Zimbra Collaboration Server 7.2 Authentication and GAL lookups against FreeIPA

This document is written as an integration document to configure IPA as an Authentication Source as well as a Directory source for an already existing Zimbra installation.
This document is not intended as a walkthrough on how to install and configure Zimbra Collaboration Server.
This document was written and tested using Red Hat Enterprise Linux 6.2 x86_64 running Zimbra Collaboration Server 7.2 (Network Edition)
For the purpose of this document, the following information is given

Servers: 
IPA Server = ds01.example.com
Zimbra Server = zimbra03.example.com



IMPORTANT
Please note, that by adding FreeIPA as the external authentication backend, the username "admin" will clash as both IPA and Zimbra use an admin account.
you MUST set the following so that, should LDAP authentication fail for what ever reason, you will be able to still login with the local admin account.
If you do not do this and you lose LDAP authentication, you will not be able to log in as the Zimbra Admin user. 
[root@zimbra03 ~]# su -l zimbra
[zimbra@zimbra03 ~]$ zmprov modifydomain example.com zimbraAuthFallbackToLocal TRUE
[zimbra@zimbra03 ~]$


Prerequisite:

We will need to create a bind account for Zimbra to authenticate to IPA as a service account.
To do this, create an ldif file detailing your service account. I used the following, saved as zimbra.ldif 
dn: uid=zimbra,cn=sysaccounts,cn=etc,dc=example,dc=com
changetype: add
objectclass: account
objectclass: simplesecurityobject
uid: zimbra
userPassword: woofwoofimasecretpasswordthatisreallydifficult
passwordExpirationTime: 20380119031407Z
nsIdleTimeout: 0
Save your file, and then import it on your IPA server 
[root@ds01 ~]# ldapmodify -h ds01.example.com -p 389 -x -D "cn=Directory  Manager" -w redhat123 -f zimbra.ldif
adding new entry "uid=zimbra,cn=sysaccounts,cn=etc,dc=example,dc=com"
[root@ds01 ~]#
Your service account is now imported


Zimbra Authentication with FreeIPA

Step 1 :
Log into the Zimbra admin console https://zimbra03.example.com:7071/zimbraAdmin/
See attached screenshot.
1-AdminConsoleCrop.png

Step 2 :
Once logged in as the admin user, on the left select domains, then click the domain you wish to add authentication to, and click the Authentication button above it.
See attached screenshot.
2-ZimbraDomainsCrop.png


Step 3 :
Select "External LDAP"
Enter your IPA server's host name (mine is ds01.example.com)
Under LDAP Filter, enter "(&(objectClass=inetOrgPerson)(objectClass=posixAccount)(uid=%u))" without the quotes
Under LDAP Search Base, enter "cn=users,cn=accounts,dc=example,dc=com" without the quotes
Then click Next.
See attached screenshot.
3-AuthenticationConfigurationCrop.png


Step 4 :
Place a tick in the box next to "Use DN/Password to bind to external server:" and enter your service account details.
Note: the correct value to use is as it appears as the output from your ldapmodify command above.
Click Next
See attached screenshot.
4-AuthenticationConfigurationBindAccCrop.png


Step 5 :
Here you have the chance to verify your settings to make sure they are working.
Create a test user and enter the username and password in the fields available, and then click the test button
See attached screenshot.
5-AuthenticationConfigurationTestUserCrop.png


Step 6 :
If everything is behaving as it should, you will see a green message, stating that the authentication process completed suggessfully.
Click next and then finally click finish.
See attached screenshot.
6-AuthenticationConfigurationAuthSuccessCrop.png


The authentication process is now completed.
See attached screenshot.
7-AuthenticationConfigurationFinishedCrop.png


Step 6 :
Now verify your work and mail-enable your test user

Inside the admin console, on the left, select accounts, then click new, account Fill in the relevant details, where the account name matches the username within IPA

Under the "Password" section, enter the External LDAP Account as it would appear from an ldapsearch. My testuser appears as follows uid=testuser,cn=users,cn=accounts,dc=example,dc=com

Click Finish once you have filled in all the details you wish to enter.
9-AccountsCreateUserCrop.png

In a new window, open your browser to http://zimbra03.example.com/ enter your IPA username and password and login

Once you have logged in, you will see a new empty mailbox with the test username in the top right corner.
See attached screenshot.
12-WebMailConsoleCrop.png


Zimbra Global Address List lookups against FreeIPA

Step 1 :
In the admin console, on the left select domains, then click the domain you wish to edit
Click the "Configure GAL" button and enter the following details

Step 2 :
IMPORTANT, the default port for the ldap search seems to be spefic for Active Directory. Please change the port number to 389

Enter the address of your IPA server under "External Server Name" and set the port to 389

Under "Search Filter", enter "(&(|(cn=*%s*)(sn=*%s*)))" without the quotes.
Under "Autocomplete Filter", enter "(|(uid=%s*)(givenname=%s*)(mail=%s*))" without the quotes.
Under "LDAP Search base", enter "dc=example,dc=com" without the quotes.

