The Mysteries of External LDAP Authentication

[bubarooni]

OK, this isn't a show stopper, but I really wanted my users to be authenticated against my nt 4.0 domain. I'd prefer they use their Domain username. I'm really having trouble with the syntax and have not found a doc that explains it in absurdly simple terms so I'm stuck.

I have an exchange 5.5 server on NT 4.0. It is also the PDC.

I can telnet to the exchange server from the zimbra server with no problem. When I try to use the config wizard I can't get it to work for nothing. Here is what I am currently using:

Summary of authenticaion settings:

Authentication mechanism: External LDAP
LDAP URL: ldap://192.168.1.222:389
LDAP filter: =%u@mydom.com
LDAP search base: p=mydom;o=CORPORATE;
Use DN/Password to bind to external server: No

Please provide username and password to test the authentication settings
User name:
Password

I'm sure that my problem is the syntax I'm using in the LDAP filter and LDAP search base, I've tried dozens of different combos of examples I've found on this site and others. I'm sure I'm hitting the LDAP for authentication as several of the 'things' I've tried have returned errors like 'object does not exist'.

A typical x400 email address on my Exchange Server looks like:

x400 c=US;a= ;p=mydom;o=CORPORATE;s=Schmoe;g=Joe

Thanks In Advance

[Klug]

Are you sure you can do auth against your (old) Exchange's LDAP server ?

It seems to me (but I can be wrong) that this LDAP can only be use to browser/search things in it but it's impossible to do any auth against it.
You can only do auth against an AD's LDAP server (that you don't have, as you're running NT4.

[bubarooni]

well, if it can't be done then it won't be a show stopper. this is actually the first step in getting rid of the nt 4.0. with the exchange server replaced i'm planning on replacing the box with a MS Server 2008 and CentOS samba combo for authentication.

with the mydom.com was one of the 'things' i was trying. read the wiki already, my syntax needs polishing though!

=%u returns:
soap:Receiver
system failure: java.lang.ArrayIndexOutOfBoundsException: -1

%u= returns:
javax.naming.CommunicationException: [LDAP: error code 2 - Protocol Error]; remaining name 'p=mydom;o=CORPORATE;'


2 LDAP_PROTOCOL_ERROR: Indicates that the server has received an invalid or malformed request from the client

which is why i think i'm using wrong syntax.

[bubarooni]

i guess i'm just looking for examples that other people have used. i think i can figure it out if i see some real examples.

[Rich Graves]

Try

LDAP filter: samaccountname=%u

Left side is the attribute to match; %u is replaced with username. The above would be for Active Directory. If the legacy Exchange LDAP service provides no single unique attribute to search for, then you'd lose, but I'd be surprised.

LDAP search base is specified from most to least specific, something like:

LDAP search base: o=corporate,p=mydom,c=US

Is the a=(BLANK) above a typo or an html scrubbing artifact? It's invalid.

[bubarooni]

i'll be going to active directory in july/august timeframe, so it's good to know the samaccountname thing.

from what i've dug up on it since i read your post, i think it may be supported under NT too and will give it a try!

[bubarooni]

I'm getting there!

Server message: Authentication failed. Invalid credentials (bad dn/password)

just gotta figure out what that error means now.

[bubarooni]

i actually have the exchange server set for doing anonymous searches, but it keeps giving me that:

Server message: Authentication failed. Invalid credentials (bad dn/password)
error message.

on the third page of the Authentication Configuration Wizard there is a place to use a dn/password combo.

the help doc says:

Use DN/Password to bind to external server. If the filter you entered cannot be run using an anonymous bind, then enter the DN/password for a service account on the external LDAP that has been granted access to the attributes required to do the search.

when i look in the exchange server 5.5 ldap settings it shows me the Service Account Admin user and I tried that like this:

Bind DN: cn=ThatUser;dc=MyDom;dc=com;
and
MyDom\ThatUser

all to no avail.

What should I be using for that Bind/DN?