Sync of user passwords between UCS master and member-servers (also UCS with kopano)

Hi,

it seems that the user passwords from UCS master are not synced to ucs member-servers.
Because kopano-server does ongoing kerberos-requests to check credentials against UCS master.

How can the sync be enabled between UCS-master and member-server?

connector/ad/mapping/user/password/kinit only works with microsoft AD
(https://forge.univention.org/bugzilla/show_bug.cgi?id=53592)

What is the current status regarding password sync?

Hi!

The member got no local LDAP by design.

From the 4.4 manual: “member server are server systems without a local LDAP server. Access to domain data here is performed via other servers in the domain.” (https://docs.software-univention.de/manual-4.4.html#domain-ldap:Member_server)

I guess you are looking for a replica node (slave in 4.4) which got a read only local LDAP.

Cheers

Hi, maybe i used the wrong terminology. My kopano UCS server got joined to domain.

Via the ad-connector service, i have a local copy of users & settings.
slapd is running and local ldap database holds data.
If i change user flags in the UCS domain controller, i instantly get the changes synced to kopano ldap. Thats what univention-notifier and listener reports.

Just the passwords itself seem to do not get synced.

I see. You got an AD Domain with a joined UCS on which Kopano is running. The scenario in the bug is a UCS primary with a UCS replica node. Therefor I mentioned that replica nodes don’t have a local LDAP.

By default passwords are not synced between AD and UCS and the account which is used for the default synchronisation is not sufficient to sync passwords.

Is the user you are using for the synchronisation member of the Domain Admins group in AD?

More information is available in the manual: https://docs.software-univention.de/manual-5.0.html#ad-connector:ad-member-einrichtung

Cheers

Hi, the above bugreport is mine. I already tried it with a domain admin user.
I started with a microsoft domain 2012 and joined the kopano.
later on, the microsoft domain was taken over by a NEW ucs server. Kopano is still member of this domain and data get synced. Unfortunately, just not the passwords. I’m unsure if i did not just hit a situation, that is not planned by UCS. Like using the AD-connector with a UCS(AD).

I have 2 servers (NEW UCS-Master that took over MS Domain) and one kopano member-server of this domain.

thank you.

I think so too. I guess it would be easier to install a new UCS Domain controller slave and migrate Kopano to that system.