The mailing list for listmasters using Sympa

[Hanno van den Boogaard <address@concealed>]

Hi Dirk,

in our DEV Environment ldapsearch -x -h host-01.de.domain.com -p 389  -D 
“address@concealed" -W  -b "cn=Users,dc=de,dc=domain,dc=com"  -s sub 
"(cn=*)" cn mail sn
and other applications using ldap are working with ldap on Port 389.
I realize that for a live environment, ldaps is preferable.
I don't think that's a connection problem.

Steve Shipways workaround with include_ldap_2level_query to use Active 
Directory for Sympa Data Sources makes me wonder if the current auth.conf 
ldap paragraph can be used for login against active direcotry at all.
Is there anyone here who uses active directory for sympa login? 

Kind Regards,
Hanno
 

Am 16.02.18, 17:12 schrieb "Jahnke-Zumbusch, Dirk" 
<address@concealed>:

    Hi Hanno, 
    
    I am astonished about port 389 in conjunction with AD 
    and would expect 3268 (ldap) or better 3269 (ldaps)
    instead. 
    
    When I used Linux and AD (not with SYMPA), i had 
    either /etc/openldap/ldap.conf or $HOME/.ldaprc 
    like this: 
    
    BASE dc=my, dc=example, dc=com 
    URI ldaps://my.example.com 
    TLS_CACERTDIR /etc/pki/tls/certs 
    TLS_REQCERT never 
    
    Obviously I did not want to check certificate validity and
    set coordinates for AD
    
    Perhaps testing connection with AD using ldapsearch helps:
    
    ldapsearch -x -H ldaps://adc.my.example.com:3269 \ 
    -W -D 'cn=ACCOUNTNAME,ou=my,ou=sub,ou=orgunit,dc=my,dc=example,dc=com’ \ 
    ’(mail=hanno*)’
    
    Here I used port 3269 (ldaps) and the bind DN could get lengthy.
    
    I would guess using AD w/o bind to extract data is not allowed
    and also binding over non-TLS transport may be forbidden.
    
    My 2c, hope they help
    Dirk
    
    ----- On 16 Feb, 2018, at 16:37, Hanno van den Boogaard 
address@concealed wrote:
    
    > Hi Soji,
    
    > I tried both. Even without bind user and password.
    
    > I can connect with ldapsearch linux tool from my sympa server to the 
active
    > directory ldap server.
    
    > I think the active directory connect works differently. Also found the 
following
    > in the documentation. I don't think that will help me with the auth.conf
    
    > [ https://www.sympa.org/manual/ldap | https://www.sympa.org/manual/ldap 
]
    
    > Active Directory having quite a specific functionning, Steve Shipway 
found a way
    > to make it work with Sympa. Here is his guidelines to achieve this goal.
    
    > First, create a service account in your LDAP so that Sympa can connect. 
This
    > only needs read-only access.
    
    > You need to use a 2level query, since AD stores DNs against group 
membership .
    > Also, note that if using a .incl file to define external list admins, 
you
    > cannot pass a full DN as a parameter as it contains commas (I’ve logged 
a bug
    > report for this).
    
    > Kind Regards,
    
    > Hanno
    
    > Hanno van den Boogaard
    
    > System Administration
    
    > [ mailto:address@concealed | address@concealed ]
    
    > Von: Soji Ikeda <address@concealed>
    > Datum: Freitag, 16. Februar 2018 um 03:37
    > An: Hanno van den Boogaard <address@concealed>
    > Cc: "address@concealed" <address@concealed>
    > Betreff: Re: [sympa-users] Can´t authenticate to windows active 
directory
    
    > Hi,
    
    > 2018/02/16 0:22 、 Hanno van den Boogaard < [ 
mailto:address@concealed |
    > address@concealed ] > のメール :
    
    >> Hello Listmasters,
    
    >> Iam new to sympa and I try to authenticate against our windows active 
directory
    >> using the ldap paragraph in the auth.conf without success.
    
    >> The sympa error log shows:
    
    >> Feb 15 15:35:52 DECGN-MLM01 wwsympa[1288]: err main::#1608 >
    >> main::do_renewpasswd#4265 > main::is_ldap_user#3988 >
    >> Sympa::Database::connect#154 > (eval)#154 >
    >> Sympa::DatabaseDriver::LDAP::_connect#162 Failed to bind to LDAP server
    >> ldap://xyz.de.abcd.com:389: (49) 80090308: LdapErr: DSID-0C090400, 
comment:
    >> AcceptSecurityContext error, data 52e, v1db1
    
    >> My auth conf:
    
    >> ldap
    
    >> host [ http://xyz.de.abcd.com:389/ | xyz.de.abcd.com:389 ]
    
    >> timeout 10
    
    >> bind_dn cn=ReaderUser,ou=Users,dc=de,dc=abcd,dc=com
    
    >> bind_password xxxyyyy
    
    >> suffix dc=de,dc=abcd,dc=com
    
    >> get_dn_by_uid_filter (uid=[sender])
    
    >> get_dn_by_email_filter 
(|(mail=[sender])(mailalternateaddress=[sender]))
    
    >> email_attribute mail
    
    >> scope sub
    
    >> user_table
    
    >> regexp .*
    
    >> bind password und dn should be ok.
    
    >> Are there special configs or sample configs for using windows active 
directory
    >> and auth conf ?
    
    > Result code 49 indicates “Invalid credential”. Bind DN or bind password 
seems
    > incorrect.
    
    > I don’t know the details but, with Active Directory LDAP profile, bind 
DN can be
    > in the form “user@domain” or “domain¥user”.
    
    > Regards,
    
    > — Soji
    
    >> Local authentication is working.
    
    >> Kind Regards,
    
    >> Hanno
    
    >> Hanno van den Boogaard
    
    >> System Administration
    
    >> [ mailto:address@concealed | address@concealed ]
    
    -- 
    --
    Dirk Jahnke-Zumbusch   Deutsches Elektronen-Synchrotron DESY
    IT Information Fabrics   Member of the Helmholtz Association
    D-22603 Hamburg              Notkestrasse 85 / 22607 Hamburg

Attachment: smime.p7s
Description: S/MIME cryptographic signature