NextCloud notifications with remote AD provider

Not to bring up an old thread, but this seems to no longer be working with the newest NextCloud/NS.
Not sure when it stopped working, but I tested on a fresh install of NS 7.6.18.10.
NS is connected to Zentyal 6, and when NextCloud was installed, userPrincipalName was already in the mail field of the LDAP settings. I believe when it worked before, it was grabbing email addresses from NS, not Zentyal, as I do not have email addresses set in Zentyal.
All LDAP users/groups show up in NextCloud, but no emails are filled in.

Who’s acting as mailserver, @wbilger? Zentyal or NethServer?

NethServer.

Therefore I don't know if the LDAP data from Zentyal is correctly providing information about the mail address.
Maybe @davidep could help to ease doubts.

The userPrincipalName LDAP attribute has an email address syntax. IIRC it is composed by default of sAMAccountName + @ + REALM. The NethServer local accounts provider configures AD and sets the userPrincipalName value as sAMAccountName + @ + NSDOMAIN.

That's because REALM is (usually) a private DNS domain, whilst NSDOMAIN has to be a public DNS domain (especially if NS is a mail server).

To make notifications work you could add REALM to your mail domain aliases and define a mail alias for each user. As an alternative, configure AD to set userPrincipalName in the same way NS would do.
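The post above describes the mismatch this whole thread turns on: AD's default userPrincipalName is sAMAccountName@REALM (the private domain), while NethServer expects sAMAccountName@NSDOMAIN (the mail domain). The script below is an added example, not code from the thread or from NethServer; it takes LDIF text (a constructed sample here, modelled on the ldapsearch output later in the thread, with sAMAccountName added) and reports, per user, whether the existing userPrincipalName already matches what NS would have set for a given mail domain. `mydomain.com` stands in for NSDOMAIN and `MYDOMAIN.LAN` for REALM; both are assumptions taken from the thread's examples.

```shell
#!/bin/sh
# Constructed LDIF sample (not real directory data). Two users carry the AD
# default UPN (sAMAccountName@REALM); one was set the way the NethServer local
# provider would (sAMAccountName@NSDOMAIN). The trailing "ref:" entry mimics
# the search references ldapsearch prints against a Samba/AD DC.
SAMPLE_LDIF='dn: CN=User One,CN=Users,DC=mydomain,DC=lan
sAMAccountName: user1
userPrincipalName: user1@MYDOMAIN.LAN

dn: CN=User Two,CN=Users,DC=mydomain,DC=lan
sAMAccountName: user2
userPrincipalName: user2@MYDOMAIN.LAN

dn: CN=Wayne User,CN=Users,DC=mydomain,DC=lan
sAMAccountName: wayne
userPrincipalName: wayne@mydomain.com

# search reference
ref: ldap://mydomain.lan/CN=Configuration,DC=mydomain,DC=lan
'

# upn_report LDIF MAILDOMAIN
# Prints one tab-separated line per user entry:
#   sAMAccountName  userPrincipalName  OK|MISMATCH  expected-UPN
# "expected" is sAMAccountName@MAILDOMAIN, i.e. what NethServer's own provider
# would write. The comparison is case-insensitive because both sAMAccountName
# and DNS domains are case-insensitive; entries without sAMAccountName (search
# references, comments) are skipped.
upn_report() {
    printf '%s\n' "$1" | awk -v maildomain="$2" '
        /^sAMAccountName: /    { v = $0; sub(/^[^:]*: /, "", v); sam = v }
        /^userPrincipalName: / { v = $0; sub(/^[^:]*: /, "", v); upn = v }
        /^$/ { flush() }        # blank line ends an LDIF entry
        END  { flush() }        # handle a final entry with no trailing blank
        function flush() {
            if (sam != "") {
                expected = sam "@" maildomain
                if (tolower(upn) == tolower(expected)) status = "OK"
                else status = "MISMATCH"
                print sam "\t" upn "\t" status "\t" expected
            }
            sam = ""; upn = ""
        }'
}

# count_upn_mismatches LDIF MAILDOMAIN
# Number of users whose UPN would not be accepted as a mailbox on MAILDOMAIN.
count_upn_mismatches() {
    upn_report "$1" "$2" | awk -F'\t' '$3 == "MISMATCH" { n++ } END { print n + 0 }'
}

# Demo run against the constructed sample, with mydomain.com as NSDOMAIN.
upn_report "$SAMPLE_LDIF" mydomain.com
echo "mismatches: $(count_upn_mismatches "$SAMPLE_LDIF" mydomain.com)"
```

On a real system the LDIF argument would come from the ldapsearch command quoted later in the thread, with sAMAccountName added to the requested attributes: `upn_report "$(ldapsearch -Y GSSAPI -h dc1.mydomain.lan -b dc=mydomain,dc=lan 'userPrincipalName=*' sAMAccountName userPrincipalName)" mydomain.com`. One caveat: ldapsearch folds attribute values longer than 76 characters onto continuation lines that start with a space; this small parser does not unfold them, so a very long UPN would show as a mismatch.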

Is it possible to unbind the email address from the remote accounts database?

In other words, instead of fetching the email address from AD, is it possible to modify it from Nextcloud settings/user page? /cc @alefattorini @alep @giacomo

Yes, but any modification on that part will be rewritten on package update.
See the relevant code at lines 79 and 106.


Can we add a condition to opt-out from those settings? A remote accounts provider could be something different from NethServer…

For instance

  • a prop to completely disable/skip new updates to LDAP settings, or
  • a prop targeted to mail address only

Is there anything for me to try?
In my case, I am not looking to get the email address from Zentyal, but from NS.
My local domain is mydomain.lan and my public one is mydomain.com, but I can deliver the NextCloud notifications to either user@mydomain.lan or user@mydomain.com; all users are local. What I hope is that when a new user is added in Zentyal, their NextCloud user has the email address filled in.
This sounds like the relevant part for me, but I am not sure how to proceed.

To make notifications work you could add REALM to your mail domain aliases and define a mail alias for each user. As an alternative, configure AD to set userPrincipalName in the same way NS would do.

Could you attach the output of

account-provider-test dump
hostname

account-provider-test dump

{
"BindDN" : "ldapservice@mydomain.lan",
"LdapURI" : "ldap://dc1.mydomain.lan",
"DiscoverDcType" : "dns",
"StartTls" : "1",
"port" : 389,
"host" : "dc1.mydomain.lan",
"isAD" : "1",
"isLdap" : "",
"UserDN" : "DC=mydomain,DC=lan",
"GroupDN" : "DC=mydomain,DC=lan",
"BindPassword" : "mypassword",
"BaseDN" : "DC=mydomain,DC=lan",
"LdapUriDn" : "ldap:///dc%3Dmydomain%2Cdc%3Dlan"
}

hostname

test.mydomain.lan

As your REALM === your DOMAIN it could work out of the box as Nextcloud is installed with the mail server…

What are the userPrincipalName values?

Please run this command and check if they match your account domain values

  net ads search -P userPrincipalName=* userPrincipalName

ads_connect: No logon servers are currently available to service the logon request.
ads_connect: No logon servers are currently available to service the logon request.

…this is odd :frowning:

Please try to get a TGT

 kdestroy
 kinit someuser
 klist

Connection to Zentyal AD is good; all Zentyal users and groups are available in NS, Webtop and NextCloud.

After you get a TGT try

 ldapsearch -Y GSSAPI -h dc1.mydomain.lan -b dc=mydomain,dc=lan 'userPrincipalName=*' userPrincipalName

Yes we could, but so far it's the first request.
I'd suggest Wayne to add a custom action inside the nethserver-nextcloud-update event which executes the custom occ config.

kdestroy
kinit someuser
klist

[root@test ~]# kdestroy
[root@test ~]# kinit wayne
Password for wayne@MYDOMAIN.LAN:
Warning: Your password will expire in 178 days on Sun 25 Aug 2019 01:36:01 PM EDT
[root@test ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: wayne@MYDOMAIN.LAN

Valid starting Expires Service principal
02/28/2019 09:45:54 02/28/2019 19:45:54 krbtgt/MYDOMAIN.LAN@MYDOMAIN.LAN
renew until 03/07/2019 09:45:48

ldapsearch -Y GSSAPI -h dc1.mydomain.lan -b dc=mydomain,dc=lan 'userPrincipalName=*' userPrincipalName
** I replaced the user names with a few dummies so the numResponses and numEntries don't match

SASL/GSSAPI authentication started
SASL username: wayne@MYDOMAIN.LAN
SASL SSF: 256
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <dc=mydomain,dc=lan> with scope subtree
# filter: userPrincipalName=*
# requesting: userPrincipalName
#

# User One, Users, mydomain.lan
dn: CN=User One,CN=Users,DC=mydomain,DC=lan
userPrincipalName: user1@MYDOMAIN.LAN

# User Two, Users, mydomain.lan
dn: CN=User Two,CN=Users,DC=mydomain,DC=lan
userPrincipalName: user2@MYDOMAIN.LAN

# User Three, Users, mydomain.lan
dn: CN=User Three,CN=Users,DC=mydomain,DC=lan
userPrincipalName: user3@MYDOMAIN.LAN

# User Four, Users, mydomain.lan
dn: CN=User Four,CN=Users,DC=mydomain,DC=lan
userPrincipalName: user4@MYDOMAIN.LAN

# Wayne User, Users, mydomain.lan
dn: CN=Wayne User,CN=Users,DC=mydomain,DC=lan
userPrincipalName: wayne@MYDOMAIN.LAN

# test test, Users, mydomain.lan
dn: CN=test test,CN=Users,DC=mydomain,DC=lan
userPrincipalName: test@MYDOMAIN.LAN

# search reference
ref: ldap://mydomain.lan/CN=Configuration,DC=mydomain,DC=lan

# search reference
ref: ldap://mydomain.lan/DC=DomainDnsZones,DC=mydomain,DC=lan

# search reference
ref: ldap://mydomain.lan/DC=ForestDnsZones,DC=mydomain,DC=lan

# search result
search: 4
result: 0 Success

# numResponses: 21
# numEntries: 17
# numReferences: 3

Try to send a message to that name:

echo helloworld | mail wayne@MYDOMAIN.LAN
  • Check the root/admin's mailbox for any bounce
  • Check /var/log/maillog for the delivery status
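The maillog check in the steps above is the one that tells you whether the uppercase REALM address is actually accepted as a local mailbox. The function below is an added example, not code from the thread or from NethServer: it scans postfix-style log lines for a given recipient (matched case-insensitively against both `to=<...>` and `orig_to=<...>`, since postfix logs the address as delivered and as originally written) and prints the queue id and final `status=` word. The log lines are constructed for the example and the queue ids and timestamps in them are made up.

```shell
#!/bin/sh
# Constructed /var/log/maillog excerpt (not real log data). The first queue id
# is a test message to wayne@MYDOMAIN.LAN that postfix rewrote to the lower
# case mailbox and delivered; the second is a bounce for an unknown user.
SAMPLE_MAILLOG='Feb 28 10:12:01 test postfix/pickup[1234]: 3A1B2C3D4E: uid=0 from=<root>
Feb 28 10:12:01 test postfix/qmgr[1100]: 3A1B2C3D4E: from=<root@test.mydomain.lan>, size=312, nrcpt=1 (queue active)
Feb 28 10:12:02 test postfix/lmtp[1240]: 3A1B2C3D4E: to=<wayne@mydomain.lan>, orig_to=<wayne@MYDOMAIN.LAN>, relay=test.mydomain.lan[/var/run/dovecot/lmtp], delay=0.5, delays=0.2/0.1/0.1/0.1, dsn=2.0.0, status=sent (250 2.0.0 Ok)
Feb 28 10:12:02 test postfix/qmgr[1100]: 3A1B2C3D4E: removed
Feb 28 10:15:40 test postfix/local[1300]: 5F6E7D8C9B: to=<nobody@mydomain.lan>, relay=local, delay=0.1, delays=0.1/0/0/0, dsn=5.1.1, status=bounced (unknown user: "nobody")
Feb 28 10:15:40 test postfix/qmgr[1100]: 5F6E7D8C9B: removed'

# delivery_status LOG RECIPIENT
# Prints "queue-id<TAB>status" for every delivery attempt to RECIPIENT.
# Only lines carrying "status=" are delivery records; the queue id is the
# sixth whitespace field in the default syslog layout ("3A1B2C3D4E:").
delivery_status() {
    rcpt=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    printf '%s\n' "$1" | awk -v rcpt="$rcpt" '
        /status=/ {
            line = tolower($0)
            # "to=<x>" is also a substring of "orig_to=<x>", so one test
            # covers the rewritten and the original recipient address.
            if (index(line, "to=<" rcpt ">") == 0) next
            qid = $6; sub(/:$/, "", qid)
            st = line; sub(/.*status=/, "", st); sub(/[ (].*/, "", st)
            print qid "\t" st
        }'
}

# last_delivery_status LOG RECIPIENT
# The status of the most recent attempt (sent, bounced, deferred, ...),
# or an empty string when the recipient never appears in the log.
last_delivery_status() {
    delivery_status "$1" "$2" | awk -F'\t' '{ s = $2 } END { print s }'
}

# Demo run: the address exactly as it appears in userPrincipalName.
delivery_status "$SAMPLE_MAILLOG" wayne@MYDOMAIN.LAN
echo "last status for wayne@MYDOMAIN.LAN: $(last_delivery_status "$SAMPLE_MAILLOG" wayne@MYDOMAIN.LAN)"
```

On a live NethServer the first argument would be the log itself, for example `delivery_status "$(cat /var/log/maillog)" wayne@MYDOMAIN.LAN`. A `bounced` result for the REALM-form address, with `sent` for the NSDOMAIN form, is the concrete symptom of the userPrincipalName mismatch discussed earlier in the thread.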

Message delivered.
I think you know, but just so we are on the same page, the issue isn't that I can't deliver messages, but that the email field is not filled out automatically in NextCloud. If I fill in the email manually, NC can send the notifications. But it is preferred not to have to do so manually; the email address needs to be auto-filled when a new user is added.