Thread: Apache auth to Zimbra ldap - failing with no useful log info to say why

  1. #1

    I am trying to get Apache 2.2 on a remote Ubuntu 10.04 LTS machine to authenticate to Zimbra LDAP. Zimbra version is Release 7.0.0_GA_3077.UBUNTU10_64 UBUNTU10_64 FOSS edition.

    I have ldap access set up between the two machines and I can successfully query ldap from the machine with Apache on it using the following command...

    Code:
    ldapsearch -x -b 'ou=people,dc=onepointltd,dc=com' -H 'ldap://mail.onepointltd.com:389' -D 'uid=zimbra,cn=admins,cn=zimbra' -w somethingsecret
    However, when I install mod_authnz_ldap and follow these instructions it never authenticates. I get the following Apache error message

    Code:
    [Thu Aug 11 08:33:20 2011] [error] [client 78.105.1.254] user simon not found: /
    [Thu Aug 11 08:33:56 2011] [warn] [client 78.105.1.254] [1033] auth_ldap authenticate: user simon authentication failed; URI / [User not found][No such object]
    This is my .htaccess file...
    Code:
    AuthName "Subversion repository"
    AuthType Basic
    AuthBasicProvider ldap
    AuthLDAPURL ldap://mail.onepointltd.com:389/ou=people,dc=onepointltd,dc=com?uid?sub?(objectClass=organizationalPerson)
    AuthLDAPBindDN uid=zimbra,cn=admins,cn=zimbra
    AuthLDAPBindPassword somesecretthing
    AuthzLDAPAuthoritative off
    Require valid-user
    I have tried with and without the AuthzLDAPAuthoritative statement.

    I have tried increasing the log level of Apache to DEBUG but it still doesn't give any more information regarding the failed LDAP authentication.

    The UID "simon" definitely exists. If I grep the ldapsearch output for "simon" I get:
    Code:
    # simon, people, onepointltd.com
    dn: uid=simon,ou=people,dc=onepointltd,dc=com
    uid: simon
    # simon.blandford, people, onepointltd.com
    dn: uid=simon.blandford,ou=people,dc=onepointltd,dc=com
    uid: simon.blandford
    I've tried logging in as "simon" and "simon.blandford". Same result.

    I have increased the log level in /opt/zimbra/conf/log4j.properties.in on the Zimbra server to "DEBUG" for ldap and security.
    Code:
    log4j.logger.zimbra.ldap=DEBUG
    log4j.logger.zimbra.security=DEBUG
    Although I can see debug output go by when I tail the log for ldap, it shows no response to either a failed Apache attempt or a successful ldapsearch query.

    I have tried booting with AppArmor disabled in case Apache was being blocked from accessing remote LDAP, but this makes no difference.

    Would appreciate any help or advice on either what the problem may be or how to get meaningful log output from somewhere.

  2. #2

    OK. I finally found a solution for this.

    LDAP authentication doesn't work with user or domain aliases, even though every other way of logging into Zimbra does.

    I normally log into Zimbra using both a user alias and a domain alias. Neither of these works when authenticating. I had changed the server domain from one.consultinglimited.com to onepointltd.com, but this didn't change the fact that onepointltd.com is still an alias domain of one.consultinglimited.com.

    The following .htaccess file worked if I logged in using my original username, "simon.blandford", instead of just the alias, "simon".

    Code:
    AuthName "Subversion repository"
    AuthType Basic
    AuthBasicProvider ldap
    AuthLDAPURL ldap://mail.onepointltd.com:389/ou=people,dc=one,dc=consultinglimited,dc=com?uid?sub?(objectClass=organizationalPerson)
    AuthLDAPBindDN uid=zimbra,cn=admins,cn=zimbra
    AuthLDAPBindPassword thesecretzimbraldappassword
    AuthzLDAPAuthoritative off
    Require valid-user
    I would still like to know how to get this to work with user aliases because otherwise I have to explain this to all the users and there will inevitably be support calls when they forget to use their original un-aliased name.
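    Added example, not code from either post: a small Python helper that rebuilds the search mod_authnz_ldap performs from an AuthLDAPURL (the base DN, attribute, scope and filter fields of the URL, ANDed with the username), so the exact same query can be rerun with ldapsearch against the bind DN when Apache only logs "User not found". It reuses the URL, bind DN and username from the thread; the outcome strings are assumed to mirror the module's log wording.

```python
"""Rebuild the mod_authnz_ldap search for an AuthLDAPURL so it can be rerun with ldapsearch."""
import shlex
from urllib.parse import unquote, urlsplit

# AuthLDAPURL and bind DN taken from the .htaccess in the thread; nothing here contacts a server.
APACHE_URL = ("ldap://mail.onepointltd.com:389/ou=people,dc=onepointltd,dc=com"
              "?uid?sub?(objectClass=organizationalPerson)")
BIND_DN = "uid=zimbra,cn=admins,cn=zimbra"

def parse_auth_ldap_url(url):
    """Split ldap://host:port/basedn?attr?scope?filter (RFC 2255 form) into
    its fields, filling in mod_authnz_ldap's defaults for omitted ones."""
    p = urlsplit(url)
    if p.scheme not in ("ldap", "ldaps"):
        raise ValueError("not an LDAP URL: %s" % url)
    fields = p.query.split("?") if p.query else []  # attr?scope?filter
    attr, scope, filt = (fields + ["", "", ""])[:3]
    port = p.port or (636 if p.scheme == "ldaps" else 389)
    return {
        "url": "%s://%s:%d" % (p.scheme, p.hostname, port),
        "base": unquote(p.path.lstrip("/")),
        "attribute": attr or "uid",
        "scope": scope or "sub",
        "filter": unquote(filt) or "(objectClass=*)",
    }

def ldap_escape(value):
    """Escape RFC 4515 filter metacharacters in a user-supplied value."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)

def user_filter(cfg, username):
    """mod_authnz_ldap ANDs the URL's filter with (attribute=username)."""
    return "(&%s(%s=%s))" % (cfg["filter"], cfg["attribute"], ldap_escape(username))

def ldapsearch_command(cfg, bind_dn, username):
    """Equivalent ldapsearch invocation; -W prompts for the bind password
    instead of putting it on the command line or in shell history."""
    argv = ["ldapsearch", "-x", "-H", cfg["url"], "-D", bind_dn, "-W",
            "-b", cfg["base"], "-s", cfg["scope"], user_filter(cfg, username),
            "dn", cfg["attribute"]]
    return " ".join(shlex.quote(a) for a in argv)

def search_outcome(dns):
    """Map the number of entries the search returned to what Apache reports."""
    if not dns:
        return "User not found"
    if len(dns) > 1:
        return "User is not unique"
    return "authenticate as " + dns[0]
```

Running the printed ldapsearch command from the Apache host shows whether the entry for the alias is actually returned under that base DN and filter; zero results is exactly the case Apache reports as "User not found".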
