AD LDAP binding error (strong authentication required)

NethServer Version: NS8 Stable on Debian 12
Module: ActiveDirectory

Hello,

I can’t seem to be able to reach the ActiveDirectory database from an external application. Here’s what the log says:

2024-03-28 10:06:14 +0000 08 axigen1 USERDB:00000001: LDAP bind succesful for hosturl='192.168.0.77:389'
2024-03-28 10:06:14 +0000 02 axigen1 USERDB:00000001: Cannot bind to ldap server "ldap://192.168.0.77:389" (Strong(er) authentication required)

I would need to perform this (didn’t want to necro the topic) but in NS8:

Is there some guidance? I couldn’t find anything in the doc.

Thanks a lot!

In NS8 you can edit include.conf:

runagent -m samba1 podman exec -ti samba-dc vi /etc/samba/include.conf

To restart the DC

runagent -m samba1 systemctl --user restart samba-dc

I didn’t test that configuration with a multiple DC AD domain. I suppose changing that setting applies to the local DC only. In other words, it does not affect the global domain policy. Let me know how it goes!

1 Like

Hello Davide,

And thanks! I’ll test this.

root@ns8-main:~# runagent -m samba1 podman exec -ti samba-dc vi /etc/samba/include.conf
Error: crun: executable file vi not found in $PATH: No such file or directory: OCI runtime attempted to invoke a command that was not found

seems vi is not available, testing with nano

Nope. I can’t find an editor:
root@ns8-main:~# runagent -m samba1 podman exec -ti samba-dc whereis vi
vi:
root@ns8-main:~# runagent -m samba1 podman exec -ti samba-dc whereis nano
nano:

I also tried this but to no avail:
runagent -m samba1 podman exec -ti samba-dc "echo ldap server require strong auth = no >> /etc/samba/include.conf"
Error: crun: executable file echo ldap server require strong auth = no >> /etc/samba/include.conf not found in $PATH: No such file or directory: OCI runtime attempted to invoke a command that was not found

It works here, maybe I installed it… Let’s change the path to something familiar:

[root@ns8n3 ~]# runagent -m samba2 podman exec -ti samba-dc bash -l
root@dc2:/# apt-get update
root@dc2:/# apt install vim
...
root@dc2:/# vi /etc/samba/include.conf

…you can install Nano if you prefer.

Since it operates as a container, restarting the service undoes all previous changes, except for ‘include.conf,’ which is preserved in a persistent volume.

2 Likes

It worked, thanks! Now it can bind properly (still not working though, but I keep digging).

For reference, the line I added in the /etc/samba/include.conf of the AD container is the following:

ldap server require strong auth = no

thanks a lot!
Etienne

1 Like

echo is also a shell builtin. Let’s run it in a shell:

runagent -m samba1 podman exec -i samba-dc bash -c "echo 'ldap server require strong auth = no' >> /etc/samba/include.conf"
2 Likes
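The "Strong(er) authentication required" error in the log above is LDAP result code 8 (strongerAuthRequired): the DC refused a simple bind that was not protected by TLS or SASL signing. Once `ldap server require strong auth = no` is in place, the same bind succeeds over plain ldap:// on port 389, so the password crosses the network in clear. Added example, not from the thread: a small Python audit over constructed lines in Axigen's USERDB log format that flags both outcomes; the LDAPS sample line and the "encrypted" heuristic (ldaps:// or port 636) are my assumptions.

```python
import re
from collections import Counter

# Constructed sample in the Axigen USERDB log format quoted in the thread
# (not a real capture); the third line is an assumed LDAPS bind for contrast.
SAMPLE_LOG = """\
2024-03-28 10:06:14 +0000 08 axigen1 USERDB:00000001: LDAP bind succesful for hosturl='192.168.0.77:389'
2024-03-28 10:06:14 +0000 02 axigen1 USERDB:00000001: Cannot bind to ldap server "ldap://192.168.0.77:389" (Strong(er) authentication required)
2024-03-28 10:07:02 +0000 08 axigen1 USERDB:00000002: LDAP bind succesful for hosturl='192.168.0.77:636'
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+ [+-]\d{4}) (?P<sev>\d+) (?P<host>\S+) "
    r"USERDB:(?P<conn>[0-9a-fA-F]+): (?P<msg>.*)$"
)
URL_RE = re.compile(r"(?:hosturl=|ldap server )['\"]?(?P<url>(?:ldaps?://)?[^'\"\s]+)")

def parse_line(line):
    """Split one USERDB log line into fields; return None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def classify(entry):
    """Map a parsed entry to a bind outcome that matters for a security review."""
    msg = entry["msg"]
    m = URL_RE.search(msg)
    url = m.group("url") if m else ""
    # Assumed heuristic: ldaps:// scheme or port 636 means the bind was encrypted.
    encrypted = url.startswith("ldaps://") or url.endswith(":636")
    if "Strong(er) authentication required" in msg:
        # LDAP resultCode 8 (strongerAuthRequired): the DC refused a simple
        # bind that was not protected by TLS or SASL signing/sealing.
        return "strong_auth_required"
    if "bind succes" in msg:  # Axigen spells it "succesful" in the captured log
        return "bind_ok_encrypted" if encrypted else "bind_ok_cleartext"
    return "other"

def audit(log_text):
    """Count bind outcomes over a whole log. Cleartext successes are the binds
    that only become possible once 'require strong auth' is disabled."""
    counts = Counter()
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry:
            counts[classify(entry)] += 1
    return dict(counts)

if __name__ == "__main__":
    print(audit(SAMPLE_LOG))
```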

@davidep, last question: do you know of a similar way to add a custom LDAP schema to a Samba DC?

I tried to browse the ldapproxy container but couldn't find a static volume or a place where the LDAP schema is stored.

I found this help entry but can’t relate it to NS8:
https://docs.nethserver.org/projects/nethserver-devel/en/latest/nethserver-directory.html#upgrade-to-active-directory

(I might lack the knowledge).

I have both a .schema and an .ldif.

I may open a new topic if needed.

Thanks again!

You can run ldbadd/ldbmodify in a similar way:

runagent -m samba1 podman exec -i samba-dc ldbmodify [some opts here...] <your.ldif

Samba DB files are under /var/lib/samba/.

I don’t know what you want to achieve: refer to Samba official wiki for more information.

1 Like

Thanks Davide,

I’m trying to integrate Axigen (which is a mail server) with my NS8 AD controller.

I’ve dug around and it seems the NS8 AD/LDAP schema doesn’t include inetOrgPerson:

Here’s my error:

axigen1 USERDB:00000001: Failed OpenLdap search basedn(DC=ad,DC=domain,DC=net), filter((&(objectClass=inetOrgPerson))), error(Other (e.g., implementation specific) error) on

And when I query a user, I get this, which I think means the inetOrgPerson class is missing:

dn: CN=admin,CN=Users,DC=ad,DC=domain,DC=net
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: admin

Finally, when I try to add an inetOrgPerson LDIF that ChatGPT (:)) generated for me, here's what I get:

root@ns8-main:~# runagent -m samba1 podman exec -i samba-dc ldbmodify -H /var/lib/samba/private/sam.ldb < inetorgperson.ldif

ERR: (Constraint violation) "objectclass_attrs: attribute 'objectClasses' on entry 'cn=schema,cn=config,dc=ad,dc=domain,dc=net' is constructed!" on DN cn=schema,cn=config,dc=ad,dc=domain,dc=net at block before line 18

Modify failed after processing 0 records