Bind to Zentyal LDAP

Bug
, , ,
1

NethServer Version: 7 final
Module:
Hi,
I’m trying to migrate to NS from my old server (Zentyal).
Unfortunately the old server authenticates many services (Mail, Apache, Qnap, Zeroshell …)
I decided to begin to migrate mailboxes leaving authentication on the old LDAP server.
It seemed easy but …

[root@neth ~]# account-provider-test dump
    {
       "startTls" : "",
       "bindUser" : "ebox",
       "userDN" : "ou=Users,dc=zen,dc=xx,dc=xx,dc=xx,dc=it",
       "port" : 389,
       "isAD" : "",
       "host" : "140.xxx.xx.xx",
       "groupDN" : "ou=Groups,dc=zen,dc=xx,dc=xx,dc=xx,dc=it",
       "isLdap" : "1",
       "ldapURI" : "ldap://140.xxx.xx.xx",
       "baseDN" : "dc=zen,dc=xx,dc=xx,dc=xx,dc=it",
       "bindPassword" : "uZlB-xxxxxxxxxxxx",
       "bindDN" : "cn=ebox,dc=zen,dc=xx,dc=xx,dc=xx,dc=it"
    }

[root@neth ~]# config show sssd
sssd=service
    AdDns=
    BaseDN=dc=zen,dc=xx,dc=xx,dc=xx,dc=it
    BindDN=cn=ebox,dc=zen,dc=xx,dc=xx,dc=xx,dc=it
    BindPassword=uZlB-xxxxxxxxxxxxx
    GroupDN=ou=Groups,dc=zen,dc=xx,dc=xx,dc=xx,dc=it
    LdapURI=ldap://140.xxx.xx.xx.xx
    Provider=ldap
    StartTls=disabled
    UserDN=ou=Users,dc=zen,dc=xx,dc=xx,dc=xx,dc=it
    status=enabled

[root@neth ~]# ldapsearch -b dc=zen,dc=xx,dc=xxx,dc=x,dc=it  -h 140.xxx.xx.xx -D uid=admin,ou=Users,dc=zen,dc=xx,dc=xx,dc=xx,dc=it -W

Enter LDAP Password: 
#extended LDIF
#
#LDAPv3
#base <dc=zen,dc=xx,dc=xx,dc=xx,dc=it> with scope subtree
#filter: (objectclass=*)
#requesting: ALL

.........
# search result
search: 2
result: 4 Size limit exceeded

# numResponses: 501
# numEntries: 500

[root@neth ~]# getent passwd admin
admin:*:2121:1901:- -:/home/admin:/usr/sbin/nologin
[root@neth ~]# ldapsearch -H ldap://140.xxx.xx.xx -v -x -b "dc=zen,dc=xx,dc=xx,dc=xx,dc=it" '(uid=admin)' mail
ldap_initialize( ldap://140.xxx.xx.xx:389/??base )
filter: (uid=admin)
requesting: mail 
# extended LDIF
#
# LDAPv3
# base <dc=zen,dc=xx,dc=xx,dc=xx,dc=it> with scope subtree
# filter: (uid=admin)
# requesting: mail 
#

# admin, Users, zen.xx.xx.xx.it
dn: uid=admin,ou=Users,dc=zen,dc=xx,dc=xx,dc=xx,dc=it
mail: admin@xxx.xxx.it

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
[root@neth ~]#

Ok seems to be all right but …

Nothing users, groups only.

And now where do I start? :slight_smile:

Thanks

Emilio

1 Like
2

Could you return all the attributes? I bet the UI search filter requires some adjustments!

3

Ok…

[root@neth ~]# ldapsearch -H ldap://140.164.23.16 -v -x -b "dc=zen,....,dc=it" '(uid=admin)'
ldap_initialize( ldap://140.....:389/??base )
filter: (uid=admin)
requesting: All userApplication attributes
# extended LDIF
#
# LDAPv3
# base <dc=zen,...,dc=it> with scope subtree
# filter: (uid=admin)
# requesting: ALL
#

