Active Directory / LDAP Revisited

  • This is an early stage of testing only. Use at your own risk. Your mileage may vary.


    Update 9/2019: The script works on OMV 3, 4 and 5, with Windows Server 2008, 2012 and 2016. Maybe others?


    Seems to be quite a few threads about this over the years. I have had it working for years but it seems to be quite tricky. With 3.0 coming I decided to look at it again. I did not test against 2.x but it may work as well. I started clean and found something I had not seen before, sssd. It seems to do both AD and other ldap well. I only have a 2008 server to test with so please test other variants if you are interested. I test this in a proxmox vm against a 2008 sbs server with only a few users. I am pasting my notes and hope they are readable.
    I start with a clean install from the iso of a few days ago.


    The ultimate goal is to get sssd into the code or at least as a plugin. Another useful tool may be realmd, I have not tried that yet.


    I hope this is of interest to others.


    Added a script here. script post

    If you make it idiot proof, somebody will build a better idiot.

    Edited 3 times, last by donh: added link to script ().

  • Forgot to mention the users and groups don't show in the web UI under access rights. They are there under ACL where it counts. Anybody know where in the code the users get displayed?

  • I think for normal users it will parse the passwd file, populating only users with a uid higher than 1000.


    I think this is the function that will parse all users:


    https://github.com/openmediava…ediavault/system/user.inc


    then they will get filtered by type depending on the parameters.


    https://github.com/openmediava…ned/rpc/usermgmt.inc#L138

  • Thanks for the reply. I can't see why the users would not show. Is there a limit other than /etc/login.defs. I raised that way high.


    test:*:201163:200513:Test:/home/exanple.COM/test:


    The uid is 201163, the gid is 200513. Is that causing them to be ignored in the web UI? Anyway, they show up under ACL.

  • Got users showing. In /etc/sssd/sssd.conf:

    Code
    ldap_idmap_range_min = 20000
    #to hide computer names that show as users
    ldap_user_search_base = OU=SBSUsers,OU=Users,OU=MyBusiness,DC=example,DC=com

    With those changes you don't need to edit login.defs.

  • Simplified instructions.





    Please test this against other directory services.


    Thanks

  • Good news, bad news: Votdev looks to add it. Bad news, it is targeted for 4.0. bugtracker I guess I should have looked at this earlier, sorry. There are 2 plugins now that could be combined by doing this or eliminated. Simplifying everything, a major goal of OMV.


    So I guess we will need a plugin. Unfortunately that is above my skill level. It should be fairly easy to do. Install a few apt packages and gather some info for smb.conf and sssd.conf. I can probably help write a script to get some of the info if it is available.


    So 400 views and only 1 other comment. Does anyone care about this feature? Has anyone tested other ldap or active directory servers?


    Thanks

  • I would really like to have this functionality since right now I have to create users twice. Once in my Zentyal AD and once on OMV.


    In my test VM, I have tried to follow instructions on how to join an active directory... unfortunately it failed.
    Probably something I did, but unfortunately I don't have much time to go through and figure it out.



    I will however be no help creating this plugin, since that is way above my skill set.

  • Does anyone care about this feature? Has anyone tested other ldap or active directory servers?

    Looks interesting. Now that I know more about ldap and sssd, I could look into a bit more. If you could create a list of fields you would like to see in the plugin with their data type and default value (optional), that would help me greatly.


    Just a warning... I have no way to test AD nor do I want to mess with anything Windows related. Just ldap on my end :) If it works with AD, great.

    omv 5.5.13 usul | 64 bit | 5.4 proxmox kernel | omvextrasorg 5.4.2
    omv-extras.org plugins source code and issue tracker - github


    Please read this before posting a question.
    Please don't PM for support... Too many PMs!

  • I will get some info to you about ad at least as of 2008 sbs and maybe a script. AD relies heavily on dns. If it is correctly setup it could be filled in automatically. I did look for a "sample" sssd.conf file that would have all the options, but never found one. Probably need to read the man pages for that. I did document some above. Are there others needed for other types?


    For other directories I would search for sssd and whatever ldap server you use.


    The goal is not to manage the directory from OMV, but only to use users and groups for permissions. That keeps it simple.

  • First installment. There are 2 files that are already in use by OMV and they need to be dealt with appropriately, smb.conf and nsswitch.conf. They were sometimes modified by saving changes. Not sure that is still the case. Below are what I needed to add to smb.conf for a 2008 sbs server. I just add them to the extra options of SMB/CIFS. They seem to survive settings updates.


    ###########
    Install and upgrade to latest



    Not sure if this step is just my setup. nsswitch needs to get things from dns for AD
    The sssd apt install adds entries for itself



    Setup nsswitch.conf if needed. Move dns up in the order.



    apt-get install krb5-user krb5-config
    ## will get settings from dns and might ask if not available there.
    ## Would that popup from the install? Could it?



    Setup SMB/CIFS



    In extra options



    #Extra Options
    client signing = yes
    client use spnego = yes
    kerberos method = secrets and keytab
    password server = mustang.example.com ## needed ??
    realm = EXAMPLE.COM ## could be extracted from /etc/krb.conf with script



    security = ads ## SECURITY = AUTO This is the default security setting
    ## in Samba, and causes Samba to consult the server role
    ## parameter (if set) to determine the security mode.
    ## See man page options user, ads, domain,
    ## Will test this later.



    apt-get install sssd libpam-sss libnss-sss sssd-tools libsss-sudo libsasl2-modules-gssapi-mit



    nano /etc/sssd/sssd.conf
    [sssd]



    To be continued



    Will do more for sssd conf later.


    Thanks.

  • What version is your Zentyal? Do you have support? When you tried did you get errors, what were they. Do you like Zentyal? It looks interesting, might try it in a vm.

  • Honestly I would love to see this feature. I'm not using it in a corp environment but I am at home. I have a small AD setup at home using Server 2016 and while testing with OMV in a VM (not using my primary OMV system), this worked nicely. It would be great as a plugin as I initially attempted with the LDAP plugin and it just seemed like there was a lot of old info that didn't work with my OMV3 setup. I'm mainly doing this because I want an AD system to make maintaining/etc the numerous systems I have in my easier. It would be nice to have one place to add/remove users and password changes instead of multiple.


    My one question: will the accounts stay in sync or will I need to set up a cron job to run the getent passwd command every so often?

  • Thanks for testing. Did you have any suggestions? They should stay synced with no need to do anything. There may be some caching or delay in propagating from the ad system. In a small network it should be minimal. You can test it easily, create a user and see how soon it shows up in users etc.


    Since it is working on 2008sbs and 2016 I assume it will work on anything in between.

  • No suggestions really. I'm not quite deep enough into the OMV/Linux architecture to really be able to provide suggestions/changes but can provide logs/errors if any of that pops up. Wish I could be more helpful on that end.


    Although if you have any questions on the AD side of things including some of the LDAP elements I might be able to help out. Kinda like the two lines:


    ldap_user_search_base = ou=omvusers,dc=example,dc=com
    ldap_group_search_base = ou=omvgroups,dc=example,dc=com


    I purposely created two AD OU's to clean up what was brought into OMV so only users/groups I WANT in OMV gets sent to OMV. You can find the full LDAP path of these things in ADSI Edit. I can't imagine it would cause a problem to only pass specific users/groups from AD to OMV.


    It would be great to see this as a plugin but really the manual install is easy enough even if you're only semi familiar with the CLI. The only thing that initially tripped me up was editing the nsswitch.conf file. I didn't do it at first and kept getting an error when attempting to run the kinit line saying it was unable to reach a KDC server. Messing around a bit I noticed I forgot that step. Made the change and bam, worked instantly.

  • Ya, nsswitch.conf seems to be a problem for some reason. I thought it might be just my system. Not sure why it does not fall through to dns? The original order is:

    Code
    files mdns4_minimal [NOTFOUND=return] mdns4 dns

    Seems it should get to dns eventually but for some reason doesn't. That seems to be one of the biggest faults in most tutorials I have read. I am not sure if moving dns up in the search order might break some things like mdns (bonjour), I don't think I am using it.

  • Ya, nsswitch.conf seems to be a problem for some reason. I thought it might be just my system. Not sure why it does not fall through to dns? The original order is:

    Code
    files mdns4_minimal [NOTFOUND=return] mdns4 dns

    Seems it should get to dns eventually but for some reason doesn't. That seems to be one of the biggest faults in most tutorials I have read. I am not sure if moving dns up in the search order might break some things like mdns (bonjour), I don't think I am using it.

    I did some research on the nsswitch.conf. Basically from what I'm reading, "NOTFOUND=return" if the lookup hasn't returned a success by now, to basically return a failure and not to continue on. I would imagine moving anything to the left of that entry won't hurt but could cause some slight lag. In fact, it could probably be beneficial to move dns first if you have a correctly configured dns.
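    An added check (example code, not from the thread or from OMV) for the nsswitch.conf ordering discussed in the two posts above: it reads the hosts: line and reports whether dns is listed before a [NOTFOUND=return] action can stop the lookup. The sample file contents are constructed here; no system file is read or changed.

```sh
#!/bin/sh
# Added example, not from the thread: inspect the "hosts:" line of an
# nsswitch.conf and report whether "dns" is consulted before a
# "[NOTFOUND=return]" action could end the lookup (the reorder the
# thread describes). POSIX sh only.

# Print the source list of the first hosts: line in the file $1.
hosts_sources() {
    sed -n 's/^[[:space:]]*hosts:[[:space:]]*//p' "$1" | head -n 1
}

# $*: the sources of a hosts: line, one word each.
# Prints "ok" when dns comes before any [NOTFOUND=return] action (or there
# is none), "dns-after-notfound-return" when dns is only listed after one,
# and "no-dns" when dns is absent.
hosts_verdict() {
    stop_seen=0
    for tok in "$@"; do
        case "$tok" in
            \[*NOTFOUND=return*) stop_seen=1 ;;
            dns)
                if [ "$stop_seen" -eq 0 ]; then echo ok
                else echo dns-after-notfound-return; fi
                return 0 ;;
        esac
    done
    echo no-dns
}

# Verdict for the nsswitch.conf at $1. Globbing is disabled while the
# source list is word-split so "[NOTFOUND=return]" is not treated as a glob.
check_file() {
    set -f
    hosts_verdict $(hosts_sources "$1")
    set +f
}

# Constructed samples: the stock order quoted in the thread, and the same
# line with dns moved ahead of the mdns entries.
STOCK=$(mktemp); MOVED=$(mktemp)
printf 'passwd: compat sss\ngroup:  compat sss\n' >"$STOCK"
printf 'hosts:  files mdns4_minimal [NOTFOUND=return] mdns4 dns\n' >>"$STOCK"
printf 'hosts:  files dns mdns4_minimal [NOTFOUND=return] mdns4\n' >"$MOVED"
echo "stock order: $(check_file "$STOCK")"   # dns-after-notfound-return
echo "dns moved:   $(check_file "$MOVED")"   # ok
rm -f "$STOCK" "$MOVED"
```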

  • I have it implemented completely. Works pretty well. The updates in AD take some time to propagate but that's not surprising. I don't intend on making lots of updates.


    On another note, I had to make a few changes here and there to allow/tweak SSH and sudo. Sudo was a little trickier as it requires altering the AD schema and making edits within ADSI edit. SSH was relatively easy. Also had to add an entry in the sssd.config to set the default shell.


    in /etc/ssh/sshd_Config I added the AD group I created domain_ssh for the users I want to have SSH rights.


    The sudo stuff like I said is a little more involved. I can possibly provide some instructions if anyone is interested. I just googled something about sssd sudo and found the process to do it. Wound up following two different sets of instructions to get it to work successfully.
