Cool Solution - Setting up Zimbra with LDAP authentication

From Univention Wiki

{{Review-Status}}{{Version|UCS=4.1}} {{Cool Solutions Disclaimer}}
This Cool Solution has been discontinued in favor of the [https://www.univention.com/products/univention-app-center/app-catalog/zimbra/ Connector for Zimbra] in our App Center.
Zimbra cannot currently be installed on a UCS system itself. This article therefore only covers configuring a Zimbra server to authenticate its users against the UCS LDAP directory.
 
 
 
== Accessing Zimbra ==
 
 
 
Zimbra can be accessed by opening either of the two web addresses below in your browser. Until external LDAP authentication is configured, only the administrative user can log in: open one of the addresses and log in as '''admin@<domain>''' with the password that was entered during the Zimbra installation. The administration console on port 7071 is served over HTTPS only.

User login:

<pre>
http://<IP of Zimbra server>/
</pre>

Administrative user login:

<pre>
https://<IP of Zimbra server>:7071
</pre>
 
 
 
== Configuration to use an external LDAP service ==
 
 
 
=== Importing the UCS certificate into Zimbra for encrypted LDAP queries ===

'''If you want Zimbra to talk to the UCS LDAP over SSL/TLS, follow these steps before starting the actual setup.'''

We recommend doing so: without encryption, the bind account's password and every user's login credentials cross the network in clear text.

Zimbra has to trust the certificate of the server it connects to. The UCS LDAP server uses a certificate issued by the UCS' own CA, which is not in any public trust store, so that CA has to be made known to Zimbra.
 
Copy the CA certificate and the host certificate from the UCS system to the server running Zimbra. Run both commands on UCS; <system name> is the FQDN of the UCS LDAP server you will point Zimbra at.

<pre>
scp /etc/univention/ssl/ucsCA/CAcert.pem root@<zimbra server>:/opt/zimbra/ssl/zimbra/commercial/ca_commercial.crt
</pre>

<pre>
scp /etc/univention/ssl/<system name>/cert.pem root@<zimbra server>:/opt/zimbra/ssl/zimbra/commercial/
</pre>

Then make the certificate known to Zimbra by executing this command on the server running Zimbra (on Zimbra 8.7 and later, zmcertmgr has to be run as the zimbra user rather than as root):

<pre>
/opt/zimbra/bin/zmcertmgr deploycrt comm /opt/zimbra/ssl/zimbra/commercial/cert.pem
</pre>

Note that <code>deploycrt comm</code> installs the given certificate as Zimbra's own (commercial) server certificate and expects a matching private key on the Zimbra host. If all you need is for Zimbra to trust the UCS CA on its outbound LDAPS connection, importing only the CA into Zimbra's Java trust store with <code>zmcertmgr addcacert /opt/zimbra/ssl/zimbra/commercial/ca_commercial.crt</code> achieves that without replacing the server certificate.

Zimbra needs to be restarted afterwards:

<pre>
service zimbra restart
</pre>
 
 
 
=== Configuring LDAP authentication ===
 
To set up LDAP authentication, open the Zimbra Administration console, go to Configure -> Domains, right-click your domain and choose ''Configure Authentication''. Select ''External LDAP'' and click ''Next''. On the following page, give the wizard the IP address or hostname of your UCS LDAP server and the port. For an encrypted connection between Zimbra and the UCS LDAP use port 7636 and check the box ''Use SSL''; otherwise use port 7389 and leave the box unchecked. ''LDAP filter'' defines how the name a user types at login is mapped to an entry in the UCS directory: Zimbra substitutes the local part of the login name (everything before the @) for <code>%u</code>, or the full login name for <code>%n</code>, and searches the directory for entries matching the resulting filter. To match on the UCS uid, the filter looks like this:

<pre>
(uid=%u)
</pre>

To match on the uid but only allow entries with the objectClass organizationalPerson to authenticate, the filter would be:

<pre>
(&(uid=%u)(objectClass=organizationalPerson))
</pre>
 
 
 
You can find further information about this in the [https://wiki.zimbra.com/wiki/LDAP_Authentication Zimbra Wiki].
 
 
 
Put your LDAP base into the field next to ''LDAP search base''. You can obtain that information with
 
<pre>
 
ucr get ldap/base
 
</pre>
 
on UCS.
 
 
 
Click ''next''.
 
 
 
The next page asks for an account that Zimbra uses to bind to the LDAP server and run the user search. We recommend creating a dedicated "Simple authentication account" via the UMC for this purpose, so that no personal or administrative account's password is stored in Zimbra. Check the box "Use DN/Password to bind to external server" and provide the wizard with the DN of that account and its password.
 
Click ''next''.
 
 
 
The following page shows a summary of the settings you just entered and lets you test the connection. Enter the credentials of an existing UCS user in the form at the bottom of the page. If the search and the subsequent bind succeed, a blue box saying "Authentication test succeeded" appears together with the bind DN Zimbra computed for that user.
 
 
 
If the test works and all settings are alright, click next and finish the wizard by pressing ''Finish''.
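The wizard's test page can be reproduced from a shell on the Zimbra host before anything is entered into the console; done over LDAPS with the CA file from the certificate section, it also proves that the copied CA really vouches for the UCS listener. The following script is an added example and is not part of the original article, of Zimbra or of UCS. It assumes the OpenLDAP client tools (ldapsearch, ldapwhoami) are installed on the Zimbra host; the host, base DN, bind DN, CA path and the user jdoe are placeholders. It also shows why the login name has to be escaped before it is substituted into the filter.

```python
#!/usr/bin/env python3
"""Preflight for Zimbra "External LDAP" authentication against the UCS LDAP.

Reproduces, from the shell, what the Zimbra wizard does on its test page:
  1. expand the filter template for a login name (RFC 4515 escaped),
  2. search for that entry as the bind account over LDAPS, verifying the
     server certificate against the UCS CA copied to the Zimbra host,
  3. bind as the DN that was found, with the user's own password.
Added example; assumes the OpenLDAP client tools are installed.
"""
import base64
import os
import shutil
import subprocess
import sys

# RFC 4515: these characters are filter syntax.  A login name is data, so it
# is escaped before substitution; otherwise a name like "*)(uid=Administrator"
# would change the shape of the filter instead of being looked up literally.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def render_filter(template: str, login: str) -> str:
    """Expand Zimbra's placeholders: %u local part, %n full login,
    %d domain (foo.com), %D domain as dc=foo,dc=com."""
    local, _, domain = login.partition("@")
    dc_form = ",".join("dc=" + p for p in domain.split(".")) if domain else ""
    out = template
    for token, value in (("%D", dc_form), ("%n", login), ("%u", local), ("%d", domain)):
        out = out.replace(token, escape_filter_value(value))
    return out


def tls_env(cacert: str) -> dict:
    """Make the OpenLDAP tools verify the UCS server cert against our CA copy."""
    env = dict(os.environ)
    env["LDAPTLS_CACERT"] = cacert
    env["LDAPTLS_REQCERT"] = "demand"  # fail instead of silently accepting an unknown cert
    return env


def search_argv(uri: str, bind_dn: str, base: str, ldap_filter: str) -> list:
    # -LLL and ldif-wrap=no give one unwrapped "dn:" line per hit; -W prompts for the password.
    return ["ldapsearch", "-x", "-LLL", "-o", "ldif-wrap=no", "-H", uri,
            "-D", bind_dn, "-W", "-b", base, "-s", "sub", ldap_filter, "dn"]


def whoami_argv(uri: str, user_dn: str) -> list:
    return ["ldapwhoami", "-x", "-H", uri, "-D", user_dn, "-W"]


def dns_from_ldif(ldif: str) -> list:
    """Collect the DNs from ldapsearch output (base64 'dn::' lines included)."""
    dns = []
    for line in ldif.splitlines():
        if line.startswith("dn:: "):
            dns.append(base64.b64decode(line[5:]).decode("utf-8"))
        elif line.startswith("dn: "):
            dns.append(line[4:])
    return dns


def preflight(uri, cacert, bind_dn, base, template, login):
    env = tls_env(cacert)
    ldap_filter = render_filter(template, login)
    print("filter:", ldap_filter)
    # Step 2: the search the wizard performs with the bind account.
    out = subprocess.run(search_argv(uri, bind_dn, base, ldap_filter), env=env,
                         check=True, capture_output=True, text=True).stdout
    dns = dns_from_ldif(out)
    if len(dns) != 1:
        sys.exit(f"expected exactly one entry for {login!r}, got {len(dns)}: {dns}")
    print("bind DN:", dns[0])
    # Step 3: bind as that DN; ldapwhoami asks for the user's password.
    subprocess.run(whoami_argv(uri, dns[0]), env=env, check=True)
    print("authentication test succeeded")


if __name__ == "__main__":
    if len(sys.argv) != 7:
        # Offline demo of the filter expansion only; no server is contacted.
        print("usage: preflight.py ldaps://<ucs>:7636 <CA file> <bind DN> <base DN> <filter> <login>")
        print("demo:", render_filter("(&(uid=%u)(objectClass=organizationalPerson))", "jdoe"))
    elif not shutil.which("ldapsearch") or not shutil.which("ldapwhoami"):
        sys.exit("OpenLDAP client tools (ldapsearch, ldapwhoami) not found in PATH")
    else:
        preflight(*sys.argv[1:])
```

Run it as, for instance, <code>python3 preflight.py ldaps://ucs.example.com:7636 /opt/zimbra/ssl/zimbra/commercial/ca_commercial.crt "uid=zimbra-bind,cn=users,dc=example,dc=com" "dc=example,dc=com" "(&(uid=%u)(objectClass=organizationalPerson))" jdoe</code>; it prompts first for the bind account's password and then for the user's. A TLS failure at step 2 means the CA was not copied or the hostname does not match the UCS certificate, and a search that returns zero or several entries means the filter, not the credentials, needs fixing.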
 
 
 
Even with LDAP authentication configured, every user still has to exist as an account in Zimbra to be able to log in. At minimum an account needs a last name and the LDAP DN of the corresponding UCS entry to fulfil this requirement; when the LDAP DN is set, Zimbra binds directly as that DN and does not need to run the search filter for the user.
 
 
 
=== Syncing user data ===

This setup does not create Zimbra accounts automatically. For the LDAP authentication to succeed, the local part of the Zimbra account name and the uid of the UCS user must be identical, so the accounts have to be created in Zimbra under the same user names as in UCS.
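Instead of creating the accounts one by one in the console, they can be pre-created in bulk from a UCS user export. The following script is an added example, not code from the article, from UCS or from Zimbra: it parses LDIF such as ldapsearch prints for UCS users and emits one <code>zmprov ca</code> (createAccount) line per user, with sn as the last name and the LDAP DN in the account attribute zimbraAuthLdapExternalDn. The sample entries and the domain example.com are constructed, and the attribute name is an assumption based on Zimbra's external-authentication attributes rather than something the article states.

```python
#!/usr/bin/env python3
"""Turn a UCS user export into zmprov calls that pre-create the Zimbra accounts.

Zimbra does not create accounts for external-LDAP users by itself; each one
needs an account with at least a last name (sn) and the LDAP DN of the UCS
entry, and the account's local part must equal the UCS uid.  This script reads
the LDIF that ldapsearch prints and emits one `zmprov ca` line per user.
Added example, not Zimbra's or UCS' own tooling.
"""
import base64
import shlex

# Constructed sample of what
#   ldapsearch -LLL ... '(&(uid=*)(objectClass=organizationalPerson))' uid sn
# might return from UCS.  Made-up users and domain, not real data.
SAMPLE_LDIF = """\
dn: uid=jdoe,cn=users,dc=example,dc=com
uid: jdoe
sn: Doe

dn: uid=mmueller,cn=users,dc=example,dc=com
uid: mmueller
sn:: TcO8bGxlcg==
"""


def parse_ldif(text: str) -> list:
    """Minimal LDIF reader: entries separated by blank lines, folded lines joined,
    'attr:: value' decoded from base64 (ldapsearch uses it for non-ASCII values)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:   # continuation of the previous line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:               # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(attr.strip().lower(), []).append(value)
    return entries


def zmprov_commands(entries: list, zimbra_domain: str, existing: set = frozenset()) -> list:
    """One `zmprov ca` argv per UCS user that does not already have a Zimbra account.
    Empty password: the user authenticates against UCS, so Zimbra stores none.
    zimbraAuthLdapExternalDn is the attribute behind the "LDAP DN" field (assumed name)."""
    cmds = []
    for e in entries:
        uid, dn = e["uid"][0], e["dn"][0]
        account = f"{uid}@{zimbra_domain}"   # local part == UCS uid, as the article requires
        if account in existing:
            continue
        cmds.append(["zmprov", "ca", account, "",
                     "sn", e.get("sn", [uid])[0],   # UCS requires sn; fall back to uid defensively
                     "zimbraAuthLdapExternalDn", dn])
    return cmds


def as_shell(cmds: list) -> str:
    """Render the argv lists as shell lines, quoting anything that needs it."""
    return "\n".join(shlex.join(c) for c in cmds)


if __name__ == "__main__":
    # Pipe real data in:  ldapsearch ... | python3 sync_accounts.py | su - zimbra -c sh
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else ""
    print(as_shell(zmprov_commands(parse_ldif(text or SAMPLE_LDIF), "example.com")))
```

Feed it the output of an ldapsearch for <code>uid</code> and <code>sn</code> against the UCS base (over LDAPS, with the bind account from the wizard), review the generated lines, and run them as the zimbra user. Pass the names returned by <code>zmprov -l gaa</code> as <code>existing</code> to make reruns skip accounts that already exist. With external authentication the local Zimbra password is never used; if a password policy on the domain rejects the empty password, substitute a long random one.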
 
 
 
== System mails ==
 
 
 
In order to receive system mails, like those generated by cron jobs, set root@<server fqdn> and root@<maildomain> as aliases of a mailbox that is actually read (for example the administrator's account) in the Zimbra administration console.
 
 
 
[[Category:Howtos]]
 
[[Category:EN]]
 

Latest revision as of 16:02, 22 May 2019