# admin, Users, zen.....it
dn: uid=admin,ou=Users,dc=zen,...,dc=it
cn: - -
uid: admin
sn: -
loginShell: /usr/sbin/nologin
uidNumber: 2121
gidNumber: 1901
homeDirectory: /home/admin
givenName: -
mail: admin@xxx.xxx.it
mailbox: icb.cnr.it/admin/
userMaildirSize: 0
mailquota: 0
mailHomeDirectory: /var/vmail/
sambaPwdCanChange: 0
sambaLogoffTime: 2147483647
sambaLogonTime: 0
sambaKickoffTime: 2147483647
sambaPasswordHistory: 00000000000000000000000000000000000000000000000000000000
sambaPwdMustChange: 2147483647
sambaPrimaryGroupSID: S-1-5-21-3818554400-921237426-3143208535-513
sambaSID: S-1-5-21-3818554400-921237426-3143208535-5242
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: passwordHolder
objectClass: CourierMailAccount
objectClass: usereboxmail
objectClass: fetchmailUser
objectClass: sambaSamAccount
objectClass: systemQuotas
sambaAcctFlags: [UD]
sambaHomePath: \\zen\admin

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
[root@neth ~]#

with root DN …

# postmaster, Users, zen......it
dn: uid=postmaster,ou=Users,dc=zen,....,dc=it
cn: postmaster icb
uid: postmaster
sn: icb
loginShell: /usr/sbin/nologin
uidNumber: 2171
gidNumber: 1901
homeDirectory: /home/postmaster
userPassword:: e1NIQX01aGY3QlFwVEZDS0pZd3NmQ0pVVmo4WmRRQzA9
eboxSha1Password: {SHA}5hf7BQpTFCKJYwsfCJUVj8ZdQC0=
eboxMd5Password: {MD5}gVIE29SvrI7fYTUGpCkT1w==
eboxLmPassword: 4E813A3EC97D23031C6E2D49017F4B3B
eboxNtPassword: 5976D48D3AD41AA4C07BFB1D58CC0AE9
eboxDigestPassword: {MD5}ATrgQBRQidAz88coOIwquw==
eboxRealmPassword: {MD5}013ae040145089d033f3c728388c2abb
givenName: postmaster
sambaPwdCanChange: 0
sambaLogoffTime: 2147483647
sambaLogonTime: 0
sambaAcctFlags: [UD]
sambaKickoffTime: 2147483647
sambaPasswordHistory: 00000000000000000000000000000000000000000000000000000000
sambaPwdLastSet: 1302881841
sambaPwdMustChange: 2147483647
sambaPrimaryGroupSID: S-1-5-21-3818554400-921237426-3143208535-513
sambaLMPassword: 4E813A3EC97D23031C6E2D49017F4B3B
sambaNTPassword: 5976D48D3AD41AA4C07BFB1D58CC0AE9
sambaSID: S-1-5-21-3818554400-921237426-3143208535-5342
mail: postmaster@.......it
mailbox: ........it/postmaster/
userMaildirSize: 0
mailquota: 0
mailHomeDirectory: /var/vmail/
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: passwordHolder
objectClass: sambaSamAccount
objectClass: CourierMailAccount
objectClass: usereboxmail
objectClass: fetchmailUser
objectClass: systemQuotas
sambaHomePath: \\zen\postmaster

# postmaster@........it, mailalias, postfix, zen........r.it
dn: mail=postmaster@........it,ou=mailalias,ou=postfix,dc=zen,.....,dc=it
objectClass: CourierMailAlias
objectClass: account
uid: postmaster@......it
mail: postmaster@.......r.it
maildrop: postmaster@.......it
1 Like
4

Thank you very much! You gave me back the right information.

The Server Manager LDAP client has a bug: its filter queries the shadowAccount objectClass. I guess it is required to gather password aging values. However RFC2307 is about “posixAccount” objectClass and we must honor it!

So you hit a bug! Can you help me to fix it?

1 Like
5

Sure, tell me what you need. But keep in mind that I’m not a programmer, just an ‘old’ system engineer :slight_smile:

4 Likes
6

/usr/libexec/nethserver/list-user (line 67):

- 'filter' => '(objectClass=shadowAccount)',
+ 'filter' => '(objectClass=posixAccount)',

Schermata del 2017-02-24 17-43-11.png775×418 77.9 KB

works but of course I have no idea what will happen now …

3 Likes
7

Congrats! This is the workaround :heart_eyes:

Now I’m waiting for your PR on GitHub

8

Hi @gondrano, I’ve just filed a new bug: could you have a glance at it?

Just two additional questions:

Which version of Zentyal are you using? (could help the QA phase)

I see Zentyal has an admin user. In a NethServer shell, could you paste the output of

getent passwd admin
getent passwd admin@$(hostname -d)
9

Emilio! Thanks for your support, that’s a useful scenario to document #howto ! Please write down some notes once it works well.

10

2 posts were split to a new topic: Zentyal 2 LDAP as accounts provider