Bug 35093 - UCS in Active Directory domain - kinit overlay module (univention-ldap)
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: LDAP
Version: UCS 3.2
OS: Other Linux
Importance: P5 enhancement
Target Milestone: UCS 3.2-2-errata
Assigned To: Stefan Gohmann
QA Contact: Felix Botner
Depends on:
Blocks: 34091
Reported: 2014-06-11 08:25 CEST by Stefan Gohmann
Modified: 2014-07-14 10:51 CEST (History)
Description Stefan Gohmann univentionstaff 2014-06-11 08:25:13 CEST
univention-ldap must load this overlay module, see:
 ucs-3.2/component/ucs-in-ad-domain/univention-ldap

+++ This bug was initially created as a clone of Bug #35092 +++

An overlay module is needed which performs a kinit against an AD-based Kerberos server. See
 patches/openldap/3.2-0-0-ucs/2.4.35-1-ucs-in-ad-domain/15_pwd_scheme_kinit.patch

+++ This bug was initially created as a clone of Bug #34091 +++

It should be possible to run UCS as part of an Active Directory domain. In this case UCS must not provide Kerberos, DNS or Samba domain controller functionality.

The synchronization of users, groups and computers will be done through the UCS AD connector. A password synchronization is not necessary; we will add an overlay module for OpenLDAP which uses the AD Kerberos as password verification backend for simple LDAP bind.

The UCS system should be able to provide Samba shares.

Synchronized objects should be marked as synced (univentionObjectFlag: synced). In the default read mode of the connector it should not be possible to modify the synchronized attributes. The UDM module property extension should be extended, for example "readonly_when_synced: True", default is False. Furthermore, the object creation via UMC should display a warning that this object will not be synchronized to AD.
Comment 1 Stefan Gohmann univentionstaff 2014-07-07 08:15:56 CEST
Merged from ucs-in-ad scope and added some more minor fixes:
 r51413 + r51415 + r51416

YAML: r51429
Comment 2 Felix Botner univentionstaff 2014-07-07 17:20:26 CEST
OK - univention-ldap
OK - YAML
Comment 3 Moritz Muehlenhoff univentionstaff 2014-07-14 10:51:25 CEST
http://errata.univention.de/ucs/3.2/150.html