External LDAP with GSSAPI authentication method

[izvictor]

hello,
We have downloaded the ZIMBRA open source release the beta version zcs-3.2.0_M2_224.RHEL4
In our network we are using one LDAP for user information storage and a KERBEROS server for user password.
Zimbra installed with no problems.
For GAL Configuration we have chosen the external LDAP and it works fine, but for the Authentication configuration we have some problems,
in fact because of the fact that LDAP is searching the user's password in kerberos using GSSAPI protocol, when setting up external authentication we always got the 'bad credentials error'.
to make a LDAP search on command line we proceed like folowing:

(getting a kerberos ticket)
$kinit user
Password for user@REALM:******

(making a ldapsearch)
ldapsearch -H ldap://ldapserver -b "dc=company,...,dc=fr" "uid=user" -Y GSSAPI
and we have the user's info.

is there a method configure ZIMBRA to interact with our LDAP server to authenticate users?
thank you in advance,
Victor.

[izvictor]

sorry to bother you again guys , I still haven't found the solution for my problem, is Zimbra adapted for my external LDAP ...
any ideas ore suggestions would be helpfull.
Thanks

[phoenix]

Did you have a look th these instructions in the wiki, does that answer your question?

[izvictor]

Did you have a look th these instructions in the wiki, does that answer your question?

Hi phoenix,
thanks for the suggestion , but unfortunately thereis not to much help on the wiki, in fact the External Authetication is not even edited and the GAL Configuration works just fine for me.
As far as I know there must be a Kerberos Module in JAVA , maybe I could change the source code the verify the password with kerberos?
Thanks in advance Victor

[KevinH]

The only way to do this today would be to put the passwords in LDAP and let s bind against that.

[izvictor]

The only way to do this today would be to put the passwords in LDAP and let s bind against that.

That's bad,
One last question , does ZIMBRA support JAAS module for authentication or is it possible to integrate it to overpass the normal LDAP Authentication?
Thanks
Victor.

[izvictor]

The only way to do this today would be to put the passwords in LDAP and let s bind against that.

Me again
Is there any tools to migrate kerberos user's password to LDAP? knowinf that the user exists on LDAP and Kerberos
thanks
Victor

[KevinH]

No JASS or easy migration I know of. You could always just set a dummy password and check the change PWD on first login, then the user's would all get a new password. Of course this is not sync'd with the rest of your system.

[tommytune]

izvictor, why is that bad, do you really see some type of advantage by using kerberos? Use the same password and the user should be fine when yo ubind against ldap

[izvictor]

izvictor, why is that bad, do you really see some type of advantage by using kerberos? Use the same password and the user should be fine when yo ubind against ldap

The problem is that we already had an authentification server before ZIMBRA was developped and it's kind of difficult to ask every user to change his password so we could update LDAP. In addition kerberos is used in our institution also as a key distribution center for the login sessions on computers. We are trying tu use a centralized authentification , but any way I think we will continue using CYRUS IMAP POSTFIX for our mails.
thanks for the post reply, hope in near future ZIMBRA will integrate Kerberos authentification or saslauthd authentification