Authentication credential for LDAP

remote
v7
activedirectory

(Tripple Tee) #1

NethServer Version: 7.4.17
Module: Email, SOGo
Hi

I am to set up a NethServer as an email server for a Windows domain. I joined the NethServer to the AD directory and it worked; however, the LDAP bit is not quite finished, as in this screenshot:

I've read a lot of docs but can't find any instruction on what to fill in for the Bind DN and Bind Password.
My domain is CMMS.FOUO, the Win server name is MSDC, and the Neth server name is Exchange.

By the way, do I need to create an LDAP service account or add a new role on the Win16 server?

My end state is to have SOGo authenticate AD users, and possibly the XMPP/Jabber chat server service do the same (authenticate AD users).

After reading some posts, their instructions are:
Bind DN: cn=ldapservice,cn=Users,dc=cmms,dc=fouo
Bind Password: the password of the AD user
but I get the error message "Authentication credentials for LDAP applications
LDAP connection error"

Thanks


(Bill ) #2

After the last update I too am now getting a warning to enter a Bind DN and Bind Password, but it won't let me type anything into those fields.


(Markus Neuberger) #3

I had to reinstall the AD account provider to get the new user credentials. Is there an easier way?


(Giacomo Sanchietti) #4

You just need to enter AD credentials for an existing user or create a special one.

Take a look here:

http://docs.nethserver.org/en/v7/accounts.html#join-an-existing-active-directory-domain


(Tripple Tee) #5

Yes, as I described in my original post, I created an account "ldapservice" in the Users OU with a never-expiring password. However, the bind fails: "Authentication credentials for LDAP applications
LDAP connection error"
Does this user need some special privilege?


(Markus Neuberger) #6

Thanks, but I have a local AD and got the warning. The user credentials fields are not editable, so the warning was there until I reinstalled the local AD.


(Giacomo Sanchietti) #7

No, but you must use a valid AD syntax, like a full DN or something like user@domain


(Tripple Tee) #8

Like this: cn=ldapservice,cn=Users,dc=cmms,dc=fouo

Or ldapservice@cmms.fouo?


(Tripple Tee) #9

I still can't get past this step.


I tried with an account ldapservice like this:
cn=ldapservice,cn=Users,dc=cmms,dc=fouo
and
ldapservice@cmms.fouo

and with other accounts. I used the kinit command on Linux to confirm that the Windows account/password is correct.

Please help guys, I haven't done anything funky with the server yet. This is what I did:
install NethServer from the .iso
join the domain, install Email and SOGo
on the Win16 server, I created a user sogo
on Neth I ran these commands:

# config setprop sogod AdsCredentials 'sogo%PASSWORD'
# signal-event nethserver-sogo-update
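As an added example, not NethServer's code and not posted by anyone in this thread, the Python script below shows the two bind-name syntaxes Giacomo refers to (full DN or user@domain, plus the DOMAIN\user form AD also accepts), what an LDAPv3 simple bind actually puts on the wire, and how to read Active Directory's bind response, including the "data 52e"-style sub-code AD appends when a bind fails with invalidCredentials. It uses only the standard library; the server reply is constructed locally, so it runs without a domain controller. The account name and the domain cmms.fouo come from the thread; the password is a placeholder.

```python
"""Added example (not NethServer code): classify an AD bind name, encode an
LDAPv3 simple BindRequest, and decode the BindResponse, including the
"data <hex>" sub-code Active Directory appends to invalidCredentials.
Standard library only; the server side is constructed so it runs offline."""
import re

# ---- minimal BER helpers (LDAP, RFC 4511, uses a BER subset) ----
def _ber_len(n: int) -> bytes:
    if n < 0x80:                                     # short form
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body          # long form

def _tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(value)) + value

def _ber_int(v: int) -> bytes:                       # non-negative INTEGER, sign bit kept clear
    return _tlv(0x02, v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big"))

def _read_tlv(buf: bytes, pos: int):
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first & 0x80:
        nbytes = first & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length

# ---- bind-name syntaxes AD accepts for a simple bind ----
BIND_IDENTITY_FORMS = {
    "dn": re.compile(r"^[A-Za-z][A-Za-z0-9-]*=[^,]+(,[A-Za-z][A-Za-z0-9-]*=[^,]+)*$"),
    "upn": re.compile(r"^[^@\\\s,=]+@[^@\\\s,=]+\.[^@\\\s,=]+$"),
    "down-level": re.compile(r"^[^@\\\s,=]+\\[^@\\\s,=]+$"),
}

def classify_bind_identity(name: str) -> str:
    """Return 'dn', 'upn' or 'down-level', or raise for a bare user name."""
    for form, pattern in BIND_IDENTITY_FORMS.items():
        if pattern.match(name):
            return form
    raise ValueError(f"{name!r} is not a DN, user@domain or DOMAIN\\user")

def encode_bind_request(message_id: int, name: str, password: str) -> bytes:
    """LDAPMessage{ messageID, [APPLICATION 0] BindRequest{ 3, name, [0] simple } }.
    The password goes on the wire as-is: a simple bind is clear text unless the
    session was first protected by StartTLS or LDAPS."""
    bind = (_ber_int(3)                                  # version
            + _tlv(0x04, name.encode("utf-8"))           # name
            + _tlv(0x80, password.encode("utf-8")))      # authentication: [0] simple
    return _tlv(0x30, _ber_int(message_id) + _tlv(0x60, bind))

def encode_bind_response(message_id: int, result_code: int, diagnostic: str = "") -> bytes:
    """Constructed server reply: [APPLICATION 1] BindResponse{ code, matchedDN, diag }."""
    body = (_tlv(0x0A, bytes([result_code]))             # ENUMERATED resultCode (all < 128)
            + _tlv(0x04, b"")                            # matchedDN
            + _tlv(0x04, diagnostic.encode("utf-8")))    # diagnosticMessage
    return _tlv(0x30, _ber_int(message_id) + _tlv(0x61, body))

RESULT_NAMES = {0: "success", 8: "strongerAuthRequired", 32: "noSuchObject",
                49: "invalidCredentials", 53: "unwillingToPerform"}

# AD's well-known AcceptSecurityContext sub-codes, taken from the "data <hex>"
# token of its invalidCredentials diagnostic message.
AD_SUBCODES = {"525": "user not found", "52e": "wrong password", "530": "logon time restriction",
               "531": "workstation restriction", "532": "password expired",
               "533": "account disabled", "701": "account expired",
               "773": "user must change password", "775": "account locked out"}

def decode_bind_response(data: bytes) -> dict:
    tag, msg, _ = _read_tlv(data, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, mid, pos = _read_tlv(msg, 0)
    op_tag, op, _ = _read_tlv(msg, pos)
    if op_tag != 0x61:
        raise ValueError("not a BindResponse")
    _, code, pos = _read_tlv(op, 0)
    _, matched, pos = _read_tlv(op, pos)
    _, diag, _ = _read_tlv(op, pos)
    result = int.from_bytes(code, "big")
    text = diag.decode("utf-8", "replace")
    sub = re.search(r"\bdata ([0-9a-f]+)\b", text)
    return {"message_id": int.from_bytes(mid, "big"), "result_code": result,
            "result": RESULT_NAMES.get(result, f"code {result}"),
            "matched_dn": matched.decode("utf-8", "replace"), "diagnostic": text,
            "ad_reason": AD_SUBCODES.get(sub.group(1)) if sub else None}

if __name__ == "__main__":
    req = encode_bind_request(1, "ldapservice@cmms.fouo", "PLACEHOLDER-PASSWORD")
    print(classify_bind_identity("cn=ldapservice,cn=Users,dc=cmms,dc=fouo"), req.hex())
    # Constructed AD-style failure reply for a wrong password (sub-code 52e).
    reply = encode_bind_response(1, 49, "80090308: LdapErr: DSID-0C09042F, comment: "
                                        "AcceptSecurityContext error, data 52e, v2580")
    print(decode_bind_response(reply))
```

The password bytes appear verbatim inside the encoded request, which is why a simple bind is only as private as the transport underneath it. When the bind fails, the `ad_reason` field tells you whether it was the credentials, the account state or a restriction, which is more useful than the generic "LDAP connection error" the panel shows.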

(Markus Neuberger) #10

Did you install the AD certificate services on the 2016 server? Here is a how-to for 2012, but M$ did not change much:

My account provider settings:

[screenshot]

The Windows Server 2016 AD, here I created a user ldapservice:

[screenshot]

The ldapservice user is not shown in “Users and groups”:

[screenshot]

I installed Sogo and the login with testuser1 worked.


(Tripple Tee) #11

I haven’t had the certificate done yet. Will try tomorrow.

I cannot thank you enough for your support. Much faster response than the IT helpdesk of my company, who get paid to do their job.


(Giacomo Sanchietti) #12

@mrmarkuz you're saying that you need to enable AD certificate services even if the LDAP connection is in clear text without STARTTLS? :confused:

Is this last piece which solved your problem, @Tripple_Tee?


(Markus Neuberger) #13

You are absolutely right, it doesn’t make sense. I thought maybe the LDAP auth bind always does a cert check? Another thing is M$ Windows because I installed these AD cert services and did a reboot and after that everything worked. Maybe the solution is just the REBOOT of the Win Server after joining?


(Giacomo Sanchietti) #14

There is a probe for SSL support, but if it fails there is a fallback on clear text.

@davidep do you think we should improve the doc? Did you encounter the same behavior in your tests?


(Davide Principi) #15

IIRC clear text passwords are allowed in MS AD

https://blogs.technet.microsoft.com/russellt/2016/01/13/identifying-clear-text-ldap-binds-to-your-dcs/
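The Microsoft post linked above describes how a domain controller can be made to log every clear-text or unsigned LDAP bind. As an added example, not NethServer's or Microsoft's code, the Python script below parses such Directory Service event 2889 entries from a constructed text export and summarises which client and identity performed simple binds, which is the check an AD administrator would run after NethServer's SSL probe has fallen back to clear text. It assumes LDAP interface diagnostics have been raised to level 2 (the "16 LDAP Interface Events" value under the NTDS Diagnostics registry key) and that the events were exported as plain text in the shape shown; the sample events, addresses and timestamps are constructed.

```python
"""Added example (not NethServer's or Microsoft's code): summarise Directory
Service event 2889 entries, which a domain controller logs per clear-text
simple bind (Binding Type 0) or unsigned SASL bind (Binding Type 1) once the
'16 LDAP Interface Events' diagnostic is set to 2. Sample data is constructed."""
import re
from collections import Counter

# Documented 2889 wording; everything else in the sample export is made up.
_BODY = ("The following client performed a SASL (Negotiate/Kerberos/NTLM/Digest) LDAP bind "
         "without requesting signing (integrity verification), or performed a simple bind "
         "over a clear text (non-SSL/TLS-encrypted) LDAP connection.")

def _event(ts: str, ip: str, identity: str, btype: int) -> str:
    """Build one event in the plain-text shape assumed by this example."""
    return (f"{ts} Event 2889\n{_BODY}\nClient IP address:\n{ip}\n"
            f"Identity the client attempted to authenticate as:\n{identity}\n"
            f"Binding Type:\n{btype}\n")

# Constructed export: a NethServer-like client at 192.0.2.10 binding with the
# thread's service account, plus an unrelated unsigned SASL bind.
SAMPLE_2889_EXPORT = "".join([
    _event("2018-03-01 08:12:41", "192.0.2.10:50412", "ldapservice@cmms.fouo", 0),
    _event("2018-03-01 08:12:55", "192.0.2.10:50418", "ldapservice@cmms.fouo", 0),
    _event("2018-03-01 09:01:03", "192.0.2.25:61002", "CMMS\\svc-backup", 1),
    _event("2018-03-01 09:30:17", "192.0.2.10:50990", "cn=ldapservice,cn=Users,dc=cmms,dc=fouo", 0),
])

EVENT_RE = re.compile(
    r"(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) Event 2889\n.*?"
    r"Client IP address:\n(?P<ip>[^\n]+)\n"
    r"Identity the client attempted to authenticate as:\n(?P<identity>[^\n]+)\n"
    r"Binding Type:\n(?P<btype>\d+)", re.S)

BINDING_TYPE = {0: "simple bind, clear text", 1: "SASL bind, unsigned"}

def parse_2889_events(text: str) -> list:
    """Extract timestamp, client address, bound identity and bind kind per event."""
    events = []
    for m in EVENT_RE.finditer(text):
        client = m["ip"].rsplit(":", 1)[0]          # drop the ephemeral source port
        events.append({"time": m["ts"], "client": client, "identity": m["identity"],
                       "binding": BINDING_TYPE.get(int(m["btype"]), "unknown")})
    return events

def summarise_clear_text_binds(text: str) -> dict:
    """Count insecure binds per (client, identity, kind) and list the identities
    whose password crossed the network unencrypted (simple binds)."""
    events = parse_2889_events(text)
    counts = Counter((e["client"], e["identity"], e["binding"]) for e in events)
    exposed = sorted({e["identity"] for e in events if e["binding"].startswith("simple")})
    return {"total": len(events), "by_source": dict(counts), "passwords_exposed_for": exposed}

if __name__ == "__main__":
    report = summarise_clear_text_binds(SAMPLE_2889_EXPORT)
    for (client, identity, kind), n in sorted(report["by_source"].items()):
        print(f"{n:3d}  {client:<15} {identity:<45} {kind}")
    print("passwords sent in clear text for:", ", ".join(report["passwords_exposed_for"]))
```

Binding Type 0 is the case this thread is about: the LDAP application bound with a plain password over an unprotected connection, so that password was readable on the network between NethServer and the domain controller. The per-client counts show which hosts to fix (by making StartTLS or LDAPS work instead of relying on the fallback) before tightening the DC's LDAP signing or channel binding policy.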


(Davide Principi) #16

A post was split to a new topic: Set authentication credentials for LDAP applications


(Tripple Tee) #17

I used ldap://ipaddress instead of the FQDN; although the server can resolve the name, somehow Neth couldn't.
I don't think the Cert Authority role has anything to do with it: I installed it, tested the connection, removed the role, and things still work.


(Markus Neuberger) #18

Do you use your Windows Server as DNS on NethServer?

You are right. I can confirm that the AD certificate services are not necessary.


(Tripple Tee) #19

The DNS server is on Win16; NethServer points to it for name service.

Now that it works, I am a bit curious how LDAP works. Where does the authentication happen? Does NethServer forward the credentials to AD to be checked, or does the LDAP service on NethServer have a replica of the directory credentials?


(Markus Neuberger) #20

Yes, there is no replication