Remote LDAP User & Group Search

zentyal
accounts-provider

(Veeramani P) #1

NethServer Version: NethServer release 7.4.1708 (Final)
Module: Account Provider

Hi Team,

I have configured the account provider in domain join mode, but we need to configure the account provider as remote LDAP. I tried the LDAP configuration as per the documentation and also some Google research, and I changed the LDAP user search entries in the config file. Even though I configured it correctly, I can't see the user list and group list; both users and groups come back empty:

/usr/libexec/nethserver/count-accounts

@@ -58,7 +58,7 @@ if($sssd->isLdap()) {
     }
 
     %config = ( %config,
-        'userfilter' => '(objectClass=shadowAccount)',
+        'userfilter' => '(objectClass=posixAccount)',
         'userkeyattr' => 'uid',
         'groupfilter' => '(objectClass=posixGroup)',
         'groupkeyattr' => 'cn',
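
Review bot: the new 'userfilter' => '(objectClass=posixAccount)' must stay identical to the 'filter' used in list-users, otherwise count-accounts and list-users disagree on which entries are users. posixAccount is the structural RFC2307 class for user entries while shadowAccount is an optional auxiliary class, so the old filter returned nothing on a directory that does not populate shadow attributes, which is consistent with the empty lists reported in the post.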

/usr/libexec/nethserver/list-group-members

@@ -63,7 +63,7 @@ if($sssd->isLdap()) {
         'memberattr' => 'memberUid',
         'filter' => "(&(objectClass=posixGroup)(cn=$groupName))",
         'groupclass' => 'posixGroup',
-        'memberfilter' => '(objectClass=shadowAccount)'
+        'memberfilter' => '(objectClass=posixAccount)'
     );
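
Review bot: the unchanged 'filter' line interpolates $groupName directly into the LDAP filter string; a group name containing filter metacharacters such as ( ) * or \ would break or alter the search, so escape it (for example with Net::LDAP::Util::escape_filter_value) before building the filter. The 'memberfilter' change itself is consistent with count-accounts: members are resolved from memberUid and then required to match posixAccount instead of shadowAccount.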

/usr/libexec/nethserver/list-users

@@ -64,7 +64,7 @@ if($sssd->isLdap()) {
 
     %config = ( %config,
         'keyattr' => 'uid',
-        'filter' => '(objectClass=shadowAccount)',
+        'filter' => '(objectClass=posixAccount)',
     );
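
Review bot: with 'keyattr' => 'uid' unchanged, every entry matching posixAccount is now keyed by uid, so an entry that matches but carries no uid has no usable key; given the lone '@domain.com' entry reported later in the thread, confirm uid is set on every matching entry. The new 'filter' now matches the userfilter in count-accounts, which keeps the count and the listing in agreement.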

I don't know how to solve this problem; kindly provide the solution.


(Giacomo Sanchietti) #2

Hi,
what is your remote LDAP server?

Please make sure it supports RFC2307.
See also: http://docs.nethserver.org/en/v7/accounts.html#account-providers

If the remote LDAP server is a NethServer 6, you can check also this: http://docs.nethserver.org/projects/nethserver-devel/en/v6/directory.html#anonymous-access-to-user-account-entries


(Veeramani P) #3

Hi,

We are using Zentyal version 5 as the domain controller, and we are using NethServer 7.4. I need an exact solution for this one.


(Giacomo Sanchietti) #4

Please see my answer above.
Your LDAP server must support RFC2307.

If that requirement is not met, the join to the remote LDAP provider will not work.


(Veeramani P) #5

Hi,

Yes, it supports the RFC2307 schema; I configured the remote LDAP correctly. But I can't see the user list and group list; they come back empty.
Sometimes a single entry appears as @domain.com in the user tab.


(Davide Principi) #6

A similar issue was discussed here for zentyal 2

I thought we didn’t use shadowAccount any more :thinking:
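
As an added illustration (not code from this thread or from nethserver-sssd), the following Python replays the user and group-member filters from the posted scripts over a constructed RFC2307 sample: a Zentyal-style user that has posixAccount but no shadowAccount disappears under the old (objectClass=shadowAccount) filter and reappears under (objectClass=posixAccount). The LDIF sample, the minimal filter evaluator and the function names are assumptions made for this example.

```python
import re

# Constructed sample directory (not a real dump): alice is a Zentyal-style user
# with posixAccount but no shadowAccount, bob carries both, staff is a posixGroup.
SAMPLE_LDIF = """\
dn: uid=alice,ou=Users,dc=example,dc=com
objectClass: posixAccount
uid: alice

dn: uid=bob,ou=Users,dc=example,dc=com
objectClass: posixAccount
objectClass: shadowAccount
uid: bob

dn: cn=staff,ou=Groups,dc=example,dc=com
objectClass: posixGroup
cn: staff
memberUid: alice
memberUid: bob
"""

def parse_ldif(text):
    """Return entries as dicts mapping lower-cased attribute -> list of values."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            attr, value = line.split(": ", 1)
            entry.setdefault(attr.lower(), []).append(value)
        entries.append(entry)
    return entries

def matches(entry, ldap_filter):
    """Evaluate the filter subset the scripts use: (attr=value) and (&(...)(...)); case-sensitive."""
    if ldap_filter.startswith("(&"):
        return all(matches(entry, p) for p in re.findall(r"\([^()]*\)", ldap_filter[2:-1]))
    attr, value = ldap_filter[1:-1].split("=", 1)
    return value in entry.get(attr.lower(), [])

def list_users(entries, userfilter):
    """Mirror list-users / count-accounts: entries matching userfilter, keyed by uid."""
    return sorted(e["uid"][0] for e in entries if matches(e, userfilter))

def list_group_members(entries, group, memberfilter):
    """Mirror list-group-members: memberUid values whose user entry passes memberfilter."""
    gfilter = "(&(objectClass=posixGroup)(cn=%s))" % group
    members = [m for g in entries if matches(g, gfilter) for m in g.get("memberuid", [])]
    by_uid = {e["uid"][0]: e for e in entries if "uid" in e}
    return sorted(m for m in members if m in by_uid and matches(by_uid[m], memberfilter))
```

Run list_users(parse_ldif(SAMPLE_LDIF), "(objectClass=shadowAccount)") to see only bob, and the posixAccount variant to see both users.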


(Davide Principi) #7

@veeramani, could you check your nethserver-sssd version? The diff you posted does not match the latest code!

To verify the version, run this command and post here the output

rpm -q nethserver-sssd

Thank you!


(Veeramani P) #8

The sssd version result is below.

[image]


(Davide Principi) #9

OK, it is not the latest one, but it surely contains the merged patch for Zentyal 2…

Could you attach (on gist.github.com) a dump of the Zentyal 5 LDAP DB contents? Remember to anonymize/obfuscate sensitive information!

Also paste the output of

account-provider-test dump

(Veeramani P) #10

I think the problem occurs in NethServer only; we can't access the Zentyal server, it is restricted for some users. Previously we used Untangle and Sophos firewalls with LDAP configuration; they worked normally and all users and groups were listed.

And also, how do we extend the Squid authentication session timeouts? Maybe in domain join mode there is a delay getting authentication from the Zentyal domain server.

You may try to configure the LDAP connection with NethServer and update the results.
Is there any update regarding the LDAP configuration? Kindly inform us; we are in big trouble. We have decided to change the NethServer firewall to another, better one that includes these features (web filter, AD authentication, multi-WAN, OpenVPN). If there is any alternative firewall, kindly let me know.