I’ve been struggling with this all day, but I finally give up and ask for help.
I just want to use NethServer with an existing OpenLDAP server. Fresh install of NethServer, I apply all updates and then I go straight to the “Users and Groups” section. I select “LDAP” and I fill in the IP address of the LDAP server. I wait while the config gets applied and things get restarted, and when it’s finished, after about 20 seconds, the page gets refreshed and I am left with an empty user table.
I look in /var/log/messages and I see no obvious problem there. It seems to get applied, but nothing seems to happen, no users and groups are pulled. Which, to be honest, does not surprise me, because:
I did not get to specify a bind user and password
I did not get to specify a base dn
Also, there is no way to specify ldaps instead of ldap. (It should work with either in my case.)
I have the feeling that I am missing something…
Is this the correct work flow for what I am trying to achieve?
Me too! Thanks for pointing this out @lucian. I have to add at least some documentation about this!
The default configuration in sssd.conf have some preconditions on the remote LDAP server
rfc2307 schema
anonymous bind is allowed and the LDAP tree can be browsed anonymously
authenticated bind must be protected by STARTTLS
We found the default behavior of sssd is good for our LDAP setup, but of course there can be other variants, too. Can you provide more details about your LDAP server? What are its requirements?
Also can you query the rootDSE?
ldapsearch -h LDAPserver -b "" -s base "(objectclass=*)"
Many thanks for the clarifications! Sorry for the delay in my response, I am mostly on the road these days.
I don’t think that the LDAP tree can be browsed anonymously. When I connect with phpldapadmin anonymously I do not see my users. When I connect authenticated (cn=admin,dc=example,dc=com) then I can see everything.
So I think I need to fix that.
Querying the rootDSE from the OpenLDAP server itself gives the following:
[root@dmz2-hq-buc myuser]# ldapsearch -h localhost -b "" -s base "(objectclass=*)"
ldap_sasl_interactive_bind_s: No such attribute (16)
[root@dmz2-hq-buc myuser]#
[root@dmz2-hq-buc myuser]#
[root@dmz2-hq-buc myuser]#
[root@dmz2-hq-buc myuser]# ldapsearch -x -h localhost -b "" -s base "(objectclass=*)"
# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectclass=*)
# requesting: ALL
#
#
dn:
objectClass: top
objectClass: OpenLDAProotDSE
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
[root@dmz2-hq-buc myuser]#
It seems to be successful, but only with the “-x” switch. Is this the correct/expected output?
Host: 10.31.10.163
User DN: cn=ldapservice,dc=example,dc=com
Password: <empty>
Base DN: dc=directory,dc=nh
Of course, it is easy to correct the NextCloud config, but I guess the idea was to generate the right config autiomatically, since NethServer already has the info.
Generally speaking, reboot is required only to run a new Linux kernel version. Here should not be required.
When testing there are always two scenarios to consider ( /cc @quality_team )
New installation: nethserver-sssd from testing must be installed before configuring the external LDAP provider. No manual action required.
Update existing installation: nethserver-sssd from testing is updated after joining the external LDAP and the “signal-event” command must be issued manually
Next, I installed NextCloud from software center and I checked the LDAP settings page. It looks good, except for Base DN, which is “dc=directory,dc=nh”. And the message was “Configuration incorrect”. Changed Base DN to “dc=example,dc=com”, I got “Configuration OK”, then I checked the users page and it got populated ok.
It’s great that now it’s working! The Base DN propagation from NS to NC still needs to be fixed, though. That being said, I also think the following two features would be very useful:
1.The ability to manually specify the base DN (currently it is implied from the NS host name). This comes in handy when the LDAP server has subdomains. In my case, I have the following structure:
and so on
If I want to have one NS per customer, then I am forced to name them like this: ns-customer1.example.com, ns-customer2.example.com, otherwise NS is unable to connect to the LDAP server. This has many implications, for example when requesting a certificate, when using email etc. Ideally, I could name each NS like this: nethserver.customer1.com, nethserver.customer2.com etc.
2.The ability to specify the base user tree and base group tree. For example, in my case, I could have:
NS host name: nethserver.customer1.com
Base DN: dc-example,dc=com
Base User tree: vd=customer1.com,o=hosting,dc=example,dc=com
Base Group tree: vd=customer1.com,o=hosting,dc=example,dc=com
This way, each customer could have its own NS with access to only its users and groups and the users and groups would have the proper email address (user@customerx.com). Base user tree and base group tree would also need to be propagated to the installed packages, for example in NextCloud LDAP Advanced settings page.