External LDAP authentication with zimbraAuthLdapExternalDn: Difference between revisions

No edit summary
 
(15 intermediate revisions by 2 users not shown)
Line 1: Line 1:
=How to configure auto-provisioning (autoprov) with AD=
{{BC|Community Sandbox}}
{{KB|{{Unsupported}}|{{ZCS XXX}}|{{ZCS XXX}}|}}
__FORCETOC__
<div class="col-md-12 ibox-content">
= How to configure external LDAP authentication with zimbraAuthLdapExternalDn=
{{KB|{{ZC}}|{{ZCS 8.6}}|{{ZCS 8.5}}|{{ZCS 8.0}}|}}


<!-- Wiki/Article Body -->
<!-- Wiki/Article Body -->


=== Zimbra auto-provisioining ===
=== External LDAP authentication ( zimbraAuthLdapExternalDn ) ===
----
----


; '''This article explains how to configure automatic user provisioning, if Zimbra is configured to use external LDAP (Active Directory). ''' : ''More information on how to configure Zimbra with AD can be found: [[https://wiki.zimbra.com/wiki/Configure_authentication_with_Active_Directory  here]]''
''More information on how to configure Zimbra with AD can be found: [[https://wiki.zimbra.com/wiki/Configure_authentication_with_Active_Directory  here]]''




Line 13: Line 16:
==== Solution ====
==== Solution ====
----
----
'''1. Create a file with the following entries:'''


$ vim /tmp/autoprov.txt
The idea behind this type of authentication is to use a zimbra user that does not exists in AD, but at the same time to be able to login to his WebUI using already existing AD user.


md example.com zimbraAutoProvAccountNameMap "samAccountName"
'''How to steps:'''
md example.com zimbraAutoProvAttrMap description=description
md example.com zimbraAutoProvAttrMap cn=displayName
md example.com zimbraAutoProvAttrMap givenName=givenName
md example.com zimbraAutoProvAttrMap sn=displayName
md example.com zimbraAutoProvAuthMech LDAP
md example.com zimbraAutoProvBatchSize 40
md example.com zimbraAutoProvLdapAdminBindDn "CN=Administrator,CN=Users,DC=example,DC=com"
md example.com zimbraAutoProvLdapAdminBindPassword secret
md example.com zimbraAutoProvLdapBindDn "Administrator@example.com"
md example.com zimbraAutoProvLdapSearchBase "OU=zimbrausers,dc=example,dc=com"
md example.com zimbraAutoProvLdapSearchFilter "(cn=%u)"
md example.com zimbraAutoProvLdapURL "ldap://192.168.0.1:389"
md example.com zimbraAutoProvMode EAGER
md example.com zimbraAutoProvNotificationBody "Your account has been auto provisioned.  Your email address is ${ACCOUNT_ADDRESS}."
md example.com zimbraAutoProvNotificationFromAddress prov-admin@example.com
md example.com zimbraAutoProvNotificationSubject "New account auto provisioned"
ms server.example.com zimbraAutoProvPollingInterval "1m"
ms server.example.com +zimbraAutoProvScheduledDomains "example.com"


1. Create user test@example.com


The options are self-explanatory. The ones that you might want to change according to your environment are:
[[File:Ext1.jpeg]]
:zimbraAutoProvLdapAdminBindDn
:zimbraAutoProvLdapAdminBindPassword
:zimbraAutoProvLdapSearchBase
:zimbraAutoProvLdapURL


For the last two entries starting with '''ms''', you have to use your server's fqdn.
----
'''2. Execute the file:'''
$ zmprov < /tmp/autoprov.txt
:prov> md example.com zimbraAutoProvAccountNameMap "samAccountName"
:prov> md example.com zimbraAutoProvAttrMap description=description
:prov> md example.com zimbraAutoProvAttrMap cn=displayName
:prov> md example.com zimbraAutoProvAttrMap givenName=givenName
:prov> md example.com zimbraAutoProvAttrMap sn=displayName
:prov> md example.com zimbraAutoProvAuthMech LDAP
:prov> md example.com zimbraAutoProvBatchSize 40
:prov> md example.com zimbraAutoProvLdapAdminBindDn "CN=Administrator,CN=Users,DC=azmo,DC=com"
:prov> md example.com zimbraAutoProvLdapAdminBindPassword Zimbra1
:prov> md example.com zimbraAutoProvLdapBindDn "Administrator@example.com"
:prov> md example.com zimbraAutoProvLdapSearchBase "OU=zimbrausers,dc=azmo,dc=com"
:prov> md example.com zimbraAutoProvLdapSearchFilter "(cn=%u)"
:prov> md example.com zimbraAutoProvLdapURL "ldap://192.168.56.70:389"
:prov> md example.com zimbraAutoProvMode EAGER
:prov> md example.com zimbraAutoProvNotificationBody "Your account has been auto provisioned.  Your email address is ${ACCOUNT_ADDRESS}."
:prov> md example.com zimbraAutoProvNotificationFromAddress prov-admin@example.com
:prov> md example.com zimbraAutoProvNotificationSubject "New account auto provisioned"
:prov> ms nine.example.com zimbraAutoProvPollingInterval "1m"
:prov> ms nine.example.com +zimbraAutoProvScheduledDomains "example.com"


With the red we see where to write the bindDN of the account we will use for the setup. More information on the syntax of this value can be found in '''/opt/zimbra/docs/externalldapauth.txt'''. Excerpt from that file:
Account attribute zimbraAuthLdapExternalDn
          Unlike (A) and (B), which are domain settings, this is an account level setting.
          This overrides the bind template and/or search setting, and directly contains the DN for the user in the external ldap server.
      zimbraAuthLdapBindDn and zimbraAuthLdapSearchFilter can contain expansion variables that are to be substituted by components in the account name:
          %n = username with @ (or without, if no @ was specified)
          %u = username with @ removed
          %d = domain as foo.com
          %D = domain as dc=foo,dc=com
          e.g. for user pshao@zimbra.com
          %n => pshao@zimbra.com
          %u => pshao
          %d => zimbra.com
          %D => dc=zimbra,dc=com
      '''example for zimbraAuthLdapBindDn:''' uid=%u,ou=people,%D  (whatever LDAP DIT structure they are using)


The configuration work without the need of restarts.


----
----
'''3.''' To test, create a user in AD, and then follow the entries in /opt/zimbra/log/mailbox.log file. To be able to see more, enable [[https://wiki.zimbra.com/wiki/Using_log4j_to_Configure_mailboxd_Logging debug]].
2. Create a user in AD. We will be using that user for the authentication of user ''test''.  
:Ideally you have to see the following output in normal logging mode:
 
*before adding entries
2015-07-09 03:22:00,484 INFO  [AutoProvision] [] autoprov - Auto provisioning accounts on domain example.com
2015-07-09 03:22:00,490 INFO  [AutoProvision] [] autoprov - 0 external LDAP entries returned as search result
2015-07-09 03:22:00,490 INFO  [AutoProvision] [] autoprov - Auto Provisioning has finished for now, setting last polled timestamp: 20150709022200.488Z


*after adding new entries
[[File:Ext2.jpeg]]
2015-07-09 03:26:00,546 INFO  [AutoProvision] [] autoprov - Auto provisioning accounts on domain example.com
2015-07-09 03:26:00,553 INFO  [AutoProvision] [] autoprov - 1 external LDAP entries returned as search result
2015-07-09 03:26:00,553 INFO  [AutoProvision] [] autoprov - auto creating account in EAGER mode: test@example.com, dn="CN=test,OU=zimbrausers,DC=example,DC=com"
2015-07-09 03:26:00,558 INFO  [AutoProvision] [] autoprov - Auto Provisioning has finished for now, setting last polled timestamp: 20150709022600.550Z
2015-07-09 03:26:00,565 INFO  [AutoProvision] [] autoprov - Sleeping for 60000 milliseconds.




----
----
'''4.''' If we login with the test@example.com, we can see that there is an e-mail sent as per our attributes:
3. View of the AD user from Softerra LDAP browser.
:md example.com zimbraAutoProvNotificationBody "Your account has been auto provisioned.  Your email address is ${ACCOUNT_ADDRESS}."
:md example.com zimbraAutoProvNotificationFromAddress prov-admin@example.com
:md example.com zimbraAutoProvNotificationSubject "New account auto provisioned"
 
[[File:Autoprov.jpeg|1,010px]]


[[File:Ext3.jpeg]]




----
----
4. After the above steps are completed we can test the configuration by logging with the zimbra user that does not exists in AD. Here is a little excerpt from mailbox.log during the authentication of user ''test'':


==== More information ====
2015-09-23 18:10:06,259 DEBUG [qtp1937601231-102:http://127.0.0.1:80/service/soap/AuthRequest] [name=test@azmo.com;oip=192.168.56.1;ua=zclient/8.0.9_GA_6191;] account - auth with explicit  dn of CN=test2,CN=zimbra,DC=azmo,DC=com
 
2015-09-23 18:10:06,283 DEBUG [qtp1937601231-102:http://127.0.0.1:80/service/soap/AuthRequest] [name=test@azmo.com;oip=192.168.56.1;ua=zclient/8.0.9_GA_6191;] ldap - OPEN_CONN - millis=[23], resp=[0 (success)], usage=[LDAP_AUTH_EXTERNAL], conn=[7], url=[ldap://192.168.56.40:389], connType=[PLAIN], bindDN=[CN=test2,CN=zimbra,DC=azmo,DC=com]
More information for the attributes can be found in '''/opt/zimbra/docs/autoprov.txt''' file.
 
There is a [[https://bugzilla.zimbra.com/show_bug.cgi?id=82587 bug]] regarding auto-provisioning and zimbra versions prior  ZCS 8.0.8. If you have zimbra 8.0.7 and lower, the auto-provisioning works only the first time. Then it stops, due to the difference in the ''zimbraAutoProvLastPolledTimestamp'' format in zimbra and in AD. This attribute need to be set to null, to be able to have the autoprov automatically pulling the entries.
 


Summary of the logging:
* test@azmo.com - the user we log into WebUI.
* CN=test2,CN=zimbra,DC=azmo,DC=com - the user we use to bind to, when authenticating against AD
* 192.168.56.40 - AD server
----
----
==== Troubleshooting ====
'''1.''' Some of the exceptions thrown during the configuration are clear, but some are not and the following information will help with troubleshooting:
'''LDAP errors and exceptions'''
Exception: [LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data <span style="color:#FF0000"> 52e </span>, v893]
Raw: [LdapErr: DSID-0Cxxxxxx, comment: AcceptSecurityContext error, data xxx, vece ]
There are several values that can indicate what LDAP function is causing the issue. Here are some general references for Microsoft Active Directory:
The AD-specific error code is the one after ''data'' and before ''vece'' or ''v893'' in the actual error string returned to the binding process.
{| border="1" style="border-collapse: collapse;"
|-
| 525 || user not found
|-
| 52e || invalid credentials
|-
| 530 || not permitted to logon at this time
|-
| 531 || not permitted to logon at this workstation
|-
| 532 || password expired
|-
| 533 || account disabled
|-
| 534 || The user has not been granted the requested logon type at this machine
|-
| 701 || account expired
|-
| 773 || user must reset password
|-
| 775 || user account locked
|-
| 8350 || DN format is incorrect
|}


----
{{Article Footer|Zimbra Collaboration 8.6, 8.5, 8.0| 31/05/2016}}
{{NeedSME|SME1|SME2|COPY EDITOR}}
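Review bot: the new walkthrough and its log excerpt disagree on the environment: step 1 creates test@example.com, but the mailbox.log lines at the end show name=test@azmo.com and a bind DN under DC=azmo,DC=com, so a reader cannot tell which domain the screenshots belong to; pick one and use it throughout. The same excerpt records connType=[PLAIN] against url=[ldap://192.168.56.40:389], i.e. a simple bind that sends the AD user's password in cleartext; a sentence pointing readers to ldaps:// or StartTLS would be worth adding. Dropping the AD error-code table (525, 52e, 530, ...) also loses material that applies equally to failed external binds with zimbraAuthLdapExternalDn; consider keeping it under the Troubleshooting heading.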

Latest revision as of 09:35, 18 October 2016

How to configure external LDAP authentication with zimbraAuthLdapExternalDn

   KB 22350        Last updated on 2016-10-18  






External LDAP authentication ( zimbraAuthLdapExternalDn )


More information on how to configure Zimbra with AD can be found here: https://wiki.zimbra.com/wiki/Configure_authentication_with_Active_Directory


Solution


The idea behind this type of authentication is to have a Zimbra user that does not exist in AD, while still being able to log in to that user's Web UI with the credentials of an existing AD user.

How-to steps:

1. Create user test@example.com

[Screenshot: Ext1.jpeg]


The field highlighted in red is where we enter the bind DN of the AD account that will be used for this user's authentication. More information on the syntax of this value can be found in /opt/zimbra/docs/externalldapauth.txt. Excerpt from that file:

Account attribute zimbraAuthLdapExternalDn
         Unlike (A) and (B), which are domain settings, this is an account level setting.
         This overrides the bind template and/or search setting, and directly contains the DN for the user in the external ldap server.
     zimbraAuthLdapBindDn and zimbraAuthLdapSearchFilter can contain expansion variables that are to be substituted by components in the account name:
         %n = username with @ (or without, if no @ was specified)
         %u = username with @ removed
         %d = domain as foo.com
         %D = domain as dc=foo,dc=com
         e.g. for user pshao@zimbra.com
         %n => pshao@zimbra.com
         %u => pshao
         %d => zimbra.com
         %D => dc=zimbra,dc=com
     example for zimbraAuthLdapBindDn: uid=%u,ou=people,%D  (whatever LDAP DIT structure they are using)



2. Create a user in AD. We will be using that user for the authentication of user test.

[Screenshot: Ext2.jpeg]



3. View of the AD user from Softerra LDAP browser.

[Screenshot: Ext3.jpeg]



4. After the above steps are completed, we can test the configuration by logging in as the Zimbra user that does not exist in AD. Here is a short excerpt from mailbox.log during the authentication of user test:

2015-09-23 18:10:06,259 DEBUG [qtp1937601231-102:http://127.0.0.1:80/service/soap/AuthRequest] [name=test@azmo.com;oip=192.168.56.1;ua=zclient/8.0.9_GA_6191;] account - auth with explicit   dn of CN=test2,CN=zimbra,DC=azmo,DC=com
2015-09-23 18:10:06,283 DEBUG [qtp1937601231-102:http://127.0.0.1:80/service/soap/AuthRequest] [name=test@azmo.com;oip=192.168.56.1;ua=zclient/8.0.9_GA_6191;] ldap - OPEN_CONN - millis=[23], resp=[0 (success)], usage=[LDAP_AUTH_EXTERNAL], conn=[7], url=[ldap://192.168.56.40:389], connType=[PLAIN], bindDN=[CN=test2,CN=zimbra,DC=azmo,DC=com]

Summary of the logging:

  • test@azmo.com - the user we log in to the Web UI as.
  • CN=test2,CN=zimbra,DC=azmo,DC=com - the DN we bind as when authenticating against AD (the value set in zimbraAuthLdapExternalDn).
  • 192.168.56.40 - the AD server
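The two rules the excerpt from externalldapauth.txt describes (an account-level zimbraAuthLdapExternalDn used verbatim, otherwise the domain's bind DN template with %n/%u/%d/%D expanded) and the OPEN_CONN log line above, worked through in an added example that is not Zimbra's own code. The function names, the log-line regex and the reading of connType=[PLAIN] as "neither LDAPS nor StartTLS" are this example's assumptions; the sample log line is reconstructed from the excerpt above.

```python
# Added example (not Zimbra code): models how the external-auth bind DN is
# chosen, and checks an OPEN_CONN line from mailbox.log against that DN.
import re
from typing import List, Optional

# Sample line built from the article's mailbox.log excerpt (constructed input).
SAMPLE_LOG_LINE = (
    "2015-09-23 18:10:06,283 DEBUG [qtp1937601231-102] [name=test@azmo.com;] "
    "ldap - OPEN_CONN - millis=[23], resp=[0 (success)], usage=[LDAP_AUTH_EXTERNAL], "
    "conn=[7], url=[ldap://192.168.56.40:389], connType=[PLAIN], "
    "bindDN=[CN=test2,CN=zimbra,DC=azmo,DC=com]"
)


def expand_vars(template: str, account_name: str) -> str:
    """Expand %n, %u, %d and %D as documented in externalldapauth.txt."""
    if "@" in account_name:
        user, domain = account_name.split("@", 1)
    else:  # %n keeps the name as given when no @ was specified
        user, domain = account_name, ""
    # %D rewrites foo.com as dc=foo,dc=com (empty string when there is no domain)
    dc = ",".join(f"dc={label}" for label in domain.split(".") if label)
    values = {"n": account_name, "u": user, "d": domain, "D": dc}
    return re.sub(r"%([nudD])", lambda m: values[m.group(1)], template)


def resolve_bind_dn(account_name: str, domain_bind_dn_template: str,
                    account_external_dn: Optional[str] = None) -> str:
    """Account-level zimbraAuthLdapExternalDn wins over the domain template."""
    if account_external_dn:
        return account_external_dn  # used verbatim, no variable expansion
    return expand_vars(domain_bind_dn_template, account_name)


_CONN = re.compile(r"url=\[(?P<url>[^\]]*)\].*?connType=\[(?P<conn>[^\]]*)\]"
                   r".*?bindDN=\[(?P<dn>[^\]]*)\]")


def check_open_conn(line: str, expected_dn: str) -> Optional[List[str]]:
    """Findings for an OPEN_CONN line; None if the line is not one."""
    m = _CONN.search(line)
    if not m:
        return None
    findings = []
    if m["dn"] != expected_dn:
        findings.append("bind DN in log differs from the configured DN")
    # connType PLAIN over ldap:// (assumed: neither LDAPS nor StartTLS) means the
    # simple bind sends the AD user's password across the network in cleartext.
    if m["conn"] == "PLAIN" and m["url"].startswith("ldap://"):
        findings.append("cleartext simple bind; use ldaps:// or StartTLS")
    return findings
```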

Verified Against: Zimbra Collaboration 8.6, 8.5, 8.0 Date Created: 31/05/2016
Article ID: https://wiki.zimbra.com/index.php?title=External_LDAP_authentication_with_zimbraAuthLdapExternalDn Date Modified: 2016-10-18





Wiki/KB reviewed by SME1 SME2 COPY EDITOR Last edit by Teodor Vizirov