Bug 35092 – UCS in Active Directory domain - kinit overlay module

Bug 35092 - UCS in Active Directory domain - kinit overlay module


Summary:	UCS in Active Directory domain - kinit overlay module

Status:	CLOSED FIXED

Product:	UCS
Classification:	Unclassified
Component:	LDAP
Version:	UCS 3.2
Hardware:	Other Linux

Importance:	P5 enhancement (vote)
Target Milestone:	UCS 3.2-2-errata
Assigned To:	Stefan Gohmann
QA Contact:	Felix Botner

URL:
Keywords:

Depends on:
Blocks:	34091
	Show dependency tree / graph

Reported:	2014-06-11 08:19 CEST by Stefan Gohmann
Modified:	2014-07-14 10:50 CEST (History)
CC List:	1 user (show)

See Also:
What kind of report is it?:	---
What type of bug is this?:	---
Who will be affected by this bug?:	---
How will those affected feel about the bug?:	---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Max CVSS v3 score:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Stefan Gohmann

2014-06-11 08:19:02 CEST

An overlay module is needed which performs a kinit against an AD based kerberos server. See
 patches/openldap/3.2-0-0-ucs/2.4.35-1-ucs-in-ad-domain/15_pwd_scheme_kinit.patch

+++ This bug was initially created as a clone of Bug #34091 +++

It should be possible to run UCS as part of an Active Directory domain. In this case UCS must not provide Kerberos, DNS or Samba domain controller functionality.

The synchronization of users, groups and computers will be done through the UCS AD connector. A password synchronization is not necessary, we will add an overlay module for OpenLDAP which uses the AD Kerberos as password verification backend for simple LDAP bind.

The UCS system should able to provide Samba shares.

Synchronized objects should be marked as synced (objectsuniventionObjectFlag: synced). In the default read mode of the connector it should not be possible to modify the synchronized attributes. The UDM modules property extension should be extended, for example "readonly_when_synced: True", default is False. Furthermore the object creation via UMC should display a warning that this object will not synchronized to AD.

Comment 1 Stefan Gohmann

2014-07-07 08:17:53 CEST

New overlay module has been added.

Code: r13196 + r13197

YAML: r51414

Comment 2 Felix Botner

2014-07-08 12:15:46 CEST

OK - tested against a local samba4

-> univention-ldapsearch uid=test1 userPassword | ldapsearch-decode64 
dn: uid=test1,dc=w2k12,dc=test
userPassword: {KINIT}

->  ldapsearch -D uid=test1,dc=w2k12,dc=test -w univention uid=test1 uid
dn: uid=test1,dc=w2k12,dc=test
uid: test1

-> ldapsearch -D uid=test1,dc=w2k12,dc=test -w univentiona uid=test1 uid
ldap_bind: Invalid credentials (49)


samba4 stopped
-> ldapsearch -D uid=test1,dc=w2k12,dc=test -w univention uid=test1
ldap_bind: Invalid credentials (49)
Jul  8 12:13:41 master slapd[18513]: conn=1082 op=0: pwd_scheme_kinit: krb5_get_init_creds_password: unable to reach any KDC in realm W2K12.TEST

If "Change password on next login" is activated, login is not possible.

OK - YAML

Comment 3 Moritz Muehlenhoff

2014-07-14 10:50:00 CEST

http://errata.univention.de/ucs/3.2/147.html