Friday, November 9, 2012

Sympa and Active Directory

Some basic steps on running sympa on Ubuntu 12.04 and using Active Directories Global Directory to auto-populate groups.

Ubuntu Notes 
  • apt-get install sympa will give you a 'mostly' working version
  •  Chown -R /var/lib/sympa sympa 
  • The suid wrapper does not work on 12.04. You will need to create a sudo wrapper instead:
  • set use_fast_cgi 1 in /etc/sympa/wwsympa.conf
  • /usr/lib/cgi-bin/sympa/wwsympa_sudo_wrapper.fcgi
  • #!/usr/bin/perl
    
    exec '/usr/bin/sudo', '-E', '-u', 'sympa', '/usr/lib/cgi-bin/sympa/wwsympa.fcgi';
    
  • In apache/conf.d/sympa, change:
    ScriptAlias /wws /usr/lib/cgi-bin/sympa/wwsympa_sudo_wrapper.pl
  • add the following line to your sudoers file:
    www-data ALL = (sympa) SETENV: NOPASSWD: /usr/lib/cgi-bin/sympa/wwsympa.fcgi
  • References:
 LDAP/AD Bound Lists
  • If you only have one domain, then you can just use the following and point at one of your domain controllers.
  • If you want to use forest-wide groups, you have two options for accessing those groups.
  • This will work this either security or distribution groups, however will NOT include nested membership.
    • In the ldap config for the group, point at the dc the group resides in. CHange suffix, host and user as appropriate, set use_ssl to yes, drop the :3268
    • Make the group universal and use the global directory (route I chose)
  • LDAP Configuration
    include_ldap_query
    attrs mail
    filter memberof=Some Group,OU=...,OU=...,DC=research,DC=domain,DC=org
    ssl_ciphers ALL
    name any_name
    host dc1.mydomain.org:3268
    use_ssl no
    passwd your_password
    timeout 30
    suffix DC=domain,DC=org
    user   CN=Read Account,OU=...,DC=domain,DC=org
    ssl_version sslv2
    scope sub
    select first
    ssl_version tls
    
  • References