1

Topic: how can I fix an LDAP error

==== Required information ====
- iRedMail version (check /etc/iredmail-release): 0.9.2
- Linux/BSD distribution name and version: Ubuntu 14.04
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): LDAP
- Web server (Apache or Nginx): Apache
- Manage mail accounts with iRedAdmin-Pro? 2.3.1
- Related log if you're reporting an issue:
====
I have a mail gateway appliance. It validates accounts on the iRedMail server using an LDAP source. This feature also provides remote authentication using LDAP. But I cannot get it to work. I get the error below when I try to authenticate with Postfix using my mail address and password:
Nov 16 21:57:28 mail slapd[7313]: conn=16799 fd=48 ACCEPT from IP=10.21.200.230:57188 (IP=0.0.0.0:389)
Nov 16 21:57:28 mail slapd[7313]: conn=16799 op=0 BIND dn="mail=yavuz.maslak@test.ipa.com.tr,ou=users,domainName=test.ipa.com.tr,o=domains,dc=ihlas,dc=local" method=128
Nov 16 21:57:28 mail slapd[7313]: conn=16799 op=0 BIND dn="mail=yavuz.maslak@test.ipa.com.tr,ou=Users,domainName=test.ipa.com.tr,o=domains,dc=ihlas,dc=local" mech=SIMPLE ssf=0
Nov 16 21:57:28 mail slapd[7313]: conn=16799 op=0 RESULT tag=97 err=0 text=
Nov 16 21:57:28 mail slapd[7313]: conn=16799 op=1 BIND anonymous mech=implicit ssf=0
Nov 16 21:57:28 mail slapd[7313]: conn=16799 op=1 BIND dn="" method=128
Nov 16 21:57:28 mail slapd[7313]: conn=16799 op=1 RESULT tag=97 err=48 text=anonymous bind disallowed
Nov 16 21:57:28 mail slapd[7313]: conn=16799 op=2 UNBIND


2

Re: how can I fix an LDAP error

yavuz.maslak wrote:

Nov 16 21:57:28 mail slapd[7313]: conn=16799 op=1 RESULT tag=97 err=48 text=anonymous bind disallowed

It's clear here. Your gateway appliance is trying to connect to the LDAP server with authentication (a.k.a. LDAP bind). Please update your appliance settings to use a proper bind DN and password for authentication.

3 (edited by yavuz.maslak 2015-11-22 05:37:26)

Re: how can I fix an LDAP error

The SMG says: "The wording "Could not create a validated object" is actually coming from your OpenLDAP server and the Messaging Gateway is just showing it to you. You should check your OpenLDAP server logs and troubleshoot from that end."

Post's attachments: Screen Shot 2015-11-21 at 23.36.45.png

4

Re: how can I fix an LDAP error

I'm afraid that I don't understand what you really want, but here's the bottom line:

The OpenLDAP service configured by iRedMail requires authentication to query it; connecting anonymously is not allowed. So, if your mail gateway appliance needs to query OpenLDAP, please configure a bind DN and password for authentication.

iRedMail creates 3 bind DNs with different permissions:

* cn=Manager,dc=xx,dc=xx: this is the LDAP root DN; it has full permission to read and write the LDAP server. It's just like the system root account or the MySQL root account.
* cn=vmail,dc=xx,dc=xx: this DN has read-only permission.
* cn=vmailadmin,dc=xx,dc=xx: this DN has read and write permission on o=domains,dc=xx,dc=xx and o=domainadmins,dc=xx,dc=xx.

Hope it helps.
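The slapd lines from the first post and the bind DN list above, worked through as an added example (this is not code from iRedMail, from the appliance vendor or from anyone in this thread): a small Python tool that reconstructs each slapd connection from its log lines, pairs every BIND with its RESULT, and reports (1) failed binds with the LDAP result code spelled out, such as err=48 for the anonymous bind that was disallowed on conn=16799, (2) successful simple binds that arrived over plain ldap:// from a remote host, because the password then crossed the network in the clear, and (3) remote binds as the root DN, which an appliance doing recipient validation and user authentication does not need. The root DN cn=Manager,dc=ihlas,dc=local is an assumption following the cn=Manager,dc=xx,dc=xx pattern given above, and the conn=16800 lines in the sample log are constructed, not taken from the original post.

```python
"""Reconstruct BIND sessions from slapd log lines and flag authentication problems."""
import re
from collections import namedtuple
from dataclasses import dataclass, field
from typing import Dict, Optional

# Constructed sample: conn=16799 is the exchange posted above; conn=16800 is
# made up to show the appliance binding as the root DN and then searching.
SAMPLE_LOG = """\
Nov 16 21:57:28 mail slapd[7313]: conn=16799 fd=48 ACCEPT from IP=10.21.200.230:57188 (IP=0.0.0.0:389)
Nov 16 21:57:28 mail slapd[7313]: conn=16799 op=0 BIND dn="mail=yavuz.maslak@test.ipa.com.tr,ou=users,domainName=test.ipa.com.tr,o=domains,dc=ihlas,dc=local" method=128
Nov 16 21:57:28 mail slapd[7313]: conn=16799 op=0 BIND dn="mail=yavuz.maslak@test.ipa.com.tr,ou=Users,domainName=test.ipa.com.tr,o=domains,dc=ihlas,dc=local" mech=SIMPLE ssf=0
Nov 16 21:57:28 mail slapd[7313]: conn=16799 op=0 RESULT tag=97 err=0 text=
Nov 16 21:57:28 mail slapd[7313]: conn=16799 op=1 BIND anonymous mech=implicit ssf=0
Nov 16 21:57:28 mail slapd[7313]: conn=16799 op=1 BIND dn="" method=128
Nov 16 21:57:28 mail slapd[7313]: conn=16799 op=1 RESULT tag=97 err=48 text=anonymous bind disallowed
Nov 16 21:57:28 mail slapd[7313]: conn=16799 op=2 UNBIND
Nov 16 21:58:02 mail slapd[7313]: conn=16800 fd=49 ACCEPT from IP=10.21.200.230:57190 (IP=0.0.0.0:389)
Nov 16 21:58:02 mail slapd[7313]: conn=16800 op=0 BIND dn="cn=Manager,dc=ihlas,dc=local" method=128
Nov 16 21:58:02 mail slapd[7313]: conn=16800 op=0 BIND dn="cn=Manager,dc=ihlas,dc=local" mech=SIMPLE ssf=0
Nov 16 21:58:02 mail slapd[7313]: conn=16800 op=0 RESULT tag=97 err=0 text=
Nov 16 21:58:02 mail slapd[7313]: conn=16800 op=1 SRCH base="o=domains,dc=ihlas,dc=local" scope=2 deref=0 filter="(mail=yavuz.maslak@test.ipa.com.tr)"
Nov 16 21:58:02 mail slapd[7313]: conn=16800 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Nov 16 21:58:02 mail slapd[7313]: conn=16800 op=2 UNBIND
"""

# Assumed root DN, following the cn=Manager,dc=xx,dc=xx pattern given above.
ROOT_DN = "cn=Manager,dc=ihlas,dc=local"
# LDAP resultCode values (RFC 4511) commonly seen on BIND results.
LDAP_ERR = {0: "success", 48: "inappropriateAuthentication", 49: "invalidCredentials",
            50: "insufficientAccessRights", 53: "unwillingToPerform"}

ACCEPT_RE = re.compile(r"conn=(\d+) fd=\d+ ACCEPT from IP=([\d.]+):\d+")
TLS_RE = re.compile(r"conn=(\d+) fd=\d+ TLS established")
BIND_DN_RE = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)" method=\d+')
BIND_MECH_RE = re.compile(r'conn=(\d+) op=(\d+) BIND (?:dn="[^"]*"|anonymous) mech=(\S+) ssf=')
# tag=97 is BindResponse, so SEARCH RESULT lines (tag=101) are not matched.
BIND_RESULT_RE = re.compile(r"conn=(\d+) op=(\d+) RESULT tag=97 err=(\d+) text=(.*)")

@dataclass
class BindOp:
    conn: int
    op: int
    dn: str = ""              # "" is an anonymous bind
    mech: str = ""            # SIMPLE, implicit (anonymous) or a SASL mechanism
    err: Optional[int] = None # LDAP resultCode from the matching RESULT line
    text: str = ""

@dataclass
class Connection:
    conn: int
    peer: str = ""            # stays "" for ldapi:// (Unix socket) clients
    tls: bool = False         # set when slapd logs "TLS established"
    binds: Dict[int, BindOp] = field(default_factory=dict)

Finding = namedtuple("Finding", "conn op peer dn code message")

def _bind(conns, cid, op):
    return conns.setdefault(cid, Connection(cid)).binds.setdefault(op, BindOp(cid, op))

def parse_slapd_log(text):
    """Return {conn_id: Connection} with every BIND op paired to its RESULT."""
    conns = {}
    for line in text.splitlines():
        if m := ACCEPT_RE.search(line):
            conns.setdefault(int(m[1]), Connection(int(m[1]))).peer = m[2]
        elif m := TLS_RE.search(line):
            conns.setdefault(int(m[1]), Connection(int(m[1]))).tls = True
        elif m := BIND_DN_RE.search(line):
            _bind(conns, int(m[1]), int(m[2])).dn = m[3]
        elif m := BIND_MECH_RE.search(line):
            _bind(conns, int(m[1]), int(m[2])).mech = m[3]
        elif m := BIND_RESULT_RE.search(line):
            b = _bind(conns, int(m[1]), int(m[2]))
            b.err, b.text = int(m[3]), m[4].strip()
    return conns

def diagnose(conns, root_dn=ROOT_DN):
    """Flag failed binds, cleartext simple binds from remote hosts and remote
    use of the root DN. Returns a list of Finding tuples in log order."""
    findings = []
    for conn in sorted(conns.values(), key=lambda c: c.conn):
        remote = conn.peer not in ("", "127.0.0.1", "::1")
        for b in sorted(conn.binds.values(), key=lambda x: x.op):
            who, where = b.dn or "<anonymous>", (conn.conn, b.op, conn.peer)
            if b.err not in (None, 0):
                msg = f"err={b.err} ({LDAP_ERR.get(b.err, 'unknown')}): {b.text}"
                if b.err == 48 and not b.dn:
                    msg += "; the client sent no credentials, so give it a bind DN and password"
                findings.append(Finding(*where, who, "bind-failed", msg))
                continue
            if b.err == 0 and b.dn and b.mech == "SIMPLE" and remote and not conn.tls:
                findings.append(Finding(*where, who, "cleartext-bind",
                    "simple bind over plain ldap:// from a remote host: password sent unencrypted (use ldaps:// or STARTTLS)"))
            if b.err == 0 and remote and b.dn.lower() == root_dn.lower():
                findings.append(Finding(*where, who, "root-dn-remote",
                    "root DN used from a remote host; recipient validation and user auth only need the read-only DN"))
    return findings
```

To run it against a real server, feed `parse_slapd_log` the slapd lines from syslog (slapd on Ubuntu logs through syslog) and print `diagnose(...)`. A connection is treated as encrypted only when slapd has logged "TLS established" for it, which happens for both ldaps:// and STARTTLS at the same log level as the BIND lines; ldapi:// clients have no IP= peer and are treated as local. The conn=16799 session above therefore produces two findings: the anonymous bind rejected with err=48, and the user's own simple bind on port 389 with no TLS, meaning the appliance sent that password in the clear.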

5

Re: how can I fix an LDAP error

I use cn=Manager,dc=xx,dc=xx on the appliance for full permission. When I try to authenticate, I get an error on the SMG appliance: "Failed to connect to LDAP server. Check the Control Center and DDS logs for details. DDS error code: 800400 Additional information returned by LDAP server: Failure connecting to data source: openldap Reason: Could not create a validated object"

The configuration and query on the SMG appliance are shown in the picture:


Post's attachments: Screen Shot 2015-11-22 at 20.24.55.png

6

Re: how can I fix an LDAP error

yavuz.maslak wrote:

Failed to connect to LDAP server.

Is the OpenLDAP service accessible from external network?

7

Re: how can I fix an LDAP error

Yes, it is accessible from outside, and recipient validation checking already works on it.

8

Re: how can I fix an LDAP error

I have no idea ...

*) OpenLDAP is accessible from external network.
*) You have bind dn/password set in your appliance for authenticated ldap query.

What's the new error message and debug log in your appliance?

9

Re: how can I fix an LDAP error

When I test an authentication on the appliance, I get the error shown in the attachment.

Is that query right?

Post's attachments: Screen Shot 2015-12-01 at 21.24.30.png

10

Re: how can I fix an LDAP error

I'm afraid that I don't understand how your appliance uses LDAP bind/auth. I suggest you ask your vendor to get it working.