Page 1 of 2

Thread: External LDAP Authentication Issue

  1. #1 xtreme-one (Intermediate Member)

    External LDAP Authentication Issue

    I have searched the forums and read the related WIKI, but I'm still having issues with authenticating via LDAP with the web client.

    The default domain is set to domain.com on the server. I have configured this domain for both external/internal LDAP GAL and external LDAP authentication. While I have had some success, I have more setbacks than promise.

    Going through the wizards the GAL works fine and returns valid data in the test. The Configure Authentication wizard works correctly as well and validates the test user yet I am unable to login any users into the domain.

    I have added a couple of test users into Zimbra manually and set their passwords to blanks and verified their existence and functionality on the LDAP server so as to provision those users into Zimbra.

    My Zimbra settings are:

    LDAP URL: ldaps://10.142.81.5:636
    LDAP filter: (cn=%n)
    LDAP search base: o=mydepartment
    Use DN/Password to bind to external server: Yes
    Bind DN: cn=usertest, o= mydepartment

    Using the test user kells and mypassword I get a:

    Authentication test successful

    When I try to login user kells to a web client I get the following: The username or password is incorrect. Verify that CAPS LOCK is not on, and then retype the current username and password. Any suggestions?

    And another question, related to GAL. When I pull up a global list from my LDAP directory I get the cn and email address displayed; is there a way to display another object besides cn? Since this is my user ID data, this is very hard for the users to read. It would be nice to map first and last name . . .

    Thanks in advance!

  2. #2 Klug (Moderator)

    Hello, welcome to the forum.

    Quote Originally Posted by xtreme-one:
    When I try to login user kells to a web client I get the following: The username or password is incorrect. Verify that CAPS LOCK is not on, and then retype the current username and password. Any suggestions?
    Are you trying to log in with the full user name (someone@domain.tld) or just what is before the @domain.tld ?

    Quote Originally Posted by xtreme-one:
    And another question - related to GAL. When I pull up a global list from my LDAP directory I get the cn and email address displayed, is there a way to display another object besides cn? Since this is my userID data this is very hard to read by the users would be nice to map first and last name . . .
    What are the filter and search query you're currently using ?

  3. #3 xtreme-one (Intermediate Member)

    Thanks for the friendly welcome!

    Since I have configured this domain as the default I should not have to enter the full user name with @domain.tld info. I have verified that I can log into this domain by turning the LDAP authentication off and I can indeed access the domain with just the user name. The answer to your question then is just the user name: kells for example.

    GAL mode: Both
    Most results returned by GAL search: 100
    Server type: LDAP
    LDAP filter:*(ObjectClass=user)
    Autocomplete filter: (|(cn=%s*)(sn=%s*)(gn=%s*)(mail=%s*))
    LDAP search base: o=mydepartment
    LDAP URL: ldaps://10.142.81.5:636
    Bind DN: cn=usertest,o=mydepartment
    This shows the filter I am using for the base search.

    I hope that helps!

  4. #4 kirme3 (Trained Alumni)

    Couple things I notice right away:

    Your base search is just o=mydepartment; make sure you have the entire path, i.e. ou=people,dc=company,dc=com

    For external authentication, try this filter:
    uid=%u
    or
    cn=%u (depending on how your LDAP is set up). Also, there is no need for the parentheses if the filter has just one check.


    For your GAL question, you can definitely get more than just cn data. Here's my GAL filter: (|(uid=*%s*)(sn=*%s*)(givenName=*%s*)) . Of course this also depends on your LDAP config.

  5. #5 xtreme-one (Intermediate Member)

    Quote Originally Posted by kirme3:
    Your base search is just o=mydepartment, make sure you have the entire path ie...ou=people,dc=company,dc=com
    My LDAP server is a Novell eDirectory server and the o is the base container. That was something that caused me grief earlier in my quest. Since the test works fine I'd be very unhappy to find that the scope is not correct. In other words, I have nothing other than the TREE name, which is at the root of the container, and I cannot scope to it using dc, as I have tried already.

    Quote Originally Posted by kirme3:
    For external authentication, try this filter uid=%u or cn=%u
    Changing the filter to cn=%u did the trick for the authentication! Thanks very much! I do wonder why?

    Quote Originally Posted by kirme3:
    For your GAL question, you can definitely get more than just cn data....here's my GAL filter - (|(uid=*%s*)(sn=*%s*)(givenName=*%s*)) ..of course this also depends on your LDAP config.
    My question here is how do you map this data into something usable in Zimbra. My example was that when I open a GAL list it gives two items, cn and email. Since my user ID is mapped to cn, when users pull up this listing they see people's login IDs and not their names. I would like to list the names, not user IDs, and their email addresses. Make sense?

    thanks again for the pointers!

  6. #6 kirme3 (Trained Alumni)

    I'm not sure where you got %n from... the help page says to use %u.

    I'm not too familiar with eDirectory. Are you using anonymous bind to it, or a specific account? Does the specific account have the correct permissions?

    I'm using OID for my ldap backend with a specific account over LDAP SSL. I'll have to double check the CN values to see what it responds as because I haven't done anything special and I get the persons full name and email when I do a GAL lookup to send mail. If I just do a GAL search, I get name, email, phone, address.

  7. #7 xtreme-one (Intermediate Member)

    I got the %n from the help screen in the admin console. It also listed the %u but I did not think I would need to filter anything out of it. But I am very grateful for your help here.

    Now, for the GAL I would get the same as you IF my cn contained the full name, but it does not; it contains the user ID . . . When I search by first name, for example, it finds the correct items, but let's say I searched for Kevin: it shows me kells and his email address instead of Kevin Ells and his email address. See my issue? I'm getting data, and good data at that; it is just hard to see without the full name.

    Thanks again!
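Why (cn=%n) passes the wizard test but rejects a real login, as an added example (not Zimbra's code and not from any poster in this thread). Zimbra's external-auth help defines %n as the name as given (with @domain when present), %u as the part before the @, %d as the domain and %D as the domain written as dc= components. The in-memory directory, its entries and the tiny filter evaluator are constructed for this example; the explanation of the wizard result (it substitutes the name as typed, "kells", while a real login substitutes the account's full name kells@domain.com) is an assumption consistent with what the thread reports. Because the login name is spliced into the filter string, the example also escapes it per RFC 4515 and shows what an unescaped "*" would do:

```python
import re

# RFC 4515 escaping for a value spliced into a search filter. Without it a
# login name containing '*', '(' or ')' changes the meaning of the filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def expand_auth_filter(template, login, escape=True):
    """Substitute Zimbra's %n/%u/%d/%D tokens into an external-auth filter.

    Token meanings as documented in the admin-console help: %n is the name as
    given (with @domain if present), %u the part before the @, %d the domain,
    %D the domain written as dc=... components.
    """
    user, _, domain = login.partition("@")
    esc = escape_filter_value if escape else (lambda v: v)
    subs = {
        "%n": esc(login),
        "%u": esc(user),
        "%d": esc(domain),
        "%D": ",".join("dc=" + esc(p) for p in domain.split(".")) if domain else "",
    }
    return re.sub(r"%[nudD]", lambda m: subs[m.group(0)], template)


# A tiny filter evaluator, enough for (attr=value), &, |, ! and '*' wildcards.
def _split_children(body):
    parts, depth, start = [], 0, 0
    for i, ch in enumerate(body):
        if ch == "(":
            if depth == 0:
                start = i
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                parts.append(body[start:i + 1])
    return parts


def _unescape(raw):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), raw)


def _value_regex(raw):
    # A bare '*' is a wildcard; an escaped '\2a' is a literal asterisk.
    pieces = [re.escape(_unescape(p)) for p in raw.split("*")]
    return re.compile("^" + ".*".join(pieces) + "$", re.IGNORECASE)


def parse_filter(text):
    text = text.strip()
    if not text.startswith("("):  # Zimbra also accepts a bare "cn=%u"
        text = "(" + text + ")"
    body = text[1:-1]
    if body[0] in "&|":
        return (body[0], [parse_filter(c) for c in _split_children(body[1:])])
    if body[0] == "!":
        return ("!", [parse_filter(body[1:])])
    attr, _, raw = body.partition("=")
    return ("=", attr.strip().lower(), _value_regex(raw))


def matches(entry, node):
    op = node[0]
    if op == "=":
        return any(node[2].match(v) for v in entry.get(node[1], []))
    if op == "&":
        return all(matches(entry, c) for c in node[1])
    if op == "|":
        return any(matches(entry, c) for c in node[1])
    return not matches(entry, node[1][0])


def search(directory, template, login, escape=True):
    """DNs the external-auth search would return for `login` under `template`."""
    node = parse_filter(expand_auth_filter(template, login, escape))
    return [dn for dn, entry in directory.items() if matches(entry, node)]


# Constructed eDirectory-style entries: cn holds the user ID, not the full name.
DIRECTORY = {
    "cn=kells,o=mydepartment": {
        "cn": ["kells"], "givenname": ["Kevin"], "sn": ["Ells"],
        "mail": ["kells@domain.com"],
    },
    "cn=usertest,o=mydepartment": {"cn": ["usertest"], "sn": ["Test"]},
}

if __name__ == "__main__":
    # Wizard test with the name typed as "kells": %n == "kells", so (cn=%n) matches.
    print(search(DIRECTORY, "(cn=%n)", "kells"))
    # Real login: the account name is kells@domain.com, so (cn=%n) matches nothing.
    print(search(DIRECTORY, "(cn=%n)", "kells@domain.com"))
    # %u strips the domain, so cn=%u matches in both cases.
    print(search(DIRECTORY, "cn=%u", "kells@domain.com"))
    # Unescaped input turns cn=%u into (cn=*) and matches every entry.
    print(search(DIRECTORY, "cn=%u", "*", escape=False))
    print(search(DIRECTORY, "cn=%u", "*"))  # escaped: matches nothing
```

The same function shows why a filter such as (&(cn=%u)(o=%d)) would be wrong here: %d expands to "domain.com", which is the mail domain, not the eDirectory container name o=mydepartment.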

  8. #8 kirme3 (Trained Alumni)

    I haven't done any testing with it but this may lead you in the right direction:

    on a mailstore:

    zmprov gacf | grep zimbraGalLdapAttrMap

    More specifically, this is probably the mapping you are looking for

    zimbraGalLdapAttrMap: displayName,cn=fullName

    To change I believe it is
    zmprov mcf -zimbraGalLdapAttrMap "displayName,cn=fullName"
    zmprov mcf +zimbraGalLdapAttrMap "map1=map2"

    I would not suggest trying this on a production system and definitely have a backup.

    The Zimbra folks would know better than I though.

  9. #9 xtreme-one (Intermediate Member)

    Cha-Ching! That is what I am talking about right there. Do you know where, if anywhere, there is documentation on those commands?

    This is a non-production system. The idea is to see if I can work all the bugs out and then bring a fresh system online - I have already re-installed Zimbra so many times I can't tell you how good I am at it now!

    If this works as well as I hope, I will buy the seats I need this summer. But so far I am VERY impressed with the simplicity of the overall administration and usability of this system. Beats GroupWise, Exchange and Notes hands down.

    thanks some more!

  10. #10 xtreme-one (Intermediate Member)

    I was able to successfully modify the Zimbra configuration based on the zmprov command. However, I would warn anybody using this command to backup their system prior to executing.

    Also, VERY IMPORTANT I was not able to change only one entry at a time, I had to change all the related entries (zimbraGalLdapAttrMap) in order to make the command work properly.

    Bottom Line: You can make it work. Thanks for your help kirme3!
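How the zimbraGalLdapAttrMap rules from post #8 turn LDAP entries into GAL rows, and why post #10 had to re-enter the whole list, as an added example that is not Zimbra's code. The rule format "ldapAttr[,ldapAttr...]=contactField" with the first present attribute winning is the form `zmprov gacf` prints; only a few of the default rules are reproduced here. The eDirectory variant that prefers a fullName attribute over cn, the composed first-plus-last-name fallback, and the two sample entries are this example's own assumptions. The `zmprov_mcf` helper models the three command forms: a plain `zmprov mcf attr value` replaces every existing value of a multi-valued attribute, while the `+attr` and `-attr` forms add or remove a single value.

```python
# A subset of Zimbra's default map in the "ldapAttr[,ldapAttr...]=contactField"
# form printed by `zmprov gacf`; the first LDAP attribute present wins.
DEFAULT_MAP = [
    "displayName,cn=fullName",
    "givenName,gn=firstName",
    "sn=lastName",
    "mail=email",
]

# eDirectory variant (assumption): prefer a fullName attribute and leave cn
# out of the fullName sources, because cn holds the user ID in this directory.
EDIR_MAP = [
    "fullName,displayName=fullName",
    "givenName,gn=firstName",
    "sn=lastName",
    "mail=email",
]


def parse_attr_map(rules):
    """Turn "a,b=dest" strings into ([a, b], dest) pairs (attr names lower-cased)."""
    parsed = []
    for rule in rules:
        sources, _, dest = rule.partition("=")
        parsed.append(([s.strip().lower() for s in sources.split(",")], dest.strip()))
    return parsed


def to_contact(entry, attr_map, compose_full_name=True):
    """Build one GAL contact from an LDAP entry (dict of lower-cased attr -> values).

    compose_full_name is this example's own fallback, not a Zimbra setting:
    if no source attribute supplies fullName, build it from first and last name.
    """
    contact = {}
    for sources, dest in parse_attr_map(attr_map):
        for src in sources:
            values = entry.get(src)
            if values:
                contact[dest] = values[0]
                break
    if compose_full_name and "fullName" not in contact:
        parts = [contact.get("firstName"), contact.get("lastName")]
        if any(parts):
            contact["fullName"] = " ".join(p for p in parts if p)
    return contact


def gal_listing(entries, attr_map):
    """(fullName, email) pairs as the GAL would list them."""
    return [(c.get("fullName", ""), c.get("email", ""))
            for c in (to_contact(e, attr_map) for e in entries)]


def zmprov_mcf(config, attr, value, op=None):
    """Model the three `zmprov mcf` forms on a multi-valued attribute.

    op=None: `zmprov mcf attr value`  -> replaces ALL existing values
    op='+':  `zmprov mcf +attr value` -> adds one value
    op='-':  `zmprov mcf -attr value` -> removes one value
    """
    values = list(config.get(attr, []))
    if op == "+":
        values.append(value)
    elif op == "-":
        values = [v for v in values if v != value]
    else:
        values = [value]
    config[attr] = values
    return config


# Constructed eDirectory-style entries; only kells carries a fullName attribute.
ENTRIES = [
    {"cn": ["kells"], "givenname": ["Kevin"], "sn": ["Ells"],
     "fullname": ["Kevin Ells"], "mail": ["kells@domain.com"]},
    {"cn": ["jdoe"], "givenname": ["Jane"], "sn": ["Doe"],
     "mail": ["jdoe@domain.com"]},
]

if __name__ == "__main__":
    print(gal_listing(ENTRIES, DEFAULT_MAP))  # fullName falls back to cn: user IDs
    print(gal_listing(ENTRIES, EDIR_MAP))     # real names
    cfg = {"zimbraGalLdapAttrMap": list(DEFAULT_MAP)}
    # Swap one rule without touching the others, as the -/+ forms allow.
    zmprov_mcf(cfg, "zimbraGalLdapAttrMap", "displayName,cn=fullName", op="-")
    zmprov_mcf(cfg, "zimbraGalLdapAttrMap", "fullName,displayName=fullName", op="+")
    print(cfg["zimbraGalLdapAttrMap"])
    # The plain form keeps only the value given, which is what wipes the other rules.
    print(zmprov_mcf({"zimbraGalLdapAttrMap": list(DEFAULT_MAP)},
                     "zimbraGalLdapAttrMap", "sn=lastName")["zimbraGalLdapAttrMap"])
```

Check the server's actual output of `zmprov gacf | grep zimbraGalLdapAttrMap` before editing, and keep a copy of it: a plain `zmprov mcf zimbraGalLdapAttrMap ...` leaves only the rules on that command line.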
