Trying to get ldapsearch on ESX 3.0.x to work without simple binding. In other words, no -x parameter. Simple binding sends the password in clear text, which is just not allowed. I have our ldapsearch queries working just fine with simple binding, but want to eliminate simple binding. We are using ldapsearch against Microsoft AD Windows 2003.
For example...
/usr/bin/ldapsearch -x -v -LLL -h prototype.dachshund.org -b DC=dachshund,DC=org -D Administrator@dachshund.org -W -u -tt -T /LDAP/Data/UsersGroup "(samAccountName=UsersGroup)" member
But...
/usr/bin/ldapsearch -v -LLL -h prototype.dachshund.org -b DC=dachshund,DC=org -D Administrator@dachshund.org -W -u -tt -T /LDAP/Data/UsersGroup "(samAccountName=UsersGroup)" member
Returns...
Enter LDAP Password:
ldap_sasl_interactive_bind_s: Local error
Since -x is not being used, SASL is expected by Microsoft AD? No clue how to set the LDAP password in AD either. I believe the default method is MD5 hash encrypted passwords for SASL? Any help would be appreciated.
No points? Tough crowd and at this rate I will never get my brain
Steve Beaver
VMTN Forum Moderator
*Virtualization is a journey, not a project.*
Hello,
Instead of using LDAP this way I would suggest using winbind instead. Check out my blog at http://www.informit.com/authors/bio.aspx?a=6383b474-43ad-4266-8dee-c3eb9d55db56&rl=1 for full steps in integrating AD using pam kerberos and winbind modules.
Best regards,
Edward L. Haletky, author of the forthcoming 'VMWare ESX Server in the Enterprise: Planning and Securing Virtualization Servers', publishing January 2008, (c) 2008 Pearson Education. Available on Rough Cuts at http://safari.informit.com/9780132302074
Unfortunately I am dealing with some very severe restrictions for AD interaction. I cannot use Samba at all, and I cannot change any settings on the DCs, so disabling secure channel or signed communications is completely out of the question. Per the link you provided, although an excellent idea, I cannot make the changes needed to implement it.
I have only two options, both of which I need some help setting up...
1) use Secure LDAP (port 636)
or
2) implement SASL
Kerberos is available in our environment, but the standard ldapsearch component provided by VMware does not have Kerberos support compiled into the ldapsearch binary, and I am not allowed to compile a new version of ldapsearch; I have to use what VMware provides as core to the ESX OS.
Please keep those suggestions coming, or if you have implemented Secure LDAP or SASL for ldapsearch on a Windows 2003 R2 SP1/SP2 domain, I really would appreciate the help.
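As an added example (not part of the thread, and not VMware's or OpenLDAP's code), the following shell helper classifies an ldapsearch command line by how the bind credential travels, covering the two cleartext-free routes listed above (ldaps:// on 636, or a SASL bind) plus StartTLS. It assumes OpenLDAP-style flags passed as separate arguments, and the wrapper function and its exit code 2 are hypothetical conventions chosen here.

```sh
# Classify the bind of an ldapsearch argument list (hypothetical helper).
#   -x        simple bind: the password is sent as-is on the wire
#   -Z / -ZZ  request / require StartTLS on the plain ldap port
#   -H URI    an ldaps:// URI is TLS from the first byte (port 636)
#   -Y MECH   SASL bind (e.g. GSSAPI, DIGEST-MD5): no cleartext password
# No -x and no -Y is the default SASL interactive bind; that is the
# path that produced "ldap_sasl_interactive_bind_s: Local error" above.
ldap_bind_mode() {
    simple=0 tls=0 sasl=0
    for arg in "$@"; do
        case "$arg" in
            -x)        simple=1 ;;
            -Z|-ZZ)    tls=1 ;;
            ldaps://*) tls=1 ;;
            -Y)        sasl=1 ;;
        esac
    done
    if [ "$simple" -eq 1 ] && [ "$tls" -eq 0 ]; then
        echo cleartext-simple
    elif [ "$simple" -eq 1 ]; then
        echo simple-over-tls
    elif [ "$sasl" -eq 1 ]; then
        echo sasl
    else
        echo sasl-default
    fi
}

# Wrapper (hypothetical): run /usr/bin/ldapsearch only when the bind
# would not expose the password; otherwise return 2 without connecting.
guarded_ldapsearch() {
    mode=$(ldap_bind_mode "$@")
    if [ "$mode" = cleartext-simple ]; then
        echo "refusing: simple bind without TLS ($mode)" >&2
        return 2
    fi
    /usr/bin/ldapsearch "$@"
}

# Constructed sample based on the commands quoted in this thread:
# the first line is the cleartext form, the second the ldaps:// variant.
# guarded_ldapsearch -x -v -LLL -h prototype.dachshund.org -D Administrator@dachshund.org -W "(samAccountName=UsersGroup)" member
# guarded_ldapsearch -x -v -LLL -H ldaps://prototype.dachshund.org:636 -D Administrator@dachshund.org -W "(samAccountName=UsersGroup)" member
```

The ldaps:// form additionally needs the DC's issuing CA in the client's TLS_CACERT (ldap.conf) or LDAPTLS_CACERT so the server certificate can be verified rather than blindly accepted.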
Hello,
Well you definitely have a limited environment. BTW, changes to AD are only required if using the Samba packages from VMware and not the latest.... There are two problems here:
1) Authentication: You can use the pam_krb5 modules to do Authentication using kerberos. That aspect of the integration document does not require samba.
2) User/Group Information: Either live without any user/group information from the AD server or implement LDAP. Secure LDAP is the only option here. However, in order to get the information you may have to first be authenticated which in some ways is too far along the process to get useful group information.
I would not use ldap for authentication no matter how you slice it. Kerberos is the better method.
SASL is an option for authentication but not really for group information.
Best regards,
Edward L. Haletky, author of the forthcoming 'VMWare ESX Server in the Enterprise: Planning and Securing Virtualization Servers', publishing January 2008, (c) 2008 Pearson Education. Available on Rough Cuts at http://safari.informit.com/9780132302074
Yes, Kerberos would be the best, which is -k for ldapsearch, but the ldapsearch that VMware provides in the OpenLDAP RPM with the distribution is not enabled for Kerberos, and I cannot use open source unless it is released by VMware as part of the official ESX OS distribution. Maybe VMware will compile a variant of the OpenLDAP RPM that does include ldapsearch with the -k option supported?
BTW, Texiwill, thank you for the suggestions. They may not have solved my issue, but they did help to illustrate options; unfortunately, I am unable to leverage the suggestions, since Samba is off the table, and such.
I could live with SASL, I believe, because all I need is to do the actual ldap query to get the group membership, i.e. the list of samAccountNames from AD for the UsersGroup.
Schor-
I use secure LDAP to search AD and add and remove users from ESX based on group membership. To make this work you WILL need to install some extra RPMs. There is no way around that based on the packages that come with ESX. I wrote a white paper on how to do it, but again you will need to install some RPMs in my method. If you are interested then send me a PM and I will send you my paper.
Steve Beaver
VMTN Forum Moderator
*Virtualization is a journey, not a project.*
Thanks! Yes, very interested. Are these additional RPMs part of the VMware ESX OS distribution? If not, maybe I can get VMware to bless them, so to speak.
Schor-
I use this as part of my standard build and it has been working great for me.
Just to make things easier I will post the doc here.
Steve Beaver
VMTN Forum Moderator
*Virtualization is a journey, not a project.*
Hello,
Still remember not to confuse authentication with group/user information. They are separate processes. You mentioned using ldapsearch -k, which is not something I would use for authentication. The pam_krb5.so that ships with ESX will handle Kerberos-based authentication. I would use this over SASL.
Now, group information is something totally different, and there are only limited ways to get this information. Secure LDAP is most likely your best way but you do need to install non-VMware packages. I would look at pam_ldap.so as a possible option. Otherwise you do not get the group information soon enough. Or just use local groups for the remote users as you will need to create local users in order to login. I have not looked into pam_ldap but as Steve notes it will work.
Steve, thank you for posting the doc! Useful information.
Best regards,
Edward L. Haletky, author of the forthcoming 'VMWare ESX Server in the Enterprise: Planning and Securing Virtualization Servers', publishing January 2008, (c) 2008 Pearson Education. Available on Rough Cuts at http://safari.informit.com/9780132302074
Right, I am only specifically concerned with the actual authentication process/method. The query for group membership is a slam-dunk and not at issue. I think I noted above that if I could use simple binding, I would already be done; I have all other aspects of this effort completed and functional, other than the authentication to execute the LDAP queries as needed.
This should answer your needs to do secure LDAP calls
No points? Tough crowd and at this rate I will never get my brain
Steve Beaver
VMTN Forum Moderator
*Virtualization is a journey, not a project.*
SORRY! Been on Vacation!