John R. Graham
2023-Apr-25 19:22 UTC
[Samba] Configuring Linux openldap ldapsearch client-side tool to authenticate against a Samba AD server
Is there a guide somewhere that explains the process of getting openldap (the ldapsearch tool for starters) to authenticate against a Samba AD server? On my Linux client, I can run

    ldapsearch -LLL -x -b '' -s base '(objectClass=*)'

and get a detailed response from the server. Somewhat obfuscated, that response is:

dn:
configurationNamingContext: CN=Configuration,DC=myrealm,DC=example,DC=com
defaultNamingContext: DC=myrealm,DC=example,DC=com
rootDomainNamingContext: DC=myrealm,DC=example,DC=com
schemaNamingContext: CN=Schema,CN=Configuration,DC=myrealm,DC=example,DC=org
subschemaSubentry: CN=Aggregate,CN=Schema,CN=Configuration,DC=myrealm,DC=example,DC=com
supportedCapabilities: 1.2.840.113556.1.4.800
supportedCapabilities: 1.2.840.113556.1.4.1670
supportedCapabilities: 1.2.840.113556.1.4.1791
supportedCapabilities: 1.2.840.113556.1.4.1935
supportedCapabilities: 1.2.840.113556.1.4.2080
supportedLDAPVersion: 2
supportedLDAPVersion: 3
vendorName: Samba Team (https://www.samba.org)
isSynchronized: TRUE
dsServiceName: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=myrealm,DC=example,DC=com
serverName: CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=myrealm,DC=example,DC=com
dnsHostName: dc1.myrealm.example.com
ldapServiceName: myrealm.example.com:dc1$@MYREALM.EXAMPLE.COM
currentTime: 20230425172943.0Z
supportedControl: 1.2.840.113556.1.4.1413
supportedControl: 1.2.840.113556.1.4.1413
supportedControl: 1.2.840.113556.1.4.1413
supportedControl: 1.2.840.113556.1.4.1413
supportedControl: 1.2.840.113556.1.4.1413
supportedControl: 1.2.840.113556.1.4.528
supportedControl: 1.2.840.113556.1.4.841
supportedControl: 1.2.840.113556.1.4.319
supportedControl: 2.16.840.1.113730.3.4.9
supportedControl: 1.2.840.113556.1.4.473
supportedControl: 1.2.840.113556.1.4.1504
supportedControl: 1.2.840.113556.1.4.801
supportedControl: 1.2.840.113556.1.4.801
supportedControl: 1.2.840.113556.1.4.805
supportedControl: 1.2.840.113556.1.4.1338
supportedControl: 1.2.840.113556.1.4.529
supportedControl: 1.2.840.113556.1.4.417
supportedControl: 1.2.840.113556.1.4.2064
supportedControl: 1.2.840.113556.1.4.1339
supportedControl: 1.2.840.113556.1.4.1340
supportedControl: 1.2.840.113556.1.4.1413
supportedControl: 1.2.840.113556.1.4.1341
namingContexts: DC=myrealm,DC=example,DC=com
namingContexts: CN=Configuration,DC=myrealm,DC=example,DC=com
namingContexts: CN=Schema,CN=Configuration,DC=myrealm,DC=example,DC=com
namingContexts: DC=DomainDnsZones,DC=myrealm,DC=example,DC=com
namingContexts: DC=ForestDnsZones,DC=myrealm,DC=example,DC=com
supportedSASLMechanisms: GSS-SPNEGO
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: NTLM
highestCommittedUSN: 6034
domainFunctionality: 4
forestFunctionality: 4
domainControllerFunctionality: 4
isGlobalCatalogReady: TRUE

But almost any other query results in

    Operations error (1)
    Additional information: 00002020: Operation unavailable without authentication

Surely I'm missing a pre-existing guide somewhere.

- John
Rowland Penny
2023-Apr-25 20:00 UTC
[Samba] Configuring Linux openldap ldapsearch client-side tool to authenticate against a Samba AD server
On 25/04/2023 20:22, John R. Graham via samba wrote:
> Is there a guide somewhere that explains the process of getting openldap
> (the ldapsearch tool for starters) to authenticate against a Samba AD
> server? On my Linux client, I can run
>
>     ldapsearch -LLL -x -b '' -s base '(objectClass=*)'
>
> and get a detailed response from the server. Somewhat obfuscated, that
> response is:
>
> dn:
> configurationNamingContext: CN=Configuration,DC=myrealm,DC=example,DC=com
> defaultNamingContext: DC=myrealm,DC=example,DC=com
> rootDomainNamingContext: DC=myrealm,DC=example,DC=com
> schemaNamingContext: CN=Schema,CN=Configuration,DC=myrealm,DC=example,DC=org
> subschemaSubentry: CN=Aggregate,CN=Schema,CN=Configuration,DC=myrealm,DC=example,DC=com
> supportedCapabilities: 1.2.840.113556.1.4.800
> supportedCapabilities: 1.2.840.113556.1.4.1670
> supportedCapabilities: 1.2.840.113556.1.4.1791
> supportedCapabilities: 1.2.840.113556.1.4.1935
> supportedCapabilities: 1.2.840.113556.1.4.2080
> supportedLDAPVersion: 2
> supportedLDAPVersion: 3
> vendorName: Samba Team (https://www.samba.org)
> isSynchronized: TRUE
> dsServiceName: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=myrealm,DC=example,DC=com
> serverName: CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=myrealm,DC=example,DC=com
> dnsHostName: dc1.myrealm.example.com
> ldapServiceName: myrealm.example.com:dc1$@MYREALM.EXAMPLE.COM
> currentTime: 20230425172943.0Z
> supportedControl: 1.2.840.113556.1.4.1413
> supportedControl: 1.2.840.113556.1.4.1413
> supportedControl: 1.2.840.113556.1.4.1413
> supportedControl: 1.2.840.113556.1.4.1413
> supportedControl: 1.2.840.113556.1.4.1413
> supportedControl: 1.2.840.113556.1.4.528
> supportedControl: 1.2.840.113556.1.4.841
> supportedControl: 1.2.840.113556.1.4.319
> supportedControl: 2.16.840.1.113730.3.4.9
> supportedControl: 1.2.840.113556.1.4.473
> supportedControl: 1.2.840.113556.1.4.1504
> supportedControl: 1.2.840.113556.1.4.801
> supportedControl: 1.2.840.113556.1.4.801
> supportedControl: 1.2.840.113556.1.4.805
> supportedControl: 1.2.840.113556.1.4.1338
> supportedControl: 1.2.840.113556.1.4.529
> supportedControl: 1.2.840.113556.1.4.417
> supportedControl: 1.2.840.113556.1.4.2064
> supportedControl: 1.2.840.113556.1.4.1339
> supportedControl: 1.2.840.113556.1.4.1340
> supportedControl: 1.2.840.113556.1.4.1413
> supportedControl: 1.2.840.113556.1.4.1341
> namingContexts: DC=myrealm,DC=example,DC=com
> namingContexts: CN=Configuration,DC=myrealm,DC=example,DC=com
> namingContexts: CN=Schema,CN=Configuration,DC=myrealm,DC=example,DC=com
> namingContexts: DC=DomainDnsZones,DC=myrealm,DC=example,DC=com
> namingContexts: DC=ForestDnsZones,DC=myrealm,DC=example,DC=com
> supportedSASLMechanisms: GSS-SPNEGO
> supportedSASLMechanisms: GSSAPI
> supportedSASLMechanisms: NTLM
> highestCommittedUSN: 6034
> domainFunctionality: 4
> forestFunctionality: 4
> domainControllerFunctionality: 4
> isGlobalCatalogReady: TRUE
>
> But almost any other query results in
>
>     Operations error (1)
>     Additional information: 00002020: Operation unavailable without
> authentication
>
> Surely I'm missing a pre-existing guide somewhere.

Yes, you are missing that, unlike openldap, AD ldap requires authentication for most searches. Sorry, but you are going to have to authenticate.

Can I ask just what the openldap server is used for? You may just find it easier to extend the AD schema instead.

Rowland
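The reply above says only that the search has to be authenticated. The anonymous rootDSE read that already works tells you how: it advertises GSSAPI among the supported SASL mechanisms, names the DC in dnsHostName, and carries the Kerberos realm after the '@' in ldapServiceName. The script below is an added example, not part of the thread or of Samba's or OpenLDAP's own tooling. It parses a constructed copy of the rootDSE attributes from the post, derives the realm and search base, and prints (or, with AD_RUN=1 on a domain-joined client, runs) the kinit and SASL/GSSAPI ldapsearch that replace the failing simple-bind query. The account name jgraham, and a working /etc/krb5.conf or DNS SRV records for the realm, are assumptions.

```shell
#!/bin/sh
# Added example: turn the anonymous rootDSE read into an authenticated search.
# Account name and Kerberos client configuration are assumptions.
set -eu

# Constructed sample: the rootDSE attributes from the original post that the
# anonymous query returns (only the ones needed here).
SAMPLE_ROOTDSE='dn:
defaultNamingContext: DC=myrealm,DC=example,DC=com
dnsHostName: dc1.myrealm.example.com
ldapServiceName: myrealm.example.com:dc1$@MYREALM.EXAMPLE.COM
supportedSASLMechanisms: GSS-SPNEGO
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: NTLM'

# First value of a single attribute from LDIF-style output on stdin.
rootdse_attr() {  # $1 = attribute name
    sed -n "s/^$1: //p" | head -n 1
}

# The Kerberos realm is whatever follows the '@' in ldapServiceName.
realm_from_service_name() {  # $1 = ldapServiceName value
    printf '%s\n' "${1##*@}"
}

# Succeeds if the server advertises SASL mechanism $1 (stdin = rootDSE output).
supports_sasl() {
    grep -qx "supportedSASLMechanisms: $1"
}

# The authenticated search. -Y GSSAPI reuses the ticket from kinit, so no
# password appears on the command line or travels in the clear.
gssapi_search_cmd() {  # $1 = DC host, $2 = base DN, $3 = filter
    printf '%s\n' "ldapsearch -LLL -Y GSSAPI -H ldap://$1 -b '$2' '$3'"
}

# Classify ldapsearch stderr: AD code 00002020 means "bind first, then retry".
classify_error() {  # $1 = stderr text
    case "$1" in
        *00002020*)            echo needs-auth ;;
        *"Operations error"*)  echo operations-error ;;
        *)                     echo other ;;
    esac
}

main() {
    host=$(printf '%s\n' "$SAMPLE_ROOTDSE" | rootdse_attr dnsHostName)
    base=$(printf '%s\n' "$SAMPLE_ROOTDSE" | rootdse_attr defaultNamingContext)
    svc=$(printf '%s\n' "$SAMPLE_ROOTDSE" | rootdse_attr ldapServiceName)
    realm=$(realm_from_service_name "$svc")

    if ! printf '%s\n' "$SAMPLE_ROOTDSE" | supports_sasl GSSAPI; then
        echo "server does not offer GSSAPI; use a simple bind over ldaps:// instead" >&2
        return 1
    fi

    echo "# 1. get a ticket in realm $realm (assumed account: jgraham)"
    echo "kinit jgraham@$realm"
    echo "# 2. the query that failed with -x, now with SASL/GSSAPI"
    gssapi_search_cmd "$host" "$base" '(sAMAccountName=jgraham)'

    # Only execute on a real client; by default this is a dry run.
    if [ "${AD_RUN:-0}" = 1 ]; then
        kinit "jgraham@$realm"
        eval "$(gssapi_search_cmd "$host" "$base" '(sAMAccountName=jgraham)')"
    fi
}

main "$@"
```

Two caveats when you run it for real. GSSAPI needs the client to find a KDC for the realm (krb5.conf or _kerberos SRV records) and a clock within Kerberos skew of the DC, so a failing kinit is a client-configuration problem, not an LDAP one. If you fall back to a simple bind with -D/-w, do it over ldaps:// or with -ZZ: Samba AD defaults to `ldap server require strong auth = yes`, which rejects a simple bind on an unencrypted ldap:// connection, and that setting is the only thing keeping a domain password off the wire.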