Author Topic: FOR ZENTYAL SAMURAI : SET UP LDAP SLAVE CONFIG MANUALLY  (Read 3592 times)

adamzen

  • Zen Apprentice
  • *
  • Posts: 7
  • Karma: +0/-0
FOR ZENTYAL SAMURAI : SET UP LDAP SLAVE CONFIG MANUALLY
« on: November 12, 2011, 10:33:15 am »
Hi All,

I want to set my ZENTYAL LDAP server as SLAVE to an existing ZIMBRA LDAP which will be considered as MASTER.

The default config of ZENTYAL :
-------------------
Root DN:     cn=ebox,dc=serv
Password:     abcdefghabcdefgh
Users DN:     ou=Users,dc=serv
Groups DN:     ou=Groups,dc=serv
--------------------

doesn't match the ZIMBRA ones

so my GOAL is to modify those default values

to achieve this I looked into :

/usr/share/zentyal/stubs/users/ldap.conf.mas

As all my needed parameters are there:

Code:
<%args>
$basedc
$ldap
$binddn
$usersdn
$computersdn
$groupsdn
</%args>

My question is where the arg values are stored?

Let me know if you've a better approach...


« Last Edit: November 12, 2011, 01:26:41 pm by adamzen »

adamzen

  • Zen Apprentice
  • *
  • Posts: 7
  • Karma: +0/-0
Re: SET UP LDAP SLAVE CONFIG MANUALLY
« Reply #1 on: November 12, 2011, 01:07:51 pm »

Hello, I managed to change the DEFAULT LDAP CONFIG:

The default config of ZENTYAL :
-------------------
Root DN:     cn=ebox,dc=serv
Password:     abcdefghabcdefgh
Users DN:     ou=Users,dc=serv
Groups DN:     ou=Groups,dc=serv
--------------------
but when I restart the service manually:

/etc/init.d/zentyal users restart

I got this response in /var/log/zentyal/zentyal.log

Code:
2011/11/12 13:01:32 ERROR> Ldap.pm:1124 EBox::Ldap::safeBind - Couldn't bind to LDAP server, result code: 34
2011/11/12 13:01:32 ERROR> Service.pm:721 EBox::Module::Service::__ANON__ - Error restarting service: Couldn't bind to LDAP server, result code: 34

When I do "LDAP TRAFFIC INTERCEPTION" through a protocol analyser
I still find that the requests sent from my ZENTYAL LDAP SLAVE to the ZIMBRA LDAP SERVER try to bind with "cn=ebox"

It's really strange !!

Maybe someone from the developers "ZENTYAL SAMURAI"  :) can tell us where to change this default config: "cn=ebox"

THANKS A LOT...
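The bind failure quoted above reports result code 34, which in LDAP (RFC 4511) is invalidDNSyntax: the server rejected the DN string itself before any password was checked, which is the kind of failure a hand-edited bind DN or base DN produces. The following is an added example, not code from this thread or from Zentyal: a small RFC 4514 syntax checker that reports the first grammar violation in a DN, so a configured DN can be sanity-checked before a service restart. The three valid DNs in the sample list are the ones quoted in this thread; the malformed ones are constructed for illustration, and the checker is stricter about whitespace than some servers, which tolerate spaces around separators.

```python
"""RFC 4514 syntax check for LDAP distinguished names (added example).

LDAP result code 34 is invalidDNSyntax (RFC 4511): the server rejected the
DN string itself, before any password was checked. This checker applies the
RFC 4514 string-form grammar to a DN and reports the first violation.
"""
import re

# attributeType is a descriptor keystring (ALPHA then ALPHA/DIGIT/HYPHEN)
# or a dotted numeric OID.
_TYPE_RE = re.compile(r"^(?:[A-Za-z][A-Za-z0-9-]*|[0-9]+(?:\.[0-9]+)*)$")
# Characters that a backslash may escape as a single character.
_ESCAPABLE = set(' "#+,;<=>\\')
_HEX = set("0123456789abcdefABCDEF")
# Characters that must always be escaped inside a value.
_FORBIDDEN = set('",+;<>\0')


def _split_unescaped(text, sep):
    """Split text on sep, skipping separators preceded by a backslash."""
    parts, buf, i = [], [], 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):
            buf.append(text[i:i + 2])      # keep the escape pair intact
            i += 2
            continue
        if ch == sep:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))
    return parts


def _check_value(value):
    """Return None if value is a valid RFC 4514 string, else the reason."""
    if value == "":
        return None                      # empty values are allowed by the grammar
    if value[0] == "#":                  # '#' + hex pairs: BER-encoded value
        body = value[1:]
        if not body or len(body) % 2 or any(c not in _HEX for c in body):
            return "malformed '#hexstring' value"
        return None
    if value[0] == " " or value[-1] == " ":
        return "unescaped leading or trailing space"
    i = 0
    while i < len(value):
        ch = value[i]
        if ch == "\\":
            nxt = value[i + 1:i + 3]
            if len(nxt) == 2 and all(c in _HEX for c in nxt):
                i += 3                   # \XX hex pair
            elif nxt[:1] in _ESCAPABLE:
                i += 2                   # \c single escaped character
            else:
                return "invalid escape sequence"
            continue
        if ch in _FORBIDDEN:
            return "unescaped special character %r" % ch
        i += 1
    return None


def check_dn(dn):
    """Return (ok, message) for a DN string in RFC 4514 string form."""
    if dn == "":
        return True, "empty DN (root DSE)"
    for rdn in _split_unescaped(dn, ","):
        if rdn == "":
            return False, "empty RDN (doubled, leading or trailing comma)"
        for ava in _split_unescaped(rdn, "+"):
            if "=" not in ava:
                return False, "no '=' in %r" % ava
            atype, value = ava.split("=", 1)
            if not _TYPE_RE.match(atype):
                return False, "invalid attribute type %r" % atype
            reason = _check_value(value)
            if reason is not None:
                return False, "%s in %r" % (reason, ava)
    return True, "ok"


if __name__ == "__main__":
    # DNs quoted in the thread, followed by constructed malformed variants.
    samples = [
        "cn=ebox,dc=serv",
        "ou=Users,dc=serv",
        "dc=sasipaweb,dc=local",
        "cn=ebox ,dc=serv",        # constructed: trailing space in value
        "cn=ebox, dc=serv",        # constructed: space before attribute type
        "ebox,dc=serv",            # constructed: missing '='
        "cn=ebox,,dc=serv",        # constructed: empty RDN
        r"cn=a\,b,dc=serv",        # constructed: escaped comma (valid)
        r"cn=a\xb,dc=serv",        # constructed: bad escape sequence
    ]
    for dn in samples:
        ok, msg = check_dn(dn)
        print("%-24s %s %s" % (dn, "OK " if ok else "BAD", msg))
```

A passing check only means the string is well-formed; whether the entry exists and the credentials are accepted is still up to the server, which reports those failures with other result codes.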





maiquelrinco

  • Zen Apprentice
  • *
  • Posts: 10
  • Karma: +0/-0
Re: FOR ZENTYAL SAMURAI : SET UP LDAP SLAVE CONFIG MANUALLY
« Reply #2 on: January 30, 2012, 06:53:09 pm »
It does NOT WORK. I have a Windows 2008 R2 AD and I try to configure LDAP as Windows Slave AD, and in LDAP DN I put my DOMAIN MASTER DN, which is dc=sasipaweb,dc=local, and the IP of the Master LDAP is my Windows Server IP. But it doesn't WORK... So I'd like to know where I can define manually how to make Zentyal a SLAVE of one Windows AD.

My Zentyal is the latest one from the web site, updated and upgraded.

Linux sasipafw 2.6.32-38-server #83-Ubuntu SMP Wed Jan 4 11:26:59 UTC 2012 x86_64 GNU/Linux


Please, someone help me!

J. A. Calvo

  • Zentyal Staff
  • Zen Hero
  • *****
  • Posts: 1986
  • Karma: +67/-3
    • http://blogs.zentyal.org/jacalvo
Re: FOR ZENTYAL SAMURAI : SET UP LDAP SLAVE CONFIG MANUALLY
« Reply #3 on: January 31, 2012, 01:54:36 am »
I'm afraid Zentyal is prepared to be a slave of another Zentyal master LDAP, not of any other LDAP like the Zimbra one; probably we can change that in the future to ease integration with other products.
Zentyal Server Lead Developer

maiquelrinco

  • Zen Apprentice
  • *
  • Posts: 10
  • Karma: +0/-0
Re: FOR ZENTYAL SAMURAI : SET UP LDAP SLAVE CONFIG MANUALLY
« Reply #4 on: January 31, 2012, 04:51:09 pm »
Sorry for my 5 posts. So you are sure the latest Zentyal version doesn't work as a SLAVE of Windows AD? And I have no option to configure it manually? Because I found some files like this: /var/lib/zentyal/tmp/slapd-master-db.ldif, but without success on modification. I can make an LDAPSearch from Zentyal to my Windows 2k8 R2. So what's possibly going on?

If you confirm that Zentyal does not support being a Windows Slave AD, please tell me why there are manuals and configuration how-tos on the Zentyal page? I'm confused.. sorry.

I like Zentyal, it is the best integrated product, maybe I can buy it in the future, but I need to make things work like Windows Slave AD; it's very important to me.

Regards, sorry again for my posts.

christian

  • Guest
Re: FOR ZENTYAL SAMURAI : SET UP LDAP SLAVE CONFIG MANUALLY
« Reply #5 on: January 31, 2012, 05:39:41 pm »
There is some confusion about LDAP master/slave, at least in terms of wording.
LDAP master/slave means, i.e., that one LDAP server (the SLAVE) is used to handle only LDAP read operations while the other (the MASTER) handles read and write operations.
Usually, both master and slave share the same content.
In order to achieve this, there is a mechanism, known as "replication", pushing updates made on the master to the slave so that content is kept "aligned".

LDAP is a protocol (thus relying on RFCs), meaning that applications can easily access and use any LDAP server (although some limitations might be due to DIT, schema and ACI). Unfortunately, "replication" is not part of this protocol. As a result, it's almost impossible to replicate between LDAP servers from different editors. This is at the protocol level...
Then, there is an extra level of complexity: as a software or application editor, when you decide to use an existing LDAP server, you may either define, as parameters, the attributes you need for your application or even produce your own schema to be added to this existing LDAP server.
If you decide instead to promote your own LDAP server (like Microsoft does with Active Directory), this is another story, because other applications will have to be tuned or even modified to comply with your own LDAP DIT and schema.

So what?  ;)

There is a balance to be found:
    Zentyal relying on an external LDAP server will ease integration with existing infrastructures but means a trickier installation, at least for people not understanding LDAP concepts.
    Zentyal bringing (as of today) its own LDAP server means no replication, even with other OpenLDAP implementations. The best case is to use a synchronization script, but this can't be supported by Zentyal because almost each implementation will be different. Such an approach has to be kept for LDAP admins only.

One option could be to have different Zentyal deployments: with or without embedded LDAP. Does it make sense in terms of support?

For what concerns Active Directory, there is no way, at least from a pure LDAP standpoint, that LDAP becomes an "AD slave". The best case would be partial synchronization. But here again, it depends on the software installed in your Windows domain that may have changed your AD schema.

This is at least the way I perceive it  ;)

maiquelrinco

  • Zen Apprentice
  • *
  • Posts: 10
  • Karma: +0/-0
Re: FOR ZENTYAL SAMURAI : SET UP LDAP SLAVE CONFIG MANUALLY
« Reply #6 on: January 31, 2012, 08:12:25 pm »
Well, I read your post and understand what you are talking about... but my question is simple:

Can I configure manually the files, or use the web interface of Zentyal, to connect Zentyal to my LDAP (AD Windows) and retrieve the users? I'm talking only about read operations and sync of passwords to the auth proxy.






christian

  • Guest
Re: FOR ZENTYAL SAMURAI : SET UP LDAP SLAVE CONFIG MANUALLY
« Reply #7 on: January 31, 2012, 10:48:48 pm »
The basic answer is NO, just because you will never retrieve passwords from AD.
The only way you could, kind of, achieve it is to write the Zentyal password in parallel with the AD password at the time the user changes the password. This is the way it currently works, and Zentyal is not (yet) designed to rely on an external LDAP server, AD or any other LDAP server  :-[
If some tweak is implemented to have the "Zentyal" proxy relying on AD, then this is no more Zentyal  ;D and I'm afraid this is not that simple.
« Last Edit: January 31, 2012, 10:51:04 pm by christian »