Zimbra + AD Eager doesn't work!

Despair
Posts: 22
Joined: Wed Feb 01, 2017 11:18 am

Zimbra + AD Eager doesn't work!

Post by Despair »

Hello.
I am trying to configure Zimbra with EAGER authentication and can't get it to work. LAZY mode works, and I don't understand what I am doing wrong.

To configure it, I run:

Code:
md dom.ru zimbraAutoProvAccountNameMap "sAMAccountName"
md dom.ru zimbraAutoProvAttrMap "sn=sn"
md dom.ru +zimbraAutoProvAttrMap "description=description"
md dom.ru +zimbraAutoProvAttrMap "cn=displayName"
md dom.ru +zimbraAutoProvAttrMap "givenName=givenName"
md dom.ru zimbraAutoProvLdapAdminBindDn "CN=vmail,OU=users,DC=my-domain,DC=local"
md dom.ru zimbraAutoProvLdapAdminBindPassword "password"
md dom.ru zimbraAutoProvLdapBindDn "%u@%d"
md dom.ru zimbraAutoProvLdapSearchBase "ou=My-Domain,dc=my-domain,dc=local"
md dom.ru zimbraAutoProvLdapSearchFilter "(memberOf=cn=vmail,ou=My-Domain,dc=my-domain,dc=local)"
md dom.ru zimbraAutoProvLdapURL "ldap://10.0.0.100:3268"
md dom.ru zimbraAutoProvMode "EAGER"
ms mail.dom.ru zimbraAutoProvPollingInterval "10m"
ms mail.dom.ru zimbraAutoProvScheduledDomains "dom.ru"
After that, in the log file (/opt/zimbra/log/mailbox.log) I see:

Code:
2017-02-01 16:17:41,749 INFO  [AutoProvision] [] autoprov - Auto provisioning accounts on domain dom.ru
2017-02-01 16:17:41,830 WARN  [AutoProvision] [] autoprov - Unable to auto provision accounts for domain dom.ru
com.zimbra.cs.ldap.LdapException: LDAP error:  - unable to get connection: 80090308: LdapErr: DSID-0C0903A8, comment: AcceptSecurityContext error, data 52e, v1db1.
ExceptionId:AutoProvision:1485944261829:fe01dc8ffcc38eaa
Code:ldap.LDAP_ERROR
        at com.zimbra.cs.ldap.LdapException.LDAP_ERROR(LdapException.java:90)
        at com.zimbra.cs.ldap.unboundid.UBIDLdapException.mapToLdapException(UBIDLdapException.java:74)
        at com.zimbra.cs.ldap.unboundid.UBIDLdapException.mapToExternalLdapException(UBIDLdapException.java:84)
        at com.zimbra.cs.ldap.unboundid.UBIDLdapContext.mapToLdapException(UBIDLdapContext.java:225)
        at com.zimbra.cs.ldap.unboundid.UBIDLdapContext.getConnection(UBIDLdapContext.java:199)
        at com.zimbra.cs.ldap.unboundid.UBIDLdapContext.<init>(UBIDLdapContext.java:171)
        at com.zimbra.cs.ldap.unboundid.UBIDLdapClient.getExternalContextImpl(UBIDLdapClient.java:106)
        at com.zimbra.cs.ldap.LdapClient.getExternalContext(LdapClient.java:169)
        at com.zimbra.cs.account.ldap.AutoProvision.searchAutoProvDirectory(AutoProvision.java:641)
        at com.zimbra.cs.account.ldap.AutoProvisionEager.searchAccounts(AutoProvisionEager.java:250)
        at com.zimbra.cs.account.ldap.AutoProvisionEager.createAccountBatch(AutoProvisionEager.java:152)
        at com.zimbra.cs.account.ldap.AutoProvisionEager.handleBatch(AutoProvisionEager.java:132)
        at com.zimbra.cs.account.ldap.AutoProvisionEager.handleScheduledDomains(AutoProvisionEager.java:103)
        at com.zimbra.cs.account.ldap.LdapProvisioning.autoProvAccountEager(LdapProvisioning.java:1008)
        at com.zimbra.cs.account.AutoProvisionThread.run(AutoProvisionThread.java:150)
Caused by: LDAPException(resultCode=49 (invalid credentials), errorMessage='80090308: LdapErr: DSID-0C0903A8, comment: AcceptSecurityContext error, data 52e, v1db1.', diagnosticMessage='80090308: LdapErr: DSID-0C0903A8, comment: AcceptSecurityContext error, data 52e, v1db1.')
        at com.unboundid.ldap.sdk.LDAPConnection.bind(LDAPConnection.java:1894)
        at com.unboundid.ldap.sdk.LDAPConnectionPool.createConnection(LDAPConnectionPool.java:988)
        at com.unboundid.ldap.sdk.LDAPConnectionPool.getConnection(LDAPConnectionPool.java:1399)
        at com.zimbra.cs.ldap.unboundid.UBIDLdapOperation$GetConnection.execute(UBIDLdapOperation.java:186)
        at com.zimbra.cs.ldap.unboundid.UBIDLdapContext.getConnection(UBIDLdapContext.java:190)
        ... 10 more
2017-02-01 16:17:41,833 INFO  [AutoProvision] [] autoprov - Sleeping for 600000 milliseconds.
I understand that

Code:
(resultCode=49 (invalid credentials)
is an authentication error, but the user vmail is in the Users group in AD. The mail users are in the My-Domain group. The domain name is my-domain.local and the mail domain is dom.ru.

Please help.
Despair
Posts: 22
Joined: Wed Feb 01, 2017 11:18 am

Re: Zimbra + AD Eager doesn't work!

Post by Despair »

I found the following information about Zimbra on the Internet:
In EAGER mode Zimbra can't see sub-containers; it sees only the container from the config (example: md domain.ru zimbraAutoProvLdapSearchBase "ou=corpuser,dc=domain,dc=org": Zimbra sees only "corpuser" and doesn't see its sub-containers).
Is it really true? If so, I'm very sad, and it looks like I can only use LAZY mode.
Despair
Posts: 22
Joined: Wed Feb 01, 2017 11:18 am

Re: Zimbra + AD Eager doesn't work!

Post by Despair »

I solved the authentication problem, but my task is still not completely solved.
Now Zimbra connects to AD, but does not receive any logins for auto-provisioning.
In /opt/zimbra/mailbox.log I see:

Code:
2017-02-03 12:24:20,518 INFO  [AutoProvision] [] autoprov - Auto provisioning accounts on domain dom.ru
2017-02-03 12:24:20,521 INFO  [AutoProvision] [] autoprov - 0 external LDAP entries returned as search result
2017-02-03 12:24:20,521 INFO  [AutoProvision] [] autoprov - Auto Provisioning has finished for now, setting last polled timestamp: 20170203062420.520Z
2017-02-03 12:24:20,524 INFO  [AutoProvision] [] autoprov - Sleeping for 600000 milliseconds.

I can't understand what I am doing wrong...

Now it is configured as follows:

Code:
md dom.ru zimbraAutoProvAccountNameMap "sAMAccountName"
md dom.ru zimbraAutoProvAttrMap "sn=sn"
md dom.ru +zimbraAutoProvAttrMap "description=description"
md dom.ru +zimbraAutoProvAttrMap "cn=displayName"
md dom.ru +zimbraAutoProvAttrMap "givenName=givenName"
md dom.ru zimbraAutoProvLdapAdminBindDn "cn=vmail,cn=users,DC=my-domain,DC=local"
md dom.ru zimbraAutoProvLdapAdminBindPassword "Zaq1Xsw2"
md dom.ru zimbraAutoProvLdapBindDn "%u@%d"
md dom.ru zimbraAutoProvLdapSearchBase "ou=My-Domain,dc=my-domain,dc=local"
md dom.ru zimbraAutoProvLdapSearchFilter "(memberOf=cn=vmail,cn=users,ou=My-Domain,dc=my-domain,dc=local)"
md dom.ru zimbraAutoProvLdapURL "ldap://10.0.0.100:3268"
md dom.ru zimbraAutoProvMode "EAGER"
ms mail.dom.ru zimbraAutoProvPollingInterval "10m"
ms mail.dom.ru zimbraAutoProvScheduledDomains "dom.ru"
Despair
Posts: 22
Joined: Wed Feb 01, 2017 11:18 am

Re: Zimbra + AD Eager doesn't work!

Post by Despair »

Problem solved.
It was a wrong filter:

Code:
md dom.ru zimbraAutoProvLdapSearchFilter "(memberOf=cn=vmail,cn=users,ou=My-Domain,dc=my-domain,dc=local)"
It needs to be:

Code:
md dom.ru zimbraAutoProvLdapSearchFilter "(cn=%u)"
The next question is how to filter out a group from AD whose members must not have any e-mail...
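The following is an added example, not code from the thread or from Zimbra: a small offline dry run in Python over a constructed set of AD-style entries, applying the zmprov settings from the posts above (search base, zimbraAutoProvLdapSearchFilter, zimbraAutoProvAccountNameMap and zimbraAutoProvAttrMap) the way one would check them before letting the EAGER poller run against the real directory. It shows three things a practitioner would want to see: a memberOf filter only matches when the group DN is identical, so the third post's filter with the extra ou=My-Domain component selects nothing (one explanation consistent with the "0 external LDAP entries returned" line); what the difference between a one-level and a subtree search would mean for users in a sub-OU (both scopes are assumed here for illustration; the script does not claim which scope Zimbra uses); and one way to address the last question, an added (!(memberOf=...)) clause that excludes a "no mailbox" group. The entries, the no-mail group, the WRONG_FILTER constant and the exclude_group parameter are constructed for this example; Zimbra's %u placeholder expansion is not modelled.

```python
"""Added example, not Zimbra code: an offline dry run of the entries a Zimbra EAGER
auto-provisioning pass would select from AD under the thread's zmprov settings."""
import re


def _entry(dn, sam, given, sn, desc, *groups):       # constructed AD-style user
    return {"dn": dn, "sAMAccountName": sam, "cn": f"{given} {sn}".strip(),
            "givenName": given, "sn": sn, "description": desc, "memberOf": list(groups)}


VMAIL = "cn=vmail,cn=users,dc=my-domain,dc=local"     # mail group, same container as the bind DN
NOMAIL = "cn=no-mail,cn=users,dc=my-domain,dc=local"  # hypothetical "no mailbox" group
DIRECTORY = [  # constructed entries; Anna sits in a sub-OU to show the scope question
    _entry("cn=Ivan Petrov,ou=My-Domain,dc=my-domain,dc=local",
           "ipetrov", "Ivan", "Petrov", "Accounting", VMAIL),
    _entry("cn=Anna Sidorova,ou=Sales,ou=My-Domain,dc=my-domain,dc=local",
           "asidorova", "Anna", "Sidorova", "Sales", VMAIL),
    _entry("cn=svc-backup,ou=My-Domain,dc=my-domain,dc=local",
           "svc-backup", "Backup", "Service", "Service account", VMAIL, NOMAIL),
    _entry("cn=Guest,ou=My-Domain,dc=my-domain,dc=local", "guest", "", "Guest", ""),
]
CONFIG = {  # the thread's settings, with the group DN matching where the group lives
    "zimbraAutoProvLdapSearchBase": "ou=My-Domain,dc=my-domain,dc=local",
    "zimbraAutoProvLdapSearchFilter": "(memberOf=" + VMAIL + ")",
    "zimbraAutoProvAccountNameMap": "sAMAccountName",
    "zimbraAutoProvAttrMap": ["sn=sn", "description=description",
                              "cn=displayName", "givenName=givenName"],
}
WRONG_FILTER = "(memberOf=cn=vmail,cn=users,ou=My-Domain,dc=my-domain,dc=local)"  # post 3


def parse_filter(text):
    """RFC 4515 subset: (&..), (|..), (!..), (attr=value); no escape handling."""
    def parse(i):
        if text[i] != "(":
            raise ValueError(f"expected '(' at offset {i}")
        if text[i + 1] in "&|!":
            op, i, kids = text[i + 1], i + 2, []
            while text[i] == "(":
                node, i = parse(i)
                kids.append(node)
            if text[i] != ")":
                raise ValueError(f"expected ')' at offset {i}")
            return (op, kids), i + 1
        j = text.index(")", i)
        attr, _, value = text[i + 1:j].partition("=")
        return ("=", attr.strip(), value), j + 1
    node, end = parse(0)
    if end != len(text):
        raise ValueError("trailing characters after filter")
    return node


def _values(entry, attr):
    """Values of attr; LDAP attribute names are case-insensitive."""
    for key, val in entry.items():
        if key.lower() == attr.lower():
            return val if isinstance(val, list) else [val]
    return []


def matches(entry, node):
    op = node[0]
    if op in "&|":
        return (all if op == "&" else any)(matches(entry, k) for k in node[1])
    if op == "!":
        return not matches(entry, node[1][0])
    _, attr, value = node
    vals = _values(entry, attr)
    if value == "*":                          # presence test
        return bool(vals)
    # '*' inside a value is a substring wildcard; a plain value must equal the whole
    # attribute value, so a memberOf filter needs the exact group DN.
    pattern = "^" + ".*".join(re.escape(p) for p in value.split("*")) + "$"
    return any(re.match(pattern, v, re.IGNORECASE) for v in vals)


def in_scope(entry_dn, base, scope):
    """'sub': whole subtree under base; 'one': direct children of base only."""
    dn, b = entry_dn.lower(), base.lower()
    if not dn.endswith("," + b):
        return False
    return scope == "sub" or "," not in dn[: -len(b) - 1]


def autoprov_eager(directory, config, domain, scope="sub", exclude_group=None):
    """{account@domain: zimbra attrs} for the entries the configured filter selects.
    exclude_group adds a hypothetical (!(memberOf=<dn>)) clause; not a Zimbra setting."""
    flt = parse_filter(config["zimbraAutoProvLdapSearchFilter"])
    if exclude_group:
        flt = ("&", [flt, ("!", [("=", "memberOf", exclude_group)])])
    attr_map = [m.split("=", 1) for m in config["zimbraAutoProvAttrMap"]]
    accounts = {}
    for entry in directory:
        if not in_scope(entry["dn"], config["zimbraAutoProvLdapSearchBase"], scope):
            continue
        if not matches(entry, flt):
            continue
        names = _values(entry, config["zimbraAutoProvAccountNameMap"])
        if not names:
            continue                          # no local part, nothing to create
        accounts[f"{names[0].lower()}@{domain}"] = {
            dst: _values(entry, src)[0] for src, dst in attr_map if _values(entry, src)}
    return accounts


if __name__ == "__main__":
    wrong = dict(CONFIG, zimbraAutoProvLdapSearchFilter=WRONG_FILTER)
    print("post-3 filter (group DN mismatch):", autoprov_eager(DIRECTORY, wrong, "dom.ru"))
    print("subtree      :", sorted(autoprov_eager(DIRECTORY, CONFIG, "dom.ru")))
    print("one-level    :", sorted(autoprov_eager(DIRECTORY, CONFIG, "dom.ru", scope="one")))
    print("minus no-mail:", sorted(autoprov_eager(DIRECTORY, CONFIG, "dom.ru",
                                                  exclude_group=NOMAIL)))
```

The same filter strings can be handed to ldapsearch against the real domain controller before being put into zmprov; whatever ldapsearch returns for the bind DN, base and filter is what the auto-provisioning search will see, and an empty result there means an empty result in mailbox.log.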