Remote Accounts Provider

Thomas_Rechberger · January 23, 2019, 10:55am

Hello
this is more a general question. I want to use Nethserver only as Mailserver with User Accounts beeing on Remote AD Server.

So i configured successfully a remote LDAP connection to the AD server but i cannot see any user accounts, it is “empty table”.

For testing i used Administrator Account on AD Server with ldaps Connection (Administrator@intern.test). User DN specified as: OU=Users,DC=intern,DC=test

Do i miss anything here?

pike · January 23, 2019, 11:00am

Use administrator account for connecting to LDAP is not considered best practice.

davidep · January 23, 2019, 11:00am

Please check out these threads

https://community.nethserver.org/search?expanded=true&q=%23support%20tags%3Aactivedirectory%2Bremote

There you could find some commands for troubleshooting

Note: since 7.6 we have winbind running too with file server module

flatspin · January 23, 2019, 11:24am

Hi Thomas,

does your Account provider Page look like this?

Please post output of account-provider-test dump.

Thomas_Rechberger · January 23, 2019, 12:20pm

account-provider-test dump
{
   "BindDN" : "Administrator@intern.test",
   "LdapURI" : "ldap://dc1.intern.test",
   "DiscoverDcType" : "dns",
   "StartTls" : "1",
   "port" : 389,
   "host" : "dc1.intern.test",
   "isAD" : "",
   "isLdap" : "1",
   "UserDN" : "DC=intern,DC=test",
   "GroupDN" : "DC=intern,DC=test",
   "BindPassword" : "x",
   "BaseDN" : "DC=intern,DC=test",
   "LdapUriDn" : "ldap:///dc%3Dintern%2Cdc%3Dtest"
}

I tried also ldap://dc1.intern.test with STARTTLS NO. Or User/Group DN set specific to OU=Users,DC=intern,DC=test

Is it required to be also AD Member? Its not really clear in documentation and in GUI i can not join to AD after LDAP connection is set. I was assuming it works with pure LDAP like in Kerio.

Does AD account need something specific, member of any group?

Edit:
“isAD” : “”,
“isLdap” : “1”,
Set both to 1 ?

flatspin · January 23, 2019, 2:18pm

Is the DC you’re trying to contact another Nethserver-instance or somewhat else (MS) ?

Thomas_Rechberger · January 23, 2019, 2:32pm

It is Win 2019 Essentials with AD 2008R2 function level

Edit: In this thread

there is a picture
https://community.nethserver.org/uploads/db8506/original/2X/6/67d4982d8a42e57c5f7c679afc15655494854f8f.jpg
from LDAP config where you can see you can choose between LDAP and AD. In my GUI i cannot choose anything at all.

flatspin · January 23, 2019, 2:57pm

Sorry, no MS here on my side, so I can’t help with that.

I did some tests with pure ldap against another NS-instance.

With anonymous connection I get also an empty table.
With bind credentials I get all groups, but not all users??

EDIT: With a full join to AD I get all users and all groups.

flatspin · January 23, 2019, 3:04pm

You can choose. Just unbind your machine and bind again.
choose LDAP

choose Bind remotely

Thomas_Rechberger · January 23, 2019, 3:16pm

yes thats what i did.

I found also in sogo.conf

  /* 45 ldap authentication */
    SOGoUserSources =(
     {
        id = groups;
        type = ldap;
        CNFieldName = cn;
        UIDFieldName = cn;
        IDFieldName = cn;
        baseDN = "DC=intern,DC=test";
        bindDN = "Administrator@intern.test";
        bindPassword = "x";
        scope = ONE;
        canAuthenticate = YES;
        MailFieldNames = ("mail");
        displayName = "nethserver groups";
        hostname = ldap://dc1.intern.test/????!StartTLS;
        isAddressBook = NO;
     },
     {
        id = users;
        type = ldap;
        CNFieldName = cn;
        UIDFieldName = uid;
        IDFieldName = mail;
        bindFields = (
                mail,
                uid
            );
        IMAPLoginFieldName = mail;
        baseDN = "DC=intern,DC=test";
        bindDN = "Administrator@intern.test";
        bindPassword = "x";
        scope = ONE;
        MailFieldNames = ("mail");
        canAuthenticate = YES;
        displayName = "nethserver users";
        hostname = ldap://dc1.intern.test/????!StartTLS;
        isAddressBook = YES;
     }
    );

davidep · January 23, 2019, 3:49pm

You cannot bind an AD domain controller host as a generic “remote ldap”. It’s not rfc2307 compliant!

Unbind, then bind again with the correct account provider type!

Thomas_Rechberger · January 24, 2019, 8:07pm

Its working now, i didnt know i had to join AD and after that the LDAP setup appeared.
And i dont quite understand why thats needed because i can see AD accounts with an standard LDAP browser too.

Yesterday i had also the famous error: AccountProvider_Error_82

Like in other threads noted i checked server time and it was way off because my test vm went to suspended mode and after wakeup, the time was wrong. I corrected time manually and changed it back to sync via ntp, still was not working after server reboot. I even changed hw clock but no change. And then today i fire it back up and everything is working, i didnt change anything since yesterday.