Installed OpenLDAP by helm
helm install openldap stable/openldap
Check data in the initialized server
kubectl port-forward $OPENLDAP_POD_NAME 3890:389
ldapsearch -x -H ldap://localhost:3890 -b dc=example,dc=org -D "cn=admin,dc=example,dc=org" -w $LDAP_ADMIN_PASSWORD
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=org> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# example.org
dn: dc=example,dc=org
objectClass: top
objectClass: dcObject
objectClass: organization
o: Example Inc.
dc: example
# admin, example.org
dn: cn=admin,dc=example,dc=org
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
userPassword:: [HIDDEN]
# search result
search: 2
result: 0 Success
# numResponses: 3
# numEntries: 2
Install keycloak
helm install keycloak codecentric/keycloak
kubectl port-forward $KEYCLOAK_POD_NAME 8080
Bind it to Keycloak in the User Federation -> Add user storage provider -> ldap as below.
Why can't connect to ldap server? I login to the ldap pod to see the log but didn't find where is it.
The "Connection URL" should most probably be ldap://openldap.default:389 (and if openldap was deployed in a different namespace, replace default with that).
I am using Dex as our Identity provider and connecting it to LDAP. Below is my ldap config in Dex:
connectors:
- type: ldap
id: ldap
name: LDAP
config:
host: myhost.staging.com:636
insecureNoSSL: false
insecureSkipVerify: false
bindDN: cn=prometheus-proxy,ou=serviceaccounts,dc=staging,dc=comp,dc=com
bindPW: 'prometheus'
rootCA: /etc/dex/ldap/ca-bundle.pem
userSearch:
baseDN: ou=people,dc=staging,dc=comp,dc=com
filter: "(objectClass=person)"
username: uid
idAttr: uid
emailAttr: mail
nameAttr: uid
groupSearch:
baseDN: ou=appgroups,dc=staging,dc=comp,dc=com
filter: "(objectClass=groupOfMembers)"
userAttr: DN
groupAttr: member
nameAttr: cn
And below is a sample userSearch & groupSearch Result:
dn: uid=swedas01,ou=people,dc=staging,dc=comp,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
cn: Sweta Das
gecos: Sweta Das
gidNumber: 50000
givenName: Sweta
mail: Sweta.Das#comp.com
sn: Das
uid: swedas01
memberOf: cn=jenkins,ou=appgroups,dc=staging,dc=comp,dc=com
homeDirectory: /home/swedas01
dn: cn=prometheus,ou=appgroups,dc=staging,dc=comp,dc=com
objectClass: top
objectClass: groupOfMembers
cn: prometheus
member: uid=testl01,ou=people,dc=staging,dc=comp,dc=com
When I login to my Prometheus instance which uses the above config, even though my userID is not part of the Group that is being used ie Prometheus, I am still able to login.
Dex logs shows there is no groups associated with my id.
time="2019-10-07T19:05:48Z" level=info msg="performing ldap search ou=people,dc=staging,dc=comp,dc=com sub (&(objectClass=person)(uid=swedas01))"
time="2019-10-07T19:05:48Z" level=info msg="username \"swedas01\" mapped to entry uid=swedas01,ou=people,dc=staging,dc=comp,dc=com"
time="2019-10-07T19:05:48Z" level=info msg="performing ldap search cn=prometheus,ou=appgroups,dc=staging,dc=comp,dc=com sub (&(objectClass=groupOfMembers)(member=uid=swedas01,ou=people,dc=staging,dc=comp,dc=com))"
time="2019-10-07T19:05:48Z" level=error msg="ldap: groups search with filter \"(&(objectClass=groupOfMembers)(member=uid=swedas01,ou=people,dc=staging,dc=comp,dc=com))\" returned no groups"
time="2019-10-07T19:05:48Z" level=info msg="login successful: connector \"ldap\", username=\"swedas01\", email=\"Sweta.Das#comp.com\", groups=[]"
But why is it still allowing me to login? Is there any way I can mandate this setting if group serach returns empty, login should fail?
Since your directory supports memberOf attribute, you can try adding a membership condition in the userSearch filter.
Now look :
username: uid
filter: "(objectClass=person)"
yields the following ldap filter :
"(&(objectClass=person)(uid=<uid>))"
So it might be possible to add the membership condition without operator in the filter setting, as dex is actually adding the operator itself (tested and confirmed by #MohammadYusefpur).
