Enhancement #2727: Configurable AD accounts LDAP subtree - NethServer 6 - NethServer.org

Enhancement #2727

Configurable AD accounts LDAP subtree

Added by Davide Principi over 7 years ago. Updated about 7 years ago.

Status:

CLOSED

Start date:

Priority:

Normal

Due date:

Assignee:

% Done:

100%

Category:

nethserver-samba

Target version:

v6.5

Resolution:

NEEDINFO:

Description

The LDAP search for user accounts is now performed under cn=Users,<base>. Define a prop that allow customization of the search base.

Related issues

Associated revisions

Revision fa461a8f
Added by Davide Principi over 7 years ago

Defaults DB props for Active Directory integration. Refs #2727

AdsRealm: the Kerberos realm name (eg ADNAME.LOCAL)

AdsLdapAccountsBranch: the LDAP branch containing account nodes
(assume cn=Users, if empty)

Revision 2e8d0da8
Added by Davide Principi over 7 years ago

Use smb/AdsLdapAccountsBranch prop as search base in AD. Refs #2727

By default cn=Users,<dcparts> is assumed.

Revision dfd982f2
Added by Davide Principi over 7 years ago

postfix/AdsMapUserPrincipalStatus prop: consider AD user name as valid mail address. Refs #2727

Revision c0fc83f1
Added by Davide Principi over 7 years ago

AD integration: new postfix templates for users and groups. Refs #2727

Configuration of LDAP queries is now in templates

- /etc/postfix/active-directory-users
- /etc/postfix/active-directory-groups

Revision 58662507
Added by Davide Principi over 7 years ago

AD integration: deliver only to enabled users and "security" groups. Refs #2727

Changed the group filter to exclude "distribution" groups. See
http://msdn.microsoft.com/en-us/library/cc245527.aspx

Revision 2f6345f4
Added by Davide Principi over 7 years ago

Active directory: use static configuration. Refs #2729 #2727

- Use DNS A record, to resolve domain controllers IP.
- Enhanced AdsLdapServer prop, allowing specification of PROTO and
PORT.
- Added AdsCredentials DB default.
- Use smb/AdsLdapAccountsBranch as search base for accounts

Revision a20b2104
Added by Davide Principi over 7 years ago

AD added separate group LDAP source. Refs #2727

Revision 6ceaca1a
Added by Davide Principi over 7 years ago

Workgroup module: change AdsLdapAccountsBranch value from UI. Refs #2727

Revision ad134a1f
Added by Davide Principi over 7 years ago

domain-* events: expand Postfix active-directory templates. Refs #2727

Revision 002f55dc
Added by Davide Principi about 7 years ago

Windows network (samba) documentation. Refs #2727

History

#1 Updated by Davide Principi over 7 years ago

Status changed from TRIAGED to ON_DEV
Assignee set to Davide Principi
% Done changed from 20 to 30

#2 Updated by Davide Principi over 7 years ago

see #2729

#3 Updated by Davide Principi over 7 years ago

Dovecot has some troubles when the search base is at the root level

http://www.dovecot.org/list/dovecot/2012-May/083550.html

I suspect it's caused by search references in LDAP response...

#4 Updated by Davide Principi over 7 years ago

Status changed from ON_DEV to MODIFIED
Assignee deleted (~~Davide Principi~~)
% Done changed from 30 to 60

Test case

After upgrading to the modified version

In Windows Network module, set "LDAP accounts branch" field to a value that fits your Active Directory environment

Send a mail message and check it's delivered correctly:

   # echo "Test message" | mail -s "Test AD delivery user" davide.principi@adnethesis.it
   # echo "Test message" | mail -s "Test AD delivery to distribution group" tecnici@adnethesis.it

NOTE: only AD "distribution groups" are fully supported.

As reference, execute the following commands to check for user and group correct mapping:

Ensure the mail domain is handled by NethServer mail server with local delivery (i.e. adnethesis.it)

Initialize kerberos environment for testing:

   # kinit davide.principi@ADNETHESIS.IT
[type password...]

Dovecot: AD user davide.principi exists:

    # doveadm user davide.principi
userdb: davide.principi
  home      : /var/lib/nethserver/vmail/davide.principi
  system_groups_user: davide.principi

Postfix: AD user address davide@adnethesis.it that maps to davide.principi:

    # postmap  -q davide@adnethesis.it ldap:/etc/postfix/active-directory-users 
davide.principi

Postfix: AD distribution group expands to members:

    # postmap  -q tecnici@adnethesis.it ldap:/etc/postfix/active-directory-groups
nicola.rauso,davide.principi

Postfix: AD security group is mapped:

    # postmap  -q secgroup@adnethesis.it ldap:/etc/postfix/active-directory-users 
secgroup

#5 Updated by Davide Principi over 7 years ago

Status changed from MODIFIED to ON_QA
% Done changed from 60 to 70

In nethserver-testing:
nethserver-sogo-1.3.0-3.0gitb0e1dd4b.ns6.noarch.rpm
nethserver-samba-1.4.2-3.0git6ceaca1a.ns6.noarch.rpm
nethserver-mail-server-1.6.4-7.0gitad134a1f.ns6.noarch.rpm

#6 Updated by Davide Principi about 7 years ago

Related to Feature #2751: AD group mail delivery type switch added

#7 Updated by Nicola Rauso about 7 years ago

Assignee set to Nicola Rauso

#8 Updated by Nicola Rauso about 7 years ago

Status changed from ON_QA to VERIFIED
Assignee deleted (~~Nicola Rauso~~)
% Done changed from 70 to 90

Tested: ok

Some additional information:

1) To set correctly "LDAP accounts branch" field, you have to omit domain content attributes (i.e. "OU=Nethesis" instead of "OU=Nethesis,DC=example,DC=org");

2) Remember to check always the email domain configured into Mail module;

3) In AD, distribution groups and security groups DO NOT have mail field set by default: you have to set them up through "AD users and computers" panel.

#9 Updated by Giacomo Sanchietti about 7 years ago

Status changed from VERIFIED to CLOSED
% Done changed from 90 to 100

Released in nethserver-updates:

nethserver-samba-1.4.3-1.ns6.noarch.rpm
nethserver-sogo-1.4.0-1.ns6.noarch.rpm
nethserver-mail-server-1.7.0-1.ns6.noarch.rpm

Also available in: Atom PDF

NethServer 6

Issues

Custom queries