Random question: How long do you have to have been working at the Home Depot to have a 6 character LDAP? Ex: ABC123
👍 3 · 📅 Jan 06 2022

LDAP

Anyone else have a LDAP in an EA? I get envious reading all these posts where you get to get together with APs. I just want to be able to spend time with him, touch him, have sex! We’ve only met once and outside of kissing nothing else physical happened but it was a wonderful day. I want to feel that again!

👍 9 · 👤 u/chellechelle123 · 📅 Jan 15 2022

Mocking an LDAP server?

Is there any way I can mock an LDAP auth server for my unit tests?

Perhaps like miniredis is for redis db?

👍 5 · 👤 u/mob_anon · 📅 Jan 10 2022

Synapse & LDAP

I love the idea behind matrix but I'm struggling to get into the game, hoping you all can help!!

I have a synapse server working (at least I have the "it's working" page) & I have an existing (small) LDAP that I would like to use to authenticate to matrix. I've modified the existing LDAP config info in `homeserver.yaml` but when trying to login with LDAP credentials (cn as username & password) I just get a warning about bad credentials :(

If there are any logs/debug info I'd be happy to post them, but I'd need to find them first!

Also, do I have to create an account or does Synapse import those from LDAP? I've seen both approaches in other web services but I'm not having much luck finding documentation on logging in with LDAP. I've been using https://github.com/matrix-org/matrix-synapse-ldap3 since that's the official repo but there's also a 3rd party one, https://github.com/ma1uta/ma1sd/blob/master/docs/getting-started.md, that I haven't tried yet; not sure if it'll be easier to get working?

I'm using synapse as the server & Element as the client.

👍 8 · 📅 Jan 09 2022

How many ${jndi:ldap://.../} requests do you already have in your logs?

As you may have already heard there's a new Zero-Day exploit for log4j: Zero-Day RCE Vulnerability CVE-2021-44228 and a lot of discussion around it.

Out of curiosity, how many exploit attempts do you already have in your webserver logs?

I currently have only one with the payload in the user-agent. However, I suspect I would have a lot more if I didn't use a geo ip blocklist which blocks nearly all but my home country and a never expiring fail2ban block list with around 1000 blocked hosts on it already.

Was your home server already targeted?

👍 63 · 👤 u/das_Keks · 📅 Dec 11 2021

Querying for any outbound LDAP calls destined for the Internet?

Hi everyone. I hope all is well.

Are you guys running any specific queries to get visibility within Falcon for any outbound LDAP calls destined for the Internet?

Any help is greatly appreciated!

Thank you

👍 13 · 👤 u/thegoodguy- · 📅 Dec 13 2021

migrating LDAP to a new server -> Key/data pair already exists (when importing the DB)

I have an old Ubuntu 14.04 with slapd (v2.4.31) that I want to migrate to a Debian 11 (slapd v2.4.57).

The new server is just a clean install. I just basically did "apt install slapd".

So in the old server

# slapcat -n 0 -l conf.ldif
# slapcat -n 1 -l db.ldif

I scp those over to the new server, log in there, and prep stuff

$ sudo bash
# mv *.ldif /etc/ldap/
# cd /etc/ldap/
# service slapd stop
# mv slapd.d/ slapd.d.original

# mkdir slapd.d
# chown openldap.openldap slapd.d

Then I try the conf

# (apparently i must/can not use -n0 here)
# slapadd -F /etc/ldap/slapd.d/ -b cn=config -l conf.ldif
_#################### 100.00% eta   none elapsed            none fast!         
Closing DB...

Ok, that seems to work fine.
Next the db (and here I have tried various versions of -F/-f/-n and such)

# slapadd -F /etc/ldap/slapd.d/ -n1 -l db.ldif
61d47e15 => hdb_tool_entry_put: id2entry_add failed: BDB0067 DB_KEYEXIST: Key/data pair already exists (-30994)
61d47e15 => hdb_tool_entry_put: txn_aborted! BDB0067 DB_KEYEXIST: Key/data pair already exists (-30994)
slapadd: could not add entry dn="dc=whetever,dc=se" (line=1): txn_aborted! BDB0067 DB_KEYEXIST: Key/data pair already exists (-30994)
_                       0.07% eta        elapsed            none spd 635.1 k/s 
Closing DB...

