AD / LDAP UID vs UserPrincipalName

v7
activedirectory

(Thorsten) #1

NethServer Version: 7.5
Module: AD / LDAP

Just a strange question:
I do use AD / LDAP within Nethserver from several structures, in most cases UID is required for Authentificatin / Authorisation. But in One Case, UserPrincipalName is required which I can neither resolve nor explain.

-> External Router -> Nethserver AD / LDAP … works with UID of the user, e.g. thorsten as the login
-> Nextcloud -> Nethserver AD / LDAP … works with UID of the user, e.g. thorsten as the login
-> External EcoDMS -> Nethserver AD / LDAP … DOES not work with UID, CN, sAMAccountname but requires UserPrincipalName -> thorsten@ad.nethserver.local
-> External EcoDMS -> Zentyal AD / LDAP … DOES work with UID (parallel installion)

Is there any option to tell the client (or nethserver) to check user against UID instead of UserPrincipalName?

Thank you and best regards
Thorsten


(Davide Principi) #2

It is often mapped to the short user name.

It depends on the client configuration. AD by its side allows LDAP simple binds with DN, samaccountname (with ‘@’ plus any registered domain suffix), UPN…

You could compare the LDAP entries in Zentyal and NethServer databases to see what differs.


(Thorsten) #3

OK … now for the noobs … can you help in easy words :slight_smile:


(Markus Neuberger) #4

You may try to change the ecodms “UID Feld” setting to sAMAccountName:

You may compare Zentyal and Nethserver LDAP fields with an LDAP client, maybe in Zentyal userPrincipalName is just “username” whereas in Nethserver it’s “username@domain.tld”.


(Thorsten) #5

Hi Markus,

yes, thank you. For me wired is the following:

If I enter UID, sAMAccountname, cn or users I do get a valid environment. The test button - see


shows my valid users in the respective group, but I can not log in.

only if I enter UserPrincipalName, the result from the test button is the same (just user@mydomain.tld) and I need to use user@mydomain.tld … I do not get that.

Best regards
Thorsten


(Thorsten) #6

Countercheck:

cn
sAMAccountName
givenName
name
userPrincipalName

are exactly the samme on Zentyal and Nethserver. I do not get why this is different.

Best regards
Thorsten


(Davide Principi) #7

Did you try with ldaps://?

I don’t remember if ssl is required for LDAP simple binds… :thinking:


(Thorsten) #8

no, does not work: Currently I do not have a valid certificate - EcoDMS does not accept self signed certificates …

(usually it would work)

THX and best regards
Thorsten


(Markus Neuberger) #9

You may use a letsencrypt cert:

http://docs.nethserver.org/en/v7/base_system.html#server-certificate

…and put it to the samba container:


(Davide Principi) #10

Another less secure solution is disable ssl requirement, like documented here

https://wiki.samba.org/index.php/Updating_Samba#New_Default_for_LDAP_Connections_Requires_Strong_Authentication

Edit /var/lib/machines/nsdc/etc/samba/smb.conf then restart samba nsdc service

 systemctl -M nsdc restart samba

IIRC in some past discussion a Zentyal user told me that AD LDAP can be browsed anonymously…


Configuring ns ldap for zimbra
(Thorsten) #11

Hi Davide,

yes, I use this option - until I am still in an test environment. Once Nethserver goes completly live, it will serve WWW, POP and IMAP. At that point I will enable strong auth again.

Currently I can not take advantage of letsencrypt as the server must be reachable from the internet. At the moment any open Port on the router points to my old Zentyal installation. Consequently I can not use letsencrypt certifcates until I do a swich. Also this is more difficult as I got new domain names (not only dyndns but a real dns A record with a static IP ) … This is a little blindfold testing…

Best regards
Thorsten


(Davide Principi) #12

Please, if that solves your #support request (even if not perfect), please mark the topic as “solved” (Howto mark a topic as solved).


(Thorsten) #13

Dear Davide,

no it is not solved: I still do not want to use UserPrincipalName. This forces me to authetificate against user@top.level.domain. I do not get why this should be necessary.

I want to authetificate against sAMAccountName or UID (like other clients do) using “user” as the login. According to ECODMS this is caused by Nethserver: ECODMS Support told be that this is a setting on MS-AD servers whicht can be changed.

THX and best regards
Thorsten


(Markus Neuberger) #14

I installed ecoDMS demo, where do I have to login? In the ecoDMS web client?


(Thorsten) #15

Dear Markus,

you do need a client installation on windows or linux (ubuntu preferred). The client installation comes with the connection manager. All three pieces of software (connection manager, client, server) may be installed on the same system. Client and Connection manager require a graphical desktop (windows, Ubuntu, Mac). From the connection manager you can log in to the server. You can find the standand users and passwords on the manual. Default admin ist:
user ecoSIMSAdmin
pwd ecoSIMSAdmin
From the admin panel you can go to users -> LDAP

I hope this helps
Thorsten


(Thorsten) #16

By the way … a very good decision … once you got used to ecodms you will love it. It is my most favorite server at all. stable, robust, comfortable document management…


(Markus Neuberger) #17

I tested it and could reproduce the issue.
I tried parts of the samba config of zentyal on Nethserver and some other smb options but no success.
I analyzed the network traffic and it’s similar but works with Zentyal and doesn’t work with Nethserver.
Giving up for today, but maybe ecodms has some log files that show more…


(Davide Principi) #18

Could you provide more details? What setting is it?