Setting-up LDAP integration with Samba 4 AD

Latest Nextcloud version, I’m trying to connect Nextcloud to a Samba 4 AD.

In the Integration App, on the first configuration screen, I need to enter a user DN, that has a form of ‘uid=agent,dc=example,dc=com’.

Where can I find that notation for a given user in Samba 4 AD?

I can connect to the Samba 4 server, use ‘samba-tool show user’, but none of the entries have this form.
Note that simply replacing ‘uid’ and ‘dc’ entries with mine didn’t work.
Also note that I found the actual ‘distinguishedName’ in “Active Directory Users and Computers”, which has a form of ‘CN=user,OU=IT,OU=Team,OU=UsersOU=Groups,DC=ad,DC=sight-sound,DC=ch’ (because the user is nested in various OU’s), and it doesn’t work with that syntax either.

And here are the logs:

{"reqId":"cmUGGB6ZLucqwoguXCaT","level":2,"time":"2022-11-30T15:23:40+00:00","remoteAddr":"192.168.2.104","user":"admin","app":"user_ldap","method":"POST","url":"/index.php/apps/user_ldap/ajax/getConfiguration.php","message":"Configuration Error (prefix s01): No LDAP Login Filter given!","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:108.0) Gecko/20100101 Firefox/108.0","version":"25.0.1.1","data":{"app":"user_ldap"}}
{"reqId":"cmUGGB6ZLucqwoguXCaT","level":2,"time":"2022-11-30T15:23:40+00:00","remoteAddr":"192.168.2.104","user":"admin","app":"user_ldap","method":"POST","url":"/index.php/apps/user_ldap/ajax/getConfiguration.php","message":"Configuration Error (prefix s01): login filter does not contain %uid place holder.","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:108.0) Gecko/20100101 Firefox/108.0","version":"25.0.1.1","data":{"app":"user_ldap"}}
{"reqId":"zPO8h3bU3SPNPxlVIEFu","level":2,"time":"2022-11-30T15:23:43+00:00","remoteAddr":"192.168.2.104","user":"admin","app":"user_ldap","method":"POST","url":"/index.php/apps/user_ldap/ajax/wizard.php","message":"Configuration Error (prefix s01): No LDAP Login Filter given!","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:108.0) Gecko/20100101 Firefox/108.0","version":"25.0.1.1","data":{"app":"user_ldap"}}
{"reqId":"zPO8h3bU3SPNPxlVIEFu","level":2,"time":"2022-11-30T15:23:43+00:00","remoteAddr":"192.168.2.104","user":"admin","app":"user_ldap","method":"POST","url":"/index.php/apps/user_ldap/ajax/wizard.php","message":"Configuration Error (prefix s01): login filter does not contain %uid place holder.","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:108.0) Gecko/20100101 Firefox/108.0","version":"25.0.1.1","data":{"app":"user_ldap"}}
{"reqId":"zPO8h3bU3SPNPxlVIEFu","level":2,"time":"2022-11-30T15:23:43+00:00","remoteAddr":"192.168.2.104","user":"admin","app":"user_ldap","method":"POST","url":"/index.php/apps/user_ldap/ajax/wizard.php","message":"Configuration Error (prefix s01): No LDAP Login Filter given!","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:108.0) Gecko/20100101 Firefox/108.0","version":"25.0.1.1","data":{"app":"user_ldap"}}
{"reqId":"zPO8h3bU3SPNPxlVIEFu","level":2,"time":"2022-11-30T15:23:43+00:00","remoteAddr":"192.168.2.104","user":"admin","app":"user_ldap","method":"POST","url":"/index.php/apps/user_ldap/ajax/wizard.php","message":"Configuration Error (prefix s01): login filter does not contain %uid place holder.","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:108.0) Gecko/20100101 Firefox/108.0","version":"25.0.1.1","data":{"app":"user_ldap"}}

CN=user,OU=IT,OU=Team,OU=UsersOU=Groups,DC=ad,DC=sight-sound,DC=ch

Has a missing comma:

CN=user,OU=IT,OU=Team,OU=Users**,**OU=Groups,DC=ad,DC=sight-sound,DC=ch

However, the user in the LDAP app has to be a service account, or any account with the delegated rights to read all the needed information from the LDAP directory, including testing users' passwords.
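The missing comma above is easy to miss by eye. As an added example (not code from the thread or from Nextcloud), this small Python checker splits a DN into its RDNs per RFC 4514 (honouring backslash-escaped commas), flags a value that looks like two RDNs run together, and applies the two checks Nextcloud's user_ldap logged earlier in this thread: an empty login filter and a filter without the %uid placeholder. The set of known attribute types is an assumption; extend it for your directory.

```python
import re

# Attribute types commonly seen in AD / OpenLDAP DNs (assumed list; extend as needed).
KNOWN_TYPES = {"CN", "OU", "DC", "UID", "O", "C", "L", "ST", "STREET"}

def split_rdns(dn: str) -> list:
    """Split a DN on unescaped commas (RFC 4514: '\\,' is a literal comma)."""
    rdns, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):      # keep the escape pair intact
            cur.append(dn[i:i + 2])
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
        i += 1
    rdns.append("".join(cur).strip())
    return rdns

def check_dn(dn: str) -> list:
    """Return a list of problems; an empty list means the DN looks well-formed."""
    problems = []
    for rdn in split_rdns(dn):
        if "=" not in rdn:
            problems.append(f"RDN without '=': {rdn!r}")
            continue
        attr, value = rdn.split("=", 1)
        attr = attr.strip().upper()
        if attr not in KNOWN_TYPES:
            problems.append(f"unknown attribute type in RDN {rdn!r}")
        if not value.strip():
            problems.append(f"empty value in RDN {rdn!r}")
        # Heuristic: a value like 'UsersOU=Groups' almost always means a comma was lost.
        if re.search(r"(?i)(CN|OU|DC|UID)=", value):
            problems.append(f"RDN {rdn!r} looks like two RDNs joined (missing comma?)")
    return problems

def check_login_filter(flt: str) -> list:
    """Nextcloud's user_ldap needs a login filter that contains the %uid placeholder."""
    if not flt.strip():
        return ["No LDAP Login Filter given"]
    if "%uid" not in flt:
        return ["login filter does not contain %uid placeholder"]
    return []
```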

Thanks!

Tested again with the comma doesn’t work.

The user I'm using is a Domain Admin… I think I should not use this one for production use, but for testing this should work the best, right?

New unsuccessful tests I've done:

  • Adding a uid in Active Directory Users and Computers (with Show Advanced Features On) → User ‘Properties’ → ‘Attribute Editor’ → Edited ‘uid’ field that was empty and added the name of the user to then use it in Nextcloud as in : uid=<uid_in_ad>,DC=<domain>,DC=<country>

  • Using the Distinguished Name indicated by the Samba4 server, literally, with the use of samba-tool show user. In my case: distinguishedName: CN=Samba AD Administrator,OU=Administrateurs,OU=Groupes,OU= Sight-Sound,DC=ad,DC=sight-sound,DC=ch
    Used without distinguishedName: in the login field in Nextcloud but otherwise copypasted.

  • Using the ‘uid’ given by Samba4's commands:

$ wbinfo --name-to-sid USERNAME
S-1-5-21-4036476082-4153129556-3089177936-1005 SID_USER (1)

$ wbinfo --sid-to-uid S-1-5-21-4036476082-4153129556-3089177936-1005
3000011

I’m guessing the first and last one have nothing to do with what the ‘uid’ field in Nextcloud’s LDAP connection interface refers to, but figured I’d give it a shot.

Hi alcsight,

try this for the LDAP user login:

CN=name surname,OU=container,DC=domain,DC=name

something like:
CN=Santa Claus,OU=Users,DC=domain,DC=name

not sure why but I never worked out how to get the uid working…

Tested with Samba4 AD served from Zentyal server.

1 Like

Still no luck.

Did you have to go to the Advanced or Expert tab to connect, or did it work with just the first page of config?

All worked from the first page.

1 Like

What did you use as base DN?

Maybe that’s my issue.

I’m trying with DC=ad,DC=mydomain,DC=com (because my AD domain has ‘ad’ first, like in ad.mydomain.com).

That is a perfectly fine base DN. However, make sure that the service account you are using also has delegated rights to traverse the OU structure from that top down.

1 Like

Ok still not got it :k

Port is detected automatically, but I can’t confirm anything works further than that.

Note that I’m now only using the base DN specified in message #9 and the user login in the form specified by @dzidek23 in message #6 - that I actually copy and paste from “Active Directory Users and Computers” → User’s Attributes Explorer → ‘distinguishedName’.

EDIT: Oh, and to address your remark about users, I'm not really an AD aficionado, so I'm using the very first admin ever created in the process of setting up the AD. It has every right on the AD afaik.

1 Like

First of all stop testing from Nextcloud and verify connectivity and settings, using an LDAP browser. I use Apache Directory Studio to connect to and manage basically any LDAP capable directory service, including AD. If you can get it working with that, you can copy-paste basically all your settings in the ApacheDS connection properties to nextcloud, and you can be damn sure it is not config mistakes.

Ditto, make sure your domain is working first and then try to connect to nextcloud.

Also using Admin account for nextcloud isn’t best in my opinion. If you have a working AD just add another user and use it to search the directory.

1 Like

Yes. As Nextcloud SHOULD not be used to update your LDAP, any user - even without any rights - should be enough to read what is needed.

Apache Directory Studio - I never heard of this so had to give it a go… Whoa goodness me, this is more than the average AD admin needs… There is potential; in fact there is a good chance that someone with little experience will mess up their domain :wink:

@alcsight If you have access to Windows see if you can get RSAT installed (not all modules work but AD does and is relatively easy to use)

Yes it is powerful and has some outright smart features.
My most loved feature is batch operations as well as exporting filtered results. However, with just a regular domain user, you can do no damage as you cannot write. But you can still use ApacheDS for many cool things with just read access. :slight_smile:

1 Like

Hi @Kerasit and @dzidek23, thanks for all the inputs.

Thing is, the AD is definitely working, has been for a year, it's used by a 40-computer company, I have used RSAT since then, have a ton of GPOs, and have set up some new ones even these last few days.

I will still try Apache Studio and let you know if I manage to connect or get more feedback from this app.

Yeah, use the ApacheDS; there's enough information on just about everything (and probably more) :wink:

I use what’s in the “distinguishedName” for my user in the LDAP form.

just right click the user in the left side and use “copy dn”