
Thread: Has anybody successfully integrated sssd and zimbra ldap?

  1. #1
    skuran, Junior Member

    Has anybody successfully integrated sssd and zimbra ldap?

    Hi,

    I searched the admins forum for "sssd" and found nothing. I am trying to authenticate my users against LDAP to log in to my application server through SSH. The new way, instead of pam_ldap, for RHEL 6 or CentOS 6 is "The System Security Services Daemon" (what a name!!), sssd for short.

    I wonder whether anyone has succeeded in setting up a working Zimbra LDAP + sssd. I followed this post to set up the config files. Here are my config files:

    # cat /etc/sssd/sssd.conf
    [sssd]
    config_file_version = 2
    services = nss,pam
    debug_level = 0xFFF0
    enumerate = true
    domains = mydomain
    [nss]
    filter_users = root,ldap,named,avahi,haldaemon,dbus,radiusd,news, nscd
    [pam]
    [domain/mydomain]
    id_provider = ldap
    auth_provider = ldap
    ldap_schema = rfc2307
    ldap_id_use_start_tls = true
    ldap_tls_reqcert = allow
    ldap_uri = ldap://mail.mydomain.org.tr
    ldap_search_base = ou=people,dc=mydomain,dc=org,dc=tr
    ldap_default_bind_dn = uid=zimbra,cn=admins,cn=zimbra
    ldap_default_authtok_type = password
    ldap_default_authtok = zmldappassword
    ldap_user_object_class = zimbraAccount

    # cat /etc/nsswitch.conf
    #
    # /etc/nsswitch.conf
    passwd: files sss
    shadow: files sss
    group: files sss

    hosts: files dns
    ...
    ...

    I configured Zimbra LDAP to log debug messages; the following is written to the log when I run the command "id zmtest" on my app server console.

    Jun 25 10:37:52 posta slapd[24785]: conn=1118 fd=18 ACCEPT from IP=192.168.55.38:42222 (IP=192.168.55.34:389)
    Jun 25 10:37:52 posta slapd[24785]: conn=1118 op=0 EXT oid=1.3.6.1.4.1.1466.20037
    Jun 25 10:37:52 posta slapd[24785]: conn=1118 op=0 STARTTLS
    Jun 25 10:37:52 posta slapd[24785]: conn=1118 op=0 RESULT oid= err=0 text=
    Jun 25 10:37:52 posta slapd[24785]: conn=1118 fd=18 TLS established tls_ssf=256 ssf=256
    Jun 25 10:37:52 posta slapd[24785]: conn=1118 op=1 SRCH base="" scope=0 deref=0 filter="(objectClass=*)"
    Jun 25 10:37:52 posta slapd[24785]: conn=1118 op=1 SRCH attr=* altServer namingContexts supportedControl supportedExtension supportedFeatures supportedLDAPVersion supportedSASLMechanisms domainControllerFunctionality defaultNamingContext lastUSN highestCommittedUSN
    Jun 25 10:37:52 posta slapd[24785]: conn=1118 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
    Jun 25 10:37:52 posta slapd[24785]: conn=1118 op=2 BIND dn="uid=zimbra,cn=admins,cn=zimbra" method=128
    Jun 25 10:37:52 posta slapd[24785]: slap_global_control: unrecognized control: 1.3.6.1.4.1.42.2.27.8.5.1
    Jun 25 10:37:52 posta slapd[24785]: conn=1118 op=2 BIND dn="uid=zimbra,cn=admins,cn=zimbra" mech=SIMPLE ssf=0
    Jun 25 10:37:52 posta slapd[24785]: conn=1118 op=2 RESULT tag=97 err=0 text=
    Jun 25 10:37:52 posta slapd[24785]: conn=1118 op=3 SRCH base="ou=people,dc=mydomain,dc=org,dc=tr" scope=2 deref=0 filter="(&(uid=zmtest)(objectClass=zimbraAccount)) "
    Jun 25 10:37:52 posta slapd[24785]: conn=1118 op=3 SRCH attr=objectClass uid userPassword uidNumber gidNumber gecos homeDirectory loginShell krbPrincipalName cn modifyTimestamp modifyTimestamp shadowLastChange shadowMin shadowMax shadowWarning shadowInactive shadowExpire shadowFlag krbLastPwdChange krbPasswordExpiration pwdAttribute authorizedService accountExpires userAccountControl nsAccountLock host loginDisabled loginExpirationTime loginAllowedTimeMap
    Jun 25 10:37:52 posta slapd[24785]: conn=1118 op=3 SEARCH RESULT tag=101 err=0 nentries=1 text=


    sssd can query Zimbra LDAP! Wow! But the output of "id zmtest" is "No such user" instead of some id representing the LDAP user. Also the "getent passwd zmtest" command returns nothing.

    But ldapsearch from the console of the app server returns the attributes of user zmtest:
    #ldapsearch -ZZZ -x -h mail.mydomain.org.tr -D uid=zimbra,cn=admins,cn=zimbra -Lb ou=people,dc=mydomain,dc=org,dc=tr -w zmldappassword "(&(uid=zmtest)(objectClass=zimbraAccount))"
    #
    # LDAPv3
    # base <ou=people,dc=mydomain,dc=org,dc=tr> with scope subtree
    # filter: (&(uid=zmtest)(objectClass=zimbraAccount))
    # requesting: ALL
    #

    # zmtest, people, mydomain.org.tr
    dn: uid=zmtest,ou=people,dc=mydomain,dc=org,dc=tr
    sn: Test
    zimbraMailStatus: enabled
    zimbraHideInGal: TRUE
    zimbraAccountStatus: active
    givenName: Zimbra
    displayName: Zimbra Test
    objectClass: inetOrgPerson
    objectClass: zimbraAccount
    objectClass: amavisAccount
    zimbraId: fbe94f4b-0947-4562-8370-33c69dde38f6
    zimbraCreateTimestamp: 20130625073304Z
    zimbraCOSId: 0dcff573-b04f-40f7-95ec-e00705696ea2
    zimbraMailHost: mail.mydomain.org.tr
    zimbraMailTransport: lmtp:mail.mydomain.org.tr:7025
    zimbraMailDeliveryAddress: zmtest@mydomain.org.tr
    mail: zmtest@mydomain.org.tr
    cn: Zimbra Test
    uid: zmtest
    userPassword:: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    zimbraPasswordModifiedTime: 20130625073304Z

    # search result

    # numResponses: 2
    # numEntries: 1



    If you are still reading, you might have experienced a similar LDAP integration case. Please comment.

    Best regards
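    An added example, not part of skuran's post or of sssd or Zimbra, that reads the sssd.conf above and flags the settings a security reviewer would question before copying it: ldap_tls_reqcert = allow (sssd then never verifies the server certificate, so an on-path attacker can terminate the STARTTLS session and capture the bind), the bind password stored in clear in the file, the bind DN uid=zimbra,cn=admins,cn=zimbra (Zimbra's LDAP superuser, so whoever reads the file or compromises the app server can rewrite the whole directory) and enumerate = true. It also writes a hardened counterpart. The read-only bind DN uid=sssd-ro,cn=appaccts,cn=zimbra and the CA bundle path /etc/pki/tls/certs/ca-bundle.crt are assumptions chosen for illustration; sss_obfuscate is the sssd-tools command that fills in an obfuscated_password authtok, which only keeps the secret out of casual view (it is reversible), so the file still has to stay root:root 0600.

```python
"""Lint the posted sssd.conf for weak LDAP-client settings and emit a hardened
copy.  Added example; the config text below is the one posted in the thread
with the secret redacted, and the hardened values are this example's
suggestions, not Zimbra's or sssd's defaults."""
import configparser
import io

# Constructed sample: the /etc/sssd/sssd.conf from post #1, authtok redacted.
POSTED_CONF = """\
[sssd]
config_file_version = 2
services = nss,pam
debug_level = 0xFFF0
enumerate = true
domains = mydomain

[nss]
filter_users = root,ldap,named,avahi,haldaemon,dbus,radiusd,news,nscd

[pam]

[domain/mydomain]
id_provider = ldap
auth_provider = ldap
ldap_schema = rfc2307
ldap_id_use_start_tls = true
ldap_tls_reqcert = allow
ldap_uri = ldap://mail.mydomain.org.tr
ldap_search_base = ou=people,dc=mydomain,dc=org,dc=tr
ldap_default_bind_dn = uid=zimbra,cn=admins,cn=zimbra
ldap_default_authtok_type = password
ldap_default_authtok = REDACTED
ldap_user_object_class = zimbraAccount
"""

# Zimbra's LDAP superuser (the zimbra_ldap_password identity): full write access.
ZIMBRA_ADMIN_DN = "uid=zimbra,cn=admins,cn=zimbra"
# Only these ldap_tls_reqcert values make sssd reject a bad or unknown certificate.
STRICT_REQCERT = {"demand", "hard"}


def parse_sssd_conf(text):
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    return cfg


def _is_true(value):
    return value.strip().lower() in {"true", "yes", "1"}


def lint_domain(cfg, domain):
    """Return [(code, message)] findings for the [domain/<domain>] section."""
    d = cfg[f"domain/{domain}"]
    findings = []
    reqcert = d.get("ldap_tls_reqcert", "hard").strip().lower()   # sssd default: hard
    if reqcert not in STRICT_REQCERT:
        findings.append(("tls_reqcert",
            f"ldap_tls_reqcert={reqcert}: server certificate is never verified, so an "
            "on-path attacker can terminate the STARTTLS session and capture the bind"))
    uris = [u.strip().lower() for u in d.get("ldap_uri", "").split(",")]
    if any(u.startswith("ldap://") for u in uris) and not _is_true(d.get("ldap_id_use_start_tls", "false")):
        findings.append(("cleartext_ldap",
            "ldap:// without ldap_id_use_start_tls: bind password crosses the wire in clear"))
    if (d.get("ldap_default_authtok_type", "password").strip().lower() == "password"
            and d.get("ldap_default_authtok")):
        findings.append(("plaintext_authtok",
            "ldap_default_authtok stored in clear; use sss_obfuscate (obfuscated_password) "
            "and keep the file root:root 0600"))
    if d.get("ldap_default_bind_dn", "").strip().lower() == ZIMBRA_ADMIN_DN:
        findings.append(("admin_bind_dn",
            "bind DN is Zimbra's LDAP superuser: an app-server compromise becomes a "
            "directory-wide write; bind as a read-only account instead"))
    if _is_true(cfg["sssd"].get("enumerate", "false")) or _is_true(d.get("enumerate", "false")):
        findings.append(("enumerate",
            "enumerate=true: every client periodically downloads all users and groups"))
    return findings


def harden(cfg, domain, ro_bind_dn, ca_file):
    """Return sssd.conf text with the findings above corrected."""
    out = configparser.ConfigParser(interpolation=None)
    out.read_dict({s: dict(cfg[s]) for s in cfg.sections()})
    out["sssd"]["enumerate"] = "false"
    d = out[f"domain/{domain}"]
    d["ldap_id_use_start_tls"] = "true"
    d["ldap_tls_reqcert"] = "demand"
    d["ldap_tls_cacert"] = ca_file            # CA that signed the Zimbra LDAP cert (assumed path)
    d["ldap_default_bind_dn"] = ro_bind_dn    # read-only account (hypothetical DN), not the superuser
    d["ldap_default_authtok_type"] = "obfuscated_password"
    d.pop("ldap_default_authtok", None)       # filled in afterwards by: sss_obfuscate --domain <domain>
    buf = io.StringIO()
    out.write(buf)
    return buf.getvalue()


if __name__ == "__main__":
    cfg = parse_sssd_conf(POSTED_CONF)
    for code, msg in lint_domain(cfg, "mydomain"):
        print(f"[{code}] {msg}")
    print(harden(cfg, "mydomain", "uid=sssd-ro,cn=appaccts,cn=zimbra",
                 "/etc/pki/tls/certs/ca-bundle.crt"))
```

    Run it over the real file with the secret in place and it reports the same four findings; the hardened output is a starting point, the read-only bind account still has to be created in Zimbra's LDAP with an ACL limited to reading ou=people.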

  2. #2
    skuran, Junior Member

    Update ...


    If you set debug_level in the domain section of /etc/sssd/sssd.conf, then debug info is logged to the /var/log/sssd/sssd_mydomain.log file.

    (Tue Jun 25 14:00:08 2013) [sssd[be[mydomain]]] [be_get_account_info] (0x0100): Got request for [4097][1][name=zmtest]
    (Tue Jun 25 14:00:08 2013) [sssd[be[mydomain]]] [sdap_get_users_next_base] (0x0400): Searching for users with base [ou=people,dc=mydomain,dc=org,dc=tr]
    (Tue Jun 25 14:00:08 2013) [sssd[be[mydomain]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(uid=zmtest)(objectclass=zimbraAccount))][ou=people,dc=mydomain,dc=org,dc=tr].
    (Tue Jun 25 14:00:08 2013) [sssd[be[mydomain]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
    (Tue Jun 25 14:00:08 2013) [sssd[be[mydomain]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uid]
    (Tue Jun 25 14:00:08 2013) [sssd[be[mydomain]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPassword]
    (Tue Jun 25 14:00:08 2013) [sssd[be[mydomain]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [zimbraId]
    (Tue Jun 25 14:00:08 2013) [sssd[be[mydomain]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [zimbraId]
    (Tue Jun 25 14:00:08 2013) [sssd[be[mydomain]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gecos]
    (Tue Jun 25 14:00:08 2013) [sssd[be[mydomain]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [homeDirectory]
    (Tue Jun 25 14:00:08 2013) [sssd[be[mydomain]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginShell]
    (Tue Jun 25 14:00:08 2013) [sssd[be[mydomain]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [krbPrincipalName]
    (Tue Jun 25 14:00:08 2013) [sssd[be[mydomain]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
    (Tue Jun 25 14:00:08 2013) [sssd[be[mydomain]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp]
    (Tue Jun 25 14:00:08 2013) [sssd[be[mydomain]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp]
    (Tue Jun 25 14:00:08 2013) [sssd[be[mydomain]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowLastChange]
    (Tue Jun 25 14:00:08 2013) [sssd[be[mydomain]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowMin]
    (Tue Jun 25 14:00:08 2013) [sssd[be[mydomain]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowMax]
    (Tue Jun 25 14:00:08 2013) [sssd[be[mydomain]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowWarning]
    (Tue Jun 25 14:00:08 2013) [sssd[be[mydomain]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowInactive]
    (Tue Jun 25 14:00:08 2013) [sssd[be[mydomain]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowExpire]
    (Tue Jun 25 14:00:08 2013) [sssd[be[mydomain]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowFlag]
    (Tue Jun 25 14:00:08 2013) [sssd[be[mydomain]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [krbLastPwdChange]
    (Tue Jun 25 14:00:08 2013) [sssd[be[mydomain]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [krbPasswordExpiration]
    (Tue Jun 25 14:00:08 2013) [sssd[be[mydomain]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [pwdAttribute]
    (Tue Jun 25 14:00:08 2013) [sssd[be[mydomain]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [authorizedService]
    (Tue Jun 25 14:00:08 2013) [sssd[be[mydomain]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [accountExpires]
    (Tue Jun 25 14:00:08 2013) [sssd[be[mydomain]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userAccountControl]
    (Tue Jun 25 14:00:08 2013) [sssd[be[mydomain]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [nsAccountLock]
    (Tue Jun 25 14:00:08 2013) [sssd[be[mydomain]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [host]
    (Tue Jun 25 14:00:08 2013) [sssd[be[mydomain]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginDisabled]
    (Tue Jun 25 14:00:08 2013) [sssd[be[mydomain]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginExpirationTime]
    (Tue Jun 25 14:00:08 2013) [sssd[be[mydomain]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginAllowedTimeMap]
    (Tue Jun 25 14:00:08 2013) [sssd[be[mydomain]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set
    (Tue Jun 25 14:00:08 2013) [sssd[be[mydomain]]] [sdap_get_users_process] (0x0400): Search for users, returned 1 results.
    (Tue Jun 25 14:00:08 2013) [sssd[be[mydomain]]] [sdap_save_user] (0x0020): no uid provided for [zmtest] in domain [mydomain].
    (Tue Jun 25 14:00:08 2013) [sssd[be[mydomain]]] [sdap_save_user] (0x0040): Failed to save user [zmtest]
    (Tue Jun 25 14:00:08 2013) [sssd[be[mydomain]]] [sdap_save_users] (0x0040): Failed to store user 0. Ignoring.
    (Tue Jun 25 14:00:08 2013) [sssd[be[mydomain]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success


    I am not sure if sssd + Zimbra LDAP + Linux users is possible.

  3. #3
    quanah, Zimbra Employee

    Of course it fails, because the attributes it wants (loginShell, etc.) are part of the "account" objectClass, not the "inetOrgPerson" objectClass. I.e., Zimbra stores people information, not account information. The two are mutually exclusive objectClasses.

    --Quanah
    Quanah Gibson-Mount
    Server Architect
    Zimbra, Inc
    --------------------
    Zimbra :: the leader in open source messaging and collaboration

  4. #4
    skuran, Junior Member

    Thanks for the reply. After adding the nis schema, which includes posixAccount, I am now able to add the attributes and authenticate Linux users without installing unsupported extensions.
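    An added example, not skuran's or Zimbra's code, tying together the sssd log in post #2 and the fix in posts #3 and #4: it parses the ldapsearch output for zmtest from post #1, reports which posixAccount attributes sssd's rfc2307 map is missing (the "no uid provided" line in sssd_mydomain.log is sssd failing to find uidNumber on the entry), and emits the ldapmodify LDIF that adds them. The values 10001 for uidNumber/gidNumber, /home/zmtest and /bin/bash are placeholders chosen here; the LDIF only loads once the nis schema is present on the Zimbra LDAP server, otherwise slapd rejects posixAccount as an unknown objectClass.

```python
"""Check an LDAP entry for the attributes sssd's rfc2307 map needs and build
the ldapmodify LDIF that adds them.  Added example, not from the thread; the
uidNumber/gidNumber/home/shell values are placeholders chosen here."""
import base64

# Constructed sample: the zmtest entry as ldapsearch -L printed it in post #1,
# trimmed, with the password hash replaced by base64("secret").
SAMPLE_LDIF = """\
# zmtest, people, mydomain.org.tr
dn: uid=zmtest,ou=people,dc=mydomain,dc=org,dc=tr
sn: Test
zimbraAccountStatus: active
givenName: Zimbra
objectClass: inetOrgPerson
objectClass: zimbraAccount
objectClass: amavisAccount
mail: zmtest@mydomain.org.tr
cn: Zimbra Test
uid: zmtest
userPassword:: c2VjcmV0

# search result
# numEntries: 1
"""

# sssd (ldap_schema = rfc2307) needs these before it will save a user;
# "no uid provided" in sssd_<domain>.log is the uidNumber check failing.
REQUIRED = ("uid", "uidNumber", "gidNumber")
# Without these sssd falls back to fallback_homedir / default_shell.
RECOMMENDED = ("homeDirectory", "loginShell")


def parse_ldif(text):
    """Parse ldapsearch LDIF output into a list of {attr: [values]} dicts."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:          # folded continuation line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], None
    for line in lines:
        if not line.strip():                        # blank line ends an entry
            if current:
                entries.append(current)
            current = None
            continue
        if line.startswith("#"):                    # ldapsearch comments
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):                   # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        current = current if current is not None else {}
        current.setdefault(name.strip(), []).append(value)
    if current:
        entries.append(current)
    return entries


def attr(entry, name):
    """Case-insensitive attribute lookup (LDAP attribute names are)."""
    return next((v for k, v in entry.items() if k.lower() == name.lower()), [])


def missing_posix_attrs(entry):
    """(errors, warnings): what sssd still lacks to save this entry as a user."""
    errors = [a for a in REQUIRED if not attr(entry, a)]
    if "posixaccount" not in {v.lower() for v in attr(entry, "objectClass")}:
        errors.insert(0, "objectClass=posixAccount")
    warnings = [a for a in RECOMMENDED if not attr(entry, a)]
    return errors, warnings


def with_posix(entry, uid_number, gid_number, home=None, shell="/bin/bash"):
    """Copy of entry plus the posixAccount attributes, and the additions alone."""
    uid = attr(entry, "uid")[0]
    adds = {
        "objectClass": ["posixAccount"],
        "uidNumber": [str(uid_number)],
        "gidNumber": [str(gid_number)],
        "homeDirectory": [home or f"/home/{uid}"],   # MUST attribute of posixAccount
        "loginShell": [shell],
    }
    new = {k: list(v) for k, v in entry.items()}
    for name, values in adds.items():
        key = next((k for k in new if k.lower() == name.lower()), name)
        new.setdefault(key, []).extend(values)
    return new, adds


def posix_modify_ldif(entry, uid_number, gid_number, home=None, shell="/bin/bash"):
    """ldapmodify input that makes the directory entry match with_posix()."""
    _, adds = with_posix(entry, uid_number, gid_number, home, shell)
    lines = [f"dn: {attr(entry, 'dn')[0]}", "changetype: modify"]
    for name, values in adds.items():
        lines.append(f"add: {name}")
        lines.extend(f"{name}: {v}" for v in values)
        lines.append("-")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    entry = parse_ldif(SAMPLE_LDIF)[0]
    print("missing:", missing_posix_attrs(entry))
    print(posix_modify_ldif(entry, 10001, 10001))
```

    Feed the real ldapsearch output in and apply the result with ldapmodify over STARTTLS (-ZZ). Pick uidNumber/gidNumber values that are unique across the directory and do not collide with local accounts on any app server: two entries sharing a uidNumber become the same Unix user on every host that trusts this LDAP.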

  5. #5
    strikermdd, Active Member, Brazil

    I'm facing a similar problem. I'm trying to authenticate a CentOS 6.4 server using sssd, but I tried the example from the blog posted here, and your example skuran, without success; if I run "id username" or "getent passwd" it shows nothing. Can someone help?

  6. #6
    skuran, Junior Member

    Did you add the nis schema to the Zimbra LDAP DB?
