Univention Bugzilla – Bug 35091
UCS in Active Directory domain - AD connector
Last modified: 2014-08-07 17:44:02 CEST
The AD Connector changes must be merged:
The wizard will be merged via Bug #35090.
+++ This bug was initially created as a clone of Bug #34091 +++
It should be possible to run UCS as part of an Active Directory domain. In this case UCS must not provide Kerberos, DNS or Samba domain controller functionality.
The synchronization of users, groups and computers will be done through the UCS AD connector. A password synchronization is not necessary, we will add an overlay module for OpenLDAP which uses the AD Kerberos as password verification backend for simple LDAP bind.
The UCS system should be able to provide Samba shares.
Synchronized objects should be marked as synced (univentionObjectFlag: synced). In the default read mode of the connector it should not be possible to modify the synchronized attributes. The UDM modules property extension should be extended, for example "readonly_when_synced: True", default is False. Furthermore the object creation via UMC should display a warning that this object will not be synchronized to AD.
One issue we have to solve is the SSL connection. I think we have the following options:
a) switch to Kerberos for the LDAP authentication, in this case TLS is not required
b) upload the root certificate via the ad connection wizard
c) use TLS but don't require the root certificate
I think it would be best to mix these options:
- switch to kerberos a)
- use TLS c)
- if the server does not support SSL / TLS, the wizard should give a hint
- if the server supports SSL / TLS, we don't require the root certificate
- the wizard or the later configuration should allow to upload the root certificate b)
I've created a new bug for the kerberos authentication: Bug #35349.
(In reply to Stefan Gohmann from comment #2)
> I've created a new bug for the kerberos authentication: Bug #35349.
The kerberos authentication issue has been fixed. The problem is that it is not possible to search as host except when kerberos is used.
It should now also be possible to sync the password hashes, but you have to switch back from host authentication to the Administrator authentication:
ucr set connector/ad/ldap/binddn=Administrator
ucr set connector/ad/ldap/bindpw=/etc/univention/connector/password
chmod 700 /etc/univention/connector/password
echo -n "Administrator password" > /etc/univention/connector/password
The synced users are marked as synced objects. By default the connector is configured into read mode (sync from AD to UCS).
Not sure if this is the right bug. But it seems like "Builtin" groups are not marked as synced. UCS can change them (e.g. "Leistungsprotokollbenutzer").
(In reply to Dirk Wiesenthal from comment #4)
> Not sure if this is the right bug. But it seems like "Builtin" groups are
> not marked as synced. UCS can change them (e.g.
That's right. These groups are currently not synced between UCS and AD. From the logfile:
31.07.2014 06:22:05,498 LDAP (INFO ): _ignore_object: ignore object because of subtree match: [CN=Leistungsprotokollbenutzer,CN=Builtin,DC=deadlock16,DC=local]
I think these groups were created in UCS with Samba 4. Maybe Samba 4 was previously installed on one DC?
I've created Bug #35527 for the AD connector.
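The "subtree match" that produces the log line quoted above, as an added illustration (not the connector's own code): the ignored subtree list is a constructed sample, and the point is that the check compares the DN RDN by RDN rather than as a raw string suffix, so containers with similar names or different letter case are handled correctly.

```python
from typing import List

# Constructed sample, mirroring the subtree named in the log line above.
IGNORED_SUBTREES = ["CN=Builtin,DC=deadlock16,DC=local"]


def split_dn(dn: str) -> List[str]:
    """Split a DN into normalised (stripped, lower-cased) RDNs.

    A backslash-escaped comma inside a value does not start a new RDN,
    which a plain str.split(",") would get wrong.
    """
    rdns: List[str] = []
    current: List[str] = []
    escaped = False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(current).strip().lower())
            current = []
        else:
            current.append(ch)
    rdns.append("".join(current).strip().lower())
    return rdns


def is_in_subtree(dn: str, base: str) -> bool:
    """True if dn equals base or lies anywhere below it, compared RDN by RDN."""
    dn_rdns = split_dn(dn)
    base_rdns = split_dn(base)
    if len(dn_rdns) < len(base_rdns):
        return False
    return dn_rdns[len(dn_rdns) - len(base_rdns):] == base_rdns


def ignore_object(dn: str, subtrees: List[str] = IGNORED_SUBTREES) -> bool:
    """Decision the log line reports: skip objects located under an ignored subtree."""
    return any(is_in_subtree(dn, base) for base in subtrees)
```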
OK - Synchronized objects should be marked as synced
OK - If connector/ad/mapping/user/password/kinit is true, connector does not sync the password (instead, sets KINIT as password)
OK - full password synchronisation
OK - AD Connector mode
OK - YAML