Thread: Active Directory / Email Address Authentication Question

  1. #1 dlochart (Advanced Member)

    Active Directory / Email Address Authentication Question

    I am a novice with LDAP and Active Directory so this may be basic but I do not know it and I need to test it.

    We will be using AD for our terminal services deployment. The users will be set up in AD. They currently have Exchange profiles in another Exchange server that we will be migrating from using the Outlook plugin. Once the profiles are migrated to Zimbra, how do we point their newly created email accounts (that were migrated) to be authenticated by the AD accounts? I have a feeling that the Outlook migration will create local auth user accounts and we won't be able to match each user account with an AD auth account.

    If it is possible to match, do the Zimbra email account names need to match the AD account names, or is there a way to link these for authentication?

    Thanks in advance

  2. #2 dlochart (Advanced Member)

    Come on now !!

    I know this has been addressed by someone and the Zimbra people should know anyway.

    I have a feeling that it needs to be addressed via the properties in LDAP, but since docs covering the guts of Zimbra are lacking IMHO and I am new to LDAP, I am asking for assistance. If this is covered somewhere, please point me in the right direction.

    thanks

  3. #3 phoenix (Zimbra Consultant & Moderator, Vannes, France)

    Quote Originally Posted by dlochart View Post
    I know this has been addressed by someone and the Zimbra people should know anyway.
    Did you search the forums and the wiki for an answer?
    Regards

    Bill

  4. #4 dlochart (Advanced Member)

    Quote Originally Posted by phoenix View Post
    Did you search the forums and the wiki for an answer?
    Yes I did, that is why I posted to the forum. Maybe I should mention in my post that I have searched the forum and wiki so that people do not assume that I did not. That being said, I may not have searched with the proper criteria to get the solutions or approaches I need. Many of the forum responses seem to speak to an audience that deals with Active Directory / LDAP on a day-to-day basis. I have never messed with it, thus I am at a loss to interpret the posts properly.

    I currently have a domain that I was going to switch from Zimbra auth to Active Directory auth, but I remember reading a post about the admin account being lost or something if you do not do something with a command line tool. Since I can't recall nor find that thread, I decided to create a new Zimbra domain with GAL set to both and Auth set to Active Directory. I followed the wizard but things are not working and I do not know where to start.

    The new domain is called capeinternaltest (there is no existing AD domain by that name). The existing AD domain is called CapeTest. I have an account with god permissions (so I have been told)

    I copied and fixed this LDAP filter from the docs

    (|(cn = %s*)(sn=%s*)(gn=%s*)(mail=%s*))
    (zimbraMailDeliveryAddress = %s*)
    (zimbraMailAlias=%s*)
    (zimbraMailAddress = %s*)

    I searched and found this autocomplete filter from the forums
    (|(cn=%s*)(sn=%s*)(gn=%s*)(mail=%s*))

    This was in the ldap search base by default (which I do not know what it means)
    dc=capetestinternal,dc=com

    Then on the GAL settings it asks about using a DN/password to bind to the external server, so I entered my domain account info. I did it incorrectly at first and got an auth error. I added the @CapeTest to the end and it went further.

    The next page is ready for the test. At the bottom it asks for "Please provide a search term". Not really knowing what that meant, I guessed it was a part of a name to search for, so I used "test" as there is a test1 account in that domain.

    When I test I get the following exception:

    javax.naming.CommunicationException: Request: 2 cancelled; remaining name 'dc=capetestinternal,dc=com'
    at com.sun.jndi.ldap.LdapRequest.getReplyBer(LdapRequest.java:60)
    at com.sun.jndi.ldap.Connection.readReply(Connection.java:405)
    at com.sun.jndi.ldap.LdapClient.getSearchReply(LdapClient.java:611)
    at com.sun.jndi.ldap.LdapClient.search(LdapClient.java:534)
    at com.sun.jndi.ldap.LdapCtx.doSearch(LdapCtx.java:1944)
    at com.sun.jndi.ldap.LdapCtx.searchAux(LdapCtx.java:1806)
    at com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1731)
    at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_search(ComponentDirContext.java:368)
    at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:338)
    at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:321)
    at javax.naming.directory.InitialDirContext.search(InitialDirContext.java:248)
    at com.zimbra.cs.account.ldap.LdapUtil.searchLdapGal(LdapUtil.java:864)
    at com.zimbra.cs.account.ldap.Check.checkGalConfig(Check.java:188)
    at com.zimbra.cs.service.admin.CheckGalConfig.handle(CheckGalConfig.java:57)
    at com.zimbra.soap.SoapEngine.dispatchRequest(SoapEngine.java:261)
    at com.zimbra.soap.SoapEngine.dispatch(SoapEngine.java:162)
    at com.zimbra.soap.SoapEngine.dispatch(SoapEngine.java:84)
    at com.zimbra.soap.SoapServlet.doPost(SoapServlet.java:223)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:709)
    at com.zimbra.cs.servlet.ZimbraServlet.service(ZimbraServlet.java:173)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:802)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:252)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:178)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107)
    at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:541)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)
    at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:869)
    at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:667)
    at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:527)
    at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:80)
    at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:684)
    at java.lang.Thread.run(Thread.java:595)

    So now I am stuck (what does this mean?). Again, for understanding, I still need my basic question answered, and that is: what links a Zimbra account to an AD account? If I have this:

    test1@capeinternal.com as an email address in Zimbra and its common name is test1. Then I set up an AD account that is test1. What do I need to do (if anything, and assuming the domain is set to externally authenticate) to link the Zimbra account to the AD account, or is it linked based on the common name? What if the AD account was different? Say I wanted 3 different Zimbra accounts to authenticate against 1 AD account, how is that accomplished?

    I apologize for being such a neophyte in this. I am a Java/Linux developer, not a sysadmin, and all of this LDAP / Active Directory stuff is new to me.

    One more thing: the instance I am working on has its license expired. I have to reinstall onto production hardware and then apply our network license, but until the hardware is ready I am still testing against an expired test license. Could this be the cause of my failed connection?

    thanks

  5. #5 phoenix (Zimbra Consultant & Moderator, Vannes, France)

    Quote Originally Posted by dlochart View Post
    Yes I did that is why I posted to the forum. Maybe I should mention that I have searched the forum and WIKI in my post so that people do not assume that I did not.
    I wasn't assuming you hadn't but you'd be surprised how many people don't.

    OK, it's been a while since I used AD but here goes.

    Quote Originally Posted by dlochart View Post
    This was in the ldap search base by default (which I do not know what it means)
    dc=capetestinternal,dc=com
    This has to be a 'real' domain name where all the users live on the AD server. If this is the email address test1@capeinternal.com then it should be 'dc=capeinternal,dc=com' for the search base - that's where the domain name has been defined and where the search for a user will commence. See if that makes any difference to your setup.
    Regards

    Bill

  6. #6 dlochart (Advanced Member)

    Quote Originally Posted by phoenix View Post
    OK, it's been a while since I used AD but here goes.

    This has to be a 'real' domain name where all the users live on the AD server. If this is the email address test1@capeinternal.com then it should be 'dc=capeinternal,dc=com' for the search base - that's where the domain name has been defined and where the search for a user will commence. See if that makes any difference to your setup.
    I used RDP to log into the AD controller and I found out its true name is capetest.capecomputing.com. I assume Zimbra prefilled this info based on the new domain I am creating and assumed the backing AD domain would be the same. So would the search base be this:

    'dc=capetest.capecomputing,dc=com' OR

    'dc=capetest,dc=capecomputing,dc=com' ?

    I tried both flavors and I am still getting the same result. I am no longer getting that other exception (I changed to using an IP address for the Bind DN), however now I am getting check_AUTH_FAILED:

    javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C09030F, comment: AcceptSecurityContext error, data 525, vece

    Which I think is AUTH FAILED. Now this is just for the GAL.

    When I setup External Authentication the test works. However when I try to log in to my mail account for that new domain I keep getting authentication failed. The logs don't seem to provide enough answers. I can't tell any of the following:

    1) Is it failing because it can't find the associated account in AD
    2) Is it trying to authenticate against something else
    3) Is it a comm error

    That's why I wish I knew how the accounts were being linked. What is the LDAP connection used to link Zimbra accounts to authenticate against AD accounts? Is it common name, or a combination of several other LDAP attributes? Is there a command line tool that I can test with (maybe ldapsearch) that will let me authenticate to the domain from the Zimbra box, just to narrow my search down?

    thanks again for helping phoenix.
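    The three things the post above is unsure about (what the search base for capetest.capecomputing.com should look like, what the %s in the GAL filter does with the search term, and what "error code 49 ... data 525" means) can all be checked without touching Zimbra. The helper below is an added example for this thread; it is not code from the original posts or from Zimbra. It derives the default AD base DN from the controller's DNS name (one DC= component per label), substitutes the search term into the filter with RFC 4515 escaping so a term containing `*`, `(` or `)` cannot rewrite the filter (LDAP filter injection), decodes the AcceptSecurityContext sub-code that AD appends to a bind failure (data 525 is "user not found", i.e. the bind DN or UPN does not exist, as distinct from 52e for a wrong password), and builds the ldapsearch command line that reproduces the GAL test from the Zimbra box. The host name dc01.capetest.capecomputing.com and the bind account doug@capetest.capecomputing.com are made-up sample values.

```python
"""Checks for an Active Directory-backed Zimbra GAL / external-auth setup.

Added example, not part of the original thread or of Zimbra. Host and
bind account in the demo at the bottom are made-up sample values.
"""
import re
import shlex

# Sub-codes AD appends as "AcceptSecurityContext error, data NNN" to an
# LDAP error 49 (invalidCredentials) bind failure. Well-known values.
AD_BIND_DATA_CODES = {
    "525": "user not found: the bind DN / UPN does not exist in this forest",
    "52e": "invalid credentials: the account exists but the password is wrong",
    "530": "not permitted to log on at this time",
    "531": "not permitted to log on from this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must change password at next logon",
    "775": "account locked out",
}

# Characters RFC 4515 requires to be hex-escaped inside a filter value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def dns_domain_to_base_dn(dns_domain):
    """'capetest.capecomputing.com' -> 'DC=capetest,DC=capecomputing,DC=com'.

    AD names its default naming context with one DC= component per DNS
    label; a single 'DC=capetest.capecomputing' component is not valid.
    """
    labels = [label for label in dns_domain.strip().strip(".").split(".") if label]
    if not labels:
        raise ValueError("empty DNS domain")
    return ",".join("DC=" + label for label in labels)


def escape_filter_value(value):
    """Escape a user-supplied value before it goes into a search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_gal_filter(template, search_term):
    """Replace every %s in a Zimbra-style GAL filter with the escaped term.

    The trailing '*' written in the template (cn=%s*) is the intended
    prefix wildcard; any '*', '(' or ')' typed by the user is escaped so
    '(|(cn=%s*)...)' cannot be turned into a different filter.
    """
    return template.replace("%s", escape_filter_value(search_term))


def decode_ad_bind_error(message):
    """Return the reason behind an AD 'error code 49' bind failure, or
    None when the message carries no AcceptSecurityContext sub-code."""
    m = re.search(r"AcceptSecurityContext error, data ([0-9a-fA-F]{3})", message)
    if not m:
        return None
    code = m.group(1).lower()
    return AD_BIND_DATA_CODES.get(code, "unknown sub-code %s" % code)


def ldapsearch_command(host, bind_dn, base_dn, ldap_filter, attrs=("cn", "mail")):
    """Build the ldapsearch invocation that reproduces Zimbra's GAL test.

    -x is a simple bind; -W prompts for the password so it never lands
    in argv or shell history.
    """
    argv = ["ldapsearch", "-x", "-H", "ldap://%s" % host, "-D", bind_dn,
            "-W", "-b", base_dn, ldap_filter] + list(attrs)
    return " ".join(shlex.quote(a) for a in argv)


if __name__ == "__main__":
    base = dns_domain_to_base_dn("capetest.capecomputing.com")
    flt = build_gal_filter("(|(cn=%s*)(sn=%s*)(gn=%s*)(mail=%s*))", "test")
    # Sample host and bind account; substitute your own.
    print(ldapsearch_command("dc01.capetest.capecomputing.com",
                             "doug@capetest.capecomputing.com", base, flt))
    print(decode_ad_bind_error(
        "[LDAP: error code 49 - 80090308: LdapErr: DSID-0C09030F, "
        "comment: AcceptSecurityContext error, data 525, vece"))
```

    Run it on the Zimbra box and paste the printed ldapsearch line into a shell: if the bind fails, the data sub-code in the error tells you whether the bind DN is wrong (525) or the password is (52e); if the bind succeeds but nothing comes back, the base DN or filter is the problem, not authentication.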

  7. #7 phoenix (Zimbra Consultant & Moderator, Vannes, France)

    OK, the easiest thing to do is have a look at this page in the wiki:

    http://wiki.zimbra.com/index.php?tit...tive_Directory

    That tells you how to find the DN of a user; it will be any user that you want to authenticate in the AD. That gives you the correct details for the search base, but post here if you still have problems.
    Regards

    Bill

  8. #8 dlochart (Advanced Member)

    Quote Originally Posted by phoenix View Post
    OK, the easiest thing to do is have a look at this page in the wiki:

    http://wiki.zimbra.com/index.php?tit...tive_Directory

    that tells you how to find the DN of a user, it will be any user that you want to authenticate in the AD. That gives you the correct details for the search base but post here if you still have problems.
    I had read that prior to my post, but it did not make any sense to me. I am still unsure, but after I was able to get to the AD controller and run that command I see that the DN is something strange like

    CN=doug,CN=users,DC=capetest,DC=capecomputing,DC=com

    I stuck it in there and at least it worked (well, it did not fail) after I added a few entries to my /etc/hosts.

    So the test went successfully but nothing was returned. Well, at least it's not failing.

    I also seem to have one account authenticating with the AD server but not the other. That may be an issue with the way the account is in AD.

    I will start a new thread to ask my remaining questions so as not to cloud it up with this one.

    Bill ... thanks again for pointing me back to that wiki page. Also, I believe a Tomcat restart helped me get the AD auth working.
