-
Notifications
You must be signed in to change notification settings - Fork 36
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Cross domain queries (same Active Directory, different "forest") #409
Comments
Hi @arjan-saly-tfs . Interesting situation. I think that forest are more common than one may think because of enterprises bought by another. Does some users have some accounts in the both trees ? What do you think of having two synchronisation, one for each tree of the forest ? I need to investigate deeper in you use case.
You mean #407 ? I'll take an eye on this too. |
Hi @bersace, We considered separate synchronization for each tree with different search users. It is an last resort option, but not the a preferred one. This is because we're facing more than two trees. Not sure how many we have or need to query, at least 2 probably 3, possibly more. Also, we want to use different search users for the different DTAP-environments (Develop, Test, Acceptance, Production), as well as database uses (different clusters). This is why I would prefer to do all synchronization using one user. Hope you can find a solution that can do with a single user. And yeah, I meant #407 ... |
Update: your answer provided in #407 does let me login to the two different domains using the same search user and binddn. However, now I became aware of another issue: In the config, the uri is defined, directing to domain1. Is that possible? This is what I already tried:
|
It looks like SASL is bound to the domain. I'm wondering if ldap2pg could handle multiple LDAP connection like it handle a connection to each database on Postgres. I mean every parameters are the same, just the domain may vary like a database. I have absolutely no experience like this. That would be good to have simple setup to test this.
By URI, do you mean LDAPURI parameter ? Can you share some redacted ldap2pg.yaml ? It's hard to get it clear. |
Here's a redacted example from the ldap2pg.yml I used to clarify the uri. I meant the "uri:" parameter in the ldap: section. For the first run on domain1, this would be the config:
For the second run on domain2, this would be the config
Using the same username for both. Given new insights provided by other tickets, I wonder if binddn: is relevant here, as this issue only occurs when using SASL. Recently found new information: When running the same config using the docker version, I get the same error but now for both configs. When executing ldap2pg from its docker container, I get the same message on both domains. Hence, even when connecting to the domain where the user is defined. Note that this issue is very related to #406, handling referrals. If ldap2pg can handle referrals by itself, cross domain queries probably will be resolved automatically. On the other hand, this issue may be in the way of handling referrals.... |
binddn is unused with SASL. That would be good if ldap2pg logs about this. You'd better not defining it when using SASL to avoid confusion.
Can you share a redacted verbose output of this execution ?
Yes. For this issue, do you need to specify a different server for each ldapsearches ? Something like this : sync_map:
- ldapsearch:
uri: ldap://domain1.company.com
basedn: ...
roles: "{cn}" |
$ sudo docker run --rm -v ${PWD}/ldap2pg.emea.yml:/workspace/ldap2pg.yml -e VERBOSITY=DEBUG dalibo/ldap2pg
[ldap2pg.config DEBUG] Trying ./ldap2pg.yml.
[ldap2pg.config INFO] Using /workspace/ldap2pg.yml.
[ldap2pg.config DEBUG] Read verbosity from argv.
[ldap2pg.config DEBUG] Read version from YAML.
[ldap2pg.config DEBUG] Read ldap:uri from YAML.
[ldap2pg.config DEBUG] Read ldap:user from YAML.
[ldap2pg.config DEBUG] Read ldap:password from YAML.
[ldap2pg.config DEBUG] Read postgres:dsn from YAML.
[ldap2pg.config DEBUG] Read postgres:databases_query from YAML.
[ldap2pg.config DEBUG] Read postgres:owners_query from YAML.
[ldap2pg.config DEBUG] Read postgres:managed_roles_query from YAML.
[ldap2pg.config DEBUG] Read postgres:roles_blacklist_query from YAML.
[ldap2pg.config DEBUG] Read postgres:schemas_query from YAML.
[ldap2pg.config DEBUG] Read privileges from YAML.
[ldap2pg.config DEBUG] Read sync_map from YAML.
[ldap2pg.config DEBUG] Drop unused hidden privilege __default_execute_on_functions__
[ldap2pg.config DEBUG] Drop unused hidden privilege __execute_on_all_functions__
[ldap2pg.config DEBUG] Drop unused hidden privilege __global_default_execute_on_functions__
[ldap2pg.config DEBUG] Configuration loaded.
[ldap2pg.script DEBUG] Setting up LDAP client.
