Rob Crittenden: Thank you for your help!
This is RESOLVED, and I want to make some notes here, because finding the magic
combination of syntax has been... trying.
FreeIPA 2.0.1, Zimbra 7.1 OSE
NOTES: 'humperdinck' is my IPA server and 'z7' is my Zimbra Collaboration
Server. I'm NOT removing my real values, because I think docs work better when
you just paste in what you really used.
0. From a shell prompt on the Zimbra server, import the CA certificate, and
restart Zimbra services.
$ wget http://humperdinck.rmsel.org/ipa/errors/ca.crt
$ mv ca.crt humperdinck_ca.crt
$ sudo /opt/zimbra/java/bin/keytool -import -alias humperdinck_ca -keystore
/opt/zimbra/java/jre/lib/security/cacerts -storepass changeit -file
$ sudo su - zimbra
$ zmcontrol stop && zmcontrol start
1. From the Zimbra admin console, connect a domain to the IPA server for
external LDAP authentication.
On the left, under Configuration, expand Domains, and select (click) the Domain
you want to authenticate with IPA.
In the toolbar, click "Configure Authentication"
In the drop-down list-box, choose "External LDAP"
Type your IPA server's FQDN in "LDAP Server name:", do NOT check "Use SSL",
check "Enable StartTLS"
LDAP Filter is exactly this, WITH parentheses, and NO spaces.
My LDAP Search Base is exactly this, with NO parentheses, and NO spaces. You'll
need to change the domain components, of course.
Click "next" TWICE (ie: do NOT check "Use DN/Password to bind to external
Enter a username or full email and the matching password. (must be valid,
Click Test. Celebrate.
2. If you're not celebrating, use the same credentials with kinit at the shell
prompt on any Kerberos client machine to confirm validity.
3. If the credentials are valid, use ldapsearch from the shell on your Zimbra
server to test LDAP binding/searching.
$ sudo su - zimbra
$ ldapsearch --help
$ ldapsearch -D "uid=dlwillson,cn=users,cn=accounts,dc=rmsel,dc=org" -w
'**********' -b "cn=accounts,dc=rmsel,dc=org" -h humperdinck.rmsel.org -v -ZZ
4. I hope you're celebrating by now, because if not, you're in for a rough
HTH, cheers, YMMV, YATLTL
Freeipa-users mailing list
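Added example, not part of the post above: step 1 configures Zimbra for plain LDAP on port 389 with "Enable StartTLS", and step 0 imports the IPA CA so the upgraded connection can be verified. The script below checks that combination independently of Zimbra and of the ldapsearch binary: it sends the LDAP StartTLS extended operation (OID 1.3.6.1.4.1.1466.20037) itself, parses the extended response, then completes a TLS handshake that is verified against the CA file, failing if the server refuses StartTLS or presents a certificate that does not chain to that CA. The host name humperdinck.rmsel.org and the file name humperdinck_ca.crt are taken from the post; everything else (function names, the BER helpers, the sample responses) is constructed for this example and is not Zimbra's or FreeIPA's own code.

```python
"""Probe an LDAP server for working StartTLS, verified against a CA file (example code)."""
import socket
import ssl
import sys

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"  # RFC 4511 StartTLS extended operation


def _encode_len(n: int) -> bytes:
    """BER length: short form below 128, long form otherwise."""
    if n < 128:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, content: bytes) -> bytes:
    """One BER tag-length-value element."""
    return bytes([tag]) + _encode_len(len(content)) + content


def _read_tlv(data: bytes, pos: int):
    """Decode the element at pos; returns (tag, content, position after it)."""
    tag = data[pos]
    length = data[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length


def build_starttls_request(msg_id: int = 1) -> bytes:
    """LDAPMessage { messageID, ExtendedRequest [APPLICATION 23] { requestName [0] } }."""
    mid = msg_id.to_bytes((msg_id.bit_length() + 8) // 8, "big")  # DER positive INTEGER
    ext_req = _tlv(0x77, _tlv(0x80, STARTTLS_OID))  # 0x77 = APPLICATION 23, constructed
    return _tlv(0x30, _tlv(0x02, mid) + ext_req)


def parse_extended_response(data: bytes, expect_id: int = 1) -> dict:
    """Decode an ExtendedResponse [APPLICATION 24]; resultCode 0 means StartTLS accepted."""
    tag, body, _ = _read_tlv(data, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    tag, mid, pos = _read_tlv(body, 0)
    msg_id = int.from_bytes(mid, "big")
    if tag != 0x02 or msg_id != expect_id:
        raise ValueError(f"unexpected messageID {msg_id}")
    tag, op, _ = _read_tlv(body, pos)
    if tag != 0x78:  # 0x78 = APPLICATION 24, constructed
        raise ValueError(f"expected ExtendedResponse, got tag {tag:#x}")
    _, rc, pos = _read_tlv(op, 0)          # resultCode ENUMERATED
    _, matched_dn, pos = _read_tlv(op, pos)  # matchedDN
    _, diag, pos = _read_tlv(op, pos)       # diagnosticMessage
    return {
        "message_id": msg_id,
        "result_code": int.from_bytes(rc, "big"),
        "matched_dn": matched_dn.decode(errors="replace"),
        "diagnostic": diag.decode(errors="replace"),
    }


def probe_starttls(host: str, cafile: str, port: int = 389, timeout: float = 5.0) -> dict:
    """Upgrade a plain LDAP connection with StartTLS and verify the server cert against cafile."""
    ctx = ssl.create_default_context(cafile=cafile)  # CERT_REQUIRED + hostname check by default
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_starttls_request(1))
        resp = parse_extended_response(sock.recv(4096))
        if resp["result_code"] != 0:
            raise RuntimeError(f"server refused StartTLS: {resp}")
        with ctx.wrap_socket(sock, server_hostname=host) as tls:  # raises on chain/hostname mismatch
            cert = tls.getpeercert()
            return {
                "tls_version": tls.version(),
                "subject": dict(item[0] for item in cert["subject"]),
                "not_after": cert["notAfter"],
            }


if __name__ == "__main__":
    # Usage (values from the post are the defaults): probe.py humperdinck.rmsel.org humperdinck_ca.crt
    target = sys.argv[1] if len(sys.argv) > 1 else "humperdinck.rmsel.org"
    ca = sys.argv[2] if len(sys.argv) > 2 else "humperdinck_ca.crt"
    print(probe_starttls(target, ca))
```

A successful run prints the negotiated TLS version and the server certificate's subject; an `ssl.SSLCertVerificationError` means the CA you imported into the Zimbra keystore is not the one that signed the IPA directory server's certificate, which is the same failure Zimbra's "Test" button will hit after step 0.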