
Needs Review · Public

Authored by adomaitis on Mar 14 2019, 2:46 PM.

Details

Summary

This is a first attempt to add an AD schema import/load to the kolab setup tools. The idea is that when setup-kolab is run with --with-ad it should ask questions about where the AD server is and how to connect to it. Then it should compile an AD schema and load it to the AD server. AD with the Kolab schema can then be used as the LDAP server.

Test Plan

run setup with and without --with-ad

Diff Detail

Repository
rP pykolab
Branch
AD_setup_ldap
Lint
Lint OK
Unit
No Unit Test Coverage
Build Status
Buildable 23091
Build 9537: arc lint + arc unit

Event Timeline

adomaitis created this revision. Mar 14 2019, 2:46 PM
adomaitis updated this revision to Diff 1652. Mar 28 2019, 10:45 AM

Kind of finished version of the pykolab way of Active Directory setup:

  • For AD LDAP modification I decided to use Jinja2 templates, which are in the templates folder. Several reasons for that:
    • Long texts of changes to be performed in Python code do not look nice, especially when the AD Kolab schema needs to be added.
    • Ansible uses Jinja2 for templates, so templates used by setup_ldap.py can be reused with Ansible.
    • It becomes easier to load additional data into LDAP (like data for testing purposes) or to set up OpenLDAP for use with Kolab.

Using Jinja2 creates a python-jinja2 package dependency.
TODO - Need to decide where Jinja2 templates should be installed. Currently the /etc/kolab/templates/, /usr/share/kolab/templates/ and os.path.join(__file__, '..', '..', '..', 'share', 'templates') paths are used to find templates.

  • I changed the setup_ldap.py code flow. Now it first tries to determine all configuration options and then executes the required steps (be it setup of Directory Server or Active Directory). If setup is not using an alternative --config file then the get_answers() function should gather all required information; otherwise all information comes from the alternative config file.
  • A change in the pykolab/conf/__init__.py file may affect other components of pykolab. It is not clear why the default config_file and the file supplied with the --config CLI argument should be the same. Not sure what other implications this will have, but it helps to solve the issue with setup_ldap.py following 2 different code flow paths when --config is supplied and when it is not.

Now, to set up Active Directory to work with Kolab, you need to run:
setup-kolab ldap --with-ad
or alternatively
setup-kolab ldap --with-ad --config path.to.config.file
This will:

  • ask what your domain, base_dn (in AD), Administrator's bind_dn and password, AD server LDAP URI and Kolab dedicated LDAP tree DN are (this is where we keep domains, groups, shared folders, resources).
  • connect to AD LDAP and find where to load the Kolab schema (in case of an AD forest only one server can be used to load the schema; we need to make sure we load the schema onto the right server)
  • connect to AD LDAP and create the necessary LDAP tree for Kolab related LDAP objects. This is done using Jinja2 templates.
  • connect to AD LDAP and add service users (kolab-service and cyrus-admin) using templates. Users' passwords can be set using an ldaps:// connection, therefore if the LDAP URI is just ldap:// the users' passwords need to be set via the Windows Active Directory interface.
  • write all the information to the default config file /etc/kolab/kolab.conf

TODO - next step is to review the other components' setup. Active Directory uses a different object class for groups - objectclass=group instead of objectclass=groupofuniquenames. That needs to be reflected in all components' setup.
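Added example, not pykolab's or this revision's code: offline stand-ins for the AD pre-flight checks the steps above describe (locating the schema master from the rootDSE, matching the server's supportedControl list against the controls the client uses, and refusing to set a service-user password unless the URI is ldaps://). The directory contents, DNs, hostnames and the WANTED_CONTROLS set are constructed assumptions; the attribute shape mirrors what python-ldap returns from a search.

```python
from urllib.parse import urlparse

# Constructed sample directory: attribute values in the list-of-bytes shape
# python-ldap returns from search_s(); DNs and hostnames are made up.
FAKE_DIRECTORY = {
    "": {  # rootDSE
        "schemaNamingContext": [b"CN=Schema,CN=Configuration,DC=example,DC=org"],
        "supportedControl": [b"1.2.840.113556.1.4.319", b"1.2.840.113556.1.4.841"],
    },
    "CN=Schema,CN=Configuration,DC=example,DC=org": {
        "fSMORoleOwner": [b"CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,"
                          b"CN=Sites,CN=Configuration,DC=example,DC=org"],
    },
    "CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=org": {
        "dNSHostName": [b"dc1.example.org"],
    },
}

# Controls the client would like to use (assumed set, not pykolab's exact list).
WANTED_CONTROLS = {
    "paged results": "1.2.840.113556.1.4.319",
    "dirsync": "1.2.840.113556.1.4.841",
    "persistent search": "2.16.840.1.113730.3.4.3",
    "content sync (syncrepl)": "1.3.6.1.4.1.4203.1.9.1.1",
}

def read_entry(dn):
    """Stand-in for a base-scope search of one DN; returns its attribute dict."""
    return FAKE_DIRECTORY[dn]

def schema_master_host():
    """Only the schema master FSMO role holder accepts schema changes in a forest."""
    schema_nc = read_entry("")["schemaNamingContext"][0].decode()
    ntds_dn = read_entry(schema_nc)["fSMORoleOwner"][0].decode()
    # fSMORoleOwner names the NTDS Settings object; its parent is the server object.
    # Splitting on the first comma assumes no escaped commas in that RDN.
    server_dn = ntds_dn.split(",", 1)[1]
    return read_entry(server_dn)["dNSHostName"][0].decode()

def match_supported_controls():
    """Map each wanted control name to whether rootDSE advertises its OID."""
    supported = {c.decode() for c in read_entry("")["supportedControl"]}
    return {name: oid in supported for name, oid in WANTED_CONTROLS.items()}

def ad_password_value(uri, password):
    """AD only accepts unicodePwd over TLS; refuse ldap:// and encode as AD expects."""
    if urlparse(uri).scheme != "ldaps":
        raise ValueError("set passwords over ldaps://, or via the Windows AD tools")
    return ('"' + password + '"').encode("utf-16-le")
```

Against a live server the three lookups would be base-scope searches of "", the schemaNamingContext DN and the server DN; the schema step should then be pointed at the returned host rather than whichever domain controller the URI named.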

adomaitis updated this revision to Diff 1670. Apr 3 2019, 4:05 PM
  • Don't need this log.
  • Fail immediately if a connection to the LDAP server could not be made
  • Get supported LDAP controls and match with what is supported by pykolab
adomaitis updated this revision to Diff 1691. Apr 12 2019, 1:07 PM
  • Fix error message by showing which template file was not found
  • Move the find_template function to utils as there is a plan to use it elsewhere.
  • Changes to the setup-kolab mta utility to support AD. Postfix LDAP lookup tables are now created using Jinja2 templates.
  • Log clamav updates to the /var/log/freshclam.log file. Don't want to create a dir.
  • Jinja2 templates for Postfix and Amavisd configuration.