
Comments (10)

nitnelave commented on May 30, 2024

Hi! I tried to find their doc for LDAP settings, but couldn't find anything, so I'll give it my best guess. However, it would really help if you could enable verbose mode in LLDAP and post the logs from trying to use UrBackup.

Some changes I'd make:

  • user name prefix: either empty or uid=
  • user name suffix: ou=people,dc=example, dc=com
  • group and class query: not sure what that is, but the syntax you have here is not LDAP, and the field sAMAccountName doesn't exist. You probably want something like (member={USERNAME}) (or maybe (member=uid={USERNAME},ou=people,dc=example,dc=com)).
  • group key name: uid

Tell me how that works, and post the LLDAP logs. And if you have trouble, feel free to join the discord for more interactive help.

from lldap.

nitnelave commented on May 30, 2024

Oh, wow, they do extremely basic string concatenation. Try to add a comma at the beginning of the suffix: ,ou=people,dc=example, dc=com

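
The point in the comment above, as an added example that is not code from UrBackup or LLDAP: a small model of a client that builds its bind DN by plain concatenation of prefix, username and suffix, and of a server-side RDN check like the one that produced "Too many elements in distinguished name". The RFC 4514 escaping of the username is this example's own hardening step, included because a concatenated DN is where an unescaped username would otherwise add or alter RDNs; the function names are the example's own.

```python
# Added example, not UrBackup or LLDAP code: models "prefix + username + suffix"
# DN construction and the RDN check that rejects "uid=adminou=people,...".

# RFC 4514 section 2.4: characters that must be escaped inside an RDN value.
_DN_ESCAPE = {'\\': '\\\\', ',': '\\,', '+': '\\+', '"': '\\"', '<': '\\<',
              '>': '\\>', ';': '\\;', '=': '\\=', '\x00': '\\00'}


def escape_dn_value(value: str) -> str:
    """Escape a username so it cannot add or alter RDNs of the DN it is spliced into."""
    out = ''.join(_DN_ESCAPE.get(c, c) for c in value)
    if out[:1] in (' ', '#'):          # leading space or '#' must be escaped
        out = '\\' + out
    if out.endswith(' '):              # so must a trailing space
        out = out[:-1] + '\\ '
    return out


def build_bind_dn(prefix: str, username: str, suffix: str) -> str:
    """Plain concatenation, mirroring how the prefix/suffix settings are applied."""
    return prefix + escape_dn_value(username) + suffix


def _split_unescaped(s: str, sep: str) -> list[str]:
    """Split on `sep` except where it is preceded by a backslash."""
    parts, cur, i = [], '', 0
    while i < len(s):
        if s[i] == '\\' and i + 1 < len(s):
            cur += s[i:i + 2]          # keep the escape pair together
            i += 2
            continue
        if s[i] == sep:
            parts.append(cur)
            cur = ''
        else:
            cur += s[i]
        i += 1
    parts.append(cur)
    return parts


def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Split a DN into (attribute, value) RDNs; each RDN must be exactly attr=value."""
    rdns = []
    for rdn in _split_unescaped(dn, ','):
        parts = _split_unescaped(rdn, '=')
        if len(parts) > 2:
            quoted = ', '.join(f'"{p}"' for p in parts)
            raise ValueError(f'Too many elements in distinguished name: {quoted}')
        if len(parts) < 2 or not parts[0].strip():
            raise ValueError(f'Malformed RDN: "{rdn}"')
        rdns.append((parts[0].strip().lower(), parts[1]))
    return rdns


def check_login_dn(prefix: str, username: str, suffix: str) -> tuple[bool, str]:
    """Build the DN as the client would and report whether the server would accept it."""
    dn = build_bind_dn(prefix, username, suffix)
    try:
        parse_dn(dn)
        return True, dn
    except ValueError as err:
        return False, str(err)


if __name__ == '__main__':
    # Suffix without a leading comma: "uid=adminou=people" has three '='-separated parts.
    print(check_login_dn('uid=', 'admin', 'ou=people,dc=example,dc=com'))
    # Suffix with the leading comma suggested above.
    print(check_login_dn('uid=', 'admin', ',ou=people,dc=example,dc=com'))
    # A username carrying DN syntax stays inside the uid value because it is escaped.
    print(check_login_dn('uid=', 'admin,ou=people', ',ou=people,dc=example,dc=com'))
```

The first call reproduces the failure shape in the logs further down (three elements "uid", "adminou", "people" in one RDN); the second passes; the third shows why the escaping matters when the DN is assembled from user input.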

martadinata666 commented on May 30, 2024

This is as far as I can get; the problem is all users will be admin??? 🤔

[Screenshot 2023-06-12 183127]


arbdevml commented on May 30, 2024

martadinata666, thank you very much for your help.

UrBackup config:

LDAP/AD server name: lldap
LDAP/AD server port: 3890
LDAP/AD user name prefix: uid=
LDAP/AD user name suffix: ,ou=people,dc=example,dc=com
LDAP/AD group and class query: dc=example,dc=com?memberOf,objectClass?sub?(uid={USERNAME})
LDAP/AD group key name in query: memberOf
LDAP/AD class key name in query: objectClass
LDAP/AD group rights map: cn=admins,*==>all=all
LDAP/AD class rights map: user==>lastacts={AUTOCLIENTS},progress={AUTOCLIENTS},status={AUTOCLIENTS},stop_backup={AUTOCLIENTS},start_backup=all,browse_backups=tokens

Test login succeeded. Rights of user: all=all

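
The working config above, as an added example that is not UrBackup or LLDAP code: it models the "base?attributes?scope?filter" group/class query, the {USERNAME} substitution (with RFC 4515 filter escaping, the example's own hardening), and the "pattern==>right=value,..." rights maps, then resolves rights for a constructed directory. The directory entries are constructed in the shape LLDAP returns for users, not captured from a server; the first-match and group-before-class precedence are this example's assumptions, not documented UrBackup behaviour.

```python
# Added example, not UrBackup or LLDAP code. Directory entries are constructed;
# rule precedence (group map first, class map as fallback) is an assumption.
from fnmatch import fnmatchcase

# RFC 4515 section 3: characters that must be hex-escaped inside a filter value.
_FILTER_ESCAPE = {'\\': r'\5c', '*': r'\2a', '(': r'\28', ')': r'\29', '\x00': r'\00'}


def escape_filter_value(value: str) -> str:
    return ''.join(_FILTER_ESCAPE.get(c, c) for c in value)


def parse_query(query: str, username: str) -> dict:
    """Split 'base?attrs?scope?filter' and substitute the escaped username."""
    base, attrs, scope, filt = query.split('?')
    if scope not in ('base', 'one', 'sub'):
        raise ValueError(f'unknown scope {scope!r}')
    return {
        'base': base,
        'attrs': [a for a in attrs.split(',') if a],
        'scope': scope,
        'filter': filt.replace('{USERNAME}', escape_filter_value(username)),
    }


def parse_rule(rule: str) -> tuple[str, dict]:
    """'cn=admins,*==>all=all' -> ('cn=admins,*', {'all': 'all'})"""
    pattern, sep, rights = rule.partition('==>')
    if not sep:
        raise ValueError(f'rule without "==>": {rule!r}')
    return pattern, dict(kv.split('=', 1) for kv in rights.split(','))


def resolve_rights(entry: dict, group_key: str, group_rules: list,
                   class_key: str, class_rules: list) -> dict:
    """First group rule matching a group_key value wins; otherwise first class rule
    matching a class_key value; otherwise no rights at all."""
    for attr, rules in ((group_key, group_rules), (class_key, class_rules)):
        for value in entry.get(attr, []):
            for pattern, rights in rules:
                if fnmatchcase(value.lower(), pattern.lower()):   # assumed glob semantics
                    return dict(rights)
    return {}


QUERY = 'dc=example,dc=com?memberOf,objectClass?sub?(uid={USERNAME})'
GROUP_RULES = [parse_rule('cn=admins,*==>all=all')]
CLASS_RULES = [parse_rule('user==>lastacts={AUTOCLIENTS},progress={AUTOCLIENTS},'
                          'status={AUTOCLIENTS},stop_backup={AUTOCLIENTS},'
                          'start_backup=all,browse_backups=tokens')]

# Constructed entries in the shape LLDAP returns for users (not captured from a server).
DIRECTORY = [
    {'uid': ['admin'],
     'memberOf': ['cn=lldap_admin,ou=groups,dc=example,dc=com',
                  'cn=admins,ou=groups,dc=example,dc=com'],
     'objectClass': ['inetOrgPerson', 'posixAccount', 'mailAccount', 'person']},
    {'uid': ['alice'],
     'memberOf': ['cn=staff,ou=groups,dc=example,dc=com'],
     'objectClass': ['inetOrgPerson', 'posixAccount', 'mailAccount', 'person']},
]


def _matches(entry: dict, filt: str) -> bool:
    """Only the '(attr=value)' filter form used in the config above is modelled."""
    attr, _, value = filt.strip('()').partition('=')
    return value in entry.get(attr, [])


def rights_for(username: str) -> dict:
    """Run the query for one user against the constructed directory and map the result."""
    q = parse_query(QUERY, username)
    hits = [e for e in DIRECTORY if _matches(e, q['filter'])]
    if len(hits) != 1:                 # unknown user or ambiguous match: no rights
        return {}
    return resolve_rights(hits[0], 'memberOf', GROUP_RULES, 'objectClass', CLASS_RULES)


if __name__ == '__main__':
    print(rights_for('admin'))         # member of cn=admins -> all=all
    print(rights_for('alice'))         # no group rule, no 'user' objectClass -> nothing
    print(rights_for('admin)(uid=*'))  # filter metacharacters are escaped -> nothing
```

Note that the class rule pattern is matched against objectClass values, so it only grants anything if the server actually returns a class named "user"; the constructed LLDAP-style entries do not, which is why alice ends up with no rights at all rather than the class-map rights.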

arbdevml commented on May 30, 2024

Thank you very much for your answer.

Environment configuration below:

#promiscuous mode enabled

ifconfig eth0 up
ifconfig eth0 promisc
mkdir -p /home/docker/lldap/data/
mkdir -p /home/docker/urbackup/database/
mkdir -p /home/docker/urbackup/backup/

#docker-compose.yml

version: "2.3"
networks:
  isolated:
    driver: bridge
    internal: true
  macvlan_network:
    driver: macvlan
    driver_opts:
      parent: eth0
    ipam:
      config:
        - subnet: 10.10.0.0/24
services:
    lldap:
        image: nitnelave/lldap
        container_name: lldap
        hostname: lldap
#        ports:
#         For LDAP
#            - 3890:3890
#         For the web front-end
#            - 17170:17170
        volumes:
            - /etc/localtime:/etc/localtime:ro
            - /etc/timezone:/etc/timezone:ro
            - /home/docker/lldap/data/:/data/
        environment:
            - UID=1000
            - GID=1000
            - TZ=UTC
            - LLDAP_JWT_SECRET=LLDAPJWTSECRET
            - LLDAP_LDAP_USER_PASS=PA$$W0RD
            - LLDAP_LDAP_BASE_DN=dc=example,dc=com
            - LLDAP_VERBOSE=true
        mac_address: 02:42:ac:11:00:01
        networks: 
            isolated:
            macvlan_network:
                ipv4_address: 10.10.0.1
        restart: unless-stopped
    urbackup:
        image: uroni/urbackup-server
        container_name: urbackup
        environment:
#            - PUID=1000
#            - PGID=1000
            - TZ=UTC
        volumes:
            - /etc/localtime:/etc/localtime:ro
            - /etc/timezone:/etc/timezone:ro
            - /home/docker/urbackup/backup/:/backups/
            - /home/docker/urbackup/database/:/var/urbackup/
#        ports:
#            - "55413-55415:55413-55415"
#            - "35623:35623/udp"
        mac_address: 02:42:ac:11:00:02
        networks:
            isolated:
            macvlan_network:
                ipv4_address: 10.10.0.2
        restart: unless-stopped

UrBackup config:

LDAP/AD server name: lldap
LDAP/AD server port: 3890
LDAP/AD user name prefix: uid=
LDAP/AD user name suffix: ou=people,dc=example,dc=com
LDAP/AD group and class query: member=uid={USERNAME},ou=people,dc=example,dc=com
LDAP/AD group key name in query: uid
LDAP/AD class key name in query: objectClass
LDAP/AD group rights map: cn=admins,*==>all=all
LDAP/AD class rights map: user==>lastacts={AUTOCLIENTS},progress={AUTOCLIENTS},status={AUTOCLIENTS},stop_backup={AUTOCLIENTS},start_backup=all,browse_backups=tokens

UrBackup log:
ERROR: Login via LDAP failed: Login denied(ec=67), LDAP remote: bind failed Success Too many elements in distinguished name: ""uid"", ""adminou"", ""people""

lldap log:

2023-06-12T09:58:29.987671429+00:00  INFO     LDAP session [ 88.9µs | 39.19% / 100.00% ]
2023-06-12T09:58:29.987692235+00:00  INFO     ┝━ LDAP request [ 51.2µs | 52.94% / 57.62% ]
2023-06-12T09:58:29.987700524+00:00  DEBUG    │  ┝━ 🐛 [debug]:  | msg: LdapMsg { msgid: 1, op: BindRequest(LdapBindRequest { dn: "uid=adminou=people,dc=example,dc=com", cred: Simple("********") }), ctrl: [] }
2023-06-12T09:58:29.987701688+00:00  DEBUG    │  ┝━ do_bind [ 4.16µs | 4.68% ]
2023-06-12T09:58:29.987703233+00:00  DEBUG    │  │  ┕━ 🐛 [debug]: DN: uid=adminou=people,dc=example,dc=com
2023-06-12T09:58:29.987713047+00:00  DEBUG    │  ┕━ 🐛 [debug]:  | response: BindResponse(LdapBindResponse { res: LdapResult { code: NamingViolation, matcheddn: "", message: "Too many elements in distinguished name: \"\"uid\"\", \"\"adminou\"\", \"\"people\"\"", referral: [] }, saslcreds: None })
2023-06-12T09:58:29.987772545+00:00  INFO     ┕━ LDAP request [ 2.84µs | 3.19% ]
2023-06-12T09:58:29.987774585+00:00  DEBUG       ┕━ 🐛 [debug]:  | msg: LdapMsg { msgid: 2, op: UnbindRequest, ctrl: [] }
2023-06-12T09:58:42.847152802+00:00  INFO     HTTP request [ 7.81µs | 100.00% ]
2023-06-12T09:58:42.847154396+00:00  INFO     ┝━ i [info]:  | uri: /health
2023-06-12T09:58:42.847161435+00:00  INFO     ┕━ i [info]:  | status_code: 200
2023-06-12T09:58:42.847011185+00:00  INFO     LDAP session [ 107µs | 33.51% / 100.00% ]
2023-06-12T09:58:42.847057260+00:00  INFO     ┕━ LDAP request [ 70.9µs | 66.49% ]
2023-06-12T09:58:42.847065350+00:00  DEBUG       ┝━ 🐛 [debug]:  | msg: LdapMsg { msgid: 0, op: SearchRequest(LdapSearchRequest { base: "", scope: Base, aliases: Never, sizelimit: 0, timelimit: 0, typesonly: false, filter: Present("objectClass"), attrs: ["supportedExtension"] }), ctrl: [] }
2023-06-12T09:58:42.847067411+00:00  DEBUG       ┝━ 🐛 [debug]: rootDSE request
2023-06-12T09:58:42.847083861+00:00  DEBUG       ┝━ 🐛 [debug]:  | response: SearchResultEntry(LdapSearchResultEntry { dn: "", attributes: [LdapPartialAttribute { atype: "objectClass", vals: [[116, 111, 112]] }, LdapPartialAttribute { atype: "vendorName", vals: [[76, 76, 68, 65, 80]] }, LdapPartialAttribute { atype: "vendorVersion", vals: [[108, 108, 100, 97, 112, 95, 48, 46, 53, 46, 48, 45, 97, 108, 112, 104, 97]] }, LdapPartialAttribute { atype: "supportedLDAPVersion", vals: [[51]] }, LdapPartialAttribute { atype: "supportedExtension", vals: [[49, 46, 51, 46, 54, 46, 49, 46, 52, 46, 49, 46, 52, 50, 48, 51, 46, 49, 46, 49, 49, 46, 49]] }, LdapPartialAttribute { atype: "supportedControl", vals: [] }, LdapPartialAttribute { atype: "supportedFeatures", vals: [[49, 46, 51, 46, 54, 46, 49, 46, 52, 46, 49, 46, 52, 50, 48, 51, 46, 49, 46, 53, 46, 49]] }, LdapPartialAttribute { atype: "defaultNamingContext", vals: [[100, 99, 61, 97, 116, 44, 100, 99, 61, 108, 97, 110]] }, LdapPartialAttribute { atype: "namingContexts", vals: [[100, 99, 61, 97, 116, 44, 100, 99, 61, 108, 97, 110]] }, LdapPartialAttribute { atype: "isGlobalCatalogReady", vals: [[102, 97, 108, 115, 101]] }] })
2023-06-12T09:58:42.847115994+00:00  DEBUG       ┕━ 🐛 [debug]:  | response: SearchResultDone(LdapResult { code: Success, matcheddn: "", message: "", referral: [] })

Thank you very much for your answer.


arbdevml commented on May 30, 2024

nitnelave, thank you very much for your help.

UrBackup config:

LDAP/AD server name: lldap
LDAP/AD server port: 3890
LDAP/AD user name prefix: uid=
LDAP/AD user name suffix: ,ou=people,dc=example,dc=com
LDAP/AD group and class query: member=uid={USERNAME},ou=people,dc=example,dc=com
LDAP/AD group key name in query: uid
LDAP/AD class key name in query: objectClass
LDAP/AD group rights map: cn=admins,*==>all=all
LDAP/AD class rights map: user==>lastacts={AUTOCLIENTS},progress={AUTOCLIENTS},status={AUTOCLIENTS},stop_backup={AUTOCLIENTS},start_backup=all,browse_backups=tokens

UrBackup log:
ERROR: Login via LDAP failed: LDAP: search failed(ec=39), LDAP remote: search failed Success Too many elements in distinguished name: ""member"", ""uid"", ""admin""

lldap log:

2023-06-12T11:07:58.234838195+00:00  INFO     HTTP request [ 8.61µs | 100.00% ]
2023-06-12T11:07:58.234840002+00:00  INFO     ┝━ i [info]:  | uri: /health
2023-06-12T11:07:58.234847828+00:00  INFO     ┕━ i [info]:  | status_code: 200
2023-06-12T11:07:58.234705916+00:00  INFO     LDAP session [ 113µs | 39.58% / 100.00% ]
2023-06-12T11:07:58.234746366+00:00  INFO     ┕━ LDAP request [ 68.6µs | 60.42% ]
2023-06-12T11:07:58.234754384+00:00  DEBUG       ┝━ 🐛 [debug]:  | msg: LdapMsg { msgid: 0, op: SearchRequest(LdapSearchRequest { base: "", scope: Base, aliases: Never, sizelimit: 0, timelimit: 0, typesonly: false, filter: Present("objectClass"), attrs: ["supportedExtension"] }), ctrl: [] }
2023-06-12T11:07:58.234756456+00:00  DEBUG       ┝━ 🐛 [debug]: rootDSE request
2023-06-12T11:07:58.234771757+00:00  DEBUG       ┝━ 🐛 [debug]:  | response: SearchResultEntry(LdapSearchResultEntry { dn: "", attributes: [LdapPartialAttribute { atype: "objectClass", vals: [[116, 111, 112]] }, LdapPartialAttribute { atype: "vendorName", vals: [[76, 76, 68, 65, 80]] }, LdapPartialAttribute { atype: "vendorVersion", vals: [[108, 108, 100, 97, 112, 95, 48, 46, 53, 46, 48, 45, 97, 108, 112, 104, 97]] }, LdapPartialAttribute { atype: "supportedLDAPVersion", vals: [[51]] }, LdapPartialAttribute { atype: "supportedExtension", vals: [[49, 46, 51, 46, 54, 46, 49, 46, 52, 46, 49, 46, 52, 50, 48, 51, 46, 49, 46, 49, 49, 46, 49]] }, LdapPartialAttribute { atype: "supportedControl", vals: [] }, LdapPartialAttribute { atype: "supportedFeatures", vals: [[49, 46, 51, 46, 54, 46, 49, 46, 52, 46, 49, 46, 52, 50, 48, 51, 46, 49, 46, 53, 46, 49]] }, LdapPartialAttribute { atype: "defaultNamingContext", vals: [[100, 99, 61, 97, 116, 44, 100, 99, 61, 108, 97, 110]] }, LdapPartialAttribute { atype: "namingContexts", vals: [[100, 99, 61, 97, 116, 44, 100, 99, 61, 108, 97, 110]] }, LdapPartialAttribute { atype: "isGlobalCatalogReady", vals: [[102, 97, 108, 115, 101]] }] })
2023-06-12T11:07:58.234803705+00:00  DEBUG       ┕━ 🐛 [debug]:  | response: SearchResultDone(LdapResult { code: Success, matcheddn: "", message: "", referral: [] })
2023-06-12T11:08:04.889672461+00:00  INFO     LDAP session [ 51.3ms | 0.16% / 100.00% ]
2023-06-12T11:08:04.890776428+00:00  INFO     ┝━ LDAP request [ 51.2ms | 0.16% / 99.74% ]
2023-06-12T11:08:04.890784515+00:00  DEBUG    │  ┝━ 🐛 [debug]:  | msg: LdapMsg { msgid: 1, op: BindRequest(LdapBindRequest { dn: "uid=admin,ou=people,dc=example,dc=com", cred: Simple("********") }), ctrl: [] }
2023-06-12T11:08:04.890787101+00:00  DEBUG    │  ┝━ do_bind [ 51.1ms | 0.04% / 99.58% ]
2023-06-12T11:08:04.890789404+00:00  DEBUG    │  │  ┝━ 🐛 [debug]: DN: uid=admin,ou=people,dc=example,dc=com
2023-06-12T11:08:04.890794494+00:00  DEBUG    │  │  ┝━ bind [ 50.9ms | 0.03% / 99.20% ]
2023-06-12T11:08:04.890804233+00:00  DEBUG    │  │  │  ┝━ get_password_file_for_user [ 81.4µs | 0.16% ]
2023-06-12T11:08:04.891008448+00:00  DEBUG    │  │  │  ┕━ passwords_match [ 50.8ms | 99.01% ]
2023-06-12T11:08:04.941840312+00:00  DEBUG    │  │  ┝━ get_user_groups [ 176µs | 0.34% ]
2023-06-12T11:08:04.941844690+00:00  DEBUG    │  │  │  ┝━ 🐛 [debug]:  | user_id: UserId("admin")
2023-06-12T11:08:04.942348812+00:00  DEBUG    │  │  │  ┕━ 🐛 [debug]:  | return: {GroupDetails { group_id: GroupId(1), display_name: "lldap_admin", creation_date: 2023-05-12T21:14:10.427030105, uuid: Uuid("36c211d9-92e5-32ac-9813-07b0fdc62ed7") }, GroupDetails { group_id: GroupId(4), display_name: "admins", creation_date: 2023-05-12T21:21:10.039454408, uuid: Uuid("214f8213-2caa-3b8f-a559-985bdd2bf412") }}
2023-06-12T11:08:04.942352074+00:00  DEBUG    │  │  ┕━ 🐛 [debug]: Success!
2023-06-12T11:08:04.942357533+00:00  DEBUG    │  ┕━ 🐛 [debug]:  | response: BindResponse(LdapBindResponse { res: LdapResult { code: Success, matcheddn: "", message: "", referral: [] }, saslcreds: None })
2023-06-12T11:08:04.942469270+00:00  INFO     ┝━ LDAP request [ 48.8µs | 0.09% / 0.10% ]
2023-06-12T11:08:04.942475092+00:00  DEBUG    │  ┝━ 🐛 [debug]:  | msg: LdapMsg { msgid: 2, op: SearchRequest(LdapSearchRequest { base: "member=uid=admin,ou=people,dc=example,dc=com", scope: Base, aliases: Never, sizelimit: 0, timelimit: 0, typesonly: false, filter: Present("objectclass"), attrs: [] }), ctrl: [] }
2023-06-12T11:08:04.942476339+00:00  DEBUG    │  ┝━ do_search [ 3.35µs | 0.01% ]
2023-06-12T11:08:04.942483661+00:00  DEBUG    │  ┕━ 🐛 [debug]:  | response: SearchResultDone(LdapResult { code: InvalidDNSyntax, matcheddn: "", message: "Too many elements in distinguished name: \"\"member\"\", \"\"uid\"\", \"\"admin\"\"", referral: [] })
2023-06-12T11:08:04.942612254+00:00  INFO     ┕━ LDAP request [ 2.96µs | 0.01% ]
2023-06-12T11:08:04.942614464+00:00  DEBUG       ┕━ 🐛 [debug]:  | msg: LdapMsg { msgid: 3, op: UnbindRequest, ctrl: [] }


arbdevml commented on May 30, 2024

nitnelave, thank you very much for your help.

On the UrBackup forum I have found this information:

https://forums.urbackup.org/t/active-directory-and-urbackup/809/11

LDAP/AD user name prefix
What gets prepended to the username when logging in, usually “firmenname”.

LDAP/AD user name suffix
Can be left empty.

LDAP/AD group and class query --> “DC=example,DC=com…”
Change to your choice of domain name. E.g. DC=firmenname,DC=de

https://forums.urbackup.org/t/ldap-server-bind/10047/4
DC=home,DC=intern?memberOf,objectClass?sub?(sAMAccountName={USERNAME})
Here you can simply change “sAMAccountName” to whatever you want the username to be queried from.

https://forums.urbackup.org/t/cannot-open-backups-using-an-ldap-account/6988/2
The mapping to administrator (“all=all”) failed and it falls back to normal user authentication.


arbdevml commented on May 30, 2024

martadinata666, thank you very much for your help.

This is as far as I can get; the problem is all users will be admin??? 🤔

What do you think about this user restriction:
Administrator users: internal storage;
Users from LDAP: restricted group rights map.


martadinata666 commented on May 30, 2024

I don't know how this translates to UrBackup permissions; as a client that logs in via LDAP, I prefer simple.

  1. Upload backup
  2. Manage backup

Then there is this: https://www.urbackup.org/administration_manual.html#x1-190004.1. Maybe it is set in the LDAP *==>all=all thing, but technically this is a personal preference on what a client can/can't do.


martadinata666 commented on May 30, 2024

What I'm curious about is the LDAP/AD class rights map: how/when does this affect LDAP login? 🤔
As the one that can set permissions is the LDAP/AD group rights map:

My current LDAP/AD group rights map:
cn=lldap_urbackup,*==>browse_backups=all,start_backup=all,status=all,logs=all,progress=all,stop_backup=all,lastacts=all
