
Thread: Active Directory based GAL

  1. #1
    Join Date
    Nov 2005
    Posts
    11
    Rep Power
    10

    Active Directory based GAL

    Okidoki,

    It's all working:
    Auth through AD -> GREAT (took 10 seconds)
    Zimbra MAIL -> FINE
    AS/AV -> GREAT

    BUT, it seems my main admin guy wants to admin everything through AD. So, he wants the GAL through AD.

    We support it of course, but when we set it as such (GAL through AD), nothing comes back.

    I ran an Ethereal trace and it seems LDAP searches are being done very well, and the server is politely answering success but returning empty sets since it just cannot find what I'm looking for.
    So, this AD deployment is organizationally engineered; it is pretty deep since this is a pretty big company (about 17 enterprises depend on a holding, which manages all IT for them... they are my client).
    Now the LDAP query seems to do the right thing (tries three different searches, tries with both base and sub scopes), but still nothing comes back from the AD.

    So, am I missing something? Is this common when attempting to set up an AD GAL?

  2. #2
    Join Date
    Aug 2005
    Location
    San Mateo, CA
    Posts
    4,789
    Rep Power
    19


    I think you're going to need to wait for the next release for a fix. At this time we don't handle org-based AD deployments very well. The next release is more flexible so it should work for you. BTW: How many users are on the system you're trying to deploy here?

  3. #3
    Join Date
    Nov 2005
    Posts
    11
    Rep Power
    10

    Users

    Well... right now we have about 1000 but growing. The thing is not the number of accounts but geographic and network distribution. This thing spans throughout all of Mexico and off-shores in Costa Rica and the U.S.; one to 100 accounts per site, about 50 sites. So that's why the AD got to be that complex, not that I implemented it or recommended it - ugh.

    So, by the way, if Zimbra does this through LDAP anyhow, you think I'd be better off right now to engineer another search string and go through pure LDAP? Can you share some info on how you are planning to fix this? Would someone describe the problem in terms of the LDAP search string and why it isn't working?

    I'm also a pretty snappy (meaning old and cynical) hacker and this Zimbra thing has me itching. I'm finally implementing a devel box today to start hacking on it... so, I wanna be on your radar.

    I think I've talked to you recently in an email.... mhm... cool.

  4. #4
    Join Date
    Aug 2005
    Posts
    228
    Rep Power
    10


    I think Kevin was referring to authentication being more flexible in the next release, not GAL.

    We've had other people get GAL working with AD without any trouble. I'd also suggest trying external LDAP with your search string, maybe something really trivial that you know works, like:

    Code:
    (|(cn=*%s*)(sn=*%s*)(gn=*%s*))
    which will search for the user-entered string in the cn/sn/gn attributes. Also, you should ask your AD admin if security policies allow for the query to be made unauthenticated. If not, you'll need to set up a service account in AD that has permission to perform the search and then enter it in the GAL wizard setup.

    If you want to see the search string we use for AD, type in:

    Code:
    /opt/zimbra/bin/zmprov gacf|grep zimbraGalLdapFilterDef
    The line that starts with "ad:" is the one we use for AD, and the one that starts with "zimbra:" is the one we use for internal GAL searching.

    You can also use zmprov to do a GAL search:
    Code:
    /opt/zimbra/bin/zmprov sg zimbra.com roland
    Which can be more convenient for debugging than going through the UI.

    roland
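    The %s substitution roland describes above is where the user-entered string meets the LDAP filter, so it is worth seeing what a careful implementation does with it. The following is an added example, not Zimbra's code: it expands the cn/sn/gn template quoted in this post for a query string, escapes the query per RFC 4515 so a typed '*' or ')' cannot change the filter's shape, and runs a structural check that would also flag the mangled attribute names (such as a space inside "telephoneNumber") seen later in this thread. The query strings in the test are constructed values.

```python
import re

# Added example, not Zimbra's code. The template is the one roland quotes
# above; everything else here (names, query strings) is constructed.
SIMPLE_FILTER = "(|(cn=*%s*)(sn=*%s*)(gn=*%s*))"

# RFC 4515: these characters must be escaped inside an assertion value.
_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}
# Attribute descriptors used in this thread are plain alphanumeric names.
_ATTR_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*$")
# One simple item: attr, comparison operator, value, up to (not including) ')'.
_ITEM_RE = re.compile(r"(?P<attr>[^=~<>()]*)(~=|>=|<=|=)(?P<val>[^()]*)(?=\))")


def escape_filter_value(value: str) -> str:
    """Escape a string for use as an LDAP filter assertion value (RFC 4515)."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def expand_gal_filter(template: str, query: str, escape: bool = True) -> str:
    """Replace every %s in a GAL filter template with the user's query.
    escape=False reproduces the raw substitution a naive implementation does."""
    return template.replace("%s", escape_filter_value(query) if escape else query)


def validate_filter(ldap_filter: str) -> list:
    """Return the structural problems in an RFC 4515 filter string: unbalanced
    parentheses, whitespace outside a value, or an illegal attribute name
    (e.g. 'telephoneN umber' from a broken copy/paste). [] means well-formed."""
    problems, depth, pos = [], 0, 0
    while pos < len(ldap_filter):
        ch = ldap_filter[pos]
        if ch == "(":
            depth += 1
            pos += 1
            if ldap_filter[pos:pos + 1] in ("&", "|", "!"):
                pos += 1          # compound filter: its components follow
                continue
            item = _ITEM_RE.match(ldap_filter, pos)
            if not item:
                return problems + ["malformed item at offset %d" % pos]
            if not _ATTR_RE.match(item.group("attr")):
                problems.append("bad attribute name %r" % item.group("attr"))
            pos = item.end()      # now positioned on the item's closing ')'
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return problems + ["unexpected ')' at offset %d" % pos]
            pos += 1
        else:
            return problems + ["unexpected %r outside a value at offset %d" % (ch, pos)]
    if depth:
        problems.append("unclosed '('")
    return problems
```

Note that the unescaped expansion of a query such as `x)(cn=*` is still a well-formed filter, which is exactly why balance checks alone are not enough and the value must be escaped.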

  5. #5
    Join Date
    Sep 2005
    Posts
    8
    Rep Power
    10

    Weird - GAL search through AD returns empty on new version

    Greetings,

    I just upgraded to the new beta 2 release, and noticed the GAL searches to AD return empty now (it worked fine before)... Tried to reconfigure GAL through the admin interface and the tests finished successfully, even throwing back an empty result...

    I've always mapped the AD access as a normal LDAP server (not selecting AD on the combo box), applying the following filter:

    (&(|(displayName=*%s*)(department=*%s*)(telephoneNumber=*%s*)(mail=*%s*))(&(!(objectclass=computer))(!(objectclass=organizationalUnit))(!(objectclass=volume))(!(objectclass=group))(!(objectclass=connectionPoint))))

    (This is the same filter I use for another bunch of LDAP/AD integrated apps)

    Just want to know if there is some place to start in the code I can look at or something to find and try fixing the problem...

    Thanks!

  6. #6
    Join Date
    Aug 2005
    Posts
    228
    Rep Power
    10


    I seem to recall seeing a bug go by recently WRT the client-side GAL. If you want to verify the server-side is working you can try zmprov:

    /opt/zimbra/bin/zmprov sg {your.domain} {query-string}

    I'll try and find out the status on the bug...

    roland

  7. #7
    Join Date
    Sep 2005
    Posts
    8
    Rep Power
    10


    Hello Roland,

    zmprov command line GAL search returns empty (back to prompt).

    ldapsearch with the same parameters returns the expected results.

    I'm still playing with it, any news I'll post them here at once.

    Thanks guys,

  8. #8
    Join Date
    Sep 2005
    Posts
    8
    Rep Power
    10


    After searching with ldapsearch... zmprov started working... and so all the rest...

    It's all fine now but... Don't ask me.. I'm clueless...


  9. #9
    Join Date
    Sep 2005
    Location
    Los Angeles
    Posts
    51
    Rep Power
    10


    Let me guess, you used ldapsearch -x?
    Do you have anything funky in your slapd.conf? Did you modify it?

    Also, version 1 (didn't try version 2 yet) could not handle multiple contexts nor could it handle multiple trees; I've been told that this version does.

    can you confirm ?

  10. #10
    Join Date
    Sep 2005
    Posts
    8
    Rep Power
    10


    Well I did a couple of (from command history):

    ./ldapsearch -b "ou=Departments,dc=company,dc=com" -D "cn=LDAP Query,cn=Users,dc=company,dc=com" -h dc.company.com -w password '(&(|(displayName=*Some_Name*)(department=*%s*)(telephoneNumber=*%s*)(mail=*%s*))(&(!(objectclass=computer))(!(objectclass=organizationalUnit))(!(objectclass=volume))(!(objectclass=group))(!(objectclass=connectionPoint))))'

    (the %s are there cuz it was a lazy copy/paste from zimbra conf, doesn't affect the results anyway)

    Then I went to zimbra admin reconfigure GAL for the 10000th time to test the search (expecting an empty result of course), and hey.. it worked now.

    After that came back to the shell prompt and tried zmprov search again.. it worked.

    About slapd.conf... Looks normal and nothing touched there or anywhere on the default installation...

    I can't confirm the multi tree/context support, but it would be nice to know how that's possible, if available...
