LDAP / Active directory


LDAP connectivity test page?

Does anyone have an example php ldap connectivity test page? Or is there any way to do a test or diagnostic connection to an LDAP server from within the Tiki application?

I'm trying to get a Tiki site (1.9.9) to authenticate off of a Zimbra site's OpenLDAP implementation. This particular tiki site is on an Ubuntu 6.06 vmware virtual machine - Apache/2.0.55 (Ubuntu) mod_python/3.1.4 Python/2.4.3 PHP/5.1.2 mod_ruby/1.2.5 Ruby/1.8.4(2005-12-24) mod_ssl/2.0.55 OpenSSL/0.9.8a. The Zimbra 5.0.2 site is on a separate Ubuntu 6.06 vmware virtual machine.

On the same vm as the Apache/Tiki site there is an OpenFire jabber server which is authenticating just fine off of the Zimbra's OpenLDAP server.

I've configured the Tiki as in http://doc.tikiwiki.org/tiki-index.php?page_ref_id=127 including making the change to userslib.php - but any login other than admin gets the 'invalid username or password' error.

When I check the OpenLDAP logs on the Zimbra server I can't find any evidence that the Tiki site is even connecting to the OpenLDAP server - yet I know connectivity works because the OpenFire jabber server on the same vm is authenticating just fine.

Any suggestions would be greatly appreciated.

Thank you,

Eric

Eric, any chance you can post your config here for review? Is your openldap configured to allow anonymous bind? If not

This is the Zimbra slapd.conf

zimbra@zimbra:~/openldap/etc/openldap$ cat slapd.conf
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
#ucdata-path "/opt/zimbra/openldap/ucdata"
include "/opt/zimbra/openldap/etc/openldap/schema/core.schema"
include "/opt/zimbra/openldap/etc/openldap/schema/cosine.schema"
include "/opt/zimbra/openldap/etc/openldap/schema/inetorgperson.schema"
include "/opt/zimbra/openldap/etc/openldap/schema/amavisd.schema"
include "/opt/zimbra/openldap/etc/openldap/schema/zimbra.schema"

# Define global ACLs to disable default read access.

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org

# Set the number of threads to 8. Large thread values increase contention
# and noticibly impact performance
threads 8

# Sets the number of tool-threads to 1. This value should match the number
# of real CPUs/cores on the box (i.e., do not include Hyper-Threading values).
#tool-threads 1

pidfile "/opt/zimbra/openldap/var/run/slapd.pid"
argsfile "/opt/zimbra/openldap/var/run/slapd.args"

TLSCertificateFile /opt/zimbra/conf/slapd.crt
TLSCertificateKeyFile /opt/zimbra/conf/slapd.key
TLSVerifyClient never

loglevel @@ldap_log_level@@

# Load dynamic backend modules:
modulepath /opt/zimbra/openldap/libexec/openldap
moduleload back_bdb.la
moduleload back_monitor.la
moduleload syncprov.la
moduleload accesslog.la

# Sample security restrictions
# Require integrity protection (prevent hijacking)
# Require 112-bit (3DES or better) encryption for updates
# Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64

# Sample access control policy:
# Root DSE: allow anyone to read it
# Subschema (sub)entry DSE: allow anyone to read it
# Other DSEs:
# Allow self write access
# Allow authenticated users read access
# Allow anonymous users to authenticate
# Directives needed to implement policy:
# access to dn.base="" by * read
# access to dn.base="cn=Subschema" by * read
# access to *
# by self write
# by users read
# by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn. (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!

access to dn.subtree=""
    by dn.children="cn=admins,cn=zimbra" write
    by * break

access to dn.base=""
    by * read

access to dn.base="cn=Subschema"
    by * read

# don't let user's change their own passwords, since we want
# to enforce password policy
access to attrs=userPassword
    by anonymous auth
    by dn.children="cn=admins,cn=zimbra" write

access to dn.subtree="cn=zimbra"
    by dn.children="cn=admins,cn=zimbra" write

# don't let anyone but admins access these attrs
access to attrs=zimbraZimletUserProperties,zimbraGalLdapBindPassword,zimbraGalLdapBindDn,zimbraAuthTokenKey,zimbraPreAuthKey,zimbraPasswordHistory,zimbraIsAdminAccount,zimbraAuthLdapSearchBindPassword
    by dn.children="cn=admins,cn=zimbra" write
    by * none

# objectClass access for Amavis
access to attrs=objectclass
    by dn.children="cn=admins,cn=zimbra" write
    by dn.exact="uid=zmpostfix,cn=appaccts,cn=zimbra" read
    by dn.exact="uid=zmamavis,cn=appaccts,cn=zimbra" read
    by * read

# objectClass=amavisAccount access for Amavis
access to attrs=amavisAccount
    by dn.children="cn=admins,cn=zimbra" write
    by dn.exact="uid=zmamavis,cn=appaccts,cn=zimbra" read

access to attrs=mail
    by dn.children="cn=admins,cn=zimbra" write
    by dn.exact="uid=zmamavis,cn=appaccts,cn=zimbra" read
    by * break

# Allow access to zimbraAllowFromAddress for postfix for smtpd_sender_login_maps
access to attrs=zimbraAllowFromAddress
    by dn.children="cn=admins,cn=zimbra" write
    by dn.exact="uid=zmpostfix,cn=appaccts,cn=zimbra" read

# only allow access to these attrs basically GAL/Postfix related attrs
access to filter=(!(zimbraHideInGal=TRUE)) attrs=cn,co,company,dc,displayName,givenName,gn,initials,l,mail,o,ou,physicalDeliveryOfficeName,postalCode,sn,st,street,streetAddress,telephoneNumber,title,uid
    by dn.children="cn=admins,cn=zimbra" write
    by dn.exact="uid=zmpostfix,cn=appaccts,cn=zimbra" read
    by * read

access to attrs=zimbraId,zimbraMailAddress,zimbraMailAlias,zimbraMailCanonicalAddress,zimbraMailCatchAllAddress,zimbraMailCatchAllCanonicalAddress,zimbraMailCatchAllForwardingAddress,zimbraMailDeliveryAddress,zimbraMailForwardingAddress,zimbraPrefMailForwardingAddress,zimbraMailHost,zimbraMailStatus,zimbraMailTransport,zimbraDomainName,zimbraDomainType,zimbraPrefMailLocalDeliveryDisabled
    by dn.children="cn=admins,cn=zimbra" write
    by dn.exact="uid=zmpostfix,cn=appaccts,cn=zimbra" read
    by * read

access to attrs=entry
    by dn.children="cn=admins,cn=zimbra" write
    by * read

#######################################################################
# config database definition
#######################################################################
database config
rootpw {SSHA}*******ssha hash**********

#######################################################################
# monitor database definition
#######################################################################
database monitor
rootdn "cn=config"
access to dn.children="cn=monitor"
    by dn.children="cn=admins,cn=zimbra" read

#######################################################################
# accesslog database definition
#######################################################################
###include /opt/zimbra/conf/master-accesslog.conf

#######################################################################
# BDB database definitions
#######################################################################
database bdb
suffix ""
rootdn "cn=config"

# number of entries to keep in memory
cachesize 10000
# number of search results to keep in memory
idlcachesize 10000

# check point whenever 64k data bytes written or
# 5 minutes has elapsed whichever occurs first
checkpoint 64 5

# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory "/opt/zimbra/openldap-data"

# Indices to maintain
index objectClass eq
index zimbraForeignPrincipal eq
index zimbraId eq
index zimbraVirtualHostname eq
index zimbraVirtualIPAddress eq
index zimbraAuthKerberos5Realm eq
index zimbraMailCatchAllAddress eq,sub
index zimbraMailDeliveryAddress eq,sub
index zimbraMailForwardingAddress eq
index zimbraMailAlias eq,sub
index zimbraMailTransport eq
index zimbraDomainName eq,sub
index zimbraShareInfo sub
index uid pres,eq

# white pages
index mail pres,eq,sub
index cn pres,eq,sub
index displayName pres,eq,sub
index sn pres,eq,sub
index gn pres,eq,sub

# calendar resources
index zimbraCalResSite eq,sub
index zimbraCalResBuilding eq,sub
index zimbraCalResFloor eq,sub
index zimbraCalResRoom eq,sub
index zimbraCalResCapacity eq

# recommended for replication
index entryUUID eq
index entryCSN eq

sizelimit unlimited
timelimit unlimited

#overlay syncprov
#syncprov-checkpoint 100 10
#syncprov-sessionlog 500

###include /opt/zimbra/conf/master-accesslog-overlay.conf
zimbra@zimbra:~/openldap/etc/openldap$


domain record and user container in Zimbra ldap

dn: dc=mydomain,dc=com
zimbraId: ****************
dc: mydomain
zimbraDomainName: mydomain.com
zimbraDomainType: local
objectClass: dcObject
objectClass: organization
objectClass: zimbraDomain
o: mydomain.com domain
structuralObjectClass: organization
entryUUID: ************************
creatorsName: uid=zimbra,cn=admins,cn=zimbra
createTimestamp: 20070101201351Z
zimbraGalMaxResults: 100
zimbraGalMode: zimbra
description: My Domain
zimbraDomainDefaultCOSId: ********************
zimbraMailStatus: enabled
zimbraDomainStatus: active
entryCSN: ******************
modifiersName: uid=zimbra,cn=admins,cn=zimbra
modifyTimestamp: **************8

dn: ou=people,dc=mydomain,dc=com
ou: people
objectClass: organizationalRole
cn: people
structuralObjectClass: organizationalRole
entryUUID: ********************
creatorsName: uid=zimbra,cn=admins,cn=zimbra
createTimestamp: ****************
entryCSN: ***********************
modifiersName: uid=zimbra,cn=admins,cn=zimbra
modifyTimestamp: **************


This is what a typical user record looks like in the Zimbra ldap:

dn: uid=john,ou=people,dc=mydomain,dc=com
zimbraMailTransport: lmtp:zimbra.mydomain.com:7025
zimbraAccountStatus: active
zimbraMailDeliveryAddress: john@mydomain.com
givenName: John
sn: Doe
zimbraMailStatus: enabled
zimbraId: *******
mail: john@mydomain.com
displayName: John Doe
uid: john
objectClass: organizationalPerson
objectClass: zimbraAccount
objectClass: amavisAccount
cn: John Doe
zimbraCOSId: ***************
zimbraMailHost: zimbra.mydomain.com
structuralObjectClass: organizationalPerson
entryUUID: ************
creatorsName: uid=zimbra,cn=admins,cn=zimbra
createTimestamp: ***********
zimbraPasswordModifiedTime: ************
userPassword:: ************hash*****************
zimbraPrefSkin: steel
zimbraPrefComposeFormat: html
zimbraPrefGroupMailBy: message
zimbraPrefMailItemsPerPage: 50
zimbraPrefCalendarApptReminderWarningTime: 15
zimbraLastLogonTimestamp: ****************
entryCSN: ******************
modifiersName: uid=zimbra,cn=admins,cn=zimbra
modifyTimestamp: ***************


In Tiki login config I set:
Auth type: LDAP
host: ip address of the zimbra server
port: 389
create user if not in tiki: checked
just use tiki auth for admin: checked
scope: sub
base dn: dc=mydomain,dc=com
user dn: ou=people
user attribute: uid
user oc: organizationalPerson

The rest, as I understand it, aren't used right now, but:
group dn: ou=Groups (doesn't really exist in Zimbra ldap)
group attribute: cn
group oc: groupOfUniqueNames
member attribute: uniqueMember
member is dn: n
admin user: blank
admin password: blank

Zimbra does allow anonymous bind because I can connect with lat (LDAP Administrator Tool) anonymously and see the user list and attributes. My OpenFire jabber server is also doing an anonymous bind to the Zimbra LDAP and getting the list of users.

Thanks.


Ahhhhh! Sorry - I fixed it - it was a stupid, stupid error.

In the Tiki config I had misspelled 'organizationalPerson' for the user oc. I checked it 20 times but never caught it until posting the config in response to this message.

Oh well - for anyone wanting to authenticate TikiWiki off of a Zimbra install's OpenLDAP this config works...

Auth type: LDAP
host: ip address of the zimbra server
port: 389
create user if not in tiki: checked
just use tiki auth for admin: checked
scope: sub
base dn: dc=mydomain,dc=com
user dn: ou=people
user attribute: uid
user oc: organizationalPerson
admin user: blank
admin password: blank

Thanks for helping me catch my own dumb error!

Eric



That's great, and good catch. Glad I could help.

Question for my engineering side. Would this work if you used
oc: zimbraAccount

\\Greg
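Eric's opening question asked for a PHP LDAP connectivity test page, and the thread then showed how a misspelled object class in the Tiki settings produces a misleading "invalid username or password" rather than a connection error. The following command-line script is an added example written for this thread; it is not part of Tiki or Zimbra. It walks the same steps Tiki's LDAP login takes with the settings posted above (anonymous bind because admin user/password are blank, search with scope sub under the user dn plus base dn, filter on the user attribute and user oc, then bind as the matched DN) and reports which step fails. The host, port, base dn, ou, attribute, object class, login and password are all taken from the command line; the filter_escape() helper is included because ldap_escape() only exists in PHP 5.6 and later, and the thread's server runs PHP 5.1.2.

```php
<?php
// ldap-test.php: command-line LDAP connectivity and login diagnostic.
// Constructed example for this thread; not Tiki's or Zimbra's own code.
//
// Usage:
//   php ldap-test.php <host> <port> <base dn> <user ou> <user attr> <user oc> <login> <password>
// Example (values constructed from the settings posted in this thread):
//   php ldap-test.php 192.0.2.10 389 dc=mydomain,dc=com ou=people uid organizationalPerson john 'secret'

// Escape a value for use inside an LDAP search filter (RFC 4515 rules).
// PHP >= 5.6 ships ldap_escape() with LDAP_ESCAPE_FILTER; this helper keeps the
// script usable on the older PHP build mentioned in the thread.
function filter_escape($value)
{
    $map = array('\\' => '\5c', '*' => '\2a', '(' => '\28', ')' => '\29', "\0" => '\00');
    return strtr($value, $map);
}

// Print the failing step with the server's error text and stop.
function fail($msg, $conn = null)
{
    if ($conn) {
        $msg .= ' (' . ldap_error($conn) . ')';
    }
    fwrite(STDERR, "FAIL: $msg\n");
    exit(1);
}

if ($argc !== 9) {
    fwrite(STDERR, "usage: php ldap-test.php <host> <port> <base dn> <user ou> <user attr> <user oc> <login> <password>\n");
    exit(2);
}
list(, $host, $port, $baseDn, $userOu, $userAttr, $userOc, $login, $password) = $argv;

// Attribute and object class names are schema identifiers, not filter values:
// reject anything that is not a plain LDAP descriptor instead of escaping it.
foreach (array('user attr' => $userAttr, 'user oc' => $userOc) as $label => $name) {
    if (!preg_match('/^[A-Za-z][A-Za-z0-9-]*$/', $name)) {
        fail("$label '$name' is not a valid LDAP attribute/objectClass name");
    }
}

// Step 1: connect. ldap_connect() does not open the socket until the first
// operation, so an unreachable host surfaces at the bind below, not here.
$conn = ldap_connect($host, (int) $port);
if (!$conn) {
    fail("ldap_connect() rejected host/port $host:$port");
}
ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);

// Step 2: anonymous bind, which is what Tiki does when admin user/password are blank.
// The posted slapd.conf grants "by anonymous auth" on userPassword and "by * read"
// on the GAL attributes, so this is expected to succeed against that server.
if (!@ldap_bind($conn)) {
    fail("anonymous bind to $host:$port failed", $conn);
}
echo "OK: anonymous bind to $host:$port\n";

// Step 3: search the way the Tiki settings describe: scope sub under
// "<user dn>,<base dn>", filtering on the user attribute AND the user oc.
// A misspelled object class (the error found in this thread) matches zero
// entries here, which Tiki then reports as a bad username/password.
$searchBase = $userOu . ',' . $baseDn;
$filter = sprintf('(&(objectClass=%s)(%s=%s))', $userOc, $userAttr, filter_escape($login));
$res = @ldap_search($conn, $searchBase, $filter, array('1.1')); // '1.1' = return no attributes, DN only
if (!$res) {
    fail("search under $searchBase with $filter failed", $conn);
}
$entries = ldap_get_entries($conn, $res);
if ($entries['count'] === 0) {
    fail("no entry matched $filter under $searchBase; check the object class and attribute spelling");
}
if ($entries['count'] > 1) {
    fail("{$entries['count']} entries matched $filter; the login must resolve to exactly one DN");
}
$userDn = $entries[0]['dn'];
echo "OK: found $userDn\n";

// Step 4: bind as the matched DN with the supplied password. An empty password
// is refused first, because LDAP servers treat a DN with no password as an
// anonymous bind and would report success without checking any credential.
if ($password === '') {
    fail("empty password would be an anonymous bind, not a credential check; refusing");
}
ldap_unbind($conn);
$conn = ldap_connect($host, (int) $port);
ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
if (!@ldap_bind($conn, $userDn, $password)) {
    fail("bind as $userDn failed", $conn);
}
echo "OK: bind as $userDn succeeded; LDAP authentication works end to end\n";
ldap_unbind($conn);
```

Run it from the Tiki host so it exercises the same network path as Apache; a failure at step 2 is connectivity or ACL, at step 3 a settings mismatch, and at step 4 a wrong password or a password ACL. Because the object class is a parameter, Greg's question can be checked directly against the server: the user entry posted earlier carries objectClass: zimbraAccount alongside organizationalPerson, so rerunning the script with zimbraAccount as the user oc shows whether the search still resolves to the same DN.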

