Speed up LDAP binds on AD member mode systems

LDAP binds are slower than usual in an AD member mode scenario

The reason for this behaviour is the way the authentication is handled on the UCS system.

In the default setting, the Active Directory connection in an AD member mode setup does not transfer any password data from AD to the UCS directory service. Authentication requests (e.g. LDAP binds) are forwarded as Kerberos requests to the Windows Active Directory Controller. This may affect authentication performance, as it introduces additional overhead (network latency, response time of the Active Directory Controller, etc.).

Some Apps that make heavy use of LDAP authentication, like Zarafa / Kopano WebApp for example, will benefit greatly when password hashes are synchronized to OpenLDAP.

In UCS 4.0 the password service has to be installed on the AD server first. For detailed instructions on how to set up the password service, please see the UCS manual, chapter: Setting up the password service on the AD system.

Since UCS 4.1 the password service is no longer needed on the AD server.

Independent of the UCS version, the synchronization of encrypted password hashes needs to be activated manually via Univention Config Registry:

By default, in AD member mode, the UCS AD Connector reads object data from Microsoft Active Directory with the permissions of the machine account of the UCS DC Master. This machine account usually isn't authorized to read encrypted password hashes from Active Directory. The Active Directory LDAP DN of a privileged replication user should therefore be configured in the Univention Configuration Registry variable connector/ad/ldap/binddn. This user must be a member of the Domain Admins group in AD.

The corresponding password must be saved in a file on the master domain controller and the file name entered in the Univention Configuration Registry variable connector/ad/ldap/bindpw. If the access password is changed at a later point in time, the new password must be entered in this file. The access rights for the file should be restricted so that only the root owner has access.

The following commands demonstrate the steps in an example:

ucr set connector/ad/ldap/binddn=Administrator
ucr set connector/ad/ldap/bindpw=/etc/univention/connector/password
touch /etc/univention/connector/password
chmod 600 /etc/univention/connector/password
echo -n "Administrator password" > /etc/univention/connector/password

To actually switch to password synchronization mode, the UCR variable connector/ad/mapping/user/password/kinit must be unset and all objects need to be re-synchronized from Active Directory to read their passwords:

/etc/init.d/univention-ad-connector stop
ucr unset connector/ad/mapping/user/password/kinit

# The \( ... \) grouping is required: find's implicit -a binds more tightly
# than -o, so without it -exec would apply to internal.sqlite only and
# internal.cfg would be left in place.
find /etc/univention/connector/ \
  \( -name "internal.cfg" -o -name "internal.sqlite" \) \
  -exec mv "{}" "{}.bak_$(date +%s)" \;

/etc/init.d/univention-ad-connector start
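The steps above are easy to get half right: the bindpw file may end up world-readable, or the kinit variable may still be set when the connector is restarted. The following script is an added example (not part of the Univention article or the UCS code base) that checks the preconditions before the switch and performs the state-file backup with the correct find grouping. The function names are the author's own; it assumes GNU coreutils (stat -c) as shipped on UCS, and that `ucr dump` prints one "key: value" line per variable. The UCR dump used in the usage section is a constructed sample.

```bash
#!/bin/bash
# Pre-flight checks for switching the UCS AD Connector to password
# synchronization mode. Added example; function names are hypothetical.

# Check the file named in connector/ad/ldap/bindpw: it must be a regular,
# non-empty file owned by the expected user (root by default) with no
# group/other permission bits. Prints the reason on failure; returns 0 if OK.
check_bindpw_file() {
    local file="$1" expected_owner="${2:-root}"
    local owner mode
    [ -f "$file" ] || { echo "bindpw: not a regular file: $file"; return 1; }
    owner=$(stat -c '%U' "$file") || return 1   # GNU stat (assumption)
    mode=$(stat -c '%a' "$file") || return 1
    [ "$owner" = "$expected_owner" ] \
        || { echo "bindpw: owned by $owner, expected $expected_owner"; return 1; }
    case "$mode" in
        600|400) ;;   # only the owner may read (or read/write) the file
        *) echo "bindpw: mode $mode is too permissive, expected 600"; return 1 ;;
    esac
    [ -s "$file" ] || { echo "bindpw: file is empty: $file"; return 1; }
    return 0
}

# Print the value of one key from a "key: value" dump (as written by
# `ucr dump`), or nothing if the key is absent. '|' is used as the sed
# delimiter because UCR keys contain slashes.
ucr_value() {
    local dump="$1" key="$2"
    sed -n "s|^${key}: ||p" "$dump"
}

# Inspect a UCR dump and report whether the connector is configured for
# password synchronization: binddn and bindpw must be set, and
# connector/ad/mapping/user/password/kinit must be absent.
check_connector_ucr() {
    local dump="$1" rc=0
    [ -n "$(ucr_value "$dump" connector/ad/ldap/binddn)" ] \
        || { echo "ucr: connector/ad/ldap/binddn is not set"; rc=1; }
    [ -n "$(ucr_value "$dump" connector/ad/ldap/bindpw)" ] \
        || { echo "ucr: connector/ad/ldap/bindpw is not set"; rc=1; }
    if grep -q '^connector/ad/mapping/user/password/kinit:' "$dump"; then
        echo "ucr: connector/ad/mapping/user/password/kinit is still set (Kerberos forwarding mode)"
        rc=1
    fi
    return $rc
}

# Move the connector's internal state files aside so every object is
# re-synchronized on the next start. The \( ... \) grouping matters: find's
# implicit -a binds tighter than -o, so without it only internal.sqlite
# would be moved.
backup_connector_state() {
    local dir="$1" stamp
    stamp=$(date +%s)
    find "$dir" \( -name "internal.cfg" -o -name "internal.sqlite" \) \
        -exec mv "{}" "{}.bak_${stamp}" \;
}

# Run both checks against the live system (needs the ucr tool, so this is
# only meaningful on a UCS host). Returns 0 when it is safe to restart
# the connector in password synchronization mode.
preflight() {
    local dump rc
    dump=$(mktemp) || return 1
    ucr dump > "$dump"
    check_connector_ucr "$dump" \
        && check_bindpw_file "$(ucr_value "$dump" connector/ad/ldap/bindpw)"
    rc=$?
    rm -f "$dump"
    return $rc
}
```

Typical use on the DC Master, after the `ucr set` / `ucr unset` steps and with the connector stopped: run `preflight && backup_connector_state /etc/univention/connector/` and only then start univention-ad-connector. A non-zero exit prints which precondition failed, so a permissive password file or a leftover kinit variable is caught before the connector runs with it.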