Univention Bugzilla – Bug 35092
UCS in Active Directory domain - kinit overlay module
Last modified: 2014-07-14 10:50:00 CEST
An overlay module is needed which performs a kinit against an AD based kerberos server. See patches/openldap/3.2-0-0-ucs/2.4.35-1-ucs-in-ad-domain/15_pwd_scheme_kinit.patch

+++ This bug was initially created as a clone of Bug #34091 +++

It should be possible to run UCS as part of an Active Directory domain. In this case UCS must not provide Kerberos, DNS or Samba domain controller functionality. The synchronization of users, groups and computers will be done through the UCS AD connector. A password synchronization is not necessary; we will add an overlay module for OpenLDAP which uses the AD Kerberos as password verification backend for simple LDAP bind. The UCS system should be able to provide Samba shares.

Synchronized objects should be marked as synced (univentionObjectFlag: synced). In the default read mode of the connector it should not be possible to modify the synchronized attributes. The UDM modules property extension should be extended, for example "readonly_when_synced: True", default is False. Furthermore the object creation via UMC should display a warning that this object will not be synchronized to AD.
New overlay module has been added.
Code: r13196 + r13197
YAML: r51414
OK - tested against a local samba4

-> univention-ldapsearch uid=test1 userPassword | ldapsearch-decode64
dn: uid=test1,dc=w2k12,dc=test
userPassword: {KINIT}

-> ldapsearch -D uid=test1,dc=w2k12,dc=test -w univention uid=test1 uid
dn: uid=test1,dc=w2k12,dc=test
uid: test1

-> ldapsearch -D uid=test1,dc=w2k12,dc=test -w univentiona uid=test1 uid
ldap_bind: Invalid credentials (49)

samba4 stopped
-> ldapsearch -D uid=test1,dc=w2k12,dc=test -w univention uid=test1
ldap_bind: Invalid credentials (49)
Jul 8 12:13:41 master slapd[18513]: conn=1082 op=0: pwd_scheme_kinit: krb5_get_init_creds_password: unable to reach any KDC in realm W2K12.TEST

If "Change password on next login" is activated, login is not possible.

OK - YAML
http://errata.univention.de/ucs/3.2/147.html
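The test comment above shows the operational consequence of the {KINIT} scheme: a bind with a wrong password and a bind while the AD KDC is down both come back to the client as "Invalid credentials (49)", and only the pwd_scheme_kinit line in the slapd log tells the two apart. The following script is an added example (not Univention code and not part of the overlay) that joins each bind's RESULT line with the overlay's krb5 error message, so a log monitor can report a KDC outage instead of a burst of failed logins. The log lines are constructed: the pwd_scheme_kinit line copies the format quoted in the bug, the BIND/RESULT lines follow the slapd "stats" loglevel format, and hostnames, pids and connection numbers are made up.

```python
"""Added example: classify {KINIT} bind failures in slapd logs by whether the
overlay reported an unreachable KDC (not Univention code; sample log lines are
constructed after the message quoted in the bug)."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed sample log.  conn=1082 and conn=1084 fail because the KDC is down,
# conn=1083 fails without any overlay message (e.g. a wrong password).
SAMPLE_LOG = """\
Jul  8 12:13:41 master slapd[18513]: conn=1082 op=0 BIND dn="uid=test1,dc=w2k12,dc=test" method=128
Jul  8 12:13:41 master slapd[18513]: conn=1082 op=0: pwd_scheme_kinit: krb5_get_init_creds_password: unable to reach any KDC in realm W2K12.TEST
Jul  8 12:13:41 master slapd[18513]: conn=1082 op=0 RESULT tag=97 err=49 text=
Jul  8 12:13:45 master slapd[18513]: conn=1083 op=0 BIND dn="uid=test1,dc=w2k12,dc=test" method=128
Jul  8 12:13:45 master slapd[18513]: conn=1083 op=0 RESULT tag=97 err=49 text=
Jul  8 12:13:50 master slapd[18513]: conn=1084 op=0 BIND dn="uid=test2,dc=w2k12,dc=test" method=128
Jul  8 12:13:50 master slapd[18513]: conn=1084 op=0: pwd_scheme_kinit: krb5_get_init_creds_password: unable to reach any KDC in realm W2K12.TEST
Jul  8 12:13:50 master slapd[18513]: conn=1084 op=0 RESULT tag=97 err=49 text=
"""

# Overlay message as quoted in the bug: "conn=N op=M: pwd_scheme_kinit: <krb5 call>: <text>"
KINIT_RE = re.compile(
    r"conn=(?P<conn>\d+) op=(?P<op>\d+): pwd_scheme_kinit: (?P<call>\w+): (?P<msg>.*)$"
)
# Bind response (tag=97) with its LDAP result code; format assumed from slapd stats logging
RESULT_RE = re.compile(r"conn=(?P<conn>\d+) op=(?P<op>\d+) RESULT tag=97 err=(?P<err>\d+)")
REALM_RE = re.compile(r"realm (?P<realm>\S+)$")

LDAP_INVALID_CREDENTIALS = 49


@dataclass(frozen=True)
class BindOutcome:
    conn: int
    op: int
    err: int                    # LDAP result code of the bind response
    kinit_msg: Optional[str]    # krb5 error text logged by the overlay, if any
    realm: Optional[str]        # realm named in that error text, if any


def parse_bind_outcomes(log_text):
    """Return one BindOutcome per bind RESULT line, joined by (conn, op) with any
    pwd_scheme_kinit error the overlay logged for the same operation."""
    kinit = {}      # (conn, op) -> (message, realm)
    outcomes = []
    for line in log_text.splitlines():
        m = KINIT_RE.search(line)
        if m:
            r = REALM_RE.search(m["msg"])
            kinit[(int(m["conn"]), int(m["op"]))] = (m["msg"], r["realm"] if r else None)
            continue
        m = RESULT_RE.search(line)
        if m:
            key = (int(m["conn"]), int(m["op"]))
            msg, realm = kinit.get(key, (None, None))
            outcomes.append(BindOutcome(key[0], key[1], int(m["err"]), msg, realm))
    return outcomes


def classify(outcome):
    """'ok', 'kdc_unreachable' (overlay could not reach a KDC) or
    'credentials_rejected' (bind failed with no KDC reachability error)."""
    if outcome.err == 0:
        return "ok"
    if outcome.kinit_msg and "unable to reach any KDC" in outcome.kinit_msg:
        return "kdc_unreachable"
    return "credentials_rejected"


def unreachable_realms(outcomes):
    """Realms for which at least one bind failed because no KDC answered."""
    return {o.realm for o in outcomes if classify(o) == "kdc_unreachable" and o.realm}


def summarize(outcomes):
    return Counter(classify(o) for o in outcomes)


if __name__ == "__main__":
    outs = parse_bind_outcomes(SAMPLE_LOG)
    print(dict(summarize(outs)), sorted(unreachable_realms(outs)))
```

Because the client-visible error is identical in both cases, alerting on "kdc_unreachable" rather than on the raw count of err=49 results is what lets an operator see that the AD KDC (here the stopped samba4) is the problem, not the users' passwords.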