Copyright © IPBRICK. All rights reserved. 2015.
The information contained in this document is subject to alterations without prior notice. Statements, technical data, configurations and recommendations found in this document are supposedly precise and reliable, but are presented without expressed or implicit warranties.
IPBrick AD integration IPBRICK - 2015
Contents
1 Active Directory - LDAP  5
  1.1 Introduction  5
  1.2 Microsoft Services For Unix  6
    1.2.1 Installing SFU  6
    1.2.2 Windows Server 2003 R1  6
    1.2.3 Windows Server 2003 R2  7
    1.2.4 Windows Server 2008  9
    1.2.5 Windows Server 2012  12
    1.2.6 SFU Configuration  13
  1.3 Active Directory - Schema SNAP-IN  16
  1.4 Windows 2003 Server Support Tools  19
  1.5 LDAP Schema update  24
    1.5.1 AD Schema Registration  25
    1.5.2 Anonymous Access to LDAP  28
  1.6 AD users management  31
2 IPBrick configuration  37
  2.1 AD Data  37
  2.2 IPBrick Configuration  38
3 Troubleshooting  41
  3.1 FAQs  41
  3.2 Scenarios  42
    3.2.1 Scenario: 0 - Starting Point  42
    3.2.2 Scenario - A  43
    3.2.3 Scenario - B  43
    3.2.4 Scenario - C  43
    3.2.5 Scenario - D  44
Chapter 1
Active Directory - LDAP
1.1 Introduction
Created by Microsoft Corporation, Active Directory (AD) provides the means to manage the identities and relationships that make up your organization’s network. Active Directory stores information and settings in a central database and also allows administrators to assign policies, organize available software, and apply vital updates to an organization.
When installed, IPBrick uses the local Lightweight Directory Access Protocol (LDAP) to authenticate the users (Advanced Configurations -> IPBrick -> Authentication). This means that these users are created in IPBrick, so IPBrick will be acting as the network PDC¹. If the organization already has a PDC (e.g. Windows 2003 Active Directory) and an IPBrick is being installed, it may be necessary to integrate the IPBrick with the Active Directory. The integration level depends on the services that will be running in IPBrick:
• No integration: if the IPBrick is a communications server without services requiring user authentication. These services are examples that require no integration:
– Mail relay
– Transparent/Standard Proxy
– VoIP
– Firewall
– Webserver.
• Partial integration: if the IPBrick needs to authenticate users, you must change the authentication type to AD Domain Member (IPBrick Master). It’s called a partial integration because the IPBrick only needs to query the Windows LDAP for the authentication process (please consult Chapter 1.2 and Chapter 2).
¹ Primary Domain Controller
– These are some services/applications running in IPBrick that need this type of integration:
– Proxy with authentication;
– PPTP VPN;
– Intranet applications running on IPBrick (Calendar, Contacts, etc.)
• Total integration: in a total integration, besides querying LDAP for authentication, the IPBrick will physically hold the user’s account. However, the LDAP server must be extended in order to support all the IPBrick requirements, such as:
– UNIX attributes: NIS domain, UID, GID, login shell and home directory;
– Automount information LDAP attributes;
– Mail server LDAP attributes (qmail-ldap).
• Examples when a total integration is needed:
– The IPBrick will be the internal mail server: the Windows Exchange service will be replaced by the IPBrick qmail service.
– You will use the documentation management system developed by iPortalMais - iPortalDoc
• If the goal is to do a total integration with AD, please follow all the steps presented in this Manual.
1.2 Microsoft Services For Unix
1.2.1 Installing SFU
1.2.2 Windows Server 2003 R1
If you have installed a Windows 2003 Server (R1), you’ll need to install the Services for UNIX (SFU) version 3.5 that can be obtained from Microsoft’s Website at:
http://www.microsoft.com/en-us/download/details.aspx?id=274
You must log in with an MSN passport, the same account that enables you to log in to the MSN Messenger service. The file size is about 217.6 MB and it is a self-extracting zip file.
To proceed with the installation you’ll need to log in to Windows as a user of the ’Schema Admins’ group.
To install, you must follow these steps:
1. Download the file to the server;
2. Uncompress it to c:\tempsfu;
3. Now you must close all Microsoft Management Consoles (MMC) as well as any AD Management windows you might have open;
4. Execute c:\tempsfu\setup.exe (you can delete this file later)
5. Select all the default options - do not write anything in any of the fields!
6. For the modifications to take place, you must reboot the server. This can be done at the end.
1.2.3 Windows Server 2003 R2
If you have installed a Windows 2003 Server (R2), the SFU is included with version 4.0 so we just need to activate the service:
• Click Start, select Control Panel, and click Add or Remove Programs;
Figure 1.1: Start - Control Panel - Add or Remove Programs
• Click Add/Remove Windows Components. Next, select the Active Directory Services component and click Details;
Figure 1.2: Active Directory Services Component
• Check Identity Management for UNIX and click OK. Click Next to begin installation. After its completion this prompt will appear; please click on Finish.
Figure 1.3: Installation complete
1.2.4 Windows Server 2008
The Identity Management for Unix is a role service, which means it is basically an extra feature of the ADS role.
If you have Windows Server 2008, to install the Identity Management you should follow these steps:
Start -> Administrative Tools -> Server Manager
Figure 1.4: 2008 Server Manager
Start -> Administrator Tools -> Services for Network File System
Choose Roles
Scroll down to the Active Directory Domain Services
Figure 1.5: Active Directory Domain Services
Click the Add Role Services link.
On the next screen, Select Role Services, check the Identity Management checkbox.
Figure 1.6: Active Directory Domain Services
This will lead you through a wizard which will require a reboot of the server.
1.2.5 Windows Server 2012
From page:
http://technet.microsoft.com/en-us/library/cc731178.aspx
To install Identity Management for UNIX by using Dism.exe on a domain controller that runs Windows Server 2012, right-click Windows PowerShell and click Run as Administrator.
Type one of the following, and then press ENTER:
• To install the administration tools for Identity Management for UNIX.
Dism.exe /online /enable-feature /featurename:adminui /all
Note: This installs only the administration tools. Using Dism.exe, Server for NIS and Password Synchronization must be installed separately.
• To install Server for NIS:
Dism.exe /online /enable-feature /featurename:nis /all
• To install Password Synchronization:
Dism.exe /online /enable-feature /featurename:psync /all
A restart of the server is required when you install Identity Management for UNIX. The /quiet parameter restarts the computer automatically after installation is finished.
Conflicts when migrating the AD to 2008R2
In certain situations, when you run the AD automatic migration script to AD 2008R2, conflicts with the object OID 1.3.6.1.1.1.1.9 may occur.
In short, the first IPBRICK integrations with AD used this OID, which was free at the time (it was not used by MS). In the meantime, MS decided to start using this identifier.
In these situations it is necessary to release the OID so that the automatic script can run normally.
At this time the auto_r2.ldif no longer makes use of this ID.
The following procedure is similar to that described in the following link (which describes a similar situation experienced with third-party software, Apple).
http://support.microsoft.com/?id=887426
1.2.6 SFU Configuration
SFU adds tabs to the Active Directory tools that allow editing and managing Unix properties, like User Identification (UID) and Group Identification (GID), of objects like groups, users and machines.
It’s necessary to specify the Unix Attributes for:
• Users:
– NIS Domain: It’s the AD domain;
– UID: User identification;
– Login Shell: Default is /bin/sh;
– Home Directory: Users home directory in Unix;
– Primary group name/GID: The user group.
• Groups:
– NIS Domain: It’s the AD domain;
– GID: Group identification;
– Members: Group members.
This attribute definition is done in Active Directory at Users and Computers.
Groups example
Next we have an example of the user ’administrador’ that is a Domain Admin user:
First in Domain Admins group:
Figure 1.7: Domain Admins properties
Users example
Only after the definition of Unix Attributes for groups is it possible to define the Unix Attributes for users, because each user has a Primary Group ID. For the user ’administrador’ we have:
Figure 1.8: ’administrador’ properties
⇒ Note: To have groups in IPBrick that will include users belonging to those same groups, it’s necessary that:
• Those groups have the Unix Attributes defined;
• The users, members of these groups, have the Unix Attributes defined;
• The users should be added to groups in the groups tab: UNIX Attributes, Members;
Additional information:
• GID Domain Users : Must be 513;
• GID Domain Admins : Must be 512;
• UID administrator : Must be 10000
• The other users will have the UID 100001, 100002 etc.
• If using other LDAP groups you can use GID 514, 515 etc.
1.3 Active Directory - Schema SNAP-IN
IMPORTANT NOTE: You may only advance from this stage onwards if the Windows Server is NOT an SBS (Small Business Server)!!!
To enable working in the LDAP schema in AD, you must activate the correct MMC Snap-In. This must be done once per server as follows:
start -> run
regsvr32 schmmgmt.dll
Figure 1.9: Start - Run
Figure 1.10: Run: ’regsvr32 schmmgmt.dll’
Figure 1.11: ’regsvr32 schmmgmt.dll’ succeeded
To access the snap-in, please follow these steps:
1. Start -> Run : mmc
Figure 1.12: Run: ’mmc’
2. File -> Add/Remove Snap-in
Figure 1.13: File - Add/Remove Snap-in
3. Add
Figure 1.14: Add Snap-in
4. Active Directory Schema
Figure 1.15: Active Directory Schema
5. Add
6. Close
7. Ok
1.4 Windows 2003 Server Support Tools
Active Directory Service Interfaces Editor (ADSI Edit) is part of the Windows 2003 Server Support Tools. It is an LDAP editor that you can use to manage objects and attributes in AD. ADSI Edit lets you have a view of every object and attribute in AD. You can query, view, and edit attributes that are not shown with other AD MMC snap-ins.
We will need ADSI Edit later on for several tasks. To use it you must install the Windows 2003 Server Support Tools, and then:
1. press START -> Run : mmc
Figure 1.16: Run: ’mmc’
2. File -> Add/Remove Snap-in
Figure 1.17: File - Add/Remove Snap-in
3. Add
4. ADSI Edit
Figure 1.18: Adding ADSI Edit
5. Add
6. Close
7. Ok
If you want to work locally at the server, you must:
1. Right click at ADSI Edit
Figure 1.19: ADSI Edit - Connect to...
2. Select Connect To...
3. Then you should check:
• Connection Point: Domain and Configuration
Figure 1.20: ADSI Edit - Domain
Figure 1.21: ADSI Edit - Configuration
• Computer: Default or Domain domain.com
NOTE: Until the end of this chapter, we’ll work with Connection Point checked for both Domain and Configuration.
Figure 1.22: Domain and Configuration under ADSI Edit
If you don’t have the standard ADSI Edit, you can download it at http://tinyurl.com/yhgn9u and follow these steps:
• Extract all files to a folder;
• Copy the adsiedit.dll to c:\windows
• At Start - Run insert regsvr32 adsiedit
• Start using the ADSIEdit executing the file adsiedit.msc
1.5 LDAP Schema update
You must register the schema of the Automount and Qmail services at the Windows LDAP. This is necessary because these schema attributes don’t exist in the base Windows LDAP schema. An application called ldifde will be used to add these new LDAP attributes. An LDIF² file is an LDAP standard that represents the directory content or some update requests for the LDAP service.
² LDAP Data Interchange Format
1.5.1 AD Schema Registration
1. In some versions of Windows 2000/2003 we need to modify a variable in order to have permission to update the AD schema. To do this you must use the registry editor (Start -> Run -> regedt32);
Figure 1.23: Run: ’regedt32’
2. Find the following key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
- Schema Update Allowed
Figure 1.24: Schema Update Allowed key location
3. If present, edit the variable named (Schema Update Allowed)
4. Click at Binary and change its value to 1.
Note: If ’Schema Update Allowed’ isn’t listed in the Registry, it means that it is already active and you won’t need to make any change.
Now, that the schema update is allowed, we can proceed:
1. If you have a Windows 2003 Release 1, download the auto_r1.ldif file from the Documentation section at the IPBrick’s site:
http://eshop.ipbrick.com/
Downloads -> Documentation -> Other documentation
Note: Please bear in mind that you need to register at our site in order to access the Downloads page.
2. At the same location, please download the auto_r2.ldif file if it’s a Windows 2003 Release 2.
3. Open the file in a text editor, such as Wordpad, and do a Replace All of <DOMAIN_BASE_DN> to the domain you’re using. As an example, if you are using a domain named domain.com you should have: DC=domain,DC=com. You can use the ADSI Edit tool to find out the base DN.
Figure 1.25: .ldif file opened in Wordpad - Replace All
4. Go to Start - Run and type cmd. At the command line you must execute the following command to add these attributes to AD (change DC=domain,DC=com to your domain and the LDIF file path):
ldifde -i -k -c CN=Schema,CN=Configuration,DC=domain,DC=com CN=Schema,CN=Configuration,DC=domain,DC=com -s localhost -f auto_r2.ldif
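Steps 3 and 4 as a script, added here as an example (it is not the manual’s own tooling): it derives the DC= base DN from the domain name, does the Replace All, refuses an LDIF that still declares the OID 1.3.6.1.1.1.1.9 mentioned in 1.2.5, and builds the ldifde command line shown above. SAMPLE_LDIF, its attribute names and the OID 1.3.6.1.4.1.99999.1.1 are constructed placeholders, not the contents of auto_r2.ldif.

```python
"""Fill <DOMAIN_BASE_DN> in the schema LDIF and build the ldifde command
(section 1.5.1, steps 3 and 4).

Added example, not part of the IPBrick manual. SAMPLE_LDIF is a constructed
stand-in for auto_r2.ldif (the real file is on the IPBrick downloads page);
its attribute names and the OID 1.3.6.1.4.1.99999.1.1 are placeholders. The
OID 1.3.6.1.1.1.1.9 is the one section 1.2.5 reports as clashing with
Microsoft's own use, so a file that still declares it is flagged before import.
"""
import re
import shlex

PLACEHOLDER = "<DOMAIN_BASE_DN>"
CONFLICTING_OIDS = {"1.3.6.1.1.1.1.9"}  # from section 1.2.5
BASE_DN_RE = re.compile(r"^DC=[^,=]+(,DC=[^,=]+)*$", re.IGNORECASE)

SAMPLE_LDIF = """\
dn: CN=ipbrickSampleAttr,CN=Schema,CN=Configuration,<DOMAIN_BASE_DN>
changetype: add
objectClass: attributeSchema
attributeID: 1.3.6.1.4.1.99999.1.1
lDAPDisplayName: ipbrickSampleAttr

dn: CN=ipbrickLegacyAttr,CN=Schema,CN=Configuration,<DOMAIN_BASE_DN>
changetype: add
objectClass: attributeSchema
attributeID: 1.3.6.1.1.1.1.9
lDAPDisplayName: ipbrickLegacyAttr
"""


def domain_to_base_dn(domain):
    """'domain.com' -> 'DC=domain,DC=com', the form the manual shows."""
    labels = [p for p in domain.strip(".").split(".") if p]
    if not labels:
        raise ValueError("empty domain name")
    return ",".join(f"DC={label}" for label in labels)


def fill_ldif(text, base_dn):
    """Step 3: the Replace All of <DOMAIN_BASE_DN>, refusing a malformed DN."""
    if not BASE_DN_RE.match(base_dn):
        raise ValueError(f"not a DC=...,DC=... base DN: {base_dn!r}")
    return text.replace(PLACEHOLDER, base_dn)


def find_conflicting_oids(text):
    """attributeID values in the LDIF known to clash with the AD schema."""
    found = re.findall(r"^attributeID:\s*(\S+)\s*$", text, flags=re.MULTILINE)
    return [oid for oid in found if oid in CONFLICTING_OIDS]


def ldifde_command(base_dn, ldif_path, server="localhost"):
    """Step 4 as an argv list. The manual passes the same DN twice to -c, so
    that replacement is a no-op and fill_ldif is what really sets the DN."""
    schema_nc = f"CN=Schema,CN=Configuration,{base_dn}"
    return ["ldifde", "-i", "-k", "-c", schema_nc, schema_nc,
            "-s", server, "-f", ldif_path]


if __name__ == "__main__":
    base_dn = domain_to_base_dn("domain.com")
    clashes = find_conflicting_oids(SAMPLE_LDIF)
    if clashes:
        print("do not import, conflicting OIDs:", ", ".join(clashes))
    print(fill_ldif(SAMPLE_LDIF, base_dn))
    print(" ".join(shlex.quote(a) for a in ldifde_command(base_dn, "auto_r2.ldif")))
```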
Figure 1.26: Command line input
1.5.2 Anonymous Access to LDAP
It’s mandatory to allow anonymous access to the LDAP’s information. This can be done through ADSI Edit in the Configuration connection point.
1. Right click on the following entry and select Properties;
CN=Configuration, CN=Services, CN=Windows NT, CN=Directory Service
Figure 1.27: Configuration Connection Point - dsHeuristics
2. Edit the variable named dsHeuristics:
• If not set change it to - 0000002
• If set to 001 change it to - 0010002
3. Click OK
4. Click OK
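The dsHeuristics change above and the OU=auto.home scope that the next procedure sets, as an added example (not from the manual): the first function generalises the two listed cases to any existing value by touching only the 7th character, and the second checks whether a DN falls under the OU that ANONYMOUS LOGON is allowed to read, which is the check that the Attention note at the end of this section relies on. The DNs used are constructed.

```python
"""dsHeuristics and the OU=auto.home anonymous-read scope (section 1.5.2).

Added example, not from the IPBrick manual. enable_anonymous_ldap generalises
the two cases the manual lists (not set -> 0000002, 001 -> 0010002): the 7th
character of dsHeuristics is the anonymous LDAP operations flag, and only that
character is changed. anonymous_read_permitted models the ACL the manual asks
for afterwards: ANONYMOUS LOGON gets Read on OU=auto.home and all child
objects, and on nothing else. All DNs are constructed sample values.
"""
ANON_POS = 7  # 1-based position of the anonymous LDAP operations flag


def enable_anonymous_ldap(current):
    """Return dsHeuristics with character 7 set to '2', padding with '0' if
    the value is shorter and keeping every other character unchanged."""
    chars = list((current or "").ljust(ANON_POS, "0"))
    chars[ANON_POS - 1] = "2"
    return "".join(chars)


def anonymous_ldap_enabled(current):
    """True if the forest already allows anonymous LDAP operations."""
    value = current or ""
    return len(value) >= ANON_POS and value[ANON_POS - 1] == "2"


def _normalize_dn(dn):
    """Split a DN into (attr, value) RDNs, lower-cased and with blanks around
    ',' and '=' removed; escaped commas are not handled here."""
    return [tuple(t.strip().lower() for t in rdn.split("=", 1))
            for rdn in dn.split(",")]


def anonymous_read_permitted(target_dn, base_dn, scope_ou="OU=auto.home"):
    """True if target_dn is the scoped OU itself or anywhere beneath it (the
    'This object and all child objects' setting), False for everything else."""
    scope = _normalize_dn(f"{scope_ou},{base_dn}")
    target = _normalize_dn(target_dn)
    return len(target) >= len(scope) and target[-len(scope):] == scope
```

Because dsHeuristics is forest-wide, the second check is what keeps anonymous reads confined to the automount data IPBrick needs.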
Then you must configure the Access Lists at OU=auto.home:
1. At ADSI Edit confirm that the connection point is Domain;
2. Select the OU=auto.home entry and right click;
Figure 1.28: Domain Connection Point - OU=auto.home
3. Select Properties and choose Security;
4. Add an entry with the following information:
• Add: ANONYMOUS LOGON : Check: Read
Figure 1.29: ANONYMOUS LOGON
Figure 1.30: Check: Read
• Advanced
• Select the line ANONYMOUS LOGON
• Change Apply into: This object and all child objects
Figure 1.31: ANONYMOUS LOGON - This object and all child objects
• Confirm all with OK
Attention: Anonymous logon permissions should be defined only for OU=auto.home and its children.
1.6 AD users management
The users database is at the Domain Controller LDAP (Active Directory). The IPBrick servers configured to authenticate at the AD domain use the LDAP authentication services. For that reason we did the AD LDAP schema update to support the LINUX/UNIX authentication services. The additional information needed for each LDAP user is:
• UID and GID - User and group identifier
• UNIX password - User password synchronized to the Windows password
• Automount - Physical account location (homedir) (work area and server)
Note: The first two items are installed with Microsoft Services For Unix.
Create users
1. Create users in Active Directory:
Start -> All Programs -> Administrative Tools ->
Active Directory Users and Computers
Figure 1.32: Active Directory Users and Computers
(a) Right click over the Users folder: New -> User
Figure 1.33: Creating a new User
(b) Fill the Name and Email - used in internal contacts
(c) In Unix Attributes option, insert the user in NIS domain
(d) Identify the primary user group - If you have doubts choose ’Domain Users’
Figure 1.34: User form
2. In the Master IPBrick, through the web interface go to IPBrick - Users Management
(a) Choose synchronize in AD
(b) Select the users that you want to synchronize (you can filter the users view by selecting a group)
(c) For each user choose the server (local or remote) and work area
(d) Synchronize
(e) Update settings
ATTENTION: The Windows 2003 AD date must match the date defined in IPBrick
Remove users
Remove the user information from IPBrick servers.
1. In the Master IPBrick:
(a) Access to IPBrick Web interface IPBrick - Users Management.
(b) Find the user(s) and click in the name;
(c) Hit Delete and Confirm
(d) Update settings
2. In the Windows AD:
(a) Remove the Unix Attributes information by selecting in NIS Domain the option <none>
Chapter 2
IPBrick configuration
2.1 AD Data
An easy way to find the necessary Base DNs is to use the ADSI Edit tool referred to in 1.4.
After connecting to the server (referred to in 1.4), a window like Figure 2.1 appears and the domain in use is visible (dc=iporatal2003,dc=local).
Figure 2.1: ADSI Edit - Domain
In Figure 2.2 the users’ BASE DN is visible. In this case it is the user administrador. The BASE DN for that user is:
cn=administrador,cn=users,dc=iporatal2003,dc=local
And the users BASE DN is:
cn=users,dc=iporatal2003,dc=local.
Figure 2.2: ADSI Edit - Users
In groups (Figure 2.2), the BASE DN is cn=builtin,dc=iporatal2003,dc=local.
2.2 IPBrick Configuration
In IPBrick the configuration should be in agreement with the AD. It will be done in the following menu:
Advanced Configurations -> IPBrick -> Authentication
Modify the authentication type to AD Domain Member (IPBrick Master). In Figure 2.4, the junction will be done to an AD with the following definitions:
• Services for Unix Version: v3.5 (used for Windows 2003 R1. You must choose v4.0 if you use Windows 2003 R2)
• AD Server IP Address: 192.168.69.28
• Netbios Domain: iporatal2003
• Realm: iporatal2003.local
• Domain Administrator: administrador;
Figure 2.3: ADSI Edit - Groups
• Password:
• Base DN: dc=iporatal2003,dc=local;
• Administrator DN: cn=administrador,cn=users,dc=iporatal2003,dc=local;
• Users search base DN: cn=users,dc=iporatal2003,dc=local;
• Groups search base DN: ou=builtin,dc=iporatal2003,dc=local
An easy way to list all the users and groups is to set the Users and Groups search base DN to the Base DN.
E.g: dc=iporatal2003,dc=local
! Attention !: This data must be the same as the one in the AD configuration. The data presented here is just an example. Please contact the AD administrator to know the correct BASE DNs, or alternatively you can obtain them through ADSI Edit.
! Attention !: Windows 2003 AD is usually the organization’s internal DNS server, so IPBrick must resolve names there. At Advanced Configurations - Support Services - DNS - Name Resolution, the first line must point to the Windows server IP. The second line can be the IPBrick’s localhost IP (127.0.0.1). If needed you can alter the order of the addresses.
Chapter 3
Troubleshooting
3.1 FAQs
• Why is the machine so slow and with such a high load average?
– Because processes are beginning to accumulate due to the delay in the name resolution (UIDs, UID Numbers, Logins, etc.) caused by the pending query to the LDAP/AD server, which is, in itself, very time consuming.
• What are the causes of those problems at AD level?
– The Performance of the server when responding to LDAP queries;
– A heavy structure with many users and changes done to the AD: when the clean installation was done, the performance was fast and efficient; however, since so many alterations were implemented (upgrades, new software installation, updates in the AD schema, software removal, user creation, etc.), the performance has been hindered;
– Also noteworthy is the addition of new AD Domain Controllers (of the same version as the original or not), the migration from one domain controller server to another, from one version to another, and the removal of other AD Domain Controllers (correctly removed or simply terminated, with or without important tasks attributed - Operations Masters/Roles).
All these actions are normal practice in a modern organization, but that ’mistreatment’ of the database information - LDAP - will not help the AD to perform at its best; also, historically, the AD/LDAP will keep a record of all these ’ill-treatments’, thus creating instability and unreliability in the system.
• So what can be done to minimize these problems?
– If the Windows workstations are functioning unaware of the LDAP (AD), using just a service called Domain Controller (DC) that resides in the Samba server, they apparently work in a reasonable and acceptable manner! At least most of the time, unless someone tries to add a new DC and/or migrate ’Roles’ (important AD tasks) from one server to another. In this case there’s no solution in sight.
3.2 Scenarios
As we can see, the problems are inherent to the dependence on the AD’s LDAP. In the following subsection of this document we will present some scenarios that have been helpful in solving some of these issues.
3.2.1 Scenario: 0 - Starting Point
In ALL integrations with the AD, the rule when configuring IPBrick is:
• DNS Domain: DNS matches the domain used by the AD (realm);
• Name resolution: use the IP of the domain’s DNS server (Usually the ADitself)
• Time: Synchronize the time by NTP via the AD’s server (NTP : AD_IP)
• AD’s DNS: The DNS server must be updated with ALL the IPBrick’s records - e.g.:
– IPBrick-name: ipbrick.domain.com
– Alias: iportaldoc.domain.com (contacts, etc.)
– IP: 192.168.69.199
– Do not forget to register the A record ipbrick.domain.com pointing to the IP 192.168.69.199 as well as the respective PTR record
– All other aliases must be registered as such - CNAME
• Login link to AD: Domain Administrator Login (DN): the rule is to create a NEW user in AD exclusively for connecting to the AD. Do not use the administrator’s login, since it is typically used by many other services and thus its password tends to be changed regularly, and so IPBrick would have to update and restart itself!
• Sometimes it is necessary to ’help’ the AD Domain Join and Kerberos, so you should type at the console:
kinit [link to AD]
net ads join -U [AD Administrator’s login] -S [AD_NAME]
3.2.2 Scenario - A
The AD has more than 1000 objects (active users, inactive users, groups, machines).
By default the LDAP/AD only responds with up to 1000 items in each query. You must change this parameter in the configuration of the AD.
In the MS Windows server change the parameter MaxPageSize using the Ntdsutil.exe tool.
For more information, please consult the following page: http://support.microsoft.com/kb/315071
3.2.3 Scenario - B
The AD has an unsatisfactory performance. However, by coincidence or not, the users/groups that will use the IPBrick services are all located in a specific OU (Organizational Unit) of the AD (and/or sub-OUs of this specific OU).
Eg: ou=myfavoritefolder,dc=domain,dc=com
In IPBrick, in the parameterization of the authentication mode we can change the values for connecting to the AD.
Note: By default it is recommended that the DN of the groups search and the DN of the users search be identical to the base DN (top), because the two are not always in the same OU, and this setting works in all cases.
However, in some situations, like this one in scenario B, we find that making the following changes increases the AD’s (IPBrick) performance:
• DN User Search: ou=myfavoritefolder,dc=domain,dc=com
• DN Groups Search: ou=myfavoritefolder,dc=domain,dc=com
3.2.4 Scenario - C
At one point an organization had several AD DC servers; since then some were terminated, but the remaining ADs were not properly notified of that termination. So, more often than not, direct queries to the AD/LDAP return a referral (Referred this request) to another server that is off, and in these situations the LDAP client tries to communicate with an inactive IP and waits for a timeout.
In this situation the manual changes to be implemented in the IPBrick server are:
• Add/edit the line referrals no in the files:
– /etc/libnss-ldap.conf
– /etc/pam_ldap.conf
3.2.5 Scenario - D
After all the other presented scenarios, we are left with a manual patch that can be of use if all the other situations were not helpful:
/etc/qmail/ldapcluster - change from "0" to "1"