Rob Crittenden: Thank you for your help! This is RESOLVED, and I want to make some notes here, because finding the magic combination of syntax has been... trying.
Products affected: FreeIPA 2.0.1, Zimbra 7.1 OSE NOTES: 'humperdinck' is my IPA server and 'z7' is my Zimbra Collaboration Server. I'm NOT removing my real values, because think docs work better when you just paste in what you really used. 0. From a shell prompt on the Zimbra server, import the CA certificate, and restart Zimbra services. $ wget http://humperdinck.rmsel.org/ipa/errors/ca.crt $ mv ca.crt humperdinck_ca.crt $ sudo /opt/zimbra/java/bin/keytool -import -alias humperdinck_ca -keystore /opt/zimbra/java/jre/lib/security/cacerts -storepass changeit -file humperdinck_ca.crt $ sudo su - zimbra $ zmcontrol stop && zmcontrol start 1. From the Zimbra admin console, connect a domain to the IPA server for external LDAP authentication. On the left, under Configuration, expand Domains, and select (click) the Domain you want to authenticate with IPA. In the toolbar, click "Configure Authentication" In the drop-down list-box, choose "External LDAP" Type your IPA server's FQDN in "LDAP Server name:", do NOT check "Use SSL", check "Enable StartTLS" LDAP Filter is exactly this, WITH parentheses, and NO spaces. (uid=%u) My LDAP Search Base is exactly this, with NO parentheses, and NO spaces. You'll need to change the domain components, of course. cn=accounts,dc=rmsel,dc=org Click "next" TWICE (ie: do NOT check "Use DN/Password to bind to external server" ) Enter a username or full email and the matching password. (must be valid, NON-EXPIRED credentials) dlwillson ********** Click Test. Celebrate. 2. If you're not celebrating, use the same credentials with kinit at the shell prompt on any Kerberos client machine to confirm validity. kinit dlwillson enter password 3. If the credentials are valid, use ldapsearch from the shell on your Zimbra server to test LDAP binding/searching. $ sudo su - zimbra $ ldapsearch --help $ ldapsearch -D "uid=dlwillson,cn=users,cn=accounts,dc=rmsel,dc=org" -w '**********' -b "cn=accounts,dc=rmsel,dc=org" -h humperdinck.rmsel.org -v -ZZ "uid=dlwillson" 4. I hope you're celebrating by now, because if not, you're in for a rough time, perhaps. HTH, cheers, YMMV, YATLTL -- David
_______________________________________________ Freeipa-users mailing list Freeipafirstname.lastname@example.org https://www.redhat.com/mailman/listinfo/freeipa-users