LDAP passthrough with AD backend

I am trying to set up our UCS with an Active Directory as password backend as shown here

https://docs.microsoft.com/en-us/archive/blogs/alextch/configuring-openldap-pass-through-authentication-to-active-directory

and here

https://ltb-project.org/documentation/general/sasl_delegation

After following the steps I got some kind of functionality, but not what I expected. Are there any hints for succeeding in UCS (maybe in the SASL GUI)? And another big problem: how do I set the passwords like {SASL}user@domain?

Thanks in advance for any hint.
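To make the mechanism behind the `{SASL}user@domain` question concrete, here is an added illustration (not UCS, OpenLDAP or saslauthd code). It models how a directory server treats the two kinds of `userPassword` values: a `{SSHA}` hash is verified locally, while a `{SASL}` value carries no secret at all and is delegated to the backend, which in a real setup is saslauthd performing a bind against AD. The `FAKE_AD_ACCOUNTS` dictionary, the `ad_simple_bind` function and the user `jdoe@EXAMPLE.COM` are constructed stand-ins, not anything from the thread. With plain OpenLDAP the `{SASL}` value is written as the literal `userPassword` attribute, with no hashing applied.

```python
"""Model of the {SASL} pass-through scheme versus a locally hashed password.

Added illustration only. The "AD backend" is a constructed in-memory
dictionary standing in for the bind saslauthd would perform against the
domain controller.
"""
import base64
import hashlib
import hmac
import os

# Constructed stand-in for the Active Directory accounts (assumption: in a
# real deployment saslauthd binds to AD with the supplied credentials).
FAKE_AD_ACCOUNTS = {"jdoe@EXAMPLE.COM": "Winter2024!"}


def ad_simple_bind(authid: str, password: str) -> bool:
    """Stand-in for saslauthd's LDAP bind against AD (constructed)."""
    expected = FAKE_AD_ACCOUNTS.get(authid)
    return expected is not None and hmac.compare_digest(expected, password)


def parse_userpassword(value: str) -> tuple[str, str]:
    """Split an RFC 2307 style userPassword into (SCHEME, payload)."""
    if value.startswith("{") and "}" in value:
        end = value.index("}")
        return value[1:end].upper(), value[end + 1:]
    return "", value


def make_ssha(password: str) -> str:
    """Build a {SSHA} value: base64(sha1(password + salt) + salt)."""
    salt = os.urandom(4)
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def verify_password(user_password: str, candidate: str) -> bool:
    """Decide how a candidate password is checked, based on the scheme."""
    scheme, payload = parse_userpassword(user_password)
    if scheme == "SASL":
        # Nothing is compared locally: the payload is only the authentication
        # id "user@REALM"; the directory hands the candidate to saslauthd,
        # which attempts a bind as that id against AD.
        return ad_simple_bind(payload, candidate)
    if scheme == "SSHA":
        # Local check: recompute the salted SHA-1 and compare in constant time.
        raw = base64.b64decode(payload)
        digest, salt = raw[:20], raw[20:]
        recomputed = hashlib.sha1(candidate.encode() + salt).digest()
        return hmac.compare_digest(recomputed, digest)
    # Unknown or cleartext schemes are rejected in this model.
    return False


if __name__ == "__main__":
    sasl_entry = "{SASL}jdoe@EXAMPLE.COM"
    print("delegated, correct:", verify_password(sasl_entry, "Winter2024!"))
    print("delegated, wrong:  ", verify_password(sasl_entry, "nope"))
    local_entry = make_ssha("hunter2")
    print("local, correct:    ", verify_password(local_entry, "hunter2"))
```

The point for the thread: an entry whose `userPassword` is `{SASL}jdoe@EXAMPLE.COM` never holds the AD password, so any component that insists on its own local hash (rather than asking the directory to bind) cannot verify that user; only the path that goes through the directory and saslauthd works.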

This documentation is from 2012; it could be outdated or no longer reliable.

Is it mandatory that you “pass through” the authentication, or do you aim to have the possibility of using the Univention LDAP with existing MS AD user data? This can be done with the existing app “Active Directory Connection”: https://docs.software-univention.de/manual-4.4.html#ad-connector:ad-member-einrichtung

Cheers

Yes, it’s mandatory. Our division likes to run our own directory server, but the users and passwords are centralized. So we found it best to get it with SASL.
BTW, it kind of works: I can see users and can log in with the AD users (ssh and web).

I think the problem is that UCS stores local passwords in different parts of the system with different hashes, so SASL only knows one of them. Maybe if I could store the password, i.e. {SASL}user@domain, in plaintext?

There is also an issue with the root certificate from AD, we don’t have it integrated yet on the UCS, because of the bureaucracy here :wink:

As I don’t get any further, I want to give Active Directory Connection a try. I set it up in read mode as I don’t have admin permission on AD and I don’t want to write to AD anyway.
I think it kind of works. Part of the users are synced to the UCS, but without any passwords as far as I can see.
What am I doing wrong?
Do I need an SSL connection or a certificate from the AD? I thought it would work without that.

You are doing nothing wrong. In the default settings no passwords are synchronized. Look for the following text in the documentation and you will find further steps to solve this: “In AD member mode, in the default setting, the UCS AD Connector exports object data from the AD with the authorizations of the master domain controller’s machine account. These authorizations are not sufficient for exporting encrypted password data.” (https://docs.software-univention.de/manual-4.4.html#ad-connector:ad-connector-einrichtung)

It should work without it. But encrypted communication would be the proper way :wink:

Cheers

Thanks, vector

But my UCS isn’t a member of the AD domain. What kind of permission do I need to sync passwords? I’m really confused about the settings.

These authorizations are not sufficient for exporting encrypted password data

About the part of the users: I just have to give it time. Now there are more than 40000 users synced to UCS. Maybe it works when the sync is done.

BTW, I have an issue with syncing LDAP and Samba on my UCS. It’s way behind. Maybe time will heal this also?