I am using LDAP authentication in spring-security. For some reason I don't have an LDAP server and I have configured my spring-security.xml to use the LDIF file.
I need to add a custom attribute, called type for the users. So I created an objectclass and an attributetypes as mentioned here.
The LDIF file looks like:
dn: cn=subschemasubentry
changetype: modify
add: attributetypes
attributetypes: ( 1.2.3.4.5.6.7 NAME 'type' DESC 'New attribute definition'
  EQUALITY caseIgnoreMatch SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' )

dn: cn=subschemasubentry
changetype: modify
add: objectClasses
objectClasses: ( 1.2.3.4.56789.1.0.200 NAME 'testUser'
  SUP ( inetOrgPerson ) STRUCTURAL
  MUST cn
  MAY type )

dn: ou=users,dc=springframework,dc=org
objectclass: top
objectclass: organizationalUnit
ou: users

dn: uid=testuser1,ou=users,dc=springframework,dc=org
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: testUser
mail: test1@test.com
cn: Some Name
sn: someName
uid: someId
type: someType
userPassword: pass1
However, this fails with NameNotFoundException when I try to use some REST call (protected by spring-security), with the error:
LDAP: error code 32 - NO_SUCH_OBJECT:
...
...
Attempt to search under non-existant entry: ou=users,dc=springframework,dc=org];
nested exception is javax.naming.NameNotFoundException:
If I remove the custom attribute and the custom objectclass, and change the user data to objectclass: inetOrgPerson, it works fine.
How can I add the objectclass and the attributes then?
I was trying to use the schema in LDIF files, which was wrong. I used ApacheDS to create new schema with the custom attributes and custom objectclass. Then exported them to LDIF.
The resulting LDIF I added to the LDIF file used for spring-security.
It is another matter that spring still does not read the new attributes from entries even when it reads the object classes.
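The rejection described above, as an added example (not the poster's code): a small model of how a server validates an entry against the objectClasses it knows. With the stock schema the testUser entry is rejected; an embedded server that then aborts the LDIF import never creates ou=users, which is what the NO_SUCH_OBJECT error reports. The schema tables are constructed and simplified (MUST and MAY merged).

```python
# objectClass -> (superior class, attributes it allows); constructed, simplified
STOCK_SCHEMA = {
    "top": (None, {"objectclass"}),
    "person": ("top", {"cn", "sn", "userpassword", "telephonenumber"}),
    "organizationalperson": ("person", {"title", "ou"}),
    "inetorgperson": ("organizationalperson", {"uid", "mail", "givenname"}),
}
# What the question's schema adds once it is actually loaded into the server.
CUSTOM_SCHEMA = {**STOCK_SCHEMA, "testuser": ("inetorgperson", {"cn", "type"})}

def allowed_attributes(object_classes, schema):
    """Union of the attributes allowed by each class and all of its superiors."""
    allowed = set()
    for oc in object_classes:
        name = oc.lower()
        while name is not None:
            if name not in schema:
                raise KeyError("unknown objectClass: " + oc)
            sup, attrs = schema[name]
            allowed |= attrs
            name = sup
    return allowed

def validate_entry(entry, schema):
    """Return [] when the entry is acceptable, else the reasons it is rejected."""
    try:
        allowed = allowed_attributes(entry["objectclass"], schema)
    except KeyError as err:
        return [err.args[0]]
    return sorted("attribute not allowed by any objectClass: " + attr
                  for attr in entry if attr != "objectclass" and attr not in allowed)

# Constructed entry mirroring the question's user; attribute names lower-cased.
TEST_USER = {
    "objectclass": ["top", "person", "organizationalPerson", "testUser"],
    "cn": ["Some Name"], "sn": ["someName"], "uid": ["someId"],
    "mail": ["test1@test.com"], "type": ["someType"], "userpassword": ["pass1"],
}
# The poster's workaround: drop the custom class and the custom attribute.
PLAIN_USER = {**TEST_USER, "objectclass": ["top", "inetOrgPerson"]}
del PLAIN_USER["type"]
```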
I'm using OUD 12c and I would like to achieve something like the following.
Suppose I have two branches in my LDAP:
ou=users,dc=example,dc=com
ou=users_special,dc=example,dc=com
Is it possible to set on LDAP side that ou=users_special extends the ou=users branch?
So every search in the ou=users branch will automatically look even at the ou=users_special.
Note: no, I can't search for the users in the base dn.
Thanks
EDIT:
I'll try to re-explain, because it seems the goal was not clear.
I have two users with these two DN:
uid=user0,ou=people,dc=example,dc=com
uid=user1,ou=users,dc=example,dc=com
I need both of these ldapsearch commands to work.
ldapsearch -h localhost -p 1389 -b "ou=people,dc=example,dc=com" "(uid=user0)"
ldapsearch -h localhost -p 1389 -b "ou=people,dc=example,dc=com" "(uid=user1)"
That's not schema -- schema defines what attributes exist on an object. You're talking about a referral.
The following LDIF creates an OU with a referral:
dn: ou=users_special,ou=users,dc=example,dc=com
changetype: add
objectclass: top
objectclass: extensibleObject
objectclass: referral
ou: users_special
ref: ldap://LDAPHOST:PORT/ou=users_special,dc=example,dc=com??sub?(objectClass=inetOrgPerson)
I created a user with uid "specialuser01" in ou=users_special,dc=example,dc=com. A query set to follow referrals at base ou=users,dc=example,dc=com for uid=specialuser01 returns the account that is in the
***Searching...
ldap_search_s(ld, "ou=users,dc=example,dc=com", 2, "uid=specialuser01", attrList, 0, &msg)
Getting 1 entries:
Dn: uid=specialuser01,ou=users_special,dc=example,dc=com
cn: special User01;
objectClass (4): top; person; organizationalPerson; inetOrgPerson;
uid: specialuser01;
However a search that doesn't follow referrals will return 0 entries.
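The two outcomes above (referral followed vs. not followed), as an added example that is not the answer's code: a client-side simulation in which a subtree search under ou=users meets the referral object; a client that follows referrals parses the "ref" URL (RFC 4516 form ldap://host:port/dn?attrs?scope?filter) and repeats the search at the target base, while a client that does not returns nothing. The directory contents, host name and port are constructed.

```python
from urllib.parse import unquote

# The ref value from the LDIF above; LDAPHOST:PORT is a placeholder host.
REF = ("ldap://LDAPHOST:PORT/ou=users_special,dc=example,dc=com"
       "??sub?(objectClass=inetOrgPerson)")

def parse_ldap_url(url):
    """Split an LDAP URL into host, base DN, attribute list, scope and filter."""
    scheme, rest = url.split("://", 1)
    if scheme.lower() not in ("ldap", "ldaps"):
        raise ValueError("not an LDAP URL: " + url)
    hostport, _, tail = rest.partition("/")
    dn, attrs, scope, filt = (tail.split("?", 3) + [""] * 3)[:4]
    return {"host": hostport, "base": unquote(dn),
            "attrs": [a for a in attrs.split(",") if a],
            "scope": scope.lower() or "base",            # RFC 4516 defaults
            "filter": unquote(filt) or "(objectClass=*)"}

def norm(dn):
    return ",".join(part.strip().lower() for part in dn.split(","))

def in_subtree(dn, base):
    return norm(dn) == norm(base) or norm(dn).endswith("," + norm(base))

# Constructed directory keyed by host, so the client can "connect" to the
# server named in the ref (here one server holds both branches).
SERVERS = {"LDAPHOST:PORT": {
    "ou=users,dc=example,dc=com": {"objectClass": ["organizationalUnit"]},
    "ou=users_special,ou=users,dc=example,dc=com":
        {"objectClass": ["referral", "extensibleObject"], "ref": [REF]},
    "ou=users_special,dc=example,dc=com": {"objectClass": ["organizationalUnit"]},
    "uid=specialuser01,ou=users_special,dc=example,dc=com":
        {"objectClass": ["inetOrgPerson"], "uid": ["specialuser01"]},
}}

def search_uid(host, base, uid, follow_referrals, hops=0):
    """Subtree search for a uid under base; returns the DNs found."""
    found, continuations = [], []
    for dn, entry in SERVERS[host].items():
        if not in_subtree(dn, base):
            continue
        if "referral" in entry["objectClass"]:
            continuations.extend(entry["ref"])   # a referral is not a hit itself
        elif uid in entry.get("uid", []):
            found.append(dn)
    if follow_referrals and hops < 5:            # hop limit guards against loops
        for url in continuations:
            target = parse_ldap_url(url)
            found += search_uid(target["host"], target["base"], uid, True, hops + 1)
    return found
```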
I want to query LDAP for all users in a specific OU (call it OU = Anberlin)
This is my current approach:
(&(objectCategory=person)(objectClass=user)(memberOf=OU=Anberlin, DC=Domain, DC=local)( !(userAccountControl:1.2.840.113556.1.4.803:=2)))
That should get all the enabled users in that OU right?
No, it won't. The memberOf attribute stores the list of groups the object is a member of.
All LDAP searches have a base DN value that you can pass as well as the query. Usually it's the whole domain, but if you set the base DN to your OU, then you will only get results from that OU.
So this is what you'd use for your search:
Base DN: OU=Anberlin,DC=Domain,DC=local
Query: (&(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
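The corrected search run over a few constructed AD-style entries, as an added example (not the answer's code): the base DN does the scoping, and the filter keeps person/user objects and drops disabled ones through the bitwise matching rule 1.2.840.113556.1.4.803 (LDAP_MATCHING_RULE_BIT_AND) on userAccountControl, where bit 0x2 is ACCOUNTDISABLE. It also shows why the posted memberOf clause matches nothing: memberOf holds group DNs, never the containing OU.

```python
ACCOUNTDISABLE = 0x0002          # userAccountControl bit tested by the filter
NORMAL_ACCOUNT = 0x0200
BASE_DN = "OU=Anberlin,DC=Domain,DC=local"

def norm(dn):
    return ",".join(p.strip().lower() for p in dn.split(","))

def in_subtree(dn, base):
    return norm(dn) == norm(base) or norm(dn).endswith("," + norm(base))

def rdn_value(dn):
    """'CN=Person,CN=Schema,...' -> 'person'; AD matches objectCategory by this name."""
    return dn.split(",", 1)[0].split("=", 1)[1].strip().lower()

def enabled_user(entry):
    """(&(objectCategory=person)(objectClass=user)
        (!(userAccountControl:1.2.840.113556.1.4.803:=2)))"""
    return (rdn_value(entry["objectCategory"]) == "person"
            and "user" in [c.lower() for c in entry["objectClass"]]
            and not entry["userAccountControl"] & ACCOUNTDISABLE)

def posted_memberof_clause(entry, base=BASE_DN):
    """(memberOf=OU=Anberlin,...) as posted: compares group DNs to an OU DN."""
    return any(norm(g) == norm(base) for g in entry.get("memberOf", []))

def search(entries, base, predicate):
    """Subtree search: scope by base DN first, then apply the filter."""
    return sorted(dn for dn, e in entries.items()
                  if in_subtree(dn, base) and predicate(e))

# Constructed entries; objectCategory values are shaped like AD's schema DNs.
CAT_PERSON = "CN=Person,CN=Schema,CN=Configuration,DC=Domain,DC=local"
CAT_COMPUTER = "CN=Computer,CN=Schema,CN=Configuration,DC=Domain,DC=local"
USER_OC = ["top", "person", "organizationalPerson", "user"]
ENTRIES = {
    "CN=Alice,OU=Anberlin,DC=Domain,DC=local": {"objectCategory": CAT_PERSON,
        "objectClass": USER_OC, "userAccountControl": NORMAL_ACCOUNT,
        "memberOf": ["CN=Staff,OU=Groups,DC=Domain,DC=local"]},
    "CN=Bob,OU=Anberlin,DC=Domain,DC=local": {"objectCategory": CAT_PERSON,     # disabled
        "objectClass": USER_OC, "userAccountControl": NORMAL_ACCOUNT | ACCOUNTDISABLE},
    "CN=Carol,OU=Sales,DC=Domain,DC=local": {"objectCategory": CAT_PERSON,       # other OU
        "objectClass": USER_OC, "userAccountControl": NORMAL_ACCOUNT},
    "CN=WS01,OU=Anberlin,DC=Domain,DC=local": {"objectCategory": CAT_COMPUTER,   # a computer
        "objectClass": USER_OC + ["computer"], "userAccountControl": 0x1000},
}
```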
I have added this entry:
!DATE 2014-01-19T11:48:56.062
dn: cn=Derek Carter2,ou=mis,ou=unit,ou=company,dc=labs,dc=com
changetype: add
telephoneNumber: 02-29587572
mail: c291677874@labs.com
objectClass: person
objectClass: inetOrgPerson
givenName: Derek Carter
sn: Carter
title: engineer
cn: Derek Carter2
but the Joomla LDAP config needs a uid field.
What else should I do to enable Joomla login with LDAP?
Change the schema, or add an attribute to the entry?
uid is supposed to be globally unique. Often it is a short name you might consider a login name value. It is unlikely that the user wants to log in as Derek Carter2; they probably want to log in as dcarter or carterd or some such. Do you maintain such a value? Conversely, folk often use the email address as the login id, since it must be globally unique. Or at worst, the stuff before the @ sign in the email address, if it is your email domain, i.e. all users in your email domain should have unique bits before the @ sign.
In that case, use that data in the uid attribute. Or else change the LDAP mapping that takes the passed in login name, and looks at mail instead of uid.
I am really bad at understanding LDAP and I have not found a reliable source to learn what I need about it. I now need to authenticate users in Joomla using an LDAP directory, and I am using JMapMyLDAP. In the configuration it asks me for a base DN and I am not sure what that is, but in this case I have
ou=People,do=uniandes,do=edu,do=co
and then in filter, I would like to filter by uid. I want to be able to map the users by uid so that depending on their uid I can assign them the appropriate viewing and editing permissions, and I am not quite sure how to do it, so in filter I have
(&(uid=[username]))
Then in lookup type I have -forward-, in lookup attribute I have -member-, in lookup member I have -Uid-, and in DN attribute -distinguishedName-. Finally I have the mapping as myusername:group, and when trying to log in with my LDAP user I just can't log in. I don't know if I am doing something wrong or what may be happening. Does anyone have any idea? Any suggested reading?
What LDAP directory are you using? Your base DN of ou=People,do=uniandes,do=edu,do=co is almost certainly incorrect. The cn=, ou=, dc= parts are well-known naming attributes of objects. do= seems very unlikely.
If you are using Active Directory as your LDAP directory, the last parts (usually two) need to be dc=.
Far more likely is ou=People,dc=uniandes,dc=edu unless the last bit about do=co means something in your context.
If you are using eDirectory as an LDAP directory, far more likely is: ou=People,ou=uniandes,o=edu
As for your filter of (&(uid=[username])) you can probably get by with just (uid=[username]) assuming the [username] is a Joomla macro for the username provided.
For example:

labs.com
+-- login
|   +-- user
|   +-- group
+-- company
    +-- unit
    |   +-- mis
    |   +-- account
    |   +-- hr
    +-- customer
root-unit.ldif:

# root node
dn: dc=labs,dc=com
dc: labs
objectClass: dcObject
objectClass: organizationalUnit
ou: labs Dot com

# login top
dn: ou=login,dc=labs,dc=com
ou: login
objectClass: organizationalUnit

# user, uid, password
dn: ou=user,ou=login,dc=labs,dc=com
ou: user
objectClass: organizationalUnit

# group
dn: ou=group,ou=login,dc=labs,dc=com
ou: group
objectClass: organizationalUnit

# for company organization top
dn: ou=company,dc=labs,dc=com
ou: company
objectClass: organizationalUnit

# for company organization (unit)
dn: ou=unit,ou=company,dc=labs,dc=com
ou: unit
objectClass: organizationalUnit

# human resource (under unit)
dn: ou=hr,ou=unit,ou=company,dc=labs,dc=com
ou: hr
objectClass: organizationalUnit

# MIS (under unit)
dn: ou=mis,ou=unit,ou=company,dc=labs,dc=com
ou: mis
objectClass: organizationalUnit

# Account (under unit)
dn: ou=account,ou=unit,ou=company,dc=labs,dc=com
ou: account
objectClass: organizationalUnit

# for customers information
dn: ou=customer,ou=company,dc=labs,dc=com
ou: customer
objectClass: organizationalUnit
Some users in my LDAP directory have several uids assigned, as such:
dn: uid=user1,ou=People,o=org
uid: user1
uid: nick1

dn: uid=user2,ou=People,o=org
uid: user2
uid: nick2
While trying to get the uid for these users using ActiveLdap (like User.uid), I only get the first uid attribute, as it is the DN attribute.
Is it possible with ActiveLdap to get both of them?
I just ran into this a couple of weeks ago:
Query all the users in a system with LDAP
It is not an ActiveLDAP issue per se.
Here is the thing, and I will hopefully save you some time. With your LDAP schema, as is, what you have is a unique DN for every user. So, in effect, if you have 100,000 users, you have 100,000 folders, each identified at the top level as unique by id. If your schema was set up like this:
dn: category=active,ou=People,o=org
uid: uid1
uid: nick1
then you could query all the active users for overlapping uid, because the filter would filter down to active users and select from those the users with uid attributes of x.
As it is, you can only get at the top-level DN, so each filter will filter one user, so it's useless. What I did is actually query my flat-file backup of the LDAP database and extract information that way. I used basic Ruby and just split records on newlines and made a big array, if I remember correctly. We had about 130,000 records and I was able to get my query in about 2 seconds from the flat file.
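The flat-file approach from the answer above, as an added example in Python (the poster used Ruby; this is neither their code nor ActiveLdap's): it reads an LDIF export, keeps every value of a multi-valued attribute such as uid, and builds a reverse index so an entry can be found by any of its uids. The LDIF below is constructed in the shape of the question.

```python
import base64

# Constructed LDIF export; the second cn uses LDIF's base64 form ("attr:: ...").
SAMPLE_LDIF = """\
dn: uid=user1,ou=People,o=org
cn: User One
uid: user1
uid: nick1

dn: uid=user2,ou=People,o=org
cn:: VXNlciBUd28=
uid: user2
uid: nick2
"""

def parse_ldif(text):
    """Return {dn: {attr: [values]}} with attribute names lower-cased."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:          # folded continuation line
            unfolded[-1] += raw[1:]
        elif not raw.startswith(("#", "version:")):   # comments are dropped
            unfolded.append(raw)
    entries, current = {}, {}
    for line in unfolded + [""]:
        if not line:                                  # blank line ends a record
            if current:
                entries[current["dn"][0]] = current
            current = {}
            continue
        name, _, value = line.partition(":")
        value = value.strip()
        if value.startswith(":"):                     # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        current.setdefault(name.strip().lower(), []).append(value)
    return entries

def uids_of(entries, dn):
    """All uid values of one entry, not just the one used in its RDN."""
    return entries[dn].get("uid", [])

def uid_index(entries):
    """Any uid value -> owning DN; refuses duplicates since uid should be unique."""
    index = {}
    for dn, attrs in entries.items():
        for value in attrs.get("uid", []):
            if value.lower() in index:
                raise ValueError("duplicate uid " + value)
            index[value.lower()] = dn
    return index
```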