KC Active Directory and Windows Server 2016 Datacenter

Hello everyone,

I am having trouble integrating AD with KC (test lab environment). I installed the Kopano AD Extension, created some basic users and set them all active; for testing purposes I skipped SSL etc. On my Univention system I can see those users, and I did the setup the way the KC Administrator guide describes. However, I can’t log in to WebApp.

The /var/log/kopano/server.log gives me the 1st hint:

Fri Oct  6 12:32:42 2017: [warning] ***Authentication by plugin failed for user "peter": Trying to authenticate failed: peter not found in LDAP; username = peter***
Fri Oct  6 12:32:42 2017: [warning] Failed to authenticate user "peter" from "file:///var/run/kopano/server.sock" using program "apache2"
Fri Oct  6 12:32:43 2017: [debug  ] Accepted incoming connection from file:///var/run/kopano/server.sock

So far, I simply queried the main DC to dump everything it has:

ldapsearch -x -h dc-root2016.homelab.loc -b "dc=homelab,dc=loc"
# extended LDIF
#
# LDAPv3
# base <dc=homelab,dc=loc> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 2
result: 1 Operations error
text: 000004DC: LdapErr: DSID-0C090A22, comment: In order to perform this opera
 tion a successful bind must be completed on the connection., data 0, v3839

# numResponses: 1
ldapsearch -x -h dc-root2016.homelab.loc -D "uid=dummy,dc=homelab,dc=loc" -W -b "dc=homelab,dc=loc"
Enter LDAP Password: 
ldap_bind: Invalid credentials (49)
        additional info: 80090308: LdapErr: DSID-0C09042A, comment: AcceptSecurityContext error, data 52e, v3839

Curious:

ldapsearch -x -LLL -E pr=200/noprompt -h dc-root2016.homelab.loc -D "dummy@homelab.loc" -W -b "cn=schema,cn=configuration,dc=homelab,dc=loc" -s base

works! But when I issue this:

ldapsearch -x -h dc-root2016.homelab.loc -D "uid=dummy,dc=homelab,dc=loc" -W -b "dc=homelab,dc=loc"
Enter LDAP Password: 
ldap_bind: Invalid credentials (49)
        additional info: 80090308: LdapErr: DSID-0C09042A, comment: AcceptSecurityContext error, data 52e, v3839

authentication fails again.

Obviously there is a bind/authentication issue, but I actually have no clue how to fix it. The KC manual mentioned installing the ADLS role on my DC – which I did – but without any further configuration?!

To clarify my configuration, here are my ldap.cfg and server.cfg (all test environment, so no sensitive data).

/etc/kopano/ldap.cfg:

# /etc/kopano/ldap.cfg as posted. NOTE(review): the !include below loads the
# shipped Active Directory profile, but several settings after it override the
# profile's AD values with OpenLDAP/UCS-style ones (see the per-line comments).
# That mismatch is a plausible cause of the "peter not found in LDAP" warning
# in server.log - confirm against the attributes actually present on the DC.
!include /usr/share/kopano/ldap.active-directory.cfg
# Plain ldap:// on 389: the bind credentials below travel unencrypted. Only
# acceptable in this isolated lab; use ldaps:// or STARTTLS before real use.
ldap_uri = ldap://dc-root2016.homelab.loc:389 ldap://dc-second2016.homelab.loc:389
# AD-style bind DN (cn=...,cn=users,...). The manual ldapsearch tests above
# used uid=dummy,dc=homelab,dc=loc, which is not how AD names users - that,
# rather than the password, is the likely reason only the UPN form
# (dummy@homelab.loc) could bind.
ldap_bind_user = cn=stephan,cn=users,dc=homelab,dc=loc
# Plaintext credential; keep this file readable by the kopano service user only.
ldap_bind_passwd = Password1234
ldap_page_size = 1000
ldap_search_base = dc=homelab,dc=loc
ldap_nonactive_attribute = kopanoSharedStoreOnly
# Overrides distinguishedName from the AD profile.
ldap_sendas_relation_attribute = uidNumber
# Overrides objectGuid from the AD profile while ldap_user_unique_attribute_type
# stays "binary" from that profile. entryUUID is an OpenLDAP operational
# attribute and is not expected on an AD DC, so user objects would have no
# usable unique key - check whether this line is intended.
ldap_user_unique_attribute = entryUUID
# Overrides (objectCategory=Group) from the AD profile; objectClass
# kopano-group looks like a UCS schema class - confirm it exists on the AD side.
ldap_group_search_filter = (&(kopanoAccount=1)(objectClass=kopano-group))
# Override otherMailbox / mail from the AD profile with UCS-style attributes.
ldap_emailaliases_attribute = mailAlternativeAddress
ldap_emailaddress_attribute = mailPrimaryAddress
ldap_quota_multiplier = 1048576
# With ldap_object_type_attribute = objectClass (from the AD profile), users
# are matched on objectClass=kopano-user instead of the profile's "user".
ldap_user_type_attribute_value = kopano-user
# Overrides (objectCategory=Person) from the AD profile.
ldap_user_search_filter = (kopanoAccount=1)
# Same value the AD profile already sets; harmless duplicate.
ldap_authentication_method = bind

