Zimbra Integration

Issue #89 resolved
UxBoD created an issue

Am attempting to configure the Zimbra integration, against ZCS 8.0.4, and authentication works fine but no search results are returned. If I disable it via "$config['ENABLE_LDAP_AUTH'] = 0;" and login back in then all records are returned. If I enable it again then again I see "Empty search result".

If I check /var/log/maillog I see the following when LDAP is enabled:

May 9 16:19:10 archive01 piler-webui[4550]: sphinx query: 'SELECT id FROM main1 WHERE MATCH('@to ') ORDER BY sent DESC LIMIT 0,1000 OPTION max_matches=1000' in 0.00 s, 0 hits

yet with LDAP disabled one sees the following when just pressing the search button:

May 9 16:20:30 archive01 piler-webui[4550]: sphinx query: 'SELECT id FROM main1 WHERE MATCH('') ORDER BY sent DESC LIMIT 0,1000 OPTION max_matches=1000' in 0.00 s, 88 hits

Thanks

Comments (14)

  1. Janos SUTO repo owner

    If you enable the ldap auth then the gui authenticates against the ldap server, and grants user rights and assigns the retrieved email addresses to the user.

    It appears that at May 9 16:19:10 the user has no email addresses assigned for some reason. Could you run the ldap query against zimbra for the login? The query is also logged. You should find email addresses in the results.

    Then later you tried as an auditor user since there's no search filter applied. Obviously you could see all emails.

    Btw. could please show your config-site.php (omit any passwords), and what version do you use?

  2. UxBoD reporter

    I should add that on both searches it was with my own account that is assigned the role of Auditor. So I would have expected that whether authenticating internally, or via LDAP, it should yield the same result.

    Version: piler-0.1.23

  3. Janos SUTO repo owner

    Well, the idea is that regular users can be authenticated against ldap, while a few auditors can be in the local piler database. However the master branch has an addition if you need several auditors that a group of (ldap) users can be appointed as auditors.

    Do you need this feature or is it ok to create a local user for auditor purposes?

    Btw. when you login with your ldap account, can you see your own email address(es) on the user settings page?

  4. UxBoD reporter

    At present some local auditor accounts is fine.

    Yes, can see my email address on the settings page.

    What is odd though is that I have changed my role to a new user and logged back in again. If I click on search then no results are returned. If I use a keyword like Piler then results are returned, but on clicking the subject it returns "no permission for XX", yet the messages were authored by myself.

  5. UxBoD reporter

    Interestingly if I sign out and sign back in again with the local Piler password, instead of LDAP, then I am able to just press search and get results and no permission issues. The stranger part is that the list of messages returned is different from when I authenticated to Zimbra!

  6. Janos SUTO repo owner

    Hmm, what bothers me is that when you are a regular user then the search filter is

    MATCH('@to ')

    however it should be:

    MATCH('@to yourXemailXaddress')

    (@-symbol and dots are rewritten as capital X letters in the email address)

    The bitbucket formatting diminishes some characters, but you get the idea...

    Btw. in doubt always check the search query in the maillog
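The two maillog lines quoted in the issue, together with the rewriting rule in the previous comment, are enough to check this mechanically. The following is an added example written for this page, not piler's own code: it rewrites addresses the way the comment describes, builds the per-user `@to` restriction (the parenthesised OR form for several addresses is an assumption about Sphinx extended syntax, not something the thread shows), and classifies logged sphinx queries so that a query whose `@to` carries no address, the exact symptom reported here, is flagged as a missing address assignment rather than read as "no mail". The first two log lines are copied from the issue; the third is constructed.

```python
import re

# Sample maillog lines. The first two are the ones quoted in the issue above; the third
# is constructed for this example and shows a correctly restricted regular-user query.
SAMPLE_LOG = [
    "May 9 16:19:10 archive01 piler-webui[4550]: sphinx query: 'SELECT id FROM main1 "
    "WHERE MATCH('@to ') ORDER BY sent DESC LIMIT 0,1000 OPTION max_matches=1000' in 0.00 s, 0 hits",
    "May 9 16:20:30 archive01 piler-webui[4550]: sphinx query: 'SELECT id FROM main1 "
    "WHERE MATCH('') ORDER BY sent DESC LIMIT 0,1000 OPTION max_matches=1000' in 0.00 s, 88 hits",
    # constructed line, not from the issue:
    "May 9 16:25:00 archive01 piler-webui[4550]: sphinx query: 'SELECT id FROM main1 "
    "WHERE MATCH('@to uxbodXlabXsomedomainXcom') ORDER BY sent DESC LIMIT 0,1000 OPTION max_matches=1000' in 0.00 s, 12 hits",
]

# Shape of the piler-webui log line as it appears above: the SQL text, the elapsed time, the hit count.
QUERY_RE = re.compile(r"sphinx query: '(?P<sql>.*)' in (?P<secs>[\d.]+) s, (?P<hits>\d+) hits")
# The full-text expression inside MATCH('...').
MATCH_RE = re.compile(r"MATCH\('(?P<expr>.*?)'\)")


def sphinx_address_token(address: str) -> str:
    """Rewrite an email address as the comment describes: '@' and '.' become a capital X.
    Only those two characters are rewritten; that is the rule stated in the thread."""
    return address.replace("@", "X").replace(".", "X")


def build_to_filter(addresses):
    """Return the @to restriction for a regular user, or None when the user has no
    addresses. None is the state that produces the MATCH('@to ') query in the issue;
    a caller should treat it as a configuration/LDAP-mapping problem, not run the search."""
    tokens = [sphinx_address_token(a.strip()) for a in addresses if a and a.strip()]
    if not tokens:
        return None
    if len(tokens) == 1:
        return "@to " + tokens[0]
    # Assumed OR form for several addresses (Sphinx extended syntax); not shown on the page.
    return "@to (" + " | ".join(tokens) + ")"


def classify_query(line: str) -> str:
    """Classify one logged sphinx query:
    'unrestricted'    - no @to field limit at all (what an auditor's search looks like)
    'empty-to-filter' - @to present but no address follows it (the reported symptom)
    'restricted'      - @to followed by at least one rewritten address (expected for a regular user)
    """
    m = QUERY_RE.search(line)
    if not m:
        return "not-a-sphinx-query"
    expr_m = MATCH_RE.search(m.group("sql"))
    expr = expr_m.group("expr") if expr_m else ""
    # Everything after @to up to the next field operator is the address list.
    to_m = re.search(r"@to\b(?P<rest>[^@]*)", expr)
    if to_m is None:
        return "unrestricted"
    if not to_m.group("rest").strip():
        return "empty-to-filter"
    return "restricted"


def audit(lines):
    """Return (classification, hits) per sphinx query line, skipping unrelated lines."""
    out = []
    for line in lines:
        m = QUERY_RE.search(line)
        if m:
            out.append((classify_query(line), int(m.group("hits"))))
    return out


if __name__ == "__main__":
    for kind, hits in audit(SAMPLE_LOG):
        print(f"{kind:16s} {hits} hits")
    print(build_to_filter(["uxbod@lab.somedomain.com", "alias@lab.somedomain.com"]))
```

Run against a real /var/log/maillog, an `empty-to-filter` entry for an LDAP-authenticated login points at the address assignment step (the logged LDAP query, as the first comment suggests) rather than at the Sphinx index, and an `unrestricted` entry for an account that should be a regular user is worth a second look at the user's role.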

  7. UxBoD reporter

    The "no permission for XX" is a concern though as that precludes us from using Zimbra authentication.

  8. UxBoD reporter

    ```php
    $config['SITE_NAME'] = 'archive.lab.somedomain.com';
    $config['SITE_URL'] = 'http://archive.lab.somedomain.com/';
    $config['DIR_BASE'] = '/var/www/archive.lab.somedomain.com/';

    $config['ENABLE_SYSLOG'] = 1;

    $config['SMTP_DOMAIN'] = 'archive.lab.somedomain.com';
    $config['SMTP_FROMADDR'] = 'no-reply@archive.lab.somedomain.com';
    $config['ADMIN_EMAIL'] = 'admin@archive.lab.somedomain.com';

    $config['ENABLE_LDAP_AUTH'] = 1;
    $config['LDAP_HOST'] = 'zimbra01.lab.somedomain.com';
    $config['LDAP_HELPER_DN'] = 'uid=zimbra,cn=admins,cn=zimbra';
    $config['LDAP_HELPER_PASSWORD'] = 'XXXXXXXXXXXXXXXX';
    $config['LDAP_MAIL_ATTR'] = 'mail';
    $config['LDAP_ACCOUNT_OBJECTCLASS'] = 'zimbraAccount';
    $config['LDAP_BASE_DN'] = '';
    $config['LDAP_DISTRIBUTIONLIST_OBJECTCLASS'] = 'zimbraDistributionList';
    $config['LDAP_DISTRIBUTIONLIST_ATTR'] = 'zimbraMailForwardingAddress';

    $config['DB_DRIVER'] = 'mysql';
    $config['DB_PREFIX'] = '';
    $config['DB_HOSTNAME'] = 'localhost';
    $config['DB_USERNAME'] = 'piler';
    $config['DB_PASSWORD'] = 'XXXXXXXXXXXXXXXXXXXX';
    $config['DB_DATABASE'] = 'piler';

    $config['SMARTHOST'] = 'zimbra01.lab.somedomain.com';
    $config['SMARTHOST_PORT'] = 25;
    ```

  9. Janos SUTO repo owner

    The config looks fine, let's dig a bit deeper to the problem. Please login (via ldap) as a regular user, then click on search (without any search conditions). See the maillog, and note the search query. Then use a keyword like 'piler', and do the same again. Please show me these two queries along with the message headers (From/To/Cc) of the message when you get a "no permission for XX" error message.

    Is it possible that you wrote the message with a different address not listed in the search query?

  10. Janos SUTO repo owner

    No news is good news, so I set this issue resolved. Btw. in the meantime the latest master branch has fixed the backslash issue in ldap queries. This might help.
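The comment above mentions a fix for backslashes in the LDAP queries but not what the fix looks like. As an added example, not piler's code and not a description of that fix, here is the filter-value escaping that RFC 4515 requires for any LDAP search filter assembled from a login name, with the attribute and object class names taken from the config-site.php posted in this thread (`mail`, `zimbraAccount`) used as assumed filter fields. Each special character is replaced in a single pass, so a backslash in the input is never escaped twice.

```python
# RFC 4515 section 3: these characters must appear inside a filter value as \XX hex escapes.
# A single-pass lookup avoids the classic mistake of escaping backslashes after the other
# characters and thereby double-escaping the backslashes the first step introduced.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape one attribute value for use inside an LDAP search filter (RFC 4515)."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def account_filter(login: str, objectclass: str = "zimbraAccount", mail_attr: str = "mail") -> str:
    """Build the filter that looks up the account for a login name.
    The object class and mail attribute defaults mirror LDAP_ACCOUNT_OBJECTCLASS and
    LDAP_MAIL_ATTR from the posted config; the filter shape itself is an assumption."""
    return "(&(objectClass=%s)(%s=%s))" % (
        escape_filter_value(objectclass),
        mail_attr,
        escape_filter_value(login),
    )


if __name__ == "__main__":
    # Constructed sample logins, including the backslash case the comment refers to.
    for sample in ["uxbod@lab.somedomain.com", "lab\\uxbod", "o'brien@lab.somedomain.com"]:
        print(account_filter(sample))
```

With the escaping in place, wildcards, parentheses and backslashes in a login name are matched literally against the `mail` attribute instead of changing the structure of the filter, which is the property to verify (by logging the final filter string, as comment 1 recommends for the LDAP query) when moving to the fixed master branch.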

  11. UxBoD reporter

    Hi, am about to build another system, with Zimbra integration, so will run through using the latest master branch. Thank you.
