Authentication with LDAP from Docker (Collabora Online)

collabora

#1

The goal is that Domain Admins can log in to Collabora Online Admin Console.

I started with https://wiki.univention.de/index.php/Integration_with_UCS/LDAP. I have UCS 4.3. Despite what this documentation says, I have the following environment variables in the container:

root@colla-21091438:/# env | grep -i ldap
LDAP_MASTER=ucs-4067.collabora.intranet
ldap_master=ucs-4067.collabora.intranet
LDAP_HOSTDN=cn=colla-21091438,cn=memberserver,cn=computers,dc=collabora,dc=intranet
ldap_hostdn=cn=colla-21091438,cn=memberserver,cn=computers,dc=collabora,dc=intranet
LDAP_MASTER_PORT=7389
ldap_master_port=7389

I miss the LDAP_BASE the most, because it is required to make queries. I see that the wiki page was created a few days ago. Why do I see different environment variables?

root@colla-21091438:/# ldapsearch -D $LDAP_HOSTDN -y /etc/machine.secret  -H ldap://$LDAP_MASTER:$LDAP_MASTER_PORT 
Warning: Password file /etc/machine.secret is publicly readable/writeable
# extended LDIF
#
# LDAPv3
# base <> (default) with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 2
result: 32 No such object

# numResponses: 1

On the other hand:

root@colla-21091438:/# ldapsearch -D $LDAP_HOSTDN -y /etc/machine.secret -b dc=collabora,dc=intranet -H ldap://$LDAP_MASTER:$LDAP_MASTER_PORT

… lists everything. So we need the base.


#2

Hi,

the wiki page was indeed created a few days ago. In fact, it was written with https://forge.univention.org/bugzilla/show_bug.cgi?id=46779 in mind without waiting until it is actually fixed. Sorry for the inconvenience. This should work - in a few days.

Please use $LDAP_SERVER, not $LDAP_MASTER, as soon as this works. Some systems do not have access to the LDAP on the DC Master, but only to one on a DC Slave.

Kind regards,
Dirk Wiesenthal


#3

Hi Dirk,

Thanks for your answer. On my test system, I can still experiment using the actual values. I can bind to the host’s LDAP from the container with ldapsearch. Next I tried to configure pam_ldap.so, but it did not work; it failed silently.

/etc/pam.d/loolwsd

account     [success=done new_authtok_reqd=ok          user_unknown=die          service_err=die authinfo_unavail=die          default=die] pam_ldap.so
account     required      pam_permit.so
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so

/etc/ldap.conf

uri ldap://ucs-4067.collabora.intranet:7389
binddn cn=colla-21091438,cn=memberserver,cn=computers,dc=collabora,dc=intranet
bindpw 35b983003025e037d1f7dde377a7a74a1737b68cadfbea360c62000fc767ee1a

base dc=collabora,dc=intranet
ldap_version 3
scope sub
pam_password crypt
ssl start_tls

So far, I expected that LDAP users could be authenticated this way, but it did not happen; I get a PAM authentication failure. Any ideas what’s missing, please?


#4

Hi,

/etc/ldap.conf does not really accept BINDDN nor BINDPW. The former is a user-only option (goes into ~/.ldaprc), the latter does not exist for OpenLDAP.

This works for me:

ldapsearch -ZZ -D cn=colla-21091438,cn=memberserver,cn=computers,dc=collabora,dc=intranet -y /etc/machine.secret uid=Administrator

Is passing the credentials possible for you?
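The thread turns on three things: the search needs a base (without -b the result is "No such object"), the reachable server should come from $LDAP_SERVER rather than $LDAP_MASTER, and ldapsearch warned that /etc/machine.secret was world-readable. The helper below, an added example and not code from Univention, Collabora or anyone in the thread, assembles the ldapsearch command from the container's environment and refuses to proceed when any of those preconditions fails; MACHINE_SECRET is a hypothetical override used only so the check can be exercised on a constructed file.

```shell
# Sanity-check the bind setup before calling ldapsearch. Hypothetical helper,
# not Univention or Collabora code; it only builds the command string.

# Prefer LDAP_SERVER (an LDAP the container can actually reach) over
# LDAP_MASTER, as recommended in the thread.
ldap_host() {
    if [ -n "${LDAP_SERVER:-}" ]; then
        printf '%s' "$LDAP_SERVER"
    else
        printf '%s' "${LDAP_MASTER:-}"
    fi
}

# ldapsearch only warns when the password file is group/world accessible;
# for a bind secret treat that as an error. Uses ls -l so it stays POSIX-portable.
secret_file_ok() {
    [ -f "$1" ] || { echo "missing secret file: $1" >&2; return 1; }
    perms=$(ls -l "$1" | cut -c5-10)   # group + other permission bits
    case "$perms" in
        *[rwx]*) echo "$1 is readable by group/others; chmod 600 it" >&2; return 1 ;;
    esac
}

# Print the ldapsearch command for filter $1 (default: everything).
# Fails early on the problems seen in the thread: no base, no reachable host,
# missing host DN, unprotected secret.
ldap_search_cmd() {
    host=$(ldap_host)
    port="${LDAP_MASTER_PORT:-7389}"
    secret="${MACHINE_SECRET:-/etc/machine.secret}"   # MACHINE_SECRET: hypothetical override
    [ -n "$host" ] || { echo "neither LDAP_SERVER nor LDAP_MASTER is set" >&2; return 1; }
    [ -n "${LDAP_HOSTDN:-}" ] || { echo "LDAP_HOSTDN is not set" >&2; return 1; }
    [ -n "${LDAP_BASE:-}" ] || { echo "LDAP_BASE is not set: a search without -b returns 'No such object'" >&2; return 1; }
    secret_file_ok "$secret" || return 1
    printf "ldapsearch -ZZ -D '%s' -y '%s' -H 'ldap://%s:%s' -b '%s' '%s'\n" \
        "$LDAP_HOSTDN" "$secret" "$host" "$port" "$LDAP_BASE" "${1:-(objectclass=*)}"
}
```

Run it as `eval "$(ldap_search_cmd uid=Administrator)"` once the checks pass; until then it exits non-zero with the reason on stderr.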