[Samba] Using Samba AD/DC as an Active Directory OAuth provider for OpenShift
Rowland penny
rpenny at samba.org
Fri Aug 21 21:08:25 UTC 2020
On 21/08/2020 21:40, vincent at cojot.name wrote:
> On Fri, 21 Aug 2020, Rowland penny via samba wrote:
>
>> This works for me:
>>
>> rowland at devstation:~$ sudo ldapsearch -H
>> ldaps://dc01.samdom.example.com -D 'SAMDOM\Administrator' -w
>> 'xxxxxxxxxx' -b 'dc=samdom,dc=example,dc=com'
>> 'memberof:1.2.840.113556.1.4.1941:=cn=Domain
>> Admins,CN=Users,dc=samdom,dc=example,dc=com' | grep 'dn:'
>> [sudo] password for rowland:
>> dn: CN=Unix Admins,CN=Users,DC=samdom,DC=example,DC=com
>> dn: CN=swanadmin,CN=Users,DC=samdom,DC=example,DC=com
>> dn: CN=Rowland Penny,CN=Users,DC=samdom,DC=example,DC=com
>> dn: CN=dhcpduser,CN=Users,DC=samdom,DC=example,DC=com
>> dn: CN=Administrator,CN=Users,DC=samdom,DC=example,DC=com
>>
>> Rowland
>
> You're right, this works here too:
> ldapsearch -H ldaps://dc00.ad.lasthome.solace.krynn:636 -x -W -D
> "raistlin at ad.lasthome.solace.krynn" -b
> "dc=ad,dc=lasthome,dc=solace,dc=krynn"
> 'memberof:1.2.840.113556.1.4.1941:=cn=Domain
> Admins,CN=Users,dc=ad,dc=lasthome,dc=solace,dc=krynn'|grep 'dn:'
> Enter LDAP Password:
> dn: CN=raistlin,CN=Users,DC=ad,DC=lasthome,DC=solace,DC=krynn
> dn: CN=Administrator,CN=Users,DC=ad,DC=lasthome,DC=solace,DC=krynn
>
> So that must not be the problem, then.. Do you see anything else that
> stands out in the lines below?
>
> augmentedActiveDirectory:
>   groupsQuery:
>     baseDN: "DC=ad,DC=lasthome,DC=solace,DC=krynn"
>     scope: sub
>     derefAliases: never
>     pageSize: 0
>     filter: (objectclass=group)
>   groupUIDAttribute: primaryGroupID
>   groupNameAttributes: [ cn ]
>   groupMembershipAttributes: [ "memberof:1.2.840.113556.1.4.1941:" ]
>   usersQuery:
>     baseDN: "DC=ad,DC=lasthome,DC=solace,DC=krynn"
>     scope: sub
>     derefAliases: never
>     filter: (objectclass=person)
>     pageSize: 0
>   userNameAttributes: [ "sAMAccountName" ]
As far as I can see (and I could be missing something obvious), whilst
it defines the search base, etc., it doesn't define what DN to search
for. Should [ "memberof:1.2.840.113556.1.4.1941:" ] be something like:
[ "memberof:1.2.840.113556.1.4.1941:=cn=Domain Users,CN=Users,dc=samdom,dc=example,dc=com" ]
Rowland
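The nested-membership query discussed in this thread, as an added Python example (it is not code from the thread, from Samba or from OpenShift): it builds the LDAP_MATCHING_RULE_IN_CHAIN filter with the group DN actually supplied and RFC 4515-escaped, and runs it over LDAPS with certificate validation. The ldap3 library, the connection parameters and the function names are assumptions.

```python
import ssl

# OID of LDAP_MATCHING_RULE_IN_CHAIN (transitive / nested membership), as used in the thread.
LDAP_MATCHING_RULE_IN_CHAIN = "1.2.840.113556.1.4.1941"

# RFC 4515 escaping: a DN pasted into a filter may legitimately contain '(' ')' '*' or '\'.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a string for use as an assertion value inside an LDAP search filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def nested_member_filter(group_dn: str, extra: str = "(objectClass=person)") -> str:
    """Filter matching entries that are members of group_dn, directly or via nested groups.
    Attribute names are case-insensitive in LDAP, so memberOf here equals the thread's memberof."""
    chain = f"(memberOf:{LDAP_MATCHING_RULE_IN_CHAIN}:={escape_filter_value(group_dn)})"
    return f"(&{extra}{chain})" if extra else chain


def nested_group_filter(member_dn: str) -> str:
    """The reverse lookup: every group that member_dn belongs to, directly or transitively."""
    return f"(member:{LDAP_MATCHING_RULE_IN_CHAIN}:={escape_filter_value(member_dn)})"


def find_nested_members(uri, bind_dn, password, base_dn, group_dn, attrs=("sAMAccountName",)):
    """Run the query over LDAPS and return a list of (dn, attributes) for each match.
    Uses the third-party ldap3 library (assumption: it is installed); imported lazily so the
    pure filter helpers above stay usable offline."""
    from ldap3 import SUBTREE, Connection, Server, Tls  # assumption: ldap3 available

    tls = Tls(validate=ssl.CERT_REQUIRED)  # validate the DC's certificate; never disable this
    server = Server(uri, use_ssl=True, tls=tls)
    with Connection(server, user=bind_dn, password=password, auto_bind=True) as conn:
        conn.search(base_dn, nested_member_filter(group_dn), SUBTREE, attributes=list(attrs))
        return [(e.entry_dn, e.entry_attributes_as_dict) for e in conn.entries]
```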