KC Active Directory and Windows Server 2016 Datacenter



  • Hello everyone,

    I have trouble implementing AD in KC (test lab environment). I installed the Kopano AD Extension, created some basic users and set them all active; for testing purposes I skipped SSL etc. On my Univention system I see those users and did the setup as the KC Administrator guide describes. However, I can’t log in to WebApp.

    The /var/log/kopano/server.log gives me the first hint:

    Fri Oct  6 12:32:42 2017: [warning] ***Authentication by plugin failed for user "peter": Trying to authenticate failed: peter not found in LDAP; username = peter***
    Fri Oct  6 12:32:42 2017: [warning] Failed to authenticate user "peter" from "file:///var/run/kopano/server.sock" using program "apache2"
    Fri Oct  6 12:32:43 2017: [debug  ] Accepted incoming connection from file:///var/run/kopano/server.sock
    

    So far, I simply queried the main DC to dump everything it has:

    ldapsearch -x -h dc-root2016.homelab.loc -b "dc=homelab,dc=loc"
    # extended LDIF
    #
    # LDAPv3
    # base <dc=homelab,dc=loc> with scope subtree
    # filter: (objectclass=*)
    # requesting: ALL
    #
    
    # search result
    search: 2
    result: 1 Operations error
    text: 000004DC: LdapErr: DSID-0C090A22, comment: In order to perform this opera
     tion a successful bind must be completed on the connection., data 0, v3839
    
    # numResponses: 1
    
    ldapsearch -x -h dc-root2016.homelab.loc -D "uid=dummy,dc=homelab,dc=loc" -W -b "dc=homelab,dc=loc"
    Enter LDAP Password: 
    ldap_bind: Invalid credentials (49)
            additional info: 80090308: LdapErr: DSID-0C09042A, comment: AcceptSecurityContext error, data 52e, v3839
    

    Curiously, this:

    ldapsearch -x -LLL -E pr=200/noprompt -h dc-root2016.homelab.loc -D "dummy@homelab.loc" -W -b "cn=schema,cn=configuration,dc=homelab,dc=loc" -s base
    

    works! But when I issue this:

    ldapsearch -x -h dc-root2016.homelab.loc -D "uid=dummy,dc=homelab,dc=loc" -W -b "dc=homelab,dc=loc"
    Enter LDAP Password: 
    ldap_bind: Invalid credentials (49)
            additional info: 80090308: LdapErr: DSID-0C09042A, comment: AcceptSecurityContext error, data 52e, v3839
    

    I once again cannot authenticate.

    Obviously there is a bind/authentication issue; however, I have no clue how to fix it. The KC manual mentions installing the ADLS role on my DC — which I did — but without any further configuration?!

    To clarify my configs, here are my ldap.cfg and server.cfg (all in a test environment, so no sensitive data).

    /etc/kopano/ldap.cfg:

    !include /usr/share/kopano/ldap.active-directory.cfg
    ldap_uri = ldap://dc-root2016.homelab.loc:389 ldap://dc-second2016.homelab.loc:389
    ldap_bind_user = cn=stephan,cn=users,dc=homelab,dc=loc
    ldap_bind_passwd = Password1234
    ldap_page_size = 1000
    ldap_search_base = dc=homelab,dc=loc
    ldap_nonactive_attribute = kopanoSharedStoreOnly
    ldap_sendas_relation_attribute = uidNumber
    ldap_user_unique_attribute = entryUUID
    ldap_group_search_filter = (&(kopanoAccount=1)(objectClass=kopano-group))
    ldap_emailaliases_attribute = mailAlternativeAddress
    ldap_emailaddress_attribute = mailPrimaryAddress
    ldap_quota_multiplier = 1048576
    ldap_user_type_attribute_value = kopano-user
    ldap_user_search_filter = (kopanoAccount=1)
    ldap_authentication_method = bind
    

