Alternative UPN Suffix

NethServer Version: 7.3.1611
Module: Account provider: Samba Active Directory

Hello!

I want to use NethServer as an alternative for my old Exchange, which manages a lot of different email domains for me and some friends. Some of us use more than one email address in their mailbox.

I have 2 needs:
1. Let the users log in with their email address instead of “user@domain.local”.
2. Get the identity field “Email” (in SOGo and Roundcube Webmail) filled automatically with the primary email address of the user, instead of being filled with “user@domain.local”.

Because I don’t know if changes to the SOGo and Roundcube configs get overwritten by a NethServer update, I decided to go another way.

All my needs can be achieved if I use the alternative UPN suffix feature.

I used a Windows Server to get the configuration into the Samba config of NethServer:
Started the Windows Tool "Active Directory Domains and Trusts"
Connected to the Samba Domain
Properties of "Active Directory Domains and Trusts"
UPN Suffixes
Added all my public email domains

Started "Active Directory Users and Computers"
Created a new user
Selected the (for me) “primary email domain” in the UPN dropdown.

The only thing I would need, is to be able to change the login UPN via the NethServer WebGUI on “Management” - “Users and groups”.
The dropdown could be generated of the list of “Email” - “Domains”. The same list could also fill the UPN configuration in Samba.

Is something like this already implemented in NethServer and I have overlooked it, or, hopefully, could it be easily integrated?

Thanks!

BR
Markus


The Unix account name in NethServer does not reflect the userPrincipalName attribute of AD LDAP. It is composed of {samAccountName attribute} + @ + {sysdomain}, as stated in /etc/sssd/sssd.conf. This configuration is the upstream default.

The default UPN value of AD is equivalent to it.

A shorter form of Unix account name exists too. It does not have the @domain suffix and is partially supported (see [domain/legacy] in sssd.conf).

Most services use the Unix account name (provided by SSSD) but some applications (like sogo, webtop, nextcloud) have their own way (and configuration) to access LDAP directly.

It would be an awesome feature, but we don’t have it as of now because the email identities are provided by individual applications (sogo, roundcube, webtop, thunderbird, evolution, outlook …) and it’s quite impossible to find a generic implementation for it.

For now, the identity configuration must be done by hand.

This is not possible for now, for the same reason.

Could you suggest a smb.conf setup for it?
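As an added illustration of the naming rules described in the reply above (example code, not NethServer's or SSSD's own), this models how the SSSD Unix account name is derived from samAccountName and the sysdomain regardless of the UPN, and shows a login resolver that only accepts a UPN or mail address when it maps to exactly one account. The sysdomain value "domain.local" and the directory entries are constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Optional

SYSDOMAIN = "domain.local"  # {sysdomain} from sssd.conf; assumed value for this example


@dataclass(frozen=True)
class AdUser:
    sam_account_name: str      # samAccountName
    user_principal_name: str   # userPrincipalName, possibly with an alternative UPN suffix
    mail: str                  # primary e-mail address


# Constructed sample directory: "markus" uses an alternative UPN suffix, "anna"
# keeps the default UPN, and "robert" has been given the same mail as "bob".
DIRECTORY: List[AdUser] = [
    AdUser("markus", "markus@example.org", "markus@example.org"),
    AdUser("anna", "anna@domain.local", "anna@example.net"),
    AdUser("bob", "bob@domain.local", "bob@domain.local"),
    AdUser("robert", "robert@domain.local", "bob@domain.local"),
]


def unix_account_name(user: AdUser) -> str:
    """SSSD default from the reply: samAccountName + '@' + sysdomain, UPN ignored."""
    return f"{user.sam_account_name}@{SYSDOMAIN}"


def resolve_login(login: str, directory: List[AdUser] = DIRECTORY) -> Optional[AdUser]:
    """Map a login identifier to exactly one account, or to None.

    Accepted forms: the SSSD Unix account name, the legacy short form without
    an @suffix ([domain/legacy]), and, as an explicit extension, the user's
    userPrincipalName or mail address. If the identifier matches more than one
    account (e.g. a duplicated mail attribute) the login is refused instead of
    silently picking one, so an alternative UPN suffix can never map a user onto
    somebody else's account.
    """
    wanted = login.strip().lower()
    matches = set()
    for user in directory:
        candidates = {unix_account_name(user), user.sam_account_name,
                      user.user_principal_name, user.mail}
        if wanted in {c.lower() for c in candidates}:
            matches.add(user)
    return matches.pop() if len(matches) == 1 else None
```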