Zimbra, Samba, Unix SSO

[drock]

Hello,
I am looking very heavily on using zimbra over MS Exchange for a new organization (thats right, I have the rare opportunity of setting up an enterprise... from SCRATCH!).
I am currently utilizing LDAP and SMBLDAP-TOOLS as a back end to my samba domain. This same LDAP server is also used for UNIX authentication. Thus, my windows and unix accounts are fully SSO (Single Sign On) compliant.
I would like to maintain SSO compliancy and integrate zimbra as well. After reading through some of the posts on the forums (specifically the one about integrating samba), I sort of have an understanding on how to do this, but have some questions:

1. Does zimbra only store passwords in plain-text? Can I opt to use crypt or SSHA?
2. Can I change the zimbra password with external tools?

I am going to load a fresh box to do testing. I am assuming (from the documentation) that I should load ZIMBRA first and then use ZIMBRA's back-end LDAP database to store SMB and POSIX info. Correct?

Cheers,
Dave

[KevinH]

Well we handle postfix info you'd just need to add your samba info and anything else you need to the LDAP directory. Or you can use your current LDAP directory and just have Zimbra auth against that.

[antonmb]

Would like to bump this.

With Greg's help, I was able to get Zimbra and Samba to integrate, however, am facing the same problem with SSO.

Right now, the idea is that when users use the CTRL+ALT+DEL function to change their passwords, it currently only changes their Samba password and not the Zimbra one. Of course the solution is to create a script that will be invoked to synchronize the zimbra password.

I went through the Zimbra LDAP dir but could not find the hashes there. Where does Zimbra store its passwords?

[dijichi2]

zimbra stores the passwords in ldap, but the attributes are probably hidden from anonymous binds - try binding as the rootdn.

windows does the password change inband with smb I think, then binds as the mapped user to ldap and depending on your samba settings changes the posix and lanmanager hashes, in other words this is a samba issue not a zimbra issue. possibly.

[Greg]

I just figured out the solution for this. It turns out to be easier than I thought. The thing is that zimbra stores passwords in the same attribute as pam_ldap, so if you add this line to smb.conf

ldap passwd sync = yes

samba will synchronize the passwords for you
here's some reading about how this works: http://us1.samba.org/samba/docs/man/...tml#ldappwsync