
Comments (12)

denismo avatar denismo commented on August 29, 2024

Hello,

The project provides an LDAP server; you just need to follow the install instructions to get it running.

Denis

On 14 Oct 2014, at 10:46 pm, jgudavalli [email protected] wrote:

Hello,
I am trying to set up an EC2 instance as a central machine that manages and controls access to all my other EC2 instances.
Do I need to first install LDAP server on this and then use your plugin?

Regards,
Jyothi



from aws-iam-ldap-bridge.

jgudavalli avatar jgudavalli commented on August 29, 2024

Hello Denismo,
Thank you for the reply. This is what I tried and was not successful:

  1. I have an amazon EC2 instance - ldap-test.test.com
  2. I changed the hostname in /etc/hostname to ldap-test.test.com
  3. I downloaded the zip of your project using the below line into a directory /home/ubuntu/apacheds and unzipped it

    wget https://s3-ap-southeast-2.amazonaws.com/aws-iam-apacheds/apacheds-0.1.zip

  4. I created an IAM account that has all permissions in my AWS account, downloaded the credentials file and created a file ~/.aws/config. My config file has the below contents:

    [default]
    region = ap-southeast-1
    aws_access_key_id = .......
    aws_secret_access_key = ..........

  5. After that I set the path saying export AWS_CREDENTIAL_FILE=/home/ubuntu/.aws/config
  6. I created a file /etc/iam_ldap.conf and the contents of the file are as shown below:

    pollPeriod=600
    rootDN="dc=ldap-test1,dc=test,dc=com"

  7. I ran the apacheds as per your installation doc:

    ubuntu@ldap-test1:/apacheds/apacheds/bin$ Usage: apacheds.sh []
    If is ommited, 'default' will be used.
    is one of start, stop.
    sleep 10
    [1]+ Exit 1 bash apacheds.sh
    ubuntu@ldap-test1:/apacheds/apacheds/bin$

  8. Now I ran the ldapsearch and I got the error below:

    ubuntu@ldap-test1:/apacheds/apacheds/bin$ ldapsearch -H ldap://localhost:10389 -D "uid=admin,ou=system" -x -w secret -b "dc=ldap-test1,dc=test,dc=com" "(objectclass=posixaccount)"
    The program 'ldapsearch' is currently not installed. You can install it by typing:
    sudo apt-get install ldap-utils
    ubuntu@ldap-test1:/apacheds/apacheds/bin$ sudo apt-get install ldap-utils

After installing ldap-utils, I ran the command again and got the below error:

    ubuntu@ldap-test1:~/apacheds/apacheds/bin$ ldapsearch -H ldap://localhost:10389 -D "uid=admin,ou=system" -x -w secret -b "dc=ldap-test1,dc=test,dc=com" "(objectclass=posixaccount)"
    ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

What am I doing wrong? Can you help?

Regards,
Jyothi


denismo avatar denismo commented on August 29, 2024

Hello,

Do you have port 10389 open in your security group?

However, I've also tried apacheds-0.1.zip and I found another problem - for some reason the partition is not there, so the authenticator won't work. Sorry for that, must be a bug in deployment. Unfortunately, I'm travelling right now so I cannot fix it (don't have the right package with me). I'll be back next week and plan to fix this ASAP. I'll let you know once that is done if you are still interested.

BTW, I'm also planning to create a public AMI to simplify the deployment, or a set of Puppet/Chef/Docker scripts. Just out of curiosity - if I had one of these, which one would you use (or would you still prefer to do the installation by yourself)?

Cheers,

Denis


From: jgudavalli [email protected]
To: denismo/aws-iam-ldap-bridge [email protected]
Cc: Denis Mikhalkin [email protected]
Sent: Thursday, 16 October 2014, 14:26
Subject: Re: [aws-iam-ldap-bridge] Clarification on the project (#13)


jgudavalli avatar jgudavalli commented on August 29, 2024

Hello Denis,
Thank you for confirming my steps for the installation of your project. I am new to cloud computing and new to a lot of technical terms. You can provide me a script for installing the project or I can do the installation with some help from you. You can also reach me at my email - [email protected].

I am actually desperate to build an EC2 instance which uses IAM credentials to control the access to all the other EC2 instances. Hopefully your project will help me.

Regards,
Jyothi


denismo avatar denismo commented on August 29, 2024

Hello,

Just verified:

  1. Created a t2.small instance from Amazon AMI. The instance was assigned an EC2 Role, which has permissions to Get/List IAM
  2. curl -O https://s3-ap-southeast-2.amazonaws.com/aws-iam-apacheds/apacheds-0.1.zip
  3. unzip apacheds-0.1.zip
  4. cd apacheds
  5. cd bin
  6. bash apacheds.sh start
  7. Connected to the instance remotely with Apache Directory Studio, on port 10389 (opened this port in security group)

I can see the users and groups from IAM so everything seems to be working fine.

Tomorrow I'll make an AMI. Which region are you using?

Regards,

Denis


From: jgudavalli [email protected]
To: denismo/aws-iam-ldap-bridge [email protected]
Cc: Denis Mikhalkin [email protected]
Sent: Sunday, 19 October 2014, 0:14
Subject: Re: [aws-iam-ldap-bridge] Clarification on the project (#13)


jgudavalli avatar jgudavalli commented on August 29, 2024

Hello Denismo,
I am using Singapore.

Regards,
Jyothi
On 20-Oct-2014, at 6:47 pm, Denis Mikhalkin [email protected] wrote:


ambikads avatar ambikads commented on August 29, 2024

@denismo I encountered the same issue
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

I do not want to use the pre-built AMI and want to configure it in my Ubuntu EC2 instance. I am using your latest binary package. Please advise. Thanks!!


denismo avatar denismo commented on August 29, 2024

This looks more like an infrastructure configuration issue. Is the server running? Is it listening on the LDAP port? Is the port open in the firewall? Is the port open in the security group?

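Added example (not part of the thread or of the project's code): a small script that works through the checks listed in the comment above for `Can't contact LDAP server (-1)`, by classifying what is bound to port 10389 from `ss -ltn` output. The function names and the sample `ss` output are constructed for illustration.

```shell
#!/bin/sh
# Triage for "ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)".
LDAP_PORT=10389   # port used throughout the thread

# Constructed sample of `ss -ltn` output (not captured from a real host).
sample_ss() {
    cat <<'EOF'
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*
LISTEN  0       50      127.0.0.1:8080      0.0.0.0:*
LISTEN  0       50      *:10389             *:*
EOF
}

# listener_scope PORT  (reads `ss -ltn` output on stdin)
# Prints: none | loopback | any
listener_scope() {
    awk -v port="$1" '
        $1 == "LISTEN" {
            addr = $4; p = $4
            sub(/.*:/, "", p)          # port: text after the last colon
            sub(/:[^:]*$/, "", addr)   # address: text before it
            if (p != port) next
            if (addr ~ /^127\./ || addr == "[::1]" || addr ~ /127\.0\.0\.1\]$/) {
                lo = 1                 # bound to a loopback address
            } else {
                any = 1                # bound to a routable or wildcard address
            }
        }
        END { print (any ? "any" : (lo ? "loopback" : "none")) }'
}

# next_step SCOPE: which of the checks from the comment to look at next.
next_step() {
    case "$1" in
        none)     echo "not listening: is the server started (bash apacheds.sh start)?" ;;
        loopback) echo "listening on loopback only: remote clients cannot connect" ;;
        any)      echo "listening: check the host firewall and the security group for TCP $LDAP_PORT" ;;
    esac
}

# Live use on the LDAP host: sh triage.sh live
if [ "${1:-}" = "live" ]; then
    next_step "$(ss -ltn | listener_scope "$LDAP_PORT")"
fi
```

A result of `none` matches the first report in this thread, where `apacheds.sh` printed its usage text and exited with status 1 before `ldapsearch` was run.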

ambikads avatar ambikads commented on August 29, 2024

I followed the exact steps listed above by Jyothi. It's an Ubuntu EC2 instance, server is running, no firewall, port 10389 open in security group. Do any other ports need to be opened? The issue you had mentioned with the partition, is that fixed?


ambikads avatar ambikads commented on August 29, 2024

Is this how I start the server? How do I verify if it's running? And what is an instance name?

/apacheds/bin$ bash apacheds.sh
Usage: apacheds.sh []
If is ommited, 'default' will be used.
is one of start, stop.
:/apacheds/bin$ bash apacheds.sh start
Starting ApacheDS instance 'default'...


ambikads avatar ambikads commented on August 29, 2024

@denismo I think I found the problem. It's because apacheds expects java to be under /bin/java while mine was under /usr/bin/java. Once I symlinked, I see the server is running.
However, I see the below error with a custom rootDN in /etc/iam_ldap.conf. Please let me know if I should start a new thread. Thanks for your help.

org.apache.directory.api.ldap.model.message.SearchRequestImpl@8623823: ERR_268 Cannot find a partition for dc=test,dc=ldap,dc=com

With the default rootDN, it works and I see the IAM users.


denismo avatar denismo commented on August 29, 2024

It's hard to tell. The root DN is created on start, whether it is default or custom. Do you see any exceptions in the log?
