
Thread: GAL Question

  1. #1
    rjpaw is offline Member
    Join Date
    Jun 2006
    Posts
    10
    Rep Power
    9

    GAL Question

    It seems I have everything working, with the exception of getting the GAL to work with AD. I get a message in the wizard that the test was successful, but I get no results returned regardless of what I search for.

    I'm curious as to what field is polled in AD for the GAL searches in Zimbra?


    BTW: Great site! The few prior issues I had getting set up to this point were only a search or two away on the forums here.

  2. #2
    KevinH's Avatar
    KevinH is offline Expert Member
    Join Date
    Aug 2005
    Location
    San Mateo, CA
    Posts
    4,789
    Rep Power
    18

    Quote Originally Posted by rjpaw
    I'm curious as to what field is polled in AD for the GAL searches in Zimbra?
    You should be able to see the LDAP filter we use with zmlocalconfig
    Looking for new beta users -> Co-Founder of Acompli. Previously worked at Zimbra (and Yahoo! & VMware) since 2005.

  3. #3
    rjpaw is offline Member
    Join Date
    Jun 2006
    Posts
    10
    Rep Power
    9

    Call me slow, but I've been through the information and various config files listed therein numerous times, but I don't see where in ZMLOCALCONFIG the LDAP query to AD is. This is my one stumbling point here.

    Here's the output from the command:

    [zimbra@tux conf]$ zmlocalconfig
    av_notify_user = admin@asherco1.com
    ldap_connect_pool_debug = false
    ldap_connect_pool_initsize = 1
    ldap_connect_pool_maxsize = 25
    ldap_connect_pool_prefsize = 0
    ldap_connect_pool_timeout = 120000
    ldap_connect_timeout = 10000
    ldap_host =
    ldap_is_master = true
    ldap_log_level = 0
    ldap_master_url = ldap://tux.ash.web:389
    ldap_port =
    ldap_root_password = *
    ldap_url = ldap://tux.ash.web
    localized_msgs_directory = ${zimbra_home}/conf/msgs
    logger_mysql_bind_address = localhost
    logger_mysql_data_directory = ${zimbra_home}/logger/db/data
    logger_mysql_directory = ${zimbra_home}/logger/mysql
    logger_mysql_mycnf = ${zimbra_home}/conf/my.logger.cnf
    logger_mysql_pidfile = ${zimbra_home}/logger/db/mysql.pid
    logger_mysql_port = 7307
    logger_mysql_socket = ${zimbra_home}/logger/db/mysql.sock
    mysql_bind_address = localhost
    mysql_data_directory = ${zimbra_db_directory}/data
    mysql_directory = ${zimbra_home}/mysql
    mysql_innodb_log_buffer_size = 8388608
    mysql_innodb_log_file_size = 104857600
    mysql_logger_root_password = *
    mysql_memory_percent = 40
    mysql_mycnf = ${zimbra_home}/conf/my.cnf
    mysql_pidfile = ${zimbra_db_directory}/mysql.pid
    mysql_port = 7306
    mysql_read_buffer_size = 1048576
    mysql_root_password = *
    mysql_socket = ${zimbra_db_directory}/mysql.sock
    mysql_sort_buffer_size = 1048576
    mysql_table_cache = 500
    nio_imap_enable = false
    nio_imap_log_buffers = false
    postfix_alias_maps = hash:/etc/aliases
    postfix_broken_sasl_auth_clients = yes
    postfix_command_directory = /opt/zimbra/postfix-${postfix_version}/sbin
    postfix_daemon_directory = /opt/zimbra/postfix-${postfix_version}/libexec
    postfix_header_checks = pcre:/opt/zimbra/conf/postfix_header_checks
    postfix_mailq_path = /opt/zimbra/postfix-${postfix_version}/sbin/mailq
    postfix_manpage_directory = /opt/zimbra/postfix-${postfix_version}/man
    postfix_newaliases_path = /opt/zimbra/postfix-${postfix_version}/sbin/newaliases
    postfix_queue_directory = /opt/zimbra/postfix-${postfix_version}/spool
    postfix_sender_canonical_maps = ldap:/opt/zimbra/conf/ldap-scm.cf
    postfix_sendmail_path = /opt/zimbra/postfix-${postfix_version}/sbin/sendmail
    postfix_smtpd_client_restrictions = reject_unauth_pipelining
    postfix_smtpd_data_restrictions = reject_unauth_pipelining
    postfix_smtpd_helo_required = yes
    postfix_smtpd_tls_cert_file = ${zimbra_home}/conf/smtpd.crt
    postfix_smtpd_tls_key_file = ${zimbra_home}/conf/smtpd.key
    postfix_smtpd_tls_loglevel = 3
    postfix_transport_maps = ldap:/opt/zimbra/conf/ldap-transport.cf
    postfix_version = 2.2.9
    postfix_virtual_alias_domains = ldap://opt/zimbra/conf/ldap-vad.cf
    postfix_virtual_alias_maps = ldap:/opt/zimbra/conf/ldap-vam.cf
    postfix_virtual_mailbox_domains = ldap:/opt/zimbra/conf/ldap-vmd.cf
    postfix_virtual_mailbox_maps = ldap:/opt/zimbra/conf/ldap-vmm.cf
    postfix_virtual_transport = error
    smtp_destination = admin@asherco1.com
    smtp_notify = yes
    smtp_source = admin@asherco1.com
    snmp_notify = yes
    snmp_trap_host = tux.ash.web
    ssl_allow_untrusted_certs = TRUE
    stats_img_folder = ${zimbra_home}/zimbramon/rrdtool/work
    tomcat_directory = ${zimbra_home}/tomcat
    tomcat_java_heap_memory_percent = 30
    tomcat_java_home = ${zimbra_java_home}
    tomcat_java_options = -client -XX:NewRatio=2
    tomcat_keystore = ${tomcat_directory}/conf/keystore
    tomcat_pidfile = ${zimbra_log_directory}/tomcat.pid
    trial_expiration_date = 20060909
    wiki_enabled = false
    wiki_user = wiki
    zimbra_auth_always_send_refer = false
    zimbra_db_directory = ${zimbra_home}/db
    zimbra_extension_directory = ${zimbra_home}/lib/ext
    zimbra_gid = 501
    zimbra_home = /opt/zimbra
    zimbra_index_directory = ${zimbra_home}/index
    zimbra_index_idle_flush_time = 600
    zimbra_index_lru_size = 100
    zimbra_index_max_uncommitted_operations = 200
    zimbra_java_home = ${zimbra_home}/java
    zimbra_ldap_password = *
    zimbra_ldap_userdn = uid=zimbra,cn=admins,cn=zimbra
    zimbra_log4j_properties = ${zimbra_home}/conf/log4j.properties
    zimbra_log_directory = ${zimbra_home}/log
    zimbra_logger_mysql_password = *
    zimbra_mtareport_max_recipients = 50
    zimbra_mtareport_max_senders = 50
    zimbra_mysql_connector_maxActive = 20
    zimbra_mysql_password = *
    zimbra_mysql_user = zimbra
    zimbra_server_hostname = tux.ash.web
    zimbra_spam_report_queue_size = 100
    zimbra_store_directory = ${zimbra_home}/store
    zimbra_store_sweeper_max_age = 480
    zimbra_tmp_directory = /tmp/zimbra
    zimbra_uid = 500
    zimbra_user = zimbra
    zimlet_directory = ${tomcat_directory}/webapps/service/zimlet
    [zimbra@tux conf]$

    My apologies in advance if the answer is there and I keep missing it...

  4. #4
    bobby is offline Zimbra Employee
    Join Date
    Nov 2005
    Posts
    518
    Rep Power
    10

    try looking in "zmprov gd asherco1.com" and "zmprov gacf"

  5. #5
    Shurik is offline Member
    Join Date
    Aug 2006
    Posts
    12
    Rep Power
    8

    Same Issue

    Hi, I just installed Zimbra. At first I had issues w. GAL working w. AD then it somehow started working using LDAP setting instead of AD. After rebooting Zimbra server it stopped working again. I get a successful test, but no results?
    Is this a bug? Please help

  6. #6
    rjpaw is offline Member
    Join Date
    Jun 2006
    Posts
    10
    Rep Power
    9

    Quote Originally Posted by Shurik
    Hi, I just installed Zimbra. At first I had issues w. GAL working w. AD then it somehow started working using LDAP setting instead of AD. After rebooting Zimbra server it stopped working again. I get a successful test, but no results?
    Is this a bug? Please help

    Honestly, I never got results to appear in the test window regardless of the settings that I applied in the GAL setup wizard, however as long as an error was not returned for the test, I usually got good results doing a GAL search in the WEB UI.

    As an aside, I also was never able to get the AD "Server Type" setting to work, however if I used Both or external for the GAL mode and used the generic LDAP setting for the server type, it worked perfectly. Currently I'm using "both" as the mode and LDAP as the server type with ZCS 3.2 Beta 2 on RHEL, and don't have any problems on the ZCS side.

    If you can't get good results in the Web UI try doing an ldapsearch from the command line on the server to see if you're getting good results returned from the LDAP filter that you're using.

    Hope some of that helps a little...

  7. #7
    Shurik is offline Member
    Join Date
    Aug 2006
    Posts
    12
    Rep Power
    8

    Well.. the GUI test doesn't show me anything, but says success.. but it used to at one point before a reboot, it actually showed me results. I am not really sure on the syntax of ldapsearch command, but I do use
    zmprov sg domain.com to test it and it works. I get results based on my search. So I am not sure what is going on..
    In the Webmail interface doing a search in GAL returns nothing either.
    The frustrating part is, it WORKED at one point, I have no idea how I got it to work, and now it's broken.
    I am running in Both mode.
    Server Type LDAP - connecting to 2000 AD
    here is my string:
    (&(|(displayName=*%s*)(department=*%s*)(telephoneNumber=*%s*)(mail=*%s*)))

    this used to work in Admin GUI and Webmail. Please help. I have to demo this thing to clients this Thursday and it broke at a very bad time for me. Yikes!!
    Oh.. just remembered. I tried to run the webmail interface over https for a minute there, but decided to change it back to http. That was the breaking point.
    Last edited by Shurik; 08-07-2006 at 08:40 AM.

  8. #8
    rjpaw is offline Member
    Join Date
    Jun 2006
    Posts
    10
    Rep Power
    9

    Are you using ZCS 3.14 or the 3.2 beta?

    I never used the zmprov sg command before and just tried it, but it errored out for me. Do you know for a fact though that it actually searches the AD GAL and not the internal Zimbra GAL? (i.e., Zimbra just searching its user account base, as opposed to going out to the AD server and pulling the information out of AD.)

    Here's a sample LDAPsearch string based off my LDAP schema:

    ldapsearch -x -D cn=ZimbraAccount,cn=users,dc=domain,dc=com -w password -h server.domain.com -b cn=users,dc=domain,dc=com mail=*

    -D is the Bind DN account for your AD domain and its LDAP path,
    -w is the password for that account,
    -h is one of your DCs for AD, and
    -b is the search base for your query.
    I used mail=* as my query just for test purposes in LDAP search.

    The other thing I would try is to limit the scope of the ldap search. Try just (mail=*%s*) at first and see if you can get that working. Also try stopping and starting Tomcat after you make a change to be sure any old configuration is flushed out. If that works, there's a problem with your search filter, and you can work up from there to figure out where your problem is.

    Are there any errors in the logs after you try and do a search?

  9. #9
    Shurik is offline Member
    Join Date
    Aug 2006
    Posts
    12
    Rep Power
    8

    I am using 3.14 on Fedora 4. Yes I was able to verify that zmprov command does indeed search the AD because it returns results of users that are not a part of internal zimbra GAL. They only exist in AD.
    I am still not having any luck w. ldapsearch command using your example.
    I get
    "ldap_bind: Invalid credentials (49)
    additional info: 80090308: LdapErr: DSID-0C09030B, comment: AcceptSecurityContext error, data 525, v893"
    when I run the command.
    The credentials that I use are the same that I specify in the Admin GUI for Bind DN and are also the same credentials that zmprov command uses to authenticate w. my AD server.. So I know for a fact that the credentials are good as well. I also did reduce my scope of ldap search down to
    (&(|(mail=*%s*) and still get blanks.
    I did find a posting that someone finally got it to work but had no idea how. It just started working for them.. I don't really like that type of a solution
    I wish that someone at Zimbra could give some more input to this issue.. ehhh
    Where are the logs that I need to look at?
    Last edited by Shurik; 08-07-2006 at 10:28 AM.
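
Added example (not part of any post in this thread): a small Python parser for the bind failure quoted in post #9. LDAP result 49 covers several distinct Active Directory conditions, and the hex `data` value in the additional info says which one; `data 525` is the Win32 code for "user not found", which points at the bind DN passed to ldapsearch rather than at the password. The function name and the advice strings are this example's own.

```python
import re

# AD reports a Win32 error code, in hex, in the "data" field of a failed bind.
AD_BIND_SUBCODES = {
    0x525: ("user not found", "check the bind DN / account name"),
    0x52E: ("invalid credentials", "account exists; the password is wrong"),
    0x530: ("not permitted to log on at this time", "check logon hours"),
    0x531: ("not permitted to log on at this workstation", "check workstation limits"),
    0x532: ("password expired", "reset the password"),
    0x533: ("account disabled", "enable the account"),
    0x701: ("account expired", "extend the account expiry"),
    0x773: ("user must reset password", "clear the must-change flag"),
    0x775: ("account locked out", "unlock it and review the failed binds"),
}

BIND_ERR = re.compile(r"ldap_bind:\s*(?P<text>.+?)\s*\((?P<rc>\d+)\)")
AD_INFO = re.compile(r"AcceptSecurityContext error, data (?P<data>[0-9a-fA-F]+)")

# The error text posted in #9, verbatim.
POST_9_ERROR = (
    "ldap_bind: Invalid credentials (49)\n"
    "additional info: 80090308: LdapErr: DSID-0C09030B, comment: "
    "AcceptSecurityContext error, data 525, v893"
)

def diagnose(output):
    """Return a dict describing a failed ldapsearch bind against AD, or None."""
    bind = BIND_ERR.search(output)
    if not bind:
        return None
    result = {"ldap_rc": int(bind.group("rc")), "ldap_text": bind.group("text")}
    info = AD_INFO.search(output)
    if info:
        code = int(info.group("data"), 16)
        meaning, action = AD_BIND_SUBCODES.get(
            code, ("unknown sub-code", "look up the Win32 error number"))
        result.update(ad_data=code, meaning=meaning, action=action)
    return result

if __name__ == "__main__":
    print(diagnose(POST_9_ERROR))
```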

  10. #10
    rjpaw is offline Member
    Join Date
    Jun 2006
    Posts
    10
    Rep Power
    9

    Quote Originally Posted by Shurik
    I am using 3.14 on Fedora 4. Yes I was able to verify that zmprov command does indeed search the AD because it returns results of users that are not a part of internal zimbra GAL. They only exist in AD.
    I am still not having any luck w. ldapsearch command using your example.
    I get
    "ldap_bind: Invalid credentials (49)
    additional info: 80090308: LdapErr: DSID-0C09030B, comment: AcceptSecurityContext error, data 525, v893"
    when I run the command.
    The credentials that I use are the same that I specify in the Admin GUI for Bind DN and are also the same credentials that zmprov command uses to authenticate w. my AD server.. So I know for a fact that the credentials are good as well.
    I've had this same problem. AD Auth would work in 3.14, however the GAL would not using the same account. In my case it turned out to be a bad search string. I was using the default AD search base and had the server type set to AD. I used the zmprov mcf to modify the AD filter and it started to work for me.
    Now I'm using the LDAP server type in ZCS version 3.2, and use
    (|(cn=*%s*)(sn=*%s*)(gn=*%s*)(mail=*%s*))
    which is the default string.

    I also did reduce my scope of ldap search down to
    (&(|(mail=*%s*) and still get blanks.
    I did find a posting that someone finally got it to work but had no idea how. It just started working for them.. I don't really like that type of a solution
    I wish that someone at Zimbra could give some more input to this issue.. ehhh
    I don't know if it was a typo or not, but the filter seems to be missing )) at the end of the string. I think you have to close each ( but not positive on that one. You also should just have to use (mail=*%s*) and nothing else. What is odd though is that ldapsearch isn't working. Assuming all the pathing is correct in your accounts, this should return a list of your users in AD that have something entered in the E-Mail: field in their account. The fact that doesn't work but zmprov sg works is odd. I don't really know what direction to point you in at this point, though I am still kind of concerned that ldapsearch didn't work. If you have an ldap browser you can try using that to browse the AD with the same credentials just to be certain there are no account issues. I still have an unresolved issue with getting LDAP queries to work with anything but the Domain admin account in AD as my bind DN.

    I know there were a few quirks in 3.14 that had me questioning if I could put this in a production environment. I started testing 3.2 at the same time on a separate box, and everything seemed to work so much smoother that I upgraded the main box to beta 3.2. Honestly, the autocomplete feature for mail addresses in the Web UI is worth the upgrade alone. Prob not what you wanted to hear, but almost all of my GAL issues never appeared on the 3.2 box. (Still have a bug report in about sorting A-Z, and only being able to use my admin account as the Bind DN).

    The other users I have testing love the autocomplete feature (and never use the GAL search) as well. At the very least, if you have another box you should check it out. Not sure what OS it runs on though, I'm using RHEL 4, and I don't know if the beta was just limited to that OS.

    Where are the logs that I need to look at?
    Logs can be found in /opt/zimbra/log and /var/log.
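
Added example (not from the thread or from Zimbra's code): a Python check that a GAL filter template is one well-formed LDAP filter, run over the templates quoted in posts #7, #9 and #10. It goes one step beyond the thread by hex-escaping the search term per RFC 4515 before it replaces `%s`, so a term containing `(`, `)` or `*` cannot change the filter's structure; whether ZCS escapes terms this way is not stated on this page, and all function names are this example's own.

```python
def escape_term(term):
    """Hex-escape the characters RFC 4515 reserves inside a filter value."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in term)

def parse(flt, pos=0):
    """Check one parenthesised filter starting at pos; return the offset after it."""
    if flt[pos:pos + 1] != "(":
        raise ValueError("expected '(' at offset %d" % pos)
    pos += 1
    if flt[pos:pos + 1] in ("&", "|", "!"):
        op, pos, operands = flt[pos], pos + 1, 0
        while flt[pos:pos + 1] == "(":
            pos, operands = parse(flt, pos), operands + 1
        if operands == 0 or (op == "!" and operands != 1):
            raise ValueError("operator %r has a bad operand count" % op)
    else:
        end = pos
        while end < len(flt) and flt[end] not in "()":
            end += 1
        if "=" not in flt[pos:end][1:]:
            raise ValueError("bad attribute test %r" % flt[pos:end])
        pos = end
    if flt[pos:pos + 1] != ")":
        raise ValueError("missing ')' at offset %d" % pos)
    return pos + 1

def validate(template):
    """Return None for one well-formed filter, else a description of the fault."""
    try:
        end = parse(template)
    except ValueError as exc:
        return str(exc)
    return None if end == len(template) else "trailing text at offset %d" % end

def expand(template, term):
    """Validate the template, then put the escaped term in place of every %s."""
    if validate(template):
        raise ValueError(validate(template))
    return template.replace("%s", escape_term(term))

# Filter templates quoted in the thread (posts #7, #9 and #10).
THREAD_FILTERS = [
    "(&(|(displayName=*%s*)(department=*%s*)(telephoneNumber=*%s*)(mail=*%s*)))",
    "(&(|(mail=*%s*)",
    "(|(cn=*%s*)(sn=*%s*)(gn=*%s*)(mail=*%s*))",
]

if __name__ == "__main__":
    for tpl in THREAD_FILTERS:
        print(tpl, "->", validate(tpl) or "ok")
```

Only the second template fails: it opens three groups and closes one, which matches the missing `))` noted in post #10.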
