External LDAP with GSSAPI authentication method

[schemers]

I really want to support Kerberos as an auth mech, I just haven't gotten to it, and we haven't had enough pressure from customers to do it.

I need to re-investigate the latest Kerberos support in JAAS and see how easy it would be to use it in a server-environment for username/pass verification. If someone can give me a simple call that looks something like:

boolean auth(String principal, String password, String[] kdcHostname, String realm);

then it should be trivial to add.

One potential solution (I can't recall if this is available) would be to compile OpenLDAP such that when users bind to it and give a password it uses Kerberos to verify the password. If this is possible, you could then configure Zimbra to talk to that external LDAP server for authentication.

Please file a bug in bugzilla request Kerberos support for auth and vote on it.

thanks, roland

[knabe]

We are currently evaluation Zimbra/Scalix/JES and a couple of other email/calendar solutions. We are very impressed with Zimbra. Adding Kerberos Auth would be very persuasive in moving Zimbra to the top of our list of possible products.

[schemers]

We've add support in 5.0 for:

- auth'ing a given username/password against a Kerberos server

- SASL/GSSAPI support for IMAP and POP

- the ability to use SASL/GSSAPI to bind to an external LDAP server for GAL information

[jkoyle]

I'm currently using external LDAP authentication to a locally replicated OpenLDAP/Kerberos/SASL setup running on a different port (2389). The trick to getting the default (redhat4) installed saslauthd to work properly was to force it to use the shared libs from the zimbra install by create the following files:

# cat /etc/ld.so.conf.d/zimbra.ld.conf
/opt/zimbra/lib
/opt/zimbra/sleepycat/lib
/opt/zimbra/openldap/lib
/opt/zimbra/cyrus-sasl/lib

Then re-run ldconfig.

Next, create the following file as well.

#cat /usr/lib/sasl2/slapd.conf
pwcheck_method: saslauthd

With those two changes in place things work perfectly.

John

[karlmdavis]

I've noticed that Kerberos auth was officially included in 5.0, but can't find any instructions on how to use it. Can anyone provide some directions on how to do that?

Thanks!
Karl

[mikelcu]

I second that question....

[shan]

For using kerberos authentication, you need to configure your domain this way:

zmprov md zimbraAuthKerberos5Realm zimbraAuthMech kerberos5

For POP/IMAP using kerberos, you need to put pop/imap service ketyab in /opt/zimbra/conf/krb5.keytab. Zimbra user needs to be able to read it.

You also need "unrestricted java policy jar", from Java SE Downloads. The two jar files replace Zimbra's packaged jar files under /opt/zimbra/java/jre/lib/security/.

For me, I am looking for the instructions to use SASL/GSSAPI to bind to an external LDAP server for GAL information.. The domain configuration on console seem only allow binding with a password or anonymous.

[knabe]

I have followed these instructions, Running Kerberos with Zimbra Collaboration Suite - Zimbra :: Wiki with the exception that my kerberos server is external, not local. I can login to the web interface with my kerberos password and get authenticated fine, but when I try to use either Mac's Mail or Thunderbird and GSSAPI/Kerberos5 authentication they are returning that "The mail server does not support GSSAPI authentication"