#1 (permalink)
Old 08-22-2007, 11:29 PM
Active Member
Posts: 40
About external LDAP problem, urgent!

Hello, Dear all,

The objective of this thread is to hope someone gives me a clear answer about the external LDAP problem. My company is going to put this Zimbra server into real production; however, the user integration and authentication problem is giving me a heavy headache.

What I really want is to authenticate user system logon and email box logon with the same LDAP server. The LDAP that comes with Zimbra is pretty good and powerful, but the main drawback is that it can only authenticate user logon to the mailbox. I searched on the wiki (LDAP Authentication - ZimbraWiki) and found an article guiding how to make Zimbra use an external LDAP to authenticate users. All the steps went really well, and the test returned a successful result; however, the logon process always fails when I log on with a username created in the external LDAP.

Thus, I searched the Zimbra forum for this issue; there are lots of threads about this, but the answers confused me. It seems that we have to create a user account in both the Zimbra admin console and the external LDAP server. It was confirmed by testing on my server.

My doubt is about the objective of Zimbra working with an external LDAP server. In my opinion, the objective is to centralize user information, to simplify system upgrading and migration. But the fact is not what I expected.

Is there any way to solve this problem? In my company, there will be more than 200 hundred staff moving to the Linux platform. If I have to create and manage so many users' information in two places, the task will be unimaginable!

By the way, several days ago, I also tried to use the Samba and Postfix extension, but failed at step 3. Anyway, I prefer to use external LDAP; it will be more flexible.

Any idea? Any reply will be appreciated very much! Thanks!
#2 (permalink)
Old 08-23-2007, 01:21 PM
Moderator
Posts: 441

Hi,

Are you creating the user accounts in Zimbra as well as the external LDAP server?

I realize this is some duplication of work, but here I've created scripts to create LDAP and Zimbra users at the same time to make it easier.

Zimbra will not create accounts on the fly, even if they're in LDAP. It stores much more information than simply a username and a password.
#3 (permalink)
Old 08-23-2007, 11:19 PM
Active Member
Posts: 40
Thanks, is it possible to share your script with me?!

Hello, p24t

I currently have to create users in both OpenLDAP and the LDAP that comes with Zimbra, but it is not what I want.

How does your script work? Is it possible to teach me how to create it and use it? Is it possible to share your script with me? Many thanks to you in advance!
#4 (permalink)
Old 08-24-2007, 06:21 AM
Moderator
Posts: 441

Unfortunately, my script is fairly customized; it's a Ruby script with a web interface, and it depends on SSH keys.

Essentially, I take the user information and write an LDIF file to enter the LDAP entry, which I use with ldapadd. Then I write a shell script file, which gets scp'd to the zimbra user; I run the file and delete it. If my user is already in LDAP, it updates the password and still adds to Zimbra.

I'll post the code here for you, hopefully you can make some use of it. This is the part that gets the CGI user info from the web form.

Code:
require 'cgi'
require 'securerandom'
require 'shellwords'   # Shellwords.escape quotes a value before it goes into a shell command

cgi = CGI.new
basedn = "cn=admin,dc=bog3d,dc=com"   # my admin dn
host = '192.168.1.71'   # my zimbra box IP
user, pass, fname, lname = cgi['user'], cgi['pass'], cgi['fname'], cgi['lname']
# Shell-escaped copies for every place a form value is interpolated into a command line.
# (The original used String#untaint here, which only existed for Ruby 1.8's $SAFE mode.)
user_q, pass_q, fname_q, lname_q = [user, pass, fname, lname].map { |v| Shellwords.escape(v) }

# Two-character salt selects traditional DES crypt, as in the original script.
crypt_pass = lambda do |plain|
  salt = ((26 * rand).to_i + 65).chr + ((26 * rand).to_i + 65).chr
  "{CRYPT}" + plain.crypt(salt)
end

command = "ldapsearch -x -h ldap.bog3d.com -b 'ou=people,dc=bog3d,dc=com' uid=#{user_q}"
userinfo = `#{command}`

# ldapsearch prints "# numEntries: N" only when the search matched at least one entry
if userinfo =~ /numEntries/
  puts "LDAP User #{user} exists.  Updating password.<br>"
  seed = SecureRandom.hex(8)
  ldapfile = File.new("/tmp/#{seed}", 'w')
  ldapfile.write "dn: uid=#{user},ou=people,dc=bog3d,dc=com\n"
  ldapfile.write "changetype: modify\n"
  ldapfile.write "replace: userPassword\n"
  ldapfile.write "userPassword: #{crypt_pass.call(pass)}\n"
  ldapfile.close
  system "ldapmodify -x -h ldap.bog3d.com -f /tmp/#{seed} -D '#{basedn}' -w [password here]"
  File.delete("/tmp/#{seed}")
else
  puts "Adding entry for #{user} <br>"
  seed = SecureRandom.hex(8)
  ldapfile = File.new("/tmp/#{seed}", 'w')
  ldapfile.write "dn: uid=#{user},ou=people,dc=bog3d,dc=com\n"
  ldapfile.write "objectClass: top\n"
  ldapfile.write "objectClass: inetOrgPerson\n"
  ldapfile.write "uid: #{user}\n"
  ldapfile.write "cn: #{fname} #{lname}\n"
  ldapfile.write "sn: #{lname}\n"
  ldapfile.write "userPassword: #{crypt_pass.call(pass)}\n"
  ldapfile.close
  system "ldapadd -h ldap.bog3d.com -x -f /tmp/#{seed} -D '#{basedn}' -w [password here]"
  File.delete("/tmp/#{seed}")
  puts "User added to LDAP.<br>"
end

# Shell script for the Zimbra box: create the account, then add the alias address
seed = SecureRandom.hex(8)
scriptfile = File.new("/tmp/#{seed}", 'w')
scriptfile.puts "zmprov ca #{user_q}@bexp3d.com #{pass_q} givenName #{fname_q} sn #{lname_q} displayName #{Shellwords.escape("#{fname} #{lname}")}"
scriptfile.puts "zmprov aaa #{user_q}@bexp3d.com #{user_q}@bog3d.com"
scriptfile.close

# Copy the script to the zimbra user (ssh keys), run it there, then remove it on both ends
system "scp /tmp/#{seed} zimbra@#{host}:~/log"
system "ssh zimbra@#{host} sh log/#{seed}"
system "ssh zimbra@#{host} rm log/#{seed}"

File.delete("/tmp/#{seed}")

puts "User added to Zimbra."
#5 (permalink)
Old 08-24-2007, 06:32 PM
Active Member
Posts: 40
thanks a lot!

Dear p24t,

Thanks for your script. I don't know how to use Ruby, but I know programming, so after reading your code, I got my mind opened. So your script serves as a middle layer that receives user information from the web interface and then writes to both places, Zimbra's LDAP and the system's embedded LDAP, right? So this means all user management work is on the web interface?

I'd like to analyze it in detail; if there are no other ways, this method might be the only one that should be applied. Thanks!
#6 (permalink)
Old 08-24-2007, 07:10 PM
Moderator
Posts: 441

The script takes 4 values from CGI:

Code:
cgi['user'], cgi['pass'], cgi['fname'], cgi['lname']
username, password, first name, last name (just to keep with proper SN syntax)

The if clause is for when it finds the user already in LDAP, the else for when it's not. All the

Code:
ldapfile.write ".....
are the LDIF information written to the file, and the file is called using ldapadd / ldapmodify.

After the if/else is the Zimbra shell script. Just 2 lines, the "scriptfile.puts", and the file is scp'd to the Zimbra server, under the zimbra user, and I run and delete the script over SSH. I set up SSH keys between the web interface server and the zimbra user.

I had a migration script that used part of this too. There may be better ways to do this than using command line utilities, but this was quick and easy. My web interface for this little script is just a form with 4 boxes. I haven't written anything fancy for it yet. At some point I'll probably make a LDAP manager, since I use the LDAP for my *nix authentication as well.
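The add-or-modify LDIF and the two-line zmprov script that p24t describes in posts #4 and #6, written as an added example that is not part of the script posted in this thread: it builds the same pieces without pushing form values through a shell string, stores an {SSHA} hash instead of DES crypt, and escapes DN and LDIF values. The base DN, domains and sample names are assumed placeholders, not the thread's real ones.

```ruby
require 'base64'
require 'digest/sha1'
require 'securerandom'
require 'shellwords'

# Assumed naming for the example; the thread's script uses dc=bog3d,dc=com.
PEOPLE_BASE = 'ou=people,dc=example,dc=com'

# {SSHA} as OpenLDAP stores it: base64(sha1(password + salt) + salt).
def ssha_password(pass, salt = SecureRandom.random_bytes(8))
  '{SSHA}' + Base64.strict_encode64(Digest::SHA1.digest(pass.b + salt.b) + salt.b)
end
def ssha_verify(stored, pass)
  return false unless stored.start_with?('{SSHA}')
  raw = Base64.strict_decode64(stored[6..-1])
  Digest::SHA1.digest(pass.b + raw[20..-1]) == raw[0, 20]
end
# ldapsearch prints "# numEntries: N" only when at least one entry matched (the thread's test).
def ldap_user_exists?(ldapsearch_output)
  ldapsearch_output.match?(/^# numEntries: [1-9]/)
end
# RFC 4514 escaping for a value placed inside a DN (the uid=... component here).
def dn_escape(value)
  value.gsub(/[,+"\\<>;]/) { |c| "\\#{c}" }.sub(/\A[ #]/) { |c| "\\#{c}" }.sub(/ \z/) { '\\ ' }
end
# RFC 2849: values that are not safe as plain text go out base64-encoded ("attr:: ...").
def ldif_line(attr, value)
  plain = value.ascii_only? && !value.match?(/\A[ :<]|[\r\n]|\s\z/)
  plain ? "#{attr}: #{value}\n" : "#{attr}:: #{Base64.strict_encode64(value)}\n"
end

# Same two shapes as the original: modify userPassword if the user exists, else add the entry.
def build_ldif(user, pass_hash, fname, lname, exists)
  dn = "uid=#{dn_escape(user)},#{PEOPLE_BASE}"
  if exists
    "dn: #{dn}\nchangetype: modify\nreplace: userPassword\n" + ldif_line('userPassword', pass_hash)
  else
    "dn: #{dn}\nobjectClass: top\nobjectClass: inetOrgPerson\n" +
      ldif_line('uid', user) + ldif_line('cn', "#{fname} #{lname}") +
      ldif_line('sn', lname) + ldif_line('userPassword', pass_hash)
  end
end

# The two zmprov lines for the Zimbra box; shelljoin quotes every argument, so O'Brien or a password with spaces cannot split the command.
def zmprov_script(user, pass, fname, lname, mail_domain, alias_domain)
  acct = "#{user}@#{mail_domain}"
  [['zmprov', 'ca', acct, pass, 'givenName', fname, 'sn', lname, 'displayName', "#{fname} #{lname}"],
   ['zmprov', 'aaa', acct, "#{user}@#{alias_domain}"]].map(&:shelljoin).join("\n") + "\n"
end
```

The zmprov lines still carry the password as a command-line argument on the Zimbra host, where it is visible in the process list while the command runs, exactly as in the original script.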