How to authenticate against ldap.google.com

g-suitegoogle-cloud-identityopenldapsssd

I've set up SSSD and openldap to successfully query ldaps://ldap.google.com. I can use ldapsearch to perform queries and can interact with the directory using both sssctl and getent. Unfortunately all my attempts to authenticate as a user in the directory are met with the INVALID_CREDENTIALS (ldap error code 49). I've reproduce this behavior using a number of clients. I can observe these failures in the LDAP audit log within the GSuite admin console as
LDAP bind with uid=brian,ou=Users,dc=XXX,dc=com failed with INVALID_CREDENTIALS.

My account does have 2 factor enabled but I'm using an application specific password to try and authenticate myself. I've quadruple-checked the password and even created a new one just to test this out. The Google ldap server is behaving as though it can't authenticate.

Any ideas how I can set up secure external authentication against ldap.google.com?

Thx

Best Answer

This is a bit misleading because "INVALID_CREDENTIALS" is actually a much more generic error than it implies. In reality, this usually is the result of a permissions error rather than invalid credentials. I ran into this while configuring a local OpenLDAP server of my own. The problem is likely that your user does not have the permission to bind/authenticate to the LDAPS server in the first place.

The reason that ldapsearch works for getent & sss daemon is because they are probably using either your LDAP administrator credentials, or if you've configured it correctly, your bind proxyuser account. (You should never do bind auth via manager directly).

The issue is caused by your ACLs (access control lists) for LDAP. What you essentially want to do is allow all users to read the full directory (with the exception of sensitive objects like password fields and such.

I don't know what your ACLs look like currently, but what you want to do is begin with the following ACL.

DISCLAIMER: THIS IS NOT SECURE BY DEFAULT

access to *
        by self write
        by users auth
        by users read

Effectively, this allows users to authenticate, and read all objects, as well as overwrite their own user objects so they can do things like change their passwords and such.

Bear in mind that this configuration is only slightly more secure than the default which allows anonymous binds, something no administrator worth his salt should ever allow. You should be VERY strict about what users have access to by setting access controls on specific attributes. This ACL is very open-ended, so you should make sure you go the extra mile to lock it down further.

Properly configured LDAP servers with good schemas already have some built-in security for guarding passwords and other sensitive objects, but you should always verify this.

Go to the documentation and read it thoroughly. LDAP is a huge monster, and it's unfortunately all too easy to mess it up.

https://www.openldap.org/doc/admin24/access-control.html

Related Solutions

Php – How to get PHP to read the .ldaprc file

PHP is running as a different user - eg www-data on Debian/Ubuntu. So you need to put .ldaprc in the home directory of that user.

Ssl – LDAP Client Search with SSL – CentOS7

The following is taken from a working CentOS7 ldap server, and should cover the key aspects of SASL/EXTERNAL(TLS) authentication.
Minors notes:
- The server is also acting as the client in this example.
- This example makes use of ~/.ldaprc rather than /etc/openldap/ldap.conf
- This example uses olcTLSVerifyClient: verify rather than hard because the server is supporting other authentication types in addition to SASL/EXTERNAL(TLS) authentication.

slapd-config

[root@ldap ~]# ldapsearch cn=config olcTLSCACertificateFile olcTLSCertificateFile olcTLSCertificateKeyFile olcTLSVerifyClient
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
# extended LDIF
#
# LDAPv3
# base <cn=config> (default) with scope subtree
# filter: cn=config
# requesting: olcTLSCACertificateFile olcTLSCertificateFile olcTLSCertificateKeyFile olcTLSVerifyClient 
#

# config
dn: cn=config
olcTLSCACertificateFile: /etc/pki/tls/certs/ldap.example.com_CA.crt
olcTLSCertificateFile: /etc/pki/tls/certs/ldap.example.com.crt
olcTLSCertificateKeyFile: /etc/pki/tls/private/ldap.example.com.key
olcTLSVerifyClient: try

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

certificate key permissions

[root@ldap ~]# ls -lZ /etc/pki/tls/private/ldap.example.com.key
-rw-r-----+ root root unconfined_u:object_r:cert_t:s0  /etc/pki/tls/private/ldap.example.com.key

[root@ldap ~]# getfacl /etc/pki/tls/private/ldap.example.com.key
getfacl: Removing leading '/' from absolute path names
# file: etc/pki/tls/private/ldap.example.com.key
# owner: root
# group: root
user::rw-
user:ldap:r--
group::---
mask::r--
other::---

sasl configuration

[root@ldap ~]# cat /etc/sasl2/slapd.conf 
mech_list: external gssapi plain
pwcheck_method: saslauthd

ldap client settings

[root@ldap ~]# cat .ldaprc
URI ldapi:///
BASE cn=config
SASL_MECH external
#TLS_CACERT /etc/ssl/certs/ca-bundle.crt
TLS_CACERT /etc/pki/tls/certs/ldap.example.com_CA.crt
TLS_CERT /etc/pki/tls/certs/ldap.example.com.crt
TLS_KEY /etc/pki/tls/private/ldap.example.com.key

successful SASL/EXTERNAL(TLS) bind

[root@ldap ~]# ldapwhoami -ZZ -h ldap.example.com
SASL/EXTERNAL authentication started
SASL username: cn=ldap.example.com,<cert locality info>
SASL SSF: 0
dn:cn=ldap.example.com,<cert locality info>
[root@ldap ~]# ldapwhoami -H ldaps://ldap.example.com
SASL/EXTERNAL authentication started
SASL username: cn=ldap.example.com,<cert locality info>
SASL SSF: 0

Best Answer

Related Solutions

Php – How to get PHP to read the .ldaprc file

Ssl – LDAP Client Search with SSL – CentOS7

Related Topic