Zentyal linux active directory

Introduction to Directory Service (LDAP)

Zentyal integrates OpenLDAP(3) as a directory service, with Samba(4) to implement the domain controller functionality of Windows and also file and printer sharing.

Configuring Zentyal servers in master/slave mode

Configuring Zentyal as a slave of Windows Active Directory

Configuration of an LDAP server with Zentyal

LDAP configuration options

After configuring the Zentyal server as master, from Users and Groups ‣ LDAP Configuration Options you can check the current LDAP configuration and perform some adjustments related to the configuration of PAM authentication on the system.

In the upper part, you can see the LDAP Information:

Base DN:Base of the domain names in this server.

Root DN:Domain name of the server root.

Password:The password of other services and applications that want to use this LDAP server. If you want to configure a Zentyal server as a slave of this server, this is the password that will be used.

Users DN:Domain name of the users’ directory.

Groups DN:Domain name of the groups’ directory.

In the lower part you can establish some PAM settings

Enabling PAM, you will allow the users managed by Zentyal to also act as normal system users, rendering it possible to start sessions in the server.

You also specify in this section the default command interpreter for your users. This option is initially configured as nologin, blocking the users from starting sessions. Changing this options will not modify the existing users in the system, and will only be applied to the users created after the change.

Creating users and groups

You can create a group from the Users and groups ‣ Groups menu. A group will be identified by its name, and can also contain a description.

Going to Users and groups ‣ Groups you can see all the existing groups, edit or delete them.

While you are editing a group, you can choose the users that belong to the group, and also the information associated with the modules in Zentyal that have some specific configuration associated with user groups.

Among other things, with users groups is possible to:

• Have a directory shared between the members of the group.

• Set permissions to a printer for all the users of a group.

• Create an alias for a mail address that will forward to all the users of a group.

• Assign access permissions of different groupware applications to the users of a group.

The users created from the Users and Groups‣ Users menu, is where you need to add the following information:

User name:Name of the user on the system, it will be the name used in the authentication processes.

Name:Name of the user.

Surname:Surname of the user.

Comment:Additional information about the user.

Password:Password that will be used in the authentication processes. This information will have to be typed twice to avoid typing errors.

Group:Is possible to add the user to a group during the creation process.

From Users and Groups ‣ Users you can obtain a list of the users, edit or delete them.

While editing a user, you can change all the details, except the user name and the information that is associated with the installed Zentyal modules. These contain some specific configuration details assigned to users. You can also modify the list of groups that contain this user.

When editing a user you can:

• Create an account for the jabber server.

• Create an account for the filesharing or PDC with a personalised quota.

• Grant permissions to the user to use a printer.

• Create an e-mail account for the user and alias for it.

• Assign a telephone extension for the user.

• Enable or disable the user account for Zarafa and check if it has

In a master/slave configuration, the basic user and groups fields can be edited in the master, while the rest of attributes related with other installed modules in the slave will be edited from the slave.

User’s corner

The user’s data can only be modified by the Zentyal administrator, which can be inefficient when the number of users to be managed becomes too big. Administration tasks like changing the password of a user can be very time consuming. For this reason, you need the User’s corner. This corner is a Zentyal service designed to allow the users to change their own data. This functionality has to be enabled like the rest of the modules. The user’s corner is listening on another port different to other processes to enhance the system security.

The user can access the User corner using the URL:

Once the user enters his/her name and password, he/she can perform changes in his personal configuration. User’s corner offers the following functionality:

• Change the current password.

• Configure the voice mail for the user.

• Configure an external personal account to retrieve the mail and

synchronise it with the content of the mail server in Zentyal.

Источник

En/3.2/Users and Computers

Zentyal integrates OpenLDAP(3) as a directory service.

Contents

Configuration of an OpenLDAP server with Zentyal

LDAP configuration options

Going to Users and Computers ‣ LDAP Settings you can check the current LDAP configuration and perform some adjustments related to the configuration of PAM authentication on the system.

In the upper part, you can see the LDAP Information:

Base DN:Base of the domain names in this server.

Root DN:Domain name of the server root.

Password:The password of other services and applications that want to use this LDAP server. If you want to configure a Zentyal server as a slave of this server, this is the password that will be used.

Users DN:Domain name of the users’ directory.

Groups DN:Domain name of the groups’ directory.

In the lower part you can establish some PAM settings

Enabling PAM, you will allow the users managed by Zentyal to also act as normal system users, making possible to start sessions in the server (for example SSH and SFTP).

