Zimbra 8 as LDAP account provider

Hi
I try to test lasted of the Nethserver user and group integrate with Zimbra 8

This is configure

cat /etc/sssd/sssd.conf
[sssd]
domains = mydomain.com, legacy
config_file_version = 2
services = nss, pam

[domain/mydomain.com]
use_fully_qualified_names = True
id_provider = ldap
ldap_uri = ldap://1xx.xxx.xx.xx:389
ldap_search_base =ou=people,dc=mydomain,dc=com
ldap_user_search_base = ou=people,dc=mydomain,dc=com
##ldap_group_search_base = dc=mydomain,dc=com
ldap_tls_reqcert = never
cache_credentials = True
ldap_default_bind_dn = uid=zimbra,cn=admins,cn=zimbra
ldap_default_authtok = xxxxxxxx
default_shell = /usr/libexec/openssh/sftp-server

[domain/legacy]
use_fully_qualified_names = False
id_provider = ldap
ldap_uri = ldap://1xx.xxx.xx.xx:389
ldap_search_base = ou=people,dc=mydomain,dc=com
##ldap_user_search_base = ou=people,dc=mydomain,dc=com
##ldap_group_search_base = dc=mydomain,dc=com
ldap_tls_reqcert = never
cache_credentials = True
ldap_default_bind_dn = uid=zimbra,cn=admins,cn=zimbra
ldap_default_authtok = xxxxxxxx
default_shell = /usr/libexec/openssh/sftp-server

There are a logs on /var/log/sssd/sssd_mydomain.com.log

(Tue Feb 14 16:31:40 2017) [sssd[be[mydomain.com]]] [dp_module_run_constructor] (0x0010): Module [ldap] constructor failed [22]: Invalid argument
(Tue Feb 14 16:31:40 2017) [sssd[be[mydomain.com]]] [dp_target_init] (0x0010): Unable to load module ldap
(Tue Feb 14 16:31:40 2017) [sssd[be[mydomain.com]]] [be_process_init] (0x0010): Unable to setup data provider [1432158209]: Internal Error
(Tue Feb 14 16:31:40 2017) [sssd[be[mydomain.com]]] [main] (0x0010): Could not initialize backend [1432158209]
(Tue Feb 14 16:31:40 2017) [sssd[be[mydomain.com]]] [dp_module_run_constructor] (0x0010): Module [ldap] constructor failed [22]: Invalid argument
(Tue Feb 14 16:31:40 2017) [sssd[be[mydomain.com]]] [dp_target_init] (0x0010): Unable to load module ldap
(Tue Feb 14 16:31:40 2017) [sssd[be[mydomain.com]]] [be_process_init] (0x0010): Unable to setup data provider [1432158209]: Internal Error
(Tue Feb 14 16:31:40 2017) [sssd[be[mydomain.com]]] [main] (0x0010): Could not initialize backend [1432158209]
(Tue Feb 14 16:31:42 2017) [sssd[be[mydomain.com]]] [dp_module_run_constructor] (0x0010): Module [ldap] constructor failed [22]: Invalid argument
(Tue Feb 14 16:31:42 2017) [sssd[be[mydomain.com]]] [dp_target_init] (0x0010): Unable to load module ldap
(Tue Feb 14 16:31:42 2017) [sssd[be[mydomain.com]]] [be_process_init] (0x0010): Unable to setup data provider [1432158209]: Internal Error
(Tue Feb 14 16:31:42 2017) [sssd[be[mydomain.com]]] [main] (0x0010): Could not initialize backend [1432158209]
(Tue Feb 14 16:31:46 2017) [sssd[be[mydomain.com]]] [dp_module_run_constructor] (0x0010): Module [ldap] constructor failed [22]: Invalid argument
(Tue Feb 14 16:31:46 2017) [sssd[be[mydomain.com]]] [dp_target_init] (0x0010): Unable to load module ldap
(Tue Feb 14 16:31:46 2017) [sssd[be[mydomain.com]]] [be_process_init] (0x0010): Unable to setup data provider [1432158209]: Internal Error
(Tue Feb 14 16:31:46 2017) [sssd[be[mydomain.com]]] [main] (0x0010): Could not initialize backend [1432158209]

Please help and how to back to use local user and group

Could you attach the output of

account-provider-test dump

This is mine:


