How to integrate a Debian client into the LDAP base

ucs-4
debian
domainjoin

#1

Hi,
what are the right steps to integrate a Debian client for authentication via the UCS LDAP server?
I know I need at minimum these additional packages on the client:
libnss-ldap libpam-ldap nscd ldapscripts
Also, these packages are configured with the info from
/usr/sbin/ucr get ldap/base
I also can run this command from https://wiki.univention.de/index.php/Cool_Solution_-LDAP_search_user/_simple_authentication_account successfully on the UCS server:

ldapsearch -x -D uid=<my LDAP user>,cn=users,$(/usr/sbin/ucr get ldap/base) -W uid=Administrator

On the client I can't connect via ldaps. With ldap and this command
ldapsearch -H ldap://<my-server> -D uid=<my LDAP user>,cn=users,dc=foo,dc=bar -W uid=*
I get no results, like this:

Enter LDAP Password: 
# extended LDIF
#
# LDAPv3
# base <> (default) with scope subtree
# filter: uid=*
# requesting: ALL
#

# search result
search: 2
result: 32 No such object

# numResponses: 1

So where is the problem, and why is ldaps not working?

Jan


#2

Hi @Jan

you need to connect to the proper port, so please try:

user@debian:~$ ldapsearch -d8 -H ldaps://ucs-master:7636 -D "cn=$(hostname),cn=computers,dc=domain,dc=tld" -W "cn=$(hostname)"

or

user@debian:~$ ldapsearch -d8 -H ldap://ucs-master:7389 -D "cn=$(hostname),cn=computers,dc=domain,dc=tld" -W "cn=$(hostname)"

If it works you might remove the debugging flag -d8.

Keep in mind that you can't access the whole LDAP directory with a restricted account! Often you're only allowed to access your own entry.


#3

Hi Stoeckigt,

with this command

user@debian:~$ ldapsearch -d8 -H ldaps://ucs-master:7636 -D "cn=$(hostname),cn=computers,dc=domain,dc=tld" -W "cn=$(hostname)"

I only get the password prompt, but for which user? (So I can't log in.)
And with

user@debian:~$ ldapsearch -d8 -H ldap://ucs-master:7389 -D "cn=$(hostname),cn=computers,dc=domain,dc=tld" -W "cn=$(hostname)"

I get

Enter LDAP Password: 
TLS: can't connect: (unknown error code).
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

You wrote: "Keep in mind that you can't access the whole LDAP directory with a restricted account! Often you're only allowed to access your own entry."

I have already created a user for accessing the LDAP base, and it worked (as described above). So what is the recommended method to authenticate any (Linux) client against the UCS LDAP?

Jan
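The two failures quoted in posts #1 and #3 look different on the wire but are easy to tell apart from the text ldapsearch prints: "result: 32 No such object" together with "base <> (default)" means the search ran without a base DN, while a "TLS: can't connect" line means the TLS session never came up. The following checker is an added example (not part of this thread and not Univention code); it parses captured ldapsearch output offline and returns a short verdict. The sample outputs are constructed from the messages quoted above, the port numbers come from post #2, and the wording of the hints is an assumption of this example.

```python
"""Classify the outcome of an ldapsearch run against a UCS directory.

Added example for this thread; it is not part of the original posts or of
Univention's tooling. It only reads the text ldapsearch prints (the LDIF
comment header and the result block), so it runs offline on captured
output. The hints refer to the UCS ports named in the thread (7389 for
ldap://, 7636 for ldaps://); the hint wording itself is an assumption.
"""
import re

# Sample outputs constructed from the messages quoted in the thread.
SAMPLE_NO_BASE = """\
# extended LDIF
#
# LDAPv3
# base <> (default) with scope subtree
# filter: uid=*
# requesting: ALL
#

# search result
search: 2
result: 32 No such object

# numResponses: 1
"""

SAMPLE_TLS_FAIL = """\
TLS: can't connect: (unknown error code).
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
"""

# Constructed successful run for comparison (example domain, not a real one).
SAMPLE_OK = """\
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=test> with scope subtree
# filter: uid=jdoe
# requesting: ALL
#

# jdoe, users, example.test
dn: uid=jdoe,cn=users,dc=example,dc=test
uid: jdoe

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
"""

BASE_RE = re.compile(r"^# base <(?P<base>[^>]*)>", re.M)
RESULT_RE = re.compile(r"^result: (?P<code>\d+) (?P<msg>.*)$", re.M)
DN_RE = re.compile(r"^dn: ", re.M)


def parse_ldapsearch_output(text):
    """Return the fields that matter for diagnosis as a dict."""
    base = BASE_RE.search(text)
    result = RESULT_RE.search(text)
    return {
        "base": base.group("base") if base else None,
        "result_code": int(result.group("code")) if result else None,
        "result_msg": result.group("msg") if result else None,
        "entries": len(DN_RE.findall(text)),  # one "dn:" line per entry
        "tls_error": any(line.startswith("TLS:") for line in text.splitlines()),
        "cannot_contact": "Can't contact LDAP server" in text,
    }


def diagnose(text):
    """Map ldapsearch output to a short, actionable verdict."""
    p = parse_ldapsearch_output(text)
    if p["tls_error"] or p["cannot_contact"]:
        return ("connection failed: check that the URI scheme matches the port "
                "(ldap:// on 7389, ldaps:// on 7636) and that the client trusts "
                "the UCS CA certificate (LDAPTLS_CACERT or TLS_CACERT in ldap.conf)")
    if p["result_code"] == 32 and not p["base"]:
        return ("no base DN: the search ran against an empty base; pass "
                "-b with the value of 'ucr get ldap/base' from the server")
    if p["result_code"] == 32:
        return "no such object: the base DN %r does not exist on this server" % p["base"]
    if p["result_code"] == 0:
        return "ok: %d entries returned" % p["entries"]
    return "ldap error %s: %s" % (p["result_code"], p["result_msg"])


if __name__ == "__main__":
    for name, sample in (("no base", SAMPLE_NO_BASE),
                         ("tls", SAMPLE_TLS_FAIL),
                         ("ok", SAMPLE_OK)):
        print("%-8s %s" % (name, diagnose(sample)))
```

Feed it real output with `ldapsearch ... 2>&1 | python3 checker.py`-style piping by reading `sys.stdin` instead of the samples; the parsing does not depend on the debug level, so `-d8` output can be left on while testing.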


#4

Hi @Jan,

we documented the necessary steps in our manuals. Please refer to them:

https://docs.software-univention.de/manual-4.3.html#domaenenbeitritt

https://docs.software-univention.de/domain-4.3.html

In case you have trouble, feel free to post again!

Kind Regards


#5

Hello Stoeckigt,

Very good info, but we have a lot of Debian systems; I cannot install the repositories and the "univention-domain-join" scripts. Is there another way to use it, or detailed step-by-step information for Debian?

After playing with the deb files and installing some additional software, I get this error from cli.py:

The used distribution "Debian" is not supported.

and if I change the Python script to behave as if it were an "ubuntu" system, I get this error after the user/password prompt:

./cli.py --master-ip 192.168.113.110
Please enter the user name of a domain administrator: Administrator
Please enter the password for Administrator: 
An error occurred. Please check /var/log/univention/domain-join-cli.log for more information.

and the log:

tail /var/log/univention/domain-join-cli.log
    check_if_ssh_works_with_given_account(master_ip, master_username, master_pw)
  File "/usr/lib/python2.7/dist-packages/univention_domain_join/utils/general.py", line 40, in root_wrapper
    return_value = func(*args, **kwargs)
  File "./cli.py", line 112, in check_if_ssh_works_with_given_account
    stdin=subprocess.PIPE, stdout=OUTPUT_SINK, stderr=OUTPUT_SINK
  File "/usr/lib/python2.7/subprocess.py", line 390, in __init__
    errread, errwrite)
  File "/usr/lib/python2.7/subprocess.py", line 1024, in _execute_child
    raise child_exception
OSError: [Errno 2] No such file or directory

I'm not a Python developer, so I can't modify the scripts to run on Debian.
We urgently need a solution for integrating our Debian servers into the domain.

Jan


#6

Hello stoeckigt

Do you have an idea?

Jan


#7

Hi @Jan

You might have another look at

But please note that the univention-domain-join script was never intended to be used with anything other than Ubuntu.

Kind regards


#8

Yes, that's clear.
So I ask my question again: how can I connect a Debian server (no GUI, only console) to the LDAP of UCS?

Jan


#9

@stoeckigt already mentioned our extended domain services documentation. Does chapter 2, "Integration of Linux/Unix systems into a UCS domain", provide enough information for your scenario?