Zimbra - Forums > Zimbra Collaboration Suite > Administrators
#1  12-16-2006, 07:41 PM  Advanced Member
Active Directory / Email Address Authentication Question

I am a novice with LDAP and Active Directory so this may be basic but I do not know it and I need to test it.

We will be using AD for our terminal services deployment. The users will be set up in AD. They currently have Exchange profiles in another Exchange server that we will be migrating from using the Outlook plugin. Once the profiles are migrated to Zimbra, how do we point their newly created email accounts (that were migrated) to be authenticated by the AD accounts? I have a feeling that the Outlook migration will create local auth user accounts and we won't be able to match each user account with an AD auth account.

If it is possible to match, do the Zimbra email account names need to match the AD account names, or is there a way to link these for authentication?

Thanks in advance
#2  12-19-2006, 08:05 AM  Advanced Member
Come on now !!

I know this has been addressed by someone and the Zimbra people should know anyway.

I have a feeling that it needs to be addressed via the properties in LDAP, but since docs covering the guts of Zimbra are lacking IMHO and I am new to LDAP, I am asking for assistance. If this is covered somewhere please point me in the right direction.

thanks
#3  12-19-2006, 08:42 AM  Zimbra Consultant & Moderator

Quote (Originally Posted by dlochart):
I know this has been addressed by someone and the Zimbra people should know anyway.
Did you search the forums and the wiki for an answer?
Regards,
Bill

#4  12-19-2006, 09:32 AM  Advanced Member

Quote (Originally Posted by phoenix):
Did you search the forums and the wiki for an answer?

Yes I did, that is why I posted to the forum. Maybe I should mention that I have searched the forum and WIKI in my post so that people do not assume that I did not. That being said, I may not have searched with the proper criteria to get the solutions or approaches I need. Many of the forum responses seem to speak to an audience that deals with Active Directory / LDAP on a day to day basis. I have never messed with it, thus I am at a loss to interpret the posts properly.

I currently have a domain that I was going to switch from Zimbra auth to Active Directory auth, but I remember reading a post about the admin account being lost or something if you do not do something with a command line tool. Since I can't recall nor find that thread, I decided to create a new Zimbra domain with GAL set to both and Auth set to Active Directory. I followed the wizard but things are not working and I do not know where to start.

The new domain is called capeinternaltest (there is no existing AD domain by that name). The existing AD domain is called CapeTest. I have an account with god permissions (so I have been told).

I copied and fixed this LDAP filter from the docs:

(|(cn=%s*)(sn=%s*)(gn=%s*)(mail=%s*))
(zimbraMailDeliveryAddress=%s*)
(zimbraMailAlias=%s*)
(zimbraMailAddress=%s*)

I searched and found this autocomplete filter from the forums:
(|(cn=%s*)(sn=%s*)(gn=%s*)(mail=%s*))

This was in the LDAP search base by default (which I do not know what it means):
dc=capetestinternal,dc=com

Then on the GAL settings it asks about using DN/password to bind to the external server, so I entered my domain account info. I did it incorrectly at first and got an auth error. I added the @CapeTest to the end and it went further.

The next page is ready for the test. At the bottom it asks for "Please provide a search term". Not really knowing what that meant, I guessed it was part of a name to search for, so I used "test" as there is a test1 account in that domain.

When I test I get the following exception:

javax.naming.CommunicationException: Request: 2 cancelled; remaining name 'dc=capetestinternal,dc=com'
    at com.sun.jndi.ldap.LdapRequest.getReplyBer(LdapRequest.java:60)
    at com.sun.jndi.ldap.Connection.readReply(Connection.java:405)
    at com.sun.jndi.ldap.LdapClient.getSearchReply(LdapClient.java:611)
    at com.sun.jndi.ldap.LdapClient.search(LdapClient.java:534)
    at com.sun.jndi.ldap.LdapCtx.doSearch(LdapCtx.java:1944)
    at com.sun.jndi.ldap.LdapCtx.searchAux(LdapCtx.java:1806)
    at com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1731)
    at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_search(ComponentDirContext.java:368)
    at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:338)
    at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:321)
    at javax.naming.directory.InitialDirContext.search(InitialDirContext.java:248)
    at com.zimbra.cs.account.ldap.LdapUtil.searchLdapGal(LdapUtil.java:864)
    at com.zimbra.cs.account.ldap.Check.checkGalConfig(Check.java:188)
    at com.zimbra.cs.service.admin.CheckGalConfig.handle(CheckGalConfig.java:57)
    at com.zimbra.soap.SoapEngine.dispatchRequest(SoapEngine.java:261)
    at com.zimbra.soap.SoapEngine.dispatch(SoapEngine.java:162)
    at com.zimbra.soap.SoapEngine.dispatch(SoapEngine.java:84)
    at com.zimbra.soap.SoapServlet.doPost(SoapServlet.java:223)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:709)
    at com.zimbra.cs.servlet.ZimbraServlet.service(ZimbraServlet.java:173)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:802)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:252)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:178)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107)
    at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:541)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)
    at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:869)
    at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:667)
    at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:527)
    at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:80)
    at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:684)
    at java.lang.Thread.run(Thread.java:595)

So now I am stuck (what does this mean?). Again, for understanding, I still need my basic question answered, and that is: what links a Zimbra account to an AD account? If I have this:

test1@capeinternal.com as an email address in Zimbra, and its common name is test1. Then I set up an AD account that is test1. What do I need to do (if anything, and assuming the domain is set to externally authenticate) to link the Zimbra account to the AD account, or is it linked based on the common name? What if the AD account was different? Say I wanted 3 different Zimbra accounts to authenticate against 1 AD account; how is that accomplished?

I apologize for being such a neophyte in this. I am a Java/Linux developer, not a sys admin, and all of this LDAP / Active Directory stuff is new to me.

One more thing: the instance I am working on has its license expired. I have to reinstall onto production hardware and then apply our network license, but until the hardware is ready I am still testing against an expired test license. Could this be the cause of my failed connection?

thanks
#5  12-19-2006, 10:01 AM  Zimbra Consultant & Moderator

Quote (Originally Posted by dlochart):
Yes I did, that is why I posted to the forum. Maybe I should mention that I have searched the forum and WIKI in my post so that people do not assume that I did not.
I wasn't assuming you hadn't but you'd be surprised how many people don't.

OK, it's been a while since I used AD but here goes.

Quote (Originally Posted by dlochart):
This was in the LDAP search base by default (which I do not know what it means):
dc=capetestinternal,dc=com
This has to be a 'real' domain name where all the users live on the AD server. If this is the email address test1@capeinternal.com then it should be 'dc=capeinternal,dc=com' for the search base - that's where the domain name has been defined and where the search for a user will commence. See if that makes any difference to your setup.
Regards,
Bill

#6  12-19-2006, 10:29 AM  Advanced Member

Quote (Originally Posted by phoenix):
OK, it's been a while since I used AD but here goes.

This has to be a 'real' domain name where all the users live on the AD server. If this is the email address test1@capeinternal.com then it should be 'dc=capeinternal,dc=com' for the search base - that's where the domain name has been defined and where the search for a user will commence. See if that makes any difference to your setup.
I used RDP to log into the AD controller and I found out its true name is capetest.capecomputing.com. I assume Zimbra prefilled this info based on the new domain I am creating and assumed the backing AD domain would be the same. So would the search base be this:

'dc=capetest.capecomputing,dc=com' OR

'dc=capetest,dc=capecomputing,dc=com' ?

I tried both flavors and I am still getting the same result. I am no longer getting that other exception (I changed to using an IP address for the Bind DN); however, now I am getting check_AUTH_FAILED:

javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C09030F, comment: AcceptSecurityContext error, data 525, vece

Which I think is AUTH FAILED. Now this is just for the GAL.

When I setup External Authentication the test works. However when I try to log in to my mail account for that new domain I keep getting authentication failed. The logs don't seem to provide enough answers. I can't tell any of the following:

1) Is it failing because it can't find the associated account in AD
2) Is it trying to authenticate against something else
3) Is it a comm error

That's why I wish I knew how the accounts were being linked. What is the LDAP connection used to link Zimbra accounts to authenticate against AD accounts? Is it common name, or a combination of several other LDAP attributes? Is there a command line tool that I can test with (maybe ldapsearch) that will let me authenticate to the domain from the Zimbra box, just to narrow my search down?

thanks again for helping phoenix.
#7  12-19-2006, 10:41 AM  Zimbra Consultant & Moderator
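The kind of command-line check dlochart asks for in post #6, as an added Python example that is not from the thread or from Zimbra: it classifies the AD "data 525" sub-code in the quoted error (Microsoft's documented sub-codes; 525 means the account was not found, which answers question 1 above), applies the DNS-label-to-dc= rule phoenix gives for the search base, and assembles the OpenLDAP ldapsearch call to verify bind DN and search base from the Zimbra box. The host name is a placeholder and matching on sAMAccountName is an assumption.

```python
import re
# Added example, not Zimbra code. Documented AD sub-codes that follow "data" in
# an LDAP result-49 (AcceptSecurityContext) diagnostic message.
AD_BIND_SUBCODES = {
    "525": "user not found: the bind DN or account does not exist in this AD",
    "52e": "invalid credentials: account exists, password rejected",
    "530": "logon not permitted at this time",
    "531": "logon not permitted from this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}
_DATA_RE = re.compile(r"\bdata\s+([0-9a-fA-F]{3})\b")

def search_base_for(dns_domain: str) -> str:
    """capetest.capecomputing.com -> dc=capetest,dc=capecomputing,dc=com:
    one dc= component per DNS label, never a dotted label."""
    labels = [p for p in dns_domain.strip().lower().split(".") if p]
    if not labels:
        raise ValueError("empty domain name")
    return ",".join(f"dc={p}" for p in labels)

def decode_ad_bind_error(message: str) -> str:
    """Name the cause behind an AD 'error code 49 ... data NNN' message."""
    if "error code 49" not in message:
        return "not an LDAP invalid-credentials (49) error"
    m = _DATA_RE.search(message)
    if m is None:
        return "LDAP error 49 (invalid credentials), no AD sub-code present"
    code = m.group(1).lower()
    return AD_BIND_SUBCODES.get(code, f"LDAP error 49, unknown AD sub-code {code}")

def ldapsearch_argv(host: str, bind_dn: str, base: str, account: str) -> list:
    """OpenLDAP ldapsearch call: simple bind (-x) as bind_dn, password prompted
    (-W), one sAMAccountName looked up under base. The account value is escaped
    per RFC 4515 so user input cannot change the filter."""
    esc = account.replace("\\", r"\5c").replace("*", r"\2a")
    esc = esc.replace("(", r"\28").replace(")", r"\29")
    return ["ldapsearch", "-x", "-H", f"ldap://{host}", "-D", bind_dn, "-W",
            "-b", base, f"(sAMAccountName={esc})", "dn", "sAMAccountName", "mail"]

if __name__ == "__main__":
    # The diagnostic string quoted in post #6, classified; host is a placeholder.
    msg = ("[LDAP: error code 49 - 80090308: LdapErr: DSID-0C09030F, "
           "comment: AcceptSecurityContext error, data 525, vece")
    print(decode_ad_bind_error(msg))
    base = search_base_for("capetest.capecomputing.com")
    print(" ".join(ldapsearch_argv("ad-host.example", f"CN=doug,CN=users,{base}", base, "test1")))
```

If the ldapsearch bind itself fails with error 49, the sub-code tells you whether the bind DN is wrong (525) or only its password (52e), which separates the GAL bind problem from a missing user before you touch the Zimbra side.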

OK, the easiest thing to do is have a look at this page in the wiki:

http://wiki.zimbra.com/index.php?tit...tive_Directory

That tells you how to find the DN of a user; it will be any user that you want to authenticate in the AD. That gives you the correct details for the search base, but post here if you still have problems.
Regards,
Bill

#8  12-19-2006, 11:40 AM  Advanced Member

Quote (Originally Posted by phoenix):
OK, the easiest thing to do is have a look at this page in the wiki:

http://wiki.zimbra.com/index.php?tit...tive_Directory

That tells you how to find the DN of a user; it will be any user that you want to authenticate in the AD. That gives you the correct details for the search base, but post here if you still have problems.
I had read that prior to my post but it did not make any sense to me. I am still unsure, but after I was able to get to the AD controller and run that command I see that the DN is something strange like

CN=doug,CN=users,DC=capetest,DC=capecomputing,DC=com

I stuck it in there and at least it worked (well, it did not fail) after I added a few entries to my /etc/hosts.

So the test went successfully but nothing was returned. Well, at least it's not failing.

I also seem to have one account authenticating with the AD server but not the other. That may be an issue with the way the account is in AD.

I will start a new thread to ask my remaining questions so as not to cloud it up with this one.

Bill ... thanks again for pointing me back to that WIKI page. Also, I believe a Tomcat restart helped me get the AD auth working.