Any hints please? :)

👍 7 · 👤 u/pirx242 · 📅 Jan 04 2022

Little JNDI LDAP
👍 132 · 👤 u/kev6261337 · 📅 Dec 11 2021

Prisma Access with Okta + LDAP Group Mappings

I've been battling with Prisma Access and Group Mappings so that we can use AD groups for filtering for users whether they're on-prem or working remotely.

We have an on-prem firewall with GP configured using Okta & LDAP Group Mappings which works fine, but with Prisma Access it never seems to pick up any groups, nor does it add the domain to my username after I've connected (group mapping is set to override user domain as Okta does not pass this across).

Has anyone set their Prisma environment up in a similar way and if so, are there any kinks I need to tweak to make this work? Happy to send screenshots if requested also :)

RESOLVED
Within Okta we needed to add a new attribute to pass over the domain\samaccount name for the firewalls to match.

"yourdomain" + toLowerCase(active_directory_xxxx.samAccountName)

👍 2 · 👤 u/Olivanders1989 · 📅 Jan 04 2022

LDAPS - What certificate does it use?

Probably seems like a straightforward question that a simple Google would find me an answer to but sadly, that doesn't appear to be the case and I get conflicting information.

When using LDAPS, which certificate does it choose? Microsoft says it chooses the certificate in the Computer's Personal Store, but others say it prioritises certificates in the Services Personal Store. So which is it? Or is it any of them?

Losing the will to live. Windows is not my area of expertise.

👍 7 · 👤 u/crag92 · 📅 Jan 14 2022

LDAP options?

I have a very ancient OpenLDAP installation which I am trying to replace.

I have tried using FreeIPA, however the high POSIX id ranges it uses by default don't work with the user id mappings for unprivileged containers in Proxmox. I don't want to start tinkering with the Proxmox side of things. Although I can add a lower range in FreeIPA, it seems to keep using the initial range until that is exhausted (at the current rate that will be around 3000 years from now).

I have no requirement to support Microsoft Active Directory. My use-case is:

  • provide authentication on Linux hosts
  • allow user to change their own passwords
  • very simple user interface for the admins and helpdesk
  • replication and sudo configuration would be nice

I don't need scalability. I need simple.

If it weren't for the range mapping thing FreeIPA would probably have been OK.

Is there a solution to the FreeIPA issue? Are there other products worth considering which you are currently using with Proxmox containers?

---- updated ----

Just setting --idstart / --idmax to a safe range caused a conflict with the values in /etc/login.defs. I was able to amend the range there, but the install script failed trying to restart chrony - even though I'd told it not to use NTP on both an AlmaLinux image and the "official" docker image.

I then went with a full AlmaLinux VM... and managed to get FreeIPA installed - but it's still causing a lot of pain.

👍 18 · 👤 u/symcbean · 📅 Dec 24 2021

Please help troubleshoot: program only runs with local account, not LDAP account

As with most things, in our hour of need we turn to Reddit...

One of the things I ended up with responsibility for - in an it's-not-a-Windows-laptop-so-it-must-be-my-problem kind of way - is a compute cluster running CentOS 7. Pretty simple design: there's a bunch of nodes that live on a private network, there's a headnode that runs some services like OpenLDAP, DNS and DHCP plus a scheduler, and there's a login node that users connect to.

A few days ago, for the first time in ages, I was able to run yum update on everything and reboot it all. Everything seemed to be working fine. Except one application no longer works... for LDAP users. The application is a CFD simulation package called Star CCM+.

I've spent a ton of time on trying to troubleshoot this. I at first thought it would be something like firewall rules, or a problem with the NFS server that software was installed on, or DNS to the license server. Except, all of these things work just fine and every other application (that I've tested so far anyway) is fine too. What I eventually deduced was that I could run the application as root, but not as a regular user with an LDAP account. I then created a local, non-admin account and it could also run Star CCM+.

