
Bug#1042456: /usr/bin/ldap-createuser-krb5 does not work



On Mon, 31 Jul 2023 13:37:17 +0200 Guido Berhoerster <guido@berhoerster.name> wrote:
> I've fixed and improved ldap-createuser-krb5 based on the template users,
> gosa behavior in bullseye, the gosa-create script as well as above
> suggestion so that it can now be used to create student/teacher which can
> successfully log in on the server as well as from a workstation in the
> internal network. The only thing that does not work for the created users
> is logging into gosa although I've added the gosaAccount which was
> missing before.
> 
> gosa logs the following error:
> 
> GOsa[unauthenticated]: (view) error : PHP error: ldap_bind(): Unable to bind to server: Invalid credentials (/usr/share/gosa/include/class_ldap.inc, line 240)
> GOsa[unauthenticated]: (view) error : PHP error: Attempt to read property "dn" on null (/usr/share/gosa/include/class_log.inc, line 59)
> GOsa[unauthenticated]: (security) login : Authentication failed for user "musma" [from 10.0.2.2]
> 
> I'm not sure whether this is another problem in gosa or if the LDAP user is
> still missing something.

The solution is to create a valid userPassword entry (using crypt(3) via
slappasswd) based on the same password used by Kerberos.

In addition, IMAP access can be fixed by sending a welcome email to
the user, which makes exim create /var/mail/<user>.

Together with the CLI improvements that allow setting the department and
additional groups, ldap-createuser-krb5 can now be used as an
alternative to gosa for creating users.

-- 
Guido Berhoerster
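
Added example, not part of the original message and not code from
ldap-createuser-krb5: one way to produce the userPassword value described
above with slappasswd and wrap it in an LDIF modify. The SHA-512 salt
format, the DN layout and the function names are assumptions.

```shell
#!/bin/sh
# Added example; function names, DN layout and the $6$ (SHA-512) crypt
# salt format are assumptions, not taken from ldap-createuser-krb5.

# Hash a password with crypt(3) via slappasswd. The password is handed over
# in a temp file (-T) rather than with -s, so it never shows up in the
# process list. mktemp creates the file with mode 0600, and printf is a
# shell builtin, so no external command sees the password in its argv.
crypt_hash() {
    pw=$1
    tmp=$(mktemp) || return 1
    # No trailing newline: only the password bytes themselves get hashed.
    printf '%s' "$pw" > "$tmp"
    hash=$(slappasswd -h '{CRYPT}' -c '$6$%.16s' -T "$tmp"); rc=$?
    rm -f "$tmp"
    [ "$rc" -eq 0 ] && printf '%s\n' "$hash"
}

# Succeed only for a {CRYPT} SHA-512 value with a salt and a digest part.
is_crypt_sha512() {
    case $1 in
        '{CRYPT}$6$'*'$'?*) return 0 ;;
        *) return 1 ;;
    esac
}

# Emit an LDIF modify that sets userPassword; refuse anything that is not
# a crypt hash so a cleartext password is never written to the directory.
userpassword_ldif() {
    dn=$1 hash=$2
    is_crypt_sha512 "$hash" || { echo "refusing non-crypt value" >&2; return 1; }
    printf 'dn: %s\nchangetype: modify\nreplace: userPassword\nuserPassword: %s\n' \
        "$dn" "$hash"
}

# Usage, with a constructed DN and the same password that was given to
# Kerberos held in $PW:
#   userpassword_ldif "uid=musma,ou=people,dc=example,dc=org" \
#       "$(crypt_hash "$PW")" | ldapmodify <bind options>
```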

