Howto LDAP Access from external (public) Services

UCS - Univention Corporate Server
#1

Hello,

i would like to access my LDAP for user-auth from external Services.

I guess its a bad idea just to port forward the ldap port to ucs.

I was thinking about a little LDAP proxy/gateway which is capable of filtering LDAP requests.
Or Replicate/Copy just the needed LDAP User part to an external OpenLDAP Auth Service?

Any ideas on this?

Cheers,
Michael

[HowTo] Use letsencrypt certificates for LDAPS connections (via stunnel)
#2

Hi Michael,

depends on your use case.
If you know the IP-Adresses of your external service, then you could just open the firewall for these special IPs on port 7636 (secure ldap).

If you want to deal with an extra proxy, you could use nginx or stunnel4 for that.

an untested nginx-config could look like:

# /etc/nginx/nginx.conf
[...]
stream {
    upstream stream_backend {
         UCS_SERVER:7636;
    }

    server {
        listen                636 ssl;
        proxy_pass            stream_backend;

        ssl_certificate       /etc/ssl/certs/server.crt;
        ssl_certificate_key   /etc/ssl/certs/server.key;
        ssl_protocols         SSLv3 TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers           HIGH:!aNULL:!MD5;
        ssl_session_cache     shared:SSL:20m;
        ssl_session_timeout   4h;
        ssl_handshake_timeout 30s;
     }
}
<<<FILE END>>>

kind regards, Daniel

#3

Humm in the “same” or at least similar request… UCS provide any “api” to do the authentication?

#4

@codedmind Here is a guide to create a simple authentication account

#5

@peichert thanks for the reply, but what i’m asking is if we can use any “endpoint” of ucs server to send user and password and know if that user is allowed…

#6

@codedmind not sure if I understand your question correct:

  • If you ask about any standard to handle username and password: Yes, UCS will support “SAML” out of the box to have a general login form.
  • If you ask to use any available software for that: It is important that the software has a mechanism for LDAP authentication. Most applications in the Univention App Center are already prepared for this.
  • If you ask about to use any UCS server: I suggest to use at minimum the “Replica Directory Node” to have a local LDAP for authentication. This speeds up the authentication process.
#7

Alternative to Daniels nginx approach (depending on your usecase):

1 Like
#8

This is great, thanks a lot! :slight_smile:

Mastodon