
Messages - icsy7867

Directory and Authentication / BDC not syncing to PDC
« on: July 16, 2018, 03:54:25 pm »
I have two zentyal instances (Both running 5.1). 

One is setup as a PDC and the other is setup as a BDC.

If I create a new AD object or DNS entry in the PDC, everything syncs to the BDC just fine.

However, if I create an object in the BDC, it does not sync to the PDC.  I am not quite sure what logs to look into or where to start.  Hoping to get some guidance!

Directory and Authentication / Re: Working with LDAPS?
« on: February 20, 2018, 03:49:22 pm »
So other applications are actually happy, but windows LDP.exe is not (Which I am okay with for now).

I am now successfully connected via LDAPS on port 3269 using LDAP integration on Nextcloud.

Here is what I did, just in case someone else is trying to do the same...

First, get your LDAPS certificate from your zentyal domain.  We will call this

Code:
# ZENTYAL_HOST:636 is a placeholder: replace it with your domain controller's LDAPS address
# (port 636, or 3269 for the global catalog); stderr is silenced so only the PEM block remains
echo -n | openssl s_client -connect ZENTYAL_HOST:636 2>/dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'
You will then get a certificate in the terminal.  You want to grab everything from BEGIN CERTIFICATE to END CERTIFICATE:

You will get a bunch of randomized characters here. 
This is your actual certificate.

You then want to save this somewhere else as a .pem file.  In the case of my Nextcloud VM running ubuntu 16.04, this was:

Code:
cd /etc/ssl/certs
sudo nano zentyalad.pem

Here you will copy and paste your cert.  You can obviously use whatever text editor you want.  You can then save with Ctrl + O (using nano).

Once this is saved, you need to edit your openldap conf since this is what nextcloud/owncloud uses.  In my particular instance, this file was located at /etc/ldap/ldap.conf

Using nano I added two lines:
Code:
TLS_CACERT      /etc/ssl/certs/zentyalad.pem
CertificateFile /etc/ssl/certs/zentyalad.pem

I rebooted the server, and I was able to change LDAP to LDAPS over port 3269!


CA and LDAPS certificates can be found here:
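
The s_client pipeline above copies whatever certificate the listener presents, so the certificate is worth checking against the CA file before it is trusted. The script below is an added example, not code from the post or from Zentyal: it generates throw-away CA and server certificates locally, runs the post's sed range over a constructed s_client transcript, and then verifies the extracted certificate with openssl verify against the CA, which is the check to run against /var/lib/zentyal/CA/cacert.pem in practice. It also shows that a self-signed look-alike with the same name passes the copy-paste step but fails that check. The hostname zentyal.example.lan and all file names are made up.

```shell
#!/bin/sh
# Added example (not from the forum post or Zentyal): reproduces the certificate
# extraction step offline and adds the check the post skips, verifying the fetched
# server certificate against the CA file before trusting it. Every certificate
# here is throw-away test material generated on the fly; zentyal.example.lan is a
# made-up name.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal req config so the test CA is marked CA:TRUE regardless of the system
# openssl.cnf defaults.
cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions    = v3_ca
[dn]
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
EOF

# EC keys keep generation fast.
newkey() { openssl req -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes "$@" 2>/dev/null; }

# Stand-ins for /var/lib/zentyal/CA/cacert.pem (the CA), the leaf a DC would serve
# on 636/3269, and a look-alike from an unrelated issuer.
make_test_pki() {
    newkey -config "$WORK/ca.cnf" -x509 -days 1 -subj "/CN=Test Zentyal CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem"
    newkey -config "$WORK/ca.cnf" -subj "/CN=zentyal.example.lan" \
        -keyout "$WORK/server.key" -out "$WORK/server.csr"
    openssl x509 -req -days 1 -in "$WORK/server.csr" -CA "$WORK/ca.pem" \
        -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/server.pem" 2>/dev/null
    # Same CN, self-signed: what an interposed host could present, and what a
    # blind copy-paste of the BEGIN..END block would accept without complaint.
    newkey -config "$WORK/ca.cnf" -x509 -days 1 -subj "/CN=zentyal.example.lan" \
        -keyout "$WORK/rogue.key" -out "$WORK/rogue.pem"
}

# Constructed s_client transcript: handshake chatter around the PEM block.
fake_s_client() {  # $1 = certificate file to embed
    printf 'CONNECTED(00000003)\n---\nCertificate chain\n 0 s:CN = zentyal.example.lan\n---\nServer certificate\n'
    cat "$1"
    printf 'subject=CN = zentyal.example.lan\n---\nSSL handshake has read 1234 bytes\n'
}

# Same sed range as the post: keep only the BEGIN..END CERTIFICATE block.
extract_cert() { sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'; }

fingerprint() { openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2; }

# The missing step: does the certificate chain to the CA we already hold?
# Prints "ok" (status 0) or "untrusted" (status 1).
verify_against_ca() {  # $1 = fetched cert, $2 = CA file
    if openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; then
        echo ok
    else
        echo untrusted
        return 1
    fi
}

main() {
    make_test_pki
    fake_s_client "$WORK/server.pem" | extract_cert > "$WORK/fetched.pem"
    echo "fetched fingerprint: $(fingerprint "$WORK/fetched.pem")"
    echo "genuine cert: $(verify_against_ca "$WORK/fetched.pem" "$WORK/ca.pem")"
    fake_s_client "$WORK/rogue.pem" | extract_cert > "$WORK/rogue_fetched.pem"
    echo "look-alike cert: $(verify_against_ca "$WORK/rogue_fetched.pem" "$WORK/ca.pem" || true)"
}
main
```

Against a real DC the only changes are replacing fake_s_client with the post's `echo -n | openssl s_client -connect host:636` and pointing verify_against_ca at the CA file copied from the Zentyal host over a channel you already trust (scp, or the console).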

Directory and Authentication / Working with LDAPS?
« on: February 19, 2018, 09:08:09 pm »
Just curious if anyone else has this working.

I used openSSL to pull the cert being used on port 636.  I then found the correct CA cert in /var/lib/zentyal/CA/cacert.pem

I have imported these into the windows certificate store and I am trying to get a successful SSL bind on port 636 using ldp.exe in windows.  I am just curious if anyone else has gotten this to work?  I don't particularly love passwords flying around in plaintext.  For my internal home network the threat is pretty low, but I would still love getting this setup using LDAPS for my ldap programs.


Directory and Authentication / Re: Zentyal 5.0 with Server 2016 BDC
« on: February 19, 2018, 03:30:00 pm »
I might be mistaken,

But after digging into the issue, I believe the account lockouts won't be handled by GPO, as the servers handling the bad login attempts would be zentyal itself.

I have set the account lockout threshold to 5 using the samba-tool, I will test and see how this works shortly.

Code:
samba-tool domain passwordsettings set --account-lockout-threshold=5

Yep this worked! I was able to monitor some bad passwords using Microsoft's account login status:

After 5 bad attempts the account successfully locked out in AD Users & Computers.  Now if I can just get LDAPS working, I will be happy :D

Directory and Authentication / Re: Zentyal 5.0 with Server 2016 BDC
« on: February 16, 2018, 05:42:22 pm »
I thought that Server 2016 might be a little too extreme for a Samba based DC, so I have installed a 2008 R2 VM and I have also tried with this.

I get an RPC Service is Unavailable. I have turned off windows firewall to ensure this was not the case, and I do not believe Zentyal blocks any internal communication.  Has anyone had any experience with this?

Directory and Authentication / Zentyal 5.0 with Server 2016 BDC
« on: February 15, 2018, 07:04:09 pm »
I have been playing around with some configurations and I have been having trouble getting account lockout policies to work.

I thought that I could mess around with spinning up a Windows Server 2016 VM and joining it to the zentyal domain as a BDC but this does not seem to want to work.

Has anyone been able to do this?  I really like having Zentyal as a PDC or BDC because I use LDAP authentication with Zentyal's openvpn configuration, and it's nice to use "LDAP://localhost:389" as I don't have to send passwords in plaintext over the network.

Just curious if anyone has gotten this to work, or if this just simply is not possible.

I know this post is old, but this is the first thing that popped up on google for me, and a quick search did not reveal anything too pertinent. I apologize if this has already been covered, but thought I would share my experience.  I used bits and pieces from all over.  I found that by using hooks, it was easier to setup LDAP support for openvpn than I thought.

Here are the steps that I performed to get it working

Code:
sudo apt-get install openvpn-auth-ldap
# /etc/openvpn is root-owned, so the directory needs sudo as well
sudo mkdir /etc/openvpn/auth
cd /etc/openvpn/auth
sudo nano ldap.conf

Now you need to setup your ldap conf so that your openvpn auth uses the right settings.  You need to change the BindDN, passwords and settings to allow access.  You can also use groups to allow VPN access, but I do not do that on mine so I left that section out.  I can provide a working example if necessary.  I also use "sAMAccountName" instead of UID like the OP.

Code:
# LDAP server URL
URL             ldap://localhost:389

# Bind DN (If your LDAP server doesn't support anonymous binds)
BindDN          "Insert Bind_DN"

# Bind Password
Password        "Password"

# Network timeout (in seconds)
Timeout         15

# Enable Start TLS
#TLSEnable       yes

# Follow LDAP Referrals (anonymously)
FollowReferrals no

# Base DN
#BaseDN         "CN=Users,DC=test,DC=com"
BaseDN          "Base_User_DN"

# User Search Filter
#SearchFilter   "(&(uid=%u)(accountStatus=active))"
SearchFilter    "(sAMAccountName=%u)"

# Require Group Membership
RequireGroup    false

You then need to create your hooks:
Code:
cd /etc/zentyal/hooks/
sudo cp template.postsetconf openvpn.postsetconf
sudo nano openvpn.postsetconf

Here you need to add your LDAP auth to your openvpn hook; add these lines (editing for your correct names) above the "exit 0":
Code:
echo 'plugin /usr/lib/openvpn/ "/etc/openvpn/auth/ldap.conf"' >> /etc/openvpn/VPNNameHere.d/VPNNameHere.conf
# client-cert-not-required drops the client certificate check, so the LDAP password becomes the
# only client credential; OpenVPN 2.4+ spells the same setting "verify-client-cert none"
echo "client-cert-not-required" >> /etc/openvpn/VPNNameHere.d/VPNNameHere.conf

Lastly, you need to tell your openvpn client to ask for a username/password combo.
Simply add:
Code:
to your .ovpn file.
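
The ldap.conf above keeps the bind password in a plain file and leaves TLSEnable commented out, which is fine only because the URL points at localhost. The following script is an added example, not code from the post, Zentyal or openvpn-auth-ldap: a small checker that reads such a file and reports a plaintext ldap:// URL that leaves the host without TLSEnable, and a bind password in a file that is not mode 600. The three sample configs are constructed for the demo, and ldap.example.lan and the file names are made up.

```shell
#!/bin/sh
# Added example (not from the forum post): a linter for an openvpn-auth-ldap
# ldap.conf. Flags a plaintext off-host bind without TLSEnable and a bind
# password sitting in a file other users can read. Sample files are constructed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Value of a directive, ignoring commented-out copies such as "#TLSEnable yes".
directive() {  # $1 = file, $2 = key
    awk -v k="$2" '$1 == k { gsub("\"", "", $2); print $2; exit }' "$1"
}

# Prints one finding per line; prints nothing for a clean file.
check_ldap_conf() {  # $1 = path to ldap.conf
    f=$1
    url=$(directive "$f" URL)
    tls=$(directive "$f" TLSEnable | tr 'A-Z' 'a-z')
    case "$url" in
        "")        echo "no URL directive" ;;
        ldaps://*) ;;   # TLS from the first byte
        ldap://localhost:*|ldap://localhost|ldap://127.0.0.1:*|ldap://127.0.0.1)
                   ;;   # never leaves the host, the post's reason for using localhost
        ldap://*)  [ "$tls" = yes ] || echo "plaintext bind to $url without TLSEnable yes" ;;
        *)         echo "unrecognised URL: $url" ;;
    esac
    if [ -n "$(directive "$f" Password)" ]; then
        mode=$(stat -c %a "$f" 2>/dev/null || stat -f %Lp "$f")
        case "$mode" in
            600|400) ;;
            *) echo "bind Password present but file mode is $mode (expected 600)" ;;
        esac
    fi
}

findings() { check_ldap_conf "$1" | wc -l | tr -d ' '; }  # number of findings

write_samples() {
    # As posted: localhost URL and a bind password, but world-readable.
    cat > "$WORK/posted.conf" <<'EOF'
URL             ldap://localhost:389
BindDN          "CN=vpnbind,CN=Users,DC=example,DC=lan"
Password        "Password"
Timeout         15
#TLSEnable       yes
BaseDN          "CN=Users,DC=example,DC=lan"
SearchFilter    "(sAMAccountName=%u)"
RequireGroup    false
EOF
    chmod 644 "$WORK/posted.conf"
    # Same file pointed at a remote DC: the bind password now crosses the wire in clear.
    sed 's#ldap://localhost:389#ldap://ldap.example.lan:389#' "$WORK/posted.conf" > "$WORK/remote.conf"
    chmod 600 "$WORK/remote.conf"
    # Hardened: LDAPS to the remote DC and a private file.
    sed 's#ldap://localhost:389#ldaps://ldap.example.lan:636#' "$WORK/posted.conf" > "$WORK/hardened.conf"
    chmod 600 "$WORK/hardened.conf"
}

write_samples
for c in posted remote hardened; do
    echo "== $c.conf: $(findings "$WORK/$c.conf") finding(s)"
    check_ldap_conf "$WORK/$c.conf"
done
```

Run it against the real file with `check_ldap_conf /etc/openvpn/auth/ldap.conf`; an empty result means both checks passed.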