In this section you also specify the default command interpreter for your users. This option is initially configured as nologin, blocking the users from starting sessions. Changing this options will not modify the existing users in the system, and will only be applied to the users created after the change.

Managing Users, Groups and Computers

Going to Users and Computers ‣ Manage you will see the LDAP tree. From this interface you can also create and delete nodes, manage the LDAP attributes and adjust the permissions for other LDAP-connected services.

On the left side, you can see the tree, with your «local» domain as the root. There are several Organizational Units already created.

• Computers: Hosts joined to the domain, both servers and desktops, this section is useful for inventory reasons and

also to apply host-based rules and configuration as you will see in the File sharing and Domain Services chapter.

• Domain Controllers: Servers that replicate this directory information, they can also assume the different FSMO roles

of a Samba4/Active Directory domain.

• Groups: Generic OU container node for the groups in your organization.

• Users: Generic OU container node for the users in your organization.

An Organizational Unit is a container for other objects, like groups, users or even other nested OUs. It’s a concept closely related to the tree data structure and the different policies associated with each node. If you are not using Samba4/Active Directory capabilities, you probably don’t need to create new Organizational Units in your domain.

Some Zentyal modules are only compatible with the classical LDAP structure and will not recognize users that are created on custom OUs (different than the default Users/Groups OUs described above). Currently, File sharing and Domain Services, HTTP Proxy Service, Electronic Mail Service (SMTP/POP3-IMAP4) and Groupware service modules are compatible with multi OU users.

You can delete any node using the trash can icon or you can create a new one clicking on a container and then on the green plus icon.

It’s important to note that each time you create a user in the LDAP tree, a directory /home/ is created in the filesystem of the server, if the directory already exists, you may have problems creating the user. Move or remove the directory before creating the user if this is the case.

The Contacts are personal information objects not related with the authorization mechanism. In other words, contacts will not be able to login on the domain services.

On the right side you can see and modify the LDAP attributes of the currently selected node, for example, the surname of an user.

Clicking on a user, you can also modify user’s membership to the different groups, and make use of the user plugins. At the bottom of the right hand side of the interface, you will see a section named Modules Configuration, this section has a variable number of subsections, depending on the Zentyal modules installed and enabled. From here, you can modify the specific parameters of that module regarding this user. The default configuration of the user plugins depends on the User Template explained below.

Clicking on a group, you can also modify the users belonging to the group, create distribution mail lists and change the type of group. The Security Group (default) contains users that will be able to login on the domain services, the Distribution Group contains user that will be used for other purposes, like mail lists.

User Template

Going to Users and Computers —> User Template you can modify the default service settings for the new user, for example, default domain for their mail account. It’s important to note that any modifications will only be applied to the users created after changing the template. The number of sections is variable, depending on the user-related Zentyal modules present on your system.

Configuring external Microsoft Active Directory

It’s possible to configure Zentyal as an additional (or Operations Masters) controller of a Microsoft Active Directory domain using Samba4 technologies (see File sharing and Domain Services).

Nevertheless, you may want to just read the directory information from an external Active Directory without becoming a controller.

Zentyal offers this possibility though a wizard during installation time, if you have chosen the Users and Computers modules or later on, if you clean and destroy local users configuration, you can do this using the command: sudo /usr/share/zentyal/unconfigure-module users

First of all, you have to configure Windows Server as your main DNS resolver from Network ‣ DNS and make sure that in the Windows Server, the forward and reverse DNS zones are correctly configured for both servers, Zentyal and Windows.

Supposing that you have not used the installation wizard and have executed the command above, you will find a menu option going to Users and Computers ‣ Configure mode

If you choose then to Use external Active Directory server you will be presented with the following form

Now, you just need to enable the Users and Computers module again, and you will be able to use the Windows Server directory information to validate in all the user-depending modules (HTTP Proxy, RADIUS, mail, etc. )

User’s corner

User editable data

The user’s data can only be modified by the Zentyal administrator, which can be inefficient when the number of users to be managed becomes too big. Administration tasks like changing the password of a user can be very time consuming. For this reason, you need the User’s corner. This corner is a Zentyal service designed to allow the users to change their own data. This functionality has to be enabled like the rest of the modules. The user’s corner is listening on another port different to other processes to enhance the system security.

Going to Users and Computers ‣ Usercorner you can configure the listening port

The user can access the User corner using the URL:

Once the user enters his/her name and password, he/she can perform changes in his personal configuration. User’s corner offers the following functionality:

• Change the current password.

• Configure the voice mail for the user.

• Configure an external personal account to retrieve the mail and

synchronise it with the content of the mail server in Zentyal.

Источник