cerebro
[LDAP] Why is username used in the last bind request?
Hi guys,
I'm using Cerebro 0.8.5 installed with the RPM package. I want to authenticate the user via Microsoft Active Directory and the configuration for authentication is as below:
```hocon
# Authentication
auth = {
  # either basic or ldap
  type: ldap
  settings {
    # LDAP
    url = "ldap://Active_Directory_IP:389"
    # OpenLDAP might be something like "ou=People,dc=domain,dc=com"
    base-dn = "DC=mycompany,DC=com"
    # Usually method should be "simple" otherwise, set it to the SASL mechanisms to try
    method = "simple"
    # user-template executes a string.format() operation where
    # username is passed in first, followed by base-dn. Some examples
    # - %s => leave user untouched
    # - %s@domain.com => append "@domain.com" to username
    # - uid=%s,%s => usual case of OpenLDAP
    user-template = "%s"
    // User identifier that can perform searches
    bind-dn = "admin_user_dn"
    bind-pw = "admin_user_password"
    group-search {
      // If left unset parent's base-dn will be used
      #base-dn = ${?LDAP_GROUP_BASE_DN}
      // Attribute that represent the user, for example uid or mail
      user-attr = "sAMAccountName"
      // Define a separate template for user-attr
      // If left unset parent's user-template will be used
      #user-attr-template = ${?LDAP_USER_ATTR_TEMPLATE}
      // Filter that tests membership of the group. If this property is empty then there is no group membership check
      // AD example => memberOf=CN=mygroup,ou=ouofthegroup,DC=domain,DC=com
      // OpenLDAP example => CN=mygroup
      group = "memberOf=CN=ehr-inf,OU=User Group,DC=mycompany,DC=com"
    }
    # Basic auth
    #username = ${?BASIC_AUTH_USER}
    #password = ${?BASIC_AUTH_PWD}
  }
}
```
Now the login action fails all the time, and with Wireshark I find that the authentication process has 3 steps:
a. Send a bind request with the admin user.
This step is ok.
b. See if the user exists and belongs to the specified group. In my case, this means the input username equals the value of sAMAccountName (the user-attr parameter) and the value of memberOf contains the specified group DN (the group parameter).
This step is ok and a lot of attributes of the account are returned, such as cn, name, mail, distinguishedName (the DN of the account in Active Directory).
c. Send another bind request with the user to authenticate.
This step fails, and I find that Cerebro uses the username but not the distinguishedName in the request. It seems that there isn't a parameter to specify the attribute used in the last bind request.
If anyone has a solution to this issue, please kindly help me.
Thanks, Bruce
Hi!

a and b => Admin user checks that user belongs to group. This point is ok.

c => Cerebro uses input of the user (i.e. username and password) to verify that the user can bind to the ldap server. To tune this a bit you can use user-template. I'll put an example:

- Say that credentials foo@domain.com/xxxx (for user / password) are valid
- If user-template is "%s@domain.com", the login will succeed if user types foo as username
- If user-template is "%s", the login will succeed if user types foo@domain.com as username
- If

Hopefully you find this useful
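The three-step exchange discussed above, modelled as an added Python example (this is not Cerebro's code and was not posted in this thread): an in-memory stand-in for the directory, the service-account bind, the group-restricted search, and the final bind with whatever user-template produces. The assumptions are labelled in the comments: the simulated server accepts a DN or a UPN as a simple-bind name but not a bare sAMAccountName, which reproduces the step-c failure in the post (a real domain controller accepts several name forms, so check yours); the account names, DNs and passwords are constructed; and combining user-attr and the group property into one `(&(...)(...))` filter is this example's guess at the search, not something taken from the Cerebro source. The username is RFC 4515-escaped before it enters the filter so that a value such as `bruce)(objectClass=*` is matched literally instead of changing the filter, and the last configuration shows why setting user-template to `%s@domain.com` without also setting user-attr-template breaks step b.

```python
import re

# Constructed directory standing in for the AD in the post (sample data, not real accounts).
DIRECTORY = {
    "CN=Bruce,OU=Users,DC=mycompany,DC=com": {
        "sAMAccountName": "bruce", "userPrincipalName": "bruce@mycompany.com",
        "memberOf": ["CN=ehr-inf,OU=User Group,DC=mycompany,DC=com"], "_password": "s3cret"},
    "CN=Mallory,OU=Users,DC=mycompany,DC=com": {
        "sAMAccountName": "mallory", "userPrincipalName": "mallory@mycompany.com",
        "memberOf": ["CN=staff,OU=User Group,DC=mycompany,DC=com"], "_password": "hunter2"},
    "CN=svc-cerebro,OU=Service,DC=mycompany,DC=com": {
        "sAMAccountName": "svc-cerebro", "userPrincipalName": "svc-cerebro@mycompany.com",
        "memberOf": [], "_password": "admin_user_password"},
}

def simple_bind(name, password):
    """Simulated simple bind. Assumption of this example: the server accepts a DN or a
    UPN as bind name but not a bare sAMAccountName, reproducing the step-c failure."""
    for dn, attrs in DIRECTORY.items():
        if name in (dn, attrs["userPrincipalName"]):
            return attrs["_password"] == password
    return False

def escape_filter_value(value):
    """RFC 4515 escaping: user input cannot add or close filter components."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def parse_filter(text):
    """Minimal filter parser for (&(f)(g)...) and (attr=value); decodes \\XX escapes."""
    pos = 0
    def node():
        nonlocal pos
        if text[pos] != "(":
            raise ValueError("expected ( at offset %d" % pos)
        pos += 1
        if text[pos] == "&":
            pos += 1
            parts = []
            while text[pos] == "(":
                parts.append(node())
            if text[pos] != ")":
                raise ValueError("unterminated and-filter")
            pos += 1
            return ("and", parts)
        end = text.index(")", pos)
        attr, _, raw = text[pos:end].partition("=")
        pos = end + 1
        return ("eq", attr, re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), raw))
    tree = node()
    if pos != len(text):
        raise ValueError("trailing data in filter")
    return tree

def matches(tree, attrs):
    if tree[0] == "and":
        return all(matches(t, attrs) for t in tree[1])
    _, attr, value = tree
    present = attrs.get(attr, [])
    present = [present] if isinstance(present, str) else present
    return any(v.lower() == value.lower() for v in present)  # AD compares these case-insensitively

def fill_template(template, username, base_dn):
    """user-template is a String.format with (username, base-dn); surplus arguments are
    ignored, so "%s" gives the bare username and "uid=%s,%s" gives uid=<user>,<base-dn>."""
    return template % (username, base_dn)[:template.count("%s")]

def cerebro_login(username, password, cfg):
    """The three steps from the Wireshark capture. Returns (ok, step, detail)."""
    if not simple_bind(cfg["bind-dn"], cfg["bind-pw"]):            # a. service-account bind
        return (False, "a", "service account bind rejected")
    gs = cfg["group-search"]                                        # b. user + group search
    attr_value = fill_template(gs.get("user-attr-template") or cfg["user-template"], username, cfg["base-dn"])
    # Combining user-attr and the group property into one and-filter is this example's assumption.
    ldap_filter = "(&(%s=%s)(%s))" % (gs["user-attr"], escape_filter_value(attr_value), gs["group"])
    tree = parse_filter(ldap_filter)
    found = [dn for dn, a in DIRECTORY.items() if dn.endswith(cfg["base-dn"]) and matches(tree, a)]
    if len(found) != 1:
        return (False, "b", "%s matched %d entries" % (ldap_filter, len(found)))
    bind_name = fill_template(cfg["user-template"], username, cfg["base-dn"])  # c. bind as the user,
    if not simple_bind(bind_name, password):                        #    with the template output, not the DN
        return (False, "c", "bind as %r rejected" % bind_name)
    return (True, "c", "bound as %r for entry %s" % (bind_name, found[0]))

# Configuration as posted: step c sends the bare sAMAccountName as bind name.
CONFIG_AS_POSTED = {
    "base-dn": "DC=mycompany,DC=com", "user-template": "%s",
    "bind-dn": "CN=svc-cerebro,OU=Service,DC=mycompany,DC=com", "bind-pw": "admin_user_password",
    "group-search": {"user-attr": "sAMAccountName",
                     "group": "memberOf=CN=ehr-inf,OU=User Group,DC=mycompany,DC=com"},
}
# Per the reply: user-template appends the domain so step c binds with a UPN, while
# user-attr-template keeps step b searching on the bare sAMAccountName.
CONFIG_WITH_UPN = dict(CONFIG_AS_POSTED, **{"user-template": "%s@mycompany.com",
    "group-search": dict(CONFIG_AS_POSTED["group-search"], **{"user-attr-template": "%s"})})
# Domain suffix without user-attr-template: step b searches sAMAccountName=bruce@mycompany.com.
CONFIG_UPN_NO_ATTR_TEMPLATE = dict(CONFIG_AS_POSTED, **{"user-template": "%s@mycompany.com"})

if __name__ == "__main__":
    for name, cfg in [("as posted", CONFIG_AS_POSTED), ("UPN + attr template", CONFIG_WITH_UPN),
                      ("UPN only", CONFIG_UPN_NO_ATTR_TEMPLATE)]:
        print(name, cerebro_login("bruce", "s3cret", cfg))
    print("injection attempt", cerebro_login("bruce)(objectClass=*", "s3cret", CONFIG_WITH_UPN))
```

Running the script prints one outcome per configuration: the posted config fails at step c, the UPN config with user-attr-template succeeds, and the UPN config without it fails at step b because the search value no longer equals the sAMAccountName. When debugging a real directory, the equivalent check is to bind with the service account and run the same search filter by hand, then attempt a plain bind with exactly the string user-template produces; which name forms the bind accepts is a property of the domain controller, not of Cerebro.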
I'm having a similar issue with authentication to ldap. If I comment out the group check, auth works fine. How do you debug this more? There seems to be zero logging for the ldap client. This is on version 0.9.0.