OpenLDAP Authentication UID vs CN issues
The ldapsearch tool in your example uses simple BIND to change the authorization state of the connection. The simple BIND operation requires the distinguished name and credentials. The distinguished name is uid=jsmith,ou=Users,dc=example,dc=com, not cn=jsmith,ou=Users,dc=example,dc=com in the entry given as example.
This directory server configuration causes the server to return the result code for invalid credentials when actually the distinguished name cn=jsmith,ou=Users,dc=example,dc=com does not exist. This is the recommended configuration: it provides less information to an attacker.
TagWolf
Updated on September 18, 2022
Comments
-
TagWolf over 1 year
I'm having trouble authenticating services using uid for authentication, which I thought was the standard method for authentication on the user. So basically, my users are added in ldap like this:
# jsmith, Users, example.com
dn: uid=jsmith,ou=Users,dc=example,dc=com
uidNumber: 10003
loginShell: /bin/bash
sn: Smith
mail: [email protected]
homeDirectory: /home/jsmith
displayName: John Smith
givenName: John
uid: jsmith
gecos: John Smith
gidNumber: 10000
cn: John Smith
title: System Administrator
But when I try to authenticate using typical webapps or services like this:
jsmith password
I get:
ldapsearch -x -h ldap.example.com -D "cn=jsmith,ou=Users,dc=example,dc=com" -W -b "dc=example,dc=com"
Enter LDAP Password:
ldap_bind: Invalid credentials (49)
But if I use:
ldapsearch -x -h ldap.example.com -D "uid=jsmith,ou=Users,dc=example,dc=com" -W -b "dc=example,dc=com"
It works.
HOWEVER...most webapps and authentication methods seem to use another method. So on a webapp I'm using, unless I specify the user as:
uid=smith,ou=users,dc=example,dc=com
Nothing works. In the webapp I just need users to put: jsmith in the user field.
Keep in mind my ldap is using the "new" cn=config method of storing settings. So if someone has an obvious ldif I'm missing please provide. Let me know if you need further info. This is OpenLDAP on Ubuntu 12.04.
-
FooBee over 11 years
Most applications that use LDAP for auth can be configured to tell them what to search for. In your first example, the app appears to search for the cn, not the uid, and since the cn is John Smith, not jsmith, this cannot work.
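The search-then-bind flow that lets a user type only jsmith, and the uniform result code 49 from the answer, shown as an added example that is not part of the original thread. It simulates the directory in memory rather than talking to a real server; the DIRECTORY dict, the sample password and all function names are assumptions made for illustration.

```python
import hmac
import re

# Constructed stand-in for the directory; the entry mirrors the one in the question.
DIRECTORY = {
    "uid=jsmith,ou=Users,dc=example,dc=com": {
        "uid": "jsmith", "cn": "John Smith",
        "userPassword": "s3cret",  # constructed sample password
    },
}
SUCCESS, INVALID_CREDENTIALS = 0, 49  # LDAP result codes

def escape_filter_value(value):
    """RFC 4515 escaping, so the login is matched as data, not filter syntax."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def search(filter_str):
    """Evaluate one (attr=value) filter; an unescaped * acts as a wildcard."""
    attr, value = re.fullmatch(r"\((\w+)=(.*)\)", filter_str).groups()
    unescape = lambda s: re.sub(r"\\([0-9a-fA-F]{2})",
                                lambda m: chr(int(m.group(1), 16)), s)
    pattern = ".*".join(re.escape(unescape(p)) for p in value.split("*"))
    return [dn for dn, entry in DIRECTORY.items()
            if re.fullmatch(pattern, entry.get(attr, ""), re.IGNORECASE)]

def simple_bind(dn, password):
    """Unknown DN and wrong password both return 49, as the answer describes."""
    entry = DIRECTORY.get(dn)
    if entry is None or not hmac.compare_digest(
            entry["userPassword"].encode(), password.encode()):
        return INVALID_CREDENTIALS
    return SUCCESS

def authenticate(login, password, attr="uid"):
    """Search-then-bind: the user types a short login, the app finds the DN."""
    if not password:  # an empty password is an unauthenticated bind (RFC 4513)
        return False
    hits = search("(%s=%s)" % (attr, escape_filter_value(login)))
    if len(hits) != 1:  # no entry, or an ambiguous match
        return False
    return simple_bind(hits[0], password) == SUCCESS

if __name__ == "__main__":
    print(authenticate("jsmith", "s3cret"))             # search on uid
    print(authenticate("jsmith", "s3cret", attr="cn"))  # cn is "John Smith"
```

In a real web application the equivalent of attr is the setting usually called the login attribute or user search filter; pointing it at uid instead of cn is the configuration change the comment describes.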