Rob Crittenden: Thank you for your help! 

This is RESOLVED, and I want to make some notes here, because finding the magic 
combination of syntax has been... trying. 

Products affected: 

FreeIPA 2.0.1, Zimbra 7.1 OSE 

NOTES: 'humperdinck' is my IPA server and 'z7' is my Zimbra Collaboration 
Server. I'm NOT removing my real values, because I think docs work better when 
you just paste in what you really used. 

0. From a shell prompt on the Zimbra server, import the CA certificate, and 
restart Zimbra services. 

$ wget http://humperdinck.rmsel.org/ipa/errors/ca.crt 
$ mv ca.crt humperdinck_ca.crt 
$ sudo /opt/zimbra/java/bin/keytool -import -alias humperdinck_ca \
    -keystore /opt/zimbra/java/jre/lib/security/cacerts \
    -storepass changeit -file humperdinck_ca.crt 
$ sudo su - zimbra 
$ zmcontrol stop && zmcontrol start 

1. From the Zimbra admin console, connect a domain to the IPA server for 
external LDAP authentication. 

On the left, under Configuration, expand Domains, and select (click) the Domain 
you want to authenticate with IPA. 
In the toolbar, click "Configure Authentication" 
In the drop-down list-box, choose "External LDAP" 
Type your IPA server's FQDN in "LDAP Server name:", do NOT check "Use SSL", 
check "Enable StartTLS" 
LDAP Filter is exactly this, WITH parentheses, and NO spaces. 
(uid=%u) 
My LDAP Search Base is exactly this, with NO parentheses, and NO spaces. You'll 
need to change the domain components, of course. 
cn=accounts,dc=rmsel,dc=org 
Click "next" TWICE (i.e. do NOT check "Use DN/Password to bind to external 
server") 
Enter a username or full email and the matching password. (must be valid, 
NON-EXPIRED credentials) 
dlwillson 
********** 
Click Test. Celebrate. 

2. If you're not celebrating, use the same credentials with kinit at the shell 
prompt on any Kerberos client machine to confirm validity. 
kinit dlwillson 
enter password 

3. If the credentials are valid, use ldapsearch from the shell on your Zimbra 
server to test LDAP binding/searching. 
$ sudo su - zimbra 
$ ldapsearch --help 
$ ldapsearch -D "uid=dlwillson,cn=users,cn=accounts,dc=rmsel,dc=org" \
    -w '**********' -b "cn=accounts,dc=rmsel,dc=org" \
    -h humperdinck.rmsel.org -v -ZZ "uid=dlwillson" 

4. I hope you're celebrating by now, because if not, you're in for a rough 
time, perhaps. 
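The following is an added pre-flight script, not part of the original post or of FreeIPA/Zimbra. It ties steps 0, 1 and 3 together: it enforces the filter and search-base syntax rules from step 1, checks with keytool that the CA alias from step 0 is really in the Zimbra cacerts keystore, and builds the step 3 ldapsearch command so that the filter is filled in the way the "(uid=%u)" template implies. Assumed (not stated in the post): that Zimbra substitutes the login name for %u, that OpenLDAP's ldapsearch and the Zimbra-bundled keytool are present on the Zimbra host, and that an explicit simple bind (-x) and a password prompt (-W) are acceptable instead of the post's defaults and inline -w. Host names, DNs, aliases and user names are constructed to match the post and must be replaced with your own.

```python
#!/usr/bin/env python3
"""Pre-flight check for Zimbra "External LDAP" authentication against FreeIPA.

Added example (not from the original post). Assumes OpenLDAP ldapsearch and the
Zimbra-bundled keytool are on the host; all host names, DNs and user names are
constructed placeholders modelled on the post.
"""
import re
import subprocess

IPA_SERVER = "humperdinck.rmsel.org"                    # step 1: LDAP Server name
SEARCH_BASE = "cn=accounts,dc=rmsel,dc=org"             # step 1: LDAP Search Base
LDAP_FILTER = "(uid=%u)"                                # step 1: LDAP Filter
KEYTOOL = "/opt/zimbra/java/bin/keytool"                # step 0
KEYSTORE = "/opt/zimbra/java/jre/lib/security/cacerts"  # step 0
CA_ALIAS = "humperdinck_ca"                             # step 0

# RFC 4515: characters that would change the structure of a search filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
# RFC 4514: characters that need a backslash inside a DN attribute value.
_DN_SPECIAL = set(',+"\\<>;=')


def escape_filter_value(value: str) -> str:
    """Escape a value before splicing it into an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def escape_dn_value(value: str) -> str:
    """Escape a value before using it as an RDN value, e.g. uid=<value>."""
    out = "".join("\\" + ch if ch in _DN_SPECIAL else ch for ch in value)
    if out.startswith(("#", " ")):   # leading '#' or space must be escaped
        out = "\\" + out
    if out.endswith(" "):            # so must a trailing space
        out = out[:-1] + "\\ "
    return out


def render_filter(template: str, username: str) -> str:
    """Fill %u after enforcing the post's rules: parenthesised, no spaces."""
    if not (template.startswith("(") and template.endswith(")")):
        raise ValueError("LDAP filter must be wrapped in parentheses, e.g. (uid=%u)")
    if " " in template:
        raise ValueError("LDAP filter must not contain spaces")
    if "%u" not in template:
        raise ValueError("LDAP filter needs the %u placeholder")
    return template.replace("%u", escape_filter_value(username))


_RDN = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=[^,=]+$")


def validate_base_dn(base: str) -> str:
    """Reject parentheses and spaces (the post's warning) and anything that is
    not a comma-separated list of attr=value RDNs."""
    if any(ch in base for ch in "() "):
        raise ValueError("search base must contain no parentheses and no spaces")
    for rdn in base.split(","):
        if not _RDN.match(rdn):
            raise ValueError(f"malformed RDN in search base: {rdn!r}")
    return base


def ldapsearch_argv(username: str, bind: bool = False, server: str = IPA_SERVER,
                    base: str = SEARCH_BASE, template: str = LDAP_FILTER) -> list:
    """Build the step 3 test command. -ZZ makes ldapsearch fail if StartTLS
    cannot be negotiated or the server certificate is untrusted, so a missing
    CA import (step 0) surfaces here. -W prompts for the bind password instead
    of placing it on the command line (assumption: acceptable in your setup)."""
    argv = ["ldapsearch", "-x", "-ZZ", "-H", f"ldap://{server}",
            "-b", validate_base_dn(base)]
    if bind:
        argv += ["-D", f"uid={escape_dn_value(username)},cn=users,{base}", "-W"]
    argv += [render_filter(template, username), "uid", "krbPrincipalName"]
    return argv


def keystore_has_alias(alias: str = CA_ALIAS, keystore: str = KEYSTORE,
                       storepass: str = "changeit") -> bool:
    """True once step 0's import is in place; keytool exits non-zero otherwise."""
    proc = subprocess.run([KEYTOOL, "-list", "-keystore", keystore,
                           "-storepass", storepass, "-alias", alias],
                          capture_output=True, text=True)
    return proc.returncode == 0


if __name__ == "__main__":
    import sys
    user = sys.argv[1] if len(sys.argv) > 1 else "dlwillson"
    if not keystore_has_alias():
        sys.exit(f"CA alias {CA_ALIAS!r} not found in {KEYSTORE}; redo step 0 first")
    sys.exit(subprocess.run(ldapsearch_argv(user, bind=True)).returncode)
```

Run it as the zimbra user with the IPA user name as the only argument; it refuses to proceed if the CA alias is missing, then prompts for the password and runs the StartTLS search. The filter value is escaped per RFC 4515 so that a test run with an odd user name cannot turn into a different search than the one you typed.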

HTH, cheers, YMMV, YATLTL 

-- 
David 
_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users