User domains#
Users and groups are stored in an LDAP database, served by an account provider module. Several modules can work together to serve the same LDAP database as replicas. An LDAP database represents an account domain.
The NS8 cluster can host several local account domains of different implementations. External LDAP services can also be configured and connected. The supported LDAP schemas are
Active Directory - Samba
Unix attributes RFC2307 <https://www.rfc-editor.org/rfc/rfc2307> - OpenLDAP
Besides choosing whether to connect an external provider or install an internal one, the administrator must decide which kind of backend fits their needs. The File server application can authenticate SMB/CIFS clients only when an Active Directory domain is used. On the other hand, the internal OpenLDAP provider is easier to install and configure. In the end, if support for the SMB file sharing protocol is not required, an LDAP provider is the better choice.
Note also that several OpenLDAP instances can be hosted on the same node, whereas only one Samba instance can be installed per node.
Active Directory#
To install a new user domain with Samba Active Directory as local provider:
go to the Domains and users page
click the Create domain button and choose Internal
select Samba in the dialog box and click Install provider
Once the provider is installed, you will be asked to enter the following parameters:
Domain: the user domain, which should be a valid FQDN. It defines the DNS suffix of the new domain. The Domain Controller (DC) acts as the authoritative DNS server for that domain. If unsure, keep the proposed value.
NetBIOS domain: a valid NetBIOS domain (also known as "domain short name" or "NT domain name"), the alternative Active Directory domain identifier, compatible with older clients. The maximum length is 15 ASCII characters. If unsure, keep the proposed value.
Choose the Samba administrator username and Choose a password for the Samba administrator user: set the initial credentials of the administrative account; you can use administrator (default) or any other user name. In the latter case, the given user name is added to the Domain Admins group, while the administrator user is disabled and configured with a random password.
Hostname: the host name of the Domain Controller (DC). If unsure, keep the proposed value.
Provide file shares and authentication for Windows clients: if enabled, the shared folders of the DC are accessible from the local network. Only one DC of the Active Directory domain can offer shared folders, authentication and DNS services. For more information, see File server.
Note
Apart from the administrative credentials, the other Active Directory parameters cannot be changed once the domain has been created.
At the end, you will see a new user domain with one connected provider. You can now manage users and groups, add a replica or copy the bind settings to connect an external application.
DNS and AD domain#
An Active Directory domain requires a reserved DNS domain to work. It is a good choice to allocate a sub-domain of the public DNS domain for it. The AD sub-domain can be accessed only from local networks.
Example:
public (external) domain: nethserver.org
server FQDN: mail.nethserver.org
Active Directory (internal LAN only) domain: ad.nethserver.org
domain controller FQDN: dc1.ad.nethserver.org
Tip
When choosing a domain for Active Directory, use an internal domain which is a sub-domain of the external domain [1]
Furthermore, the AD Windows clients must be configured to use the domain controller as their DNS server for network name resolution. Set the IP address of the DC dc1.ad.nethserver.org in the client DNS configuration.
The domain controller inherits the node DNS settings in /etc/resolv.conf for forwarding name resolution requests it is not authoritative for.
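Added example (not NethServer 8 code): a small Python checker for the naming rules in the Active Directory parameter list above and for the DNS layout just described. It accepts the sample layout (AD domain ad.nethserver.org under nethserver.org, DC dc1.ad.nethserver.org) and parses a client's resolv.conf to confirm the DC is the first nameserver the client will ask. The class and function names, the NetBIOS character restrictions beyond the 15-character ASCII limit, and the sample DC address 192.0.2.10 are assumptions of this example.

```python
import ipaddress
import re
from dataclasses import dataclass

# Added example code, not part of NethServer 8. Rules beyond "valid FQDN" and
# "15 ASCII characters" (NetBIOS charset, two-label minimum) are assumptions.

_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")
_NETBIOS_FORBIDDEN = set('\\/:*?"<>|. ')   # assumption: conservative NetBIOS charset


def is_fqdn(name: str) -> bool:
    """Syntactically valid DNS name with at least two labels ('dc1' alone is rejected)."""
    name = name.rstrip(".").lower()
    if not name or len(name) > 253:
        return False
    labels = name.split(".")
    return len(labels) >= 2 and all(_LABEL.match(label) for label in labels)


def is_netbios_domain(name: str) -> bool:
    """1..15 printable ASCII characters, none of the separators NetBIOS rejects."""
    return (1 <= len(name) <= 15 and name.isascii() and name.isprintable()
            and not (set(name) & _NETBIOS_FORBIDDEN))


def is_subdomain(child: str, parent: str) -> bool:
    """True when child lies strictly below parent (ad.nethserver.org under nethserver.org)."""
    child, parent = child.rstrip(".").lower(), parent.rstrip(".").lower()
    return child != parent and child.endswith("." + parent)


@dataclass
class AdParams:
    domain: str          # AD DNS domain, e.g. ad.nethserver.org
    netbios_domain: str  # e.g. AD
    hostname: str        # DC FQDN, e.g. dc1.ad.nethserver.org
    public_domain: str   # public DNS domain, e.g. nethserver.org


def check_ad_params(p: AdParams) -> list:
    """Return the list of problems; an empty list means the layout follows the advice above."""
    problems = []
    if not is_fqdn(p.domain):
        problems.append("domain is not a valid FQDN")
    if not is_netbios_domain(p.netbios_domain):
        problems.append("NetBIOS domain must be 1..15 ASCII characters without separators")
    if not is_subdomain(p.domain, p.public_domain):
        problems.append("AD domain should be a sub-domain of the public domain, not the public domain itself")
    if not is_subdomain(p.hostname, p.domain):
        problems.append("DC hostname must lie inside the AD domain the DC serves")
    return problems


def client_uses_dc_dns(resolv_conf: str, dc_ip: str) -> bool:
    """Parse resolv.conf text; True when the DC is the first nameserver listed."""
    dc = ipaddress.ip_address(dc_ip)
    for line in resolv_conf.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments
        if line.startswith("nameserver"):
            parts = line.split()
            if len(parts) >= 2:
                try:
                    return ipaddress.ip_address(parts[1]) == dc
                except ValueError:
                    return False
    return False


if __name__ == "__main__":
    layout = AdParams("ad.nethserver.org", "AD", "dc1.ad.nethserver.org", "nethserver.org")
    print(check_ad_params(layout))
    # constructed client resolv.conf; 192.0.2.10 is an assumed DC address
    print(client_uses_dc_dns("search ad.nethserver.org\nnameserver 192.0.2.10\n", "192.0.2.10"))
```

The sub-domain check is the practical one: an AD domain equal to the public domain makes the DC authoritative for names that live on the public DNS, so public records would become unreachable for clients that use the DC as resolver.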
LDAP server RFC2307#
To install a new user domain with a local OpenLDAP as provider:
go to the Domains and users page
click the Create domain button and choose Internal
select OpenLDAP in the dialog box and click Install provider
Once the provider is installed, you will be asked to enter the following parameters:
Domain: the user domain, it should be a valid FQDN. If unsure, keep the proposed value.
OpenLDAP admin username and OpenLDAP admin password: admin credentials
Finally, you will see a new user domain with one connected provider. You can now manage users and groups or add a replica.
Note
The OpenLDAP provider is not currently accessible from outside the cluster.
Provider replicas#
Provider replicas implement fault tolerance for user domains. To achieve real fault tolerance, replicas should be installed on different nodes.
You can add a replica from the Domains and users
page by selecting the Configuration
link from the three-dots menu.
Then click the Add provider button, select the target node and proceed with the installation.
Replicas are configured in master-master mode.
Warning
The Active Directory provider does not replicate the SysVol volume. Therefore Microsoft's Group Policy Objects (GPO) will not be synchronized between replicas.
LDAP bind settings#
Note
External applications can connect only to a local Active Directory provider.
Binding is the process where the LDAP server authenticates the client and, if the client is successfully authenticated, the server allows client access.
Many applications may require to be bound to an existing NethServer 8 user domain.
Bind settings can be accessed by selecting the Configuration link from the three-dots menu: user domain details are displayed at the top of the page.
External LDAP server#
You can connect the NethServer 8 cluster to an existing LDAP server.
Access the Domains and users page.
Click on the Create domain button and choose External.
Fill all required fields. Bear in mind that apart from "Host" and "Port", the domain settings cannot be changed later:
Domain: this should be in fully qualified domain name (FQDN) syntax, but it can be any logical name matching the LDAP base DN structure. For example, if your LDAP base DN is dc=example,dc=org, a suitable domain name would be "example.org".
Host: enter the IP address or hostname of the LDAP server.
Port: specify the TCP port number of the remote LDAP service. Standard values are 389 for LDAP and 636 for LDAPS. However, with Active Directory, certain applications like Mail [2] may require setting LDAP port 3268 or LDAPS port 3269, the global catalog ports, because they do not support "LDAP subordinate referrals".
Bind DN and Password: credentials required to access the remote LDAP server.
Base DN: define the level of the LDAP hierarchy to use as the base for user and group lookup. Leaving this field empty retrieves the correct value from the LDAP server itself.
TLS: enable this switch to encrypt the connection with TLS. If the server does not support TLS on the specified port, an error will occur.
TLS verify: enable this switch to ensure that the LDAP server provides a valid TLS certificate signed by a trusted authority, with the certificate name matching the hostname specified in the "Host" field. Continue reading to fully understand the implications of this option.
Once all fields are filled, click on the Configure domain button.
Warning
Once configured, domain settings other than "Host" and "Port" cannot be changed later!
If you choose not to verify TLS, you can configure additional hosts as backup providers. The first configured provider is considered the primary LDAP backend server. If a cluster node cannot reach it, it switches to another provider. It’s crucial that all domain providers are accessible from any cluster node.
Enabling «TLS verify» adds extra security but has limitations: only the first provider is considered. If it becomes unreachable, connection recovery is not possible.
Ensure each provider is accessible from all cluster nodes for seamless operation.
[2] https://doc.dovecot.org/configuration_manual/authentication/ldap/#active-directory
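As an added example (not NethServer 8 code), the Python below encodes the External LDAP field semantics and caveats above: the correspondence between the Domain and the base DN, the LDAPS ports 636 and 3269, the global catalog ports 3268 and 3269 for consumers that cannot follow subordinate referrals, and the fact that "TLS verify" pins the connection to the first host and matches the certificate name against "Host". The class, field and function names are this example's own; the sample Bind DN and hosts are constructed.

```python
import ipaddress
from dataclasses import dataclass, field

# Added example code, not part of NethServer 8. Port sets and the
# ExternalLdap field names are this example's assumptions.

LDAPS_PORTS = {636, 3269}            # TLS from the first byte
GLOBAL_CATALOG_PORTS = {3268, 3269}  # AD global catalog: no subordinate referrals


def base_dn_from_domain(domain: str) -> str:
    """'example.org' -> 'dc=example,dc=org'."""
    return ",".join("dc=" + label for label in domain.strip(".").lower().split("."))


def domain_from_base_dn(base_dn: str) -> str:
    """'dc=example,dc=org' -> 'example.org'; rejects a base DN with non-dc components."""
    labels = []
    for rdn in base_dn.split(","):
        attr, sep, value = rdn.strip().partition("=")
        if not sep or attr.strip().lower() != "dc" or not value.strip():
            raise ValueError(f"not a dc= component: {rdn!r}")
        labels.append(value.strip().lower())
    return ".".join(labels)


def _is_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


@dataclass
class ExternalLdap:
    domain: str
    hosts: list                 # first entry is the primary; extras are backup providers
    port: int
    bind_dn: str
    tls: bool = False
    tls_verify: bool = False
    base_dn: str = ""           # empty: discovered from the server
    active_directory: bool = False
    app_follows_referrals: bool = True   # False for consumers like Mail [2]


def check_external_ldap(cfg: ExternalLdap) -> list:
    """Problems a practitioner would want flagged before clicking Configure domain."""
    problems = []
    if not cfg.hosts:
        problems.append("at least one host is required")
    if cfg.base_dn:
        try:
            if domain_from_base_dn(cfg.base_dn) != cfg.domain.strip(".").lower():
                problems.append(f"domain {cfg.domain!r} does not match base DN {cfg.base_dn!r}")
        except ValueError as exc:
            problems.append(str(exc))
    if cfg.port in LDAPS_PORTS and not cfg.tls:
        problems.append(f"port {cfg.port} is an LDAPS port but TLS is off")
    if cfg.tls_verify and not cfg.tls:
        problems.append("TLS verify has no effect while TLS is off")
    if cfg.tls_verify and len(cfg.hosts) > 1:
        problems.append("with TLS verify only the first host is used; backup hosts are never tried")
    if cfg.tls_verify and cfg.hosts and _is_ip(cfg.hosts[0]):
        problems.append("TLS verify matches the certificate name against Host; "
                        "an IP address only matches if the certificate carries it as a SAN")
    if cfg.active_directory and not cfg.app_follows_referrals and cfg.port not in GLOBAL_CATALOG_PORTS:
        problems.append("consumer cannot follow subordinate referrals; use port 3268 (LDAP) or 3269 (LDAPS)")
    return problems


if __name__ == "__main__":
    cfg = ExternalLdap("example.org", ["ldap.example.org"], 636, "cn=ro,dc=example,dc=org",
                       tls=True, tls_verify=True, base_dn="dc=example,dc=org")
    print(check_external_ldap(cfg))
```

The trade-off the page describes is visible in the checker: turning on "TLS verify" buys certificate validation but silently discards every host after the first, so an outage of the primary has no fallback.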
Password policy#
The password policy is a set of rules that defines the password complexity and the password expiration time. You can configure the password policy from the Domains and users page by selecting the interested domain and clicking Edit password policy from the three-dots menu of the Password card.
You can configure password age and password strength policy separately.
Password age#
You can toggle the password age policy by clicking on the Password age switch. If enabled, you can configure the following parameters:
Minimum password age: the minimum number of days that must pass before a new password change.
Maximum password age: password expiration time in days. After this period, the password is no longer valid for logins and must be changed. Users can change their expired password with the User Management portal.
Password strength#
By enabling the Password strength switch, you can configure the following parameters:
Password history length: the number of old passwords that cannot be reused.
Minimum password length: the minimum number of characters that a password must have.
Enforce password complexity: enforce the use of complex passwords, see the note for more details.
Note
A password is considered complex if it is long enough and meets three of the following rules:
The password must contain at least one uppercase letter.
The password must contain at least one lowercase letter.
The password must contain at least one digit.
The password must contain at least one special character.
After editing the password policy, click on the Edit password policy button to save the changes. Strength setting changes do not affect old passwords: they apply only to passwords set from now on. Age setting changes are retroactive and are applied to already set passwords, too.
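Added example (not NethServer 8 code) showing how the age and strength settings above combine when a user changes a password: minimum age blocks a change too soon after the last one, maximum age decides expiry retroactively from the date of the existing password, and the strength rules (history, minimum length, three of four character classes) apply only to the new password. Assumptions of this example: a value of 0 disables an age rule, "special character" means any non-alphanumeric character, dates are ISO strings, and old passwords are compared in clear for brevity (a directory compares hashes).

```python
from dataclasses import dataclass
from datetime import date

# Added example code, not part of NethServer 8. Assumptions: 0 disables an
# age rule; "special" = any non-alphanumeric character; history holds clear
# passwords only to keep the example short.


@dataclass
class PasswordPolicy:
    min_age_days: int = 0       # Minimum password age (0 = no minimum)
    max_age_days: int = 0       # Maximum password age (0 = never expires)
    history_length: int = 0     # Password history length (0 = no history)
    min_length: int = 8         # Minimum password length
    complexity: bool = False    # Enforce password complexity


def _days_between(start: str, end: str) -> int:
    return (date.fromisoformat(end) - date.fromisoformat(start)).days


def character_classes(pw: str) -> int:
    """How many of the four rules (uppercase, lowercase, digit, special) the password meets."""
    rules = (
        any(c.isupper() for c in pw),
        any(c.islower() for c in pw),
        any(c.isdigit() for c in pw),
        any(not c.isalnum() for c in pw),
    )
    return sum(rules)


def is_complex(pw: str, min_length: int) -> bool:
    """Complex as defined in the note: long enough and at least three of the four rules."""
    return len(pw) >= min_length and character_classes(pw) >= 3


def is_expired(policy: PasswordPolicy, last_change: str, today: str) -> bool:
    """Age rules are retroactive: they are evaluated against the existing password's date."""
    return policy.max_age_days > 0 and _days_between(last_change, today) > policy.max_age_days


def check_password_change(policy: PasswordPolicy, new_pw: str, previous: list,
                          last_change: str, today: str) -> list:
    """Problems that would reject the change; an empty list means it is accepted.

    `previous` is the password history, oldest first.
    """
    problems = []
    age = _days_between(last_change, today)
    if policy.min_age_days > 0 and age < policy.min_age_days:
        problems.append(f"changed {age} days ago; minimum age is {policy.min_age_days} days")
    if len(new_pw) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if policy.complexity and character_classes(new_pw) < 3:
        problems.append("meets fewer than three of the four complexity rules")
    if policy.history_length > 0 and new_pw in previous[-policy.history_length:]:
        problems.append(f"reuses one of the last {policy.history_length} passwords")
    return problems


if __name__ == "__main__":
    policy = PasswordPolicy(min_age_days=1, max_age_days=90, history_length=3,
                            min_length=8, complexity=True)
    history = ["Old1pass!", "Old2pass!"]          # constructed sample history
    print(check_password_change(policy, "Correct-Horse9", history, "2024-05-01", "2024-05-10"))
    print(check_password_change(policy, "Old2pass!", history, "2024-05-01", "2024-05-01"))
    print(is_expired(policy, "2024-01-01", "2024-05-01"))
```

Note that an expired password is not itself a reason to reject the change: the user must be allowed through the User Management portal to replace it, and only the new value is held to the strength rules.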
User and groups#
You can manage users and groups of a domain by clicking on the User and groups link from the Domains and users page.
If an external user domain has been configured, the page shows read-only lists. Changes to the user base must be done on the external server.
On the other hand, if a local AD or LDAP account provider has been installed, the page allows to create, modify and delete users and groups.
When creating a user, the following fields are mandatory:
User name
Full name (name and surname)
Password
A user can be added to one or more groups.
Sometimes you need to block user access to services without deleting the account. The safest approach is:
(optionally) change the user's password to a random one
disable the user using the Disable action from the three-dots menu
When a user is deleted, user data will not be removed.
User Management portal#
The user management portal is a web application that allows any non-administrator user to change their own password without the need for administrator intervention.
The portal is automatically configured on every instance of Active Directory or LDAP server RFC2307 provider.
The portal is available at the following URL:
https://<fqdn_node>/users-admin/<domain_name>/
Where <fqdn_node> is the FQDN of the node where the provider is and <domain_name> is the name of the domain provided while configuring the domain.
Warning
Without the trailing slash, the portal will not work.
Once the page is reached, the user is prompted for login and can authenticate to the domain with user name and password.
If the login is successful, the user is directed to the User Management page, where they can proceed to change the password. The new password must comply with the domain password policy.
The list of applications where the new password is effective is displayed next to the password changing form.