Moving LDAP

#1 | 09-08-2010, 12:40 PM | Intermediate Member | Posts: 19

I recently installed Zimbra and have been asked to provide an LDAP server that we can authenticate against.

I'm using Ubuntu 10.04 for my LDAP server and would like to import the LDAP database from Zimbra (zmslapcat) and import it into the Ubuntu LDAP. I haven't spent that much time with the new LDAP configuration and want to know how to create the appropriate schema from my Zimbra data.

Code:
slapadd -v -d 6 -l ldap.bak
send_ldap_result: err=0 matched="" text=""
hdb_db_open: "dc=example,dc=com"
slapadd: line 1: database #1 (dc=example,dc=com) not configured to hold "cn=zimbra"; no database configured for that naming context

Code:
dn: cn=zimbra
objectClass: organizationalRole
description: Zimbra Systems Application Data
cn: zimbra
structuralObjectClass: organizationalRole
entryUUID: 
creatorsName: cn=config
createTimestamp: 20100513184745Z
entryCSN: 
modifiersName: cn=config
modifyTimestamp: 20100513184745Z

Or can I get some pointer to somewhere else that may be able to help? Then I'll come back and figure out how to get a production server to use the remote LDAP (ahhh!).

#2 | 09-08-2010, 03:04 PM | Moderator | Posts: 1,209

There is a wiki article: LDAP Authentication - Zimbra :: Wiki

Hope that helps,
Mark
__________________
___________________________________
L. Mark Stone, CIO


"Uptime. All the time."

477 Congress Street | Portland, ME 04101-3431 | (207) 772-5678

proactive maintenance and monitoring | technology consulting
Zimbra groupware | EMR implementations | private cloud hosting

#3 | 09-08-2010, 03:11 PM | Intermediate Member | Posts: 19

Thanks for that. I'll keep that in mind when I get to that step. I need to know how to import in the current Zimbra LDAP db into the remote LDAP db.

#4 | 09-10-2010, 09:15 AM | Moderator | Posts: 1,209

Quote:
Originally Posted by supradave
Thanks for that. I'll keep that in mind when I get to that step. I need to know how to import in the current Zimbra LDAP db into the remote LDAP db.

Zimbra adds their own schema file to LDAP. I don't believe you can use their schema legally except within Zimbra itself. You'll therefore need to strip out from the dumped ldif all of the Zimbra schema-specific items before importing the remainder of the ldif file into your separate LDAP server.

Again, why not just start with an external LDAP server and have Zimbra auth against it?

I guess I'm not clearly understanding the use case here...

All the best,
Mark

#5 | 09-10-2010, 09:24 AM | Intermediate Member | Posts: 19

I would like to take my user base in Zimbra and allow authentication from other servers from the non-Zimbra LDAP.

So my DNs are

Code:
dn: uid=supradave,ou=people,dc=example,dc=com

It shouldn't be too hard to import just that and the userPassword?
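
The stripping suggested in post #4, narrowed to the goal in post #5 (only the people entries and their userPassword), can be done with a small LDIF filter. This is an added example, not code from the thread or from Zimbra; the attribute allow-list, the objectClass prefixes and the sample data are assumptions.

```python
import base64

# Allow-list of attributes to carry over; everything else (zimbra*,
# entryUUID, entryCSN, ...) is dropped. The list itself is an assumption.
KEEP_ATTRS = {"objectclass", "uid", "cn", "sn", "mail", "userpassword"}
# objectClass values that need Zimbra's schema files (prefixes are an assumption).
DROP_CLASS_PREFIXES = ("zimbra", "amavis")

def _value(line):
    """Decoded value of one LDIF line ('attr: v' or 'attr:: base64')."""
    rest = line.partition(":")[2]
    if rest.startswith(":"):
        return base64.b64decode(rest[1:].strip()).decode("utf-8")
    return rest.strip()

def filter_people(ldif_text, people_base):
    """Keep only entries below people_base, reduced to KEEP_ATTRS."""
    # Undo RFC 2849 line folding before looking at attribute names.
    unfolded = ldif_text.replace("\r\n", "\n").replace("\n ", "")
    entries = []
    for block in unfolded.split("\n\n"):
        lines = [l for l in block.splitlines() if l and not l.startswith("#")]
        if not lines or not lines[0].lower().startswith("dn:"):
            continue
        if not _value(lines[0]).lower().endswith("," + people_base.lower()):
            continue  # e.g. cn=zimbra: outside the target naming context
        kept = [lines[0]]
        for line in lines[1:]:
            attr = line.split(":", 1)[0].split(";")[0].lower()
            if attr not in KEEP_ATTRS:
                continue
            if attr == "objectclass" and _value(line).lower().startswith(DROP_CLASS_PREFIXES):
                continue
            kept.append(line)  # passed through unchanged, hash included
        entries.append("\n".join(kept))
    return "\n\n".join(entries) + "\n"

# Constructed sample input; the password hash is a placeholder, not a real one.
PW = base64.b64encode(b"{SSHA}constructed-placeholder").decode()
SAMPLE = "\n".join([
    "dn: cn=zimbra", "objectClass: organizationalRole", "cn: zimbra", "",
    "dn: uid=supradave,ou=people,dc=example,dc=com",
    "objectClass: inetOrgPerson", "objectClass: zimbraAccount",
    "uid: supradave", "cn: Dave", "sn: Supra",
    "zimbraMailHost: mail.example.", " com",  # folded line
    "userPassword:: " + PW,
    "entryUUID: 00000000-0000-0000-0000-000000000000", ""])

if __name__ == "__main__":
    print(filter_people(SAMPLE, "ou=people,dc=example,dc=com"), end="")
```

The output still contains the userPassword hashes, so keep the file readable only by the LDAP administrator; the ou=people container entry is not emitted and must already exist on the target server.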

#6 | 09-10-2010, 09:31 AM | Moderator | Posts: 1,209

If I understand what you are trying to do correctly, I think you might be making things harder on yourself than they need to be.

Why not just have users auth against Zimbra's LDAP directly? You can always set up a Zimbra LDAP replica to lighten the load if needed on your main Zimbra LDAP server.

Search the forums for "Samba" and you'll see how others have used a Zimbra server to create a competitor to Microsoft Small Business Server. In that case, Zimbra's LDAP becomes the backend for an entire Active Directory replacement.

In your proposed use case, wouldn't you have to re-export the Zimbra LDAP every time a user changed a password or you added/deleted/changed a mailbox user (and then re-import it into the other LDAP server)?

Please let me know if I am missing anything!

Hope that helps,
Mark

#7 | 09-10-2010, 05:04 PM | Partner (VAR/HSP) | Posts: 260

Yeah, I tried this recently and gave up after LDAP refused to start once I enabled the nis schema. Interested to see how you go. I only gave up after 20 mins of trying though - I am sure it is possible.
__________________
http://www.solutionsfirst.com.au/hosting/zimbra/
Australia's premier Zimbra Hosting Partner
Resellers wanted!