LDAP + Zimbra authentication

Question

I'm trying to configure external LDAP authentication from my LDAP box through Zimbra. Both servers are running on CentOS.

The Zimbra wiki has documentation but it's still leaving me puzzled.

http://wiki.zimbra.com/wiki/LDAP_Authentication#Configuring_external_LDAP_authentication

This is what my ldapsearch consist of:

ldapsearch -x -D cn=Manager,dc=domain,dc=com -y pass -H ldap://ldap.domain.com -b dc=domain,dc=com '(&(objectClass=JammMailAlias)(mail=marketing@domain.com))'

Any idea what the right filter would be? I'm pulling my hair trying to figure this out.

Here's the output of the ldapsearch above:

$ ldapsearch -x -D cn=Manager,dc=domain,dc=com -y pass -H ldap://ldap.domain.com -b dc=domain,dc=com '(&(objectClass=JammMailAlias)(mail=marketing@domain.com))'
# extended LDIF
#
# LDAPv3
# base <dc=domain,dc=com> with scope subtree
# filter: (&(objectClass=JammMailAlias)(mail=marketing@domain.com))
# requesting: ALL
#

# marketing@domain.com, domain.com, hosting, domain.com
dn: mail=marketing@domain.com,jvd=domain.com,o=hosting,dc=domain,dc=com
objectClass: JammMailAlias
objectClass: top
mail: marketing@domain.com
cn: Marketing Team
accountActive: TRUE
maildrop: bob
maildrop: john
maildrop: amy

lastChange: 1277317208

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

Here's an ldapsearch for a user:

$ ldapsearch -x -D cn=Manager,dc=domain,dc=com -y pass -H ldap://ldap.domain.com -b dc=domain,dc=com '(&(objectClass=JammMailAccount)(mail=hfranco@domain.com))'
# extended LDIF
#
# LDAPv3
# base <dc=domain,dc=com> with scope subtree
# filter: (&(objectClass=JammMailAccount)(mail=hfranco@domain.com))
# requesting: ALL
#

# hfranco@domain.com, domain.com, hosting, domain.com
dn: mail=hfranco@domain.com,jvd=domain.com,o=hosting,dc=domain,dc=com
objectClass: JammMailAccount
objectClass: top
mail: hfranco@domain.com
cn: Hank Franco
homeDirectory: /home/domains/domain.com/hfranco
delete: FALSE
lastChange: 1218909596
mailbox: domain.com/hfranco/
userPassword:: e01ENX1zWlQzcEk4M2FNOFV3U3gzK0NqaUtRPT0=
accountActive: TRUE

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

Answer 1

Something like (uid=%u) should work, or given your ldapsearch example, perhaps (&(objectClass=JammMailAlias)(mail=%u@domain.com))

Zimbra replaces the %u with the username that is attempting to authenticate, and then does a search/bind as that user to authenticate.

Edit:

In your setup, you should be able to use (mail=%u@domain.com) as your search filter.

You can test this by running something like ldapsearch -x -D cn=Manager,dc=domain,dc=com -y pass -H ldap://ldap.domain.com -b dc=domain,dc=com '(mail=hfranco@domain.com)' - it should return just the one entry above.