Author Topic: LDAP address book on Zentyal 3  (Read 7180 times)

reano

  • Zen Monk
  • **
  • Posts: 61
  • Karma: +0/-0
    • View Profile
LDAP address book on Zentyal 3
« on: October 29, 2012, 03:22:05 pm »
We're trying to set it up so that our mail clients (Outlook and mostly Thunderbird) can access the LDAP address book on our server, but we can't get it to work. In Thunderbird, we're supplying the Base DN details as found on the LDAP page in Zentyal Web Admin, but we keep on getting the "Unable to replicate" error on the mail client.

reano

Re: LDAP address book on Zentyal 3
« Reply #1 on: October 30, 2012, 09:36:58 am »
Hi guys, any idea whether this is possible? :)

christian

  • Guest
Re: LDAP address book on Zentyal 3
« Reply #2 on: October 30, 2012, 09:38:47 am »
Please tell us a bit more about your conf.
Are you using port 389 or 390?
Did you try to enable LDAP log and see what happens?

reano

Re: LDAP address book on Zentyal 3
« Reply #3 on: October 30, 2012, 12:18:41 pm »
Well I don't know - that's why I'm posting :) I'm using the default Zentyal 3.0 configuration in regards to LDAP.

christian

  • Guest
Re: LDAP address book on Zentyal 3
« Reply #4 on: October 30, 2012, 12:20:01 pm »
Well, you should at least know if:
- you are using port 389 or 390
- you looked at syslog before

reano

Re: LDAP address book on Zentyal 3
« Reply #5 on: October 30, 2012, 12:40:03 pm »
Oh, I thought you meant what port the server is listening on. That I don't know, but I can tell you that I'm using port 389 on the client.

In the syslog, the only entries related to LDAP/SLAPD I can find are:

Oct 30 13:37:50 lia slapd[4388]: <= bdb_equality_candidates: (mail) not indexed
Oct 30 13:37:50  slapd[4388]: last message repeated 2 times

In Thunderbird, my Base DN is set to dc=mydomainname,dc=local
And Bind DN is set to testuser@mydomainname.local
When I click on download, it asks for my password, which I then supply. That is then followed by the "unable to replicate" error.
« Last Edit: October 30, 2012, 12:42:31 pm by reano »

christian

  • Guest
Re: LDAP address book on Zentyal 3
« Reply #6 on: October 30, 2012, 12:56:54 pm »
First, with Zentyal 3.0, because of the SambaLDAP server listening on port 389, you have to use port 390 (client side) in order to access the standard LDAP server.
Second, your bind DN is wrong. What you show is perhaps a mail address but for sure not an LDAP DN.

reano

Re: LDAP address book on Zentyal 3
« Reply #7 on: October 30, 2012, 01:32:37 pm »
Okay, if the Base DN is correct, what should the Bind DN be?
Thanks for the help so far :)

christian

  • Guest
Re: LDAP address book on Zentyal 3
« Reply #8 on: October 30, 2012, 02:54:25 pm »
Well, it depends... you have multiple choices here:
- access anonymously (do not set any DN)
- use user's DN
- use same unique DN for all clients

Choice should be based on ACL and access level you need. If the goal is only to read, I suppose anonymous access should work. I'll have a look later.
In any case, the DN should look like uid=something, ou=.../...dc=local

Are you running a Microsoft Windows environment too? (I'm asking because of this dc=local)

reano

Re: LDAP address book on Zentyal 3
« Reply #9 on: October 30, 2012, 04:19:06 pm »
Well, the workstations are Windows, yes. We also have a second server running on Windows Server that handles the SQL Server databases (it is not a domain controller, though).
I tried setting the Bind DN to ou=Users,dc=domainname,dc=local
Still no luck.

christian

  • Guest
Re: LDAP address book on Zentyal 3
« Reply #10 on: October 30, 2012, 04:33:25 pm »
So, strange to have selected ".local" as top level domain name. I thought it was a constraint due to an existing Microsoft domain. Anyway...

DN can't be "ou=users,dc=domain,dc=local". At least "uid=something,ou=users,dc=domain,dc=local", with "something" being an existing uid.
Have a look at the LDAP content using an LDAP browser.

reano

Re: LDAP address book on Zentyal 3
« Reply #11 on: October 30, 2012, 04:41:29 pm »
I did try uid and ou in the same line, though.
uid = the user name, or am I misunderstanding?

christian

  • Guest
Re: LDAP address book on Zentyal 3
« Reply #12 on: October 30, 2012, 04:50:48 pm »
Yes, uid is your LDAP login.

reano

Re: LDAP address book on Zentyal 3
« Reply #13 on: October 30, 2012, 05:33:37 pm »
I created a user on the Zentyal box with username anonymous, password anonymous.

I want the users to be able to access the LDAP directory anonymously (read-only), so I set the following:
On the client PC with Thunderbird, I have my Base DN as: dc=domainname,dc=local . Bind DN blank.
That doesn't work. I then tried Base DN: uid=anonymous,ou=Users,dc=domainname,dc=local . Bind DN blank.
Still doesn't work.
I'm doing something wrong, aren't I? :P


christian

  • Guest
Re: LDAP address book on Zentyal 3
« Reply #14 on: October 30, 2012, 06:59:11 pm »
You don't need to create any "anonymous" user to get anonymous access. If you do not supply any bind DN, you will access anonymously.
If you still can't get any entry, I suggest you change the LDAP log level and look at syslog to see what happens (as suggested in my first reply).
This is done by changing the olcloglevel attribute value in cn=config (RootDSE) (default is "0", you can change it to "256").
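
The bind DN values tried in this thread can be told apart before they ever reach the server. The following is an added example, not part of any post above: it assumes the "uid=...,ou=...,dc=..." user DN shape described in the replies, and the function names and result labels are hypothetical.

```python
import re

# One RDN component in string form: attribute type, '=', value (simplified RFC 4514).
_RDN = re.compile(r"^\s*([A-Za-z][A-Za-z0-9-]*|\d+(?:\.\d+)*)\s*=\s*(.+?)\s*$", re.S)

def split_dn(dn):
    """Split a DN into (attr, value) pairs, honouring backslash-escaped commas.
    Raises ValueError when a component is not attr=value."""
    parts, buf, i = [], "", 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            buf += dn[i:i + 2]          # keep the escape pair together
            i += 2
            continue
        if ch == ",":
            parts.append(buf)
            buf = ""
        else:
            buf += ch
        i += 1
    parts.append(buf)
    rdns = []
    for part in parts:
        m = _RDN.match(part)
        if not m:
            raise ValueError("not attr=value: %r" % part)
        rdns.append((m.group(1).lower(), m.group(2)))
    return rdns

def classify_bind_dn(bind_dn, base_dn):
    """Classify what a client-side bind DN setting will amount to."""
    if not bind_dn.strip():
        return "anonymous"              # empty bind DN means an anonymous bind
    try:
        rdns = split_dn(bind_dn)
    except ValueError:
        return "not-a-dn"               # e.g. a mail address or user@domain login
    base = [(a, v.lower()) for a, v in split_dn(base_dn)]
    norm = [(a, v.lower()) for a, v in rdns]
    if norm[-len(base):] != base:
        return "outside-base"           # does not end with the base DN
    if norm[0][0] != "uid":
        return "container"              # an OU or the base itself, not a user entry
    return "user-dn"

if __name__ == "__main__":
    base = "dc=domainname,dc=local"     # placeholder base DN as written in the thread
    for candidate in ("", "testuser@domainname.local",
                      "ou=Users,dc=domainname,dc=local",
                      "uid=testuser,ou=Users,dc=domainname,dc=local"):
        print(repr(candidate), "->", classify_bind_dn(candidate, base))
```

The check is purely syntactic: a "user-dn" result only means the value has the right shape, and whether the entry exists and may read the address book is still decided by the server's ACLs.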