    /etc/kopano/server.cfg

    server_bind             =
    server_tcp_enabled      = yes
    server_tcp_port         = 236
    server_pipe_enabled     = yes
    server_pipe_name        = /var/run/kopano/server.sock
    server_pipe_priority    = /var/run/kopano/prio.sock
    server_name = ucs-server
    server_hostname =
    database_engine         = mysql
    allow_local_users       = yes
    local_admin_users = root kopano
    owner_auto_full_access = true
    system_email_address    = postmaster@localhost
    run_as_user = kopano
    run_as_group = kopano
    coredump_enabled = yes
    session_timeout         = 300
    tmp_path = /tmp
    log_method              = file
    log_file                = /var/log/kopano/server.log
    log_level               = 6
    log_timestamp           = 1
    audit_log_enabled       = yes
    audit_log_method        = syslog
    audit_log_file          = /var/log/kopano/audit.log
    audit_log_level         = 1
    audit_log_timestamp     = 1
    mysql_host = localhost
    mysql_port = 3306
    mysql_user = kopanoDbUser
    mysql_password = fzRnuPgpp1
    mysql_socket            =
    mysql_database = kopano
    attachment_storage      = files 
    attachment_files_fsync  = yes
    attachment_path         = /var/lib/kopano/attachments
    attachment_compression  = 6
    server_ssl_enabled = yes
    server_ssl_port         = 237
    server_ssl_key_file = /etc/kopano/ssl/server.pem
    server_ssl_key_pass     = replace-with-server-cert-password
    server_ssl_ca_file = /etc/univention/ssl/ucsCA/CAcert.pem
    server_ssl_ca_path      =
    server_ssl_ciphers = ALL:!LOW:!SSLv2:!EXP:!aNULL
    server_ssl_prefer_server_ciphers = no
    sslkeys_path            = /etc/kopano/sslkeys
    threads                         =       8
    watchdog_frequency      =       1
    watchdog_max_age        =       500
    server_max_keep_alive_requests  =       100
    server_recv_timeout     =       5
    server_read_timeout     =       60
    server_send_timeout     =       60
    softdelete_lifetime     = 30
    sync_lifetime           = 90
    sync_log_all_changes = yes
    enable_sso = no
    enable_gab = yes
    auth_method = plugin
    pam_service = passwd
    cache_cell_size                         = 256M
    cache_quota_size                        = 1M
    cache_quota_lifetime            = 1
    cache_acl_size                          = 1M
    cache_store_size                        = 1M
    cache_user_size                         = 1M
    cache_userdetails_size          = 25M
    cache_userdetails_lifetime      = 0
    cache_server_size                       = 1M
    cache_server_lifetime   = 30
    quota_warn              = 0
    quota_soft              = 0
    quota_hard              = 0
    companyquota_warn      = 0
    user_plugin = ldap
    user_plugin_config      = /etc/kopano/ldap.cfg
    plugin_path             = /usr/lib/kopano
    createuser_script               =       /etc/kopano/userscripts/createuser
    deleteuser_script               =       /etc/kopano/userscripts/deleteuser
    creategroup_script              =       /etc/kopano/userscripts/creategroup
    deletegroup_script              =       /etc/kopano/userscripts/deletegroup
    createcompany_script    =       /etc/kopano/userscripts/createcompany
    deletecompany_script    =       /etc/kopano/userscripts/deletecompany
    user_safe_mode = no
    thread_stacksize = 512
    enable_hosted_kopano = false
    enable_distributed_kopano = false
    storename_format = %f
    loginname_format = %u
    client_update_enabled = false
    client_update_path = /var/lib/kopano/client
    client_update_log_level = 1
    client_update_log_path = /var/log/kopano/autoupdate
    hide_everyone = no
    hide_system = yes 
    search_enabled = yes
    search_socket = file:///var/run/kopano/search.sock
    search_timeout = 10
    enable_enhanced_ics = yes
    enable_sql_procedures = no
    sync_gab_realtime = no
    disabled_features = imap pop3
    max_deferred_records = 0
    max_deferred_records_folder = 20
    restrict_admin_permissions = no
    embedded_attachment_limit = 20
    proxy_header =
    

    Does anyone have a hint or suggestion on what to do next?



  • @flyingpenguinman said in KC Active Directory and Windows Server 2016 Datacenter:

    !include /usr/share/kopano/ldap.active-directory.cfg

    What are the LDAP port settings?
    Can you post the ldap.active-directory.cfg too?

    rg
    Christian



  • Sure.

