We want to use user pictures in NextCloud, Linux, Windows, etc. We put test pictures via the UCS web interface to test accounts. We can see the jpegPhoto attribute in ldaps://dc:7636, but not in ldaps://dc:363.
Do I have to activate the sync somewhere? There are no error messages that give me a hint that the system is not working correctly. Therefore I assume the system works as intended - but not as expected for me, though.
Tested on a 5.0-9 errata 1187 - the jpegPhoto attribute is synced with Samba.
Personally I would go with slapd/OpenLDAP listening on 7636. From our experience this works out of the box, also with jpegPhoto being synced to Nextcloud for example.
In general I do not care which LDAP is used. However, I have to invest time to collect the OpenLDAP entities to switch the LDAP base for the LDAP apps.
Most applications can work out of the box with LDAP Active Directory, therefore this was the approach I went for. It worked out for a long time. The first big issue was this one.
However, I am also worried (and also a bit curious) that or why the heck jpegPhoto is not synced. And furthermore, are there other attributes that are not synced?
Adding user photos never crossed my mind, but this post made me give it a go. Added my beautiful face to my account and all is working as intended; Nextcloud reloaded with this photo too.
However, I recall another post on this forum where ports for LDAPS are mentioned and they are rather annoying.
If you go to UCR and search for LDAPS (or port 636) you’ll see that it is only listening on port 7636 and port 636 is used by SAMBA.
The LDAP/S ports are altered to 7389 and 7636 respectively if you install univention-samba4 and univention-s4-connector (AD DS compatible services) from the app store.
The ports 7389 (unencrypted) and 7636 (TLS) are used by OpenLDAP. This directory is primarily used if you use the web interface (users, passwords, groups, etc.).
The ports 389 (unencrypted) and 636 (TLS) are used by Samba4’s LDAP (let’s call it S4) to represent an AD-compatible LDAP. It uses the LDAP standard ports, since you can configure LDAP apps for other ports, but you cannot convince Windows clients to use different ports…
In theory, both LDAPs are independent. But if we upload a picture to OpenLDAP (UCS standard), we may want to have it in S4 for Windows. If a Windows client is used to change the password, we also want the password changed in OpenLDAP.
For these reasons, UCS has the S4 Connector to sync both worlds permanently.
And here is the point, it does not (fully) work for me, especially jpegPhoto is not synced.
@dzidek23 Which port do you use for your NC<>UCS connection?
Interestingly, I noticed that my domain joined workstation hasn’t received (didn’t recognize) my profile picture. But it definitely is marked in the AD:
In my desperation I read a lot of forum entries and found ucr search. I thought it had to be something with configuration - if it works for you folks and not for me - but the debug log of the S4 connector was pretty much as intended.
So I ended up running this command and looking for suspicious entries:
sudo ucr search --brief s4
To sum it up, almost everything can be ignored with these variables:
Here the output of the command from above is just filtered to “ignore”:
My UCS is damn old; it took over a domain from a self-configured Samba4 and was initially installed in 2016ish. I’m thinking about rebuilding it from scratch. Or maybe I build a new one and start comparing ucr variables… since I am THAT sure I never put this attribute into this list.
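The check described in the last post (run `ucr search --brief s4`, filter for "ignore", look for jpegPhoto) as a small POSIX shell helper. This is an added example, not code from the thread or from Univention; the sample UCR lines are constructed and only mimic the `key: value` format of `ucr search --brief`, so the variable names and values are not taken from a real system.

```shell
#!/bin/sh
# Given `ucr search --brief s4` output on stdin, print every UCR variable whose
# name contains "ignore" and whose comma-separated value lists the attribute
# given as $1 (compared case-insensitively, since LDAP attribute names are).
# Returns 0 if the attribute was found in at least one ignore variable, else 1.
# On a UCS host (not run here):  sudo ucr search --brief s4 | check_ignored_attr jpegPhoto
check_ignored_attr() {
    attr=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    found=1
    # one "key: value" pair per line
    while IFS= read -r line; do
        key=${line%%:*}
        value=${line#*:}
        case "$key" in
            *ignore*) ;;
            *) continue ;;
        esac
        # split the value on commas and compare each entry case-insensitively
        for entry in $(printf '%s' "$value" | tr ',' ' '); do
            if [ "$(printf '%s' "$entry" | tr '[:upper:]' '[:lower:]')" = "$attr" ]; then
                printf 'attribute %s is listed in %s\n' "$1" "$key"
                found=0
            fi
        done
    done
    return $found
}

# Constructed sample output (keys and values are made up for this example and
# are not a real UCS configuration).
SAMPLE='connector/s4/mapping/user/ignorelist: root,krbtgt
connector/s4/mapping/user/attributes/ignorelist: jpegphoto,thumbnailPhoto
connector/s4/ldap/port: 389
connector/s4/poll/sleep: 5'

# stand-alone run: reports the constructed ignore variable that lists jpegPhoto
printf '%s\n' "$SAMPLE" | check_ignored_attr jpegPhoto
```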