Basically, the output looks like this, slightly redacted:

[testuser@login ~]$ /opt/Siemens/15.04.010-R8/STAR-CCM+15.04.010-R8/star/bin/starccm+ -power -podkey blahblah -licpath 1234@licserver -rsh ssh -batch input.sim

Starting local server: /opt/Siemens/15.04.010-R8/STAR-CCM+15.04.010-R8/star/bin/starccm+ -power -podkey blahblah -licpath 1234@licserver -server input.sim

Serial process 23184

Simcenter STAR-CCM+ 2020.2.1 Build 15.04.010 (linux-x86_64-2.12/gnu7.1-r8)

(This is where it hangs for LDAP users, local accounts continue as below)

License build date: 23 January 2020

This version of the code requires license version 2020.06 or greater.

Checking license file: 1234@licserver

1 copy of ccmppower checked out from 1234@licserver

Feature ccmppower expires in a long time

I'm really clutching at straws because nobody else is about for the next week or two and I can't think of anything else to troubleshoot. I don't get an error message. I don't get any other kind of output to tell me what the problem is. I've tried restarting slapd and nslcd and a bunch of other things including the login node etc. On the compute nodes in the private address space that users would never connect to, I can run the application as root, but not

👍 2 · 👤 u/ImmediatePain5407 · 📅 Dec 26 2021

Sex and LDAP

I'm not sure how to approach the topic of sex with a potential LDAP. I'm pretty sure sex is expected during the first meetup, but I'm hesitant because that will be our first time meeting each other in person. I'm not sure how I will feel when I'm face to face with this person but I also don't want to waste his money and time if he travels but I don't want to have sex. I also don't want to directly say this as I know it might discourage him from wanting to meet up. We've known each other for a few months.

👍 5 · 📅 Dec 28 2021

LDAP and Kerberos at home for NFS?

First the questions, details afterwards: In a (small) home network, is it worth introducing an LDAP and/or Kerberos server for secure and easy usage of NFS? If so, what is the best approach?

Currently, my main home network mainly consists of one desktop PC and a laptop, a Synology NAS, a Raspberry Pi as a DNS and OpenVPN server, and an Internet/Wi-Fi router. In addition, there are a media player (NVIDIA Shield) and some Android phones in this subnet, and the Jellyfin media server is running on the NAS. Other devices that only need internet access are in another subnet. In future, I will get one or two additional desktop PCs or another/different NAS, but in general the main subnet will not grow a lot.

I mainly use Linux so I access data on the NAS using NFS. Currently I use NFSv3, so I have two issues with that:

  1. All user IDs and group IDs need to be synced by hand. With the low number of machines, it's certainly doable but an automatic approach would be nice.
  2. The access to the NFS data is not secure. While I tried to exclude the devices that should not have access to the NFS server by IP address, one rogue device within the dedicated IP range could just get access to everything.

If I understand it correctly, issue 1 could be solved by using an LDAP server. Here, user and group IDs are stored so they are automatically in sync. Issue 2 could be solved by using NFSv4 and Kerberos. While an LDAP server seems easy to set up, Kerberos seems to be more complicated, and making both work together is even more difficult... My idea would be to have both services also running on the Raspberry Pi.

So what do you think, is LDAP/Kerberos worth the effort in my case? If so, how exactly? How do I integrate one service into the other? While I found several guides, it's hard for me to assess what would be the best approach in my case.

Thanks a lot for your input.

👍 2 · 👤 u/nablas · 📅 Jan 01 2022

KB5008380 and LSASS/LDAP issues?

We had issues with the Nov patch on our W2K16 DCs and backed it out. We didn't do the OOB, but we were assured that Dec would have it, so we just waited until Dec. We installed the Dec patch and had the following symptoms:

  • LSASS private working set went through the roof on all DCs. Normally 3-4 GB, post patch it climbed to 28 GB in 4 hours and was still climbing
  • 115k+ 35/36/37 KRB Warnings on the DCs, for every account/computer in the domain
  • ATQ LDAP Handles on the DCs (normally < 10) consumed all available resources, spiking to 90+ and making the DC unresponsive
  • LDAP Client Sessions, normally ~300, climbed to 900+ on all DCs
  • LDAP "stickiness", where we'd reboot a DC and it would suddenly take all LDAP traffic, even though the DNS weights/priority are all the same.

