Join AD gives an error and login to sogo is not possible

NethServer Version: 7.8.2003
Module: Samba
Hi,
if I try to join a new NethServer installation to an existing MS AD (tried with Server 2008 R2 and Server 2019) I get an error message.

If I copy the command to a shell I get the following:

[root@groupware ~]#  echo '{"action":"remote-ad","AdRealm":"jonasFS.lokal.jonas-farbenwerke.de","AdUsername":"MyBindUser@MyDomain","AdPassword":"MyBindPassword"}' | /usr/bin/setsid /usr/bin/sudo /usr/libexec/nethserver/api/system-accounts-provider/update | jq
{
  "steps": 3,
  "pid": 25230,
  "args": "",
  "event": "nethserver-sssd-leave"
}
{
  "step": 1,
  "pid": 25230,
  "action": "S01nethserver-sssd-leave",
  "event": "nethserver-sssd-leave",
  "state": "running"
}

{
  "progress": "0.33",
  "time": "2.314365",
  "exit": 0,
  "event": "nethserver-sssd-leave",
  "state": "done",
  "step": 1,
  "pid": 25230,
  "action": "S01nethserver-sssd-leave"
}
{
  "step": 2,
  "pid": 25230,
  "action": "S02nethserver-sssd-cleanup",
  "event": "nethserver-sssd-leave",
  "state": "running"
}
{
  "progress": "0.67",
  "time": "0.382661",
  "exit": 0,
  "event": "nethserver-sssd-leave",
  "state": "done",
  "step": 2,
  "pid": 25230,
  "action": "S02nethserver-sssd-cleanup"
}
{
  "step": 3,
  "pid": 25230,
  "action": "S05generic_template_expand",
  "event": "nethserver-sssd-leave",
  "state": "running"
}
{
  "progress": "1.00",
  "time": "0.232682",
  "exit": 0,
  "event": "nethserver-sssd-leave",
  "state": "done",
  "step": 3,
  "pid": 25230,
  "action": "S05generic_template_expand"
}
{
  "pid": 25230,
  "status": "success",
  "event": "nethserver-sssd-leave"
}
{
  "type": "EventFailed",
  "id": 1592394663,
  "message": " * Resolving: _ldap._tcp.jonasfs.lokal.jonas-farbenwerke.de\n"
}
[root@groupware ~]#

After reloading the page I can change the provider settings and have to enter the bind credentials again.
If I save this I can see all users but can’t use them to log in to SOGo, except the administrator.
I also tried to change the organisation unit in sogo.conf (of course with a template), but this didn’t work either. This is my template:

  /* 45 AD authentication */
    SOGoUserSources =(
     {
        id = AD_Users;
        type = ldap;
        CNFieldName = cn;
        IDFieldName = sAMAccountName;
        UIDFieldName = sAMAccountName;
        IMAPLoginFieldName = userPrincipalName;
        canAuthenticate = YES;
        bindDN = "CN=administrator,ou=Users,dc=MyDomain,dc=local";
        bindPassword = "MyBindPassword";
        baseDN = "OU=Verwaltung,dc=MyDomain,dc=local";
        bindFields = (
                sAMAccountName,
                userPrincipalName
            );
        hostname = ldap://AD.MyDomain.local;
        filter = "(objectClass='user') AND (sAMAccountType=805306368)";
        MailFieldNames = ("userPrincipalName");
        scope = SUB;
        displayName = "MyDomain.local users";
        isAddressBook = YES;
     },
     {
        id = AD_Groups;
        type = ldap;
        CNFieldName = name;
        IDFieldName = sAMAccountName;
        UIDFieldName = sAMAccountName;
        canAuthenticate = YES;
        bindDN = "CN=administrator,ou=Users,dc=MyDomain,dc=local";
        bindPassword = "MyBindPassword";
        baseDN = "OU=Verwaltung,dc=MyDomain,dc=local";
        hostname = ldap://AD.MyDomain.local;
        filter = "(objectClass='group') AND (sAMAccountType=268435456)";
        MailFieldNames = ("mail");
        scope = SUB;
        displayName = "MyDomain.local groups";
        isAddressBook = YES;
     }
    );

Sorry @m.traeumner… my laptop screen is locked to 1366 x 768 as resolution and I don’t know German. :frowning:
Sadly I can only ask…

  • can Nethserver solve the DNS name of AD?
  • why use AD join instead of LDAP?
  • which is the use of this installation?

Looks like the bind failed, cannot help you with that…

After the AD bind is okay, keep in mind that for SOGo the IMAPLoginFieldName = userPrincipalName may not be correct on an MS AD…

You may need to set the esmith-database property to a matching value.
https://docs.nethserver.org/en/v7/sogo.html#esmith-database

EDIT:
Did you try signal-event nethserver-sogo-update after the AD bind seems to be okay?
It might set SOGo up with the working sssd configuration.

Sorry, I will post the English one tomorrow, I didn’t think about it.

Yes it can, the AD is also the DNS for nethserver.

Can I do an LDAP join to an AD?

Nethserver is for squid and sogo in a windows domain.

No, I only restarted sogod service.

The mail-server itself runs on the windows instance or on the nethserver setup?

It’s running at the windows server. It’s hmail.

I can’t reproduce it: yesterday I tried it and always got the error; today it’s gone. So I only have the SOGo problem.

Nethserver-sogo is intended to work with the local (NethServer) mail server. It even pulls it in as a dependency.

Not saying it is impossible, but you may need a couple of custom templates for this. And not sure if it is worth the trouble.

We didn’t need sogo for mails, only for calendar and address book.

Not sure if that works or is a good idea. Note that the SOGo setup is integrated with the local mail server:

Hi Mark,
sorry for the late response, but I had to test a lot. For a “normal” AD with cn=users this configuration works. The AD authentication part looks like the one NethServer creates automatically. The mail part is not the same, but I didn’t touch it, because I don’t use it. Here is my mail part:

/* 20 Mail */
    SOGoDraftsFolderName = "Drafts";
    SOGoSentFolderName = "Sent";
    SOGoTrashFolderName = "Trash";
    SOGoJunkFolderName = "Junk";
    SOGoIMAPServer = "localhost";
    SOGoSieveServer = "sieve://localhost:4190";
    SOGoSMTPServer = "127.0.0.1:10587";
    SOGoMailDomain = "MyDomain";
    SOGoSMTPAuthenticationType = "PLAIN";
    SOGoMailingMechanism = "smtp";
    NGImap4ConnectionStringSeparator = "/";

For the Organization unit I created a custom template:

{
    use NethServer::SSSD;
    my $sssd = new NethServer::SSSD();

    my $baseDN = $sssd->baseDN();
    my $bindDN = $sssd->bindDN();
    $bindDN =~ s/\\/\\\\/g;
    my $userDN = $sssd->userDN();
    my $groupDN = $sssd->groupDN();
    my $bindPassword = $sssd->bindPassword();
    my $host = $sssd->host();
    my $ldapURI = $sssd->ldapURI();

    # We must check if starttls is used
    my $tls = $sssd->startTls();
    if ($tls){
        $ldapURI = $ldapURI . '/????!StartTLS';
    }

    # select the email field in case of Microsoft AD bind
    my $CustomEmailField = $sogod{'CustomEmailField'} || 'userPrincipalName';

    if ($sssd->isLdap){
        # user source: ldap
        $OUT .= <<EOF

  /* 45 ldap authentication */
    SOGoUserSources =(
     \{
        id = groups;
        type = ldap;
        CNFieldName = cn;
        UIDFieldName = cn;
        IDFieldName = cn;
        baseDN = "$groupDN";
        bindDN = "$bindDN";
        bindPassword = "$bindPassword";
        scope = ONE;
        canAuthenticate = YES;
        MailFieldNames = ("mail");
        displayName = "$SystemName groups";
        hostname = $ldapURI;
        isAddressBook = YES;
     \},
     \{
        id = users;
        type = ldap;
        CNFieldName = cn;
        UIDFieldName = uid;
        IDFieldName = mail;
        bindFields = (
                mail,
                uid
            );
        IMAPLoginFieldName = mail;
        baseDN = "$userDN";
        bindDN = "$bindDN";
        bindPassword = "$bindPassword";
        scope = ONE;
        MailFieldNames = ("mail");
        canAuthenticate = YES;
        displayName = "$SystemName users";
        hostname = $ldapURI;
        isAddressBook = YES;
     \}
    );
EOF

    } elsif($sssd->isAD){
        # user source: AD
        # escape double quotes, otherwise a quote in the password ends the
        # quoted plist string early (s/"/\"/ would replace " with " and change nothing)
        $bindPassword =~ s/"/\\"/g;

        $OUT .= <<EOF

  /* 45 AD authentication */
    SOGoUserSources =(
     \{
        id = AD_Users;
        type = ldap;
        CNFieldName = cn;
        IDFieldName = sAMAccountName;
        UIDFieldName = sAMAccountName;
        IMAPLoginFieldName = $CustomEmailField;
        canAuthenticate = YES;
        bindDN = "BindUser\@MyDomainName.local";
        bindPassword = "MyBindpassword";
        baseDN = "OU=MyOrganisationUnit,DC=MyDomainName,DC=local";
        bindFields = (
                sAMAccountName,
                $CustomEmailField
            );
        hostname = $ldapURI;
        filter = "(objectClass='user') AND (sAMAccountType=805306368)";
        MailFieldNames = ("$CustomEmailField");
        scope = SUB;
        displayName = "$DomainName users";
        isAddressBook = YES;
     \},
     \{
        id = AD_Groups;
        type = ldap;
        CNFieldName = name;
        IDFieldName = sAMAccountName;
        UIDFieldName = sAMAccountName;
        canAuthenticate = YES;
        bindDN = "BindUser\@MyDomainName.local";
        bindPassword = "MyBindpassword";
        baseDN = "OU=MyOrganisationUnit,DC=MyDomainName,DC=local";
        hostname = $ldapURI;
        filter = "(objectClass='group') AND (sAMAccountType=268435456)";
        MailFieldNames = ("mail");
        scope = SUB;
        displayName = "$DomainName groups";
        isAddressBook = YES;
     \}
    );
EOF

    }
}

I also got it working with multiple organization units.

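The custom template above writes the SOGoUserSources stanza by string concatenation, and two things can silently break sogo.conf that way: a missing comma between two source dictionaries, and a bind password containing a double quote (Perl's s/"/\"/ leaves the quote unescaped). The following Python script is an added example, not code from this thread or from NethServer: it renders a users and a groups source per organizational unit (the multi-OU case mentioned in the last post, with the email field made configurable as suggested for CustomEmailField) and then parses the result with a small OpenStep-plist parser, the format sogo.conf uses, so a malformed stanza is caught before SOGo is restarted. The per-OU source ids, the sample OU names and the sample password are assumptions of this example.

```python
"""Added example (not from the thread or NethServer): render SOGoUserSources
entries for several AD organizational units and validate the plist syntax."""
import re

_UNQUOTED = re.compile(r'[^\s;,(){}="]+')

# One source dictionary; {extra} carries the users-only login fields.
_SOURCE = """    {{
        id = AD_{tag}_{kind};
        type = ldap;
        CNFieldName = {cn};
        IDFieldName = sAMAccountName;
        UIDFieldName = sAMAccountName;
        canAuthenticate = YES;
        bindDN = {bind_dn};
        bindPassword = {bind_password};
        baseDN = {base_dn};
        hostname = {ldap_uri};
        filter = "(objectClass='{obj}') AND (sAMAccountType={sat})";
        MailFieldNames = ({mail});
        scope = SUB;
        displayName = {display};
        isAddressBook = YES;{extra}
    }}"""


class PlistError(ValueError):
    """Raised when a fragment is not valid OpenStep plist syntax."""


def plist_quote(value):
    """Quote a string for an OpenStep plist, escaping backslash and double quote."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def render_ad_sources(ous, domain_dn, bind_dn, bind_password, ldap_uri,
                      email_field="userPrincipalName"):
    """Return a SOGoUserSources stanza with a users and a groups source per OU.
    Field names and filters follow the thread; ids AD_<ou>_Users/_Groups are assumed."""
    blocks = []
    for ou in ous:
        shared = dict(tag=re.sub(r"[^A-Za-z0-9]", "_", ou), ldap_uri=ldap_uri,
                      bind_dn=plist_quote(bind_dn), bind_password=plist_quote(bind_password),
                      base_dn=plist_quote("OU=%s,%s" % (ou, domain_dn)))
        blocks.append(_SOURCE.format(
            kind="Users", cn="cn", obj="user", sat=805306368,
            mail=plist_quote(email_field), display=plist_quote(ou + " users"),
            extra="\n        IMAPLoginFieldName = %s;\n        bindFields = (sAMAccountName, %s);"
            % (email_field, email_field), **shared))
        blocks.append(_SOURCE.format(
            kind="Groups", cn="name", obj="group", sat=268435456,
            mail='"mail"', display=plist_quote(ou + " groups"), extra="", **shared))
    # Array elements are comma separated; the last element takes no comma.
    return "SOGoUserSources = (\n" + ",\n".join(blocks) + "\n);\n"


def parse_openstep(text):
    """Parse the OpenStep plist subset sogo.conf uses: dictionaries, arrays,
    quoted and unquoted strings (comments are not handled)."""
    pos, n = 0, len(text)

    def skip_ws():
        nonlocal pos
        while pos < n and text[pos].isspace():
            pos += 1

    def peek(ch):  # consume ch if it comes next
        nonlocal pos
        skip_ws()
        if pos < n and text[pos] == ch:
            pos += 1
            return True
        return False

    def expect(ch, where):
        if not peek(ch):
            raise PlistError("expected %r %s at offset %d" % (ch, where, pos))

    def parse_value():
        nonlocal pos
        skip_ws()
        if pos >= n:
            raise PlistError("unexpected end of input")
        if text[pos] == "{":
            return parse_dict()
        if text[pos] == "(":
            return parse_array()
        if text[pos] == '"':
            pos, out = pos + 1, []
            while pos < n and text[pos] != '"':
                if text[pos] == "\\":  # backslash escapes the next character
                    pos += 1
                out.append(text[pos:pos + 1])
                pos += 1
            if pos >= n:
                raise PlistError("unterminated string")
            pos += 1
            return "".join(out)
        m = _UNQUOTED.match(text, pos)
        if not m:
            raise PlistError("unexpected %r at offset %d" % (text[pos], pos))
        pos = m.end()
        return m.group()

    def parse_dict():
        nonlocal pos
        pos, result = pos + 1, {}
        while not peek("}"):
            key = parse_value()
            expect("=", "after key %r" % key)
            result[key] = parse_value()
            expect(";", "after value of %r" % key)
        return result

    def parse_array():
        nonlocal pos
        pos, items = pos + 1, []
        while not peek(")"):
            items.append(parse_value())
            skip_ws()
            if pos < n and text[pos] == ",":
                pos += 1  # a trailing comma before ')' is tolerated
            elif not (pos < n and text[pos] == ")"):
                raise PlistError("expected ',' or ')' at offset %d" % pos)
        return items

    return parse_value()


def user_source_ids(fragment):
    """Return the id of each SOGoUserSources entry; raises PlistError if malformed."""
    return [s["id"] for s in parse_openstep("{" + fragment + "}")["SOGoUserSources"]]


if __name__ == "__main__":
    stanza = render_ad_sources(["Verwaltung", "Vertrieb"], "DC=MyDomainName,DC=local",
                               "BindUser@MyDomainName.local", 'pa"ss',
                               "ldap://AD.MyDomainName.local")
    print(stanza)
    print(user_source_ids(stanza))
```

Run it as-is to see the rendered stanza; to check a stanza taken from a real sogo.conf, pass the text of the SOGoUserSources assignment to user_source_ids and read the offset in the PlistError, which points at the missing comma or the unbalanced quote.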