Thread: GALsync LDAP query in AD; mailnickname=Bug?

  1. #1

    I'm testing a 7.1.2 OSE on Ubuntu 10.04.3 LTS server, with multi-server+multi-domain setup.

    I've noticed, when testing the GALsync setup, that one of my domains tests fine (this domain has an existing Exchange server), i.e. when I type something into the test field, it does retrieve some results.

    However, on another two domains (which have never had Exchange installed before), when I type something into the test field, even though it says passed, no results are returned.

    According to the output of "zmprov gcf zimbraGalLdapFilterDef | grep ad:", the filter used is:

    Code:
    (&(|(displayName=*%s*)(cn=*%s*)(sn=*%s*)(givenName=*%s*)(mail=*%s*))(!(msExchHideFromAddressLists=TRUE))(mailnickname=*)(|(&(objectCategory=person)(objectClass=user)(!(homeMDB=*))(!(msExchHomeServerName=*)))(&(objectCategory=person)(objectClass=user)(|(homeMDB=*)(msExchHomeServerName=*)))(&(objectCategory=person)(objectClass=contact))(objectCategory=group)(objectCategory=publicFolder)(objectCategory=msExchDynamicDistributionList)))
    So to troubleshoot, I started by building an LDAP query manually, using this:
    Code:
    (&(|(displayName=*)(cn=*)(sn=*)(givenName=*)(mail=*))(!(msExchHideFromAddressLists=TRUE))(mailnickname=*)(|(&(objectCategory=person)(objectClass=user)(!(homeMDB=*))(!(msExchHomeServerName=*)))(&(objectCategory=person)(objectClass=user)(|(homeMDB=*)(msExchHomeServerName=*)))(&(objectCategory=person)(objectClass=contact))(objectCategory=group)(objectCategory=publicFolder)(objectCategory=msExchDynamicDistributionList)))
    As expected, this works fine in the 1st domain, and returns an empty set for the other two.

    So by trial and error, I found that if I delete these two clauses (not one, not the other, but both), the query works:
    Code:
    	(!(msExchHideFromAddressLists=TRUE))
    	(mailnickname=*)
    i.e. the query is now just:
    Code:
    (&(|(displayName=*)(cn=*)(sn=*)(givenName=*)(mail=*))(|(&(objectCategory=person)(objectClass=user)(!(homeMDB=*))(!(msExchHomeServerName=*)))(&(objectCategory=person)(objectClass=user)(|(homeMDB=*)(msExchHomeServerName=*)))(&(objectCategory=person)(objectClass=contact))(objectCategory=group)(objectCategory=publicFolder)(objectCategory=msExchDynamicDistributionList)))
    The values for attribute mailnickname are not populated in my other two domains, so that would explain why the result set is empty, but does anybody know:
    1) why mailnickname needs to be populated?
    2) why the query still does not work after removing just the mailnickname clause?
    3) what's the better solution: to populate mailnickname, or to change the zimbraGalLdapFilterDef filter?
    4) from some googling, it seems that mailnickname is strictly an MS Exchange attribute, so for non-Exchange environments, would it be a bug to use it as a filter?

    For better readability, I reformatted the default query so it looks like this (braces matching; you can't use the query like this, so have to replace \t and \n with null):
    Code:
    (&
    	(|(displayName=*)(cn=*)(sn=*)(givenName=*)(mail=*))
    	(!(msExchHideFromAddressLists=TRUE))
    	(mailnickname=*)
    	(|
    		(&(objectCategory=person)(objectClass=user)(!(homeMDB=*))(!(msExchHomeServerName=*)))
    		(&(objectCategory=person)(objectClass=user)(|(homeMDB=*)(msExchHomeServerName=*)))
    		(&(objectCategory=person)(objectClass=contact))
    		(objectCategory=group)
    		(objectCategory=publicFolder)
    		(objectCategory=msExchDynamicDistributionList)
    	)
    )
    Release 7.2.0_GA_2669.UBUNTU10_64 UBUNTU10_64 FOSS edition

  2. #2

    I found this old bug: https://bugzilla.zimbra.com/show_bug.cgi?id=11562

    According to the last updates, it wasn't fixed in 7.1.1 or 7.1.2, but is fixed in 7.1.3?

    So looks like the correct fix is to remove the mailnickname clause from the filter, will test...

  3. #3

    To follow up, I configured one of the domains as follows:
    1) Configure GAL
    2) changed Server type from AD to LDAP
    3) without touching anything else, changed the LDAP filter to:
    Code:
    (&(|(displayName=*%s*)(cn=*%s*)(sn=*%s*)(givenName=*%s*)(mail=*%s*))(|(&(objectCategory=person)(objectClass=user)(!(homeMDB=*))(!(msExchHomeServerName=*)))(&(objectCategory=person)(objectClass=user)(|(homeMDB=*)(msExchHomeServerName=*)))(&(objectCategory=person)(objectClass=contact))(objectCategory=group)(objectCategory=publicFolder)(objectCategory=msExchDynamicDistributionList)))
    4) without touching anything else, changed the Autocomplete filter to:
    Code:
    (&(|(displayName=%s*)(cn=%s*)(sn=%s*)(givenName=%s*)(mail=%s*))(|(&(objectCategory=person)(objectClass=user)(!(homeMDB=*))(!(msExchHomeServerName=*)))(&(objectCategory=person)(objectClass=user)(|(homeMDB=*)(msExchHomeServerName=*)))(&(objectCategory=person)(objectClass=contact))(objectCategory=group)(objectCategory=publicFolder)(objectCategory=msExchDynamicDistributionList)))
    5) testing on the next few panels now works (i.e. I can retrieve results)

    Note that if I leave "(!(msExchHideFromAddressLists=TRUE))" in the query, it still fails to retrieve anything. So in the end I had to, as per my testing, take out both the mailnickname and msExchHideFromAddressLists clauses.
    Last edited by ypong; 09-21-2011 at 11:42 PM.

  4. #4

    Finally, I modified the queries to exclude disabled accounts:
    LDAP filter:
    Code:
    (&(|(displayName=*%s*)(cn=*%s*)(sn=*%s*)(givenName=*%s*)(mail=*%s*))(|(&(objectCategory=person)(objectClass=user)(!(homeMDB=*))(!(msExchHomeServerName=*))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))(&(objectCategory=person)(objectClass=user)(|(homeMDB=*)(msExchHomeServerName=*))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))(&(objectCategory=person)(objectClass=contact)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))(objectCategory=group)(objectCategory=publicFolder)(objectCategory=msExchDynamicDistributionList)))
    Autocomplete filter:
    Code:
    (&(|(displayName=%s*)(cn=%s*)(sn=%s*)(givenName=%s*)(mail=%s*))(|(&(objectCategory=person)(objectClass=user)(!(homeMDB=*))(!(msExchHomeServerName=*))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))(&(objectCategory=person)(objectClass=user)(|(homeMDB=*)(msExchHomeServerName=*))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))(&(objectCategory=person)(objectClass=contact)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))(objectCategory=group)(objectCategory=publicFolder)(objectCategory=msExchDynamicDistributionList)))
    Not sure if I can take "(!(userAccountControl:1.2.840.113556.1.4.803:=2)) " and put it further outside as part of the initial &, so I don't need to write that clause three times... more testing...

  5. #5

    Thank you very much!!!

    Quote: Originally posted by ypong
    Finally, I modified the queries to exclude disabled accounts:
    LDAP filter:
    Code:
    (&(|(displayname=*%s*)(cn=*%s*)(sn=*%s*)(givenname=*%s*)(mail=*%s*))(|(&(objectcategory=person)(objectclass=user)(!(homemdb=*))(!(msexchhomeservername=*))(!(useraccountcontrol:1.2.840.113556.1.4.803:=2)))(&(objectcategory=person)(objectclass=user)(|(homemdb=*)(msexchhomeservername=*))(!(useraccountcontrol:1.2.840.113556.1.4.803:=2)))(&(objectcategory=person)(objectclass=contact)(!(useraccountcontrol:1.2.840.113556.1.4.803:=2)))(objectcategory=group)(objectcategory=publicfolder)(objectcategory=msexchdynamicdistributionlist)))
    Autocomplete filter:
    Code:
    (&(|(displayname=%s*)(cn=%s*)(sn=%s*)(givenname=%s*)(mail=%s*))(|(&(objectcategory=person)(objectclass=user)(!(homemdb=*))(!(msexchhomeservername=*))(!(useraccountcontrol:1.2.840.113556.1.4.803:=2)))(&(objectcategory=person)(objectclass=user)(|(homemdb=*)(msexchhomeservername=*))(!(useraccountcontrol:1.2.840.113556.1.4.803:=2)))(&(objectcategory=person)(objectclass=contact)(!(useraccountcontrol:1.2.840.113556.1.4.803:=2)))(objectcategory=group)(objectcategory=publicfolder)(objectcategory=msexchdynamicdistributionlist)))
    Not sure if I can take "(!(useraccountcontrol:1.2.840.113556.1.4.803:=2)) " and put it further outside as part of the initial &, so I don't need to write that clause three times... more testing...
    Wow!!! I have been working on this all day. I thought I had something configured wrong. This did the trick!!! Thank you!

  6. #6

    No worries, glad I could help. I've certainly learnt a lot from the community too.

  7. #7

    I'm using for both:
    Code:
    (&(objectClass=person)(|(useraccountcontrol=66048)(useraccountcontrol=512))(|(displayName=*%s*)(cn=*%s*)(sn=*%s*)(givenName=*%s*)(sAMAccountName=%s*)(mail=*%s*)))
    but I don't have Exchange.
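
Added example, not part of any poster's message: posts #4 and #7 keep disabled accounts out of the GAL in two different ways, a bitwise test on userAccountControl versus exact matches on 512 and 66048. The Python sketch below evaluates both clauses over constructed userAccountControl values; the account names are made up, and only user objects (which always carry the attribute) are modelled.

```python
# Added example: the account names and values below are constructed, not from the thread.
ACCOUNTDISABLE       = 0x00002   # the bit tested by the filter in post #4
PASSWD_NOTREQD       = 0x00020
NORMAL_ACCOUNT       = 0x00200   # 512
DONT_EXPIRE_PASSWORD = 0x10000   # 65536; 512 + 65536 = 66048
SMARTCARD_REQUIRED   = 0x40000

def bit_and_match(uac: int, mask: int) -> bool:
    """attr:1.2.840.113556.1.4.803:=mask (LDAP_MATCHING_RULE_BIT_AND):
    true only when every bit of mask is set in the attribute value."""
    return (uac & mask) == mask

def post4_clause(uac: int) -> bool:
    """(!(userAccountControl:1.2.840.113556.1.4.803:=2)) from post #4."""
    return not bit_and_match(uac, ACCOUNTDISABLE)

def post7_clause(uac: int) -> bool:
    """(|(useraccountcontrol=66048)(useraccountcontrol=512)) from post #7."""
    return uac in (66048, 512)

SAMPLE_USERS = {
    "alice": NORMAL_ACCOUNT,
    "bob":   NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD,
    "carol": NORMAL_ACCOUNT | ACCOUNTDISABLE,
    "dave":  NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD | ACCOUNTDISABLE,
    "erin":  NORMAL_ACCOUNT | PASSWD_NOTREQD,
    "frank": NORMAL_ACCOUNT | SMARTCARD_REQUIRED,
}

def compare(users):
    """Map each account to (kept by post #4 clause, kept by post #7 clause)."""
    return {name: (post4_clause(uac), post7_clause(uac)) for name, uac in users.items()}

def disagreements(users):
    """Accounts on which the two clauses give different answers."""
    return sorted(n for n, (a, b) in compare(users).items() if a != b)

if __name__ == "__main__":
    for name, (bitwise, exact) in compare(SAMPLE_USERS).items():
        print(f"{name:6} uac={SAMPLE_USERS[name]:>6}  post4={bitwise!s:5}  post7={exact!s:5}")
    print("clauses disagree on:", disagreements(SAMPLE_USERS))
```

Both clauses drop the disabled accounts; the exact-match form also drops enabled accounts that carry any other flag, so those users would be missing from GAL results.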