Note, the traffic in the site did not change, the clients were all patched, the DCs were the last thing to be patched. We had to back out the Dec patch to get functionality back, authentication was failing all over the site, from LDAP to KCD.

Has anyone else seen anything like this?

👍 4 · 👤 u/macallen · 📅 Jan 04 2022

LDAPS using local AD cert instead of cert from CA

Just had a strange thing happen today. We had one of our DCs receive a new cert issued from our local PKI server from our local domain. (The old one expired.) When this happened it broke some applications on other servers that were using that DC for LDAPS. For some reason it would only use the cert issued from our PKI server instead of the public CA cert we were using with other servers to authenticate to LDAPS. I checked in Certificates > Service Accounts > ADDS in the Personal store and there were no certificates listed there. (I know if there are any there that it will use those instead of the ones stored in the local computer cert store.)

I had to disable the local cert issued by our local PKI to fix the issue and get LDAPS to use the CA cert instead of our locally issued PKI cert. We have never had this happen in the past, first time seeing it. Anyone else ever had this happen?

👍 2 · 👤 u/Mycroftof9x · 📅 Jan 04 2022

Using LDAP vs NPS/Radius with 9800 WLC

Hey there. I was wondering if it is still state of the art to use Radius Authentication against an NPS server and Active Directory, or should I use LDAP authentication to authenticate directly to AD and get rid of NPS.

I haven't really found any information on this in terms of stability/security. Most network engineers I talked to still use Radius and NPS and would not even consider using LDAP directly on the WLC.

👍 9 · 👤 u/KnownTumbleweed · 📅 Dec 18 2021

Please don't name your phone ${jdni:ldap://yoursite/}

Courtesy of The Register; h/t to XKCD 327

👍 52 · 👤 u/PerviouslyInER · 📅 Dec 14 2021

MVP Launch of LLDAP, a light LDAP server for user management!

Hi everyone!

After posting a while ago asking if people were interested in a simple, light LDAP server to manage their users, I got an overwhelming YES! from the community! That was encouraging, so I got coding, and here I am a few months later with an MVP launch of the product: https://github.com/nitnelave/lldap

It's a simple user management webapp (SPA) with users and groups, that comes with a basic read-only LDAP server. That means you can plug in your Jellyfin, your Nextcloud, your Authelia or even your Keycloak and they will use this as the source of truth for your users!

Screenshot of the user management page

Note that this is a Minimum Viable Product, and as such it implements only the very basic features. The roadmap can be found here: https://github.com/nitnelave/lldap/projects/2, starting with allowing a password change through LDAP to reset the passwords via Authelia/Keycloak/other and allowing a password reset through email (currently only the admin can change your password if you forgot it).

If you find any bugs, feel free to create an issue on GitHub.

You can install it via docker (easiest) or run it directly from source, the instructions are in the README.

Feel free to join us on Discord, and follow me on Twitter for updates on the project!

For those who already tried the server before the MVP release: >!The password hashing scheme was slightly changed to speed up logging in, which has the unfortunate consequence that all passwords are now invalid, including the admin one. Either delete the DB (`rm users.db`) or, using SQLite, delete the admin user (`DELETE FROM users WHERE id = "admin";`).!<

👍 263 · 👤 u/nitnelave · 📅 Oct 19 2021

How to migrate Windows Active Directory to LDAP?

I'm trying to help an organization switch to Linux from Windows, however I want to help them know how to migrate Active Directory users and files to an LDAP-based environment.

Does anyone know any guides or programs that can help?

