Zentyal Forum, Linux Small Business Server

Zentyal Server => Installation and Upgrades => Topic started by: alvarog_silva on July 02, 2015, 10:15:47 pm

Title: Zentyal 4.1.2 and Zimbra 8 - LDAP Authentication
Post by: alvarog_silva on July 02, 2015, 10:15:47 pm
Hi folks  :D

I've been wondering if it is possible to authenticate users from ZIMBRA in the LDAP tree of Zentyal Server.

I do have a Zentyal 3.4.8, which I authenticate all users from my Zimbra 8 Mail server successfully working. But when it comes to Zentyal 4, I can't get it through, since the latest Zentyal doesn't show username and password in the section 'LDAP Settings'.

If somebody has a clue on how to get it working on Zentyal 4, please share.

Thanks   

PS: I've tried a lot of configurations on the Zimbra side, including setting a password for the user Administrator on the Zentyal side. Either way I can't authenticate any users, since at the final process of configuration, 'Configure Authentication', the 'test' to see if any user could get its credentials fails.
Title: Re: Zentyal 4.1.2 and Zimbra 8 - LDAP Authentication
Post by: alvarog_silva on July 02, 2015, 10:51:49 pm
I've checked this solution https://oitibs.com/zentyal-4-1-ldap-authentication/

But it's not working either.
Title: Re: Zentyal 4.1.2 and Zimbra 8 - LDAP Authentication
Post by: mmarable on July 15, 2015, 05:21:15 pm
I am wondering if you have been able to resolve your issue. I wrote the article mentioned above and have not had any problems authenticating users against Zentyal 4.1. Are you getting any meaningful errors logged by Zimbra?
Title: Re: Zentyal 4.1.2 and Zimbra 8 - LDAP Authentication
Post by: alvarog_silva on July 22, 2015, 03:13:50 pm
Hi

Actually I've not been able to solve this issue. I've tried the methods you described, among other actions I've found over the internet, but none of those solutions solved the issue.

Did you have this kind of scenario working 100%?
Title: Re: Zentyal 4.1.2 and Zimbra 8 - LDAP Authentication
Post by: mmarable on July 24, 2015, 04:00:30 pm
Can you telnet to port 389 from a machine on the same LAN segment?
Title: Re: Zentyal 4.1.2 and Zimbra 8 - LDAP Authentication
Post by: mmarable on July 24, 2015, 07:55:17 pm
Here is my exact setup with screenshots. This example is authenticating pfsense against Zentyal 4.1.3.

First you must ensure you have changed the password of the Administrator in "Users & Computers" > "Manage". Next you will need to note your LDAP Settings located at "Users & Computers" > "LDAP Settings".

(https://forum.zentyal.org/index.php?action=dlattach;topic=25556.0;attach=5383;image)

Once you have taken note of those settings, head over to pfsense "System" > "User Manager" > "Servers" and add a server. Below you will note the connection settings. Note "ZENTYAL" highlighted in yellow is the netbios domain name of the Zentyal server. You can also use the format Administrator@zentyal.local.

(https://forum.zentyal.org/index.php?action=dlattach;topic=25556.0;attach=5381;image)

While I understand that this is not Zimbra specific (I don't use or support Zimbra), the configuration will hopefully get you moving in the right direction.
Title: Re: Zentyal 4.1.2 and Zimbra 8 - LDAP Authentication
Post by: mmarable on July 24, 2015, 08:04:59 pm
Also, you can refer to: http://wiki.zimbra.com/wiki/LDAP_Authentication and http://stackoverflow.com/questions/13932900/zimbra-login-authentication-error-with-external-ldap

Specifically "LDAP bind DN" which in the case above would be:

cn=Administrator,cn=Users,dc=zentyal,dc=local - DN format

Administrator@zentyal.local - UPN Format
Title: Re: Zentyal 4.1.2 and Zimbra 8 - LDAP Authentication
Post by: jwilliams1976 on July 26, 2015, 06:39:25 am
Has anyone been able to get Apache to authenticate to the Zentyal 4.1 LDAP? I have tried everything I can find but have had no luck. I have other services working with it so I know it's working on the Zentyal server side. My other services use DOMAINNAME\Administrator style for the Bind DN but Apache gives a 500 internal server error when I use that. cn=Administrator,cn=Users,dc=domainname,dc=lan style gives me a Password Mismatch error in the Apache log.
Title: Re: Zentyal 4.1.2 and Zimbra 8 - LDAP Authentication
Post by: mmarable on July 27, 2015, 05:30:28 pm
What version of Apache?

It is important to note that if running Apache 2.4.x, the configuration directive AuthnProviderAlias no longer works with the updated version. AuthLDAPURL, AuthLDAPBindDN and AuthLDAPBindPassword must now be declared inside the virtual directory tags.

Title: Re: Zentyal 4.1.2 and Zimbra 8 - LDAP Authentication
Post by: mmarable on July 27, 2015, 05:42:49 pm
The following setup is working with Apache 2.4.6 authentication against Zentyal 4.1.3

<Location />
   AuthType Basic
   AuthName "LDAP Credentials Required"
   AuthBasicProvider ldap
   AuthLDAPURL "ldap://develop.zentyal.local:389/cn=Users,dc=zentyal,dc=local?sAMAccountName?sub?(objectClass=*)"
   AuthLDAPBindDN "cn=Administrator,cn=Users,dc=zentyal,dc=local"
   AuthLDAPBindPassword "[zentyal.administrator.password]"
   Require ldap-group "cn=Users,dc=zentyal,dc=local"
</Location>
Title: Re: Zentyal 4.1.2 and Zimbra 8 - LDAP Authentication
Post by: jwilliams1976 on July 27, 2015, 11:43:28 pm
I still can't get this to work. With this setup I always get:
Code: [Select]
[Mon Jul 27 14:34:44.938751 2015] [auth_basic:error] [pid 29828:tid 140253874984704] [client 127.0.0.1:46336] AH01617: user jwilliams: authentication failure for "/test": Password Mismatch
Not sure if it's even getting to the LDAP server or if it can't supply the correct password. I am positive that both the Administrator Bind password is correct as well as the user password through the browser. Here is my relevant Apache code. This is inside of the <VirtualHost *:80> container. I have tried a <Location> container instead of <Directory> but it doesn't make any difference.

Code: [Select]
Alias /test "/apachetest/"
<Directory /apachetest/>
    Options Indexes FollowSymLinks Includes ExecCGI MultiViews
    AllowOverride None
    AuthBasicProvider ldap
    AuthType Basic
    AuthName "DEI Internal Website"
    AuthLDAPURL "ldap://192.168.2.12:389/cn=Users,dc=deidomain,dc=lan,?sAMAccountName?sub?(objectClass=*)"
    AuthLDAPBindDN "cn=Administrator,cn=Users,dc=deidomain,dc=lan"
    AuthLDAPBindPassword "password"
    Require valid-user
</Directory>
Title: Re: Zentyal 4.1.2 and Zimbra 8 - LDAP Authentication
Post by: mmarable on July 28, 2015, 06:41:54 pm
First, what version of Apache are you running?

Second, I would suggest removing the alias until you get the authentication working.
Title: Re: Zentyal 4.1.2 and Zimbra 8 - LDAP Authentication
Post by: jwilliams1976 on July 28, 2015, 07:25:11 pm
I am using Apache 2.4.7. I have tried without the alias and get the exact same results but will go ahead and eliminate the alias for now. Any idea if the Apache error log means the Bind DN is failing or the user login is failing?
Title: Re: Zentyal 4.1.2 and Zimbra 8 - LDAP Authentication
Post by: mmarable on July 28, 2015, 07:36:38 pm
Update the following line with....

Code: [Select]
AuthLDAPURL "ldap://192.168.2.12:389/cn=Users,dc=deidomain,dc=lan?sAMAccountName?sub?(objectClass=*)" NONE
I am thinking that will get it done. If not, please check and make sure you can telnet to port 389 from a machine on the same LAN.
Title: Re: Zentyal 4.1.2 and Zimbra 8 - LDAP Authentication
Post by: alvarog_silva on July 28, 2015, 09:45:21 pm
Hi everyone,

So, I tried all different methods to get it working, but didn't get any results at this time. I see that the Zimbra Server is 8.5.1, and has an updated version which is 8.6.0, and I'll update to see if it works.

Thanks a lot for all the answers  :D

I'll keep this post updated, so anyone who may have this problem could get some help.

See ya
Title: Re: Zentyal 4.1.2 and Zimbra 8 - LDAP Authentication
Post by: jwilliams1976 on July 28, 2015, 11:56:00 pm
Still no luck with the NONE at the end. I am not able to telnet to port 389 using PuTTY. I get a Network Error: Software caused connection abort.

I can however use JXplorer (http://jxplorer.org) to log in and browse the entire LDAP tree. ldapsearch also works fine from another Linux client. With JXplorer I can see that the Administrator user indeed has the sAMAccountName attribute and it is set to Administrator. The distinguishedName is set to "CN=Administrator Zentyal,CN=Users,CN=deidomain,CN=lan" though. When I set the Administrator password through the Zentyal GUI it will not save without having something in the Last Name field so I added the Zentyal part. Doubt that has anything to do with it. To log in with JXplorer I use the following settings:

(https://lh3.googleusercontent.com/9Lt5s23vy9BBelTNE5fHdhLAwJrbj0hT4k6ED_9Oj6s=w450-h340-no)

I use another service called LogicalDOC that also authenticates against this server with these same credentials. I'm pretty sure the Zentyal/Samba4 side is OK it's just a matter of the Apache settings.
Title: Re: Zentyal 4.1.2 and Zimbra 8 - LDAP Authentication
Post by: alvarog_silva on August 03, 2015, 06:35:30 pm
 :-\ :-\ :-\ :'( :'( :'( :'(

Until now, none of the methods described before works.
Title: Re: Zentyal 4.1.2 and Zimbra 8 - LDAP Authentication
Post by: Panzerfather on October 25, 2015, 06:29:06 am
Code: [Select]
Alias /test "/apachetest/"
<Directory /apachetest/>
    Options Indexes FollowSymLinks Includes ExecCGI MultiViews
    AllowOverride None
    AuthBasicProvider ldap
    AuthType Basic
    AuthName "DEI Internal Website"
    AuthLDAPURL "ldap://192.168.2.12:389/cn=Users,dc=deidomain,dc=lan,?sAMAccountName?sub?(objectClass=*)"
    AuthLDAPBindDN "cn=Administrator,cn=Users,dc=deidomain,dc=lan"
    AuthLDAPBindPassword "password"
    Require valid-user
</Directory>

If you haven't fixed it by now, the answer to your problem should be simple: the AuthLDAPURL you are using is spelled wrong. Instead of

AuthLDAPURL "ldap://192.168.2.12:389/cn=Users,dc=deidomain,dc=lan,?sAMAccountName?sub?(objectClass=*)"

it should be [without the comma after your domain]

Quote
AuthLDAPURL "ldap://192.168.2.12:389/cn=Users,dc=deidomain,dc=lan?sAMAccountName?sub?(objectClass=*)"

Just like https://httpd.apache.org/docs/2.4/mod/mod_authnz_ldap.html tells you! ;D And if you are not running LDAP on the same server (and pointing to localhost), you should also run a secured connection via ldaps:// instead of ldap://! ;)

Quote
Until now, none of the methods described before works.

Is your domain ending really "local"? On a Windows AD server this wouldn't cause any problems, but on a Linux AD server that's a bad idea because of mDNS problems: http://wiki.ubuntuusers.de/samba_winbind#Die-TLD-der-Domain-ist-local-example-local. It would be better if you use another ending like lan or intranet if you want to avoid these problems.

What is the output of the following (only available on Windows)? Don't forget to replace youradminusername: ::)
Quote
dsquery user -name youradminusername

The credentials in the picture only work when Zimbra can convert them to UPN, but that's unlikely. Otherwise they simply would be wrong for LDAP authentication.

Which of these credential formats for your USER DN did you also try?

Quote
1. DN format
cn=myadmin,cn=Users,dc=zentyal,dc=local

2. DN format (short)
cn=myadmin,dc=zentyal,dc=local

3. UPN format
myadmin@zentyal.local

Can you also post your zimbra config?
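
An added example (not code from this thread, Apache or Zentyal): a small Python linter for the two problems discussed in the post above, the stray comma in the AuthLDAPURL base DN and the choice of bind identity format, plus the ldap:// versus ldaps:// point. The function names are made up for illustration, the DN check is deliberately simplified, and `upn_for` assumes the default UPN suffix built from the dc= components.

```python
import re

# One RDN such as "cn=Users". Simplified: no escaped commas or multi-valued RDNs.
RDN = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=[^,=]+$")

def dn_problems(dn):
    """Return syntax problems in a DN, such as the trailing comma from the thread."""
    problems = []
    for i, rdn in enumerate(dn.split(",")):
        if not rdn.strip():
            problems.append(f"empty RDN at position {i} (stray comma)")
        elif not RDN.match(rdn.strip()):
            problems.append(f"malformed RDN {rdn.strip()!r}")
    return problems

def lint_ldap_url(url):
    """Lint an AuthLDAPURL value: scheme://host:port/basedn?attribute?scope?filter."""
    scheme, _, rest = url.partition("://")
    hostport, _, tail = rest.partition("/")
    host = hostport.rsplit(":", 1)[0]
    base_dn = tail.split("?")[0]
    findings = [f"base DN: {p}" for p in dn_problems(base_dn)]
    if scheme == "ldap" and host not in ("localhost", "127.0.0.1"):
        findings.append("ldap:// to a remote host: simple bind is unencrypted unless StartTLS is used")
    return findings

def bind_id_format(bind_id):
    """Classify a bind identity as one of the formats tried in the thread."""
    if "\\" in bind_id:
        return "NetBIOS"   # ZENTYAL\Administrator
    if "=" in bind_id:
        return "DN"        # cn=Administrator,cn=Users,dc=zentyal,dc=local
    if "@" in bind_id:
        return "UPN"       # Administrator@zentyal.local
    return "unknown"

def upn_for(account, base_dn):
    """Build account@domain from the dc= components (assumes the default UPN suffix)."""
    labels = [r.split("=", 1)[1].strip() for r in base_dn.split(",")
              if r.strip().lower().startswith("dc=")]
    return f"{account}@{'.'.join(labels)}"

# URLs quoted from the thread: the first has the trailing comma, the second is the fix.
BROKEN = "ldap://192.168.2.12:389/cn=Users,dc=deidomain,dc=lan,?sAMAccountName?sub?(objectClass=*)"
FIXED = "ldap://192.168.2.12:389/cn=Users,dc=deidomain,dc=lan?sAMAccountName?sub?(objectClass=*)"

if __name__ == "__main__":
    for label, url in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, lint_ldap_url(url))
```

A DN-format bind only succeeds when the string matches the entry's actual distinguishedName, so check it against what a directory browser shows before blaming the password.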
Title: Re: Zentyal 4.1.2 and Zimbra 8 - LDAP Authentication
Post by: speedaemon on March 09, 2016, 02:50:51 am
I was wondering if anyone finally resolved this issue. I am having the same problem getting OpenVPN Access Server (OpenVPN-AS) to connect, but I am also having a problem using ldapsearch to test the connection and continually receive an error:

ldap bind: Invalid Credentials (49)
additional info: Simple Bind Failed: NT_STATUS_LOGON_FAILURE

The command I used was:

ldapsearch -x -H ldaps://<FQDN> -D "cn=Administrator,cn=Users,dc=zentyal,dc=local" -b "cn=Users,dc=zentyal,dc=local" -W

Also used:

ldapsearch -x -h <IP Address> -p 389 -D "cn=Administrator,cn=Users,dc=zentyal,dc=local" -b "cn=Users,dc=zentyal,dc=local" -W

My connection to Zentyal for authenticating vpn users was working successfully before I upgraded to Zentyal 4.0 (currently on 4.2.2). Since then I have not been able to perform any authentication. I have also changed the "Administrator" password to confirm that I was using the same in the command.

I was hoping that someone could help me figure out where I have gone wrong.
Title: Re: Zentyal 4.1.2 and Zimbra 8 - LDAP Authentication
Post by: mmarable on March 09, 2016, 04:27:07 pm
Have you tried using UPN format?
Title: Re: Zentyal 4.1.2 and Zimbra 8 - LDAP Authentication
Post by: speedaemon on March 09, 2016, 05:37:48 pm
mmarable,

Using the UPN format worked with the following statement format:

ldapsearch -x -h <IP Address> -p 389 -D "Administrator@zentyal.local" -b "cn=Users,dc=zentyal,dc=local" -W

But if I change the "Bind DN" in the configuration for OpenVPN Access Server to use the UPN format it doesn't appear to work.

It appears that the instructions for setup of the LDAP authentication have changed over time, but I am not familiar with the method by which the "Bind DN" in the instructions is being established. If you have any insight in how I can translate what was used in the ldapsearch parameters above to the OpenVPN Access Server method I would appreciate it.

https://openvpn.net/index.php/access-server/docs/admin-guides/190-how-to-authenticate-users-with-active-directory.html
Title: Re: Zentyal 4.1.2 and Zimbra 8 - LDAP Authentication
Post by: mmarable on March 09, 2016, 08:30:14 pm
Okay, so let's try it this way.

(https://forum.zentyal.org/index.php?action=dlattach;topic=25556.0;attach=5675)

In step 2 above, replace with your [Netbios Domain Name]\Administrator where netbios domain name is shown below in Zentyal under Domain>Settings.

(https://forum.zentyal.org/index.php?action=dlattach;topic=25556.0;attach=5677)

If you look back at the first page of this post you will see I have posted pics using this exact format in pfSense.

Hope this gets you going.
Title: Re: Zentyal 4.1.2 and Zimbra 8 - LDAP Authentication
Post by: mmarable on March 24, 2016, 07:33:26 pm
speedaemon,

Were you ever able to resolve your issue?
Title: Re: Zentyal 4.1.2 and Zimbra 8 - LDAP Authentication
Post by: speedaemon on March 30, 2016, 06:31:49 pm
mmarable,

I did not resolve the issue. I did finally realize that the problem was related to the OpenVPN - Access Server and not a problem with Zentyal, although the help you provided with the UPN format made the task easier to diagnose. I eventually had to set up a new OpenVPN-AS and shut down the old server. It appeared to be a firewall issue but I couldn't track down the problem, and since OpenVPN-AS creates its own firewall rules I didn't want to mess with it too deeply.

Thanks again
Title: Re: Zentyal 4.1.2 and Zimbra 8 - LDAP Authentication
Post by: mmarable on March 30, 2016, 07:02:14 pm
You bet. Glad you got it fixed.