TremoloSecurity / MyVirtualDirectory

Open Source LDAP Virtual Directory
Apache License 2.0

Integration with ApacheDS and AD #89

Open shukalo83 opened 4 years ago

shukalo83 commented 4 years ago

Hello everyone!

I'm trying to make one virtual directory with ApacheDS and MS AD in the backend.

Please, if you can offer some example config files, it would mean a lot.

We've just succeeded in connecting to ApacheDS on the same host, but we've got an error that the server does not offer any schema and the default is being used.

Here's the link for the log and config files: https://1drv.ms/u/s!AscO89aeoy8EmlDIIpSyzN1SdqJT?e=WPbVy8

Also, if it helps I'll paste the config here:

server.listener.port=10983

#Configure global chains
server.globalChain=LogAllTransactions
server.globalChain.LogAllTransactions.className=net.sourceforge.myvd.inserts.DumpTransaction
server.globalChain.LogAllTransactions.config.logLevel=info
server.globalChain.LogAllTransactions.config.label=Global

#Configure namespaces
server.nameSpaces=Root,ApacheDS

#Define RootDSE
server.Root.chain=RootDSE
server.Root.nameSpace=
server.Root.weight=0
server.Root.RootDSE.className=net.sourceforge.myvd.inserts.RootDSE
server.Root.RootDSE.config.namingContexts=dc=portal,dc=com

server.ApacheDS.chain=ldap
server.ApacheDS.nameSpace=dc=portal,dc=com
server.ApacheDS.weight=10
server.ApacheDS.ldap.className=net.sourceforge.myvd.inserts.ldap.LDAPInterceptor
server.ApacheDS.ldap.config.type=LDAP
server.ApacheDS.ldap.config.host=localhost
server.ApacheDS.ldap.config.port=10389
server.ApacheDS.ldap.config.remoteBase=o=company
server.ApacheDS.ldap.config.proxyDN=cn=user.id@group.com,ou=users,o=company
server.ApacheDS.ldap.config.proxyPass=test123

mlbiam commented 4 years ago

Are you trying to use Apache Directory Studio or another GUI? It looks like it's searching for cn=schema. You'll need to either proxy ApacheDS's cn=schema or use the net.sourceforge.myvd.inserts.SchemaInsert to host a local schema (see https://portal.apps.tremolo.io/docs/tremolosecurity-docs/myvd/1.0.8/myvd.html)

shukalo83 commented 4 years ago

I'm using Apache Directory Studio. By the way, I'm trying a direct search with ldapsearch and I also get this error:

[admin@kc ~]$ ldapsearch  -H ldap://localhost:10983  -b 'dc=portal,dc=com' -s sub 'uid=user.id@group.com'
ldap_sasl_interactive_bind_s: No such attribute (16)
[admin@kc ~]$ ldapsearch  -H ldap://localhost:10983  -s sub 'uid=user.id@group.com'
ldap_sasl_interactive_bind_s: No such attribute (16)

I would just like to proxy the schema, but I don't know what happens later, when I add AD integration. Can I route per user ID?

For instance if user.id@internal.com, then go to AD and authenticate there.

So the minimum config should be on MyVD. Non-technical users will administer users via the ApacheDS and MS AD tools.

I've read the user manual pretty carefully but I'm somewhat lost. It introduces concepts, but I failed to grasp what happens with the insert when you have two separate schemas.

shukalo83 commented 4 years ago

I have to bump this. Still no luck with the config. I need to connect keycloak server to a myvirtual directory. MyVD is in front of ApacheDS and AD.

server.listener.port=10983

#Configure global chains

server.globalChain=LogAllTransactions

server.globalChain.LogAllTransactions.className=net.sourceforge.myvd.inserts.DumpTransaction

server.globalChain.LogAllTransactions.config.logLevel=info

server.globalChain.LogAllTransactions.config.label=Global

server.nameSpaces=ApacheDS,AD

server.ApacheDS.chain=dnMapper,ldap
server.ApacheDS.nameSpace=dc=geoportal,dc=com
server.ApacheDS.weight=10
server.ApacheDS.ldap.className=net.sourceforge.myvd.inserts.ldap.LDAPInterceptor
server.ApacheDS.ldap.config.type=LDAP
server.ApacheDS.ldap.config.host=localhost
server.ApacheDS.ldap.config.port=10389
server.ApacheDS.ldap.config.remoteBase=o=company
server.ApacheDS.ldap.config.proxyDN=uid=user.id@company.com,ou=users,o=company
server.ApacheDS.ldap.config.proxyPass=password

server.ApacheDS.dnMapper.className=net.sourceforge.myvd.inserts.mapping.DNAttributeMapper
server.ApacheDS.dnMapper.config.dnAttribs=member
server.ApacheDS.dnMapper.config.remoteBase=o=company
server.ApacheDS.dnMapper.config.localBase=dc=portal,dc=com

server.AD.nameSpace=dc=portal,dc=com
server.AD.weight=100
server.AD.chain=uidMapper,dnMapper,ldap
server.AD.ldap.className=net.sourceforge.myvd.inserts.ldap.LDAPInterceptor
server.AD.ldap.config.host=192.168.0.2
server.AD.ldap.config.port=389
server.AD.ldap.config.remoteBase=dc=portal,dc=local
server.AD.ldap.config.proxyDN=uid=administrator,ou=people,dc=portal,dc=local  ???
server.AD.ldap.config.proxyPass=passw

server.AD.dnMapper.className=net.sourceforge.myvd.inserts.mapping.DNAttributeMapper
server.AD.dnMapper.config.dnAttribs=member
server.AD.dnMapper.config.remoteBase=dc=portal,dc=local
server.AD.dnMapper.config.localBase=dc=portal,dc=com

server.AD.uidMapper.className=net.sourceforge.myvd.inserts.mapping.AttributeMapper
server.AD.uidMapper.config.mapping=sAMAccountName=uid

mlbiam commented 4 years ago

Sorry for the delay

ldap_sasl_interactive_bind_s: No such attribute (16)

MyVD doesn't support SASL. Use the -x in ldapsearch to do a simple bind

Can I route per userid?

Sort of. MyVD has several routing plugins you can use. Look for RouteByAttributeValue in the MyVD docs (https://portal.apps.tremolo.io/docs/tremolosecurity-docs/myvd/1.0.9/myvd.html). You would set up a route for domains either in an email address or userPrincipalName.

Looking at your configuration, the only potential issue I see is that you're mapping a remote base (the base of the remote directory) of o=company to a local base (in MyVD) of dc=portal,dc=com in the dc=geoportal,dc=com namespace. Is that what you intended?

shukalo83 commented 4 years ago

Thank you @mlbiam. When I disable the AD namespace everything is OK and ldapsearch works correctly. With the AD namespace enabled I get a Java exception with 'Invalid credentials'. I presume MyVD cannot connect to AD, but I'm able to do a search on AD like this:

ldapsearch -H ldap://192.168.0.2:389 -x -W -D "administrator@portal.local" -b "dc=portal,dc=local" "(sAMAccountName=administrator)"

server.AD.nameSpace=dc=portal,dc=com
server.AD.weight=100
server.AD.chain=uidMapper,dnMapper,ldap
server.AD.ldap.className=net.sourceforge.myvd.inserts.ldap.LDAPInterceptor
server.AD.ldap.config.host=192.168.0.2
server.AD.ldap.config.port=389
server.AD.ldap.config.remoteBase=dc=portal,dc=local
server.AD.ldap.config.proxyDN=uid=administrator@portal.local
server.AD.ldap.config.proxyPass=password

server.AD.dnMapper.className=net.sourceforge.myvd.inserts.mapping.DNAttributeMapper
server.AD.dnMapper.config.dnAttribs=member
server.AD.dnMapper.config.remoteBase=dc=portal,dc=local
server.AD.dnMapper.config.localBase=dc=portal,dc=com

server.AD.uidMapper.className=net.sourceforge.myvd.inserts.mapping.AttributeMapper
server.AD.uidMapper.config.mapping=sAMAccountName=uid

shukalo83 commented 4 years ago

Tried with this also:

server.AD.ldap.config.proxyDN=CN=Administrator,CN=Users,DC=portal,DC=local

Still, every time I get this:

[admin@kc bin]$ ldapsearch  -H ldap://localhost:10983 -x -b 'dc=portal,dc=com' -s sub 'uid=administrator@portal.local'
# extended LDIF
#
# LDAPv3
# base <dc=portal,dc=com> with scope subtree
# filter: uid=administrator@portal.local
# requesting: ALL
#

# search result
search: 2
result: 49 Invalid credentials
text: INVALID_CREDENTIALS: failed for MessageType : SEARCH_REQUEST
Message ID :
  2
    SearchRequest
        baseDn : 'dc=portal,dc=com'
        filter : '
 (uid=administrator@portal.local)'
        scope : whole subtree
        typ
 esOnly : false
        Size Limit : no limit
        Time Limit : no limit

      Deref Aliases : never Deref Aliases
        attributes :
org.apache.dire
 ctory.api.ldap.model.message.SearchRequestImpl@ec7dd1d7: Invalid Credentials:
...
shukalo83 commented 4 years ago

I'm running out of ideas now.

mlbiam commented 4 years ago

server.AD.ldap.config.proxyDN doesn't look like a full distinguished name. The setting needs to be the service account's full distinguished name.
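
As an added example (not MyVD's code and not part of this thread), a small Python linter that applies the two configuration checks raised above to a MyVD properties file: an LDAPInterceptor proxyDN must be a full distinguished name, and a dnMapper localBase must sit inside the nameSpace of the namespace it belongs to. The sample config is constructed from the keys posted in this thread; the DN check is a heuristic that does not handle escaped commas.

```python
import re
from typing import Dict, List

# Constructed sample in the properties format used by MyVD (keys taken from this thread).
SAMPLE_CONFIG = """
server.nameSpaces=ApacheDS,AD
server.ApacheDS.chain=dnMapper,ldap
server.ApacheDS.nameSpace=dc=geoportal,dc=com
server.ApacheDS.ldap.config.proxyDN=uid=user.id@company.com,ou=users,o=company
server.ApacheDS.dnMapper.config.remoteBase=o=company
server.ApacheDS.dnMapper.config.localBase=dc=portal,dc=com
server.AD.nameSpace=dc=portal,dc=com
server.AD.chain=uidMapper,dnMapper,ldap
server.AD.ldap.config.proxyDN=uid=administrator@portal.local
server.AD.dnMapper.config.localBase=dc=portal,dc=com
"""

RDN = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=[^,]+$")  # attrType=value, no escaped commas

def parse_props(text: str) -> Dict[str, str]:
    """Parse key=value lines; '#' comments and blanks are skipped, values may contain '='."""
    props: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def rdns(dn: str) -> List[str]:
    return [p.strip().lower() for p in dn.split(",")]

def is_full_dn(value: str) -> bool:
    """Heuristic: a service account always sits under a container, so require >= 2 valid RDNs."""
    parts = rdns(value)
    return len(parts) >= 2 and all(RDN.match(p) for p in parts)

def within(child: str, base: str) -> bool:
    """True when child's trailing RDNs equal base (i.e. child is base or lies under it)."""
    c, b = rdns(child), rdns(base)
    return len(c) >= len(b) and c[-len(b):] == b

def lint(props: Dict[str, str]) -> List[str]:
    findings: List[str] = []
    for ns in [n.strip() for n in props.get("server.nameSpaces", "").split(",") if n.strip()]:
        base = props.get(f"server.{ns}.nameSpace")
        for insert in [i.strip() for i in props.get(f"server.{ns}.chain", "").split(",")]:
            prefix = f"server.{ns}.{insert}.config."
            proxy = props.get(prefix + "proxyDN")
            if proxy is not None and not is_full_dn(proxy):
                findings.append(f"{ns}: proxyDN '{proxy}' is not a full DN")
            local = props.get(prefix + "localBase")
            if local is not None and base is not None and not within(local, base):
                findings.append(f"{ns}: localBase '{local}' is outside nameSpace '{base}'")
    return findings
```

Running `lint(parse_props(SAMPLE_CONFIG))` reports both problems discussed above: the AD proxyDN that is a UPN rather than a DN, and the ApacheDS localBase that lies outside the dc=geoportal,dc=com namespace.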

shukalo83 commented 4 years ago

I've added this and it works now:

server.AD.ldap.config.ignoreRefs=true
server.AD.ldap.config.passBindOnly=false
server.AD.ldap.config.maxIdle=300000
server.AD.ldap.config.maxMillis=30000
server.AD.ldap.config.maxStaleTimeMillis=10000
server.AD.ldap.config.minimumConnections=10

shukalo83 commented 4 years ago

What's interesting is that I still can't query AD with uid= but it accepts the cn= format:

[admin@kc ~]$ ldapsearch  -H ldap://localhost:10983 -x -b 'dc=portal,dc=com' -s sub 'uid=user.id@external.com'
# extended LDIF
#
# LDAPv3
# base <dc=portal,dc=com> with scope subtree
# filter: uid=user.id@external.com
# requesting: ALL
#

# user.id@external.com, users, portal.com
dn: uid=user.id@external.com,ou=users,dc=portal,dc=com
uid: user.id@external.com
mail: user.id@external.com
displayName:: Qm9qYW4gxaB1a2Fsbw==
sn:: xaB1a2Fsbw==
cn: User
objectclass: top
objectclass: inetOrgPerson
objectclass: person
objectclass: organizationalPerson
userPassword:: e1NIQTI1Nn03TmNZY05HV014YXBmanJEUUl5WU5hMk04UFBCdkhBMUo4TUNaVk5
 QZGE0PQ==

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
[admin@kc ~]$ ldapsearch  -H ldap://localhost:10983 -x -b 'dc=portal,dc=com' -s sub 'uid=administrator@portal.local'
# extended LDIF
#
# LDAPv3
# base <dc=portal,dc=com> with scope subtree
# filter: uid=administrator@portal.local
# requesting: ALL
#

# search result
search: 2
result: 0 Success

# numResponses: 1
[admin@kc ~]$ ldapsearch  -H ldap://localhost:10983 -x -b 'dc=portal,dc=com' -s sub 'cn=administrator@portal.local'
# extended LDIF
#
# LDAPv3
# base <dc=portal,dc=com> with scope subtree
# filter: cn=administrator@portal.local
# requesting: ALL
#

# search result
search: 2
result: 0 Success

# numResponses: 1
[admin@kc ~]$ ldapsearch  -H ldap://localhost:10983 -x -b 'dc=portal,dc=com' -s sub 'cn=administrator'
# extended LDIF
#
# LDAPv3
# base <dc=portal,dc=com> with scope subtree
# filter: cn=administrator
# requesting: ALL
#

# Administrator, Users, portal.com
dn: CN=Administrator,CN=Users,dc=portal,dc=com
uSNCreated: 8196
badPwdCount: 0
countryCode: 0
description: Built-in account for administering the computer/domain
whenChanged: 20200908050516.0Z
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
primaryGroupID: 513
objectGUID:: TZv9gcj3W0Cawi9zome4fQ==
objectSid:: AQUAAAAAAAUVAAAAhJC7ADgmpiSsDsbe9AEAAA==
instanceType: 4
adminCount: 1
whenCreated: 20200713123251.0Z
dSCorePropagationData: 20200713124937.0Z
dSCorePropagationData: 20200713123426.0Z
dSCorePropagationData: 16010101181216.0Z
userAccountControl: 66048
lastLogonTimestamp: 132440151163572057
isCriticalSystemObject: TRUE
cn: Administrator
codePage: 0
sAMAccountName: Administrator
accountExpires: 9223372036854775807
sAMAccountType: 805306368
managedObjects: CN=ARCGIS-APP,OU=Domain Controllers,DC=portal,DC=local
pwdLastSet: 132325403870671932
lastLogon: 132440220564531053
name: Administrator
lastLogoff: 0
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=portal,DC=local
distinguishedName: CN=Administrator,CN=Users,DC=portal,DC=local
memberOf: CN=Group Policy Creator Owners,CN=Users,DC=portal,DC=local
memberOf: CN=Domain Admins,CN=Users,DC=portal,DC=local
memberOf: CN=Enterprise Admins,CN=Users,DC=portal,DC=local
memberOf: CN=Schema Admins,CN=Users,DC=portal,DC=local
memberOf: CN=Administrators,CN=Builtin,DC=portal,DC=local
logonCount: 13
badPasswordTime: 132440220505261749
uSNChanged: 27197

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
[admin@kc ~]$