👍 3 · 👤 u/Titanmaniac679 · 📅 Jan 09 2022

Help - MacBook profile/login through Google Secure LDAP

Hello,

I've been tasked with figuring out whether or not it is possible to access our work MacBooks through our Google login credentials (we have the enterprise/premium version of Google Workspace) instead of having just a regular profile. We are trying to do this to slim down on the amount of account details my colleagues need to keep track of, and as an attempt to make things a little safer (the ability to remotely change the password of the computer is pretty important here).

I learned about the Google Secure LDAP service and followed the steps in their documentation. While everything seems to work according to the troubleshooting in the guide, I have absolutely no clue how to get the part where you actually have a user logging in to work. Adding profiles doesn't really do anything other than the default stuff.

In all honesty, I'm not that knowledgeable about all this stuff, so maybe I'm not doing what I think I'm doing...

Even if I get the above to work, I still need to figure out a way to remotely push software or wipe the entire computer clean, if possible without forcing the users to have an AppleID. Currently we do this through Cisco Meraki (making use of Apple VPP for the software licenses) but this is a pretty mediocre solution at best (we often have issues with this software).

I'm aware there are a lot of MDM solutions out there, but most of them (like JAMF for example) are just too expensive for us (we're managing about 30 laptops and a few iPads here + spares). I learned about the SimpleMDM + Munki combo, which sounds promising (might do what we want, costs $2.5 per device per month), but I'm not 100% sure.

Any help or more educated opinions (compared to mine) are very welcome. If the Secure LDAP way isn't possible or way too hard to get to work properly, I need to be able to make a case as to why, for example, SimpleMDM would be a much better solution. :)

If this is too much of a ramble, I'd gladly clarify things if needed.

Thanks in advance!

👍 4 · 👤 u/Sypheroo · 📅 Dec 15 2021

Me when the LDAP ):
👍 22 · 👤 u/MLG5006 · 📅 Dec 16 2021

Keycloak users out there, how do you use Keycloak with apps that require LDAP?

I've grown quite tired of how painful it is to manage my LDAP server with multi-master replication. Currently I'm running osixia/openldap, with a wheelybird/ldap-user-manager frontend to manage users, all hosted on my Kubernetes cluster. Eventually, I'm looking to migrate to nitnelave/lldap as it seems way tidier as a containerized app.

Recently, I've started dabbling in Keycloak and Authentik. I've given up on the latter as it's a little too convoluted for my use cases. Keycloak seems promising but I haven't found out how I can use it as an LDAP replacement. I've read about LDAP federation, which still requires an LDAP server (which I don't mind trying if it relieves the part on manual tinkering with LDAP servers).

My question here is, if you use Keycloak, how do you interface apps that require LDAP with it?

Examples:

  • Vaultwarden
  • Nextcloud (I know SAML is available)
  • Home-assistant

👍 11 · 👤 u/ikaruswill · 📅 Dec 10 2021

Me when the JNDI:LDAP
👍 98 · 👤 u/MLG5006 · 📅 Dec 16 2021

LDAP Federation and Attribute Formats

Our user database within Keycloak here comes from a corporately managed LDAP instance, where HR systems etc. all output to manage the millions of employees.

All of that works well, except that some of the systems will create users where their Firstname and Lastname attributes are all caps. It's not a majority, but when those attributes are used by some of the software I manage, it gives this unpolished feeling where someone might be all caps and another will be case appropriate.

I know it sounds very picky, but you know how managers can be, when they outright ask, "why am I all caps and he's not?" lol

Is there a way to temper those names via regex, or some sort of transform to uniformly apply those attributes?

👍 3 · 👤 u/Usual_Reference · 📅 Jan 13 2022

Is there a benefit to use LDAP over the IWA for SSO authentication against AD?

Hey all,

I had a client report an issue where the LDAP connection just stopped working for accessing vCenter.

There was a warning on the console that the SSL certificate (internal CA) that we use is going to expire "soon" in March.

I have tried every which way to connect LDAP over SSL/TLS to get the connection going but could not.

Just get a generic error that the connection cannot be made. The DC being used for the LDAP connection is live and well with both the 389 and 636 ports listening and accepting connections (tested with ldp.exe) but vCenter just says the connection cannot be made.

