Searching Slave server for LDAP Info

Hello All,
I am hoping someone can give me some insight into my issue. It's possible that what I am trying to accomplish just might not be possible, but sometimes you do not know what you do not know.
I am trying to set up a Slave DC at a remote location for the copiers/email clients there to be able to search it for contact info. While I am able to do this directly from the Master DC, I am having issues logging into the Slave DC for this purpose. Even though I am using the same login credentials that allow me to log in and accomplish this task with the Master DC, the Slave is giving me some issues. Can anyone provide me any direction as to what the issue could possibly be? Is there a separate set of credentials needed to log in directly to the LDAP data on the Slave? I am by no means an expert when it comes to LDAP, so please let me know if there are any questions that I can answer to help clarify the issue.
Thanks again,
J.B.

Hey,

I assume that by “log in to the server” you mean you’re using an LDAP client and are trying to query the LDAP server on the DC Slave.

What you need to be aware of is that a UCS machine actually runs up to two LDAP servers. The one that’s always running is the OpenLDAP server where UCS stores its users, groups, configuration etc.

The other one that may or may not run is the one provided by the Samba 4 software. An Active Directory server/controller requires LDAP for its functionality. This LDAP has a similar structure to the OpenLDAP one, but there are many important differences; therefore there have to be two LDAP servers in such a case (with a separate program synchronizing content in both ways; that program’s called the Univention Samba4 Connector).

Why is this important? Well, the Samba component is actually optional and doesn’t have to be installed, but if it is installed it has to run on the default LDAP port 389. Therefore the OpenLDAP server, the one that’s always present, always runs on the non-standard port 7389. So it’s quite possible that you don’t have an LDAP server running on port 389 if you don’t use Samba on your DC Slave.

There are some more differences, especially regarding the authentication. Both server types contain the same user accounts with the same passwords, but they accept slightly different syntaxes:

- For the OpenLDAP server on port 7389 you must use a full DN as the user name, e.g. “uid=cbonnie,cn=users,dc=mbu-test,dc=intranet”.
- With the Samba4 LDAP on port 389 you can use either the DNs (but note that they’re slightly different! in my case: “cn=cbonnie,cn=users,dc=mbu-test,dc=intranet”), the Kerberos principal (“cbonnie@mbu-test.intranet”) or even the old domain login syntax (“mbu-test\cbonnie”).

If you’re unsure whether or not you’re running Samba4 on your DC Slave you can check if it’s installed (“dpkg -l | grep univention-samba4”). If you need the actual DNs for the OpenLDAP server try running “univention-ldapsearch uid=REPLACE-WITH-YOUR-LOGIN-NAME dn”.

Kind regards,
mosu
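
The port-to-syntax rules from the reply above, as an added example that is not part of the original posts: a small script that derives the bind identities each server accepts and tries each one against a DC. The `cn=users` container, the short domain name taken from the first DNS label, the five-argument invocation and the use of StartTLS (`-ZZ`, which needs the client to trust the server's CA) are assumptions.

```shell
#!/bin/sh
# Added example. Assumes users live under cn=users and that the short
# (NetBIOS-style) domain name equals the first label of the DNS domain.

# Print the bind identities accepted on a given port, one per line.
#   $1 = port (7389 or 389), $2 = login name, $3 = LDAP base DN
bind_ids() {
    port=$1 login=$2 base=$3
    case "$port" in
        7389)   # OpenLDAP: only the full uid= DN is accepted
            printf 'uid=%s,cn=users,%s\n' "$login" "$base" ;;
        389)    # Samba 4: cn= DN, Kerberos principal, or DOMAIN\user
            realm=$(printf '%s' "$base" | sed 's/^dc=//; s/,dc=/./g')
            printf 'cn=%s,cn=users,%s\n' "$login" "$base"
            printf '%s@%s\n' "$login" "$realm"
            printf '%s\\%s\n' "${realm%%.*}" "$login" ;;
        *)
            echo "unknown port: $port" >&2
            return 1 ;;
    esac
}

# Try a simple bind with every identity valid for the port and report it.
#   $1 = host, $2 = port, $3 = login, $4 = base DN, $5 = password file
# The password file must not end in a newline (ldapsearch -y reads it whole).
try_binds() {
    host=$1 port=$2 login=$3 base=$4 pwfile=$5
    bind_ids "$port" "$login" "$base" | while IFS= read -r id; do
        # -ZZ requires StartTLS so the password is not sent in clear text.
        if ldapsearch -x -ZZ -H "ldap://$host:$port" -D "$id" -y "$pwfile" \
               -b "$base" -s base dn </dev/null >/dev/null 2>&1; then
            echo "OK   port $port  $id"
        else
            echo "FAIL port $port  $id"
        fi
    done
}

# Run only when called with all five arguments (hypothetical invocation):
#   sh ldap-bind-check.sh slave.example 7389 cbonnie dc=mbu-test,dc=intranet pw.txt
if [ "$#" -eq 5 ]; then
    try_binds "$@"
fi
```

If every identity fails on port 389 but the `uid=` DN works on 7389, the DC Slave is most likely not running Samba 4, which matches the case described in the reply.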

Mosu,
That is exactly the info I needed! Thank you so much for the help and direction.
Thanks,
J.B.

You’re quite welcome.
