Using Zimbra LDAP for authentication

[generalsnus]

Hi,

I'm running Zimbra 7.1.3 Open Source Edition, and very happy with that!

Running Zimbra on Amazon EC2-server (Ubuntu 10.04). Only issues I had was about split DNS, but used dnsmasq to fix this. All mx-records checks OK.

Everything works fine, and has been running for some months now.

I have set up a new Amazon server and installed a private MediaWiki to use for documentation. It would be great to use Zimbra LDAP to login. MediaWiki has a ldap extention that is easy to configure - or at least it looks easy. My issue starts before that.

On my Zimbra server I can use ldapsearch fine. From my laptop - or my MediaWiki server - I get:
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

If try to telnet to my server on port 389 I get connection refused.

Telnet to other ports in use are OK.

Yes - port 389 is open in the Amazon Security Group (That is the FW) :-)

Have done to much searching about this topic without getting there. Is there somewhere in the LDAP config that only allow connections from localhost?

So - any help for getting Zimbra LDAP reachable from internet would be highy appreciated.

And also other thoughts about using LDAP like this - recommended or not?

Running Zimbra on a single server (AWS m1.small with 4 ECU and 7.5gb ram)

Thanks!

[generalsnus]

Not much response on this one :-)

Should I add some more information or config files?

I'm not really sure what to add - as my Zimbra server runs ok and I do not have any other problem that reaching Zimbra LDAP from the outside.

From the host itself I can do ldapsearch.

As I have port 389 open in the FW - and can not telnet I guess there is some config for ldap that restrict connections from the outside?

My knowledge about openldap is very (1) limited, and I have not been any better when googling this issue.

I have tried ldap browser like JXplorer - and the same problem with connection.

Any help here would be appreciated! Or if I need to provide any additional information.

Thanks.

[chauvetp]

Are you 100% sure there is no firewall in the way? In my experience port 389 doesn't need anything special as far as Zimbra is concerned to have it open. If its not allowing connections, I would make sure there is no firewall blocking it.

Check any firewall logs that you have access to (/var/log/messages for the system level firewall logs on most linux distributions).

P.S. Don't expect a lot of responses over the weekend. I don't think the forums are heavily trafficked then.

[generalsnus]

I would say yes - I'm 100 % sure - but I'm starting to loose faith in myself now :-) I have removed port 389 from the FW and added again just to be sure. I will have a look again tonight.

But can it have something to do with me running this on Amazon EC2 and using dnsmasq messing this up - but then strange it would be only for LDAP search and all other services on other ports are available.

And just so I don't misunderstand everything here - I should be able to do a ldapsearch from the command line from any other host just as I do on my Zimbra server?

If I get it to work I will only allow port 389 from my MediaWiki-server.

[chauvetp]

Yep - ldapsearch from other hosts should work fine. Without authenticating even, the following command works fine from me to give me info on all users (note: I do block port 389 on Zimbra from most systems so this is from one that is allowed through the firewall):

ldapsearch -h zimbra.mycampus.edu -x

I don't have any experience with EC2 and/or dnsmasq, so I cannot give any suggestions with regards to that unfortunately.

[generalsnus]

I solved it.

Everything showed port 389 available (nmap etc) so I found out I had to mess up something with regards to DNS etc during the Zimbra setup.

I documented every step I did, and where I found it. I made one mistake during the pre setup steps. In my my hosts file I had:
127.0.0.1 mail.mydomain.com mail

Changed it to my private IP instead, restarted Zimbra. And it works!

... and MX still checks out ok. Found no other problems so far. Hope this can help somebody else as well if they see the same problem.

Thanks chauvetp - I was looking around in the Zimbra ldap conf files and was on the wrong track.