Thread: [SOLVED] strange ldapsearch issues

  1. #1
    Join Date
    Jan 2009
    Posts
    65
    Rep Power
    6

    [SOLVED] strange ldapsearch issues

    Hi,

    I can ldapsearch all day long when on my Zimbra server, but from another host, nothing comes back.

    While I am prompted for my bind password and can getent from another host successfully, I can't seem to get any results using ldapsearch from another host.

    My command is:

    ldapsearch -H 'ldap://ldap.host' -v -x -W -D 'uid=ldapadmin,ou=people,dc=foo,dc=bar'

    Any ideas?

  2. #2
    Join Date
    Jun 2008
    Location
    Berkeley, CA
    Posts
    1,474
    Rep Power
    9

    I don't think you need quotes around the URI for the ldap host, although that isn't necessarily fatal.

    Try simplifying things:

    ldapsearch -H ldap://ldap.host -x

    In Zimbra 5.x, you can connect anonymously.

  3. #3
    Join Date
    Jan 2009
    Posts
    65
    Rep Power
    6

    Hi ewilen,

    Thanks much for the rapid reply.

    I tried the simple query that you suggested and got the same empty results.

    I fixed it by:

    1 - Copy /opt/zimbra/{openldap,openssl} from my Zimbra server to one of my CentOS 5.2 hosts.

    2 - From that host, I manually called out /opt/zimbra/openldap/bin/ldapsearch with either your suggestion or mine and got the results I was expecting.

    Does this make any sense? I assume by the results that Zimbra does something proprietary with their OpenLDAP.

    Do you agree?

  4. #4
    Join Date
    Jun 2008
    Location
    Berkeley, CA
    Posts
    1,474
    Rep Power
    9


    Nope, I can query my Zimbra from another host without a problem.

    My thoughts at the moment are:

    Use nmap or another tool to scan the open ports on your zimbra server.
    You could also telnet <ldap.host> 389. If the port is open, then you won't get back to the command line until you do ctrl-] and quit. If it's not open, you'll get an error right away.

    If 389 is open and you can't search, then shut down Zimbra on the server, and scan again. I just went through several days of head-scratching (on a non-Zimbra OpenLDAP server) before I realized that something else was using port 389.

    If it turns out something is using port 389, you can use ps aux to look for likely suspects. I think there's another (better) way to see which process is using which port, but I'm forgetting it right now.

    If 389 isn't open, you might have a (hardware? software?) firewall between Zimbra and the machine on which you're running ldapsearch.

  5. #5
    Join Date
    Jan 2009
    Posts
    65
    Rep Power
    6

    Hi Elliot,

    nmap resulted in normal behavior; 389 is open on my Zimbra.

    Telnet was also normal.

    I did disable local/remote firewalls before doing my tests.

    This is odd.

    By the way, love nmap; together with iptraf, very cool stuff.

  6. #6
    Join Date
    Jun 2008
    Location
    Berkeley, CA
    Posts
    1,474
    Rep Power
    9


    So, this is a longshot, but you didn't mention if you'd tried shutting down Zimbra and re-scanning your ports. (To shut down Zimbra, use zmcontrol shutdown as the zimbra user.)

  7. #7
    Join Date
    Jan 2009
    Posts
    65
    Rep Power
    6

    Hi Elliot,

    I can't just yet but will do it tonight.

    The command getent from any Linux box that is authenticated against Zimbra LDAP does return results.

    Because of this, I don't think turning off Zimbra and nmapping that box will yield anything helpful, but I will do it tonight.

    One more thing, and this is really bugging me: why with /usr/bin/ldapsearch (CentOS 5.2 and openldap 2.3.27-8) do I only get:

    search:2
    result: 32 No such object

    But with /opt/zimbra/openldap/bin/ldapsearch, I get:

    search:2
    result:0 Success

    # numResponses:81
    # numEntries:80

    Yet my CentOS client can auth against Zimbra.

    *** From my Zimbra box, /usr/bin/ldapsearch doesn't work either, but /opt/zimbra/openldap/bin/ldapsearch works.

    *** What's your /etc/ldap.conf look like?
    Last edited by aurfalien; 03-03-2009 at 01:23 PM.
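    The 32 ("No such object") from /usr/bin/ldapsearch versus the 0 ("Success") from Zimbra's bundled ldapsearch is worth testing with an explicit search base: when -b is omitted, ldapsearch takes its default base from the BASE line of the ldap.conf its own build reads, so the system binary and the binary under /opt/zimbra can end up searching two different bases against the same server. The script below is an added example, not from this thread or from Zimbra; LDAP_HOST and the two binary paths are placeholders taken from the posts, and the test data is constructed. It asks the rootDSE for namingContexts, repeats the search with -b set to each context under both binaries, and then shows what each binary's default BASE produces, so the result codes can be compared on equal terms.

```shell
#!/bin/sh
# Added example, not from the thread. Compares two ldapsearch binaries against
# the same server while removing the default-BASE dependency: each binary reads
# its own ldap.conf, so omitting -b can mean two different search bases.
# Placeholders/assumptions: LDAP_HOST and the two binary paths below.
LDAP_HOST="${LDAP_HOST:-ldap.host}"
SYS_LDAPSEARCH="${SYS_LDAPSEARCH:-/usr/bin/ldapsearch}"
ZM_LDAPSEARCH="${ZM_LDAPSEARCH:-/opt/zimbra/openldap/bin/ldapsearch}"

# Print the numeric LDAP result code from ldapsearch output read on stdin
# ("result: 32 No such object" -> 32); "none" if no result line was printed,
# which is what a connection failure looks like.
ldap_result_code() {
    code=$(sed -n 's/^result: *\([0-9][0-9]*\).*/\1/p' | head -n 1)
    [ -n "$code" ] && echo "$code" || echo none
}

# Print the namingContexts values from a rootDSE search read on stdin.
naming_contexts() {
    sed -n 's/^namingContexts: *//p'
}

# probe <ldapsearch-binary>: rootDSE first, then one explicit-base search per
# naming context, then the same search relying on the binary's default BASE.
probe() {
    bin=$1
    [ -x "$bin" ] || { echo "$bin: not present on this host"; return 0; }
    # Anonymous bind (-x) is enough on Zimbra 5.x, as the thread notes.
    dse=$("$bin" -x -LLL -H "ldap://$LDAP_HOST" -s base -b "" namingContexts 2>&1 || true)
    echo "$dse" | naming_contexts | while read -r base; do
        # -s base with attribute list 1.1 returns just the result code for that DN.
        out=$("$bin" -x -H "ldap://$LDAP_HOST" -b "$base" -s base '(objectClass=*)' 1.1 2>&1 || true)
        echo "$bin  base=$base  result=$(echo "$out" | ldap_result_code)"
    done
    out=$("$bin" -x -H "ldap://$LDAP_HOST" -s base '(objectClass=*)' 1.1 2>&1 || true)
    echo "$bin  base=<default from its ldap.conf>  result=$(echo "$out" | ldap_result_code)"
}

# Run with:  sh probe_ldap.sh run
[ "${1:-}" = run ] && { probe "$SYS_LDAPSEARCH"; probe "$ZM_LDAPSEARCH"; }
```

If the explicit-base searches return 0 from both binaries while only the default-base search differs, the difference is in the two ldap.conf files rather than in the server or the network.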

  8. #8
    Join Date
    Jun 2008
    Location
    Berkeley, CA
    Posts
    1,474
    Rep Power
    9

    I'm not familiar with getent, and looking at the manpages I found through google still leaves me unclear on how it operates. However it looks like it just searches on local databases, which suggests that the heavy lifting of connecting to Zimbra LDAP and authenticating is being done by somebody else. (Not that you have to authenticate to browse Zimbra LDAP, as noted above. See also http://www.zimbra.com/forums/adminis...ap-browse.html and the associated bugzilla entry.)

    What are your arguments for getent? And in what sense is your linux box authenticating against Zimbra LDAP? (I.e., using it to control logging in to linux, or are you running Zimbra Desktop, etc?)

    Another thing, to guard against mistakes in use of ldapsearch or weird configuration, you might try a self-contained LDAP browser such as Apache Directory Studio. You can even install it on your Zimbra machine and point it to 127.0.0.1. Likewise you could use

    ldapsearch -H ldap://127.0.0.1 -x

    on the Zimbra box to force ldapsearch to go out over the network.

  9. #9
    Join Date
    Jun 2008
    Location
    Berkeley, CA
    Posts
    1,474
    Rep Power
    9

    One more thing, I cannot guarantee this will be safe, but you could try using ps -w aux to see how zimbra runs slapd. Then shut down zimbra and run the same slapd command but with a -d 255. This will keep it from forking and will present you with (voluminous) realtime debugging info.

    Then try browsing ldap using various client hosts and methods, and compare the debugging output. This is how I discovered that my problem (referenced above) was not authentication but failure of external clients to contact slapd at all.

    However, that was for an independent copy of slapd that I'm using for testing on a non-Zimbra machine. I've read scary warnings against messing with Zimbra's LDAP database. You definitely don't want to write to it.

  10. #10
    Join Date
    Jan 2009
    Posts
    65
    Rep Power
    6

    I set up Zimbra to be an auth source for client boxes following the Unix Zimbra integration article somewhere on this site.

    I use getent passwd or getent group to query Zimbra LDAP users and groups. This is once I config the workstation's /etc/ldap.conf file.

    So when not auth'd against Zimbra LDAP, getent passwd returns local users in /etc/passwd, and when auth'd against Zimbra LDAP, getent passwd returns /etc/passwd and users in Zimbra LDAP.

    What's your /etc/ldap.conf file look like that's on your client boxes?
    Last edited by aurfalien; 03-03-2009 at 01:35 PM.
