On Mon, 31 Jul 2023 13:37:17 +0200 Guido Berhoerster <gu...@berhoerster.name> wrote:
> I've fixed and improved ldap-createuser-krb5 based on the template users,
> gosa behavior in bullseye, the gosa-create script as well as above
> suggestion so that it can now be used to create student/teacher which can
> successfully login on the server as well as from a workstation in the
> internal network. The only thing that does not work for the created users
> is logging into gosa although I've added the gosaAccount which was
> missing before.
>
> gosa logs the following error:
>
> GOsa[unauthenticated]: (view) error : PHP error: ldap_bind(): Unable to bind
> to server: Invalid credentials (/usr/share/gosa/include/class_ldap.inc, line
> 240)
> GOsa[unauthenticated]: (view) error : PHP error: Attempt to read property
> "dn" on null (/usr/share/gosa/include/class_log.inc, line 59)
> GOsa[unauthenticated]: (security) login : Authentication failed for user
> "musma" [from 10.0.2.2]
>
> I'm not sure whether this is another problem in gosa or if the LDAP user is
> still missing something.

The solution is to create a valid userPassword entry (using crypt(3) via
slappasswd) based on the same password used by Kerberos.

In addition IMAP access via can be fixed by sending a welcome email to the
user which makes exim create /var/mail/<user>.

Together with the CLI improvements allowing to set the department and
additional groups ldap-createuser-krb5 can now be used as an alternative to
gosa for creating users.

-- 
Guido Berhoerster
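
The step described in the message above, as an added example that is not part of the original message or of ldap-createuser-krb5: hashing the password with crypt(3) through slappasswd and building the LDIF change that sets userPassword. It assumes OpenLDAP's slappasswd is installed; the function names and the SHA-512 salt format are choices made for this example.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not from ldap-createuser-krb5.

# Hash the password stored in file $1 with crypt(3) SHA-512 ($6$).
# slappasswd -T hashes the file content byte for byte, so the file must hold
# the password WITHOUT a trailing newline (write it with printf '%s').
# Using -T instead of -s keeps the cleartext out of the process list.
crypt_hash() {
    slappasswd -n -h '{CRYPT}' -c '$6$%.16s' -T "$1"
}

# Print an LDIF change record that sets userPassword on entry $1 to hash $2.
# Anything that is not a {CRYPT} value is refused, so a cleartext password
# passed by mistake never lands in the directory.
userpassword_ldif() {
    case "$2" in
        '{CRYPT}$'?*) ;;
        *) echo "refusing non-{CRYPT} userPassword value" >&2; return 1 ;;
    esac
    printf 'dn: %s\nchangetype: modify\nreplace: userPassword\nuserPassword: %s\n' \
        "$1" "$2"
}

# Typical use (not run here; $pwfile should be created under umask 077 and
# removed afterwards, and ldapmodify needs the bind options of your site):
#   printf '%s' "$password" > "$pwfile"
#   userpassword_ldif "$user_dn" "$(crypt_hash "$pwfile")" | ldapmodify ...
```

The same cleartext must also be the one set for the Kerberos principal, otherwise the LDAP bind password and the Kerberos password diverge.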