Hello
this is more a general question. I want to use Nethserver only as Mailserver with User Accounts beeing on Remote AD Server.
So i configured successfully a remote LDAP connection to the AD server but i cannot see any user accounts, it is “empty table”.
For testing i used Administrator Account on AD Server with ldaps Connection (Administrator@intern.test). User DN specified as: OU=Users,DC=intern,DC=test
Do i miss anything here?
Use administrator account for connecting to LDAP is not considered best practice.
Please check out these threads
https://community.nethserver.org/search?expanded=true&q=%23support%20tags%3Aactivedirectory%2Bremote
There you could find some commands for troubleshooting
Note: since 7.6 we have winbind running too with file server module
Hi Thomas,
does your Account provider Page look like this?
Please post output of account-provider-test dump.
account-provider-test dump
{
"BindDN" : "Administrator@intern.test",
"LdapURI" : "ldap://dc1.intern.test",
"DiscoverDcType" : "dns",
"StartTls" : "1",
"port" : 389,
"host" : "dc1.intern.test",
"isAD" : "",
"isLdap" : "1",
"UserDN" : "DC=intern,DC=test",
"GroupDN" : "DC=intern,DC=test",
"BindPassword" : "x",
"BaseDN" : "DC=intern,DC=test",
"LdapUriDn" : "ldap:///dc%3Dintern%2Cdc%3Dtest"
}
I tried also ldap://dc1.intern.test with STARTTLS NO. Or User/Group DN set specific to OU=Users,DC=intern,DC=test
Is it required to be also AD Member? Its not really clear in documentation and in GUI i can not join to AD after LDAP connection is set. I was assuming it works with pure LDAP like in Kerio.
Does AD account need something specific, member of any group?
Edit:
“isAD” : “”,
“isLdap” : “1”,
Set both to 1 ?
Is the DC you’re trying to contact another Nethserver-instance or somewhat else (MS) ?
It is Win 2019 Essentials with AD 2008R2 function level
Edit: In this thread
there is a picture
https://community.nethserver.org/uploads/db8506/original/2X/6/67d4982d8a42e57c5f7c679afc15655494854f8f.jpg
from LDAP config where you can see you can choose between LDAP and AD. In my GUI i cannot choose anything at all.
Sorry, no MS here on my side, so I can’t help with that.
I did some tests with pure ldap against another NS-instance.
With anonymous connection I get also an empty table.
With bind credentials I get all groups, but not all users??
EDIT: With a full join to AD I get all users and all groups.
You can choose. Just unbind your machine and bind again.
choose LDAP
choose Bind remotely
yes thats what i did.
I found also in sogo.conf
/* 45 ldap authentication */
SOGoUserSources =(
{
id = groups;
type = ldap;
CNFieldName = cn;
UIDFieldName = cn;
IDFieldName = cn;
baseDN = "DC=intern,DC=test";
bindDN = "Administrator@intern.test";
bindPassword = "x";
scope = ONE;
canAuthenticate = YES;
MailFieldNames = ("mail");
displayName = "nethserver groups";
hostname = ldap://dc1.intern.test/????!StartTLS;
isAddressBook = NO;
},
{
id = users;
type = ldap;
CNFieldName = cn;
UIDFieldName = uid;
IDFieldName = mail;
bindFields = (
mail,
uid
);
IMAPLoginFieldName = mail;
baseDN = "DC=intern,DC=test";
bindDN = "Administrator@intern.test";
bindPassword = "x";
scope = ONE;
MailFieldNames = ("mail");
canAuthenticate = YES;
displayName = "nethserver users";
hostname = ldap://dc1.intern.test/????!StartTLS;
isAddressBook = YES;
}
);You cannot bind an AD domain controller host as a generic “remote ldap”. It’s not rfc2307 compliant!
Unbind, then bind again with the correct account provider type!
Its working now, i didnt know i had to join AD and after that the LDAP setup appeared.
And i dont quite understand why thats needed because i can see AD accounts with an standard LDAP browser too.
Yesterday i had also the famous error: AccountProvider_Error_82
Like in other threads noted i checked server time and it was way off because my test vm went to suspended mode and after wakeup, the time was wrong. I corrected time manually and changed it back to sync via ntp, still was not working after server reboot. I even changed hw clock but no change. And then today i fire it back up and everything is working, i didnt change anything since yesterday.