Comments (10)
Hi! I tried to find their doc for LDAP settings, but couldn't find anything, so I'll give it my best guess. However, it would really help if you could enable verbose mode in LLDAP and post the logs from trying to use UrBackup.
Some changes I'd make:
- user name prefix: either empty or uid=
- user name suffix: ou=people,dc=example, dc=com
- group and class query: not sure what that is, but the syntax you have here is not LDAP, and the field sAMAccountName doesn't exist. You probably want something like (member={USERNAME}) (or maybe (member=uid={USERNAME},ou=people,dc=example,dc=com)).
- group key name: uid
Tell me how that works, and post the LLDAP logs. And if you have trouble, feel free to join the discord for more interactive help.
from lldap.
Oh, wow, they do extremely basic string concatenation. Try to add a comma at the beginning of the suffix: ,ou=people,dc=example, dc=com
This is as far as I can get, the problem is all users will be admin???
martadinata666, thank you very much for your help.
UrBackup config:
LDAP/AD server name: lldap
LDAP/AD server port: 3890
LDAP/AD user name prefix: uid=
LDAP/AD user name suffix: ,ou=people,dc=example,dc=com
LDAP/AD group and class query: dc=example,dc=com?memberOf,objectClass?sub?(uid={USERNAME})
LDAP/AD group key name in query: memberOf
LDAP/AD class key name in query: objectClass
LDAP/AD group rights map: cn=admins,*==>all=all
LDAP/AD class rights map: user==>lastacts={AUTOCLIENTS},progress={AUTOCLIENTS},status={AUTOCLIENTS},stop_backup={AUTOCLIENTS},start_backup=all,browse_backups=tokens
Test login succeeded. Rights of user: all=all
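The three string operations this thread is debugging, rebuilt as an added example (Python; not UrBackup's or lldap's own code). The bind DN is prefix + username + suffix, exactly the concatenation nitnelave describes; the "group and class query" is split as base?attrs?scope?filter with {USERNAME} substituted; and the DN check reproduces the "Too many elements in distinguished name" rejection that a suffix without its leading comma produces. The RFC 4514 DN escaping and RFC 4515 filter escaping of the username are this example's own addition, shown so a practitioner can see what a username containing ",", "=" or "*" would otherwise do to those strings; whether UrBackup escapes the substituted username itself is not something the thread shows, so treat that as an assumption to verify, not a statement about UrBackup.

```python
# Added example for this thread (Python; not UrBackup's or lldap's code).
# Rebuilds the strings UrBackup's LDAP settings produce: bind DN = prefix +
# username + suffix, and the "group and class query" as base?attrs?scope?filter.
# The RFC 4514 / RFC 4515 escaping is this example's addition, not UrBackup's.
from typing import List, NamedTuple, Tuple

# RFC 4514 section 2.4: characters that need a backslash inside a DN value.
_DN_SPECIAL = set(',+"\\<>;=')


def escape_dn_value(value: str) -> str:
    """Escape one attribute value for use inside an RDN (RFC 4514)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_SPECIAL or (ch == '#' and i == 0) or (ch == ' ' and i in (0, last)):
            out.append('\\' + ch)
        elif ord(ch) < 0x20:
            out.append('\\%02x' % ord(ch))
        else:
            out.append(ch)
    return ''.join(out)


def escape_filter_value(value: str) -> str:
    """Escape one assertion value for use inside a search filter (RFC 4515)."""
    return ''.join('\\%02x' % ord(ch) if ch in '*()\\\x00' else ch for ch in value)


def bind_dn(prefix: str, username: str, suffix: str) -> str:
    """The bind DN the settings produce: plain concatenation of the three fields."""
    return prefix + escape_dn_value(username) + suffix


def split_unescaped(text: str, sep: str) -> List[str]:
    """Split on sep, leaving backslash-escaped occurrences of sep alone."""
    parts, cur, i = [], [], 0
    while i < len(text):
        ch = text[i]
        if ch == '\\' and i + 1 < len(text):
            cur.append(text[i:i + 2])
            i += 2
            continue
        if ch == sep:
            parts.append(''.join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    parts.append(''.join(cur))
    return parts


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a DN into (attribute, value) RDNs. An RDN that is not exactly one
    attr=value pair is rejected, which is what lldap's NamingViolation in the
    thread is about. Multi-valued RDNs joined with '+' are not handled here."""
    rdns = []
    for rdn in split_unescaped(dn, ','):
        pieces = split_unescaped(rdn, '=')
        if len(pieces) != 2:
            raise ValueError('RDN %r is not a single attr=value pair; elements: %s'
                             % (rdn, ', '.join('"%s"' % p for p in pieces)))
        rdns.append((pieces[0].strip(), pieces[1].strip()))
    return rdns


def is_valid_dn(dn: str) -> bool:
    try:
        parse_dn(dn)
        return True
    except ValueError:
        return False


class LdapQuery(NamedTuple):
    base: str
    attrs: Tuple[str, ...]
    scope: str
    filter: str


def parse_query(query: str, username: str) -> LdapQuery:
    """Parse the 'group and class query' field (base?attrs?scope?filter, the
    path part of an RFC 4516 LDAP URL) and substitute the escaped username."""
    parts = query.split('?')
    if len(parts) != 4:
        raise ValueError('expected base?attrs?scope?filter, got %r' % query)
    base, attrs, scope, filt = parts
    if scope not in ('base', 'one', 'sub'):
        raise ValueError('scope must be base, one or sub, got %r' % scope)
    parse_dn(base)  # the search base has to be a well-formed DN too
    filt = filt.replace('{USERNAME}', escape_filter_value(username))
    return LdapQuery(base, tuple(a for a in attrs.split(',') if a), scope, filt)


if __name__ == '__main__':
    QUERY = 'dc=example,dc=com?memberOf,objectClass?sub?(uid={USERNAME})'
    broken = bind_dn('uid=', 'admin', 'ou=people,dc=example,dc=com')  # suffix lacks its comma
    print(broken, '->', 'valid' if is_valid_dn(broken) else 'rejected')
    print(parse_dn(bind_dn('uid=', 'admin', ',ou=people,dc=example,dc=com')))
    print(parse_query(QUERY, 'admin'))
    # A username carrying metacharacters stays a literal once escaped.
    print(parse_query(QUERY, 'admin*').filter)  # (uid=admin\2a)
    print(bind_dn('uid=', 'admin,ou=groups', ',ou=people,dc=example,dc=com'))
```

Run it with python3. The query field that finally worked is the four-part LDAP URL path form; the two attempts later in the thread that put a DN fragment such as member=uid={USERNAME},... into that field fail the four-part check here for the same reason lldap's log shows them failing there: the server received the whole string as a search base and rejected it as a DN.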
Thank you very much for your answer.
Environment configuration below:
#promiscuous mode enabled
ifconfig eth0 up
ifconfig eth0 promisc
mkdir -p /home/docker/lldap/data/
mkdir -p /home/docker/urbackup/database/
mkdir -p /home/docker/urbackup/backup/
#docker-compose.yml
version: "2.3"
networks:
  isolated:
    driver: bridge
    internal: true
  macvlan_network:
    driver: macvlan
    driver_opts:
      parent: eth0
    ipam:
      config:
        - subnet: 10.10.0.0/24
services:
  lldap:
    image: nitnelave/lldap
    container_name: lldap
    hostname: lldap
    # ports:
    #   # For LDAP
    #   - 3890:3890
    #   # For the web front-end
    #   - 17170:17170
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /etc/timezone:/etc/timezone:ro
      - /home/docker/lldap/data/:/data/
    environment:
      - UID=1000
      - GID=1000
      - TZ=UTC
      - LLDAP_JWT_SECRET=LLDAPJWTSECRET
      - LLDAP_LDAP_USER_PASS=PA$$W0RD
      - LLDAP_LDAP_BASE_DN=dc=example,dc=com
      - LLDAP_VERBOSE=true
    mac_address: 02:42:ac:11:00:01
    networks:
      isolated:
      macvlan_network:
        ipv4_address: 10.10.0.1
    restart: unless-stopped
  urbackup:
    image: uroni/urbackup-server
    container_name: urbackup
    environment:
      # - PUID=1000
      # - PGID=1000
      - TZ=UTC
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /etc/timezone:/etc/timezone:ro
      - /home/docker/urbackup/backup/:/backups/
      - /home/docker/urbackup/database/:/var/urbackup/
    # ports:
    #   - "55413-55415:55413-55415"
    #   - "35623:35623/udp"
    mac_address: 02:42:ac:11:00:02
    networks:
      isolated:
      macvlan_network:
        ipv4_address: 10.10.0.2
    restart: unless-stopped
UrBackup config:
LDAP/AD server name: lldap
LDAP/AD server port: 3890
LDAP/AD user name prefix: uid=
LDAP/AD user name suffix: ou=people,dc=example,dc=com
LDAP/AD group and class query: member=uid={USERNAME},ou=people,dc=example,dc=com
LDAP/AD group key name in query: uid
LDAP/AD class key name in query: objectClass
LDAP/AD group rights map: cn=admins,*==>all=all
LDAP/AD class rights map: user==>lastacts={AUTOCLIENTS},progress={AUTOCLIENTS},status={AUTOCLIENTS},stop_backup={AUTOCLIENTS},start_backup=all,browse_backups=tokens
UrBackup log:
ERROR: Login via LDAP failed: Login denied(ec=67), LDAP remote: bind failed Success Too many elements in distinguished name: ""uid"", ""adminou"", ""people""
lldap log:
2023-06-12T09:58:29.987671429+00:00 INFO LDAP session [ 88.9µs | 39.19% / 100.00% ]
2023-06-12T09:58:29.987692235+00:00 INFO ┝━ LDAP request [ 51.2µs | 52.94% / 57.62% ]
2023-06-12T09:58:29.987700524+00:00 DEBUG │ ┝━ 🐛 [debug]: | msg: LdapMsg { msgid: 1, op: BindRequest(LdapBindRequest { dn: "uid=adminou=people,dc=example,dc=com", cred: Simple("********") }), ctrl: [] }
2023-06-12T09:58:29.987701688+00:00 DEBUG │ ┝━ do_bind [ 4.16µs | 4.68% ]
2023-06-12T09:58:29.987703233+00:00 DEBUG │ │ ┕━ 🐛 [debug]: DN: uid=adminou=people,dc=example,dc=com
2023-06-12T09:58:29.987713047+00:00 DEBUG │ ┕━ 🐛 [debug]: | response: BindResponse(LdapBindResponse { res: LdapResult { code: NamingViolation, matcheddn: "", message: "Too many elements in distinguished name: \"\"uid\"\", \"\"adminou\"\", \"\"people\"\"", referral: [] }, saslcreds: None })
2023-06-12T09:58:29.987772545+00:00 INFO ┕━ LDAP request [ 2.84µs | 3.19% ]
2023-06-12T09:58:29.987774585+00:00 DEBUG   ┕━ 🐛 [debug]: | msg: LdapMsg { msgid: 2, op: UnbindRequest, ctrl: [] }
2023-06-12T09:58:42.847152802+00:00 INFO HTTP request [ 7.81µs | 100.00% ]
2023-06-12T09:58:42.847154396+00:00 INFO ┝━ ｉ [info]: | uri: /health
2023-06-12T09:58:42.847161435+00:00 INFO ┕━ ｉ [info]: | status_code: 200
2023-06-12T09:58:42.847011185+00:00 INFO LDAP session [ 107µs | 33.51% / 100.00% ]
2023-06-12T09:58:42.847057260+00:00 INFO ┕━ LDAP request [ 70.9µs | 66.49% ]
2023-06-12T09:58:42.847065350+00:00 DEBUG   ┝━ 🐛 [debug]: | msg: LdapMsg { msgid: 0, op: SearchRequest(LdapSearchRequest { base: "", scope: Base, aliases: Never, sizelimit: 0, timelimit: 0, typesonly: false, filter: Present("objectClass"), attrs: ["supportedExtension"] }), ctrl: [] }
2023-06-12T09:58:42.847067411+00:00 DEBUG   ┝━ 🐛 [debug]: rootDSE request
2023-06-12T09:58:42.847083861+00:00 DEBUG   ┝━ 🐛 [debug]: | response: SearchResultEntry(LdapSearchResultEntry { dn: "", attributes: [LdapPartialAttribute { atype: "objectClass", vals: [[116, 111, 112]] }, LdapPartialAttribute { atype: "vendorName", vals: [[76, 76, 68, 65, 80]] }, LdapPartialAttribute { atype: "vendorVersion", vals: [[108, 108, 100, 97, 112, 95, 48, 46, 53, 46, 48, 45, 97, 108, 112, 104, 97]] }, LdapPartialAttribute { atype: "supportedLDAPVersion", vals: [[51]] }, LdapPartialAttribute { atype: "supportedExtension", vals: [[49, 46, 51, 46, 54, 46, 49, 46, 52, 46, 49, 46, 52, 50, 48, 51, 46, 49, 46, 49, 49, 46, 49]] }, LdapPartialAttribute { atype: "supportedControl", vals: [] }, LdapPartialAttribute { atype: "supportedFeatures", vals: [[49, 46, 51, 46, 54, 46, 49, 46, 52, 46, 49, 46, 52, 50, 48, 51, 46, 49, 46, 53, 46, 49]] }, LdapPartialAttribute { atype: "defaultNamingContext", vals: [[100, 99, 61, 97, 116, 44, 100, 99, 61, 108, 97, 110]] }, LdapPartialAttribute { atype: "namingContexts", vals: [[100, 99, 61, 97, 116, 44, 100, 99, 61, 108, 97, 110]] }, LdapPartialAttribute { atype: "isGlobalCatalogReady", vals: [[102, 97, 108, 115, 101]] }] })
2023-06-12T09:58:42.847115994+00:00 DEBUG   ┕━ 🐛 [debug]: | response: SearchResultDone(LdapResult { code: Success, matcheddn: "", message: "", referral: [] })
Thank you very much for your answer.
nitnelave, thank you very much for your help.
UrBackup config:
LDAP/AD server name: lldap
LDAP/AD server port: 3890
LDAP/AD user name prefix: uid=
LDAP/AD user name suffix: ,ou=people,dc=example,dc=com
LDAP/AD group and class query: member=uid={USERNAME},ou=people,dc=example,dc=com
LDAP/AD group key name in query: uid
LDAP/AD class key name in query: objectClass
LDAP/AD group rights map: cn=admins,*==>all=all
LDAP/AD class rights map: user==>lastacts={AUTOCLIENTS},progress={AUTOCLIENTS},status={AUTOCLIENTS},stop_backup={AUTOCLIENTS},start_backup=all,browse_backups=tokens
UrBackup log:
ERROR: Login via LDAP failed: LDAP: search failed(ec=39), LDAP remote: search failed Success Too many elements in distinguished name: ""member"", ""uid"", ""admin""
lldap log:
2023-06-12T11:07:58.234838195+00:00 INFO HTTP request [ 8.61µs | 100.00% ]
2023-06-12T11:07:58.234840002+00:00 INFO ┝━ ｉ [info]: | uri: /health
2023-06-12T11:07:58.234847828+00:00 INFO ┕━ ｉ [info]: | status_code: 200
2023-06-12T11:07:58.234705916+00:00 INFO LDAP session [ 113µs | 39.58% / 100.00% ]
2023-06-12T11:07:58.234746366+00:00 INFO ┕━ LDAP request [ 68.6µs | 60.42% ]
2023-06-12T11:07:58.234754384+00:00 DEBUG   ┝━ 🐛 [debug]: | msg: LdapMsg { msgid: 0, op: SearchRequest(LdapSearchRequest { base: "", scope: Base, aliases: Never, sizelimit: 0, timelimit: 0, typesonly: false, filter: Present("objectClass"), attrs: ["supportedExtension"] }), ctrl: [] }
2023-06-12T11:07:58.234756456+00:00 DEBUG   ┝━ 🐛 [debug]: rootDSE request
2023-06-12T11:07:58.234771757+00:00 DEBUG   ┝━ 🐛 [debug]: | response: SearchResultEntry(LdapSearchResultEntry { dn: "", attributes: [LdapPartialAttribute { atype: "objectClass", vals: [[116, 111, 112]] }, LdapPartialAttribute { atype: "vendorName", vals: [[76, 76, 68, 65, 80]] }, LdapPartialAttribute { atype: "vendorVersion", vals: [[108, 108, 100, 97, 112, 95, 48, 46, 53, 46, 48, 45, 97, 108, 112, 104, 97]] }, LdapPartialAttribute { atype: "supportedLDAPVersion", vals: [[51]] }, LdapPartialAttribute { atype: "supportedExtension", vals: [[49, 46, 51, 46, 54, 46, 49, 46, 52, 46, 49, 46, 52, 50, 48, 51, 46, 49, 46, 49, 49, 46, 49]] }, LdapPartialAttribute { atype: "supportedControl", vals: [] }, LdapPartialAttribute { atype: "supportedFeatures", vals: [[49, 46, 51, 46, 54, 46, 49, 46, 52, 46, 49, 46, 52, 50, 48, 51, 46, 49, 46, 53, 46, 49]] }, LdapPartialAttribute { atype: "defaultNamingContext", vals: [[100, 99, 61, 97, 116, 44, 100, 99, 61, 108, 97, 110]] }, LdapPartialAttribute { atype: "namingContexts", vals: [[100, 99, 61, 97, 116, 44, 100, 99, 61, 108, 97, 110]] }, LdapPartialAttribute { atype: "isGlobalCatalogReady", vals: [[102, 97, 108, 115, 101]] }] })
2023-06-12T11:07:58.234803705+00:00 DEBUG   ┕━ 🐛 [debug]: | response: SearchResultDone(LdapResult { code: Success, matcheddn: "", message: "", referral: [] })
2023-06-12T11:08:04.889672461+00:00 INFO LDAP session [ 51.3ms | 0.16% / 100.00% ]
2023-06-12T11:08:04.890776428+00:00 INFO ┝━ LDAP request [ 51.2ms | 0.16% / 99.74% ]
2023-06-12T11:08:04.890784515+00:00 DEBUG │ ┝━ 🐛 [debug]: | msg: LdapMsg { msgid: 1, op: BindRequest(LdapBindRequest { dn: "uid=admin,ou=people,dc=example,dc=com", cred: Simple("********") }), ctrl: [] }
2023-06-12T11:08:04.890787101+00:00 DEBUG │ ┝━ do_bind [ 51.1ms | 0.04% / 99.58% ]
2023-06-12T11:08:04.890789404+00:00 DEBUG │ │ ┝━ 🐛 [debug]: DN: uid=admin,ou=people,dc=example,dc=com
2023-06-12T11:08:04.890794494+00:00 DEBUG │ │ ┝━ bind [ 50.9ms | 0.03% / 99.20% ]
2023-06-12T11:08:04.890804233+00:00 DEBUG │ │ │ ┝━ get_password_file_for_user [ 81.4µs | 0.16% ]
2023-06-12T11:08:04.891008448+00:00 DEBUG │ │ │ ┕━ passwords_match [ 50.8ms | 99.01% ]
2023-06-12T11:08:04.941840312+00:00 DEBUG │ │ ┝━ get_user_groups [ 176µs | 0.34% ]
2023-06-12T11:08:04.941844690+00:00 DEBUG │ │ │ ┝━ 🐛 [debug]: | user_id: UserId("admin")
2023-06-12T11:08:04.942348812+00:00 DEBUG │ │ │ ┕━ 🐛 [debug]: | return: {GroupDetails { group_id: GroupId(1), display_name: "lldap_admin", creation_date: 2023-05-12T21:14:10.427030105, uuid: Uuid("36c211d9-92e5-32ac-9813-07b0fdc62ed7") }, GroupDetails { group_id: GroupId(4), display_name: "admins", creation_date: 2023-05-12T21:21:10.039454408, uuid: Uuid("214f8213-2caa-3b8f-a559-985bdd2bf412") }}
2023-06-12T11:08:04.942352074+00:00 DEBUG │ │ ┕━ 🐛 [debug]: Success!
2023-06-12T11:08:04.942357533+00:00 DEBUG │ ┕━ 🐛 [debug]: | response: BindResponse(LdapBindResponse { res: LdapResult { code: Success, matcheddn: "", message: "", referral: [] }, saslcreds: None })
2023-06-12T11:08:04.942469270+00:00 INFO ┝━ LDAP request [ 48.8µs | 0.09% / 0.10% ]
2023-06-12T11:08:04.942475092+00:00 DEBUG │ ┝━ 🐛 [debug]: | msg: LdapMsg { msgid: 2, op: SearchRequest(LdapSearchRequest { base: "member=uid=admin,ou=people,dc=example,dc=com", scope: Base, aliases: Never, sizelimit: 0, timelimit: 0, typesonly: false, filter: Present("objectclass"), attrs: [] }), ctrl: [] }
2023-06-12T11:08:04.942476339+00:00 DEBUG │ ┝━ do_search [ 3.35µs | 0.01% ]
2023-06-12T11:08:04.942483661+00:00 DEBUG │ ┕━ 🐛 [debug]: | response: SearchResultDone(LdapResult { code: InvalidDNSyntax, matcheddn: "", message: "Too many elements in distinguished name: \"\"member\"\", \"\"uid\"\", \"\"admin\"\"", referral: [] })
2023-06-12T11:08:04.942612254+00:00 INFO ┕━ LDAP request [ 2.96µs | 0.01% ]
2023-06-12T11:08:04.942614464+00:00 DEBUG   ┕━ 🐛 [debug]: | msg: LdapMsg { msgid: 3, op: UnbindRequest, ctrl: [] }
nitnelave, thank you very much for your help.
On the UrBackup forum I have found this information:
https://forums.urbackup.org/t/active-directory-and-urbackup/809/11
LDAP/AD user name prefix
What gets prepended to the username when logging in, usually “firmenname”.
LDAP/AD user name suffix
Can be left empty.
LDAP/AD group and class query --> “DC=example,DC=com…”
Change to your choice of domain name. E.g. DC=firmenname,DC=de
https://forums.urbackup.org/t/ldap-server-bind/10047/4
DC=home,DC=intern?memberOf,objectClass?sub?(sAMAccountName={USERNAME})
Here you can simply change “sAMAccountName” to whatever you want the username to be queried from.
https://forums.urbackup.org/t/cannot-open-backups-using-an-ldap-account/6988/2
The mapping to administrator (“all=all”) failed and it falls back to normal user authentication.
martadinata666, thank you very much for your help.
This is as far as I can get, the problem is all users will be admin???
What do you think about this user restriction:
Administrator users: internal storage;
Users from LDAP: restricted group rights map.
I dunno how this translates to UrBackup permissions; as a client that logged in via LDAP, I prefer simple:
- Upload backup
- Manage backup
Then there is this https://www.urbackup.org/administration_manual.html#x1-190004.1, maybe it's set on the LDAP *==>all=all things, but technically this is a personal preference on what a client can/can't do.
What I'm curious about is: LDAP/AD class rights map, how/when does this affect LDAP login?
As the one that can set permissions is the LDAP/AD group rights map, my current LDAP/AD group rights map:
cn=lldap_urbackup,*==>browse_backups=all,start_backup=all,status=all,logs=all,progress=all,stop_backup=all,lastacts=all
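An offline evaluator for the two rights maps the last few comments discuss, as an added example (Python; not UrBackup's code), so a mapping can be reasoned about before it is pasted into the settings page and checked with "Test login". The matching rules are assumptions, since the thread does not spell them out: the part left of "==>" is matched against each memberOf or objectClass value with "*" as a wildcard and without case sensitivity, the rights of every matching entry are merged, all=all outranks everything, and {AUTOCLIENTS} stays the literal placeholder UrBackup expands itself. The group DN shape cn=<group>,ou=groups,<base> and the objectClass values inetOrgPerson, posixAccount, mailAccount and person are how lldap presents its entries as far as this editor recalls; confirm both with an ldapsearch before relying on the result.

```python
# Added example for this thread (Python; not UrBackup's code): evaluates the
# "group rights map" and "class rights map" offline. Assumed semantics (the
# thread does not define them): '*' is a wildcard, matching is case-insensitive,
# rights of all matching entries merge, 'all=all' outranks everything, and
# {AUTOCLIENTS} is left for UrBackup to expand. The lldap group DN shape and
# objectClass values below are recalled from lldap's output; verify with ldapsearch.
from fnmatch import fnmatchcase
from typing import Dict, Iterable, List, Tuple

Rights = Dict[str, str]
MapEntry = Tuple[str, Rights]


def parse_map(entries: Iterable[str]) -> List[MapEntry]:
    """Turn 'pattern==>right=value,right=value' entries into (pattern, rights)."""
    parsed = []
    for entry in entries:
        pattern, arrow, rights_text = entry.partition('==>')
        if not arrow or not pattern.strip():
            raise ValueError("missing pattern or '==>' in %r" % entry)
        rights: Rights = {}
        for item in rights_text.split(','):
            right, eq, value = item.partition('=')
            if not eq or not right or not value:
                raise ValueError('bad right %r in %r' % (item, entry))
            rights[right.strip()] = value.strip()
        parsed.append((pattern.strip(), rights))
    return parsed


def resolve(values: Iterable[str], rights_map: List[MapEntry]) -> Rights:
    """Merge the rights of every map entry whose pattern matches one of values."""
    granted: Rights = {}
    for value in values:
        for pattern, rights in rights_map:
            if fnmatchcase(value.lower(), pattern.lower()):
                granted.update(rights)
    return granted


def effective_rights(member_of: Iterable[str], object_classes: Iterable[str],
                     group_map: Iterable[str], class_map: Iterable[str]) -> Rights:
    """Group map is evaluated on memberOf, class map on objectClass; results merge."""
    rights = resolve(member_of, parse_map(group_map))
    rights.update(resolve(object_classes, parse_map(class_map)))
    if rights.get('all') == 'all':
        return {'all': 'all'}
    return rights


# The maps from the thread: the OP's admin mapping plus martadinata666's restricted one.
GROUP_MAP = [
    'cn=admins,*==>all=all',
    'cn=lldap_urbackup,*==>browse_backups=all,start_backup=all,status=all,'
    'logs=all,progress=all,stop_backup=all,lastacts=all',
]
CLASS_MAP = [
    'user==>lastacts={AUTOCLIENTS},progress={AUTOCLIENTS},status={AUTOCLIENTS},'
    'stop_backup={AUTOCLIENTS},start_backup=all,browse_backups=tokens',
]
# Constructed attribute values in the shape lldap returns (assumption, see header).
BASE = 'dc=example,dc=com'
LLDAP_USER_CLASSES = ['inetOrgPerson', 'posixAccount', 'mailAccount', 'person']


def group_dn(name: str) -> str:
    return 'cn=%s,ou=groups,%s' % (name, BASE)


if __name__ == '__main__':
    for groups in (['admins', 'lldap_admin'], ['lldap_urbackup'], ['lldap_admin']):
        print(groups, '->', effective_rights(map(group_dn, groups), LLDAP_USER_CLASSES,
                                              GROUP_MAP, CLASS_MAP))
    # The AD-style 'user' class matches none of lldap's classes, so that class
    # map entry never fires on lldap; one naming an lldap class does.
    print(effective_rights([], LLDAP_USER_CLASSES, GROUP_MAP,
                           ['inetOrgPerson==>browse_backups=tokens,start_backup=all']))
```

Under these assumptions a user in admins gets all=all, a user only in lldap_urbackup gets the seven listed rights, and a user in neither gets nothing from the group map; the class map copied from the AD examples contributes nothing on lldap because no lldap entry carries objectClass user, which is one answer to the question above about when the class map affects an LDAP login. Whatever the real matching rules turn out to be, the "Test login" output is the authority, and this script only helps predict it.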