Thread: LDAP Authentication issue

  1. #1
    premoddev, Loyal Member

    LDAP Authentication issue

    Hi all,

    I am configuring Zimbra-4.0.4 on CentOS-4.4, and I am trying to use the existing LDAP database of my SAMBA PDC for authentication. But some users cannot log in using the existing LDAP credentials given by the Samba LDAP database, while it is working fine for some other users. I have used the LDAP search filter "(&(cn=%u)(objectClass=sambaSamAccount))". I have checked the credentials of both types of users and I found that the users whose password encryption algorithm is "{SSHA}" are working and others like "{Crypt} x" are not working. Can anyone please say how to rectify this issue through Zimbra?

    I am attaching the error log generated when I checked LDAP authentication for a user:

    javax.naming.AuthenticationException: [LDAP: error code 49 - Invalid Credentials]
    at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:2985)
    at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2931)
    at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2732)
    at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2646)
    at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:283)
    at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:175)
    at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:193)
    at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:136)
    at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:66)
    at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:667)
    at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:247)
    at javax.naming.InitialContext.init(InitialContext.java:223)
    at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:134)
    at com.zimbra.cs.account.ldap.LdapUtil.ldapAuthenticate(LdapUtil.java:248)
    at com.zimbra.cs.account.ldap.LdapUtil.ldapAuthenticate(LdapUtil.java:286)
    at com.zimbra.cs.account.ldap.Check.checkAuthConfig(Check.java:153)
    at com.zimbra.cs.service.admin.CheckAuthConfig.handle(CheckAuthConfig.java:53)
    at com.zimbra.soap.SoapEngine.dispatchRequest(SoapEngine.java:261)
    at com.zimbra.soap.SoapEngine.dispatch(SoapEngine.java:162)
    at com.zimbra.soap.SoapEngine.dispatch(SoapEngine.java:84)
    at com.zimbra.soap.SoapServlet.doPost(SoapServlet.java:223)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:709)
    at com.zimbra.cs.servlet.ZimbraServlet.service(ZimbraServlet.java:173)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:802)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:252)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:178)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107)
    at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:541)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)
    at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:869)
    at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:667)
    at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:527)
    at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:80)
    at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:684)
    at java.lang.Thread.run(Thread.java:595)


    Thanks in advance

    Premoddev.k.v
    Last edited by premoddev; 12-21-2006 at 05:41 AM. Reason: attaching error logs

  2. #2
    schemers, Zimbra Employee

    Judging by the code path in the stack (LdapUtil.java:248), it is indeed passing the username/password off to your LDAP server to do a bind. Can you turn on any extra logging in your LDAP server to see if the request looks OK?

  3. #3
    premoddev, Loyal Member

    LDAP server logs

    Hi Schemers,

    As per your mail I am attaching the server log of my LDAP server:

    Dec 22 10:14:54 db slapd[6294]: conn=5 op=6 SRCH base="ou=users,dc=mobiapps,dc=com" scope=2 deref=3 filter="(&(cn=srikanth)(objectClass=sambaSamAccount))"
    Dec 22 10:14:54 db slapd[6294]: conn=5 op=6 SEARCH RESULT tag=101 err=0 nentries=1 text=
    Dec 22 10:14:54 db slapd[6294]: conn=29 fd=13 ACCEPT from IP=172.16.1.156:33566 (IP=0.0.0.0:389)
    Dec 22 10:14:54 db slapd[6294]: conn=29 op=0 BIND dn="uid=srikanth,ou=Users,dc=mobiapps,dc=com" method=128
    Dec 22 10:14:54 db slapd[6294]: conn=29 op=0 RESULT tag=97 err=49 text=
    Dec 22 10:14:54 db slapd[6294]: conn=29 fd=13 closed

    With the same username and password that user is able to log in to the SAMBA domain. Please help me...

    best regards,
    premoddev
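
The BIND and RESULT lines in the log above can be paired mechanically. This added example (not part of the original posts) parses the posted slapd lines and reports each failed bind with its DN, bind method and client address; the function and variable names are the example's own.

```python
import re

# The slapd lines posted above, embedded so the example runs offline
# (the space the forum inserted into "sambaSamAccount" is removed).
SAMPLE_LOG = '''\
Dec 22 10:14:54 db slapd[6294]: conn=5 op=6 SRCH base="ou=users,dc=mobiapps,dc=com" scope=2 deref=3 filter="(&(cn=srikanth)(objectClass=sambaSamAccount))"
Dec 22 10:14:54 db slapd[6294]: conn=5 op=6 SEARCH RESULT tag=101 err=0 nentries=1 text=
Dec 22 10:14:54 db slapd[6294]: conn=29 fd=13 ACCEPT from IP=172.16.1.156:33566 (IP=0.0.0.0:389)
Dec 22 10:14:54 db slapd[6294]: conn=29 op=0 BIND dn="uid=srikanth,ou=Users,dc=mobiapps,dc=com" method=128
Dec 22 10:14:54 db slapd[6294]: conn=29 op=0 RESULT tag=97 err=49 text=
Dec 22 10:14:54 db slapd[6294]: conn=29 fd=13 closed
'''

LINE = re.compile(r"slapd\[\d+\]: conn=(\d+) (?:op=(\d+)|fd=\d+) (.*)$")
ACCEPT = re.compile(r"ACCEPT from IP=([\d.]+):\d+")
BIND = re.compile(r'BIND dn="([^"]*)" method=(\d+)')
BIND_RESULT = re.compile(r"RESULT tag=97 err=(\d+)")  # tag 97 = BindResponse


def failed_binds(log_text):
    """Pair each BIND with its RESULT and return the binds that failed."""
    clients = {}   # conn id -> client IP taken from the ACCEPT line
    pending = {}   # (conn, op) -> (dn, method) still awaiting a RESULT
    failures = []
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        conn, op, rest = m.groups()
        if (a := ACCEPT.match(rest)):
            clients[conn] = a.group(1)
        elif (b := BIND.match(rest)):
            pending[(conn, op)] = (b.group(1), int(b.group(2)))
        elif (r := BIND_RESULT.match(rest)) and (conn, op) in pending:
            dn, method = pending.pop((conn, op))
            if int(r.group(1)) != 0:
                failures.append({
                    "dn": dn,
                    "simple_bind": method == 128,  # 128 = simple (password) bind
                    "err": int(r.group(1)),        # 49 = invalidCredentials
                    "client": clients.get(conn),
                })
    return failures


if __name__ == "__main__":
    for failure in failed_binds(SAMPLE_LOG):
        print(failure)
```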

  4. #4
    schemers, Zimbra Employee

    Not sure. Error 49 is invalid credentials:

    http://www.directory-info.com/LDAP/LDAPErrorCodes.html

    ------

    LDAP_INVALID_CREDENTIALS: Indicates that during a bind operation one of the following occurred:

    The client passed either an incorrect DN or password.
    The password is incorrect because it has expired, intruder detection has locked the account, or some other similar reason.

    ------

    You might want to poke around in the google search results of "ldap err=49".

  5. #5
    premoddev, Loyal Member

    ldap login issues

    Hi schemers,

    If the credentials are invalid, how can users log in through SAMBA? All my users are able to log in to the domain. And one more thing is that those users who are unable to log in through Zimbra have the password algorithm "Crypt" (userPassword: {crypt}x) and that of the others is "SSHA" (userPassword: {SSHA}yfX0GnKBJILh7aP3eCUbhOyOxv9tT0tZ). And one more thing is that if I change the algorithm from Crypt to SSHA using phpLDAPadmin, it is still not working. Kindly advise.

    Regards
    Premoddev.k.v
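
An added example, not part of the original posts: it classifies `userPassword` values by scheme, checks a candidate password against an `{SSHA}` value the way a simple bind would, and shows that `{crypt}x` is a placeholder that no password can match. The function names and sample entries are constructed for illustration.

```python
import base64
import hashlib
import hmac


def make_ssha(password: bytes, salt: bytes) -> str:
    """Build an {SSHA} value: base64(SHA1(password + salt) + salt)."""
    digest = hashlib.sha1(password + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def split_scheme(value: str):
    """Split '{SCHEME}data' into (SCHEME, data); no prefix means cleartext."""
    if value.startswith("{") and "}" in value:
        scheme, data = value[1:].split("}", 1)
        return scheme.upper(), data
    return "CLEARTEXT", value


def check_user_password(stored: str, candidate: bytes):
    """Return (status, detail) for a candidate password against userPassword."""
    scheme, data = split_scheme(stored)
    if scheme == "SSHA":
        try:
            raw = base64.b64decode(data, validate=True)
        except ValueError:
            return "malformed", "SSHA value is not valid base64"
        if len(raw) <= 20:
            return "malformed", "SSHA value has no salt after the 20-byte digest"
        digest, salt = raw[:20], raw[20:]
        ok = hmac.compare_digest(hashlib.sha1(candidate + salt).digest(), digest)
        return ("match" if ok else "mismatch"), f"SSHA with {len(salt)}-byte salt"
    if scheme == "CRYPT":
        # The shortest crypt(3) output (traditional DES) is 13 characters.
        if len(data) < 13:
            return "unusable", "placeholder, not a crypt(3) hash: no password matches"
        return "unchecked", "crypt(3) hash: verify with the directory host's crypt()"
    return "unchecked", f"scheme {scheme} is not handled in this example"


# Constructed sample entries (not taken from the thread's directory).
SAMPLE = {
    "uid=alice": make_ssha(b"Example-Pass1", b"\x01\x02\x03\x04"),
    "uid=bob": "{crypt}x",
}

if __name__ == "__main__":
    for dn, stored in SAMPLE.items():
        print(dn, check_user_password(stored, b"Example-Pass1"))
```

Samba's LDAP backend validates domain logons against the `sambaNTPassword` attribute rather than `userPassword`, so a domain logon can succeed for an entry whose `userPassword` is a placeholder.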

  6. #6
    schemers, Zimbra Employee

    Sorry, not sure what else to try. If the bind dn in your logs looks correct but you are getting error 49, it is most likely some sort of configuration issue on your end. All Zimbra is doing is attempting to bind to that dn using the supplied password. If it works with some of your accounts but not others, then it is definitely an issue with your LDAP servers. Could be a configuration issue, could be some sort of password hashing issue, not sure.

  7. #7
    premoddev, Loyal Member

    Remote & Local LDAP authentication

    Hi,

    Can anyone please say whether it is possible to authenticate some users against the local Zimbra LDAP database and some other users against the external LDAP database simultaneously? My server is using external LDAP for authentication. To get local authentication for a user I have tried "zmprov ma user@domain.com zimbraAuthFallbackToLocal TRUE". But I got the following error:

    " ERROR: service.INVALID_REQUEST (invalid request: LDAP schema violation: [LDAP: error code 65 - attribute 'zimbraAuthFallbackToLocal' not allowed])"

    Please help me

    regards

    Premoddev.k.v

  8. #8
    phoenix, Zimbra Consultant & Moderator

    You've already posted elsewhere about the zmprov command not working in that format, it should be:
    Code:
    zmprov md <domain> zimbraAuthFallbackToLocal TRUE
    where <domain> is your domain name NOT an account.
    Regards

    Bill
