#1 (permalink)
03-16-2007, 07:32 AM
Member
Posts: 13
Authenticating against Zimbra's LDAP Server

I know next to nothing about LDAP structure but I'm certain it's possible for us to authenticate against Zimbra's LDAP server. It's already there and running so this would help centralize our authentication methods. The only thing I'm interested in authenticating with currently is SVN, which is just Apache authentication via mod_auth_ldap.

As I've said, I know very little about LDAP and nothing about how Zimbra lays it out. It shouldn't be very difficult for someone who knows what they are doing.

http://httpd.apache.org/docs/2.0/mod/mod_auth_ldap.html
#2 (permalink)
03-16-2007, 07:59 AM
Zimbra Consultant & Moderator
Posts: 11,331

I'm not really sure if there's a question in there or not.
__________________
Regards


Bill
#3 (permalink)
03-16-2007, 08:09 AM
Member
Posts: 13
quite right...

How would one authenticate against the Zimbra LDAP server? Some of their examples are

AuthLDAPURL ldap://ldap1.airius.com:389/ou=People,o=Airius?uid?sub?(objectClass=*)
require valid-user

However, since I don't know how the Zimbra LDAP server is laid out, I don't know how I would authenticate against it via mod_auth_ldap.
#4 (permalink)
03-16-2007, 08:21 AM
Zimbra Consultant & Moderator
Posts: 11,331

Does this wiki article answer your question?
__________________
Regards


Bill
#5 (permalink)
03-16-2007, 08:38 AM
Member
Posts: 13

Looks like it's supposed to but it doesn't specify where to get the user information. When I try to log in it gives me...

[Fri Mar 16 09:24:15 2007] [debug] mod_authnz_ldap.c(373): [client 192.168.254.150] [26052] auth_ldap authenticate: using URL ldap://zimbra.collectivedata.local/dc=collectivedata,dc=com
[Fri Mar 16 09:24:15 2007] [warn] [client 192.168.254.150] [26052] auth_ldap authenticate: user tstrimple@collectivedata.com authentication failed; URI /repos [User not found][No such object]
[Fri Mar 16 09:24:15 2007] [error] [client 192.168.254.150] user tstrimple@collectivedata.com not found: /repos

Edit: In every example I see of ldap authentication there is an ou provided. ou=Users, ou=people etc. Is that not required?

Last edited by tstrimp : 03-16-2007 at 08:41 AM. Reason: more info
#6 (permalink)
03-16-2007, 10:00 AM
Member
Posts: 13

I found this thread and added the .htaccess exactly like he did (but with my own domain name) and I get the exact same error as above....

apache 2.2 mod_authnz_ldap to zimbra help?

Any ideas?

Here are the results from the ldap logs...

Code:
Mar 16 11:02:31 zimbra slapd[24850]: connection_get(11): got connid=6
Mar 16 11:02:31 zimbra slapd[24850]: connection_read(11): checking for input on id=6
Mar 16 11:02:31 zimbra slapd[24850]: ber_get_next on fd 11 failed errno=11 (Resource temporarily unavailable)
Mar 16 11:02:31 zimbra slapd[24850]: do_bind
Mar 16 11:02:31 zimbra slapd[24850]: >>> dnPrettyNormal: <>
Mar 16 11:02:31 zimbra slapd[24850]: <<< dnPrettyNormal: <>, <>
Mar 16 11:02:31 zimbra slapd[24850]: do_bind: version=3 dn="" method=128
Mar 16 11:02:31 zimbra slapd[24850]: send_ldap_result: conn=6 op=0 p=3
Mar 16 11:02:31 zimbra slapd[24850]: send_ldap_response: msgid=1 tag=97 err=0
Mar 16 11:02:31 zimbra slapd[24850]: do_bind: v3 anonymous bind
Mar 16 11:02:31 zimbra slapd[24850]: connection_get(11): got connid=6
Mar 16 11:02:31 zimbra slapd[24850]: connection_read(11): checking for input on id=6
Mar 16 11:02:31 zimbra slapd[24850]: ber_get_next on fd 11 failed errno=11 (Resource temporarily unavailable)
Mar 16 11:02:31 zimbra slapd[24850]: do_search
Mar 16 11:02:31 zimbra slapd[24850]: >>> dnPrettyNormal: <ou=people,dc=collectivedata,dc=com>
Mar 16 11:02:31 zimbra slapd[24850]: <<< dnPrettyNormal: <ou=people,dc=collectivedata,dc=com>, <ou=people,dc=collectivedata,dc=com>
Mar 16 11:02:31 zimbra slapd[24850]: ==> limits_get: conn=6 op=1 dn="[anonymous]"
Mar 16 11:02:31 zimbra slapd[24850]: => bdb_search
Mar 16 11:02:31 zimbra slapd[24850]: bdb_dn2entry("ou=people,dc=collectivedata,dc=com")
Mar 16 11:02:31 zimbra slapd[24850]: => bdb_dn2id("dc=com")
Mar 16 11:02:31 zimbra slapd[24850]: <= bdb_dn2id: got id=0x00000011
Mar 16 11:02:31 zimbra slapd[24850]: => bdb_dn2id("dc=collectivedata,dc=com")
Mar 16 11:02:31 zimbra slapd[24850]: <= bdb_dn2id: got id=0x00000028
Mar 16 11:02:31 zimbra slapd[24850]: => bdb_dn2id("ou=people,dc=collectivedata,dc=com")
Mar 16 11:02:31 zimbra slapd[24850]: <= bdb_dn2id: got id=0x00000029
Mar 16 11:02:31 zimbra slapd[24850]: entry_decode: "ou=people,dc=collectivedata,dc=com"
Mar 16 11:02:31 zimbra slapd[24850]: <= entry_decode(ou=people,dc=collectivedata,dc=com)
Mar 16 11:02:31 zimbra slapd[24850]: search_candidates: base="ou=people,dc=collectivedata,dc=com" (0x00000029) scope=2
Mar 16 11:02:31 zimbra slapd[24850]: => bdb_equality_candidates (objectClass)
Mar 16 11:02:31 zimbra slapd[24850]: => key_read
Mar 16 11:02:31 zimbra slapd[24850]: <= bdb_index_read: failed (-30990)
Mar 16 11:02:31 zimbra slapd[24850]: <= bdb_equality_candidates: id=0, first=0, last=0
Mar 16 11:02:31 zimbra slapd[24850]: => bdb_dn2idl("ou=people,dc=collectivedata,dc=com")
Mar 16 11:02:31 zimbra slapd[24850]: <= bdb_dn2idl: id=17 first=41 last=79
Mar 16 11:02:31 zimbra slapd[24850]: => bdb_equality_candidates (objectClass)
Mar 16 11:02:31 zimbra slapd[24850]: => key_read
Mar 16 11:02:31 zimbra slapd[24850]: <= bdb_index_read: failed (-30990)
Mar 16 11:02:31 zimbra slapd[24850]: <= bdb_equality_candidates: id=0, first=0, last=0
Mar 16 11:02:31 zimbra slapd[24850]: => bdb_equality_candidates (objectClass)
Mar 16 11:02:31 zimbra slapd[24850]: => key_read
Mar 16 11:02:31 zimbra slapd[24850]: <= bdb_index_read 13 candidates
Mar 16 11:02:31 zimbra slapd[24850]: <= bdb_equality_candidates: id=13, first=3, last=69
Mar 16 11:02:31 zimbra slapd[24850]: => bdb_equality_candidates (uid)
Mar 16 11:02:31 zimbra slapd[24850]: => key_read
Mar 16 11:02:31 zimbra slapd[24850]: <= bdb_index_read: failed (-30990)
Mar 16 11:02:31 zimbra slapd[24850]: <= bdb_equality_candidates: id=0, first=0, last=0
Mar 16 11:02:31 zimbra slapd[24850]: bdb_search_candidates: id=0 first=41 last=0
Mar 16 11:02:31 zimbra slapd[24850]: bdb_search: no candidates
Mar 16 11:02:31 zimbra slapd[24850]: send_ldap_result: conn=6 op=1 p=3
Mar 16 11:02:31 zimbra slapd[24850]: send_ldap_response: msgid=2 tag=101 err=0

Last edited by tstrimp : 03-16-2007 at 10:08 AM. Reason: More Info
#7 (permalink)
03-16-2007, 10:26 AM
Member
Posts: 13

I've figured it out. I was trying to log in with the full email like in Zimbra. When I dropped the domain name off of the username it let me in. Is there a way to authenticate against the full email address to keep things consistent?

Thanks,
Tim

Last edited by tstrimp : 03-16-2007 at 10:30 AM.
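
Why the full address failed and the short name worked, as an added example (not code from this thread, Apache or Zimbra): mod_authnz_ldap combines the attribute and filter from AuthLDAPURL with the typed username into one search filter, so a `uid` lookup never matches an e-mail address. The hostname and directory entry are constructed, and that the account carries its address in a `mail` attribute is an assumption to check against your own directory.

```python
from urllib.parse import urlsplit, unquote

# Constructed sample entry, following the ou=people layout seen in the slapd log.
ENTRIES = [{"dn": "uid=alice,ou=people,dc=example,dc=com",
            "uid": "alice", "mail": "alice@example.com"}]

def parse_auth_ldap_url(url):
    """Split an AuthLDAPURL (ldap://host/basedn?attr?scope?filter), applying
    the module defaults: attribute uid, scope sub, filter objectClass=*."""
    parts = urlsplit(url)
    fields = (parts.query.split("?") + ["", "", ""])[:3]
    flt = unquote(fields[2]) or "objectClass=*"
    if flt.startswith("(") and flt.endswith(")"):
        flt = flt[1:-1]          # the module wraps the filter itself
    return {"host": parts.netloc,
            "base": unquote(parts.path.lstrip("/")),
            "attr": fields[0].split(",")[0] or "uid",
            "scope": fields[1] or "sub",
            "filter": flt}

def escape_filter_value(value):
    """RFC 4515 escaping, so the login name is always treated as a literal."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def build_search_filter(cfg, username):
    """The filter sent to the directory: (&(<url filter>)(<attr>=<username>))."""
    return "(&(%s)(%s=%s))" % (cfg["filter"], cfg["attr"],
                               escape_filter_value(username))

def find_user(cfg, username, entries):
    """Simplified model of the search: entry under the base DN whose
    configured attribute equals the login name (case-insensitive)."""
    base = cfg["base"].lower()
    return [e["dn"] for e in entries
            if e["dn"].lower().endswith(base)
            and e.get(cfg["attr"], "").lower() == username.lower()]

if __name__ == "__main__":
    by_uid = parse_auth_ldap_url(
        "ldap://zimbra.example.com/ou=people,dc=example,dc=com?uid?sub?(objectClass=*)")
    by_mail = parse_auth_ldap_url(
        "ldap://zimbra.example.com/ou=people,dc=example,dc=com?mail?sub?(objectClass=*)")
    for cfg in (by_uid, by_mail):
        for name in ("alice", "alice@example.com"):
            print(build_search_filter(cfg, name), "->", find_user(cfg, name, ENTRIES))
```

With `mail` as the attribute in AuthLDAPURL, users log in with the full address and the short name stops matching. The slapd log above also shows the search running over an anonymous bind on plain `ldap://`, so a bind DN and TLS are worth configuring at the same time.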