/etc/kopano/server.cfg

# /etc/kopano/server.cfg as posted (lab system "ucs-server").
server_bind             =
server_tcp_enabled      = yes
server_tcp_port         = 236
server_pipe_enabled     = yes
server_pipe_name        = /var/run/kopano/server.sock
server_pipe_priority    = /var/run/kopano/prio.sock
server_name = ucs-server
server_hostname =
database_engine         = mysql
# Local pipe users are accepted and root/kopano get full admin rights;
# the failing WebApp login in server.log arrives via this pipe from apache2.
allow_local_users       = yes
local_admin_users = root kopano
owner_auto_full_access = true
system_email_address    = postmaster@localhost
run_as_user = kopano
run_as_group = kopano
# Core dumps of the server process can contain credentials and mail data.
coredump_enabled = yes
session_timeout         = 300
tmp_path = /tmp
log_method              = file
log_file                = /var/log/kopano/server.log
# Level 6 is debug output (the "[debug ]" lines quoted above); lab-only.
log_level               = 6
log_timestamp           = 1
audit_log_enabled       = yes
audit_log_method        = syslog
audit_log_file          = /var/log/kopano/audit.log
audit_log_level         = 1
audit_log_timestamp     = 1
mysql_host = localhost
mysql_port = 3306
mysql_user = kopanoDbUser
# Plaintext DB credential; restrict this file's permissions to the service user.
mysql_password = fzRnuPgpp1
mysql_socket            =
mysql_database = kopano
attachment_storage      = files 
attachment_files_fsync  = yes
attachment_path         = /var/lib/kopano/attachments
attachment_compression  = 6
# The SSL listener is on, but server_ssl_key_pass is still the shipped
# placeholder. That only works if server.pem is unencrypted - verify before
# relying on port 237.
server_ssl_enabled = yes
server_ssl_port         = 237
server_ssl_key_file = /etc/kopano/ssl/server.pem
server_ssl_key_pass     = replace-with-server-cert-password
server_ssl_ca_file = /etc/univention/ssl/ucsCA/CAcert.pem
server_ssl_ca_path      =
# Legacy cipher string: it excludes only SSLv2, export and anonymous suites,
# so e.g. RC4/3DES/MD5 remain offerable, and the client picks the order.
server_ssl_ciphers = ALL:!LOW:!SSLv2:!EXP:!aNULL
server_ssl_prefer_server_ciphers = no
sslkeys_path            = /etc/kopano/sslkeys
threads                         =       8
watchdog_frequency      =       1
watchdog_max_age        =       500
server_max_keep_alive_requests  =       100
server_recv_timeout     =       5
server_read_timeout     =       60
server_send_timeout     =       60
softdelete_lifetime     = 30
sync_lifetime           = 90
sync_log_all_changes = yes
enable_sso = no
enable_gab = yes
# Authentication is delegated to the user plugin (ldap.cfg, bind method);
# pam_service is only consulted for auth_method = pam.
auth_method = plugin
pam_service = passwd
cache_cell_size                         = 256M
cache_quota_size                        = 1M
cache_quota_lifetime            = 1
cache_acl_size                          = 1M
cache_store_size                        = 1M
cache_user_size                         = 1M
cache_userdetails_size          = 25M
cache_userdetails_lifetime      = 0
cache_server_size                       = 1M
cache_server_lifetime   = 30
quota_warn              = 0
quota_soft              = 0
quota_hard              = 0
companyquota_warn      = 0
# The LDAP plugin and its config file; "Authentication by plugin failed"
# in server.log is raised from here.
user_plugin = ldap
user_plugin_config      = /etc/kopano/ldap.cfg
plugin_path             = /usr/lib/kopano
createuser_script               =       /etc/kopano/userscripts/createuser
deleteuser_script               =       /etc/kopano/userscripts/deleteuser
creategroup_script              =       /etc/kopano/userscripts/creategroup
deletegroup_script              =       /etc/kopano/userscripts/deletegroup
createcompany_script    =       /etc/kopano/userscripts/createcompany
deletecompany_script    =       /etc/kopano/userscripts/deletecompany
user_safe_mode = no
thread_stacksize = 512
enable_hosted_kopano = false
enable_distributed_kopano = false
storename_format = %f
loginname_format = %u
client_update_enabled = false
client_update_path = /var/lib/kopano/client
client_update_log_level = 1
client_update_log_path = /var/log/kopano/autoupdate
hide_everyone = no
hide_system = yes 
search_enabled = yes
search_socket = file:///var/run/kopano/search.sock
search_timeout = 10
enable_enhanced_ics = yes
enable_sql_procedures = no
sync_gab_realtime = no
disabled_features = imap pop3
max_deferred_records = 0
max_deferred_records_folder = 20
restrict_admin_permissions = no
embedded_attachment_limit = 20
proxy_header =

