
    Problem with groups in SAMBA AD

    Kopano Groupware Core
    • hmin
      hmin last edited by

      Hello,

      I set up a new Kopano environment on Debian 10 and 2 new Samba AD controllers for testing purposes.
      Web interface and user authentication work fine, but I ran into some problems with the groups and hoped maybe someone here has an idea of what I’m doing wrong.

      Here is where I am at the moment in terms of troubleshooting:

      I can list the users but I cannot list the groups:

      root@kobra:/etc/kopano# kopano-cli --list-groups
      MAPI error 8004010F (MAPI_E_NOT_FOUND)
      root@kobra:/etc/kopano# kopano-cli --list-users
      User list for Default (3):
      User             Full Name            Homeserver          
      ----------------------------------------------------------
      SYSTEM           SYSTEM               Unknown             
      dreamcast        dreamcast            Unknown             
      uzume            uzume                Unknown  
      

      In the log files I see this error:

      Jul 30 11:08:18 kobra kopano-server[743]: LDAP query in "DC=software,DC=htc" failed: (&(|(&(objectClass=group)(objectCategory=Group))(&(objectClass=kopanoDynamicGroup)kopanoAccount))) (result=0xfffffff9, Bad search filter)
      

      If I try this with ldapsearch, it also does not find anything:

      root@kobra:/etc/kopano# ldapsearch -H ldap://samba1.software.htc:389 -D CN=Administrator,CN=Users,DC=software,DC=htc -W "(&(|(&(objectClass=group)(objectCategory=Group))(&(objectClass=kopanoDynamicGroup)kopanoAccount)))"
      Enter LDAP Password: 
      # extended LDIF
      #
      # LDAPv3
      # base <dc=software,dc=htc> (default) with scope subtree
      # filter: (&(|(&(objectClass=group)(objectCategory=Group))(&(objectClass=kopanoDynamicGroup)kopanoAccount)))
      # requesting: ALL
      #
      
      ldap_search_ext: Bad search filter (-7)
      

      If I try it without the Kopano-specific stuff, it works:

      root@kobra:/etc/kopano# ldapsearch -H ldap://samba1.software.htc:389 -D CN=Administrator,CN=Users,DC=software,DC=htc -W "(&(|(&(objectClass=group)(objectCategory=Group))))"
      Enter LDAP Password: 
      # extended LDIF
      #
      # LDAPv3
      # base <dc=software,dc=htc> (default) with scope subtree
      # filter: (&(|(&(objectClass=group)(objectCategory=Group))))
      # requesting: ALL
      #
      
      # RAS and IAS Servers, Users, software.htc
      dn: CN=RAS and IAS Servers,CN=Users,DC=software,DC=htc
      objectClass: top
      objectClass: group
      cn: RAS and IAS Servers
      description: Servers in this group can access remote access properties of user
       s
      ...
      

      I think the problem is that there is no group with the objectClass=kopanoDynamicGroup
      Screenshot at 2019-07-30 11-19-44.png

      Here are my LDAP settings:

      cat ldap.cfg 
      !include /etc/kopano/ldap.active-directory.cfg
      
      ldap_host = samba1.software.htc
      ldap_port = 389
      ldap_protocol = ldap
      
      ldap_bind_user = cn=administrator,CN=Users,DC=software,DC=htc
      ldap_bind_passwd = ************
      ldap_authentication_method = bind
      
      ldap_search_base = OU=koopa,DC=software,DC=htc
      

      Here are the important settings from my ldap.active-directory.cfg

      ldap_object_type_attribute = objectClass
      ldap_user_type_attribute_value = user
      ldap_group_type_attribute_value = group
      ldap_contact_type_attribute_value = contact
      ldap_company_type_attribute_value = organizationalUnit
      ldap_addresslist_type_attribute_value = kopanoAddresslist
      ldap_dynamicgroup_type_attribute_value = kopanoDynamicGroup
      ldap_server_type_attribute_value = computer
      
      
      ldap_user_search_filter =
      

      Greetings,

      David

      • fbartels
        fbartels Kopano @hmin last edited by

        Hi @hmin,

        can you post your full ldap configuration?

        Btw., instead of creating a /etc/kopano/ldap.active-directory.cfg, the recommended way to configure LDAP in Kopano is to copy the example config from /usr/share/doc/kopano/example-config/ldap.cfg to /etc/kopano/ldap.cfg and define there which config template to include (so in your case comment !include /usr/share/kopano/ldap.openldap.cfg and uncomment !include /usr/share/kopano/ldap.active-directory.cfg). Every setting that should then override the default (like a different user search filter) should go in /etc/kopano/ldap.cfg.

        Regards Felix

        Resources:
        https://kopano.com/blog/how-to-get-kopano/
        https://documentation.kopano.io/
        https://kb.kopano.io/

        Support overview:
        https://kopano.com/support/

        • hmin
          hmin last edited by

          Thank you for the reply. When I changed the LDAP configuration to /usr/share/kopano/ldap.active-directory.cfg
          as you described, I noticed that the problem I previously had was gone. I then did a diff between the two files and noticed that
          I changed “ldap_dynamicgroup_search_filter”; that was why it could not find the group.

          root@kobra:/etc/kopano# diff ldap.active-directory.cfg /usr/share/kopano/ldap.active-directory.cfg
          45c45
          < ldap_user_search_filter =
          ---
          > ldap_user_search_filter = (objectCategory=Person)
          327c327
          < ldap_dynamicgroup_search_filter = kopanoAccount
          ---
          > ldap_dynamicgroup_search_filter =
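
          Review bot: in the 327c327 hunk, the local value `ldap_dynamicgroup_search_filter = kopanoAccount` is a bare attribute name, not a filter item, and it shows up verbatim in the rejected query as `(&(objectClass=kopanoDynamicGroup)kopanoAccount)`. Leave the setting empty as in the packaged file, or write it as a complete parenthesised test of the form `(attribute=value)`.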
          

          Thanks a lot for the help.

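
An added example, not part of the thread or of Kopano's code: a simplified RFC 4515 syntax check that can be run over the `*_search_filter` settings before restarting kopano-server. It assumes, from the logged query in the first post, that each setting is inserted verbatim into the combined filter; the function names are hypothetical, and extensible-match rules are not covered.

```python
import re

ITEM = re.compile(r"[A-Za-z][A-Za-z0-9.;-]*[~<>]?=[^()]*")  # simplified RFC 4515 item

def _parse(s, i):
    """Parse one '(' ... ')' filter starting at s[i]; return (next_index, error)."""
    if s[i:i + 1] != "(":
        return i, f"expected '(' at offset {i}, found {s[i:i + 20]!r}"
    i += 1
    if s[i:i + 1] in ("&", "|", "!"):
        op, i, operands = s[i], i + 1, 0
        while i < len(s) and s[i] != ")":
            i, err = _parse(s, i)
            if err:
                return i, err
            operands += 1
        if operands == 0 or (op == "!" and operands != 1):
            return i, f"operator {op!r} has {operands} operand(s)"
    else:
        m = ITEM.match(s, i)
        if not m:
            return i, f"not an attribute test at offset {i}: {s[i:i + 20]!r}"
        i = m.end()
    if s[i:i + 1] != ")":
        return i, f"missing ')' at offset {i}"
    return i + 1, None

def check_filter(text):
    """Return None for a well-formed filter, else a description of the fault."""
    pos, err = _parse(text, 0)
    if err is None and pos != len(text):
        err = f"unexpected text at offset {pos}: {text[pos:]!r}"
    return err

def lint_config(cfg_text):
    """Map each non-empty *_search_filter setting that is malformed to its fault."""
    faults = {}
    for line in cfg_text.splitlines():
        key, sep, value = (part.strip() for part in line.partition("="))
        if sep and key.endswith("_search_filter") and value and check_filter(value):
            faults[key] = check_filter(value)
    return faults

# Inputs copied from this page: the logged query and the two locally edited settings.
LOGGED = ("(&(|(&(objectClass=group)(objectCategory=Group))"
          "(&(objectClass=kopanoDynamicGroup)kopanoAccount)))")
LOCAL_CFG = "ldap_user_search_filter =\nldap_dynamicgroup_search_filter = kopanoAccount\n"

if __name__ == "__main__":
    print(check_filter(LOGGED), lint_config(LOCAL_CFG), sep="\n")
```

The empty `ldap_user_search_filter` passes because empty values are skipped; only the bare `kopanoAccount` is reported.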