GALsync LDAP query in AD; mailnickname=Bug?

[ypong]

I'm testing a 7.1.2 OSE on Ubuntu 10.04.3 LTS server, with multi-server+multi-domain setup.

I've noticed, when testing the GALsync setup, that one of my domains tests fine (this domain has an existing exchange server), i.e. when I type something into the test field, it does retrieve some results.

However, on another two domains (which have never had exchange installed before), when I type something into the test field, even though it says passed, no results are returned.

According to the output of "zmprov gcf zimbraGalLdapFilterDef | grep ad:", the filter used is:

Code:

(&(|(displayName=*%s*)(cn=*%s*)(sn=*%s*)(givenName=*%s*)(mail=*%s*))(!(msExchHideFromAddressLists=TRUE))(mailnickname=*)(|(&(objectCategory=person)(objectClass=user)(!(homeMDB=*))(!(msExchHomeServerName=*)))(&(objectCategory=person)(objectClass=user)(|(homeMDB=*)(msExchHomeServerName=*)))(&(objectCategory=person)(objectClass=contact))(objectCategory=group)(objectCategory=publicFolder)(objectCategory=msExchDynamicDistributionList)))

So to troubleshoot, I started by building an LDAP query manually, using this:

Code:

(&(|(displayName=*)(cn=*)(sn=*)(givenName=*)(mail=*))(!(msExchHideFromAddressLists=TRUE))(mailnickname=*)(|(&(objectCategory=person)(objectClass=user)(!(homeMDB=*))(!(msExchHomeServerName=*)))(&(objectCategory=person)(objectClass=user)(|(homeMDB=*)(msExchHomeServerName=*)))(&(objectCategory=person)(objectClass=contact))(objectCategory=group)(objectCategory=publicFolder)(objectCategory=msExchDynamicDistributionList)))

As expected, this works fine in the 1st domain, and returns an empty set for the other two.

So by trial and error, I found that if I delete these two clauses (not one, not the other, but both), the query works:

Code:

	(!(msExchHideFromAddressLists=TRUE))
	(mailnickname=*)

i.e. the query is now just:

Code:

(&(|(displayName=*)(cn=*)(sn=*)(givenName=*)(mail=*))(|(&(objectCategory=person)(objectClass=user)(!(homeMDB=*))(!(msExchHomeServerName=*)))(&(objectCategory=person)(objectClass=user)(|(homeMDB=*)(msExchHomeServerName=*)))(&(objectCategory=person)(objectClass=contact))(objectCategory=group)(objectCategory=publicFolder)(objectCategory=msExchDynamicDistributionList)))

The values for attribute mailnickname are not populated in my other two domains, so that would explain why the result set is empty, but anybody know why:
1) mailnickname needs to be populated
2) why does the query still not work, by removing just the mailnickname clause?
3) what's a better solution, to populate the mailnickname, or change the zimbraGalLdapFilterDef filter?
4) from some googling, it seems that mailnickname is strictly an MS Exchange attribute, so for non-exchange environments, this would be a bug to be using as a filter?

For better readability, I reformatted the default query so it looks like this (braces matching; you can't use the query like this, so have to replace \t and \n with null):

Code:

(&
	(|(displayName=*)(cn=*)(sn=*)(givenName=*)(mail=*))
	(!(msExchHideFromAddressLists=TRUE))
	(mailnickname=*)
	(|
		(&(objectCategory=person)(objectClass=user)(!(homeMDB=*))(!(msExchHomeServerName=*)))
		(&(objectCategory=person)(objectClass=user)(|(homeMDB=*)(msExchHomeServerName=*)))
		(&(objectCategory=person)(objectClass=contact))
		(objectCategory=group)
		(objectCategory=publicFolder)
		(objectCategory=msExchDynamicDistributionList)
	)
)

[ypong]

I found this old bug: https://bugzilla.zimbra.com/show_bug.cgi?id=11562

According to the last updates, it wasn't fixed in 7.1.1 or 7.1.2, but is fixed in 7.1.3?

So looks like the correct fix is to remove the mailnickname clause from the filter, will test...

