Directory Service (LDAP)

Introduction to Directory Service (LDAP)

Zentyal integrates OpenLDAP [3] as its directory service, together with Samba [4], to implement the domain controller functionality of Windows as well as file and printer sharing.

[3]http://www.openldap.org/
[4]http://en.wikipedia.org/wiki/Samba_(software)

Configuring a master Zentyal server

As we have mentioned above, Zentyal is designed in a modular way, allowing the system administrator to distribute the services between several hosts in the network. To make this possible, the users and groups module can be configured in a master/slave architecture in order to share users between the different servers.

By default, unless we configure otherwise in the menu Users and Groups ‣ Mode, the module acts as a master LDAP directory and the Distinguished Name (DN) [7] of the directory is established according to the host name. If we want to configure a different DN, we can change it in the text field LDAP DN.

[7]Every entry in an LDAP directory has a unique identifier called the Distinguished Name, which is similar in concept to a complete path on a file system.

Zentyal users mode

Other servers can be configured to use a master as the source of their users, thereby becoming slave servers. To do this, we have to choose slave mode in Users and Groups ‣ Mode. The slave configuration needs two more fields: the IP address or name of the host containing the master directory, and its LDAP password. This password is not the Zentyal password, but one generated automatically when we activate the users and groups module. We can obtain this password from the field Password in the option Users and group ‣ LDAP data on the master server.

LDAP info

There is another requirement to register a slave server against a master: the master has to be able to resolve the names of the slave machines using DNS. To do so, we have to configure the DNS service in Zentyal, adding a new domain with the slave host name and its IP address.

If the firewall module is enabled on the master server, it must be configured in a way that allows the incoming traffic from the slaves. By default, the firewall forbids this traffic, so it is necessary to make the required adjustments before going on.

Once all the parameters have been established and the host name of the slave can be resolved from the master, the slave can be registered in the master Zentyal server by enabling the users and groups module in Module status.

The slaves create a copy of the master directory when they register for the first time, and that copy is kept up to date automatically as new users and groups are added. We can see the slave list in the menu Users and groups ‣ Slave status on the master Zentyal machine.

Slave status

The modules that make use of users, such as mail and filesharing, can now be installed on the slaves and will use the users configured in the master Zentyal. Some modules need actions to be executed when a user is added, for instance filesharing, which needs to create the user directories. To do so, the master notifies the slaves about new users and groups when they are created, giving the slaves the opportunity to perform the associated actions.

There can be problems running these actions in some circumstances, for example if one of the slaves is powered down. In this case, the master remembers that there are pending actions that must be performed and retries them periodically. The system administrator can also check the status of the slaves in the menu Users and groups ‣ Slave status and force a manual retry of the actions at any time. From this section it is also possible to remove a slave.

There is an important limitation of the master/slave architecture: the master Zentyal server cannot have installed modules which depend on users and groups, for example filesharing and mail. If the master has any of these modules installed, they must be uninstalled before trying to register any slave against it.

Configuring Zentyal as a slave of Windows Active Directory

Apart from the master/slave deployment between different Zentyal hosts, a Zentyal server can also act as a slave of a Windows Active Directory host, which then acts as the master.

The replication is performed in one direction only, from Windows to Zentyal, and there are two separate processes: one for data and one for passwords. All the user data from users and groups is synchronized through the LDAP protocol. The passwords, by contrast, are transferred through an encrypted TCP connection, with the server listening on the Zentyal host and the client sending the passwords whenever a new user is created or a password is modified on the master Windows server.

To deploy a scenario with this feature, we will need an installed Zentyal server with an advanced configuration of the users directory and a Windows server with Active Directory configured. On the Windows server we have to install the software that performs the slave synchronization, and on the slave machines we will need to register against the master server.

Configuring the Windows server as a master

We need to install a special software package on the Active Directory server in order to notify password changes to Zentyal.

These packages can be downloaded, for the different versions of Zentyal, from the download page of the project [8].

[8]http://sourceforge.net/projects/zentyal/files/

Once downloaded and executed, it will launch the configuration tool automatically, where we can input the following data:

Zentyal slave host:
IP address of the Zentyal host.
Port:
We can use the default value or change it to a different one which is available on the Zentyal host.
Secret key:
We can choose any password, as long as its length is at least 16 characters.
Enable service:
Check this box if we want to write the data to the Windows registry. It won't take effect until the server is restarted.
Configuration dialog during installation

The values for port and secret key have to be entered later, during the Zentyal host configuration; they are explained in the following section.

To finish the installation, click on the button Save to Registry and Exit. It’s not recommended to restart the server yet, as there are some configuration steps left.

In the Start menu, go to Administrative Tools ‣ Domain security policy and activate the complexity requirements for passwords as shown in the figure:

Editing password policy.

There we add a user and assign it a password. We have to take into account that these credentials will be used to connect via LDAP; thus, the relevant part is the complete name (CN) and not the user name. To avoid problems, the recommendation is to leave the name and surname fields blank and assign the same value to the Complete Name and the Session startup name.

Adding the new user eboxadsync

Once we have finished this configuration, we can restart the host as instructed by the installer.

Configuring the Zentyal server as slave

Once we have the Windows server ready, we can proceed to configure Zentyal from Users and groups ‣ Mode. Here we can provide the following data:

Mode:
Choose the option Windows AD slave.
Master host:
IP address of the Windows server.
Users mode in Zentyal.

Once we have entered these values, we can activate the module Users and groups and save the changes. With Zentyal prepared to work in this mode, we can input the authentication data for the Windows server from Users and groups ‣ Windows AD synchronization.

AD Users:
Name of the user that we have created in the Windows host.
AD Password:
The password of the former user.
Reception port:
Port entered during the Windows server configuration.
AD Secret key:
The 16 character key that we used during the configuration in the Windows host.

Warning

The passwords of previously existing users will need to be reassigned (or changed) in order to be notified to Zentyal. Once the users are synchronized, updates can take up to 5 minutes.

Configuration of an LDAP server with Zentyal

LDAP configuration options

After configuring our Zentyal server as master, from Users and Groups ‣ LDAP Configuration Options we can check our current LDAP configuration and perform some adjustments related to the configuration of PAM authentication in the system.

In the upper part, we can see the LDAP Information:

LDAP configuration in Zentyal

Base DN:
Base distinguished name of this directory server.
Root DN:
Distinguished name of the directory root.
Password:
Password that other services and applications wanting to use this LDAP server need to present. If we want to configure a Zentyal server as a slave of this one, this is the password that will be used.
Users DN:
Distinguished name of the users' directory.
Groups DN:
Distinguished name of the groups' directory.
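The footnote above compares a Distinguished Name to a complete path, and the Users DN and Groups DN are simply the containers under the Base DN. The following added example (not code from the Zentyal documentation or project) parses a DN into its components, honouring backslash-escaped commas, and checks whether an entry lies under a given container; the ou=Users / ou=Groups layout in the comments is an assumption for the sample, not Zentyal's own.

```python
# Added example, not Zentyal code. Minimal RFC 4514-style DN parser: a DN is
# read like a path, leftmost (deepest) RDN first, so an entry can be checked
# against the Users DN / Groups DN shown in LDAP Configuration Options.
# The "ou=Users"/"ou=Groups" layout used below is an assumption for the sample.

def parse_dn(dn):
    """Split a DN into [(attribute, value), ...]; a comma escaped with a
    backslash (e.g. 'cn=Smith\\, John') stays inside the value."""
    rdns, attr, buf, i = [], None, [], 0
    while i < len(dn):
        c = dn[i]
        if c == "\\" and i + 1 < len(dn):   # escaped character: keep literally
            buf.append(dn[i + 1])
            i += 2
            continue
        if c == "=" and attr is None:       # first '=' ends the attribute name
            attr = "".join(buf).strip().lower()
            buf = []
        elif c == ",":                      # unescaped comma ends the RDN
            rdns.append((attr, "".join(buf).strip()))
            attr, buf = None, []
        else:
            buf.append(c)
        i += 1
    rdns.append((attr, "".join(buf).strip()))
    if any(not a or not v for a, v in rdns):   # missing attribute or value
        raise ValueError("malformed DN: %r" % dn)
    return rdns

def is_valid_dn(dn):
    try:
        parse_dn(dn)
        return True
    except ValueError:
        return False

def is_under(entry_dn, container_dn):
    """True if entry_dn lies strictly below container_dn (like a sub-path)."""
    entry = [(a, v.lower()) for a, v in parse_dn(entry_dn)]
    cont = [(a, v.lower()) for a, v in parse_dn(container_dn)]
    return len(entry) > len(cont) and entry[-len(cont):] == cont

def classify(entry_dn, users_dn, groups_dn):
    """Tell whether an entry is a user, a group, or something else in this tree."""
    if is_under(entry_dn, users_dn):
        return "user"
    if is_under(entry_dn, groups_dn):
        return "group"
    return "other"
```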

In the lower part we can establish some PAM configuration options.

PAM Configuration in Zentyal.

By enabling PAM, we allow the users managed by Zentyal to be used as normal system users as well, making it possible for them to start sessions on the server.

We can also specify in this section the default command interpreter (shell) for our users. This option is initially configured as nologin, which blocks the users from starting sessions. Changing this option does not modify the existing users in the system; it applies only to users created after the change.
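Because changing the default shell does not touch existing users, the only reliable way to know who can actually open a session once PAM is enabled is to audit the accounts the system sees. The following added example (not code from the Zentyal documentation or project) does that over constructed sample `getent passwd` output; the UID range used to tell directory users apart from local ones is an assumption for the sample.

```python
# Added example, not Zentyal code. Once PAM is enabled, directory users become
# system accounts and NSS lists them in `getent passwd`; the shell field decides
# whether they can open a session. This audit reports every directory-managed
# account whose shell is interactive. The passwd lines are constructed sample
# data and the UID range is an assumption, not values from a Zentyal host.

NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
jdoe:x:2001:1901:John Doe:/home/jdoe:/usr/sbin/nologin
asmith:x:2002:1901:Alice Smith:/home/asmith:/bin/bash
svc-backup:x:2003:1901:Backup service:/home/svc-backup:/bin/sh
"""

def parse_passwd(text):
    """Yield (name, uid, shell) for each well-formed passwd line."""
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) != 7 or not fields[2].isdigit():
            continue                       # skip comments/garbage, do not crash
        # passwd(5): an empty shell field means /bin/sh, i.e. login is allowed
        shell = fields[6] or "/bin/sh"
        yield fields[0], int(fields[2]), shell

def interactive_accounts(text, min_uid=2000):
    """Names of directory-managed accounts (uid >= min_uid) that can log in."""
    return sorted(name for name, uid, shell in parse_passwd(text)
                  if uid >= min_uid and shell not in NOLOGIN_SHELLS)

if __name__ == "__main__":
    for name in interactive_accounts(SAMPLE_PASSWD):
        print("login-capable directory account:", name)
```

On a real host, feed it the output of `getent passwd` instead of the sample text.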

Creating users and groups

We can create a group from the menu Users and groups ‣ Groups. A group will be identified by its name, and can also contain a description.

Adding a group to Zentyal

Going to Users and groups ‣ Groups we can see all the existing groups, edit or delete them.

While we are editing a group, we can choose the users that belong to the group, and also the information associated with the modules in Zentyal that have some specific configuration for the users groups.

Editing a group

Among other uses, with user groups it is possible to:

  • Have a directory shared between the members of the group.
  • Give permissions over a printer for all the users of a group.
  • Create an alias for a mail address that will forward to all the users of a group.
  • Assign access permissions to the different groupware applications to the users of a group.

Users are created from the menu Users and Groups ‣ Users, where we have to fill in the following information:

Adding a user to Zentyal

User name:
Name that the user will have in the system; it is the name used in the authentication processes.
Name:
Name of the user.
Surname:
Surname of the user.
Comment:
Additional information about the user.
Password:
Password that will be used in the authentication processes. It has to be typed twice to avoid typing errors.
Group:
It is possible to add the user to a group during the creation process.

From Users and Groups ‣ Users we can obtain a list of the users, edit or delete them.

List of users in Zentyal

While we are editing a user, we can change all the former data except the user name, as well as the information associated with the installed Zentyal modules that have some specific configuration for users. We can also modify the list of groups that contain this user.

Editing a user

Editing a user we can:

  • Create an account for the jabber server.
  • Create an account for the filesharing or PDC with a personalized quota.
  • Grant permissions to the user to use a printer.
  • Create an e-mail account for the user and alias for it.
  • Assign a telephony extension for the user.
  • Enable or disable the user account for Zarafa and check if it has administrator rights.

In a master/slave configuration, the basic user and group fields are edited on the master, while the rest of the attributes, those related to other modules installed on the slave, are edited from the slave.

User’s corner

The user's data can only be modified by the Zentyal administrator, which becomes inefficient when the number of users to manage grows large. Administration tasks such as changing a user's password can be very time consuming. For this reason Zentyal provides the User's corner, a service designed to allow users to change their own data. This functionality has to be enabled like the rest of the modules. The user's corner listens on a separate port and runs as a separate process to enhance system security.

Configure user’s corner port

The user can enter the User's corner using the URL:

https://<zentyal_ip>:<usercorner_port>/

Once the user enters their name and password, they can make changes to their personal configuration. The exposed functionality is the following:

  • Change the current password.
  • Configuration of the voice mail for the user.
  • Configure an external personal account to retrieve the mail and synchronize it with the content of the mail server in Zentyal.

Change the current password in user’s corner
