On Fri, 2011-05-27 at 17:26 -0600, David L. Willson wrote:
> Rob Crittenden: Thank you for your help!
> This is RESOLVED, and I want to make some notes here, because finding
> the magic combination of syntax has been... trying.
> Products affected:
> FreeIPA 2.0.1, Zimbra 7.1 OSE
> NOTES: 'humperdinck' is my IPA server and 'z7' is my Zimbra
> Collaboration Server. I'm NOT removing my real values, because I think
> docs work better when you just paste in what you really used.
> 0. From a shell prompt on the Zimbra server, import the CA
> certificate, and restart Zimbra services.
> $ wget http://humperdinck.rmsel.org/ipa/errors/ca.crt
> $ mv ca.crt humperdinck_ca.crt
> $ sudo /opt/zimbra/java/bin/keytool -import -alias humperdinck_ca
> -keystore /opt/zimbra/java/jre/lib/security/cacerts -storepass
> changeit -file humperdinck_ca.crt
> $ sudo su - zimbra
> $ zmcontrol stop && zmcontrol start
> 1. From the Zimbra admin console, connect a domain to the IPA server
> for external LDAP authentication.
> On the left, under Configuration, expand Domains, and select
> (click) the Domain you want to authenticate with IPA.
> In the toolbar, click "Configure Authentication"
> In the drop-down list-box, choose "External LDAP"
> Type your IPA server's FQDN in "LDAP Server name:", do NOT check
> "Use SSL", check "Enable StartTLS"
> LDAP Filter is exactly this, WITH parentheses, and NO spaces.
> My LDAP Search Base is exactly this, with NO parentheses, and NO
> spaces. You'll need to change the domain components, of course.
> Click "next" TWICE (ie: do NOT check "Use DN/Password to bind to
> external server")
> Enter a username or full email and the matching password. (must be
> valid, NON-EXPIRED credentials)
> Click Test. Celebrate.
> 2. If you're not celebrating, use the same credentials with kinit at
> the shell prompt on any Kerberos client machine to confirm validity.
> kinit dlwillson
> enter password
> 3. If the credentials are valid, use ldapsearch from the shell on your
> Zimbra server to test LDAP binding/searching.
> $ sudo su - zimbra
> $ ldapsearch --help
> $ ldapsearch -D
> "uid=dlwillson,cn=users,cn=accounts,dc=rmsel,dc=org" -w '**********'
> -b "cn=accounts,dc=rmsel,dc=org" -h humperdinck.rmsel.org -v -ZZ
> 4. I hope you're celebrating by now, because if not, you're in for a
> rough time, perhaps.
> HTH, cheers, YMMV, YATLTL
Thank you for the very nice write-up.
I am curious if you are going to enable GSSAPI authentication in Zimbra
too (Zimbra supports GSSAPI/Krb5 auth for IMAP and apparently should
support it for the web interface too at some point).
It would be awesome to get a similar writeup of how to configure it in
that case. I am sure many users would be delighted to be able to do SSO
against the mail server (ie no need to enter any password at all after
Simo Sorce * Red Hat, Inc * New York
Freeipa-users mailing list
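The steps in the quoted write-up, collected into one script as an added example. This is not code from either poster or from the FreeIPA or Zimbra projects. The host names and domain are the ones David used; the user name, the file paths, the CA_FINGERPRINT placeholder and the `(uid=...)` search filter passed to ldapsearch are assumptions. It differs from the quoted ldapsearch line in three deliberate ways: `-x` forces a simple bind, `-W` prompts for the password instead of putting it on the command line, and `-H ldap://host` replaces the older `-h host`. It also checks the downloaded CA certificate's SHA-256 fingerprint against a value obtained out of band before importing it, because the file is fetched over plain HTTP and whatever lands in that keystore is what Zimbra will trust for every StartTLS connection to the IPA server.

```shell
#!/bin/sh
# Added example (not from the original thread): the CA import plus the kinit
# and ldapsearch checks from the write-up, run in order, stopping at the first
# failure.  Host/domain are the post's; everything else below is an assumption.

IPA_HOST="${IPA_HOST:-humperdinck.rmsel.org}"
IPA_DOMAIN="${IPA_DOMAIN:-rmsel.org}"
IPA_USER="${IPA_USER:-dlwillson}"          # assumed test account
CA_URL="http://$IPA_HOST/ipa/errors/ca.crt"
CA_FILE="${CA_FILE:-humperdinck_ca.crt}"
# SHA-256 fingerprint of the IPA CA cert, obtained out of band (for example on
# the IPA server's console).  Placeholder: empty means the check is skipped.
CA_FINGERPRINT="${CA_FINGERPRINT:-}"
KEYTOOL="${KEYTOOL:-/opt/zimbra/java/bin/keytool}"
CACERTS="${CACERTS:-/opt/zimbra/java/jre/lib/security/cacerts}"

# rmsel.org -> dc=rmsel,dc=org : the "no parentheses, no spaces" search-base
# syntax the post insists on, derived from the DNS domain.
base_dn_from_domain() {
    printf '%s' "$1" | awk -F. '{
        for (i = 1; i <= NF; i++) {
            if (i > 1) printf ","
            printf "dc=%s", $i
        }
    }'
}

# FreeIPA keeps user entries under cn=users,cn=accounts,<base>; this is the
# bind DN the post hands to ldapsearch -D.
ipa_user_dn() {
    printf 'uid=%s,cn=users,cn=accounts,%s' "$1" "$2"
}

# Search base for ldapsearch -b (cn=accounts,<base>).
ipa_accounts_base() {
    printf 'cn=accounts,%s' "$1"
}

# Step 0a: fetch the CA cert, make sure it parses as a certificate, and compare
# its fingerprint with the out-of-band value before trusting it.
fetch_and_verify_ca() {
    wget -q -O "$CA_FILE" "$CA_URL" || return 1
    openssl x509 -in "$CA_FILE" -noout -subject || return 1
    if [ -n "$CA_FINGERPRINT" ]; then
        actual=$(openssl x509 -in "$CA_FILE" -noout -fingerprint -sha256 | cut -d= -f2)
        if [ "$actual" != "$CA_FINGERPRINT" ]; then
            echo "CA fingerprint mismatch: got $actual" >&2
            return 1
        fi
    fi
}

# Step 0b: import into the JRE trust store Zimbra's Java uses.  -storepass on
# the command line is visible in ps; 'changeit' is the stock JDK password.
# Restart Zimbra afterwards (zmcontrol stop && zmcontrol start, as zimbra).
import_ca() {
    sudo "$KEYTOOL" -import -noprompt -alias humperdinck_ca \
        -keystore "$CACERTS" -storepass changeit -file "$CA_FILE"
}

# Step 2: cheapest credential check first; a locked or expired account fails here.
check_kinit() {
    kinit "$IPA_USER"
}

# Step 3: simple bind (-x) and search over StartTLS; -ZZ makes TLS mandatory,
# so a trust-store problem shows up as a failure rather than a silent downgrade.
check_ldap() {
    base=$(base_dn_from_domain "$IPA_DOMAIN")
    ldapsearch -ZZ -x -W -H "ldap://$IPA_HOST" \
        -D "$(ipa_user_dn "$IPA_USER" "$base")" \
        -b "$(ipa_accounts_base "$base")" \
        "(uid=$IPA_USER)" dn
}

# Only run the network steps when explicitly asked: sh ipa-zimbra-check.sh run
case "${1:-}" in
    run)
        fetch_and_verify_ca && import_ca && check_kinit && check_ldap \
            && echo "all checks passed"
        ;;
esac
```

Run it as a user with sudo on the Zimbra server (`CA_FINGERPRINT=AB:CD:... sh ipa-zimbra-check.sh run`), then restart Zimbra and do the admin-console test; the kinit step needs a Kerberos client configured for the IPA realm, as in the write-up.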