I recently kinda upgrade from Zimbra 5.x to 6.0.7. Because of database corruptions, my "upgrade" was actually a fresh installation and then a migration of accounts.
I have a HTTP reverse proxy that, amongst other things, knows about my internal mail server. It uses the apache 2.2 version of LDAP Apache - Zimbra :: Wiki , which was working fine on the old ZCS 5.x.
However, it does not work here.
I have verified through tshark that the LDAP TCP session is happening, and I can see that the username is passed inside that TCP session. So I know that network connectivity is not an issue.
Apache reports the following error:
[Sun Aug 22 12:49:41 2010] [warn] [client 18.104.22.168]  auth_ldap authenticate: user firstname.lastname@example.org authentication failed; URI / [User not found][No such object]
[Sun Aug 22 12:49:41 2010] [error] [client 22.214.171.124] user email@example.com not found: /
And tshark shows:
0.000000 192.168.36.5 -> 192.168.141.11 TCP 52184 > ldap [SYN] Seq=0 Win=5840 Len=0 MSS=1460 TSV=260756728 TSER=0 WS=7
0.000394 192.168.141.11 -> 192.168.36.5 TCP ldap > 52184 [SYN, ACK] Seq=0 Ack=1 Win=5792 Len=0 MSS=1460 TSV=44614768 TSER=260756728 WS=7
0.000452 192.168.36.5 -> 192.168.141.11 TCP 52184 > ldap [ACK] Seq=1 Ack=1 Win=5888 Len=0 TSV=260756728 TSER=44614768
0.000487 192.168.36.5 -> 192.168.141.11 LDAP bindRequest(1) "<ROOT>" simple
0.000814 192.168.141.11 -> 192.168.36.5 TCP ldap > 52184 [ACK] Seq=1 Ack=15 Win=5888 Len=0 TSV=44614768 TSER=260756728
0.001127 192.168.141.11 -> 192.168.36.5 LDAP bindResponse(1) success
0.001145 192.168.36.5 -> 192.168.141.11 TCP 52184 > ldap [ACK] Seq=15 Ack=15 Win=5888 Len=0 TSV=260756728 TSER=44614768
0.001231 192.168.36.5 -> 192.168.141.11 LDAP searchRequest(2) "<ROOT>" wholeSubtree
0.002013 192.168.141.11 -> 192.168.36.5 LDAP searchResDone(2) success
0.042309 192.168.36.5 -> 192.168.141.11 TCP 52184 > ldap [ACK] Seq=91 Ack=29 Win=5888 Len=0 TSV=260756739 TSER=44614768
Looking at wireshark for more information, I see that the "searchResDone(2) success" reports "0 results".
So at the moment, I have disabled the authentication lookup in the proxy.
As per can't figure out why apache LDAP auth fails - Server Fault I have verified that the clocks are in sync (they weren't but now both use NTP)
One difference between the old and new servers (as part of the migration) is that it's in a different subnet. The old server was in the same /24 as the proxy, but the new one is not. Is there some setting in Zimbra that says that it will offer LDAP authentication services to the default subnet?
Another option I see relates to zimbraReverseProxyHttpEnabled but I couldn't find good clue as to how to use it.
Seeking clues, thanks in advance.