Bug 35091 - UCS in Active Directory domain - AD connector
UCS in Active Directory domain - AD connector
Product: UCS
Classification: Unclassified
Component: AD Connector
UCS 3.2
Other Linux
Importance: P5 enhancement
Target Milestone: UCS 3.2-2-errata
Assigned To: Stefan Gohmann
Felix Botner
Depends on:
Blocks: 34091
Reported: 2014-06-11 08:14 CEST by Stefan Gohmann
Modified: 2014-08-07 17:44 CEST (History)
Description Stefan Gohmann univentionstaff 2014-06-11 08:14:37 CEST
The AD Connector changes must be merged:

The wizard will be merged via Bug #35090.

+++ This bug was initially created as a clone of Bug #34091 +++

It should be possible to run UCS as part of an Active Directory domain. In this case UCS must not provide Kerberos, DNS or Samba domain controller functionality.

The synchronization of users, groups and computers will be done through the UCS AD connector. A password synchronization is not necessary, we will add an overlay module for OpenLDAP which uses the AD Kerberos as password verification backend for simple LDAP bind.

The UCS system should be able to provide Samba shares.

Synchronized objects should be marked as synced (univentionObjectFlag: synced). In the default read mode of the connector it should not be possible to modify the synchronized attributes. The UDM modules property extension should be extended, for example "readonly_when_synced: True", default is False. Furthermore the object creation via UMC should display a warning that this object will not be synchronized to AD.
Comment 1 Stefan Gohmann univentionstaff 2014-07-04 06:01:04 CEST
One issue we have to solve is the SSL connection. I think we have the following options:

a) switch to Kerberos for the LDAP authentication, in this case TLS is not required

b) upload the root certificate via the ad connection wizard

c) use TLS but don't require the root certificate

I think it would be best to mix these options:

- switch to kerberos a)
- use TLS c)
  - if the server does not support SSL / TLS, the wizard should give a hint
  - if the server supports SSL / TLS, we don't require the root certificate
    ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_NEVER)
- the wizard or the later configuration should allow to upload the root certificate b)
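Added example, not code from this bug or from UCS: what options b) and c) from the comment above look like in python-ldap, and what each one guarantees. It assumes python-ldap is installed for the actual connection; the URI, bind DN and CA file path are placeholders.

```python
try:
    import ldap  # python-ldap; only needed by connect()
except ImportError:
    ldap = None


def tls_policy(ca_cert_file=None):
    """Describe the TLS policy for the connector's LDAP connection.

    Option c) (no CA uploaded): the session is encrypted, but the server
    certificate is not checked, so a host that redirects the connector's
    traffic can present any certificate and still receive the bind.
    Option b) (CA uploaded via the wizard): the chain is verified against
    that CA and a certificate that does not chain aborts the connection.
    """
    if ca_cert_file is None:
        return {"require_cert": "never", "cacertfile": None,
                "authenticates_server": False}
    return {"require_cert": "demand", "cacertfile": ca_cert_file,
            "authenticates_server": True}


def connect(uri, binddn, bindpw, ca_cert_file=None):
    """Open an LDAP connection with STARTTLS under the chosen policy."""
    if ldap is None:
        raise RuntimeError("python-ldap is required for connect()")
    policy = tls_policy(ca_cert_file)
    level = {"never": ldap.OPT_X_TLS_NEVER,
             "demand": ldap.OPT_X_TLS_DEMAND}[policy["require_cert"]]
    conn = ldap.initialize(uri)  # e.g. "ldap://dc.example.invalid" (placeholder)
    conn.protocol_version = ldap.VERSION3
    if policy["cacertfile"]:
        conn.set_option(ldap.OPT_X_TLS_CACERTFILE, policy["cacertfile"])
    conn.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, level)
    conn.set_option(ldap.OPT_X_TLS_NEWCTX, 0)  # TLS options apply to a new context
    try:
        conn.start_tls_s()
    except ldap.LDAPError as exc:
        # The wizard hint from the comment: the server offers no STARTTLS.
        raise RuntimeError("server does not support SSL / TLS: %s" % exc)
    conn.simple_bind_s(binddn, bindpw)
    return conn
```

Options must be set before start_tls_s(); with OPT_X_TLS_NEVER a bind still succeeds against any certificate, which is why uploading the root certificate (option b) is what makes the connection authenticated rather than merely encrypted.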
Comment 2 Stefan Gohmann univentionstaff 2014-07-14 09:27:25 CEST
I've created a new bug for the kerberos authentication: Bug #35349.
Comment 3 Stefan Gohmann univentionstaff 2014-07-29 09:28:09 CEST
(In reply to Stefan Gohmann from comment #2)
> I've created a new bug for the kerberos authentication: Bug #35349.

The Kerberos authentication issue has been fixed. The problem is that it is not possible to search as host except when Kerberos is used.

It should now also be possible to sync the password hashes, but you have to switch back from host authentication to the Administrator authentication:
 ucr set connector/ad/ldap/binddn=Administrator
 ucr set connector/ad/ldap/bindpw=/etc/univention/connector/password
 touch /etc/univention/connector/password
 chmod 700 /etc/univention/connector/password
 echo -n "Administrator password" > /etc/univention/connector/password

The synced users are marked as synced objects. By default the connector is configured into read mode (sync from AD to UCS).
Comment 4 Dirk Wiesenthal univentionstaff 2014-07-30 22:15:12 CEST
Not sure if this is the right bug. But it seems like "Builtin" groups are not marked as synced. UCS can change them (e.g. "Leistungsprotokollbenutzer").
Comment 5 Stefan Gohmann univentionstaff 2014-07-31 06:31:45 CEST
(In reply to Dirk Wiesenthal from comment #4)
> Not sure if this is the right bug. But it seems like "Builtin" groups are
> not marked as synced. UCS can change them (e.g.
> "Leistungsprotokollbenutzer").

That's right. These groups are currently not synced between UCS and AD. From the logfile:

31.07.2014 06:22:05,498 LDAP        (INFO   ): _ignore_object: ignore object because of subtree match: [CN=Leistungsprotokollbenutzer,CN=Builtin,DC=deadlock16,DC=local]

I think these groups were created in UCS with Samba 4. Maybe Samba 4 was previously installed on one DC?

I've created Bug #35527 for the AD connector.
Comment 6 Felix Botner univentionstaff 2014-07-31 16:03:39 CEST
OK - Synchronized objects should be marked as synced 
OK - If connector/ad/mapping/user/password/kinit is true, connector
     does not sync the password (instead, sets KINIT as password)
OK - full password synchronisation
OK - AD Connector mode

Comment 7 Janek Walkenhorst univentionstaff 2014-08-07 17:44:02 CEST