Docker Community Forums


LDAP Authentication


(Rlaing) #1

Hi, I am looking for some help to set up authentication via an LDAP server.

I have the following error message.

level=error msg="error binding reader: LDAP Result Code 48 “Inappropriate Authentication”: " LDAPSearchURL={server.yourname.com dc=yourname,dc=com}

I have looked at my settings; however, I am also new to LDAP, and I would like to know what the setting for “User Login Attribute” should look like with my current base DN of dc=yourname,dc=com.


(Jeff Anderson) #2

Hello,

The value for “User Login Attribute” can vary from ldap server to ldap server.

On my test server, I use uid. Depending on what your ldap objects look like, this may or may not work for your case.

The way that the DTR ldap works is that it will first bind to the ldap server using the search user credentials. Next, it’ll do a search for an ldap object by taking the username that you input, and searching for a corresponding ldap object that has the value of that username for the “User Login Attribute” field. If mine is set to ‘uid’, and I put in ‘bob’, it will search for uid=bob in the base DN you provide. Once it finds that entry, it will try to bind again to the ldap server using that ldap object and the password that was provided along with the username.

Hopefully this helps.
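
The two-step flow just described, as an added example that is not part of the original thread and not DTR's code. It runs offline against FakeDirectory, a constructed in-memory stand-in whose bind() and search() methods are an assumption of this example rather than a real client library's API; the DNs, passwords and the dedicated dtr-reader search account are made up as well. Two details apply to any implementation of this flow and are what the example shows: the login name is interpolated into a search filter and must be escaped per RFC 4515, and an empty password has to be rejected before the second bind, because a bind with a DN and no password is an unauthenticated bind (RFC 4513, section 5.1.2) and some servers let it succeed. On the error in the first post: RFC 4511 defines result code 48, inappropriateAuthentication, as the server telling a client that tried to bind without credentials to supply some, so the first thing to check is that the search user's password actually reached DTR.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

Entry = dict[str, list[str]]


def escape_filter_value(value: str) -> str:
    """Escape an assertion value for an LDAP filter (RFC 4515, section 3). The
    login name goes into "(uid=<name>)"; unescaped, "*" or "bob)(uid=admin"
    would change what the search matches."""
    specials = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
    return "".join(specials.get(ch, ch) for ch in value)


def _assertion_to_regex(value: str) -> re.Pattern[str]:
    """Read an assertion value the way a server does: unescaped '*' is a
    wildcard, '\\xx' is a literal byte, everything else is literal."""
    pattern = ""
    for tok in re.findall(r"\\[0-9a-fA-F]{2}|\*|[^\\*]+", value):
        if tok == "*":
            pattern += ".*"
        elif tok.startswith("\\"):
            pattern += re.escape(chr(int(tok[1:], 16)))
        else:
            pattern += re.escape(tok)
    return re.compile("^" + pattern + "$", re.DOTALL)


@dataclass
class FakeDirectory:
    """Constructed in-memory stand-in for the LDAP server (assumed API)."""

    entries: dict[str, Entry]
    passwords: dict[str, str]

    def bind(self, dn: str, password: str) -> bool:
        """Simple bind. A DN with an empty password is an unauthenticated bind
        (RFC 4513, section 5.1.2), which some servers accept as anonymous;
        it is modelled as succeeding so the guard in login() matters."""
        if password == "":
            return True
        return self.passwords.get(dn) == password

    def search(self, base_dn: str, filt: str) -> list[str]:
        """Subtree search for one '(attr=value)' filter; returns matching DNs."""
        m = re.fullmatch(r"\((\w+)=(.*)\)", filt)
        if m is None:
            raise ValueError("unsupported filter: " + filt)
        attr, rx = m.group(1).lower(), _assertion_to_regex(m.group(2))
        suffix = "," + base_dn.lower()
        return [dn for dn, entry in self.entries.items()
                if dn.lower().endswith(suffix)
                and any(rx.match(v) for v in entry.get(attr, []))]


def login(directory: FakeDirectory, search_dn: str, search_pw: str, base_dn: str,
          login_attr: str, username: str, password: str) -> str | None:
    """The flow from the post: bind as the search user, look the login name up
    under the base DN, then bind as the entry found with the password the user
    typed. Returns the user's DN on success and None on any failure."""
    if "" in (search_pw, password):
        return None  # an empty password would be an unauthenticated bind, never a login
    if not directory.bind(search_dn, search_pw):
        return None  # the "error binding reader" case from the first post
    filt = "(%s=%s)" % (login_attr, escape_filter_value(username))
    matches = directory.search(base_dn, filt)
    if len(matches) != 1:
        return None  # unknown name, or ambiguous: refuse rather than guess
    return matches[0] if directory.bind(matches[0], password) else None


# Constructed sample directory shaped like the FreeIPA tree later in the thread.
BASE_DN = "dc=example,dc=com"
BOB_DN = "uid=bob,cn=users,cn=accounts,dc=example,dc=com"
ALICE_DN = "uid=alice,cn=users,cn=accounts,dc=example,dc=com"
# Assumed dedicated read-only search account, instead of binding DTR as the
# directory admin.
READER_DN = "uid=dtr-reader,cn=sysaccounts,cn=etc,dc=example,dc=com"
DIRECTORY = FakeDirectory(
    entries={BOB_DN: {"uid": ["bob"]}, ALICE_DN: {"uid": ["alice"]},
             READER_DN: {"uid": ["dtr-reader"]}},
    passwords={BOB_DN: "bob-secret", ALICE_DN: "alice-secret",
               READER_DN: "reader-secret"},
)


def try_login(username: str, password: str) -> str | None:
    """DTR-style "Test User" against the sample, with uid as the login attribute."""
    return login(DIRECTORY, READER_DN, "reader-secret", BASE_DN, "uid", username, password)


if __name__ == "__main__":
    print(try_login("bob", "bob-secret"))  # bob's DN
    print(try_login("*", "bob-secret"))    # None: the star is escaped, not a wildcard
```

Run as a script it prints bob's DN and then None. The same two guards apply with a real client: python-ldap's ldap.filter.escape_filter_chars and ldap3's escape_filter_chars do the escaping, and the empty-password check belongs in the application, since whether the server rejects an unauthenticated bind is a server setting. The search user only needs read access to the user and group entries; the ldapsearch later in the thread binds as the FreeIPA admin, which is more than DTR needs.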


(Rlaing) #3

I can log into the LDAP server with the following command on the CLI, so the uid is correct for this instance.

ldapsearch -x -h "aserver.yourname.com" -D "uid=admin,cn=users,cn=accounts,dc=yourname,dc=com" -W -b "dc=yourname,dc=com"

Also, I am looking for some information on what input I should put in for the admin group. Also, how should I query the server in order to extract this information? Any advice would be gratefully received at this present point in time.


(Jeff Anderson) #4

The admin group is optional. It should be the ldap object name of the group whose members will have DTR admin access.

If I have a group called ou=dtradmins,dc=example,dc=com and I want all its members to be DTR admins, then I can put that in the field.


(Rlaing) #5

Thank you for the info; I did indeed spot a mistake on my group line. Do you know what the Admin Group Member Attribute should look like?

Also what should I use for the Search User DN?


(Jeff Anderson) #6

Again, it depends largely on what your LDAP looks like. In my LDAP server, the proper value is ‘memberUid’. Do an ‘ldapsearch’ on the group itself, and it should list all the group members. The attribute that each member is listed as will be what you want to use.

Here’s what an example group might look like that uses memberUid:

dn: cn=sysadmins,ou=Groups,dc=test,dc=com
gidNumber: 1000
objectClass: posixGroup
cn: sysadmins
memberUid: uid=bob,ou=Users,dc=test,dc=com
memberUid: uid=alice,ou=Users,dc=test,dc=com

(Rlaing) #7

Hi, and thank you for your help so far. I have set up a test server that offers LDAP in my lab setup where the Docker registry is installed. The lab is set up as follows.

pfSense box with a domain override for ipa7.example.com
One laptop with the FreeIPA server and the Docker registry set up in the same subnet.
All the machines can talk with one another and I can log in to make changes etc.

FreeIPA is 192.168.1.113
registry is on 192.168.109

I would like to know, from the information below, how I should set up the Docker registry, as I would like to demo the LDAP sync; however, I am still learning this deployment and I am unsure of the syntax and what information the registry is requesting of me.

extended LDIF

LDAPv3

base <dc=example,dc=com> with scope subtree

filter: (objectclass=*)

requesting: ALL

computers, compat, example.com

dn: cn=computers,cn=compat,dc=example,dc=com
objectClass: extensibleObject
cn: computers

groups, compat, example.com

dn: cn=groups,cn=compat,dc=example,dc=com
objectClass: extensibleObject
cn: groups

admins, groups, compat, example.com

dn: cn=admins,cn=groups,cn=compat,dc=example,dc=com
gidNumber: 1113200000
ipaAnchorUUID:: OklQQTpleGFtcGxlLmNvbTowZWZlZDU3YS1jMDVhLTExZTUtODk5MS0wODAwMj
c0ZTgzZTY=
memberUid: admin
memberUid: rlaing
objectClass: posixGroup
objectClass: ipaOverrideTarget
objectClass: top
cn: admins

rlaing, groups, compat, example.com

dn: cn=rlaing,cn=groups,cn=compat,dc=example,dc=com
gidNumber: 1113200001
ipaAnchorUUID:: OklQQTpleGFtcGxlLmNvbTpjZmM3MWQxZS1jMDVkLTExZTUtYTVlZC0wODAwMj
c0ZTgzZTY=
objectClass: posixGroup
objectClass: ipaOverrideTarget
objectClass: top
cn: rlaing

editors, groups, compat, example.com

dn: cn=editors,cn=groups,cn=compat,dc=example,dc=com
gidNumber: 1113200002
ipaAnchorUUID:: OklQQTpleGFtcGxlLmNvbTowZjA0MDAxOC1jMDVhLTExZTUtODllNS0wODAwMj
c0ZTgzZTY=
objectClass: posixGroup
objectClass: ipaOverrideTarget
objectClass: top
cn: editors

ng, compat, example.com

dn: cn=ng,cn=compat,dc=example,dc=com
objectClass: extensibleObject
cn: ng

users, compat, example.com

dn: cn=users,cn=compat,dc=example,dc=com
objectClass: extensibleObject
cn: users

rlaing, users, compat, example.com

dn: uid=rlaing,cn=users,cn=compat,dc=example,dc=com
cn: richard laing
objectClass: posixAccount
objectClass: ipaOverrideTarget
objectClass: top
gidNumber: 1113200001
ipaAnchorUUID:: OklQQTpleGFtcGxlLmNvbTpjZmIxMDQ2Ni1jMDVkLTExZTUtYTVlZC0wODAwMj
c0ZTgzZTY=
gecos: richard laing
uidNumber: 1113200001
loginShell: /bin/sh
homeDirectory: /home/rlaing
uid: rlaing

admin, users, compat, example.com

dn: uid=admin,cn=users,cn=compat,dc=example,dc=com
cn: Administrator
objectClass: posixAccount
objectClass: ipaOverrideTarget
objectClass: top
gidNumber: 1113200000
ipaAnchorUUID:: OklQQTpleGFtcGxlLmNvbTowZWY4YjEwZS1jMDVhLTExZTUtOWQ0Yi0wODAwMj
c0ZTgzZTY=
gecos: Administrator
uidNumber: 1113200000
loginShell: /bin/bash
homeDirectory: /home/admin
uid: admin

sudoers, example.com

dn: ou=sudoers,dc=example,dc=com
objectClass: extensibleObject
ou: sudoers

example.com

dn: dc=example,dc=com
objectClass: top
objectClass: domain
objectClass: pilotObject
objectClass: nisDomainObject
objectClass: domainRelatedObject
dc: example
info: IPA V2.0
nisDomain: example.com
associatedDomain: example.com

accounts, example.com

dn: cn=accounts,dc=example,dc=com
objectClass: top
objectClass: nsContainer
cn: accounts

users, accounts, example.com

dn: cn=users,cn=accounts,dc=example,dc=com
objectClass: top
objectClass: nsContainer
cn: users

groups, accounts, example.com

dn: cn=groups,cn=accounts,dc=example,dc=com
objectClass: top
objectClass: nsContainer
cn: groups

services, accounts, example.com

dn: cn=services,cn=accounts,dc=example,dc=com
objectClass: top
objectClass: nsContainer
cn: services

computers, accounts, example.com

dn: cn=computers,cn=accounts,dc=example,dc=com
objectClass: top
objectClass: nsContainer
cn: computers

hostgroups, accounts, example.com

dn: cn=hostgroups,cn=accounts,dc=example,dc=com
objectClass: top
objectClass: nsContainer
cn: hostgroups

alt, example.com

dn: cn=alt,dc=example,dc=com
objectClass: nsContainer
objectClass: top
cn: alt

ng, alt, example.com

dn: cn=ng,cn=alt,dc=example,dc=com
objectClass: nsContainer
objectClass: top
cn: ng

automount, example.com

dn: cn=automount,dc=example,dc=com
objectClass: nsContainer
objectClass: top
cn: automount

default, automount, example.com

dn: cn=default,cn=automount,dc=example,dc=com
objectClass: nsContainer
objectClass: top
cn: default

auto.master, default, automount, example.com

dn: automountmapname=auto.master,cn=default,cn=automount,dc=example,dc=com
objectClass: automountMap
objectClass: top
automountMapName: auto.master

auto.direct, default, automount, example.com

dn: automountmapname=auto.direct,cn=default,cn=automount,dc=example,dc=com
objectClass: automountMap
objectClass: top
automountMapName: auto.direct

/- auto.direct, auto.master, default, automount, example.com

dn: description=/- auto.direct,automountmapname=auto.master,cn=default,cn=auto
mount,dc=example,dc=com
objectClass: automount
objectClass: top
automountKey: /-
automountInformation: auto.direct
description: /- auto.direct

hbac, example.com

dn: cn=hbac,dc=example,dc=com
objectClass: top
objectClass: nsContainer
cn: hbac

hbacservices, hbac, example.com

dn: cn=hbacservices,cn=hbac,dc=example,dc=com
objectClass: top
objectClass: nsContainer
cn: hbacservices

hbacservicegroups, hbac, example.com

dn: cn=hbacservicegroups,cn=hbac,dc=example,dc=com
objectClass: top
objectClass: nsContainer
cn: hbacservicegroups

sudo, example.com

dn: cn=sudo,dc=example,dc=com
objectClass: top
objectClass: nsContainer
cn: sudo

sudocmds, sudo, example.com

dn: cn=sudocmds,cn=sudo,dc=example,dc=com
objectClass: top
objectClass: nsContainer
cn: sudocmds

sudocmdgroups, sudo, example.com

dn: cn=sudocmdgroups,cn=sudo,dc=example,dc=com
objectClass: top
objectClass: nsContainer
cn: sudocmdgroups

sudorules, sudo, example.com

dn: cn=sudorules,cn=sudo,dc=example,dc=com
objectClass: top
objectClass: nsContainer
cn: sudorules

etc, example.com

dn: cn=etc,dc=example,dc=com
objectClass: nsContainer
objectClass: top
cn: etc

sysaccounts, etc, example.com

dn: cn=sysaccounts,cn=etc,dc=example,dc=com
objectClass: nsContainer
objectClass: top
cn: sysaccounts

ipa, etc, example.com

dn: cn=ipa,cn=etc,dc=example,dc=com
objectClass: nsContainer
objectClass: top
cn: ipa

replicas, ipa, etc, example.com

dn: cn=replicas,cn=ipa,cn=etc,dc=example,dc=com
objectClass: nsContainer
objectClass: top
cn: replicas

dna, ipa, etc, example.com

dn: cn=dna,cn=ipa,cn=etc,dc=example,dc=com
objectClass: nsContainer
objectClass: top
cn: dna

posix-ids, dna, ipa, etc, example.com

dn: cn=posix-ids,cn=dna,cn=ipa,cn=etc,dc=example,dc=com
objectClass: nsContainer
objectClass: top
cn: posix-ids

ca_renewal, ipa, etc, example.com

dn: cn=ca_renewal,cn=ipa,cn=etc,dc=example,dc=com
objectClass: nsContainer
objectClass: top
cn: ca_renewal

certificates, ipa, etc, example.com

dn: cn=certificates,cn=ipa,cn=etc,dc=example,dc=com
objectClass: nsContainer
objectClass: top
cn: certificates

s4u2proxy, etc, example.com

dn: cn=s4u2proxy,cn=etc,dc=example,dc=com
objectClass: nsContainer
objectClass: top
cn: s4u2proxy

admin, users, accounts, example.com

dn: uid=admin,cn=users,cn=accounts,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: posixaccount
objectClass: krbprincipalaux
objectClass: krbticketpolicyaux
objectClass: inetuser
objectClass: ipaobject
objectClass: ipasshuser
objectClass: ipaSshGroupOfPubKeys
uid: admin
cn: Administrator
sn: Administrator
uidNumber: 1113200000
gidNumber: 1113200000
homeDirectory: /home/admin
loginShell: /bin/bash
gecos: Administrator

admins, groups, accounts, example.com

dn: cn=admins,cn=groups,cn=accounts,dc=example,dc=com
objectClass: top
objectClass: groupofnames
objectClass: posixgroup
objectClass: ipausergroup
objectClass: ipaobject
objectClass: nestedGroup
cn: admins
description: Account administrators group
gidNumber: 1113200000
ipaUniqueID: 0efed57a-c05a-11e5-8991-0800274e83e6

ipausers, groups, accounts, example.com

dn: cn=ipausers,cn=groups,cn=accounts,dc=example,dc=com
objectClass: top
objectClass: groupofnames
objectClass: nestedgroup
objectClass: ipausergroup
objectClass: ipaobject
description: Default group for all users
cn: ipausers
ipaUniqueID: 0f037b20-c05a-11e5-a096-0800274e83e6

editors, groups, accounts, example.com

dn: cn=editors,cn=groups,cn=accounts,dc=example,dc=com
objectClass: top
objectClass: groupofnames
objectClass: posixgroup
objectClass: ipausergroup
objectClass: ipaobject
objectClass: nestedGroup
gidNumber: 1113200002
description: Limited admins who can edit other users
cn: editors
ipaUniqueID: 0f040018-c05a-11e5-89e5-0800274e83e6

ipaConfig, etc, example.com

dn: cn=ipaConfig,cn=etc,dc=example,dc=com
objectClass: nsContainer
objectClass: top
objectClass: ipaGuiConfig
objectClass: ipaConfigObject
objectClass: ipaUserAuthTypeClass
cn: ipaConfig

cosTemplates, accounts, example.com

dn: cn=cosTemplates,cn=accounts,dc=example,dc=com
objectClass: top
objectClass: nsContainer
cn: cosTemplates

selinux, example.com

dn: cn=selinux,dc=example,dc=com
objectClass: top
objectClass: nsContainer
cn: selinux

usermap, selinux, example.com

dn: cn=usermap,cn=selinux,dc=example,dc=com
objectClass: top
objectClass: nsContainer
cn: usermap

ranges, etc, example.com

dn: cn=ranges,cn=etc,dc=example,dc=com
objectClass: top
objectClass: nsContainer
cn: ranges

ca, example.com

dn: cn=ca,dc=example,dc=com
objectClass: nsContainer
objectClass: top
cn: ca

certprofiles, ca, example.com

dn: cn=certprofiles,cn=ca,dc=example,dc=com
objectClass: nsContainer
objectClass: top
cn: certprofiles

caacls, ca, example.com

dn: cn=caacls,cn=ca,dc=example,dc=com
objectClass: nsContainer
objectClass: top
cn: caacls

roles, accounts, example.com

dn: cn=roles,cn=accounts,dc=example,dc=com
objectClass: top
objectClass: nsContainer
cn: roles

pbac, example.com

dn: cn=pbac,dc=example,dc=com
objectClass: top
objectClass: nsContainer
cn: pbac

privileges, pbac, example.com

dn: cn=privileges,cn=pbac,dc=example,dc=com
objectClass: top
objectClass: nsContainer
cn: privileges

permissions, pbac, example.com

dn: cn=permissions,cn=pbac,dc=example,dc=com
objectClass: top
objectClass: nsContainer
cn: permissions

virtual operations, etc, example.com

dn: cn=virtual operations,cn=etc,dc=example,dc=com
objectClass: top
objectClass: nsContainer
cn: virtual operations

Managed Entries, etc, example.com

dn: cn=Managed Entries,cn=etc,dc=example,dc=com
objectClass: nsContainer
objectClass: top
cn: Managed Entries

Templates, Managed Entries, etc, example.com

dn: cn=Templates,cn=Managed Entries,cn=etc,dc=example,dc=com
objectClass: nsContainer
objectClass: top
cn: Templates

Definitions, Managed Entries, etc, example.com

dn: cn=Definitions,cn=Managed Entries,cn=etc,dc=example,dc=com
objectClass: nsContainer
objectClass: top
cn: Definitions

automember, etc, example.com

dn: cn=automember,cn=etc,dc=example,dc=com
objectClass: top
objectClass: nsContainer
cn: automember

topology, ipa, etc, example.com

dn: cn=topology,cn=ipa,cn=etc,dc=example,dc=com
objectClass: top
objectClass: nsContainer
cn: topology

Domain Level, ipa, etc, example.com

dn: cn=Domain Level,cn=ipa,cn=etc,dc=example,dc=com
objectClass: top
objectClass: nsContainer
objectClass: ipaDomainLevelConfig
objectClass: ipaConfigObject
cn: Domain Level

CAcert, ipa, etc, example.com

dn: cn=CAcert,cn=ipa,cn=etc,dc=example,dc=com
objectClass: nsContainer
objectClass: pkiCA
objectClass: top
cn: CAcert
cACertificate;binary:: MIIDjDCCAnSgAwIBAgIBATANBgkqhkiG9w0BAQsFADA2MRQwEgYDVQQ
KDAtFWEFNUExFLkNPTTEeMBwGA1UEAwwVQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB4XDTE2MDEyMTE2
MTYxOFoXDTM2MDEyMTE2MTYxOFowNjEUMBIGA1UECgwLRVhBTVBMRS5DT00xHjAcBgNVBAMMFUNlc
nRpZmljYXRlIEF1dGhvcml0eTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAM3XSY1AQW
481hWV7MFfqyWSjfZVmcQ52cOxFxVyynsUU1/6U0X2x6ztJgGmsnQLH7ahnUFYGAqVQfIqoQhSsOV
HSThFQXYI7qQvAba6ZB7o6CSPQiu/UbhaP92kK1FM5fu8H3ioy3YUhFJ+4DgpYbh6dOsf+/sOx2qN
yn+E8bu7JH5PplNX26uOn3GS+u13l3P5hci0QjVLFv0mM0B40P271wSLQmOaoNcRKV57WHjcJBN/H
1zOU9w6cX80IIcwqqUO4fe4UoAvsRy9oziYEppC/MgeONpclc17TT+dOzbeK2KWYyO1GxS/d0wZ/u
fvYYAzNWww2T1Z8F08C0qOpMsCAwEAAaOBpDCBoTAfBgNVHSMEGDAWgBR5AHhFCq2bln2HSkXbM5v
9Rv9wMTAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBxjAdBgNVHQ4EFgQUeQB4RQqtm5Z9
h0pF2zOb/Ub/cDEwPgYIKwYBBQUHAQEEMjAwMC4GCCsGAQUFBzABhiJodHRwOi8vaXBhNy5leGFtc
GxlLmNvbTo4MC9jYS9vY3NwMA0GCSqGSIb3DQEBCwUAA4IBAQA/V3FNODzCEsDHe3msGfpoJpot7X
ZxtaHYf/Alia98gXNY013h6EfwZUVHkWkX5LQkW0KM69E1+gsALm1m7B73UQlHYlEJU/qPyYeKTwS
8hqqpG2I84pF9Nfm2wStV782gpfpDqOtRbem4OTbqv6eNmap2CNRWf217QjtdooiWTlPr4Vng4l2C
kcX/u/ZuQx9qh9yM6+u2B7YwAf9CT3JNlT3ZKGIbtRCyPiWhiuVZmtAAdgPuScOnk2+6jrUCtcmMr
WwoY0RAmEZcFEhuj1ytFze2mX+4W0eQn4NZkU0w3Q18htg8C4fAo4X1fibmhWeOiwrsuW4u7CNAXP
wGGOLC

EXAMPLE.COM IPA CA, certificates, ipa, etc, example.com

dn: cn=EXAMPLE.COM IPA CA,cn=certificates,cn=ipa,cn=etc,dc=example,dc=com
ipaKeyExtUsage: 1.3.6.1.5.5.7.3.1
ipaKeyExtUsage: 1.3.6.1.5.5.7.3.2
ipaKeyExtUsage: 1.3.6.1.5.5.7.3.3
ipaKeyExtUsage: 1.3.6.1.5.5.7.3.4
cn: EXAMPLE.COM IPA CA
objectClass: ipaCertificate
objectClass: pkiCA
objectClass: ipaKeyPolicy
objectClass: top
ipaCertSubject: CN=Certificate Authority,O=EXAMPLE.COM
ipaPublicKey:: MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzddJjUBBbjzWFZXswV+
rJZKN9lWZxDnZw7EXFXLKexRTX/pTRfbHrO0mAaaydAsftqGdQVgYCpVB8iqhCFKw5UdJOEVBdgju
pC8BtrpkHujoJI9CK79RuFo/3aQrUUzl+7wfeKjLdhSEUn7gOClhuHp06x/7+w7Hao3Kf4Txu7skf
k+mU1fbq46fcZL67XeXc/mFyLRCNUsW/SYzQHjQ/bvXBItCY5qg1xEpXntYeNwkE38fXM5T3Dpxfz
QghzCqpQ7h97hSgC+xHL2jOJgSmkL8yB442lyVzXtNP507Nt4rYpZjI7UbFL93TBn+5+9hgDM1bDD
ZPVnwXTwLSo6kywIDAQAB
cACertificate;binary:: MIIDjDCCAnSgAwIBAgIBATANBgkqhkiG9w0BAQsFADA2MRQwEgYDVQQ
KDAtFWEFNUExFLkNPTTEeMBwGA1UEAwwVQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB4XDTE2MDEyMTE2
MTYxOFoXDTM2MDEyMTE2MTYxOFowNjEUMBIGA1UECgwLRVhBTVBMRS5DT00xHjAcBgNVBAMMFUNlc
nRpZmljYXRlIEF1dGhvcml0eTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAM3XSY1AQW
481hWV7MFfqyWSjfZVmcQ52cOxFxVyynsUU1/6U0X2x6ztJgGmsnQLH7ahnUFYGAqVQfIqoQhSsOV
HSThFQXYI7qQvAba6ZB7o6CSPQiu/UbhaP92kK1FM5fu8H3ioy3YUhFJ+4DgpYbh6dOsf+/sOx2qN
yn+E8bu7JH5PplNX26uOn3GS+u13l3P5hci0QjVLFv0mM0B40P271wSLQmOaoNcRKV57WHjcJBN/H
1zOU9w6cX80IIcwqqUO4fe4UoAvsRy9oziYEppC/MgeONpclc17TT+dOzbeK2KWYyO1GxS/d0wZ/u
fvYYAzNWww2T1Z8F08C0qOpMsCAwEAAaOBpDCBoTAfBgNVHSMEGDAWgBR5AHhFCq2bln2HSkXbM5v
9Rv9wMTAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBxjAdBgNVHQ4EFgQUeQB4RQqtm5Z9
h0pF2zOb/Ub/cDEwPgYIKwYBBQUHAQEEMjAwMC4GCCsGAQUFBzABhiJodHRwOi8vaXBhNy5leGFtc
GxlLmNvbTo4MC9jYS9vY3NwMA0GCSqGSIb3DQEBCwUAA4IBAQA/V3FNODzCEsDHe3msGfpoJpot7X
ZxtaHYf/Alia98gXNY013h6EfwZUVHkWkX5LQkW0KM69E1+gsALm1m7B73UQlHYlEJU/qPyYeKTwS
8hqqpG2I84pF9Nfm2wStV782gpfpDqOtRbem4OTbqv6eNmap2CNRWf217QjtdooiWTlPr4Vng4l2C
kcX/u/ZuQx9qh9yM6+u2B7YwAf9CT3JNlT3ZKGIbtRCyPiWhiuVZmtAAdgPuScOnk2+6jrUCtcmMr
WwoY0RAmEZcFEhuj1ytFze2mX+4W0eQn4NZkU0w3Q18htg8C4fAo4X1fibmhWeOiwrsuW4u7CNAXP
wGGOLC
ipaKeyTrust: trusted
ipaCertIssuerSerial: CN=Certificate Authority,O=EXAMPLE.COM;1
ipaConfigString: compatCA
ipaConfigString: ipaCA

kerberos, example.com

dn: cn=kerberos,dc=example,dc=com
objectClass: krbContainer
objectClass: top
cn: kerberos

EXAMPLE.COM, kerberos, example.com

dn: cn=EXAMPLE.COM,cn=kerberos,dc=example,dc=com
cn: EXAMPLE.COM
objectClass: top
objectClass: krbrealmcontainer
objectClass: krbticketpolicyaux

anonymous-limits, etc, example.com

dn: cn=anonymous-limits,cn=etc,dc=example,dc=com
objectClass: nsContainer
objectClass: top
cn: anonymous-limits

profile, example.com

dn: ou=profile,dc=example,dc=com
objectClass: top
objectClass: organizationalUnit
ou: profiles
ou: profile

default, profile, example.com

dn: cn=default,ou=profile,dc=example,dc=com
defaultServerList: ipa7.example.com
defaultSearchBase: dc=example,dc=com
objectClass: top
objectClass: DUAConfigProfile
serviceSearchDescriptor: passwd:cn=users,cn=accounts,dc=example,dc=com
serviceSearchDescriptor: group:cn=groups,cn=compat,dc=example,dc=com
searchTimeLimit: 15
followReferrals: TRUE
objectclassMap: shadow:shadowAccount=posixAccount
bindTimeLimit: 5
authenticationMethod: none
cn: default

provisioning, example.com

dn: cn=provisioning,dc=example,dc=com
objectClass: nsContainer
objectClass: top
cn: provisioning

accounts, provisioning, example.com

dn: cn=accounts,cn=provisioning,dc=example,dc=com
objectClass: nsContainer
objectClass: top
cn: accounts

staged users, accounts, provisioning, example.com

dn: cn=staged users,cn=accounts,cn=provisioning,dc=example,dc=com
objectClass: nsContainer
objectClass: top
cn: staged users

deleted users, accounts, provisioning, example.com

dn: cn=deleted users,cn=accounts,cn=provisioning,dc=example,dc=com
objectClass: nsContainer
objectClass: top
cn: deleted users

retrieve certificate, virtual operations, etc, example.com

dn: cn=retrieve certificate,cn=virtual operations,cn=etc,dc=example,dc=com
objectClass: nsContainer
objectClass: top
cn: retrieve certificate

request certificate, virtual operations, etc, example.com

dn: cn=request certificate,cn=virtual operations,cn=etc,dc=example,dc=com
objectClass: nsContainer
objectClass: top
cn: request certificate

request certificate different host, virtual operations, etc, example.com

dn: cn=request certificate different host,cn=virtual operations,cn=etc,dc=exam
ple,dc=com
objectClass: nsContainer
objectClass: top
cn: request certificate different host

certificate status, virtual operations, etc, example.com

dn: cn=certificate status,cn=virtual operations,cn=etc,dc=example,dc=com
objectClass: nsContainer
objectClass: top
cn: certificate status

revoke certificate, virtual operations, etc, example.com

dn: cn=revoke certificate,cn=virtual operations,cn=etc,dc=example,dc=com
objectClass: nsContainer
objectClass: top
cn: revoke certificate

certificate remove hold, virtual operations, etc, example.com

dn: cn=certificate remove hold,cn=virtual operations,cn=etc,dc=example,dc=com
objectClass: nsContainer
objectClass: top
cn: certificate remove hold

request certificate with subjectaltname, virtual operations, etc, example.com
dn: cn=request certificate with subjectaltname,cn=virtual operations,cn=etc,dc
=example,dc=com
objectClass: nsContainer
objectClass: top
cn: request certificate with subjectaltname

request certificate ignore caacl, virtual operations, etc, example.com

dn: cn=request certificate ignore caacl,cn=virtual operations,cn=etc,dc=exampl
e,dc=com
objectClass: nsContainer
objectClass: top
cn: request certificate ignore caacl

otp, example.com

dn: cn=otp,dc=example,dc=com
objectClass: nsContainer
objectClass: top
cn: otp

radiusproxy, example.com

dn: cn=radiusproxy,dc=example,dc=com
objectClass: nsContainer
objectClass: top
cn: radiusproxy

Realm Domains, ipa, etc, example.com

dn: cn=Realm Domains,cn=ipa,cn=etc,dc=example,dc=com
objectClass: nsContainer
objectClass: top
objectClass: domainRelatedObject
cn: Realm Domains

trust admins, groups, accounts, example.com

dn: cn=trust admins,cn=groups,cn=accounts,dc=example,dc=com
cn: trust admins
objectClass: top
objectClass: ipaobject
objectClass: groupofnames
objectClass: ipausergroup
objectClass: nestedgroup
description: Trusts administrators group
ipaUniqueID: fcbcbe0c-c05b-11e5-9497-0800274e83e6

trusts, example.com

dn: cn=trusts,dc=example,dc=com
objectClass: nsContainer
objectClass: top
cn: trusts

views, accounts, example.com

dn: cn=views,cn=accounts,dc=example,dc=com
objectClass: nsContainer
objectClass: top
cn: views

rlaing, users, accounts, example.com

dn: uid=rlaing,cn=users,cn=accounts,dc=example,dc=com
displayName: richard laing
uid: rlaing
objectClass: ipaobject
objectClass: person
objectClass: top
objectClass: ipasshuser
objectClass: inetorgperson
objectClass: organizationalperson
objectClass: krbticketpolicyaux
objectClass: krbprincipalaux
objectClass: ipauser
objectClass: inetuser
objectClass: posixaccount
objectClass: ipaSshGroupOfPubKeys
objectClass: mepOriginEntry
objectClass: ipauserauthtypeclass
loginShell: /bin/sh
initials: rl
gecos: richard laing
sn: laing
homeDirectory: /home/rlaing
givenName: richard
cn: richard laing
uidNumber: 1113200001
gidNumber: 1113200001

rlaing, groups, accounts, example.com

dn: cn=rlaing,cn=groups,cn=accounts,dc=example,dc=com
objectClass: posixgroup
objectClass: ipaobject
objectClass: mepManagedEntry
objectClass: top
cn: rlaing
gidNumber: 1113200001
description: User private group for rlaing
mepManagedBy: uid=rlaing,cn=users,cn=accounts,dc=example,dc=com
ipaUniqueID: cfc71d1e-c05d-11e5-a5ed-0800274e83e6

search result

search: 2
result: 0 Success

numResponses: 91

numEntries: 90


(Jeff Anderson) #8

You have a few groups in that output. If you wanted the cn=admins,cn=groups,cn=compat,dc=example,dc=com group to be the DTR admin group, you’d put cn=admins,cn=groups,cn=compat,dc=example,dc=com into the “Admin LDAP DN” field. That object has two entries with memberUid, so you would put memberUid into the “Admin Group Member Attribute” field.

/Jeff
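
To answer the "how should I query the server" question from post #3 using the kind of output posted in #7, here is an added example (not DTR's or FreeIPA's code) that parses ldapsearch LDIF and, for a chosen group, reports the attribute its members are listed under and whether a given user is in it. SAMPLE_LDIF is a constructed excerpt: the cn=admins compat group copied from the output above, Jeff's memberUid-as-DN group from post #6, and an invented groupOfNames (cn=registry-admins, with a made-up description) to cover the third common layout, where members are full DNs under member. The membership check accepts either a bare login name or a full DN, because both forms appear in this thread, and it compares DNs case-insensitively with the whitespace after commas removed.

```python
from __future__ import annotations

import base64
from collections import defaultdict

Entry = dict[str, list[str]]
# Attributes a group may list its members under, in the order worth trying.
MEMBER_ATTRIBUTES = ("member", "uniqueMember", "memberUid")


def parse_ldif(text: str) -> dict[str, Entry]:
    """Parse ldapsearch output into {dn: {attr: [values]}}: '#' comments are
    skipped, a line starting with one space continues the previous one, and
    'attr:: value' is base64 (ipaAnchorUUID above). Attribute names are
    lower-cased because LDAP compares them case-insensitively."""
    unfolded: list[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    entries: dict[str, Entry] = {}
    dn, current = None, None
    for line in unfolded + [""]:  # the trailing "" flushes the last entry
        if not line.strip():
            if dn is not None:
                entries[dn] = dict(current)
            dn, current = None, None
            continue
        if line.startswith("#"):
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        if attr.lower() == "dn":
            dn, current = value, defaultdict(list)
        elif current is not None:
            current[attr.strip().lower()].append(value)
    return entries


def normalize_dn(dn: str) -> str:
    """Case-fold and drop spaces after commas so two spellings of one DN match."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def member_attribute(group: Entry) -> str | None:
    """The attribute the group lists members under: DTR's "Admin Group Member Attribute"."""
    for name in MEMBER_ATTRIBUTES:
        if group.get(name.lower()):
            return name
    return None


def is_member(group: Entry, user_dn: str, login_value: str) -> bool:
    """True if the group lists the user by full DN (groupOfNames 'member', or a
    memberUid holding a DN as in Jeff's example) or by bare login name
    ('memberUid: rlaing' in the compat tree above)."""
    attr = member_attribute(group)
    if attr is None:
        return False
    wanted = {normalize_dn(user_dn), login_value.lower()}
    return any(normalize_dn(v) in wanted for v in group[attr.lower()])


SAMPLE_LDIF = """\
# admins, groups, compat, example.com  (copied from the output above)
dn: cn=admins,cn=groups,cn=compat,dc=example,dc=com
ipaAnchorUUID:: OklQQTpleGFtcGxlLmNvbTowZWZlZDU3YS1jMDVhLTExZTUtODk5MS0wODAwMj
 c0ZTgzZTY=
memberUid: admin
memberUid: rlaing
objectClass: posixGroup
cn: admins

# sysadmins, Groups, test.com  (Jeff's example: memberUid holding DNs)
dn: cn=sysadmins,ou=Groups,dc=test,dc=com
objectClass: posixGroup
cn: sysadmins
memberUid: uid=bob,ou=Users,dc=test,dc=com
memberUid: uid=alice,ou=Users,dc=test,dc=com

# registry-admins, Groups, test.com  (invented groupOfNames using 'member')
dn: cn=registry-admins,ou=Groups,dc=test,dc=com
objectClass: groupOfNames
cn: registry-admins
member: uid=Alice, ou=Users,dc=test,dc=com
description:: UmVnaXN0cnkgYWRtaW5z
"""

GROUPS = parse_ldif(SAMPLE_LDIF)


def admin_settings(group_dn: str) -> tuple[str, str | None]:
    """DTR's two fields for a chosen group: "Admin LDAP DN" and its member attribute."""
    return group_dn, member_attribute(GROUPS[group_dn])
```

Against a live server the same entry comes from ldapsearch with -b set to the group DN and -s base; feed that output to parse_ldif. Note that the FreeIPA output above contains cn=admins twice, once under cn=compat as a posixGroup with memberUid values and once under cn=accounts as a groupOfNames whose member values are not shown in that output, so the DN entered in "Admin LDAP DN" and the attribute in "Admin Group Member Attribute" have to come from the same copy, which is what the answer above does.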


(Qmay) #9

Jeff, thanks for the description of the DTR authentication process. Q: why are you binding to LDAP twice; why not just bind with the user who is signing in? I’ve done many LDAP integrations & have never had to bind more than once.

The reason I came across this post is because my company is evaluating DTR and we’re facing a challenge with the LDAP integration. We have many LDAP servers all named by the same load balancer. I’ve integrated many products & in-house applications with LDAP and have never run into an issue getting LDAP authentication working. I’m wondering if the double bind might be causing an issue.


(Jeff Anderson) #10

So, the two-bind behavior really only happens during the “Test User” process. Once you have saved all the settings, it will do its LDAP sync process, where it binds as the search user and then queries the LDAP server for all users that might be able to log in. Once the sync is done, a user logging in will only result in a bind of their user to the LDAP server.

This way the DTR server does some validation around whether a user actually exists before attempting the bind with that user.