Does anyone have a hint or suggestion on what to do next?

@flyingpenguinman said in KC Active Directory and Windows Server 2016 Datacenter:

!include /usr/share/kopano/ldap.active-directory.cfg

What are the LDAP port settings?
Can you post the ldap.active-directory.cfg too?

rg
Christian

Sure.

# /usr/share/kopano/ldap.active-directory.cfg as posted: the shipped AD
# profile pulled in by the !include at the top of ldap.cfg. These are the AD
# defaults; any key set again in ldap.cfg after the include takes precedence.
ldap_last_modification_attribute = uSNChanged
ldap_object_type_attribute = objectClass
# AD objectClass for users; ldap.cfg overrides this with kopano-user.
ldap_user_type_attribute_value = user
ldap_group_type_attribute_value = group
ldap_contact_type_attribute_value = contact
ldap_company_type_attribute_value = organizationalUnit
ldap_addresslist_type_attribute_value = kopanoAddresslist
ldap_dynamicgroup_type_attribute_value = kopanoDynamicGroup
ldap_server_type_attribute_value = computer
# AD user filter and binary objectGuid key; ldap.cfg replaces them with
# (kopanoAccount=1) and entryUUID while this binary type stays in effect.
ldap_user_search_filter = (objectCategory=Person)
ldap_user_unique_attribute = objectGuid
ldap_user_unique_attribute_type = binary
ldap_fullname_attribute = cn
ldap_loginname_attribute = sAMAccountName
ldap_password_attribute = unicodePwd
ldap_authentication_method = bind
# Overridden in ldap.cfg by mailPrimaryAddress / mailAlternativeAddress.
ldap_emailaddress_attribute = mail
ldap_emailaliases_attribute = otherMailbox
ldap_isadmin_attribute = kopanoAdmin
ldap_nonactive_attribute = kopanoSharedStoreOnly
ldap_resource_type_attribute = kopanoResourceType
ldap_resource_capacity_attribute = kopanoResourceCapacity
ldap_sendas_attribute = kopanoSendAsPrivilege
ldap_sendas_attribute_type = dn
# Overridden in ldap.cfg by uidNumber.
ldap_sendas_relation_attribute = distinguishedName
ldap_user_certificate_attribute = userCertificate
!propmap /usr/share/kopano/ldap.propmap.cfg
# Overridden in ldap.cfg by (&(kopanoAccount=1)(objectClass=kopano-group)).
ldap_group_search_filter = (objectCategory=Group)
ldap_group_unique_attribute = objectSid
ldap_group_unique_attribute_type = binary
ldap_groupname_attribute = cn
ldap_groupmembers_attribute = member
ldap_groupmembers_attribute_type = dn
ldap_groupmembers_relation_attribute = 
ldap_group_security_attribute = groupType
ldap_group_security_attribute_type = ads
ldap_company_search_filter =
ldap_company_unique_attribute = objectGUID
ldap_company_unique_attribute_type = binary
