LDAP users go to Lookaside Database

Document ID : KB000009950
Last Modified Date : 14/02/2018
Introduction:

sebuildla cannot retrieve the LDAP users on an AIX box because the LDAP interface used in this case does not allow enumeration of the LDAP users via native OS system calls.

In order to overcome this limitation, sebuildla can use its own LDAP interface, which makes it independent of the enumeration feature of the third-party LDAP interface.

Please note that successful user authentication via LDAP does not necessarily mean that sebuildla is able to enumerate the LDAP users.

Instructions:

1.
Set the following seos.ini file tokens so that CA ControlMinder can find the LDAP service:
ldap_userinfo_ladb = yes
ldap_base, ldap_hostname, and ldap_userdn.

2.
Run
# seldapcred
to store the encrypted LDAP password for the initial bind user you set in ldap_userdn.

3.
(Optional) Set the ldap_port and ldap_timeout tokens for your environment.
The time it takes to retrieve information from the LDAP service depends on how fast the LDAP service is and how much user data is stored in the DIT. Adjust the ldap_timeout token in the [seos] section of the seos.ini file to account for this.

4.
(Optional) If you are using a non-standard schema, set the ldap_uid_attr, ldap_uidNumber_attr, and ldap_user_class tokens.

Finally run

# sebuildla -a -n

to also retrieve the LDAP users into the ladb.
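
As an added example (not part of this article and not code from CA or the sebuildla utility), the following Python script reads the ldap_* tokens from the [seos] section of a seos.ini, checks that the tokens from steps 1 to 3 are present and well-formed, and composes the equivalent ldapsearch query. Running that query with the bind user from ldap_userdn shows whether the account can actually enumerate users under ldap_base, which, as noted in the introduction, a successful LDAP authentication does not prove. The sample [seos] section is constructed, the host and bind DN are placeholders, and the fall-back values used for absent tokens (port 389, posixAccount/uid/uidNumber) are assumptions for the example, not documented sebuildla defaults.

```python
"""Pre-flight check of the seos.ini LDAP tokens that sebuildla -a -n relies on.

Added example; not code from CA or from sebuildla itself.
"""
import configparser
import shlex

# Constructed [seos] section for the example; the host and bind DN are placeholders.
SAMPLE_SEOS_INI = """\
[seos]
ldap_userinfo_ladb = yes
ldap_hostname = mydc
ldap_port = 389
ldap_userdn = CN=sebuildla-bind,CN=Users,DC=example,DC=test
ldap_base = CN=Users,DC=example,DC=test
ldap_uid_attr = sAMAccountName
ldap_uidNumber_attr = uidNumber
ldap_user_class = user
"""

# Tokens step 1 requires so that sebuildla can find and bind to the LDAP service.
REQUIRED_TOKENS = ("ldap_hostname", "ldap_userdn", "ldap_base")

# Assumed fall-backs for optional tokens (standard posixAccount schema, LDAP port 389).
# These are assumptions for this example, not documented sebuildla defaults.
ASSUMED_DEFAULTS = {
    "ldap_port": "389",
    "ldap_user_class": "posixAccount",
    "ldap_uid_attr": "uid",
    "ldap_uidNumber_attr": "uidNumber",
}


def load_seos_ldap_tokens(ini_text):
    """Return the ldap_* tokens of the [seos] section as a dict, names kept as written."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # keep token names case-sensitive (ldap_uidNumber_attr)
    parser.read_string(ini_text)
    if not parser.has_section("seos"):
        raise ValueError("no [seos] section found")
    return {name: value.strip() for name, value in parser.items("seos")
            if name.startswith("ldap_")}


def check_tokens(tokens):
    """Return a list of problems; an empty list means the LDAP part of seos.ini is usable."""
    problems = []
    if tokens.get("ldap_userinfo_ladb", "").lower() != "yes":
        problems.append("ldap_userinfo_ladb must be 'yes', otherwise LDAP users are not added to the ladb")
    for name in REQUIRED_TOKENS:
        if not tokens.get(name):
            problems.append(f"{name} is not set")
    port = tokens.get("ldap_port", ASSUMED_DEFAULTS["ldap_port"])
    if not port.isdigit() or not 0 < int(port) < 65536:
        problems.append(f"ldap_port '{port}' is not a valid TCP port")
    timeout = tokens.get("ldap_timeout")
    if timeout is not None and not timeout.isdigit():
        problems.append(f"ldap_timeout '{timeout}' is not a number")
    return problems


def ldapsearch_command(tokens):
    """Compose the ldapsearch call that mirrors sebuildla's user query.

    Binding with the stored credential (step 2) can succeed while enumeration
    under ldap_base still fails, so this is the query to run before sebuildla -a -n.
    -W prompts for the bind password instead of placing it on the command line.
    """
    t = {**ASSUMED_DEFAULTS, **tokens}
    argv = [
        "ldapsearch", "-x", "-LLL",
        "-H", f"ldap://{t['ldap_hostname']}:{t['ldap_port']}",
        "-D", t["ldap_userdn"], "-W",
        "-b", t["ldap_base"],
        f"(objectClass={t['ldap_user_class']})",  # same filter sebuildla logs: objectClass=<class>
        t["ldap_uid_attr"], t["ldap_uidNumber_attr"],
    ]
    return shlex.join(argv)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            text = fh.read()
    else:
        text = SAMPLE_SEOS_INI
    found = load_seos_ldap_tokens(text)
    for problem in check_tokens(found):
        print("PROBLEM:", problem)
    print("Verify enumeration with:\n ", ldapsearch_command(found))
```

Run it as `python3 seos_ldap_check.py /etc/seos.ini` (the script name is arbitrary); if the printed ldapsearch returns no entries although the bind succeeds, the bind user lacks read access under ldap_base, and sebuildla -a -n will add nothing from the DIT either.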
For example, on x64 Linux with CM 12.81 and MS AD, do the following:

1.) Make sure the openldap-clients and openldap-devel packages are installed and symlink the relevant library:

# rpm -qa | grep -i ldap
openldap-2.4.23-32.el6_4.1.x86_64
pam_ldap-185-11.el6.x86_64
nss-pam-ldapd-0.7.5-18.2.el6_4.x86_64

# ln -s /lib64/libldap-2.4.so.2 /usr/lib/libldap.so


2.) In seos.ini set:

[seos]
ldap_userinfo_ladb = yes
ldap_hostname = mydc
ldap_port = 389
ldap_userdn = CN=Administrator,CN=Users,DC=mydom,DC=ca,DC=com
ldap_base = CN=Users,DC=mydom,DC=ca,DC=com
;; ldap_base = DC=mydom,DC=ca,DC=com   <- there is currently an issue with this value that leads to an error
ldap_verbose = 1
ldap_method = 0
ldap_uid_attr = sAMAccountName
ldap_gid_attr = sAMAccountName
ldap_uidNumber_attr = uidNumber
ldap_gidNumber_attr = gidNumber
ldap_user_class = user
ldap_group_class = group


Confirm the relevant values with an LDAP browser and adjust them in seos.ini according to your environment.


3.) Set the bind password; run in a root shell:
# seldapcred


4.) Execute sebuildla to also process LDAP users and groups:
# sebuildla -a -n
CA ControlMinder: Creating users look-aside database.
CA ControlMinder: Adding data from LDAP DIT to users look-aside database.
Simple authentication to LDAP service (mydc,389) with (CN=Administrator,CN=Users,DC=mydom,DC=ca,DC=com,xxxxx)
loaded 23 user entries prior to adding LDAP data.
Requesting all LDAP entries with filter objectClass=user
found 9 LDAP objects for objectClass=user
LDAP user data:  uidNumber:   1000,  sAMAccountName: Administrator,
...
LDAP user data:  uidNumber:   1010,  sAMAccountName: Tester,
...
Retrieved total LDAP entries: 4
CA ControlMinder: Creating hosts look-aside database using DNS.
CA ControlMinder: Creating services look-aside database.
CA ControlMinder: Creating groups look-aside database.
CA ControlMinder: Adding data from LDAP DIT to groups look-aside database.
Simple authentication to LDAP service (mydc,389) with (CN=Administrator,CN=Users,DC=mydom,DC=ca,DC=com,xxxxx)
loaded 38 group entries prior to adding LDAP data.
Requesting all LDAP entries with filter objectClass=group
found 23 LDAP objects for objectClass=group
...
LDAP group data:  gidNumber:    180,  sAMAccountName:    Wir,
...
Retrieved total LDAP entries: 1


5.) Confirm that the native and LDAP users and groups are present in the ladb:
# sebuildla -U
# sebuildla -G

Additional Information:

Please see
https://docops.ca.com/ca-privileged-identity-manager/12-9-02/EN/reference/utilities/sebuildla-utility-create-a-lookaside-database

Note: CA offered a product named Unix Authentication Broker (UNAB) which allowed enumeration of LDAP users.

For further details please see:
https://docops.ca.com/ca-privileged-identity-manager/12-9-02/EN/implementing/installing-and-customizing-a-unab-host/the-unab-host

Addendum:

For PIM r12.8 SP1 we built a patch (T5C1114) which eliminates the need for a third-party LDAP client.

It recognizes and uses the following new seos.ini tokens (instead of the less powerful ldap_user_class and ldap_group_class tokens used before):

ldap_user_filter
ldap_group_filter

Their values can be any conforming LDAP filter, e.g.:

ldap_user_filter = (objectClass=user)
ldap_group_filter = (objectClass=group)

; ldap_user_filter = (&(objectClass=user)(objectCategory=user))
; ldap_user_filter = (&(objectClass=user)(sAMAccountName=Tester*))
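
As an added example (not CA's code and not part of the T5C1114 patch), here is a small syntax check for ldap_user_filter and ldap_group_filter values. It parses the filter grammar of RFC 4515 (AND, OR, NOT and simple attribute comparisons; extensible matches are not covered) and rejects the common migration mistake of carrying the bare class name from ldap_user_class over into the new token unchanged. The filters it checks are the ones listed above plus a few malformed variants constructed for the example.

```python
"""Syntax check for ldap_user_filter / ldap_group_filter values (RFC 4515 subset).

Added example; not code from CA or from the T5C1114 patch.
"""
import re

# Attribute description: name or OID, optionally with options (e.g. ";binary").
_ATTR = re.compile(r"[A-Za-z0-9][A-Za-z0-9.;-]*")
_OPERATORS = ("~=", ">=", "<=", "=")


class FilterError(ValueError):
    """Raised with the offset and reason when a filter string is malformed."""


def _parse_filter(s, i):
    """Parse one parenthesised filter starting at s[i]; return the index after its ')'."""
    if i >= len(s) or s[i] != "(":
        raise FilterError(f"expected '(' at offset {i}")
    i += 1
    if i >= len(s):
        raise FilterError("unexpected end of filter")
    c = s[i]
    if c in "&|":                       # AND / OR: one or more sub-filters
        i += 1
        count = 0
        while i < len(s) and s[i] == "(":
            i = _parse_filter(s, i)
            count += 1
        if count == 0:
            raise FilterError(f"'{c}' needs at least one sub-filter at offset {i}")
    elif c == "!":                      # NOT: exactly one sub-filter
        i = _parse_filter(s, i + 1)
    else:                               # simple item: attr OP value
        m = _ATTR.match(s, i)
        if not m:
            raise FilterError(f"expected attribute name at offset {i}")
        i = m.end()
        for op in _OPERATORS:
            if s.startswith(op, i):
                i += len(op)
                break
        else:
            raise FilterError(f"expected one of {_OPERATORS} at offset {i}")
        j = s.find(")", i)              # a literal ')' inside a value must be escaped as \29
        if j < 0:
            raise FilterError("item is not closed with ')'")
        if "(" in s[i:j]:
            raise FilterError(f"unescaped '(' in value at offset {i}; escape it as \\28")
        i = j
    if i >= len(s) or s[i] != ")":
        raise FilterError(f"expected ')' at offset {i}")
    return i + 1


def check_ldap_filter(text):
    """Return the stripped filter if it is syntactically valid, else raise FilterError."""
    s = text.strip()
    end = _parse_filter(s, 0)
    if end != len(s):
        raise FilterError(f"trailing characters after the filter at offset {end}")
    return s


def is_valid_filter(text):
    """Boolean wrapper around check_ldap_filter."""
    try:
        check_ldap_filter(text)
        return True
    except FilterError:
        return False


def class_to_filter(object_class):
    """Migration helper: the filter equivalent of an old ldap_user_class / ldap_group_class value."""
    return f"(objectClass={object_class})"


if __name__ == "__main__":
    # Constructed candidates: the filters from this article plus malformed variants.
    candidates = [
        "(objectClass=user)",
        "(objectClass=group)",
        "(&(objectClass=user)(objectCategory=user))",
        "(&(objectClass=user)(sAMAccountName=Tester*))",
        "user",                                          # old token value carried over unchanged
        "(&(objectClass=user)(sAMAccountName=Tester*)",  # missing closing parenthesis
        "(&)",                                           # AND without any sub-filter
    ]
    for cand in candidates:
        try:
            print("OK      ", check_ldap_filter(cand))
        except FilterError as exc:
            print("REJECT  ", cand, "->", exc)
```

Because a rejected filter makes sebuildla retrieve nothing from the DIT rather than fail loudly, checking the token value before running sebuildla -a -n (and raising ldap_verbose) is the quicker way to find a typo in the filter.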
The ldap_verbose token can now be set in the range 0 .. 3.

This feature will be included in every PIM version later than 12.8 SP1.