Old 08-11-2011, 01:04 AM
Trained Alumni
 
Posts: 28
Apache auth to Zimbra ldap - failing with no useful log info to say why

I am trying to get Apache 2.2 on a remote Ubuntu 10.04 LTS machine to authenticate to Zimbra LDAP. Zimbra version is Release 7.0.0_GA_3077.UBUNTU10_64 UBUNTU10_64 FOSS edition.

I have ldap access set up between the two machines and I can successfully query ldap from the machine with Apache on it using the following command...

Code:
ldapsearch -x -b 'ou=people,dc=onepointltd,dc=com' -H 'ldap://mail.onepointltd.com:389' -D 'uid=zimbra,cn=admins,cn=zimbra' -w somethingsecret
However, when I install mod_authnz_ldap and follow these instructions it never authenticates. I get the following Apache error message

Code:
[Thu Aug 11 08:33:20 2011] [error] [client 78.105.1.254] user simon not found: /
[Thu Aug 11 08:33:56 2011] [warn] [client 78.105.1.254] [1033] auth_ldap authenticate: user simon authentication failed; URI / [User not found][No such object]
This is my .htaccess file...
Code:
AuthName "Subversion repository"
AuthType Basic
AuthBasicProvider ldap
AuthLDAPURL ldap://mail.onepointltd.com:389/ou=people,dc=onepointltd,dc=com?uid?sub?(objectClass=organizationalPerson)
AuthLDAPBindDN uid=zimbra,cn=admins,cn=zimbra
AuthLDAPBindPassword somesecretthing
AuthzLDAPAuthoritative off
Require valid-user
I have tried with and without the AuthzLDAPAuthoritative statement.

I have tried increasing the log level of Apache to DEBUG but it still doesn't give any more information regarding the failed LDAP authentication.

The UID "simon" definitely exists. If I grep the ldapsearch output for "simon" I get,
Code:
# simon, people, onepointltd.com
dn: uid=simon,ou=people,dc=onepointltd,dc=com
uid: simon
# simon.blandford, people, onepointltd.com
dn: uid=simon.blandford,ou=people,dc=onepointltd,dc=com
uid: simon.blandford
I've tried logging in as "simon" and "simon.blandford". Same result.

I have increased the log level in /opt/zimbra/conf/log4j.properties.in on the Zimbra server to "DEBUG" for ldap and security.
Code:
log4j.logger.zimbra.ldap=DEBUG
log4j.logger.zimbra.security=DEBUG
Although I can see debug output go by when I tail the log for ldap, it shows no response to either a failed Apache attempt or a successful ldapsearch query.

I have tried booting with AppArmor disabled in case Apache was being blocked from accessing remote LDAP, but this makes no difference.

Would appreciate any help or advice on either what the problem may be or how to get meaningful log output from somewhere.
Old 08-13-2011, 01:48 AM
Trained Alumni
 
Posts: 28

OK. I finally found a solution for this.

LDAP authentication doesn't work with user or domain aliases, even though every other way of logging into Zimbra does.

I normally log into Zimbra using both a user alias and a domain alias, neither of which works when authenticating. I had changed the server domain from one.consultinglimited.com to onepointltd.com, but this didn't change the fact that onepointltd.com is still an alias domain of one.consultinglimited.com.

The following .htaccess file worked if I logged in using my original username, "simon.blandford", instead of just the alias, "simon".

Code:
AuthName "Subversion repository"
AuthType Basic
AuthBasicProvider ldap
AuthLDAPURL ldap://mail.onepointltd.com:389/ou=people,dc=one,dc=consultinglimited,dc=com?uid?sub?(objectClass=organizationalPerson)
AuthLDAPBindDN uid=zimbra,cn=admins,cn=zimbra
AuthLDAPBindPassword thesecretzimbraldappassword
AuthzLDAPAuthoritative off
Require valid-user
I would still like to know how to get this to work with user aliases because otherwise I have to explain this to all the users and there will inevitably be support calls when they forget to use their original un-aliased name.
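As an added diagnostic example (not from the original posts, and not Apache's or Zimbra's own code): the script below replays the search step that mod_authnz_ldap performs for an AuthLDAPURL against a small constructed directory, so the two .htaccess files above can be compared offline. It assumes, as a model of Zimbra's schema rather than something the thread states, that the entries in the alias domain carry objectClass zimbraAlias instead of organizationalPerson, which would explain why the URL's `(objectClass=organizationalPerson)` filter leaves Apache with "User not found" before any bind is tried.

```python
import re
from urllib.parse import unquote, urlsplit

def parse_auth_ldap_url(url):
    """Split an AuthLDAPURL (RFC 2255 form) as mod_authnz_ldap does; defaults: uid, sub, no filter."""
    parts = urlsplit(url)
    extras = (parts.query.split("?") if parts.query else []) + ["", "", ""]
    return {"host": parts.hostname, "port": parts.port or 389, "base": unquote(parts.path.lstrip("/")),
            "attribute": extras[0] or "uid", "scope": extras[1] or "sub", "filter": extras[2]}

def escape_filter_value(value):
    """RFC 4515 escaping so a typed login name cannot alter the filter's structure."""
    return "".join(f"\\{ord(c):02x}" if c in "\\*()\x00" else c for c in value)

def effective_filter(attribute, extra_filter, user):
    """The filter Apache actually sends: (&(<extra>)(<attribute>=<user>))."""
    term = f"({attribute}={escape_filter_value(user)})"
    return f"(&{extra_filter}{term})" if extra_filter else term

def filter_matches(flt, entry):
    """Evaluate a flat AND of equality terms (all this URL form produces) against one entry,
    case-insensitively like LDAP; entry maps attribute -> list of values."""
    lowered = {k.lower(): [v.lower() for v in vs] for k, vs in entry.items()}
    unescape = lambda v: re.sub(r"\\([0-9a-f]{2})", lambda m: chr(int(m[1], 16)), v)
    return all(unescape(v).lower() in lowered.get(k.lower(), [])
               for k, v in re.findall(r"\((\w+)=([^()]*)\)", flt))

def in_scope(dn, base, scope):
    """Naive DN containment (no escaped commas) for base, one and sub scopes."""
    dn, base = dn.lower(), base.lower()
    if scope == "base":
        return dn == base
    return dn.endswith("," + base) and (scope == "sub" or "," not in dn[: -len(base) - 1])

def find_user(url, user, directory):
    """Replay the search half of mod_authnz_ldap's search-then-bind and return the matching DNs.
    An empty list is what Apache logs as 'User not found'; the user bind is never attempted."""
    cfg = parse_auth_ldap_url(url)
    flt = effective_filter(cfg["attribute"], cfg["filter"], user)
    return [dn for dn, e in directory.items() if in_scope(dn, cfg["base"], cfg["scope"]) and filter_matches(flt, e)]

# Constructed sample directory modelled on the thread's ldapsearch output. The alias-domain entries
# carry objectClass zimbraAlias instead of organizationalPerson: an assumption about Zimbra's schema.
SAMPLE_DIRECTORY = {
    "uid=simon.blandford,ou=people,dc=one,dc=consultinglimited,dc=com":
        {"objectClass": ["organizationalPerson", "zimbraAccount"], "uid": ["simon.blandford"]},
    "uid=simon,ou=people,dc=onepointltd,dc=com": {"objectClass": ["zimbraAlias"], "uid": ["simon"]},
    "uid=simon.blandford,ou=people,dc=onepointltd,dc=com": {"objectClass": ["zimbraAlias"], "uid": ["simon.blandford"]},
}
```

Running find_user with the first URL returns nothing for either login name, while the second URL returns the account DN only for the un-aliased "simon.blandford", matching what the poster observed.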