
Thread: OpenDirectory as Zimbra LDAP Server

  1. #1 misleb (Intermediate Member)

    OpenDirectory as Zimbra LDAP Server

    Has anyone tried using OpenDirectory as the main Zimbra LDAP source? Not just for authentication, but for everything. Users, zimbra server data... everything. I'd really like to have all my users consolidated in one directory. It makes me uncomfortable to have two different directories with redundant information.

    As far as I can tell, it should just be a matter of copying over the Zimbra schema files, loading them in the OS X openldap server, and then telling zmsetup.pl to use the OpenDirectory server as its master LDAP server. Although I found that when I changed the LDAP server in the Main Menu, I no longer had the "apply" option so I could never cause zmsetup.pl to actually try and write its initial data to the OpenDirectory server.

    Another potential problem is that OS X stores users in ou=users and Zimbra uses ou=people. Can this be changed?

    -matthew

  2. #2 jeffreyheinen (Senior Member, Oregon)

    Short answer: kinda... but stopped because it doesn't look like a good idea.

    Long answer: I am looking at implementation of ZCS into my OpenDirectory/Mac-heavy environment here at work. I've looked into a few directions, but have not had a lot of luck with either.

    I have considered slaving Zimbra to the OpenDirectory directly. However, I think that would be a very bad idea. The structure is too different. I did find a blog post of someone that would rewrite the schema into a new sub-tree via a cron job and a script.

    Everything I have read and observed shows that ZCS really wants to live as its own beast. It would be much happier on its own server(s), with its own services. And you would be much happier when it comes time to update ZCS and it attempts to rebuild your LDAP.

    The other path is going with yet another service to manage an auth/identity/SSO system, like Crowd. The benefit for me is that we are already using the sister products, Jira and Confluence. Because Crowd handles OpenDirectory LDAP well, setting it up would allow OpenDirectory to be the source of auth data for just about everything. Crowd has a SOAP API, so it would be a matter of getting both it and Zimbra to work together.

    Sadly, I'm rather new to SOAP/XML-RPC so I'm still trying to wrap my head around the concept and what would be the best implementation path. It is also a commercial product, so going that route would require us to make a purchase. So, we are willing to deal with different databases short term, and prepare for a good solution for the long term.

  3. #3 misleb (Intermediate Member)

    Quote Originally Posted by jeffreyheinen:
        I have considered slaving Zimbra to the OpenDirectory directly. However, I think that would be a very bad idea. The structure is too different.

    What do you mean by "structure," exactly? Do you mean schema? That is to be expected. I mean, Zimbra uses different attributes, but I would think there would be some overlap. Accounting for this should be a simple matter of copying the zimbra schema files and extending OpenDirectory with them (they both use OpenLDAP, after all).

    But if you mean structure in the sense of container names, I agree, Zimbra uses ou=People and OpenDirectory uses ou=Users. That is the only major difference I can find. And I'm wondering if there is a fix for this. Shouldn't be too hard to tell Zimbra to look in ou=users,dc=domain,dc=edu. I just need to know how.

    I'm also a little concerned about how Zimbra authenticates to its "internal" LDAP directory. The docs say it stores SHA1 hash, but OpenDirectory uses PasswordManager to store authentication info. The userPassword attribute is just a stub in OD as far as I can tell.

    I did see a post on AFP548 about someone who claims to have nearly completed the integration, but he hasn't posted his results or instructions. Here: AFP548 - Changing the world one server at a time.

    I dunno, maybe it isn't really so important to have everything in one directory... it just seems more elegant to me. Like if I ever have to script LDAP operations, it would be nice to only require one LDAP bind. I already have a custom app that uses LDAP information, and with Zimbra it would require two connections to get the full user attributes.

    -matthew

  4. #4 misleb (Intermediate Member)

    Ok, I've gone and done it. It took like 15 hours to get everything (well, almost) figured out, but I finally got Zimbra to use OpenDirectory to store information. I even managed to get them to put users in the same container (via an LDAP alias ou=people -> cn=users). In a test environment, of course...

    Unfortunately, Zimbra users don't show up in Workgroup Manager and Workgroup Manager users don't show up in Zimbra. Any attempts to "create" a conflicting user just causes an error. So without auto provisioning and some support in Zimbra for "extending" existing user objects, this is completely pointless. Of course, I don't even know if it would be possible to extend an existing user because apparently you can't modify objectClass on existing objects.

    I guess it is back to having multiple LDAP directories.

    Say what you want about Groupwise or Exchange, but at least they integrate smoothly with their corresponding directories. :-P

    -matthew
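An added example, not code from this thread, that audits an LDIF export of a shared tree for the gaps raised in this post and the one before it: the ou=people alias onto cn=users, OpenDirectory users that were never extended with zimbraAccount, and userPassword entries that hold only the OD stub rather than a hash. The sample entries and DNs are constructed; the objectClass and attribute names are the real OpenDirectory and Zimbra ones, and the alias entry uses OpenLDAP's alias/aliasedObjectName form.

```python
# Added example, not code from this thread. Sample data is constructed; the
# objectClass/attribute names are the real OpenDirectory and Zimbra ones.
import base64

SAMPLE_LDIF = """\
dn: ou=people,dc=domain,dc=edu
objectClass: alias
objectClass: extensibleObject
ou: people
aliasedObjectName: cn=users,dc=domain,dc=edu

dn: uid=alice,cn=users,dc=domain,dc=edu
objectClass: apple-user
objectClass: zimbraAccount
userPassword:: KioqKioqKio=

dn: uid=bob,cn=users,dc=domain,dc=edu
objectClass: apple-user
"""

def parse_ldif(text):                          # minimal LDIF reader
    entries, cur = [], []                      # cur: [attr, raw, is_b64]
    for line in text.splitlines() + [""]:      # trailing "" flushes last entry
        if line.startswith(" ") and cur: cur[-1][1] += line[1:]  # folded line
        elif line.strip():
            attr, _, val = line.partition(":")
            b64 = val.startswith(":")          # "attr:: base64value"
            cur.append([attr, (val[1:] if b64 else val).strip(), b64])
        elif cur:                              # blank line ends an entry
            e = {}
            for attr, raw, b64 in cur:
                e.setdefault(attr, []).append(
                    base64.b64decode(raw).decode() if b64 else raw)
            entries.append(e); cur = []
    return entries

def audit(entries):                            # which users can Zimbra use?
    r = {"aliases": {}, "zimbra_ready": [], "od_only": [], "stub_password": []}
    for e in entries:
        dn, oc = e["dn"][0], set(e.get("objectClass", []))
        if "alias" in oc: r["aliases"][dn] = e["aliasedObjectName"][0]
        elif "apple-user" in oc:               # an OpenDirectory user record
            r["zimbra_ready" if "zimbraAccount" in oc else "od_only"].append(dn)
            if e.get("userPassword", [""])[0] == "********":  # OD stub, no hash
                r["stub_password"].append(dn)
    return r

def resolve_alias(dn, aliases):                # rewrite a DN under an alias
    hit = [a for a in aliases if dn == a or dn.endswith("," + a)]
    return dn[:len(dn) - len(hit[0])] + aliases[hit[0]] if hit else dn
```

Run against a real `slapcat`/`ldapsearch -LLL` export, the `od_only` list is exactly the set of Workgroup Manager users Zimbra cannot see, and `stub_password` shows why an LDAP bind against userPassword cannot work for them.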
