External LDAP Authentification issue

[cswihart]

I am currently testing Zimbra Network Edition on a SLES9 server. Zimbra currently is configured to Authenticate against our External Novell eDirectory server. The problem I have run into is that there are a few users who have alias user objects created in our Novell Tree. These users are unable to authenticate against zimbra. The zimbra mailbox.log indicates that the ldapsearch filter is returning more than one result for the username. Is there a way to adjust the search filter in order to leave out the aliased objects?

[Bevan Bennett]

There probably is.

Could you post the LDIF for a user and one of his alias objects? I'm not familiar with "alias user objects" personally, but I strongly suspect there's enough of a difference to tell them apart in a standard manner.

Something similar to the following should work, for example, if the actual user is a posixAccount but his aliases are not... (&(uid=%u)(objectclass=posixAccount))

[cswihart]

Bevan,

Thank you for the advice.

Here is the filter I tried to use for LDAP authentification:

(& (cn=%u)(! (objectClass=aliasObject)))

However I recieve this error when I try to authenticate using credentials that have alias objects in the Novell tree.:

AuthenticationException: too many results from search filter!

An ldapsearch from the command line on the Zimbra server using the above ldap filter only returns the actual user object.

I also tried this filter

(& (cn=%u)(objectClass=inetOrgPerson))

, but had the same results.

Here are the ldif entries you requested.

# extended LDIF
#
# LDAPv3
# base with scope sub
# filter: cn=cjs
# requesting: ALL
#

# CJS, OU1, BC
dn: cn=CJS,ou=ORGANIZATION,o=BC
mail: "Test User"
uid: CJS
givenName: Test
fullName: Test User
messageServer: cn=COURTHOUSE,ou=ORGANIZATION,o=BC
sn: User
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: Person
objectClass: ndsLoginProperties
objectClass: Top
loginTime: 20070628100502Z
loginIntruderAddress:: MCP//wADAAAAAAABBFE=
loginGraceRemaining: 5
loginGraceLimit: 6
loginDisabled: FALSE
ndsHomeDirectory: cn=ORG_VOL2,ou=ORGANIZATION,o=BC#0#HOMES\CJS
groupMembership: cn=Internet,o=MAIL
cn: CJS
cn: Test User

# cjs, OU2, BC
dn: cn=cjs,ou=OU2,o=BC
objectClass: aliasObject
objectClass: Top
cn: cjs

# search result
search: 2
result: 0 Success

# numResponses: 3
# numEntries: 2

[Bevan Bennett]

Hmm, I'd expect the two you tried to work.
If you run a manual ldapsearch using those filters, what do you see?
It's a longshot, but you seem to have whitespace after your & and !... I don't remember if that can be a problem or not.

Also, given your example, have you tried using simply (uid=%u) ?