[Samba] Using Samba AD/DC as an Active Directory OAuth provider for OpenShift

Rowland penny rpenny at samba.org
Fri Aug 21 21:08:25 UTC 2020


On 21/08/2020 21:40, vincent at cojot.name wrote:
> On Fri, 21 Aug 2020, Rowland penny via samba wrote:
>
>> This works for me:
>>
>> rowland at devstation:~$ sudo ldapsearch -H 
>> ldaps://dc01.samdom.example.com -D 'SAMDOM\Administrator' -w 
>> 'xxxxxxxxxx' -b 'dc=samdom,dc=example,dc=com' 
>> 'memberof:1.2.840.113556.1.4.1941:=cn=Domain 
>> Admins,CN=Users,dc=samdom,dc=example,dc=com' | grep 'dn:'
>> [sudo] password for rowland:
>> dn: CN=Unix Admins,CN=Users,DC=samdom,DC=example,DC=com
>> dn: CN=swanadmin,CN=Users,DC=samdom,DC=example,DC=com
>> dn: CN=Rowland Penny,CN=Users,DC=samdom,DC=example,DC=com
>> dn: CN=dhcpduser,CN=Users,DC=samdom,DC=example,DC=com
>> dn: CN=Administrator,CN=Users,DC=samdom,DC=example,DC=com
>>
>> Rowland
>
> You're right, this works here too:
> ldapsearch -H ldaps://dc00.ad.lasthome.solace.krynn:636 -x -W -D
> "raistlin at ad.lasthome.solace.krynn" -b 
> "dc=ad,dc=lasthome,dc=solace,dc=krynn" 
> 'memberof:1.2.840.113556.1.4.1941:=cn=Domain 
> Admins,CN=Users,dc=ad,dc=lasthome,dc=solace,dc=krynn'|grep 'dn:'
> Enter LDAP Password:
> dn: CN=raistlin,CN=Users,DC=ad,DC=lasthome,DC=solace,DC=krynn
> dn: CN=Administrator,CN=Users,DC=ad,DC=lasthome,DC=solace,DC=krynn
>
> So that must not be the problem, then.. Do you see anything else that 
> stands out in the lines below?
>
> augmentedActiveDirectory:
>     groupsQuery:
>         baseDN: "DC=ad,DC=lasthome,DC=solace,DC=krynn"
>         scope: sub
>         derefAliases: never
>         pageSize: 0
>         filter: (objectclass=group)
>     groupUIDAttribute: primaryGroupID
>     groupNameAttributes: [ cn ]
>     groupMembershipAttributes: [ "memberof:1.2.840.113556.1.4.1941:" ]
>     usersQuery:
>         baseDN: "DC=ad,DC=lasthome,DC=solace,DC=krynn"
>         scope: sub
>         derefAliases: never
>         filter: (objectclass=person)
>         pageSize: 0
>     userNameAttributes: [ "sAMAccountName" ]

As far as I can see (and I could be missing something obvious), whilst 
it defines the search base, etc, it doesn't define what DN to search 
for. Should [ "memberof:1.2.840.113556.1.4.1941:" ]  be something like:

[ "memberof:1.2.840.113556.1.4.1941:=cn=Domain 
Users,CN=Users,dc=samdom,dc=example,dc=com" ]

Rowland
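The ldapsearch calls above and Rowland's suggested value both rely on the LDAP_MATCHING_RULE_IN_CHAIN rule (OID 1.2.840.113556.1.4.1941), which makes the server walk nested group membership. As an added illustration that is not from the thread or from Samba/OpenShift, the script below builds such a filter with RFC 4515 escaping and emulates what the rule returns over a small constructed memberOf table (the DNs are made up, not the posters' data):

```python
"""Emulate the LDAP_MATCHING_RULE_IN_CHAIN filter over constructed data.

Constructed sample directory and DNs; nothing here is taken from the thread.
"""
from typing import Dict, List, Set

CHAIN_RULE = "1.2.840.113556.1.4.1941"  # LDAP_MATCHING_RULE_IN_CHAIN


def build_chain_filter(attr: str, group_dn: str) -> str:
    """Return an RFC 4515 filter such as
    (memberOf:1.2.840.113556.1.4.1941:=CN=Domain Admins,...).
    The assertion value (the group DN) is escaped per RFC 4515."""
    escaped = group_dn
    for ch, rep in (("\\", r"\5c"), ("*", r"\2a"), ("(", r"\28"),
                    (")", r"\29"), ("\x00", r"\00")):
        escaped = escaped.replace(ch, rep)
    return f"({attr}:{CHAIN_RULE}:={escaped})"


def transitive_members(member_of: Dict[str, List[str]], group_dn: str) -> Set[str]:
    """Every DN that is a member of `group_dn` directly or via nested groups,
    which is what the chain rule matches. `member_of` maps each entry DN to
    the DNs in its memberOf attribute. DNs compare case-insensitively, as in AD."""
    # Invert memberOf into group -> direct members.
    direct: Dict[str, List[str]] = {}
    for dn, groups in member_of.items():
        for g in groups:
            direct.setdefault(g.lower(), []).append(dn)
    found: Set[str] = set()
    stack, seen = [group_dn.lower()], {group_dn.lower()}
    while stack:
        for dn in direct.get(stack.pop(), []):
            found.add(dn)                 # nested groups are returned too
            if dn.lower() not in seen:    # and then walked further
                seen.add(dn.lower())
                stack.append(dn.lower())
    return found


# Constructed sample: a user reaches Domain Admins only through a nested group.
DOMAIN_ADMINS = "CN=Domain Admins,CN=Users,DC=example,DC=com"
UNIX_ADMINS = "CN=Unix Admins,CN=Users,DC=example,DC=com"
SAMPLE_MEMBER_OF = {
    "CN=Administrator,CN=Users,DC=example,DC=com": [DOMAIN_ADMINS],
    UNIX_ADMINS: [DOMAIN_ADMINS],
    "CN=alice,CN=Users,DC=example,DC=com": [UNIX_ADMINS],
    "CN=bob,CN=Users,DC=example,DC=com": ["CN=Domain Users,CN=Users,DC=example,DC=com"],
}

if __name__ == "__main__":
    print(build_chain_filter("memberOf", DOMAIN_ADMINS))
    for dn in sorted(transitive_members(SAMPLE_MEMBER_OF, DOMAIN_ADMINS)):
        print("dn:", dn)
```

The emulation returns the nested group itself as well as the users under it, matching the shape of the ldapsearch output in the thread, where a group DN appears alongside user DNs.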
