Sync of user passwords between UCS master and member-servers (also UCS with kopano)

Hi,

it seems that the user passwords from the UCS master are not synced to UCS member servers,
because the kopano-server does ongoing Kerberos requests to check credentials against the UCS master.

How can the sync be enabled between UCS-master and member-server?

connector/ad/mapping/user/password/kinit only works with microsoft AD
(https://forge.univention.org/bugzilla/show_bug.cgi?id=53592)

What is the current status regarding password sync?

Hi!

The member server has no local LDAP by design.

From the 4.4 manual: “member server are server systems without a local LDAP server. Access to domain data here is performed via other servers in the domain.” (https://docs.software-univention.de/manual-4.4.html#domain-ldap:Member_server)

I guess you are looking for a replica node (slave in 4.4), which has a read-only local LDAP.

Cheers

Hi, maybe I used the wrong terminology. My Kopano UCS server was joined to the domain.

Via the ad-connector service, I have a local copy of users & settings.
slapd is running and the local LDAP database holds data.
If I change user flags in the UCS domain controller, I instantly get the changes synced to the Kopano LDAP. That's what univention-notifier and listener report.

Just the passwords themselves do not seem to get synced.

I see. You got an AD domain with a joined UCS on which Kopano is running. The scenario in the bug is a UCS primary with a UCS replica node. Therefore I mentioned that replica nodes don’t have a local LDAP.

By default passwords are not synced between AD and UCS and the account which is used for the default synchronisation is not sufficient to sync passwords.

Is the user you are using for the synchronisation a member of the Domain Admins group in AD?

More information is available in the manual: https://docs.software-univention.de/manual-5.0.html#ad-connector:ad-member-einrichtung

Cheers

Hi, the above bug report is mine. I already tried it with a domain admin user.
I started with a Microsoft 2012 domain and joined the Kopano.
Later on, the Microsoft domain was taken over by a NEW UCS server. Kopano is still a member of this domain and data gets synced. Unfortunately, just not the passwords. I’m unsure if I did not just hit a situation that is not planned by UCS, like using the AD-connector with a UCS (AD).

I have 2 servers (NEW UCS-Master that took over MS Domain) and one kopano member-server of this domain.

thank you.

I think so too. I guess it would be easier to install a new UCS Domain controller slave and migrate Kopano to that system.
