User domains#

Users and groups are stored in an LDAP database, served by an account provider module. Several modules can work together to serve the same LDAP database as replicas. An LDAP database represents an account domain.

The NS8 cluster can host multiple local account domains of different implementations. External LDAP services can also be configured and connected. The supported LDAP schemas are

Besides choosing whether to connect an external provider or install an internal one, the administrator must decide which backend type fits their needs. The File server application can authenticate SMB/CIFS clients only when an Active Directory domain is used. On the other hand, the internal OpenLDAP provider is easier to install and configure. In short, if support for the SMB file sharing protocol is not required, an LDAP provider is the best choice.

Note also that several OpenLDAP instances can be hosted on the same node, whereas only one Samba instance can be installed per node.

Active Directory#

To install a new user domain with Samba Active Directory as the local provider:

  • access the Domains and users page

  • click the Create domain button and choose Internal

  • select Samba in the dialog box and click Install provider

Once the provider is installed, you will be asked to enter the following parameters:

  • Domain: the user domain, which should be a valid FQDN. It defines the DNS suffix of the new domain. The Domain Controller (DC) acts as the authoritative DNS server for that domain. If unsure, keep the proposed value.

  • NetBIOS domain: a valid NetBIOS domain (also known as «domain short name» or «NT domain name»); it is the alternative Active Directory domain identifier, compatible with older clients. The maximum length is 15 ASCII characters. If unsure, keep the proposed value.

  • Choose the Samba administrator username and Choose a password for the Samba administrator user: set the initial credentials of the administrative account; you can use administrator (default) or any other username. In the latter case, the specified username is added to the Domain Admins group, while the administrator user is disabled and configured with a random password.

  • Hostname: the hostname of the Domain Controller (DC). If unsure, keep the proposed value.

  • Provide file shares and authentication for Windows clients. If enabled, the shared folders of the DC are accessible from the local network. Only one of the DCs of the Active Directory domain can offer shared folders, authentication and DNS services. For more information, see File server.

Note

Apart from the administrative credentials, the other Active Directory parameters cannot be changed once the domain has been created.

At the end, you will see a new user domain with one connected provider. You can now manage users and groups, add a replica or copy the bind settings to connect an external application.

DNS and AD domain#

An Active Directory domain requires a reserved DNS domain to work. It is a good choice to allocate a sub-domain of the public DNS domain for it. The AD sub-domain can be accessed only from local networks.

Example:

  • public (external) domain: nethserver.org

  • server FQDN: mail.nethserver.org

  • Active Directory (internal LAN only) domain: ad.nethserver.org

  • domain controller FQDN: dc1.ad.nethserver.org

Tip

When choosing a domain for Active Directory, use an internal domain which is a sub-domain of the external domain [1]

Furthermore, the AD Windows clients must be configured to use the domain controller as their DNS server for network name resolution. Set the IP address of DC dc1.ad.nethserver.org in client DNS configuration.

The domain controller inherits the node DNS settings in /etc/resolv.conf for name resolution request forwarding.

LDAP server RFC2307#

To install a new user domain with a local OpenLDAP as provider:

  • access the Domains and users page

  • click the Create domain button and choose Internal

  • select OpenLDAP on the dialog box and click Install provider

Once the provider is installed, you will be asked to enter the following parameters:

  • Domain: the user domain, it should be a valid FQDN. If unsure, keep the proposed value.

  • OpenLDAP admin username and OpenLDAP admin password: the admin credentials

Finally, you will see a new user domain with one connected provider. You can now manage users and groups or add a replica.

Note

The OpenLDAP provider is not currently accessible from outside the cluster.

Provider replicas#

Provider replicas implement fault tolerance for user domains. To achieve real fault tolerance, replicas should be installed on different nodes.

You can add a replica from the Domains and users page by selecting the Configuration link from the three-dots menu. Then click the Add provider button, select the target node and proceed with the installation.

Replicas are configured in master-master mode.

Warning

The Active Directory provider does not replicate the SysVol volume. Therefore, Microsoft Group Policy Objects (GPO) will not be synchronized between replicas.

LDAP bind settings#

Note

External applications can connect only to a local Active Directory provider.

Binding is the process by which the LDAP server authenticates the client; if the client is successfully authenticated, the server grants it access.

Many applications may need to bind to an existing NethServer 8 user domain. Bind settings can be accessed by selecting the Configuration link from the three-dots menu: the user domain details are displayed at the top of the page.

External LDAP server#

You can connect the NethServer 8 cluster to an existing LDAP server.

  1. Access the Domains and users page.

  2. Click on Create domain button and choose External.

  3. Fill all required fields. Bear in mind that apart from «Host» and «Port», the domain settings cannot be changed later:

    • Domain: This should be in fully qualified domain name (FQDN) syntax, but it can be any logical name matching the LDAP base DN structure. For example, if your LDAP base DN is dc=example,dc=org, a suitable domain name would be «example.org».

    • Host: Enter the IP address or hostname of the LDAP server.

    • Port: Specify the TCP port number of the remote LDAP service. Standard values are 389 for LDAP and 636 for LDAPS. However, with Active Directory, certain applications like Mail [2] may require setting LDAP port 3268 or LDAPS port 3269. This is because they do not support «LDAP subordinate referrals».

    • Bind DN and Password: Credentials required to access the remote LDAP server.

    • Base DN: Define the level of the LDAP hierarchy to use as the base for user and group lookup. Leaving this field empty retrieves the correct value from the LDAP server itself.

    • TLS: Enable this switch to encrypt the connection with TLS. If the server does not support TLS on the specified port, an error will occur.

    • TLS verify: Enable this switch to ensure that the LDAP server provides a valid TLS certificate signed by a trusted authority, with the certificate name matching the hostname specified in the «Host» field. Continue reading to fully understand the implications of this option.

  4. Once all fields are filled, click on the Configure domain button.

Warning

Once configured, domain settings cannot be changed later!

If you choose not to verify TLS, you can configure additional hosts as backup providers. The first configured provider is considered the primary LDAP backend server. If a cluster node cannot reach it, it switches to another provider. It is crucial that all domain providers are accessible from any cluster node.

Enabling «TLS verify» adds extra security but has limitations: only the first provider is considered. If it becomes unreachable, connection recovery is not possible.

Ensure each provider is accessible from all cluster nodes for seamless operation.
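To make the bind settings above concrete, here is an added example (not NethServer code) that models an external provider entry, the domain/base DN mapping, the port choices for LDAP, LDAPS and the Active Directory global catalog, and the failover rule that «TLS verify» restricts to the first provider. The `LdapProvider` class and the `probe` callable (a stand-in for a real connection attempt) are assumptions of this example.

```python
# Added example (not NethServer code): model the external LDAP provider
# settings described above and the failover rule that goes with them.
from dataclasses import dataclass
from typing import Callable, List, Optional

@dataclass(frozen=True)
class LdapProvider:
    host: str
    port: int
    tls: bool  # "TLS" switch: LDAP over TLS on this port

    def url(self) -> str:
        return f"{'ldaps' if self.tls else 'ldap'}://{self.host}:{self.port}"

def domain_to_base_dn(domain: str) -> str:
    """'example.org' -> 'dc=example,dc=org', the mapping the page suggests."""
    labels = [lbl for lbl in domain.strip().lower().split(".") if lbl]
    if not labels:
        raise ValueError("empty domain")
    return ",".join(f"dc={lbl}" for lbl in labels)

def base_dn_to_domain(base_dn: str) -> str:
    """'dc=example,dc=org' -> 'example.org'; rejects non-dc components."""
    labels = []
    for rdn in base_dn.split(","):
        attr, _, value = rdn.strip().partition("=")
        if attr.lower() != "dc" or not value:
            raise ValueError(f"not a dc= component: {rdn!r}")
        labels.append(value.lower())
    return ".".join(labels)

def default_port(tls: bool, ad_global_catalog: bool = False) -> int:
    """389/636 normally; 3268/3269 for AD apps that cannot follow referrals."""
    if ad_global_catalog:
        return 3269 if tls else 3268
    return 636 if tls else 389

def candidate_providers(providers: List[LdapProvider], tls_verify: bool) -> List[LdapProvider]:
    """With "TLS verify" enabled only the first (primary) provider is ever used."""
    return providers[:1] if tls_verify else list(providers)

def connect_with_failover(providers: List[LdapProvider], tls_verify: bool,
                          probe: Callable[[LdapProvider], bool]) -> Optional[LdapProvider]:
    """Return the first provider that `probe` reports reachable, or None."""
    for provider in candidate_providers(providers, tls_verify):
        if probe(provider):
            return provider
    return None
```

The last assertion-style case worth trying is a primary that is down with «TLS verify» on: no backup is consulted and the lookup fails, which is exactly the limitation the text warns about.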

Password policy#

The password policy is a set of rules that defines the password complexity and the password expiration time. You can configure the password policy from the Domains and users page by selecting the domain of interest and clicking Edit password policy from the three-dots menu of the Password card.

You can configure password age and password strength policy separately.

Password age#

You can toggle password age policy by clicking on the Password age switch. If enabled, you can configure the following parameters:

  • Minimum password age: the minimum number of days that must pass before a new password change.

  • Maximum password age: password expiration time in days. After this period, the password is no longer valid for logins and must be changed. Users can change their expired password with the User Management portal.

Password strength#

By enabling the Password strength switch, you can configure the following parameters:

  • Password history length: the number of old passwords that cannot be reused.

  • Minimum password length: the minimum number of characters that a password must have.

  • Enforce password complexity: enforce the use of complex passwords, see the note below for more details.

Note

A password is considered complex if it is long enough and meets three of the following rules:

  • The password must contain at least one uppercase letter.

  • The password must contain at least one lowercase letter.

  • The password must contain at least one digit.

  • The password must contain at least one special character.

After editing the password policy, you can click on Edit password policy button to save the changes. Strength setting changes do not affect old passwords: they are valid from now on. Age setting changes are retroactive and are applied to already set passwords, too.
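The age and strength rules above, implemented as a policy checker in an added example (not NethServer code, which enforces them inside the account provider). The `PasswordPolicy` class, the field names and the rule that only the last `history_length` entries of a caller-supplied history count are assumptions of this example; the complexity rule is the «three of four» rule from the note.

```python
# Added example (not NethServer code): evaluate a password change against
# the age and strength parameters described above.
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List

@dataclass
class PasswordPolicy:
    min_age_days: int = 0          # Minimum password age (0 = no minimum)
    max_age_days: int = 0          # Maximum password age (0 = never expires)
    history_length: int = 0        # Password history length
    min_length: int = 8            # Minimum password length
    enforce_complexity: bool = True

def is_complex(password: str, min_length: int) -> bool:
    """Long enough and meeting at least three of the four character classes."""
    if len(password) < min_length:
        return False
    classes = (
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),  # "special character"
    )
    return sum(classes) >= 3

def is_expired(policy: PasswordPolicy, last_change: date, today: date) -> bool:
    """Maximum age is retroactive: it also applies to passwords set earlier."""
    if not policy.max_age_days:
        return False
    return today - last_change > timedelta(days=policy.max_age_days)

def check_new_password(policy: PasswordPolicy, new_pw: str, history: List[str],
                       last_change: date, today: date) -> List[str]:
    """Return the policy violations for a proposed change (empty = accepted).

    `history` is ordered oldest to newest; only the last `history_length`
    entries count, matching "number of old passwords that cannot be reused".
    """
    problems = []
    if policy.min_age_days and today - last_change < timedelta(days=policy.min_age_days):
        problems.append("minimum password age not reached")
    if len(new_pw) < policy.min_length:
        problems.append("password too short")
    elif policy.enforce_complexity and not is_complex(new_pw, policy.min_length):
        problems.append("password not complex enough")
    if policy.history_length and new_pw in history[-policy.history_length:]:
        problems.append("password reused from history")
    return problems
```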

User and groups#

You can manage users and groups of a domain by clicking on User and groups link from the Domains and users page.

If an external user domain has been configured, the page shows read-only lists. Changes to the user base must be done on the external server.

On the other hand, if a local AD or LDAP account provider has been installed, the page allows you to create, modify and delete users and groups.

When creating a user, the following fields are mandatory:

  • User name

  • Full name (name and surname)

  • Password

A user can be added to one or more groups.

Sometimes you need to block user access to services without deleting the account. The safest approach is:

  1. (optionally) change the user’s password with a random one

  2. disable the user using the Disable action from the three-dots menu

When a user is deleted, the user's data is not removed.

User Management portal#

The user management portal is a web application that allows any non-administrator user to change their own password without the need for administrator intervention.

The portal is automatically configured on every instance of Active Directory or LDAP server RFC2307 provider.

The portal is available at the following URL:

https://<fqdn_node>/users-admin/<domain_name>/

Where <fqdn_node> is the FQDN of the node hosting the provider and <domain_name> is the name of the domain entered while configuring the domain.

Warning

Without the trailing slash, the portal will not work.

Once the page is reached, the user is prompted to log in and can authenticate to the domain with their user name and password.

If the login is successful, the user is directed to the User Management page, where they can proceed to change the password. The password must comply with the domain password policy during this process. The list of applications where the new password is effective is displayed next to the password changing form.