Difference between revisions of "Cool Solution - Setting up Zimbra with LDAP authentication"

From Univention Wiki

Revision as of 11:31, 18 October 2016

UCS Version 4.1

Note: Cool Solutions are articles documenting additional functionality based on Univention products. Not all of the steps shown in the article are covered by Univention Support. For questions about your support coverage, contact your contact person at Univention before implementing any of the steps shown.

Also regard the legal notes at Terms of Service.
Note: This article is not yet reviewed.


Zimbra currently cannot be installed on a UCS system, because it requires a newer version of glibc than the one available in UCS 4.1. Thus, we will only explain setting up LDAP authentication from an Ubuntu server running Zimbra against the UCS LDAP.

You can obtain information on how to install Zimbra from the official documentation. We used the Open Source Edition for this article.

Accessing Zimbra

Zimbra can be accessed by opening either of the web addresses below in your browser. At this time, a login is only possible as the administrative user. To log in, open one of the two addresses and log in as admin@<domain> with the password entered during the installation.

User login:

https://<IP of Zimbra server>/

Administrative user login:

https://<IP of Zimbra server>:7071

Configuration to use an external LDAP service

To set up LDAP authentication, open the Zimbra Administration, go to Configure -> Domains, right-click on your domain and click Configure Authentication. Choose External LDAP and click Next. On the following page, provide the wizard with the IP or hostname of your LDAP server and the port 7389. LDAP filter defines which LDAP attribute is mapped to the user name; %u is replaced with the login name. To use the uid as username, the filter would look like this:

(uid=%u)

To use the uid as username, but only allow people with the objectClass "OrganizationalPerson" to authenticate, the filter would have to look like this:

(&(uid=%u)(objectClass=OrganizationalPerson))

You can find further information about this in the Zimbra Wiki.

Put your LDAP base into the field next to LDAP search base. You can obtain that information with

ucr get ldap/base

on your UCS Server.

Click next.

The next page asks for a bind user to bind to LDAP. We recommend creating a "Simple authentication account" via the UMC for this purpose. Check the box "Use DN/Password to bind to external server" and provide the Zimbra wizard with the DN of that account and its password. Click next.

The following page shows you a summary of the settings you just applied and allows you to test the connection. You can try to log in with LDAP credentials in the form at the bottom of the page. If the connection is successful, a blue box saying "Authentication test succeeded" and the computed bind DN will appear.

If the test works and all settings are correct, click next and finish the wizard by pressing Finish.

Every user has to exist in Zimbra to be able to log in, even with LDAP set up. At a minimum, they only need a last name and an LDAP DN assigned to them to fulfil this requirement.

Using LDAP over SSL

We recommend establishing the LDAP connection to your UCS server over SSL (ldaps).
To accomplish this, you will have to import the root certificate of your UCS server into your Zimbra server, so that Zimbra can establish a secure connection with your UCS server and verify its certificate.

To do this, we will first have to download the root certificate to the Zimbra server. Note: The certificate can be found on the homepage of your UCS server while not logged in. Click on the Administration tab, then right-click Root certificate and select "Save Link As..." to download it.

After you have downloaded the certificate onto your Zimbra server, you will have to log in on a console with the zimbra account.
The certificate can then be imported with the following command:

/opt/zimbra/bin/zmcertmgr addcacert <certificate name>.crt

After that, Zimbra has to be restarted:

zmcontrol restart

Now, you will have to change your LDAP authentication settings. For this, open the Zimbra Administration again and go to Configure -> Domains, right-click on your domain and click Configure Authentication.
Click Next, tick the "Use SSL" box and don't forget to set the port to 7636. Now click Next again, confirm the bind user password and test the connection on the next page as before.
You are finished and can click on the Finish button if a blue box says "Authentication test succeeded".
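As an added pre-flight check that is not part of the original article, the following POSIX shell script reproduces from the Zimbra host what the wizard's authentication test does for both the filter section above and the ldaps setup: it builds the search filter from the %u template with the login name escaped per RFC 4515, then binds with the simple authentication account over ldaps on port 7636, verifying the server certificate against the downloaded UCS root certificate. It assumes the OpenLDAP client tools (ldap-utils on Ubuntu) are installed; the host name, DNs, file names and account values are constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from the Univention article: pre-flight check of the
# LDAP settings the Zimbra wizard asks for, run from the Zimbra host.

# Escape a value for use inside an LDAP filter (RFC 4515): backslash, '*', '('
# and ')' become \5c, \2a, \28 and \29, so a login name cannot alter the filter.
ldap_filter_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' \
                           -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# Build the search filter the way the wizard does: every %u in the template
# is replaced with the (escaped) login name. Pure sh, no sed on user input.
build_filter() {
    template=$1
    user=$(ldap_filter_escape "$2")
    out=""
    while [ "${template#*%u}" != "$template" ]; do
        out="$out${template%%%u*}$user"
        template=${template#*%u}
    done
    printf '%s' "$out$template"
}

# Bind-and-search over ldaps, as the wizard's "Authentication test" does.
# Args: UCS host, bind DN, file holding the bind password, search base,
#       filter template, login name to test.
# UCS_CA_CERT must point at the root certificate downloaded from the UCS
# homepage; LDAPTLS_CACERT makes ldapsearch verify the server against it.
# The password is read from a file (-y) so it is not visible in the process list.
ucs_ldap_check() {
    host=$1; bind_dn=$2; pw_file=$3; base=$4; tmpl=$5; login=$6
    filter=$(build_filter "$tmpl" "$login")
    LDAPTLS_CACERT="${UCS_CA_CERT:-ucs-root-ca.crt}" \
    ldapsearch -LLL -o ldif-wrap=no -H "ldaps://$host:7636" \
        -D "$bind_dn" -y "$pw_file" -b "$base" -s sub "$filter" dn
}

# Usage with constructed placeholder values (a printed dn means that base,
# filter, bind account and TLS chain all work; an empty result or TLS error
# points at the setting to fix before touching the Zimbra wizard):
# ucs_ldap_check ucs-master.example.com \
#   "uid=zimbra-bind,cn=users,dc=example,dc=com" /root/zimbra-bind.pw \
#   "dc=example,dc=com" "(&(uid=%u)(objectClass=OrganizationalPerson))" jdoe
```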

Synching user data

In order for the LDAP authentication against an external LDAP service to be successful, the usernames in both LDAP directories must be identical.

System mails

In order to receive system mails, like those generated by cronjobs, it is necessary to set root@<server fqdn> and root@<maildomain> as aliases in the Zimbra administration page.
