Remote AD: forcing bind user

giacomo · November 6, 2017, 4:09pm

As you know, NethServer can join a remote Active Directory and use it as account provider.

When an application authenticates against a remote AD, it can use 2 different protocols:

GSSAPI (Kerberos): used by PAM
LDAP bind: used by third-party applications which don’t use PAM, like Nextcloud, FreePBX etc.

So, if you have a NethServer joined to an AD, you need to add an extra bind user and bind password if you want to make all applications access the account provider.
The underlying implementation is quite complex and not all users know the difference between these two protocols, and often they forget to configure a valid bind user.

Currently the bind user is optional, what do you think to make it mandatory?
This is choice will drastically reduce user errors and I don’t see any real downside.

So, what do you think?

davidep · November 6, 2017, 5:08pm

Mandatory can be dangerous:

A remote MS AD could be subject to any kind of restricted policy
Some NS installations wouldn’t actually require it (i.e. a plain IMAP mail server or a Samba file server)

What if we display a TODO?

We could even display a web splash page in place of the expected web application, if the configuration is not completed:

“Webapp X is not configured…”

nrauso · November 7, 2017, 2:06pm

It seems to be a good idea to me.

But if you’re the sysadmin of the scenario you should know if there’re security policies applied or not.
If you’re not the Microsoft AD sysadmin, the admin in charge to which you ask for the user for the bind should know!

Well, the bind user will simply not be used in that case, right?

davidep · November 7, 2017, 5:29pm

…and should be collaborative! Can we assume he’s going to create an additional account for us?

I’d prefer not to make this assumption. I’d prefer a system that fits any environment.

Yes, …and if the AD sysadmin is on holiday (for instance) you’re stuck!

giacomo · November 8, 2017, 8:32am

Yes, since it’s a requirement for many applications. It should be part of the installation process:
allocate IP for a new server and user for AD connection

I don’t get this, if the user is setup in the join stage, it will be valid even if the AD sysadmin is on vacation.
I would also assume that in most scenarios the AD sysadmin and NS one, are the same person!

We need to ease the life of users, not arguing about best practices.

@filippo_carletti @nrauso @CharlieWhiting how many times sysadmins face this kind of problem?
If the problem arises 90% of times, probably it worth to restrict configuration freedom and make it work.
Otherwise, if only few people encountered the problem, we can just add a documentation line inside the join form.

alefattorini · November 8, 2017, 8:50am

I guess that @gg_jr @dnutan @guus @mrmarkuz @enzoturri @mansoor.tariq may be interested in that discussion

davidep · November 8, 2017, 8:58am

The IP is required on local accounts provider. Only remote case here. Anyway, the join process has already too many requirements that are difficult to understand. This is another reason to avoid a new mandatory one which could lead to further troubles (even on a minority of cases).

I’d rather say we need to ease the life of users through best practices; …and shorcuts are dangerous.

GG_jr · November 8, 2017, 10:38am

I think you already know my point of view regarding the administration of an Information System by a sysadmin.
No matter if that I.S. is at work or at home, the person which administer that I.S., the sysadmin, must have enough knowledge to do that.
Otherwise, no matter how easy to configure is the NethServer (in this case) made, nothing will work!
Another thing related to all from above: all this settings, will never be made by the user(s)! Or never should be made by user(s).

And yes, “…we need to ease the life of users through best practices; …and shortcuts are dangerous.”, with a little amendament, at least in this case: instead of “users”, i’d say “sysadmins”. The users only use!

Kind regards,
Gabriel

Stefano_Zamboni · November 8, 2017, 11:00am

I agree with you at 120%

NS can’t be (ant IMVHO must not be) used by everybody: and the aim to be used by home users with no knowledge must have a limit… we’re talking about a sever (often exposed to wan)

from murphy’s law:

Make a system even a moron can use and a moron will use it.

nrauso · November 8, 2017, 2:21pm

He have to! Or we could not get our job done!
In that case our modules could not work anyway![quote=“davidep, post:4, topic:8229”]
…and if the AD sysadmin is on holiday (for instance) you’re stuck!
[/quote]
The same as above…

In my experience it happens in more than 50% of the cases.

davidep · November 8, 2017, 4:36pm

This is the current join form

We should ask BOTH a privileged user’s credentials to join the machine AND unprivileged user’s credential for SOGo, WebTop & Co. LDAP simple binds? Mandatory?

I’m still not convinced making it mandatory is a good idea that simplifies the sysadmin work and eases configuration… I still prefer adding a TODO and displaying a comprensible error page in place of /sogo and /webtop URLs.

giacomo · November 9, 2017, 9:01am

Thank you for the amazing feedback!

To recap we should proceed following these directions:

do not make bind user mandatory
read-only bind credentials should be more visible inside the UI
the UI must inform the user about applications which need bind credentials

I will add it to our roadmap!

Just for reference, we can list applications which uses bind credentials with a code like this:

for PACKAGE in $(grep -l -R -e bindDN -e userDN -e bindUser -e groupDN -e bindPassword /etc/e-smith/events/actions/ /etc/e-smith/templates/ \
    | xargs -- rpm -qf --queryformat '%{NAME}\n' | sort | uniq \
    | grep -v -E 'nethserver-(dc|sssd|directory)' | cut -d'-' -f2); do
    echo "${PACKAGE}"
done

davidep · November 9, 2017, 9:35am

Sadly, I know it well

Instead of seeking dependant packages, we should do the contrary: individual packages subscribe the nethserver-sssd-save event!

davidep · December 14, 2017, 4:17pm

This feature is now on testing! /cc @quality_team

https://github.com/NethServer/dev/issues/5396

Who wants to run some test cases?

planet_jeroen · December 14, 2017, 5:37pm

What exactly do you want tested ?

davidep · December 14, 2017, 6:38pm

Test cases description is available from the link above! Please ask if you need explanations!

planet_jeroen · December 14, 2017, 8:26pm

I install the sssd rpm mentioned and start testing right?

I’ll have a go at it tomorrow. It’s a perfect day for some testing as half the company will be busy with meetings

planet_jeroen · December 15, 2017, 1:25pm

Murphy interfered … I will be testing later today/tonight … sorry for the delay.

planet_jeroen · December 17, 2017, 1:32pm

So … at first glance that looked like not much work … then I read it again and a bit more careful

I have 0 experience with OpenLDAP, so I will test that last, as it will be a learning experience as well. Trying to figure out how to work through the cases I can test right now (which is samba AD scenario’s) I came up with the following testplan, please let me know if that would do:

Create VM with fresh Nethserver installation, updated fully.
Clone this machine, correct networking settings and hostname.
snapshot both at this stage.
Install the sssd RPM
Run testcase 2.1 on the first VM, VM1
Run testcase 2.4 on the second VM, VM2
Run testcase 2.5 on the first VM, being a Samba AD server at this point
unbind VM2 from VM1 and install SOGo
Run testcase 3.4 on VM2
reset snapshots
install SOGO on both VM’s
snapshot VM1 again
Install Samba AD on VM1.
Join VM2 to Samba AD on VM1.
install sssd RPM on VM1 and VM2
Run testcase 1.1 on VM1
Run testcase 1.4.2 on VM2
revert VM1 to latest snapshot
install sssd RPM
Run testcase 3.4 on VM1

Is there a preferred format for the output ? Screenshots ?

davidep · December 17, 2017, 8:09pm

No in general. If you find an error screen it might be useful. Pay attention to error messages in /var/log/messages