LDAP auth from external application help

UCS - Univention Corporate Server
,
1

Hello everyone, I'm having some trouble getting my application to authenticate to UCS over LDAP 7386. I'm currently using Zentyal as my AD replacement and trying hard to move to UCS.

I created a Read Only account (works with Apache Directory Studio) and my logs show it is working, but cannot find the username trying to log into the system to authenticate based on them being a member of a specific group

The existing Zentyal configuration is working great but for some reason I cannot make it work with UCS. Here is the structure differences of the directory on Zentyal that is working, and my search filters / query strings.

$LOCAL_DEBUG_LDAP->setLoginAllUsersFilter('(memberOf=cn=SMSCALLOUT__ENABLED,ou=groups,dc=sgvfr,dc=lan)');
$LOCAL_DEBUG_LDAP->setAdminGroupFilter('(memberOf=cn=SMSCALLOUT_ADMIN,ou=Groups,dc=sgvfr,dc=lan)');
$LOCAL_DEBUG_LDAP->setSMSGroupFilter('(|(memberOf=cn=SMSCALLOUT__ENABLED,ou=Groups,dc=sgvfr,dc=lan))');

$LOCAL_DEBUG_LDAP->setGroupMemberOf_Attribute('memberuid');

.
.
.

I have been reading for hours and tried several suggestions such as uniqueMember in the filters but nothing I tried has worked.. I know I must be missing something simple, I just can't figure it out.

2

Hello and welcome! :slight_smile:

I think that might already be the culprit. In UCS, we have the following settings, if the App Active Directory compatible Domain controller (Samba/AD) is installed:

| Port | Service  | TLS or StartTLS |
-------------------------------------
|  389 | Samba    | StartTLS        |
|  636 | Samba    | TLS             |
| 7389 | OpenLDAP | StartTLS        |
| 7636 | OpenLDAP | TLS             |

I guess your configuration for Zentyal will most probably just work if you use port 389.
Please note, that Samba/AD make use of the memberOf attribute, while OpenLDAP does not (by default).

Maybe you already came across this blog post, but if not, I recommend it :wink:

Best regards,
Michael Grandjean

3

Whoops.. I had a mistake in my original.. I am using port 7389, but it seems I cannot use memberOf in any search filter for checking group membership?? Is this supposed to happen?

I will read that link you attached thank you.

4

Yes, as I was saying earlier, 7389 is OpenLDAP which has no memberOf by default. Use 389 instead, which is Samba and does have memberOf :slight_smile:

#########
5

Ahhh. Ok I understand now.. I will look into it further. but I am getting errors on query.. additional info: BindSimple: Transport encryption required.

389 isn't supposed to be encrypted by default i thought? 636 was the LDAPS ?? I"m still fairly new to LDAP so I need to learn more.

Thank you for your help

6

OK. now the forum is back :slight_smile:

After more reading, I discovered there was a memberOf overlay available, this appears to work for my search

-> univention-install univention-ldap-overlay-memberof

users were updated with the script:

“/usr/share/univention-ldap-overlay-memberof/univention-update-memberof”

Which seems to have fixed the search issue

Are there any security issues in doing this?

7

Not that I am aware of. Only operational things to keep in mind as stated in this SDB article.

Don’t get me wrong, but if you care about security, I’d recommend to use TLS over port 636 in the first place. (That probably requires to make the UCS CA root certificate (https://your-ucs-master/ucs-root-ca.crt) a trusted CA cert on the machine your PHP(?) application is running on.)