IPBrick - Member of an AD domain IPBRICK SA


IPBRICK SA
March 6, 2015

Copyright (c) IPBRICK. All rights reserved.

The information contained in this document is subject to alteration without prior notice. The statements, technical data, configurations and recommendations found in this document are believed to be accurate and reliable, but are presented without express or implied warranty.

Contents

1 Active Directory - LDAP
  1.1 Introduction
  1.2 Microsoft Services For Unix
      Installing SFU
        Windows Server 2003 R1
        Windows Server 2003 R2
        Windows Server 2008
        Windows Server 2012
      SFU Configuration
  1.3 Active Directory - Schema SNAP-IN
  1.4 Windows 2003 Server Support Tools
  1.5 LDAP Schema update
      AD Schema Registration
      Anonymous Access to LDAP
  1.6 AD users management
2 IPBrick configuration
  2.1 AD Data
  2.2 IPBrick Configuration
3 Troubleshooting
  3.1 FAQs
  3.2 Scenarios
      Scenario 0 - Starting Point
      Scenario A
      Scenario B
      Scenario C
      Scenario D


Chapter 1 Active Directory - LDAP

1.1 Introduction

Created by Microsoft Corporation, Active Directory (AD) provides the means to manage the identities and relationships that make up an organization's network. Active Directory stores information and settings in a central database and also allows administrators to assign policies, organize the available software and apply vital updates across the organization.

When installed, IPBrick uses its local Lightweight Directory Access Protocol (LDAP) directory to authenticate users (Advanced Configurations -> IPBrick -> Authentication). This means the users are created in IPBrick, so IPBrick acts as the network's PDC (Primary Domain Controller). If the organization already has a PDC (e.g. a Windows 2003 Active Directory) and an IPBrick is being installed, it may be necessary to integrate the IPBrick with the Active Directory. The integration level depends on the services that will run on the IPBrick:

No integration: the IPBrick is a communications server running only services that require no user authentication, for example:
- Mail relay
- Transparent/standard proxy
- VoIP
- Firewall
- Web server

Partial integration: the IPBrick needs to authenticate users, so you must change the authentication type to AD Domain Member (IPBrick Master). It is called a partial integration because the IPBrick only needs to query the Windows LDAP during the authentication process (see Section 1.2 and Chapter 2).

Some services/applications running on IPBrick that need this type of integration:
- Proxy with authentication
- PPTP VPN
- Intranet applications running on IPBrick (Calendar, Contacts, etc.)

Total integration: besides querying LDAP for authentication, the IPBrick physically hosts the user's account. For this the LDAP server must be extended to support all the IPBrick requirements, such as:
- UNIX attributes: NIS domain, UID, GID, login shell and home directory
- Automount LDAP attributes
- Mail server LDAP attributes (qmail-ldap)

Examples of when a total integration is needed:
- The IPBrick will be the internal mail server: the Windows Exchange service is replaced by the IPBrick qmail service.
- You will use the document management system developed by iportalmais, iportaldoc.

If the goal is a total integration with AD, follow all the steps presented in this manual.

1.2 Microsoft Services For Unix

Installing SFU

Windows Server 2003 R1

If you have installed Windows 2003 Server (R1), you need to install Services for UNIX (SFU) version 3.5, which can be obtained from Microsoft's website. You must log in with an MSN Passport, the same account that lets you log in to the MSN Messenger service. The file size is about MB and it is a self-extracting zip archive. To proceed with the installation you need to log in to Windows as a member of the Schema Admins group, because SFU extends the AD schema. Membership of Schema Admins is only required while the schema is being extended; remove the account from the group once the installation and the schema update of Section 1.5 are done. To install, follow these steps:

1. Download the file to the server;
2. Uncompress it to c:\tempsfu;
3. Close all Microsoft Management Consoles (MMC) as well as any AD management windows you might have open;
4. Execute c:\tempsfu\setup.exe (you can delete this file later);
5. Select all the default options. Do not write anything in any of the fields!
6. For the modifications to take effect, reboot the server. This can be done at the end.

Windows Server 2003 R2

If you have installed Windows 2003 Server (R2), SFU version 4.0 is already included, so we only need to activate the service: click Start, select Control Panel, and click Add or Remove Programs.

Figure 1.1: Start - Control Panel - Add or Remove Programs

Click Add/Remove Windows Components. Next, select the Active Directory Services component and click Details.

Figure 1.2: Active Directory Services Component

Check Identity Management for UNIX and click OK. Click Next to begin the installation. After it completes the following prompt appears; click Finish.

Figure 1.3: Installation complete

Windows Server 2008

Identity Management for UNIX is a role service, i.e. an extra feature of the Active Directory Domain Services role. On Windows Server 2008, to install Identity Management follow these steps:

Start -> Administrative Tools -> Server Manager

Figure 1.4: 2008 Server Manager

Start -> Administrative Tools -> Services for Network File System

Choose Roles and scroll down to Active Directory Domain Services.

Figure 1.5: Active Directory Domain Services

Click the Add Role Services link. On the next screen, Select Role Services, check the Identity Management for UNIX checkbox.

Figure 1.6: Active Directory Domain Services

This leads you through a wizard which will require a reboot of the server.

Windows Server 2012

From Microsoft's page on installing Identity Management for UNIX by using Dism.exe: on a domain controller that runs Windows Server 2012, right-click Windows PowerShell and click Run as Administrator. Type one of the following and press ENTER.

To install the administration tools for Identity Management for UNIX:

    Dism.exe /online /enable-feature /featurename:adminui /all

Note: this installs only the administration tools. With Dism.exe, Server for NIS and Password Synchronization must be installed separately.

To install Server for NIS:

    Dism.exe /online /enable-feature /featurename:nis /all

To install Password Synchronization:

    Dism.exe /online /enable-feature /featurename:psync /all

A restart of the server is required when you install Identity Management for UNIX. The /quiet parameter restarts the computer automatically after the installation is finished. Install Server for NIS and Password Synchronization only if they are actually going to be used (see Section 1.6 for what IPBrick needs); each is an additional network service, and Password Synchronization handles credential material.

Note: Identity Management for UNIX was deprecated in Windows Server 2012 R2 and is no longer available from Windows Server 2016 onwards. The RFC 2307 attributes it manages (uidNumber, gidNumber, loginShell, unixHomeDirectory, etc.) remain in the AD schema and can still be edited through the Attribute Editor tab of Active Directory Users and Computers or with ADSI Edit.

Conflicts when migrating the AD to 2008 R2

In certain situations, when you run the automatic AD migration script for AD 2008 R2, conflicts with an object (OID ) may occur. In short, the first IPBRICK integrations with AD used this OID because it was free (not used by Microsoft); Microsoft has since started using this identifier. In these situations it is necessary to release the OID so that the automatic script can run normally. The current auto_r2.ldif no longer makes use of this OID.

The procedure is similar to the one described at the following link (a similar situation experienced with third-party software, from Apple).

SFU Configuration

SFU adds tabs to the Active Directory management consoles that allow editing and managing the UNIX properties, such as User Identification (UID) and Group Identification (GID), of objects like groups, users and machines. It is necessary to specify the UNIX attributes for:

Users:
- NIS Domain: the AD domain;
- UID: user identification;
- Login Shell: the default is /bin/sh;
- Home Directory: the user's home directory in UNIX;
- Primary group name/GID: the user's group.

Groups:
- NIS Domain: the AD domain;
- GID: group identification;
- Members: group members.

These attributes are defined in Active Directory Users and Computers.

Groups example

Next we have an example for the user administrador, who is a Domain Admins user. First, in the Domain Admins group:

Figure 1.7: Domain Admins properties

Users example

The UNIX attributes of users can only be defined after those of the groups, because each user has a primary group ID. For the user administrador we have:

Figure 1.8: administrador properties

Note: for IPBrick to have groups that include the users belonging to those same groups, it is necessary that:
- those groups have the UNIX attributes defined;
- the users that are members of those groups have the UNIX attributes defined;
- the users are added to the groups on the groups' UNIX Attributes tab, under Members.

Additional information:
- GID of Domain Users: must be 513;
- GID of Domain Admins: must be 512;
- UID of administrator: must be ; the other users will have UID , etc.;
- If using other LDAP groups you can use GID 514, 515, etc.
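The same group-then-user ordering, done from PowerShell rather than the UNIX Attributes tabs, as an added example that is not IPBrick's or Microsoft's code. It assumes the ActiveDirectory module (RSAT, Windows Server 2008 R2 or later) and the RFC 2307 attributes that SFU 4.0 / Identity Management for UNIX stores (uidNumber, gidNumber, loginShell, unixHomeDirectory, msSFU30NisDomain, msSFU30PosixMember); the SFU 3.5 schema on Windows 2003 R1 uses different attribute names. The values 512 and 513 required above are the well-known RIDs of Domain Admins and Domain Users, so the script derives every group's gidNumber from its RID (an assumption that generalizes the manual's two values); the NIS domain name, the /home layout, the starting UID of 10000 and the user names are assumptions too.

```powershell
# Added example, not IPBrick's code. Assumes the ActiveDirectory module and the
# RFC 2307 / msSFU30 attributes used by SFU 4.0 and Identity Management for UNIX.
Import-Module ActiveDirectory

# SFU uses the lowercase NetBIOS domain name as the NIS domain (assumption).
$NisDomain = (Get-ADDomain).NetBIOSName.ToLower()

function Get-Rid([string]$Sid) {
    # The RID is the last sub-authority of the SID: S-1-5-21-...-513 -> 513
    [int]($Sid -split '-')[-1]
}

function Set-UnixGroup([string]$Name) {
    # Groups first: every user needs a primary gidNumber that already exists.
    # gidNumber = RID reproduces Domain Admins = 512 and Domain Users = 513.
    $g   = Get-ADGroup -Identity $Name
    $gid = Get-Rid $g.SID.Value
    Set-ADGroup -Identity $g -Replace @{ gidNumber = $gid; msSFU30NisDomain = $NisDomain }
    return $gid
}

function Get-NextFreeUid([int]$Start) {
    # Smallest UID >= $Start that no user in the domain already has.
    $used = Get-ADUser -LDAPFilter '(uidNumber=*)' -Properties uidNumber |
            ForEach-Object { [int]$_.uidNumber }
    $uid = $Start
    while ($used -contains $uid) { $uid++ }
    return $uid
}

function Set-UnixUser([string]$SamAccountName, [string]$PrimaryGroup, [int]$Uid) {
    $u = Get-ADUser  -Identity $SamAccountName
    $g = Get-ADGroup -Identity $PrimaryGroup -Properties gidNumber, msSFU30PosixMember
    if (-not $g.gidNumber) { throw "Group $PrimaryGroup has no gidNumber; run Set-UnixGroup first" }
    # Refuse to hand out a UID that another account already uses (duplicate UIDs
    # would give two Windows users the same UNIX identity on the IPBrick).
    $clash = Get-ADUser -LDAPFilter "(&(uidNumber=$Uid)(!(sAMAccountName=$SamAccountName)))"
    if ($clash) { throw "uidNumber $Uid already used by $($clash.SamAccountName)" }
    Set-ADUser -Identity $u -Replace @{
        uidNumber         = $Uid
        gidNumber         = [int]$g.gidNumber
        loginShell        = '/bin/sh'                  # manual's default
        unixHomeDirectory = "/home/$SamAccountName"    # assumed layout
        msSFU30NisDomain  = $NisDomain
    }
    # The "Members" list on the group's UNIX Attributes tab is msSFU30PosixMember.
    if ($g.msSFU30PosixMember -notcontains $u.DistinguishedName) {
        Set-ADGroup -Identity $g -Add @{ msSFU30PosixMember = $u.DistinguishedName }
    }
}

# Usage (assumed names): groups first, then users.
Set-UnixGroup 'Domain Admins' | Out-Null    # gidNumber 512
Set-UnixGroup 'Domain Users'  | Out-Null    # gidNumber 513
Set-UnixUser 'administrador' 'Domain Admins' (Get-NextFreeUid 10000)
Set-UnixUser 'jdoe'          'Domain Users'  (Get-NextFreeUid 10000)
```

Set-UnixUser deliberately refuses to continue when the primary group has no gidNumber yet, which is the ordering rule stated above, and when the UID is already taken, which the UNIX Attributes tab does not check for you.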

1.3 Active Directory - Schema SNAP-IN

IMPORTANT NOTE: you may only proceed from this stage onwards if the Windows Server is NOT an SBS (Small Business Server)!

To work with the LDAP schema in AD you must register the correct MMC snap-in. This is done once per server, as follows: Start -> Run: regsvr32 schmmgmt.dll

Figure 1.9: Start - Run

Figure 1.10: Run: regsvr32 schmmgmt.dll

Figure 1.11: regsvr32 schmmgmt.dll succeeded

To access the snap-in, follow these steps:
1. Start -> Run: mmc
Figure 1.12: Run: mmc
2. File -> Add/Remove Snap-in

Figure 1.13: File - Add/Remove Snap-in
3. Add
Figure 1.14: Add Snap-in

4. Active Directory Schema
Figure 1.15: Active Directory Schema
5. Add
6. Close
7. OK

1.4 Windows 2003 Server Support Tools

Active Directory Service Interfaces Editor (ADSI Edit) is part of the Windows 2003 Server Support Tools. It is an LDAP editor that you can use to manage objects and attributes in AD: it gives a view of every object and attribute in AD and lets you query, view and edit attributes that are not shown by the other AD MMC snap-ins. We will need ADSI Edit later on for several tasks. To use it, install the Windows 2003 Server Support Tools and then:
1. Start -> Run: mmc

Figure 1.16: Run: mmc
2. File -> Add/Remove Snap-in
Figure 1.17: File - Add/Remove Snap-in
3. Add
4. ADSI Edit

Figure 1.18: Adding ADSI Edit
5. Add
6. Close
7. OK

If you want to work locally on the server:
1. Right-click ADSI Edit

Figure 1.19: ADSI Edit - Connect to
2. Select Connect To. Then check:
Connection Point: Domain and Configuration

Figure 1.20: ADSI Edit - Domain
Figure 1.21: ADSI Edit - Configuration
Computer: Default or Domain domain.com

NOTE: until the end of this chapter we work with the Connection Point set to both Domain and Configuration.

Figure 1.22: Domain and Configuration under ADSI Edit

If you do not have the standard ADSI Edit, you can download it and follow these steps:
- Extract all files to a folder;
- Copy adsiedit.dll to c:\windows;
- At Start - Run, enter regsvr32 adsiedit;
- Start using ADSI Edit by executing adsiedit.msc.

1.5 LDAP Schema update

You must register the schema of the Automount and Qmail services in the Windows LDAP. This is necessary because these schema attributes do not exist in the base Windows LDAP schema. The ldifde tool will be used to add the new LDAP attributes. An LDIF (LDAP Data Interchange Format) file is the standard text representation of directory content or of update requests for an LDAP service.

AD Schema Registration

1. In some versions of Windows 2000/2003 a registry value must be set to permit updates to the AD schema. To do this, use the registry editor (Start -> Run -> regedt32);
Figure 1.23: Run: regedt32
2. Find the following key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters - Schema Update Allowed

Figure 1.24: Schema Update Allowed key location
3. If present, edit the value named Schema Update Allowed;
4. Click Binary and change its value to 1.

Note: if Schema Update Allowed is not listed in the registry, schema updates are already allowed and no change is needed.

Now that schema updates are allowed, we can proceed:
1. If you have Windows 2003 Release 1, download the auto_r1.ldif file from the Documentation section of the IPBrick site: Downloads - Documentation - Other documentation. Note: you need to register at our site to access the Downloads page.
2. From the same location, download the auto_r2.ldif file if it is Windows 2003 Release 2.

3. Open the file in a text editor such as WordPad and do a Replace All of <DOMAIN_BASE_DN> with the domain you are using. For example, for a domain named domain.com you should have DC=domain,DC=com. You can use ADSI Edit to find the base DN.
Figure 1.25: .ldif file opened in WordPad - Replace All
4. Go to Start - Run and type cmd. At the command line, execute the following command to add the attributes to AD (change DC=domain,DC=com to your domain and adjust the LDIF file path):

    ldifde -i -k -c "CN=Schema,CN=Configuration,DC=domain,DC=com" "CN=Schema,CN=Configuration,DC=domain,DC=com" -s localhost -f auto_r2.ldif

The -c option rewrites one DN string into another inside the file; with identical values, as here, it changes nothing, so the Replace All of step 3 must really have been done. -k makes ldifde continue past "object already exists" errors, so the command can be re-run; ldifde writes ldif.log and ldif.err in the current directory. Schema additions are permanent (attributes and classes can later be deactivated but never deleted), so take a System State backup of the domain controller before running the import and, where possible, test it on a lab copy of the forest first.
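Steps 3 and 4 above, scripted end to end with a check of the result, as an added example that is not IPBrick's code. It assumes auto_r2.ldif from the IPBrick site sits in C:\tempsfu and still contains the <DOMAIN_BASE_DN> placeholder, that the ActiveDirectory module is available (Windows Server 2008 R2 or later), and that it is run on the schema master by a member of Schema Admins; the paths are assumptions.

```powershell
# Added example, not IPBrick's code. Reads the base DN from rootDSE instead of
# typing it, runs ldifde, and verifies every "dn:" of the file now exists.
Import-Module ActiveDirectory

$LdifIn  = 'C:\tempsfu\auto_r2.ldif'            # assumed location of the downloaded file
$LdifOut = 'C:\tempsfu\auto_r2.patched.ldif'
$LogDir  = 'C:\tempsfu\ldifde-log'

$root     = Get-ADRootDSE
$baseDn   = $root.defaultNamingContext           # e.g. DC=domain,DC=com
$schemaDn = $root.schemaNamingContext            # CN=Schema,CN=Configuration,DC=domain,DC=com

function Assert-SchemaMaster {
    # Schema writes are only accepted on the schema master FSMO role holder; fail early otherwise.
    $fsmo = (Get-ADForest).SchemaMaster
    if ($fsmo -ne $root.dnsHostName) {
        throw "Run this on the schema master ($fsmo), not on $($root.dnsHostName)"
    }
}

function New-PatchedLdif {
    # Step 3 of the manual (the WordPad Replace All). Using the DN from rootDSE means a
    # typo cannot create the attributes under a wrong naming context.
    $text = Get-Content -Raw -Path $LdifIn
    if ($text -notmatch '<DOMAIN_BASE_DN>') {
        throw "$LdifIn contains no <DOMAIN_BASE_DN> placeholder; already patched?"
    }
    $text.Replace('<DOMAIN_BASE_DN>', $baseDn) | Set-Content -Path $LdifOut -Encoding ASCII
}

function Import-Schema {
    # Step 4. -k tolerates "already exists" so a re-run is harmless; -j chooses the log directory.
    # Take a System State backup before this point: schema additions cannot be removed.
    New-Item -ItemType Directory -Force -Path $LogDir | Out-Null
    & ldifde.exe -i -k -s localhost -f $LdifOut -j $LogDir
    if ($LASTEXITCODE -ne 0) {
        throw "ldifde failed with exit code $LASTEXITCODE; see $LogDir\ldif.err"
    }
}

function Test-SchemaImport {
    # Every non-empty "dn:" line of the LDIF must resolve to an object after the import.
    $dns = Select-String -Path $LdifOut -Pattern '^dn:\s*(.+)$' |
           ForEach-Object { $_.Matches[0].Groups[1].Value.Trim() }
    $missing = $dns | Where-Object { -not (Get-ADObject -Identity $_ -ErrorAction SilentlyContinue) }
    if ($missing) { throw "Objects not found after import: $($missing -join ', ')" }
    "All $($dns.Count) entries of $LdifOut are present (schema partition: $schemaDn)"
}

Assert-SchemaMaster
New-PatchedLdif
Import-Schema
Test-SchemaImport
```

The verification step is what the manual's command line lacks: ldifde returns success even when -k has skipped entries, so the only reliable check is to look the entries up afterwards.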

Figure 1.26: Command line input

Anonymous Access to LDAP

IPBrick requires anonymous (unauthenticated) read access to the part of the LDAP directory it uses. Enabling anonymous operations is a forest-wide switch; what an anonymous client can then read is decided only by the ACLs, which is why the permission granted below is limited to OU=auto.home. The switch is set through ADSI Edit in the Configuration connection point.
1. Right-click the following entry and select Properties:
CN=Configuration, CN=Services, CN=Windows NT, CN=Directory Service
Figure 1.27: Configuration Connection Point - dsheuristics

2. Edit the attribute dsHeuristics so that anonymous LDAP operations are enabled (the seventh character of dsHeuristics is the fLDAPBlockAnonOps flag; consult Microsoft's dsHeuristics documentation for the exact string): if it is not set, or if it is set to 001, change it to the value that enables anonymous operations;
3. Click OK
4. Click OK

Then configure the access list on OU=auto.home:
1. In ADSI Edit confirm that the connection point is Domain;
2. Select the OU=auto.home entry and right-click it;
Figure 1.28: Domain Connection Point - OU=auto.home
3. Select Properties and choose Security;
4. Add an entry with the following information: Add: ANONYMOUS LOGON; check: Read

Figure 1.29: ANONYMOUS LOGON
Figure 1.30: Check: Read
5. Advanced: select the ANONYMOUS LOGON line

and change "Apply onto" to: This object and all child objects.
Figure 1.31: ANONYMOUS LOGON - This object and all child objects
Confirm everything with OK.

Attention: anonymous logon permissions must be granted only on OU=auto.home and its children. Any other object that grants rights to ANONYMOUS LOGON becomes readable by every host that can reach port 389 on the domain controller.

1.6 AD users management

The user database is the Domain Controller's LDAP (Active Directory). The IPBrick servers configured to authenticate against the AD domain use the LDAP authentication services; that is why the AD LDAP schema was extended to support the Linux/UNIX authentication services. The additional information needed for each LDAP user is:
- UID and GID: user and group identifiers;
- UNIX password: the user password, synchronized with the Windows password;
- Automount: the physical location of the account (home directory: work area and server).
Note: the first two items are provided by Microsoft Services For Unix.
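The anonymous-access procedure of Section 1.5 done and audited from PowerShell, as an added example that is not IPBrick's code. It reads dsHeuristics (without changing it), grants ANONYMOUS LOGON the Read permission with "This object and all child objects" on OU=auto.home, and then lists every object in the domain that carries an explicit ANONYMOUS LOGON entry, which is the check behind the attention note above. It assumes the ActiveDirectory module with its AD: drive (Windows Server 2008 R2 or later) and that OU=auto.home sits directly under the domain root, as in the manual.

```powershell
# Added example, not IPBrick's code. Assumes the ActiveDirectory module (AD: drive)
# and OU=auto.home directly under the domain naming context.
Import-Module ActiveDirectory

$domainDn = (Get-ADRootDSE).defaultNamingContext
$OuDn     = "OU=auto.home,$domainDn"
$AnonName = 'NT AUTHORITY\ANONYMOUS LOGON'
$Anon     = [System.Security.Principal.NTAccount]$AnonName

function Get-DsHeuristics {
    # Forest-wide switch edited in step 2 of the manual. Reported only, not modified here.
    $cfg = (Get-ADRootDSE).configurationNamingContext
    $ds  = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$cfg" -Properties dsHeuristics
    return $ds.dsHeuristics
}

function Grant-AnonymousRead {
    # Steps 4 and 5: Read (GenericRead) for ANONYMOUS LOGON, applied to this object
    # and all child objects (inheritance All), on OU=auto.home only.
    $acl  = Get-Acl -Path "AD:\$OuDn"
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $Anon,
        [System.DirectoryServices.ActiveDirectoryRights]::GenericRead,
        [System.Security.AccessControl.AccessControlType]::Allow,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
    $acl.AddAccessRule($rule)
    Set-Acl -Path "AD:\$OuDn" -AclObject $acl
}

function Find-AnonymousAces {
    # Audit: explicit (non-inherited) ACEs for ANONYMOUS LOGON anywhere in the domain.
    # After the procedure the only hit should be OU=auto.home. Slow on large domains:
    # one ACL read per object.
    Get-ADObject -Filter * -SearchBase $domainDn -SearchScope Subtree |
      ForEach-Object {
        $dn = $_.DistinguishedName
        (Get-Acl -Path "AD:\$dn").Access |
          Where-Object { $_.IdentityReference.Value -eq $AnonName -and -not $_.IsInherited } |
          ForEach-Object {
            [pscustomobject]@{
                Object = $dn
                Rights = $_.ActiveDirectoryRights
                Type   = $_.AccessControlType
            }
          }
      }
}

"dsHeuristics is currently: $(Get-DsHeuristics)"
Grant-AnonymousRead
Find-AnonymousAces | Format-Table -AutoSize
```

Run Find-AnonymousAces again after any later delegation work: an ACE for ANONYMOUS LOGON added higher in the tree with inheritance would silently widen what an unauthenticated client can read.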

Create users

1. Create the users in Active Directory: Start -> All Programs -> Administrative Tools -> Active Directory Users and Computers
Figure 1.32: Active Directory Users and Computers
(a) Right-click the Users folder: New -> User

Figure 1.33: Creating a new User
(b) Fill in the Name and the field used in internal contacts;
(c) On the UNIX Attributes tab, put the user in the NIS domain;
(d) Identify the user's primary group; if in doubt, choose Domain Users.

Figure 1.34: User form
2. On the Master IPBrick, through the web interface, go to IPBrick - Users Management:
(a) Choose Synchronize in AD;
(b) Select the users you want to synchronize (you can filter the user view by selecting a group);
(c) For each user choose the server (local or remote) and the work area;
(d) Synchronize;
(e) Update settings.

ATTENTION: the Windows 2003 AD date and time must match those defined in IPBrick. Kerberos, which the domain membership relies on, rejects tickets when the clock skew exceeds five minutes (the default tolerance).

Remove users

Remove the user information from the IPBrick servers.
1. On the Master IPBrick:
(a) Access the IPBrick web interface: IPBrick - Users Management;
(b) Find the user(s) and click the name;
(c) Hit Delete and Confirm;
(d) Update settings.

2. In the Windows AD:
(a) Remove the UNIX attributes by selecting <none> in NIS Domain.


Chapter 2 IPBrick configuration

2.1 AD Data

An easy way to find the necessary base DNs is the ADSI Edit tool referred to in Section 1.4. After connecting to the server (see 1.4), a window like Figure 2.1 appears and the domain in use is visible (dc=iporatal2003,dc=local).

Figure 2.1: ADSI Edit - Domain

In Figure 2.2 the users' base DN is visible. In this case the username is administrador, and the DN of that user is cn=administrador,cn=users,dc=iporatal2003,dc=local.

The users' base DN is cn=users,dc=iporatal2003,dc=local.

Figure 2.2: ADSI Edit - Users

For groups (Figure 2.3), the base DN is cn=builtin,dc=iporatal2003,dc=local.

2.2 IPBrick Configuration

The IPBrick configuration must agree with the AD. It is done in the following menu: Advanced Configurations -> IPBrick -> Authentication. Change the authentication type to AD Domain Member (IPBrick Master). In Figure 2.4 the join is made to an AD with the following settings:
- Services for Unix Version: v3.5 (used for Windows 2003 R1; choose v4.0 if you use Windows 2003 R2)
- AD Server IP Address: 
- NetBIOS Domain: iporatal2003
- Realm: iporatal2003.local
- Domain Administrator: administrador

Figure 2.3: ADSI Edit - Groups
- Password: 
- Base DN: dc=iporatal2003,dc=local
- Administrator DN: cn=administrador,cn=users,dc=iporatal2003,dc=local
- Users search base DN: cn=users,dc=iporatal2003,dc=local
- Groups search base DN: cn=builtin,dc=iporatal2003,dc=local

An easy way to list all the users and groups is to set both the Users and the Groups search base DN to the base DN, e.g. dc=iporatal2003,dc=local. Note that Domain Users and Domain Admins, whose GIDs 513 and 512 are required in Section 1.2, live under cn=users and not under cn=builtin (Builtin holds the local groups such as Administrators and Users), so a groups search base of cn=builtin will not find them.

Attention: this data must be the same as in the AD configuration. The data presented here is just an example; contact the AD administrator for the correct base DNs, or obtain them with ADSI Edit. The account given as Domain Administrator has its password stored on the IPBrick; see Scenario 0 in Section 3.2 for why it should be a dedicated account rather than the real administrator.

Attention: the Windows 2003 AD is usually the organization's internal DNS server, so IPBrick must resolve names there. At Advanced Configurations - Support Services - DNS - Name Resolution, the first line must be the Windows server IP. The second line can be the IPBrick's localhost IP ( ). If needed you can change the order of the addresses.

Figure 2.4: IPBrick as AD member

Chapter 3 Troubleshooting

3.1 FAQs

Why is the machine so slow, with such a high load average?

Because processes accumulate while they wait for name resolution (UIDs, UID numbers, logins, etc.), each of which needs a query to the LDAP/AD server that is, in itself, time consuming.

What are the causes of those problems at AD level?

- The performance of the server when responding to LDAP queries.
- A heavy structure with many users and many changes made to the AD. After a clean installation the performance was fast and efficient, but after so many alterations (upgrades, new software installations, updates to the AD schema, software removal, user creation, etc.) it has been hindered.
- Also noteworthy are the addition of new AD Domain Controllers (of the same version as the original or not), the migration from one domain controller to another or from one version to another, and the removal of other Domain Controllers (correctly demoted or simply switched off, with or without important roles, the Operations Masters, assigned to them). All these actions are normal practice in a modern organization, but this mistreatment of the directory database (LDAP) does not help the AD perform at its best, and the AD/LDAP keeps a record of all of it, creating instability and unreliability in the system.

So what can be done to minimize these problems?

If the Windows workstations work without depending on the LDAP (AD), using only the Domain Controller (DC) service that resides in the Samba server, they apparently work in a reasonable and acceptable manner, at least most of the time, unless someone tries to add a

new DC and/or migrate roles (important AD tasks) from one server to another. In that case there is no solution in sight.

3.2 Scenarios

As we can see, the problems are inherent to the dependence on the AD's LDAP. The following subsections present some scenarios that have been helpful in solving some of these issues.

Scenario 0 - Starting Point

In ALL integrations with the AD, the rules when configuring IPBrick are:
- DNS domain: the DNS domain matches the domain used by the AD (the realm);
- Name resolution: use the IP of the domain's DNS server (usually the AD itself);
- Time: synchronize the time by NTP from the AD server (NTP: AD_IP);
- AD's DNS: the DNS server must be updated with ALL the IPBrick's records, e.g. IPBrick name: ipbrick.domain.com; alias: iportaldoc.domain.com (contacts, etc.); IP: . Do not forget to register the A record ipbrick.domain.com pointing to the IP , as well as the corresponding PTR record. All other aliases must be registered as CNAME records.
- Login link to AD (Domain Administrator Login / DN): the rule is to create a NEW user in AD used exclusively for IPBrick's connection to the AD. Do not use the administrator's login, since it is typically used by many other services and its password therefore tends to be changed regularly, which would force IPBrick to be updated and restarted each time. Since IPBrick stores this account's password, give it only what it needs: the right to read the directory and to create the IPBrick's computer object (or have that object pre-created and delegated); it does not need to be a member of Domain Admins.

Sometimes it is necessary to help the AD domain join and Kerberos along, by typing at the console:

    kinit [account used for the link to AD]
    net ads join -U [AD administrator's login] -S [AD_NAME]

Scenario A

The AD has more than 1000 objects (active users, inactive users, groups, machines). By default the LDAP/AD returns at most 1000 entries per query. You must change this parameter in the AD configuration: on the Windows server, change the MaxPageSize LDAP policy using the Ntdsutil.exe tool. For more information, consult the following page:

Note that MaxPageSize only limits clients that do not use the paged-results control (RFC 2696); a client that pages receives the complete result regardless of it. Raising the policy is therefore a workaround for a non-paging client, and it applies to every LDAP client of that domain controller.

Scenario B

The AD performs unsatisfactorily. However, by coincidence or not, the users/groups that will use the IPBrick services are all located in a specific OU (Organizational Unit) of the AD (and/or sub-OUs of that OU), e.g. ou=myfavoritefolder,dc=domain,dc=com. In IPBrick, in the authentication mode settings, we can change the values used to connect to the AD.

Note: by default it is recommended that the groups search DN and the users search DN be identical to the base DN (the top of the tree), because users and groups are not always in the same OU, and the base DN works in all cases. However, in some situations, like this Scenario B, we find that the following changes improve the IPBrick's query performance against the AD:
- DN User Search: ou=myfavoritefolder,dc=domain,dc=com
- DN Groups Search: ou=myfavoritefolder,dc=domain,dc=com

Scenario C

At one point an organization had several AD DC servers; some were since terminated, but the remaining ADs were not properly notified of that termination. So, more often than not, direct queries to the AD/LDAP return a referral ("Referred this request") to a server that is off; the LDAP client then tries to contact an inactive IP and waits for a timeout. In this situation the manual changes to be made on the IPBrick server are:

Add/edit the line

    referrals no

in the files:
- /etc/libnss-ldap.conf
- /etc/pam_ldap.conf

Scenario D

After all the other scenarios, we are left with a manual patch that may help if none of the previous situations applied: in /etc/qmail/ldapcluster, change "0" to "1".
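A domain-controller-side pre-flight that checks, in one run, the points behind Scenario 0 (DNS records and clock skew for the IPBrick), Scenario A (object count against MaxPageSize) and Scenario C (domain controllers still registered in the directory that no longer answer LDAP, which is what produces referrals to dead servers). It is an added example, not IPBrick's code; the IPBrick host name and IP are assumptions, MaxPageSize is the AD default and should be compared with what "ntdsutil ... show values" reports on your DC, and it assumes Windows Server 2012 or later with the ActiveDirectory module (for Resolve-DnsName and Test-NetConnection).

```powershell
# Added example, not IPBrick's code. Assumes Windows Server 2012+ with the ActiveDirectory
# module; host name, IP and MaxPageSize are assumptions to adapt.
Import-Module ActiveDirectory

$IpbrickName = 'ipbrick.domain.com'
$IpbrickIp   = '192.0.2.10'      # documentation range, assumed
$MaxPageSize = 1000              # AD default LDAP policy; compare with "ntdsutil ... show values"

function Test-IpbrickDns {
    # Scenario 0: A record, matching PTR, both pointing at the IPBrick.
    $a   = Resolve-DnsName -Name $IpbrickName -Type A   -ErrorAction SilentlyContinue
    $ptr = Resolve-DnsName -Name $IpbrickIp   -Type PTR -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ARecordOk   = [bool]($a.IPAddress -contains $IpbrickIp)
        PtrRecordOk = [bool]($ptr.NameHost -contains $IpbrickName)
    }
}

function Test-ClockSkew {
    # Kerberos (used by the join and by kinit) rejects tickets beyond 5 minutes of skew by default.
    # Needs the IPBrick to answer NTP; returns $null if it does not.
    $out  = & w32tm.exe /stripchart /computer:$IpbrickName /samples:1 /dataonly
    $line = $out | Select-String -Pattern ',\s*([+-]\d+\.\d+)s' | Select-Object -Last 1
    if (-not $line) { return $null }
    $skew = [double]$line.Matches[0].Groups[1].Value
    [pscustomobject]@{ SkewSeconds = $skew; WithinKerberosTolerance = ([math]::Abs($skew) -lt 300) }
}

function Test-PageSize([string]$SearchBase) {
    # Scenario A: how many objects IPBrick's search base covers. Get-ADObject pages internally,
    # so the count is exact; a client that does not page is cut off at MaxPageSize.
    $n = (Get-ADObject -LDAPFilter '(|(objectClass=user)(objectClass=group)(objectClass=computer))' `
            -SearchBase $SearchBase -SearchScope Subtree | Measure-Object).Count
    [pscustomobject]@{ SearchBase = $SearchBase; Objects = $n; ExceedsMaxPageSize = ($n -gt $MaxPageSize) }
}

function Find-StaleDomainControllers {
    # Scenario C: NTDS Settings objects under CN=Sites are what the directory hands out as
    # referral targets. A server listed there that no longer answers on 389 needs metadata cleanup.
    $cfg = (Get-ADRootDSE).configurationNamingContext
    Get-ADObject -LDAPFilter '(objectClass=nTDSDSA)' -SearchBase "CN=Sites,$cfg" |
      ForEach-Object {
        $serverDn = $_.DistinguishedName -replace '^CN=NTDS Settings,', ''
        $server   = Get-ADObject -Identity $serverDn -Properties dNSHostName
        $alive    = $server.dNSHostName -and
                    (Test-NetConnection -ComputerName $server.dNSHostName -Port 389 `
                        -InformationLevel Quiet -WarningAction SilentlyContinue)
        [pscustomobject]@{ DomainController = $server.Name; DnsHostName = $server.dNSHostName; AnswersLdap = [bool]$alive }
      }
}

Test-IpbrickDns
Test-ClockSkew
Test-PageSize ((Get-ADRootDSE).defaultNamingContext)
Find-StaleDomainControllers | Format-Table -AutoSize
```

A domain controller reported with AnswersLdap false is the condition that "referrals no" on the IPBrick works around; the real fix is to demote it properly or remove its metadata, after which the referrals stop for every client, not only the IPBrick.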