trouble on get kopano users / groups from active directory



  • Hello together,

    I am trying to use my Active Directory as user database following the guide
    on the Kopano documentation site: https://documentation.kopano.io/kopanocore_administrator_manual/configure_kc_components.html#id4

    After some trouble finding the correct parameters to connect to the Active Directory, I thought I got it to work, but if I want to fetch the users from the server with:

    #$ kopano-cli --list-users

    I got an error in the logs:

    [info ] Auto-creating user from external source
    [warning] K-1534: Unable to create object in local database: user has no name

    You can find this error in the error-code section:
    https://kb.kopano.io/display/WIKI/K-XXXX+log+entries

    … but there is no additional description for that. So I have no idea where the
    problem is.

    The connection params for LDAP seem to be correct. If I modify values (password, bind-user, search-base) I get an error in the logfile that the ldap-auth-module could not be initialised. I also tried the same settings on the command line with ldap-search, and this also works fine.
    With ldap-search I got a list of all relevant users in the OU, so I think that is
    not an authentication problem.

    I have 2 other questions regarding this:

    Is it needed to put the kopano base linux system as a domain member / join the domain with a computer-account or does the active directory-auth work too without this step?

    What credentials needs an active directory user to bind and search inside ad? I tried with a standard user and got no successful connection. After I switched the ldap-bind user to a domain-admin-account the search worked.

    Thanks for your help.

    Best regards
    Andre


  • Kopano

    Hi @Andre ,

    From what you describe we should be able to tell more, once you enable the user plugin diag logging in server.cfg. From the error description it sounds like the user you use to search the ldap, does not have enough permissions to read out all relevant user information (the error message strongly hints either towards the full name or username - I did not check the source code what is more likely).

    @andre said in trouble on get kopano users / groups from active directory:

    Is it needed to put the kopano base linux system as a domain member / join the domain with a computer-account

    No, unless you also want to work with Kerberos, this is not necessary.

    @andre said in trouble on get kopano users / groups from active directory:

    What credentials needs an active directory user to bind and search inside ad?

    The given user should have at least enough permission to list your users/groups along with all configured attributes.



  • @fbartels said in trouble on get kopano users / groups from active directory:

    the error description it sounds like the user you use to search the ldap, does not have enough permissions to read out all relevant user information

    Thanks a lot. Your answers got me thinking about it and I had a look at the configuration examples in /usr/share/kopano. There was an example configuration file for Active Directory, but inside this file there were no settings for the LDAP host and other needed settings.
    So I included the example file at the end of my ldap.cnf and now I get all users / groups.

    !include /usr/share/kopano/ldap.active-directory.cfg
    

    The only thing is that I now get all users, not only users that are enabled for Kopano. Of the 25 users in AD only 20 have the flag “kopano user” enabled in the user-setting kopano-tab.
    I tried to set:

    ldap_user_search_filter = (kopanoAccount=1)
    

    … but this was overwritten with “(objectCategory=Person)” in the active-directory example configuration. After changing the value inside that file, it was OK.

    So I have modified the default filter

    ldap_user_search_filter = (&(objectCategory=Person)(kopanoAccount=1))
    

    … and hope this way is the correct one.

    Andre


  • Kopano

    Hi @Andre,

    I just scrolled through our LDAP documentation and it seems a bit more verbose (and therefore probably confusing) than it needs to be. The gist is the following:

    • you should copy /usr/share/doc/kopano/example-config/ldap.cfg to /etc/kopano/ldap.cfg
    • you should only modify files in /etc/kopano and no files below /usr/share to configure kopano or the ldap integration of kopano
    • in /etc/kopano/ldap.cfg you should switch the include statement according to your type of ldap and of course change your connection details.
    • if you then want/need to override a default (like your ldap_user_search_filter) then you should add this to /etc/kopano/ldap.cfg.
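
Added example, not part of the thread and not Kopano's own code: a small resolver that follows `!include` lines and reports which file and line supplies the effective `ldap_user_search_filter`, so an override placed before the include (as in the post above) is easy to spot. It assumes `key = value` syntax, that the last assignment wins as observed in the thread, and that relative include paths resolve against the including file; the sample files are constructed.

```python
import os
import tempfile

def resolve(path, seen=None):
    """Return {key: (value, file, line)} for a Kopano-style cfg, following !include."""
    seen = seen if seen is not None else set()
    real = os.path.realpath(path)
    if real in seen:                      # guard against include loops
        return {}
    seen.add(real)
    effective = {}
    with open(real, encoding="utf-8") as fh:
        for lineno, raw in enumerate(fh, 1):
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            if line.startswith("!include"):
                target = line[len("!include"):].strip()
                if not os.path.isabs(target):   # assumption: relative to includer
                    target = os.path.join(os.path.dirname(real), target)
                effective.update(resolve(target, seen))  # later values replace earlier
                continue
            key, sep, value = line.partition("=")
            if sep:
                effective[key.strip()] = (value.strip(), real, lineno)
    return effective

def demo():
    """Build constructed sample files; return the effective user filter per layout."""
    with tempfile.TemporaryDirectory() as d:
        ad = os.path.join(d, "ldap.active-directory.cfg")
        with open(ad, "w") as fh:
            fh.write("ldap_user_search_filter = (objectCategory=Person)\n")
        override = "ldap_user_search_filter = (&(objectCategory=Person)(kopanoAccount=1))\n"
        layouts = {
            "include_last": override + "!include %s\n" % ad,   # override is lost
            "include_first": "!include %s\n" % ad + override,  # override is kept
        }
        result = {}
        for name, body in layouts.items():
            cfg = os.path.join(d, name + ".cfg")
            with open(cfg, "w") as fh:
                fh.write(body)
            value, src, lineno = resolve(cfg)["ldap_user_search_filter"]
            result[name] = (value, os.path.basename(src), lineno)
        return result

if __name__ == "__main__":
    for name, hit in demo().items():
        print(name, "->", hit)
```

Pointing `resolve()` at a real `/etc/kopano/ldap.cfg` shows the file and line that supply each effective value, which also reveals settings that still come from a file under `/usr/share`.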


  • Thanks for your reply. You made my day. :-)

