How to combine users from company's LDAP and manually added

Dear all,

I am new to UCS, running 4.3-3 errata410, and I would like to set up a system so it will combine users from our company’s LDAP (read-only) and manually added users from outside of the company.

I have got these details from our IT and I am not sure where I should enter them, preferably using the UCS UI:

  • server address: ldap.fnusa.cz,
  • port: 389 or using TLS port (ldaps) port: 636
  • User DN: ou=users,dc=fnusa,dc=cz username attribute: uid
  • filter: (accessto=icrc-is)

I went through the UCS documentation and Univention help but I haven’t found the answer. Btw. I have limited experience with setting up servers and our IT has limited user-friendliness :)

Thank you very much for any suggestions.

Jan

Hi,

simply: you can’t.

You can have UCS as part of an ActiveDirectory domain (which is, at least partially, LDAP). But not out of the box with a native OpenLDAP.

/CV

Hi @Christian_Voelker ,
would it be possible with UCS to create a separate domain and establish a domain trust?

@jvorisek, it would be good to know a little bit more about the intended use case.
What would you like to use UCS for?

BR,
Jörn

As far as I know you can establish a domain trust between UCS and AD but not between two LDAPs. See Blog.

/CV

Thank you @Christian_Voelker and @jolentes for your help.

I think that it is a very good idea to describe our use case, as you guys may have some clever suggestion and my knowledge of LDAP/AD is limited to zero :)

We are a clinical research centre and part of a university hospital. The hospital IT doesn’t have ActiveDirectory and is running OpenLDAP.

Our research centre consists of employees of our hospital and also researchers from all around the world.

For better cooperation within teams (research and admins) we would like to give them tools for better collaboration.

We found UCS to be a perfect tool, because of the central management of users for all software solutions installed through UCS.

To minimise the administration of users (adding new employees or deactivating leavers), we were wondering whether it would be possible to somehow combine our hospital LDAP and manually maintained external users in UCS.

Thank you very much for all the time you have spent helping us!

Jan

Hi,

as I said, there is no possibility to have an online-trust-whatever-relationship between OpenLDAP and UCS.

You have several possibilities:

  • Create a new domain and sync your users from the “main” domain once. Then, maintain your users on your own without interacting with the main domain.
  • Create a new domain, sync as above and schedule a re-sync every x time intervals. Add external users manually. You will have some time delay in case a user changed its password on the main domain and then tries to connect to your domain with the new password…

To sync, you could use CSV import scripting. There has been a thread recently related to this.

Does it help so far?

/CV
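The second option above (a scheduled one-way sync of the hospital LDAP into UCS, with external researchers kept by hand), sketched as an added Python example that is not from this thread or from UCS. It assumes the LDAPS search (port 636, base `ou=users,dc=fnusa,dc=cz`, filter `(accessto=icrc-is)`) has already been run with a tool such as ldap3 or ldapsearch and its result is fed in as dicts; the sample entries, the "origin" tag and the CSV column names are constructed/assumed, and no passwords are copied.

```python
import csv
import io

# Constructed result of the LDAPS search over ou=users,dc=fnusa,dc=cz with
# filter (accessto=icrc-is); not real hospital data. "accessto" is kept so the
# script can double-check the entitlement on its side as well.
LDAP_RESULT = [
    {"uid": "jnovak", "givenName": "Jan", "sn": "Novak",
     "mail": "jan.novak@fnusa.cz", "accessto": ["icrc-is"]},
    {"uid": "mdvorak", "givenName": "Marie", "sn": "Dvorak",
     "mail": "marie.dvorak@fnusa.cz", "accessto": ["icrc-is", "other-app"]},
    {"uid": "kcerna", "givenName": "Katerina", "sn": "Cerna",
     "mail": "katerina.cerna@fnusa.cz", "accessto": ["other-app"]},  # not entitled
]

# Constructed snapshot of accounts already in UCS: username -> origin. Hand-made
# external researchers are tagged "manual" so the sync never deactivates them.
UCS_USERS = {
    "jnovak": "ldap",
    "psvoboda": "ldap",    # left the hospital, no longer returned by the search
    "rsmith": "manual",    # external researcher maintained by hand
}

ENTITLEMENT = "icrc-is"   # value from the filter the hospital IT supplied

def entitled(entry):
    """Client-side re-check of the (accessto=icrc-is) filter."""
    return ENTITLEMENT in entry.get("accessto", [])

def plan_sync(ldap_result, ucs_users):
    """Return (create, deactivate) username lists. Only 'ldap'-origin UCS
    accounts can be deactivated; accounts added manually are left alone."""
    source = {e["uid"] for e in ldap_result if entitled(e)}
    create = sorted(u for u in source if u not in ucs_users)
    deactivate = sorted(u for u, origin in ucs_users.items()
                        if origin == "ldap" and u not in source)
    return create, deactivate

def to_csv(ldap_result, usernames):
    """Render the accounts to create as CSV for a UCS import script
    (column names are assumed; adapt them to the import script you use)."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["username", "firstname", "lastname", "mailPrimaryAddress"])
    for e in ldap_result:
        if e["uid"] in usernames:
            writer.writerow([e["uid"], e["givenName"], e["sn"], e["mail"]])
    return buf.getvalue()
```

Run `plan_sync` on each scheduled sync, feed the CSV from `to_csv` to the import script for the `create` list, and deactivate (not delete) the `deactivate` list so leavers lose access without losing their data.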

Hello @jvorisek,
with privacyIDEA you can consolidate multiple UserIdResolvers into a single realm and authenticate your services via RADIUS, SAML, LDAP proxy or privacyIDEA PAM module. privacyIDEA offers you One-Time-Passcode (OTP) features in addition.
As far as I know the UCS integration version requires a license while it is available as open source for free when you do the configuration for integration with UCS on your own.
BR,
Jörn

Hi @jolentes,

thank you very much for your suggestion. I am afraid that I won’t get any money to do this and privacyIDEA is not free of charge.

Hi @Christian_Voelker,

thank you for your reply and your second suggestion sounds most convenient for us.

Please would you be so kind as to point me to some documentation on how to add the new domain and also how to modify that script so it can sync with the LDAP details I have got from IT (see my initial post; I’m not even sure whether I need more details).
Sorry, a very beginner here :)

Have a nice day!

Jan

Hi @jvorisek,

privacyIDEA has a community and an enterprise edition: https://www.privacyidea.org/
UCS comes with enterprise edition preconfigured, but you could still install community edition manually and configure it yourself.

BR,
Jörn

Hi @jolentes
thank you very much for your help, but I think I will have to leave this bit for someone with more Linux-server-knowledge.
Have a nice day!
Jan