{
   "startTls" : "1",
   "bindUser" : "dummy",
   "userDN" : "dc=directory,dc=nh",
   "port" : 389,
   "isAD" : "",
   "host" : "192.168.3.7",
   "groupDN" : "dc=directory,dc=nh",
   "isLdap" : "1",
   "ldapURI" : "ldap://192.168.3.7",
   "baseDN" : "dc=directory,dc=nh",
   "bindPassword" : "****",
   "bindDN" : "cn=dummy,dc=directory,dc=nh"
}

Hi @davidep
This is attach the output of account-provider-test dump

[root@test ~]#account-provider-test dump
{
“startTls” : “”,
“bindUser” : null,
“userDN” : “dc=mydomain,dc=com”,
“port” : 389,
“isAD” : “”,
“host” : “127.0.0.1”,
“groupDN” : “dc=mydomain,dc=com”,
“isLdap” : “”,
“ldapURI” : “ldap://127.0.0.1”,
“baseDN” : “dc=mydomain,dc=com”,
“bindPassword” : “”,
“bindDN” : “”
{
“startTls” : “”,
“bindUser” : “zimbra”,
“userDN” : “ou=people,dc=mydomain,dc=com”,
“port” : “389”,
“isAD” : “”,
“host” : “1xx.xxx.xxx.xxx”,
“groupDN” : “dc=mydomain,dc=com”,
“isLdap” : “1”,
“ldapURI” : “ldap://1xx.xxx.xxx.xxx:389”,
“baseDN” : “dc=mydomain,dc=com”,
“bindPassword” : “xxxxxxxxxx”,
“bindDN” : “uid=zimbra,cn=admins,cn=zimbra”
}
[root@test ~]# {

“startTls” : “”,
“bindUser” : null,
“userDN” : “dc=mydomain,dc=com”,
“port” : 389,
“isAD” : “”,
“host” : “127.0.0.1”,
“groupDN” : “dc=mydomain,dc=com”,
“isLdap” : “”,
“ldapURI” : “ldap://127.0.0.1”,
“baseDN” : “dc=mydomain,dc=com”,
“bindPassword” : “”,
“bindDN” : “”
Thank you

I see the output repeated three times, it is confusing me :confused:

Please answer these questions:

  1. Did you install the local LDAP provider after configuring zimbra as remote LDAP provider?

  2. If you go to “Accounts provider” page, can you set the provider to “none”? Do you see any custom setting under the “Advanced settings” panel?

Perhaps the DB key sssd has some props that need to be cleaned. Could you paste the output of

config show sssd

If you have a local account provider these commands could fix the configuration:

config delprop sssd StartTls BaseDN BindDN BindPassword UserDN
config setprop sssd Provider none
/etc/e-smith/events/actions/nethserver-directory-sssd ev

1.Please answer these questions:

Did you install the local LDAP provider after configuring zimbra as remote LDAP provider?

No

If you go to “Accounts provider” page, can you set the provider to “none”? Do you see any custom setting under the “Advanced settings” panel?

Yes, LDAP with Advanced settings

Hi

Does someone have experience on LDAP Sever as LDAP account provider?

Thank you

I still don’t understand your goal:

  • do you want to import Zimbra accounts to the local LDAP?
  • do you want to connect Zimbra as a remote LDAP provider?

Please refer to

http://docs.nethserver.org/en/v7/accounts.html

Hi

I want to connect Zimbra as a remote LDAP provider

Thank you

Go to “Accounts provider” page and set “none”, then save the settings.

Repeat the binding procedure:

  • specify the Zimbra LDAP IP address,
  • fill the Advanced settings section properly (I don’t know what are the right parameters for Zimbra)

Ref http://docs.nethserver.org/en/v7/accounts.html#bind-to-a-remote-ldap-server

Hi

Thank you and try but still have problem in Advanced settings,

Here is Zimbra LDAP

“bindDN” : “uid=zimbra,cn=admins,cn=zimbra”
“bindPassword” : “*******”

dc=mydomain,dc=com
ou=people,dc=mydomain,dc=com
uid=group01,ou=people,dc=mydomain,dc=com
objectClass
zimbraDistributionList
zimbraMailRecipient
uid=user1,ou=people,dc=mydomain,dc=com
objectClass
inetOrgPerson
zimbraAccount

but it is not work, please help again

I’m sorry but I don’t know what are the right settings for Zimbra!

The requirements on NS side is performing an LDAP simple bind, with (or without) SSL/TLS.

