Difference between revisions of "Cool Solution - Setting up Zimbra with LDAP authentication"

From Univention Wiki

This diff compares the previous revision of the article with the revision of 26 April 2016 (minor edit; summary: "remove 2.4 cool solution, add 4.1 ldap setup via web interface"). The previous revision, written for UCS 2.4, is reproduced below in its wiki source form; the text that replaced it is the current revision rendered further down.

Previous revision (UCS 2.4):

{{Version|UCS=2.4}}

Zimbra ships all needed services and updates them when a regular Zimbra update is executed. To simplify matters, the shipped services are used in a 64-bit UCS member server installation. Later on, authentication against the DC master via LDAP is described. If required, Univention can provide support for replicating user data.

== Installing Zimbra ==

First, the latest version of Zimbra must be downloaded. At the time of writing, the latest version is from August 4th, 2011. Zimbra is installed in /opt:

<pre>
cd /opt
wget http://files2.zimbra.com/downloads/7.1.2_GA/zcs-7.1.2_GA_3268.DEBIAN5_64.20110804120420.tgz
tar -xzf zcs-7.1.2_GA_3268.DEBIAN5_64.20110804120420.tgz
cd zcs-7.1.2_GA_3268.DEBIAN5_64.20110804120420/
</pre>

The archive is fetched over plain HTTP, so compare its checksum with the one published by Zimbra before unpacking it.

Next, the Apache web server and postfix must be stopped and configured so that neither service starts automatically when the system boots:

<pre>
/etc/init.d/apache2 stop
ucr set apache2/autostart=no
/etc/init.d/postfix stop
ucr set postfix/autostart=no
</pre>

To satisfy all dependencies, the UCS unmaintained repository must be activated and the dependencies installed:

<pre>
ucr set repository/online/unmaintained=yes
univention-install libidn11 curl fetchmail libgmp3c2 sysstat sqlite3
</pre>

The interactive installation can now be started. Some options can be changed during the installation, but the default settings are mostly appropriate:

<pre>
./install
</pre>

The installation script may fail to find the MX record; this step can be skipped by pressing '''n'''. When the installation is finished, the administrator's password must be entered.

To start the Zimbra service automatically when the system boots, it must be configured to do so:

<pre>
update-rc.d zimbra defaults
</pre>

Since Zimbra's LDAP libraries conflict with the LDAP libraries shipped with UCS, the global search path for LDAP libraries must be altered. Open the file '''/etc/univention/templates/files/etc/profile''' in an editor and add the following line:

<pre>
export LD_LIBRARY_PATH="/usr/lib"
</pre>

For the change to take effect, the file must be re-written:

<pre>
ucr commit /etc/profile
</pre>

'''WARNING:''' The change can be reverted when the server is updated. If this happens, it must be made again.

Finally, restart the server:

<pre>
reboot
</pre>

== Accessing Zimbra ==

(Same text as in the current revision below: user login at http://<IP of Zimbra server>/, administrative login at http://<IP of Zimbra server>:7071 as '''admin@<domain>''' with the password entered during the installation.)

== Configuration to use an external LDAP service ==

By default, Zimbra uses its own LDAP server. However, it is possible to configure Zimbra to use an external LDAP service. It is important that the user names in both LDAP directories are identical. During login, Zimbra tries to authenticate the user against the external LDAP service. If the authentication succeeds, the user is considered authenticated and can use Zimbra. When LDAP authentication is properly configured, Zimbra only authenticates against the external LDAP service and not against its own.

To configure Zimbra to use an external LDAP service, log in as the administrative user and navigate to the administration page. Open the configuration page via '''Configuration''' -> '''Domains''' and click the "Configure Authentication" button in the upper part of the page. A configuration wizard opens in which the settings can be edited (assuming the domain is ucs.test):

<pre>
Authentication Mechanism: External LDAP
LDAP URL: ldap://<FQDN of the master>:389
LDAP-Filter: (uid=%u)
LDAP-Search-Base: dc=ucs,dc=test
Use DN/Password to bind to external Server: Yes
Bind DN: uid=Administrator,cn=users,dc=ucs,dc=test
</pre>

Note that this revision binds as the domain Administrator, which hands Zimbra a fully privileged directory credential, and uses an unencrypted ldap:// URL; the current revision below uses a dedicated simple authentication account and LDAPS instead.

=== Synching user data ===
Revision as of 08:45, 26 April 2016

Note: This article is not yet reviewed.
UCS Version 4.1

Note: Cool Solutions are articles documenting additional functionality based on Univention products. Not all of the shown steps in the article are covered by Univention Support. For questions about your support coverage contact your contact person at Univention before you want to implement one of the shown steps.

Also regard the legal notes at Terms of Service.

Zimbra cannot currently be installed on a UCS system, so this article only covers setting up LDAP authentication against UCS.

Accessing Zimbra

Zimbra can be accessed by opening either of the two addresses below in your browser. At this point a login is only possible as the administrative user: open one of the two addresses and log in as admin@<domain> with the password that was entered during the installation.

User login:

http://<IP of Zimbra server>/

Administrative user login (the administration console is served over HTTPS only):

https://<IP of Zimbra server>:7071

Configuration to use an external LDAP service

If you want encrypted (LDAPS/TLS) communication between Zimbra and the UCS LDAP server, follow these steps before starting with the actual setup. We recommend doing so: without it, the bind password and every user password that Zimbra checks travel across the network in clear text.

Zimbra must trust the certificate of the server it connects to. In this case the UCS server has a certificate issued by the UCS domain's own CA, so Zimbra needs that CA certificate. Copy the CA certificate and the server certificate from the DC master to the server running Zimbra (<system name> is the host name of the UCS server as it appears under /etc/univention/ssl/):

scp /etc/univention/ssl/ucsCA/CAcert.pem root@<zimbra server>:/opt/zimbra/ssl/zimbra/commercial/ca_commercial.crt
scp /etc/univention/ssl/<system name>/cert.pem root@<zimbra server>:/opt/zimbra/ssl/zimbra/commercial/

Then make the certificate known to Zimbra by executing this command on the server running Zimbra:

/opt/zimbra/bin/zmcertmgr deploycrt comm /opt/zimbra/ssl/zimbra/commercial/cert.pem

zmcertmgr deploycrt is Zimbra's tool for deploying a certificate for Zimbra's own services; what the LDAP connection needs from this step is that the UCS CA ends up in Zimbra's trust store. If you only want to add the CA without touching Zimbra's own certificate, Zimbra's zmcertmgr addcacert <certificate> does that (this variant is not part of the steps above). Zimbra needs to be restarted afterwards:

service zimbra restart

To set up LDAP authentication, open the Zimbra administration console, go to Configure -> Domains, right-click your domain and click Configure Authentication. Choose External LDAP and click Next. On the following page, give the wizard the IP address or host name of your UCS LDAP server and the port: for an encrypted connection between Zimbra and the UCS LDAP server use port 7636 and check the box Use SSL, otherwise use port 7389 and leave the box unchecked. With SSL enabled, use the host name the copied UCS certificate was issued for. LDAP filter tells Zimbra how to find the directory entry for a login; %u is replaced by the user name part of the login (the part before the @). To look users up by their UCS uid the filter looks like this:

(uid=%u)

Anything that matches the filter and knows its password can log in, so restrict the filter to the entries you actually want to allow rather than to every entry carrying a uid. To use the uid as the user name but only allow entries with the objectClass organizationalPerson (the attribute value is matched case-insensitively, so "OrganizationalPerson" works as well) the filter has to look like this:

(&(uid=%u)(objectClass=OrganizationalPerson))

You can find further information about this in the Zimbra Wiki (https://wiki.zimbra.com/wiki/LDAP_Authentication).

Put your LDAP base into the field next to LDAP search base. You can obtain that information with

ucr get ldap/base

on UCS.

Click next.

The next page asks for a bind user that Zimbra uses to bind to LDAP. We recommend creating a "Simple authentication account" via the UMC for this purpose: it can only bind to and read the directory, so Zimbra never has to store a privileged password such as the Administrator's. Check the box "Use DN/Password to bind to external server" and provide the Zimbra wizard with the DN of that account and its password. Click next.

The following page shows you a summary of the settings you just applied and allows you to test the connection. You can try to login with LDAP credentials in the form at the bottom of the page. If the connection is successful a blue box saying "Authentication test succeeded" and the computed bind DN will appear.

If the test works and all settings are alright, click next and finish the wizard by pressing Finish.
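The certificate steps above, the port choice, and the filter and bind-account pages of the wizard can be checked from the Zimbra host's command line independently of the wizard's own authentication test. The script below is an added example, not part of the Univention article or of Zimbra or UCS: it verifies the UCS LDAPS endpoint against the copied CA with openssl, binds as the simple authentication account and runs the wizard's filter with %u substituted, using ldapsearch. The path of the CA copy, port 7636, the bind DN in the usage comment and the presence of openssl and the OpenLDAP client tools on the Zimbra host are assumptions. It also escapes the login name before substituting it into the filter (RFC 4515), which matters because a login such as *)(uid=* would otherwise change the filter's meaning.

```shell
#!/bin/sh
# zimbra-ldap-check.sh: added example, not part of the Univention article, UCS or Zimbra.
# Reproduces from the Zimbra host what the "External LDAP" wizard does, so that a
# failing "Authentication test" can be narrowed down to certificate, bind or filter:
#   1. verify the UCS LDAPS endpoint against the UCS CA copied to CA_FILE,
#   2. bind as the simple authentication account (password read from a file),
#   3. run the filter with %u replaced by a login name, as Zimbra would.
# Assumptions: CA_FILE defaults to the path the article copies the UCS CA to; the
# UCS LDAPS port is 7636; openssl and ldapsearch (OpenLDAP client tools) exist.
set -u

CA_FILE=${CA_FILE:-/opt/zimbra/ssl/zimbra/commercial/ca_commercial.crt}

# Escape a login name for use inside an LDAP filter (RFC 4515).  Without this a
# login such as  *)(uid=*  would turn (uid=%u) into a filter matching other entries.
ldap_filter_escape() {
  printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# Replace every %u in a Zimbra filter template with the escaped login name.
# The replacement is passed through the environment because awk -v would
# interpret the backslashes produced by ldap_filter_escape as escape sequences.
build_filter() {  # template login
  esc=$(ldap_filter_escape "$2")
  printf '%s' "$1" | rep="$esc" awk '{
    s = $0; out = ""
    while ((i = index(s, "%u")) > 0) {
      out = out substr(s, 1, i - 1) ENVIRON["rep"]
      s = substr(s, i + 2)
    }
    print out s
  }'
}

# Step 1: the chain presented on port 7636 must validate against the UCS CA and the
# certificate must be issued for the host name that goes into the Zimbra LDAP URL.
# (-verify_hostname needs OpenSSL 1.1.0 or newer; drop it on older hosts.)
check_tls() {  # ucs-host
  openssl s_client -connect "$1:7636" -servername "$1" -CAfile "$CA_FILE" \
    -verify_hostname "$1" -verify_return_error </dev/null >/dev/null 2>&1
}

# Steps 2 and 3: bind with the account Zimbra will use and run the substituted
# filter below the search base.  LDAPTLS_CACERT makes ldapsearch trust the UCS CA;
# -y reads the password from a file so it never appears in the process list
# (create that file with printf '%s' so it has no trailing newline).
ldap_test_login() {  # ucs-host ldap-base bind-dn passfile filter-template login
  filter=$(build_filter "$5" "$6")
  LDAPTLS_CACERT="$CA_FILE" ldapsearch -LLL -x -H "ldaps://$1:7636" \
    -D "$3" -y "$4" -b "$2" "$filter" dn uid
}

main() {
  if [ "$#" -ne 6 ]; then
    echo "usage: $0 ucs-host ldap-base bind-dn passfile filter-template login" >&2
    return 2
  fi
  check_tls "$1" || { echo "TLS verification of $1:7636 against $CA_FILE failed" >&2; return 1; }
  ldap_test_login "$@"
}

# Example invocation (host, bind DN and password file are hypothetical placeholders):
#   ./zimbra-ldap-check.sh master.ucs.test dc=ucs,dc=test \
#     uid=zimbra-bind,cn=users,dc=ucs,dc=test /root/zimbra-bind.pw '(uid=%u)' alice
[ "$#" -eq 0 ] || main "$@"
```

A failure in the first step means the CA copy or the host name is wrong, a failure in the bind means the bind DN or the password file is wrong, and a successful bind that returns no entry means the filter or the search base does not match the user entry; the wizard's blue box collapses these three into one result.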

Every user has to exist in Zimbra to be able to log in, even with LDAP authentication set up. To fulfil this requirement they only need a last name and an LDAP DN assigned to them.

Synching user data

In order for the LDAP authentication against an external LDAP service to be successful, the usernames in both LDAP directories must be identical.
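Creating every account by hand in the administration console does not scale once more than a handful of UCS users should be able to log in. The script below is an added example, not part of the Univention article or of Zimbra or UCS: it reads an LDIF export of UCS user entries and prints the zmprov commands that create the matching Zimbra accounts with a last name and the LDAP DN, so that the user names stay identical on both sides. That the DN is stored in the account attribute zimbraAuthLdapExternalDn, that the account name is <uid>@<Zimbra domain>, that an empty password is acceptable for externally authenticated accounts, and the sample LDIF itself (constructed) are assumptions.

```shell
#!/bin/sh
# ucs-ldif-to-zmprov.sh: added example, not part of the Univention article, UCS or Zimbra.
# Every LDAP user who should log in must also exist as a Zimbra account with a last
# name and the LDAP DN Zimbra authenticates against.  This script turns an LDIF
# export of UCS users into the matching "zmprov ca" (createAccount) commands.  It
# only prints them: review the output, then run it as the zimbra user.
# Assumptions: the Zimbra account name is <uid>@<Zimbra domain> (the article requires
# identical user names on both sides); the password argument is empty because
# authentication is external; the DN goes into zimbraAuthLdapExternalDn; the LDIF
# uses plain "attr: value" lines (no base64 "::" values, no line folding).

# Constructed sample input, standing in for an export such as
#   ldapsearch -LLL -x -b "$(ucr get ldap/base)" \
#     '(&(uid=*)(objectClass=organizationalPerson))' uid sn givenName
SAMPLE_LDIF='dn: uid=alice,cn=users,dc=ucs,dc=test
uid: alice
sn: Example
givenName: Alice

dn: uid=bob,cn=users,dc=ucs,dc=test
uid: bob
sn: van der Berg
'

# Read LDIF on stdin, print one shell command per user entry.
ldif_to_zmprov() {  # zimbra-domain  < users.ldif
  awk -v domain="$1" '
    BEGIN { q = sprintf("%c", 39) }              # the single-quote character
    # Single-quote a value for the shell; an embedded quote becomes quote,
    # backslash, quote, quote so that DNs and names reach zmprov verbatim.
    function sq(s) { gsub(q, q "\\\\" q q, s); return q s q }
    function flush() {
      if (dn != "" && uid != "") {
        if (sn == "") sn = uid                   # Zimbra insists on a last name
        printf "zmprov ca %s %s sn %s%s zimbraAuthLdapExternalDn %s\n",
               sq(uid "@" domain), sq(""), sq(sn),
               (gn != "" ? " givenName " sq(gn) : ""), sq(dn)
      }
      dn = uid = sn = gn = ""
    }
    /^dn: /        { dn  = substr($0, 5) }
    /^uid: /       { uid = substr($0, 6) }
    /^sn: /        { sn  = substr($0, 5) }
    /^givenName: / { gn  = substr($0, 12) }
    /^$/           { flush() }                   # blank line ends an LDIF entry
    END            { flush() }
  '
}

# Example run (ucs.test is the placeholder domain used in the article):
#   ldapsearch ... | ./ucs-ldif-to-zmprov.sh ucs.test > /tmp/create-accounts.sh
#   su - zimbra -c 'sh /tmp/create-accounts.sh'
[ "$#" -eq 0 ] || ldif_to_zmprov "$1"
```

Entries without a uid are skipped, and an entry without sn gets its uid as last name so that the account can be created at all; the generated file is plain shell, so it can be inspected, diffed against a previous run and executed only once it looks right.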

System mails

In order to receive system mails, like those generated by cron jobs, it is necessary to set root@<server fqdn> and root@<maildomain> as aliases of the mailbox that should receive them in the Zimbra administration page.
