Zimbra :: Forums > Zimbra Collaboration Suite > Administrators
#1
04-12-2010, 03:45 PM
Intermediate Member
Posts: 19
Account Name different from Active Directory Username, 2nd

Hi all,

For days I've been working to let Zimbra users have the same password as on the 2008 AD Domain Controller.
I've read a lot of posts but none helped me.
The most interesting post I found on the Zimbra forum is:
Account Name different from Active Directory Username

Now I'm working on a test scenario:
Win2003 Server DC of the ps.dominio.it domain; all users are name.surname@ps.dominio.it
Zimbra 6.05 FOSS (on Ubuntu 8.04 Server) hosts the mail domain dominio.it; all emails are surname@dominio.it
I want to enable Zimbra external AD authentication against the 2003 DC.

The only working test I made is:
- new Zimbra domain ps.dominio.it, email name.surname@ps.dominio.it (which is not public), same as the DC
- enable external AD authentication on the DC
Any other test fails, including the variants found in the "account-name-different-active-directory-username" post
(which uses LDAP as the external auth method instead of AD).
In particular, when trying to configure LDAP, I do not understand where to set "LDAP bind DN template":
does it not exist anymore in Zimbra 6?

Any idea on how to map a Zimbra username & domain that differ from the ones in AD?
My feeling is that it is possible using external LDAP auth and an ad-hoc LDAP filter,
but I'm not an LDAP expert.

Thanks in advance,
bye, Luca.
#2
04-13-2010, 12:11 AM
Zimbra Consultant & Moderator
Posts: 20,313

Quote:
Originally Posted by lk2oo3
Any idea on how to map a Zimbra username & domain that differ from the ones in AD?
Surely the answer to your question is in post #5 in the thread you've linked to?
__________________
Regards


Bill

Last edited by phoenix; 04-13-2010 at 06:50 AM..
#3
04-13-2010, 06:45 AM
Intermediate Member
Posts: 19

Hi Phoenix,
thanks for the answer, but I do not understand what you mean.

I have only a few users in the domain, and the only thing I'm interested in
is Zimbra authentication from AD by means of a mapping.

If you can help, I'll be grateful.
Thanks, bye, Luca.
#4
04-13-2010, 06:52 AM
Zimbra Consultant & Moderator
Posts: 20,313

In this thread, post number 5 gives you details of what you need to do to authenticate against an AD server when you have a different name than the one in AD - isn't that what you wanted?
__________________
Regards


Bill
#5
04-13-2010, 10:44 AM
Intermediate Member
Posts: 19

I have already tested this solution.

The authentication wizard in Zimbra 6.05 does not have this prompt:
LDAP bind DN template: %u@ad.YOURDOMAINNAME.com

Where do I find this? Perhaps it was part of Zimbra 5.xx?

Also, the wizard ends with the test failing.
Maybe it depends on the missing "LDAP bind DN template" field?

Thanks again
#6
05-12-2010, 08:49 AM
Intermediate Member
Posts: 19

OK, I have not solved the problem yet:
I've set up a virtual environment with Win2008 Server (but same result with Win 2003 Server) and a Zimbra 6.05 install on Ubuntu 8.04 Server,
and I'm trying to do exactly what is suggested in
Account Name different from Active Directory Username
but something went wrong. Usually this is the error message I receive:

Quote:

javax.naming.ServiceUnavailableException: [LDAP: error code 52 - 00000000: LdapErr: DSID-0C090E0B, comment: Error initializing SSL/TLS, data 0, v1771 ] X; remaining name ''
at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3106)

Today I made 2 kinds of test:

1. I installed Softerra LDAP Browser on my Windows PC and used it to connect to AD with the same data I give to the Zimbra LDAP wizard:
Softerra successfully connects to the 2008 Server AD

2. I installed ldap-utils on the Zimbra server

and I ran this command to test connectivity from the Zimbra Ubuntu server to the 2008 Server AD:

ldapsearch -x -b "dc=ps,dc=dominio,dc=it" -D administrator@ps.dominio.it -h cd.ps.dominio.it -w password "(objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=ps,DC=dominio,DC=it)" |grep sAMAccountName | sed -e s/sAMAccountName\:\ //g > utenti.tmp

The result is exactly the one it should be: a list of AD users in the file utenti.tmp

BUT

if during the domain authentication setup wizard I enable StartTLS,
why does the Zimbra test fail this way??

Quote:

javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1611)
at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:187)
at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:181)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1035)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:124)
at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:516)
at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:454)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:884)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1112)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1139)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1123)
at com.sun.jndi.ldap.ext.StartTlsResponseImpl.startHandshake(StartTlsResponseImpl.java:344)
at com.sun.jndi.ldap.ext.StartTlsResponseImpl.negotiate(StartTlsResponseImpl.java:208)
at com.sun.jndi.ldap.ext.StartTlsResponseImpl.negotiate(StartTlsResponseImpl.java:161)
at com.zimbra.cs.account.ldap.ZimbraLdapContext.tlsNegotiate(ZimbraLdapContext.java:339)
at com.zimbra.cs.account.ldap.ZimbraLdapContext.<init>(ZimbraLdapContext.java:468)
at com.zimbra.cs.account.ldap.ZimbraLdapContext.<init>(ZimbraLdapContext.java:402)
at com.zimbra.cs.account.ldap.LdapUtil.ldapAuthenticate(LdapUtil.java:120)
at com.zimbra.cs.account.ldap.Check.checkAuthConfig(Check.java:168)
at com.zimbra.cs.service.admin.CheckAuthConfig.handle(CheckAuthConfig.java:53)
at com.zimbra.soap.SoapEngine.dispatchRequest(SoapEngine.java:419)
at com.zimbra.soap.SoapEngine.dispatch(SoapEngine.java:273)
at com.zimbra.soap.SoapEngine.dispatch(SoapEngine.java:157)
at com.zimbra.soap.SoapServlet.doWork(SoapServlet.java:291)
at com.zimbra.soap.SoapServlet.doPost(SoapServlet.java:212)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:727)
at com.zimbra.cs.servlet.ZimbraServlet.service(ZimbraServlet.java:181)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:820)
at org.mortbay.jetty.servlet.ServletHolder.handle(ServletHolder.java:511)
at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1166)
at com.zimbra.cs.servlet.SetHeaderFilter.doFilter(SetHeaderFilter.java:79)
at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1157)
at org.mortbay.servlet.UserAgentFilter.doFilter(UserAgentFilter.java:81)
at org.mortbay.servlet.GzipFilter.doFilter(GzipFilter.java:132)
at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1157)
at org.mortbay.jetty.servlet.ServletHandler.handle(ServletHandler.java:388)
at org.mortbay.jetty.security.SecurityHandler.handle(SecurityHandler.java:216)
at org.mortbay.jetty.servlet.SessionHandler.handle(SessionHandler.java:182)
at org.mortbay.jetty.handler.ContextHandler.handle(ContextHandler.java:765)
at org.mortbay.jetty.webapp.WebAppContext.handle(WebAppContext.java:418)
at org.mortbay.jetty.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:230)
at org.mortbay.jetty.handler.HandlerCollection.handle(HandlerCollection.java:114)
at org.mortbay.jetty.handler.HandlerWrapper.handle(HandlerWrapper.java:152)
at org.mortbay.jetty.handler.rewrite.RewriteHandler.handle(RewriteHandler.java:230)
at org.mortbay.jetty.handler.HandlerWrapper.handle(HandlerWrapper.java:152)
at org.mortbay.jetty.handler.DebugHandler.handle(DebugHandler.java:77)
at org.mortbay.jetty.handler.HandlerWrapper.handle(HandlerWrapper.java:152)
at org.mortbay.jetty.Server.handle(Server.java:326)
at org.mortbay.jetty.HttpConnection.handleRequest(HttpConnection.java:543)
at org.mortbay.jetty.HttpConnection$RequestHandler.content(HttpConnection.java:939)
at org.mortbay.jetty.HttpParser.parseNext(HttpParser.java:755)
at org.mortbay.jetty.HttpParser.parseAvailable(HttpParser.java:212)
at org.mortbay.jetty.HttpConnection.handle(HttpConnection.java:405)
at org.mortbay.io.nio.SelectChannelEndPoint.run(SelectChannelEndPoint.java:409)
at org.mortbay.thread.BoundedThreadPool$PoolThread.run(BoundedThreadPool.java:451)
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:285)
at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:191)
at sun.security.validator.Validator.validate(Validator.java:218)
at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:126)
at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:209)
at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:249)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1014)
... 51 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:174)
at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:238)
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:280)
... 57 more
and WHY,
if I disable StartTLS, is this the error:

Quote:
javax.naming.PartialResultException [Root exception is javax.naming.CommunicationException: ps.dominio.it:389 [Root exception is java.net.UnknownHostException: ps.dominio.it]]
at com.sun.jndi.ldap.LdapNamingEnumeration.hasMoreImpl(LdapNamingEnumeration.java:224)
at com.sun.jndi.ldap.LdapNamingEnumeration.hasMore(LdapNamingEnumeration.java:171)
at com.zimbra.cs.account.ldap.LdapUtil.ldapAuthenticate(LdapUtil.java:122)
at com.zimbra.cs.account.ldap.Check.checkAuthConfig(Check.java:168)
at com.zimbra.cs.service.admin.CheckAuthConfig.handle(CheckAuthConfig.java:53)
at com.zimbra.soap.SoapEngine.dispatchRequest(SoapEngine.java:419)
at com.zimbra.soap.SoapEngine.dispatch(SoapEngine.java:273)
at com.zimbra.soap.SoapEngine.dispatch(SoapEngine.java:157)
at com.zimbra.soap.SoapServlet.doWork(SoapServlet.java:291)
at com.zimbra.soap.SoapServlet.doPost(SoapServlet.java:212)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:727)
at com.zimbra.cs.servlet.ZimbraServlet.service(ZimbraServlet.java:181)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:820)
at org.mortbay.jetty.servlet.ServletHolder.handle(ServletHolder.java:511)
at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1166)
at com.zimbra.cs.servlet.SetHeaderFilter.doFilter(SetHeaderFilter.java:79)
at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1157)
at org.mortbay.servlet.UserAgentFilter.doFilter(UserAgentFilter.java:81)
at org.mortbay.servlet.GzipFilter.doFilter(GzipFilter.java:132)
at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1157)
at org.mortbay.jetty.servlet.ServletHandler.handle(ServletHandler.java:388)
at org.mortbay.jetty.security.SecurityHandler.handle(SecurityHandler.java:216)
at org.mortbay.jetty.servlet.SessionHandler.handle(SessionHandler.java:182)
at org.mortbay.jetty.handler.ContextHandler.handle(ContextHandler.java:765)
at org.mortbay.jetty.webapp.WebAppContext.handle(WebAppContext.java:418)
at org.mortbay.jetty.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:230)
at org.mortbay.jetty.handler.HandlerCollection.handle(HandlerCollection.java:114)
at org.mortbay.jetty.handler.HandlerWrapper.handle(HandlerWrapper.java:152)
at org.mortbay.jetty.handler.rewrite.RewriteHandler.handle(RewriteHandler.java:230)
at org.mortbay.jetty.handler.HandlerWrapper.handle(HandlerWrapper.java:152)
at org.mortbay.jetty.handler.DebugHandler.handle(DebugHandler.java:77)
at org.mortbay.jetty.handler.HandlerWrapper.handle(HandlerWrapper.java:152)
at org.mortbay.jetty.Server.handle(Server.java:326)
at org.mortbay.jetty.HttpConnection.handleRequest(HttpConnection.java:543)
at org.mortbay.jetty.HttpConnection$RequestHandler.content(HttpConnection.java:939)
at org.mortbay.jetty.HttpParser.parseNext(HttpParser.java:755)
at org.mortbay.jetty.HttpParser.parseAvailable(HttpParser.java:212)
at org.mortbay.jetty.HttpConnection.handle(HttpConnection.java:405)
at org.mortbay.io.nio.SelectChannelEndPoint.run(SelectChannelEndPoint.java:409)
at org.mortbay.thread.BoundedThreadPool$PoolThread.run(BoundedThreadPool.java:451)
Caused by: javax.naming.CommunicationException: ps.dominio.it:389 [Root exception is java.net.UnknownHostException: ps.dominio.it]
at com.sun.jndi.ldap.LdapReferralContext.<init>(LdapReferralContext.java:74)
at com.sun.jndi.ldap.LdapReferralException.getReferralContext(LdapReferralException.java:132)
at com.sun.jndi.ldap.LdapNamingEnumeration.hasMoreReferrals(LdapNamingEnumeration.java:339)
at com.sun.jndi.ldap.LdapNamingEnumeration.hasMoreImpl(LdapNamingEnumeration.java:208)
... 39 more
Caused by: java.net.UnknownHostException: ps.dominio.it
at java.net.PlainSocketImpl.connect(PlainSocketImpl.java:177)
at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:366)
at java.net.Socket.connect(Socket.java:525)
at sun.reflect.GeneratedMethodAccessor3.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at com.sun.jndi.ldap.Connection.createSocket(Connection.java:336)
at com.sun.jndi.ldap.Connection.<init>(Connection.java:184)
at com.sun.jndi.ldap.LdapClient.<init>(LdapClient.java:118)
at com.sun.jndi.ldap.LdapClientFactory.createPooledConnection(LdapClientFactory.java:46)
at com.sun.jndi.ldap.pool.Connections.<init>(Connections.java:97)
at com.sun.jndi.ldap.pool.Pool.getPooledConnection(Pool.java:114)
at com.sun.jndi.ldap.LdapPoolManager.getLdapClient(LdapPoolManager.java:310)
at com.sun.jndi.ldap.LdapClient.getInstance(LdapClient.java:1572)
at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2652)
at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:293)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:175)
at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:134)
at com.sun.jndi.url.ldap.ldapURLContextFactory.getObjectInstance(ldapURLContextFactory.java:35)
at javax.naming.spi.NamingManager.getURLObject(NamingManager.java:584)
at javax.naming.spi.NamingManager.processURL(NamingManager.java:364)
at javax.naming.spi.NamingManager.processURLAddrs(NamingManager.java:344)
at javax.naming.spi.NamingManager.getObjectInstance(NamingManager.java:316)
at com.sun.jndi.ldap.LdapReferralContext.<init>(LdapReferralContext.java:93)
... 42 more
It seems to me the problem is inside Zimbra,
but is it possible that nobody has an idea on how to help me solve the problem?

After all, I think that many people may have the need to extend user authentication
of the Zimbra Mail Server with a Windows AD Server,
even when the two servers were installed by different people at different times
and the Zimbra users@domain cannot be exactly the same as in AD.

Thanks again,
Luca.

Last edited by lk2oo3; 05-13-2010 at 01:51 PM..
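The three traces in this post each point at a different layer, and the root cause sits at the bottom of each "Caused by:" chain rather than in the first line. As an added example (my own code, not Zimbra's), here is a small triage helper that walks a Java stack trace down to its root cause and maps the messages seen here to their usual meaning: LDAP error 52 "Error initializing SSL/TLS" is the DC declining StartTLS because it has no server certificate; "PKIX path building failed" is the Zimbra JVM not trusting the certificate chain the DC presented; the UnknownHostException reached through LdapReferralException is Zimbra chasing a referral that AD returns for a search at the domain root, to a domain name the Zimbra host cannot resolve. The sample traces are abbreviated copies of the ones posted above; the diagnosis strings encode my reading of each error and are assumptions, not Zimbra documentation.

```python
import re

# One exception line per chain link: the first line of the trace and each "Caused by:" line.
EXC_LINE = re.compile(r'^(?:Caused by: )?([\w.$]+(?:Exception|Error))(?::?\s+(.*))?$')

# Constructed rules: (regex over the whole trace, diagnosis). The diagnoses are my reading
# of the errors in this thread, not Zimbra documentation.
RULES = [
    (r'LDAP: error code 52 .*Error initializing SSL/TLS',
     'the DC refused StartTLS because it has no usable server certificate; '
     'StartTLS/LDAPS cannot work until a certificate is installed on the DC'),
    (r'PKIX path building failed|unable to find valid certification path',
     'the JVM Zimbra runs in does not trust the certificate chain the DC presented; '
     'import the issuing CA certificate into the trust store Zimbra uses'),
    (r'UnknownHostException: ([\w.-]+)',
     'the host {0} does not resolve from the Zimbra server; fix DNS or avoid the lookup'),
    (r'LdapReferralException',
     'a search at the domain root made AD return a referral that Zimbra then chased; '
     'a search base below the root (for example cn=Users,...) returns no referral'),
]

def exception_chain(trace):
    """Return [(exception_class, message), ...] from the outermost exception to the root cause."""
    chain = []
    for line in trace.splitlines():
        line = line.strip()
        if not line or line.startswith('at ') or line.startswith('...'):
            continue  # stack frames and "... N more" carry no new exception
        m = EXC_LINE.match(line)
        if m:
            chain.append((m.group(1), m.group(2) or ''))
    return chain

def root_cause(trace):
    """The innermost exception of the chain, or None if the text holds no Java exception."""
    chain = exception_chain(trace)
    return chain[-1] if chain else None

def diagnose(trace):
    """Return the diagnoses whose pattern occurs anywhere in the trace, in rule order."""
    findings = []
    for pattern, text in RULES:
        m = re.search(pattern, trace)
        if m:
            findings.append(text.format(*m.groups()))
    return findings

# Constructed samples: the traces posted above, cut down to the lines that matter.
TRACE_ERR52 = """\
javax.naming.ServiceUnavailableException: [LDAP: error code 52 - 00000000: LdapErr: DSID-0C090E0B, comment: Error initializing SSL/TLS, data 0, v1771 ] X; remaining name ''
at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3106)
"""
TRACE_PKIX = """\
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
at com.zimbra.cs.account.ldap.ZimbraLdapContext.tlsNegotiate(ZimbraLdapContext.java:339)
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:285)
... 51 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:174)
... 57 more
"""
TRACE_REFERRAL = """\
javax.naming.PartialResultException [Root exception is javax.naming.CommunicationException: ps.dominio.it:389 [Root exception is java.net.UnknownHostException: ps.dominio.it]]
at com.sun.jndi.ldap.LdapNamingEnumeration.hasMoreImpl(LdapNamingEnumeration.java:224)
at com.zimbra.cs.account.ldap.LdapUtil.ldapAuthenticate(LdapUtil.java:122)
Caused by: javax.naming.CommunicationException: ps.dominio.it:389 [Root exception is java.net.UnknownHostException: ps.dominio.it]
at com.sun.jndi.ldap.LdapReferralContext.<init>(LdapReferralContext.java:74)
at com.sun.jndi.ldap.LdapReferralException.getReferralContext(LdapReferralException.java:132)
... 39 more
Caused by: java.net.UnknownHostException: ps.dominio.it
at java.net.PlainSocketImpl.connect(PlainSocketImpl.java:177)
... 42 more
"""

if __name__ == '__main__':
    for name, trace in [('error 52', TRACE_ERR52), ('StartTLS', TRACE_PKIX), ('no StartTLS', TRACE_REFERRAL)]:
        print(name, '->', root_cause(trace)[0])
        for finding in diagnose(trace):
            print('   ', finding)
```

The referral finding explains why post #7's working configuration uses cn=Users,dc=ps,dc=dominio,dc=it as the search base rather than the domain root: a search scoped below the root gets no referral, so there is nothing for Zimbra to resolve.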
#7
05-14-2010, 04:21 AM
Intermediate Member
Posts: 19

So, finally, in some way I succeeded in authenticating Zimbra 6.05 against the Win2008 Server AD via LDAP.
These are the settings that worked fine for me.
Sure, it does not work with StartTLS or SSL enabled
(I think the problem is some certificate misconfiguration).
Referring to the authentication wizard of the domain dominio.it, these are the settings I used:

Quote:
1. on 2008 Server
mail attribute in AD LDAP same as Zimbra account

2. on Zimbra:
account creation without password

3. on Zimbra admin UI
Authentication mechanism: External LDAP
win2008Server: cd.ps.dominio.it
LDAP URL: ldap://cd.ps.dominio.it:389
***Enable StartTLS: No
LDAP filter: (|(sAMAccountName=%u)(mail=%u@dominio.it)(mail=%n))
***LDAP search base: cn=Users,dc=ps,dc=dominio,dc=it
Use DN/Password to bind to external server: Yes
Bind DN: zimbrauser@ps.dominio.it & password
I marked with *** the only differences from
Account Name different from Active Directory Username

Now, if possible, I would like to try to use StartTLS,
but I've read various posts with issues related to certificates.

If someone has any suggestion on how to make it work with self-signed certificates, please help.
bye, Luca.

Last edited by lk2oo3; 05-16-2010 at 02:30 AM..
#8
12-28-2010, 01:38 PM
Junior Member
Posts: 6

I have nearly the same problem, with different usernames in Active Directory and account names in Zimbra.

The account name in Zimbra should be in the form givenname.surname@domain.tld (since it is used as the primary email address, which is used for calendar invitations).

The Active Directory name is shortname@domain.tld.

Is there a way to configure Zimbra to authenticate with the shortname against Active Directory,
so the users can use the same shortname for their Windows account login and Zimbra?

Thank you for any help.
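The filter in post #7 and the shortname-versus-address mismatch in post #8 both rest on the same mechanism: Zimbra's external LDAP auth expands the filter template for the login name, searches AD for one matching entry, and then binds as that entry's DN with the password the user typed. The Zimbra address and the AD sAMAccountName therefore never have to agree, as long as some attribute links them (in post #7 the AD mail attribute, filled in per step 1). The following Python is an added example and not Zimbra's code: it re-implements that search-then-bind flow against a constructed in-memory directory so it runs offline. The placeholder meanings (%n full address, %u local part, %d domain, %D domain as dc= components) follow Zimbra's documentation of zimbraAuthLdapSearchFilter; the "exactly one entry" rule and the password comparison that stands in for the LDAP bind are my simplifications; the directory entries, DNs and passwords are constructed. Each substituted value is escaped per RFC 4515, so a character with filter meaning in a typed login name is matched literally instead of changing the filter's shape.

```python
import re

# --- RFC 4515 value escaping: a login name must be a literal inside the filter ---
def ldap_filter_escape(value):
    """Hex-escape the characters that carry filter syntax meaning (RFC 4515)."""
    return ''.join('\\%02x' % ord(c) if c in '\\*()\x00' else c for c in value)

def _unescape(value):
    return re.sub(r'\\([0-9a-fA-F]{2})', lambda m: chr(int(m.group(1), 16)), value)

# --- Zimbra placeholder expansion: %n full address, %u local part, %d domain, %D domain as dc= ---
def expand_filter(template, login):
    """Expand a zimbraAuthLdapSearchFilter-style template for one login, escaping each value."""
    local, _, domain = login.partition('@')
    dn_domain = ','.join('dc=' + part for part in domain.split('.')) if domain else ''
    values = {'n': login, 'u': local, 'd': domain, 'D': dn_domain}
    return re.sub(r'%([nudD])', lambda m: ldap_filter_escape(values[m.group(1)]), template)

# --- A tiny filter evaluator so the search can run against an in-memory directory ---
def parse_filter(text):
    """Parse the subset used here: (attr=value), (&(...)(...)) and (|(...)(...))."""
    def node(i):
        if text[i] != '(':
            raise ValueError('expected ( at offset %d' % i)
        i += 1
        if text[i] in '&|':
            op, i, kids = text[i], i + 1, []
            while text[i] == '(':
                kid, i = node(i)
                kids.append(kid)
            if text[i] != ')':
                raise ValueError('expected ) at offset %d' % i)
            return (op, kids), i + 1
        end = text.index(')', i)          # an escaped value never contains a literal ')'
        attr, _, raw = text[i:end].partition('=')
        return ('=', attr.lower(), raw), end + 1
    tree, consumed = node(0)
    if consumed != len(text):
        raise ValueError('trailing data after filter')
    return tree

def _value_matches(raw, actual):
    # An unescaped '*' is a wildcard; everything else is compared literally, case-insensitively
    pieces = [re.escape(_unescape(p)) for p in raw.split('*')]
    return re.fullmatch('.*'.join(pieces), actual, re.IGNORECASE) is not None

def matches(tree, entry):
    if tree[0] == '=':
        return any(_value_matches(tree[2], v) for v in entry.get(tree[1], []))
    op, kids = tree
    results = [matches(k, entry) for k in kids]
    return all(results) if op == '&' else any(results)

# Constructed stand-in for the AD subtree cn=Users,dc=ps,dc=dominio,dc=it (attribute names lower-cased)
DIRECTORY = {
    'CN=Mario Rossi,CN=Users,DC=ps,DC=dominio,DC=it': {
        'samaccountname': ['mario.rossi'], 'mail': ['rossi@dominio.it'],
        'userprincipalname': ['mario.rossi@ps.dominio.it'], '_password': 'constructed-pw-1'},
    'CN=Anna Bianchi,CN=Users,DC=ps,DC=dominio,DC=it': {
        'samaccountname': ['anna.bianchi'], 'mail': ['bianchi@dominio.it'],
        'userprincipalname': ['anna.bianchi@ps.dominio.it'], '_password': 'constructed-pw-2'},
}

POST7_FILTER = '(|(sAMAccountName=%u)(mail=%u@dominio.it)(mail=%n))'   # the filter from post #7

def search(directory, filter_text):
    """DNs of the entries the filter matches, in directory order."""
    tree = parse_filter(filter_text)
    return [dn for dn, entry in directory.items() if matches(tree, entry)]

def authenticate(directory, template, login, password):
    """Search-then-bind: exactly one entry must match, then bind as that entry's DN."""
    hits = search(directory, expand_filter(template, login))
    if len(hits) != 1:
        return (False, None, 'expected exactly one entry, got %d' % len(hits))
    dn = hits[0]
    if directory[dn]['_password'] != password:       # stands in for the LDAP simple bind
        return (False, dn, 'bind failed')
    return (True, dn, 'ok')

if __name__ == '__main__':
    print(expand_filter(POST7_FILTER, 'rossi@dominio.it'))
    print(authenticate(DIRECTORY, POST7_FILTER, 'rossi@dominio.it', 'constructed-pw-1'))
    print(authenticate(DIRECTORY, POST7_FILTER, '*@dominio.it', 'anything'))
```

Running the block prints the expanded filter for rossi@dominio.it, a successful login, and a refused login for a wildcard name: the escaped %u becomes the literal \2a, which matches no entry. A wildcard an administrator writes into the template itself, as in (mail=*@dominio.it), is still honoured, which is why the search must return exactly one entry before any bind is attempted.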