Thread: Using Zimbra LDAP for System Auth

  1. #1
    Join Date
    May 2006
    Posts
    26
    Rep Power
    9

    Post Using Zimbra LDAP for System Auth

    Has anybody out there used the Zimbra OpenLDAP service to do system authentication (like using PAM-LDAP, etc.)? I have set up and configured FreeRADIUS to use the Zimbra LDAP successfully but have had very little luck in getting the system LDAP services (like NSS-PAM, or the other LDAP system utilities) to work because I keep getting schema errors. Anybody have experience with this? Not really looking for a huge manual on how to do this, just wanting to know if somebody has done it and a quick summary of the best way to accomplish it (without ruining Zimbra, preferably).

  2. #2
    Join Date
    Oct 2005
    Location
    Thatcher, AZ
    Posts
    5,606
    Rep Power
    21

    Default

    Have you had a look at the wiki?

  3. #3
    Join Date
    May 2006
    Posts
    26
    Rep Power
    9

    Talking Have you looked in WIKI?

    Yeah, I have. There is a lot of information regarding Zimbra users and LDAP and using replication LDAP servers, but it really doesn't talk about using the Zimbra LDAP for PAM authentication or as a Linux system authentication. Specifically I was looking at ldap-nss objects. Has anybody used the Zimbra LDAP server to authenticate system access to a server or FTP?

  4. #4
    Join Date
    Oct 2006
    Location
    Poland
    Posts
    32
    Rep Power
    9

    Default

    You would have to change Zimbra's LDAP structure to auth against it with nss_ldap. I am having another problem: I did external LDAP authentication in Zimbra, the test succeeds, but the user cannot log in.

  5. #5
    Join Date
    Oct 2006
    Posts
    2
    Rep Power
    8

    Default

    I've also been trying to authenticate against the Zimbra LDAP for Linux system authentication using pam_ldap, but I haven't been able to make it work yet.

    I'm running Fedora Core 4, so I used the command-line utility "authconfig" to turn on user authentication over LDAP. I set the LDAP server address to test.mydomain.com:389, and left the base dn blank. What authconfig actually seems to be doing is then saving this information into /etc/ldap.conf and /etc/nsswitch.conf, and then restarting nscd. But this doesn't seem to be enough to get user authentication working. Every time I try to ssh in as one of my Zimbra users, sshd leaves an error message line in /var/log/messages like the following:

    Oct 29 16:31:32 test sshd[6395]: pam_ldap: error trying to bind as user "uid=joey,ou=people,dc=mydomain,dc=com" (Invalid credentials)

    I followed the instructions on this Zimbra wiki page to boost the logging from slapd, and this revealed that pam_ldap is able to bind anonymously, and it's able to search the directory and find the user, but it fails when it tries to bind as the user. Here's what this actually looks like in my slapd log file:

    Oct 30 12:29:39 test slapd[4463]: conn=39 op=0 BIND dn="" method=128
    Oct 30 12:29:39 test slapd[4463]: conn=39 op=0 RESULT tag=97 err=0 text=
    Oct 30 12:29:39 test slapd[4463]: conn=38 fd=12 closed
    Oct 30 12:29:39 test slapd[4463]: conn=39 op=1 SRCH base="" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=joey))"
    Oct 30 12:29:39 test slapd[4463]: conn=39 op=1 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
    Oct 30 12:29:39 test slapd[4463]: conn=39 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
    Oct 30 12:29:40 test slapd[4463]: conn=40 fd=12 ACCEPT from IP=172.30.5.203:60701 (IP=172.30.5.203:389)
    Oct 30 12:29:40 test slapd[4463]: conn=40 op=0 BIND dn="" method=128
    Oct 30 12:29:40 test slapd[4463]: conn=40 op=0 RESULT tag=97 err=0 text=
    Oct 30 12:29:40 test slapd[4463]: conn=40 op=1 SRCH base="" scope=2 deref=0 filter="(uid=joey)"
    Oct 30 12:29:40 test slapd[4463]: conn=40 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
    Oct 30 12:29:40 test slapd[4463]: conn=40 op=2 BIND dn="uid=joey,ou=people,dc=mydomain,dc=com" method=128
    Oct 30 12:29:40 test slapd[4463]: conn=40 op=2 RESULT tag=97 err=49 text=
    Oct 30 12:29:40 test slapd[4463]: conn=40 op=3 BIND dn="" method=128
    Oct 30 12:29:40 test slapd[4463]: conn=40 op=3 RESULT tag=97 err=0 text=
    Oct 30 12:29:43 test slapd[4463]: conn=40 op=4 UNBIND
    Oct 30 12:29:43 test slapd[4463]: conn=40 fd=12 closed

    According to my Google searches, "tag=97" means it's the result of a bind attempt, and "err=49" means invalid credentials, such as a bad password. I have no idea why it's not working, because other programs, such as Apache, JXplorer, and phpldapadmin, are able to bind just fine with the same username (uid=username,ou=people,dc=mydomain,dc=com) and password.

    My only guess is that it may have something to do with password hashing. In the ldap.conf file, Fedora was setting the "pam_password" directive to "crypt", which apparently hashes the password in {crypt} format before sending it to the LDAP directory. However, Zimbra's LDAP is storing the passwords as {SSHA}. I tried changing the line in ldap.conf to "pam_password clear" to make it send the password in cleartext, but this doesn't work either.

    On the up side, I was able to successfully add the posixAccount object class to my users easily enough. I think that Linux requires this class to be there in order to retrieve things like uid number, group membership, and home directory. The posixAccount class (and the related posixGroup class) are statted out in the file /opt/zimbra/openldap/etc/openldap/schemas/nis.schema, but they're not active by default. I had to edit the file /opt/zimbra/conf/slapd.conf.in, and add a line to include that schema file. Then I was able to add the class posixAccount to my users, and fill in their uidNumber, gidNumber, homeDirectory, etc. However, it doesn't help me out because I still can't get PAM LDAP to bind to the directory.

    Has anybody else made any progress on this? On my production server I'm currently managing users and groups in Fedora Directory Server, and having Zimbra, apache, wildfire, and ssh authenticate against that. But I would like to have everything authenticate against Zimbra's directory server instead, so that users can change their passwords through Zimbra, and so that I can simplify user management.
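    The slapd excerpt above is easier to read once each BIND request is paired with its RESULT line by connection and operation number. The script below is an added example, not code from the thread or from Zimbra: it parses lines in that syslog format (the sample embedded in it is constructed to mirror the excerpt above), reports each failed bind with its DN and LDAP result code, and counts repeated failures per client and DN. That last count is the check you would run over a production slapd log to tell one misconfigured pam_ldap client from a client guessing passwords; both produce the same err=49 lines.

```python
# Added example (not code from the thread): pair slapd BIND lines with their
# RESULT lines and report failed binds. The sample log is constructed to
# mirror the excerpt quoted in the thread.
import re
from collections import Counter

LINE_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) slapd\[\d+\]: '
    r'conn=(?P<conn>\d+) (?P<rest>.*)$'
)
ACCEPT_RE = re.compile(r'^fd=\d+ ACCEPT from IP=(?P<ip>[^:\s]+):\d+')
BIND_RE = re.compile(r'^op=(?P<op>\d+) BIND dn="(?P<dn>[^"]*)" method=(?P<method>\d+)')
RESULT_RE = re.compile(r'^op=(?P<op>\d+) RESULT tag=(?P<tag>\d+) err=(?P<err>\d+)')

TAG_BIND_RESPONSE = 97   # LDAP BindResponse, as the post above notes
ERR_NAMES = {0: "success", 32: "noSuchObject", 49: "invalidCredentials",
             50: "insufficientAccessRights"}

SAMPLE_LOG = """\
Oct 30 12:29:39 test slapd[4463]: conn=39 op=0 BIND dn="" method=128
Oct 30 12:29:39 test slapd[4463]: conn=39 op=0 RESULT tag=97 err=0 text=
Oct 30 12:29:39 test slapd[4463]: conn=39 op=1 SRCH base="" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=joey))"
Oct 30 12:29:39 test slapd[4463]: conn=39 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Oct 30 12:29:40 test slapd[4463]: conn=40 fd=12 ACCEPT from IP=172.30.5.203:60701 (IP=172.30.5.203:389)
Oct 30 12:29:40 test slapd[4463]: conn=40 op=0 BIND dn="" method=128
Oct 30 12:29:40 test slapd[4463]: conn=40 op=0 RESULT tag=97 err=0 text=
Oct 30 12:29:40 test slapd[4463]: conn=40 op=2 BIND dn="uid=joey,ou=people,dc=mydomain,dc=com" method=128
Oct 30 12:29:40 test slapd[4463]: conn=40 op=2 RESULT tag=97 err=49 text=
Oct 30 12:29:40 test slapd[4463]: conn=40 op=3 BIND dn="" method=128
Oct 30 12:29:40 test slapd[4463]: conn=40 op=3 RESULT tag=97 err=0 text=
Oct 30 12:29:43 test slapd[4463]: conn=40 op=4 UNBIND
""".splitlines()


def failed_binds(lines):
    """Return [(conn, client_ip, dn, err)] for every BIND whose RESULT has err != 0."""
    pending = {}   # (conn, op) -> DN of a BIND still waiting for its RESULT
    peer = {}      # conn -> client IP taken from the ACCEPT line, if present
    failures = []
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue   # not a slapd connection line; ignore it
        conn, rest = m["conn"], m["rest"]
        if (a := ACCEPT_RE.match(rest)):
            peer[conn] = a["ip"]
        elif (b := BIND_RE.match(rest)):
            pending[(conn, b["op"])] = b["dn"]
        elif (r := RESULT_RE.match(rest)) and int(r["tag"]) == TAG_BIND_RESPONSE:
            # "SEARCH RESULT" lines do not match RESULT_RE, so only bind results land here
            dn = pending.pop((conn, r["op"]), None)
            err = int(r["err"])
            if dn is not None and err != 0:
                failures.append((conn, peer.get(conn, "?"), dn, err))
    return failures


def describe(failure):
    """Human-readable one-liner for a failed bind."""
    conn, ip, dn, err = failure
    who = "anonymous" if dn == "" else dn
    return f"conn={conn} from {ip}: bind as {who} failed, err={err} ({ERR_NAMES.get(err, 'unknown')})"


def repeated_failures(failures, threshold=2):
    """Count failures per (client IP, DN); pairs at or above threshold are the
    ones to inspect, whether the cause is a broken client or password guessing."""
    counts = Counter((ip, dn) for _, ip, dn, _ in failures)
    return {key: n for key, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for f in failed_binds(SAMPLE_LOG):
        print(describe(f))
    print(repeated_failures(failed_binds(SAMPLE_LOG)))
```

Run it against `/var/log/` output from slapd with logging raised as the post describes; anything reported by `repeated_failures` for a DN the local clients should be able to bind as points at exactly the kind of pam_ldap problem being discussed here.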

  6. #6
    Join Date
    Oct 2006
    Posts
    2
    Rep Power
    8

    Default Progress!

    I was finally able to get Fedora Core 4 to authenticate against Zimbra's LDAP. The problem was that the permissions in /opt/zimbra/conf/slapd.conf.in blocked access to the newly added posixAccount attributes, for anyone except admin users.

    There are two ways to solve this. You could change /etc/ldap.conf so that it connects up as an admin LDAP user who does have access, or you can change /opt/zimbra/conf/slapd.conf.in so that anonymous users (or the user you've set up PAM to bind as) can view the attributes. I decided to change slapd.conf since I already had to edit it to add nis.schema. I added the following:

    Code:
    access to attrs=uidNumber,gidNumber,cn,homeDirectory,loginShell,gecos,description,objectClass
            by * read
    I haven't experimented with this thoroughly yet, but this was enough to let my user connect. It may be that you only need to provide access to some of these, possibly just uidNumber, gidNumber, and homeDirectory.

    So, now that I can authenticate against the Zimbra LDAP server, I need to see about automating the task of adding posix attributes and posix group memberships for users after I create them.
    Last edited by thataaron; 11-06-2006 at 04:01 PM.
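    The last paragraph of the post above asks about automating the posixAccount attributes and posixGroup memberships that nss_ldap needs. The script below is an added example, not code from the thread or from Zimbra: it emits the LDIF `changetype: modify` records for that job, allocating uidNumbers above whatever is already in use and base64-encoding any value LDIF does not allow in the clear. The people and groups base DNs mirror the ones quoted in this thread; the uidNumber range, default gidNumber, shell and home prefix are assumptions chosen for the example, and usernames are restricted to characters that cannot alter the DN they are placed into.

```python
# Added example (not code from the thread or from Zimbra): generate LDIF that
# adds posixAccount attributes to existing Zimbra accounts and memberUid
# entries to posixGroups. Base DNs mirror the thread; the numeric ranges,
# shell and home prefix are assumptions for the example.
import base64
import re

PEOPLE_BASE = "ou=people,dc=mydomain,dc=com"   # from the thread's log lines
GROUPS_BASE = "ou=groups,dc=mydomain,dc=com"   # layout mentioned later in the thread
FIRST_UID = 10000          # assumption: bottom of the uidNumber range handed out
DEFAULT_GID = 10000        # assumption: gidNumber of a 'users' posixGroup
DEFAULT_SHELL = "/bin/bash"
HOME_PREFIX = "/home"
# Only these characters are accepted in a uid or group cn, so the value can be
# dropped into 'uid=...' / 'cn=...' without any RFC 4514 DN escaping.
NAME_OK = re.compile(r"^[A-Za-z0-9._-]+$")


def ldif_attr(name, value):
    """Emit 'name: value', or 'name:: base64' when LDIF (RFC 2849) does not
    permit the value in the clear: non-ASCII text, a leading space, ':' or '<',
    a trailing space, or an embedded CR/LF."""
    plain = (value.isascii() and "\n" not in value and "\r" not in value
             and value[:1] not in (" ", ":", "<") and not value.endswith(" "))
    if plain:
        return f"{name}: {value}"
    return f"{name}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"


def posix_modify(uid, uid_number, gecos=None, gid_number=DEFAULT_GID, shell=DEFAULT_SHELL):
    """One modify record adding the posixAccount class and its attributes.
    cn and uid are already present on a Zimbra account entry, so only the
    remaining MUST attributes (uidNumber, gidNumber, homeDirectory) plus
    loginShell and an optional gecos are added."""
    if not NAME_OK.match(uid):
        raise ValueError(f"refusing to build a DN from username {uid!r}")
    lines = [ldif_attr("dn", f"uid={uid},{PEOPLE_BASE}"), "changetype: modify",
             "add: objectClass", "objectClass: posixAccount", "-"]
    attrs = [("uidNumber", str(uid_number)), ("gidNumber", str(gid_number)),
             ("homeDirectory", f"{HOME_PREFIX}/{uid}"), ("loginShell", shell)]
    if gecos:
        attrs.append(("gecos", gecos))
    for name, value in attrs:
        lines += [f"add: {name}", ldif_attr(name, value), "-"]
    return "\n".join(lines) + "\n"


def group_modify(group_cn, member_uids):
    """One modify record adding memberUid values to an existing posixGroup."""
    if not NAME_OK.match(group_cn) or not all(NAME_OK.match(m) for m in member_uids):
        raise ValueError("group or member name contains characters not allowed here")
    lines = [ldif_attr("dn", f"cn={group_cn},{GROUPS_BASE}"), "changetype: modify",
             "add: memberUid"]
    lines += [ldif_attr("memberUid", m) for m in member_uids]
    return "\n".join(lines + ["-"]) + "\n"


def build_ldif(users, existing_uid_numbers=()):
    """users: iterable of (uid, gecos). Allocates uidNumbers above FIRST_UID and
    above anything already in use; returns (ldif_text, {uid: uidNumber})."""
    next_uid = max([FIRST_UID - 1, *existing_uid_numbers]) + 1
    allocated, records = {}, []
    for uid, gecos in users:
        allocated[uid] = next_uid
        records.append(posix_modify(uid, next_uid, gecos))
        next_uid += 1
    return "\n".join(records), allocated


if __name__ == "__main__":
    text, alloc = build_ldif([("joey", "Joey Example")], existing_uid_numbers=[10000])
    print(text + group_modify("users", list(alloc)))
```

The output is fed to `ldapmodify` as a DN allowed to write to the people and groups trees (the Zimbra LDAP admin DN quoted later in this thread, for instance), after nis.schema has been included in slapd.conf.in as described earlier in the thread. The new attributes only help nss_ldap once slapd's access rules let the binding client read them, which is the point the post above settles.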

  7. #7
    Join Date
    Nov 2006
    Location
    Pisa - Italy - Europe - Heart
    Posts
    15
    Rep Power
    8

    Default

    Quote Originally Posted by webguyinternet View Post
    I have setup and configured FreeRADIUS to use the Zimbra LDAP successfully
    Hello, I am trying to configure freeradius to use zimbra LDAP but with no success.
    I would like to use the Zimbra server even as a RADIUS server for a captive portal, so users can access the internet and/or read mail with the same user and password.

    Zimbra version is 4.5.6.

    Could you post how you configured freeradius?

    Thank you.

    Mario

  8. #8
    Join Date
    Oct 2006
    Posts
    45
    Rep Power
    9

    Default

    Mario,

    I currently have the following configuration to allow FreeRadius to authenticate off Zimbra:

    Code:
            ldap {
                    server = "zimbra"
                    identity = "uid=zimbra,cn=admins,cn=zimbra"
                    password = "ZIMBRA_LDAP_PASSWD"
                    basedn = "dc=MY,dc=DOMAIN"
                    filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
                    access_attr = "homeDirectory"
            }
    Note that there may be a little more, the config file is full of comments, but I believe this is the relevant section.

    You also need to ensure that your authorize and authenticate sections both refer to LDAP as well. I can email you my config file if this would be useful.

    However I do have a question. With the current Samba and Posix extensions for Zimbra to allow this, it appears as though group membership is stored in the ou=groups,dc=MY,dc=DOMAIN tree, rather than under the ou=people,dc=MY,dc=DOMAIN as I would have expected.

    Is there any way to configure RADIUS to verify whether the uid is a member of a particular group? Given it is in a different hierarchy, this might be difficult.

    Cheers,
    David