[ypong]

To followup, I configured one of the domains as follows:
1) Configure GAL
2) changed Server type from AD to LDAP
3) without touching anything else, changed the LDAP filter to:

Code:

(&(|(displayName=*%s*)(cn=*%s*)(sn=*%s*)(givenName=*%s*)(mail=*%s*))(|(&(objectCategory=person)(objectClass=user)(!(homeMDB=*))(!(msExchHomeServerName=*)))(&(objectCategory=person)(objectClass=user)(|(homeMDB=*)(msExchHomeServerName=*)))(&(objectCategory=person)(objectClass=contact))(objectCategory=group)(objectCategory=publicFolder)(objectCategory=msExchDynamicDistributionList)))

4) without touching anything else, changed the Autocomplete filter to:

Code:

(&(|(displayName=%s*)(cn=%s*)(sn=%s*)(givenName=%s*)(mail=%s*))(|(&(objectCategory=person)(objectClass=user)(!(homeMDB=*))(!(msExchHomeServerName=*)))(&(objectCategory=person)(objectClass=user)(|(homeMDB=*)(msExchHomeServerName=*)))(&(objectCategory=person)(objectClass=contact))(objectCategory=group)(objectCategory=publicFolder)(objectCategory=msExchDynamicDistributionList)))

4) testing on the next few panels now work (i.e. I can retrieve results)

Note that if I leave "(!(msExchHideFromAddressLists=TRUE))" in the query, it still fails to retrieve anything. So in the end I had to, as per my testing, take out both the mailnickname and msExchHideFromAddressLists clauses out.

[ypong]

Finally, I modifed the queries to excluded disabled accounts:
LDAP filter:

Code:

(&(|(displayName=*%s*)(cn=*%s*)(sn=*%s*)(givenName=*%s*)(mail=*%s*))(|(&(objectCategory=person)(objectClass=user)(!(homeMDB=*))(!(msExchHomeServerName=*))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))(&(objectCategory=person)(objectClass=user)(|(homeMDB=*)(msExchHomeServerName=*))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))(&(objectCategory=person)(objectClass=contact)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))(objectCategory=group)(objectCategory=publicFolder)(objectCategory=msExchDynamicDistributionList)))

Autocomplete filter:

Code:

(&(|(displayName=%s*)(cn=%s*)(sn=%s*)(givenName=%s*)(mail=%s*))(|(&(objectCategory=person)(objectClass=user)(!(homeMDB=*))(!(msExchHomeServerName=*))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))(&(objectCategory=person)(objectClass=user)(|(homeMDB=*)(msExchHomeServerName=*))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))(&(objectCategory=person)(objectClass=contact)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))(objectCategory=group)(objectCategory=publicFolder)(objectCategory=msExchDynamicDistributionList)))

Not sure if I can take "(!(userAccountControl:1.2.840.113556.1.4.803:=2)) " and put it further outside as part of the initial &, so I don't need to write that clause three times... more testing...

[50asm]

Quote:

Originally Posted by ypong

finally, i modifed the queries to excluded disabled accounts:
Ldap filter:

Code:

(&(|(displayname=*%s*)(cn=*%s*)(sn=*%s*)(givenname=*%s*)(mail=*%s*))(|(&(objectcategory=person)(objectclass=user)(!(homemdb=*))(!(msexchhomeservername=*))(!(useraccountcontrol:1.2.840.113556.1.4.803:=2)))(&(objectcategory=person)(objectclass=user)(|(homemdb=*)(msexchhomeservername=*))(!(useraccountcontrol:1.2.840.113556.1.4.803:=2)))(&(objectcategory=person)(objectclass=contact)(!(useraccountcontrol:1.2.840.113556.1.4.803:=2)))(objectcategory=group)(objectcategory=publicfolder)(objectcategory=msexchdynamicdistributionlist)))

autocomplete filter:

Code:

(&(|(displayname=%s*)(cn=%s*)(sn=%s*)(givenname=%s*)(mail=%s*))(|(&(objectcategory=person)(objectclass=user)(!(homemdb=*))(!(msexchhomeservername=*))(!(useraccountcontrol:1.2.840.113556.1.4.803:=2)))(&(objectcategory=person)(objectclass=user)(|(homemdb=*)(msexchhomeservername=*))(!(useraccountcontrol:1.2.840.113556.1.4.803:=2)))(&(objectcategory=person)(objectclass=contact)(!(useraccountcontrol:1.2.840.113556.1.4.803:=2)))(objectcategory=group)(objectcategory=publicfolder)(objectcategory=msexchdynamicdistributionlist)))

not sure if i can take "(!(useraccountcontrol:1.2.840.113556.1.4.803:=2)) " and put it further outside as part of the initial &, so i don't need to write that clause three times... More testing...

wow!!! I have been working on this all day. I thought i had something configured wrong. This did the trick!!! Thank you!

[ypong]

no worries, glad I could help. I've certainly learnt a lot from the community too.

[b0rek]

I'm using for both:

Code:

(&(objectClass=person)(|(useraccountcontrol=66048)(useraccountcontrol=512))(|(displayName=*%s*)(cn=*%s*)(sn=*%s*)(givenName=*%s*)(sAMAccountName=%s*)(mail=*%s*)))

but I don't have Exchange.