trouble on get kopano users / groups from active directory
i try to use my active directory as user database following the guide
on kopano documentation site: https://documentation.kopano.io/kopanocore_administrator_manual/configure_kc_components.html#id4
After some trouble to find correct parameters to connect to the active directory and i thought i got it work, but if i want to fetch the users from the server with:
#$ kopano-cli --list-users
i got error in the logs:
[info ] Auto-creating user from external source
[warning] K-1534: Unable to create object in local database: user has no name
You can find these error in the error-code section:
… but there is no additional description for that. So i have no idea, where the
The connection params for ldap seems to be correct. If i modify values (password, bind-user, search-base) i got en error in logfile, that ldap-auth-module could not be initialised. I also tried the same settings on command line with ldap-search, and this also works fine.
With ldap-search i got an list of all relevant users in the ou, so i think that is
not an authentification problem.
I have 2 other questions regarding this:
Is it needed to put the kopano base linux system as a domain member / join the domain with a computer-account or does the active directory-auth does work too without this step?
What credentials needs an active directory user to bind and search inside ad? I tried with a standard user and got no successfull connection. After i switched the ldap-bind user to an domain-admin-account the search worked.
Thanks for your help.
Hi @Andre ,
From what you describe we should be able to tell more, once you enable the user plugin diag logging in server.cfg. from the error description it sounds like the user you use to search the ldap, does not have enough permissions to read out all relevant user information (the error message strongly hints either towards the full name or username - I did not check the source code what is more likely).
Is it needed to put the kopano base linux system as a domain member / join the domain with a computer-account
No, unless you also want to work with Kerberos, this is not necessary.
What credentials needs an active directory user to bind and search inside ad?
The given user should have at least enough permission to list your users/groups along with all configured attributes.
the error description it sounds like the user you use to search the ldap, does not have enough permissions to read out all relevant user information
Thanks a lot. Your answers lets me thinking about it and i have had a look at the configuration examples in /usr/share/kopano. There was an example configuration file for active directory but inside this file, was no settings for ldap host and other needed settings.
So in included the example file at the end of my ldap.cnf and now i got all users / groups.
The only thing is that i now get all users, not only users that are enabled for kopano. From the 25 Users in AD only 20 have the flag “kopano user” enabled in the user-setting kopano-tab.
I tried to set:
ldap_user_search_filter = (kopanoAccount=1)
… but this was overwritten with “(objectCategory=Person)” in the active-directory example configuration. After change the value inside that file, it was ok.
So i have modified the default filter
ldap_user_search_filter = (&(objectCategory=Person)(kopanoAccount=1))
… and hope this way is the correct one.
I just scrolled through our ldap documentation and it seems a bit more verbose (and therefore probably confusing) than it needs to be. the gist is the following:
- you should copy
- you should only modify files in
/etc/kopanoand no files below
/usr/shareto configure kopano or the ldap integration of kopano
/etc/kopano/ldap.cfgyou should switch the include statement according to your type of ldap and of course change your connection details.
- if you then want/need to override a default (like your
ldap_user_search_filter) then you should add this to
- you should copy
Thanks for your reply. You made my day. :-)