[Freeipa-users] Can FreeIPA v2 be used as Zimbra external LDAP authenticator?
Simo Sorce
simo at redhat.com
Fri May 27 23:42:22 UTC 2011
On Fri, 2011-05-27 at 17:26 -0600, David L. Willson wrote:
> Rob Crittenden: Thank you for your help!
>
> This is RESOLVED, and I want to make some notes here, because finding
> the magic combination of syntax has been... trying.
>
> Products affected:
>
> FreeIPA 2.0.1, Zimbra 7.1 OSE
>
> NOTES: 'humperdinck' is my IPA server and 'z7' is my Zimbra
> Collaboration Server. I'm NOT removing my real values, because I think
> docs work better when you just paste in what you really used.
>
> 0. From a shell prompt on the Zimbra server, import the CA
> certificate, and restart Zimbra services.
>
> $ wget http://humperdinck.rmsel.org/ipa/errors/ca.crt
> $ mv ca.crt humperdinck_ca.crt
> $ sudo /opt/zimbra/java/bin/keytool -import -alias humperdinck_ca \
>     -keystore /opt/zimbra/java/jre/lib/security/cacerts \
>     -storepass changeit -file humperdinck_ca.crt
> $ sudo su - zimbra
> $ zmcontrol stop && zmcontrol start
>
> 1. From the Zimbra admin console, connect a domain to the IPA server
> for external LDAP authentication.
>
> On the left, under Configuration, expand Domains, and select
> (click) the Domain you want to authenticate with IPA.
> In the toolbar, click "Configure Authentication"
> In the drop-down list-box, choose "External LDAP"
> Type your IPA server's FQDN in "LDAP Server name:", do NOT check
> "Use SSL", check "Enable StartTLS"
> LDAP Filter is exactly this, WITH parentheses, and NO spaces.
> (uid=%u)
> My LDAP Search Base is exactly this, with NO parentheses, and NO
> spaces. You'll need to change the domain components, of course.
> cn=accounts,dc=rmsel,dc=org
> Click "next" TWICE (i.e. do NOT check "Use DN/Password to bind to
> external server")
> Enter a username or full email and the matching password. (must be
> valid, NON-EXPIRED credentials)
> dlwillson
> **********
> Click Test. Celebrate.
>
> 2. If you're not celebrating, use the same credentials with kinit at
> the shell prompt on any Kerberos client machine to confirm validity.
> kinit dlwillson
> enter password
>
> 3. If the credentials are valid, use ldapsearch from the shell on your
> Zimbra server to test LDAP binding/searching.
> $ sudo su - zimbra
> $ ldapsearch --help
> $ ldapsearch -h humperdinck.rmsel.org -ZZ -v \
>     -D "uid=dlwillson,cn=users,cn=accounts,dc=rmsel,dc=org" -w '**********' \
>     -b "cn=accounts,dc=rmsel,dc=org" "(uid=dlwillson)"
>
> 4. I hope you're celebrating by now, because if not, you're in for a
> rough time, perhaps.
>
> HTH, cheers, YMMV, YATLTL
Thank you for the very nice write-up.
I am curious if you are going to enable GSSAPI authentication in Zimbra
too (Zimbra supports GSSAPI/Krb5 auth for IMAP and apparently should
support it for the web interface too at some point).
It would be awesome to get a similar writeup of how to configure it in
that case. I am sure many users would be delighted to be able to do SSO
against the mail server (i.e. no need to enter any password at all after
login).
Simo.
--
Simo Sorce * Red Hat, Inc * New York
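The recipe in the quoted message hard-codes the search base, the "(uid=%u)" filter and the user DN by hand. The Python below, an added example that is not code from this thread, from Zimbra or from FreeIPA, assembles those same pieces from the domain name and login name and builds the step-3 ldapsearch test as an argument vector. Its one security point is the %u substitution: when you script that search yourself, the login name has to be escaped per RFC 4515 before it goes into the filter (and per RFC 4514 before it goes into a DN), otherwise a name containing '*', '(' or ')' rewrites the query. It assumes the standard FreeIPA 2.x tree (cn=users,cn=accounts,dc=...), uses the long-standing -H and -W options of OpenLDAP's ldapsearch instead of -h and -w (so the password is prompted for rather than visible in `ps`), and only prints the command rather than running it, so it works offline; the host and domain are copied from the post, the odd-looking login names are constructed test inputs. A side note on step 0 of the recipe: ca.crt is fetched over plain http, so check its fingerprint against the IPA server out of band before importing it.

```python
"""Build the LDAP pieces behind the Zimbra-against-FreeIPA recipe: search
base, (uid=%u) filter, user bind DN and the ldapsearch -ZZ test command.
Added example, not code from the thread, Zimbra or FreeIPA.  The DIT layout
(uid=<name>,cn=users,cn=accounts,dc=...) is the FreeIPA 2.x default and is
assumed here; IPA_HOST and IPA_DOMAIN are taken from the post."""

IPA_HOST = "humperdinck.rmsel.org"   # from the post
IPA_DOMAIN = "rmsel.org"             # from the post
ZIMBRA_FILTER = "(uid=%u)"           # exactly as typed into the admin console


def escape_filter_value(value: str) -> str:
    """Escape an assertion value for an LDAP search filter (RFC 4515 s.3).
    '\\', '*', '(', ')' and NUL become \\5c \\2a \\28 \\29 \\00, so a login
    name cannot add its own filter terms when substituted into a template."""
    out = []
    for ch in value:
        if ch in "\\*()":
            out.append("\\%02x" % ord(ch))
        elif ch == "\x00":
            out.append("\\00")
        else:
            out.append(ch)
    return "".join(out)


def escape_dn_value(value: str) -> str:
    """Escape an attribute value for use inside a DN (RFC 4514 s.2.4)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in '\\,+"<>;':
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        elif ch == "#" and i == 0:
            out.append("\\#")
        elif ch == " " and (i == 0 or i == last):
            out.append("\\ ")
        else:
            out.append(ch)
    return "".join(out)


def build_base_dn(domain: str) -> str:
    """cn=accounts,dc=...: the FreeIPA accounts subtree Zimbra searches."""
    dcs = ",".join("dc=" + escape_dn_value(p) for p in domain.split("."))
    return "cn=accounts," + dcs


def build_search_filter(template: str, username: str) -> str:
    """Substitute the login name into Zimbra's %u template, escaped."""
    return template.replace("%u", escape_filter_value(username))


def build_user_dn(username: str, domain: str) -> str:
    """DN of a FreeIPA user entry (assumed cn=users,cn=accounts layout)."""
    return "uid=%s,cn=users,%s" % (escape_dn_value(username),
                                   build_base_dn(domain))


def ldapsearch_argv(username: str, domain: str, host: str) -> list:
    """Argument vector for the step-3 bind/search test over StartTLS.
    -ZZ aborts instead of falling back to clear text if StartTLS fails;
    -W prompts for the bind password rather than exposing it via -w."""
    return [
        "ldapsearch",
        "-H", "ldap://%s" % host,
        "-ZZ",
        "-D", build_user_dn(username, domain),
        "-W",
        "-b", build_base_dn(domain),
        build_search_filter(ZIMBRA_FILTER, username),
        "uid", "memberOf",
    ]


if __name__ == "__main__":
    import shlex
    # Constructed inputs: a normal name, a wildcard, and a filter-injection
    # attempt that would match uid=admin if left unescaped.
    for name in ("dlwillson", "dl*willson", "a)(uid=admin"):
        print("%-14s -> %s" % (name, build_search_filter(ZIMBRA_FILTER, name)))
    print(" ".join(shlex.quote(a)
                   for a in ldapsearch_argv("dlwillson", IPA_DOMAIN, IPA_HOST)))
```

Running the file prints the three substituted filters (the injection attempt comes out as `(uid=a\29\28uid=admin)`, a literal value that matches nothing) followed by the ldapsearch command line to paste into a shell on the Zimbra server; the functions are what a wrapper script would import.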