Connect to ActiveDirectory Windows Server 2008

So, NS is false advertising then? It CLEARLY states that AD and email addresses will be imported from AD and now you, as part of the Dev Team, are saying that is factually FALSE? Perhaps you are mistaken? Or I am not reading this correctly?

From the Administrator Manual:
"The Email module integrates with an Active Directory (AD) environment, if Active Directory member role is enabled in Windows Network page.
To make NethServer work with the external LDAP database provided by Active Directory, the following rules apply:

Only enabled accounts are considered (userAccountControl attribute).
IMAP and SMTP login name is the value of sAMAccountName attribute.
Email addresses associated with an user are the values of mail…"

You're not reading correctly, the manual states that "The Email module integrates with an Active Directory (AD) environment", no one talked about importing :wink:
NS reads the users directly from the AD server and no local copy is made. Also, the manual talks about Email modules, not a full integration.

Please be patient, we are working very hard on the next release to create the best user experience for anybody who wants to play with AD :slight_smile:


The documentation probably isn't clear enough, as @giacomo already said NethServer 6.x can't live alone without an AD active, so we're speaking about syncing and not importing

What is the purpose of "integrating" with an AD server and mentioning emails if NS does nothing with that information? Sure, I understand the point of joining the domain for purely security reasons. But what value beyond that is there? Why set false expectations?

I disagree wholeheartedly and so does everyone I have shown this document to. We all read it as NS will use AD and pull the email addresses directly. One stop shopping so-to-speak. If I were NS, I would change the manual immediately to be clear that while you can have NS "talk" to AD, there is no exchange of information. And include a line like: "NS will not import, sync, or otherwise communicate with AD for anything other than domain membership. Admins will still need to manually populate users and emails into NS." THAT IS A FAIR STATEMENT.

Maybe we didn't explain ourselves well enough.
I will try with an example, feel free to ask more!

You have a NS and an AD server acting as PDC of the LAN.
NS is joined to the AD.
NS can act as Mail Server and Web Content Filter using users from AD, but you always need to manage the users from AD server.

Example for Mail Server:

  • Join NS to the AD
  • Install the mail server
  • Create a user goofy on AD
  • Add an email field to goofy user on AD
  • NS is automatically configured to receive mails for the goofy user

Example for Web Content Filter:

  • Join NS to the AD
  • Install the web content filter
  • Create a user goofy on AD
  • On NS create a web content profile for the goofy user (you should see the user from NS web interface)
  • NS will filter the web for the goofy user

If that is the case, it is the best news I have heard all week!!! However, the "automatically configured" part is not working. Like I said earlier, I can do a wbinfo -u on the NS and see the users. But when trying to log in to the email portal, nothing works.

This is I believe the final step of my implementation. If someone could explain how to get NS to read the email addresses from AD and then send/receive for those addresses, my life would be great! Right now, I am stuck at "* NS is automatically configured to receive mails for the goofy user"

For background, we do have the email addresses listed properly in the AD entry.

I think @davidep can help us on this!

Hi @chrisg, if "email portal" is SOGo, one further configuration step is required. Some info is from this post:

No luck. Does any user actually have AD integrated with NethServer? I'm curious if I am chasing a rabbit here. I've done everything suggested but still no luck.

I try to recap the situation:

  • ads join is OK, and winbind lists the domain accounts. I guess also getent passwd does the same.

  • Login on SOGo fails, even after it has been configured with the right permissions to bind the AD LDAP service.

Now it might help to verify if domain users can access their mailboxes with IMAP. Does it work?

Hi David,

Yes, you are right so far. When trying to login, SOGo spins a little when you hit enter so it is doing something. I can completely login with an email account created directly in NS so SOGo works.

IMAP works for the NS user but none of the AD users.

Can you see any relevant line in /var/log/imap?

May 2 14:53:50 mail dovecot: imap: Error: Internal auth failure (client-pid=27959 client-id=1)
May 2 14:53:50 mail dovecot: imap-login: Internal login failure (pid=27959 id=1) (internal failure, 1 succesful auths): user=, method=PLAIN, rip=172.30.0.3, lip=192.168.202.42, mpid=27962, TLS: Disconnected, session=<KWSSK+IxZACsHgAD>

May 2 14:54:13 mail dovecot: imap: Error: Internal auth failure (client-pid=28065 client-id=1)
May 2 14:54:13 mail dovecot: imap-login: Internal login failure (pid=28065 id=1) (internal failure, 1 succesful auths): user=, method=PLAIN, rip=172.30.0.3, lip=192.168.202.42, mpid=28066, TLS, session=<Q0noMeIx+wCsHgAD>

From the 10user_source_active_directory config file for SOGo:

push @sogoUserSources, qq(
id = AD_Users;
type = ldap;
CNFieldName = cn;
IDFieldName = sAMAccountName;
#IDFieldName = mail;
UIDFieldName = sAMAccountName;
IMAPLoginFieldName = mail;
canAuthenticate = YES;
bindDN = "CN=$sogoCredentials[0],CN=Users,$adsBasePath";
bindPassword = "$sogoCredentials[1]";
baseDN = "$baseDN";
bindFields = (mail,
sAMAccountName,
);
hostname = $adsLdapServer;
filter = "(objectClass=''user'')";
scope = SUB;
displayName = "$adsRealm users";
isAddressBook = YES;
);

I checked AD and the mail attribute is set properly. So is the sAMAccountName.

mail=user2@myamrg.com
sAMAccountName = user2

Interestingly, uid is not set to anything in AD.
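The log excerpt above shows "Internal login failure" with an empty user= field, which is a different signal from a rejected password. The following script is an added example (not from the thread or from NethServer) that parses dovecot /var/log/imap lines in the format quoted above and separates server-side internal failures from credential rejections and successful logins; the sample lines are constructed, with the first three copied from the thread's format.

```python
import re
from collections import Counter

# Constructed sample in the format dovecot writes to /var/log/imap.
# Lines 1-3 mirror the thread's "Internal login failure" entries;
# lines 4-5 are constructed "auth failed" and successful-login entries.
SAMPLE_LOG = """\
May 2 14:53:50 mail dovecot: imap: Error: Internal auth failure (client-pid=27959 client-id=1)
May 2 14:53:50 mail dovecot: imap-login: Internal login failure (pid=27959 id=1) (internal failure, 1 succesful auths): user=, method=PLAIN, rip=172.30.0.3, lip=192.168.202.42, mpid=27962, TLS: Disconnected, session=<KWSSK+IxZACsHgAD>
May 2 14:54:13 mail dovecot: imap-login: Internal login failure (pid=28065 id=1) (internal failure, 1 succesful auths): user=, method=PLAIN, rip=172.30.0.3, lip=192.168.202.42, mpid=28066, TLS, session=<Q0noMeIx+wCsHgAD>
May 2 14:55:01 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<user2>, method=PLAIN, rip=10.0.0.9, lip=192.168.202.42, TLS, session=<abc>
May 2 14:55:30 mail dovecot: imap-login: Login: user=<localuser>, method=PLAIN, rip=10.0.0.9, lip=192.168.202.42, mpid=28100, TLS, session=<def>
"""

# syslog timestamp, host, "dovecot:", process name, free-text message
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ dovecot: (?P<proc>[\w-]+): (?P<msg>.*)$"
)
# key=value pairs; values may be empty (user=) or angle-bracketed (session=<...>)
KV_RE = re.compile(r"(\w+)=(<[^>]*>|[^,\s]*)")

def classify(msg):
    """Map a dovecot message to an outcome category."""
    if msg.startswith("Login:"):
        return "success"
    if "Internal login failure" in msg or "Internal auth failure" in msg:
        # backend problem (PAM/winbind/keytab), not a wrong password
        return "internal_failure"
    if "auth failed" in msg:
        return "auth_failed"  # credentials rejected by the auth backend
    return "other"

def summarize(log_text):
    """Return per-category counts, auth_failed counts per client IP,
    and (timestamp, rip, user) for each internal imap-login failure."""
    by_category, failed_by_rip, internal = Counter(), Counter(), []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        cat = classify(m["msg"])
        by_category[cat] += 1
        fields = dict(KV_RE.findall(m["msg"]))
        rip = fields.get("rip", "?")
        if cat == "auth_failed":
            failed_by_rip[rip] += 1
        elif cat == "internal_failure" and m["proc"] == "imap-login":
            internal.append((m["ts"], rip, fields.get("user", "")))
    return {"by_category": dict(by_category),
            "auth_failed_by_rip": dict(failed_by_rip),
            "internal_failures": internal}
```

A run of internal_failure entries with an empty user= points at the server's auth backend rather than at the client, while a high auth_failed count from one rip is the pattern to watch for password guessing.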

So, let's concentrate on IMAP! I guess the dovecot keytab file has some kind of issue…

Remove it:

rm -vf /var/lib/dovecot/krb5.keytab

Re-create it, and look at the command exit status:

/usr/libexec/nethserver/smbads initkeytab
echo $?

Then

service dovecot restart

Finally try to login again on IMAP. I hope it helps!

@chrisg I am interested in how your join is going.