Kopano and LDAP
-
Dear everyone,
I found a notice that Samba4 is not supported as a user source for installations with more than 50 users. Is this still valid?
< https://documentation.kopano.io/kopanocore_administrator_manual/user_management.html >
Is anyone here using Samba4 with Kopano? How many users do you have?
Best, Tobias
-
@tgm it works fine as long as you set the correct indexing.
I'm using Kopano with Samba4 ADs for 4 years now.
-
@thctlo I did not activate additional indexes. Do you have any hint for me?
We have the Sernet support package 4.12.8-8 active. Do you mean these indexes? Can I just activate them like written in this document in Samba4?
-
@tgm
start reading here :
https://forum.kopano.io/topic/1332/migration-from-db-to-openldap?_=1608114563424
Of course… I did a bit of back searching because most should be in the Kopano forum already, but I see some external links don't work anymore.
The full setup you need to go through.
# source : https://stash.kopano.io/projects/KC/repos/kopano-ads-source/browse/samba/kopano-samba-ads
# In /etc/samba/smb.conf change/allow schema updates (the Samba parameter is "dsdb:schema update allowed")
sudo sed -i 's/sdb:schema update allowed = no/sdb:schema update allowed = yes/g' /etc/samba/smb.conf
sudo systemctl reload samba-ad-dc
# If you install the ldiff from the DC itself.
sudo bash kopano_schema_add.sh DC=INTERNAL,DC=DOMAIN,DC=TLD ./ldiff/ -v -H /var/lib/samba/private/sam.ldb -writechanges
# or if you do a remote install in ldap (AD).
#sudo bash kopano_schema_add.sh DC=INTERNAL,DC=DOMAIN,DC=TLD ./ldiff/ -H ldaps://hostname.your.domain.tld -UAdministrator%YourStrongPass -writechanges
# Wait^^ after it's finished, give the AD time to sync if you have multiple DCs.
# revert the schema update allowed.
sudo sed -i 's/sdb:schema update allowed = yes/sdb:schema update allowed = no/g' /etc/samba/smb.conf
sudo systemctl reload samba-ad-dc
So that's adding the Kopano schema.
Now look up what to index:
https://documentation.kopano.io/kopanocore_administrator_manual/configure_kc_components.html#configure-ldap-indices-in-openldap
(DO NOT use: cat optimize-index.ldif | ldapmodify -Y EXTERNAL -H ldapi:/// , that's for OpenLDAP.)
Adding the indexing to Samba AD-DCs.
For the case of Samba AD we are editing a schema based database. Take into account that directly editing @INDEXLIST will not work, as @INDEXLIST is generated from the schema. We will need to edit the schema to ensure indexing on the desired attributes.
Now, verify which records are indexed:
ldbsearch -H /var/lib/samba/private/sam.ldb -s base -b @INDEXLIST
Then first find the base DN for your setup:
ldbsearch -H /var/lib/samba/private/sam.ldb -s base -b "" defaultNamingContext
Then edit the schema, using ldbedit and set searchFlags attribute to 1 on the attribute entry you want to index:
( examples, adjust with your values )
ldbedit -H /var/lib/samba/private/sam.ldb -b CN=SCHEMA,CN=CONFIGURATION,DC=S-AD1,DC=INTERNAL,DC=DOMAIN,DC=TLD
and change searchFlags: 0 to searchFlags: 1
when all is done.
stop samba and start samba. ( just to make sure things are ok )
now run: samba-tool dbcheck --reindex
This might take a while; wait until it's finished. Repeat this on all AD-DCs.
And it's done. Personally I reboot the AD-DC to be sure it's still fine after reboots, and as a last step I check the index list to see it's all applied:
ldbsearch -H /var/lib/samba/private/sam.ldb -s base -b @INDEXLIST
Enjoy.
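As an added example (not part of the thread above), here is a small POSIX shell helper for the searchFlags step: it builds the LDIF that turns on the fATTINDEX bit (value 1) of searchFlags while keeping any other bits the attribute already has (the post's "change 0 to 1" would clear flags such as fPRESERVEONDELETE = 8 if they were set), and a check that parses an @INDEXLIST dump. The attribute name kopanoAccount and the sam.ldb path are assumptions for illustration; the @INDEXLIST sample is constructed.

```bash
#!/bin/sh
# Added example, not from the forum post. Assumes the Samba ldb tools and the
# sam.ldb path used in the thread; the offline checks below need neither.

# Print an LDIF "modify" entry that sets fATTINDEX (bit value 1) on one
# schema attribute.  $1 = attribute DN, $2 = its current searchFlags value.
# Bitwise OR keeps other flag bits (e.g. fPRESERVEONDELETE = 8) intact.
index_ldif() {
    dn=$1
    cur=${2:-0}
    new=$(( cur | 1 ))
    printf 'dn: %s\nchangetype: modify\nreplace: searchFlags\nsearchFlags: %d\n' \
        "$dn" "$new"
}

# Read the current searchFlags of an attribute from the live database
# (needs ldbsearch; not exercised by the offline test).
current_flags() {
    ldbsearch -H /var/lib/samba/private/sam.ldb -b "$1" -s base searchFlags \
        | sed -n 's/^searchFlags: //p'
}

# Read an "ldbsearch ... -s base -b @INDEXLIST" dump on stdin and succeed
# only if attribute $1 appears as an @IDXATTR entry (case-insensitive).
is_indexed() {
    grep -qi "^@IDXATTR: $1\$"
}

# Constructed sample of an @INDEXLIST dump, as produced after a reindex.
SAMPLE_INDEXLIST='dn: @INDEXLIST
@IDXATTR: objectClass
@IDXATTR: sAMAccountName
@IDXATTR: kopanoAccount'
```

Apply the generated LDIF with ldbmodify against sam.ldb while schema updates are allowed (as in the post), then run samba-tool dbcheck --reindex and feed the new @INDEXLIST dump to is_indexed.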