Thread: Ldap authentication fails but ldapsearch works

  1. #1
    jherington is offline Intermediate Member

    Hello,
    I am having a problem with ldap. I was able to get GAL configured just fine but when I try to configure Authentication the test fails because: Unable to resolve LDAP name. Here is the result:

    Code:
    javax.naming.NameNotFoundException: [LDAP: error code 32 - 0000208D: NameErr: DSID-031521D2, problem 2001 (NO_OBJECT), data 0, best match of:
    	'O=itsa,C=us'
    I have tried a couple of Ldap filters: 1) the full bind DN and 2) (uid=%u). I do have the uid set on the user in the external Ldap. My Ldap search base is: OU=Itsa_TechnicalStaff,O=itsa,C=us. I can ping my external ldap just fine and again I can configure GAL just fine.

    Yet if I run ldapsearch I can get a successful search but I must include -x in the command:

    Code:
    [zimbra@itsa bin]$ ldapsearch -h itsa1.local -p 389 -D "cn=jherington, ou=Itsa_TechnicalStaff, o=itsa, c=us" -w "password" -x -b "o=itsa,c=us" "(CN=jherington,OU=Itsa_TechnicalStaff,O=itsa,C=us)"
    # extended LDIF
    #
    # LDAPv3
    # base  with scope subtree
    # filter: (CN=jherington,OU=Itsa_TechnicalStaff,O=itsa,C=us)
    # requesting: ALL
    #
    
    # search result
    search: 2
    result: 0 Success
    
    # numResponses: 1
    [zimbra@itsa bin]$
    Local LDAP is running and I am able to log in to Zimbra. I did set up a user in the local LDAP and the external LDAP (which is actually ADAM, Active Directory Application Mode) with the same name and password. The -x is for "simple authentication"; I do not have SSL set up on the external LDAP server.

    Any help would be greatly appreciated!

  2. #2
    phoenix is online now Zimbra Consultant & Moderator

    Your error is caused by "A non-existent DN specified in the User Search field.".

    You probably need to bind to AD with a user that can do a query; check this wiki article.
    Regards


    Bill



  3. #3
    jherington is offline Intermediate Member

    Thanks Phoenix,

    Here is the result of the command: ldifde -f c:\export.txt -s itsa1:389 -d o=itsa,c=us

    Code:
    dn: O=itsa,C=us
    changetype: add
    objectClass: top
    objectClass: organization
    o: itsa
    distinguishedName: O=itsa,C=us
    instanceType: 5
    whenCreated: 20071023220539.0Z
    whenChanged: 20071023220539.0Z
    uSNCreated: 8196
    uSNChanged: 8210
    name: itsa
    objectGUID:: Yv4+t5kTcU2uuryqn+USuw==
    wellKnownObjects: B:32:A9D1CA15768811D1ADED00C04FD8D5CD:CN=Roles,O=itsa,C=us
    wellKnownObjects: 
     B:32:6227F0AF1FC2410D8E3BB10615BB5B0F:CN=NTDS Quotas,O=itsa,C=us
    wellKnownObjects: 
     B:32:AB8153B7768811D1ADED00C04FD8D5CD:CN=LostAndFound,O=itsa,C=us
    wellKnownObjects: 
     B:32:18E2EA80684F11D2B9AA00C04F79F805:CN=Deleted Objects,O=itsa,C=us
    objectCategory: 
     CN=Organization,CN=Schema,CN=Configuration,CN={6490D725-998A-4B32-9FB9-09EA436
     3CCDA}
    msDs-masteredBy: 
     CN=NTDS Settings,CN=ITSA1$ItsaCommunity,CN=Servers,CN=Default-First-Site-Name,
     CN=Sites,CN=Configuration,CN={6490D725-998A-4B32-9FB9-09EA4363CCDA}
    
    dn: OU=Itsa_TechnicalStaff,O=itsa,C=us
    changetype: add
    objectClass: top
    objectClass: organizationalUnit
    ou: Itsa_TechnicalStaff
    distinguishedName: OU=Itsa_TechnicalStaff,O=itsa,C=us
    instanceType: 4
    whenCreated: 20071023222129.0Z
    whenChanged: 20071023222129.0Z
    uSNCreated: 12505
    uSNChanged: 12505
    name: Itsa_TechnicalStaff
    objectGUID:: b8TU+7k980qiYBBfvCdYhQ==
    objectCategory: 
     CN=Organizational-Unit,CN=Schema,CN=Configuration,CN={6490D725-998A-4B32-9FB9-
     09EA4363CCDA}
    
    dn: CN=jherington,OU=Itsa_TechnicalStaff,O=itsa,C=us
    changetype: add
    objectClass: top
    objectClass: person
    objectClass: organizationalPerson
    objectClass: user
    cn: jherington
    distinguishedName: CN=jherington,OU=Itsa_TechnicalStaff,O=itsa,C=us
    instanceType: 4
    whenCreated: 20071023222208.0Z
    whenChanged: 20071119043955.0Z
    uSNCreated: 12506
    memberOf: CN=AppDev,OU=Itsa_TechnicalStaff,O=itsa,C=us
    uSNChanged: 77836
    name: jherington
    objectGUID:: 8IbBWRnQZkGZQE8lXMyfvw==
    badPwdCount: 0
    badPasswordTime: 0
    pwdLastSet: 128398963024843750
    objectSid:: AQUAABOOzxd+c/HZWbRRMghqr0uqwvNbmedjBQ==
    objectCategory: 
     CN=Person,CN=Schema,CN=Configuration,CN={6490D725-998A-4B32-9FB9-09EA4363CCDA}
    lastLogonTimestamp: 128399105652652654
    givenName: Jeff Herington
    uid: jherington
    
    dn: CN=AppDev,OU=Itsa_TechnicalStaff,O=itsa,C=us
    changetype: add
    objectClass: top
    objectClass: group
    cn: AppDev
    member: CN=jherington,OU=Itsa_TechnicalStaff,O=itsa,C=us
    distinguishedName: CN=AppDev,OU=Itsa_TechnicalStaff,O=itsa,C=us
    instanceType: 4
    whenCreated: 20071023224124.0Z
    whenChanged: 20071023225811.0Z
    uSNCreated: 12508
    uSNChanged: 12512
    name: AppDev
    objectGUID:: AHZ6XEXW5ka2/si+5npyaA==
    objectSid:: AQUAABOOzxd+c/HZ7GkNoNqUCk6xD6tHTTXp+w==
    groupType: 8
    objectCategory: 
     CN=Group,CN=Schema,CN=Configuration,CN={6490D725-998A-4B32-9FB9-09EA4363CCDA}
    
    dn: CN=LostAndFound,O=itsa,C=us
    changetype: add
    objectClass: top
    objectClass: lostAndFound
    cn: LostAndFound
    distinguishedName: CN=LostAndFound,O=itsa,C=us
    instanceType: 4
    whenCreated: 20071023220539.0Z
    whenChanged: 20071023220539.0Z
    uSNCreated: 8203
    uSNChanged: 8203
    showInAdvancedViewOnly: TRUE
    name: LostAndFound
    objectGUID:: wQausgJdwEyYDcUihB41uA==
    systemFlags: -1946157056
    objectCategory: 
     CN=Lost-And-Found,CN=Schema,CN=Configuration,CN={6490D725-998A-4B32-9FB9-09EA4
     363CCDA}
    isCriticalSystemObject: TRUE
    
    dn: CN=NTDS Quotas,O=itsa,C=us
    changetype: add
    objectClass: top
    objectClass: msDS-QuotaContainer
    cn: NTDS Quotas
    distinguishedName: CN=NTDS Quotas,O=itsa,C=us
    instanceType: 4
    whenCreated: 20071023220539.0Z
    whenChanged: 20071023220539.0Z
    uSNCreated: 8204
    uSNChanged: 8204
    showInAdvancedViewOnly: TRUE
    name: NTDS Quotas
    objectGUID:: esFUKLENik2RM0OATU78eA==
    systemFlags: -1946157056
    objectCategory: 
     CN=ms-DS-Quota-Container,CN=Schema,CN=Configuration,CN={6490D725-998A-4B32-9FB
     9-09EA4363CCDA}
    isCriticalSystemObject: TRUE
    
    dn: CN=Roles,O=itsa,C=us
    changetype: add
    objectClass: top
    objectClass: container
    cn: Roles
    distinguishedName: CN=Roles,O=itsa,C=us
    instanceType: 4
    whenCreated: 20071023220539.0Z
    whenChanged: 20071023220539.0Z
    uSNCreated: 8205
    uSNChanged: 8205
    showInAdvancedViewOnly: TRUE
    name: Roles
    objectGUID:: hZZ6apST7EuVQ+f6cV90eA==
    systemFlags: -2080374784
    objectCategory: 
     CN=Container,CN=Schema,CN=Configuration,CN={6490D725-998A-4B32-9FB9-09EA4363CC
     DA}
    isCriticalSystemObject: TRUE
    
    dn: CN=Administrators,CN=Roles,O=itsa,C=us
    changetype: add
    objectClass: top
    objectClass: group
    cn: Administrators
    member: 
     CN=Administrators,CN=Roles,CN=Configuration,CN={6490D725-998A-4B32-9FB9-09EA43
     63CCDA}
    distinguishedName: CN=Administrators,CN=Roles,O=itsa,C=us
    instanceType: 4
    whenCreated: 20071023220539.0Z
    whenChanged: 20071023220539.0Z
    uSNCreated: 8207
    uSNChanged: 8207
    name: Administrators
    objectGUID:: 4fNq4i1kfE+MQS6Fwf87NQ==
    objectSid:: AQIAABOOzxd+c/HZAAIAAA==
    systemFlags: -2080374784
    groupType: -2147483646
    objectCategory: 
     CN=Group,CN=Schema,CN=Configuration,CN={6490D725-998A-4B32-9FB9-09EA4363CCDA}
    isCriticalSystemObject: TRUE
    
    dn: CN=Users,CN=Roles,O=itsa,C=us
    changetype: add
    objectClass: top
    objectClass: group
    cn: Users
    distinguishedName: CN=Users,CN=Roles,O=itsa,C=us
    instanceType: 4
    whenCreated: 20071023220539.0Z
    whenChanged: 20071023220539.0Z
    uSNCreated: 8208
    uSNChanged: 8208
    name: Users
    objectGUID:: wFBQVU4m4EWc29yignexsw==
    objectSid:: AQIAABOOzxd+c/HZAQIAAA==
    systemFlags: -2080374784
    groupType: -2147483646
    objectCategory: 
     CN=Group,CN=Schema,CN=Configuration,CN={6490D725-998A-4B32-9FB9-09EA4363CCDA}
    isCriticalSystemObject: TRUE
    
    dn: CN=Readers,CN=Roles,O=itsa,C=us
    changetype: add
    objectClass: top
    objectClass: group
    cn: Readers
    distinguishedName: CN=Readers,CN=Roles,O=itsa,C=us
    instanceType: 4
    whenCreated: 20071023220539.0Z
    whenChanged: 20071023220539.0Z
    uSNCreated: 8209
    uSNChanged: 8209
    name: Readers
    objectGUID:: YA/TTMlx6UOIOjcKuDDN6A==
    objectSid:: AQIAABOOzxd+c/HZAgIAAA==
    systemFlags: -2080374784
    groupType: -2147483646
    objectCategory: 
     CN=Group,CN=Schema,CN=Configuration,CN={6490D725-998A-4B32-9FB9-09EA4363CCDA}
    isCriticalSystemObject: TRUE
    I believe the relevant portion is the dn for jherington. Is there something about this that does not look right?

    Code:
    dn: CN=jherington,OU=Itsa_TechnicalStaff,O=itsa,C=us
    changetype: add
    objectClass: top
    objectClass: person
    objectClass: organizationalPerson
    objectClass: user
    cn: jherington
    distinguishedName: CN=jherington,OU=Itsa_TechnicalStaff,O=itsa,C=us
    instanceType: 4
    whenCreated: 20071023222208.0Z
    whenChanged: 20071119043955.0Z
    uSNCreated: 12506
    memberOf: CN=AppDev,OU=Itsa_TechnicalStaff,O=itsa,C=us
    uSNChanged: 77836
    name: jherington
    objectGUID:: 8IbBWRnQZkGZQE8lXMyfvw==
    badPwdCount: 0
    badPasswordTime: 0
    pwdLastSet: 128398963024843750
    objectSid:: AQUAABOOzxd+c/HZWbRRMghqr0uqwvNbmedjBQ==
    objectCategory: CN=Person,CN=Schema,CN=Configuration,CN={6490D725-998A-4B32-9FB9-09EA4363CCDA}
    lastLogonTimestamp: 128399105652652654
    givenName: Jeff Herington
    uid: jherington
    Given the above could you give me the commands you would use in the Zimbra external auth config?

    I am using as the binding dn: CN=jherington,OU=Itsa_TechnicalStaff,O=itsa,C=us and as the naming context: o=itsa,c=us and as the filter: (uid=%u). I have a user in Zimbra with the username: jherington and the password is the same as that in my LDAP.

    I was led to believe that possibly this was an issue with the encryption method because it seemed that is what the -x was bypassing in the ldapsearch command?? Also, the GAL config for Zimbra works fine?

    Thanks!
    Last edited by jherington; 11-19-2007 at 10:23 AM.

  4. #4
    jherington is offline Intermediate Member

    I solved this issue.

    Note: the LDAP service I use is a free and semi-open Microsoft product: ADAM.

    I needed to assign the bind user dn to the Readers role within ADAM using the adsiedit application. I will need to read a little more to find out how to assign similar acl rights to objects via the dsacls command-line application.

    Thanks...I do appreciate this forum's quick response...I know this ADAM LDAP service is probably different than OpenLDAP.
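
Added example, not part of the thread: a shell helper that reads ldapsearch output and separates "the bind and search succeeded" from "an entry was actually returned". In the first post's output, `result: 0 Success` comes with `numResponses: 1` and no `dn:` line, so no entry came back, and that result alone does not show the bind DN can read the user entry the (uid=%u) lookup needs. The function and sample names are hypothetical; the first sample mirrors the output shape in the first post and the other two are constructed.

```shell
# Classify ldapsearch output read from stdin: count returned entries and read the result code.
classify_ldapsearch() {
    awk '
        /^dn::? /          { entries++ }               # one dn: (or base64 dn::) line per entry
        /^result: [0-9]+/  { code = $2 + 0; seen = 1 }  # LDAP result code of the search
        END {
            if (!seen)             verdict = "no-result-line"
            else if (code != 0)    verdict = "search-failed"
            else if (entries == 0) verdict = "no-entries-returned"  # bind worked, nothing visible or matched
            else                   verdict = "entry-visible"
            printf "entries=%d result=%s verdict=%s\n", entries, (seen ? code : "none"), verdict
        }'
}

sample_zero_entries() {    # same shape as the output in the first post
cat <<'EOF'
# search result
search: 2
result: 0 Success

# numResponses: 1
EOF
}

sample_entry_visible() {   # constructed: the search once the bind DN can read the user entry
cat <<'EOF'
dn: CN=jherington,OU=Itsa_TechnicalStaff,O=itsa,C=us
uid: jherington

search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
EOF
}

sample_no_such_object() {  # constructed: a search base the server cannot resolve
cat <<'EOF'
search: 2
result: 32 No such object
matchedDN: O=itsa,C=us
EOF
}

sample_zero_entries   | classify_ldapsearch
sample_entry_visible  | classify_ldapsearch
sample_no_such_object | classify_ldapsearch
```

Against a live server, pipe the real command into it, for example the thread's ldapsearch with the filter "(uid=jherington)", and expect `entry-visible` before testing external authentication.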
