GLPI + Univention

openldap

#1

Hello guys.

Could anyone help me with GLPI configuration? I am trying to authenticate in UCS LDAP base with no success.


#2

Can you show us a screenshot of the settings that can be made in GLPI and what you’ve entered there so far?

Always keep the following three points in mind when configuring a third-party application for access to the UCS LDAP:

  1. There are actually two LDAP servers running, one provided by Samba 4 and the OpenLDAP one that the Univention Management Console & assorted tools use (with bidirectional data sync between them). The Samba 4 LDAP server is running on the standard LDAP ports 389 (unencrypted or via StartTLS) and 636 (encrypted) whereas the OpenLDAP server is running on ports 7389 (unencrypted or via StartTLS) and 7636 (encrypted).
  2. Both servers require authentication before they can be searched. For this you need a user account. We often create one named ldapsearch just for this purpose. The format of the user name used to bind depends on the LDAP server you’re contacting: domain\username or username@f.q.dn should work with Samba 4 whereas you need the user name’s LDAP DN for the OpenLDAP server (e.g. uid=username,cn=users,dc=your,dc=domain).
  3. If you’re using encryption, then it’s quite possible that the connecting device won’t like the certificate authority used by the UCS server. In such a case try importing the UCS CA certificate on the other device. The CA certificate can be downloaded from the UCS DC Master web site or copied via scp from the DC Master, where it can be found in /etc/univention/ssl/ucsCA/CAcert.pem.
  4. Group membership is usually easier to handle in Samba 4’s LDAP server as there’s an attribute for that stored in the user object called memberOf which can be used in LDAP filters. OpenLDAP on the other hand stores group membership in the group object, not in the user object, and you cannot filter for that; the application has to handle OpenLDAP group membership on its own.

…ok there are four important things to remember :grin:
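The four points above in runnable form, as an added example that is not part of the thread and not Univention’s or GLPI’s own code: it derives the bind identity for each of the two servers, escapes the user name before it goes into a search filter (an unescaped name is an LDAP-injection point for any application that builds filters from login input), builds the matching `ldapsearch` command line with the ports from point 1 and a mandatory StartTLS, and resolves group membership the way point 4 describes (read `memberOf` from the Samba user object, scan group objects for the OpenLDAP case). The directory content is constructed inline; the `posixAccount`/`univentionGroup` object classes and the `uniqueMember` attribute on UCS OpenLDAP groups are assumptions made for the example, not taken from the thread.

```python
"""Bind identities, escaped filters and group lookup for the two UCS LDAP
servers (Samba 4 on 389/636, OpenLDAP on 7389/7636).  Added example; the
directory entries below are constructed, not dumped from a real UCS."""
import re

# Ports quoted in the thread, keyed by backend and transport mode.
PORTS = {
    "samba4":   {"plain": 389,  "starttls": 389,  "ldaps": 636},
    "openldap": {"plain": 7389, "starttls": 7389, "ldaps": 7636},
}
# Path of the UCS CA certificate on the DC Master, as quoted in the thread.
UCS_CA_CERT = "/etc/univention/ssl/ucsCA/CAcert.pem"

def base_dn(domain):
    """'ucs.example' -> 'dc=ucs,dc=example'."""
    return ",".join("dc=" + part for part in domain.split("."))

def escape_dn(value):
    """RFC 4514 escaping for a value used inside a DN component."""
    out = re.sub(r'([\\,+"<>;=])', r'\\\1', value)
    if out[:1] in ("#", " "):
        out = "\\" + out
    return out

def escape_filter(value):
    """RFC 4515 escaping: neutralises *, (, ), backslash and NUL so user
    input cannot change the structure of the search filter."""
    return re.sub(r'[\\*()\x00]', lambda m: "\\%02x" % ord(m.group()), value)

def bind_identity(backend, username, domain):
    """Samba 4 accepts user@fqdn (or DOMAIN\\user); OpenLDAP needs the DN."""
    if backend == "samba4":
        return f"{username}@{domain}"
    if backend == "openldap":
        return f"uid={escape_dn(username)},cn=users,{base_dn(domain)}"
    raise ValueError(f"unknown backend {backend!r}")

def user_filter(backend, username):
    """Filter that locates the user entry; objectClass values are assumptions."""
    u = escape_filter(username)
    if backend == "samba4":
        return f"(&(objectClass=user)(sAMAccountName={u}))"
    return f"(&(objectClass=posixAccount)(uid={u}))"

def ldapsearch_cmd(backend, host, domain, username, password, mode="starttls"):
    """argv for OpenLDAP's ldapsearch; run with LDAPTLS_CACERT=<UCS_CA_CERT>
    in the environment so the UCS CA is trusted (point 3)."""
    port = PORTS[backend][mode]
    scheme = "ldaps" if mode == "ldaps" else "ldap"
    cmd = ["ldapsearch", "-x", "-H", f"{scheme}://{host}:{port}",
           "-D", bind_identity(backend, username, domain), "-w", password,
           "-b", base_dn(domain), user_filter(backend, username), "dn"]
    if mode == "starttls":
        cmd.insert(2, "-ZZ")   # -ZZ: abort instead of falling back to plaintext
    return cmd

def groups_of(backend, directory, user_dn):
    """Samba: membership is on the user (memberOf). OpenLDAP: membership is
    on the group (uniqueMember, assumed), so the application scans groups."""
    if backend == "samba4":
        return sorted(directory[user_dn].get("memberOf", []))
    return sorted(dn for dn, entry in directory.items()
                  if "univentionGroup" in entry.get("objectClass", [])
                  and user_dn in entry.get("uniqueMember", []))

# Constructed directory content for a domain "ucs.example".
DOMAIN = "ucs.example"
SAMBA_DIR = {
    "CN=ldapsearch,CN=Users,DC=ucs,DC=example": {
        "objectClass": ["user"], "sAMAccountName": ["ldapsearch"],
        "memberOf": ["CN=Domain Users,CN=Groups,DC=ucs,DC=example"]},
}
OPENLDAP_DIR = {
    "uid=ldapsearch,cn=users,dc=ucs,dc=example": {
        "objectClass": ["posixAccount"], "uid": ["ldapsearch"]},
    "cn=Domain Users,cn=groups,dc=ucs,dc=example": {
        "objectClass": ["posixGroup", "univentionGroup"],
        "uniqueMember": ["uid=ldapsearch,cn=users,dc=ucs,dc=example"]},
    "cn=glpi-admins,cn=groups,dc=ucs,dc=example": {
        "objectClass": ["posixGroup", "univentionGroup"],
        "uniqueMember": ["uid=someone,cn=users,dc=ucs,dc=example"]},
}

if __name__ == "__main__":
    for backend in ("samba4", "openldap"):
        print(" ".join(ldapsearch_cmd(backend, "master.ucs.example", DOMAIN,
                                      "ldapsearch", "secret")))
    print(groups_of("samba4", SAMBA_DIR, "CN=ldapsearch,CN=Users,DC=ucs,DC=example"))
    print(groups_of("openldap", OPENLDAP_DIR, "uid=ldapsearch,cn=users,dc=ucs,dc=example"))
```

Running the script prints one `ldapsearch -x -ZZ -H ldap://master.ucs.example:389 ...` line and one for port 7389; the `-ZZ` flag makes a failed StartTLS negotiation an error rather than a silent fallback to plaintext, which is the behaviour you want when testing whether the CA import from point 3 actually worked.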


#3

I could. This is AD pre-configuration.

My test failed on encryption, but not yet checked the certs.

OpenLDAP works without encryption.


#4

Hey,

your bind user’s DN uid=ldapsearch,cn=users,… is wrong for Samba. In OpenLDAP the user objects are indeed named uid=…, but in Samba’s LDAP they’re named cn=…. See univention-s4search samaccountname=ldapsearch dn for its actual DN.

Kind regards,
mosu


#5

Got it almost working. Except on every 2nd or 3rd connection I’ve got an “Unable to start TLS” (retrying works).