So I deleted that Identity Source and just enabled IWA instead and it works perfectly fine.

Do I need to spend time trying to get the LDAP connection back? As the title says, is there any benefit over IWA other than the fact that there is a certificate there for an additional layer?

Thanks

👍 16 · 👤 u/Chipperchoi · 📅 Dec 09 2021

File Server with SMB and WebDAV access that supports LDAP

I'm looking for a file server that supports access using both SMB and WebDAV. A huge plus would be if users could log in using LDAP and if it's easy to configure. A docker container would be ideal. Any suggestions? ty

👍 7 · 👤 u/dieGROSSENmelonen · 📅 Dec 07 2021

LDAP constantly dropping for user logins. LDAP Admin account isn't locked out. Thoughts?

I'm an admin for my organization and we've recently implemented Splunk. I created a domain admin account for Splunk and it seems almost every week the LDAP breaks. The error I usually see for my LDAP server under Splunk -> Authentication Methods is akin to:

"an error occurred completing this request: in handler ldap reason invalid credentials"

No modifications are being made and if I check ADUC the account is not locked out. The credentials are correctly entered into Splunk along with the base DN/user attributes.

If I reset the password in ADUC for the splunk admin to the EXACT same password it was already set to, splunk works just fine (no modifications made, and not re-entering the password in the authentication methods page).

An article I found on the splunk communities gave me a few queries to run and a tip to check my .conf file. The query is returning "no results found" going back as far as 30 days.

Reference: https://community.splunk.com/t5/Security/Error-binding-to-LDAP-reason-quot-Can-t-contact-LDAP-server-quot/m-p/324339

Any suggestions are appreciated!

👍 2 · 👤 u/JuanGil_Express · 📅 Jan 04 2022

The forever LDAP

Joined this firm recently. Doing an audit of everything. Find that they've been just 'forgetting' accounts after employees leave. 40% of the accounts should be locked out. Bring it to HR, they start being all bitchy that they change the passwords sometimes when employees leave and it was the IT team's job.

Fuck me. That's just the LDAP, imagine the coffee machine 🤦‍♂️

👍 36 · 👤 u/DirectionNo420 · 📅 Nov 16 2021

Weird network users login - ldap and macOS /r/macsysadmin/comments/s…
👍 3 · 📅 Jan 13 2022

pimps/JNDI-Exploit-Kit: added support to LDAP Serialized Payloads and attack path works in *ANY* java version github.com/pimps/JNDI-Exp…
👍 45 · 👤 u/Gallus · 📅 Dec 13 2021

Keycloak and LDAP

Hey all, odd issue with Keycloak and I'm hoping for some guidance.

When I create a user directly in Keycloak, that user is able to log into my Outline wiki. When a user that exists in my AD and is present in Keycloak from syncing from AD tries to log in, the login doesn't work. I can see in Keycloak that the user has an active auth session but the user never actually gains access.

How would I go about troubleshooting this?

👍 3 · 👤 u/Ginkozard · 📅 Jan 11 2022

LDAP configuration example

Has anyone got NetBox working with UCS (LDAP) or FreeIPA (tried both without luck)?

I'm looking for a complete config file which is working. I'm planning, once verified, on improving the documentation for LDAP, because a lot of people seem to be struggling with it (including myself, and I'm by no means inexperienced IMO).

👍 2 · 👤 u/dritier · 📅 Jan 05 2022

LDAPmonitor: Monitor creation, deletion and changes to LDAP objects live during your pentest or system administration! github.com/p0dalirius/LDA…
👍 59 · 👤 u/digicat · 📅 Dec 23 2021

ADenum - A Pentesting Tool That Allows To Find Misconfiguration Through The Protocol LDAP And Exploit Some ... twitter.com/KitPloit/stat…
👍 7 · 👤 u/m8urn · 📅 Dec 15 2021

ELI5: How does the new log4j/jndi:ldap exploit in Minecraft work

Apparently this is a new very dangerous Minecraft exploit that allows the hacker to run any script on your computer.

