LDAP Authentication

Starting in 3.6, ProVision supports LDAP authentication. To use an LDAP server for authentication, you must perform the following procedures:

  • Configure the LDAP Server
  • Configure ProVision for LDAP Authentication

Configure the LDAP Server

To query the LDAP server, run ldapsearch from any server that has the OpenLDAP client tools installed, which is almost all of them. The "-x" flag selects a simple bind (DN plus password rather than SASL) and "-b" gives the search base; both are needed for the command to work as written:

ldapsearch -h [IPADDRESS] -x -b [BASEDN] -D [DOMAIN] -w [PASSWORD] [USER]

 The "-h" flag is straightforward: the IP address (or hostname) of the LDAP server. Don't even try getting this to accept IPv6 addresses -- every site mentions a different format; none of them work.

 The "-w" flag indicates the password.

 The "-D" flag marks the descent into crazypants wackytown.  This is the bind DN of the LDAP search (the distinguished name the client authenticates as before searching), which I don't understand one bit, but is apparently super-important.  I guess it's analogous to the database selector when querying off a MySQL server?  I dunno.  You should not need to modify this field.

 And at the end you add the search filter: the user (or users, or groups, or whatever) you want to query the LDAP server for, again in that fun fun LDAP format.

 Here is a practical example of an LDAP query:

 ldapsearch -h 50.240.195.129 -x -b "dc=6connect,dc=com" -D "cn=Mayor,ou=people,dc=6connect,dc=com" -w testpass "cn=MajorMiner"

Configure ProVision for LDAP Authentication

    LDAP Enable:  check
    LDAP Server Address:  50.240.195.129
    LDAP Port:  389 (SSL/TLS port is 636, but is not enabled on ad.6connect.com)
    LDAP Security:  None
    LDAP Auth DN:  cn=%LOGIN%,ou=people,dc=6connect,dc=com
    LDAP Fetch DN:  cn=%LOGIN%

With LDAP Security set to None on port 389, the simple bind carries each user's password to the server unencrypted, which is why the 636/TLS option matters once it is enabled on the server. %LOGIN% in the Auth DN and Fetch DN stands for the login name the user enters.
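The two %LOGIN% templates above are filled in with whatever the user types at the login prompt, so the substitution has to escape the characters LDAP treats as structure. The following is an added example, not ProVision's code and not from the original page; it assumes ProVision substitutes %LOGIN% textually into the Auth DN (used for the bind) and the Fetch DN (used as a search filter), and applies the escaping rules of RFC 4514 for DN values and RFC 4515 for filter values.

```python
"""Fill ProVision-style %LOGIN% templates safely (added example, not ProVision code).

Assumptions: the login name is substituted textually into the configured
"LDAP Auth DN" (used to bind) and "LDAP Fetch DN" (used as a search filter).
Escaping follows RFC 4514 (DN string values) and RFC 4515 (filter values).
"""

AUTH_DN_TEMPLATE = "cn=%LOGIN%,ou=people,dc=6connect,dc=com"  # value from the page
FETCH_DN_TEMPLATE = "cn=%LOGIN%"                               # value from the page

# RFC 4514 section 2.4: these characters must be backslash-escaped inside a value
_DN_SPECIALS = set('\\,+"<>;=')


def escape_dn_value(value: str) -> str:
    """Escape one attribute value so it stays a single RDN value."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_SPECIALS:
            out.append("\\" + ch)
        elif ch == "#" and i == 0:                 # a leading '#' would start hex form
            out.append("\\#")
        elif ch == " " and i in (0, last):         # leading/trailing space is significant
            out.append("\\ ")
        elif ord(ch) < 0x20:                       # control characters as \XX hex pairs
            out.append("\\%02X" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def escape_filter_value(value: str) -> str:
    """Escape one assertion value for use inside a search filter."""
    out = []
    for b in value.encode("utf-8"):
        # '*', '(', ')', '\' and NUL are filter syntax; non-ASCII and
        # control bytes are escaped too so the filter stays plain ASCII
        if b in b"*()\\\x00" or b < 0x20 or b >= 0x7F:
            out.append("\\%02x" % b)
        else:
            out.append(chr(b))
    return "".join(out)


def build_auth_dn(login: str) -> str:
    """DN that ProVision would bind as for this login."""
    return AUTH_DN_TEMPLATE.replace("%LOGIN%", escape_dn_value(login))


def build_fetch_filter(login: str) -> str:
    """Search filter derived from the Fetch DN template, wrapped in parentheses."""
    return "(" + FETCH_DN_TEMPLATE.replace("%LOGIN%", escape_filter_value(login)) + ")"


if __name__ == "__main__":
    # "Miner, Major" and "Major*" are constructed inputs showing the escaping
    for login in ("MajorMiner", "Miner, Major", "Major*"):
        print(repr(login), "->", build_auth_dn(login), "|", build_fetch_filter(login))
```

A login such as MajorMiner passes through unchanged; a login containing a comma, plus, equals, asterisk, parenthesis or backslash comes out escaped, so it can only ever match a single cn value rather than change the shape of the DN or the filter.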

Right now the only configured user is:

    Login:  MajorMiner
    Password:  testpass

This user is part of the Global Admins group, as well as a few nonexistent groups.

Adding new users to LDAP is an incredible pain.  You have to SSH into ad.6connect.com and create an LDIF file.  Example:

    dn: cn=MajorMiner,ou=people,dc=6connect,dc=com
    cn: MajorMiner
    sn: MajorMiner
    objectclass: top
    objectclass: person
    objectclass: sixConnectPermissionsV2
    sixConnGroup: "Global Admins"
    sixConnGroup: "bonk"
    sixConnGroup: "poof"
    sixConnGroup: "grood"
    userPassword: testpass

To create a new user, make a new LDIF file and change all instances of "MajorMiner" to whatever username you wish to create.  Do not remove any of the objectclass definitions.  Change the userPassword to whatever the password is going to be.  Yes, in plaintext.  I KNOW.  Add as many "sixConnGroup" declarations as groups the user is in.  In the file itself, each attribute line starts in column one (the indentation above is only for display) and there are no blank lines between the lines, because a blank line ends an LDIF entry.
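Rather than hand-editing a copy of the file, the per-user LDIF can be generated. The following is an added example, not from the page and not 6connect's tooling; it assumes the schema shown above (objectclass sixConnectPermissionsV2 with a multi-valued sixConnGroup attribute, group names quoted literally as the page's entry does) and writes userPassword as an OpenLDAP {SSHA} hash, the format slappasswd -h '{SSHA}' produces, instead of the plaintext the page uses. It also base64-encodes any value that LDIF (RFC 2849) cannot carry literally, and refuses usernames containing characters that would need DN escaping.

```python
"""Generate a per-user LDIF for the schema on this page (added example, not 6connect code).

Assumptions: objectclass sixConnectPermissionsV2 with multi-valued sixConnGroup,
group names quoted literally as in the page's sample entry, base DN
ou=people,dc=6connect,dc=com, and userPassword stored as an OpenLDAP {SSHA}
hash (SHA-1 over password+salt, base64 of digest+salt) rather than plaintext.
"""
import base64
import hashlib
import os
import re
from typing import Optional

BASE_DN = "ou=people,dc=6connect,dc=com"                       # from the page
OBJECT_CLASSES = ("top", "person", "sixConnectPermissionsV2")  # from the page; keep all three

# Usernames go straight into the DN, so restrict them to characters that need
# no RFC 4514 escaping instead of escaping them here.
USERNAME_RE = re.compile(r"[A-Za-z0-9._-]{1,64}")


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """{SSHA} as produced by slappasswd: base64(sha1(password || salt) || salt)."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password: str, stored: str) -> bool:
    """Check a password against a stored {SSHA} value (salt is the tail after the 20-byte digest)."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hashlib.sha1(password.encode("utf-8") + salt).digest() == digest


def ldif_line(attr: str, value: str) -> str:
    """RFC 2849: a value that is not a SAFE-STRING is written base64 after '::'."""
    unsafe = (not value.isascii()
              or any(c in value for c in "\r\n\x00")
              or value[:1] in (" ", ":", "<"))
    if unsafe:
        return attr + ":: " + base64.b64encode(value.encode("utf-8")).decode("ascii")
    return attr + ": " + value


def make_user_ldif(username: str, password: str, groups, salt: Optional[bytes] = None) -> str:
    """Build one LDIF entry; blank lines are deliberately absent (a blank line ends an entry)."""
    if not USERNAME_RE.fullmatch(username):
        raise ValueError("username must match %s" % USERNAME_RE.pattern)
    lines = [ldif_line("dn", "cn=%s,%s" % (username, BASE_DN)),
             ldif_line("cn", username),
             ldif_line("sn", username)]
    lines += ["objectclass: " + oc for oc in OBJECT_CLASSES]
    for group in groups:                            # one sixConnGroup line per group
        lines.append(ldif_line("sixConnGroup", '"%s"' % group))
    lines.append(ldif_line("userPassword", ssha_hash(password, salt)))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # constructed sample: the page's user with the page's group, hashed password
    print(make_user_ldif("MajorMiner", "testpass", ["Global Admins"]), end="")
```

The output is fed to ldapadd exactly as the page describes; whether ProVision expects the quotes around the group names is taken from the page's sample entry rather than from the schema, so check one generated user against the existing MajorMiner entry before creating more.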

After the file is created, run the following command to add the new user to the LDAP server:

ldapadd -h [SERVER] -x -f [LDIF FILE] -D [ROOTDN] -w [ROOT PW] -v

Example:

ldapadd -h localhost -x -f 6connect.ldif -D "cn=Manager,dc=6connect,dc=com" -w secret -v

I'm just going to say straight-up that I don't know what the -x and -v flags do, but they sure do do it.

[SERVER] and [LDIF FILE] are self-explanatory, but "-D [ROOTDN]" is another spate of LDAP-speak: it is the directory's root (manager) bind DN, the account allowed to add entries.  Just don't change it.  Passing the root password with "-w" leaves it in shell history and in the process list; "-W" prompts for it instead.

After that command is run, the new user should be active.  You don't have to restart the server.  But honestly, I wouldn't be surprised if you had to on MS implementations.
