Posted 06-13-2011, 11:40 AM
[SOLVED] Connecting Zimbra 7 to Free IPA 2 for LDAP authentication

Products affected:

FreeIPA 2.0.1, Zimbra 7.1 OSE

NOTES: 'humperdinck' is my IPA server and 'z7' is my Zimbra Collaboration Server. I'm NOT removing my real values, because I think docs work better when you just paste in what you really used.

0. From a shell prompt on the Zimbra server, import the CA certificate, and restart Zimbra services.

$ wget http://humperdinck.rmsel.org/ipa/errors/ca.crt
$ mv ca.crt humperdinck_ca.crt
$ sudo /opt/zimbra/java/bin/keytool -import -alias humperdinck_ca -keystore /opt/zimbra/java/jre/lib/security/cacerts -storepass changeit -file humperdinck_ca.crt
$ sudo su - zimbra
$ zmcontrol stop && zmcontrol start

1. From the Zimbra admin console, connect a domain to the IPA server for external LDAP authentication.

On the left, under Configuration, expand Domains, and select (click) the Domain you want to authenticate with IPA.
In the toolbar, click "Configure Authentication"
In the drop-down list-box, choose "External LDAP"
Type your IPA server's FQDN in "LDAP Server name:", do NOT check "Use SSL", check "Enable StartTLS"
LDAP Filter is exactly this, WITH parentheses, and NO spaces.
(uid=%u)
My LDAP Search Base is exactly this, with NO parentheses, and NO spaces. You'll need to change the domain components, of course.
cn=accounts,dc=rmsel,dc=org
Click "next" TWICE (i.e. do NOT check "Use DN/Password to bind to external server")
Enter a username or full email and the matching password. (must be valid, NON-EXPIRED credentials)
dlwillson
**********
Click Test. Celebrate.

2. If you're not celebrating, use the same credentials with kinit at the shell prompt on any Kerberos client machine to confirm validity.
kinit dlwillson
enter password

3. If the credentials are valid, use ldapsearch from the shell on your Zimbra server to test LDAP binding/searching.
$ sudo su - zimbra
$ ldapsearch --help
$ ldapsearch -D "uid=dlwillson,cn=users,cn=accounts,dc=rmsel,dc=org" -w '**********' -b "cn=accounts,dc=rmsel,dc=org" -h humperdinck.rmsel.org -v -ZZ "uid=dlwillson"

4. I hope you're celebrating by now, because if not, you're in for a rough time, perhaps.

HTH, cheers, YMMV, YATLTL
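Added example, not part of the post above: the same procedure (steps 0, 1 and 3) as a non-interactive script, with the two checks a practitioner would want. The post fetches ca.crt over plain HTTP, so the script refuses to import the CA unless its SHA-256 fingerprint matches a value you obtained out of band (EXPECTED_FP, a placeholder you must set), and it validates the filter/search-base formatting the admin console is picky about before applying it. The zmprov attributes (zimbraAuthMech, zimbraAuthLdapURL, zimbraAuthLdapStartTlsEnabled, zimbraAuthLdapSearchBase, zimbraAuthLdapSearchFilter) are the command-line equivalents of the console settings in step 1; the host, base and filter values are the ones from the post, the alias name is reused from the post, and the bind test uses a simple bind (-x) with a password prompt (-W) instead of a password on the command line.

```shell
#!/usr/bin/env bash
# Added example (not from the original post). Assumed: EXPECTED_FP must be
# set by you from an out-of-band source; RUN_IPA_SETUP=1 is a guard so that
# sourcing the file only defines the functions.
set -eu

IPA_HOST="${IPA_HOST:-humperdinck.rmsel.org}"
ZIMBRA_DOMAIN="${ZIMBRA_DOMAIN:-rmsel.org}"
SEARCH_BASE="${SEARCH_BASE:-cn=accounts,dc=rmsel,dc=org}"
LDAP_FILTER='(uid=%u)'
KEYTOOL=/opt/zimbra/java/bin/keytool
CACERTS=/opt/zimbra/java/jre/lib/security/cacerts
CA_ALIAS=humperdinck_ca
# SHA-256 fingerprint of the IPA CA, lowercase hex, no colons (placeholder).
EXPECTED_FP="${EXPECTED_FP:-}"

# Step 1 wants the filter WITH parentheses, no spaces, and a %u placeholder.
check_filter() {
  case "$1" in
    *[[:space:]]*) return 1 ;;
    '('*%u*')')    return 0 ;;
  esac
  return 1
}

# ... and the search base WITHOUT parentheses or spaces: attr=value RDNs
# separated by commas, none of them empty.
check_base() {
  case "$1" in
    ''|*[[:space:]]*|*'('*|*')'*) return 1 ;;
  esac
  saved_ifs=$IFS; IFS=','
  for rdn in $1; do
    case "$rdn" in
      =*|*=|*=*=*) IFS=$saved_ifs; return 1 ;;   # empty side or two '='
      *=*) ;;                                     # attr=value, as required
      *)           IFS=$saved_ifs; return 1 ;;   # no '=' at all (or empty)
    esac
  done
  IFS=$saved_ifs
  return 0
}

# DN of an IPA user under the post's search base: uid=<user>,cn=users,<base>.
user_dn() {
  printf 'uid=%s,cn=users,%s' "$1" "$2"
}

# SHA-256 fingerprint of a PEM certificate, normalised to lowercase hex.
cert_fingerprint() {
  openssl x509 -in "$1" -noout -sha256 -fingerprint \
    | sed 's/^.*=//; s/://g' | tr '[:upper:]' '[:lower:]'
}

# Step 0: verify the CA before trusting it, and import it only once.
import_ca() {
  crt=$1
  if [ -z "$EXPECTED_FP" ]; then
    echo "EXPECTED_FP is unset; refusing to trust a CA fetched over plain HTTP" >&2
    return 1
  fi
  actual=$(cert_fingerprint "$crt")
  if [ "$actual" != "$EXPECTED_FP" ]; then
    echo "CA fingerprint mismatch: got $actual, expected $EXPECTED_FP" >&2
    return 1
  fi
  if "$KEYTOOL" -list -keystore "$CACERTS" -storepass changeit \
       -alias "$CA_ALIAS" >/dev/null 2>&1; then
    echo "alias $CA_ALIAS already in $CACERTS; skipping import"
  else
    "$KEYTOOL" -importcert -noprompt -alias "$CA_ALIAS" -keystore "$CACERTS" \
      -storepass changeit -file "$crt"
  fi
}

# Step 1 via zmprov: ldap:// URL plus StartTLS (not ldaps://), anonymous
# search (no bind DN/password), exactly as configured in the console.
configure_domain() {
  check_filter "$LDAP_FILTER" || { echo "bad filter: $LDAP_FILTER" >&2; return 1; }
  check_base "$SEARCH_BASE"   || { echo "bad search base: $SEARCH_BASE" >&2; return 1; }
  zmprov md "$ZIMBRA_DOMAIN" \
    zimbraAuthMech ldap \
    zimbraAuthLdapURL "ldap://$IPA_HOST:389" \
    zimbraAuthLdapStartTlsEnabled TRUE \
    zimbraAuthLdapSearchBase "$SEARCH_BASE" \
    zimbraAuthLdapSearchFilter "$LDAP_FILTER"
}

# Step 3: simple bind over StartTLS; -ZZ fails hard if TLS cannot be set up,
# which is exactly the failure a bad CA import produces.
test_bind() {
  ldapsearch -x -ZZ -H "ldap://$IPA_HOST" \
    -D "$(user_dn "$1" "$SEARCH_BASE")" -W \
    -b "$SEARCH_BASE" "uid=$1" dn
}

main() {
  user=${1:?usage: RUN_IPA_SETUP=1 $0 <ipa-username>}
  wget -q -O humperdinck_ca.crt "http://$IPA_HOST/ipa/errors/ca.crt"
  import_ca humperdinck_ca.crt            # needs write access to $CACERTS (root)
  su - zimbra -c 'zmcontrol restart'
  configure_domain                         # zmprov lives in /opt/zimbra/bin
  test_bind "$user"
}

if [ "${RUN_IPA_SETUP:-0}" = 1 ]; then
  main "$@"
fi
```

Run it as root with /opt/zimbra/bin on PATH (or split it: import_ca as root, configure_domain and test_bind as the zimbra user). If the bind fails with -ZZ while a plain bind works, the CA import is the problem; if it fails with both, fall back to the kinit check in step 2.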