
LDAP (Zimbra)

Hi,

We have a Sophos XG authentication problem with Zimbra LDAP.
We are using Sophos XG with the latest updates, version 17.06, with Zimbra version 8.8.8.

We want to use Zimbra LDAP for SMTP authentication.

Here are the parameters we gave Sophos XG to connect to the Zimbra LDAP:
Server type : LDAP Server
Bind DN : uid=zimbra,cn=admins,cn=zimbra
Connection Security : Simple
Base DN : ou=people,dc=example,dc=com
Authentication Attribute : UID

The problem is that when Sophos XG communicates with Zimbra LDAP to search for an account, for some reason it combines the Bind DN with the Base DN, and we end up with this error in the Zimbra logs:
"do_bind: invalid dn (uid=zimbra,cn=admins,cn=zimbra,ou=people,dc=example,dc=com)"

We tried with quotes and without quotes; same problem, the Bind DN gets merged with the Base DN when contacting the LDAP server.

The only way to authenticate is to use anonymous binding, which we won't use.

We did the same test with Sophos SG and all went well.

Regards.
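The failure described above is visible in the DN itself: a Bind DN is an absolute DN that identifies the account the client authenticates as, while the Base DN only scopes the later search, so a bind account that sits outside the Base DN (Zimbra's uid=zimbra,cn=admins,cn=zimbra is outside ou=people,dc=example,dc=com) is perfectly normal. Appending the Base DN to an absolute Bind DN yields a DN that does not exist, which is exactly the "invalid dn" the server logged. The following is an added example, not Sophos or Zimbra code: it pulls the DN out of the two log formats quoted in this thread (the sample lines are constructed to match them) and reports whether the DN on the wire is the configured Bind DN, the Bind DN with the Base DN appended, or something else.

```python
"""Work out, from a bind failure in the logs, whether an LDAP client sent the
configured Bind DN unchanged or with the Base DN appended to it.
Added example for this thread, not Sophos or Zimbra code; the sample log lines
are constructed to match the ones quoted in the thread."""
import re

# Zimbra/OpenLDAP:  do_bind: invalid dn (<dn>)
# Sophos XG:        ... bind failed for user: '<dn>   (closing quote may be missing)
DN_PATTERNS = [
    re.compile(r"do_bind: invalid dn \((?P<dn>[^)]+)\)"),
    re.compile(r"bind failed for user: '(?P<dn>[^'\n]+)'?"),
]

# Constructed log lines, modelled on the ones in the thread
SAMPLE_LOGS = [
    "do_bind: invalid dn (uid=zimbra,cn=admins,cn=zimbra,ou=people,dc=example,dc=com)",
    "ERROR     May 06 10:21:17 [4144244544]: ldapauth_bind: bind failed: Invalid credentials",
    "ERROR     May 06 10:21:17 [4144244544]: ldapauth_test_auth:'10.10.10.10:389': "
    "bind failed for user: 'uid=zimbra,cn=admins,cn=zimbra,ou=people,dc=example,dc=com",
]


def extract_bind_dn(log_line):
    """Return the DN the client actually put on the wire, or None for lines without one."""
    for pattern in DN_PATTERNS:
        match = pattern.search(log_line)
        if match:
            return match.group("dn").strip()
    return None


def split_dn(dn):
    """Split a DN into lower-cased RDN strings, keeping backslash-escaped commas (RFC 4514)."""
    rdns, current, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):   # escaped character: copy both characters
            current.append(dn[i:i + 2])
            i += 2
            continue
        if dn[i] == ",":
            rdns.append("".join(current).strip())
            current = []
        else:
            current.append(dn[i])
        i += 1
    rdns.append("".join(current).strip())
    return [r.lower() for r in rdns if r]


def is_under(dn, base_dn):
    """True if dn lies at or below base_dn in the tree (suffix match on RDNs)."""
    d, b = split_dn(dn), split_dn(base_dn)
    return len(d) >= len(b) and d[len(d) - len(b):] == b


def diagnose(sent_dn, configured_bind_dn, base_dn):
    """Classify how the DN on the wire relates to the configured Bind DN and Base DN."""
    sent, conf, base = split_dn(sent_dn), split_dn(configured_bind_dn), split_dn(base_dn)
    if sent == conf:
        return "bind DN sent unchanged; a code 49 here means wrong password or a server-side ACL"
    if sent == conf + base:
        return "client appended the Base DN to the Bind DN; the resulting DN does not exist"
    return "DN on the wire matches neither the Bind DN nor Bind DN + Base DN"


def diagnose_logs(log_lines, configured_bind_dn, base_dn):
    """Run the check over every log line that carries a DN; returns (dn, verdict) pairs."""
    results = []
    for line in log_lines:
        dn = extract_bind_dn(line)
        if dn is not None:
            results.append((dn, diagnose(dn, configured_bind_dn, base_dn)))
    return results


if __name__ == "__main__":
    bind_dn, base = "uid=zimbra,cn=admins,cn=zimbra", "ou=people,dc=example,dc=com"
    print("bind DN under base DN:", is_under(bind_dn, base))   # False, and that is legal
    for dn, verdict in diagnose_logs(SAMPLE_LOGS, bind_dn, base):
        print(dn, "->", verdict)
```

Run it with the Bind DN and Base DN from the configuration above; both log formats produce the "client appended the Base DN" verdict, while a bind that fails with the configured DN sent unchanged points at the password or the server's access controls instead.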

  • Hi Zidane,

    Can you PM me access_server.log and push a Test Connection to the LDAP server? If you can run a packet capture and PM me a pcap file from the server side, it will be a useful step towards the investigation.

    Thanks,

  • Hi,

    In the Sophos XG log /log/access_server.log the error appears:

    ERROR     May 06 10:21:17 [4144244544]: ldapauth_bind: bind failed: Invalid credentials
    ERROR     May 06 10:21:17 [4144244544]: ldapauth_test_auth:'10.10.10.10:389': bind failed for user: 'uid=zimbra,cn=admins,cn=zimbra,ou=people,dc=example,dc=com

    It's the same error on the LDAP server; Sophos combines the Bind DN with the Base DN.
    In the Sophos XG web admin, when we click the button to get the Base DN it returns "cn=accesslog", which is wrong.

    We keep the same parameters:
    Server type : LDAP Server
    Bind DN : uid=zimbra,cn=admins,cn=zimbra
    Connection Security : Simple
    Base DN : ou=people,dc=example,dc=com
    Authentication Attribute : UID
    Group Name Attribute : GID
    Expiry Date Attribute : Date

    And the connection test fails: "Test connection failed due to incorrect credential".

    Thanks.

  • Hi,

    I would recommend doing a tcpdump.


    tcpdump -ni any port 389 -b -s0 -w /log/dump.pcap

    Now try the test.

    Cancel the dump and download the file: https://community.sophos.com/kb/en-us/127647

    Open it with Wireshark and look for the bindRequest and the response from the server. You should see a "Code" like 49.

    https://ldap.com/ldap-result-code-reference-core-ldapv3-result-codes/#rc-invalidCredentials

    And with it, a sub code.

    49a etc. Google this code and you will get the correct answer.


    Cheers

  • Thanks for your reply,

    We executed the tcpdump from the Sophos shell. That's right, we have errors in the file dump.pcap; you can see them:

    "59","8","x.x.x.x","x.x.x.x","LDAP","137","bindRequest(1) "uid=zimbra,cn=admins,cn=zimbra,ou=people,dc=example,dc=com" 
    "60","8","x.x.x.x","x.x.x.x","TCP","62","ldap > 48623 [ACK] Seq=1 Ack=82 Win=29312 Len=0"
    "63","8","x.x.x.x","x.x.x.x","LDAP","63","unbindRequest(2) "

    We also installed an LDAP client on CentOS and tried a test with these parameters:

    ldapsearch -H ldap://x.x.x.:389 -D "uid=zimbra,cn=admins,cn=zimbra" -b "ou=people,dc=example,dc=com" -x -w xxxxxx

    The result is obtained successfully, without any problems.

    In the last test we installed a new 389-ds LDAP server and tested the connection between Sophos and LDAP: the same problems and errors.

    Regards.

  • Can you share a wireshark screenshot of the Code 49 Packet?

  • Hello,

    Here is the screenshot of the Code 49 packet.

    In frame 49: resultCode: invalidCredentials(49)

    What do we do now?

    Thanks.
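
The tcpdump reply and the last reply above both come down to reading two LDAP messages out of the capture: the bindRequest carrying the DN the client really sent, and the bindResponse carrying resultCode 49 (invalidCredentials). The following is an added example, not Sophos, Zimbra or Wireshark code: a minimal BER decoder for exactly those two operations, plus encoders used to construct sample messages so it runs offline (the sample bytes are constructed here, not taken from the thread's dump.pcap). To use it on a real capture, extract the raw TCP payload of the LDAP packet and pass those bytes to decode_bind_message.

```python
"""Decode the LDAP bindRequest and bindResponse from a capture without Wireshark:
a minimal BER reader for the two operations plus encoders used to build sample
messages. Added example for this thread, not Sophos, Zimbra or Wireshark code;
the sample messages are constructed, not taken from the thread's dump.pcap."""

# Result codes a failed bind commonly carries (RFC 4511, section 4.1.9)
RESULT_CODES = {
    0: "success", 7: "authMethodNotSupported", 8: "strongerAuthRequired",
    32: "noSuchObject", 34: "invalidDNSyntax", 48: "inappropriateAuthentication",
    49: "invalidCredentials", 50: "insufficientAccessRights", 53: "unwillingToPerform",
}


def _read_tlv(buf, pos):
    """Read one BER tag-length-value at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = number of length bytes
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    return tag, buf[pos:pos + length], pos + length


def _to_int(value):
    return int.from_bytes(value, "big", signed=True)


def decode_bind_message(raw):
    """Parse an LDAPMessage carrying bindRequest (APPLICATION 0) or bindResponse (APPLICATION 1)."""
    tag, body, _ = _read_tlv(raw, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    _, msg_id, pos = _read_tlv(body, 0)
    op_tag, op, _ = _read_tlv(body, pos)
    msg = {"message_id": _to_int(msg_id)}
    if op_tag == 0x60:                      # bindRequest: version, name, authentication
        _, version, pos = _read_tlv(op, 0)
        _, name, pos = _read_tlv(op, pos)
        auth_tag, _, _ = _read_tlv(op, pos)  # context tag 0 = simple password, 3 = SASL
        msg.update(op="bindRequest", version=_to_int(version), name=name.decode(),
                   auth="simple" if auth_tag == 0x80 else "sasl")
    elif op_tag == 0x61:                    # bindResponse: resultCode, matchedDN, diagnosticMessage
        _, code, pos = _read_tlv(op, 0)
        _, matched, pos = _read_tlv(op, pos)
        _, diag, _ = _read_tlv(op, pos)
        rc = _to_int(code)
        msg.update(op="bindResponse", result_code=rc, result_name=RESULT_CODES.get(rc, "other"),
                   matched_dn=matched.decode(), diagnostic=diag.decode())
    else:
        raise ValueError("not a bind operation (tag 0x%02x)" % op_tag)
    return msg


def _tlv(tag, value):
    """BER encode one tag-length-value with a definite length (short or long form)."""
    n = len(value)
    if n < 0x80:
        length = bytes([n])
    else:
        length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(length_bytes)]) + length_bytes
    return bytes([tag]) + length + value


def _int(n):
    """Minimal two's-complement content octets for a non-negative INTEGER/ENUMERATED."""
    return n.to_bytes(n.bit_length() // 8 + 1, "big")


def build_bind_request(message_id, dn, password):
    """Simple bind, LDAPv3: the request a client such as ldapsearch -x -D <dn> -w <pw> sends."""
    op = _tlv(0x02, _int(3)) + _tlv(0x04, dn.encode()) + _tlv(0x80, password.encode())
    return _tlv(0x30, _tlv(0x02, _int(message_id)) + _tlv(0x60, op))


def build_bind_response(message_id, result_code, diagnostic=""):
    """Server reply; diagnosticMessage is where some servers put detail beyond the bare code."""
    op = _tlv(0x0A, _int(result_code)) + _tlv(0x04, b"") + _tlv(0x04, diagnostic.encode())
    return _tlv(0x30, _tlv(0x02, _int(message_id)) + _tlv(0x61, op))


if __name__ == "__main__":
    # Constructed exchange mirroring the thread: the DN with the Base DN wrongly appended
    dn = "uid=zimbra,cn=admins,cn=zimbra,ou=people,dc=example,dc=com"
    print(decode_bind_message(build_bind_request(1, dn, "not-the-real-password")))
    print(decode_bind_message(build_bind_response(1, 49)))
```

The decoded bindRequest shows the name field the server received, which is the first thing to compare against the configured Bind DN; the bindResponse gives the numeric resultCode mapped to its RFC 4511 name, and the diagnosticMessage field, which is empty here but is where a server that reports a more specific reason puts it.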
