LDAP authentication of reverse HTTP proxy not working after migration/upgrade

08-22-2010, 06:39 AM

I recently kinda upgraded from Zimbra 5.x to 6.0.7. Because of database corruptions, my "upgrade" was actually a fresh installation and then a migration of accounts.

I have an HTTP reverse proxy that, amongst other things, knows about my internal mail server. It uses the Apache 2.2 version of "LDAP Apache - Zimbra :: Wiki", which was working fine on the old ZCS 5.x.

However, it does not work here.

I have verified through tshark that the LDAP TCP session is happening, and I can see that the username is passed inside that TCP session. So I know that network connectivity is not an issue.

Apache reports the following error:

[Sun Aug 22 12:49:41 2010] [warn] [client 203.82.208.13] [7707] auth_ldap authenticate: user me@mydomain.com authentication failed; URI / [User not found][No such object]
[Sun Aug 22 12:49:41 2010] [error] [client 203.82.208.13] user me@mydomain.com not found: /

And tshark shows:

0.000000 192.168.36.5 -> 192.168.141.11 TCP 52184 > ldap [SYN] Seq=0 Win=5840 Len=0 MSS=1460 TSV=260756728 TSER=0 WS=7
0.000394 192.168.141.11 -> 192.168.36.5 TCP ldap > 52184 [SYN, ACK] Seq=0 Ack=1 Win=5792 Len=0 MSS=1460 TSV=44614768 TSER=260756728 WS=7
0.000452 192.168.36.5 -> 192.168.141.11 TCP 52184 > ldap [ACK] Seq=1 Ack=1 Win=5888 Len=0 TSV=260756728 TSER=44614768
0.000487 192.168.36.5 -> 192.168.141.11 LDAP bindRequest(1) "<ROOT>" simple
0.000814 192.168.141.11 -> 192.168.36.5 TCP ldap > 52184 [ACK] Seq=1 Ack=15 Win=5888 Len=0 TSV=44614768 TSER=260756728
0.001127 192.168.141.11 -> 192.168.36.5 LDAP bindResponse(1) success
0.001145 192.168.36.5 -> 192.168.141.11 TCP 52184 > ldap [ACK] Seq=15 Ack=15 Win=5888 Len=0 TSV=260756728 TSER=44614768
0.001231 192.168.36.5 -> 192.168.141.11 LDAP searchRequest(2) "<ROOT>" wholeSubtree
0.002013 192.168.141.11 -> 192.168.36.5 LDAP searchResDone(2) success
0.042309 192.168.36.5 -> 192.168.141.11 TCP 52184 > ldap [ACK] Seq=91 Ack=29 Win=5888 Len=0 TSV=260756739 TSER=44614768

Looking at wireshark for more information, I see that the "searchResDone(2) success" reports "0 results".

So at the moment, I have disabled the authentication lookup in the proxy.

As per "can't figure out why apache LDAP auth fails - Server Fault", I have verified that the clocks are in sync (they weren't, but now both use NTP).

One difference between the old and new servers (as part of the migration) is that it's in a different subnet. The old server was in the same /24 as the proxy, but the new one is not. Is there some setting in Zimbra that says that it will offer LDAP authentication services to the default subnet?

Another option I see relates to zimbraReverseProxyHttpEnabled, but I couldn't find a good clue as to how to use it.

Seeking clues, thanks in advance.
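
An added example, not part of the original post: a short Python script that reads tshark one-line summaries like the capture above and reports, for each LDAP search, the DN used in the bind, the search base and how many entries came back. It assumes tshark renders an empty DN as `<ROOT>` and prints one `searchResEntry` line per returned entry; the function names are hypothetical and the second trace is constructed for comparison.

```python
import re

# LDAP lines of tshark's one-line summary: <time> <src> -> <dst> LDAP <op>(<msgid>) <rest>
LDAP_LINE = re.compile(r'^\s*[\d.]+\s+(\S+)\s+->\s+(\S+)\s+LDAP\s+(\w+)\((\d+)\)\s*(.*)$')

def analyze_ldap_trace(text):
    bind_dn, searches = {}, {}   # keyed by (client, server) and (client, server, msgid)
    for line in text.splitlines():
        m = LDAP_LINE.match(line)
        if not m:
            continue             # TCP handshake/ACK lines carry no LDAP operation
        src, dst, op, msgid, rest = m.groups()
        quoted = re.match(r'"([^"]*)"\s*(\S*)', rest)
        if op == 'bindRequest' and quoted:
            bind_dn[(src, dst)] = quoted.group(1)
        elif op == 'searchRequest' and quoted:
            searches[(src, dst, msgid)] = dict(bind_dn=bind_dn.get((src, dst)), entries=0,
                base=quoted.group(1), scope=quoted.group(2), result=None)
        elif op == 'searchResEntry' and (dst, src, msgid) in searches:
            searches[(dst, src, msgid)]['entries'] += 1   # responses flow server -> client
        elif op == 'searchResDone' and (dst, src, msgid) in searches:
            searches[(dst, src, msgid)]['result'] = rest.split()[0] if rest else None
    return list(searches.values())

def findings(s):
    # Assumption: tshark prints an empty DN as <ROOT> in bind and search requests.
    checks = [(s['bind_dn'] == '<ROOT>', 'bind sent with an empty DN'),
              (s['base'] == '<ROOT>', 'search base is the empty DN'),
              (s['result'] == 'success' and not s['entries'], 'search succeeded, no entries')]
    return [note for hit, note in checks if hit]

# LDAP lines copied from the capture in the post above.
POST_TRACE = '''
0.000487 192.168.36.5 -> 192.168.141.11 LDAP bindRequest(1) "<ROOT>" simple
0.001127 192.168.141.11 -> 192.168.36.5 LDAP bindResponse(1) success
0.001231 192.168.36.5 -> 192.168.141.11 LDAP searchRequest(2) "<ROOT>" wholeSubtree
0.002013 192.168.141.11 -> 192.168.36.5 LDAP searchResDone(2) success
'''
# Constructed comparison trace (addresses and DNs are made up): one entry comes back.
GOOD_TRACE = '''
0.000100 10.0.0.5 -> 10.0.0.9 LDAP bindRequest(1) "uid=proxy,ou=svc,dc=example,dc=com" simple
0.000300 10.0.0.5 -> 10.0.0.9 LDAP searchRequest(2) "ou=people,dc=example,dc=com" wholeSubtree
0.000400 10.0.0.9 -> 10.0.0.5 LDAP searchResEntry(2) "uid=me,ou=people,dc=example,dc=com"
0.000500 10.0.0.9 -> 10.0.0.5 LDAP searchResDone(2) success
'''
if __name__ == '__main__':
    for s in analyze_ldap_trace(POST_TRACE) + analyze_ldap_trace(GOOD_TRACE):
        print(s, findings(s))
```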