Cool Solution - Setting up Zimbra with LDAP authentication

From Univention Wiki

Revision as of 06:59, 31 October 2016 by Hpeter (talk | contribs)
Jump to: navigation, search
Produktlogo UCS Version 4.1

Note: Cool Solutions are articles documenting additional functionality based on Univention products. Not all of the shown steps in the article are covered by Univention Support. For questions about your support coverage contact your contact person at Univention before you want to implement one of the shown steps.

Also regard the legal notes at Terms of Service.

Zimbra can currently not be installed on an UCS system, because it requires a newer version of glibc than the one available in UCS 4.1. Thus, we will only explain setting up LDAP authentication from an Ubuntu server running Zimbra against UCS LDAP.

You can obtain information on how to install Zimbra from the official documentation. We used the Open Source Edition for this article.

Accessing Zimbra

Zimbra can be accessed by opening either webaddress in your browser. At this time, a login is only possible as the administrative user. To log in, open on of the two addresses and login as admin@<domain> and use the password, which has been entered during the installation.

User login:

https://<IP of Zimbra server>/

Administrative user login:

https://<IP of Zimbra server>:7071

Configuration to use an external LDAP service

The following section describes, how to setup a LDAP connection over SSL (LDAPS) between a Zimbra Server and an UCS Server.
In order for Zimbra to accept the connection with the UCS Server, you first have to import the root certificate of your UCS server into your Zimbra server,
which is described below.

Note: We do not recommend using the unsecured LDAP connection, but if you insist, you can skip the following Import the UCS Server Certificate part and follow the note in the Configure the Connection section.

Import the UCS Server Certificate

To successfully import the UCS Server root certificate, we will first have to download it to the Zimbra server. Note: The certificate can be found on the homepage of your UCS server while not logged in. Click on the Administration tab, then right-click Root certificate and select "Save Link As..." to download it.

After you have downloaded the certificate onto your Zimbra server, you will have to login on a console with the zimbra account. You can achieve this, by logging in with a normal account and then switching to it with the command "su zimbra"

The certificate can then be imported with the following command:

/opt/zimbra/bin/zmcertmgr addcacert <certificate name>.crt

Then, Zimbra has to be restarted:

zmcontrol restart

Configure the Connection

We can now setup the LDAP connection in the Zimbra Administration.

For this you can login into it and then go to Configure -> Domains, right click on your domain and click Configure Authentication.
Here, choose External LDAP and click Next.
On the following page, provide the wizard with an IP or hostname to your LDAP server,

To setup LDAP authentication, open the Zimbra Administration, go to Configure -> Domains, right click on your domain and click Configure Authentication. Choose External LDAP and click Next.
On the following page, provide the wizard with an IP or hostname to your LDAP server, tick the "Use SSL" box and change the port to 7636.
Note: Untick the Use SSL box and set the port to 7389, if you want to create a LDAP connection without SSL.

LDAP filter defines which LDAP attribute is mapped to which user account setting. To use the uid as username the filter would look like this:


To use the uid as username, but only allow people with the objectClass "OrganizationalPerson" to authenticate, the filter would have to look like this:


You can find further information about this in the Zimbra Wiki.

Put your LDAP base into the field next to LDAP search base. You can obtain that information with

ucr get ldap/base

on your UCS Server and click next.

The next page asks for a bind user to bind to LDAP. We recommend to create a "Simple authentication account" via the UMC for this purpose. Check the box "Use DN/Password to bind to external server" and provide the Zimbra wizard with the DN of that account and it's password. Click next.

The following page shows you a summary of the settings you just applied and allows you to test the connection. You can try to login with LDAP credentials in the form at the bottom of the page. If the connection is successful a blue box saying "Authentication test succeeded" and the computed bind DN will appear.

If the test works and all settings are alright, click next and finish the wizard by pressing Finish.

Every user has to exist in Zimbra to be able to login even with LDAP setup. At least, the only need to have a last name and LDAP DN assgined to them, to fulfil this requirement.

Synching user data

In order for the LDAP authentication against an external LDAP service to be successful, the usernames in both LDAP directories must be identical.

System mails

In order to receive system mails, like those generated by cronjobs, it is necessary to set root@<server fqdn> and root@<maildomain> as aliases in the Zimbra administration page.

Known issues

Keytool-Error during certificate import

There exists a known error, which can occur during the import of the UCS Server Certificate, which looks like this:

ERROR: cacerts keytool(-delete -alias zcs-user-<Name of the Certificate>) returned non-zero(1):
Keytool-Error: java.lang.Exception: Alias <zcs-user-<Name of the Certificate>> does not exist

This error occurs, if the zmcertmgr can't remove an alias, because it has already been removed. It isn't a problem and can be ignored, as it doesn't block the following parts of the import process and as the alias has already been removed.

Personal tools