Not able to download password synchronisation service msi

Hi,

I have recently successfully installed UCS image ISO in virtual box.

Then I have deployed the Active Directory Connection application through UCS Management console.

During deployment of the application there was no option available to download password service msi files.

I am successfully able to synchronise users and groups from AD to UCS OpenLDAP but I need to synchronise passwords from AD to UCS OpenLDAP.

Is there a problem with the deployment of the Active Directory application?

During deployment of Active Directory Connection I had chosen the option ‘Synchronisation of user data between AD and UCS’.

Regards,
Nitin

Since UCS 4.1 there is no longer a need for an extra Windows service, because the functionality has been implemented in the AD Connector.

http://errata.software-univention.de/ucs/4.1/173.html

As this was only mentioned in the German section of this forum: the new password service for the AD connection is not documented at the moment.
See [bug]40911[/bug]

Thanks a lot for your help.

Can you please let me know how I can validate whether passwords are getting synchronised from AD to UCS OpenLDAP?

If I try to do an ldapsearch using the user's DN and password then it gives me the error “Invalid credentials”.

[code]root@ucs:/usr/sbin# ldapsearch -x -b "dc=example,dc=local" "objectClass=person" -D "cn=nitin prabhu,cn=users,dc=sdh,dc=local" -w Password1
ldap_bind: Invalid credentials (49)[/code]

Is there a way to use UCS OpenLDAP for authentication for users synchronised from AD?

Regards,
Nitin

Hi,

I have set up synchronisation between Active Directory and UCS OpenLDAP using the Active Directory Connection app installed from the UCS Management console.

Can you please let me know how I can validate whether passwords are getting synchronised from AD to UCS OpenLDAP?

If I try to do an ldapsearch using the user's DN and password then it gives me the error “Invalid credentials”.

[code]root@ucs:/usr/sbin# ldapsearch -x -b "dc=example,dc=local" "objectClass=person" -D "cn=nitin prabhu,cn=users,dc=sdh,dc=local" -w Password1
ldap_bind: Invalid credentials (49)[/code]

Is there a way to use UCS OpenLDAP for authentication for users synchronised from AD?

Regards,
Nitin

First of all, you can verify the functionality of the sync via the following command and log files:

[code]univention-connector-list-rejected
/var/log/univention/connector.log
/var/log/univention/connector-status.log[/code]

If the passwords (or other data) are not synchronized, you will most likely see rejects and tracebacks in the connector log files.

Next, have a look at http://sdb.univention.de/1332. There you find the new password sync process described; I cite it here for convenience:

[quote]Since UCS 4.1 the password service is no longer needed on the AD server.

Independent of the UCS version, the synchronization of encrypted password hashes needs to be activated manually via Univention Config Registry:

By default, in AD member mode, the UCS AD Connector reads object data from Microsoft Active Directory with the permissions of the machine account of the UCS DC Master. This machine account usually isn’t authorized to read encrypted password hashes from Active Directory. The Active Directory object LDAP DN of a privileged replication user should be configured in the Univention Configuration Registry variable connector/ad/ldap/binddn. This must be a member of the Domain Admins group in the AD.

The corresponding password must be saved in a file on the master domain controller and the file name entered in the Univention Configuration Registry variable connector/ad/ldap/bindpw. If the access password is changed at a later point in time, the new password must be entered in this file. The access rights for the file should be restricted so that only the root owner has access.

The following commands demonstrate the steps in an example:

[code]ucr set connector/ad/ldap/binddn=Administrator
ucr set connector/ad/ldap/bindpw=/etc/univention/connector/password
touch /etc/univention/connector/password
chmod 600 /etc/univention/connector/password
echo -n "Administrator password" > /etc/univention/connector/password[/code]

To actually switch to password synchronization mode, the UCR variable connector/ad/mapping/user/password/kinit must be unset and all objects need to be re-synchronized from Active Directory to read their passwords:

[code]/etc/init.d/univention-ad-connector stop
ucr unset connector/ad/mapping/user/password/kinit
find /etc/univention/connector/ \( -name "internal.cfg" -o -name "internal.sqlite" \) -exec mv "{}" "{}.bak_$(date +%s)" \;
/etc/init.d/univention-ad-connector start[/code][/quote]

Kind Regards,
Jens Thorp-Hansen
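The checks above (a root-only bind-password file and "sync to ucs" or traceback lines in connector.log) can be scripted. The following is an added example, not code from this thread or from Univention: it only inspects local files and never contacts AD or the UCS LDAP. The file paths are the ones quoted above, and the log lines written by write_sample_log are constructed for the demo (the first one is the line Nitin later posted).

```shell
#!/bin/sh
# Added example (not from the thread or Univention): sanity-check the password-sync
# setup from SDB 1332 and count the evidence a sync leaves in connector.log.
# Everything here is local file inspection; nothing talks to AD or LDAP.

# The bind-password file must exist and be readable by root only (chmod 600).
# ls -l is used instead of stat so the check works on GNU and BSD userlands alike.
check_pw_file() {
    f="$1"
    [ -f "$f" ] || { echo "FAIL: $f missing"; return 1; }
    perms=$(ls -l "$f" | cut -c1-10)
    [ "$perms" = "-rw-------" ] || { echo "FAIL: $f has $perms, want -rw-------"; return 1; }
    echo "OK: $f is readable by its owner only"
    return 0
}

# Count "sync to ucs ... [ user] [ modify] uid=<uid>," events for one user.
# Each password change in AD should produce one such line in connector.log.
count_user_syncs() {
    log="$1"; uid="$2"
    grep -c "sync to ucs: \[ *user\] \[ *modify\] uid=$uid," "$log" || true
}

# Count Python tracebacks in the log; a rejected object usually leaves one.
count_tracebacks() {
    grep -c '^Traceback (most recent call last):' "$1" || true
}

# Write a constructed connector.log to the given path. The first line is the one
# posted in this thread; the others are invented to show a second sync, an
# unrelated group sync and one traceback.
write_sample_log() {
    cat > "$1" <<'EOF'
28.11.2016 10:10:47,245 LDAP (PROCESS): sync to ucs: [ user] [ modify] uid=nitinprabhu,cn=users,dc=sdh,dc=local
28.11.2016 10:12:03,101 LDAP (PROCESS): sync to ucs: [ user] [ modify] uid=nitinprabhu,cn=users,dc=sdh,dc=local
28.11.2016 10:13:55,402 LDAP (PROCESS): sync to ucs: [ group] [ modify] cn=Domain Users,cn=groups,dc=sdh,dc=local
28.11.2016 10:14:10,777 LDAP (ERROR  ): traceback during sync (constructed)
Traceback (most recent call last):
  (constructed traceback body)
EOF
}

# Stand-alone demo against temporary files; on a real DC Master point the
# functions at /etc/univention/connector/password and /var/log/univention/connector.log.
tmp=$(mktemp -d)
write_sample_log "$tmp/connector.log"
printf 'demo-password' > "$tmp/password"
chmod 600 "$tmp/password"
check_pw_file "$tmp/password"
echo "user modify syncs for nitinprabhu: $(count_user_syncs "$tmp/connector.log" nitinprabhu)"
echo "tracebacks in log: $(count_tracebacks "$tmp/connector.log")"
rm -rf "$tmp"
```

A non-zero traceback count is the cue to run univention-connector-list-rejected; a zero sync count for a user whose password you just changed means the change never reached the connector, so check the binddn/bindpw setup before looking at the UCS LDAP side.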

Hi Thorp-Hansen,

Thanks for your reply.

I have created a new UCS domain (not joined UCS as a member of the AD domain) and then deployed the Active Directory Connection application through the UCS management console.

So if I change the password of a Windows client connected to the AD domain, then in the connector log (/var/log/univention/connector.log) I can see the line below:

[code]28.11.2016 10:10:47,245 LDAP (PROCESS): sync to ucs: [ user] [ modify] uid=nitinprabhu,cn=users,dc=sdh,dc=local[/code]

So I think passwords are getting synchronised to UCS OpenLDAP but I need to use UCS OpenLDAP for authentication.

Is there a way to use UCS OpenLDAP for authentication by doing an LDAP bind or something else?

Regards,
Nitin

When you set the UCS to “member mode” - so when you connect it to a Windows DC - the aforementioned Windows DC takes over the command. It syncs every user into the UCS LDAP (the UCS only reads in this case). So you get every user you create in the AD, with password and everything, in the LDAP. The search you are trying to do is not allowed for the bind user you are searching with. I give two examples from my testing environment:

[code]root@ucs-8007:~# univention-ldapsearch -x -b "dc=hel,dc=underworld" "objectClass=person" -D "cn=tmtt,cn=users,dc=hel,dc=underworld" -W
Enter LDAP Password:
ldap_bind: Invalid credentials (49)[/code]

(tmtt is a newly created standard user)

Now with the proper credentials:

[code]root@ucs-8007:~# univention-ldapsearch -x -b "dc=hel,dc=underworld" "objectClass=person" -D "cn=admin,dc=hel,dc=underworld" -y "/etc/ldap.secret"
[…]

# search result
search: 3
result: 0 Success

# numResponses: 12
# numEntries: 11[/code]

So it seems you have a working system, you just need to put it to use. Though you cannot use it as a bind for “ldapsearch” or “univention-ldapsearch”, you should be able to log in etc. with the users.

Here are additional resources regarding LDAP:
https://docs.pexip.com/admin/managing_users.htm

Kind regards,
Jens Thorp-Hansen

Thanks Thorp-Hansen.

I have got it working now, i.e. I am able to authenticate with the users synced from AD to UCS OpenLDAP.

Thanks a lot for your help.

Cheers,
Nitin