OpenLDAP Authentication UID vs CN issues


The ldapsearch tool in your example uses simple BIND to change the authorization state of the connection. The simple BIND operation requires the distinguished name and credentials. The distinguished name is uid=jsmith,ou=Users,dc=example,dc=com, not cn=jsmith,ou=Users,dc=example,dc=com, in the entry given as an example.

This directory server configuration causes the server to return the result code for invalid credentials when actually the distinguished name cn=jsmith,ou=Users,dc=example,dc=com does not exist. This is the recommended configuration: it provides less information to an attacker.

Author: TagWolf

Updated on September 18, 2022
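The two bind styles the answer contrasts, and the search-then-bind flow FooBee describes in the comments below (an application searches for the login name first, then binds as the DN it finds), as an added example that is not code from the original question or answer. It runs against an in-memory stand-in for the directory built from the entry in the question; no LDAP server is contacted. The userPassword value, its salt and the password "hunter2" are constructed for the demo. DN and attribute values are matched case-insensitively, which is how OpenLDAP's caseIgnore matching rules treat uid and cn, but is an assumption for other attributes.

```python
# Added example, not from the original post. Models simple BIND and
# search-then-bind against an in-memory directory parsed from the question's LDIF.
import base64
import hashlib
import hmac
from typing import Dict, List, Optional, Tuple

LDAP_SUCCESS = 0
LDAP_INVALID_CREDENTIALS = 49  # the "(49)" ldapsearch printed in the question

Entry = Dict[str, List[str]]


def normalize_dn(dn: str) -> str:
    """Canonical form for comparing DNs: lower-case, no whitespace around commas."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def parse_ldif(text: str) -> Dict[str, Entry]:
    """Minimal LDIF reader: 'attr: value' lines, entries separated by blank lines,
    '#' comments skipped. Enough for the question's entry, not a full RFC 2849 parser."""
    directory: Dict[str, Entry] = {}
    entry: Entry = {}
    for raw in text.splitlines() + [""]:      # trailing "" flushes the last entry
        line = raw.strip()
        if line.startswith("#"):
            continue
        if not line:
            if entry:
                directory[normalize_dn(entry["dn"][0])] = entry
                entry = {}
            continue
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip(), []).append(value.strip())
    return directory


def ssha_hash(password: str, salt: bytes) -> str:
    """OpenLDAP's {SSHA} layout: base64(sha1(password + salt) + salt)."""
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def check_ssha(password: str, stored: str) -> bool:
    """Verify a password against a stored {SSHA} value (constant-time compare)."""
    if not stored.startswith("{SSHA}"):
        return False
    blob = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = blob[:20], blob[20:]
    return hmac.compare_digest(hashlib.sha1(password.encode() + salt).digest(), digest)


def simple_bind(directory: Dict[str, Entry], dn: str, password: str) -> int:
    """Simple BIND: the DN must name an existing entry AND the password must verify.
    A nonexistent DN and a wrong password both return invalidCredentials (49), which is
    the behaviour the answer describes: the client cannot tell the two cases apart."""
    entry = directory.get(normalize_dn(dn))
    if entry is None:
        return LDAP_INVALID_CREDENTIALS
    for stored in entry.get("userPassword", []):
        if check_ssha(password, stored):
            return LDAP_SUCCESS
    return LDAP_INVALID_CREDENTIALS


def search(directory: Dict[str, Entry], base: str, attr: str, value: str) -> List[str]:
    """Subtree search with an equality filter (attr=value); returns matching DNs."""
    base_n = normalize_dn(base)
    hits = []
    for dn_n, entry in directory.items():
        if dn_n != base_n and not dn_n.endswith("," + base_n):
            continue
        if value.lower() in (v.lower() for v in entry.get(attr, [])):
            hits.append(entry["dn"][0])
    return hits


def login(directory: Dict[str, Entry], base: str, login_attr: str,
          username: str, password: str) -> Tuple[int, Optional[str]]:
    """Search-then-bind, what a web app does with a bare 'jsmith':
    1. search (login_attr=username) under base, 2. bind as the single DN found.
    With login_attr='cn' the search for 'jsmith' finds nothing, because cn is 'John Smith'."""
    dns = search(directory, base, login_attr, username)
    if len(dns) != 1:                      # no match, or an ambiguous match: refuse
        return LDAP_INVALID_CREDENTIALS, None
    return simple_bind(directory, dns[0], password), dns[0]


SALT = b"\x01\x02\x03\x04"                 # constructed demo salt, not from the page
USER_LDIF = f"""\
# jsmith, Users, example.com
dn: uid=jsmith,ou=Users,dc=example,dc=com
uid: jsmith
cn: John Smith
sn: Smith
userPassword: {ssha_hash('hunter2', SALT)}
"""
DIRECTORY = parse_ldif(USER_LDIF)
BASE = "dc=example,dc=com"

if __name__ == "__main__":
    print(simple_bind(DIRECTORY, "cn=jsmith,ou=Users,dc=example,dc=com", "hunter2"))   # 49: no such entry
    print(simple_bind(DIRECTORY, "uid=jsmith,ou=Users,dc=example,dc=com", "hunter2"))  # 0
    print(login(DIRECTORY, BASE, "uid", "jsmith", "hunter2"))  # (0, 'uid=jsmith,ou=Users,dc=example,dc=com')
    print(login(DIRECTORY, BASE, "cn", "jsmith", "hunter2"))   # (49, None): cn is 'John Smith', not 'jsmith'
```

The point to take from `login` is that the application setting usually called the login or user attribute (the `uid` in `(uid=%s)`) decides which attribute the bare username is matched against; pointing it at `cn` fails here not because the bind is wrong but because the search never finds an entry to bind as.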

Comments

  • TagWolf (over 1 year)

    I'm having trouble authenticating services using uid for authentication, which I thought was the standard method for authentication on the user. So basically, my users are added in ldap like this:

    # jsmith, Users, example.com
    dn: uid=jsmith,ou=Users,dc=example,dc=com
    uidNumber: 10003
    loginShell: /bin/bash
    sn: Smith
    mail: [email protected]
    homeDirectory: /home/jsmith
    displayName: John Smith
    givenName: John
    uid: jsmith
    gecos: John Smith
    gidNumber: 10000
    cn: John Smith
    title: System Administrator
    

    But when I try to authenticate using typical webapps or services like this:

    jsmith
    password
    

    I get:

    ldapsearch -x -h ldap.example.com -D "cn=jsmith,ou=Users,dc=example,dc=com" -W -b "dc=example,dc=com"
    Enter LDAP Password:
    ldap_bind: Invalid credentials (49)
    

    But if I use:

    ldapsearch -x -h ldap.example.com -D "uid=jsmith,ou=Users,dc=example,dc=com" -W -b "dc=example,dc=com"
    

    It works.

    HOWEVER... most webapps and authentication methods seem to use another method. So on a webapp I'm using, unless I specify the user as uid=jsmith,ou=users,dc=example,dc=com, nothing works.

    In the webapp I just need users to put: jsmith in the user field.

    Keep in mind my ldap is using the "new" cn=config method of storing settings. So if someone has an obvious ldif I'm missing please provide.

    Let me know if you need further info. This is OpenLDAP on Ubuntu 12.04.

    • FooBee (over 11 years)
      Most applications that use LDAP for auth can be configured to tell them what to search for. In your first example, the app appears to search for the cn, not the uid, and since the cn is John Smith, not jsmith, this cannot work.