Problem with groups in SAMBA AD



  • Hello,

I set up a new Kopano environment on Debian 10 and two new Samba AD controllers for testing purposes.
    The web interface and user authentication work fine, but I ran into some problems with the groups and hoped that maybe someone here has an idea of what I'm doing wrong.

Here is where I am at the moment in terms of troubleshooting:

I can list the users, but I cannot list the groups:

    root@kobra:/etc/kopano# kopano-cli --list-groups
    MAPI error 8004010F (MAPI_E_NOT_FOUND)
    root@kobra:/etc/kopano# kopano-cli --list-users
    User list for Default (3):
    User             Full Name            Homeserver          
    ----------------------------------------------------------
    SYSTEM           SYSTEM               Unknown             
    dreamcast        dreamcast            Unknown             
    uzume            uzume                Unknown  
    

In the log files I see this error:

    Jul 30 11:08:18 kobra kopano-server[743]: LDAP query in "DC=software,DC=htc" failed: (&(|(&(objectClass=group)(objectCategory=Group))(&(objectClass=kopanoDynamicGroup)kopanoAccount))) (result=0xfffffff9, Bad search filter)
    

If I try this with ldapsearch, it also does not find anything:

    root@kobra:/etc/kopano# ldapsearch -H ldap://samba1.software.htc:389 -D CN=Administrator,CN=Users,DC=software,DC=htc -W "(&(|(&(objectClass=group)(objectCategory=Group))(&(objectClass=kopanoDynamicGroup)kopanoAccount)))"
    Enter LDAP Password: 
    # extended LDIF
    #
    # LDAPv3
    # base <dc=software,dc=htc> (default) with scope subtree
    # filter: (&(|(&(objectClass=group)(objectCategory=Group))(&(objectClass=kopanoDynamicGroup)kopanoAccount)))
    # requesting: ALL
    #
    
    ldap_search_ext: Bad search filter (-7)
    

If I try it without the Kopano-specific stuff, it works:

    root@kobra:/etc/kopano# ldapsearch -H ldap://samba1.software.htc:389 -D CN=Administrator,CN=Users,DC=software,DC=htc -W "(&(|(&(objectClass=group)(objectCategory=Group))))"
    Enter LDAP Password: 
    # extended LDIF
    #
    # LDAPv3
    # base <dc=software,dc=htc> (default) with scope subtree
    # filter: (&(|(&(objectClass=group)(objectCategory=Group))))
    # requesting: ALL
    #
    
    # RAS and IAS Servers, Users, software.htc
    dn: CN=RAS and IAS Servers,CN=Users,DC=software,DC=htc
    objectClass: top
    objectClass: group
    cn: RAS and IAS Servers
    description: Servers in this group can access remote access properties of user
     s
    ...
    

I think the problem is that there is no group with the objectClass=kopanoDynamicGroup.

Here are my LDAP settings:

    cat ldap.cfg 
    !include /etc/kopano/ldap.active-directory.cfg
    
    ldap_host = samba1.software.htc
    ldap_port = 389
    ldap_protocol = ldap
    
    ldap_bind_user = cn=administrator,CN=Users,DC=software,DC=htc
    ldap_bind_passwd = ************
    ldap_authentication_method = bind
    
    ldap_search_base = OU=koopa,DC=software,DC=htc
    

Here are the important settings from my ldap.active-directory.cfg:

    ldap_object_type_attribute = objectClass
    ldap_user_type_attribute_value = user
    ldap_group_type_attribute_value = group
    ldap_contact_type_attribute_value = contact
    ldap_company_type_attribute_value = organizationalUnit
    ldap_addresslist_type_attribute_value = kopanoAddresslist
    ldap_dynamicgroup_type_attribute_value = kopanoDynamicGroup
    ldap_server_type_attribute_value = computer
    
    
    ldap_user_search_filter =
    

    Greetings,

    David


  • Kopano

    Hi @hmin,

    can you post your full ldap configuration?

By the way, instead of creating a /etc/kopano/ldap.active-directory.cfg, the recommended way to configure LDAP in Kopano is to copy the example config from /usr/share/doc/kopano/example-config/ldap.cfg to /etc/kopano/ldap.cfg and there define which config template to include (so in your case, comment out !include /usr/share/kopano/ldap.openldap.cfg and uncomment !include /usr/share/kopano/ldap.active-directory.cfg). Every setting that should then override the default (like a different user search filter) should go into /etc/kopano/ldap.cfg.



Thank you for the reply. When I changed the LDAP configuration to /usr/share/kopano/ldap.active-directory.cfg
    as you described, I noticed that the problem I previously had was gone. I then did a diff between the two files and noticed that
    I had changed "ldap_dynamicgroup_search_filter"; that was why it could not find the group.

    root@kobra:/etc/kopano# diff ldap.active-directory.cfg /usr/share/kopano/ldap.active-directory.cfg
    45c45
    < ldap_user_search_filter =
    ---
    > ldap_user_search_filter = (objectCategory=Person)
    327c327
    < ldap_dynamicgroup_search_filter = kopanoAccount
    ---
    > ldap_dynamicgroup_search_filter =
    

Thanks a lot for the help.
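
The filter in the log line is not merely unmatched, it is syntactically invalid: the configured value `kopanoAccount` was spliced into the `(&(objectClass=kopanoDynamicGroup)...)` conjunction as a bare token without parentheses, which is exactly what both kopano-server (result=0xfffffff9) and ldapsearch (-7) report as "Bad search filter". The following Python script is an example added to this thread; it is not part of the original posts and not Kopano code. It is a strict RFC 4515 syntax checker you can run over any `ldap_*_search_filter` value before it goes into ldap.cfg. The `compose_type_filter` helper is an assumption that mirrors the shape of the query seen in the log (an objectClass test ANDed with the extra search filter) and is not Kopano's actual implementation; `(kopanoAccount=1)` is a hypothetical, correctly parenthesised value used only to show the contrast.

```python
"""
Strict RFC 4515 LDAP search-filter syntax checker.

Added example for this thread, not Kopano code. It reproduces the
"Bad search filter" failure from the log and shows why an unparenthesised
ldap_*_search_filter value breaks the composed query.
Extensible-match filters (attr:dn:rule:=value) are not supported.
"""
import re

# attributedescription: type name, optionally with ;options (RFC 4512)
_ATTR = re.compile(r"[A-Za-z][A-Za-z0-9-]*(?:;[A-Za-z0-9-]+)*")
_HEX2 = re.compile(r"[0-9A-Fa-f]{2}")


class FilterSyntaxError(ValueError):
    """Raised with the offset into the filter string where parsing failed."""


def _parse(s: str, i: int) -> int:
    """Parse one parenthesised filter starting at s[i]; return index after ')'."""
    if i >= len(s) or s[i] != "(":
        raise FilterSyntaxError(f"expected '(' at offset {i}, got {s[i:i + 1]!r}")
    i += 1
    if i >= len(s):
        raise FilterSyntaxError(f"unexpected end of filter at offset {i}")
    op = s[i]
    if op in "&|":
        # and/or take one or more parenthesised operands
        i += 1
        count = 0
        while i < len(s) and s[i] == "(":
            i = _parse(s, i)
            count += 1
        if count == 0:
            raise FilterSyntaxError(f"'{op}' at offset {i - 1} has no operands")
        if i < len(s) and s[i] != ")":
            # the thread's bug: a bare token such as kopanoAccount inside (&...)
            raise FilterSyntaxError(
                f"'{op}' operand at offset {i} is not parenthesised: {s[i:i + 20]!r}")
    elif op == "!":
        i = _parse(s, i + 1)
    else:
        m = _ATTR.match(s, i)
        if not m:
            raise FilterSyntaxError(f"expected attribute name at offset {i}")
        i = m.end()
        if s[i:i + 2] in (">=", "<=", "~="):
            i += 2
        elif s[i:i + 1] == "=":
            i += 1
        else:
            raise FilterSyntaxError(f"expected comparison operator at offset {i}")
        # assertion value runs to ')'; '(' ')' '\' and NUL must be escaped as \XX
        while i < len(s) and s[i] != ")":
            if s[i] == "(":
                raise FilterSyntaxError(f"unescaped '(' in value at offset {i}")
            if s[i] == "\\":
                if not _HEX2.fullmatch(s[i + 1:i + 3]):
                    raise FilterSyntaxError(f"bad escape at offset {i}")
                i += 3
            else:
                i += 1
    if i >= len(s) or s[i] != ")":
        raise FilterSyntaxError(f"expected ')' at offset {i}")
    return i + 1


def validate_filter(s: str) -> None:
    """Raise FilterSyntaxError unless s is one complete RFC 4515 filter."""
    end = _parse(s, 0)
    if end != len(s):
        raise FilterSyntaxError(f"trailing data at offset {end}: {s[end:]!r}")


def filter_error(s: str):
    """Return the syntax error message for s, or None if it is well-formed."""
    try:
        validate_filter(s)
    except FilterSyntaxError as e:
        return str(e)
    return None


def compose_type_filter(type_value: str, extra_filter: str,
                        type_attribute: str = "objectClass") -> str:
    """ASSUMPTION: per-type query = object-type test ANDed with the configured
    ldap_*_search_filter. Mirrors the shape in the log line only; this is not
    Kopano's real implementation."""
    base = f"({type_attribute}={type_value})"
    if not extra_filter.strip():
        return base
    return f"(&{base}{extra_filter.strip()})"


# Constructed input: the filter copied from the kopano-server log line.
LOG_FILTER = ("(&(|(&(objectClass=group)(objectCategory=Group))"
              "(&(objectClass=kopanoDynamicGroup)kopanoAccount)))")

if __name__ == "__main__":
    print("log filter:", filter_error(LOG_FILTER))
    # candidate config values: the broken one, the template default, a valid one
    for cfg in ("kopanoAccount", "", "(kopanoAccount=1)"):
        composed = compose_type_filter("kopanoDynamicGroup", cfg)
        print(f"ldap_dynamicgroup_search_filter = {cfg!r:20} -> {composed}: "
              f"{filter_error(composed) or 'ok'}")
```

The checker is deliberately stricter than OpenLDAP's own parser (which tolerates an unparenthesised top-level `attr=value`), because Kopano composes its queries by nesting the configured value inside a conjunction, where only fully parenthesised sub-filters are legal. Run it on any non-empty search filter you plan to set, and treat any report as a configuration error rather than an "empty result".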

