Results 1 to 10 of 14

Thread: GAL not working with Active Directory

  1. #1
    Join Date
    Apr 2007
    Posts
    12
    Rep Power
    8

    Default GAL not working with Active Directory

    I haven't been able to get GAL lookups to work with Active Directory. My authentication with active directory works great.

    In the zimbraAdmin I configured my baseDN "dc=company,dc=corp" which matches my actual AD setup. I bind with my username, do a search and hit "test", and while it says it is successful, it never comes back with data.

    If I remove the baseDN I get a SOAP error, I tried putting () around the baseDN and got a Java exception, I tried both the 'both' and 'external' search modes, and I never get data back. I also get no data when searching the GAL with the web client.

    Is there somewhere I can look for logs on what may be going on, or has someone configured this recently and it worked? I'm running ZCS 4.5.4.

  2. #2
    Join Date
    Sep 2005
    Location
    Tucson - San Francisco - Moscow
    Posts
    127
    Rep Power
    10

    Default

    Quote Originally Posted by ardiederich
    Can you post a SOAP trace? (run zimbraAdmin as https://yourserver.com:7071/zimbraAd...=false&debug=1)
    Bugzilla - Wiki - Downloads - Before posting... Search!
    P.S.: don't forget to vote on this bug
    add Samba LDAP entries to Exchange Migration Tool

  3. #3
    Join Date
    Apr 2007
    Posts
    12
    Rep Power
    8

    Default

    Quote Originally Posted by Greg View Post
    Can you post a SOAP trace? (run zimbraAdmin as https://yourserver.com:7071/zimbraAd...=false&debug=1)
    Sure. Note: This doesn't work in IE 6. There is a script error:
    Line: 45
    Char: 3
    Error: Invalid argument.
    Code: 0
    URL: https://yourserver.com:7071/zimbraAd...=false&debug=1

    In Firefox 2.0 it works, though. My slightly obfuscated SOAP:

    HTML Code:
    <soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope">
    <soap:Header>
    <context xmlns="urn:zimbra">
    <userAgent name="ZimbraWebClient - FF2.0 (Win)" version="undefined"/>
    <sessionId id="37"/>
    <authToken>
    0_b5eb8141bf6f5b13229d3f2842d84756b2e8110f_69643d33363a35396434306663312d656530322d346433372d626239382d6664393431656136363739393b6578703d31333a313137383137333830393532363b61646d696e3d313a313b
    </authToken>
    <format type="js"/>
    </context>
    </soap:Header>
    <soap:Body>
    <CheckGalConfigRequest xmlns="urn:zimbraAdmin">
    <a n="zimbraGalMode">
    ldap
    </a>
    <a n="zimbraGalLdapURL">
    ldap://exampledc.example.corp:389
    </a>
    <a n="zimbraGalLdapSearchBase">
    dc=example,dc=corp
    </a>
    <a n="zimbraGalLdapFilter">
    ad
    </a>
    <a n="zimbraGalLdapBindDn">
    andrew.diederich@example.corp
    </a>
    <a n="zimbraGalLdapBindPassword">
    notmypassword
    </a>
    <query>
    *andrew*
    </query>
    </CheckGalConfigRequest>
    </soap:Body>
    </soap:Envelope>
    And the response:
    Code:
    Body: {
      CheckGalConfigResponse: {
        _jsns: "urn:zimbraAdmin",
        code: [
          0: {
            _content: "check.OK"
           }
         ],
        message: [
          0: {
            _content: ""
           }
         ]
       }
     },
    Header: {
      context: {
        _jsns: "urn:zimbra",
        sessionId: [
          0: {
            _content: "37",
            id: "37",
            type: "admin"
           }
         ]
       }
     },
    _jsns: "urn:zimbraSoap"
    That SOAP debugger is really neat, by the way. I like the Mark feature.
    Last edited by ardiederich; 05-02-2007 at 12:40 PM. Reason: Fixing code / html posting

  4. #4
    Join Date
    Aug 2005
    Posts
    228
    Rep Power
    10

    Default

    Do you also have Exchange running? I seem to recall our default search filter for AD has a dependency on Exchange.

    One thing you might want to try is to configure your GAL as an external LDAP server, then enter a really simple search filter that you know should work and see if that works.

  5. #5
    Join Date
    Apr 2007
    Posts
    12
    Rep Power
    8

    Default

    Quote Originally Posted by schemers View Post
    Do you also have Exchange running? I seem to recall our default search filter for AD has a dependency on Exchange.
    No, we aren't using exchange. My hope is to use ZCS instead of exchange.

    One thing you might want to try is to configure your GAL as an external LDAP server, then enter a really simple search filter that you know should work and see if that works.
    That one does the trick. I used (&(|(cn=%s*)(sn=%s*)(gn=%s*)(mail=%s*))) as the LDAP filter. I left (|(cn=%s*)(sn=%s*)(gn=%s*)(mail=%s*)) as the autocomplete filter.

    The admin UI keeps deleting my LDAP filter when I go and configure GAL, which is unfortunate. I've just moved from 'both' to external, so I know which LDAP I'm getting data from.
    Last edited by ardiederich; 05-02-2007 at 04:11 PM. Reason: correctness
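How a %s filter template like the ones in the post above gets expanded, as an added example in Python (not Zimbra's code): it substitutes the user's query into the two filters from this post and hex-escapes the query's special characters per RFC 4515, so that a typed value cannot add assertions to the filter. The thread does not show whether or how Zimbra escapes the query itself; the escaping table, the constructed hostile query and the component-count check are this example's own.

```python
"""Expand a GAL LDAP filter template with a user-supplied query.

Added example, not Zimbra code. The two templates are the ones from post #5;
the escaping follows RFC 4515 section 3. '*' is deliberately passed through so
that the thread's own test query, *andrew*, still works; add "*": "\\2a" to the
table if typed asterisks should match literally instead.
"""

SEARCH_FILTER = "(&(|(cn=%s*)(sn=%s*)(gn=%s*)(mail=%s*)))"
AUTOCOMPLETE_FILTER = "(|(cn=%s*)(sn=%s*)(gn=%s*)(mail=%s*))"

# RFC 4515: backslash, parentheses and NUL must be hex-escaped in a value.
_ESCAPES = {"\\": "\\5c", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_filter_value(value: str) -> str:
    """Escape one assertion value so it cannot alter filter structure."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def expand_filter(template: str, query: str, escape: bool = True) -> str:
    """Substitute the query for every %s. escape=False shows the unsafe form."""
    value = escape_filter_value(query) if escape else query
    return template.replace("%s", value)


def assertion_count(ldap_filter: str) -> int:
    """Number of filter components. Escaped parens are rendered as '\\28' and
    '\\29', so every literal '(' left in the string is structural."""
    return ldap_filter.count("(")


def expand_checked(template: str, query: str) -> str:
    """Expand and verify the result keeps exactly the template's structure."""
    expanded = expand_filter(template, query)
    if assertion_count(expanded) != assertion_count(template):
        raise ValueError("query altered filter structure")
    return expanded


if __name__ == "__main__":
    # Constructed query that tries to append an always-true assertion.
    hostile = "andrew)(objectClass=*"
    print(expand_filter(SEARCH_FILTER, "*andrew*"))
    print(expand_filter(SEARCH_FILTER, hostile, escape=False))  # 10 components
    print(expand_checked(SEARCH_FILTER, hostile))                # still 6
```

Run it as a script to see the three expansions side by side; with escaping on, the hostile query becomes one assertion value (`cn=andrew\29\28objectClass=**`) instead of two extra filter components.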

  6. #6
    Join Date
    Aug 2005
    Posts
    228
    Rep Power
    10

    Default

    That is probably your best (well, only) bet for now, then.

    I think there is already a bug filed that says our default AD filter assumes Exchange is installed so we need to update it.

  7. #7
    Join Date
    Apr 2007
    Posts
    12
    Rep Power
    8

    Default

    I spoke slightly too soon. I get the first & last names back from the search to Active Directory, but not other data -- phone, cell phone, email, etc. Is there a way to specify the data to come back?

    I've done a command line ldapsearch, and I am getting data back:

    ldapsearch -h exampledc.example.corp -x -b "dc=example,dc=corp" -D "andrew.diederich@example.corp" -W cn="*andrew*"

    Gets back info like:
    cn: Andrew Diederich
    ...
    telephoneNumber: (202)555-1212
    mail:
    Last edited by ardiederich; 05-02-2007 at 04:25 PM. Reason: more info added

  8. #8
    Join Date
    Aug 2005
    Posts
    228
    Rep Power
    10

    Default

    The value of zimbraGalLdapAttrMap controls which gal attributes get requested, and how they get converted to our contact model. The default map can be obtained via zmprov:

    Code:
     /opt/zimbra/bin/zmprov gacf|grep zimbraGalLdapAttr
    zimbraGalLdapAttrMap: co=workCountry
    zimbraGalLdapAttrMap: company=company
    zimbraGalLdapAttrMap: description=notes
    zimbraGalLdapAttrMap: displayName,cn=fullName
    zimbraGalLdapAttrMap: givenName,gn=firstName
    zimbraGalLdapAttrMap: initials=initials
    zimbraGalLdapAttrMap: l=workCity
    zimbraGalLdapAttrMap: objectClass=objectClass
    zimbraGalLdapAttrMap: ou=department
    zimbraGalLdapAttrMap: physicalDeliveryOfficeName=office
    zimbraGalLdapAttrMap: postalCode=workPostalCode
    zimbraGalLdapAttrMap: sn=lastName
    zimbraGalLdapAttrMap: st=workState
    zimbraGalLdapAttrMap: street,streetAddress=workStreet
    zimbraGalLdapAttrMap: telephoneNumber=workPhone
    zimbraGalLdapAttrMap: title=jobTitle
    zimbraGalLdapAttrMap: whenChanged,modifyTimeStamp=modifyTimeStamp
    zimbraGalLdapAttrMap: whenCreated,createTimeStamp=createTimeStamp
    zimbraGalLdapAttrMap: zimbraCalResLocationDisplayName=zimbraCalResLocationDisplayName
    zimbraGalLdapAttrMap: zimbraCalResType=zimbraCalResType
    zimbraGalLdapAttrMap: zimbraId=zimbraId
    zimbraGalLdapAttrMap: zimbraMailDeliveryAddress,zimbraMailAlias,mail=email,email2,email3,email4,email5,email6
    zimbraGalLdapAttrMap: zimbraMailForwardingAddress=zimbraMailForwardingAddress
    The map is basically a set of rules that looks like:
    Code:
    a,b=c,d
    Where the attrs on the left-hand come from LDAP, and get mapped to the values on the right-hand side, which correspond to our contact model.

    For example the rule:

    zimbraGalLdapAttrMap: street,streetAddress=workStreet

    says if the LDAP result contains "street" map it to workStreet. If it doesn't contain "street" , then see if it contains "streetAddress" and map that to workStreet.

    If there are multiple values for a given attribute on the left-hand side, and multiple listed on the right-hand side, then it will map the values on the left to the values on the right sequentially, i.e. if you have:

    a=b,c

    And the LDAP result contains two values for a (lets assume "a1", and "a2"), then "b" will get set to "a1" , and "c" will get set to "a2".

    You can add/remove mappings using zmprov:
    Code:
    /opt/zimbra/bin/zmprov                            
    prov> mcf
    usage:  modifyConfig(mcf) attr1 value1 [attr2 value2...]
    prov> mcf +zimbraGalLdapAttrMap x=y
    prov> mcf -zimbraGalLdapAttrMap x=y
    prov>
    The syntax "+zimbraGalLdapAttrMap" means to add an additional zimbraGalLdapAttrMap attribute to the config, while "-zimbraGalLdapAttrMap" means to remove an existing setting.

    Our contact model contains (roughly, some of these might not be displayed in the client) the following set of fields, which I grabbed from Contact.java in the ZimbraServer source:
    Code:
        public static final String A_birthday = "birthday";
        public static final String A_callbackPhone = "callbackPhone";
        public static final String A_carPhone = "carPhone";
        public static final String A_company = "company";
        public static final String A_companyPhone = "companyPhone";
        public static final String A_department = "department";
        public static final String A_dlist = "dlist";
        public static final String A_email = "email";
        public static final String A_email2 = "email2";
        public static final String A_email3 = "email3";
        public static final String A_fileAs = "fileAs";
        public static final String A_firstName = "firstName";
        public static final String A_fullName = "fullName";
        public static final String A_homeCity = "homeCity";
        public static final String A_homeCountry = "homeCountry";
        public static final String A_homeFax = "homeFax";
        public static final String A_homePhone = "homePhone";
        public static final String A_homePhone2 = "homePhone2";
        public static final String A_homePostalCode = "homePostalCode";
        public static final String A_homeState = "homeState";
        public static final String A_homeStreet = "homeStreet";
        public static final String A_homeURL = "homeURL";
        public static final String A_image = "image";
        public static final String A_initials = "initials";
        public static final String A_jobTitle = "jobTitle";
        public static final String A_lastName = "lastName";
        public static final String A_middleName = "middleName";
        public static final String A_mobilePhone = "mobilePhone";
        public static final String A_namePrefix = "namePrefix";
        public static final String A_nameSuffix = "nameSuffix";
        public static final String A_nickname = "nickname";
        public static final String A_notes = "notes";
        public static final String A_office = "office";
        public static final String A_otherCity = "otherCity";
        public static final String A_otherCountry = "otherCountry";
        public static final String A_otherFax = "otherFax";
        public static final String A_otherPhone = "otherPhone";
        public static final String A_otherPostalCode = "otherPostalCode";
        public static final String A_otherState = "otherState";
        public static final String A_otherStreet = "otherStreet";
        public static final String A_otherURL = "otherURL";
        public static final String A_pager = "pager";
        public static final String A_workCity = "workCity";
        public static final String A_workCountry = "workCountry";
        public static final String A_workFax = "workFax";
        public static final String A_workPhone = "workPhone";
        public static final String A_workPhone2 = "workPhone2";
        public static final String A_workPostalCode = "workPostalCode";
        public static final String A_workState = "workState";
        public static final String A_workStreet = "workStreet";
        public static final String A_workURL = "workURL";
        public static final String A_type = "type";
    So you'll want to look at the AD attributes that you have set as the ones on the left-hand side of the rule, and then the above contact fields as the ones to map them to on the right-hand side.

    All this information needs to be put into the Wiki, I'll see if I can get it updated with the info in this post.
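The mapping rules described in the post above, implemented as an added Python example (not Zimbra's code): left-hand LDAP attributes are tried in order and the first one present wins, and multiple values are mapped positionally onto the right-hand contact fields. What Zimbra does when several left-hand attributes are present at once is not described in the thread, so first-present-wins is an assumption, as are the case-insensitive attribute lookup and the constructed AD entry, which is shaped like the ldapsearch output in post #7 with a `mobile` and a `streetAddress` value added.

```python
"""Apply zimbraGalLdapAttrMap-style rules to one LDAP search result.

Added example, not Zimbra's code: it implements the rules exactly as post #8
describes them. Behaviour when more than one left-hand attribute is present
(first present wins) and case-insensitive attribute matching are assumptions.
"""
from typing import Dict, List, Tuple

# Subset of the default map from post #8 that matters for an AD GAL.
DEFAULT_ATTR_MAP: List[str] = [
    "displayName,cn=fullName",
    "givenName,gn=firstName",
    "sn=lastName",
    "street,streetAddress=workStreet",
    "telephoneNumber=workPhone",
    "title=jobTitle",
    "zimbraMailDeliveryAddress,zimbraMailAlias,mail=email,email2,email3,email4,email5,email6",
]


def parse_rule(rule: str) -> Tuple[List[str], List[str]]:
    """'a,b=c,d' -> (['a', 'b'], ['c', 'd'])."""
    left, right = rule.split("=", 1)
    return [a.strip() for a in left.split(",")], [f.strip() for f in right.split(",")]


def _lookup(entry: Dict[str, List[str]], attr: str) -> List[str]:
    # LDAP attribute descriptions are case-insensitive, so match that way
    # (assumption about Zimbra; harmless for AD, which returns schema casing).
    wanted = attr.lower()
    for name, values in entry.items():
        if name.lower() == wanted:
            return values
    return []


def apply_attr_map(rules: List[str], entry: Dict[str, List[str]]) -> Dict[str, str]:
    """Build a contact (field -> value) from an LDAP entry (attr -> values)."""
    contact: Dict[str, str] = {}
    for rule in rules:
        ldap_attrs, fields = parse_rule(rule)
        values: List[str] = []
        for attr in ldap_attrs:  # try 'street', then 'streetAddress', ...
            values = _lookup(entry, attr)
            if values:
                break
        # Positional: a=b,c with values [a1, a2] sets b=a1, c=a2; surplus
        # values beyond the listed fields are dropped.
        for field, value in zip(fields, values):
            contact[field] = value
    return contact


def unmapped_attributes(rules: List[str], entry: Dict[str, List[str]]) -> List[str]:
    """Attributes in the result that no rule consumes: candidates for
    'zmprov mcf +zimbraGalLdapAttrMap <ldapAttr>=<contactField>'."""
    consumed = {a.lower() for rule in rules for a in parse_rule(rule)[0]}
    return sorted(name for name in entry if name.lower() not in consumed)


def sample_ad_entry() -> Dict[str, List[str]]:
    """Constructed AD result, shaped like the ldapsearch output in post #7."""
    return {
        "cn": ["Andrew Diederich"],
        "givenName": ["Andrew"],
        "sn": ["Diederich"],
        "mail": ["andrew.diederich@example.com"],
        "telephoneNumber": ["(202)555-1212"],
        "mobile": ["(202)555-1313"],            # AD's cell-phone attribute
        "streetAddress": ["1 Example Way"],     # AD has streetAddress, not street
        "proxyAddresses": ["SMTP:andrew.diederich@example.com"],
    }


if __name__ == "__main__":
    entry = sample_ad_entry()
    print(apply_attr_map(DEFAULT_ATTR_MAP, entry))
    print("not mapped:", unmapped_attributes(DEFAULT_ATTR_MAP, entry))
    # Same effect as: zmprov mcf +zimbraGalLdapAttrMap mobile=mobilePhone
    print(apply_attr_map(DEFAULT_ATTR_MAP + ["mobile=mobilePhone"], entry))
```

With the default rules the cell number never reaches the contact because no rule names `mobile`; `unmapped_attributes` lists exactly the attributes a `+zimbraGalLdapAttrMap` rule would still have to cover, which is the quickest way to explain a GAL card that shows only first and last name.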

  9. #9
    Join Date
    Apr 2007
    Posts
    12
    Rep Power
    8

    Default

    This is all excellent info, thanks. So, if I want to look at the mail addresses that have predefined maps, I do:

    /opt/zimbra/bin/zmprov gacf | grep zimbraGalLdapAttr | grep mail
    and I get
    zimbraGalLdapAttrMap: zimbraMailDeliveryAddress,zimbraMailAlias,mail=email,email2,email3,email4,email5,email6

    so what ZCS does is go from zimbraMailDeliveryAddress through mail, and as it finds results for those, maps them to email, email2, etc. So, my Active Directory value for mail should get mapped to the Zimbra value of email?

    What I'm seeing with packet sniffing from wireshark is the correct ldap responses are getting back to the linux server. e.g. I see a mail=me@example.com. What I see in the webmail UI, though, is just their FirstName LastName in the (cool) contact card resultset.

    Is there a way to debug the SOAP on the client, as well? That way I can see if the results are getting to the client, or are getting dropped on the server.

  10. #10
    Join Date
    Aug 2005
    Posts
    228
    Rep Power
    10

    Default

    If you start the client with ?debug=1 you should get a popup window with the soap debug in it. Another option is to use Firefox and install Firebug, as it has some nice debugging tools.
