01-06-2011, 05:07 AM
Zimbra LDAP Group Membership Cannot Be recognized from Apache 2

Hello,

I have successfully set up the zimlet for the zimbra LDAP administration (the "gregzimbra" Description in wiki), but without the Samba part. As the domain I took as example aaa.algites.eu. My Zimbra installation is a multi-server install with 1 LDAP, 1 MTA and 1 MBOX virtual server.

I want to use the LDAP from zimbra also for the authentication of the Subversion Users, going through apache 2 http server.

I got the authentication with zimbra LDAP working, it works well, but I have a problem with the resolution of the required group. In Apache I have defined the Location like
Code:
        <Location "/">
                AuthType Basic
                AuthName "SVN Repository"
                AuthBasicProvider ldap
                AuthzLDAPAuthoritative off
                AuthLDAPBindDN uid=zmposix,cn=appaccts,cn=zimbra
                AuthLDAPBindPassword zimbraposixaccount
                AuthLDAPURL "ldap://zildap:389/OU=people,DC=aaa,DC=algites,DC=eu?uid"
                Require ldap-group CN=svn_access, OU=groups, DC=aaa, DC=algites, DC=eu
        </Location>
but this required group is never resolved. After the password has been successfully validated, I always get the following error messages in the Apache log for that site:

Code:
[Thu Jan 06 13:11:45 2011] [debug] mod_authnz_ldap.c(745): [client A.B.C.D] [2421] auth_ldap authorise: require group: testing for member: uid=test2,ou=people,dc=aaa,dc=algites,dc=eu (CN=svn_access, OU=groups, DC=aaa, DC=algites, DC=eu)
[Thu Jan 06 13:11:45 2011] [debug] mod_authnz_ldap.c(761): [client A.B.C.D] [2421] auth_ldap authorise: require group "CN=svn_access, OU=groups, DC=aaa, DC=algites, DC=eu": authorisation failed [Comparison no such attribute (adding to cache)][No such attribute]
[Thu Jan 06 13:11:45 2011] [debug] mod_authnz_ldap.c(745): [client A.B.C.D] [2421] auth_ldap authorise: require group: testing for uniquemember: uid=test2,ou=people,dc=aaa,dc=algites,dc=eu (CN=svn_access, OU=groups, DC=aaa, DC=algites, DC=eu)
[Thu Jan 06 13:11:45 2011] [debug] mod_authnz_ldap.c(761): [client A.B.C.D] [2421] auth_ldap authorise: require group "CN=svn_access, OU=groups, DC=aaa, DC=algites, DC=eu": authorisation failed [Comparison no such attribute (adding to cache)][No such attribute]
In the LDAP log, turned on with everything possible logged, I have:

Code:
Jan  6 13:11:45 zildap slapd[2532]: => acl_mask: access to entry "cn=svn_access,ou=groups,dc=aaa,dc=algites,dc=eu", attr "uniqueMember" requested
Jan  6 13:11:45 zildap slapd[2532]: => acl_mask: to value by "uid=zmposix,cn=appaccts,cn=zimbra", (=0)
Jan  6 13:11:45 zildap slapd[2532]: <= check a_dn_pat: cn=admins,cn=zimbra
Jan  6 13:11:45 zildap slapd[2532]: <= check a_dn_pat: uid=zmposixroot,cn=appaccts,cn=zimbra
Jan  6 13:11:45 zildap slapd[2532]: <= check a_dn_pat: uid=zmposix,cn=appaccts,cn=zimbra
Jan  6 13:11:45 zildap slapd[2532]: <= acl_mask: [3] applying read(=rscxd) (stop)
Jan  6 13:11:45 zildap slapd[2532]: <= acl_mask: [3] mask: read(=rscxd)
Jan  6 13:11:45 zildap slapd[2532]: => slap_access_allowed: compare access granted by read(=rscxd)
Jan  6 13:11:45 zildap slapd[2532]: => access_allowed: compare access granted by read(=rscxd)
Jan  6 13:11:45 zildap slapd[2532]: send_ldap_result: conn=2334 op=5 p=3
Jan  6 13:11:45 zildap slapd[2532]: send_ldap_result: err=16 matched="" text=""
Jan  6 13:11:45 zildap slapd[2532]: send_ldap_response: msgid=6 tag=111 err=16
Jan  6 13:11:45 zildap slapd[2532]: conn=2334 op=5 RESULT tag=111 err=16 text=
In the logs there are also the requests for the "member" attribute, but with the same lack of success... I have also tried the attribute "memberOf" by redefinition of the group membership attribute name in the location by

Code:
AuthLDAPGroupAttribute memberOf
but then it returned some other error, which is also returned in the case the attribute name is invalid.
I also tried to put there some non-existent group instead of "svn_access", then I get the correct (and different) error message that the group object is not found...

The given user test2@aaa.algites.eu is defined in zimbra, posix Ids are created ok.

Possible causes could be the following (I have tried everything possible but do not know what exactly):

1. I have specified in the given group SVN_access the membership in a wrong way - as memberUID I have tried to write there the posix number of the user or the username ("test2"). Is this correct? It does not work with number or username - what should be entered as memberUID into the posix group definition?

2. Are the group names case sensitive? I think it helped me also not to remove the capital letters from the group name, as well as the dots and underlines from the group name, but possibly I could have forgotten something somewhere...

3. Should some other group membership attribute be used on Apache? But which?

I would really appreciate any help or pointers, it took me really a lot of time and the solution is still unknown...

Thanx in advance, Archie
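
Added example, not part of the original post and not Zimbra or Apache code: a small Python model of the LDAP Compare that the logs above show mod_authnz_ldap issuing for "Require ldap-group", with the result codes the server can return. It assumes the group is an RFC 2307 posixGroup that lists members by login name in memberUid; the directory contents and the gidNumber are constructed.

```python
# Constructed model of the Compare operation behind "Require ldap-group".
COMPARE_FALSE, COMPARE_TRUE = 5, 6            # RFC 4511 result codes
NO_SUCH_ATTRIBUTE, NO_SUCH_OBJECT = 16, 32    # 16 is the err=16 in the slapd log

GROUP_DN = "cn=svn_access,ou=groups,dc=aaa,dc=algites,dc=eu"
USER_DN = "uid=test2,ou=people,dc=aaa,dc=algites,dc=eu"

# Assumption: a posixGroup has memberUid (login names) and carries no
# member / uniqueMember attributes at all.
DIRECTORY = {
    GROUP_DN: {"objectclass": ["posixGroup"], "cn": ["svn_access"],
               "gidnumber": ["10001"], "memberuid": ["test2"]},
}

def ldap_compare(dn, attr, value):
    """Return the result code a server gives for Compare(dn, attr=value)."""
    # DNs match case-insensitively and ignore the spaces after commas.
    entry = DIRECTORY.get(dn.lower().replace(", ", ","))
    if entry is None:
        return NO_SUCH_OBJECT          # the "group not found" case
    values = entry.get(attr.lower())   # attribute names are case-insensitive
    if values is None:
        return NO_SUCH_ATTRIBUTE       # entry exists, attribute is absent
    # memberUid is matched with caseExactIA5Match, so values compare exactly.
    return COMPARE_TRUE if value in values else COMPARE_FALSE

def require_ldap_group(group_dn, user_dn, login, group_attrs, attr_is_dn=True):
    """Compare each group attribute; any compareTrue grants access.

    attr_is_dn mirrors AuthLDAPGroupAttributeIsDN: on sends the user's DN,
    off sends the bare login name.
    """
    value = user_dn if attr_is_dn else login
    trace = [(a, ldap_compare(group_dn, a, value)) for a in group_attrs]
    return any(code == COMPARE_TRUE for _, code in trace), trace

if __name__ == "__main__":
    group = "CN=svn_access, OU=groups, DC=aaa, DC=algites, DC=eu"
    # Module defaults, as in the posted <Location>: both compares give 16.
    print(require_ldap_group(group, USER_DN, "test2", ["member", "uniquemember"]))
    # AuthLDAPGroupAttribute memberUid + AuthLDAPGroupAttributeIsDN off
    print(require_ldap_group(group, USER_DN, "test2", ["memberUid"], attr_is_dn=False))
    # memberUid alone, still sending the DN: attribute exists, value differs.
    print(require_ldap_group(group, USER_DN, "test2", ["memberUid"]))
```

Result 16 means the group entry was found and readable but has no such attribute, which is different from 32 (entry missing) and from 5 (attribute present, value not in it).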