NethServer-SavaPage module

mrmarkuz · January 6, 2018, 3:43pm

Thanks for testing!

I recently recognized that there is a nethserver-dc/sssd in testing which makes AD support simple LDAP auth:

github.com/NethServer/dev

AD access for LDAP simple auth applications

opened 09:47AM - 06 Dec 17 UTC

closed 02:57PM - 10 Jan 18 UTC

DavidePrincipi

verified

Many NethServer applications (WebTop, SOGo, Roundcube, Ejabberd, Nextcloud) requ…ire LDAP simple authentication to bind with the Active Directory LDAP service because they do not implement a GSSAPI LDAP client. Whilst the OpenLDAP-based `nethserver-directory` package provides a default account for such applications (and also allows anonymous binds by default), the Active Directory still lacks a similar account, and forbids anonymous binds too. We cannot enable anonymous binds in AD, because it would be a wrong assumption on many networks. By now, such applications use the machine account credentials granted to NethServer itself. However this approach has the following limitations: - cannot work with a remote AD accounts provider - MS AD does not allow simple binds with such credentials; Samba AD could remove support in the future - latest Samba release produces a very long and complex machine password that could break the output of a template with poor special chars escaping - forces us to stop the machine password monthly rotation (which is a standard AD client protocol) The following features must be implemented - [x] create a special account during DC provisioning / update / migration / upgrade - [x] show the special account credentials in Accounts provider page (local AD provider mode) - [x] display a TODO if LDAP simple auth is required, but the credentials weren't specified at the end of AD join workflow - [x] validation of LDAP credentials and connection parameters - [x] clean up of procedures relying on machine account credentials and membership of Accounts Operator group - [x] update docs - [ ] translations Postponed: - ~restore SSSD default machine password rotation~ [future] See also: - https://community.nethserver.org/t/remote-ad-forcing-bind-user/8229 - https://community.nethserver.org/t/special-account-for-applications-with-simple-ldap-bind/8175 - https://community.nethserver.org/t/name-nethserver-sssd-oldin-used-only-once/8373/4

I didn’t test it, but this way we maybe don’t need the extra savaaduser.