Thread: using the zimbra LDAP for authentication

  1. #1

    I'd like to use the zimbra LDAP server to authenticate our users in our other applications, maybe using php or some other scripting language.

    Looking through the Zimbra LDAP Schema, I see that the objectclass zimbraAccount has a uid and the userPassword and the userPassword is hashed with something that ends up like:

    e1NTSEF9anR3T0Zqc0tsOHJhRrT0Zqc05PN0xrT0Zqc05PN0x3eWk=

    QUESTION: what kind of hash is that?

    To list all the users I can run this command:
    /opt/zimbra/openldap/bin/ldapsearch -D "uid=zimbra,cn=admins,cn=zimbra" -x -w "[password]" |grep "dc=[ourdomain]"

    where [password] came from:
    zmlocalconfig -s zimbra_ldap_password
    and [ourdomain] is, well, our domain (e.g. the example part of example.com)

    QUESTION: anyone have tips on how I can query the zimbra ldap server with a username and password and return whether they are a valid user or not?

    ideas?

    jb

  2. #2

    They are in {SSHA} format... Some more info here:

    http://www.zimbra.com/forums/showthread.php?t=1163

    If you're just looking to check the user/pass you could use a SOAP request and do an AuthRequest. This way you can just pass in the userid and password and let zimbra do all the auth magic. Might be easier/faster than trying to write your own wrapper around ldapsearch.
    Looking for new beta users -> Co-Founder of Acompli. Previously worked at Zimbra (and Yahoo! & VMware) since 2005.
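
The {SSHA} format named in the reply above, as an added example that is not part of the original thread: ldapsearch prints userPassword base64-encoded, and the decoded value is `{SSHA}` followed by base64 of the 20-byte SHA-1 digest of password plus salt, with the salt appended. The function name `ssha_verify` and the sample password are constructed for illustration.

```php
<?php
// Added example: check a password against an LDAP userPassword value.
// Accepts the "{SSHA}..." value itself or the base64 form that ldapsearch
// prints after "userPassword::".
function ssha_verify(string $password, string $stored): bool
{
    if (strncasecmp($stored, '{SSHA}', 6) !== 0) {
        // LDIF form: one more base64 layer around the "{SSHA}..." string.
        $decoded = base64_decode($stored, true);
        if ($decoded === false) {
            return false;
        }
        $stored = $decoded;
    }
    if (strncasecmp($stored, '{SSHA}', 6) !== 0) {
        return false;               // some other scheme; not handled here
    }
    $raw = base64_decode(substr($stored, 6), true);
    if ($raw === false || strlen($raw) <= 20) {
        return false;               // need a 20-byte SHA-1 digest plus a salt
    }
    $digest = substr($raw, 0, 20);
    $salt   = substr($raw, 20);
    // Constant-time comparison of SHA-1(password . salt) with the stored digest.
    return hash_equals($digest, sha1($password . $salt, true));
}

// Constructed sample: build a value in the same layout, then check it.
$salt  = random_bytes(4);
$value = '{SSHA}' . base64_encode(sha1('correct horse' . $salt, true) . $salt);
$ldif  = base64_encode($value);     // what ldapsearch would print

var_dump(ssha_verify('correct horse', $ldif));
var_dump(ssha_verify('wrong guess', $ldif));
var_dump(ssha_verify('correct horse', $value));
```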

  3. #3

    Thanks. Here's a way to use php and curl to get the soap response:

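    <?php

    // SOAP 1.2 envelope carrying an AuthRequest for one account.
    // [USERNAME] and [PASSWORD] are placeholders; values substituted into
    // this string must be XML-escaped first.
    $post_data = '<Envelope xmlns="http://www.w3.org/2003/05/soap-envelope">
    <Body>
    <AuthRequest xmlns="urn:zimbraAccount">
    <account by="name">[USERNAME]</account>
    <password>[PASSWORD]</password>
    </AuthRequest>
    </Body>
    </Envelope>';

    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, "https://[ZIMBRAURL]:7071/service/admin/soap");
    curl_setopt($ch, CURLOPT_POST, 1);
    curl_setopt($ch, CURLOPT_POSTFIELDS, $post_data);
    // Return the reply as a string instead of printing it directly.
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    // Certificate verification is switched off here, so the server's identity
    // is not checked before the password is sent. Set this to 1 once the
    // server certificate's CA is trusted (see CURLOPT_CAINFO).
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);
    $postResult = curl_exec($ch);

    // Report transport-level errors (connection, TLS) from curl.
    if (curl_errno($ch)) {
        print curl_error($ch);
    }
    curl_close($ch);
    print "$postResult";

    ?>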


    where [USERNAME], [PASSWORD] and [ZIMBRAURL] are filled in with your particular values.

    Interestingly, if the auth fails, the soap reply includes a java trace:

    <Trace>com.zimbra.cs.account.AccountServiceException: authentication failed for [USERNAME]@[DOMAIN].[EXTENSION]
    at com.zimbra.cs.account.AccountServiceException.AUTH_FAILED(AccountServiceException.java:76)
    at com.zimbra.cs.account.ldap.LdapProvisioning.verifyPassword(LdapProvisioning.java:2145)
    at com.zimbra.cs.account.ldap.LdapProvisioning.authAccount(LdapProvisioning.java:2004)
    at com.zimbra.cs.account.ldap.LdapProvisioning.authAccount(LdapProvisioning.java:1988)
    at com.zimbra.cs.service.account.Auth.handle(Auth.java:91)
    at com.zimbra.soap.SoapEngine.dispatchRequest(SoapEngine.java:252)
    at com.zimbra.soap.SoapEngine.dispatch(SoapEngine.java:163)
    at com.zimbra.soap.SoapEngine.dispatch(SoapEngine.java:84)
    at com.zimbra.soap.SoapServlet.doPost(SoapServlet.java:228)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:709)
    at com.zimbra.cs.servlet.ZimbraServlet.service(ZimbraServlet.java:154)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:802)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:252)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:214)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:178)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107)
    at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:526)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)
    at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:825)
    at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.processConnection(Http11Protocol.java:738)
    at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:526)
    at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:80)
    at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:684)
    at java.lang.Thread.run(Thread.java:595)
    </Trace>

  4. #4

    Yes. We include the stack on all errors if possible so user/qa/support can have easy access for debugging. Many times the user will not have access to logs of the system so getting the data back in a SOAP response is the best way.
    Looking for new beta users -> Co-Founder of Acompli. Previously worked at Zimbra (and Yahoo! & VMware) since 2005.
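
For an application that calls AuthRequest as discussed above, an added example (not code from the thread or from Zimbra) that builds the request with escaped credentials and reduces the reply to a yes/no answer, keeping the `<Trace>` text in the server log instead of printing it to the user. The function names, the sample replies and the use of `AuthResponse` as the success element are assumptions; only `<Trace>` appears in the posts.

```php
<?php
// Added example, not the thread author's code. "AuthResponse" as the success
// element is an assumption; <Trace> is the element shown in the post above.
const SOAP_NS = 'http://www.w3.org/2003/05/soap-envelope';
const ACCT_NS = 'urn:zimbraAccount';

function build_auth_request(string $user, string $pass): string
{
    $doc  = new DOMDocument('1.0', 'UTF-8');
    $env  = $doc->appendChild($doc->createElementNS(SOAP_NS, 'Envelope'));
    $body = $env->appendChild($doc->createElementNS(SOAP_NS, 'Body'));
    $req  = $body->appendChild($doc->createElementNS(ACCT_NS, 'AuthRequest'));
    $acct = $req->appendChild($doc->createElementNS(ACCT_NS, 'account'));
    $acct->setAttribute('by', 'name');
    // Text nodes are escaped on output, so "<" or "&" in a credential
    // cannot change the structure of the request.
    $acct->appendChild($doc->createTextNode($user));
    $pw = $req->appendChild($doc->createElementNS(ACCT_NS, 'password'));
    $pw->appendChild($doc->createTextNode($pass));
    return $doc->saveXML();
}

function auth_succeeded(string $reply): bool
{
    libxml_use_internal_errors(true);          // keep parser warnings off the page
    $doc = new DOMDocument();
    if ($reply === '' || !$doc->loadXML($reply, LIBXML_NONET)) {
        return false;                          // unparseable reply: fail closed
    }
    $trace = $doc->getElementsByTagNameNS('*', 'Trace')->item(0);
    if ($trace !== null) {
        // Keep the Java stack trace in the server log, never in the output.
        error_log('Zimbra auth fault: ' . strtok(trim($trace->textContent), "\n"));
        return false;
    }
    return $doc->getElementsByTagNameNS(ACCT_NS, 'AuthResponse')->length > 0;
}

// Constructed sample replies (not captured from a server).
$fault = '<Envelope xmlns="' . SOAP_NS . '"><Body><Fault><Detail><Error xmlns="urn:zimbra">'
       . '<Trace>com.zimbra.cs.account.AccountServiceException: authentication failed '
       . "for user@example.com\nat constructed.Frame(Constructed.java:1)</Trace>"
       . '</Error></Detail></Fault></Body></Envelope>';
$ok = '<Envelope xmlns="' . SOAP_NS . '"><Body><AuthResponse xmlns="' . ACCT_NS . '"/>'
    . '</Body></Envelope>';

echo build_auth_request('jb@example.com', 'p<&>w'), "\n";
var_dump(auth_succeeded($fault), auth_succeeded($ok), auth_succeeded('not xml'));
```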
