Open byxorna opened 8 years ago
Thank you for this. I spent yesterday struggling with this and your comment gave me what I needed to figure out how to connect collins to AD instead of LDAP (we use ipa/ldap almost everywhere, but for a set of services, it is AD).
Since I don't see a good place to put this, I'll show how our (sanitized) AD is set up and then how we configured collins to talk to it. The biggest problem is that instead of the username, AD puts the First and Last name in the DN, which made it so that collins could not find the group membership. The other issue was that uid is definitely required, though I don't know what collins uses it for.
A user entry:

```ldif
dn: CN=First Last,OU=Users,OU=Company,DC=example,DC=net
cn: First Last
distinguishedName: CN=First Last,OU=Users,OU=Company,DC=example,DC=net
memberOf: CN=collins-admins,OU=COLLINS,OU=Products,OU=Company,DC=example,DC=net
employeeNumber: 1042
```
A group entry:

```ldif
# collins-admins, COLLINS, Groups - Software Products, Company, example.net
dn: CN=collins-admins,OU=COLLINS,OU=Products,OU=Company,DC=example,DC=net
cn: collins-admins
member: CN=First Last,OU=Users,OU=Company,DC=example,DC=net
distinguishedName: CN=collins-admins,OU=COLLINS,OU=Products,OU=Company,DC=example,DC=net
name: collins-admins
```
The collins configuration:

```hocon
ldap {
  host = "ad01.example.net"
  anonymous = false
  schema = "rfc2307bis"
  searchbase = "OU=Company,DC=example,DC=net"
  userAttribute = "sAMAccountName"
  userNumberAttribute = "employeeNumber"
  usersub = "OU=Users"
  groupsub = "OU=COLLINS,OU=Products"
  groupAttribute = "member"
  groupNameAttribute = "name"
  cacheSpecification = "expireAfterWrite=30s"
  binddn = "CN=svc-ldap-collins,OU=Service_Accounts,OU=Company,DC=example,DC=net"
  bindpwd = "supersecret"
}
```
@ytjohn glad it helped. I'll punt this ticket over to someone in tumblr to get it integrated into the gh-pages. cc @defect @roymarantz
I spoke too soon actually. It is letting me log in, but does not, in fact, seem to be getting any groups. I assumed it was because the error went away. It would be nice to have a way to show what groups a logged in user belongs to (say a debug log option).
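Two things in this thread are worth checking outside collins: the point that AD's user DN is `CN=First Last,...` rather than anything derived from the login name (so a lookup that builds the DN from the username finds no groups), and the wish for a way to see which groups a login actually resolves to. The script below is an added example, not code from this thread or from the collins project, and it does not claim to reproduce collins' internal lookup. It models the two-step query that the posted `ldap { ... }` block describes: find the user entry under `usersub` by `userAttribute`, take that entry's DN, then return every entry under `groupsub` whose `groupAttribute` (`member`) contains that DN, reporting `groupNameAttribute` (`name`). The sample directory is constructed inline from the sanitized entries above; the `sAMAccountName`/`uid` value `flast` and the extra `other-team` group are assumptions added for illustration.

```python
"""Offline model of the AD group lookup implied by the posted collins config.

Added example for this thread. It is not collins code; it implements the
plain LDAP semantics of "user entry by sAMAccountName -> DN -> groups whose
`member` attribute holds that DN" so the config can be sanity-checked
against an LDIF dump without a running directory.
"""
from typing import Dict, List, Optional, Tuple

# Constructed sample directory mirroring the sanitized entries in the thread.
# sAMAccountName/uid values and the second group are assumed, not from AD.
SAMPLE_LDIF = """\
dn: CN=First Last,OU=Users,OU=Company,DC=example,DC=net
cn: First Last
sAMAccountName: flast
uid: flast
memberOf: CN=collins-admins,OU=COLLINS,OU=Products,OU=Company,DC=example,DC=net
employeeNumber: 1042

# collins-admins, COLLINS, Groups - Software Products, Company, example.net
dn: CN=collins-admins,OU=COLLINS,OU=Products,OU=Company,DC=example,DC=net
cn: collins-admins
member: CN=First Last,OU=Users,OU=Company,DC=example,DC=net
name: collins-admins

dn: CN=other-team,OU=COLLINS,OU=Products,OU=Company,DC=example,DC=net
cn: other-team
member: CN=Someone Else,OU=Users,OU=Company,DC=example,DC=net
name: other-team
"""

# Mirrors the search-related keys of the ldap { ... } block posted above.
CONFIG = {
    "searchbase": "OU=Company,DC=example,DC=net",
    "usersub": "OU=Users",
    "groupsub": "OU=COLLINS,OU=Products",
    "userAttribute": "sAMAccountName",
    "groupAttribute": "member",
    "groupNameAttribute": "name",
}

Entry = Dict[str, List[str]]


def parse_ldif(text: str) -> List[Entry]:
    """Minimal LDIF reader: blank-line separated entries, `attr: value` lines,
    RFC 2849 folded continuation lines (leading space). Base64 (`attr::`) values
    and attribute options are not handled; this is enough for ldapsearch dumps
    of plain DN/name attributes like the ones above."""
    entries: List[Entry] = []
    current: Entry = {}
    last: Optional[str] = None
    for line in text.splitlines():
        if line.startswith(" ") and last is not None:
            current[last][-1] += line[1:]          # folded continuation
            continue
        if not line.strip():
            if current:
                entries.append(current)
            current, last = {}, None
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        attr = attr.strip()
        current.setdefault(attr, []).append(value.strip())
        last = attr
    if current:
        entries.append(current)
    return entries


def norm_dn(dn: str) -> str:
    """DNs compare case-insensitively and ignore whitespace around RDN separators."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def under(dn: str, base: str) -> bool:
    """True if dn is base itself or lies beneath it (RDN-boundary suffix match,
    so DC=myexample,DC=net does not count as under DC=example,DC=net)."""
    d, b = norm_dn(dn), norm_dn(base)
    return d == b or d.endswith("," + b)


def find_user_dn(entries: List[Entry], cfg: dict, username: str) -> Optional[str]:
    """Step 1: the entry under usersub whose userAttribute equals the login name."""
    base = f"{cfg['usersub']},{cfg['searchbase']}"
    for e in entries:
        values = [v.lower() for v in e.get(cfg["userAttribute"], [])]
        if under(e["dn"][0], base) and username.lower() in values:
            return e["dn"][0]
    return None


def groups_for_dn(entries: List[Entry], cfg: dict, user_dn: str) -> List[str]:
    """Step 2: groups under groupsub whose groupAttribute contains user_dn."""
    base = f"{cfg['groupsub']},{cfg['searchbase']}"
    wanted = norm_dn(user_dn)
    return sorted(
        e[cfg["groupNameAttribute"]][0]
        for e in entries
        if under(e["dn"][0], base)
        and any(norm_dn(m) == wanted for m in e.get(cfg["groupAttribute"], []))
    )


def resolve_groups(ldif_text: str, username: str, cfg: dict) -> Tuple[Optional[str], List[str]]:
    """Full lookup: (user DN, group names); (None, []) if the user is not found."""
    entries = parse_ldif(ldif_text)
    user_dn = find_user_dn(entries, cfg, username)
    return (None, []) if user_dn is None else (user_dn, groups_for_dn(entries, cfg, user_dn))


if __name__ == "__main__":
    print(resolve_groups(SAMPLE_LDIF, "flast", CONFIG))
    # The failure mode from the thread: a DN built from the login name instead of
    # the real CN=First Last DN matches no `member` value, so no groups come back.
    guessed = f"uid=flast,{CONFIG['usersub']},{CONFIG['searchbase']}"
    print(groups_for_dn(parse_ldif(SAMPLE_LDIF), CONFIG, guessed))
```

To use it against a real directory, dump the two subtrees with the service account (for example `ldapsearch -LLL` under `OU=Users,...` and `OU=COLLINS,OU=Products,...`) into a file and pass that text to `resolve_groups` with the login name. If it returns the expected groups but collins does not, the difference is in how collins builds its filters, not in the directory data; if it returns none, check that the group's `member` values really carry the user's full DN as AD writes it.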
Seems a bunch of fields are missing from docs on the LDAP Authentication plugin. It would be useful to have them better documented, along with examples.
For example: