Can't connect LDAP to Windows domain

Hello,

at a customer we have a Windows Server 2012 with AD, and our server is joined as a member and runs ownCloud. Since an update to the newest ownCloud we unfortunately no longer have an LDAP connection.

UCS Server $.4.14 errata

connector.log
14.07.2017 10:56:27,125 MAIN (------ ): DEBUG_INIT
14.07.2017 10:57:32,192 MAIN (------ ): DEBUG_INIT
14.07.2017 10:58:37,247 MAIN (------ ): DEBUG_INIT
14.07.2017 10:59:42,310 MAIN (------ ): DEBUG_INIT
14.07.2017 11:00:47,339 MAIN (------ ): DEBUG_INIT
14.07.2017 11:01:52,368 MAIN (------ ): DEBUG_INIT
14.07.2017 11:02:57,421 MAIN (------ ): DEBUG_INIT
14.07.2017 11:04:02,487 MAIN (------ ): DEBUG_INIT
14.07.2017 11:05:07,551 MAIN (------ ): DEBUG_INIT
14.07.2017 11:06:12,618 MAIN (------ ): DEBUG_INIT
14.07.2017 11:07:17,665 MAIN (------ ): DEBUG_INIT
14.07.2017 11:08:22,733 MAIN (------ ): DEBUG_INIT
14.07.2017 11:09:27,792 MAIN (------ ): DEBUG_INIT
14.07.2017 11:10:32,843 MAIN (------ ): DEBUG_INIT
14.07.2017 11:11:37,903 MAIN (------ ): DEBUG_INIT

listener.log:
14.07.17 11:12:12.420 LISTENER ( WARN ) : chosen server: UC01RZ03.ppa.local:7389
14.07.17 11:12:12.421 LDAP ( ERROR ) : start_tls: Can’t contact LDAP server
14.07.17 11:12:12.421 LISTENER ( WARN ) : can not connect to LDAP server UC01RZ03.ppa.local:7389
14.07.17 11:12:12.421 LISTENER ( WARN ) : can not connect any server, retrying in 30 seconds
14.07.17 11:12:42.421 LISTENER ( WARN ) : chosen server: UC01RZ03.ppa.local:7389
14.07.17 11:12:42.421 LDAP ( ERROR ) : start_tls: Can’t contact LDAP server
14.07.17 11:12:42.421 LISTENER ( WARN ) : can not connect to LDAP server UC01RZ03.ppa.local:7389
14.07.17 11:12:42.421 LISTENER ( WARN ) : can not connect any server, retrying in 30 seconds

connector-status.log
Warning: Can’t initialize LDAP-Connections, wait…
Warning: Can’t initialize LDAP-Connections, wait…
Warning: Can’t initialize LDAP-Connections, wait…
Warning: Can’t initialize LDAP-Connections, wait…

This is what we have already done:

Certificate imported
http://docs.software-univention.de/manual-4.1.html#ad-connector:general

http://sdb.univention.de/content/6/314/en/reinitialize-active-directory-connector.html

http://sdb.univention.de/content/6/321/en/speed-up-ldap_binds-on-ad-member-mode-systems.html

root@UC01RZ03:~# univention-ldapsearch
ldap_start_tls: Can’t contact LDAP server (-1)
ldap_start_tls: Can’t contact LDAP server (-1)
ldap_start_tls: Can’t contact LDAP server (-1)
ldap_start_tls: Can’t contact LDAP server (-1)
ldap_start_tls: Can’t contact LDAP server (-1)
ldap_start_tls: Can’t contact LDAP server (-1)
ldap_start_tls: Can’t contact LDAP server (-1)
ldap_start_tls: Can’t contact LDAP server (-1)
ldap_start_tls: Can’t contact LDAP server (-1)
^C
root@UC01RZ03:~# univention-run-join-scripts
univention-run-join-scripts: runs all join scripts existing on local computer.
copyright © 2001-2017 Univention GmbH, Germany

Running 01univention-ldap-server-init.inst skipped (already executed)
Running 02univention-directory-notifier.inst skipped (already executed)
Running 03univention-directory-listener.inst skipped (already executed)
Running 04univention-ldap-client.inst skipped (already executed)
Running 05univention-bind.inst skipped (already executed)
Running 08univention-apache.inst skipped (already executed)
Running 10univention-ldap-server.inst skipped (already executed)
Running 11univention-heimdal-init.inst skipped (already executed)
Running 11univention-pam.inst skipped (already executed)
Running 15univention-directory-notifier-post.inst skipped (already executed)
Running 15univention-heimdal-kdc.inst skipped (already executed)
Running 18python-univention-directory-manager.inst skipped (already executed)
Running 20univention-directory-policy.inst skipped (already executed)
Running 20univention-join.inst skipped (already executed)
Running 26univention-nagios-common.inst skipped (already executed)
Running 26univention-samba.inst skipped (already executed)
Running 30univention-appcenter.inst skipped (already executed)
Running 30univention-nagios-client.inst skipped (already executed)
Running 31univention-nagios-ad-connector.inst skipped (already executed)
Running 34univention-management-console-server.inst skipped (already executed)
Running 35univention-appcenter-docker.inst skipped (already executed)
Running 35univention-management-console-module-adconnector.skipped (already executed)
Running 35univention-management-console-module-appcenter.inskipped (already executed)
Running 35univention-management-console-module-diagnostic.iskipped (already executed)
Running 35univention-management-console-module-ipchange.insskipped (already executed)
Running 35univention-management-console-module-join.inst skipped (already executed)
Running 35univention-management-console-module-lib.inst skipped (already executed)
Running 35univention-management-console-module-mrtg.inst skipped (already executed)
Running 35univention-management-console-module-passwordchanskipped (already executed)
Running 35univention-management-console-module-quota.inst skipped (already executed)
Running 35univention-management-console-module-reboot.inst skipped (already executed)
Running 35univention-management-console-module-services.insskipped (already executed)
Running 35univention-management-console-module-setup.inst skipped (already executed)
Running 35univention-management-console-module-sysinfo.instskipped (already executed)
Running 35univention-management-console-module-top.inst skipped (already executed)
Running 35univention-management-console-module-ucr.inst skipped (already executed)
Running 35univention-management-console-module-udm.inst skipped (already executed)
Running 35univention-management-console-module-updater.instskipped (already executed)
Running 36univention-management-console-module-apps.inst skipped (already executed)
Running 40univention-virtual-machine-manager-schema.inst skipped (already executed)
Running 50owncloud82.inst skipped (already executed)
Running 81univention-ad-connector.inst skipped (already executed)
Running 81univention-nfs-server.inst skipped (already executed)
Running 90univention-bind-post.inst skipped (already executed)
Running 91univention-saml.inst skipped (already executed)
Running 92univention-management-console-web-server.inst skipped (already executed)
Running 98univention-pkgdb-tools.inst skipped (already executed)

root@UC01RZ03:~# ucr search --brief connector/ad
connector/ad/autostart: yes
connector/ad/ldap/base: DC=cc,DC=local
connector/ad/ldap/binddn: Administrator
connector/ad/ldap/bindpw: /etc/univention/connector/password
connector/ad/ldap/certificate: /etc/univention/connector/ad/ad_cert_20170714_092416.pem
connector/ad/ldap/host: AD01.cc.local
connector/ad/ldap/kerberos: true
connector/ad/ldap/port: 389
connector/ad/ldap/ssl: yes
connector/ad/listener/dir: /var/lib/univention-connector/ad
connector/ad/mapping/container/ignorelist: mail,kerberos
connector/ad/mapping/group/grouptype: true
connector/ad/mapping/group/ignorelist: Windows Hosts,DC Slave Hosts,DC Backup Hosts,Authenticated Users,World Authority,Everyone,Null Authority,Nobody,Enterprise Domain Controllers,Computers,Remote Interactive Logon,SChannel Authentication,Digest Authentication,Terminal Server User,NTLM Authentication,Other Organization,This Organization,Anonymous Logon,Network Service,Creator Group,Creator Owner,Local Service,Owner Rights,Interactive,Restricted,Network,Service,Dialup,System,Batch,Proxy,IUSR,Self
connector/ad/mapping/group/language: de
connector/ad/mapping/group/primarymail: true
connector/ad/mapping/group/table/Printer-Admins: Druck-Operatoren
connector/ad/mapping/syncmode: read
connector/ad/mapping/user/ignorelist: krbtgt,root,pcpatch
connector/ad/mapping/user/primarymail: true
connector/ad/poll/sleep: 5
connector/ad/retryrejected: 10

root@UC01RZ03:~# host $(ucr get connector/ad/ldap/host)
AD01.cc.local has address 192.168.0.200

What else can we do?

I have just noticed something myself in another log:

management-console-web-server.log
Wenn das Problem bestehen bleibt, können weitere Hinweise zur Ursache in der/den folgenden Protokolldatei(en) gefunden werden:

  • /var/log/univention/management-console-module-udm.log
  • /var/log/univention/management-console-server.log
    14.07.17 11:45:43.369 MAIN ( PROCESS ) : CPCommand (192.168.10.204:46018) response result: None
    14.07.17 11:51:34.116 MAIN ( PROCESS ) : CPCommand (192.168.10.204:46842) response status code: 400
    14.07.17 11:51:34.116 MAIN ( PROCESS ) : CPCommand (192.168.10.204:46842) response message: Fehler: ldapsearch -x failed
    14.07.17 11:51:34.116 MAIN ( PROCESS ) : CPCommand (192.168.10.204:46842) response result: None
    14.07.17 11:51:34.331 MAIN ( PROCESS ) : CPCommand (192.168.10.204:46880) response status code: 400
    14.07.17 11:51:34.331 MAIN ( PROCESS ) : CPCommand (192.168.10.204:46880) response message: Die Initialisierung des Moduls ist fehlgeschlagen: Die LDAP-DN des Benutzers administrator konnte nicht ermittelt werden.
    Die folgenden Schritte können helfen, das Problem zu beheben:
  • Stellen Sie sicher, dass der LDAP-Server auf diesem System läuft und ansprechbar ist
  • Stellen Sie sicher, dass die DNS-Einstellungen dieses Servers korrekt eingestellt sind und der DNS-Server ansprechbar ist
  • Stellen Sie sicher, dass alle Domänenbeitritt-Skripte erfolgreich ausgeführt wurden
  • Installieren Sie alle Softwareaktualisierungen
    Wenn das Problem bestehen bleibt, können weitere Hinweise zur Ursache in der/den folgenden Protokolldatei(en) gefunden werden:
  • /var/log/univention/management-console-module-udm.log
  • /var/log/univention/management-console-server.log
    14.07.17 11:51:34.331 MAIN ( PROCESS ) : CPCommand (192.168.1.204:46880) response result: None

Hello,

because of the TLS errors I would suspect that something is wrong with the certificate of the UCS OpenLDAP server. Is it, or the root certificate, still valid?

univention-certificate check -name $(ucr get hostname).$(ucr get domainname)
/usr/lib/nagios/plugins/check_univention_ssl_certificate

and for the root cert:

openssl x509 -in /etc/univention/ssl/ucsCA/CAcert.pem -noout -text | grep "Not "

root@UC01RZ03:~# univention-certificate check -name $(ucr get hostname).$(ucr get domainname)
Certificate “UC01RZ03.cc.local” is valid
root@UC01RZ03:~# /usr/lib/nagios/plugins/check_univention_ssl_certificate
OK: SSL host certificate expires in 1654 days (warn@45 - crit@15)
root@UC01RZ03:~# openssl x509 -in /etc/univention/ssl/ucsCA/CAcert.pem -noout -text | grep "Not "
Not Before: Jan 24 08:57:15 2017 GMT
Not After : Jan 23 08:57:15 2022 GMT

Everything is valid

I have found out something else, maybe this helps

root@UC01RZ03:/etc/ldap# /etc/init.d/slapd restart
[info] Restarting ldap server(s).
[ ok ] Stopping ldap server(s): slapd …done.
[FAIL] Starting ldap server(s): slapd …failed.
[info] 5968dead regular file expected, got “/var/lib/univention-ldap/local-schema/.elinks” slapschema: bad configuration file!.

I have now disabled the following in this file:

/etc/ldap/slapd.conf

#include /var/lib/univention-ldap/local-schema/.elinks

After that the AD Connector worked again.

Where does this line come from?

But unfortunately not all users were synchronized afterwards. I have now also found out that only the employees who have no proxyAddresses are synchronized. But we urgently need these!!!

How can this be solved now?
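The slapd start failure above ("regular file expected, got .../local-schema/.elinks") comes from an include directive that points at something other than a schema file. As an added example that is not part of this thread or of UCS, the following POSIX shell check lists every active include in a slapd.conf whose target is a directory, missing, not a regular file, or unreadable, so a stray entry like that can be spotted before slapd is restarted. The configuration and schema paths it uses are constructed in a temporary directory for the demo; point check_slapd_includes at /etc/ldap/slapd.conf to use it on a real system.

```shell
#!/bin/sh
# Added example, not code from the thread or from UCS.
# check_slapd_includes CONF: print one line per "include" directive in CONF
# whose target slapschema/slapd could not load as a schema file.
check_slapd_includes() {
    conf="$1"
    # Keep only non-comment "include <path>" directives; field 1 is the path.
    sed -n 's/^[[:space:]]*include[[:space:]]\{1,\}\([^[:space:]]\{1,\}\).*/\1/p' "$conf" |
    while IFS= read -r path; do
        if [ -d "$path" ]; then
            printf 'directory, not a schema file: %s\n' "$path"
        elif [ ! -f "$path" ]; then
            printf 'missing or not a regular file: %s\n' "$path"
        elif [ ! -r "$path" ]; then
            printf 'not readable: %s\n' "$path"
        fi
    done
}

# slapd_includes_ok CONF: exit status 0 when no include is problematic.
slapd_includes_ok() {
    [ -z "$(check_slapd_includes "$1")" ]
}

# --- constructed demo data (assumed layout, mirrors the thread's symptom) ---
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/local-schema/.elinks"      # stray directory, as in the thread
printf 'attributetype ( 1.3.6.1.4.1.99999.1 NAME '"'"'demoAttr'"'"' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )\n' \
    > "$demo_dir/local-schema/good.schema"

# Broken configuration: one good include, one directory, one commented-out
# line (must be ignored), one missing file.
cat > "$demo_dir/slapd.conf" <<EOF
# constructed sample, not the real /etc/ldap/slapd.conf
include $demo_dir/local-schema/good.schema
include $demo_dir/local-schema/.elinks
#include $demo_dir/local-schema/commented-out.schema
include $demo_dir/local-schema/does-not-exist.schema
EOF

# Repaired configuration: only the valid schema file remains included.
cat > "$demo_dir/good.conf" <<EOF
include $demo_dir/local-schema/good.schema
EOF

# Stand-alone run: report findings for the broken file.
check_slapd_includes "$demo_dir/slapd.conf"
```

On a live UCS system the same check is run as `check_slapd_includes /etc/ldap/slapd.conf` before `/etc/init.d/slapd restart`; an empty result means every active include resolves to a readable regular file.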

I was able to solve the problem myself. Kinit had not been started.
