Cool Solution - Setting up Zimbra with LDAP authentication
From Univention Wiki
Zimbra ships all the services it needs and updates them during a regular Zimbra update. To simplify matters, these shipped services are used here on a 64-bit UCS member server installation. Authentication against the DC Master using LDAP is described later on. If required, Univention can provide support for replicating user data.
First, the latest version of Zimbra must be downloaded. At the time of writing, the latest version is from August 4th, 2011. Zimbra will be installed in /opt:
cd /opt
wget http://files2.zimbra.com/downloads/7.1.2_GA/zcs-7.1.2_GA_3268.DEBIAN5_64.20110804120420.tgz
tar -xzf zcs-7.1.2_GA_3268.DEBIAN5_64.20110804120420.tgz
cd zcs-7.1.2_GA_3268.DEBIAN5_64.20110804120420/
Next, the Apache web server and Postfix must be stopped and configured so that neither service starts automatically when the system boots.
/etc/init.d/apache2 stop
ucr set apache2/autostart=no
/etc/init.d/postfix stop
ucr set postfix/autostart=no
To satisfy all needed dependencies, the UCS unmaintained repository must be activated and the dependencies installed:
ucr set repository/online/unmaintained=yes
univention-install libidn11 curl fetchmail libgmp3c2 sysstat sqlite3
The interactive installation can now be started. Some options can be changed during the installation, but the default settings are mostly appropriate.
The installation script may fail to find the MX record. This step can be skipped by pressing n on the keyboard. When the installation is finished, the administrator's password must be entered.
To start the Zimbra service automatically when booting the system, it must be configured to do so:
update-rc.d zimbra defaults
Since Zimbra's LDAP libraries conflict with the LDAP libraries shipped with UCS, the global path for LDAP libraries must be altered. Open the file /etc/univention/templates/files/etc/profile with an editor and add the following line:
For the change to take effect, the file must be re-written:
ucr commit /etc/profile
WARNING: Updating the server can revert these changes. If this happens, the changes need to be made again!
Finally, restart your server:
Zimbra can be accessed by opening either of the following web addresses in your browser. At this time, a login is only possible as the administrative user. To log in, open one of the two addresses and log in as admin@<domain> with the password that was entered during the installation.
http://<IP of Zimbra server>/
Administrative user login:
http://<IP of Zimbra server>:7071
Configuration to use an external LDAP service
By default, Zimbra uses its own LDAP server. However, it is possible to configure Zimbra to use an external LDAP service. It is important that in both LDAP directories the usernames are identical. During login, Zimbra tries to authenticate the user against the external LDAP service. If the authentication is successful, the user is considered as authenticated and can use Zimbra. When the LDAP authentication is properly configured, Zimbra will only authenticate against the external LDAP service and not its own.
To configure Zimbra to use an external LDAP service, log in as an administrative user and navigate to the administration page. Open the configuration page by navigating to Configuration -> Domains. Click on the button "Configure Authentication", located at the upper part of the page. A configuration wizard will open and the settings can now be edited (assuming the domain is ucs.test):
Authentication Mechanism: External LDAP
LDAP URL: ldap://<FQDN of the master>:389
LDAP-Filter: (uid=%u)
LDAP-Search-Base: dc=ucs,dc=test
Use DN/Password to bind to external Server: Yes
Bind DN: uid=Administrator,cn=users,dc=ucs,dc=test
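The settings above imply a search with the bind DN followed by a bind as the entry that was found. The script below is an added example, not part of the wiki page or of Zimbra, that rehearses this flow with the OpenLDAP client tools before the values are entered in the wizard; the function names are hypothetical and the master's FQDN stays a placeholder.

```shell
#!/bin/sh
# Added example. Values mirror the wizard settings for the ucs.test domain.
# Note: ldap:// on port 389 carries bind passwords unencrypted unless
# StartTLS is negotiated.
LDAP_URL='ldap://<FQDN of the master>:389'   # placeholder, fill in
BIND_DN='uid=Administrator,cn=users,dc=ucs,dc=test'
SEARCH_BASE='dc=ucs,dc=test'
FILTER_TEMPLATE='(uid=%u)'

# Escape RFC 4515 filter metacharacters so a login name such as "*" or
# "a)(uid=*" cannot change the meaning of the search filter.
ldap_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' \
                           -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# Replace the first %u in the template with the escaped login name.
expand_filter() {
    case $1 in *%u*) ;; *) echo "template has no %u" >&2; return 1 ;; esac
    pre=${1%%\%u*}; post=${1#*\%u}
    printf '%s%s%s\n' "$pre" "$(ldap_escape "$2")" "$post"
}

# Read "ldapsearch -LLL" output on stdin and print the DN only if exactly
# one entry matched; zero or several matches are treated as a failure.
single_dn() {
    dns=$(grep '^dn: ' | sed 's/^dn: //')
    [ -n "$dns" ] && [ "$(printf '%s\n' "$dns" | wc -l)" -eq 1 ] || return 1
    printf '%s\n' "$dns"
}

# Search with the bind DN, then bind as the user that was found.
# Prompts twice: first for the bind DN password, then for the user's.
check_login() {
    filter=$(expand_filter "$FILTER_TEMPLATE" "$1") || return 1
    dn=$(ldapsearch -x -LLL -H "$LDAP_URL" -D "$BIND_DN" -W \
             -b "$SEARCH_BASE" "$filter" dn | single_dn) || return 1
    ldapwhoami -x -H "$LDAP_URL" -D "$dn" -W
}
```

Run `check_login <username>` on the Zimbra server after sourcing the script. Adding `-ZZ` to both client commands makes them require StartTLS, assuming the master offers it.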
Synching user data
In order for the LDAP authentication against an external LDAP service to be successful, the usernames in both LDAP directories must be identical.
In order to receive system mails, like those generated by cronjobs, it is necessary to set root@<server fqdn> and root@<maildomain> as aliases in the Zimbra administration page.