On 16.01.2011 13:11, Stefan Schwarz wrote:
Due to the excellent support from Felix I was able to solve this issue and successfully authenticate to our company LDAP server.

In openvas_libraries/misc/openvas_auth.c (Rev 9935) there seems to be support for LDAP and/or AD authentication which can be built with "cmake -DBUILD_WITH_LDAP=ON ." But how can I configure it, e.g. the LDAP URI for binding?
For all of you who want to know the details, here it goes:

1) Use SVN revision >= 9935
Best would be to use the current SVN revision, so that LDAP-related bugs are fixed. You have to build openvas-libraries using:

cmake -DBUILD_WITH_LDAP=ON .

Note: If you like you can download my build environment from our SVN server at https://subversion.unibw.de/public/openvas. It's only tested for Ubuntu, but a simple "make" or "make up" will do. See README for details.
2) Copy openvas-libraries/doc/example.auth.conf to /usr/local/var/lib/openvas/users/.auth.conf as a starting point
This assumes you're running OpenVAS with default directories under /usr/local, which is assumed throughout.
3) Edit .auth.conf according to your LDAP settings
You have to specify at least the following (attribute values are my settings, which will not work for you):

[method:ldap]
order=2
enabled=true
ldaphost=my_ldap_host
authdn=uid=%s,ou=people,dc=RZ,dc=unibw-muenchen,dc=de
role-attribute=uid
role-user-values=user1;user2
role-admin-values=user3

This is the most tricky part. Note that leaving these roles empty will NOT work; you have to define them.
I suggest doing an ldapsearch with binding for testing beforehand, like:

ldapsearch -h my_ldap_host -W -D uid=user3,ou=people,dc=RZ,dc=unibw-muenchen,dc=de uid=user3 dn
Note the exact DN you'll have to specify. This is because OpenVAS will not use an anonymous bind to find out the correct DN of a user. This makes it a little bit uncomfortable in case you have several branches in your LDAP directory. You can find out your DN with an anonymous bind like:

ldapsearch -x -h my_ldap_host uid=user3 dn

Check out which attributes you want to use for allowing users to log in and for defining admin roles. In case you don't want to define special attributes for OpenVAS (just like me) I'd prefer to use uid, but any others (like mail) will also do (yes, multi-value attributes are also supported!). Use ; to specify lists of users. Note that defining an admin will also allow this user to log in without additionally specifying him as a user.
4) Testing with OpenVAS
Any client communication over OMP will do; I used a web client (with gsad running) and also gsa-desktop (on Windows) successfully. In case of trouble you'll have to take a look at the manager's log file, located at /usr/local/var/log/openvas/openvasmd.log. Please note that in current revisions the log configuration has changed and must be enabled by running openvasmd with the verbose option and increasing the log level in /usr/local/etc/openvas/openvasmd_log.conf (see thread at http://lists.wald.intevation.org/pipermail/openvas-discuss/2011-January/002494.html).
In case of success you should see something like:

lib auth: DEBUG:2011-01-27 15h06.30 utc:9265: Authentication trial, order 1, method file -> 1. (w/method)
lib ldap: DEBUG:2011-01-27 15h06.30 utc:9265: LDAP-authenticate: username=user3, host=my_ldap_host, dn=uid=user3,ou=people,dc=RZ,dc=unibw-muenchen,dc=de
lib ldap: DEBUG:2011-01-27 15h06.31 utc:9265: LDAP StartTLS initialized.
lib ldap: DEBUG:2011-01-27 15h06.31 utc:9265: LDAP bind with uid=user3,ou=people,dc=RZ,dc=unibw-muenchen,dc=de successful
lib ldap: DEBUG:2011-01-27 15h06.31 utc:9265: LDAP-search for role-attribute: uid
lib ldap: DEBUG:2011-01-27 15h06.31 utc:9265: LDAP-search for role returned: 0
lib ldap: DEBUG:2011-01-27 15h06.31 utc:9265: LDAP-attribute found: user3
lib ldap: DEBUG:2011-01-27 15h06.31 utc:9265: LDAP-User has role 2
lib ldap:WARNING:2011-01-27 15h06.31 utc:9265: No ruletype specified, using defaults
lib ldap: DEBUG:2011-01-27 15h06.31 utc:9265: User has admin role.
lib ldap: DEBUG:2011-01-27 15h06.31 utc:9265: User has user role.
lib auth: DEBUG:2011-01-27 15h06.31 utc:9265: Authentication trial, order 2, method ldap -> 0. (w/method)
event auth:MESSAGE:2011-01-27 15h06.31 utc:9265: Authentication success for user user3
...
In case of problems, double-check your configuration file from 3). Don't forget to restart openvasmd each time you change the configs!

Hope this helps. Again many thanks to Felix and the whole team for this great piece of software and excellent support.
Stefan
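The steps above amount to a small set of rules for the [method:ldap] section: authdn is a template with %s for the username (OpenVAS binds with it directly, with no anonymous lookup), role lists are ;-separated, empty role lists do not work, and a user listed under role-admin-values may log in without also being listed under role-user-values. The following is an added example, not code from the post or from OpenVAS: a hypothetical offline checker that parses such a section, reports the misconfigurations the post warns about, and shows which roles a given role-attribute value would map to, so a config can be sanity-checked before openvasmd is restarted. The sample config is constructed from the settings quoted in the post; the function names are the example's own.

```python
"""Offline checker for the [method:ldap] section of an OpenVAS .auth.conf.

Hypothetical helper (not part of OpenVAS). It reproduces the rules the post
describes: authdn is a template with %s for the username, role lists are
';'-separated, empty role lists do not work, and an admin may log in without
also being listed as a user.
"""
import configparser
import io

# Constructed sample, modelled on the settings quoted in the post.
SAMPLE_AUTH_CONF = """\
[method:ldap]
order=2
enabled=true
ldaphost=my_ldap_host
authdn=uid=%s,ou=people,dc=RZ,dc=unibw-muenchen,dc=de
role-attribute=uid
role-user-values=user1;user2
role-admin-values=user3
"""

REQUIRED_KEYS = ("ldaphost", "authdn", "role-attribute",
                 "role-user-values", "role-admin-values")


def load_ldap_section(text):
    """Parse the INI text and return the [method:ldap] keys as a dict."""
    # interpolation=None: otherwise configparser rejects the literal "%s" in authdn
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_file(io.StringIO(text))
    if not cp.has_section("method:ldap"):
        raise ValueError("missing [method:ldap] section")
    return dict(cp["method:ldap"])


def split_values(raw):
    """';' separates list entries; blank entries are dropped."""
    return [v.strip() for v in raw.split(";") if v.strip()]


def validate(section):
    """Return a list of problems; an empty list means the section looks usable."""
    problems = []
    for key in REQUIRED_KEYS:
        if key not in section:
            problems.append(f"missing key: {key}")
    if section.get("authdn", "").count("%s") != 1:
        problems.append("authdn must contain exactly one %s placeholder for the username")
    if not split_values(section.get("role-user-values", "")):
        problems.append("role-user-values is empty; at least one user must be defined")
    if not split_values(section.get("role-admin-values", "")):
        problems.append("role-admin-values is empty; at least one admin must be defined")
    if section.get("enabled", "").lower() != "true":
        problems.append("enabled is not 'true'; the ldap method will be skipped")
    return problems


def bind_dn(section, username):
    """The DN a client would bind with for this username (no anonymous lookup).

    The username is substituted verbatim, as in the post's authdn example; a
    real client must escape DN special characters (RFC 4514) before doing this.
    """
    return section["authdn"].replace("%s", username, 1)


def resolve_roles(section, attribute_values):
    """Map the values returned for role-attribute to OpenVAS roles.

    attribute_values: the values the LDAP search for role-attribute returned
    for the bound user (multi-valued attributes are allowed). Admin implies
    user access, as the post notes.
    """
    admins = set(split_values(section["role-admin-values"]))
    users = set(split_values(section["role-user-values"]))
    found = set(attribute_values)
    roles = set()
    if found & admins:
        roles.update({"admin", "user"})
    if found & users:
        roles.add("user")
    return roles


if __name__ == "__main__":
    sec = load_ldap_section(SAMPLE_AUTH_CONF)
    print("problems:", validate(sec))
    print("bind DN for user3:", bind_dn(sec, "user3"))
    print("roles for user3:", resolve_roles(sec, ["user3"]))
```

Run against a copy of your own .auth.conf, the checker flags the two pitfalls the post calls out (empty role lists and a malformed authdn template) before you restart openvasmd and go hunting in openvasmd.log.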
