  #1 (permalink)  
Old 06-29-2006, 06:59 AM
Member
 
Posts: 10
Question GAL Question

It seems I have everything working, with the exception of getting the GAL to work with AD. I get a message in the wizard that the test was successful, but I get no results returned regardless of what I search for.

I'm curious as to what field is polled in AD for the GAL searches in Zimbra?


BTW: Great site! The few prior issues I had getting set up to this point were only a search or two away on the forums here.
Reply With Quote
  #2 (permalink)  
Old 07-03-2006, 12:55 AM
Zimbra Employee
 
Posts: 4,792
Default

Quote:
Originally Posted by rjpaw
I'm curious as to what field is polled in AD for the GAL searches in Zimbra?
You should be able to see the LDAP filter we use with zmlocalconfig
Reply With Quote
  #3 (permalink)  
Old 07-11-2006, 02:36 PM
Member
 
Posts: 10
Default

Call me slow, but I've been through the information and various config files listed therein numerous times, but I don't see where in ZMLOCALCONFIG the LDAP query to AD is. This is my one stumbling point here.

Here's the output from the command:

[zimbra@tux conf]$ zmlocalconfig
av_notify_user = admin@asherco1.com
ldap_connect_pool_debug = false
ldap_connect_pool_initsize = 1
ldap_connect_pool_maxsize = 25
ldap_connect_pool_prefsize = 0
ldap_connect_pool_timeout = 120000
ldap_connect_timeout = 10000
ldap_host =
ldap_is_master = true
ldap_log_level = 0
ldap_master_url = ldap://tux.ash.web:389
ldap_port =
ldap_root_password = *
ldap_url = ldap://tux.ash.web
localized_msgs_directory = ${zimbra_home}/conf/msgs
logger_mysql_bind_address = localhost
logger_mysql_data_directory = ${zimbra_home}/logger/db/data
logger_mysql_directory = ${zimbra_home}/logger/mysql
logger_mysql_mycnf = ${zimbra_home}/conf/my.logger.cnf
logger_mysql_pidfile = ${zimbra_home}/logger/db/mysql.pid
logger_mysql_port = 7307
logger_mysql_socket = ${zimbra_home}/logger/db/mysql.sock
mysql_bind_address = localhost
mysql_data_directory = ${zimbra_db_directory}/data
mysql_directory = ${zimbra_home}/mysql
mysql_innodb_log_buffer_size = 8388608
mysql_innodb_log_file_size = 104857600
mysql_logger_root_password = *
mysql_memory_percent = 40
mysql_mycnf = ${zimbra_home}/conf/my.cnf
mysql_pidfile = ${zimbra_db_directory}/mysql.pid
mysql_port = 7306
mysql_read_buffer_size = 1048576
mysql_root_password = *
mysql_socket = ${zimbra_db_directory}/mysql.sock
mysql_sort_buffer_size = 1048576
mysql_table_cache = 500
nio_imap_enable = false
nio_imap_log_buffers = false
postfix_alias_maps = hash:/etc/aliases
postfix_broken_sasl_auth_clients = yes
postfix_command_directory = /opt/zimbra/postfix-${postfix_version}/sbin
postfix_daemon_directory = /opt/zimbra/postfix-${postfix_version}/libexec
postfix_header_checks = pcre:/opt/zimbra/conf/postfix_header_checks
postfix_mailq_path = /opt/zimbra/postfix-${postfix_version}/sbin/mailq
postfix_manpage_directory = /opt/zimbra/postfix-${postfix_version}/man
postfix_newaliases_path = /opt/zimbra/postfix-${postfix_version}/sbin/newaliases
postfix_queue_directory = /opt/zimbra/postfix-${postfix_version}/spool
postfix_sender_canonical_maps = ldap:/opt/zimbra/conf/ldap-scm.cf
postfix_sendmail_path = /opt/zimbra/postfix-${postfix_version}/sbin/sendmail
postfix_smtpd_client_restrictions = reject_unauth_pipelining
postfix_smtpd_data_restrictions = reject_unauth_pipelining
postfix_smtpd_helo_required = yes
postfix_smtpd_tls_cert_file = ${zimbra_home}/conf/smtpd.crt
postfix_smtpd_tls_key_file = ${zimbra_home}/conf/smtpd.key
postfix_smtpd_tls_loglevel = 3
postfix_transport_maps = ldap:/opt/zimbra/conf/ldap-transport.cf
postfix_version = 2.2.9
postfix_virtual_alias_domains = ldap://opt/zimbra/conf/ldap-vad.cf
postfix_virtual_alias_maps = ldap:/opt/zimbra/conf/ldap-vam.cf
postfix_virtual_mailbox_domains = ldap:/opt/zimbra/conf/ldap-vmd.cf
postfix_virtual_mailbox_maps = ldap:/opt/zimbra/conf/ldap-vmm.cf
postfix_virtual_transport = error
smtp_destination = admin@asherco1.com
smtp_notify = yes
smtp_source = admin@asherco1.com
snmp_notify = yes
snmp_trap_host = tux.ash.web
ssl_allow_untrusted_certs = TRUE
stats_img_folder = ${zimbra_home}/zimbramon/rrdtool/work
tomcat_directory = ${zimbra_home}/tomcat
tomcat_java_heap_memory_percent = 30
tomcat_java_home = ${zimbra_java_home}
tomcat_java_options = -client -XX:NewRatio=2
tomcat_keystore = ${tomcat_directory}/conf/keystore
tomcat_pidfile = ${zimbra_log_directory}/tomcat.pid
trial_expiration_date = 20060909
wiki_enabled = false
wiki_user = wiki
zimbra_auth_always_send_refer = false
zimbra_db_directory = ${zimbra_home}/db
zimbra_extension_directory = ${zimbra_home}/lib/ext
zimbra_gid = 501
zimbra_home = /opt/zimbra
zimbra_index_directory = ${zimbra_home}/index
zimbra_index_idle_flush_time = 600
zimbra_index_lru_size = 100
zimbra_index_max_uncommitted_operations = 200
zimbra_java_home = ${zimbra_home}/java
zimbra_ldap_password = *
zimbra_ldap_userdn = uid=zimbra,cn=admins,cn=zimbra
zimbra_log4j_properties = ${zimbra_home}/conf/log4j.properties
zimbra_log_directory = ${zimbra_home}/log
zimbra_logger_mysql_password = *
zimbra_mtareport_max_recipients = 50
zimbra_mtareport_max_senders = 50
zimbra_mysql_connector_maxActive = 20
zimbra_mysql_password = *
zimbra_mysql_user = zimbra
zimbra_server_hostname = tux.ash.web
zimbra_spam_report_queue_size = 100
zimbra_store_directory = ${zimbra_home}/store
zimbra_store_sweeper_max_age = 480
zimbra_tmp_directory = /tmp/zimbra
zimbra_uid = 500
zimbra_user = zimbra
zimlet_directory = ${tomcat_directory}/webapps/service/zimlet
[zimbra@tux conf]$

My apologies in advance if the answer is there and I keep missing it...
Reply With Quote
  #4 (permalink)  
Old 07-11-2006, 11:39 PM
Zimbra Employee
 
Posts: 515
Default

try looking in "zmprov gd asherco1.com" and "zmprov gacf"
Reply With Quote
  #5 (permalink)  
Old 08-05-2006, 06:13 AM
Member
 
Posts: 12
Default Same Issue

Hi, I just installed Zimbra. At first I had issues w. GAL working w. AD then it somehow started working using LDAP setting instead of AD. After rebooting Zimbra server it stopped working again. I get a successful test, but no results?
Is this a bug? please help
Reply With Quote
  #6 (permalink)  
Old 08-07-2006, 08:09 AM
Member
 
Posts: 10
Default

Quote:
Originally Posted by Shurik
Hi, I just installed Zimbra. At first I had issues w. GAL working w. AD then it somehow started working using LDAP setting instead of AD. After rebooting Zimbra server it stopped working again. I get a successful test, but no results?
Is this a bug? please help

Honestly, I never got results to appear in the test window regardless of the settings that I applied in the GAL setup wizard, however as long as an error was not returned for the test, I usually got good results doing a GAL search in the WEB UI.

As an aside, I also was never able to get the AD "Server Type" setting to work, however if I used Both or external for the GAL mode and used the generic LDAP setting for the server type, it worked perfectly. Currently I'm using "both" as the mode and LDAP as the server type with ZCS 3.2 Beta 2 on RHEL, and don't have any problems on the ZCS side.

If you can't get good results in the Web UI try doing an ldapsearch from the command line on the server to see if you're getting good results returned from the LDAP filter that you're using.

Hope some of that helps a little...
Reply With Quote
  #7 (permalink)  
Old 08-07-2006, 08:34 AM
Member
 
Posts: 12
Default

Well.. the GUI test doesn't show me anything, but says success.. but it used to at one point before a reboot, it actually showed me results. I am not really sure on the syntax of ldapsearch command, but I do use
zmprov sg domain.com to test it and it works. I get results based on my search. So I am not sure what is going on..
In the Webmail interface doing a search in GAL returns nothing either.
The frustrating part is, it WORKED at one point, I have no idea how I got it to work, and now it's broken.
I am running in Both mode.
Server Type LDAP - connecting to 2000 AD
here is my string:
(&(|(displayName=*%s*)(department=*%s*)(telephoneNumber=*%s*)(mail=*%s*)))

this used to work in Admin GUI and Webmail. Please help. I have to demo this thing to clients this Thursday and it broke at a very bad time for me. Yikes!!
Oh.. just remembered. I tried to run the webmail interface over https for a minute there, but decided to change it back to http. That was the breaking point.

Last edited by Shurik; 08-07-2006 at 08:40 AM..
Reply With Quote
  #8 (permalink)  
Old 08-07-2006, 09:59 AM
Member
 
Posts: 10
Default

Are you using ZCS 3.14 or the 3.2 beta?

I never used the zmprov sg command before and just tried it, but it errored out for me. Do you know for a fact though that it actually searches the AD GAL and not the internal Zimbra GAL? (i.e., Zimbra just searching its user account base, as opposed to going out to the AD server and pulling the information out of AD.)

Here's a sample LDAPsearch string based off my LDAP schema:

ldapsearch -x -D cn=ZimbraAccount,cn=users,dc=domain,dc=com -w password -h server.domain.com -b cn=users,dc=domain,dc=com mail=*

-D is the Bind DN account for your AD domain and its LDAP path,
-w is the password for that account,
-h is one of your DCs for AD, and
-b is the search base for your query.
I used mail=* as my query just for test purposes in LDAP search.

The other thing I would try is to limit the scope of the ldap search. Try just (mail=*%s*) at first and see if you can get that working. Also try stopping and starting Tomcat after you make a change to be sure any old configuration is flushed out. If that works, there's a problem with your search filter, and you can work up from there to figure out where your problem is.

Are there any errors in the logs after you try and do a search?
Reply With Quote
  #9 (permalink)  
Old 08-07-2006, 10:26 AM
Member
 
Posts: 12
Default

I am using 3.14 on Fedora 4. Yes I was able to verify that zmprov command does indeed search the AD because it returns results of users that are not a part of internal zimbra GAL. They only exist in AD.
I am still not having any luck w. ldapsearch command using your example.
I get
"ldap_bind: Invalid credentials (49)
additional info: 80090308: LdapErr: DSID-0C09030B, comment: AcceptSecurityContext error, data 525, v893"
when I run the command.
The credentials that I use are the same that I specify in the Admin GUI for Bind DN and are also the same credentials that zmprov command uses to authenticate w. my AD server.. So I know for a fact that the credentials are good as well. I also did reduce my scope of ldap search down to
(&(|(mail=*%s*) and still get blanks.
I did find a posting that someone finally got it to work but had no idea how. It just started working for them.. I don't really like that type of a solution
I wish that someone at Zimbra could give some more input to this issue.. ehhh
Where are the logs that I need to look at?

Last edited by Shurik; 08-07-2006 at 10:28 AM..
Reply With Quote
  #10 (permalink)  
Old 08-07-2006, 12:12 PM
Member
 
Posts: 10
Default

Quote:
Originally Posted by Shurik
I am using 3.14 on Fedora 4. Yes I was able to verify that zmprov command does indeed search the AD because it returns results of users that are not a part of internal zimbra GAL. They only exist in AD.
I am still not having any luck w. ldapsearch command using your example.
I get
"ldap_bind: Invalid credentials (49)
additional info: 80090308: LdapErr: DSID-0C09030B, comment: AcceptSecurityContext error, data 525, v893"
when I run the command.
The credentials that I use are the same that I specify in the Admin GUI for Bind DN and are also the same credentials that zmprov command uses to authenticate w. my AD server.. So I know for a fact that the credentials are good as well.
I've had this same problem. AD Auth would work in 3.14, however the GAL would not using the same account. In my case it turned out to be a bad search string. I was using the default AD search base and had the server type set to AD. I used the zmprov mcf to modify the AD filter and it started to work for me.
Now I'm using the LDAP server type in ZCS version 3.2, and use
(|(cn=*%s*)(sn=*%s*)(gn=*%s*)(mail=*%s*))
which is the default string.

Quote:
I also did reduce my scope of ldap search down to
(&(|(mail=*%s*) and still get blanks.
I did find a posting that someone finally got it to work but had no idea how. It just started working for them.. I don't really like that type of a solution
I wish that someone at Zimbra could give some more input to this issue.. ehhh
I don't know if it was a typo or not, but the filter seems to be missing )) at the end of the string. I think you have to close each ( but not positive on that one. You also should just have to use (mail=*%s*) and nothing else. What is odd though is that ldapsearch isn't working. Assuming all the pathing is correct in your accounts, this should return a list of your users in AD that have something entered in the E-Mail: field in their account. The fact that doesn't work but zmprov sg works is odd. I don't really know what direction to point you in at this point, though I am still kind of concerned that ldapsearch didn't work. If you have an ldap browser you can try using that to browse the AD with the same credentials just to be certain there are no account issues. I still have an unresolved issue with getting LDAP queries to work with anything but the Domain admin account in AD as my bind DN.

I know there were a few quirks in 3.14 that had me questioning if I could put this in a production environment. I started testing 3.2 at the same time on a separate box, and everything seemed to work so much smoother that I upgraded the main box to beta 3.2. Honestly, the autocomplete feature for mail addresses in the Web UI is worth the upgrade alone. Prob not what you wanted to hear, but almost all of my GAL issues never appeared on the 3.2 box. (Still have a bug report in about sorting A-Z, and only being able to use my admin account as the Bind DN).

The other users I have testing love the autocomplete feature (and never use the GAL search) as well. At the very least, if you have another box you should check it out. Not sure what OS it runs on though, I'm using RHEL 4, and I don't know if the beta was just limited to that OS.

Quote:
Where are the logs that i need to look at?
Logs can be found in /opt/zimbra/log and /var/log.
Reply With Quote
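
The filter problems discussed in this thread (a template missing its closing parentheses, and what ends up in place of %s) can be checked offline before the filter goes into the GAL settings. The Python sketch below is an added example, not part of the original posts and not Zimbra's code; the function names are hypothetical, the attribute-name check is simplified, and it assumes each %s is replaced by the search term escaped per RFC 4515.

```python
import re

# Simplified attribute-name pattern (no ";option" suffixes handled).
ATTR_NAME = re.compile(r"^[A-Za-z][A-Za-z0-9-]*$")

def ldap_escape(term):
    """Escape a user-typed search term per RFC 4515 so it stays a value."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in term)

def paren_problems(flt):
    """Report unmatched parentheses in an LDAP filter string."""
    problems, depth = [], 0
    for pos, ch in enumerate(flt):
        if ch == "(":
            depth += 1
        elif ch == ")":
            if depth == 0:
                problems.append("unmatched ')' at offset %d" % pos)
            else:
                depth -= 1
    if depth:
        problems.append("%d unclosed '('" % depth)
    return problems

def check_template(template):
    """Check a GAL filter template that uses %s for the search term."""
    problems = paren_problems(template)
    if "%s" not in template:
        problems.append("no %s placeholder")
    for attr in re.findall(r"\(([^()=]+)=", template):
        if not ATTR_NAME.match(attr.rstrip("~<>")):
            problems.append("bad attribute name %r" % attr)
    return problems

def expand(template, term):
    """Assumed substitution: every %s becomes the escaped search term."""
    return template.replace("%s", ldap_escape(term))

if __name__ == "__main__":
    samples = [
        "(&(|(mail=*%s*)",                            # filter as posted in the thread
        "(|(cn=*%s*)(sn=*%s*)(gn=*%s*)(mail=*%s*))",  # default string quoted in the thread
        "(|(telephoneN umber=*%s*)(mail=*%s*))",      # constructed: stray space from copy/paste
    ]
    for s in samples:
        print(s, "->", check_template(s) or "ok")
    # Constructed search term containing filter metacharacters.
    print(expand("(mail=*%s*)", "Smith (Sales)*"))
```

The expanded filter string is what would go inside single quotes as the last argument of an ldapsearch command like the one shown earlier in the thread.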