Thread: Looking for experienced opinions please

  1. #1
    sdrury is offline Special Member
    Join Date
    Aug 2008
    Location
    Brisbane, Australia
    Posts
    168
    Rep Power
    7

    Question Looking for experienced opinions please

    I know there are many possible ways to set up ZCS and am looking for experienced advice.

    I have installed ZCS FOSS a few times now in a test environment to build my knowledge up on how the system works and integrates with Ubuntu server 8.04.

    Now I am looking at setting up a production server utilising Ubuntu 8.04LTS x64 and ZCS FOSS x64. The installation side is no problem, I have mastered this now!

    My company's setup will be like this:
    - 12 domains of which some users could receive email from multiple domains
    - 150 users approx
    - Authentication via Active Directory server

    What is the best way to set up the domains? Should they just be added separately or can virtual hosts be used? I haven't found a definitive answer to this question or how the virtual hosts are used. I understand it is easy to set up aliases to cover mail to users not from their default domain.

    Also I don't mind if all users can see each other via the GAL, but have noticed on a test system that I could only see others in my domain - is there a way to make the GAL show users from other domains as well? (not super important though)

    Look forward to your advice.

    Regards,
    Sean.

  2. #2
    emmaylots is offline Loyal Member
    Join Date
    May 2008
    Location
    Nigeria
    Posts
    92
    Rep Power
    7

    Hello,
    My advice: set up the domains separately, using the Admin console.

  3. #3
    sdrury is offline Special Member
    Join Date
    Aug 2008
    Location
    Brisbane, Australia
    Posts
    168
    Rep Power
    7

    Thanks for that - with the GAL setup can users be looked up across those domains?

  4. #4
    mmorse is offline Moderator
    Join Date
    May 2006
    Location
    USA
    Posts
    6,242
    Rep Power
    21

    GAL:

    If you want to allow everyone on your box to see everyone:
    zmprov mcf zimbraGalInternalSearchBase ROOT
    (May also do that for zimbraGalSyncInternalSearchBase if you use ZCO/ZD/etc)

    On individual domains (inherited from global), by default zimbraGalInternalSearchBase & zimbraGalSyncInternalSearchBase are set to DOMAIN. Thus if you're using multiple domains and still want to leave the GAL enabled, people can only search within their domain for privacy. Say you had multiple domains but managed by one IT department - you might give them the ability to search ROOT so they could find members easier.

    (If you're using external LDAP/AD auth that's zimbraGalLdapSearchBase & zimbraGalSyncLdapSearchBase.)

    If you want to allow lookup in domain.com and any sub.domain.com:
    -set that attribute to SUBDOMAINS

    Notice in the below example that for all intents and purposes sub.domain.com can be set to DOMAIN or SUBDOMAINS and there's no difference. That's because SUBDOMAINS isn't intended for the sub to view the parent, just the parent to see the sub. Do read on to understand how that works:

    zmprov cd domain.com
    zmprov cd sub.domain.com
    zmprov ca usermain@domain.com usermain
    zmprov ca usersub@sub.domain.com usersub
    zmprov md domain.com zimbraGalInternalSearchBase SUBDOMAINS
    zmprov md sub.domain.com zimbraGalInternalSearchBase SUBDOMAINS
    (or mcf to do it globally)

    Login to usermain
    Type 'u' in a new mail (assuming you have auto complete from GAL enabled) and you'll get back:
    usermain@domain.com
    usersub@sub.domain.com

    Login to usersub
    Type 'u' and you'll get back just:
    usersub@sub.domain.com

    Get it?

    And you'll continue to get nothing but usersub@sub.domain.com unless you make an alpha.sub.domain.com & useralphasub@alpha.sub.domain.com

    At which point logging in as usersub and typing 'u' will return:
    usersub@sub.domain.com
    useralphasub@alpha.sub.domain.com

    Usermain would then return 3 values:
    usermain@domain.com
    usersub@sub.domain.com
    useralphasub@alpha.sub.domain.com

    (When testing refresh your browser every time you set zimbraGalInternalSearchBase.)

    So what can be done if you can't use ROOT for all, but just want domainA.com & domainB.com to see each other?

    You could use both internal & 'external' GAL lookups against yourself so that A<>B and B<>A (use the GAL wizard):

    DomainA:
    GAL: both
    Server type: LDAP
    LDAP url: ldap://serverwithldapservice.domain.com:389
    LDAP filter: (uid=%u) parenthesis included
    Autocomplete filter: It should autofill with externalLdapAutoComplete, but doesn't always do so the first round of setting up; though it will show up after you apply. (but you could add it now if wanted/if it requires you to in an error at the end)
    LDAP search base: dc=domainB,dc=com ("" might coax search across all domains)
    Bind DN: shouldn't need to bother - but you could always do something like cn=admin,dc=domain,dc=com

    DomainB:
    GAL: both
    Server type: LDAP
    LDAP url: ldap://serverwithldapservice.domain.com:389 ssl 636 if desired
    LDAP filter: (uid=%n) parenthesis included
    Autocomplete filter: ignore unless you can't click finish/test gives error/error in mailbox.log then enter externalLdapAutoComplete
    LDAP search base: dc=domainA,dc=com
    Bind DN: ignore

    LDAP Filter notes:
    (uid=%u) - The user has a uid attribute value in the external directory equal to the user portion of the Zimbra user account.
    (uid=%n) - Entire Zimbra user account is used to identify user in the external directory.
    or even (&(|(cn=*%s*)(sn=*%s*)(gn=*%s*)(mail=*%s*)(zimbraMailDeliveryAddress=*%s*)(zimbraMailAlias=*%s*)(zimbraMailAddress=*%s*))(|(objectclass=zimbraAccount)(objectclass=zimbraDistributionList)))

    A few RFEs you can vote for:
    Bug 7426 - option to search gal across domains
    Bug 21750 - search for resources across domains
    Bug 13801 - Add support for multiple GALs per domain

    In 5.0.3-: Bug 21873 - GAL autocomplete should handle multiple tokens

    ---
    Virtual hosts:

    Say you have domainA & domainB:

    If you point users at just one address (say it's mail.domainA.com) you just set:
    zmprov mcf zimbraDefaultDomainName domainA.com
    and users can login with username/pass.

    However, users in domainB.com on the other hand will have to type the full login username@domainB.com/pass.

    To solve that you can create a virtual host. This becomes the default domain for a user login so web-client users can log in without having to specify the domain name as part of their user name.

    Admin console GUI > Domains > Virtual Hosts tab. The virtual host requires a valid DNS configuration with an A record.
    OR
    zmprov md domainB.com zimbraVirtualHostname webmail.domainB.com
    Users enter the virtual host name as the URL address (webmail.domainB.com) where they enter just their username/pass.
    The authentication request searches for a domain with that virtual host name and authentication is completed against that domain.

    See also zimbraPublicService[Protocol + Hostname + Port] for REST URL generation, used on shares etc.

    Now, if you have a multi server setup you can deploy a login load balancer for the Zimbra server so that all users can log in from any mailstore server instead of having to remember which server their mailbox is on. (See the multi-server docs)
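
The DOMAIN / SUBDOMAINS / ROOT scoping described in post #4, as an added example that is not part of the original post and is not Zimbra's own code: it models who can look up whom in the GAL, so an admin can review cross-domain directory exposure before changing zimbraGalInternalSearchBase. The function names, the `ursula@notdomain.com` account and the sample settings are constructed for illustration.

```python
# Added example: a model of the search-base scoping described in post #4.
# Account names, domains and function names are constructed for illustration.

def domain_of(addr):
    return addr.rsplit("@", 1)[1].lower()

def visible_domains(viewer_domain, mode, all_domains):
    """Domains whose entries a user in viewer_domain can look up in the GAL."""
    viewer_domain, mode = viewer_domain.lower(), mode.upper()
    if mode == "ROOT":        # everyone on the box sees everyone
        return set(all_domains)
    if mode == "DOMAIN":      # the default: own domain only
        return {viewer_domain}
    if mode == "SUBDOMAINS":  # own domain plus anything beneath it, never the parent
        suffix = "." + viewer_domain  # label boundary: notdomain.com is not under domain.com
        return {d for d in all_domains if d == viewer_domain or d.endswith(suffix)}
    raise ValueError(f"unknown search base {mode!r}")

def gal_results(viewer, accounts, search_base, typed=""):
    """Addresses returned to `viewer` when autocompleting on `typed`."""
    all_domains = {domain_of(a) for a in accounts}
    vd = domain_of(viewer)
    scope = visible_domains(vd, search_base.get(vd, "DOMAIN"), all_domains)
    return sorted(a for a in accounts if domain_of(a) in scope and a.startswith(typed))

def cross_domain_exposure(accounts, search_base):
    """Map each domain to the other domains whose users it can enumerate."""
    all_domains = {domain_of(a) for a in accounts}
    report = {}
    for d in sorted(all_domains):
        others = visible_domains(d, search_base.get(d, "DOMAIN"), all_domains) - {d}
        if others:
            report[d] = sorted(others)
    return report

# Constructed sample data mirroring the walkthrough in post #4.
ACCOUNTS = [
    "usermain@domain.com",
    "usersub@sub.domain.com",
    "useralphasub@alpha.sub.domain.com",
    "ursula@notdomain.com",
]
SEARCH_BASE = {"domain.com": "SUBDOMAINS", "sub.domain.com": "SUBDOMAINS"}

if __name__ == "__main__":
    for domain, others in cross_domain_exposure(ACCOUNTS, SEARCH_BASE).items():
        print(f"{domain} can enumerate users in: {', '.join(others)}")
```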

  5. #5
    sdrury is offline Special Member
    Join Date
    Aug 2008
    Location
    Brisbane, Australia
    Posts
    168
    Rep Power
    7

    Thank you Mike - that's exactly the info I was looking for.

  6. #6
    sdrury is offline Special Member
    Join Date
    Aug 2008
    Location
    Brisbane, Australia
    Posts
    168
    Rep Power
    7

    I am using AD and have tried the following:

    zimbra@mail:~$ zmprov mcf zimbraGalLdapSearchBase ROOT
    ERROR: service.INVALID_REQUEST (invalid request: LDAP schema violation: [LDAP: error code 65 - attribute 'zimbraGalLdapSearchBase' not allowed])
    zimbra@mail:~$

    What does this mean?

    Sean.

  7. #7
    sdrury is offline Special Member
    Join Date
    Aug 2008
    Location
    Brisbane, Australia
    Posts
    168
    Rep Power
    7

    Anyone know why I'm getting the above error message?

    Regards,
    Sean.
