Author Topic: Zentyal 4.1.2 and Zimbra 8 - LDAP Authentication  (Read 10595 times)

jwilliams1976

Re: Zentyal 4.1.2 and Zimbra 8 - LDAP Authentication
« Reply #15 on: July 28, 2015, 11:56:00 pm »
Still no luck with the NONE at the end. I am not able to telnet to port 389 using PuTTY. I get a Network Error: Software caused connection abort.

I can however use JXplorer (jxplorer.org) to log in and browse the entire LDAP tree. ldapsearch also works fine from another Linux client. With JXplorer I can see that the Administrator user indeed has the sAMAccountName attribute and it is set to Administrator. The distinguishedName is set to "CN=Administrator Zentyal,CN=Users,CN=deidomain,CN=lan" though. When I set the Administrator password through the Zentyal GUI it will not save without having something in the Last Name field so I added the Zentyal part. Doubt that has anything to do with it. To log in with JXplorer I use the following settings:



I use another service called LogicalDOC that also authenticates against this server with these same credentials. I'm pretty sure the Zentyal/Samba4 side is OK; it's just a matter of the Apache settings.

alvarog_silva

Re: Zentyal 4.1.2 and Zimbra 8 - LDAP Authentication
« Reply #16 on: August 03, 2015, 06:35:30 pm »
 :-\ :-\ :-\ :'( :'( :'( :'(

Until now, none of the methods described before works.

Panzerfather

Re: Zentyal 4.1.2 and Zimbra 8 - LDAP Authentication
« Reply #17 on: October 25, 2015, 06:29:06 am »
Code:
Alias /test "/apachetest/"
<Directory /apachetest/>
    Options Indexes FollowSymLinks Includes ExecCGI MultiViews
    AllowOverride None
    AuthBasicProvider ldap
    AuthType Basic
    AuthName "DEI Internal Website"
    AuthLDAPURL "ldap://192.168.2.12:389/cn=Users,dc=deidomain,dc=lan,?sAMAccountName?sub?(objectClass=*)"
    AuthLDAPBindDN "cn=Administrator,cn=Users,dc=deidomain,dc=lan"
    AuthLDAPBindPassword "password"
    Require valid-user
</Directory>

If you haven't fixed it by now, the answer to your problem should be simple: the AuthLDAPURL you are using is spelled wrong. Instead of

AuthLDAPURL "ldap://192.168.2.12:389/cn=Users,dc=deidomain,dc=lan,?sAMAccountName?sub?(objectClass=*)"

it should be [without the comma after your domain]

Quote
AuthLDAPURL "ldap://192.168.2.12:389/cn=Users,dc=deidomain,dc=lan?sAMAccountName?sub?(objectClass=*)"

Just like https://httpd.apache.org/docs/2.4/mod/mod_authnz_ldap.html tells you! ;D And if you are not running LDAP on the same server (and pointing to localhost), you should also run a secured connection via ldaps:// instead of ldap://! ;)

Until now, none of the methods described before works.

Is your domain ending really "local"? On a Windows AD server this wouldn't cause any problems, but on a Linux AD server that's a bad idea because of mDNS problems: http://wiki.ubuntuusers.de/samba_winbind#Die-TLD-der-Domain-ist-local-example-local. It would be better if you use another ending like lan or intranet if you want to avoid these problems.

What is the output of the following (only available on Windows)? Don't forget to replace youradminusername: ::)
Quote
dsquery user -name youradminusername

The credentials in the picture only work when Zimbra can convert them to UPN, but that's unlikely. Otherwise they simply would be wrong for LDAP authentication.

Which of these credential formats for your USER DN did you also try?

Quote
1. DN format
cn=myadmin,cn=Users,dc=zentyal,dc=local

2. DN format (short)
cn=myadmin,dc=zentyal,dc=local

3. UPN format
myadmin@zentyal.local

Can you also post your zimbra config?
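
Added example, not part of the thread or of Apache's code: a small Python linter for the AuthLDAPURL layout discussed above (basedn?attribute?scope?filter), which catches the stray trailing comma in the base DN and flags ldap:// to a non-local host. The function name and messages are made up for this illustration; the two sample URLs are the ones quoted in this reply.

```python
import re

LOOPBACK = {"localhost", "127.0.0.1", "[::1]"}

# The two URLs quoted in the reply above (first one has the stray comma).
BROKEN = "ldap://192.168.2.12:389/cn=Users,dc=deidomain,dc=lan,?sAMAccountName?sub?(objectClass=*)"
FIXED = "ldap://192.168.2.12:389/cn=Users,dc=deidomain,dc=lan?sAMAccountName?sub?(objectClass=*)"


def lint_authldapurl(url):
    """Return a list of problems in an AuthLDAPURL value (empty list = none found)."""
    problems = []
    scheme, sep, rest = url.partition("://")
    if not sep or scheme not in ("ldap", "ldaps"):
        return ["not an ldap:// or ldaps:// URL"]
    hosts, _, tail = rest.partition("/")
    # Layout after the host part: basedn?attribute?scope?filter
    fields = tail.split("?")
    base_dn = fields[0]
    scope = fields[2] if len(fields) > 2 else ""

    # Every RDN between unescaped commas must look like attr=value;
    # a trailing comma leaves an empty last component.
    for i, rdn in enumerate(re.split(r"(?<!\\),", base_dn), start=1):
        attr, eq, value = rdn.partition("=")
        if not (attr.strip() and eq and value.strip()):
            problems.append(f"base DN component {i} is malformed: {rdn!r}")

    if scope and scope not in ("base", "one", "sub"):
        problems.append(f"unknown search scope {scope!r}")

    # mod_authnz_ldap accepts several space-separated hosts; check each one.
    if scheme == "ldap":
        for host in hosts.split():
            name = host if host.endswith("]") else host.rsplit(":", 1)[0]
            if name not in LOOPBACK:
                problems.append(
                    f"ldap:// to remote host {name} is unencrypted unless STARTTLS is configured"
                )
    return problems


if __name__ == "__main__":
    for label, url in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, lint_authldapurl(url))
```

Run against the two URLs, the first reports the empty fourth base DN component plus the plaintext transport, and the corrected one reports only the transport finding.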

speedaemon

Re: Zentyal 4.1.2 and Zimbra 8 - LDAP Authentication
« Reply #18 on: March 09, 2016, 02:50:51 am »
I was wondering if anyone finally resolved this issue. I am having the same problem getting OpenVPN Access Server (OpenVPN-AS) to connect, but I am also having a problem using ldapsearch to test the connection and continually receive an error:

ldap bind: Invalid Credentials (49)
additional info: Simple Bind Failed: NT_STATUS_LOGON_FAILURE

The command I used was:

ldapsearch -x -H ldaps://<FQDN> -D "cn=Administrator,cn=Users,dc=zentyal,dc=local" -b "cn=Users,dc=zentyal,dc=local" -W

Also used:

ldapsearch -x -h <IP Address> -p 389 -D "cn=Administrator,cn=Users,dc=zentyal,dc=local" -b "cn=Users,dc=zentyal,dc=local" -W

My connection to Zentyal for authenticating VPN users was working successfully before I upgraded to Zentyal 4.0 (currently on 4.2.2). Since then I have not been able to perform any authentication. I have also changed the "Administrator" password to confirm that I was using the same one in the command.

I was hoping that someone could help me figure out where I have gone wrong.

mmarable

Re: Zentyal 4.1.2 and Zimbra 8 - LDAP Authentication
« Reply #19 on: March 09, 2016, 04:27:07 pm »
Have you tried using UPN format?

speedaemon

Re: Zentyal 4.1.2 and Zimbra 8 - LDAP Authentication
« Reply #20 on: March 09, 2016, 05:37:48 pm »
mmarable,

Using the UPN format worked with the following statement format:

ldapsearch -x -h <IP Address> -p 389 -D "Administrator@zentyal.local" -b "cn=Users,dc=zentyal,dc=local" -W

But if I change the "Bind DN" in the configuration for OpenVPN Access Server to use the UPN format it doesn't appear to work.

It appears that the instructions for setup of the LDAP authentication have changed over time, but I am not familiar with the method by which the "Bind DN" in the instructions is being established. If you have any insight into how I can translate what was used in the ldapsearch parameters above to the OpenVPN Access Server method I would appreciate it.

https://openvpn.net/index.php/access-server/docs/admin-guides/190-how-to-authenticate-users-with-active-directory.html

mmarable

Re: Zentyal 4.1.2 and Zimbra 8 - LDAP Authentication
« Reply #21 on: March 09, 2016, 08:30:14 pm »
Okay, so let's try it this way.



In step 2 above, replace with your [Netbios Domain Name]\Administrator where netbios domain name is shown below in Zentyal under Domain>Settings.



If you look back at the first page of this post you will see I have posted pics using this exact format in pfSense.

Hope this gets you going.
« Last Edit: March 09, 2016, 08:33:01 pm by mmarable »

mmarable

Re: Zentyal 4.1.2 and Zimbra 8 - LDAP Authentication
« Reply #22 on: March 24, 2016, 07:33:26 pm »
speedaemon,

Were you ever able to resolve your issue?

speedaemon

Re: Zentyal 4.1.2 and Zimbra 8 - LDAP Authentication
« Reply #23 on: March 30, 2016, 06:31:49 pm »
mmarable,

I did not resolve the issue. I did finally realize that the problem was related to the OpenVPN Access Server and not a problem with Zentyal, although the help you provided with the UPN format made the task easier to diagnose. I eventually had to set up a new OpenVPN-AS and shut down the old server. It appeared to be a firewall issue but I couldn't track down the problem, and since OpenVPN-AS creates its own firewall rules I didn't want to mess with it too deeply.

Thanks again

mmarable

Re: Zentyal 4.1.2 and Zimbra 8 - LDAP Authentication
« Reply #24 on: March 30, 2016, 07:02:14 pm »
You bet. Glad you got it fixed.