Perhaps someone else can chime in! /cc @alefattorini

Hi @davidep

I try to test

ldapsearch -h 1xx.xxx.xxx.xxx -D “uid=zimbra,cn=admins,cn=zimbra” -w **** -b “ou=people,dc=mydomain,dc=com”

it works without problem.

Thank you

Perhaps you need to set STARTTLS disabled!

UserDN and GroupDN should not start with uid=…

They are the search base for users and groups, respectively! Following your command above, I would left them blank, though…

Hi @davidep

[root@nethserver ~]# config show sssd
sssd=service
AdDns=
BaseDN=ou=people,dc=mydomain,dc=com
BindDN=uid=zimbra,cn=admins,cn=zimbra
BindPassword=******
GroupDN=
LdapURI=ldap://1xx.xxx.xxx.xxx:389
Provider=ldap
StartTls=disabled
status=enabled

[root@nethserver ~]# account-provider-test dump
{
“startTls” : “”,
“bindUser” : “zimbra”,
“userDN” : “ou=people,dc=mydomain,dc=com”,
“port” : “389”,
“isAD” : “”,
“host” : “1xx.xxx.xxx.xxx”,
“groupDN” : “ou=people,dc=mydomain,dc=com”,
“isLdap” : “1”,
“ldapURI” : “ldap://1xx.xxx.xxx.xxx:389”,
“baseDN” : “ou=people,dc=mydomain,dc=com”,
“bindPassword” : “*******”,
“bindDN” : “uid=zimbra,cn=admins,cn=zimbra”

“bindUser” : “zimbra”, is it correct ?

It should not harm, it is not used by Server Manager.

BTW, you can run without “dump”:

account-provider-test

Does it spit out something?

What is the error from Server Manager? Do you see some ERROR in /var/log/messages?

1 Like

Hi Davidep,
[root@nethserver ~]# account-provider-test
# extended LDIF
#
# LDAPv3
# base <ou=people,dc=mydomain,dc=com> with scope baseObject
# filter: (objectClass=*)
# requesting: ALL
#

# people, mydomain.com
dn: ou=people,dc=mydomain,dc=com
objectClass: organizationalRole
ou: people
cn: people

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

[root@nethserver ~]# tail -f /var/log/messages
Feb 21 08:01:01 nethserver systemd: Starting Session 94 of user root.
Feb 21 08:01:01 nethserver systemd: Removed slice user-0.slice.
Feb 21 08:01:01 nethserver systemd: Stopping user-0.slice.
Feb 21 08:11:48 nethserver sshd[10935]: Failed password for root from 1xx.xxx.xxx.xxx port 54165 ssh2
Feb 21 08:11:51 nethserver sshd[10935]: Accepted password for root from 1xx.xxx.xxx.xxx port 54165 ssh2
Feb 21 08:11:51 nethserver systemd: Created slice user-0.slice.
Feb 21 08:11:51 nethserver systemd: Starting user-0.slice.
Feb 21 08:11:51 nethserver systemd: Started Session 95 of user root.
Feb 21 08:11:51 nethserver systemd-logind: New session 95 of user root.
Feb 21 08:11:51 nethserver systemd: Starting Session 95 of user root.

Maybe issues in ssh port on Zimbra Server, I change port SSH to tcp/ 2xxx, is it effect ?

Thank you

SSH is not involved here.

We can see the connection and bind are fine but no entries are returned. That actually means either no entries exist at all, or there is no read privilege granted.

In previous post we disabled STARTTLS. I suggest set it to “default” and repeat the experiment. As alternative, use ldaps:// instead of ldap://

Ooops. I didn’t notice it! So, no entries are returned because the account-provider-test has a limited search scope.

However, the connection and bind are fine and no ERROR messages are returned from Server Manager. I’d say everything is OK.

Did you try it? Protecting your password with encryption is always a good idea!

:thinking: this could be the problem… If Zimbra is not RFC2307 compliant we cannot use it as account provider…

…on the other hand our LDAP search filter in Server Manager could be wrong…

@Ya_Ley, can you make another test? In a previous post I saw you have a user1 account in Zimbra. Please paste here the output of the following commands:

getent passwd user1@$(hostname -d)
getent passwd user1

Found in forums that related SSSD
https://forums.zimbra.org/viewtopic.php?t=14182

2 Likes

A post was split to a new topic: Which is the best account provider?