Can't get past setup - applied memberOf overlay


Aaron Joseph

Sep 28, 2015, 5:16:36 AM
to pwm-general
Jason, and others,

I'm using the latest PWM cloned just now from the git repo that was built and deployed.

I've applied the memberOf overlay which I believe is working as it returns the right DN.

$ ldapsearch -xLLL -h raspberrypi -D "cn=admin,dc=example,dc=com" -W -b "ou=people,dc=example,dc=com" '(uid=aaron)' memberOf  
dn: cn=aaron,ou=people,dc=example,dc=com
memberOf: cn=pwmNewAdmins,ou=groups,dc=example,dc=com  

Based on that, this is what I am specifying for Administrator Group DN:
memberOf=cn=pwmNewAdmins,ou=groups,dc=example,dc=com

Tried it with brackets, same error:
Error during admin group validation: 5079 ERROR_LDAP_DATA_ERROR (entry DN '(memberOf=cn=pwmNewAdmins,ou=groups,dc=example,dc=com)' is not valid for profile default)

I've been struggling with this for over a week now, and have lost a lot of hair. :) 

Please help!

Aaron

@ErikSorensen

Sep 28, 2015, 8:42:26 AM
to pwm-general
Wouldn't the distinguished name of your ldap group be just "cn=pwmNewAdmins,ou=groups,dc=example,dc=com"?

Aaron Joseph

Oct 1, 2015, 3:21:40 AM
to pwm-general
On Monday, September 28, 2015 at 5:42:26 AM UTC-7, @ErikSorensen wrote:
> Wouldn't the distinguished name of your ldap group be just "cn=pwmNewAdmins,ou=groups,dc=example,dc=com"?

Assuming I interpreted you correctly -- I've tried specifying that for the Administrator Group DN. I get the same error as previously.

I'm just not understanding at all how to get past this. From what I've read, it should work. But doesn't. :(

/Aaron

carl.gusta...@gmail.com

Oct 9, 2015, 2:30:18 AM
to pwm-general
On Thursday, October 1, 2015 at 9:21:40 AM UTC+2, Aaron Joseph wrote:
> On Monday, September 28, 2015 at 5:42:26 AM UTC-7, @ErikSorensen wrote:
> Wouldn't the distinguished name of your ldap group be just "cn=pwmNewAdmins,ou=groups,dc=example,dc=com"?
>
>
> Assuming I interpreted you correctly -- I've tried specifying that for the Administrator Group DN. I get the same error as previously.
>

I have the same problem. I have created an admin group:
dn: cn=admins,ou=Groups,dc=example,dc=com

When I do a ldapsearch I get one hit:
ldapsearch -b cn=admins,ou=Groups,dc=example,dc=com -D cn=admin,dc=example,dc=com -W
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <cn=admins,ou=Groups,dc=example,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# admins, Groups, example.com
dn: cn=admins,ou=Groups,dc=example,dc=com
objectClass: posixGroup
cn: admins
gidNumber: 10000
description: Group account
memberUid: adminuser

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

Entered the following into the 'Administrator Group DN' field:
cn=admins,ou=Groups,dc=example,dc=com

But I get the error "No matching admin users".

Running on pwm-20151008-0600.war

carl.gusta...@gmail.com

Oct 9, 2015, 10:05:37 AM
to pwm-general, carl.gusta...@gmail.com
On Friday, October 9, 2015 at 8:30:18 AM UTC+2, carl.gusta...@gmail.com wrote:
> On Thursday, October 1, 2015 at 9:21:40 AM UTC+2, Aaron Joseph wrote:
> > On Monday, September 28, 2015 at 5:42:26 AM UTC-7, @ErikSorensen wrote:
> > Wouldn't the distinguished name of your ldap group be just "cn=pwmNewAdmins,ou=groups,dc=example,dc=com"?
> >
> >
> > Assuming I interpreted you correctly -- I've tried specifying that for the Administrator Group DN. I get the same error as previously.
> >
>
> I have the same problem. I have created an admin group:
> dn: cn=admins,ou=Groups,dc=example,dc=com
>

Got it working now.
I had to configure the overlay memberOf attribute.
Followed this instruction: https://technicalnotes.wordpress.com/2014/04/19/openldap-setup-with-memberof-overlay/
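
For readers landing here from a search, this is what the OpenLDAP side of that instruction boils down to. It is an added example, not carl's configuration and not part of PWM: a cn=config LDIF that loads the memberof module and attaches the overlay to the data database. The module file name (memberof.la on some builds, memberof.so on others), the database index ({1}mdb here; older installs use {1}hdb) and the groupOfNames/member group type are assumptions to check against your own server before applying it.

```ldif
# Added example (not from the thread or the PWM project). Apply with:
#   ldapmodify -Y EXTERNAL -H ldapi:/// -f memberof.ldif
# Assumptions: module file is memberof.la, the data database is
# olcDatabase={1}mdb, and groups are groupOfNames with a 'member' attribute.

# 1. Load the memberof module into the running server.
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: memberof.la

# 2. Attach the overlay to the data database.
#    Only groups of olcMemberOfGroupOC whose olcMemberOfMemberAD holds DNs are
#    tracked. A posixGroup with memberUid (uid strings, not DNs) as in the
#    post above gets no memberOf written onto its users with these settings.
dn: olcOverlay=memberof,olcDatabase={1}mdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcMemberOf
olcOverlay: memberof
olcMemberOfRefInt: TRUE
olcMemberOfGroupOC: groupOfNames
olcMemberOfMemberAD: member
olcMemberOfMemberOfAD: memberOf
```

Two caveats a practitioner will want: the overlay only maintains memberOf for group writes that happen after it is active, so groups that already existed need their member values removed and re-added (or the group deleted and re-created) before users show a memberOf value; and in OpenLDAP's overlay memberOf is declared as an operational attribute, so ldapsearch only returns it when you name it explicitly in the attribute list, exactly as the `(uid=aaron)` search in the first post does. That search against the user entry, not a search against the group, is the right way to verify the overlay for PWM's purposes.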

bst...@gmail.com

Oct 16, 2015, 6:04:13 AM
to pwm-general
Has anyone gotten a recent daily build to accept the admin group dn that is using Active Directory?

I have tried both memberOf and just the DN.
I either get the 5079 error or no results when it checks.

Thanks

Aaron Joseph

Oct 16, 2015, 11:28:48 PM
to pwm-general, carl.gusta...@gmail.com
On Friday, October 9, 2015 at 7:05:37 AM UTC-7, carl.gusta...@gmail.com wrote:
> Got it working now.
> I had to configure the overlay memberOf attribute.
> Followed this instruction: https://technicalnotes.wordpress.com/2014/04/19/openldap-setup-with-memberof-overlay/

I still can't get it to work despite already having the memberOf attribute and users belonging to the group. Can I ask which version of PWM you're using? Maybe there is a regression I'm being bitten by.

notbr...@gmail.com

Oct 17, 2015, 9:51:08 PM
to pwm-general, carl.gusta...@gmail.com
I can confirm that this is not working for me as well on the latest build I just downloaded (Oct 17, 2015)

I know my 389 DS is setup correctly.

ldapsearch -x -D "cn=Directory Manager" -W "(memberOf=cn=pwmadmins,ou=Groups,dc=example,dc=com)" dn
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=com> (default) with scope subtree
# filter: (memberOf=cn=pwmadmins,ou=Groups,dc=example,dc=com)
# requesting: dn
#

# tuser1, accounts, example.com
dn: uid=tuser1,ou=accounts,dc=example,dc=com

# tuser2, accounts, example.com
dn: uid=tuser2,ou=accounts,dc=example,dc=com

# search result
search: 2
result: 0 Success

# numResponses: 3
# numEntries: 2

Aaron Joseph

Oct 18, 2015, 10:05:07 PM
to pwm-general, carl.gusta...@gmail.com, notbr...@gmail.com
This is definitely an issue. I can't get it to work with the memberOf overlay nor with IPA which has 389DS behind it with an overlay already applied.

Can we get some insight into what version does work? The cutting edge pulled from the git repo is a no-go.

ST

Oct 19, 2015, 2:09:38 PM
to pwm-general, carl.gusta...@gmail.com, notbr...@gmail.com
Just grabbed a nightly build today and also stuck here, hoping someone has figured it out.

Jason Rivard

Oct 20, 2015, 7:45:58 PM
to pwm-general, carl.gusta...@gmail.com, notbr...@gmail.com
All LDAP searches for group permissions are performed against the user to see if the group is associated with the user. You're doing your LDAP query backwards (against the group instead of the user). If you watch the PWM logs you can see the actual search PWM uses. Since I know nothing about 389DS I don't know what attribute is on the user that references the group. The default in PWM is 'groupMembership'. If someone can share what this attribute is and an LDIF output of the RootDSE, we can add detection and a default.

Otherwise, just skip the config guide and set this stuff up in the config editor....  In the editor you can set whatever filter you want.
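
The distinction Jason draws is the whole thread in miniature, so here it is as runnable code. This is an added example, not PWM's code: it parses a small constructed LDIF (modelled on the entries posted above, not a real export) into an in-memory directory and implements both a user-side check of the kind Jason describes, a search against the user entry for `(<membership-attr>=<group DN>)` with `groupMembership` as the default attribute, and the group-side lookup that the ldapsearch commands in this thread perform. The groupOfNames group for Aaron's case, the `adminuser` entry and the filter-building helper are assumptions for illustration; the value escaping follows RFC 4515.

```python
# Added example, not PWM's own code. Shows why a group that answers a
# group-side ldapsearch can still yield "No matching admin users" when the
# check is run the way Jason describes: against the USER entry's membership
# attribute, which defaults to 'groupMembership' rather than 'memberOf'.
from typing import Dict, List

Entry = Dict[str, List[str]]
Directory = Dict[str, Entry]

# Constructed sample data modelled on the thread's entries (not a real export).
# Assumptions: pwmNewAdmins is a groupOfNames; adminuser is a posixAccount.
SAMPLE_LDIF = """\
dn: cn=aaron,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uid: aaron
memberOf: cn=pwmNewAdmins,ou=groups,dc=example,dc=com

dn: cn=pwmNewAdmins,ou=groups,dc=example,dc=com
objectClass: groupOfNames
member: cn=aaron,ou=people,dc=example,dc=com

dn: uid=adminuser,ou=people,dc=example,dc=com
objectClass: posixAccount
uid: adminuser

dn: cn=admins,ou=Groups,dc=example,dc=com
objectClass: posixGroup
memberUid: adminuser
"""


def normalize_dn(dn: str) -> str:
    """Case- and whitespace-insensitive DN comparison form.
    Sufficient for the simple DNs here; escaped commas are not handled."""
    return ",".join(rdn.strip().lower() for rdn in dn.split(","))


def parse_ldif(text: str) -> Directory:
    """Minimal LDIF parser: blank-line separated entries of 'attr: value' lines.
    Attribute names are lower-cased; each attribute maps to a list of values."""
    directory: Directory = {}
    entry: Entry = {}
    for raw in text.splitlines() + [""]:
        line = raw.strip()
        if not line:
            if entry:
                directory[normalize_dn(entry["dn"][0])] = entry
                entry = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return directory


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value embedded in a search filter."""
    return "".join(f"\\{ord(c):02x}" if c in "()*\\\x00" else c for c in value)


def build_user_filter(membership_attr: str, group_dn: str) -> str:
    """The filter a user-side check sends. The setup guide's field wants only
    the bare group DN; pasting this whole filter into it is what produced the
    "entry DN '(memberOf=...)' is not valid" error in the first post."""
    return f"({membership_attr}={escape_filter_value(group_dn)})"


def user_side_check(directory: Directory, user_dn: str, group_dn: str,
                    membership_attr: str = "groupMembership") -> bool:
    """Search against the user: does its membership attribute name the group?
    'groupMembership' is the PWM default Jason mentions (an eDirectory attribute);
    OpenLDAP's memberof overlay, 389 DS's MemberOf plugin and AD use 'memberOf'."""
    entry = directory.get(normalize_dn(user_dn))
    if entry is None:
        return False
    wanted = normalize_dn(group_dn)
    return any(normalize_dn(v) == wanted
               for v in entry.get(membership_attr.lower(), []))


def group_side_check(directory: Directory, user_dn: str, group_dn: str) -> bool:
    """Search against the group (what the ldapsearch commands in the thread do).
    Accepts groupOfNames 'member' (DNs) and posixGroup 'memberUid' (uid strings)."""
    group = directory.get(normalize_dn(group_dn))
    user = directory.get(normalize_dn(user_dn))
    if group is None or user is None:
        return False
    if any(normalize_dn(m) == normalize_dn(user_dn) for m in group.get("member", [])):
        return True
    uids = {u.lower() for u in user.get("uid", [])}
    return any(m.lower() in uids for m in group.get("memberuid", []))


def find_admin_users(directory: Directory, group_dn: str,
                     membership_attr: str = "groupMembership") -> List[str]:
    """Scan every entry for one whose membership attribute names the group.
    An empty result is the 'No matching admin users' condition from the guide."""
    return [e["dn"][0] for e in directory.values()
            if user_side_check(directory, e["dn"][0], group_dn, membership_attr)]


if __name__ == "__main__":
    d = parse_ldif(SAMPLE_LDIF)
    g1 = "cn=pwmNewAdmins,ou=groups,dc=example,dc=com"
    g2 = "cn=admins,ou=Groups,dc=example,dc=com"
    print(build_user_filter("memberOf", g1))
    print("aaron, default attr:", user_side_check(d, "cn=aaron,ou=people,dc=example,dc=com", g1))
    print("aaron, memberOf:    ", user_side_check(d, "cn=aaron,ou=people,dc=example,dc=com", g1, "memberOf"))
    print("adminuser, group side:", group_side_check(d, "uid=adminuser,ou=people,dc=example,dc=com", g2))
    print("adminuser, memberOf:  ", find_admin_users(d, g2, "memberOf"))
```

Running it shows the two failure modes side by side: Aaron's user does carry memberOf, yet the check with the default attribute finds nothing until the attribute is switched to memberOf in the config editor; carl's posixGroup passes the group-side lookup but its memberUid values are uid strings, not DNs, so no memberOf ever appears on the user and the user-side check stays empty whichever attribute is configured. Since this attribute decides who gets PWM administrator rights, it should be one the directory server maintains itself (overlay or plugin), never one users can write to their own entries.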

notbr...@gmail.com

Oct 23, 2015, 11:00:01 PM
to pwm-general, carl.gusta...@gmail.com, notbr...@gmail.com
memberOf is a plugin in 389 Directory Server that allows the group membership attribute to become available within a user object.

# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectclass=*)
# requesting: ALL
#

#
dn:
objectClass: top
namingContexts: dc=example,dc=com
namingContexts: o=netscaperoot
defaultnamingcontext: dc=omnitecinc,dc=com
supportedExtension: 2.16.840.1.113730.3.5.7
supportedExtension: 2.16.840.1.113730.3.5.8
supportedExtension: 2.16.840.1.113730.3.5.3
supportedExtension: 2.16.840.1.113730.3.5.12
supportedExtension: 2.16.840.1.113730.3.5.5
supportedExtension: 2.16.840.1.113730.3.5.6
supportedExtension: 2.16.840.1.113730.3.5.9
supportedExtension: 2.16.840.1.113730.3.5.4
supportedExtension: 1.3.6.1.4.1.1466.20037
supportedExtension: 1.3.6.1.4.1.4203.1.11.1
supportedControl: 2.16.840.1.113730.3.4.2
supportedControl: 2.16.840.1.113730.3.4.3
supportedControl: 2.16.840.1.113730.3.4.4
supportedControl: 2.16.840.1.113730.3.4.5
supportedControl: 1.2.840.113556.1.4.473
supportedControl: 2.16.840.1.113730.3.4.9
supportedControl: 2.16.840.1.113730.3.4.16
supportedControl: 2.16.840.1.113730.3.4.15
supportedControl: 2.16.840.1.113730.3.4.17
supportedControl: 2.16.840.1.113730.3.4.19
supportedControl: 1.3.6.1.4.1.42.2.27.8.5.1
supportedControl: 1.3.6.1.4.1.42.2.27.9.5.2
supportedControl: 1.2.840.113556.1.4.319
supportedControl: 1.3.6.1.4.1.42.2.27.9.5.8
supportedControl: 1.3.6.1.4.1.4203.666.5.16
supportedControl: 2.16.840.1.113730.3.4.14
supportedControl: 2.16.840.1.113730.3.4.20
supportedControl: 1.3.6.1.4.1.1466.29539.12
supportedControl: 2.16.840.1.113730.3.4.12
supportedControl: 2.16.840.1.113730.3.4.18
supportedControl: 2.16.840.1.113730.3.4.13
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: ANONYMOUS
supportedSASLMechanisms: PLAIN
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: CRAM-MD5
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: LOGIN
supportedLDAPVersion: 2
supportedLDAPVersion: 3
vendorName: 389 Project
vendorVersion: 389-Directory/1.2.10.2 B2012.194.51
dataversion: 020131205051636020131205051636
netscapemdsuffix: cn=ldap://dc=ldap,dc=example,dc=com:389