Howto integrate Debian Client into ldap base

Hi,
what are the right steps to integrate a Debian client for authentication via the UCS LDAP server?
I know I need at least these additional packages on the client:
libnss-ldap libpam-ldap nscd ldapscripts
These packages are also configured with the info from
/usr/sbin/ucr get ldap/base
I can also successfully run this command on the UCS server, taken from https://wiki.univention.de/index.php/Cool_Solution_-LDAP_search_user/_simple_authentication_account

ldapsearch -x -D uid=<my LDAP user>,cn=users,$(/usr/sbin/ucr get ldap/base) -W uid=Administrator

On the client I can't connect via ldaps. With ldap and this command
ldapsearch -H ldap://<my-server> -D uid=<my LDAP user>,cn=users,dc=foo,dc=bar -W uid=*
I get no results, like this:

Enter LDAP Password: 
# extended LDIF
#
# LDAPv3
# base <> (default) with scope subtree
# filter: uid=*
# requesting: ALL
#

# search result
search: 2
result: 32 No such object

# numResponses: 1

So where is the problem, and why is ldaps not working?

Jan

Hi @Jan

you need to connect to the proper port so please try:

user@debian:~$ ldapsearch -d8 -H ldaps://ucs-master:7636 -D "cn=$(hostname),cn=computers,dc=domain,dc=tld" -W "cn=$(hostname)"

or

user@debian:~$ ldapsearch -d8 -H ldap://ucs-master:7389 -D "cn=$(hostname),cn=computers,dc=domain,dc=tld" -W "cn=$(hostname)"

If it works, you can remove the debugging flag -d8.

Keep in mind that you can’t access the whole LDAP directory with a restricted account! Often you’re only allowed to access your own entry.

Hi Stoeckigt,

with this command

user@debian:~$ ldapsearch -d8 -H ldaps://ucs-master:7636 -D "cn=$(hostname),cn=computers,dc=domain,dc=tld" -W "cn=$(hostname)"

I only get the password prompt - but for which user? (So I can't log in.)
And with

user@debian:~$ ldapsearch -d8 -H ldap://ucs-master:7389 -D "cn=$(hostname),cn=computers,dc=domain,dc=tld" -W "cn=$(hostname)"

I get

Enter LDAP Password: 
TLS: can't connect: (unknown error code).
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

You wrote: Keep in mind that you can’t access the whole LDAP directory with a restricted account! Often you’re only allowed to access your own entry.

I have already created a user for accessing the LDAP base, and it worked (as described above). So what is the recommended method to authenticate any (Linux) client against the UCS LDAP?

Jan

Hi @Jan,

We documented the necessary steps in our manuals. Please refer to them:

https://docs.software-univention.de/manual-4.3.html#domaenenbeitritt

https://docs.software-univention.de/domain-4.3.html

In case you have trouble, feel free to post again!

Kind Regards

Hello Stoeckigt,

Very good info… but we have a lot of Debian systems; I cannot install the repositories and the “univention-domain-join” scripts… Is there another way to use it, or detailed step-by-step information for Debian?

After playing with the .deb files and installing some additional software, I get this error from cli.py:

The used distribution "Debian" is not supported.

and if I change the Python script to behave as if it were an “ubuntu” system, I get this error after the user/password question:

./cli.py --master-ip 192.168.113.110
Please enter the user name of a domain administrator: Administrator
Please enter the password for Administrator: 
An error occurred. Please check /var/log/univention/domain-join-cli.log for more information.

and the log:

tail /var/log/univention/domain-join-cli.log
    check_if_ssh_works_with_given_account(master_ip, master_username, master_pw)
  File "/usr/lib/python2.7/dist-packages/univention_domain_join/utils/general.py", line 40, in root_wrapper
    return_value = func(*args, **kwargs)
  File "./cli.py", line 112, in check_if_ssh_works_with_given_account
    stdin=subprocess.PIPE, stdout=OUTPUT_SINK, stderr=OUTPUT_SINK
  File "/usr/lib/python2.7/subprocess.py", line 390, in __init__
    errread, errwrite)
  File "/usr/lib/python2.7/subprocess.py", line 1024, in _execute_child
    raise child_exception
OSError: [Errno 2] No such file or directory

I’m not a Python developer, so I can't modify the scripts to run on Debian.
We urgently need a solution for integrating our Debian servers into the domain.

Jan

Hello stoeckigt

Do you have an idea?

Jan

Hi @Jan

You might have another look at

But please note that the univention-domain-join script was never intended to be used with anything other than Ubuntu.

Kind regards

Yes… that's clear.
So I ask my question again: how can I connect a Debian server (no GUI, only console) to the LDAP of UCS?

Jan

@stoeckigt already mentioned our extended domain services documentation. Does chapter 2, Integration of Linux/Unix systems into a UCS domain provide enough information for your scenario?

Hello damrose,

Not really. It is too unspecific. Is there nobody out there who has joined a Debian server into the UCS domain?

Jan

Hello Jan,

I have two Debian servers in my UCS domain. I followed the bash scripts from https://docs.software-univention.de/domain-4.3.html#ext-dom-ubuntu by the book, taking the first chapter. There are 7 grey blocks which I copied into 7 .sh files and made executable.
In the first one you have to change the IP address to your UCS master IP.
And in the second one I changed the section # Create account and save the password. Here it depends on whether you have already created an account on your UCS server or not. If the server is already registered as a Linux computer you will have something like:

# Create an account and save the password
password="$(tr -dc A-Za-z0-9_ </dev/urandom | head -c20)"
ssh -n root@${ldap_master} udm computers/linux modify \
    --dn "cn=your-debian-hostname,cn=computers,${ldap_base}" \
    --position "cn=computers,${ldap_base}" \
    --set password="${password}" \
    --set operatingSystem="$(lsb_release -is)" \
    --set operatingSystemVersion="$(lsb_release -rs)"
printf '%s' "$password" >/etc/ldap.secret
chmod 0400 /etc/ldap.secret

If you don’t have the account, you just change udm computers/ubuntu create to udm computers/linux create.

That’s about it. Make the files, modify the first two, chmod +x and run them. Your Debian server is part of the domain and you can log in with the users from the domain. (You probably won’t need file number 6 if you haven’t installed a desktop.)

Best,
Bernd

2 Likes
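An added example (not from the thread or the Univention manual) that merges Bernd's two variants of the "Create an account and save the password" step into one idempotent script: it asks the UCS master via udm whether a computers/linux object for this host already exists and then runs modify or create accordingly. It assumes ldap_master and ldap_base are set by the first script exactly as in the manual's Ubuntu chapter, and that udm computers/linux list prints one "DN: ..." line per matching object.

```shell
#!/bin/sh
# Added example, not taken from the thread or the Univention manual.
# Assumes ldap_master and ldap_base were exported by the manual's first
# script, e.g. ldap_master=ucs-master.domain.tld ldap_base=dc=domain,dc=tld
set -eu

# "udm computers/linux list --filter cn=<host>" prints a "DN: ..." line for
# every matching object and none when the host is unknown. Map that to the
# udm verb the manual uses in each case.
udm_object_action() {
    if printf '%s\n' "$1" | grep -q '^DN: cn='; then
        echo modify
    else
        echo create
    fi
}

# The computer object's DN as the manual builds it for the modify case.
computer_dn() {   # $1 = hostname, $2 = ldap_base
    printf 'cn=%s,cn=computers,%s' "$1" "$2"
}

register_linux_computer() {   # $1 = ldap_master, $2 = ldap_base
    host="$(hostname)"
    existing="$(ssh -n "root@$1" udm computers/linux list --filter "cn=${host}")"
    action="$(udm_object_action "$existing")"
    password="$(tr -dc A-Za-z0-9_ </dev/urandom | head -c20)"
    case "$action" in
        modify) target="--dn $(computer_dn "$host" "$2")" ;;
        create) target="--position cn=computers,$2 --set name=${host}" ;;
    esac
    # $target is intentionally unquoted: it holds two or four words without spaces.
    ssh -n "root@$1" udm computers/linux "$action" $target \
        --set "password=${password}" \
        --set "operatingSystem=$(lsb_release -is)" \
        --set "operatingSystemVersion=$(lsb_release -rs)"
    # Store the secret only after udm succeeded; mode 0400 as in the manual.
    umask 077
    printf '%s' "$password" >/etc/ldap.secret
    chmod 0400 /etc/ldap.secret
}

# Run the join step only when invoked with --run; otherwise just define functions.
if [ "${1:-}" = --run ]; then
    register_linux_computer "$ldap_master" "$ldap_base"
fi
```

Run it as root on the Debian host after the manual's first script, with `--run`; re-running it later simply rotates the computer password instead of failing on an existing object.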

Hi Bernd,

Thanks for this great hint. I am now struggling with part 3, SSSD Config. How did you solve the non-existent package auth-client-config in Debian?

Best regards,
Daniel

1 Like