Menu
▾
▴
Re: [Unity-idm-discuss] LDAP authentication with empty system DN/password
|
From: David P. <d....@hz...> - 2021-03-04 14:00:49
|
Dear Krzysztof,
it turned out the problem was a miscommunication on our side. Bind as user
works just as expected, there was just an error in the DN template that I
used. No need for any trickery to access the LDAP.
Thanks again for the quick response and sorry for the inconveniences!
Best regards,
David
Am Mittwoch, 3. März 2021, 09:44:46 CET schrieb Krzysztof Benedyczak:
> Dear David,
>
> W dniu 02.03.2021 o 14:31, David Pape pisze:
> > P.S.:
> >
> > I tried using template based resolving like this:
> >
> > uid={USERNAME},ou=users,ou=db,ou=it,o=fsr,dc=de
> >
> > where Unity does in fact not ask for a system password. But since in this
> > case the test fails with "invalid credentials", it seems like normal
> > users are not allowed to access the system.
>
> Ah, ok - so yes - there are two places where unity credential can be
> set. If you use 'bindAs=system' then system credential is used for every
> query except of password verification (done with bind). So this needs to
> be a credential of highly privileged user.
>
> If you use bindAs=user then this is in general not needed as the user's
> credential is used to query LDAP. But this means we need to have a
> template to build user's DN out of username - only then we can start
> using this DN as part of the authN. Otherwise another 'mini-system'
> credential needs to be provided to just find the user's DN. This, in
> contrast to the previous one, needs not to have wide permissions.
>
> > Using the ldapsearch command with the options -D "" -b
> > "ou=users,ou=db,ou=it,o=fsr,dc=de", does work.
>
> If I read the above correctly your LDAP is configured so that you can
> run queries without authentication whatsoever? If so then I'd suggest
> adding a user to you test ldap instance with some credentials and use
> this as a 'system' user in unity.
>
> Best,
> Krzysztof
--
David Pape
Researcher
Computational Science Department (FWCC)
Department of Information Services and Computing (FWC)
Building 312, Room 7
Helmholtz-Zentrum Dresden-Rossendorf e.V.
Bautzner Landstr. 400 | 01328 Dresden | Germany
http://www.hzdr.de
Board of Directors: Prof. Dr. Sebastian M. Schmidt, Dr. Diana Stiller
Company Registration Number VR 1693, Amtsgericht Dresden
|
