Hi,
what are the right steps to integrate a Debian client for authentication via the UCS LDAP server?
I know I need at least these additional packages on the client: libnss-ldap libpam-ldap nscd ldapscripts
These packages are also configured with the information from /usr/sbin/ucr get ldap/base
I can also successfully run this command on the UCS server, from https://wiki.univention.de/index.php/Cool_Solution_-LDAP_search_user/_simple_authentication_account
ldapsearch -x -D uid=<my LDAP user>,cn=users,$(/usr/sbin/ucr get ldap/base) -W uid=Administrator
On the client I can't connect via ldaps. With ldap and this command
ldapsearch -H ldap://<my-server> -D uid=<my LDAP user>,cn=users,dc=foo,dc=bar -W uid=*
I get no results, like this:
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <> (default) with scope subtree
# filter: uid=*
# requesting: ALL
#
# search result
search: 2
result: 32 No such object
# numResponses: 1
So where is the problem, and why is ldaps not working?
Enter LDAP Password:
TLS: can't connect: (unknown error code).
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
You wrote: Keep in mind that you can't access the whole LDAP directory by a restricted account! Often you're only allowed to access your own entry.
I have already created a user for accessing the LDAP base - and it worked (as described above) - so what is the recommended method to authenticate any (Linux) client over the UCS LDAP?
Very good info… but we have a lot of Debian systems - I cannot install the repositories and the "univention-domain-join" scripts … Is there another way to use it, or detailed step-by-step information for Debian?
After playing with the deb files and installing some additional software, I get this error from cli.py
The used distribution "Debian" is not supported.
and if I change the Python script to behave as if it were an "ubuntu" system, I get this error after the user/password question:
./cli.py --master-ip 192.168.113.110
Please enter the user name of a domain administrator: Administrator
Please enter the password for Administrator:
An error occurred. Please check /var/log/univention/domain-join-cli.log for more information.
and the log:
tail /var/log/univention/domain-join-cli.log
check_if_ssh_works_with_given_account(master_ip, master_username, master_pw)
File "/usr/lib/python2.7/dist-packages/univention_domain_join/utils/general.py", line 40, in root_wrapper
return_value = func(*args, **kwargs)
File "./cli.py", line 112, in check_if_ssh_works_with_given_account
stdin=subprocess.PIPE, stdout=OUTPUT_SINK, stderr=OUTPUT_SINK
File "/usr/lib/python2.7/subprocess.py", line 390, in __init__
errread, errwrite)
File "/usr/lib/python2.7/subprocess.py", line 1024, in _execute_child
raise child_exception
OSError: [Errno 2] No such file or directory
I'm not a Python developer, so I can't modify the scripts to run on Debian.
We urgently need a solution for integrating our Debian servers into the domain.
I've two Debian servers in my UCS domain. I was following the bash scripts from https://docs.software-univention.de/domain-4.3.html#ext-dom-ubuntu by the book - taking the first chapter. There are 7 grey blocks I've copied to 7 .sh files and made them executable.
In the first one you have to change the IP address to your ucs-master IP.
And in the second one I've changed the section # Create account and save the password. Here it depends on whether you have already created an account on your UCS server or not. If the server is already registered as a Linux computer you will have something like:
# Create an account and save the password
password="$(tr -dc A-Za-z0-9_ </dev/urandom | head -c20)"
ssh -n root@${ldap_master} udm computers/linux modify \
    --dn "cn=your-debian-hostname,cn=computers,${ldap_base}" \
    --position "cn=computers,${ldap_base}" \
    --set password="${password}" \
    --set operatingSystem="$(lsb_release -is)" \
    --set operatingSystemVersion="$(lsb_release -rs)"
printf '%s' "$password" >/etc/ldap.secret
chmod 0400 /etc/ldap.secret
If you don't have the account, you will just change from udm computers/ubuntu create to udm computers/linux create.
That's about it. Make the files, modify the first two, chmod +x and run them. Your Debian server is part of the domain and you can log in with the users from the domain. (You probably won't need file number 6 if you haven't installed a desktop.)
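
Added example, not part of any post in this thread and not Univention's code: the ldapsearch output in the first post shows "base <> (default)", meaning the client had no search base configured, and the ldaps attempt fails during TLS setup, for which a missing CA certificate on the client is one common cause (assumed here, not confirmed in the thread). This script audits a client ldap.conf for those settings; the finding names and the path /etc/ldap/ldap.conf are assumptions of the example.

```sh
#!/bin/sh
# Added example (not from the thread): audit an OpenLDAP client ldap.conf.
# Finding names (NO_BASE, ...) are made up for this example.

# Print the value of KEY from FILE; keys are matched case-insensitively and,
# if a key is repeated, this example reports the last occurrence.
conf_get() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }
        toupper($1) == toupper(key) { $1 = ""; sub(/^[ \t]+/, ""); val = $0 }
        END { print val }' "$1"
}

# Print one finding per line for FILE; print nothing if every check passes.
check_ldap_client_conf() {
    conf=$1
    [ -r "$conf" ] || { echo "UNREADABLE $conf"; return 0; }

    # No BASE: ldapsearch without -b searches base <> as in the first post.
    [ -n "$(conf_get "$conf" BASE)" ] ||
        echo "NO_BASE searches without -b use an empty base"

    [ -n "$(conf_get "$conf" URI)" ] ||
        echo "NO_URI no default server, -H is needed on every call"

    # The client needs the CA that signed the server certificate
    # (TLS_CACERTDIR is not checked in this example).
    cacert=$(conf_get "$conf" TLS_CACERT)
    if [ -z "$cacert" ]; then
        echo "NO_CACERT no CA file to verify the server certificate"
    elif [ ! -r "$cacert" ]; then
        echo "CACERT_MISSING $cacert"
    fi

    # "never" and "allow" let a session continue without a verified cert.
    case $(conf_get "$conf" TLS_REQCERT | tr '[:upper:]' '[:lower:]') in
        never|allow) echo "WEAK_REQCERT certificate verification not enforced" ;;
    esac
    return 0
}

# Stand-alone use: sh check.sh /etc/ldap/ldap.conf  (path is an assumption)
if [ $# -gt 0 ]; then check_ldap_client_conf "$1"; fi
```

The WEAK_REQCERT check is there because setting TLS_REQCERT to never makes the TLS error go away without the client ever verifying which server it is sending passwords to.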