Thread: Zimbra with Centos 6 as active directory problem

  1. #1
    gyt

    Zimbra with Centos 6 as active directory problem

    Hello,
    I have been installing Zimbra ver. zcs-7.1.3 under Centos 6 to act as a Windows Domain Controller. I followed these steps: UNIX and Windows Accounts in Zimbra LDAP and Zimbra Admin UI - Zimbra :: Wiki

    Zimbra installed fine, and so did Samba, but when I try to query LDAP using the getent group command nothing happens and I get this error message in /var/log/messages:

    domain nslcd[1321]: [5c55b5] failed to bind to LDAP server ldap://10.1.1.18/: Invalid credentials
    Oct 17 13:53:04 domain nslcd[1321]: [5c55b5] no available LDAP server found
    Oct 17 13:53:04 domain nslcd[1321]: [5c55b5] no available LDAP server found


    The Zimbra LDAP root password is test1.

    My nslcd.conf:

    # This is the configuration file for the LDAP nameservice
    # switch library's nslcd daemon. It configures the mapping
    # between NSS names (see /etc/nsswitch.conf) and LDAP
    # information in the directory.
    # See the manual page nslcd.conf(5) for more information.

    # The uri pointing to the LDAP server to use for name lookups.
    # Multiple entries may be specified. The address that is used
    # here should be resolvable without using LDAP (obviously).
    uri ldap://10.1.1.18/

    #uri ldaps://127.0.0.1/
    #uri ldapi://%2fvar%2frun%2fldapi_sock/
    # Note: %2f encodes the '/' used as directory separator
    # uri ldap://127.0.0.1/

    # The LDAP version to use (defaults to 3
    # if supported by client library)
    #ldap_version 3

    # The distinguished name of the search base.
    base dc=test,dc=com

    # The distinguished name to bind to the server with.
    # Optional: default is to bind anonymously.
    binddn uid=zmposix,cn=appaccts,cn=zimbra

    # The credentials to bind with.
    # Optional: default is no credentials.
    # Note that if you set a bindpw you should check the permissions of this file.
    bindpw test1

    # The distinguished name to perform password modifications by root by.
    rootpwmoddn uid=zmposixroot,cn=appaccts,cn=zimbra

    # The default search scope.
    scope sub

    #scope one
    #scope base

    # Customize certain database lookups.
    base group ou=groups,dc=test,dc=com
    base passwd ou=people,dc=test,dc=com
    base shadow ou=people,dc=test,dc=com
    #scope group onelevel
    #scope hosts sub

    # Bind/connect timelimit.
    bind_timelimit 30

    # Search timelimit.
    timelimit 30


    # Idle timelimit. nslcd will close connections if the
    # server has not been contacted for the number of seconds.
    idle_timelimit 3600

    # Use StartTLS without verifying the server certificate.
    #ssl start_tls
    #tls_reqcert never

    # CA certificates for server certificate verification
    #tls_cacertdir /etc/ssl/certs
    #tls_cacertfile /etc/ssl/ca.cert

    # Seed the PRNG if /dev/urandom is not provided
    #tls_randfile /var/run/egd-pool

    # SSL cipher suite
    # See man ciphers for syntax
    #tls_ciphers TLSv1

    # Client certificate and key
    # Use these, if your server requires client authentication.
    #tls_cert
    #tls_key

    # NDS mappings
    #map group uniqueMember member

    # Mappings for Services for UNIX 3.5
    #filter passwd (objectClass=User)
    #map passwd uid msSFU30Name
    #map passwd userPassword msSFU30Password
    #map passwd homeDirectory msSFU30HomeDirectory
    #map passwd homeDirectory msSFUHomeDirectory
    #filter shadow (objectClass=User)
    #map shadow uid msSFU30Name
    #map shadow userPassword msSFU30Password
    #filter group (objectClass=Group)
    #map group uniqueMember msSFU30PosixMember

    # Mappings for Services for UNIX 2.0
    #filter passwd (objectClass=User)
    #map passwd uid msSFUName
    #map passwd userPassword msSFUPassword
    #map passwd homeDirectory msSFUHomeDirectory
    #map passwd gecos msSFUName
    #filter shadow (objectClass=User)
    #map shadow uid msSFUName
    #map shadow userPassword msSFUPassword
    #map shadow shadowLastChange pwdLastSet
    #filter group (objectClass=Group)

    #map group uniqueMember posixMember

    # Mappings for Active Directory
    #pagesize 1000
    #referrals off
    #filter passwd (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))
    #map passwd uid sAMAccountName
    #map passwd homeDirectory unixHomeDirectory
    #map passwd gecos displayName
    #filter shadow (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))
    #map shadow uid sAMAccountName
    #map shadow shadowLastChange pwdLastSet
    #filter group (objectClass=group)
    #map group uniqueMember member

    # Mappings for AIX SecureWay
    #filter passwd (objectClass=aixAccount)
    #map passwd uid userName
    #map passwd userPassword passwordChar
    #map passwd uidNumber uid
    #map passwd gidNumber gid
    #filter group (objectClass=aixAccessGroup)
    #map group cn groupName
    #map group uniqueMember member
    #map group gidNumber gid


    # The distinguished name of the search base.

    uid nslcd
    gid ldap
    # This comment prevents repeated auto-migration of settings.
    ------------------------------
    My pam_ldap.conf:

    # @(#)$Id: ldap.conf,v 1.38 2006/05/15 08:13:31 lukeh Exp $
    #
    # This is the configuration file for the LDAP nameservice
    # switch library and the LDAP PAM module.
    #
    # The man page for this file is pam_ldap(5)
    #
    # PADL Software
    # PADL Software Pty Ltd
    #

    # Your LDAP server. Must be resolvable without using LDAP.
    # Multiple hosts may be specified, each separated by a
    # space. How long nss_ldap takes to failover depends on
    # whether your LDAP client library supports configurable
    # network or connect timeouts (see bind_timelimit).
    host 10.1.1.18

    # The distinguished name of the search base.
    base dc=test,dc=com

    # Another way to specify your LDAP server is to provide an
    # uri with the server name. This allows to use
    # Unix Domain Sockets to connect to a local LDAP Server.
    uri ldap://10.1.1.18/

    #uri ldaps://127.0.0.1/
    #uri ldapi://%2fvar%2frun%2fldapi_sock/
    # Note: %2f encodes the '/' used as directory separator

    # The LDAP version to use (defaults to 3
    # if supported by client library)
    #ldap_version 3

    # The distinguished name to bind to the server with.
    # Optional: default is to bind anonymously.
    #binddn cn=proxyuser,dc=example,dc=com
    binddn uid=zmposix,cn=appaccts,cn=zimbra

    # The credentials to bind with.
    # Optional: default is no credential.
    bindpw test1


    # The distinguished name to bind to the server with
    # if the effective user ID is root. Password is
    # stored in /etc/ldap.secret (mode 600)
    #rootbinddn cn=manager,dc=example,dc=com
    rootbinddn uid=zmposixroot,cn=appaccts,cn=zimbra

    # The port.
    # Optional: default is 389.
    port 389

    # The search scope.
    #scope sub
    #scope one
    #scope base

    # Search timelimit
    timelimit 30

    # Bind/connect timelimit
    bind_timelimit 30

    # Reconnect policy: hard (default) will retry connecting to
    # the software with exponential backoff, soft will fail
    # immediately.
    bind_policy soft

    # Idle timelimit; client will close connections
    # (nss_ldap only) if the server has not been contacted
    # for the number of seconds specified below.
    #idle_timelimit 3600

    # Filter to AND with uid=%s
    #pam_filter objectclass=account

    # The user ID attribute (defaults to uid)
    #pam_login_attribute uid

    # Search the root DSE for the password policy (works
    # with Netscape Directory Server)
    #pam_lookup_policy yes

    # Check the 'host' attribute for access control
    # Default is no; if set to yes, and user has no
    # value for the host attribute, and pam_ldap is
    # configured for account management (authorization)
    # then the user will not be allowed to login.
    #pam_check_host_attr yes

    # Check the 'authorizedService' attribute for access
    # control
    # Default is no; if set to yes, and the user has no
    # value for the authorizedService attribute, and
    # pam_ldap is configured for account management
    # (authorization) then the user will not be allowed
    # to login.

    #pam_check_service_attr yes

    # Group to enforce membership of
    #pam_groupdn cn=PAM,ou=Groups,dc=example,dc=com

    # Group member attribute
    #pam_member_attribute uniquemember

    # Specify a minium or maximum UID number allowed
    #pam_min_uid 0
    #pam_max_uid 0

    # Template login attribute, default template user
    # (can be overriden by value of former attribute
    # in user's entry)
    #pam_login_attribute userPrincipalName
    #pam_template_login_attribute uid
    #pam_template_login nobody

    # HEADS UP: the pam_crypt, pam_nds_passwd,
    # and pam_ad_passwd options are no
    # longer supported.
    #
    # Do not hash the password at all; presume
    # the directory server will do it, if
    # necessary. This is the default.
    #pam_password clear

    # Hash password locally; required for University of
    # Michigan LDAP server, and works with Netscape
    # Directory Server if you're using the UNIX-Crypt
    # hash mechanism and not using the NT Synchronization
    # service.
    #pam_password crypt

    # Remove old password first, then update in
    # cleartext. Necessary for use with Novell
    # Directory Services (NDS)
    #pam_password clear_remove_old
    #pam_password nds

    # RACF is an alias for the above. For use with
    # IBM RACF
    #pam_password racf

    # Update Active Directory password, by
    # creating Unicode password and updating
    # unicodePwd attribute.
    #pam_password ad

    # Use the OpenLDAP password change
    # extended operation to update the password.
    #pam_password exop

    # Redirect users to a URL or somesuch on password
    # changes.
    #pam_password_prohibit_message Please visit http://internal to change your password.

    # RFC2307bis naming contexts
    # Syntax:
    # nss_base_XXX base?scope?filter
    # where scope is {base,one,sub}
    # and filter is a filter to be &'d with the
    # default filter.
    # You can omit the suffix eg:
    # nss_base_passwd ou=People,
    # to append the default base DN but this
    # may incur a small performance impact.
    #nss_base_passwd ou=People,dc=example,dc=com?one
    #nss_base_shadow ou=People,dc=example,dc=com?one
    #nss_base_group ou=Group,dc=example,dc=com?one
    #nss_base_hosts ou=Hosts,dc=example,dc=com?one
    #nss_base_services ou=Services,dc=example,dc=com?one
    #nss_base_networks ou=Networks,dc=example,dc=com?one
    #nss_base_protocols ou=Protocols,dc=example,dc=com?one
    #nss_base_rpc ou=Rpc,dc=example,dc=com?one
    #nss_base_ethers ou=Ethers,dc=example,dc=com?one
    #nss_base_netmasks ou=Networks,dc=example,dc=com?one
    #nss_base_bootparams ou=Ethers,dc=example,dc=com?one
    #nss_base_aliases ou=Aliases,dc=example,dc=com?one
    #nss_base_netgroup ou=Netgroup,dc=example,dc=com?one

    nss_base_passwd ou=people,dc=test,dc=com?one
    nss_base_shadow ou=people,dc=test,dc=com?one

    nss_base_group ou=groups,dc=test,dc=com?one
    nss_base_hosts ou=machines,dc=test,dc=com?one

    # attribute/objectclass mapping
    # Syntax:
    #nss_map_attribute rfc2307attribute mapped_attribute
    #nss_map_objectclass rfc2307objectclass mapped_objectclass

    # configure --enable-nds is no longer supported.
    # NDS mappings
    #nss_map_attribute uniqueMember member

    # Services for UNIX 3.5 mappings
    #nss_map_objectclass posixAccount User
    #nss_map_objectclass shadowAccount User

    #nss_map_attribute uid msSFU30Name
    #nss_map_attribute uniqueMember msSFU30PosixMember
    #nss_map_attribute userPassword msSFU30Password
    #nss_map_attribute homeDirectory msSFU30HomeDirectory
    #nss_map_attribute homeDirectory msSFUHomeDirectory
    #nss_map_objectclass posixGroup Group
    #pam_login_attribute msSFU30Name
    #pam_filter objectclass=User
    #pam_password ad

    # configure --enable-mssfu-schema is no longer supported.
    # Services for UNIX 2.0 mappings
    #nss_map_objectclass posixAccount User
    #nss_map_objectclass shadowAccount user
    #nss_map_attribute uid msSFUName
    #nss_map_attribute uniqueMember posixMember
    #nss_map_attribute userPassword msSFUPassword
    #nss_map_attribute homeDirectory msSFUHomeDirectory
    #nss_map_attribute shadowLastChange pwdLastSet
    #nss_map_objectclass posixGroup Group
    #nss_map_attribute cn msSFUName
    #pam_login_attribute msSFUName
    #pam_filter objectclass=User
    #pam_password ad

    # RFC 2307 (AD) mappings
    #nss_map_objectclass posixAccount user
    #nss_map_objectclass shadowAccount user
    #nss_map_attribute uid sAMAccountName
    #nss_map_attribute homeDirectory unixHomeDirectory
    #nss_map_attribute shadowLastChange pwdLastSet
    #nss_map_objectclass posixGroup group
    #nss_map_attribute uniqueMember member
    #pam_login_attribute sAMAccountName
    #pam_filter objectclass=User
    #pam_password ad

    # configure --enable-authpassword is no longer supported
    # AuthPassword mappings
    #nss_map_attribute userPassword authPassword

    # AIX SecureWay mappings
    #nss_map_objectclass posixAccount aixAccount
    #nss_base_passwd ou=aixaccount,?one
    #nss_map_attribute uid userName
    #nss_map_attribute gidNumber gid
    #nss_map_attribute uidNumber uid
    #nss_map_attribute userPassword passwordChar

    #nss_map_objectclass posixGroup aixAccessGroup
    #nss_base_group ou=aixgroup,?one
    #nss_map_attribute cn groupName
    #nss_map_attribute uniqueMember member
    #pam_login_attribute userName
    #pam_filter objectclass=aixAccount
    #pam_password clear

    # Netscape SDK LDAPS
    #ssl on

    # Netscape SDK SSL options
    #sslpath /etc/ssl/certs

    # OpenLDAP SSL mechanism
    # start_tls mechanism uses the normal LDAP port, LDAPS typically 636
    #ssl start_tls
    #ssl on

    # OpenLDAP SSL options
    # Require and verify server certificate (yes/no)
    # Default is to use libldap's default behavior, which can be configured in
    # /etc/openldap/ldap.conf using the TLS_REQCERT setting. The default for
    # OpenLDAP 2.0 and earlier is "no", for 2.1 and later is "yes".
    #tls_checkpeer yes

    # CA certificates for server certificate verification
    # At least one of these are required if tls_checkpeer is "yes"
    #tls_cacertfile /etc/ssl/ca.cert
    #tls_cacertdir /etc/ssl/certs

    # Seed the PRNG if /dev/urandom is not provided
    #tls_randfile /var/run/egd-pool

    # SSL cipher suite
    # See man ciphers for syntax
    #tls_ciphers TLSv1

    # Client certificate and key
    # Use these, if your server requires client authentication.
    #tls_cert
    #tls_key

    # Disable SASL security layers. This is needed for AD.
    #sasl_secprops maxssf=0

    # Override the default Kerberos ticket cache location.
    #krb5_ccname FILE:/etc/.ldapcache

    # SASL mechanism for PAM authentication - use is experimental
    # at present and does not support password policy control

    #pam_sasl_mech DIGEST-MD5
    --------------------------------------------
    /etc/openldap/ldap.conf:
    # LDAP Defaults
    #

    # See ldap.conf(5) for details
    # This file should be world readable but not world writable.

    #BASE dc=example, dc=com
    #URI ldap://ldap.example.com ldap://ldap-master.example.com:666

    #SIZELIMIT 12
    #TIMELIMIT 15
    #DEREF never
    #
    URI ldaps://10.1.1.18/
    BASE dc=test,dc=com
    TLS_CACERTDIR /etc/openldap/cacerts

    ----------------------------------------
    /etc/hosts:
    10.1.1.18 domain.test.com domain # Added by NetworkManager
    10.1.1.18 test.com test # Added by Me
    127.0.0.1 localhost.localdomain localhost
    --------------------------------------------
    DNS also resolves to test.com.



    What did I miss?
    Thanks for the help.
    gyt
    Last edited by gyt; 10-17-2011 at 07:55 AM.
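As an added check that is not part of the thread (example code, not Zimbra's or nslcd's own): a small Python script that parses an nslcd.conf like the one above, flags the two weak spots a reviewer would raise (a bindpw sitting in a file that group or others can read, and a simple bind over plain ldap:// with start_tls left commented out), and prints the ldapwhoami command that tests the same binddn outside nslcd. A simple bind is checked against the password stored on the binddn entry itself, so the directory's root password only works if that same password was also set on uid=zmposix. The sample config is constructed from the values posted above.

```python
#!/usr/bin/env python3
"""Added example, not from the thread: sanity-check an nslcd.conf bind
before blaming nslcd for "Invalid credentials" (LDAP result 49).
Result 49 means the server rejected the binddn/bindpw pair; the password
it checks is the one stored on the entry named by binddn, not one set on
some other entry. SAMPLE_NSLCD_CONF is constructed from the thread."""
import shlex
import stat
from typing import Dict, List

SAMPLE_NSLCD_CONF = """\
# constructed sample mirroring the thread's nslcd.conf
uri ldap://10.1.1.18/
base dc=test,dc=com
binddn uid=zmposix,cn=appaccts,cn=zimbra
bindpw test1
base group ou=groups,dc=test,dc=com
#ssl start_tls
"""

def parse_nslcd_conf(text: str) -> Dict[str, str]:
    """Map each directive to its first value, skipping comments and blanks.
    Splitting on the first space only leaves a '#' inside a password alone."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        settings.setdefault(key.lower(), value.strip())
    return settings

def bindpw_exposed(mode: int) -> bool:
    """True if group or others may read the file holding bindpw
    (the stock nslcd.conf comment warns about exactly this)."""
    return bool(stat.S_IMODE(mode) & (stat.S_IRGRP | stat.S_IROTH))

def ldapwhoami_command(settings: Dict[str, str]) -> str:
    """ldapwhoami invocation exercising the same bind outside nslcd; -W prompts
    for the password, a good bind prints 'dn:' + binddn, result 49 = the error."""
    args = ["ldapwhoami", "-x", "-H", settings["uri"],
            "-D", settings["binddn"], "-W"]
    return " ".join(shlex.quote(a) for a in args)

def check_config(text: str, mode: int) -> Dict[str, object]:
    """Parsed settings, findings, and the manual bind test to run."""
    settings = parse_nslcd_conf(text)
    findings: List[str] = []
    if "bindpw" in settings and bindpw_exposed(mode):
        findings.append("bindpw readable by group/others: chmod 600 the file")
    if settings.get("uri", "").startswith("ldap://") \
            and settings.get("ssl") != "start_tls":
        findings.append("simple bind over ldap:// without start_tls sends bindpw in clear")
    return {"settings": settings, "findings": findings,
            "verify_with": ldapwhoami_command(settings)}

if __name__ == "__main__":
    report = check_config(SAMPLE_NSLCD_CONF, 0o644)  # typical default file mode
    print(*report["findings"], "Run by hand: " + report["verify_with"], sep="\n")
```

On a real host, pass the file's actual mode (os.stat(path).st_mode) instead of the constant, and run the printed ldapwhoami command as the same user nslcd binds as.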

  2. #2
    gyt

    Any help?
    Thanks
    gyt

  3. #3
    nickchacha

    I know it's way too late for this, but has anyone cracked this? Thanks
    Env: Release 7.2.6_GA_2926.RHEL6_64_20131203115858 CentOS6_64 FOSS edition.

    Thanks

  4. #4
    phoenix (Zimbra Consultant & Moderator)

    Quote Originally Posted by nickchacha:
    I know it's way too late for this but has anyone cracked this?

    This isn't a supported feature of ZCS; why don't you use Samba4 instead? In future, don't add your posts to old threads.
    Regards,
    Bill

  5. #5
    nickchacha

    Quote Originally Posted by phoenix:
    This isn't a supported feature of ZCS, why don't you use Samba4 instead? In future don't add your posts to old threads.

    Thanks Bill,
    I'm new, so not so conversant with the forum.
    Quick one though: will Samba 4 resolve the above error, please? That's if I'm following the same Wiki?
    Thanks
    Regards,
    Nicholas

  6. #6
    phoenix (Zimbra Consultant & Moderator)

    Quote Originally Posted by nickchacha:
    Quick one though.. will samba 4 resolve the above error please??

    Samba4 is a complete (replacement) AD server. Samba4 is available in CentOS6, but you'll have to search the internet for the most recent RPM.

    Quote Originally Posted by nickchacha:
    That's if am following the same Wiki?

    No, you should search the internet for tutorials on how to use Samba4 as a Domain Controller - it does work and is fairly straightforward to configure.
    Regards,
    Bill