10:47 p.m.
Hi all,
I go my first steps with slapd and ldap role. As far as I understood I
set up first an slapd server. This just installs openldap and configures
schema and admin users.
After running
debops service/slapd -l ldap.example.org
I end up with an running openldap and there are two passwords stored in
ansible/secret/slapd/credentials/
But with none of these passswords I can bind to the server:
/usr/bin/ldapsearch -H ldaps://ldap.example.org -D
"cn=admin,dc=example,dc=org" -b "dc=example,dc=org" -W
passwords are created here (roles/slapd/defaults/main.yml):
slapd__superuser_config_password: '{{ "{CRYPT}" +
lookup("password",
secret + "/slapd/credentials/" + slapd__config_rootdn | to_uuid +
".password"+ " encrypt=sha512_crypt length=32") }}'
I understand: "DebOps uses the "to_uuid" Ansible filter to convert LDAP
Distinguished Names". Is there any possibility to convert uuids back to
ldap dn's to know which one is which?
My understanding is further that first steps for initialize the
directory works with
debops ldap/init-directory -l ldap.example.org
I get:
ldap.INVALID_CREDENTIALS: {'desc': 'Invalid credentials'}
Thanks for help and kind regards
Jan
12:10 a.m.
Hi all,
I got my mistake: I just messed up the domain names. For testing purpose
I set a custom slapd_domain - and didn't set ldap_domain to the same
value - so they differed.
Kind regards
Jan
Am 09.03.21 um 22:47 schrieb Jan Kowalsky:
> Hi all,
>
> I go my first steps with slapd and ldap role. As far as I understood I
> set up first an slapd server. This just installs openldap and configures
> schema and admin users.
>
> After running
>
> debops service/slapd -l ldap.example.org
>
> I end up with an running openldap and there are two passwords stored in
> ansible/secret/slapd/credentials/
>
> But with none of these passswords I can bind to the server:
>
> /usr/bin/ldapsearch -H ldaps://ldap.example.org -D
> "cn=admin,dc=example,dc=org" -b "dc=example,dc=org" -W
>
> passwords are created here (roles/slapd/defaults/main.yml):
>
> slapd__superuser_config_password: '{{ "{CRYPT}" +
lookup("password",
> secret + "/slapd/credentials/" + slapd__config_rootdn | to_uuid +
> ".password"+ " encrypt=sha512_crypt length=32") }}'
>
> I understand: "DebOps uses the "to_uuid" Ansible filter to convert
LDAP
> Distinguished Names". Is there any possibility to convert uuids back to
> ldap dn's to know which one is which?
>
> My understanding is further that first steps for initialize the
> directory works with
>
> debops ldap/init-directory -l ldap.example.org
>
> I get:
>
> ldap.INVALID_CREDENTIALS: {'desc': 'Invalid credentials'}
>
> Thanks for help and kind regards
> Jan
>
12:24 a.m.
On mar 09, Jan Kowalsky wrote:
Hi all,
Hello. I saw that you already fixed your issue, that's good to hear. Anyway,
some more comments from me that you might find useful.
I go my first steps with slapd and ldap role. As far as I understood
I
set up first an slapd server. This just installs openldap and configures
schema and admin users.
Correct, although the admin account is created by the
'ldap/init-directory.yml' playbook.
After running
debops service/slapd -l ldap.example.org
I end up with an running openldap and there are two passwords stored in
ansible/secret/slapd/credentials/
But with none of these passswords I can bind to the server:
/usr/bin/ldapsearch -H ldaps://ldap.example.org -D
"cn=admin,dc=example,dc=org" -b "dc=example,dc=org" -W
passwords are created here (roles/slapd/defaults/main.yml):
slapd__superuser_config_password: '{{ "{CRYPT}" +
lookup("password",
secret + "/slapd/credentials/" + slapd__config_rootdn | to_uuid +
".password"+ " encrypt=sha512_crypt length=32") }}'
I understand: "DebOps uses the "to_uuid" Ansible filter to convert LDAP
Distinguished Names". Is there any possibility to convert uuids back to
ldap dn's to know which one is which?
Unfortunately not, since this is a hashed value. But if you know a possible
value you can get its UUID using the 'ldap/get-uuid.yml' playbook - it will
ask you first for an 'uid' login name, and if you don't specify it, a full
Distinguished Name which then will be converted to an UUID based on the
algorithm used by Ansible. This should help you match the DNs to UUIDs.
Cheers,
Maciej
1:11 p.m.
Hi Maciej,
thanks for your answer.
Unfortunately not, since this is a hashed value. But if you know a
possible
value you can get its UUID using the 'ldap/get-uuid.yml' playbook -
it will
ask you first for an 'uid' login name, and if you don't specify it, a
full
Distinguished Name which then will be converted to an UUID based on
the
algorithm used by Ansible. This should help you match the DNs to
UUIDs.
Great. I've seen this in documentation. But it took me some time to
understand it fully ;-)
Regards
Jan
--
datenkollektiv.net GbR
Böhmische Str. 14
01099 Dresden
Tel: (0351) 41 88 66 00
E-Mail: carsten.ungewitter(a)datenkollektiv.net
http://www.datenkollektiv.net
1428
days inactive
1429
days old
3 comments
2 participants
participants (2)
-
Jan Kowalsky -
Maciej Delmanowski