[Samba] Using Samba AD/DC as an Active Directory OAuth provider for OpenShift

Rowland penny rpenny at samba.org
Fri Aug 21 21:29:22 UTC 2020


On 21/08/2020 22:08, Rowland penny via samba wrote:
> On 21/08/2020 21:40, vincent at cojot.name wrote:
>> On Fri, 21 Aug 2020, Rowland penny via samba wrote:
>>
>>> This works for me:
>>>
>>> rowland at devstation:~$ sudo ldapsearch -H 
>>> ldaps://dc01.samdom.example.com -D 'SAMDOM\Administrator' -w 
>>> 'xxxxxxxxxx' -b 'dc=samdom,dc=example,dc=com' 
>>> 'memberof:1.2.840.113556.1.4.1941:=cn=Domain 
>>> Admins,CN=Users,dc=samdom,dc=example,dc=com' | grep 'dn:'
>>> [sudo] password for rowland:
>>> dn: CN=Unix Admins,CN=Users,DC=samdom,DC=example,DC=com
>>> dn: CN=swanadmin,CN=Users,DC=samdom,DC=example,DC=com
>>> dn: CN=Rowland Penny,CN=Users,DC=samdom,DC=example,DC=com
>>> dn: CN=dhcpduser,CN=Users,DC=samdom,DC=example,DC=com
>>> dn: CN=Administrator,CN=Users,DC=samdom,DC=example,DC=com
>>>
>>> Rowland
>>
>> You're right, this works here too:
>> ldapsearch -H ldaps://dc00.ad.lasthome.solace.krynn:636 -x -W -D
>> "raistlin at ad.lasthome.solace.krynn" -b 
>> "dc=ad,dc=lasthome,dc=solace,dc=krynn" 
>> 'memberof:1.2.840.113556.1.4.1941:=cn=Domain 
>> Admins,CN=Users,dc=ad,dc=lasthome,dc=solace,dc=krynn'|grep 'dn:'
>> Enter LDAP Password:
>> dn: CN=raistlin,CN=Users,DC=ad,DC=lasthome,DC=solace,DC=krynn
>> dn: CN=Administrator,CN=Users,DC=ad,DC=lasthome,DC=solace,DC=krynn
>>
>> So that must not be the problem, then.. Do you see anything else that 
>> stands out in the lines below?
>>
>> augmentedActiveDirectory:
>>     groupsQuery:
>>         baseDN: "DC=ad,DC=lasthome,DC=solace,DC=krynn"
>>         scope: sub
>>         derefAliases: never
>>         pageSize: 0
>>         filter: (objectclass=group)
>>     groupUIDAttribute: primaryGroupID
>>     groupNameAttributes: [ cn ]
>>     groupMembershipAttributes: [ "memberof:1.2.840.113556.1.4.1941:" ]
>>     usersQuery:
>>         baseDN: "DC=ad,DC=lasthome,DC=solace,DC=krynn"
>>         scope: sub
>>         derefAliases: never
>>         filter: (objectclass=person)
>>         pageSize: 0
>>     userNameAttributes: [ "sAMAccountName" ]
>
> As far as I can see (and I could be missing something obvious), whilst 
> it defines the search base, etc., it doesn't define what DN to search 
> for. Should [ "memberof:1.2.840.113556.1.4.1941:" ] be something like:
>
> [ "memberof:1.2.840.113556.1.4.1941:=cn=Domain 
> Users,CN=Users,dc=samdom,dc=example,dc=com" ]
>
> Rowland 

Looking at 'krynn-ad-sync-config.yaml', you have 'groupUIDAttribute' 
set to 'primaryGroupID' and that is set to '513' for every AD user 
(unless you have changed it), so could the UID actually refer to 
something that identifies the group? 'dn' for instance?

Rowland
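The following LDAPSyncConfig is an added example, not a file posted in the thread or shipped by Samba or OpenShift. It shows the augmentedActiveDirectory section with the groupUIDAttribute corrected from primaryGroupID (a user attribute holding the RID of the user's primary group, 513 = Domain Users by default, so it is the same value for every default user and can never identify a group) to dn, which is also the value the memberOf attribute carries, while keeping the LDAP_MATCHING_RULE_IN_CHAIN suffix so nested membership is resolved server side. The server URL and base DN are taken from the thread; the bind account, CA file path and password file path are assumptions.

```yaml
# Added example LDAPSyncConfig for nested group sync from Samba AD.
# Not from the thread; bind DN, CA path and password file are assumed.
kind: LDAPSyncConfig
apiVersion: v1
url: ldaps://dc00.ad.lasthome.solace.krynn:636
insecure: false
# Assumed path to the CA that issued the DC's certificate; without it
# the ldaps:// connection fails verification instead of silently trusting
ca: /etc/openshift/ldap/samba-ca.crt
# Assumed dedicated, unprivileged read-only sync account (not Administrator)
bindDN: "CN=ocp-sync,CN=Users,DC=ad,DC=lasthome,DC=solace,DC=krynn"
bindPassword:
  file: /etc/openshift/ldap/bind-password
augmentedActiveDirectory:
  groupsQuery:
    # Groups are fetched by the DN found in memberOf, so no baseDN or
    # filter is needed here
    derefAliases: never
    pageSize: 0
  # WRONG (from the thread): groupUIDAttribute: primaryGroupID
  #   primaryGroupID is a user attribute, RID 513 (Domain Users) for every
  #   default user, so every group would collapse to the same UID.
  # RIGHT: the group DN, which is exactly what memberOf values contain
  groupUIDAttribute: dn
  groupNameAttributes: [ cn ]
  usersQuery:
    baseDN: "DC=ad,DC=lasthome,DC=solace,DC=krynn"
    scope: sub
    derefAliases: never
    filter: (objectclass=person)
    pageSize: 0
  userNameAttributes: [ sAMAccountName ]
  # LDAP_MATCHING_RULE_IN_CHAIN: memberOf is evaluated transitively by the
  # DC, so a user who is only in "Unix Admins" (itself a member of
  # "Domain Admins") is synced into the Domain Admins group as well
  groupMembershipAttributes: [ "memberOf:1.2.840.113556.1.4.1941:" ]
```

Because groupUIDAttribute is dn, a whitelist file passed to `oc adm groups sync --sync-config=<file> --whitelist=<file> --confirm` must list full group DNs (for example `CN=Domain Admins,CN=Users,DC=ad,DC=lasthome,DC=solace,DC=krynn`), one per line; run without `--confirm` first to review which groups and members the transitive query pulls in before anything is written to the cluster.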
