{"id":388,"date":"2020-10-18T19:50:29","date_gmt":"2020-10-18T19:50:29","guid":{"rendered":"https:\/\/lab.rapternet.us\/?p=388"},"modified":"2020-10-18T19:50:29","modified_gmt":"2020-10-18T19:50:29","slug":"univention-memberof-attribute-saga","status":"publish","type":"post","link":"https:\/\/lab.rapternet.us\/?p=388","title":{"rendered":"Univention memberOf Attribute Saga"},"content":{"rendered":"\n<p>When I initially built the main part of my lab, I wanted to have a Domain Controller for centralized authentication. I decided upon using Univention Corporate Server as my domain controller. I never ended up using it for centralized authentication, though it has been very easy to maintain as a local DNS server to avoid DNS loopback problems with my ISP.<\/p>\n\n\n\n<p>After working with separate accounts on all my services long enough, I decided it would be a good time to move at least some of my core services to use centralized authentication. I spin up and experiment with services often enough that I&#8217;ll never have 100% of it centralized, but the frequently used ones can at least be easier to log in to without memorizing multiple passwords.<\/p>\n\n\n\n<!--more-->\n\n\n\n<p>The first service I worked on for this was Grafana. I had tried getting it to authenticate my admin user previously, but I always had issues getting it to grant me admin in Grafana, since that privilege was based on the user&#8217;s group membership. 
I decided to figure it out this time around.<\/p>\n\n\n\n<p>After running some manual ldapsearch commands on my server, I found the culprit: the memberOf attribute.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">Administrator@ucs:~$ ldapsearch -xLLL -D uid=auth-grafana,cn=users,dc=rapternet,dc=us -W uid=administrator\nEnter LDAP Password:\ndn: uid=Administrator,cn=users,dc=rapternet,dc=us\nuid: Administrator\nkrb5PrincipalName: Administrator@RAPTERNET.US\nuidNumber: 2002\nsambaAcctFlags: [U          ]\nkrb5MaxLife: 86400\ncn: Administrator\nkrb5MaxRenew: 604800\nloginShell: \/bin\/bash\nuniventionObjectType: users\/user\ndisplayName: Administrator\nsambaSID: S-1-5-21-3990746676-2282511386-955537671-500\ngecos: Administrator\nsn: Administrator\nhomeDirectory: \/home\/Administrator\ngidNumber: 5000\nsambaPrimaryGroupSID: S-1-5-21-3990746676-2282511386-955537671-512\nuniventionPolicyReference: cn=default-admins,cn=admin-settings,cn=users,cn=pol\n icies,dc=rapternet,dc=us\ndescription: Built-in account for administering the computer\/domain\nobjectClass: krb5KDCEntry\nobjectClass: univentionPerson\nobjectClass: person\nobjectClass: automount\nobjectClass: top\nobjectClass: inetOrgPerson\nobjectClass: sambaSamAccount\nobjectClass: organizationalPerson\nobjectClass: univentionPWHistory\nobjectClass: univentionMail\nobjectClass: univentionObject\nobjectClass: shadowAccount\nobjectClass: krb5Principal\nobjectClass: univentionPolicyReference\nobjectClass: posixAccount\nuniventionUMCProperty: appcenterSeen=false\nuniventionUMCProperty: udmUserGridView=default\nuniventionUMCProperty: favorites=updater,appcenter:appcenter,udm:computers\/com\n puter,udm:users\/user,udm:groups\/group,udm:dns\/dns\nshadowLastChange: 17459\nmail: administrator@rapternet.us\nmailPrimaryAddress: administrator@rapternet.us<\/pre>\n\n\n\n<p>A bit of Google searching led me to the reason why: the memberOf attribute requires extra configuration (the memberof overlay) to work on OpenLDAP, and that was not the default 
when I initially created my UCS VM.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Univention Corporate Server memberOf Attribute<\/h2>\n\n\n\n<p>UCS versions 4.3-0 and up have the memberOf overlay enabled by default. Since mine was built before that, I have to manually enable it. The process is simple enough with the following commands. The overlay only maintains memberOf for group changes it sees from the moment it is loaded, so the third command rewrites every existing group to back-fill the attribute for current members; the list of modify lines it prints later in this post is exactly that pass.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">ucr set ldap\/overlay\/memberof=yes\nservice slapd restart\n\/usr\/share\/univention-ldap-overlay-memberof\/univention-update-memberof<\/pre>\n\n\n\n<p>I found out that my administrator user couldn&#8217;t run the UCR command, though it could be run as root (my administrator user didn&#8217;t have the right PATH set up to use the UCR terminal command, though maybe that&#8217;s also a legacy upgrade problem).<\/p>\n\n\n\n<p>Since my first attempt to run the UCR command failed, I decided to make the registry update in the web GUI. I found out later that the command was available to the root user (shown below), but I didn&#8217;t try that until after making the changes.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">UCR Terminal Command Problem<\/h2>\n\n\n\n<p>After trying the UCR command and having it fail as my administrator user, I decided to investigate why it didn&#8217;t work.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">Administrator@ucs:~$ ucr\n-bash: ucr: command not found<\/pre>\n\n\n\n<p>I also tried running it as root, and that worked. 
Since I was able to use the ucr command as root, I checked the path UCR was running from.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">root@ucs:\/home\/Administrator# which ucr\n\/usr\/sbin\/ucr<\/pre>\n\n\n\n<p>And yes, my administrator user was missing \/usr\/sbin, where ucr lives, from its PATH.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">Administrator@ucs:~$ echo $PATH\n\/usr\/local\/bin:\/usr\/bin:\/bin:\/usr\/bin\/X11:\/usr\/games<\/pre>\n\n\n\n<p>My root user, on the other hand, had the UCR path included in its PATH variable.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">root@ucs:\/home\/Administrator# echo $PATH\n\/usr\/local\/sbin:\/usr\/local\/bin:\/usr\/sbin:\/usr\/bin:\/sbin:\/bin<\/pre>\n\n\n\n<p>So the &#8220;command not found&#8221; was a PATH lookup problem, not the command being absent. This is something to update later, and is just a side tangent for the current adventure.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">UCR Update<\/h2>\n\n\n\n<p>The UCR WebUI can be found under System \u2192 Univention Configuration Registry. This worked well and was simple enough to do, but I still had to run the update on the command line to build the initial memberOf attribute dataset.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">Administrator@ucs:~$ \/usr\/share\/univention-ldap-overlay-memberof\/univention-update-memberof\nmodify cn=Domain Admins,cn=groups,dc=rapternet,dc=us\nmodify cn=Domain Users,cn=groups,dc=rapternet,dc=us\nmodify cn=Domain Guests,cn=groups,dc=rapternet,dc=us\nmodify cn=Windows Hosts,cn=groups,dc=rapternet,dc=us\nmodify cn=DC Backup Hosts,cn=groups,dc=rapternet,dc=us\nmodify cn=DC Slave Hosts,cn=groups,dc=rapternet,dc=us\nmodify cn=Computers,cn=groups,dc=rapternet,dc=us\nmodify cn=Backup Join,cn=groups,dc=rapternet,dc=us\nmodify cn=Slave Join,cn=groups,dc=rapternet,dc=us\nmodify cn=Authenticated Users,cn=Builtin,dc=rapternet,dc=us\nmodify cn=Enterprise Domain Controllers,cn=groups,dc=rapternet,dc=us\nmodify cn=Domain Controllers,cn=groups,dc=rapternet,dc=us\nmodify cn=Schema Admins,cn=groups,dc=rapternet,dc=us\nmodify cn=Enterprise 
Admins,cn=groups,dc=rapternet,dc=us\nmodify cn=Group Policy Creator Owners,cn=groups,dc=rapternet,dc=us\nmodify cn=Denied RODC Password Replication Group,cn=groups,dc=rapternet,dc=us\nmodify cn=Administrators,cn=Builtin,dc=rapternet,dc=us\nmodify cn=Users,cn=Builtin,dc=rapternet,dc=us\nmodify cn=Guests,cn=Builtin,dc=rapternet,dc=us\nmodify cn=piwigo_users,cn=groups,dc=rapternet,dc=us\nmodify cn=piwigo_admins,cn=groups,dc=rapternet,dc=us\nmodify cn=piwigo_webmasters,cn=groups,dc=rapternet,dc=us<\/pre>\n\n\n\n<p>I then rebooted the system rather than restarting the slapd service (I had other updates that required the restart).<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Checking for the memberOf Attribute<\/h2>\n\n\n\n<p>Using another ldapsearch after the reboot, I wanted to check to make sure everything was enabled properly. Note the trailing \\* + on the command: under OpenLDAP&#8217;s memberof overlay, memberOf is an operational attribute, so a search that only asks for user attributes will not return it even with the overlay enabled. The + requests all operational attributes; naming memberOf explicitly, as in the last search below, works just as well.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">Administrator@ucs:~$ ldapsearch -xLLL -D uid=auth-grafana,cn=users,dc=rapternet,dc=us -W uid=administrator \\* +\nEnter LDAP Password:\ndn: uid=Administrator,cn=users,dc=rapternet,dc=us\nuid: Administrator\nkrb5PrincipalName: Administrator@RAPTERNET.US\nuidNumber: 2002\nsambaAcctFlags: [U]\nkrb5MaxLife: 86400\ncn: Administrator\nkrb5MaxRenew: 604800\nloginShell: \/bin\/bash\nuniventionObjectType: users\/user\ndisplayName: Administrator\nsambaSID: S-1-5-21-3990746676-2282511386-955537671-500\ngecos: Administrator\nsn: Administrator\nhomeDirectory: \/home\/Administrator\nstructuralObjectClass: inetOrgPerson\nentryUUID: 53ddf1e8-121f-1036-9fa4-2b28a36a0e86\ncreatorsName: cn=admin,dc=rapternet,dc=us\ncreateTimestamp: 20160918191037Z\ngidNumber: 5000\nsambaPrimaryGroupSID: S-1-5-21-3990746676-2282511386-955537671-512\nuniventionPolicyReference: cn=default-admins,cn=admin-settings,cn=users,cn=policies,dc=rapternet,dc=us\ndescription: Built-in account for administering the computer\/domain\nobjectClass: krb5KDCEntry\nobjectClass: univentionPerson\nobjectClass: person\nobjectClass: automount\nobjectClass: 
top\nobjectClass: inetOrgPerson\nobjectClass: sambaSamAccount\nobjectClass: organizationalPerson\nobjectClass: univentionPWHistory\nobjectClass: univentionMail\nobjectClass: univentionObject\nobjectClass: shadowAccount\nobjectClass: krb5Principal\nobjectClass: univentionPolicyReference\nobjectClass: posixAccount\nuniventionUMCProperty: appcenterSeen=false\nuniventionUMCProperty: udmUserGridView=default\nuniventionUMCProperty: favorites=updater,appcenter:appcenter,udm:computers\/computer,udm:users\/user,udm:groups\/group,udm:dns\/dns\nshadowLastChange: 17459\nmail: administrator@rapternet.us\nmailPrimaryAddress: administrator@rapternet.us\nentryCSN: 20200830190753.356900Z#000000#000#000000\nmodifyTimestamp: 20200830190753Z\nmemberOf: cn=Domain Admins,cn=groups,dc=rapternet,dc=us\nmemberOf: cn=Domain Users,cn=groups,dc=rapternet,dc=us\nmemberOf: cn=DC Backup Hosts,cn=groups,dc=rapternet,dc=us\nmemberOf: cn=Schema Admins,cn=groups,dc=rapternet,dc=us\nmemberOf: cn=Enterprise Admins,cn=groups,dc=rapternet,dc=us\nmemberOf: cn=Group Policy Creator Owners,cn=groups,dc=rapternet,dc=us\nmemberOf: cn=Administrators,cn=Builtin,dc=rapternet,dc=us\nmemberOf: cn=piwigo_users,cn=groups,dc=rapternet,dc=us\nmemberOf: cn=piwigo_admins,cn=groups,dc=rapternet,dc=us\nmemberOf: cn=piwigo_webmasters,cn=groups,dc=rapternet,dc=us\nmodifiersName: cn=admin,dc=rapternet,dc=us\nentryDN: uid=Administrator,cn=users,dc=rapternet,dc=us\nsubschemaSubentry: cn=Subschema\nhasSubordinates: FALSE<\/pre>\n\n\n\n<p>I finally see the memberOf attribute showing in my LDAP searches, and now at least know that I can get the groups and use them in Grafana, Portainer, etc. 
I can now start reconfiguring some of my services to authenticate against it, using the administrators group that&#8217;s default in UCS as my baseline admin group.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">Administrator@ucs:~$ ldapsearch -xLLL -D uid=auth-grafana,cn=users,dc=rapternet,dc=us -W uid=administrator memberOf\nEnter LDAP Password:\ndn: uid=Administrator,cn=users,dc=rapternet,dc=us\nmemberOf: cn=Domain Admins,cn=groups,dc=rapternet,dc=us\nmemberOf: cn=Domain Users,cn=groups,dc=rapternet,dc=us\nmemberOf: cn=DC Backup Hosts,cn=groups,dc=rapternet,dc=us\nmemberOf: cn=Schema Admins,cn=groups,dc=rapternet,dc=us\nmemberOf: cn=Enterprise Admins,cn=groups,dc=rapternet,dc=us\nmemberOf: cn=Group Policy Creator Owners,cn=groups,dc=rapternet,dc=us\nmemberOf: cn=Administrators,cn=Builtin,dc=rapternet,dc=us\nmemberOf: cn=piwigo_users,cn=groups,dc=rapternet,dc=us\nmemberOf: cn=piwigo_admins,cn=groups,dc=rapternet,dc=us\nmemberOf: cn=piwigo_webmasters,cn=groups,dc=rapternet,dc=us<\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">Conclusion to the memberOf Saga<\/h2>\n\n\n\n<p>This was an interesting adventure into some of the inner workings of my domain controller. Since LDAP isn&#8217;t something I commonly work on, this provided a good amount of insight into debugging the system and some of the other portions of UCS that are there to configure the system.<\/p>\n\n\n\n<p>Not long after getting the attribute set up in LDAP, I was able to authenticate my administrator user against Grafana and get administrative rights in it without any changes to my LDAP configuration on the service. 
My Grafana group configuration was correct all along, with the only problem being a misconfiguration on my UCS LDAP server.<\/p>\n\n\n\n<h1 class=\"wp-block-heading\" id=\"resources\">Resources<\/h1>\n\n\n\n<ul class=\"wp-block-list\"><li><a href=\"https:\/\/www.univention.com\/blog-en\/2020\/02\/how-to-integrate-with-ldap-example-redmine\/\">Integration with LDAP<\/a><\/li><li><a href=\"https:\/\/help.univention.com\/t\/memberof-attribute-group-memberships-of-user-and-computer-objects\/6439\">Univention Documentation of the memberOf enabling<\/a> which also includes documentation on performing the change on a cluster<\/li><\/ul>\n","protected":false},"excerpt":{"rendered":"<p>When I initially built the main part of my lab, I wanted to have a Domain Controller for centralized authentication. I decided upon using Univention Corporate Server as my domain controller. I never ended up using it for centralized authentication, though it has been very easy to maintain for a local DNS server to avoid &hellip; <\/p>\n<p class=\"link-more\"><a href=\"https:\/\/lab.rapternet.us\/?p=388\" class=\"more-link\">Continue reading<span class=\"screen-reader-text\"> &#8220;Univention memberOf Attribute 
Saga&#8221;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[46,45,44,43],"class_list":["post-388","post","type-post","status-publish","format-standard","hentry","category-how-to","tag-authentication","tag-ldap","tag-ucs","tag-univention"],"_links":{"self":[{"href":"https:\/\/lab.rapternet.us\/index.php?rest_route=\/wp\/v2\/posts\/388","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/lab.rapternet.us\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/lab.rapternet.us\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/lab.rapternet.us\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/lab.rapternet.us\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=388"}],"version-history":[{"count":2,"href":"https:\/\/lab.rapternet.us\/index.php?rest_route=\/wp\/v2\/posts\/388\/revisions"}],"predecessor-version":[{"id":390,"href":"https:\/\/lab.rapternet.us\/index.php?rest_route=\/wp\/v2\/posts\/388\/revisions\/390"}],"wp:attachment":[{"href":"https:\/\/lab.rapternet.us\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=388"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/lab.rapternet.us\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=388"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/lab.rapternet.us\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=388"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
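The role decision that the memberOf listings in the post feed into, as an added example that is not part of the original post and not Univention's or Grafana's code: a small parser for ldapsearch's LDIF output, followed by a fail-closed mapping from group DNs to a service role. It goes slightly beyond the post's own output by handling both LDIF encodings a practitioner will meet: folded continuation lines (the `cn=pol` / ` icies` split in the first listing) and base64 `attr::` values. The group DNs are the ones the post shows; the sample LDIF, the `jdoe` and `nooverlay` users, the choice of which groups count as admin, and the role names are constructed assumptions for this example.

```python
"""Parse ldapsearch LDIF output and map memberOf group DNs to a service role.
Added example, not code from the original post, Univention or Grafana: the
group DNs are from the post; SAMPLE_LDIF, the extra users and the role names
are constructed for this example."""
import base64
from typing import Dict, List

# Constructed sample modelled on the post's ldapsearch -LLL output.  It has a
# folded line (continuation starts with one space, like the post's cn=pol /
# icies split), a base64 value ("attr:: ...") and, for the third user, no
# memberOf at all: that is what a search returns when the overlay is off or
# the attribute was not requested.
SAMPLE_LDIF = """\
dn: uid=Administrator,cn=users,dc=rapternet,dc=us
uid: Administrator
univentionPolicyReference: cn=default-admins,cn=admin-settings,cn=users,cn=pol
 icies,dc=rapternet,dc=us
description:: QnVpbHQtaW4gYWNjb3VudA==
memberOf: cn=Domain Admins,cn=groups,dc=rapternet,dc=us
memberOf: cn=Domain Users,cn=groups,dc=rapternet,dc=us
memberOf: cn=Administrators,cn=Builtin,dc=rapternet,dc=us

dn: uid=jdoe,cn=users,dc=rapternet,dc=us
uid: jdoe
memberOf: CN=Domain Users, cn=groups,dc=rapternet,dc=us

dn: uid=nooverlay,cn=users,dc=rapternet,dc=us
uid: nooverlay
"""

# Group DNs from the post; which ones count as admin is this example's choice.
ADMIN_GROUPS = {
    "cn=Domain Admins,cn=groups,dc=rapternet,dc=us",
    "cn=Administrators,cn=Builtin,dc=rapternet,dc=us",
}
VIEWER_GROUPS = {"cn=Domain Users,cn=groups,dc=rapternet,dc=us"}


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """One dict per entry, {attribute (lower-cased): [values]}.  Folded lines are
    joined first; "attr:: base64" values are decoded.  Attribute names are
    lower-cased because LDAP attribute types are case-insensitive."""
    unfolded: List[str] = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]      # continuation of the previous line
        else:
            unfolded.append(line)
    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    for line in unfolded + [""]:          # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#") or line.startswith("version:"):
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed LDIF line: {line!r}")
        if value.startswith(":"):         # attr:: <base64>
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(attr.lower(), []).append(value)
    return entries


def normalize_dn(dn: str) -> str:
    """Canonical DN for comparison: trim around separators and lower-case (cn
    and dc use caseIgnoreMatch).  Assumes no escaped commas in the group
    names, which holds for the post's groups."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def role_for_entry(entry: Dict[str, List[str]]) -> str:
    """Map a user's memberOf set to a role, failing closed: no memberOf values
    means "denied", never a default role, because an empty set is exactly what
    an overlay-less server returns and must not silently become access."""
    groups = {normalize_dn(g) for g in entry.get("memberof", [])}
    if not groups:
        return "denied"
    if groups & {normalize_dn(g) for g in ADMIN_GROUPS}:
        return "admin"
    if groups & {normalize_dn(g) for g in VIEWER_GROUPS}:
        return "viewer"
    return "denied"


def roles_from_ldif(text: str) -> Dict[str, str]:
    """uid -> role for every user entry in an ldapsearch result."""
    return {e["uid"][0]: role_for_entry(e) for e in parse_ldif(text) if "uid" in e}


if __name__ == "__main__":
    for uid, role in roles_from_ldif(SAMPLE_LDIF).items():
        print(f"{uid}: {role}")
```

Running it prints `Administrator: admin`, `jdoe: viewer` and `nooverlay: denied`. The `nooverlay` case is the one worth keeping in mind when wiring this into a service: a server without the overlay (or a query that never asks for the operational attribute) still authenticates the user perfectly well, it just hands back an entry with no groups, which is the symptom the post describes, so whatever consumes the groups should treat "none" as "no access" rather than falling through to a default.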