04-30-2007, 04:35 PM
GAL not working with Active Directory
I haven't been able to get GAL lookups to work with Active Directory. My authentication with active directory works great.
In the zimbraAdmin I configured my baseDN "dc=company,dc=corp" which matches my actual AD setup. I bind with my username, do a search and hit "test", and while it says it is successful, it never comes back with data.
If I remove the baseDN I get a SOAP error, I tried putting () around basedn and got a java exception, I tried both and external searches, and I never get data back. I also get no data when searching GAL with the webclient.
Is there somewhere I can look for logs on what may be going on, or has someone configured this recently and it worked? I'm running ZCS 4.5.4.
05-02-2007, 10:57 AM
Zimbra Employee
Posts: 119
Quote:
Originally Posted by ardiederich
I haven't been able to get GAL lookups to work with Active Directory. My authentication with active directory works great.
In the zimbraAdmin I configured my baseDN "dc=company,dc=corp" which matches my actual AD setup. I bind with my username, do a search and hit "test", and while it says it is successful, it never comes back with data.
If I remove the baseDN I get a SOAP error, I tried putting () around basedn and got a java exception, I tried both and external searches, and I never get data back. I also get no data when searching GAL with the webclient.
Is there somewhere I can look for logs on what may be going on, or has someone configured this recently and it worked? I'm running ZCS 4.5.4.
Can you post a SOAP trace? (run zimbraAdmin as https://yourserver.com:7071/zimbraAd...=false&debug=1)
05-02-2007, 11:35 AM
Quote:
Originally Posted by Greg
Sure. Note: This doesn't work in IE 6. There is a script error:
Line: 45
Char: 3
Error: Invalid argument.
Code: 0
URL: https://yourserver.com:7071/zimbraAd...=false&debug=1
In Firefox 2.0 it works, though. My slightly obfuscated SOAP:
HTML Code:
<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope">
  <soap:Header>
    <context xmlns="urn:zimbra">
      <userAgent name="ZimbraWebClient - FF2.0 (Win)" version="undefined"/>
      <sessionId id="37"/>
      <authToken>
0_b5eb8141bf6f5b13229d3f2842d84756b2e8110f_69643d33363a35396434306663312d656530322d346433372d626239382d6664393431656136363739393b6578703d31333a313137383137333830393532363b61646d696e3d313a313b
      </authToken>
      <format type="js"/>
    </context>
  </soap:Header>
  <soap:Body>
    <CheckGalConfigRequest xmlns="urn:zimbraAdmin">
      <a n="zimbraGalMode">ldap</a>
      <a n="zimbraGalLdapURL">ldap://exampledc.example.corp:389</a>
      <a n="zimbraGalLdapSearchBase">dc=example,dc=corp</a>
      <a n="zimbraGalLdapFilter">ad</a>
      <a n="zimbraGalLdapBindDn">andrew.diederich@example.corp</a>
      <a n="zimbraGalLdapBindPassword">notmypassword</a>
      <query>*andrew*</query>
    </CheckGalConfigRequest>
  </soap:Body>
</soap:Envelope>
And the response:
Code:
Body: {
CheckGalConfigResponse: {
_jsns: "urn:zimbraAdmin",
code: [
0: {
_content: "check.OK"
}
],
message: [
0: {
_content: ""
}
]
}
},
Header: {
context: {
_jsns: "urn:zimbra",
sessionId: [
0: {
_content: "37",
id: "37",
type: "admin"
}
]
}
},
_jsns: "urn:zimbraSoap"
That SOAP debugger is really neat, by the way. I like the Mark feature.
Last edited by ardiederich : 05-02-2007 at 11:40 AM.
Reason: Fixing code / html posting
05-02-2007, 01:16 PM
Zimbra Employee
Posts: 228
Do you also have Exchange running? I seem to recall our default search filter for AD has a dependency on Exchange.
One thing you might want to try is to configure your GAL as an external LDAP server, then enter a really simple search filter that you know should work and see if that works.
05-02-2007, 03:07 PM
Quote:
Originally Posted by schemers
Do you also have Exchange running? I seem to recall our default search filter for AD has a dependency on Exchange.
No, we aren't using exchange. My hope is to use ZCS instead of exchange.
Quote:
One thing you might want to try is to configure your GAL as an external LDAP server, then enter a really simple search filter that you know should work and see if that works.
That one does the trick. I used (&(|(cn=%s*)(sn=%s*)(gn=%s*)(mail=%s*))) as the LDAP filter. I left (|(cn=%s*)(sn=%s*)(gn=%s*)(mail=%s*)) as the autocomplete filter.
The admin UI keeps deleting my LDAP filter when I go and configure GAL, which is unfortunate. I've just moved from 'both' to external, so I know which LDAP I'm getting data from.
Last edited by ardiederich : 05-02-2007 at 03:11 PM.
Reason: correctness
05-02-2007, 03:09 PM
Zimbra Employee
Posts: 228
That is probably your best (well, only) bet for now, then.
I think there is already a bug filed that says our default AD filter assumes Exchange is installed so we need to update it.
05-02-2007, 03:16 PM
I spoke slightly too soon. I get the first & last names back from the search to Active Directory, but not other data -- phone, cell phone, email, etc. Is there a way to specify the data to come back?
I've done a command line ldapsearch, and I am getting data back:
ldapsearch -h exampledc.example.corp -x -b "dc=example,dc=corp" -D "andrew.diederich@example.corp" -W cn="*andrew*"
Gets back info like:
cn: Andrew Diederich
...
telephoneNumber: (202)555-1212
mail:
Last edited by ardiederich : 05-02-2007 at 03:25 PM.
Reason: more info added
05-02-2007, 03:37 PM
Zimbra Employee
Posts: 228
The value of zimbraGalLdapAttrMap controls which gal attributes get requested, and how they get converted to our contact model. The default map can be obtained via zmprov:
Code:
/opt/zimbra/bin/zmprov gacf|grep zimbraGalLdapAttr
zimbraGalLdapAttrMap: co=workCountry
zimbraGalLdapAttrMap: company=company
zimbraGalLdapAttrMap: description=notes
zimbraGalLdapAttrMap: displayName,cn=fullName
zimbraGalLdapAttrMap: givenName,gn=firstName
zimbraGalLdapAttrMap: initials=initials
zimbraGalLdapAttrMap: l=workCity
zimbraGalLdapAttrMap: objectClass=objectClass
zimbraGalLdapAttrMap: ou=department
zimbraGalLdapAttrMap: physicalDeliveryOfficeName=office
zimbraGalLdapAttrMap: postalCode=workPostalCode
zimbraGalLdapAttrMap: sn=lastName
zimbraGalLdapAttrMap: st=workState
zimbraGalLdapAttrMap: street,streetAddress=workStreet
zimbraGalLdapAttrMap: telephoneNumber=workPhone
zimbraGalLdapAttrMap: title=jobTitle
zimbraGalLdapAttrMap: whenChanged,modifyTimeStamp=modifyTimeStamp
zimbraGalLdapAttrMap: whenCreated,createTimeStamp=createTimeStamp
zimbraGalLdapAttrMap: zimbraCalResLocationDisplayName=zimbraCalResLocationDisplayName
zimbraGalLdapAttrMap: zimbraCalResType=zimbraCalResType
zimbraGalLdapAttrMap: zimbraId=zimbraId
zimbraGalLdapAttrMap: zimbraMailDeliveryAddress,zimbraMailAlias,mail=email,email2,email3,email4,email5,email6
zimbraGalLdapAttrMap: zimbraMailForwardingAddress=zimbraMailForwardingAddress
The map is basically a set of rules that looks like:
Where the attrs on the left-hand come from LDAP, and get mapped to the values on the right-hand side, which correspond to our contact model.
For example the rule:
zimbraGalLdapAttrMap: street,streetAddress=workStreet
says if the LDAP result contains "street" map it to workStreet. If it doesn't contain "street" , then see if it contains "streetAddress" and map that to workStreet.
If there are multiple values for a given attribute on the left-hand side, and multiple listed on the right-hand side, then it will map the values on the left to the values on the right, sequentially, i.e. if you have:
a=b,c
And the LDAP result contains two values for a (let's assume "a1", and "a2"), then "b" will get set to "a1" , and "c" will get set to "a2".
You can add/remove mappings using zmprov:
Code:
/opt/zimbra/bin/zmprov
prov> mcf
usage: modifyConfig(mcf) attr1 value1 [attr2 value2...]
prov> mcf +zimbraGalLdapAttrMap x=y
prov> mcf -zimbraGalLdapAttrMap x=y
prov>
The syntax "+zimbraGalLdapAttrMap" means to add an additional zimbraGalLdapAttrMap attribute to the config, while "-zimbraGalLdapAttrMap" means to remove an existing setting.
Our contact model contains (roughly, some of these might not be displayed in the client) the following set of fields, which I grabbed from Contact.java in the ZimbraServer source:
Code:
public static final String A_birthday = "birthday";
public static final String A_callbackPhone = "callbackPhone";
public static final String A_carPhone = "carPhone";
public static final String A_company = "company";
public static final String A_companyPhone = "companyPhone";
public static final String A_department = "department";
public static final String A_dlist = "dlist";
public static final String A_email = "email";
public static final String A_email2 = "email2";
public static final String A_email3 = "email3";
public static final String A_fileAs = "fileAs";
public static final String A_firstName = "firstName";
public static final String A_fullName = "fullName";
public static final String A_homeCity = "homeCity";
public static final String A_homeCountry = "homeCountry";
public static final String A_homeFax = "homeFax";
public static final String A_homePhone = "homePhone";
public static final String A_homePhone2 = "homePhone2";
public static final String A_homePostalCode = "homePostalCode";
public static final String A_homeState = "homeState";
public static final String A_homeStreet = "homeStreet";
public static final String A_homeURL = "homeURL";
public static final String A_image = "image";
public static final String A_initials = "initials";
public static final String A_jobTitle = "jobTitle";
public static final String A_lastName = "lastName";
public static final String A_middleName = "middleName";
public static final String A_mobilePhone = "mobilePhone";
public static final String A_namePrefix = "namePrefix";
public static final String A_nameSuffix = "nameSuffix";
public static final String A_nickname = "nickname";
public static final String A_notes = "notes";
public static final String A_office = "office";
public static final String A_otherCity = "otherCity";
public static final String A_otherCountry = "otherCountry";
public static final String A_otherFax = "otherFax";
public static final String A_otherPhone = "otherPhone";
public static final String A_otherPostalCode = "otherPostalCode";
public static final String A_otherState = "otherState";
public static final String A_otherStreet = "otherStreet";
public static final String A_otherURL = "otherURL";
public static final String A_pager = "pager";
public static final String A_workCity = "workCity";
public static final String A_workCountry = "workCountry";
public static final String A_workFax = "workFax";
public static final String A_workPhone = "workPhone";
public static final String A_workPhone2 = "workPhone2";
public static final String A_workPostalCode = "workPostalCode";
public static final String A_workState = "workState";
public static final String A_workStreet = "workStreet";
public static final String A_workURL = "workURL";
public static final String A_type = "type";
So you'll want to look at the AD attributes that you have set as the ones on the left-hand side of the rule, and then the above contact fields as the ones to map them to on the right hand.
All this information needs to be put into the Wiki, I'll see if I can get it updated with the info in this post.
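The mapping rules described in the post above, modelled as an added example (not ZimbraServer code and not from the thread): it applies a subset of the default zimbraGalLdapAttrMap to a constructed AD-style entry. The function names, the sample entry and the dropping of surplus values are assumptions.

```python
# Added example: models zimbraGalLdapAttrMap as the post describes it.
# Not Zimbra's implementation; all function names here are hypothetical.

DEFAULT_RULES = [  # subset of the default map listed in the post
    "displayName,cn=fullName",
    "givenName,gn=firstName",
    "sn=lastName",
    "street,streetAddress=workStreet",
    "telephoneNumber=workPhone",
    "zimbraMailDeliveryAddress,zimbraMailAlias,mail=email,email2,email3,email4,email5,email6",
]

def _split(part):
    return [p.strip() for p in part.split(",") if p.strip()]

def parse_rule(rule):
    """Split 'ldapA,ldapB=field1,field2' into (LDAP attrs, contact fields)."""
    left, sep, right = rule.partition("=")
    ldap_attrs, fields = _split(left), _split(right)
    if not sep or not ldap_attrs or not fields:
        raise ValueError(f"malformed rule: {rule!r}")
    return ldap_attrs, fields

def requested_attrs(rules):
    """Attributes requested from the directory: the left-hand sides only."""
    return {attr for rule in rules for attr in parse_rule(rule)[0]}

def apply_rules(rules, entry):
    """Map one LDAP entry (attr -> list of values) to contact fields."""
    lookup = {k.lower(): v for k, v in entry.items()}  # LDAP attr names ignore case
    contact = {}
    for rule in rules:
        ldap_attrs, fields = parse_rule(rule)
        values = [v for a in ldap_attrs for v in lookup.get(a.lower(), [])]
        # Values fill the right-hand fields in order; surplus values are
        # dropped (assumption, the post does not say what happens to them).
        for field, value in zip(fields, values):
            contact.setdefault(field, value)
    return contact

# Constructed sample entry, shaped like the ldapsearch output in the thread.
SAMPLE_ENTRY = {
    "cn": ["Andrew Diederich"],
    "sn": ["Diederich"],
    "givenName": ["Andrew"],
    "telephoneNumber": ["(202)555-1212"],
    "mobile": ["(202)555-0100"],
    "mail": ["andrew.diederich@example.corp"],
    "streetAddress": ["1 Example St"],
}
```

With the default rules the AD `mobile` attribute is neither requested nor mapped; appending an illustrative rule such as `mobile=mobilePhone` (the form `mcf +zimbraGalLdapAttrMap` takes) makes `apply_rules` return it as `mobilePhone`.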
05-02-2007, 04:05 PM
This is all excellent info, thanks. So, if I want to look at the mail addresses that have predefined maps, I do:
/opt/zimbra/bin/zmprov gacf | grep zimbraGalLdapAttr | grep mail
and I get
zimbraGalLdapAttrMap: zimbraMailDeliveryAddress,zimbraMailAlias,mail=email,email2,email3,email4,email5,email6
so what ZCS does is go from zimbraMailDeliveryAddress through mail, and as it finds results for those, maps them to email, email2, etc. So, my Active Directory value for mail should get mapped to the Zimbra value of email?
What I'm seeing with packet sniffing from Wireshark is the correct LDAP responses are getting back to the Linux server. e.g. I see a mail=me@example.com. What I see in the webmail UI, though, is just their FirstName LastName in the (cool) contact card resultset.
Is there a way to debug the SOAP on the client, as well? That way I can see if the results are getting to the client, or are getting dropped on the server.
05-03-2007, 12:11 AM
Zimbra Employee
Posts: 228
If you start the client with ?debug=1 you should get a popup window with the soap debug in it. Another option is to use Firefox and install Firebug, as it has some nice debugging tools.