ldap_companyname_attribute = ou
ldap_company_view_attribute = kopanoViewPrivilege
ldap_company_view_attribute_type = dn
ldap_company_view_relation_attribute =
ldap_company_admin_attribute = kopanoAdminPrivilege
ldap_company_admin_attribute_type = dn
ldap_company_admin_relation_attribute = 
ldap_company_system_admin_attribute = kopanoSystemAdmin
ldap_company_system_admin_attribute_type = dn
ldap_company_system_admin_relation_attribute =
ldap_addresslist_search_filter = 
ldap_addresslist_unique_attribute = cn
ldap_addresslist_unique_attribute_type = text
ldap_addresslist_filter_attribute = kopanoFilter
ldap_addresslist_search_base_attribute = kopanoBase
ldap_addresslist_name_attribute = cn
ldap_dynamicgroup_search_filter = 
ldap_dynamicgroup_unique_attribute = cn
ldap_dynamicgroup_unique_attribute_type = text
ldap_dynamicgroup_filter_attribute = kopanoFilter
ldap_dynamicgroup_search_base_attribute = kopanoBase
ldap_dynamicgroup_name_attribute = cn
ldap_quota_userwarning_recipients_attribute = kopanoQuotaUserWarningRecipients
ldap_quota_userwarning_recipients_attribute_type = text
ldap_quota_userwarning_recipients_relation_attribute =
ldap_quota_companywarning_recipients_attribute = kopanoQuotaCompanyWarningRecipients
ldap_quota_companywarning_recipients_attribute_type = text
ldap_quota_companywarning_recipients_relation_attribute =
ldap_quotaoverride_attribute = kopanoQuotaOverride
ldap_warnquota_attribute = kopanoQuotaWarn
ldap_softquota_attribute = kopanoQuotaSoft
ldap_hardquota_attribute = kopanoQuotaHard
ldap_userdefault_quotaoverride_attribute = kopanoUserDefaultQuotaOverride
ldap_userdefault_warnquota_attribute = kopanoUserDefaultQuotaWarn
ldap_userdefault_softquota_attribute = kopanoUserDefaultQuotaSoft
ldap_userdefault_hardquota_attribute = kopanoUserDefaultQuotaHard
ldap_quota_multiplier = 1048576
ldap_addressbook_hide_attribute = kopanoHidden 
ldap_object_search_filter = (anr=%s)
ldap_filter_cutoff_elements = 1000
ldap_user_server_attribute = kopanoUserServer
ldap_company_server_attribute = kopanoCompanyServer
ldap_server_address_attribute = kopanoHostAddress
ldap_server_http_port_attribute = kopanoHttpPort
ldap_server_ssl_port_attribute = kopanoSslPort
ldap_server_file_path_attribute = kopanoFilePath
ldap_server_contains_public_attribute = kopanoContainsPublic
ldap_server_proxy_path_attribute = kopanoProxyURL
ldap_server_search_filter = (objectCategory=Computer)
ldap_server_unique_attribute = cn
# Same search base that ldap.cfg sets; appears at the end of the profile as posted.
ldap_search_base = dc=homelab,dc=loc