Zimbra multidomain

**volga629** · April 25, 2019, 2:22pm

Hello Everyone,
I am trying authenticate zimbra 2FA deployment in multi domain setup where user name user@domain.com.
I got setup in zimbra external authentication filter as

(&(mail=%u@%d)(objectclass=OrganizationalPerson))

and in configuration interface I used predefined fields for uid=%u and all users show up no issues, but log in not working zimbra give this error

SoapEngine - handler exception: authentication failed for [user@domain.com], external LDAP auth failed, LDAP error:  - unable to ldap authenticate: Invalid user.

Any help thank you

**barrydegraaff** · April 26, 2019, 5:28am

Hello,

Did you use the automated installer? It that can be found at

as that will take care of the problem.

Or just use the ldap filter from the ‘manual’ readme:

github.com

Zimbra-Community/zimbra-foss-2fa/blob/master/README-MANUAL-INSTALL.md

# Manual Install Guide Zimbra Open Source Two Factor Authentication with PrivacyIDEA

[![2FA install steps](https://img.youtube.com/vi/PDhrvFGMtjQ/0.jpg)](https://www.youtube.com/watch?v=PDhrvFGMtjQ)

Install guide: https://www.youtube.com/watch?v=PDhrvFGMtjQ

The installation takes around 1GB of space.

1. Install docker-ce (you cannot use your distro's docker) see:
   https://docs.docker.com/install/linux/docker-ce/centos/
   https://docs.docker.com/install/linux/docker-ce/ubuntu/
   
   Enable docker on server startup: `systemctl enable docker`
   Start docker now: `systemctl start docker`

   Make sure to have NTP running on your Host (Zimbra server) or wherever your docker containers run, so they all get the correct time. 
   
       yum install -y ntpdate
       ntpdate 0.us.pool.ntp.org
       which ntpdate  #remember the full path

This file has been truncated. show original

(uid=%u)

The readme includes a video guide as well.
Thanks!

**volga629** · April 26, 2019, 1:06pm

Hello Barry,
In multi domain I used manual setup step by step, the whole goal is allow login with username@domainname.com which (uid=%u) is not allowing

Is I am missing something in setup ?

**barrydegraaff** · April 26, 2019, 1:53pm

Yeah, (uid=%u) will work on a multi domain setup.

It is a bit hard to explain, but the way LDAP works in Zimbra, is that the username string is cut into pieces and the ldap filter combined with the ldap search base should resolve to a users.

You should really try the automated set-up.

**volga629** · April 29, 2019, 4:38pm

I changed filter (uid=%u) and same issue. And test of external ldap succeed in web ui, but when trying login as external user
in mailobx.log
external LDAP auth failed, LDAP error: - unable to ldap authenticate: Invalid user.

I wonder if I need use accountname_with_domain =

**volga629** · April 30, 2019, 4:05pm

I tried with automated setup for one domain in multi domain zimbra and it same error. Audit logs are says that everything is OK, but zimbra is not recognized it.

**cornelinux** · May 1, 2019, 9:25am

Does the request appear in privacyIDEA? Do you see anything in the audit log?

**volga629** · May 1, 2019, 12:21pm

Some reason right now I don’t see request in audit.log
But I see zimbra connected to port 1389

root@camail00 ~> [~]# lsof -i :1389

COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
java 13320 zimbra 790u IPv6 47664271 0t0 TCP camail00.domain.prod:48710->172.18.0.2:iclpv-dm (ESTABLISHED)

**volga629** · May 1, 2019, 12:23pm

The only warning in log

[2019-04-30 13:50:50,555][280][139779579479872][WARNING][privacyidea.lib.utils:557] Proxy 127.0.0.1 not allowed to set IP to lan ip.

**volga629** · May 3, 2019, 12:11pm

I don’t think zimbra communicate with privacyidea container. This message in log about invalid user is more likely come from web form which is some sort of bug in js which cause soap do not recognize the user.

**volga629** · May 7, 2019, 11:52pm

Hello Everyone, I can’t resolve the issue by myself. Any help thank you.