    ldap_last_modification_attribute = uSNChanged
    ldap_object_type_attribute = objectClass
    ldap_user_type_attribute_value = user
    ldap_group_type_attribute_value = group
    ldap_contact_type_attribute_value = contact
    ldap_company_type_attribute_value = organizationalUnit
    ldap_addresslist_type_attribute_value = kopanoAddresslist
    ldap_dynamicgroup_type_attribute_value = kopanoDynamicGroup
    ldap_server_type_attribute_value = computer
    ldap_user_search_filter = (objectCategory=Person)
    ldap_user_unique_attribute = objectGuid
    ldap_user_unique_attribute_type = binary
    ldap_fullname_attribute = cn
    ldap_loginname_attribute = sAMAccountName
    ldap_password_attribute = unicodePwd
    ldap_authentication_method = bind
    ldap_emailaddress_attribute = mail
    ldap_emailaliases_attribute = otherMailbox
    ldap_isadmin_attribute = kopanoAdmin
    ldap_nonactive_attribute = kopanoSharedStoreOnly
    ldap_resource_type_attribute = kopanoResourceType
    ldap_resource_capacity_attribute = kopanoResourceCapacity
    ldap_sendas_attribute = kopanoSendAsPrivilege
    ldap_sendas_attribute_type = dn
    ldap_sendas_relation_attribute = distinguishedName
    ldap_user_certificate_attribute = userCertificate
    !propmap /usr/share/kopano/ldap.propmap.cfg
    ldap_group_search_filter = (objectCategory=Group)
    ldap_group_unique_attribute = objectSid
    ldap_group_unique_attribute_type = binary
    ldap_groupname_attribute = cn
    ldap_groupmembers_attribute = member
    ldap_groupmembers_attribute_type = dn
    ldap_groupmembers_relation_attribute = 
    ldap_group_security_attribute = groupType
    ldap_group_security_attribute_type = ads
    ldap_company_search_filter =
    ldap_company_unique_attribute = objectGUID
    ldap_company_unique_attribute_type = binary
    ldap_companyname_attribute = ou
    ldap_company_view_attribute = kopanoViewPrivilege
    ldap_company_view_attribute_type = dn
    ldap_company_view_relation_attribute =
    ldap_company_admin_attribute = kopanoAdminPrivilege
    ldap_company_admin_attribute_type = dn
    ldap_company_admin_relation_attribute = 
    ldap_company_system_admin_attribute = kopanoSystemAdmin
    ldap_company_system_admin_attribute_type = dn
    ldap_company_system_admin_relation_attribute =
    ldap_addresslist_search_filter = 
    ldap_addresslist_unique_attribute = cn
    ldap_addresslist_unique_attribute_type = text
    ldap_addresslist_filter_attribute = kopanoFilter
    ldap_addresslist_search_base_attribute = kopanoBase
    ldap_addresslist_name_attribute = cn
    ldap_dynamicgroup_search_filter = 
    ldap_dynamicgroup_unique_attribute = cn
    ldap_dynamicgroup_unique_attribute_type = text
    ldap_dynamicgroup_filter_attribute = kopanoFilter
    ldap_dynamicgroup_search_base_attribute = kopanoBase
    ldap_dynamicgroup_name_attribute = cn
    ldap_quota_userwarning_recipients_attribute = kopanoQuotaUserWarningRecipients
    ldap_quota_userwarning_recipients_attribute_type = text
    ldap_quota_userwarning_recipients_relation_attribute =
    ldap_quota_companywarning_recipients_attribute = kopanoQuotaCompanyWarningRecipients
    ldap_quota_companywarning_recipients_attribute_type = text
    ldap_quota_companywarning_recipients_relation_attribute =
    ldap_quotaoverride_attribute = kopanoQuotaOverride
    ldap_warnquota_attribute = kopanoQuotaWarn
    ldap_softquota_attribute = kopanoQuotaSoft
    ldap_hardquota_attribute = kopanoQuotaHard
    ldap_userdefault_quotaoverride_attribute = kopanoUserDefaultQuotaOverride
    ldap_userdefault_warnquota_attribute = kopanoUserDefaultQuotaWarn
    ldap_userdefault_softquota_attribute = kopanoUserDefaultQuotaSoft
    ldap_userdefault_hardquota_attribute = kopanoUserDefaultQuotaHard
    ldap_quota_multiplier = 1048576
    ldap_addressbook_hide_attribute = kopanoHidden 
    ldap_object_search_filter = (anr=%s)
    ldap_filter_cutoff_elements = 1000
    ldap_user_server_attribute = kopanoUserServer
    ldap_company_server_attribute = kopanoCompanyServer
    ldap_server_address_attribute = kopanoHostAddress
    ldap_server_http_port_attribute = kopanoHttpPort
    ldap_server_ssl_port_attribute = kopanoSslPort
    ldap_server_file_path_attribute = kopanoFilePath
    ldap_server_contains_public_attribute = kopanoContainsPublic
    ldap_server_proxy_path_attribute = kopanoProxyURL
    ldap_server_search_filter = (objectCategory=Computer)
    ldap_server_unique_attribute = cn
    ldap_search_base = dc=homelab,dc=loc
    
