Thread: Zimbra with Centos 6 as active directory problem


    Hello,
    I have been installing Zimbra (zcs-7.1.3) under CentOS 6 to act as a Windows domain controller. I followed the steps in "UNIX and Windows Accounts in Zimbra LDAP and Zimbra Admin UI" on the Zimbra wiki.

    Zimbra installed fine, and so did Samba, but when I try to query LDAP using the getent group command, nothing happens and I get this error message in /var/log/messages:

    domain nslcd[1321]: [5c55b5] failed to bind to LDAP server ldap://10.1.1.18/: Invalid credentials
    Oct 17 13:53:04 domain nslcd[1321]: [5c55b5] no available LDAP server found
    Oct 17 13:53:04 domain nslcd[1321]: [5c55b5] no available LDAP server found


    The Zimbra LDAP root password is test1.

    My nslcd.conf:

    # This is the configuration file for the LDAP nameservice
    # switch library's nslcd daemon. It configures the mapping
    # between NSS names (see /etc/nsswitch.conf) and LDAP
    # information in the directory.
    # See the manual page nslcd.conf(5) for more information.

    # The uri pointing to the LDAP server to use for name lookups.
    # Multiple entries may be specified. The address that is used
    # here should be resolvable without using LDAP (obviously).
    uri ldap://10.1.1.18/

    #uri ldaps://127.0.0.1/
    #uri ldapi://%2fvar%2frun%2fldapi_sock/
    # Note: %2f encodes the '/' used as directory separator
    # uri ldap://127.0.0.1/

    # The LDAP version to use (defaults to 3
    # if supported by client library)
    #ldap_version 3

    # The distinguished name of the search base.
    base dc=test,dc=com

    # The distinguished name to bind to the server with.
    # Optional: default is to bind anonymously.
    binddn uid=zmposix,cn=appaccts,cn=zimbra

    # The credentials to bind with.
    # Optional: default is no credentials.
    # Note that if you set a bindpw you should check the permissions of this file.
    bindpw test1

    # The distinguished name to perform password modifications by root by.
    rootpwmoddn uid=zmposixroot,cn=appaccts,cn=zimbra

    # The default search scope.
    scope sub

    #scope one
    #scope base

    # Customize certain database lookups.
    base group ou=groups,dc=test,dc=com
    base passwd ou=people,dc=test,dc=com
    base shadow ou=people,dc=test,dc=com
    #scope group onelevel
    #scope hosts sub

    # Bind/connect timelimit.
    bind_timelimit 30

    # Search timelimit.
    timelimit 30


    # Idle timelimit. nslcd will close connections if the
    # server has not been contacted for the number of seconds.
    idle_timelimit 3600

    # Use StartTLS without verifying the server certificate.
    #ssl start_tls
    #tls_reqcert never

    # CA certificates for server certificate verification
    #tls_cacertdir /etc/ssl/certs
    #tls_cacertfile /etc/ssl/ca.cert

    # Seed the PRNG if /dev/urandom is not provided
    #tls_randfile /var/run/egd-pool

    # SSL cipher suite
    # See man ciphers for syntax
    #tls_ciphers TLSv1

    # Client certificate and key
    # Use these, if your server requires client authentication.
    #tls_cert
    #tls_key

    # NDS mappings
    #map group uniqueMember member

    # Mappings for Services for UNIX 3.5
    #filter passwd (objectClass=User)
    #map passwd uid msSFU30Name
    #map passwd userPassword msSFU30Password
    #map passwd homeDirectory msSFU30HomeDirectory
    #map passwd homeDirectory msSFUHomeDirectory
    #filter shadow (objectClass=User)
    #map shadow uid msSFU30Name
    #map shadow userPassword msSFU30Password
    #filter group (objectClass=Group)
    #map group uniqueMember msSFU30PosixMember

    # Mappings for Services for UNIX 2.0
    #filter passwd (objectClass=User)
    #map passwd uid msSFUName
    #map passwd userPassword msSFUPassword
    #map passwd homeDirectory msSFUHomeDirectory
    #map passwd gecos msSFUName
    #filter shadow (objectClass=User)
    #map shadow uid msSFUName
    #map shadow userPassword msSFUPassword
    #map shadow shadowLastChange pwdLastSet
    #filter group (objectClass=Group)

    #map group uniqueMember posixMember

    # Mappings for Active Directory
    #pagesize 1000
    #referrals off
    #filter passwd (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))
    #map passwd uid sAMAccountName
    #map passwd homeDirectory unixHomeDirectory
    #map passwd gecos displayName
    #filter shadow (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))
    #map shadow uid sAMAccountName
    #map shadow shadowLastChange pwdLastSet
    #filter group (objectClass=group)
    #map group uniqueMember member

    # Mappings for AIX SecureWay
    #filter passwd (objectClass=aixAccount)
    #map passwd uid userName
    #map passwd userPassword passwordChar
    #map passwd uidNumber uid
    #map passwd gidNumber gid
    #filter group (objectClass=aixAccessGroup)
    #map group cn groupName
    #map group uniqueMember member
    #map group gidNumber gid


    # The distinguished name of the search base.

    uid nslcd
    gid ldap
    # This comment prevents repeated auto-migration of settings.
    ------------------------------
    My pam_ldap.conf:

    # @(#)$Id: ldap.conf,v 1.38 2006/05/15 08:13:31 lukeh Exp $
    #
    # This is the configuration file for the LDAP nameservice
    # switch library and the LDAP PAM module.
    #
    # The man page for this file is pam_ldap(5)
    #
    # PADL Software
    # PADL Software Pty Ltd
    #

    # Your LDAP server. Must be resolvable without using LDAP.
    # Multiple hosts may be specified, each separated by a
    # space. How long nss_ldap takes to failover depends on
    # whether your LDAP client library supports configurable
    # network or connect timeouts (see bind_timelimit).
    host 10.1.1.18

    # The distinguished name of the search base.
    base dc=test,dc=com

    # Another way to specify your LDAP server is to provide an
    # uri with the server name. This allows to use
    # Unix Domain Sockets to connect to a local LDAP Server.
    uri ldap://10.1.1.18/

    #uri ldaps://127.0.0.1/
    #uri ldapi://%2fvar%2frun%2fldapi_sock/
    # Note: %2f encodes the '/' used as directory separator

    # The LDAP version to use (defaults to 3
    # if supported by client library)
    #ldap_version 3

    # The distinguished name to bind to the server with.
    # Optional: default is to bind anonymously.
    #binddn cn=proxyuser,dc=example,dc=com
    binddn uid=zmposix,cn=appaccts,cn=zimbra

    # The credentials to bind with.
    # Optional: default is no credential.
    bindpw test1


    # The distinguished name to bind to the server with
    # if the effective user ID is root. Password is
    # stored in /etc/ldap.secret (mode 600)
    #rootbinddn cn=manager,dc=example,dc=com
    rootbinddn uid=zmposixroot,cn=appaccts,cn=zimbra

    # The port.
    # Optional: default is 389.
    port 389

    # The search scope.
    #scope sub
    #scope one
    #scope base

    # Search timelimit
    timelimit 30

    # Bind/connect timelimit
    bind_timelimit 30

    # Reconnect policy: hard (default) will retry connecting to
    # the software with exponential backoff, soft will fail
    # immediately.
    bind_policy soft

    # Idle timelimit; client will close connections
    # (nss_ldap only) if the server has not been contacted
    # for the number of seconds specified below.
    #idle_timelimit 3600

    # Filter to AND with uid=%s
    #pam_filter objectclass=account

    # The user ID attribute (defaults to uid)
    #pam_login_attribute uid

    # Search the root DSE for the password policy (works
    # with Netscape Directory Server)
    #pam_lookup_policy yes

    # Check the 'host' attribute for access control
    # Default is no; if set to yes, and user has no
    # value for the host attribute, and pam_ldap is
    # configured for account management (authorization)
    # then the user will not be allowed to login.
    #pam_check_host_attr yes

    # Check the 'authorizedService' attribute for access
    # control
    # Default is no; if set to yes, and the user has no
    # value for the authorizedService attribute, and
    # pam_ldap is configured for account management
    # (authorization) then the user will not be allowed
    # to login.

    #pam_check_service_attr yes

    # Group to enforce membership of
    #pam_groupdn cn=PAM,ou=Groups,dc=example,dc=com

    # Group member attribute
    #pam_member_attribute uniquemember

    # Specify a minimum or maximum UID number allowed
    #pam_min_uid 0
    #pam_max_uid 0

    # Template login attribute, default template user
    # (can be overridden by value of former attribute
    # in user's entry)
    #pam_login_attribute userPrincipalName
    #pam_template_login_attribute uid
    #pam_template_login nobody

    # HEADS UP: the pam_crypt, pam_nds_passwd,
    # and pam_ad_passwd options are no
    # longer supported.
    #
    # Do not hash the password at all; presume
    # the directory server will do it, if
    # necessary. This is the default.
    #pam_password clear

    # Hash password locally; required for University of
    # Michigan LDAP server, and works with Netscape
    # Directory Server if you're using the UNIX-Crypt
    # hash mechanism and not using the NT Synchronization
    # service.
    #pam_password crypt

    # Remove old password first, then update in
    # cleartext. Necessary for use with Novell
    # Directory Services (NDS)
    #pam_password clear_remove_old
    #pam_password nds

    # RACF is an alias for the above. For use with
    # IBM RACF
    #pam_password racf

    # Update Active Directory password, by
    # creating Unicode password and updating
    # unicodePwd attribute.
    #pam_password ad

    # Use the OpenLDAP password change
    # extended operation to update the password.
    #pam_password exop

    # Redirect users to a URL or somesuch on password
    # changes.
    #pam_password_prohibit_message Please visit http://internal to change your password.

    # RFC2307bis naming contexts
    # Syntax:
    # nss_base_XXX base?scope?filter
    # where scope is {base,one,sub}
    # and filter is a filter to be &'d with the
    # default filter.
    # You can omit the suffix eg:
    # nss_base_passwd ou=People,
    # to append the default base DN but this
    # may incur a small performance impact.
    #nss_base_passwd ou=People,dc=example,dc=com?one
    #nss_base_shadow ou=People,dc=example,dc=com?one
    #nss_base_group ou=Group,dc=example,dc=com?one
    #nss_base_hosts ou=Hosts,dc=example,dc=com?one
    #nss_base_services ou=Services,dc=example,dc=com?one
    #nss_base_networks ou=Networks,dc=example,dc=com?one
    #nss_base_protocols ou=Protocols,dc=example,dc=com?one
    #nss_base_rpc ou=Rpc,dc=example,dc=com?one
    #nss_base_ethers ou=Ethers,dc=example,dc=com?one
    #nss_base_netmasks ou=Networks,dc=example,dc=com?one
    #nss_base_bootparams ou=Ethers,dc=example,dc=com?one
    #nss_base_aliases ou=Aliases,dc=example,dc=com?one
    #nss_base_netgroup ou=Netgroup,dc=example,dc=com?one

    nss_base_passwd ou=people,dc=test,dc=com?one
    nss_base_shadow ou=people,dc=test,dc=com?one

    nss_base_group ou=groups,dc=test,dc=com?one
    nss_base_hosts ou=machines,dc=test,dc=com?one

    # attribute/objectclass mapping
    # Syntax:
    #nss_map_attribute rfc2307attribute mapped_attribute
    #nss_map_objectclass rfc2307objectclass mapped_objectclass

    # configure --enable-nds is no longer supported.
    # NDS mappings
    #nss_map_attribute uniqueMember member

    # Services for UNIX 3.5 mappings
    #nss_map_objectclass posixAccount User
    #nss_map_objectclass shadowAccount User

    #nss_map_attribute uid msSFU30Name
    #nss_map_attribute uniqueMember msSFU30PosixMember
    #nss_map_attribute userPassword msSFU30Password
    #nss_map_attribute homeDirectory msSFU30HomeDirectory
    #nss_map_attribute homeDirectory msSFUHomeDirectory
    #nss_map_objectclass posixGroup Group
    #pam_login_attribute msSFU30Name
    #pam_filter objectclass=User
    #pam_password ad

    # configure --enable-mssfu-schema is no longer supported.
    # Services for UNIX 2.0 mappings
    #nss_map_objectclass posixAccount User
    #nss_map_objectclass shadowAccount user
    #nss_map_attribute uid msSFUName
    #nss_map_attribute uniqueMember posixMember
    #nss_map_attribute userPassword msSFUPassword
    #nss_map_attribute homeDirectory msSFUHomeDirectory
    #nss_map_attribute shadowLastChange pwdLastSet
    #nss_map_objectclass posixGroup Group
    #nss_map_attribute cn msSFUName
    #pam_login_attribute msSFUName
    #pam_filter objectclass=User
    #pam_password ad

    # RFC 2307 (AD) mappings
    #nss_map_objectclass posixAccount user
    #nss_map_objectclass shadowAccount user
    #nss_map_attribute uid sAMAccountName
    #nss_map_attribute homeDirectory unixHomeDirectory
    #nss_map_attribute shadowLastChange pwdLastSet
    #nss_map_objectclass posixGroup group
    #nss_map_attribute uniqueMember member
    #pam_login_attribute sAMAccountName
    #pam_filter objectclass=User
    #pam_password ad

    # configure --enable-authpassword is no longer supported
    # AuthPassword mappings
    #nss_map_attribute userPassword authPassword

    # AIX SecureWay mappings
    #nss_map_objectclass posixAccount aixAccount
    #nss_base_passwd ou=aixaccount,?one
    #nss_map_attribute uid userName
    #nss_map_attribute gidNumber gid
    #nss_map_attribute uidNumber uid
    #nss_map_attribute userPassword passwordChar

    #nss_map_objectclass posixGroup aixAccessGroup
    #nss_base_group ou=aixgroup,?one
    #nss_map_attribute cn groupName
    #nss_map_attribute uniqueMember member
    #pam_login_attribute userName
    #pam_filter objectclass=aixAccount
    #pam_password clear

    # Netscape SDK LDAPS
    #ssl on

    # Netscape SDK SSL options
    #sslpath /etc/ssl/certs

    # OpenLDAP SSL mechanism
    # start_tls mechanism uses the normal LDAP port, LDAPS typically 636
    #ssl start_tls
    #ssl on

    # OpenLDAP SSL options
    # Require and verify server certificate (yes/no)
    # Default is to use libldap's default behavior, which can be configured in
    # /etc/openldap/ldap.conf using the TLS_REQCERT setting. The default for
    # OpenLDAP 2.0 and earlier is "no", for 2.1 and later is "yes".
    #tls_checkpeer yes

    # CA certificates for server certificate verification
    # At least one of these are required if tls_checkpeer is "yes"
    #tls_cacertfile /etc/ssl/ca.cert
    #tls_cacertdir /etc/ssl/certs

    # Seed the PRNG if /dev/urandom is not provided
    #tls_randfile /var/run/egd-pool

    # SSL cipher suite
    # See man ciphers for syntax
    #tls_ciphers TLSv1

    # Client certificate and key
    # Use these, if your server requires client authentication.
    #tls_cert
    #tls_key

    # Disable SASL security layers. This is needed for AD.
    #sasl_secprops maxssf=0

    # Override the default Kerberos ticket cache location.
    #krb5_ccname FILE:/etc/.ldapcache

    # SASL mechanism for PAM authentication - use is experimental
    # at present and does not support password policy control

    #pam_sasl_mech DIGEST-MD5
    --------------------------------------------
    /etc/openldap/ldap.conf
    # LDAP Defaults
    #

    # See ldap.conf(5) for details
    # This file should be world readable but not world writable.

    #BASE dc=example, dc=com
    #URI ldap://ldap.example.com ldap://ldap-master.example.com:666

    #SIZELIMIT 12
    #TIMELIMIT 15
    #DEREF never
    #
    URI ldaps://10.1.1.18/
    BASE dc=test,dc=com
    TLS_CACERTDIR /etc/openldap/cacerts

    ----------------------------------------
    /etc/hosts
    10.1.1.18 domain.test.com domain # Added by NetworkManager
    10.1.1.18 test.com test # Added by Me
    127.0.0.1 localhost.localdomain localhost
    --------------------------------------------
    DNS also resolves to test.com.



    What did I miss?
    Thanks for the help.
    Last edited by gyt; 10-17-2011 at 07:55 AM.
    Thanks
    gyt
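The log line quoted above says the failure happens at the simple bind, before any NSS lookup is attempted, so the quickest way to narrow it down is to reproduce exactly that bind with the OpenLDAP command-line tools, using the same uri, binddn and bindpw that nslcd reads from its config. The script below is an added example and is not from the thread or from the Zimbra wiki; it assumes the OpenLDAP client tools (ldapwhoami) are installed, and the two config files it creates are constructed samples shaped like the nslcd.conf and /etc/openldap/ldap.conf posted above. It also flags two things visible in the posted configs: nslcd.conf holds bindpw in clear text (the file's own comment says to check its permissions), and nslcd is pointed at ldap:// while /etc/openldap/ldap.conf defaults ldapsearch and friends to ldaps://, so a manual test that omits -H goes over a different transport than nslcd does.

```shell
#!/bin/sh
# Added example, not from the thread: reproduce the simple bind that nslcd
# performs, straight from its own config, so an "Invalid credentials" error
# can be separated from the NSS/PAM layers above it. Assumes ldapwhoami from
# the OpenLDAP client tools; all file paths below are constructed samples.

# Value of the first uncommented KEY line in an nslcd.conf / ldap.conf style
# file. Keys match case-insensitively, so "uri" and "URI" both work.
nslcd_get() {
    awk -v key="$2" 'tolower($1) == key { $1 = ""; sub(/^[ \t]+/, ""); print; exit }' "$1"
}

# URI scheme (ldap / ldaps / ldapi) of the configured server.
uri_scheme() {
    uri=$(nslcd_get "$1" uri)
    printf '%s\n' "${uri%%://*}"
}

# Return 0 only if no group/other read bit is set. nslcd.conf carries the
# bindpw in clear text, so anything wider than 0600 leaks a directory password
# to every local user.
perm_check() {
    bits=$(ls -l "$1" | cut -c5-10)
    case "$bits" in
        *r*) return 1 ;;
        *)   return 0 ;;
    esac
}

# Copy the bindpw from CONF into PWFILE (mode 0600, no trailing newline) so
# the test bind can use "ldapwhoami -y" instead of putting the password on a
# command line where ps would show it.
write_pwfile() {
    pw=$(nslcd_get "$1" bindpw)
    ( umask 077; printf '%s' "$pw" > "$2" )
}

# The command that performs exactly the bind nslcd attempts: simple bind (-x)
# to the configured uri as binddn. "Invalid credentials (49)" from this means
# the DN/password pair itself is rejected by the directory; success means the
# problem is elsewhere (search bases, maps, nsswitch.conf, pam).
bind_check_cmd() {
    printf 'ldapwhoami -x -H %s -D %s -y %s\n' \
        "$(nslcd_get "$1" uri)" "$(nslcd_get "$1" binddn)" "$2"
}

# Constructed samples mirroring the shape of the configs posted in the thread.
WORK=$(mktemp -d)
SAMPLE_NSLCD="$WORK/nslcd.conf"
SAMPLE_LDAPCONF="$WORK/ldap.conf"
cat > "$SAMPLE_NSLCD" <<'EOF'
# nslcd.conf (constructed sample)
uri ldap://10.1.1.18/
#uri ldaps://127.0.0.1/
base dc=test,dc=com
binddn uid=zmposix,cn=appaccts,cn=zimbra
bindpw test1
EOF
chmod 644 "$SAMPLE_NSLCD"   # deliberately too open, so the permission check fires
cat > "$SAMPLE_LDAPCONF" <<'EOF'
# /etc/openldap/ldap.conf (constructed sample)
URI ldaps://10.1.1.18/
BASE dc=test,dc=com
EOF

# Audit one nslcd.conf against the CLI tools' ldap.conf and emit the command
# to run by hand. $1 = nslcd.conf, $2 = ldap.conf, $3 = password file to write.
audit_nslcd() {
    perm_check "$1" || echo "WARN: $1 is readable by group/other; chmod 600 it"
    if [ "$(uri_scheme "$1")" != "$(uri_scheme "$2")" ]; then
        echo "NOTE: nslcd binds over $(uri_scheme "$1")://, but the CLI tools default to $(uri_scheme "$2")://; always pass -H when testing by hand"
    fi
    write_pwfile "$1" "$3"
    bind_check_cmd "$1" "$3"
}

audit_nslcd "$SAMPLE_NSLCD" "$SAMPLE_LDAPCONF" "$WORK/bindpw"
```

Run against the real files with `audit_nslcd /etc/nslcd.conf /etc/openldap/ldap.conf /root/.nslcd-bindpw`, then execute the printed ldapwhoami line. A successful bind prints the bound DN, which tells you the credentials in nslcd.conf are accepted and the search should be moved on to the base DNs and nsswitch.conf; an "Invalid credentials (49)" confirms that the directory rejects that DN/password pair and that nothing in the NSS maps is involved yet.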
