
Thread: Account Name different from Active Directory Username, 2nd


  1. #1

    Account Name different from Active Directory Username, 2nd

    Hi all,

    I've been working for days to let Zimbra users have the same password as on the 2008 AD Domain Controller.
    I've read a lot of posts, but none of them helped me.
    The most interesting post I found on the Zimbra forum is:
    http://www.zimbra.com/forums/install...-username.html

    Now I'm working on a test scenario:
    win2003 server, DC of the ps.dominio.it domain. All users are: name.surname@ps.dominio.it
    Zimbra 6.05 FOSS (on Ubuntu 8.04 Server) hosts the mail domain dominio.it; all e-mail addresses are surname@dominio.it
    I want to enable Zimbra external AD authentication against the 2003 DC.

    The only working test I made is:
    - new Zimbra domain ps.dominio.it, e-mail name.surname@ps.dominio.it (which is not public), same as on the DC
    - enable external AD authentication on the DC
    Every other test fails, including the variants found in the "account-name-different-active-directory-username" post
    (which uses LDAP as the external auth method, instead of AD).
    In particular, trying to configure LDAP, I do not understand where to set "LDAP bind DN template":
    does it not exist anymore in Zimbra 6?

    Any idea on how to map a Zimbra username & domain that differ from the ones in AD?
    My feeling is that it is possible using external LDAP auth with an ad-hoc LDAP filter,
    but I'm not an LDAP expert.

    Thanks in advance,
    bye, Luca.

  2. #2
    phoenix, Zimbra Consultant & Moderator

    Originally posted by lk2oo3:
    "Any idea on how to map different zimbra username & domain from ones in AD?"
    Surely the answer to your question is in post #5 in the thread you've linked to?
    Last edited by phoenix; 04-13-2010 at 06:50 AM.
    Regards


    Bill



  3. #3

    Hi Phoenix,
    thanks for the answer, but I do not understand what you mean.

    I have only a few users in the domain, and the only thing I'm interested in
    is Zimbra authentication from AD, by means of a mapping.

    If you can help, I'll be grateful.
    Thanks, bye, Luca.

  4. #4
    phoenix, Zimbra Consultant & Moderator

    In this thread, post number 5 gives you details of what you need to do to authenticate against an AD server when you have a different name than the one in AD - isn't that what you wanted?
    Regards


    Bill



  5. #5

    I have already tested this solution.

    The authentication wizard in Zimbra 6.05 does not have this field:
    LDAP bind DN template: %u@ad.YOURDOMAINNAME.com

    Where do I find this? Perhaps it was part of Zimbra 5.xx?

    Also, the wizard ends with the test failing.
    Maybe it depends on the missing "LDAP bind DN template" field?

    Thanks again

  6. #6

    OK, I have not yet solved the problem:
    I've set up a virtual environment with win2008server (but same result with win 2003 server) and a Zimbra 6.05 install on Ubuntu 8.04 server,
    and I'm trying to do exactly what is suggested in
    http://www.zimbra.com/forums/install...-username.html
    but something went wrong. Usually this is the error message I receive:


    javax.naming.ServiceUnavailableException: [LDAP: error code 52 - 00000000: LdapErr: DSID-0C090E0B, comment: Error initializing SSL/TLS, data 0, v1771 ] X; remaining name ''
    at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3106)

    Today I made 2 kinds of test:

    1. I installed Softerra LDAP Browser on my Windows PC and used it to connect to AD with the same data I give to the Zimbra LDAP wizard:
    Softerra successfully connects to the 2008 server AD.

    2. I installed ldap-utils on the Zimbra server

    and I ran this command to test connectivity from the Zimbra Ubuntu server to the 2008 server AD:

    ldapsearch -x -b "dc=ps,dc=dominio,dc=it" -D administrator@ps.dominio.it -h cd.ps.dominio.it -w password "(objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=ps,DC=dominio,DC=it)" | grep sAMAccountName | sed -e s/sAMAccountName\:\ //g > utenti.tmp

    The result is exactly what it should be: a list of AD users in the file utenti.tmp

    BUT

    if I enable StartTLS during the domain authentication setup wizard,
    why does the Zimbra test fail this way??


    javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1611)
    at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:187)
    at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:181)
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1035)
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:124)
    at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:516)
    at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:454)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:884)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1112)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1139)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1123)
    at com.sun.jndi.ldap.ext.StartTlsResponseImpl.startHandshake(StartTlsResponseImpl.java:344)
    at com.sun.jndi.ldap.ext.StartTlsResponseImpl.negotiate(StartTlsResponseImpl.java:208)
    at com.sun.jndi.ldap.ext.StartTlsResponseImpl.negotiate(StartTlsResponseImpl.java:161)
    at com.zimbra.cs.account.ldap.ZimbraLdapContext.tlsNegotiate(ZimbraLdapContext.java:339)
    at com.zimbra.cs.account.ldap.ZimbraLdapContext.<init>(ZimbraLdapContext.java:468)
    at com.zimbra.cs.account.ldap.ZimbraLdapContext.<init>(ZimbraLdapContext.java:402)
    at com.zimbra.cs.account.ldap.LdapUtil.ldapAuthenticate(LdapUtil.java:120)
    at com.zimbra.cs.account.ldap.Check.checkAuthConfig(Check.java:168)
    at com.zimbra.cs.service.admin.CheckAuthConfig.handle(CheckAuthConfig.java:53)
    at com.zimbra.soap.SoapEngine.dispatchRequest(SoapEngine.java:419)
    at com.zimbra.soap.SoapEngine.dispatch(SoapEngine.java:273)
    at com.zimbra.soap.SoapEngine.dispatch(SoapEngine.java:157)
    at com.zimbra.soap.SoapServlet.doWork(SoapServlet.java:291)
    at com.zimbra.soap.SoapServlet.doPost(SoapServlet.java:212)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:727)
    at com.zimbra.cs.servlet.ZimbraServlet.service(ZimbraServlet.java:181)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:820)
    at org.mortbay.jetty.servlet.ServletHolder.handle(ServletHolder.java:511)
    at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1166)
    at com.zimbra.cs.servlet.SetHeaderFilter.doFilter(SetHeaderFilter.java:79)
    at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1157)
    at org.mortbay.servlet.UserAgentFilter.doFilter(UserAgentFilter.java:81)
    at org.mortbay.servlet.GzipFilter.doFilter(GzipFilter.java:132)
    at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1157)
    at org.mortbay.jetty.servlet.ServletHandler.handle(ServletHandler.java:388)
    at org.mortbay.jetty.security.SecurityHandler.handle(SecurityHandler.java:216)
    at org.mortbay.jetty.servlet.SessionHandler.handle(SessionHandler.java:182)
    at org.mortbay.jetty.handler.ContextHandler.handle(ContextHandler.java:765)
    at org.mortbay.jetty.webapp.WebAppContext.handle(WebAppContext.java:418)
    at org.mortbay.jetty.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:230)
    at org.mortbay.jetty.handler.HandlerCollection.handle(HandlerCollection.java:114)
    at org.mortbay.jetty.handler.HandlerWrapper.handle(HandlerWrapper.java:152)
    at org.mortbay.jetty.handler.rewrite.RewriteHandler.handle(RewriteHandler.java:230)
    at org.mortbay.jetty.handler.HandlerWrapper.handle(HandlerWrapper.java:152)
    at org.mortbay.jetty.handler.DebugHandler.handle(DebugHandler.java:77)
    at org.mortbay.jetty.handler.HandlerWrapper.handle(HandlerWrapper.java:152)
    at org.mortbay.jetty.Server.handle(Server.java:326)
    at org.mortbay.jetty.HttpConnection.handleRequest(HttpConnection.java:543)
    at org.mortbay.jetty.HttpConnection$RequestHandler.content(HttpConnection.java:939)
    at org.mortbay.jetty.HttpParser.parseNext(HttpParser.java:755)
    at org.mortbay.jetty.HttpParser.parseAvailable(HttpParser.java:212)
    at org.mortbay.jetty.HttpConnection.handle(HttpConnection.java:405)
    at org.mortbay.io.nio.SelectChannelEndPoint.run(SelectChannelEndPoint.java:409)
    at org.mortbay.thread.BoundedThreadPool$PoolThread.run(BoundedThreadPool.java:451)
    Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:285)
    at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:191)
    at sun.security.validator.Validator.validate(Validator.java:218)
    at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:126)
    at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:209)
    at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:249)
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1014)
    ... 51 more
    Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:174)
    at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:238)
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:280)
    ... 57 more

    And WHY,
    if I disable StartTLS, is this the error:

    javax.naming.PartialResultException [Root exception is javax.naming.CommunicationException: ps.dominio.it:389 [Root exception is java.net.UnknownHostException: ps.dominio.it]]
    at com.sun.jndi.ldap.LdapNamingEnumeration.hasMoreImpl(LdapNamingEnumeration.java:224)
    at com.sun.jndi.ldap.LdapNamingEnumeration.hasMore(LdapNamingEnumeration.java:171)
    at com.zimbra.cs.account.ldap.LdapUtil.ldapAuthenticate(LdapUtil.java:122)
    at com.zimbra.cs.account.ldap.Check.checkAuthConfig(Check.java:168)
    at com.zimbra.cs.service.admin.CheckAuthConfig.handle(CheckAuthConfig.java:53)
    at com.zimbra.soap.SoapEngine.dispatchRequest(SoapEngine.java:419)
    at com.zimbra.soap.SoapEngine.dispatch(SoapEngine.java:273)
    at com.zimbra.soap.SoapEngine.dispatch(SoapEngine.java:157)
    at com.zimbra.soap.SoapServlet.doWork(SoapServlet.java:291)
    at com.zimbra.soap.SoapServlet.doPost(SoapServlet.java:212)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:727)
    at com.zimbra.cs.servlet.ZimbraServlet.service(ZimbraServlet.java:181)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:820)
    at org.mortbay.jetty.servlet.ServletHolder.handle(ServletHolder.java:511)
    at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1166)
    at com.zimbra.cs.servlet.SetHeaderFilter.doFilter(SetHeaderFilter.java:79)
    at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1157)
    at org.mortbay.servlet.UserAgentFilter.doFilter(UserAgentFilter.java:81)
    at org.mortbay.servlet.GzipFilter.doFilter(GzipFilter.java:132)
    at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1157)
    at org.mortbay.jetty.servlet.ServletHandler.handle(ServletHandler.java:388)
    at org.mortbay.jetty.security.SecurityHandler.handle(SecurityHandler.java:216)
    at org.mortbay.jetty.servlet.SessionHandler.handle(SessionHandler.java:182)
    at org.mortbay.jetty.handler.ContextHandler.handle(ContextHandler.java:765)
    at org.mortbay.jetty.webapp.WebAppContext.handle(WebAppContext.java:418)
    at org.mortbay.jetty.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:230)
    at org.mortbay.jetty.handler.HandlerCollection.handle(HandlerCollection.java:114)
    at org.mortbay.jetty.handler.HandlerWrapper.handle(HandlerWrapper.java:152)
    at org.mortbay.jetty.handler.rewrite.RewriteHandler.handle(RewriteHandler.java:230)
    at org.mortbay.jetty.handler.HandlerWrapper.handle(HandlerWrapper.java:152)
    at org.mortbay.jetty.handler.DebugHandler.handle(DebugHandler.java:77)
    at org.mortbay.jetty.handler.HandlerWrapper.handle(HandlerWrapper.java:152)
    at org.mortbay.jetty.Server.handle(Server.java:326)
    at org.mortbay.jetty.HttpConnection.handleRequest(HttpConnection.java:543)
    at org.mortbay.jetty.HttpConnection$RequestHandler.content(HttpConnection.java:939)
    at org.mortbay.jetty.HttpParser.parseNext(HttpParser.java:755)
    at org.mortbay.jetty.HttpParser.parseAvailable(HttpParser.java:212)
    at org.mortbay.jetty.HttpConnection.handle(HttpConnection.java:405)
    at org.mortbay.io.nio.SelectChannelEndPoint.run(SelectChannelEndPoint.java:409)
    at org.mortbay.thread.BoundedThreadPool$PoolThread.run(BoundedThreadPool.java:451)
    Caused by: javax.naming.CommunicationException: ps.dominio.it:389 [Root exception is java.net.UnknownHostException: ps.dominio.it]
    at com.sun.jndi.ldap.LdapReferralContext.<init>(LdapReferralContext.java:74)
    at com.sun.jndi.ldap.LdapReferralException.getReferralContext(LdapReferralException.java:132)
    at com.sun.jndi.ldap.LdapNamingEnumeration.hasMoreReferrals(LdapNamingEnumeration.java:339)
    at com.sun.jndi.ldap.LdapNamingEnumeration.hasMoreImpl(LdapNamingEnumeration.java:208)
    ... 39 more
    Caused by: java.net.UnknownHostException: ps.dominio.it
    at java.net.PlainSocketImpl.connect(PlainSocketImpl.java:177)
    at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:366)
    at java.net.Socket.connect(Socket.java:525)
    at sun.reflect.GeneratedMethodAccessor3.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:597)
    at com.sun.jndi.ldap.Connection.createSocket(Connection.java:336)
    at com.sun.jndi.ldap.Connection.<init>(Connection.java:184)
    at com.sun.jndi.ldap.LdapClient.<init>(LdapClient.java:118)
    at com.sun.jndi.ldap.LdapClientFactory.createPooledConnection(LdapClientFactory.java:46)
    at com.sun.jndi.ldap.pool.Connections.<init>(Connections.java:97)
    at com.sun.jndi.ldap.pool.Pool.getPooledConnection(Pool.java:114)
    at com.sun.jndi.ldap.LdapPoolManager.getLdapClient(LdapPoolManager.java:310)
    at com.sun.jndi.ldap.LdapClient.getInstance(LdapClient.java:1572)
    at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2652)
    at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:293)
    at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:175)
    at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:134)
    at com.sun.jndi.url.ldap.ldapURLContextFactory.getObjectInstance(ldapURLContextFactory.java:35)
    at javax.naming.spi.NamingManager.getURLObject(NamingManager.java:584)
    at javax.naming.spi.NamingManager.processURL(NamingManager.java:364)
    at javax.naming.spi.NamingManager.processURLAddrs(NamingManager.java:344)
    at javax.naming.spi.NamingManager.getObjectInstance(NamingManager.java:316)
    at com.sun.jndi.ldap.LdapReferralContext.<init>(LdapReferralContext.java:93)
    ... 42 more

    It seems to me the problem is inside Zimbra,
    but is it possible that nobody has an idea on how to help me solve the problem?

    After all, I think that many people may need to extend user authentication
    of a Zimbra Mail Server to a Windows AD Server,
    even when the two servers were installed by different people at different times
    and the Zimbra installation's users@domain cannot be exactly the same as in AD.

    Thanks again,
    Luca.
    Last edited by lk2oo3; 05-13-2010 at 01:51 PM.

  7. #7

    So, finally, I somehow succeeded in authenticating Zimbra 6.05 against win2008 server AD via LDAP;
    these are the settings that worked fine for me.
    Sure, it does not work with StartTLS or SSL enabled
    (I think the problem is some certificate misconfiguration).
    Referring to the authentication wizard of domain dominio.it, these are the settings I used:

    1. on 2008 Server
    mail attribute in AD LDAP same as Zimbra account

    2. on zimbra:
    account creation without password

    3. on zimbra admin ui
    Authentication mechanism: External LDAP
    win2008Server: cd.ps.dominio.it
    LDAP URL: ldap://cd.ps.dominio.it:389
    ***Enable StartTLS No
    LDAP filter: (|(sAMAccountName=%u)(mail=%u@dominio.it)(mail=%n))
    ***LDAP search base: cn=Users,dc=ps,dc=dominio,dc=it
    Use DN/Password to bind to external server: Yes
    Bind DN: zimbrauser@ps.dominio.it & password
    I marked with *** the only differences from
    http://www.zimbra.com/forums/install...-username.html

    Now, if possible, I would like to try to use StartTLS,
    but I've read various posts with issues related to certificates.

    If someone has any suggestion on how to make it work with self-signed certificates, please help.
    Bye, Luca.
    Last edited by lk2oo3; 05-16-2010 at 02:30 AM.
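
Added example (not part of the original thread and not Zimbra code): how the filter from post #7 expands for a Zimbra login and which AD entries it selects, with the login escaped per RFC 4515 and a login that matches more than one entry refused. The directory entries, helper names and the refuse-on-ambiguity policy are constructed for illustration; %u is taken as the part of the account name before the @ and %n as the full account name, as Zimbra documents these tokens.

```python
import re

# Filter from post #7 (the stray space added by the forum rendering removed).
AUTH_FILTER = "(|(sAMAccountName=%u)(mail=%u@dominio.it)(mail=%n))"

# Constructed sample entries under the search base from post #7.
BASE = "CN=Users,DC=ps,DC=dominio,DC=it"
DIRECTORY = [
    {"dn": "CN=Mario Rossi," + BASE, "sAMAccountName": "mario.rossi",
     "mail": "rossi@dominio.it"},
    {"dn": "CN=Anna Bianchi," + BASE, "sAMAccountName": "anna.bianchi",
     "mail": "bianchi@dominio.it"},
    # A second object whose logon name collides with Mario's mail local part.
    {"dn": "CN=Scanner," + BASE, "sAMAccountName": "rossi",
     "mail": "scanner@ps.dominio.it"},
]


def escape_value(value):
    """Escape RFC 4515 special characters so the login stays a literal value."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def unescape_value(value):
    """Turn \\XX escapes back into characters for comparison."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def expand_filter(template, account):
    """Substitute %n (full account name) and %u (part before '@')."""
    tokens = {"%n": account, "%u": account.partition("@")[0]}
    return re.sub(r"%[nu]", lambda m: escape_value(tokens[m.group(0)]), template)


def matching_dns(ldap_filter, entries):
    """Evaluate a flat OR of equality clauses, case-insensitively."""
    clauses = [(attr.lower(), unescape_value(val).lower())
               for attr, val in re.findall(r"\(([A-Za-z]+)=([^()]*)\)", ldap_filter)]
    hits = []
    for entry in entries:
        attrs = {k.lower(): v.lower() for k, v in entry.items()}
        if any(attrs.get(attr) == val for attr, val in clauses):
            hits.append(entry["dn"])
    return hits


def resolve(account, entries=DIRECTORY):
    """Example policy: return the one DN to bind as, else None (0 or >1 hits)."""
    hits = matching_dns(expand_filter(AUTH_FILTER, account), entries)
    return hits[0] if len(hits) == 1 else None


if __name__ == "__main__":
    for login in ("bianchi@dominio.it", "rossi@dominio.it", "*@dominio.it"):
        print(login, "->", expand_filter(AUTH_FILTER, login), "->", resolve(login))
```

The rossi@dominio.it case matches two objects, one through mail and one through sAMAccountName, which is the collision to look for in AD before relying on an OR filter like this one.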

  8. #8

    I have nearly the same problem with different usernames in Active Directory and account names in Zimbra.

    The account name in Zimbra should be in the form givenname.surname@domain.tld (since it is used as the primary email address, which is used for calendar invitations).

    The Active Directory name is shortname@domain.tld

    Is there a way to configure Zimbra to authenticate with the shortname against Active Directory?
    So the users can use the same shortname for their Windows account login and Zimbra.

    Thank you for any help

  9. #9

    Account Name different username in Active Directory

    I have the same problem: the Active Directory users are shortname@domain.com but the Zimbra accounts are name.surname@dominio.com, and the mail attribute in Active Directory is the same as the Zimbra account. I need to authenticate my Zimbra users against Active Directory, and I configured the external Active Directory with:
    Domain Name: domain.com
    AD server: ldap://myserver.domain.com:3268
    External Group LDAP Search Base: ou=Usuarios, dc=domain, dc=com
    External Group LDAP Search Filter: (|(samAccountName=%u)(mail=%u@dominio.com)(mail=%n))

    It only works if I create accounts in Zimbra with shortname@dominio.com. Can somebody help me?

    Thank you for any help
