Unable to bind to LDAP in Mail module

[jjdejong@…]

slapd seems to be running on the wrong port. ps reports slapd running on port 390, with a weird host IP address:

17681 ?        Ssl    0:00 /usr/sbin/slapd -d 0 -h ldap://0.0.0.0:390/ ldapi://%2fvar%2frun%2fslapd%2fldapi/????x-mod=0777 -u openldap -g openldap -F /etc/ldap/slapd.d/

Thus postfix can't connect when trying to send mail. My mail.log is full of:

postfix/cleanup[17581]: warning: dict_ldap_connect: Unable to bind to server ldap://127.0.0.1:389 with dn cn=

Changing parameter SLAPD_SERVICES in /etc/default/slapd and bouncing slapd doesn't seem to fix things.

[jjdejong@…]

Finally, changing the port in /etc/init/ebox.slapd.conf and bouncing the Users and Groups module changed the port. But the postfix ldap bind error remains.

[jjdejong@…]

All ldap searches fail with "Error 32: no such object". Something is broken with the openldap configuration.

[jamor@…]

Hello Jjdejong,

do you refer to all LDap searches or only to mail-related ones?

[jamor@…]

Hello again,

i just shaw that this is already fixed in [dac07ce408] . The slapd was running as intended, it was the mail module which was not synchronized to this changes, so I advise you to change back the port.

The fix is not released yet, but if you want to hotfix your self, here is the overview of the commit ->  http://git.zentyal.org/zentyal.git/commit/dac07ce408285c46891bb438969d21cb2c78d14d

Regards,

Javier

[jjdejong@…]

OK, I changed the port back to 390 and updated /etc/postfix/main.cf. I still get this when attempting to send email (the port is correct now):

warning: dict_ldap_connect: Unable to bind to server ldap://127.0.0.1:390 with dn cn=zentyal,dc=mydomain,dc=local: 2 (Protocol error) warning: ldap:valiases lookup error for "xxx" warning: E52DA43404CF: virtual_alias_maps map lookup problem for xxx -- deferring delivery

Plus ldapsearch using port 390 doesnt work either:

ldapsearch -x -h localhost:390 -b "dc=mydomain,dc=local" uid=*

Returns "32 No such object"

[jjdejong@…]

Anonymous connection to LDAP structure in Zentyal 2.2 - base DN visible

[jjdejong@…]

Anonymous connection to LDAP structure in Zentyal 2.3 - base DN NOT visible

[jamor@…]

Answer from jjdejong:

Hola Javier,

I couldn't check this fix, because now I can't manage to reinstall the
zentyal-users package - apt-get spits configuration errors. I guess I
need to uninstall a few other packages and wipe the configuration files.

But the purpose of my email is to question why a non-standard port is
being used for LDAP - none of the standard tools works now with the
default settings, like ldapsearch, ldapadd, etc.

--JJJ

[jamor@…]

Hello Jjdejon,

the reason is that we are shipping samba4 which uses its own LDAP implementation. We found that was easier to us move the openldap port than the samba4 LDAP port.

Another thing, you don't need to use  https://trac.zentyal.org , the SSL version is for developers with zentyal certificates, you can access almost all sections using plain HTTP ,  http://trac.zentyal.org

Regards,

Javier

[jjdejong@…]

Thank you for your explanation. However, we got out of sync, so I'm reopening this - my last post is #comment:5, not my offline comment reported in #comment:6.

See the screenshots of Apache Directory Studio showing the differences in connecting to a Zentyal 2.2 LDAP server, and a 2.3 LDAP server.

[jamor@…]

Hello Jjdejong,

the difference is due to that in 2.3 version you need to bind to access the directory data. You can see the root DN and the password in 'Users and Group -> LDAP Settings'.

In your commentary you said that you updated main.cf but as you see in the changeset there were more files. If you want to try this fix you should modify them all or you can wait to the next release of zentyal-mail.

Regards,

Javier