operasoftware / ssh-key-authority

A tool for managing SSH key access to any number of servers.
Apache License 2.0

LDAP configuration #32

Closed velinbudinov closed 5 years ago

velinbudinov commented 5 years ago

Hello there,

can't figure out how to configure LDAP settings in config.ini:

```ini
[ldap]
host = ldaps://ldap.example.com:636
starttls = 0
dn_user = "ou=Users,dc=example,dc=com"
dn_group = "ou=Groups,dc=example,dc=com"
follow_referrals = 0
bind_dn = "uid=********,ou=service_acc,dc=example,dc=com"
bind_password = *******
user_id = uid
user_name = cn
user_email = mail
group_member = memberUid
group_member_value = uid
admin_group_cn = sysops
```

When I run ldap_update.php, I get the group "sysops" with no members in it! With ldapsearch I can list the users in the same group:

```
ldapsearch -x -D "uid=********,ou=service_acc,dc=example,dc=com" -w ******* "cn=sysops"
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=com> (default) with scope subtree
# filter: cn=sysops
# requesting: ALL
#

# sysops, Groups, example.com
dn: cn=sysops,ou=Groups,dc=example,dc=com
objectClass: posixGroup
objectClass: top
cn: sysops
gidNumber: 38947
memberUid: uid=********,ou=Users,dc=example,dc=com
memberUid: uid=********,ou=Users,dc=example,dc=com
memberUid: uid=********,ou=Users,dc=example,dc=com
memberUid: uid=********,ou=Users,dc=example,dc=com
memberUid: uid=********,ou=Users,dc=example,dc=com
```

Regards, Velin Budinov

thomas-pike commented 5 years ago

Try using group_member_value = dn.

The explanation being that the values in your memberUid field are not uids, they are the dns of the group members.
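
How the two settings differ, as an added Python example that is not ssh-key-authority's own code: it applies the config keys from the issue (`group_member`, `group_member_value`, `user_id`) to a constructed group entry and constructed user entries, with no live directory. The group's `memberUid` values are DNs, as in the ldapsearch output above, so `group_member_value = uid` resolves nobody while `dn` resolves every member that has a user entry. The practical point for anyone operating the tool is that the wrong setting fails silently into an empty admin group, so the member count after `ldap_update.php` should be compared against the directory whenever this mapping changes.

```python
"""
Resolving LDAP group members under group_member_value = uid vs dn.

Added example, not code from ssh-key-authority. Only the attribute and
config names are taken from the issue; the directory contents below are
constructed so the example runs offline.
"""

# Constructed user entries, keyed by DN (not from the issue).
USERS = {
    "uid=alice,ou=Users,dc=example,dc=com": {"uid": "alice", "cn": "Alice", "mail": "alice@example.com"},
    "uid=bob,ou=Users,dc=example,dc=com": {"uid": "bob", "cn": "Bob", "mail": "bob@example.com"},
}

# Constructed group entry. memberUid holds DNs, mirroring the ldapsearch output
# in the issue; carol has no user entry and must not be resolved.
SYSOPS_GROUP = {
    "dn": "cn=sysops,ou=Groups,dc=example,dc=com",
    "cn": "sysops",
    "memberUid": [
        "uid=alice,ou=Users,dc=example,dc=com",
        "uid=bob,ou=Users,dc=example,dc=com",
        "uid=carol,ou=Users,dc=example,dc=com",
    ],
}

BASE_CONFIG = {"group_member": "memberUid", "user_id": "uid"}


def normalize_dn(dn):
    """Comparison key for a DN: attribute types and values in LDAP are
    matched case-insensitively in practice, and spacing around commas varies."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def resolve_members(group, config, users):
    """Return the user ids of the group members that map to a known user entry.

    config["group_member"]        group attribute holding the member values
    config["group_member_value"]  'uid': each value is a user id
                                  'dn':  each value is the member's DN
    config["user_id"]             user attribute holding the user id
    """
    mode = config["group_member_value"]
    if mode not in ("uid", "dn"):
        raise ValueError("group_member_value must be 'uid' or 'dn'")
    uid_attr = config["user_id"]
    by_dn = {normalize_dn(dn): attrs for dn, attrs in users.items()}
    by_uid = {attrs[uid_attr]: attrs for attrs in users.values()}
    found = []
    for value in group.get(config["group_member"], []):
        attrs = by_dn.get(normalize_dn(value)) if mode == "dn" else by_uid.get(value)
        if attrs is not None:
            found.append(attrs[uid_attr])
    return found


def members_with(value_mode):
    """Resolve the constructed sysops group under the given group_member_value."""
    return resolve_members(SYSOPS_GROUP, dict(BASE_CONFIG, group_member_value=value_mode), USERS)


if __name__ == "__main__":
    # The uid mode treats each DN as a literal user id and matches nothing.
    print("group_member_value = uid ->", members_with("uid"))
    print("group_member_value = dn  ->", members_with("dn"))
```

The `uid` branch is the original config from the issue and returns an empty list; the `dn` branch returns the members whose DN has a user entry, and skips the dangling `carol` reference instead of inventing an account for it.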

velinbudinov commented 5 years ago

@thomas-pike thanks a lot, that fixed it! :) Can you please advise me about the sync script as well:

```
service keys-sync start
[FAIL] Starting keys-sync daemon:--user parameter must be provided failed!
```

```
cat /etc/init.d/keys-sync
#!/bin/sh

### BEGIN INIT INFO
# Provides:          keys-sync
# Required-Start:    mysql
# Required-Stop:     mysql
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: SSH key synchronization daemon
### END INIT INFO

. /lib/lsb/init-functions

SCRIPT=/opt/ssh-key-authority/scripts/syncd.php
USER=keys-sync
PIDFILE=/var/run/keys-sync.pid

test -f $SCRIPT || exit 0

case "$1" in
start)
    log_daemon_msg "Starting keys-sync daemon"
    start-stop-daemon --start --quiet --pidfile $PIDFILE --startas $SCRIPT --user $USER --
    log_end_msg $?
    ;;
stop)
    log_daemon_msg "Stopping keys-sync daemon"
    start-stop-daemon --stop --quiet --pidfile $PIDFILE --name syncd.php --user $USER
    log_end_msg $?
    rm -f $PIDFILE
    ;;
restart)
    $0 stop && $0 start
    ;;
*)
    log_action_msg "Usage: /etc/init.d/keys-sync {start|stop|restart}"
    exit 2
    ;;
esac
exit 0
```

```
cat /etc/passwd
keys-sync:x:112:65534::/var/local/keys-sync:/bin/sh
cat /etc/issue.net
Debian GNU/Linux 7
ls -la ../scripts/
total 52
drwxr-xr-x  2 root root  4096 Jan 31 15:42 .
drwxr-xr-x 12 root root  4096 Jan 31 13:28 ..
-rwxr-xr-x  1 root root  3562 Jan 31 13:28 ldap_update.php
-rwxr-xr-x  1 root root   907 Jan 31 13:28 pubkey_update.php
-rw-r--r--  1 root root  2334 Jan 31 13:28 sync-common.php
-rwxr-xr-x  1 root root  4158 Jan 31 13:28 syncd.php
-rwxr-xr-x  1 root root 21084 Jan 31 13:28 sync.php
```

If I run sync through the web: Sync status: Pending

Regards, Velin

thomas-pike commented 5 years ago

I'm not sure unfortunately. I can't see anything wrong in the setup that you have posted. That said, I haven't had a chance to test the init script for a long time as my setups are now on systemd.

The error you are seeing is generated at line 53 of syncd.php and implies that the --user parameter is not being correctly sent to the syncd.php script, but I can't see why that is the case here.

thomas-pike commented 5 years ago

Playing around a bit, I think the problem is in the getopt function call at line 19 of syncd.php. I'll provide a patch for you to try out.

thomas-pike commented 5 years ago

Please try the single-character patch in commit 23c40b8
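
The class of bug being discussed, as an added example that is not the project's code: syncd.php uses PHP's getopt(), and the Python getopt module below makes the same distinction between a long option declared as a bare flag and one declared as taking a value (PHP spells the value form with a trailing `:`, Python with a trailing `=`). The example runs the same `--user keys-sync` invocation against both specs. With the flag spec, the option is "present" but bound to an empty string and its intended value is left over as a stray argument, so a presence-only check passes while the daemon has no usable user name; with the value spec, the name is bound in both the spaced and the `--user=value` spellings.

```python
"""
Long options with and without a value specifier in Python's getopt.

Added example, not ssh-key-authority's code; it mirrors in Python the
PHP getopt() distinction the issue is about. The option names and the
user name "keys-sync" are taken from the issue.
"""
import getopt


def parse_user(argv, longopts):
    """Parse argv against a long-option spec.

    Returns (user, leftover_args, error):
      user          value bound to --user, or None if the option is absent
      leftover_args arguments getopt did not consume
      error         the GetoptError message if parsing failed, else None
    """
    try:
        opts, args = getopt.getopt(argv, "", longopts)
    except getopt.GetoptError as exc:
        return None, list(argv), str(exc)
    user = None
    for name, value in opts:
        if name == "--user":
            user = value
    return user, args, None


def demo():
    """Run the same --user invocation against a flag spec and a value spec."""
    flag_spec = ["systemd", "user"]    # --user takes no value (the suspected bug)
    value_spec = ["systemd", "user="]  # --user requires a value (the fix)
    return {
        # Flag spec: --user is accepted as a bare flag; "keys-sync" is not consumed.
        "flag_spaced": parse_user(["--user", "keys-sync"], flag_spec),
        # Flag spec: the --user=VALUE spelling is rejected outright.
        "flag_equals": parse_user(["--user=keys-sync"], flag_spec),
        # Value spec: both spellings bind the user name.
        "value_spaced": parse_user(["--user", "keys-sync"], value_spec),
        "value_equals": parse_user(["--user=keys-sync"], value_spec),
    }


def user_is_usable(parsed):
    """The check a daemon should make: not just 'was --user seen' but
    'did it carry a non-empty value'."""
    user, _args, error = parsed
    return error is None and bool(user)


if __name__ == "__main__":
    for case, parsed in demo().items():
        print(f"{case:13} -> {parsed}  usable={user_is_usable(parsed)}")
```

Checking `bool(user)` rather than `user is not None` is the difference between a daemon that starts with an empty user name and one that refuses to start; the second is the safer failure for a process that will go on to push SSH keys to other hosts.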

velinbudinov commented 5 years ago

I've found the same yesterday, and have tried to debug:

if the username is "keyssync" without a dash, it's ok, or if I remove the check for "user":

```php
if(!isset($options['user'])) {
        fwrite(STDERR, "--user parameter must be provided");
        exit(1);
}
```

and set: $username = "keys-sync"; it's ok.

I've tried the patch, which you've submitted, but it's the same: [FAIL] Starting keys-sync daemon:--user parameter must be provided failed!

If I put: var_dump($argc); after: $options = getopt('', array('systemd', 'user')); it returns:

```
}
[FAIL] Starting keys-sync daemon:--user parameter must be provided failed!
```

```
dpkg -l|grep php|grep ii
ii  libapache2-mod-php5                   5.6.40-1~dotdeb+zts+7.1          amd64        server-side, HTML-embedded scripting language (Apache 2 module)
ii  php-pear                              5.6.40-1~dotdeb+zts+7.1          all          PEAR - PHP Extension and Application Repository
ii  php-services-json                     1.0.3-1                          all          PHP implementaion of json_encode/decode
ii  php5                                  5.6.40-1~dotdeb+zts+7.1          all          server-side, HTML-embedded scripting language (metapackage)
ii  php5-cli                              5.6.40-1~dotdeb+zts+7.1          amd64        command-line interpreter for the php5 scripting language
ii  php5-common                           5.6.40-1~dotdeb+zts+7.1          amd64        Common files for packages built from the php5 source
ii  php5-ldap                             5.6.40-1~dotdeb+zts+7.1          amd64        LDAP module for php5
ii  php5-mcrypt                           5.6.40-1~dotdeb+zts+7.1          amd64        MCrypt module for php5
ii  php5-mysqlnd                          5.6.40-1~dotdeb+zts+7.1          amd64        MySQL module for php5 (Native Driver)
ii  php5-ssh2                             1:0.12-2~dotdeb+zts+7.1          amd64        Bindings for the libssh2 library
```

Regards,
Velin