Citadel Groupware

An alternative approach could be running Citadel's internal LDAP and configuring NethServer to use it. If it has an RFC2307 schema and anonymous binds, NethServer can consume its accounts.

During installation it’s possible to choose

From the Citadel site about self-contained authentication:
This is also known in some other circles as “black box” authentication. Note that you can use mod_auth_citadel to integrate other applications with Citadel; you don't need LDAP for that.

Self-contained authentication is the mode most sites will want to use. It is by far the easiest because it requires zero maintenance and zero external configuration.

If I understand that right, Citadel doesn't use LDAP in this case.

What about “host system integrated authentication”?

If citadel runs on NethServer, both PAM and nsswitch are already configured!

My main aim is the Nextcloud + extra features around it like:
A good CRM with integration with Asterisk
A fair HRM
Something like Zentyal, Zimbra or Citadel,
Chatting XMPP + Video to complete the package.

To cut the story short, most of the above support LDAP or Active Directory (AD is low priority for me as I do not wish to mix my Microsoft AD with Nextcloud). My Nextcloud will also be partially open to external users, so LDAP is the best choice I could think of unless someone can enlighten me otherwise.

But users created with nethgui when nsdc is installed are not available on the host, only in the container, or am I wrong? These users are not listed in /etc/passwd.

That file is read by the pam_unix backend. However, nethserver-sssd configures the pam_sss module too, so the whole system can also authenticate against AD or OpenLDAP.

A similar configuration applies to /etc/nsswitch.conf.

Hi everyone,

I can only say that there is a lot of confusion around Webtop here.

First, it is actively developed even today, but as already stated elsewhere, we stopped pushing sources in 2011 because we had to focus on our customers and had no time to work with a community.

I personally don’t see the point in comparing Webtop with Citadel, because they are two completely different products, where Webtop is focused on being both a development platform for services and an Exchange/Zimbra/Notes/whatever-business-collaboration-product replacement.

Second, Webtop is a multidomain solution: we have our cloud based customers running around 1000 users inside a multitenant zone, with different domains, different customized instances where needed and login rebranding depending on domain.

Third, we’ve been actively working on Webtop5 in the last couple of years, and are going to release a public beta together with Nethesis shortly (while still maintaining and adding features to wt4 where and when needed).

The fact that the latest git source repos for both wt4 and wt5 are not public yet is just a matter of agreements to be finalized between Sonicle and Nethesis.

I hope you can wait a little bit longer, and resist the urge to push; it’s a very very very busy moment for all of us, focused on publishing the best we can as a starting point with the community.

Thanks,
Gabriele

Tried it. Accountprovider OpenLDAP.
Citadel is starting, but I can’t authenticate.
System does not use native mode authentication.

from messages.log

All logs with sssd are empty.

from slapd.log

Anything relevant?

Is citadmin present in the LDAP tree? Can you set the search base in the Citadel config file?

Can you attach the output of

 ldapsearch -Y EXTERNAL
[root@ns7test3 /]# ldapsearch -Y EXTERNAL
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
# extended LDIF
#
# LDAPv3
# base <dc=directory,dc=nh> (default) with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# directory.nh
dn: dc=directory,dc=nh
objectClass: top
objectClass: dcObject
objectClass: organization
dc: directory
o: Example Org

# People, directory.nh
dn: ou=People,dc=directory,dc=nh
objectClass: top
objectClass: organizationalUnit
ou: People

# Groups, directory.nh
dn: ou=Groups,dc=directory,dc=nh
objectClass: top
objectClass: organizationalUnit
ou: Groups

# locals, Groups, directory.nh
dn: cn=locals,ou=Groups,dc=directory,dc=nh
objectClass: posixGroup
cn: locals
gidNumber: 1003

# libuser, directory.nh
dn: cn=libuser,dc=directory,dc=nh
objectClass: device
objectClass: simpleSecurityObject
cn: libuser
description: libuser management account
userPassword:: e0NSWVBUfSQ2JGZlWWNPMHVYR09EZFhwdG4kNGtGa0hFaVBqVS9ocEtXbW5UeEJ
 Mby9SdkVpS0FZbTZtbnRrVEFsR2dIL2t2djJXTjBNNnZ2T1BCQkFRNTQyWm41bmVJRUw5alRxbG80
 M1U2N1pNcS4=

# pam, directory.nh
dn: cn=pam,dc=directory,dc=nh
objectClass: device
objectClass: simpleSecurityObject
cn: pam
description: pam management account
userPassword:: e0NSWVBUfSQ2JHlrL3cxVVl1VWRRdEVhWXckNDJBbVA4NnFuNW43ajMzVzNqbjQ
 4c0hOTE5LNjE2U0pIaGpBakJCc05OeGxtSy9IcFJJQlBEdU5hQmxrN3ZtTHhqTld5dmNRRVAuZ2lo
 LlJjejZuYTA=

# admin, People, directory.nh
dn: uid=admin,ou=People,dc=directory,dc=nh
uidNumber: 1000
gidNumber: 1001
uid: admin
shadowMax: 99999
shadowWarning: 7
shadowMin: 0
loginShell: /usr/libexec/openssh/sftp-server
homeDirectory: /var/lib/nethserver/home/admin
shadowInactive: -1
shadowExpire: -1
gecos: Administrator
shadowLastChange: 17091
shadowFlag: -1
cn: Administrator
sn: admin
objectClass: posixAccount
objectClass: shadowAccount
objectClass: inetOrgPerson
mail: admin@ns7.lan
userPassword:: e0NSWVBUfSQ2JHRLekxVUWcuYkxlVnNBc1kkckQwdWx6ZlMzd1lxVDl0Skw4L0l
 MZU1HOFdPSDQyd3dRR3kycDVNVHpjcmRYUEFZNm5PR1NhS2J3bU1jdURwVS5PUW9FT095RG1xNmtT
 eXg2VmxOai4=

# citadmin, People, directory.nh
dn: uid=citadmin,ou=People,dc=directory,dc=nh
uidNumber: 1002
gidNumber: 1001
uid: citadmin
shadowMax: 99999
shadowWarning: 7
shadowMin: 0
loginShell: /usr/libexec/openssh/sftp-server
homeDirectory: /var/lib/nethserver/home/citadmin
shadowInactive: -1
shadowExpire: -1
gecos: Citadel
shadowLastChange: 17091
shadowFlag: -1
cn: Citadel
sn: citadmin
objectClass: posixAccount
objectClass: shadowAccount
objectClass: inetOrgPerson
mail: citadmin@ns7.lan
userPassword:: e0NSWVBUfSQ2JC40eUtURzJCamdMRjE2dzUkUk1oUzZlZ2gwWVloWks4eFN5a0V
 zbTlwd1pYR0VaR0x1QTFTM2lWbno0eGdjZWxaenpNcXJKcnRLZVNvNlJoYzBXYktqazdUamlWbE8v
 Zkk1LmpWMzE=

# testuser, People, directory.nh
dn: uid=testuser,ou=People,dc=directory,dc=nh
uidNumber: 1003
gidNumber: 1003
uid: testuser
shadowMax: 99999
shadowWarning: 7
shadowMin: 0
loginShell: /usr/libexec/openssh/sftp-server
homeDirectory: /var/lib/nethserver/home/testuser
shadowInactive: -1
shadowExpire: -1
gecos: Testuser
shadowLastChange: 17092
shadowFlag: -1
cn: Testuser
sn: testuser
objectClass: posixAccount
objectClass: shadowAccount
objectClass: inetOrgPerson
mail: testuser@ns7.lan
userPassword:: e0NSWVBUfSQ2JHhHNlFTRkVzLnkvaFBuQXEkc2FJT28uY2s2cmhFQm5qdHhDN0N
 MbGk1THE2TldzVnZsbUVmTGZLbDd0emgzeGdscnhha3pZSEtaalJObWdScnFEWERyTi95YkZFU29v
 SUI0UXQvajA=

# search result
search: 2
result: 0 Success

# numResponses: 10
# numEntries: 9
[root@ns7test3 /]#

citadmin is present.
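The same check done by parsing the dump rather than reading it by eye: an added Python example (not code from this thread, NethServer or Citadel) that parses ldapsearch LDIF output, unfolds wrapped lines, decodes `::` base64 values and reports which posixAccount entries carry every attribute an RFC2307 consumer such as sssd needs. The embedded LDIF is a constructed sample in the shape of the output above, not the poster's full dump.

```python
import base64
import re
# Constructed sample in the shape of the ldapsearch -Y EXTERNAL output above
# (not the poster's full dump); it includes a wrapped line and a "::" value.
SAMPLE_LDIF = """\
# People, directory.nh
dn: ou=People,dc=directory,dc=nh
objectClass: organizationalUnit
ou: People

# citadmin, People, directory.nh
dn: uid=citadmin,ou=People,dc=directory,dc=nh
uidNumber: 1002
gidNumber: 1001
uid: citadmin
loginShell: /usr/libexec/openssh/sftp-server
homeDirectory: /var/lib/nethserver/home/citadmin
objectClass: posixAccount
userPassword:: e0NSWVBUfSQ2JHNhbHQk
 aGFzaA==
"""
# Attributes an RFC2307 consumer such as sssd expects on every user entry.
RFC2307_USER_ATTRS = ("uid", "uidNumber", "gidNumber", "homeDirectory", "loginShell")


def parse_ldif(text):
    """Return one {attribute: [values]} dict per LDIF entry."""
    unfolded = re.sub(r"\n ", "", text)  # join continuation lines (leading space)
    entries = []
    for block in unfolded.split("\n\n"):
        entry = {}
        for line in block.splitlines():
            if not line or line.startswith("#"):
                continue  # comments and blank lines carry no attribute
            attr, _, value = line.partition(":")
            if value.startswith(": "):  # "attr:: <base64>" form
                value = base64.b64decode(value[2:]).decode("utf-8", "replace")
            entry.setdefault(attr, []).append(value.lstrip())
        if entry:  # skip comment-only blocks such as the trailing "# search result"
            entries.append(entry)
    return entries


def rfc2307_users(entries):
    """Map uid -> attributes missing from each posixAccount entry ([] means complete)."""
    report = {}
    for entry in entries:
        if "posixAccount" in entry.get("objectClass", []):
            uid = entry.get("uid", entry["dn"])[0]
            report[uid] = [a for a in RFC2307_USER_ATTRS if a not in entry]
    return report
```

Feed it the real dump (`ldapsearch -Y EXTERNAL > dump.ldif`, then `rfc2307_users(parse_ldif(open("dump.ldif").read()))`) and any uid mapped to a non-empty list is an account sssd will not resolve.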

It makes sense. I just noticed that while installing Citadel in LDAP mode it asks for the LDAP admin password.
I entered what I thought it was, but I was wrong.
It would be good, since we have an LDAP expert here, to advise how we can retrieve the default NS7 LDAP password.
I do have an LDAP issue with Nextcloud + XMPP that I also seek help on.

Look at the domain accounts panel.

@flatspin that password was declined. I guess it is only a hash, I am not sure…

Correction, that password worked however the user DN should be cn=libuser,dc=directory,dc=nh

Using LDAP Admin, should I set it to anonymous? Correction: I can load the schema and browse the LDAP directory.
Should I select cn=libuser,dc=directory,dc=nh and use the password? Testing the connection works, however when trying to connect I get LDAP error: No such Object!

What am I doing wrong?

@gabriele_bulfon
@davidep

Hello,

I’m very interested in this feature.
Can we have this on NS7?
At least with OpenLDAP (I think it is very hard with Samba AD) and at least different domains (NOT ALIAS DOMAIN).

In this moment I use this kind of configuration on NS 6.8, with SOGo.
First of all, I don’t know if it works on NS7. There are a lot of changes.

TIA,
Gabriel

Sorry, I don’t know how to achieve this on NS6/7; we do it on our XStreamOS based cloud.
Maybe @giacomo or @alefattorini can answer on this specifically for NS.
Webtop itself is prepared to work in a multitenant environment.

Gabriele

Thank you Gabriele for your answer!

NS is designed and built only for one company, but you can use multiple mail domains.
SSSD does support multi-domain authentication, but we have no plan to integrate it.

I’m not sure about this any more :thinking:

We shall investigate…

I know that.

With NS 6.8 I use such configuration (a dedicated email server for multiple and different domains).

I don’t know if it is possible with NS 7.
I will try to test with WebTop and OpenLDAP, but not in the next days.
For now I try to setup NS 7 RC1 as DC/AD.

Thank you both (you and @davidep), for your responses!