Authentication credential for LDAP

Tripple_Tee · January 17, 2018, 1:48pm

NethServer Version: 7.4.17
Module: Email, SOGo
Hi

I am to setup a NethServer as Email server for a Windows domain. I joined the NethServer to AD directory and it worked however the LDAP bit is not quite finish, like this screen shot

Read a lot of doco but can’t find any instruction on what to fill in the Bind DN and Bind Password
My domain is CMMS.FOUO, the Win server name is MSDC, and the Neth server name is Exchange.

By the way do I need to create a LDAP service account or add new role for the Win16 server ?

My end state is to have SOGo to authenticate with AD user, and possible the XMPP/Jabber chat server service to do the same (authenticate AD user)

After reading some post, their instruction is
Bind DN: cn=ldapservice,cn=Users,dc=cmms,dc=fouo
Bind Password: the password of AD user
but I have the error message “Authentication credentials for LDAP applications
LDAP connection error”

Thanks

happnatious1 · January 17, 2018, 2:10pm

After the last update I too am now getting a warning to enter a Bind DN and Bind Password but it wont let me type anything into those fields.

mrmarkuz · January 17, 2018, 2:14pm

I had to reinstall the AD account provider to get the new user credentials. Is there an easier way?

giacomo · January 17, 2018, 2:16pm

You just need to enter AD credential for an existing user or create a special one.

Take a look here:

http://docs.nethserver.org/en/v7/accounts.html#join-an-existing-active-directory-domain

Tripple_Tee · January 17, 2018, 2:20pm

yes as I described in my original post, I created an account “ldapservice” in the User OU with a never expired password. However the bind fail "Authentication credentials for LDAP applications
LDAP connection error"
Does this user need some special priviledge ?

mrmarkuz · January 17, 2018, 2:25pm

Thanks but I have a local AD and got the warning. The user credentials fields are not editable so the warning was there until I reinstalled local AD.

giacomo · January 17, 2018, 4:18pm

No, but you must use and valid AD syntax, like a full DN or something like user@domain

Tripple_Tee · January 17, 2018, 8:44pm

Like this: cn=ldapservice,cn=Users,dc=cmms,dc=fouo

Or ldapservice@cmms.fouo?

Tripple_Tee · January 17, 2018, 9:55pm

I still can’t get pass this step

I tried with an account ldapservice like this:
cn=ldapservice,cn=Users,dc=cmms,dc=fouo
and
ldapservice@cmms.fouo

and with other accounts. I used the command kinit on Linux to confirm if the Windows account/password to correct.

Please help guys, I haven’t done anything funky with the server yet, this is what I did:
install the Netserver from .iso
join domain, install Email and SOGo
On Win16 server, I created a user sogo
on Neth ran these command:

# config setprop sogod AdsCredentials ‘sogo%PASSWORD’
# signal-event nethserver-sogo-update

mrmarkuz · January 18, 2018, 1:55am

Did you install the AD certificate services on the 2016 server? Here is a howto for 2012 but M$ did not change much:

My account provider settings:

grafik

The Windows Server 2016 AD, here I created a user ldapservice:

grafik

The ldapservice user is not shown in “Users and groups”:

grafik

I installed Sogo and the login with testuser1 worked.

Tripple_Tee · January 18, 2018, 10:10am

I haven’t had the certificate done yet. Will try tomorrow.

I cannot thank you enough for your support. Much faster respond than the IT helpdesk of my comp who got paid to do their job.

giacomo · January 18, 2018, 10:28am

@mrmarkuz you’re saying that you need to enable AC certificate services even if the LDAP connection is in clear text without STARTTLS?

Is this last piece which solved your problem, @Tripple_Tee?

mrmarkuz · January 18, 2018, 11:09am

You are absolutely right, it doesn’t make sense. I thought maybe the LDAP auth bind always does a cert check? Another thing is M$ Windows because I installed these AD cert services and did a reboot and after that everything worked. Maybe the solution is just the REBOOT of the Win Server after joining?

giacomo · January 18, 2018, 1:10pm

There is a probe for SSL support, but if it fails there is a fallback on clear text.

@davidep do you think we should improve the doc? Did you encountered the same behavior on your tests?

davidep · January 18, 2018, 1:25pm

IIRC clear text passwords are allowed in MS AD

https://blogs.technet.microsoft.com/russellt/2016/01/13/identifying-clear-text-ldap-binds-to-your-dcs/

davidep · January 18, 2018, 5:46pm

A post was split to a new topic: Set authentication credentials for LDAP applications

Tripple_Tee · January 19, 2018, 9:53am

I used the ldap://ipaddress instead of FQDN, although the server can resolve the name, somehow Neth couldn’t.
Don’t think the Cert Authority role has anything to do with it, I did install, tested connection, remove the Role and things still work.

mrmarkuz · January 19, 2018, 11:45am

Do you use your Windows Server as DNS on NethServer?

You are right. I can confirm that the AD certificate services are not necessary.

Tripple_Tee · January 20, 2018, 10:48am

The DNS server is on Win16, Netserver point to it for name service.

Now that it works, I am a bit curious how LDAP work. Where is the authentication happen? Nethserver forward the credential to AD to be checked or the LDAP service on Nethserver has a replication of directory credentials ?

mrmarkuz · January 20, 2018, 12:24pm

Yes, there is no replication