[ldap2pg.ldap DEBUG] Ignoring: [Errno 2] No such file or directory: '/etc/openldap/ldap.conf'
[ldap2pg.ldap DEBUG] Ignoring: [Errno 2] No such file or directory: '/etc/ldap/ldap.conf'
[ldap2pg.ldap DEBUG] Ignoring: [Errno 2] No such file or directory: '/root/ldaprc'
[ldap2pg.ldap DEBUG] Ignoring: [Errno 2] No such file or directory: '/root/.ldaprc'
[ldap2pg.ldap DEBUG] Ignoring: [Errno 2] No such file or directory: '/workspace/ldaprc'
[ldap2pg.ldap DEBUG] Read PASSWORD from env.
[ldap2pg.ldap DEBUG] Read URI from YAML.
[ldap2pg.ldap DEBUG] Read USER from YAML.
[ldap2pg.ldap DEBUG] Read PASSWORD from YAML.
[ldap2pg.ldap DEBUG] Connecting to LDAP server ldap://emea.company.com.
[ldap2pg.ldap DEBUG] Trying SASL DIGEST-MD5 auth.
[ldap2pg.ldap DEBUG] Authenticating: ldapwhoami -Y DIGEST-MD5 -U username -W
[ldap2pg.script CRITI] Failed to connect to LDAP: {'desc': 'Unknown authentication method', 'errno': 22, 'info': 'SASL(-4): no mechanism available: No worthy mechs found'} |
Unfortunately this doesn't seem to work:
|
The sample YAML was a proposition of a new |
Ah, OK, sorry for misunderstanding.
Might want to take it one step further though by enabling to specify binddn/userid/password as well? |
...
I confirm the bug. The docker image miss some sasl2 modules. I'll patch this. |
@arjan-saly-tfs latest docker image has SASL modules, fixing |
@bersace I tested the new docker image and it SASL now works fine indeed. Thanks for the quick fix! |
That's expected. Thanks for the confirmation. This is a new feature. I'm ok to add multi-ldap-server support in ldap2pg as long as it's the same auth for all servers. |
That feature is a good step toward #406 |
As stated before, I'm not an AD or LDAP expert. But based on what I've learnt the past week on this subject, multi-ldap-server support mainly seems to make sense as an workaround for #406 . Especially if it is "limited" to the same auth for all servers. I do understand this limitation by the way as that'll be the situation for #406 as well. So, if adding multi-ldap-server is really is a good and useful step towards #406 , it would be a good addition. However, if that would mean it will take you longer go reach #406, perhaps focusing on #406 would be more appropriate. |
For your additional information: This week we made the design choice to step away from existing AD groups, define dedicated AD groups for the ldap2pg sync and keep those all in one ldap domain. I have already seen that when a group in domain1 holds members from domain2, they're synchronized fine, This means that for now, there is no urgent need anymore for synchronizing from multiple ldap domains. As I can't predict the future, I think #406 remains a useful addition for future implementations. But at this stage, the urgent need for this to be solved is gone from my end. Thanks for bringing me this far as we now are able to setup a useful standard of synchronizing AD with PostgreSQL thanks to your tool and your help! Please let me know if you want me to test new features like #406 ! |
I need small steps to implement such big feature. Long PR is bad for managing the project. This is why I want #409 before #406. Maybe with a release in-between. |
This is very wise. Provide some kind of LDAP *view" server side is way better : it make synchronization much much faster and simpler to design and configure.
That's very good news for you. I can't warranty delay when contributing to ldap2pg until we have a deal. Dalibo offer 20% of my work time to contribute to the community, that's very fair but it take time.
Yep, I adopted these features in the roadmap. But expect this in a few monthes. |
Did you try |
Hi,
So, we have different domains in our organization, like:
In Active Directory these are defined as different "forests" (I'm not an AD expert, just writing what our expert told me to....).
Regardless of which domain I'm in, logging in to services normally works.
But when querying using ldapsearch, I run into an odd problem:
-- I can connect and search using the -H -D switches and then all works fine, but that doesn't work for ldap2pg
-- When I connect and search using the -Y DIGEST-MD5 -U switches, like ldap2pg does, get this error:
SASL/DIGEST-MD5 authentication started ldap_sasl_interactive_bind_s: Invalid credentials (49) additional info: 8009030C: LdapErr: DSID-0C09058A, comment: AcceptSecurityContext error, data 52e, v4563
Interesting enough, the same issue occurs the other way around. So, when using a user on domain2 ("domain2user"), all works fine on domain2, but I get the same error when trying to connect to domain1. In this case, I can query all details for domain2 groups, but don't get members from domain1 groups.
As we need to synchronize members from both domains, how do I get around this?
Do I really need to create as many AD users as I have domains? Or do you have a different solution?
Note: We're not bound to -Y DIGEST-MD5, -H -D would be fine as well, but I don't know how to configure that in ldap2pg (separate ticket, not being replied on....)
Thanks in advance!
The text was updated successfully, but these errors were encountered: