kopano on active directory



  • Good evening,
    I was hooking up dig in active directory on windows server 2016 r2. I modified the ldap.cfg file, but when I make copy-admin -l it returns the following error:

    Unable to list users, object not found
    Using the -v option (possibly multiple times) may give more hints.

    Logs on server.log are as follows:

    Thu Jul 20 22:15:37 2017: [crit   ] Cannot instantiate user plugin: Failure connecting any of the LDAP servers
    Thu Jul 20 22:15:37 2017: [crit   ] Unable to instantiate user plugin
    Thu Jul 20 22:17:17 2017: [warning] Log connection was reset
    Thu Jul 20 22:27:12 2017: [warning] Previous message logged 2 times
    Thu Jul 20 22:27:12 2017: [warning] LDAP (simple) bind failed: Can't contact LDAP server
    Thu Jul 20 22:27:12 2017: [crit   ] Cannot instantiate user plugin: Failure connecting any of the LDAP servers
    Thu Jul 20 22:27:12 2017: [crit   ] Unable to instantiate user plugin
    Thu Jul 20 22:32:59 2017: [warning] LDAP (simple) bind failed: Can't contact LDAP server
    Thu Jul 20 22:32:59 2017: [crit   ] Cannot instantiate user plugin: Failure connecting any of the LDAP servers
    Thu Jul 20 22:32:59 2017: [crit   ] Unable to instantiate user plugin
    

    The file ldap.cfg is this:

    ##############################################################
    #  LDAP DIRECTORY USER PLUGIN SETTINGS
    #
    
    # Select implementation.
    # If you have any reason to override settings from /usr/share/kopano/*.cfg,
    # do so at the end of this (/etc-resident) config file.
    #
    !include /usr/share/kopano/ldap.openldap.cfg
    #!include /usr/share/kopano/ldap.active-directory.cfg
    
    # LDAP host name/IP address
    ldap_host = 192.168.1.12
    
    # LDAP port
    # Optional, default = 389
    # Use 636 for ldaps
    ldap_port = 636
    
    # LDAP protocol
    # Optional, default = ldap
    # use 'ldaps' for Implicit SSL encryption. Make sure /etc/ldap/ldap.conf is
    # configured correctly with TLS_CACERT
    ldap_protocol = ldaps
    
    # LDAP URI
    # Optional, override ldap_host, ldap_port and ldap_protocol if set
    # e.g. ldaps://servername:port. You may also specify multiple space-separated
    # URIs
    #ldap_uri =
    
    # The charset that strings are stored in on the LDAP server. Normally this
    # is utf-8, but this can differ according to your setup. The charset specified
    # here must be supported by your iconv(1) setup. See iconv -l for all charset
    #ldap_server_charset = utf-8
    
    # The DN of the user to bind as for normal operations (not used for
    # authentication if ldap_authentication_method is set to "bind".
    # When empty, uses anonymous binding.
    # The userPassword attribute must be readable for this user if the
    # ldap_authentication_method option is set to password.
    ldap_bind_user = cn=administrator,cn=users,dc=fabrizio,dc=local
    
    # LDAP bind password
    ldap_bind_passwd = ***password****
    ldap_authentication_method = bind
    
    # The timeout for network operations in seconds
    #ldap_network_timeout = 30
    
    # ldap_page_size limits the number of results from a query that will be downloaded at a time.
    # Default ADS MaxPageSize is 1000.
    ldap_page_size = 1000
    
    ##########
    # Object settings
    ldap_object_type_attribute = objectClass
    ldap_user_type_attribute_value = User
    ldap_group_type_attribute_value = Group
    ldap_contact_type_attribute_value = Contact
    ldap_company_type_attribute_value = ou
    ldap_addresslist_type_attribute_value = kopano-addresslist
    ldap_dynamicgroup_type_attribute_value = kopano-dynamicgroup
    ldap_user_search_filter = (kopanoAccount=1)
    ldap_user_unique_attribute = objectGUID
    ldap_user_unique_attribute_type = binary
    ldap_fullname_attribute = cn
    ldap_loginname_attribute = sAMAccountName
    ldap_emailaddress_attribute = mail
    ldap_emailaliases_attribute = otherMailbox
    ldap_password_attribute =
    ldap_isadmin_attribute = kopanoAdmin
    ldap_nonactive_attribute = kopanoSharedStoreOnly
    # Top level search base, every object should be available under this tree
    ldap_search_base = dc=fabrizio,dc=local
    
    # Use custom defined LDAP property mappings
    # This is not a requirement for most environments but allows custom mappings of
    # special LDAP properties to custom MAPI attributes
    #!propmap /etc/kopano/ldap.propmap.cfg
    

    can you help me?


  • Kopano

    Hello @henna02 ,

    the way it looks at the moment you have a mistake in your bind credentials. Maybe enabling the debug logging of the user plugin turns up more details. set 0x00020006 as the log_level in server.cfg

    PS: and please use code blocks when posting logs and configuration files



  • I have already enabled the debug mode in server.cfg


  • Kopano

    I would check if you can list your users with ldapsearch, if that succeeds then there is no reason for kopano to not be able to connect you ads.



  • Is there a reason you are using SSL? I know it is more secure, but if the two servers are sitting right next to each other in a switched environment, it might be worth disabling it. SSL adds about 4x the network traffic. While I use ALWAYS use SSL between the servers and user, I never use SSL between two servers if I can help it.
    The reason I mention it, is that I wonder if there might be a certificate error. Is the domain Root CA installed on the Kopano box? However, the easiest way is to just not use SSL. @fbartels is right, a LDAPSEARCH should duplicate any problems.

    Also, I would use a custom bind user with more limited rights then Administrator.

    Bob



  • Hai, sorry to drop in.

    Same problem here.
    im connecting kopano to a samba AD.
    I’ve tested also with my postfix setup.
    for example,

    postmap -q root ldap:/etc/postfix/kopano-ads-local-redirects.cf
    

    This test, makes that my “local root” email adres, is redirected to an email adres in my public folder.

    if i run kopano-admin -l

     kopano-admin -l
    Unable to list users, object not found
    Using the -v option (possibly multiple times) may give more hints.
    

    i did enable log level 6 ( debug ), which shows.

    Thu Jul 27 13:27:16 2017: [ notice] Starting server version 8,4,0,1103, pid 16041
    Thu Jul 27 13:27:16 2017: [info   ] Using select events
    Thu Jul 27 13:27:16 2017: [notice ] Listening for TCP connections on port 236
    Thu Jul 27 13:27:16 2017: [notice ] Listening for SSL connections on port 237
    Thu Jul 27 13:27:16 2017: [notice ] Listening for priority pipe connections on /var/run/kopano/prio.sock
    Thu Jul 27 13:27:16 2017: [notice ] Listening for pipe connections on /var/run/kopano/server.sock
    Thu Jul 27 13:27:16 2017: [notice ] Connection to database 'db_kopano' succeeded
    Thu Jul 27 13:27:16 2017: [notice ] Querying database for searchfolders. This may take a while.
    Thu Jul 27 13:27:16 2017: [notice ] Loading search folders.
    Thu Jul 27 13:27:16 2017: [notice ] Done loading search folders.
    Thu Jul 27 13:27:16 2017: [notice ] Startup succeeded on pid 16041
    Thu Jul 27 13:27:16 2017: [debug  ] Started priority thread c31b5700
    Thu Jul 27 13:27:16 2017: [debug  ] Started thread c29b4700
    Thu Jul 27 13:27:16 2017: [debug  ] Started thread c21b3700
    Thu Jul 27 13:27:16 2017: [debug  ] Started thread c19b2700
    Thu Jul 27 13:27:16 2017: [debug  ] Started thread c11b1700
    Thu Jul 27 13:27:16 2017: [debug  ] Started thread c09b0700
    Thu Jul 27 13:27:16 2017: [debug  ] Started thread c01af700
    Thu Jul 27 13:27:16 2017: [debug  ] Started thread bf9ae700
    Thu Jul 27 13:27:16 2017: [debug  ] Started thread bf1ad700
    Thu Jul 27 13:27:23 2017: [warning] LDAP (simple) bind failed: Invalid credentials
    Thu Jul 27 13:27:23 2017: [crit   ] Cannot instantiate user plugin: Failure connecting any of the LDAP servers
    Thu Jul 27 13:27:23 2017: [crit   ] Unable to instantiate user plugin
    

    the postfix bind_dn is exact the same as what i use in the ldap.conf as is the password.

    setup used:
    https://documentation.kopano.io/kopanocore_administrator_manual/configure_kc_components.html#id3
    now, the link also provide the solution for me, and imo, this is a minor bug.

    I also found the solution for me and this was my fix.

    For Zarafa ( 7.2.1 ) this worked.

    ldap_bind_user = CN=secret-user,OU=Service-Accounts,OU=COMPANY,DC=internal,DC=domain,DC=tld
    

    but this is not working for kopano…

    i changed that line to this :

    ldap_bind_user = cn=secret-user,ou=Service-Accounts,ou=COMPANY,dc=internal,dc=domain,dc=tld
    

    And now kopano-admin -l works again, and i see all i want to see…

    I hope this helps the topic starter also.

    Greetz,
    Louis


  • Kopano

    Hello @thctlo ,

    his ldap_bind_user is already lowercase. Can you explain a bit more which part of the documentation had you reconsider the casing for your bind user?



  • Sure,
    chapter, 5.16.2. Configuring KC for ADS.
    there i saw:

    ldap_bind_user = cn=administrator,cn=users,dc=example,dc=com
    

    i noticed the lowercased cn=
    so i tried that and that worked.

    I just checked again and im sure that zarafa 7.2.1 ( last i was running ), and that worked fine with the upper cased version .



  • @thctlo give me a few mint to add something, i need to check something for the topic starter.
    and give you my reputation back, with what it was in the zarafa forum, please ;-)



  • ok, the topic starter needs to do the following.
    ( as already suggest)
    create a new user. (bind2ldapuser) for example.
    I also suggest create a OU for these “service accounts” and add them there.

    Set in the Account tab, at account options:
    check , password never expires.
    check, user cannot change password
    check, Do not require Kerberos preauthenticaion.

    that should fix it, and dont set these options on your Administrator account.


  • Kopano

    @thctlo for me (8.4.90.0-0+4.1) it works regardless of the casing of the bind user. running openldap though, so the actual ldap server may differ in behaviour.



  • Then i might be worth to mention more of my setup.

    Debian Linux ( mixed jessie and stretch servers )
    2 x Samba AD DC version : 4.6.6 (The zarafa setup was working with 4.5.x AD)

    I installed kopano and i did not install any kopano schema anywhere, i still use the latest 7.2.1 zarafa schema in my Samba AD.
    i copied these files :
    ldap.active-directory.cfg
    ldap.propmap.cfg

    to my /etc/kopano and change there where needed the kopanoXXXX to zarafaXXXXX
    and same for the propmap.cfg

    so maybe the mix of zarafa/kopano with the "bind user = CN or cn " is wat my caused my problem.



  • uhm, review the topic starters setup.

    Why is the topic starter not using :
    !include /usr/share/kopano/ldap.active-directory.cfg
    but he is using the openldap setup.

    he used : ldap_host = 192.168.1.12 but connects with ldaps ?
    so he must first make sure his server is using the DC DNS. ( resolv.conf)
    make sure /etc/hosts is correct.
    remove 127.0.1.1 lines
    and check for the line if it exists, if not add it.
    server_ip hostname.example.com hostname

    and change : ldap_host to the server hostname.

    Correct resolving helps a lot.
    About 50% of the samba problems are due to incorrect resolvings and people ignoring that the world is changing to ssl ( and samba case kerberos ) and both kerberos and ssl rely on resolving.

    tip.
    https://realtimelogic.com/blog/2014/05/How-to-act-as-a-Certificate-Authority-the-Easy-Way
    This site explains a simple CA tool for windows users. That dont know how to handle it on Linux.



  • etc/hosts

    0_1501269512884_b0c2fb15-3fde-4eb7-9acc-aca4a8d01751-image.png

    etc/resolve

    0_1501268946701_68697f8d-659d-4cd3-875a-6774dd85c6c6-image.png

    ldap.cfg

    0_1501269000522_0b627d59-8d59-4495-a449-09283e2ae2f0-image.png
    0_1501269376734_a69c4816-34d9-4314-b5bd-ca8e4928543a-image.png
    0_1501269153973_20935b10-9430-4d2d-bc12-d5eb0ca01a9d-image.png

    What’s wrong yet?



  • I can say the following about your config.

    Dont use user Adminstrator, create a new user for ldap_bind_users.
    why, see https://forum.kopano.io/post/2605

    Also you cant set Do not require Kerberos preauthentication on Administator.
    ( you can but dont do that! )

    Do configure and setup ssl for you Linux client so client <=> server works with ldaps.

    add : TLS_REQCERT allow
    to /etc/ldap/ldap.conf

    i’ve also added my AD DC root Certificate to :
    /etc/ssl/certs/ca-certificates.crt

    and example how.
    https://www.brightbox.com/blog/2014/03/04/add-cacert-ubuntu-debian/


Log in to reply
 

Looks like your connection to Kopano Community Forum was lost, please wait while we try to reconnect.