Like :
filter: "(objectClass=person)(memberOf=cn=prometheus,ou=appgroups,dc=staging,dc=comp,dc=com)"
so that the actual ldap filter results in
(&(objectClass=person)(memberOf=cn=prometheus,ou=appgroups,dc=staging,dc=comp,dc=com)(uid=<uid>))
I am still not sure if this is the right answer. But as far as I could understood, Dex's group search is just for ldap search. It returns the groups a user is memberof. Once you get the groups back, you can put RBAC policies on those group to control what kind of access you want to give to the user.
However, for tools which do not have any auth methods of its ownn(eg Prometheus), I am still not sure how to implement ldap group auth!
I put an acl policy in /etc/rundeck for my group.
rd-acl test -c application -g "Cloud Team" -a create -G project
Using configured Rundeck etc dir: /etc/rundeck
The decision was: allowed
The test passed
Then I log into Rundeck via the website and I see this:
You have no authorized access to projects.
Contact your administrator. (User roles: ..., Cloud Team, ...)
For good measure, I temporarily made another acl policy for my user.
I pass the test with my user name.
rd-acl test -c application -u myuser -a create -G project
I also tried a group that does not have a space in the name and got the same results.
If it makes a difference, I am logging in using my AD credentials and the groups are being pulled in from AD.
This is in Rundeck 3.0.20-20190408
My acl policy
description: Admin, all access.
context:
project: '.*' # all projects
for:
resource:
- allow: '*' # allow read/create all kinds
adhoc:
- allow: '*' # allow read/running/killing adhoc jobs
job:
- allow: '*' # allow read/write/delete/run/kill of all jobs
node:
- allow: '*' # allow read/run for all nodes
by:
group: Cloud Team
---
description: Admin, all access.
context:
application: 'rundeck'
for:
resource:
- allow: '*' # allow create of projects
project:
- allow: '*' # allow view/admin of all projects
project_acl:
- allow: '*' # allow admin of all project-level ACL policies
storage:
- allow: '*' # allow read/create/update/delete for all /keys/* storage content
by:
group: Cloud Team
I see errors like this in rundeck.access.log
Evaluating Decision for: res<type:resource, kind:project> subject<Username:MyNameHere Group:OneOfMyGroups Group:AnotherGroup Group:Cloud Team> action<create> env<rundeck:auth:env:application:run
deck>: authorized: false: No context matches subject or environment => REJECTED_NO_SUBJECT_OR_ENV_FOUND (0ms)
I want to set up OpenLDAP in a Kubernetes cluster running on AWS.
I’ve applied YAML files “https://github.com/osixia/docker-openldap/tree/stable/example/kubernetes/simple” except for service type I choose load balancer.
I’ve added below two ldif files:
base.ldif
dn: ou=People,dc=example,dc=com
objectClass: organizationalUnit
ou: People
dn: ou=Group,dc=example,dc=com
objectClass: organizationalUnit
ou: Group
test.ldif
dn: uid=test,ou=People,dc=example,dc=com
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
cn: test
uid: test
uidNumber: 9999
gidNumber: 100
homeDirectory: /home/test
loginShell: /bin/bash
gecos: test admin user
userPassword: password
shadowLastChange: 17058
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
I’ve setup LDAP client on centos 7 system but no result is showing if I execute “getent passwd test”
Please help me with this?
I have several WHOIS servers for which I want to have a single proxy. The proxy should forward requests to appropriate servers based on the data in the query. How to approach this problem?
Step 1 read the RFC for WHOIS
Step 2 implement a mock server with Net::Server
Step 3 implement the proxy using your mock server and Net::Whois::Proxy or some other WHOIS module
A quick scan of the RFC seems to say that it is just a simple text based protocol that expects one CRLF terminated line and then sends a blob of CRLF terminate lines and closes the socket.
Yep, it really looks that simple, given this code
#!/usr/bin/perl
{
package Whois;
use strict;
use warnings;
use parent 'Net::Server';
sub process_request {
my $request = <>;
print "you sent me $request";
}
}
Whois->run;
you can say
whois -h localhost -p 20203 foo.com
and get back
you sent me foo.com
Given the "high-load" tag, you will probably want to switch over to Net::Server::PreForkSimple personality when you are done with testing.
