From: David P. <d....@hz...> - 2021-03-02 08:49:48
Dear developers,

At our research centre, we are currently evaluating the usage of Unicore with Unity as an identity manager. More precisely, we are looking to integrate it with our LDAP server.

The problem we are facing at the moment is that our LDAP test instance, which is used by multiple parties, has both an empty system DN as well as an empty system password set. This seems to be an issue when trying to connect from Unity, as it is not possible to leave these fields empty.

I would like to know whether there is a workaround or backdoor that would allow us to connect to our test instance.

Kind regards

--
David Pape
Researcher
Computational Science Department (FWCC)
Department of Information Services and Computing (FWC)
Building 312, Room 7
Helmholtz-Zentrum Dresden-Rossendorf e.V.
Bautzner Landstr. 400 | 01328 Dresden | Germany
http://www.hzdr.de
Board of Directors: Prof. Dr. Sebastian M. Schmidt, Dr. Diana Stiller
Company Registration Number VR 1693, Amtsgericht Dresden
From: Krzysztof B. <kb...@un...> - 2021-03-02 12:37:59
Dear David,

On 02.03.2021 at 09:32, David Pape wrote:
> Dear developers,
>
> at our research centre, we are currently evaluating the usage of Unicore with
> Unity as an identity manager. More precisely, we are looking to integrate it
> with our LDAP server.
>
> The problem we are facing at the moment, is that our LDAP test instance which
> is used by multiple parties, has both an empty system DN as well as empty
> system password set. This seems to be an issue when trying to connect from
> Unity, as it is not possible to leave these fields empty.
>
> I would like to know whether there is a workaround or backdoor that would
> allow us to connect to our test instance.

In what context do you use LDAP in your setup? Is it a user store with credentials (so the Unity LDAP authenticator is used), or do you have users with credentials stored in Unity, and LDAP is used to enrich user records with additional attributes?

In the first case it should be possible to change the "binding as" option to user; then the user's credential is used to authorize all operations to LDAP, and "system" credentials should not be required. Also, the "system" user can be any LDAP user that can run queries about other users in LDAP.

HTH,
Krzysztof
From: David P. <d....@hz...> - 2021-03-02 13:14:47
Attachments:
Screenshot-LDAP-Test.png
Dear Krzysztof,

thanks for the quick reply. We are trying to use the LDAP authenticator. Setting "Bind as" to "user" still requires system DN and system password (see screenshot attached).

David

On Tuesday, 2 March 2021, 13:37:41 CET, Krzysztof Benedyczak wrote:
> Dear David,
>
> On 02.03.2021 at 09:32, David Pape wrote:
> > Dear developers,
> >
> > at our research centre, we are currently evaluating the usage of Unicore
> > with Unity as an identity manager. More precisely, we are looking to
> > integrate it with our LDAP server.
> >
> > The problem we are facing at the moment, is that our LDAP test instance
> > which is used by multiple parties, has both an empty system DN as well as
> > empty system password set. This seems to be an issue when trying to
> > connect from Unity, as it is not possible to leave these fields empty.
> >
> > I would like to know whether there is a workaround or backdoor that would
> > allow us to connect to our test instance.
>
> In what context you use ldap in your setup? Is it users store with
> credentials (and so in unity ldap authenticator is used) or you have
> users with credential stored in unity and ldap is used to enrich user
> records with additional attributes?
>
> In the first case it should be possible to change "binding as" option to
> user - then user's credential is used to authorize all operations to
> LDAP, and "system" credentials should not be required. Also the "system"
> user can be any LDAP user that can run queries about other users in LDAP.
>
> HTH,
> Krzysztof

--
David Pape
From: David P. <d....@hz...> - 2021-03-02 13:31:41
P.S.: I tried using template based resolving like this:

uid={USERNAME},ou=users,ou=db,ou=it,o=fsr,dc=de

where Unity does in fact not ask for a system password. But since in this case the test fails with "invalid credentials", it seems like normal users are not allowed to access the system.

Using the ldapsearch command with the options -D "" -b "ou=users,ou=db,ou=it,o=fsr,dc=de" does work.

On Tuesday, 2 March 2021, 14:14:31 CET, David Pape wrote:
> Dear Krzysztof,
>
> thanks for the quick reply. We are trying to use the LDAP authenticator.
> Setting "Bind as" to "user" still requires system DN and system password
> (see screenshot attached).
>
> David
>
> On Tuesday, 2 March 2021, 13:37:41 CET, Krzysztof Benedyczak wrote:
> > Dear David,
> >
> > On 02.03.2021 at 09:32, David Pape wrote:
> > > Dear developers,
> > >
> > > at our research centre, we are currently evaluating the usage of Unicore
> > > with Unity as an identity manager. More precisely, we are looking to
> > > integrate it with our LDAP server.
> > >
> > > The problem we are facing at the moment, is that our LDAP test instance
> > > which is used by multiple parties, has both an empty system DN as well
> > > as empty system password set. This seems to be an issue when trying to
> > > connect from Unity, as it is not possible to leave these fields empty.
> > >
> > > I would like to know whether there is a workaround or backdoor that
> > > would allow us to connect to our test instance.
> >
> > In what context you use ldap in your setup? Is it users store with
> > credentials (and so in unity ldap authenticator is used) or you have
> > users with credential stored in unity and ldap is used to enrich user
> > records with additional attributes?
> >
> > In the first case it should be possible to change "binding as" option to
> > user - then user's credential is used to authorize all operations to
> > LDAP, and "system" credentials should not be required. Also the "system"
> > user can be any LDAP user that can run queries about other users in LDAP.
> >
> > HTH,
> > Krzysztof

--
David Pape
From: Krzysztof B. <kb...@un...> - 2021-03-03 08:45:02
Dear David,

On 02.03.2021 at 14:31, David Pape wrote:
> P.S.:
>
> I tried using template based resolving like this:
>
> uid={USERNAME},ou=users,ou=db,ou=it,o=fsr,dc=de
>
> where Unity does in fact not ask for a system password. But since in this case
> the test fails with "invalid credentials", it seems like normal users are not
> allowed to access the system.

Ah, ok - so yes - there are two places where the Unity credential can be set. If you use 'bindAs=system' then the system credential is used for every query except password verification (which is done with bind). So this needs to be the credential of a highly privileged user.

If you use bindAs=user then this is in general not needed, as the user's credential is used to query LDAP. But this means we need to have a template to build the user's DN out of the username; only then can we start using this DN as part of the authN. Otherwise another 'mini-system' credential needs to be provided just to find the user's DN. This one, in contrast to the previous one, does not need to have wide permissions.

> Using the ldapsearch command with the options -D "" -b
> "ou=users,ou=db,ou=it,o=fsr,dc=de", does work.

If I read the above correctly, your LDAP is configured so that you can run queries without any authentication whatsoever? If so, then I'd suggest adding a user with some credentials to your test LDAP instance and using this as the 'system' user in Unity.

Best,
Krzysztof
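The credential model Krzysztof lays out above (a privileged credential for bindAs=system, none at all for bindAs=user with a DN template, and a low-privilege lookup credential for bindAs=user without one) is easy to get wrong at exactly the point the thread stumbled on: an empty DN or empty password does not fail loudly, it turns the bind into an anonymous or "unauthenticated" simple bind (RFC 4513, section 5.1.2). The script below is an added example, not part of this thread and not Unity's code. It classifies what each configuration really needs, flags the silent anonymous-bind case, and renders the {USERNAME} DN template with RFC 4514 escaping so that a crafted login name cannot rewrite the DN that gets bound. The property names ldap.bindAs, ldap.userDNTemplate, ldap.systemDN and ldap.systemPassword are assumptions modelled on Unity's properties style, not copied from its documentation, and the configurations and DN values are constructed for the example.

```python
"""Added example, not part of the thread or of Unity's code base.

Models the three LDAP authenticator bind modes discussed in the thread and
the two checks a practitioner wants before wiring one up:

  * which system credential each mode needs, and whether an empty DN or
    password silently downgrades the bind to anonymous/unauthenticated;
  * that a username substituted into a {USERNAME} DN template is escaped
    per RFC 4514 so it cannot change the DN being bound.

Property names (ldap.bindAs, ldap.userDNTemplate, ldap.systemDN,
ldap.systemPassword) are assumptions in Unity's properties style.
"""
from __future__ import annotations

# RFC 4514 section 2.4: characters that must be backslash-escaped inside a
# DN attribute value. Without this a username such as "bob,ou=admins" would
# change which entry the authenticator binds as.
_DN_SPECIAL = set(',+"\\<>;=')


def escape_dn_value(value: str) -> str:
    """Escape one attribute value for use inside a string DN (RFC 4514)."""
    out: list[str] = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append("\\00")
        elif ch in _DN_SPECIAL:
            out.append("\\" + ch)
        elif ch == "#" and i == 0:
            out.append("\\#")
        elif ch == " " and (i == 0 or i == last):
            out.append("\\ ")
        else:
            out.append(ch)
    return "".join(out)


def render_user_dn(template: str, username: str) -> str:
    """Fill the {USERNAME} placeholder of a DN template with an escaped value."""
    if "{USERNAME}" not in template:
        raise ValueError("DN template has no {USERNAME} placeholder")
    return template.replace("{USERNAME}", escape_dn_value(username))


def simple_bind_kind(dn: str, password: str) -> str:
    """Classify a simple bind by what the server actually sees (RFC 4513 5.1)."""
    if not dn and not password:
        return "anonymous"  # no identity; only works if the server allows it
    if dn and not password:
        # RFC 4513 5.1.2: servers should reject this by default; those that
        # accept it treat the caller as anonymous, which is easy to mistake
        # for a successful authenticated bind.
        return "unauthenticated"
    return "authenticated"


def required_system_credential(cfg: dict[str, str]) -> dict[str, object]:
    """Decide which system credential a configuration needs and whether it is usable."""
    bind_as = cfg.get("ldap.bindAs", "system")
    template = cfg.get("ldap.userDNTemplate", "").strip()
    system_dn = cfg.get("ldap.systemDN", "")
    system_pw = cfg.get("ldap.systemPassword", "")

    if bind_as == "system":
        needed = "privileged"     # used for every query except the user's own bind
    elif template:
        needed = "none"           # user DN comes from the template; user's bind does the rest
    else:
        needed = "lookup-only"    # only to find the user's DN; keep it low-privilege

    problems: list[str] = []
    if needed != "none":
        kind = simple_bind_kind(system_dn, system_pw)
        if kind != "authenticated":
            problems.append(f"system bind would be {kind}")
    if bind_as == "user" and template and "{USERNAME}" not in template:
        problems.append("ldap.userDNTemplate lacks {USERNAME}")
    return {"bind_as": bind_as, "system_credential": needed, "problems": problems}


# Constructed configurations mirroring the three cases in the thread.
TEMPLATE = "uid={USERNAME},ou=users,ou=db,ou=it,o=fsr,dc=de"
CONFIGS = {
    "system": {"ldap.bindAs": "system",
               "ldap.systemDN": "cn=unity,ou=services,o=fsr,dc=de",
               "ldap.systemPassword": "s3cret"},
    "user-with-template": {"ldap.bindAs": "user", "ldap.userDNTemplate": TEMPLATE},
    "user-no-template-empty-cred": {"ldap.bindAs": "user",
                                    "ldap.systemDN": "", "ldap.systemPassword": ""},
}

if __name__ == "__main__":
    for name, cfg in CONFIGS.items():
        print(f"{name}: {required_system_credential(cfg)}")
    print(render_user_dn(TEMPLATE, "bob,ou=admins"))
```

The third constructed configuration is the one from the original question: bindAs=user with no template and empty system DN and password. The check reports that the lookup bind would be anonymous rather than failing, which is why a server that permits anonymous search (as the `ldapsearch -D ""` test in the thread suggests) can make such a setup appear to work while granting Unity no real identity of its own.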
From: David P. <d....@hz...> - 2021-03-04 14:00:49
Dear Krzysztof,

it turned out the problem was a miscommunication on our side. Bind as user works just as expected; there was just an error in the DN template that I used. No need for any trickery to access the LDAP.

Thanks again for the quick response and sorry for the inconvenience!

Best regards,
David

On Wednesday, 3 March 2021, 09:44:46 CET, Krzysztof Benedyczak wrote:
> Dear David,
>
> On 02.03.2021 at 14:31, David Pape wrote:
> > P.S.:
> >
> > I tried using template based resolving like this:
> >
> > uid={USERNAME},ou=users,ou=db,ou=it,o=fsr,dc=de
> >
> > where Unity does in fact not ask for a system password. But since in this
> > case the test fails with "invalid credentials", it seems like normal
> > users are not allowed to access the system.
>
> Ah, ok - so yes - there are two places where unity credential can be
> set. If you use 'bindAs=system' then system credential is used for every
> query except of password verification (done with bind). So this needs to
> be a credential of highly privileged user.
>
> If you use bindAs=user then this is in general not needed as the user's
> credential is used to query LDAP. But this means we need to have a
> template to build user's DN out of username - only then we can start
> using this DN as part of the authN. Otherwise another 'mini-system'
> credential needs to be provided to just find the user's DN. This, in
> contrast to the previous one, needs not to have wide permissions.
>
> > Using the ldapsearch command with the options -D "" -b
> > "ou=users,ou=db,ou=it,o=fsr,dc=de", does work.
>
> If I read the above correctly your LDAP is configured so that you can
> run queries without authentication whatsoever? If so then I'd suggest
> adding a user to you test ldap instance with some credentials and use
> this as a 'system' user in unity.
>
> Best,
> Krzysztof

--
David Pape