Then click next
See attached screenshot.
13-GALConfigurationCrop.png


Step 3 :
Place a tick in the box where is says "Use DN/Password to bind to external server"
Use the service account you created earlier as the bind account. Enter the following "uid=zimbra,cn=sysaccounts,cn=etc,dc=example,dc=com" without the quotes

Enter your service account password.
Click Next
See attached screenshot.
14-GALConfigurationBindAccCrop.png

Step 4:
By default, there will be a tick alongside "Use GAL search settings for GAL sync", leave this as is and click next.
15-GALConfigurationGALSyncCrop.png

Step 5:
Enter the username or other name for your test user, and click the test button.
See attached screenshot
16-GALConfigurationTestUserCrop.png

If your search is successful, click Finish.
17-GALConfigurationTestSuccessCrop.png


Your IPA GAL is now implemented.
You can verify the Global Address list by creating a new email and clicking the "To:" button which will allow you to search for your FreeIPA user accounts.

Nhận xét

Đăng nhận xét

Bài đăng phổ biến từ blog này

CLEANING UP THE ZABBIX DATABASE

My Zabbix database size increased a lot in the last few months and since my disk was running out space, I decided to clean up the old events from the database. Looking at the database tables, the biggest one was  history_uint , which holds the items history data – over 400 millions of records and over 30 Gb of disk space before the clean up. Since deleting the old records from this table directly would be a very slow process, I decided to create a new table and insert the latest records from the  history_uint  table and then just replace the old table with a new one. Since this is not an offical procedure, use it at your own risk. Environment: Zabbix v2.2 MySql 5.1 – InnoDB with  innodb_file_per_table=ON Step 1 – Stop the Zabbix server Step 2 – Open your favourite MySQL client and create a new table CREATE TABLE  history_uint_new  LIKE  history_uint; Step 3 – Insert the latest records from the  history_uint  table to the  history_uint_new table First you need to de
Đọc thêm

Configuring DHCP Relay service on the FortiGate unit

Configuring DHCP Relay service on the FortiGate unit If the clients are configured to obtain a IP address using DHCP relay, configure the FortiGate server as below: To configure DHCP relay on the FortiGate unit   1. Go to System > Network > Interfaces and select Interface want to configure DHCP relay.   2. Enable DHCP Server in the interface and choose Advanced   3. For Mode, select Relay.   4. In Type select Regular.   5. Select OK.   6. If a router is installed between the FortiGate unit and the DHCP server, define a static route to the DHCP server. Note : Sometimes it is required to specify more than one DHCP relay IP, to allow for the coverage of additional LAN subnets. Although the Web Based Manager (GUI) does not provide an option to configure this, it is possible to set up to 8 IPs from the CLI.       config system interface             edit <REQUIRED_INTERFACE_HERE>               set dhcp-relay-ip <FIRST_IP> <SECOND_IP> ....<EIGHTH_IP&
Đọc thêm

WAN link load balancing

Hình ảnh
W A N link load balancing In the same way that incoming traffic can be load balanced, outgoing or WAN traffic can also be load balanced and for the same three reasons. 1 .  Reduce the places in the work flow where a single point of failure can bring the process to a halt. 2 .  Expand the capacity of the resources to handle the required workload. 3 .  Have it configured so that the process of balancing the workload is automatic. Often, it can be just as important for an organizations members to be able to access the Internet as it is for the denizens of the Internet to access the Web facing resources. There is now a  WA N Load Balancing  feature located in the  N e t w o r k  section of the GUI (“WAN LLB”). As part of the new WAN Load Balancing feature, the FortiOS 5.2  R ou t e r > Static > Settings  GUI page has been removed. WAN Load Balancing should be used instead of the 5.2  E C M P Load Balancing Method  settings. The 5.2  L i n k Health Monitor  definitions
Đọc thêm