• Dear All,


    May I ask how to use the LDAP plugin?


    I'm running an up-to-date Sardaukar OMV and would like to use it as storage in my company.


    What I've done so far:
    - (obviously) installed the plugin
    - enabled the plugin and entered:
      - server
      - port
      - Base DN
      - Root Bind DN
      - Password
    - left user and group suffix unchanged
    - additional options are empty


    I connected my OCS and my GLPI to my LDAP server using the same data, so I assume they are correct.
    However, I cannot see the users/groups anywhere in the config, nor can I use my credentials to log in to my Samba share.


    Any help is highly appreciated.


    Thank you
    BR Marc

  • I'd like to add what I've done:
    This is the configuration as set up in the GUI (I just grayed out the company name).


    According to the linked manpage (found in the plugin: http://linux.die.net/man/5/nss_ldap) the default config path is /etc/ldap.conf.


    However, I saw that on my OMV there is no such file. It is placed in /etc/ldap/ldap.conf.


    I can see that it is the only file in its sub-folder.


    And (most interestingly) the whole config is not stored in this file; the root base DN (for example) is missing.


    Please tell me what I have to do in order to configure my SMB shares for LDAP users and groups.


    Thank you.


    BR Marc

  • Yesterday I tried to set up LDAP for authentication of Win clients, too. But to no avail.
    Unfortunately there is not that much documentation available, so I had a look into the Debian wiki, where the set-up of LDAP auth is explained. With the installation of the OMV plugin it looks like all steps are done to make LDAP auth possible. The packages seemed to be installed, only the paths as stated above seemed to be different.
    Later I installed ldap-utils so I could query an AD server with ldapsearch; all queries were successful. Even a query with -s base "(objectclass=*)" delivered every single piece of information about a certain user, so I assumed the connection to the AD server is up and working.
    But a try to connect with the OMV box was not successful. I controlled the PAM settings with pam-auth-update and it offers me the possibility to activate Unix and/or LDAP auth. I played with these settings, but it still was not possible to connect. The auth log is not very helpful; it delivered only a little information like "nss_ldap: could not search LDAP server - Server is unavailable".
    Hmpf.
    Maybe I will raise a system just for working that out, because after uninstalling the plugin I was not able to connect again to the shares like before; only disabling and re-enabling the SMB/CIFS service brought it back to life.

    Homebox: Bitfenix Prodigy Case, ASUS E45M1-I DELUXE ITX, 8GB RAM, 5x 4TB HGST Raid-5 Data, 1x 320GB 2,5" WD Bootdrive via eSATA from the backside
    Companybox 1: Standard Midi-Tower, Intel S3420 MoBo, Xeon 3450 CPU, 16GB RAM, 5x 2TB Seagate Data, 1x 80GB Samsung Bootdrive - testing for iSCSI to ESXi-Hosts
    Companybox 2: 19" Rackservercase 4HE, Intel S975XBX2 MoBo, C2D@2200MHz, 8GB RAM, HP P212 Raidcontroller, 4x 1TB WD Raid-0 Data, 80GB Samsung Bootdrive, Intel 1000Pro DualPort (Bonded in a VLAN) - Temp-NFS-storage for ESXi-Hosts

    • Official post

    I'm no LDAP expert, thus I assume the plugin is missing some config to get your setup working. I was only able to set up a small and simple LDAP environment because of little and not deep LDAP knowledge. Any help and debugging is welcome to get it working with more than simple setups. If you found something, please open a new bug report/feature request at http://bugtracker.openmediavault.org.

  • I am not that LDAP hero, either. But I have been using it for a long time and usually installation is pretty straightforward. Actually I have no clue why that doesn't work out of the box, but I have hardware enough to raise a simple OMV system for testing. Will come back and report.


  • I changed to lower-case letters and rebooted the whole system.
    Sadly, it was not the solution :(


    Edit: Honestly, I don't know how I could grab the system's traffic using Wireshark. Can't I only monitor my traffic?

  • Depends. You could run Wireshark on the AD and check if anything reaches it. You could also run it on your OpenMediaVault and check what is outgoing.


    Greetings
    David

    "Well... lately this forum has become support for everything except omv" [...] "And is like someone is banning Google from their browsers"


    Only two things are infinite, the universe and human stupidity, and I'm not sure about the former.

    Upload Logfile via WebGUI/CLI
    #openmediavault on freenode IRC | German & English | GMT+1
    Absolutely no Support via PM!

    • Official post

    Set Wireshark up on your LDAP server and watch (filter) for connections from your OMV server. When you click Users on OMV it should request users from the server.


    If your switch is a smart or managed switch, you can mirror the port of the OMV machine and watch it that way. What LDAP are you using? I may have time over the weekend to set up a VM and play with it. I am testing out Proxmox anyway.

  • The domain is currently "owned" by two Windows 2008 DCs.
    We will migrate to 2012R2 in the near future, but not yet.


    I'm busy with other issues, and this OMV is more a "nice to have" for me and my IT colleagues, but I'll try to do this monitoring next week.


    PS: No, the switches are not managed, so I cannot grab dumps there, sorry.


    Thanks for your help, and I wish you a nice weekend :)

    • Official post

    Active Directory is very complicated. Set up a VM and try the steps I use. DNS has to work and you need to install Kerberos and winbind. nsswitch.conf needs to use winbind and put dns ahead of mdns. Also, time is very important. It has to join the domain.


    Mine connects to my 2008 SBS. For Server 2012 you will be on your own. Lol

  • Rethink that when Kralizec is out and the user base (hopefully) gets a big push.


    Greetings
    David


    • Official post

    donh, can you write a script of what needs to be done to set this up? This plugin might not be too bad since there is a start with Volker's AD plugin.

    omv 7.0.4-2 sandworm | 64 bit | 6.5 proxmox kernel

    plugins :: omvextrasorg 7.0 | kvm 7.0.10 | compose 7.1.2 | k8s 7.0-6 | cputemp 7.0 | mergerfs 7.0.3


    omv-extras.org plugins source code and issue tracker - github


    Please try ctrl-shift-R and read this before posting a question.

    Please put your OMV system details in your signature.
    Please don't PM for support... Too many PMs!

    • Official post

    I think at this point we should wait till we see what the new Wheezy-based version brings. There are a few discussions in the bug tracker. I make the assumption that Active Directory is set up properly, and this is not always the case. If it needs to make up for all the possible misconfigurations, that complicates the heck out of it. It might be best to fix a few things that need tweaking.


    AD relies heavily on DNS and DHCP providing info to members. There is no logical order to these suggestions. There should be a check-box in the time settings to use DHCP for the time server. A domain controller should be serving time, or know the time server above it if not.

    Code
    set ntp manually, or the steps to enable it from dhcp:
        update-rc.d ntp defaults
        update-rc.d ntp enable
        /etc/init.d/ntp start   # might require a reboot for dhcp?
    To show the results, "ntpq -p" could be used to show the time server it is connected to. Or "ntpdc -l" is a little prettier.


    The next major irritating factor is mdns. nsswitch.conf needs to be adjusted to give dns priority over mdns, especially for networks using .local. .local is used in most MS examples by default, so I am sure there are a lot set up with that stupid extension. See the sample file uploaded too. Maybe a checkbox to enable these changes? Of course it may break things that use mdns like iTunes or other Apple crap, who knows. I would think if dns doesn't resolve it would fall over to mdns, but I have no way of testing.


    It may only need passwd, group and hosts modified, but I did them all when trying to figure it out.


    One other thing that would be good in general is the ability to add hosts to the /etc/hosts file and not have them overwritten by any update from the UI.


    I think it would be best to start with the current ldap plugin as the one votdev uploaded is quite old. There are some files I uploaded in this link and discussions with votdev.
    http://bugtracker.openmediavault.org/view.php?id=707 There are a few other AD threads there too.
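    As an added example (my own code, not from this thread or the plugin), a small audit of the two nsswitch.conf points raised in this and the earlier post: dns ahead of mdns in the hosts line, and winbind in passwd and group. Both sample configs are constructed; the first uses the hosts line Debian ships with libnss-mdns installed, which is exactly what makes an AD domain ending in .local unresolvable.

```python
# Constructed sample: the hosts line Debian ships when libnss-mdns is installed,
# with stock passwd/group entries (the problems donh describes).
DEFAULT_NSSWITCH = """\
passwd:         compat
group:          compat
shadow:         compat
hosts:          files mdns4_minimal [NOTFOUND=return] dns mdns4
networks:       files
"""

# Constructed sample with the fixes from the post applied.
FIXED_NSSWITCH = """\
passwd:         compat winbind
group:          compat winbind
shadow:         compat
hosts:          files dns mdns4_minimal [NOTFOUND=return] mdns4
networks:       files
"""


def parse_nsswitch(text):
    """Return {database: [service, ...]}, ignoring '[ACTION=...]' tokens and comments."""
    databases = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        name, _, rest = line.partition(":")
        # Action specifications such as [NOTFOUND=return] are not services.
        databases[name.strip()] = [tok for tok in rest.split() if not tok.startswith("[")]
    return databases


def audit_nsswitch(text):
    """Return a list of findings; an empty list means the file matches the post's advice."""
    db = parse_nsswitch(text)
    findings = []
    hosts = db.get("hosts", [])
    mdns_positions = [i for i, svc in enumerate(hosts) if svc.startswith("mdns")]
    if "dns" not in hosts:
        findings.append("hosts: dns is not consulted at all")
    elif mdns_positions and min(mdns_positions) < hosts.index("dns"):
        # mdns4_minimal answers for every *.local name and [NOTFOUND=return]
        # stops the lookup, so an AD domain ending in .local never reaches dns.
        findings.append("hosts: mdns is consulted before dns")
    for database in ("passwd", "group"):
        if "winbind" not in db.get(database, []):
            findings.append(f"{database}: winbind missing")
    return findings
```

    Run audit_nsswitch over the contents of /etc/nsswitch.conf before and after editing; an empty result means the ordering and winbind entries match the advice above.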

  • Quote from "ryecoaaron"

    donh, can you write a script of what needs to be done to set this up? This plugin might not be too bad since there is a start with volker's AD plugin.


    Well, this plugin is not really an AD plugin; it is named as a directory plugin and uses LDAP to query users. For now, that's all it does. An AD plugin contains more than a simple LDAP query.
    The QNAPs I administer have a full-featured AD plugin and all I have to do is to enter the name of an AD server and the appropriate credentials and voila, the box is a part of the AD.


    But back to the topic:
    Today I had the chance to raise a simple OMV box, installed the backport kernels and the LDAP plugin. I connected the box to my test lab; the switch is a 3COM 5500G-EI and this one luckily is able to mirror and monitor ports. So I created a monitor group and connected a W7 box running Wireshark to fetch the network packets from the OMV box.
    Then I configured the plugin and needed to fiddle with the LDAP settings, because we have different CN names for users and groups. After some searching I found the reason for that: our AD is very, very old. It was raised in 1997 on an NT4 server and over the years I upgraded it from NT4 to W2K3 up to Server 2008 by now, and that seems to be the reason for some hiccups concerning LDAP configurations I had in the past. Now I know the reason for that.


    The OMV box connects to the configured AD server using the LDAP protocol, sends a bind, sends queries and receives successful answers when I click on Users in the web UI:

    Code
    72041	7991.322321000	192.168.200.181	192.168.200.12	LDAP	132	bindRequest(1) "cn=admin,cn=Users,dc=mynet,dc=test" simple 
    72042	7991.323230000	192.168.200.12	192.168.200.181	LDAP	88	bindResponse(1) success 
    72043	7991.323499000	192.168.200.181	192.168.200.12	TCP	66	35341 > ldap [ACK] Seq=67 Ack=23 Win=14608 Len=0 TSval=1271208 TSecr=485799826
    72044	7991.323555000	192.168.200.181	192.168.200.12	LDAP	171	searchRequest(2) "CN=Users,dc=mynet,dc=test" wholeSubtree 
    72045	7991.323808000	192.168.200.12	192.168.200.181	LDAP	88	searchResDone(2) success  [0 results]
    72046	7991.324163000	192.168.200.181	192.168.200.12	LDAP	227	searchRequest(3) "OU=Gruppen,dc=mynet,dc=test" wholeSubtree 
    72047	7991.324461000	192.168.200.12	192.168.200.181	LDAP	137	searchResDone(3) success  [0 results]


    So far, so good. But when I try to open the OMV box in Windows Explorer, I get a login screen and no matter which user I try, I always receive "Unknown user or wrong password".


    That's all for today, weekend is calling. ;) Bye for now, on Monday I will go on.

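    As an added example (my own code, not part of the post or the plugin), the capture above can be triaged by pairing each LDAP request with its response: the bind succeeded, but both searches returned 0 entries, so the UI has nothing to list, and the simple bind was readable to Wireshark, which means the bind password crossed the wire without TLS. The sample lines are the LDAP rows of the capture above; the function names are my own.

```python
import re

# The LDAP rows of the Wireshark capture in the post (tab-separated Wireshark
# columns: frame, time, src, dst, protocol, length, info).
CAPTURE = """\
72041\t7991.322321000\t192.168.200.181\t192.168.200.12\tLDAP\t132\tbindRequest(1) "cn=admin,cn=Users,dc=mynet,dc=test" simple
72042\t7991.323230000\t192.168.200.12\t192.168.200.181\tLDAP\t88\tbindResponse(1) success
72044\t7991.323555000\t192.168.200.181\t192.168.200.12\tLDAP\t171\tsearchRequest(2) "CN=Users,dc=mynet,dc=test" wholeSubtree
72045\t7991.323808000\t192.168.200.12\t192.168.200.181\tLDAP\t88\tsearchResDone(2) success  [0 results]
72046\t7991.324163000\t192.168.200.181\t192.168.200.12\tLDAP\t227\tsearchRequest(3) "OU=Gruppen,dc=mynet,dc=test" wholeSubtree
72047\t7991.324461000\t192.168.200.12\t192.168.200.181\tLDAP\t137\tsearchResDone(3) success  [0 results]
"""
OP_RE = re.compile(r'(bindRequest|bindResponse|searchRequest|searchResDone)\((\d+)\) (.*)')
REQUEST_RE = re.compile(r'"([^"]*)" (\S+)')                 # "<dn or base>" <method or scope>
RESULT_RE = re.compile(r'(\w+)(?:\s+\[(\d+) results?\])?')  # <resultCode> [N results]


def parse_ldap_summary(text):
    """Pair every LDAP request with its response under its message id."""
    ops = {}
    for line in text.splitlines():
        fields = line.split("\t")
        m = OP_RE.match(fields[6]) if len(fields) >= 7 and fields[4] == "LDAP" else None
        if not m:
            continue  # TCP ACKs and anything that is not an LDAP operation
        op, msgid, rest = m.group(1), int(m.group(2)), m.group(3)
        entry = ops.setdefault(msgid, {})
        if op.endswith("Request"):
            target, qualifier = REQUEST_RE.match(rest).groups()
            entry.update(kind=op[:-len("Request")], target=target, qualifier=qualifier)
        else:
            result, count = RESULT_RE.match(rest).groups()
            entry["result"] = result
            if count is not None:
                entry["count"] = int(count)
    return ops

def triage(ops):
    """Findings a defender would raise: cleartext simple bind, searches matching nothing."""
    findings = []
    for msgid, e in sorted(ops.items()):
        if e.get("kind") == "bind" and e.get("qualifier") == "simple":
            # A simple bind carries the bind DN's password in the clear unless the session
            # is protected by TLS (ldaps:// or StartTLS); a capture tool decoding it shows it was not.
            findings.append(f"msg {msgid}: simple bind as {e['target']} (password in clear without TLS)")
        if e.get("kind") == "search" and e.get("result") == "success" and e.get("count") == 0:
            # The bind worked, but nothing under this base matched, so the UI has no users/groups.
            findings.append(f"msg {msgid}: search under {e['target']} matched 0 entries")
    return findings
```

    Feed it the info column of any Wireshark LDAP capture (File > Export Packet Dissections > As Plain Text gives the same tab-separated layout) to see at a glance whether a failed login is a bind problem or a base-DN problem.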
