Authentication to external ldap stop working.

[jahaj]

I have configured Zimbra to authenticate to my external ldap/samba server. I tested before and it was working all last week. I was able to access webmail with the users I created with zimprov (no password set on zimbra).
Last Friday I could not login anymore. I went and test the external authentication from the Zimbra admin console and it was not working anymore. The test failed with the following error: Server Message Authentication failed. Invalid credentials (bad dn/password).

I am surprised with the DN error since I know for sure that I am using the correct dn account and password. I use our external ldap server to manage all our samba accounts and I can go login to my Ldap account manager (LAM) right now with the dn account: cn=Manager,dc=mydomain,dc=com and with the dn password mypassword without any problem. Our windows xp /samba users are being authenticated every day from our LDAP server and I haven't changed the Ldap dn password since I installed the ldap Samba 2 months ago.

Here my authentication settings:

Authentication mechanism: External LDAP
LDAP URL: ldap://192.168.0.5:389
LDAP filter: (uid=%u)
LDAP search base: dc=mydomain,dc=com
Use DN/password to bind to external server: yes
Bind DN: cn=Manager, dc=mydomain,dc=com


I did not made any change on my ldap server or on my zimbra configuration. I had createt a secondaire domain which was set to use internal authentication But after experiencing all these issues, I deleted it.

Any help? I have search the forum to checked again and again the wiki.

The complete error message when testing with the authentication config wizard from admin console:

Server Message Authentication failed. Invalid credentials (bad dn/password).

javax.naming.AuthenticationException: [LDAP: error code 49 - Invalid Credentials]
at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.jav a:2985)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCt x.java:2931)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCt x.java:2732)
at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:264 6)
at com.sun.jndi.ldap.LdapCtx.(LdapCtx.java:283)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapC txFactory.java:175)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(Ldap CtxFactory.java:193)
at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstanc e(LdapCtxFactory.java:136)
at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext (LdapCtxFactory.java:66)
at javax.naming.spi.NamingManager.getInitialContext(N amingManager.java:667)
at javax.naming.InitialContext.getDefaultInitCtx(Init ialContext.java:247)
at javax.naming.InitialContext.init(InitialContext.ja va:223)
at javax.naming.ldap.InitialLdapContext.(InitialLdapContext.java:134)
at com.zimbra.cs.account.ldap.LdapUtil.getDirContext( LdapUtil.java:231)
at com.zimbra.cs.account.ldap.LdapUtil.ldapAuthentica te(LdapUtil.java:263)
at com.zimbra.cs.account.ldap.Check.checkAuthConfig(C heck.java:153)
at com.zimbra.cs.service.admin.CheckAuthConfig.handle (CheckAuthConfig.java:53)
at com.zimbra.soap.SoapEngine.dispatchRequest(SoapEng ine.java:261)
at com.zimbra.soap.SoapEngine.dispatch(SoapEngine.jav a:162)
at com.zimbra.soap.SoapEngine.dispatch(SoapEngine.jav a:84)
at com.zimbra.soap.SoapServlet.doPost(SoapServlet.jav a:223)
at javax.servlet.http.HttpServlet.service(HttpServlet .java:709)
at com.zimbra.cs.servlet.ZimbraServlet.service(Zimbra Servlet.java:173)
at javax.servlet.http.HttpServlet.service(HttpServlet .java:802)
at org.apache.catalina.core.ApplicationFilterChain.in ternalDoFilter(ApplicationFilterChain.java:252)
at org.apache.catalina.core.ApplicationFilterChain.do Filter(ApplicationFilterChain.java:173)
at org.apache.catalina.core.StandardWrapperValve.invo ke(StandardWrapperValve.java:213)
at org.apache.catalina.core.StandardContextValve.invo ke(StandardContextValve.java:178)
at org.apache.catalina.core.StandardHostValve.invoke( StandardHostValve.java:126)
at org.apache.catalina.valves.ErrorReportValve.invoke (ErrorReportValve.java:105)
at org.apache.catalina.core.StandardEngineValve.invok e(StandardEngineValve.java:107)
at org.apache.catalina.valves.AccessLogValve.invoke(A ccessLogValve.java:541)
at org.apache.catalina.connector.CoyoteAdapter.servic e(CoyoteAdapter.java:148)
at org.apache.coyote.http11.Http11Processor.process(H ttp11Processor.java:869)
at org.apache.coyote.http11.Http11BaseProtocol$Http11 ConnectionHandler.processConnection(Http11BaseProt ocol.java:667)
at org.apache.tomcat.util.net.PoolTcpEndpoint.process Socket(PoolTcpEndpoint.java:527)
at org.apache.tomcat.util.net.LeaderFollowerWorkerThr ead.runIt(LeaderFollowerWorkerThread.java:80)
at org.apache.tomcat.util.threads.ThreadPool$ControlR unnable.run(ThreadPool.java:684)
at java.lang.Thread.run(Thread.java:595)


Thank you for your help

[jahaj]

Anyone has an idea what may be wrong with the Ldap external authentication.
I have reinstalled after running install.sh -u. The only change I remember now is that I installed a new version of kernel source 2.6.18-1.2239.fc5smp on my system.

[jahaj]

I found the problem. it is with the ldap server. I have ldap running on my samba server for authenticating samba users and I want it to authenticate zimbra users as well. The problem is that I am using ldap account manager LAM to manage the Ldap accounts. I found out that zimbra authentication failed for any ldap account created with LAM. Accounts created with the smbldap-tools script - smbldap-useradd.pl won't have any problem authenticating zimbra users. The fix for me is to delete the accounts (around 10 ) that cannot authenticate with Zimbra and recreate them again using smbldap-useradd.

jahaj

[facerw]

We had a similar issue in converting NT to Samba accounts and then Samba to LDAP. In our case we have 60 users but it would be nice if there was a step to convert the Samba accounts to Ldap after converting from NT with passwords still intact.