02-16-2007, 12:04 PM
External LDAP Authentication Issue
I have searched the forums and read the related WIKI, but I'm still having issues with authenticating via LDAP with the web client.
The default domain is set to domain.com on the server. I have configured this domain for both external/internal LDAP GAL and external LDAP authentication. While I have had some success I have more setbacks than promise.
Going through the wizards the GAL works fine and returns valid data in the test. The Configure Authentication wizard works correctly as well and validates the test user yet I am unable to login any users into the domain.
I have added a couple of test users into Zimbra manually and set their passwords to blanks and verified their existence and functionality on the LDAP server so as to provision those users into Zimbra.
My Zimbra settings are:
LDAP URL: ldaps://10.142.81.5:636
LDAP filter: (cn=%n)
LDAP search base: o=mydepartment
Use DN/Password to bind to external server: Yes
Bind DN: cn=usertest, o= mydepartment
Using the test user kells and mypassword I get a:
Authentication test successful
When I try to login user kells to a web client I get the following: The username or password is incorrect. Verify that CAPS LOCK is not on, and then retype the current username and password. Any suggestions?
And another question - related to GAL. When I pull up a global list from my LDAP directory I get the cn and email address displayed, is there a way to display another object besides cn? Since this is my userID data this is very hard to read by the users would be nice to map first and last name . . .
Thanks in advance!
02-16-2007, 12:16 PM
Hello, welcome to the forum.
Quote (Originally Posted by xtreme-one): When I try to login user kells to a web client I get the following: The username or password is incorrect. Verify that CAPS LOCK is not on, and then retype the current username and password. Any suggestions?
Are you trying to log in with the full user name (someone@domain.tld) or just what is before the @domain.tld?
Quote (Originally Posted by xtreme-one): And another question - related to GAL. When I pull up a global list from my LDAP directory I get the cn and email address displayed, is there a way to display another object besides cn? Since this is my userID data this is very hard to read by the users would be nice to map first and last name . . .
What are the filter and search query you're currently using?
02-16-2007, 12:46 PM
Thanks for the friendly welcome!
Since I have configured this domain as the default I should not have to enter the full user name with @domain.tld info. I have verified that I can log into this domain by turning the LDAP authentication off and I can indeed access the domain with just the user name. The answer to your question then is just the user name: kells for example.
Quote:
GAL mode: Both
Most results returned by GAL search: 100
Server type: LDAP
LDAP filter:*(ObjectClass=user)
Autocomplete filter: (|(cn=%s*)(sn=%s*)(gn=%s*)(mail=%s*))
LDAP search base: o=mydepartment
LDAP URL: ldaps://10.142.81.5:636
Bind DN: cn=usertest,o=mydepartment
This shows the filter I am using and the base search.
I hope that helps!
02-16-2007, 01:16 PM (Trained Alumni, Posts: 190)
A couple of things I notice right away:
Your base search is just o=mydepartment, make sure you have the entire path ie...ou=people,dc=company,dc=com
For external authentication, try this filter
uid=%u
or
cn=%u (depending on how your LDAP is set up)... also there is no need for the parentheses if the filter has just one check.
For your GAL question, you can definitely get more than just cn data... here's my GAL filter - (|(uid=*%s*)(sn=*%s*)(givenName=*%s*)) ... of course this also depends on your LDAP config.
02-16-2007, 02:46 PM
Quote:
Your base search is just o=mydepartment, make sure you have the entire path ie...ou=people,dc=company,dc=com
My LDAP server is a Novell eDirectory server and the o is the base container. That was something that caused me grief earlier in my quest. Since the test works fine I'd be very unhappy to find that the scope is not correct. In other words I have nothing other than the TREE name which is at the Root of the container and I cannot scope to it using dc as I have tried already.
Quote:
For external authentication, try this filter uid=%u or cn=%u
Changing the filter to cn=%u did the trick for the authentication! Thanks very much! I do wonder why?
Quote:
For your GAL question, you can definitely get more than just cn data....here's my GAL filter - (|(uid=*%s*)(sn=*%s*)(givenName=*%s*)) ..of course this also depends on your LDAP config.
My question here is how do you map this data into something usable in Zimbra. My example was that when I open a GAL list it gives two items, cn and email. Since my userid is mapped to cn, when users pull up this listing they see people's login IDs and not their names. I would like to list the names, not userids, and their email addresses. Make sense?
Thanks again for the pointers!
02-16-2007, 03:09 PM (Trained Alumni, Posts: 190)
I'm not sure where you got %n from... the help page says to use %u.
I'm not too familiar with eDirectory. Are you using anonymous bind to it, or a specific account? Does the specific account have the correct permissions?
I'm using OID for my ldap backend with a specific account over LDAP SSL. I'll have to double check the CN values to see what it responds as because I haven't done anything special and I get the person's full name and email when I do a GAL lookup to send mail. If I just do a GAL search, I get name, email, phone, address.
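As an added example (not from the thread and not Zimbra's own code) of why cn=%u worked where cn=%n did not: in Zimbra's external-auth filter, %n is the name as typed including any @domain, %u is the part before the @, %d is the domain and %D is the domain as dc= components. The web client filling in the default domain for a bare login (consistent with the admin-console test passing for a bare "kells") is modelled here as an assumption; the escaping of filter metacharacters is the check a defender would want before a typed login name is substituted into a filter.

```python
import re

# Characters with special meaning inside an LDAP filter value (RFC 4515).
# Escaping them keeps a typed login name from changing the filter's structure.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def complete_login(login: str, default_domain: str) -> str:
    """Assumption: a web-client login typed without '@' gets the default domain."""
    return login if "@" in login else f"{login}@{default_domain}"


def expand_auth_filter(template: str, login: str, default_domain: str) -> str:
    """Expand Zimbra's %n / %u / %d / %D placeholders in an external-auth filter."""
    full = complete_login(login, default_domain)
    local, _, domain = full.partition("@")
    values = {
        "%n": escape_filter_value(full),      # name as typed, e.g. kells@domain.com
        "%u": escape_filter_value(local),     # local part only, e.g. kells
        "%d": escape_filter_value(domain),    # domain.com
        "%D": ",".join(f"dc={p}" for p in domain.split(".")),  # dc=domain,dc=com
    }
    return re.sub(r"%[nudD]", lambda m: values[m.group(0)], template)


def matches(filter_str: str, entry: dict) -> bool:
    """Evaluate a single '(attr=value)' equality filter against one entry."""
    m = re.fullmatch(r"\((\w+)=(.*)\)", filter_str)
    if not m:
        raise ValueError(f"unsupported filter: {filter_str}")
    attr, raw = m.group(1).lower(), m.group(2)
    # A real directory server unescapes \xx sequences before comparing.
    value = re.sub(r"\\([0-9a-fA-F]{2})", lambda h: chr(int(h.group(1), 16)), raw)
    return entry.get(attr) == value


# Constructed eDirectory-style entry: cn holds the user ID, not the full name.
KELLS = {"cn": "kells", "fullname": "Kevin Ells", "mail": "kells@domain.com"}

if __name__ == "__main__":
    for tmpl in ("(cn=%n)", "(cn=%u)"):
        f = expand_auth_filter(tmpl, "kells", "domain.com")
        print(f"{tmpl:8} -> {f:24} matches kells: {matches(f, KELLS)}")
```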
02-16-2007, 03:21 PM
I got the %n from the help screen in the admin console. It also listed the %u but I did not think I would need to filter anything out of it. But I am very grateful for your help here.
Now, for the GAL I would get the same as you IF my cn contained the full name, but it does not, it contains the userid . . . When I search by first name for example it finds the correct items, but let's say I searched for Kevin, it shows me kells and his email address instead of Kevin Ells and his email address? See my issue? I'm getting data, and good data at that, just it is hard to see without the full name.
Thanks again!
02-16-2007, 03:33 PM (Trained Alumni, Posts: 190)
I haven't done any testing with it but this may lead you in the right direction:
on a mailstore:
zmprov gacf | grep zimbraGalLdapAttrMap
More specifically, this is probably the mapping you are looking for
zimbraGalLdapAttrMap: displayName,cn=fullName
To change I believe it is
zmprov mcf -zimbraGalLdapAttrMap "displayName,cn=fullName"
zmprov mcf +zimbraGalLdapAttrMap "map1=map2"
I would not suggest trying this on a production system and definitely have a backup.
The Zimbra folks would know better than I though.
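As an added example (not from the thread and not Zimbra's own code) of what the zimbraGalLdapAttrMap entries above do: each value has the form "ldapAttr1,ldapAttr2=galAttr", and the first listed LDAP attribute that has a value populates the GAL field. The eDirectory attribute name "fullName" and the test entry are assumptions constructed for the example; "displayName,cn=fullName" is the default quoted in the thread and the other two map values are constructed.

```python
from typing import Dict, List


def parse_attr_map(entry: str):
    """'displayName,cn=fullName' -> (['displayName', 'cn'], 'fullName')."""
    ldap_side, sep, gal_attr = entry.partition("=")
    if not sep or not ldap_side or not gal_attr:
        raise ValueError(f"malformed attr map: {entry!r}")
    return [a.strip() for a in ldap_side.split(",") if a.strip()], gal_attr.strip()


def project_gal_entry(ldap_entry: Dict[str, str], attr_map: List[str]) -> Dict[str, str]:
    """Build the GAL view of one LDAP entry (attribute names are case-insensitive)."""
    lowered = {k.lower(): v for k, v in ldap_entry.items()}
    gal: Dict[str, str] = {}
    for m in attr_map:
        sources, target = parse_attr_map(m)
        for src in sources:              # first source with a value wins
            value = lowered.get(src.lower())
            if value:
                gal[target] = value
                break
    return gal


def mcf_multivalue(current: List[str], op: str, value: str) -> List[str]:
    """zmprov mcf on a multi-valued attribute: '+' adds, '-' removes, '' replaces."""
    if op == "+":
        return current if value in current else current + [value]
    if op == "-":
        return [v for v in current if v != value]
    if op == "":
        return [value]
    raise ValueError(f"unknown op {op!r}")


# Constructed eDirectory-style entry: cn is the login ID, fullName the real name.
KELLS = {"cn": "kells", "fullName": "Kevin Ells", "mail": "kells@domain.com"}
# First value is the default quoted in the thread; the other two are constructed.
DEFAULT_MAP = ["displayName,cn=fullName", "givenName=firstName", "mail=email"]

if __name__ == "__main__":
    before = project_gal_entry(KELLS, DEFAULT_MAP)
    fixed_map = mcf_multivalue(DEFAULT_MAP, "-", "displayName,cn=fullName")
    fixed_map = mcf_multivalue(fixed_map, "+", "fullName,displayName,cn=fullName")
    after = project_gal_entry(KELLS, fixed_map)
    print("before:", before)   # fullName falls back to cn, i.e. the login ID
    print("after: ", after)    # fullName now comes from the eDirectory fullName
```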
02-16-2007, 03:45 PM
Cha-Ching! That is what I am talking about right there. Do you know where, if anywhere, there is documentation on those commands?
This is a non-production system. The idea is to see if I can work all the bugs out and then bring a fresh system online - I have already re-installed Zimbra so many times I can't tell you how good I am at it now!
If this works as well as I hope, I will buy the seats I need this summer. But so far I am VERY impressed with the simplicity of the overall administration and usability of this system. Beats GroupWise, Exchange and Notes hands down.
Thanks some more!
02-16-2007, 06:38 PM
I was able to successfully modify the Zimbra configuration based on the zmprov command. However, I would warn anybody using this command to backup their system prior to executing.
Also, VERY IMPORTANT I was not able to change only one entry at a time, I had to change all the related entries (zimbraGalLdapAttrMap) in order to make the command work properly.
Bottom Line: You can make it work. Thanks for your help kirme3!