davical and samba active directory
Dear all,

we would like to use davical with samba4 AD as an authentication
backend. The ldap protocol reports group members with the member:
attribute and the full DN as its value, not the sAMAccountName only. I
found a number of posts related to this from the past:

http://davical-general.89287.n3.nabble.com/Davical-general-Patch-for-ActiveDirectory-group-synchronization-td4025346.html

http://davical-general.89287.n3.nabble.com/Davical-general-drivers-ldap-php-add-quot-filter-Users-by-Group-quot-and-improve-AD-support-td4026275.html

http://davical-general.89287.n3.nabble.com/Davical-general-AD-group-synchronisation-td2815385.html

Has any of these made it into a current release? Do other people have
experience? I tried this:

$c->authenticate_hook['call'] = 'LDAP_check';
$c->authenticate_hook['config'] = array(
  'host'            => 'ldap://XXXX',
  'port'            => '389',
  'bindDN'          => 'XXXX@XXXX',
  'passDN'          => 'XXXXX',
  'baseDNUsers'     => 'DC=XXX,DC=XXX,DC=XX',
  'protocolVersion' => 3,
  'optReferrals'    => 0,
  'filterUsers'     => '(&(objectClass=person)(objectClass=user))',
  'baseDNGroups'    => 'DC=XXX,DC=XXX,DC=XX',
  'filterGroups'    => '(&(objectClass=posixGroup)(objectClass=group))',
  'startTLS'        => true,
  'mapping_field'   => array('username' => 'sAMAccountName',
                             'modified' => 'whenChanged',
                             'fullname' => 'description',
                             'user_no'  => 'uidNumber',
                             'email'    => 'mail'),
  'group_mapping_field' => array('username' => 'sAMAccountName',
                                 'updated'  => 'whenChanged',
                                 'fullname' => 'description',
                                 'members'  => 'member'),
  'format_updated'  => array('Y' => array(0,4),
                             'm' => array(4,2),
                             'd' => array(6,2),
                             'H' => array(8,2),
                             'M' => array(10,2),
                             'S' => array(12,2)),
  'scope'           => 'subtree', ...

It gets the users just fine and creates davical principals with the same
name as the sAMAccountName. But when I try to sync the groups, it finds
members with their full DN, but then fails to associate this with the
corresponding davical principal, which is named after the sAMAccountName....

Thanks for any hints,

Christian


_______________________________________________
Davical-general mailing list
Davical-general@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/davical-general
Re: davical and samba active directory
Not sure if it is helpful, I didn't go through your config, but my
production system syncs groups and has been working for many years
without problem. The production system is based on a sandbox model that
I documented, the config file for davical is here:

http://cocnm.computerisms.ca/index.php//etc/davical/cal.computerisms.com-conf.php

On 2019-03-29 6:35 a.m., Christian via Davical-general wrote:
> Dear all,
>
> we would like to use davical with samba4 AD as an authentication
> backend. The ldap protocol reports group members with the member:
> attribute and the full DN as its value, not the sAMAccountName only. I
> found a number of posts related to this from the past:
>
> http://davical-general.89287.n3.nabble.com/Davical-general-Patch-for-ActiveDirectory-group-synchronization-td4025346.html
>
> http://davical-general.89287.n3.nabble.com/Davical-general-drivers-ldap-php-add-quot-filter-Users-by-Group-quot-and-improve-AD-support-td4026275.html
>
> http://davical-general.89287.n3.nabble.com/Davical-general-AD-group-synchronisation-td2815385.html
>
> Has any of these made it into a current release? Do other people have
> experience? I tried this:
>
> $c->authenticate_hook['call'] = 'LDAP_check';
> $c->authenticate_hook['config'] = array(
> 'host' => 'ldap://XXXX',
> 'port' => '389',
> 'bindDN' => 'XXXX@XXXX',
> 'passDN' => 'XXXXX',
> 'baseDNUsers' => 'DC=XXX,DC=XXX,DC=XX',
> 'protocolVersion' => 3,
> 'optReferrals' => 0,
> 'filterUsers' => '(&(objectClass=person)(objectClass=user))',
> 'baseDNGroups' => 'DC=XXX,DC=XXX,DC=XX',
> 'filterGroups' => '(&(objectClass=posixGroup)(objectClass=group))',
> 'startTLS' => true,
> 'mapping_field' => array('username' => 'sAMAccountName',
> 'modified' => 'whenChanged',
> 'fullname' => 'description',
> 'user_no' => 'uidNumber',
> 'email' => 'mail'),
> 'group_mapping_field' => array('username' => 'sAMAccountName',
> 'updated' => 'whenChanged',
> 'fullname' => 'description' ,
> 'members' => 'member'),
> 'format_updated'=> array('Y' => array(0,4),
> 'm' => array(4,2),
> 'd' => array(6,2),
> 'H' => array(8,2),
> 'M' => array(10,2),
> 'S' => array(12,2)),
> 'scope' => 'subtree', ...
>
> It gets the users just fine and creates davical principals with the same
> name as the sAMAccountName. But when I try to sync the groups, it finds
> members with their full DN, but then fails to associate this with the
> corresponding davical principal, which is named after the sAMAccountName....
>
> Thanks for any hints,
>
> Christian
>
>


Re: davical and samba active directory
Thanks for the hint. I think I figured it out now. The current version
(1.1.8) from debian testing does a better job at this. If I set
'group_member_dnfix' => true, it will do the right thing (take the
member attributes of the group, take only the first component of the DN
returned, and strip the leading "WHATEVER=").

BTW, I noticed a typo in your config:

optReferrels should be optReferrals, I guess.

Best wishes,

Christian

On 29.03.2019 at 23:11, Computerisms Corporation wrote:
> Not sure if it is helpful, I didn't go through your config, but my
> production system syncs groups and has been working for many years
> without problem.  The production system is based on a sandbox model that
> I documented, the config file for davical is here:
>
> http://cocnm.computerisms.ca/index.php//etc/davical/cal.computerisms.com-conf.php
>
>
> On 2019-03-29 6:35 a.m., Christian via Davical-general wrote:
>> Dear all,
>>
>> we would like to use davical with samba4 AD as an authentication
>> backend. The ldap protocol reports group members with the member:
>> attribute and the full DN as its value, not the sAMAccountName only. I
>> found a number of posts related to this from the past:
>>
>> http://davical-general.89287.n3.nabble.com/Davical-general-Patch-for-ActiveDirectory-group-synchronization-td4025346.html
>>
>>
>> http://davical-general.89287.n3.nabble.com/Davical-general-drivers-ldap-php-add-quot-filter-Users-by-Group-quot-and-improve-AD-support-td4026275.html
>>
>>
>> http://davical-general.89287.n3.nabble.com/Davical-general-AD-group-synchronisation-td2815385.html
>>
>>
>> Has any of these made it into a current release? Do other people have
>> experience? I tried this:
>>
>> $c->authenticate_hook['call'] = 'LDAP_check';
>> $c->authenticate_hook['config'] = array(
>>   'host'            => 'ldap://XXXX',
>>   'port'            => '389',
>>   'bindDN'          => 'XXXX@XXXX',
>>   'passDN'          => 'XXXXX',
>>   'baseDNUsers'     => 'DC=XXX,DC=XXX,DC=XX',
>>   'protocolVersion' => 3,
>>   'optReferrals'    => 0,
>>   'filterUsers'     => '(&(objectClass=person)(objectClass=user))',
>>   'baseDNGroups'    => 'DC=XXX,DC=XXX,DC=XX',
>>   'filterGroups'    => '(&(objectClass=posixGroup)(objectClass=group))',
>>   'startTLS'        => true,
>>   'mapping_field'   => array('username' => 'sAMAccountName',
>>                              'modified' => 'whenChanged',
>>                              'fullname' => 'description',
>>                              'user_no'  => 'uidNumber',
>>                              'email'    => 'mail'),
>>   'group_mapping_field' => array('username' => 'sAMAccountName',
>>                                  'updated'  => 'whenChanged',
>>                                  'fullname' => 'description' ,
>>                                  'members'  => 'member'),
>>   'format_updated'=> array('Y' => array(0,4),
>>                            'm' => array(4,2),
>>                            'd' => array(6,2),
>>                            'H' => array(8,2),
>>                            'M' => array(10,2),
>>                            'S' => array(12,2)),
>>   'scope' => 'subtree', ...
>>
>> It gets the users just fine and creates davical principals with the same
>> name as the sAMAccountName. But when I try to sync the groups, it finds
>> members with their full DN, but then fails to associate this with the
>> corresponding davical principal, which is named after the
>> sAMAccountName....
>>
>> Thanks for any hints,
>>
>> Christian
>>
>>



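The member-DN handling described in the first message (group members returned as full DNs, principals named after sAMAccountName) and the 'group_member_dnfix' behaviour described in the last reply, as an added standalone Python illustration that is not DAViCal's own code: it takes the first RDN of each member DN, strips the attribute type, undoes RFC 4514 escapes, and reports which members cannot be matched because that RDN value is not a principal name. The sample DNs and principal names are constructed, and case-insensitive matching is an assumption.

```python
import re
# Constructed sample data (not from the thread): what AD returns in a group's
# "member" attribute, and the DAViCal principal names created from sAMAccountName.
SAMPLE_MEMBERS = [
    "CN=jdoe,CN=Users,DC=example,DC=com",
    "CN=Smith\\, Anna,OU=Staff,DC=example,DC=com",  # CN containing an escaped comma
    "CN=svc-backup,OU=Service Accounts,DC=example,DC=com",
]
PRINCIPALS = {"jdoe", "asmith", "svc-backup"}


def split_dn(dn):
    """Split a DN into its RDN strings, honouring backslash escapes (RFC 4514)."""
    parts, cur, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):  # keep escape pairs intact
            cur.append(dn[i:i + 2])
            i += 2
            continue
        if dn[i] == ",":
            parts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(dn[i])
        i += 1
    parts.append("".join(cur).strip())
    return parts


def member_name_from_dn(dn):
    """First RDN only, attribute type stripped, escapes undone: the dnfix behaviour."""
    _attr, sep, value = split_dn(dn)[0].partition("=")
    if not sep:
        raise ValueError("not a DN: %r" % dn)
    # \XX hex pairs are decoded as single bytes, which is exact only for ASCII.
    return re.sub(r"\\([0-9A-Fa-f]{2}|.)",
                  lambda m: chr(int(m.group(1), 16)) if len(m.group(1)) == 2 else m.group(1),
                  value)


def resolve_members(member_dns, principals):
    """Map member DNs to principal names (case-insensitively, an assumption here)
    and report the DNs whose first RDN value is not a principal name."""
    by_lower = {p.lower(): p for p in principals}
    resolved, unresolved = [], []
    for dn in member_dns:
        hit = by_lower.get(member_name_from_dn(dn).lower())
        if hit:
            resolved.append(hit)
        else:
            unresolved.append(dn)
    return resolved, unresolved
```

Running `resolve_members(SAMPLE_MEMBERS, PRINCIPALS)` resolves jdoe and svc-backup and leaves the "Smith, Anna" entry unresolved, which is exactly the case the first message hits when a CN is not the sAMAccountName.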