LDAP Proxy User Access... ERROR


SITC

Oct 11, 2017, 3:44:51 PM
to RCDevs Security Solutions - Technical
Even using domain admin we still see this user failing to have access.

No Enterprise license found (using bundled Freeware license)
Please contact sa...@rcdevs.com for commercial information

Starting WebADM PKI server... Ok
Starting WebADM Session server... Ok
Starting WebADM HTTP server... Ok

Checking server connections. Please wait...
Connected LDAP server: SIT-SBS (192.168.20.249)
Connected SQL server: SQL Server (127.0.0.1)
Connected PKI server: PKI Server (localhost)
Connected Session server: Session Server (localhost)

Checking LDAP proxy user access... ERROR

Checking SQL database access... Ok
Checking PKI service access... Ok

webadm.conf file read out on the VM appliance (letters in red are changed from the original for security):

proxy_user     "CN=ProxyUser,OU=Users,OU=MyBusiness,DC=DOMAIN,DC=local"
proxy_password "PASSWORD"

# Super administrators have extended WebADM privileges such as setup permissions,
# additional operations and unlimited access to any LDAP encrypted data. Access
# restriction configured in the WebADM OptionSets do not apply to super admins.
# You can set a list of individual LDAP users or LDAP groups here.
# With ActiveDirectory, your administrator account should be something like
# cn=Administrator,cn=Users,dc=mydomain,dc=com. And you can replace the sample
# super_admins group on the second line with an existing security group.
super_admins "CN=Admin,OU=Service Accounts,OU=SBSUsers,OU=Users,OU=MyBusiness,DC=DOMAIN,DC=local", \
             "CN=Domain Admins,CN=Users,DC=sit,DC=local"

I will note that when I attempt to give this user proxyuser access I do not see webadmAccount or the below screenshot options. I'm thinking this has something to do with the issue, but I'm not sure how to resolve it.

Any assistance is appreciated.

Thank You!

Yoann Traut (RCDevs)

Oct 12, 2017, 4:02:26 AM
to RCDevs Security Solutions - Technical
Hello,

How is your LDAP server configured in servers.xml (encryption, port, protocol)?
Could you run the following command from your webadm server: telnet your_ldap_server ldap_port (for example, if you use LDAPS 636 SSL: telnet 192.168.3.50 636)
Are you sure that the delegation is not overridden by an AD GPO?

Regards

Sean Pennington

Oct 12, 2017, 8:59:12 AM
to rcdevs-t...@googlegroups.com

Yoann,

Telnet command isn't available from the root of the webadm VM appliance. When attempting to use PuTTY from my desktop, the SSL port I have set up does not time out; it only gives a blank screen, but does not seem to time out.

I have set the servers.xml to the IP and port for that server; still it fails for the LDAP proxy user access. It does state during the restart that it is connected to the LDAP server:

"Connected LDAP Server: SBS (192.168.x.x)"

Which is part of what is confusing me. Any other thoughts/ideas?

Best Regards,


Sean Pennington

Oct 12, 2017, 9:34:49 AM
to rcdevs-t...@googlegroups.com

Here's an update:

If I change to my 2nd Domain controller (not the Schema Master) it succeeds, but when I log in I get the following errors:

Checking LDAP schema
Reading schema objectclasses... Ok
Reading schema attributes... Ok
Checking account objectclass... Missing
Checking group objectclass... Missing
Checking config objectclass... Missing
Checking data attribute... Missing
Checking settings attribute... Missing
Checking type attribute... Missing

Everything else says OK.

What am I missing here?

Best Regards,

Sean Pennington

Oct 12, 2017, 9:50:59 AM
to rcdevs-t...@googlegroups.com

Okay, so I determined that the port I was using for LDAP on the primary DC was wrong; apparently it was not set up as I thought. Which allowed me to restart webadm with no error and get the following:

Checking LDAP schema
Reading schema objectclasses... Ok
Reading schema attributes... Ok

Checking account objectclass... Ok
Checking group objectclass... Ok
Checking config objectclass... Ok
Checking data attribute... Ok
Checking settings attribute... Ok
Checking type attribute... Ok

So my next dilemma is still:

Checking default LDAP objects
Checking domains container... Missing
Checking clients container... Missing
Checking optionsets container... Missing
Checking adminroles container... Missing
Checking mountpoints container... Missing
Checking webapps container... Missing
Checking websrvs container... Missing

These will not create, even if I change the proxyuser account to be the domain admin, which is the account that would have been used in creating the original LDAP config on that server.

Thoughts while I continue to beat my head against this issue? (Hopefully my ramblings will be helpful to someone else in the future to troubleshoot this same or similar issue.) In the meantime, anyone got a pointer in the right direction for the above "missing" containers issue? They won't create!

Best Regards,

Yoann Traut (RCDevs)

Oct 12, 2017, 11:36:51 AM
to RCDevs Security Solutions - Technical
Does your super_admin who is logged on to the WebADM GUI have the rights to write in your WebADM container on your LDAP?
You define the default containers in /opt/webadm/conf/webadm.conf. It looks something like this:

# Find below the LDAP containers required by WebADM.
# Change the container's DN to fit your ldap tree base.

# WebADM AdminRoles container
adminroles_container "cn=AdminRoles,cn=WebADM,dc=yorcdevs,dc=com"

# WebADM Optionsets container
optionsets_container "cn=OptionSets,cn=WebADM,dc=yorcdevs,dc=com"

# WebApp configurations container
webapps_container "cn=WebApps,cn=WebADM,dc=yorcdevs,dc=com"

# WebSrv configurations container
websrvs_container "cn=WebSrvs,cn=WebADM,dc=yorcdevs,dc=com"

# Mount points container
mountpoints_container "cn=Mountpoints,cn=WebADM,dc=yorcdevs,dc=com"

# Domain and Trusts container
domains_container "cn=Domains,cn=WebADM,dc=yorcdevs,dc=com"

# Clients container
clients_container "cn=Clients,cn=WebADM,dc=yorcdevs,dc=com"

My container is CN=WebADM, and the user logged on to the WebADM GUI should have read/write rights on this container.

Regards
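The two things this thread ends up checking by hand, the TCP reachability of the LDAP port that Yoann suggested testing with telnet, and whether proxy_user, super_admins and the *_container DNs in webadm.conf all point at the same directory base under one WebADM parent, can be scripted. The following is an added example written for this page; it is not code from the thread or from RCDevs. It assumes only the `key "value"[, "value"]` line syntax with backslash continuations that the quoted fragments show, and the sample configuration, its DNs and the deliberately different DC base on the second super_admins entry are constructed placeholders. The base-DN comparison is a sanity check, not a rule: a super admin from a trusted domain can legitimately have another base, so treat a finding as something to confirm, not an error.

```python
import re
import socket
from typing import Dict, List

# Constructed sample in the webadm.conf style quoted in the thread. The DNs are
# placeholders, not the poster's real values; the second super_admins entry is
# deliberately given a different DC base so the check below has something to flag.
SAMPLE_CONF = r'''
# LDAP proxy user used by WebADM for its own LDAP connections
proxy_user     "CN=ProxyUser,OU=Users,OU=MyBusiness,DC=domain,DC=local"
proxy_password "PASSWORD"

# Super administrators (the list may continue on the next line with a backslash)
super_admins "CN=Admin,OU=Service Accounts,OU=Users,OU=MyBusiness,DC=domain,DC=local", \
             "CN=Domain Admins,CN=Users,DC=sit,DC=local"

# WebADM containers, all expected under one common parent
adminroles_container  "cn=AdminRoles,cn=WebADM,dc=domain,dc=local"
optionsets_container  "cn=OptionSets,cn=WebADM,dc=domain,dc=local"
webapps_container     "cn=WebApps,cn=WebADM,dc=domain,dc=local"
websrvs_container     "cn=WebSrvs,cn=WebADM,dc=domain,dc=local"
mountpoints_container "cn=Mountpoints,cn=WebADM,dc=domain,dc=local"
domains_container     "cn=Domains,cn=WebADM,dc=domain,dc=local"
clients_container     "cn=Clients,cn=WebADM,dc=domain,dc=local"
'''

CONTAINER_KEYS = ["adminroles_container", "optionsets_container", "webapps_container",
                  "websrvs_container", "mountpoints_container", "domains_container",
                  "clients_container"]


def parse_webadm_conf(text: str) -> Dict[str, List[str]]:
    """Parse `key "value"[, "value"...]` lines into key -> list of quoted values.
    '#' comment lines are skipped; a trailing backslash joins the next line."""
    entries: Dict[str, List[str]] = {}
    pending = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):          # statement continues on the next line
            pending += line[:-1] + " "
            continue
        stmt = pending + line
        pending = ""
        m = re.match(r"(\w+)\s+(.*)$", stmt)
        if m:
            entries[m.group(1)] = re.findall(r'"([^"]*)"', m.group(2))
    return entries


def dn_components(dn: str) -> List[str]:
    """Split a DN on unescaped commas and normalise each RDN to lower case."""
    return [c.strip().lower() for c in re.split(r"(?<!\\),", dn)]


def dn_base(dn: str) -> str:
    """The trailing run of dc= components, e.g. 'dc=domain,dc=local'."""
    base: List[str] = []
    for comp in reversed(dn_components(dn)):
        if not comp.startswith("dc="):
            break
        base.insert(0, comp)
    return ",".join(base)


def dn_parent(dn: str) -> str:
    """Everything after the first RDN, i.e. the container the object lives in."""
    return ",".join(dn_components(dn)[1:])


def check_conf(entries: Dict[str, List[str]]) -> List[str]:
    """Return human-readable findings; an empty list means the DNs are consistent."""
    findings: List[str] = []
    proxy = entries.get("proxy_user", [])
    if not proxy:
        return ["proxy_user is not set"]
    ref_base = dn_base(proxy[0])
    for key in CONTAINER_KEYS:
        if not entries.get(key):
            findings.append(f"{key} is not set")
    parents = {dn_parent(entries[k][0]) for k in CONTAINER_KEYS if entries.get(k)}
    if len(parents) > 1:
        findings.append(f"containers do not share one parent: {sorted(parents)}")
    for parent in sorted(parents):
        if dn_base(parent) != ref_base:
            findings.append(f"container parent {parent!r} is outside proxy_user base {ref_base!r}")
    for i, admin in enumerate(entries.get("super_admins", [])):
        if dn_base(admin) != ref_base:
            findings.append(f"super_admins[{i}] base {dn_base(admin)!r} differs from proxy_user base {ref_base!r}")
    return findings


def tcp_reachable(host: str, port: int, timeout: float = 3.0) -> bool:
    """Plain TCP connect, the scripted equivalent of the telnet test suggested in the thread.
    A True here only proves the port answers; the bind and ACL checks are separate."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    for finding in check_conf(parse_webadm_conf(SAMPLE_CONF)) or ["webadm.conf DNs are consistent"]:
        print(finding)
    # Hypothetical LDAPS endpoint (TEST-NET address); substitute the host and port from servers.xml.
    print("ldaps reachable:", tcp_reachable("192.0.2.10", 636, timeout=1.0))
```

Run against a real file with `check_conf(parse_webadm_conf(open("/opt/webadm/conf/webadm.conf").read()))`. Mismatched bases between a working DC and the one that fails, as happened in this thread with the wrong port, show up here before WebADM is restarted; the reachability check separates "the port is not listening" from "the bind or the write to cn=WebADM is refused".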

Sean Pennington

Oct 12, 2017, 12:43:16 PM
to rcdevs-t...@googlegroups.com

So I used adsiedit to create the base container for the WebADM. I did so through the LDAP connection. See SS below:

Once connected I created a new object/container and named it. I'm thinking you could probably change the permissions on it using ADUC, but with domain admin as the super user it all succeeded and came back with OK.

I'll continue to post in case I run into anything else. Yoann, you've been a big help, giving me the pointers in the direction I needed to connect the dots.

Thank You!