$ ldapsearch -x \ -b dc=example,dc=com \ -D "cn=<SA-CN>,dc=example,dc=com" \ -w <SA-PASS> \ "(cn=<group-cn>)"
This section provides some guidance for resolving issues with your OpenLDAP integration.
If Console does not save your settings after entering your configuration parameters, it means that Console cannot establish a test connection to your slapd server. To debug the issue:
Verify that your slapd server is accessible to the host machine where Console runs, and that your authentication certs are valid.
Verify that your service account can run queries using ldapsearch.
Verify that your base-dn is valid.
If you do not have a directory service, Console lets you create and manage Twistlock-specific (or local) users and groups. Local users and groups refer to the users and groups created before OpenLDAP was integrated with Twistlock or when OpenLDAP integration is disabled.
ldap group names are case sensitive. |
If you have local users when you enable OpenLDAP integration, Console handles authentication using the following sequence:
Twistlock first tries to authenticate the user with the LDAP server.
If Twistlock fails to authenticate the user with the LDAP server, it tries to authenticate the user with the local database.
Twistlock searches for posixGroups and its memberUid’s. Make sure your group has the posixGroup objectClass.
Query your directory for the group name:
$ ldapsearch -x \ -b dc=example,dc=com \ -D "cn=<SA-CN>,dc=example,dc=com" \ -w <SA-PASS> \ "(cn=<group-cn>)"
Inspect the output and verify that the group object has the required fields. For example, the following output comes from a query for the group ldap-admins. This group has the required posixGroup objectClass, and the the admin_user is listed as a member in the memberUid field.
# ldap-admins, groups, example.com dn: cn=ldap-admins,dc=example,dc=com gidNumber: 500 description: Ldap-admins objectClass: posixGroup objectClass: top cn: ldap-admins memberUid: admin_user
Query the LDAP directory for the group member, and verify all fields are as expected. For example, the uid for John Smith is admin_user, which is also listed in the memberUid field for the ldap-admins group.
# admin_user, example.com dn: cn=admin_user,dc=example,dc=com cn: admin_user givenName: John gidNumber: 500 homeDirectory: /home/users/admin_user sn: Smith loginShell: /bin/sh objectClass: inetOrgPerson objectClass: posixAccount objectClass: top userPassword:: e01ENX00L1VKc1VGTWx3OWprMVA5Rmg2VWpBPT0= uidNumber: 1000 uid: admin_user