From Ben.Polman at science.ru.nl Mon Jul 5 15:53:55 2021
From: Ben.Polman at science.ru.nl (Ben Polman)
Date: Mon, 5 Jul 2021 15:53:55 +0200
Subject: automx2 ldap config example using mysql database
Message-ID: <461caea1-9bf3-4c95-63fd-68ae432dfafa@science.ru.nl>

hi,

Can anyone provide an example config using ldap? How should the
ldap_server table in mysql be filled? And how do you combine this with
the user_name field in the server table?

best regards,
Ben

-- 
---------------------------------------------------------------------
Dr. B.J.W. Polman, C&CZ, Radboud University Nijmegen.
Heyendaalseweg 135, 6525 AJ Nijmegen, The Netherlands, Phone: +31-24-3653360
e-mail: Ben.Polman at science.ru.nl


From automx2 at seichter.de Mon Jul 5 16:27:35 2021
From: automx2 at seichter.de (Ralph Seichter)
Date: Mon, 05 Jul 2021 16:27:35 +0200
Subject: automx2 ldap config example using mysql database
In-Reply-To: <461caea1-9bf3-4c95-63fd-68ae432dfafa@science.ru.nl>
References: <461caea1-9bf3-4c95-63fd-68ae432dfafa@science.ru.nl>
Message-ID: <87zgv0zvhk.fsf@wedjat.horus-it.com>

* Ben Polman:

> can anyone provide an example config using ldap.
> How should the ldap_server table in mysql be filled ?

Examples can be found on GitHub [1]. The exact column values for the
'ldapserver' table depend on what type of LDAP server and schema you
chose for your users. The file sqlite-sample.sql shows an example entry
for OpenLDAP with the 'posixAccount' object class (the latter uses
attributes 'mail' and 'uid').

[1] https://github.com/rseichter/automx2/tree/master/contrib

> And how do you combine this with the user_name field in the server
> table ?

If an LDAP server is configured for a given domain name, the column
ldapserver.attr_uid specifies the LDAP attribute used to determine the
user name; i.e. the value read from LDAP overrides server.user_name.
As long as you specify a non-null value for user_name, it does not
really matter which value you choose.

-Ralph


From Ben.Polman at science.ru.nl Tue Jul 6 09:21:16 2021
From: Ben.Polman at science.ru.nl (Ben Polman)
Date: Tue, 6 Jul 2021 09:21:16 +0200
Subject: automx2 ldap config example using mysql database
In-Reply-To: <87zgv0zvhk.fsf@wedjat.horus-it.com>
References: <461caea1-9bf3-4c95-63fd-68ae432dfafa@science.ru.nl>
 <87zgv0zvhk.fsf@wedjat.horus-it.com>
Message-ID: <5b86e240-0aaa-c6a3-dd9d-881fdfe2fac6@science.ru.nl>

On 05-07-2021 16:27, Ralph Seichter wrote:

thanks, that helped.

Is it possible to configure the ldap connection to use starttls instead
of ssl? And if so, where do I configure the certificates? I do not see
how the configuration of the old version of autoconf can be rewritten.

Ben

> * Ben Polman:
>
>> can anyone provide an example config using ldap.
>> How should the ldap_server table in mysql be filled ?
> Examples can be found on GitHub [1]. The exact column values for the
> 'ldapserver' table depend on what type of LDAP server and schema you
> chose for your users. The file sqlite-sample.sql shows an example entry
> for OpenLDAP with the 'posixAccount' object class (the latter uses
> attributes 'mail' and 'uid').
>
> [1] https://github.com/rseichter/automx2/tree/master/contrib
>
>> And how do you combine this with the user_name field in the server
>> table ?
> If an LDAP server is configured for a given domain name, the column
> ldapserver.attr_uid specifies the LDAP attribute used to determine the
> user name; i.e. the value read from LDAP overrides server.user_name .
> As long as you specify a non-null value for user_name, it does not
> really matter which value you choose.
>
> -Ralph

-- 
---------------------------------------------------------------------
Dr. B.J.W. Polman, C&CZ, Radboud University Nijmegen.
Heyendaalseweg 135, 6525 AJ Nijmegen, The Netherlands, Phone: +31-24-3653360
e-mail: Ben.Polman at science.ru.nl


From automx2 at seichter.de Tue Jul 6 13:44:06 2021
From: automx2 at seichter.de (Ralph Seichter)
Date: Tue, 06 Jul 2021 13:44:06 +0200
Subject: automx2 ldap config example using mysql database
In-Reply-To: <5b86e240-0aaa-c6a3-dd9d-881fdfe2fac6@science.ru.nl>
References: <461caea1-9bf3-4c95-63fd-68ae432dfafa@science.ru.nl>
 <87zgv0zvhk.fsf@wedjat.horus-it.com>
 <5b86e240-0aaa-c6a3-dd9d-881fdfe2fac6@science.ru.nl>
Message-ID: <87v95nacqh.fsf@wedjat.horus-it.com>

* Ben Polman:

> Is it possible to configure the ldap connection to use starttls
> instead of ssl ?

The current automx2 version does not pass "Tls" or "SSLContext" objects
to the ldap3 [1] library, and since ldap3's connection URL schema must
be either ldap or ldaps, STARTTLS is not available. Is there a
particular reason for you not to use ldaps?

[1] https://ldap3.readthedocs.io/

> where do I configure the certificates

That depends on your operating system. If you use Linux and OpenSSL, you
can add CA files locally in /usr/local/share/ca-certificates (remember
to run "update-ca-certificates" or similar after adding CA files).

-Ralph


From Ben.Polman at science.ru.nl Tue Jul 6 16:44:30 2021
From: Ben.Polman at science.ru.nl (Ben Polman)
Date: Tue, 6 Jul 2021 16:44:30 +0200
Subject: automx2 ldap config example using mysql database
In-Reply-To: <87v95nacqh.fsf@wedjat.horus-it.com>
References: <461caea1-9bf3-4c95-63fd-68ae432dfafa@science.ru.nl>
 <87zgv0zvhk.fsf@wedjat.horus-it.com>
 <5b86e240-0aaa-c6a3-dd9d-881fdfe2fac6@science.ru.nl>
 <87v95nacqh.fsf@wedjat.horus-it.com>
Message-ID:

Switched to ldaps, works without further configuration needed.

Ben

> * Ben Polman:
>
>> Is it possible to configure the ldap connection to use starttls
>> instead of ssl ?
> The current automx2 version does not pass "Tls" or "SSLContext" objects
> to the ldap3 [1] library, and since ldap3's connection URL schema must
> be either ldap or ldaps, STARTTLS is not available. Is there a
> particular reason for you not to use ldaps?
>
> [1] https://ldap3.readthedocs.io/
>
>> where do I configure the certificates
> That depends on your operating system. If you use Linux and OpenSSL, you
> can add CA files locally in /usr/local/share/ca-certificates (remember
> to run "update-ca-certificates" or similar after adding CA files).
>
> -Ralph

-- 
---------------------------------------------------------------------
Dr. B.J.W. Polman, C&CZ, Radboud University Nijmegen.
Heyendaalseweg 135, 6525 AJ Nijmegen, The Netherlands, Phone: +31-24-3653360
e-mail: Ben.Polman at science.ru.nl
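The precedence rule Ralph states in his first reply (an LDAP server configured for the domain makes the attribute named in ldapserver.attr_uid override server.user_name, and user_name must still be non-null) as an added, stand-alone illustration. This is not automx2's own code: the only names taken from the thread are ldapserver.attr_uid and server.user_name; the dataclasses, the domain-to-LDAP-server mapping, the in-memory directory standing in for an LDAP search, and the fallback to server.user_name when no LDAP entry matches are all assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class LdapServer:
    """Stand-in for one row of the ldapserver table (assumed shape)."""
    name: str
    attr_uid: str              # ldapserver.attr_uid, e.g. "uid" for posixAccount


@dataclass
class MailServer:
    """Stand-in for one row of the server table (assumed shape)."""
    host: str
    user_name: Optional[str]   # server.user_name; must be non-null


# Constructed sample directory standing in for a real LDAP search:
# mail address -> attributes of the matching entry.
FAKE_DIRECTORY: Dict[str, Dict[str, str]] = {
    "alice@example.org": {"uid": "alice", "mail": "alice@example.org"},
}

# Constructed domain -> LDAP server mapping; assumed to model the link
# between a domain and its ldapserver row.
DOMAIN_LDAP: Dict[str, LdapServer] = {
    "example.org": LdapServer(name="ldap.example.org", attr_uid="uid"),
}


def ldap_uid(ldap: LdapServer, address: str) -> Optional[str]:
    """Return the attr_uid attribute of the entry for address, or None."""
    entry = FAKE_DIRECTORY.get(address)
    return None if entry is None else entry.get(ldap.attr_uid)


def resolve_user_name(address: str, server: MailServer) -> str:
    """Login name for address: LDAP attr_uid wins, else server.user_name."""
    if server.user_name is None:
        # Mirrors the thread's requirement that user_name be non-null.
        raise ValueError("server.user_name must be non-null")
    domain = address.rsplit("@", 1)[-1].lower()
    ldap = DOMAIN_LDAP.get(domain)
    if ldap is not None:
        value = ldap_uid(ldap, address)
        if value is not None:
            return value  # value read from LDAP overrides server.user_name
    # Assumption: with no LDAP server for the domain, or no matching
    # entry, the configured user_name is used verbatim.
    return server.user_name


if __name__ == "__main__":
    print(resolve_user_name("alice@example.org", MailServer("imap.example.org", "ignored")))
    print(resolve_user_name("bob@other.example", MailServer("imap.other.example", "bob-login")))
```

For alice the configured user_name is never used, which is why Ralph says its exact value does not matter once LDAP is in play; for a domain without an LDAP server the configured value is what the client receives.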