Loading...
 
LDAP / Active directory

LDAP / Active directory


Authentication against Samba 4 active directory (Univention)

Hi everyone!
I am currently trying to authenticate tiki users against my Samba 4 active directory.

I am using Univention Corporate Server Core 4.3 as AD domain controller. (But I guess this issues solution applies to users of Netserver, Zentyal, etc. as well) I was already successful at joining Windows 10, Debian 9.6, Proxmox 5.2 and a Samba file share to my AD domain. Almost none of those of these worked right out of the box, so I wasn't too frustrated that this did not either. I followed the guide at https://doc.tiki.org/LDAP-authentication" class="wiki wikinew text-danger tips">https://doc.tiki.org/LDAP-authentication and I recieved an error, but one, which I was not too unhappy about. The authentication method was not strong enough. I read that Samba 4 does not accept insecure connections per default any longer, which I consider a good thing. I further derived from that (please tell me if that is a misconception), that the tiki-server did actually communicate with the domain controller (and I can also ping ad-controller.intranet.mydomain.tld, so DNS is fine).

In order to meet the security requirements of Samba 4 I assumed (please tell me if that's possibly wrong) that SSL encryption is required and changed following settings to:

  • Port 636
  • Use SSL enabled


The next login test resulted in following syslog message:

Error: Bind failed: Cant connect LDAP server: Unknown Net_LDAP2 Error (-1) at line 239 in /.../ldap.php

I'm not sure if I should expect this problem being caused by the auto-created SSL certificate of the Univention-server. None of my previous experiments with joining the Samba 4 ad resulted in trouble with the SSL certificate. On the other hand I never had PHP involved in the process before.

Can anybody share his knowledge (or some links) on how the communication between tiki and a Samba 4 AD-DC works with me?

Aah, and please let me know what additional data (configs) you need in order to get a proper picture of the situation.

Tanks a lot in advance!
Kind regards

Why Register?

Register at tiki.org and you'll be able to use the account at any *.tiki.org site, thanks to the InterTiki feature. A valid email address is required to receive site notifications and occasional newsletters. You can opt out of these items at any time.