info: (unknown error code)
```

The LDAP connection using Apache Directory Studio works. In my opinion, the error is in TLS between my LDAP client and LDAP server. I have tried to use TLS_REQCERT *allow* or *demand* in */etc/ldap/ldap.conf* on the LDAP client, but it did not help.

By Mobarak Hosen Shakil staff 15 Jun 2022 at 3:27 a.m. CDT

Hi Andrej, Sorry for being late to reply. Please do the following things:

1. Create a tunnel from your LDAP client (VM/Desktop):
   - `ssh -fNL 1636:localhost:1636 root@gluu-server-ip`
2. Now modify `/etc/ldap/ldap.conf` and add the line below:
   - `TLS_REQCERT never`
3. Try to use the `ldapsearch` command, for example:
   - `ldapsearch -H ldaps://localhost:1636 -D "cn=directory manager" -w password -b "o=gluu"`

It should print the search result with your Gluu server LDAP data. Kindly check the attached image files.

Thanks, Regards
~ Shakil