Univention SAML and LDAP


#1

I’ve been tasked with trying to set up SSO in our intranet. I haven’t implemented SSO before, and have limited exposure to LDAP as I primarily used AD in the past… and in our environment, none of our PCs (Windows machines) are in a domain of any kind. All remote PCs, everything is in workgroups. We have over 2,000 users… no centralized auth at the user level or PC/server level.

In comes the mention of Univention. The CIO does not want to add PCs to the domain; he is very against it and doesn’t want to do it.

Here’s what he wants to happen:
The user logs in to our intranet site www.example.com and it authenticates to the Univention IdP/LDAP so that they are already signed into ownCloud, etc. Once this part is working they want to expand it to outside vendors… but that’s another topic.

Sorry, I know these are basic questions, but I have to ask them so that I have the proper information to give, as I’m battling with this SSO implementation and whether or not to join the PCs to the domain, etc.

In order for this to work, do PCs/users need to be logged into the domain?
What would you do in my situation?

Also… when messing around with the SAML, when trying to download the public certificate, I get this error:

Forbidden
You don’t have permission to access /simplesamlphp/saml2/idp/certificate on this server.

I believe I’ve found the certs regardless of the above error in /etc/univention/ssl, but it obviously doesn’t match the above path.

The other issue I’m having is that I’m unable to get LDAPAdmin to connect. The connection test works anonymously; you are able to fetch the DNs, which it does properly… but putting in the administrator login credentials, it gives an “Invalid DN syntax, invalid DN” error.

Using an anonymous connection it pulls the correct DCs.

Perhaps I have the wrong connection string for connecting with the default administrator account. I’m missing something here.

Again, I apologize for the slew of questions here. I’ve just been thrown into a very large lake in a very small boat.


#2

Puh…

In order for this to work, do PCs/users need to be logged into the domain?

Hmm, I think ownCloud authenticates via the domain, but I am unsure about that.

What would you do in my situation?

Convince the CIO that domain membership is not evil. :slight_smile: But, joke aside, I reckon there are issues we do not know about that prevent domain membership.

Also… when messing around with the SAML, when trying to download the public certificate, I get this error:

Forbidden
You don’t have permission to access /simplesamlphp/saml2/idp/certificate on this server.

I believe I’ve found the certs regardless of the above error in /etc/univention/ssl, but it obviously doesn’t match the above path.

Often there are symlinks from one path to another; you see them when you run # ls -lah in the folder. That may be the case here.

The other issue I’m having is that I’m unable to get LDAPAdmin to connect. The connection test works anonymously; you are able to fetch the DNs, which it does properly… but putting in the administrator login credentials, it gives an “Invalid DN syntax, invalid DN” error.

Using an anonymous connection it pulls the correct DCs.

Perhaps I have the wrong connection string for connecting with the default administrator account. I’m missing something here.

On the UCS, execute the following command:

univention-ldapsearch uid=administrator dn

and copy the DN. Next you need to find out in what form LDAPAdmin expects the DN.
I hope I could help a bit.
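As an added example that is not part of the thread or of Univention's own tooling: the "Invalid DN syntax" error from LDAPAdmin is what OpenLDAP returns when the login field holds a bare user name rather than a full DN, so the two steps from the reply (look the DN up on the UCS host, then bind with it) are written out below as a small POSIX shell script. It assumes the standard OpenLDAP client tools (ldapwhoami) and the UCS wrapper univention-ldapsearch; the host name, base DN and the LDIF sample are constructed, not taken from the poster's system.

```shell
#!/bin/sh
# Added example (not from the thread): get the full bind DN of the UCS
# "Administrator" account and test a simple bind with it, which is what
# LDAPAdmin needs in its login field instead of a bare user name.
# Assumes the OpenLDAP client tools (ldapwhoami) and the UCS wrapper
# univention-ldapsearch; host names, base DN and the LDIF sample below
# are constructed, not taken from the poster's system.

# extract_dn: read LDIF on stdin and print the first DN it contains.
# Handles two LDIF details that bite when a DN is copied by hand:
#   - folded lines: a value continues on the next line if that line
#     starts with a single space;
#   - "dn:: <base64>": used when the DN holds non-ASCII or leading/
#     trailing spaces, so it must be decoded, not pasted verbatim.
extract_dn() {
    dn_line=$(awk '
        function flush() {
            if (!done && buf ~ /^dn::? /) { print buf; done = 1 }
        }
        /^ / { buf = buf substr($0, 2); next }   # continuation line: unfold
             { flush(); buf = $0 }
        END  { flush() }
    ')
    case "$dn_line" in
        "")       echo "extract_dn: no dn line in LDIF input" >&2; return 1 ;;
        "dn:: "*) printf '%s' "${dn_line#dn:: }" | base64 -d; echo ;;
        *)        printf '%s\n' "${dn_line#dn: }" ;;
    esac
}

# find_admin_dn: the lookup from the reply, run on the UCS host itself.
# univention-ldapsearch takes server, base DN and credentials from the UCS
# configuration; "uid=administrator" matches case-insensitively.
find_admin_dn() {
    univention-ldapsearch uid=administrator dn | extract_dn
}

# bind_test: simple bind as the given DN from any machine with the LDAP
# client tools, e.g. the workstation running LDAPAdmin. -ZZ insists on
# StartTLS so the password never crosses the wire in the clear; -W prompts
# for the password instead of exposing it on the command line.
# Usage: bind_test "uid=Administrator,cn=users,dc=example,dc=com" ucs-host 389
bind_test() {
    bind_dn=$1
    host=${2:-localhost}
    port=${3:-389}
    ldapwhoami -x -ZZ -H "ldap://$host:$port" -D "$bind_dn" -W
}

# Constructed sample of what "univention-ldapsearch uid=administrator dn"
# prints, with the DN folded across two lines to exercise the unfolding.
SAMPLE_LDIF='# extended LDIF
#
# LDAPv3
# base <dc=example,dc=com> with scope subtree
# filter: uid=administrator
# requesting: dn
#

# Administrator, users, example.com
dn: uid=Administrator,cn=users,dc=example,d
 c=com

# search result
search: 2
result: 0 Success
'

# Stand-alone demo on the constructed sample (no LDAP server needed):
printf '%s\n' "$SAMPLE_LDIF" | extract_dn
# On the UCS host you would run find_admin_dn instead, then paste the
# printed DN into LDAPAdmin's login field and confirm it with bind_test.
```

If ldapwhoami prints the same DN back, the credentials and DN are right and any remaining LDAPAdmin failure is a client-side setting. Two things to check there: the login field must hold the full DN (uid=Administrator,cn=users,...), not the user name, and on UCS hosts that also run Samba 4 as an AD domain controller the OpenLDAP server listens on port 7389 because Samba owns 389, so the port in LDAPAdmin may need changing as well.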