AD to UCS migration

Hello everyone,

I am currently evaluating the newest UCS 5.0 Core edition as I want to replace my current AD (Win2k19) servers (all VMs).

In general I am using AD currently for central authentication for different services:

  • Zimbra (email)
  • Nextcloud
  • Login for different Windows workstations (Win 10 only)
  • Firewall authentication
  • WLAN (NPS/Radius)

Mostly this is done with dedicated AD groups.

My question: Are the above-mentioned login things also available via UCS?

Thanks for any answers!

Okay first thing I have seen:
Although I have installed my AD root CA certificates, the LDAP does not “like” it and is throwing errors. Setting connector/ad/ldap/ssl to “no” solved it.

Any idea how to setup the TLS certificate the right way?
I have even tried to put it to the Debian CA store.

Hello @showiproute,

did you follow the instructions and export the certificate from Windows and upload it to UCS? It has to be a .crt file in DER format. See: http://docs.software-univention.de/manual-5.0.html#windows:adconn:win2012

This way the certificate will be set in connector/ad/ldap/certificate to “/etc/univention/connector/ad/ad_cert_date_time.pem”

What errors do you get? Setting connector/ad/ldap/ssl to “no” will deactivate ssl and does not solve an issue with the certificate.

You can check the exported .cer file with the following command:
openssl x509 -inform der -in exported.cer -noout -text

or, if you have already uploaded it and it was stored as a .pem file:
openssl x509 -inform pem -in /etc/univention/connector/ad/ad_cert_date_time.pem -text -noout

Good afternoon @peichert,

I have cross-checked the certificates and do not see any differences.
The error log says:

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/univention/connector/ad/__init__.py", line 683, in open_ad
    use_ldaps=ldaps, ca_certfile=self.ad_ldap_certificate,
  File "/usr/lib/python3/dist-packages/univention/uldap.py", line 288, in __init__
    self.__open(ca_certfile)
  File "/usr/lib/python3/dist-packages/univention/uldap.py", line 365, in __open
    self.__starttls()
  File "/usr/lib/python3/dist-packages/univention/uldap.py", line 216, in _decorated
    return func(self, *args, **kwargs)
  File "/usr/lib/python3/dist-packages/univention/uldap.py", line 379, in __starttls
    self.lo.start_tls_s()
  File "/usr/lib/python3/dist-packages/ldap/ldapobject.py", line 1220, in start_tls_s
    res = self._apply_method_s(SimpleLDAPObject.start_tls_s,*args,**kwargs)
  File "/usr/lib/python3/dist-packages/ldap/ldapobject.py", line 1197, in _apply_method_s
    return func(self,*args,**kwargs)
  File "/usr/lib/python3/dist-packages/ldap/ldapobject.py", line 864, in start_tls_s
    return self._ldap_call(self._l.start_tls_s)
  File "/usr/lib/python3/dist-packages/ldap/ldapobject.py", line 329, in _ldap_call
    reraise(exc_type, exc_value, exc_traceback)
  File "/usr/lib/python3/dist-packages/ldap/compat.py", line 44, in reraise
    raise exc_value
  File "/usr/lib/python3/dist-packages/ldap/ldapobject.py", line 313, in _ldap_call
    result = func(*args,**kwargs)
ldap.CONNECT_ERROR: {'desc': 'Connect error', 'info': 'error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed (unable to get local issuer certificate)'}

If I disable SSL, I get an error: Univention seems to have issues if the email domain != AD domain.
Is this just an “informational error” or a real one?

19.07.2021 17:15:17.971 LDAP        (PROCESS): sync to ucs: Resync rejected dn: CN=xxx,OU=Users,OU=xxx,DC=xxx,DC=xx
19.07.2021 17:15:17.974 LDAP        (PROCESS): sync to ucs:   [          user] [       add] uid=xxx,ou=users,ou=xxx,dc=xxx,dc=xxx
19.07.2021 17:15:18.011 LDAP        (ERROR  ): Unknown Exception during sync_to_ucs
19.07.2021 17:15:18.011 LDAP        (ERROR  ): Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/univention/connector/__init__.py", line 1399, in sync_to_ucs
    result = self.add_in_ucs(property_type, object, module, position)
  File "/usr/lib/python3/dist-packages/univention/connector/__init__.py", line 1175, in add_in_ucs
    res = ucs_object.create(serverctrls=serverctrls, response=response)
  File "/usr/lib/python3/dist-packages/univention/admin/handlers/__init__.py", line 543, in create
    dn = self._create(response=response, serverctrls=serverctrls)
  File "/usr/lib/python3/dist-packages/univention/admin/handlers/__init__.py", line 1235, in _create
    self._call_checkLdap_on_all_property_syntaxes()
  File "/usr/lib/python3/dist-packages/univention/admin/handlers/__init__.py", line 1684, in _call_checkLdap_on_all_property_syntaxes
    prop.syntax.checkLdap(self.lo, self.info.get(pname))
  File "/usr/lib/python3/dist-packages/univention/admin/syntax.py", line 2136, in checkLdap
    raise univention.admin.uexceptions.valueError(self.errMsgDomain % (', '.join(faillist),))
univention.admin.uexceptions.valueError: The domain part of the primary mail address is not in list of configured mail domains: openhab@differentDomain.com

It seems that this could be an issue as I do not see all users from AD.

certificate verify failed (unable to get local issuer certificate)

Just a guess, you might have exported another certificate. Please double check:

  • There is a root certificate you want to export (computer name, right click, properties, certificate #0)
    • Hint: “Issuer” and “Subject” will be the same in the root certificate
  • and there are other certificates you do not want to export (Revoked Certificates, Issued Certificates, Pending Requests, Failed Requests and Certificate Templates)

See the documentation on how to export the root certificate: http://docs.software-univention.de/manual-5.0.html#windows:adconn:win2012

The domain part of the primary mail address is not in list of configured mail domains: openhab@differentDomain.com

If you want to manage more than one mail domain for the primary e-mail address, you have to add it for your users. Otherwise it has to be stored as an alternative e-mail address on the AD side for synchronization to UCS.

More mail domains can be added in the Mail module: http://docs.software-univention.de/manual-5.0.html#mail::management::domains
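The two certificate hints in the reply above (a root certificate has identical Issuer and Subject; the DC's LDAPS certificate must chain to the exported root, otherwise python-ldap reports "unable to get local issuer certificate") can be checked from the UCS shell before touching connector/ad/ldap/certificate. The following script is an added example, not part of the thread or of UCS; it assumes only the openssl CLI and takes arbitrary file paths (the paths in the usage comment are placeholders).

```shell
#!/bin/sh
# Added example (not from the thread): sanity-check a root certificate exported from
# the Windows CA before pointing connector/ad/ldap/certificate at it. Assumes openssl CLI.

# cert_format FILE: print "pem" or "der" depending on the encoding of FILE.
cert_format() {
  if grep -q -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null; then echo pem; else echo der; fi
}

# check_ad_root_cert FILE: 0 if FILE parses, is self-signed (issuer == subject,
# as a root CA must be) and has not expired; 1 or 2 otherwise, with a reason printed.
check_ad_root_cert() {
  f="$1"; form=$(cert_format "$f")
  if ! subj=$(openssl x509 -inform "$form" -in "$f" -noout -subject 2>/dev/null); then
    echo "not a parseable $form certificate: $f"; return 2
  fi
  issuer=$(openssl x509 -inform "$form" -in "$f" -noout -issuer)
  # strip the "subject="/"issuer=" prefixes so the two DNs can be compared textually
  if [ "${subj#subject=}" != "${issuer#issuer=}" ]; then
    echo "not a root certificate, issuer differs from subject (wrong export?): $f"
    echo "  $subj"; echo "  $issuer"; return 1
  fi
  if ! openssl x509 -inform "$form" -in "$f" -noout -checkend 0 >/dev/null; then
    echo "root certificate has expired: $f"; return 1
  fi
  echo "ok: self-signed root in $form format: ${subj#subject=}"
}

# verify_ldap_chain ROOT SERVER_CERT: 0 if SERVER_CERT (the DC's LDAPS certificate,
# e.g. saved from 'openssl s_client -connect dc:636 -showcerts') chains to ROOT alone.
# This is exactly the check that fails with "unable to get local issuer certificate".
verify_ldap_chain() {
  root="$1"; server="$2"; tmp=""
  # openssl verify wants the trust anchor in PEM; convert a DER export first
  if [ "$(cert_format "$root")" = der ]; then
    tmp=$(mktemp) || return 2
    openssl x509 -inform der -in "$root" -out "$tmp" || { rm -f "$tmp"; return 2; }
    root="$tmp"
  fi
  # -no-CApath: ignore the system CA directory, trust only ROOT
  if openssl verify -no-CApath -CAfile "$root" "$server"; then rc=0; else rc=1; fi
  [ -z "$tmp" ] || rm -f "$tmp"
  return $rc
}

# Usage (placeholder paths):
#   check_ad_root_cert /etc/univention/connector/ad/ad_cert_date_time.pem
#   verify_ldap_chain  /etc/univention/connector/ad/ad_cert_date_time.pem dc-ldaps.pem
```

If check_ad_root_cert reports that issuer and subject differ, the wrong certificate was exported (an issued certificate instead of the CA's own); if it passes but verify_ldap_chain fails, the DC presents a certificate from a different or intermediate CA.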

Okay, the certificate thing seems to be solved (I restarted the service).

But I have other issues:

  1. The DNS zones/entries are not getting synced from AD to UCS
  2. No GPOs are being synced
  3. I still get errors regarding email addresses: univention.admin.uexceptions.noLock: The attribute 'mailPrimaryAddress' could not get locked.

  1. The AD Connector can sync user, group and computer objects, and also organizational units (ou) and containers (cn) between the UCS LDAP and Active Directory.

  2. GPOs are files in the SYSVOL-Share. Please have a look to the documentation and the robocopy command to copy them once: https://docs.software-univention.de/manual-5.0.html#windows:ad:sysvol

  3. Please describe this in more detail: does it occur once or is it an ongoing problem?