👍 4 · 👤 u/FireTrail846 · 📅 Dec 10 2021

LDAP authentication for unsecure instance

Is it mandatory for the nifi instance to be running on https to use LDAP authentication? I am trying to create a cluster of 3 instances that will be behind a https load balancer but the instances themselves will be running http. Can I still use LDAP authentication?

👍 2 · 📅 Dec 18 2021

LDAP Password Hunter: Automated tool to lookup for world-readable secrets in LDAP database building a custom list of attributes at runtime based on the CN=Schema,CN=Configuration github.com/oldboy21/LDAP-…
👍 185 · 👤 u/oldboy21 · 📅 Nov 03 2021

LDAP authentication with Oracle Unified Directory

hi guys,

Does anyone know which attributes are used when testing user authentication during LDAP configuration? I keep receiving "Incorrect user or password" and my suspicion is that zabbix doesn't look up the correct login attribute. Also any idea where the logs from that mechanism are? Neither Apache conf nor PHP.ini logs show any related info.

👍 4 · 👤 u/Twohja · 📅 Dec 10 2021

Trying to get LDAP connectivity to AD LDS instance using simple bind

Working with a vendor whose server used to bind to a legacy Linux-based LDAP server using simple authentication (username in the form of a DN and password), but now needs to be migrated over to an AD LDS server we stood up to replace the legacy one.

We created a service account for the vendor and when we test (with ldp.exe, Softerra LDAP Admin, ADSI Edit, and ldapsearch) we are able to authenticate just fine using SASL methods (Digest-MD5, GSSAPI, etc), but the vendor found out that their software can't do SASL binding and can't be customized to support it, so we're stuck having to find a solution that will allow them to use simple bind authentication over SSL. However, I cannot for the life of me figure out a way to get simple bind working.

I'm primarily testing with ldp.exe - I have the connection set to port 636 on the server with SSL enabled, and the SSL connection to the server is successful, but every bind attempt fails with the errors below. I know the passwords are good, and I used ADSI Edit to add the accounts to the member attribute of the Administrators and Readers roles in the Configuration. The instance is running on 389 and 636.

When I try domain\username, username@domain.example, or just the username, I get this error:

res = ldap_simple_bind_s(ld, '<username>', <unavailable>); // v.3

Error <49>: ldap_simple_bind_s() failed: Invalid Credentials

Server error: 8009030C: LdapErr: DSID-0C090447, comment: AcceptSecurityContext error, data 2030, v3839

Error 0x8009030C The logon attempt failed

When I try the full DN, I get:

res = ldap_simple_bind_s(ld, 'DN', <unavailable>); // v.3

Error <80>: ldap_simple_bind_s() failed: Other

Server error: 80090304: LdapErr: DSID-0C090447, comment: AcceptSecurityContext error, data 20ee, v3839

Error 0x80090304 The Local Security Authority cannot be contacted

Any ideas?

👍 4 · 👤 u/BikeForCoffee · 📅 Dec 15 2021

Issues with adding AD over LDAP as an Identity Source

I keep getting this error when trying to add AD/LDAP as an Identity Source.

*Check the network settings and make sure you have network access to the identity source.*

I've already gone through the usual checks of my DNS records for both fwd/rev zone records, made sure I can connect to my DC using ldap and ldaps using ldp.exe on two different client PCs in different subnets, and also used the openssl command to show certs from the VCSA and verified connectivity using the "netstat -a" command on the DC. Also made sure I am using the correct DN strings and that the account I am using has Domain Admin privileges. Also made sure that Windows firewall was turned off on the DC just to test.

At this point, I am running out of ideas on what the problem is. Anyone have any other ideas as to what to look for and/or check?

EDIT: One thing I will point out that seems unusual is that when running wireshark on the DC and filtering using the VCSA IP, I see DNS queries from the VCSA for AAAA record instead of A record. I am not using IPv6 in my network either.

UPDATE: Looks like I needed to specify an ldaps url with a different port number, ie ldaps://dc.domain.com:3269

👍 3 · 👤 u/rezadential · 📅 Nov 14 2021

