S4 Ldap Cetifatate settings


#1

Hi,
When I try to start the Univention S4 connecter service, I receive the following error message
" connector/s4/ldap/certificate not set" Unfortunately I can’t find any documentation where I can set, or change this settings.
Als I didn’t find whery I can apply this in the Univention Configuration Registry.
I can from Windows as well from an linux devce log-on with the same domain account nsme.

All sugetions are welcome!


#2

Hi!

could you please provide the connector-s4.log file? At least the part that covers the failed start of the service.
Additionally, the output of the following command would be helpful:

ucr search --brief s4/ldap

Best regards,
Michael Grandjean


#3

[quote=“Grandjean”]Hi!

could you please provide the connector-s4.log file? At least the part that covers the failed start of the service.
Additionally, the output of the following command would be helpful:

ucr search --brief s4/ldap

[/quote]
Hi Grandjean,

root@MYdc001:~# ucr search --brief s4/ldap
connector/s4/ldap/base: DC=MYDomain,DC=org
connector/s4/ldap/binddn:
connector/s4/ldap/bindpw: <empty>
connector/s4/ldap/host: MYdc001.MyDomain.org
connector/s4/ldap/port: 389
connector/s4/ldap/protocol: ldapi
connector/s4/ldap/socket: /var/lib/samba/private/ldap_priv/ldapi
connector/s4/ldap/ssl:

#4

Okay, I think I found it:

this:

connector/s4/ldap/binddn: [...] connector/s4/ldap/ssl:

should be:

connector/s4/ldap/binddn: <empty> [...] connector/s4/ldap/ssl: no

The latter is the default configuration. (The S4-Connector operates locally and not over the network, so SSL/TLS can be considered overhead).
To resolve your problem it should be sufficient to execute:

ucr unset connector/s4/ldap/binddn ucr set connector/s4/ldap/ssl=no service univention-s4-connector restart

The S4-Connector demands a certificate via “connector/s4/ldap/certificate” if “connector/s4/ldap/ssl” is anything else than “no”. In your case “connector/s4/ldap/ssl” is set to an empty string. Since this is not the same as “no”, the error is shown.
Additionally, “connector/s4/ldap/binddn” should be unset (that is what “” indicates), unless you really want to use a different DN than the default one. Especially it should not be set to an empty string as in your case, because again: an empty string is not the same as no value at all (unset / ).

I hope this was helpful :slight_smile:

Best regards,
Michael Grandjean


#5

[quote=“Grandjean”]Okay, I think I found it:

this:

connector/s4/ldap/binddn: [...] connector/s4/ldap/ssl:

should be:

[code]
To resolve your problem it should be sufficient to execute:

ucr unset connector/s4/ldap/binddn ucr set connector/s4/ldap/ssl=no service univention-s4-connector restart

I hope this was helpful :slight_smile:
[/quote]

Thanks!!

This was the right solution!
It solved also the issue, where I was unable to read my mail from different domain systems.

One strange issue, between the sync from LDAP to Samba.
When I open the Microsoft Active Directory Users and Computers,
I find all the OU’s
But as soon I open the Group Policy management, I miss a lot off OU"S for example the Computers, and the Users OU.
While the sync works, While I create for test an test_OU on LDAP, and an TEST2_OU on Samba.
after the sync both OU’s where visible in both locations.

Is this happens while they are dedicated UNIVENTION GROUPS? Then I can solve this to create an dedicated Samba Computers, and Users OU,
Or is there an other option available, to resolve this issue?
Thanks!


#6

Hi goudduif,

[quote=“goudduif”]
One strange issue, between the sync from LDAP to Samba.
When I open the Microsoft Active Directory Users and Computers,
I find all the OU’s
But as soon I open the Group Policy management, I miss a lot off OU"S for example the Computers, and the Users OU.
While the sync works, While I create for test an test_OU on LDAP, and an TEST2_OU on Samba.
after the sync both OU’s where visible in both locations.

Is this happens while they are dedicated UNIVENTION GROUPS? Then I can solve this to create an dedicated Samba Computers, and Users OU,
Or is there an other option available, to resolve this issue?
Thanks![/quote]
If I’m not mistaken, they are not all Organizational Units (OU). Some are only regular Containers (CN). And for some reason, Microsoft decided that you can link GPOs only to OUs. The regular Containers are therefore just not shown in the Group Policy Management Tool.
IIRC, this is the same for a newly installed Microsoft Active Directory - users and computers exist, but are only regular Containers. Only the discontinued Microsoft Small Business Server came with OUs for users and computers by default.

Imho, the best solution is to create new OUs for your users and computers (with different names) and move all user objects and computer objects to the new OUs. Don’t forget to add those OUs to the “standard containers”: docs.software-univention.de/man … cn-and-ous
This way, you can select them while adding a new user/computer in the UMC.

Best regards,
Michael Grandjean