Active Directory based GAL

[alexbsa]

Okidoki,

Its all working:
Auth through AD -> GREAT (took 10 seconds)
Zimbra MAIL -> FINE
AS/AV -> GREAT

BUT, it seems my main admin guy wants to admin everything through AD. So, he wants the GAL through AD.

We support it of course, but when we set it as such (GAL through AD), nothing comes back.

I ran an ethereal trace and it seems LDAP searches are being done very well, and the server is politely answering success but returning empty sets since it just cannot find what im looking for.
So, this AD deployment is organizationally engineered it is pretty deep since this is a pretty big company (about 17 enterprises depend on a holding, which manages all IT for them... they are my client).
Now the LDAP query seems to do the right thing (tries three different searches, tries with both base and sub scopes), but still nothing comes back from the AD.

So, am i missing something? Is this common when attempting to set up an AD GAL?

[KevinH]

I think your going to need to wait for the next release for a fix. At this time we don't handle org based AD deployments very well. The next release is more flexible so it should work for you. BTW: How many users are on the system your trying to deploy here?

[alexbsa]

Well... right now we have about 1000 but growing. The thing is not the number of accounts but geographic and network distribution. This thing spans throughout all of Mexico and off-shores in costa rica and the U.S. one to 100 accounts per site, about 50 sites. So thats why the AD got to be that complex, not that i implemented it or recomended it -ugh.

So, by the way, if zimbra does this through ldap anyhow, you think id be better off right now to engineer another search string and go through pure LDAP? Can you share some info on how are you planning to fix this? Would someone describe the problem in terms of the ldap search string and why it isnt working?

Im also a pretty snappy (meaning old and cynical) hacker and this zimbra thing has me itching. Im finally implementing a devel box today to start hacking on it... so, I wanna be in your radar.

I think ive talked to you recently in an email.... mhm... cool.

[schemers]

I think Kevin was referring to authentication being more flexible in the next release, not GAL.

We've had other people get GAL working with AD without any trouble. I'd also suggest trying external LDAP with your search string, maybe something really trivial that you know works, like:

Code:

(|(cn=*%s*)(sn=*%s*)(gn=*%s*))

which will search for the user-entered string in the cn/sn/gn attributes. Also, you should ask your AD admin if security policies allow for the query to be made un-authenticated. If not, you'll need to setup a service account in AD that has permission to perform the search and then enter it in the GAL wizard setup.

If you want to see the search string we use for AD, type in:

Code:

/opt/zimbra/bin/zmprov gacf|grep zimbraGalLdapFilterDef

The line that starts with "ad:" is the one we use for AD, and the one that starts with "zimbra:" is the one we use for internal GAL searching.

You can also use zmprov to do a GAL search:

Code:

/opt/zimbra/bin/zmprov sg zimbra.com roland

Which can be more convenient for debugging then going through the UI.

roland

[malheiros]

Greetings,

I just upgraded to the new beta 2 release, and noticed the GAL searches to AD return empty now (it worked fine before)... Tried to reconfigure GAL through the admin interface and the tests finished successfuly even throwing back an empty result...

I've always mapped the AD access as a normal LDAP server (not selecting AD on the combo box), applying the following filter:

(&(|(displayName=*%s*)(department=*%s*)(telephoneN umber=*%s*)(mail=*%s*))(&(!(objectclass=computer)) (!(objectclass=organizationalUnit))(!(objectclass= volume))(!(objectclass=group))(!(objectclass=conne ctionPoint))))

(This is the same filter I use for another bunch of LDAP/AD integrated apps)

Just want to know if there is some place to start in the code i can look at or something to find and try fixing the problem...

Thanks!

[schemers]

I seem to recall seeing a bug go by recently WRT the client-side GAL. If you want to verify the server-side is working you can try zmprov:

/opt/zimbra/bin/zmprov sg {your.domain} {query-string}

I'll try and find out the status on the bug...

roland

[malheiros]

Hello Roland,

zmprov command line GAL search returns empty (back to prompt).

ldapsearch with same parameters return the expected results.

I'm still playing with it, any news I'll post them here at once.

Thanks guys,

[malheiros]

After searching with ldapsearch... zmprov started working... and so all the rest...

It's all fine now but... Don't ask me.. I'm clueless...

[riegersteve]

let me guess you user ldapsearch -x
do you have anything funke in you slapd.conf. did you modify it

also version 1 (didnt try version2 yes) could not handle multiple context's nor could it handle multiple trees, i been told that this version does.

can you confirm ?

[malheiros]

Well I did a couple of (from command history):

./ldapsearch -b "ou=Departments,dc=company,dc=com" -D "cn=LDAP Query,cn=Users,dc=company,dc=com" -h dc.company.com -w password '(&(|(displayName=*Some_Name*)(department=*%s*)(te lephoneNum ber=*%s*)(mail=*%s*))(&(!(objectclass=computer))(! (objectclass=organizationalUnit))(!(objectclass=vo lume))(!(objectclass=group))(!(objectclass=connect ionPoint))))'

(the %s are there cuz it was a lazy copy/paste from zimbra conf, doesn't affect the results anyway)

Then I went to zimbra admin reconfigure GAL for the 10000th time to test the search (expecting an empty result of course), and hey.. it worked now.

After that came back to the shell prompt and tried zmprov search again.. it worked.

About slapd.conf... Looks normal and nothing touched there or anywhere on the default installation...

I can't confirm the multi tree/context support, but would be nice to know hows that possible, if available...