
Can not bind via users after building from src

Open james-dekker opened this issue 9 years ago • 5 comments

Hello there,

First and foremost, thank you very much for creating this bridge.

I git cloned the src code and built it via "ant dist".

Moved the newly built binary into a different folder and then started it like this:

sudo bash $ADS_HOME/bin/apacheds.sh start

Was able to change the password from admin to something else.

Seems as if the anonymous bind along with admin bind works but not user bind.

e.g.

ldapsearch -H ldap://localhost:10389 -D "uid=admin,ou=system" -x -w password -b "dc=iam,dc=aws,dc=org" "(cn=jdoe)"

returns a list of entries

but

trying it like this:

ldapsearch -x -D "uid=jdoe,ou=users,dc=iam,dc=aws,dc=org" -W -H ldap://localhost:10389/ -b "ou=users,dc=iam,dc=aws,dc=org" -s sub 'uid=jdoe'

Enter LDAP Password: ldap_bind: Invalid credentials (49) additional info: INVALID_CREDENTIALS: Bind failed: ERR_229 Cannot authenticate user uid=jdoe,ou=users,dc=iam,dc=aws,dc=org

Is there a configuration setting or a change in the source code which allows user binds when building apacheds with your iam / aws integration code?

james-dekker avatar Oct 27 '15 00:10 james-dekker

  1. It could be the search command. I usually execute something like this for testing:

     ldapsearch -H ldap://localhost:10389 -D "uid=Pam,ou=users,dc=iam,dc=aws,dc=org" -x -w ... -b "dc=iam,dc=aws,dc=org" "(objectclass=posixaccount)"

     But it is meant to user-bind, because the logic mechanism is using the LDAP authentication filter.
  2. Did you check the application log? Usually it reports failed logins and any associated errors. "Cannot authenticate" is just a general LDAP response, but the log would tell you the underlying reason for that.

Cheers, Denis


denismo avatar Oct 27 '15 03:10 denismo

Thanks for the quick response!

I tried your ldapsearch command with my username and password and received the same error that I posted.

Here's the output from the application.log:

The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. Consult the service documentation for details.

The Canonical String for this request should have been 'POST /

host:iam.amazonaws.com user-agent:aws-sdk-java/1.8.11 Linux/3.13.0-48-generic Java_HotSpot(TM)_64-Bit_Server_VM/20.45-b01/1.6.0_45 x-amz-date:20151027T191325Z

host;user-agent;x-amz-date xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'

The String-to-Sign should have been 'AWS4-HMAC-SHA256 20151027T1914321 20151027/us-east-1/iam/aws4_request

xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx' (Service: AmazonIdentityManagement; Status Code: 403; Error Code: SignatureDoesNotMatch; Request ID: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx) [19:16:11] WARN [com.denismo.aws.iam.LDAPIAMPoller] - Unable to determine primary group for awsbackup

james-dekker avatar Oct 27 '15 19:10 james-dekker

Hi James, this is usually an indication that the Access key/Secret key don't match. Either a simple typo, or the secret key has special characters which got cut off; you may need to put it in quotes.

Denis


denismo avatar Oct 27 '15 22:10 denismo
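To make the SignatureDoesNotMatch entries in that application.log concrete, here is an added example (not code from the bridge or from anyone in this thread) that rebuilds the SigV4 canonical request and string-to-sign in the same shape the log prints (POST /, signed headers host;user-agent;x-amz-date, scope 20151027/us-east-1/iam/aws4_request) and shows that a secret key truncated at a special character signs differently from the full key, which is exactly what IAM rejects with a 403. The secret key, user agent and request body are constructed placeholders, not values from the thread.

```python
import hashlib
import hmac

# Constructed placeholders modelled on the log excerpt; the real secret is not on the page.
SECRET_OK = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"  # AWS documentation example secret
SECRET_TRUNCATED = SECRET_OK.split("/")[0]            # secret cut off at a special character
AMZ_DATE = "20151027T191325Z"                         # x-amz-date from the log
REGION, SERVICE, HOST = "us-east-1", "iam", "iam.amazonaws.com"
USER_AGENT = "aws-sdk-java/1.8.11"                    # shortened form of the log's user-agent
BODY = "Action=ListUsers&Version=2010-05-08"          # constructed IAM query body


def _sha256_hex(data: str) -> str:
    return hashlib.sha256(data.encode()).hexdigest()


def canonical_request(amz_date: str = AMZ_DATE, body: str = BODY) -> str:
    """Method, URI, empty query string, canonical headers, signed headers, payload hash."""
    headers = f"host:{HOST}\nuser-agent:{USER_AGENT}\nx-amz-date:{amz_date}\n"
    return "\n".join(["POST", "/", "", headers, "host;user-agent;x-amz-date", _sha256_hex(body)])


def string_to_sign(amz_date: str = AMZ_DATE, body: str = BODY) -> str:
    """AWS4-HMAC-SHA256 / timestamp / credential scope / hash of the canonical request."""
    scope = f"{amz_date[:8]}/{REGION}/{SERVICE}/aws4_request"
    return "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                      _sha256_hex(canonical_request(amz_date, body))])


def signing_key(secret: str, date: str) -> bytes:
    """Derive kSigning = HMAC(HMAC(HMAC(HMAC('AWS4'+secret, date), region), service), 'aws4_request')."""
    key = hmac.new(("AWS4" + secret).encode(), date.encode(), hashlib.sha256).digest()
    for part in (REGION, SERVICE, "aws4_request"):
        key = hmac.new(key, part.encode(), hashlib.sha256).digest()
    return key


def signature(secret: str, amz_date: str = AMZ_DATE, body: str = BODY) -> str:
    """Hex HMAC-SHA256 of the string-to-sign under the derived signing key."""
    return hmac.new(signing_key(secret, amz_date[:8]),
                    string_to_sign(amz_date, body).encode(), hashlib.sha256).hexdigest()


def signatures_match(configured_secret: str, real_secret: str) -> bool:
    """Mirror of the server-side check: IAM recomputes the signature with the real secret
    and compares it to the one the client sent; any difference yields SignatureDoesNotMatch."""
    return hmac.compare_digest(signature(configured_secret), signature(real_secret))
```

Running signatures_match(SECRET_TRUNCATED, SECRET_OK) returns False while the full key matches itself, so a secret mangled by the shell (unquoted slashes, plus signs or other special characters) fails in the same way the log above shows.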

Hi Denis,

Under the scripts folder, what is the command to run packer against the packer_ami.json file? Is this where users need to setup / provision the bridge? Also, what is the validator = iam_password? Is this the default password?

Thanks again,

James

james-dekker avatar Oct 27 '15 22:10 james-dekker

Packer is just if you want to create your own AMI. You use apacheds.sh to actually run the server.


denismo avatar Oct 27 '15 23:10 denismo