Results 1 to 3 of 3

Thread: Remote access to Zimbra 8.0 LDAP through SASL

  1. #1
    Join Date
    Oct 2012
    Location
    Montana
    Posts
    9
    Rep Power
    3

    Default Remote access to Zimbra 8.0 LDAP through SASL

    Hello Forum,
    I am working with an "out of the box" installation of Z. 8.0 on Ubuntu 10.04. This is a licensed installation.
    I need to allow a remote, 3rd party, SPAM filter to query the Z. OpenLDAP server so it can verify user accounts.
    It appears, however, that there is some sort of configuration conflict between LDAP and SASL that is causing remote client
    authentication to fail.

    Example:
    If I run ldapsearch with the -x switch ( use simple authentication instead of SASL) I will get a successful
    response from the server:
    $ ldapsearch -v -x
    -H 'ldap://<server IP>:389'
    -D 'uid=testuser.one,ou=people,dc=mydomain,dc=org'
    -w '<password>'
    "mail=someuser@mydomain.org"

    If run the same ldapsearch without the -x switch then SASL is engaged and the authentication fails.
    Here is an example, with the debug switch, -d 3, to generate detailed information:
    $ ldapsearch -v -d 3
    -H 'ldap://<server IP>:389'
    -D 'uid=testuser.one,ou=people,dc=mydomain,dc=org'
    -w '<password>'
    "mail=someuser@mydomain.org"

    Result ( edited for brevity...):
    ...
    wait4msg ld 0x940b550 msgid 1 (infinite timeout)
    wait4msg continue ld 0x940b550 msgid 1 all 1
    ** ld 0x940b550 Connections:
    * host: <IP Address> port: 389 (default)
    refcnt: 2 status: Connected
    ...
    ldap_msgfree
    ldap_sasl_interactive_bind_s: server supports: SCRAM-SHA-1 GSSAPI DIGEST-MD5 OTP CRAM-MD5
    ldap_int_sasl_bind: SCRAM-SHA-1 GSSAPI DIGEST-MD5 OTP CRAM-MD5
    ldap_int_sasl_open: host=<IP Address>
    SASL/DIGEST-MD5 authentication started
    ...
    ldap_perror
    ldap_sasl_interactive_bind_s: Internal (implementation specific) error (80)
    additional info: SASL(-1): generic failure: unable to canonify user and get auxprops

    End of example.

    Looking through the forum threads there does not seem to be much information on this
    problem and, with 8.0, nothing that is current. I suspect that this problem can be solved
    by adjusting the SASL and or LDAP configuration but I'm afraid to to this w/o advice since
    I'm not sure how that might affect the operation of the ZCS as a whole. I've not submitted
    a support request on this as yet; can anybody give me some pointers on how to fix?

    Thanks Much,
    -Dave

  2. #2
    Join Date
    Feb 2013
    Posts
    1
    Rep Power
    2

    Default

    Hi Dave,

    I have same issue, working in similar environment (email security gateway, trying to authenticate internal user account in Zimbra OpenLDAP). As you opened this thread few months ago, did you found solution for this issue?

    Marcony

  3. #3
    Join Date
    Oct 2012
    Location
    Montana
    Posts
    9
    Rep Power
    3

    Default

    Hello Marcony,
    yes I did resolve my difficulty with allowing outside queries to our Zimbra 8.0 LDAP service.
    First: Zimbras OpenLDAP implementation does not support SASL (according to customer support)
    but only TLS. If you use a client with OpenLDAP it will, by default, try to invoke SASL on the server
    side and fail. You have to specify either "plain authentication" or TLS for Zimbras OpenLDAP to
    follow through with the operation. Once I understood that I had two problems that we resolved:

    First I needed to procure and install a CA signed in certificate in Zimbra to satisfy the client side of TLS.
    Second: Our client ( an ISP running Red Condor / EdgeWave SPAM filtering ) needed to be tweaked to
    properly recognise the LDAP results they were getting from their queries.

    After that was fixed it has been running just fine.

    I hope this helps. I had to go through product support to get mine solved and that took a couple weeks!
    Best Regards.
    -D

Similar Threads

  1. [SOLVED] Postix SASL Authentication to Zimbra LDAP
    By gcakici in forum Administrators
    Replies: 1
    Last Post: 05-05-2011, 07:24 AM
  2. Zimbra HTTP remote access through DMZ
    By milesteg in forum Installation
    Replies: 6
    Last Post: 01-09-2009, 02:52 PM
  3. Remote DOS condition in Cyrus-SASL
    By lee in forum Announcements
    Replies: 1
    Last Post: 04-25-2006, 04:20 PM
  4. can't send mail using sasl (remote network)
    By skullbolix in forum Installation
    Replies: 3
    Last Post: 03-24-2006, 11:45 AM

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •