Using custom attributes in the UCS LDAP tree and syncing them with Samba AD

Hello,

I have a fresh installation of UCS 5.0 with the latest updates and I want to use it as an authentication source for VPN users. I'm using Freeradius, which connects to the UCS server and retrieves usernames for authentication; so far this works fine when connecting to UCS LDAP (port 7389).

I want to assign specific IP addresses to users, and for this I need some custom attributes to extend the LDAP schema for the User module. For this I have imported the Freeradius schema into LDAP and I was able to create the custom attributes required by Radius.

The UCS machine also has the domain controller role (Samba 4) installed, so I need to synchronize these custom attributes between UCS LDAP and Samba. I'm using a localmapping.py script with the S4 connector to map the UCS custom attributes to Samba, but it does not work. Below is an example:

import univention.s4connector.s4.mapping

def mapping_hook(s4_mapping):
    # Map the UCS attribute radiusFramedIPAddress 1:1 onto an attribute of the
    # same name on the Samba/AD side of the users/user mapping
    s4_mapping['user'].attributes['radiusFramedIPAddress'] = \
        univention.s4connector.attribute(
            ucs_attribute='radiusFramedIPAddress',
            ldap_attribute='radiusFramedIPAddress',
            con_attribute='radiusFramedIPAddress',
        )
    return s4_mapping

Whenever I run the univention-s4connector-list-rejected command I see the reject below:

UCS rejected

    1:   UCS DN: uid=admin,cn=users,dc=domain,dc=net
          S4 DN: cn=admin,cn=users,DC=domain,DC=net
         Filename: /var/lib/univention-connector/s4/1674598987.209238

S4 rejected

        last synced USN: 4171

Also, when I check the /var/log/univention/connector-s4.log file I constantly see an error message saying that the custom attribute is not found in the schema:

25.01.2023 00:59:53.556 LDAP        (PROCESS): sync UCS > AD: Resync rejected file: /var/lib/univention-connector/s4/1674598987.209238
25.01.2023 00:59:53.567 LDAP        (PROCESS): sync UCS > AD: [          user] [       add] 'cn=admin,cn=users,DC=domain,DC=net'
25.01.2023 00:59:53.582 LDAP        (ERROR  ): sync_from_ucs: traceback during add object: cn=admin,cn=users,DC=domain,DC=net
25.01.2023 00:59:53.583 LDAP        (ERROR  ): sync_from_ucs: traceback due to addlist: [('objectClass', [b'top', b'user', b'person', b'organizationalPerson']), ('userAccountControl', [b'512']), ('givenName', [b'System']), ('sn', [b'Admin']), ('displayName', [b'System Admin']), ('radiusRealm', [b'domain.net']), ('radiusFramedIPAddress', [b'0.0.0.0']), ('radiusFramedIPNetmask', [b'255.255.254.0']), ('sAMAccountName', [b'admin'])]
25.01.2023 00:59:53.589 LDAP        (WARNING): sync failed, saved as rejected
        /var/lib/univention-connector/s4/1674598987.209238
25.01.2023 00:59:53.590 LDAP        (WARNING): Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/univention/s4connector/__init__.py", line 827, in __sync_file_from_ucs
    if not self.sync_from_ucs(key, mapped_object, pre_mapped_ucs_dn, old_dn, old, new):
  File "/usr/lib/python3/dist-packages/univention/s4connector/s4/__init__.py", line 2128, in sync_from_ucs
    self.lo_s4.lo.add_ext_s(object['dn'], addlist, serverctrls=ctrls)
  File "/usr/lib/python3/dist-packages/ldap/ldapobject.py", line 414, in add_ext_s
    resp_type, resp_data, resp_msgid, resp_ctrls = self.result3(msgid,all=1,timeout=self.timeout)
  File "/usr/lib/python3/dist-packages/ldap/ldapobject.py", line 749, in result3
    resp_ctrl_classes=resp_ctrl_classes
  File "/usr/lib/python3/dist-packages/ldap/ldapobject.py", line 756, in result4
    ldap_result = self._ldap_call(self._l.result4,msgid,all,timeout,add_ctrls,add_intermediates,add_extop)
  File "/usr/lib/python3/dist-packages/ldap/ldapobject.py", line 329, in _ldap_call
    reraise(exc_type, exc_value, exc_traceback)
  File "/usr/lib/python3/dist-packages/ldap/compat.py", line 44, in reraise
    raise exc_value
  File "/usr/lib/python3/dist-packages/ldap/ldapobject.py", line 313, in _ldap_call
    result = func(*args,**kwargs)
ldap.NO_SUCH_ATTRIBUTE: {'desc': 'No such attribute', 'info': "0000200A: objectclass_attrs: attribute 'radiusFramedIPAddress' on entry 'CN=admin,CN=Users,DC=domain,DC=net' was not found in the schema!"}

How does the schema synchronization take place between UCS LDAP and Samba AD?

Is it done automatically, or do I also need to manually import the Freeradius schema into Samba so that the custom attributes are recognized by Samba?

What is the proper way to sync custom attributes between UCS LDAP and Samba AD?

I could not find a clear answer in the documentation or any of the forum topics.

Thank you.

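As an added example (not code from the thread or from Univention), a small Python check that reads a connector-s4.log excerpt and pairs each NO_SUCH_ATTRIBUTE traceback with the attribute Samba reported as missing from its schema, the entry it was adding, and the reject file the connector saved; the sample lines are constructed from the log quoted above, plus one clean sync line, and the regexes assume the log format shown there.

```python
import re
from typing import Dict, List

# Samba puts the missing attribute and the entry DN into the 'info' of the
# ldap.NO_SUCH_ATTRIBUTE exception that the connector logs.
NO_SUCH_ATTR_RE = re.compile(
    r"ldap\.NO_SUCH_ATTRIBUTE:.*attribute '(?P<attr>[^']+)' on entry "
    r"'(?P<entry>[^']+)' was not found in the schema")
# Reject file paths appear either inline ("Resync rejected file: ...") or
# alone on the indented line that follows "saved as rejected".
REJECT_PATH_RE = re.compile(r"(/var/lib/univention-connector/s4/\d+\.\d+)")

# Constructed sample: the lines quoted in the question plus one clean sync.
SAMPLE_LOG = [
    "25.01.2023 00:59:53.556 LDAP        (PROCESS): sync UCS > AD: Resync rejected file: /var/lib/univention-connector/s4/1674598987.209238",
    "25.01.2023 00:59:53.567 LDAP        (PROCESS): sync UCS > AD: [          user] [       add] 'cn=admin,cn=users,DC=domain,DC=net'",
    "25.01.2023 00:59:53.589 LDAP        (WARNING): sync failed, saved as rejected",
    "        /var/lib/univention-connector/s4/1674598987.209238",
    "ldap.NO_SUCH_ATTRIBUTE: {'desc': 'No such attribute', 'info': \"0000200A: objectclass_attrs: attribute 'radiusFramedIPAddress' on entry 'CN=admin,CN=Users,DC=domain,DC=net' was not found in the schema!\"}",
    "25.01.2023 01:00:10.000 LDAP        (PROCESS): sync UCS > AD: [          user] [       add] 'cn=john_doe,cn=users,DC=domain,DC=net'",
]


def find_schema_rejects(log_lines: List[str]) -> List[Dict[str, str]]:
    """Pair each NO_SUCH_ATTRIBUTE traceback with the most recent reject file."""
    records = []
    last_reject = None
    for line in log_lines:
        path = REJECT_PATH_RE.search(line)
        if path:
            last_reject = path.group(1)
        hit = NO_SUCH_ATTR_RE.search(line)
        if hit:
            records.append({"attribute": hit.group("attr"),
                            "entry": hit.group("entry"),
                            "reject_file": last_reject or "unknown"})
            last_reject = None
    return records


def unmapped_attributes(log_lines: List[str]) -> List[str]:
    """Attribute names that must leave localmapping.py (or be mapped onto an
    attribute Samba's schema does have) before the rejects can be resynced."""
    return sorted({r["attribute"] for r in find_schema_rejects(log_lines)})


if __name__ == "__main__":
    for rec in find_schema_rejects(SAMPLE_LOG):
        print(f"{rec['attribute']} missing on {rec['entry']} -> {rec['reject_file']}")
    print("unmap:", ", ".join(unmapped_attributes(SAMPLE_LOG)))
```

Run it against `/var/log/univention/connector-s4.log` (read the file into a list of lines) to get the list of attributes to remove from the mapping before resyncing the rejected objects.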

Can someone provide some guidance steps for syncing extended attributes between UCS LDAP and Samba AD?

Hi,
can you please provide the extended attribute configuration?
udm settings/extended_attribute list --filter cn=<name>

Hello,
Thanks for replying. I performed a clean reinstall of UCS 5.0 and successfully imported the Freeradius schema into UCS LDAP, then I defined two extended attributes, radiusFramedIPAddress and radiusFramedIPNetmask. When I run the command you posted on a newly created user, it does not return any extended attributes.

# udm settings/extended_attribute list --filter CN=john_doe,CN=Users,DC=domain,DC=net
CN=john_doe,CN=Users,DC=domain,DC=net

If I run the above command without the --filter parameter, I can see at the end the extended attributes I created previously:

# udm settings/extended_attribute list
...
DN: cn=radiusFramedIPAddress,cn=custom attributes,cn=univention,dc=domain,dc=net
DN: cn=radiusFramedIPNetmask,cn=custom attributes,cn=univention,dc=domain,dc=net

If I run ldapsearch, I can see the extended attributes on the user:

# univention-ldapsearch -b uid=john_doe,CN=Users,DC=domain,DC=net
dn: uid=john_doe,cn=users,dc=domain,dc=net
uid: john_doe
displayName: John Doe
radiusFramedIPAddress: 172.20.30.5
radiusFramedIPNetmask: 255.255.254.0
cn: John Doe

But when I run
# univention-s4search -b CN=john_doe,CN=Users,DC=domain,DC=net

I cannot see any of the extended attributes. I assume they are not synced to Samba AD.

Hi,
the command is not for a user, but for the extended attribute. Try this:

udm settings/extended_attribute list --filter cn=radiusFramedIPAddress
udm settings/extended_attribute list --filter cn=radiusFramedIPNetmask

I need the complete output from this to check the mapping.

Hello,
Please find the output of the two commands:

# udm settings/extended_attribute list --filter cn=radiusFramedIPAddress
cn=radiusFramedIPAddress
DN: cn=radiusFramedIPAddress,cn=custom attributes,cn=univention,dc=domain,dc=net
  CLIName: radiusFramedIPAddress
  copyable: 1
  default: 0.0.0.0
  deleteObjectClass: 0
  disableUDMWeb: 0
  doNotSearch: 0
  fullWidth: 0
  groupName: Radius attributes
  groupPosition: 1
  hook: None
  ldapMapping: radiusFramedIPAddress
  longDescription: IP address assigned to Radius user
  mayChange: 1
  module: users/user
  multivalue: 0
  name: radiusFramedIPAddress
  notEditable: 0
  objectClass: radiusprofile
  overwritePosition: None
  overwriteTab: 0
  shortDescription: Radius IP address
  syntax: ipv4Address
  tabAdvanced: 0
  tabName: Radius
  tabPosition: 1
  valueRequired: 1
  version: 2

# udm settings/extended_attribute list --filter cn=radiusFramedIPNetmask
cn=radiusFramedIPNetmask
DN: cn=radiusFramedIPNetmask,cn=custom attributes,cn=univention,dc=domain,dc=net
  CLIName: radiusFramedIPNetmask
  copyable: 1
  default: 255.255.254.0
  deleteObjectClass: 0
  disableUDMWeb: 0
  doNotSearch: 0
  fullWidth: 0
  groupName: Radius attributes
  groupPosition: 2
  hook: None
  ldapMapping: radiusFramedIPNetmask
  longDescription: Netmask assigned to Radius user
  mayChange: 1
  module: users/user
  multivalue: 0
  name: radiusFramedIPNetmask
  notEditable: 0
  objectClass: radiusprofile
  overwritePosition: None
  overwriteTab: 0
  shortDescription: Radius netmask
  syntax: None
  tabAdvanced: 0
  tabName: Radius
  tabPosition: 2
  valueRequired: 1
  version: 2

Hi,

okay, thank you. The ldapMapping seems right, but now I understand the meaning of the traceback. So I guess Samba does not have the attribute radiusFramedIPAddress, so you need an attribute on the Samba side that you can use.
Unfortunately we do not have extended attributes in Samba. So you can try an unused, fitting existing attribute and overwrite it.

Thank you for the answer.

Would it not be possible to import the Freeradius schema into Samba and make it work this way, so that both LDAP and Samba have the same extended attributes, or is that not a recommended solution?
I looked at this article https://wiki.univention.de/index.php/Cool_Solution_-_Installation_of_Microsoft_SCCM#Schema_extension
and previously I managed to manually import the Freeradius schema into Samba, but it did not allow me to extend the User module with these two attributes, radiusFramedIPAddress and radiusFramedIPNetmask, although the schema was added to Samba.

Regarding your proposed solution to use an existing attribute and overwrite it: is there any document that shows me how I can do this?

In the end I found a workaround to this problem; not the best solution, but I can live with it.

Initially I wanted Freeradius to authenticate using LDAP by connecting to the Samba LDAP on port 389, and that is why I needed to sync the extended attributes between UCS LDAP and Samba, but in the end I told Freeradius to connect to UCS LDAP on port 7389.

I also removed the localmapping.py script from the s4 connector and now Freeradius can send the two custom attributes radiusFramedIPAddress and radiusFramedIPNetmask to users.

I also need the Samba LDAP to authenticate users, but it is not a must to have these custom attributes there, and I see now that when I create a new account it is synced successfully from LDAP to Samba, but without the custom attributes.
