[Freeipa-users] Can FreeIPA v2 be used as Zimbra external LDAP authenticator?

Simo Sorce simo at redhat.com
Fri May 27 23:42:22 UTC 2011


On Fri, 2011-05-27 at 17:26 -0600, David L. Willson wrote:
> Rob Crittenden: Thank you for your help!
> 
> This is RESOLVED, and I want to make some notes here, because finding
> the magic combination of syntax has been... trying.
> 
> Products affected:
> 
>     FreeIPA 2.0.1, Zimbra 7.1 OSE
> 
> NOTES: 'humperdinck' is my IPA server and 'z7' is my Zimbra
> Collaboration Server. I'm NOT removing my real values, because I think
> docs work better when you just paste in what you really used.
> 
> 0. From a shell prompt on the Zimbra server, import the CA
> certificate, and restart Zimbra services.
> 
>     $ wget http://humperdinck.rmsel.org/ipa/errors/ca.crt
>     $ mv ca.crt humperdinck_ca.crt
>     $ sudo /opt/zimbra/java/bin/keytool -import -alias humperdinck_ca -keystore /opt/zimbra/java/jre/lib/security/cacerts -storepass changeit -file humperdinck_ca.crt
>     $ sudo su - zimbra
>     $ zmcontrol stop && zmcontrol start
> 
> 1. From the Zimbra admin console, connect a domain to the IPA server
> for external LDAP authentication.
> 
>     On the left, under Configuration, expand Domains, and select
> (click) the Domain you want to authenticate with IPA.
>     In the toolbar, click "Configure Authentication"
>     In the drop-down list-box, choose "External LDAP"
>     Type your IPA server's FQDN in "LDAP Server name:", do NOT check
> "Use SSL", check "Enable StartTLS"
>     LDAP Filter is exactly this, WITH parentheses, and NO spaces.
>         (uid=%u)
>     My LDAP Search Base is exactly this, with NO parentheses, and NO
> spaces. You'll need to change the domain components, of course.
>         cn=accounts,dc=rmsel,dc=org
>     Click "next" TWICE (ie: do NOT check "Use DN/Password to bind to
> external server")
>     Enter a username or full email and the matching password. (must be
> valid, NON-EXPIRED credentials)
>         dlwillson
>         **********
>     Click Test. Celebrate.
> 
> 2. If you're not celebrating, use the same credentials with kinit at
> the shell prompt on any Kerberos client machine to confirm validity.
>     kinit dlwillson
>     enter password
> 
> 3. If the credentials are valid, use ldapsearch from the shell on your
> Zimbra server to test LDAP binding/searching.
>     $ sudo su - zimbra
>     $ ldapsearch --help
>     $ ldapsearch -D "uid=dlwillson,cn=users,cn=accounts,dc=rmsel,dc=org" -w '**********' -b "cn=accounts,dc=rmsel,dc=org" -h humperdinck.rmsel.org -v -ZZ "uid=dlwillson"
> 
> 4. I hope you're celebrating by now, because if not, you're in for a
> rough time, perhaps.
> 
> HTH, cheers, YMMV, YATLTL

Thank you for the very nice write-up.

I am curious if you are going to enable GSSAPI authentication in Zimbra
too (Zimbra supports GSSAPI/Krb5 auth for IMAP and apparently should
support it for the web interface too at some point).

It would be awesome to get a similar writeup of how to configure it in
that case. I am sure many users would be delighted to be able to do SSO
against the mail server (ie no need to enter any password at all after
login).

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
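Added example, not code from the mail or from the FreeIPA or Zimbra projects: it builds the `(uid=%u)` filter, the user DN and the StartTLS ldapsearch check from steps 1 and 3 above for a given login name, applying RFC 4515 filter escaping and RFC 4514 DN escaping to the name before substitution (Zimbra itself substitutes %u; how it escapes is not shown in the post). The ldapsearch variant here uses -H and -W (prompt for the password) instead of -h and -w, so the password does not land on the command line.

```python
import shlex

SEARCH_BASE = "cn=accounts,dc=rmsel,dc=org"  # values from the post
FILTER_TEMPLATE = "(uid=%u)"
IPA_HOST = "humperdinck.rmsel.org"

# RFC 4515 section 3: characters that must be escaped inside a filter value
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
# RFC 4514 section 2.4: characters that must be escaped inside a DN attribute value
_DN_SPECIALS = set(',+"\\<>;')


def escape_filter_value(value: str) -> str:
    """Escape a login name before it is substituted into a search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def escape_dn_value(value: str) -> str:
    """Escape a value used as an RDN attribute value (RFC 4514)."""
    out = "".join("\\" + ch if ch in _DN_SPECIALS else ch for ch in value)
    if out.startswith(("#", " ")):  # leading '#' or space needs escaping
        out = "\\" + out
    if out.endswith(" "):  # so does a trailing space
        out = out[:-1] + "\\ "
    return out


def build_filter(username: str, template: str = FILTER_TEMPLATE) -> str:
    """Replace %u with the login name, as Zimbra does, but escaped first."""
    return template.replace("%u", escape_filter_value(username))


def user_dn(username: str, base: str = SEARCH_BASE) -> str:
    """FreeIPA users live under cn=users beneath the accounts container."""
    return f"uid={escape_dn_value(username)},cn=users,{base}"


def ldapsearch_argv(username: str, host: str = IPA_HOST) -> list:
    """Argument vector for the StartTLS (-ZZ) bind/search check of step 3.
    -W prompts for the password instead of taking it on the command line,
    so it stays out of the process list and the shell history."""
    return ["ldapsearch", "-H", f"ldap://{host}", "-ZZ", "-D", user_dn(username),
            "-W", "-b", SEARCH_BASE, build_filter(username)]


if __name__ == "__main__":
    for name in ("dlwillson", "dl*", "bad)"):  # constructed sample names
        print(build_filter(name), "->", user_dn(name))
    print(shlex.join(ldapsearch_argv("dlwillson")))
```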
