not getting UIDnumber using univention AD/LDAP server

Status
Not open for further replies.

chonkat

Cadet
Joined
Dec 14, 2015
Messages
8
So I have spent about two weeks now and then trying to get things right with Active Directory and FreeNAS on our FreeNAS Mini, searching, testing, and debugging...

As the Directory Server we are using Univention v4.1 and FreeNAS is FreeNAS-9.3-STABLE-201512121950.

I can get FreeNAS to AD working but can only get UIDs from POSIX accounts working with rid as the idmap (or even any readings with getent passwd and getent group). With rid, though, the UIDs are pretty much random and useless. I have tried ad, ldap, etc., and no dice. Having the proper UIDs mapped is important for us to preserve because the data I'm passing (rsync -avue ssh) from our current production fileserver (OpenBSD) to the FreeNAS Mini (ZFS, yaaay!) has proper permissions for the 40+ users and about 15 groups. Worst case is not too bad, just more downtime during the transition while reassigning permissions after the latest data sync.

UCS (Univention Corporate Server) runs two servers: OpenLDAP (ports 7389 and 7636) and Samba's Active Directory (port 389). I have been through trying with and without encryption (TLS, SSL, testing for a valid connection with "openssl s_client -connect server_name port" successfully), found that some connections are not made to the proper port, and have modified some of the code (see https://forums.freenas.org/index.php?threads/ldap-port-hard-coded-to-389-in-3-places.26959/). I have advanced but pretty much cannot connect to the LDAP server.

My intention is for FreeNAS to only connect to the OpenLDAP server which does provide uidNumber and gidNumber attributes.

I can connect to the OpenLDAP server fine from a FreeNAS shell through ldapsearch, with and without encryption. Sample output data from ldapsearch:

DN: uid=joeuser,cn=users,dc=otrolugar,dc=com,dc=sv
ARG: None
homedrive: None
CtxKeyboardLayout: None
PasswordRecoveryEmail: None
disabled: none
postcode: None
CtxWFProfilePath: None
CtxRASDialin: E
networkAccess: 1
PasswordRecoveryMobile: None
title: None
organisation: None
CtxMaxIdleTime: None
lastname: Quiros
employeeNumber: None
password: {crypt}xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
passwordexpiry: None
sambaRID: 1111
profilepath: None
objectFlag: None
sambahome: None
CtxWFHomeDirDrive: None
CtxCallback: None
street: None
CtxShadow: 00000000
e-mail: joeuser@otrolugar.com.sv
CtxWorkDirectory: None
CtxNWLogonServer: None
CtxMaxConnectionTime: None
umcProperty: appcenterSeen = false
umcProperty: favorites = updater,appcenter:appcenter,udm:users/user,udm:groups/group,udm:computers/computer,apps:radius,apps:icinga,apps:self-service
groups: cn=Domain Admins,cn=groups,dc=otrolugar,dc=com,dc=sv
groups: cn=Domain Users,cn=groups,dc=otrolugar,dc=com,dc=sv
groups: cn=Administrators,cn=Builtin,dc=otrolugar,dc=com,dc=sv
groups: cn=ETCmusic,cn=groups,dc=otrolugar,dc=com,dc=sv
groups: cn=ETCcontabilidad,cn=groups,dc=otrolugar,dc=com,dc=sv
groups: cn=ETCimportaciones,cn=groups,dc=otrolugar,dc=com,dc=sv
groups: cn=ETClegales,cn=groups,dc=otrolugar,dc=com,dc=sv
groups: cn=ETCgerentes,cn=groups,dc=otrolugar,dc=com,dc=sv
groups: cn=ETCactfijo,cn=groups,dc=otrolugar,dc=com,dc=sv
groups: cn=ETCdet,cn=groups,dc=otrolugar,dc=com,dc=sv
groups: cn=ETCprovee,cn=groups,dc=otrolugar,dc=com,dc=sv
groups: cn=ETCsupplychain,cn=groups,dc=otrolugar,dc=com,dc=sv
groups: cn=ETCtestoreria,cn=groups,dc=otrolugar,dc=com,dc=sv
groups: cn=ETCmtto,cn=groups,dc=otrolugar,dc=com,dc=sv
groups: cn=ETCcalidad,cn=groups,dc=otrolugar,dc=com,dc=sv
overridePWHistory: None
country: None
pwdChangeNextLogin: None
UniventionDovecotUserQuota: 0
primaryGroup: cn=Domain Users,cn=groups,dc=otrolugar,dc=com,dc=sv
CtxInitialProgram: None
scriptpath: None
city: None
CtxStartprogramClient: 0
userexpiry: None
username: joeuser
departmentNumber: None
shell: /bin/bash
CtxMinEncryptionLevel: None
CtxCallbackNumber: None
mailHomeServer: dir.otrolugar.com.sv
CtxCfgFlags1: 00000100
gidNumber: 5001
sambaLogonHours: None
CtxBrokenSession: 0000
locked: none
CtxReconnectSession: 0000
roomNumber: None
homeShare: None
gecos: Joe User
CtxCfgClientPrinters: 0
jpegPhoto: None
uidNumber: 2008
employeeType: None
homeSharePath: None
CtxCfgPresent: 551e0bb0
CtxWFHomeDir: None
unixhome: /home/joeuser
description: None
firstname: Jon
birthday: None
overridePWLength: None
CtxMaxDisconnectionTime: None
CtxCfgDefaultClientPrinters: 0
displayName: Joe User
mailPrimaryAddress: jaq@interno.otrolugar.com.sv
CtxCfgClientDrivers: 0
CtxCfgTSLogon: 0

I cannot, however, get FreeNAS to bind to the LDAP server correctly.

Any questions to help clarify, or pointers, are appreciated, as I am assuming FreeNAS is at the level where I should be able to get it to bind correctly, and I am attaching a typical log for an attempt to connect to OpenLDAP with TLS enabled... Either that, or are there any pointers as to other idmap alternatives (periodically make a hash using ldapsearch, etc.)?

Attachments

  • bindunbound.txt (25.7 KB)
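To make the UID mismatch concrete, here is an added example (not code from the thread, FreeNAS or Univention) that parses a constructed record in the same key: value shape as the ldapsearch output above, emits the passwd(5) line that the OpenLDAP uidNumber/gidNumber attributes describe, and computes the UID that Samba's idmap_rid backend would instead derive from sambaRID. The idmap range 20000-20000000 and base RID 0 are assumptions standing in for whatever the FreeNAS config uses.

```python
import re

# Constructed sample, reduced from the attribute dump quoted in the thread.
SAMPLE = """\
DN: uid=joeuser,cn=users,dc=otrolugar,dc=com,dc=sv
sambaRID: 1111
username: joeuser
shell: /bin/bash
gidNumber: 5001
gecos: Joe User
uidNumber: 2008
jpegPhoto: None
unixhome: /home/joeuser
"""

# Assumed idmap range (as in "idmap config DOMAIN : range = 20000-20000000").
RID_LOW, RID_HIGH = 20000, 20000000
BASE_RID = 0  # idmap_rid default


def parse_record(text):
    """Turn 'key: value' lines into a dict of lists; 'None' is an empty marker."""
    rec = {}
    for line in text.splitlines():
        m = re.match(r"^([\w-]+):\s*(.*)$", line)
        if m and m.group(2) != "None":
            rec.setdefault(m.group(1), []).append(m.group(2))
    return rec


def rid_to_unix_id(rid):
    """idmap_rid's algorithm: ID = RID - BASE_RID + LOW_RANGE_ID."""
    uid = rid - BASE_RID + RID_LOW
    if not RID_LOW <= uid <= RID_HIGH:
        raise ValueError(f"RID {rid} maps outside the idmap range")
    return uid


def passwd_line(rec):
    """Build the passwd(5) entry carried by the LDAP POSIX attributes."""
    v = {k: rec[k][0] for k in ("username", "uidNumber", "gidNumber",
                                "gecos", "unixhome", "shell")}
    return (f"{v['username']}:*:{v['uidNumber']}:{v['gidNumber']}:"
            f"{v['gecos']}:{v['unixhome']}:{v['shell']}")


def compare(text):
    """Contrast the LDAP uidNumber with the UID idmap_rid would synthesise."""
    rec = parse_record(text)
    ldap_uid = int(rec["uidNumber"][0])
    rid_uid = rid_to_unix_id(int(rec["sambaRID"][0]))
    return {"passwd": passwd_line(rec), "ldap_uid": ldap_uid,
            "rid_uid": rid_uid, "uid_matches": ldap_uid == rid_uid}
```

For the sample record the LDAP uidNumber is 2008 while idmap_rid would hand out 21111, which is exactly why file ownership copied over with rsync no longer lines up under rid mapping.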

chonkat

Cadet
Joined
Dec 14, 2015
Messages
8
Started fresh, reinstalling FreeNAS and Univention (this one in a vbox in a jail in freenas), and "rid" mapping in AD worked correctly.

sanuko

Cadet
Joined
Jan 13, 2016
Messages
1
@chonkat
I will try exactly what you did, because I want to make use of Univention. Univention has a very good server setup, but they don't know the advantage of using ZFS storage.

Do you remember anything special I have to consider in order to get this thing up and running?

Could you please send me a sample Directory -> LDAP or "Active Directory" screenprint?

chonkat

Cadet
Joined
Dec 14, 2015
Messages
8
sanuko,
After a clean install of both I had no "special" things to consider, especially if you are creating users and groups (uid, gid, uidNumber, gidNumber) fresh.
Funny, I actually prefer using Windows ACLs now for their flexibility.
The only thing I can strongly suggest is to not install Univention in a jail on the same FreeNAS server. In my case, I did, and then quickly migrated the VirtualBox image to another host so that all domain info is available when FreeNAS is starting up.
Good luck and let us know how it went!