bob1de / ldap-auth-sh

A simple but configurable shell script to authenticate against LDAP
GNU General Public License v3.0
79 stars 21 forks

OpenLDAP example(?)/help #1

Closed jkaberg closed 5 years ago

jkaberg commented 5 years ago

Hi @efficiosoft,

I saw your work on the command line integration in HA and this script and wanted to give it a go. However, I'm struggling with my current USERDN:

USERDN="uid=$(ldap_dn_escape "$username"),cn=users,ou=groups,dc=XXXX,dc=local"

That results in

op=0 RESULT tag=97 err=49 text=

which means wrong user/password. However, I'm certain that they are in fact correct, and that the user exists under this path.

Any ideas?

bob1de commented 5 years ago

Hi,

Please set DEBUG=1 and try again.

Best regards Robert

jkaberg commented 5 years ago

Sorry for the late reply @efficiosoft, the log shows me:

hast_1_19f71f89490d | Escaped 'XXXX' to 'XXXX'.
hast_1_19f71f89490d | *   Trying 172.19.0.2...
hast_1_19f71f89490d | * TCP_NODELAY set
hast_1_19f71f89490d | * Connected to openldap (172.19.0.2) port 389 (#0)
hast_1_19f71f89490d | * LDAP remote: bind failed Success
hast_1_19f71f89490d | * Closing connection 0
hast_1_19f71f89490d | Result: 1
hast_1_19f71f89490d | Number of entries: 0
hast_1_19f71f89490d | Client output:
hast_1_19f71f89490d |
hast_1_19f71f89490d | User 'XXXX' failed to authenticate.

Pretty sure the bind options are ok (using the same with a few other services)

ldap-config.cfg

DEBUG=1
CLIENT="curl"

SERVER="ldap://openldap:389"
USERDN="uid=$(ldap_dn_escape "$username"),cn=users,ou=groups,dc=majo,dc=local"
BASEDN="$USERDN"
SCOPE="base"
FILTER="(&(objectClass=posixAccount)(uid=$(ldap_dn_escape "$username"))"
ATTRS="cn"

NAME_ATTR="cn"
ATTRS="$ATTRS $NAME_ATTR"
########## SCRIPT CODE FOLLOWS, DON'T TOUCH ##########

on_auth_success() {
        # print the meta entries for use in HA
        if [ ! -z "$NAME_ATTR" ]; then
                name=$(echo "$output" | sed -nr "s/^\s*$NAME_ATTR:\s*(.+)\s*\$/\1/Ip")
                [ -z "$name" ] || echo "name=$name"
        fi
}
bob1de commented 5 years ago

And the right value is 100% the correct DN?

hast_1_19f71f89490d | Escaped 'XXXX' to 'XXXX'.

It would probably be good to inspect the server logs, too. Maybe you have some ACL preventing binding from the hass container?

bob1de commented 5 years ago

Ha! There's a closing parenthesis missing at the end of your FILTER definition. Should be:

FILTER="(&(objectClass=posixAccount)(uid=$(ldap_dn_escape "$username")))"

jkaberg commented 5 years ago

@efficiosoft yes, that indeed seems like an issue. However, I found out that there's indeed an ACL in place (read-only user requirement, can't bind with other users).

Do you have an example with readonly user?

bob1de commented 5 years ago

> @efficiosoft yes, that indeed seems like an issue. However, I found out that there's indeed an ACL in place (read-only user requirement, can't bind with other users).
>
> Do you have an example with readonly user?

I don't understand this. ACLs in OpenLDAP are not completely trivial, but there are docs for it. Just go and read them.

So I'm closing this now as it's no issue with ldap-auth-sh. Feel free to comment further.
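The two things this thread turns on, a FILTER whose parentheses don't balance and a directory ACL that only lets a read-only service account search, both show up in the worked example below. It is an added example, not ldap-auth-sh's own code and not anything either participant posted: it escapes the username per RFC 4515, refuses to send a filter whose parentheses are unbalanced (the exact mistake spotted above), and then does a "search then bind" with the OpenLDAP client tools, binding as the read-only account to find the user's DN and then binding as that DN to verify the password. The server URL, base DN, service-account DN and the LDAP_* environment variable names are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not part of ldap-auth-sh. Requires ldapsearch/ldapwhoami
# from the OpenLDAP client tools for the network steps only; the filter
# helpers run offline. All DNs and LDAP_* variable names below are assumed.
set -u

SERVER=${LDAP_SERVER:-ldap://openldap:389}                    # assumed
BASEDN=${LDAP_BASEDN:-ou=people,dc=example,dc=local}          # assumed
BIND_DN=${LDAP_BIND_DN:-cn=readonly,dc=example,dc=local}      # assumed read-only account
BIND_PW=${LDAP_BIND_PW:-}                                     # assumed; set via environment

# RFC 4515 filter escaping: backslash first, then *, (, ), so the backslashes
# introduced by later substitutions are not re-escaped.
ldap_filter_escape() {
    printf '%s\n' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# Scan the filter character by character; depth must never go negative and
# must end at zero. Escaped parentheses are "\28"/"\29" and do not count.
filter_is_balanced() {
    rest=$1
    depth=0
    [ -n "$rest" ] || return 1
    while [ -n "$rest" ]; do
        c=${rest%"${rest#?}"}        # first character
        rest=${rest#?}               # remainder
        case "$c" in
            '(') depth=$((depth + 1)) ;;
            ')') depth=$((depth - 1)); [ "$depth" -ge 0 ] || return 1 ;;
        esac
    done
    [ "$depth" -eq 0 ]
}

# Same shape as the FILTER in the thread, with the closing parenthesis present.
build_user_filter() {
    printf '(&(objectClass=posixAccount)(uid=%s))' "$(ldap_filter_escape "$1")"
}

# Search then bind: the read-only account locates the entry, the user's own
# bind proves the password. Returns 0 only on a successful user bind.
ldap_authenticate() {
    username=$1
    password=$2

    # An empty password makes OpenLDAP perform an unauthenticated bind, which
    # succeeds on many servers; never let that count as a login.
    [ -n "$password" ] || { echo "empty password refused" >&2; return 1; }

    filter=$(build_user_filter "$username")
    filter_is_balanced "$filter" || { echo "malformed filter: $filter" >&2; return 2; }

    # -LLL strips version/comment lines so only "dn: ..." survives the sed.
    # -w puts the secret on the command line; prefer -y <passfile> in production.
    userdn=$(ldapsearch -x -LLL -H "$SERVER" -D "$BIND_DN" -w "$BIND_PW" \
                 -b "$BASEDN" -s sub "$filter" dn 2>/dev/null \
             | sed -n 's/^dn: //p' | head -n 1)
    [ -n "$userdn" ] || { echo "no entry for '$username'" >&2; return 1; }

    # The client tools exit with the LDAP result code, so err=49
    # (invalidCredentials) as seen in the thread becomes a non-zero status.
    ldapwhoami -x -H "$SERVER" -D "$userdn" -w "$password" >/dev/null 2>&1
}

# Usage (network steps only run when invoked with "auth"):
#   LDAP_BIND_PW='...' sh ldap-auth-example.sh auth jkaberg 's3cret'
if [ "${1-}" = "auth" ]; then
    if ldap_authenticate "$2" "$3"; then echo "authenticated as $2"; else exit $?; fi
fi
```

Because the user DN comes back from the search rather than being templated, a hard-coded USERDN such as the one in the thread is no longer needed, and the read-only account never learns the user's password: it only ever sees the filter and the returned DN.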