And just because I was bored:
#!/usr/bin/perl
package Whois {
use strict;
use warnings;
use parent 'Net::Server::PreFork';
use Net::Whois::Raw;
my %handler = (
org => "whois.publicinterestregistry.net",
);
sub process_request {
(my $request = <>) =~ s/[.]([^.]+)\x{0d}\x{0a}/.$1/;
print exists $handler{$1} ?
whois $request, $handler{$1} :
"I don't know where to look for $request\r\n";
}
}
Whois->run(
user => "nobody",
group => "nobody",
port => 43,
min_servers => 1, #min number of children
max_servers => 10, #max number of children
min_spare_servers => 1, #fork if we don't have this many waiting
max_spare_servers => 5, #kill if we have this many waiting
max_requests => 10_000, #num of requests before killing a child
);
which when I run
sudo perl whois.pl
and then
whois -h localhost foo.org
gives us
NOTICE: Access to .ORG WHOIS information is provided to assist persons in
determining the contents of a domain name registration record in the Public Interest Registry
registry database. The data in this record is provided by Public Interest Registry
for informational purposes only, and Public Interest Registry does not guarantee its
accuracy. This service is intended only for query-based access. You agree
that you will use this data only for lawful purposes and that, under no
circumstances will you use this data to: (a) allow, enable, or otherwise
support the transmission by e-mail, telephone, or facsimile of mass
unsolicited, commercial advertising or solicitations to entities other than
the data recipient's own existing customers; or (b) enable high volume,
automated, electronic processes that send queries or data to the systems of
Registry Operator or any ICANN-Accredited Registrar, except as reasonably
necessary to register domain names or modify existing registrations. All
rights reserved. Public Interest Registry reserves the right to modify these terms at any
time. By submitting this query, you agree to abide by this policy.
Domain ID:D1608104-LROR
Domain Name:FOO.ORG
Created On:10-Jan-1995 05:00:00 UTC
Last Updated On:07-Mar-2011 00:26:43 UTC
Expiration Date:09-Jan-2012 05:00:00 UTC
Sponsoring Registrar:Fabulous.com Pty Ltd. (R133-LROR)
Status:CLIENT DELETE PROHIBITED
Status:CLIENT TRANSFER PROHIBITED
Registrant ID:fabwpp-000700385
Registrant Name:Domain Hostmaster, CustomerID : 85519846801225
Registrant Organization:Whois Privacy Services Pty Ltd
Registrant Street1:PO Box 923
Registrant Street2:
Registrant Street3:
Registrant City:Fortitude Valley
Registrant State/Province:QLD
Registrant Postal Code:4006
Registrant Country:AU
Registrant Phone:+61.730070090
Registrant Phone Ext.:
Registrant FAX:+61.730070091
Registrant FAX Ext.:
Registrant Email:85519846801225-959797#whoisprivacyservices.com.au
Admin ID:fabwpp-000700385
Admin Name:Domain Hostmaster, CustomerID : 85519846801225
Admin Organization:Whois Privacy Services Pty Ltd
Admin Street1:PO Box 923
Admin Street2:
Admin Street3:
Admin City:Fortitude Valley
Admin State/Province:QLD
Admin Postal Code:4006
Admin Country:AU
Admin Phone:+61.730070090
Admin Phone Ext.:
Admin FAX:+61.730070091
Admin FAX Ext.:
Admin Email:85519846801225-959797#whoisprivacyservices.com.au
Tech ID:fabwpp-000700385
Tech Name:Domain Hostmaster, CustomerID : 85519846801225
Tech Organization:Whois Privacy Services Pty Ltd
Tech Street1:PO Box 923
Tech Street2:
Tech Street3:
Tech City:Fortitude Valley
Tech State/Province:QLD
Tech Postal Code:4006
Tech Country:AU
Tech Phone:+61.730070090
Tech Phone Ext.:
Tech FAX:+61.730070091
Tech FAX Ext.:
Tech Email:85519846801225-959797#whoisprivacyservices.com.au
Name Server:NS1.HITFARM.COM
Name Server:NS2.HITFARM.COM
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
DNSSEC:Unsigned
whois.publicinterestregistry.net
I'm no expert on whois, but Net::Whois::Proxy would seem to be what you want.