Thread: external LDAP authentication in M2

#1: external LDAP authentication in M2

    Hi,
    In M1 running on FC4 I had external LDAP authentication working splendidly with only the following bind DN template:

    uid=%u,ou=People,o=Company

    When I upgraded to M2, it continued to work. Later when I reinstalled M2 from scratch (to resolve a separate issue) I attempted to add the same external LDAP config. It seems the input fields have changed a bit. I've tried every possible permutation of the above (uid=%u,ou=People,o=Company) with the filter, search base and bind DN input fields, and still no luck.

    It seems like the interface has changed and does not allow for the same 'bind DN template' that was working in the M1 release. Can't seem to figure it out - any help would be greatly appreciated!


    thanks! -Jim

#2

    Hi. We switched to a filter because the bind template was too restrictive and didn't work well with sites that had multiple orgs.

    If your bind template was indeed:

    uid=%u,ou=People,o=Company

    Then you should be able to do something like:

    search filter: (uid=%u)
    search base: ou=People,o=Company

    I just tried the following on my dev box and it worked:

    search filter: (uid=%u)
    search base: ou=people,dc=slapshot,dc=liquidsys,dc=com

    Let me know if that works for you...

    roland

#3: external ldap - tried

    Hi, thanks for the quick response. I tried, with and without parentheses around the uid=%u filter with the search string ou=People, o=Company - but still no luck.
    Just wondering - it seemed like after the upgrade, the template functionality was still there but on the fresh install it is not (at least thru the UI) - is there any way to revert to the template functionality, or configure it manually through command line/conf file?

    I've copied the error message output below:

    thanks again! -Jim

    Code:
    javax.naming.AuthenticationException: empty search
    	at com.zimbra.cs.account.ldap.LdapUtil.ldapAuthenticate(LdapUtil.java:262)
    	at com.zimbra.cs.account.ldap.Check.checkAuthConfig(Check.java:152)
    	at com.zimbra.cs.service.admin.CheckAuthConfig.handle(CheckAuthConfig.java:53)
    	at com.zimbra.soap.SoapEngine.dispatchRequest(SoapEngine.java:249)
    	at com.zimbra.soap.SoapEngine.dispatch(SoapEngine.java:163)
    	at com.zimbra.soap.SoapEngine.dispatch(SoapEngine.java:84)
    	at com.zimbra.soap.SoapServlet.doPost(SoapServlet.java:226)
    	at javax.servlet.http.HttpServlet.service(HttpServlet.java:709)
    	at com.zimbra.cs.servlet.ZimbraServlet.service(ZimbraServlet.java:148)
    	at javax.servlet.http.HttpServlet.service(HttpServlet.java:802)
    	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:252)
    	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
    	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:214)
    	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:178)
    	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126)
    	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)
    	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107)
    	at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:526)
    	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)
    	at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:825)
    	at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.processConnection(Http11Protocol.java:738)
    	at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:526)
    	at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:80)
    	at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:684)
    	at java.lang.Thread.run(Thread.java:595)

#4

    It is saying AuthenticationException. On the wizard step after you enter the filter/base, are you clicking on the authentication box? You should only fill in that info if you need to pre-auth to the directory to do the search filter you entered in. i.e., if you can do an anonymous bind and run the search filter you typed in, then you should not check that box.

    roland

#5

    Hi, the box is not checked. Should I be using this pre-authentication to bind to the OpenLDAP server now that we are using a filter as opposed to bind template? thanks again, Jim

#6

    my bad. In looking at the source code, "empty search" gets returned when the search filter didn't match anything. Are you sure the search filter and base are correct?

    For example, going against the internal Zimbra OpenLDAP server, the search filter/base is:

    search filter: (uid=%u)
    search base: ou=people,dc=slapshot,dc=liquidsys,dc=com

    when I type in my test username to the wizard ("user1"), the search done on the LDAP server would be:

    (uid=user1)

    under the ou=people,dc=slapshot,dc=liquidsys,dc=com directory, which would match the entry:

    uid=user1,ou=people,dc=slapshot,dc=liquidsys,dc=com

    We then take that DN and the supplied password, and auth using that.

    One thing to try would be to use ldapsearch to see if you can find the entry:
    Code:
    ldapsearch -x -b ou=people,dc=slapshot,dc=liquidsys,dc=com  '(uid=user1)'
    This binds without auth, does the search, and returns a single entry. If that fails, then your LDAP search might not let you do the search un-authenticated, in which case you'll need to either change ACLs, or create a special account used to do the search.

    If that doesn't work, you can ultimately fallback to the previous mechanism, by unsetting zimbraAuthLdapSearchFilter on the domain, and setting zimbraAuthLdapBindDn instead, but it is probably better to get it working.

    It might also help if you could run:
    Code:
    zmprov gd {yourdomain} | grep zimbraAuth
    So we can see all the zimbraAuth settings on the domain.

    roland
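The search-then-bind flow roland lays out in #6 (substitute the username into the filter, search under the base, bind as the DN that comes back), together with the template-to-filter/base mapping from #2, as an added Python example. This is not code from the thread or from Zimbra; the directory is abstracted as two callables so the flow runs offline, and sample_search, sample_bind and the two entries they serve are constructed for the example. The thread does not say how Zimbra escapes the username before substituting it, so the example applies RFC 4515 filter escaping (and RFC 4514 DN escaping for the old bind-DN template) on its own account: without it a username such as `*` turns `(uid=%u)` into a wildcard search, and a username containing `)(` rewrites the filter. The empty-password check is also the example's own: a DN with an empty password is an unauthenticated bind that a server may accept as anonymous, so it must never count as a login.

```python
"""Search-then-bind LDAP authentication, offline. Added example, not Zimbra code.
sample_search/sample_bind and their entries are constructed stand-ins for the
OpenLDAP server; a real deployment swaps in an LDAP client library."""
import re
from typing import Callable, Dict, List

# RFC 4515: characters that must be hex-escaped inside a filter value.
_FILTER_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def escape_dn_value(value: str) -> str:
    """RFC 4514 escaping for a value placed in an RDN (the bind-DN template case)."""
    out, last = [], len(value) - 1
    for i, ch in enumerate(value):
        if ch in '"+,;<>\\=' or (i == 0 and ch in " #") or (i == last and ch == " "):
            out.append("\\" + ch)
        elif ord(ch) < 0x20:
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def build_filter(template: str, username: str) -> str:
    """(uid=%u) + user1 -> (uid=user1); escaping keeps a username from rewriting the filter."""
    return template.replace("%u", escape_filter_value(username))


def build_bind_dn(template: str, username: str) -> str:
    """uid=%u,ou=People,o=Company + user1 -> uid=user1,ou=People,o=Company (the M1 way)."""
    return template.replace("%u", escape_dn_value(username))


class LdapAuthError(Exception):
    pass


def search_then_bind(username: str, password: str, filter_template: str, search_base: str,
                     search: Callable[[str, str], List[str]],   # (base, filter) -> DNs
                     bind: Callable[[str, str], bool]) -> str:   # (dn, password) -> ok
    """Return the DN that authenticated, or raise LdapAuthError."""
    if not password:
        # RFC 4513 5.1.2: DN plus empty password is an unauthenticated bind, which a
        # server may accept as anonymous; it must never count as a login.
        raise LdapAuthError("empty password")
    dns = search(search_base, build_filter(filter_template, username))
    if not dns:
        raise LdapAuthError("empty search")      # the error quoted in the thread
    if len(dns) > 1:
        raise LdapAuthError("ambiguous search")  # filter must pick exactly one entry
    if not bind(dns[0], password):
        raise LdapAuthError("invalid credentials")
    return dns[0]


# Constructed in-memory directory standing in for the OpenLDAP server.
_SAMPLE_ENTRIES: Dict[str, Dict[str, str]] = {
    "uid=user1,ou=people,dc=slapshot,dc=liquidsys,dc=com": {"uid": "user1", "password": "test123"},
    "uid=user2,ou=people,dc=slapshot,dc=liquidsys,dc=com": {"uid": "user2", "password": "hunter2"},
}
_HEX_ESC = re.compile(r"\\([0-9a-fA-F]{2})")


def _filter_value_to_regex(raw: str) -> str:
    """An unescaped '*' is a wildcard; a '\\xx' hex pair is one literal character."""
    pattern, i = [], 0
    while i < len(raw):
        if raw[i] == "\\" and _HEX_ESC.match(raw, i):
            pattern.append(re.escape(chr(int(raw[i + 1:i + 3], 16))))
            i += 3
        elif raw[i] == "*":
            pattern.append(".*")
            i += 1
        else:
            pattern.append(re.escape(raw[i]))
            i += 1
    return "".join(pattern) + r"\Z"


def sample_search(base: str, flt: str) -> List[str]:
    """Evaluate one (attr=value) filter over the sample entries below base."""
    m = re.fullmatch(r"\((\w+)=(.*)\)", flt)
    if not m:
        raise LdapAuthError("sample directory only understands (attr=value): " + flt)
    attr, rx = m.group(1), re.compile(_filter_value_to_regex(m.group(2)))
    suffix = "," + base.lower()
    return [dn for dn, attrs in _SAMPLE_ENTRIES.items()
            if dn.lower().endswith(suffix) and attr in attrs and rx.match(attrs[attr])]


def sample_bind(dn: str, password: str) -> bool:
    entry = _SAMPLE_ENTRIES.get(dn)
    return entry is not None and entry["password"] == password


if __name__ == "__main__":
    base = "ou=people,dc=slapshot,dc=liquidsys,dc=com"
    print(search_then_bind("user1", "test123", "(uid=%u)", base, sample_search, sample_bind))
    for user in ("nobody", "*"):   # no such entry; wildcard neutralised by escaping
        try:
            search_then_bind(user, "x", "(uid=%u)", base, sample_search, sample_bind)
        except LdapAuthError as e:
            print("%r -> %s" % (user, e))
```

Running it prints the DN for user1 and then "empty search" for both `nobody` and `*`: the escaped filter `(uid=\2a)` asks for a literal asterisk, whereas the raw `(uid=*)` that an unescaped substitution would send matches every entry under the base (sample_search(base, "(uid=*)") returns both DNs), which the "ambiguous search" branch then refuses. The first "empty search" is the same condition Jim hit, and the ldapsearch command in #6 is the way to reproduce it against a real server.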
