Thread: About external LDAP problem, urgent!

  1. #1

    About external LDAP problem, urgent!

    Hello, Dear all,

    The objective of posting this thread is to hope someone can give me a clear answer about an external LDAP problem. My company is going to put this Zimbra server into real production; however, the user integration and authentication problem is giving me a heavy headache.

    What I really want is to authenticate user system logon and mailbox logon with the same LDAP server. The LDAP that comes with Zimbra is pretty good and powerful, but the main drawback is that it can only authenticate user logon to the mailbox. I searched on the wiki (LDAP Authentication - ZimbraWiki) and got an article guiding how to make Zimbra use external LDAP to authenticate users. All the steps went really well and the test returned a successful result; however, the logon process always fails when I log on with a username that was created in the external LDAP.

    Thus, I searched the Zimbra forum for this issue. There are lots of threads about this, but the answers confused me. It seems that we have to create a user account in both the Zimbra admin console and the external LDAP server. It was confirmed by testing on my server.

    My doubt is about the objective of Zimbra working with an external LDAP server. In my opinion, the objective is to centralize user information, to simplify system upgrading and migration. But the fact is not what I expected.

    Is there any way to solve this problem? In my company, there will be more than 200 staff moving to the Linux platform. If we create and manage so many users' information in two places, the task will be unimaginable!

    By the way, several days before, I also tried to use the Samba and Postfix extension, but failed at step 3. Anyway, I prefer to use external LDAP; it will be more flexible.

    Any idea? Any reply will be appreciated very much! Thanks!

  2. #2

    Hi,

    Are you creating the user accounts in Zimbra as well as the external LDAP server?

    I realize this is some duplication of work, but here I've created scripts to create LDAP and Zimbra users at the same time to make it easier.

    Zimbra will not create accounts on the fly, even if they're in LDAP. It stores much more information than simply a username and a password.

  3. #3

    Thanks, is it possible to share your script with me?!

    Hello, p24t

    I currently have to create users in both OpenLDAP and the LDAP that comes with Zimbra, but it is not what I want.

    How is your script working? Is it possible to teach me how to create it and use it? Is it possible to share your script with me? Many thanks to you in advance!

  4. #4

    Unfortunately, my script is fairly customized. It's a Ruby script with a web interface, and it depends on SSH keys.

    Essentially, I take the user information and write an LDIF file to enter the LDAP entry, which I use with ldapadd. Then I write a shell script file, which gets scp'd to the zimbra user; I run the file and delete it. If my user is already in LDAP, it updates the password and still adds to Zimbra.

    I'll post the code here for you; hopefully you can make some use of it. This is the part that gets the CGI user info from the web form.

    Code:
    require 'cgi'
    require 'base64'
    require 'shellwords'   # Shellwords.escape protects the zmprov command line below
    
    cgi = CGI.new
    basedn = "cn=admin,dc=bog3d,dc=com"   # my admin dn
    host = '192.168.1.71'   # my zimbra box IP
    user, pass, fname, lname = cgi['user'], cgi['pass'], cgi['fname'], cgi['lname']
    # untaint is only needed under Ruby 1.8's $SAFE taint checks; drop these on
    # Ruby 3.2+, where the method no longer exists
    user.untaint
    pass.untaint
    fname.untaint
    lname.untaint
    
    # The username goes into an LDAP filter, a DN and a remote shell command, so
    # accept only a plain account name before it reaches any of them.
    unless user =~ /\A[a-z0-9][a-z0-9._-]*\z/
      puts "Invalid username.<br>"
      exit
    end
    
    # ldapsearch prints "# numEntries: N" only when the filter matched an entry
    command = "ldapsearch -x -h ldap.bog3d.com 'uid=#{user}' -b 'ou=people,dc=bog3d,dc=com'"
    command.untaint
    userinfo = `#{command}`
    
    if /numEntries/.match(userinfo)
    
            puts "LDAP User #{user} exists.  Updating password.<br>"
            seed = sprintf "%x", (1000000000 * rand).to_i
            ldapfile = File.new( "/tmp/#{seed}", 'w' )
            ldapfile.write "dn: uid=#{user},ou=people,dc=bog3d,dc=com\n"
            ldapfile.write "changetype: modify\n"
            ldapfile.write "replace: userPassword\n"
    
            # a two-letter salt selects traditional DES crypt(3), which only looks at
            # the first 8 characters of the password
            salt = ((26 * rand).to_i + 65).chr + ((26 * rand).to_i + 65).chr
            newpass = "{CRYPT}" + pass.crypt(salt)
            ldapfile.write "userPassword: #{newpass}\n"
    
            ldapfile.close
            # argument-array form of system: no shell is involved, so the DN and the
            # bind password are passed through exactly as given
            system "ldapmodify", "-x", "-h", "ldap.bog3d.com", "-f", "/tmp/#{seed}", "-D", basedn, "-w", "[password here]"
            File.delete("/tmp/#{seed}")
    else
            puts "Adding entry for #{user} <br>"
            seed = sprintf "%x", (1000000000 * rand).to_i
            ldapfile = File.new( "/tmp/#{seed}", 'w' )
            ldapfile.write "dn: uid=#{user},ou=people,dc=bog3d,dc=com\n"
            ldapfile.write "objectClass: top\n"
            ldapfile.write "objectClass: inetOrgPerson\n"
            ldapfile.write "uid: #{user}\n"
            # names are written raw; per RFC 2849 a value with a leading space, a
            # newline or non-ASCII characters has to be base64-encoded as "cn:: ..."
            ldapfile.write "cn: #{fname} #{lname}\n"
    
            ldapfile.write "sn: #{lname}\n"
    
            salt = ((26 * rand).to_i + 65).chr + ((26 * rand).to_i + 65).chr
            newpass = "{CRYPT}" + pass.crypt(salt)
            ldapfile.write "userPassword: #{newpass}\n"
            ldapfile.close
            system "ldapadd", "-h", "ldap.bog3d.com", "-x", "-f", "/tmp/#{seed}", "-D", basedn, "-w", "[password here]"
            File.delete("/tmp/#{seed}")
            puts "User added to LDAP.<br>"
    end
    
    # shell script for the Zimbra box; every form value is escaped for the remote shell
    seed = sprintf "%x", (1000000000 * rand).to_i
    scriptfile = File.new( "/tmp/#{seed}", 'w' )
    scriptfile.puts "zmprov ca #{user}@bexp3d.com #{Shellwords.escape(pass)} givenName #{Shellwords.escape(fname)} sn #{Shellwords.escape(lname)} displayName #{Shellwords.escape("#{fname} #{lname}")}"
    scriptfile.puts "zmprov aaa #{user}@bexp3d.com #{user}@bog3d.com"
    scriptfile.close
    
    # ~/log must already exist for the zimbra user; ssh keys let this run without a prompt
    system "scp", "/tmp/#{seed}", "zimbra@#{host}:~/log"
    system "ssh", "zimbra@#{host}", "sh log/#{seed}"
    system "ssh", "zimbra@#{host}", "rm log/#{seed}"
    
    File.delete("/tmp/#{seed}")
    
    puts "User added to Zimbra."

  5. #5

    thanks a lot!

    Dear p24t,

    Thanks for your script. I don't know how to use Ruby, but I know programming, so after reading your code, I got my mind opened. So your script serves as a middle layer that receives user information from the web interface and then writes to both places, Zimbra's LDAP and the system's embedded LDAP. Right? So this means all user management work is on the web interface?

    I'd like to analyze it in detail; if there is no other way, this method might be the only way that should be applied. Thanks!

  6. #6

    The script takes 4 values from CGI:

    Code:
    cgi['user'], cgi['pass'], cgi['fname'], cgi['lname']
    username, password, first name, last name (just to keep with proper SN syntax)

    The if clause is if it finds the user already in ldap. The else if it's not. All the

    Code:
    ldapfile.write ".....
    are the LDIF information written to the file, and the file is called using ldapadd / ldapmodify.

    After the if/else is the zimbra shell script. Just 2 lines, the "scriptfile.puts", and the file is scp'd to the Zimbra server, under the zimbra user, and I run and delete the script over ssh. I set up ssh keys between the web interface server and the zimbra user.

    I had a migration script that used part of this too. There may be better ways to do this than using command line utilities, but this was quick and easy. My web interface for this little script is just a form with 4 boxes. I haven't written anything fancy for it yet. At some point I'll probably make a LDAP manager, since I use the LDAP for my *nix authentication as well.
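    Added example, not p24t's script and not anything shipped with Zimbra: a hardened version of the pieces the posted script builds by hand (the existence check on ldapsearch output, the two LDIF documents, the password attribute and the two zmprov lines). It assumes a constructed base DN ou=people,dc=example,dc=com, reuses the bexp3d.com / bog3d.com domains from the thread, and all function names are mine. It goes beyond the post in three ways: LDIF values are base64-encoded whenever RFC 2849 requires it, so a crafted form field cannot smuggle in extra attribute lines; the password is stored as salted {SSHA}, which OpenLDAP verifies itself, instead of two-character-salt crypt(3); and every form value is shell-escaped before it lands in the script that runs on the Zimbra host. The functions only build the LDIF and script text; invoking ldapadd, ldapmodify, scp and ssh stays exactly as in the original.

```ruby
require 'base64'
require 'openssl'
require 'securerandom'
require 'shellwords'

# Constructed directory layout for this example; substitute your own base DN.
PEOPLE_BASE = 'ou=people,dc=example,dc=com'

# The account name ends up in a DN, a search filter and a remote shell
# command, so it gets a strict allow-list rather than escaping.
def valid_username?(user)
  !!(user =~ /\A[a-z][a-z0-9._-]{0,31}\z/)
end

# RFC 2849 LDIF: a value that is not printable ASCII, or that starts with a
# space, colon or '<', must be written base64-encoded after a double colon.
# This is what keeps a value containing "\nuid: root" from becoming a new line.
def ldif_line(attr, value)
  v = value.to_s
  if v.empty? || v =~ /\A[ :<]/ || v =~ /[^\x20-\x7e]/ || v.end_with?(' ')
    "#{attr}:: #{Base64.strict_encode64(v)}"
  else
    "#{attr}: #{v}"
  end
end

# {SSHA}: SHA-1(password || salt) with the salt appended, then base64.
# OpenLDAP checks this itself, so the script never needs crypt(3).
def ssha_hash(password, salt = SecureRandom.random_bytes(8))
  digest = OpenSSL::Digest::SHA1.digest(password.b + salt.b)
  '{SSHA}' + Base64.strict_encode64(digest + salt.b)
end

def ssha_verify?(stored, password)
  return false unless stored.start_with?('{SSHA}')
  raw = Base64.decode64(stored[6..-1])
  digest, salt = raw[0, 20], raw[20..-1]
  OpenSSL::Digest::SHA1.digest(password.b + salt) == digest
end

def dn_for(user)
  "uid=#{user},#{PEOPLE_BASE}"
end

# LDIF for ldapadd: the same attributes as the posted script, plus givenName.
def add_ldif(user, pass, fname, lname)
  [ldif_line('dn', dn_for(user)),
   'changetype: add',
   'objectClass: top',
   'objectClass: inetOrgPerson',
   ldif_line('uid', user),
   ldif_line('cn', "#{fname} #{lname}"),
   ldif_line('sn', lname),
   ldif_line('givenName', fname),
   ldif_line('userPassword', ssha_hash(pass))].join("\n") + "\n"
end

# LDIF for ldapmodify when the entry already exists.
def modify_password_ldif(user, pass)
  [ldif_line('dn', dn_for(user)),
   'changetype: modify',
   'replace: userPassword',
   ldif_line('userPassword', ssha_hash(pass)),
   '-'].join("\n") + "\n"
end

# ldapsearch prints "# numEntries: N" only when the filter matched something;
# reading the count is safer than grepping for the bare word.
def ldap_user_exists?(search_output)
  m = search_output.match(/^# numEntries: (\d+)/)
  !m.nil? && m[1].to_i > 0
end

# The two zmprov lines, with every form-supplied value shell-escaped so a
# password such as p'w d cannot break out of the remote command.
def zmprov_script(user, pass, fname, lname, mail_domain, alias_domain)
  addr = "#{user}@#{mail_domain}"
  [['zmprov', 'ca', addr, pass, 'givenName', fname, 'sn', lname,
    'displayName', "#{fname} #{lname}"],
   ['zmprov', 'aaa', addr, "#{user}@#{alias_domain}"]]
    .map { |argv| argv.map { |a| Shellwords.escape(a) }.join(' ') }
    .join("\n") + "\n"
end

if __FILE__ == $0
  # Constructed input, including an LDIF-injection attempt in the surname.
  user, pass, fname, lname = 'jdoe', "p'w d", 'John', "Smith\nuid: root"
  abort 'bad username' unless valid_username?(user)
  puts add_ldif(user, pass, fname, lname)
  puts zmprov_script(user, pass, fname, lname, 'bexp3d.com', 'bog3d.com')
end
```

    Running it prints the sn and cn attributes in the `attr:: base64` form because of the embedded newline, while uid and givenName stay readable; the same ldif_line helper is what you would feed to ldapadd -f or ldapmodify -f in place of the hand-written write calls.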
