Cool Solution - Setting up Zimbra with LDAP authentication

From Univention Wiki

Revision as of 10:58, 18 April 2013 by Grandjean (talk | contribs)
UCS Version 2.4

Zimbra ships all needed services and updates them whenever a regular Zimbra update is run. To simplify matters, the shipped services are used in a 64-bit UCS Memberserver installation. Later on, the authentication against the DC Master via LDAP is described. If required, Univention can provide support for replicating user data.

Installing Zimbra

First, the latest version of Zimbra must be downloaded. As of time of writing, the latest version is from August 4th, 2011. Zimbra will be installed in /opt:

cd /opt
wget http://files2.zimbra.com/downloads/7.1.2_GA/zcs-7.1.2_GA_3268.DEBIAN5_64.20110804120420.tgz
tar -xzf zcs-7.1.2_GA_3268.DEBIAN5_64.20110804120420.tgz
cd zcs-7.1.2_GA_3268.DEBIAN5_64.20110804120420/

Next, the Apache webserver and postfix must be stopped and configured so that neither service starts automatically when booting the system.

/etc/init.d/apache2 stop
ucr set apache2/autostart=no
/etc/init.d/postfix stop
ucr set postfix/autostart=no

To satisfy all needed dependencies, the UCS unmaintained repository must be activated and the dependencies installed:

ucr set repository/online/unmaintained=yes
univention-install libidn11 curl fetchmail libgmp3c2 sysstat sqlite3

The interactive installation can now be started. During the installation some options can be changed, however, the default settings are mostly appropriate.

./install

It can occur that the installation script cannot find the MX record; this step can be skipped by pressing n on the keyboard. When the installation is finished, the administrator's password must be entered.

To start the Zimbra service automatically when booting the system, it must be configured to do so:

update-rc.d zimbra defaults

Since Zimbra's LDAP libraries conflict with the LDAP libraries shipped with UCS, the global path for LDAP libraries must be altered. Open the file /etc/univention/templates/files/etc/profile with an editor and add the following line:

export LD_LIBRARY_PATH="/usr/lib"

For the change to take effect, the file must be re-written:

ucr commit /etc/profile

WARNING: When updating the server, this change may be reverted. If this is the case, the change needs to be made again!

Finally, restart your server:

reboot

Accessing Zimbra

Zimbra can be accessed by opening either web address in your browser. At this time, a login is only possible as the administrative user. To log in, open one of the two addresses and log in as admin@<domain> with the password that was entered during the installation.

User login:

http://<IP of Zimbra server>/

Administrative user login:

http://<IP of Zimbra server>:7071

Configuration to use an external LDAP service

By default, Zimbra uses its own LDAP server. However, it is possible to configure Zimbra to use an external LDAP service. It is important that the usernames are identical in both LDAP directories. During login, Zimbra tries to authenticate the user against the external LDAP service. If this authentication succeeds, the user is considered authenticated and can use Zimbra. When LDAP authentication is properly configured, Zimbra only authenticates against the external LDAP service and not against its own.

To configure Zimbra to use an external LDAP service, log in as an administrative user and navigate to the administration page. Open the configuration page by navigating to Configuration -> Domains. Click on the button "Configure Authentication", located at the upper part of the page. A configuration wizard will open and the settings can now be edited (assuming the domain is ucs.test):

Authentication Mechanism: External LDAP
LDAP URL: ldap://<FQDN of the Master>:389
LDAP Filter: (uid=%u)
LDAP Search Base: dc=ucs,dc=test
Use DN/Password to bind to external Server: Yes
Bind DN: uid=Administrator,cn=users,dc=ucs,dc=test

Synching user data

In order for the LDAP authentication against an external LDAP service to be successful, the usernames in both LDAP directories must be identical.
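As an added illustration (not Zimbra's or Univention's code) of what the wizard settings above make Zimbra do at login, and why the usernames must match, the following Python models the search-then-bind flow against a constructed in-memory stand-in for the DC Master directory. The directory entries, the Zimbra account list, the bind password "adminpw" and the user passwords are constructed sample data; Zimbra's real internals are not modelled beyond this flow.

```python
# Added example (not Zimbra's or Univention's code): models Zimbra's external
# LDAP authentication using the settings from the wizard above. All directory
# contents and passwords below are constructed sample data.

LDAP_FILTER = "(uid=%u)"                              # wizard: LDAP Filter
SEARCH_BASE = "dc=ucs,dc=test"                        # wizard: LDAP Search Base
BIND_DN = "uid=Administrator,cn=users,dc=ucs,dc=test"  # wizard: Bind DN
BIND_PW = "adminpw"                                   # constructed, assumption

# Constructed stand-in for the UCS DC Master directory: DN -> attributes.
UCS_DIRECTORY = {
    BIND_DN: {"uid": "Administrator", "userPassword": BIND_PW},
    "uid=alice,cn=users,dc=ucs,dc=test": {"uid": "alice", "userPassword": "alice-secret"},
}

# Constructed stand-in for Zimbra's own account list. "bob" exists only in
# Zimbra, not on the DC Master, so his login can never succeed.
ZIMBRA_ACCOUNTS = {"alice@ucs.test", "bob@ucs.test"}

def escape_filter_value(value: str) -> str:
    """Escape a value placed inside an LDAP filter (RFC 4515) so that
    characters such as * ( ) \\ are matched literally, not interpreted."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value)

def build_filter(username: str) -> str:
    """Substitute the local part of the login name for %u in the template."""
    return LDAP_FILTER.replace("%u", escape_filter_value(username))

def ldap_bind(dn: str, password: str, directory: dict) -> bool:
    """Simple bind: succeeds only if the DN exists and the password matches."""
    entry = directory.get(dn)
    return entry is not None and entry["userPassword"] == password

def ldap_search(directory: dict, base: str, filt: str) -> list:
    """Return DNs under `base` matching a (uid=<value>) filter. A real server
    compares the escaped filter value against the raw attribute value."""
    assert filt.startswith("(uid=") and filt.endswith(")")
    want = filt[len("(uid="):-1]
    return [dn for dn, attrs in directory.items()
            if dn.endswith(base) and escape_filter_value(attrs["uid"]) == want]

def authenticate(login: str, password: str) -> bool:
    """The account must exist in Zimbra; Zimbra then binds with the Bind DN,
    searches for the user under the search base and binds as the found DN."""
    if login not in ZIMBRA_ACCOUNTS:
        return False
    username = login.split("@", 1)[0]
    if not ldap_bind(BIND_DN, BIND_PW, UCS_DIRECTORY):   # service bind
        return False
    hits = ldap_search(UCS_DIRECTORY, SEARCH_BASE, build_filter(username))
    if len(hits) != 1:                                   # missing or ambiguous
        return False
    return ldap_bind(hits[0], password, UCS_DIRECTORY)   # bind as the user
```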

System mails

In order to receive system mails, like those generated by cron jobs, it is necessary to set root@<server fqdn> and root@<maildomain> as aliases in the Zimbra administration page.
