On Fri, 2011-05-27 at 17:26 -0600, David L. Willson wrote:
> Rob Crittenden: Thank you for your help!
>
> This is RESOLVED, and I want to make some notes here, because finding
> the magic combination of syntax has been... trying.
>
> Products affected:
>
> FreeIPA 2.0.1, Zimbra 7.1 OSE
>
> NOTES: 'humperdinck' is my IPA server and 'z7' is my Zimbra
> Collaboration Server. I'm NOT removing my real values, because I think
> docs work better when you just paste in what you really used.
>
> 0. From a shell prompt on the Zimbra server, import the CA
> certificate, and restart Zimbra services.
>
> $ wget http://humperdinck.rmsel.org/ipa/errors/ca.crt
> $ mv ca.crt humperdinck_ca.crt
> $ sudo /opt/zimbra/java/bin/keytool -import -alias humperdinck_ca -keystore /opt/zimbra/java/jre/lib/security/cacerts -storepass changeit -file humperdinck_ca.crt
> $ sudo su - zimbra
> $ zmcontrol stop && zmcontrol start
>
> 1. From the Zimbra admin console, connect a domain to the IPA server
> for external LDAP authentication.
>
> On the left, under Configuration, expand Domains, and select
> (click) the Domain you want to authenticate with IPA.
> In the toolbar, click "Configure Authentication"
> In the drop-down list-box, choose "External LDAP"
> Type your IPA server's FQDN in "LDAP Server name:", do NOT check
> "Use SSL", check "Enable StartTLS"
> LDAP Filter is exactly this, WITH parentheses, and NO spaces.
> (uid=%u)
> My LDAP Search Base is exactly this, with NO parentheses, and NO
> spaces. You'll need to change the domain components, of course.
> cn=accounts,dc=rmsel,dc=org
> Click "next" TWICE (ie: do NOT check "Use DN/Password to bind to
> external server")
> Enter a username or full email and the matching password. (must be
> valid, NON-EXPIRED credentials)
> dlwillson
> **********
> Click Test. Celebrate.
>
> 2. If you're not celebrating, use the same credentials with kinit at
> the shell prompt on any Kerberos client machine to confirm validity.
> kinit dlwillson
> enter password
>
> 3. If the credentials are valid, use ldapsearch from the shell on your
> Zimbra server to test LDAP binding/searching.
> $ sudo su - zimbra
> $ ldapsearch --help
> $ ldapsearch -D "uid=dlwillson,cn=users,cn=accounts,dc=rmsel,dc=org" -w '**********' -b "cn=accounts,dc=rmsel,dc=org" -h humperdinck.rmsel.org -v -ZZ "uid=dlwillson"
>
> 4. I hope you're celebrating by now, because if not, you're in for a
> rough time, perhaps.
>
> HTH, cheers, YMMV, YATLTL
Thank you for the very nice write-up.

I am curious if you are going to enable GSSAPI authentication in Zimbra too (Zimbra supports GSSAPI/Krb5 auth for IMAP and apparently should support it for the web interface too at some point). It would be awesome to get a similar writeup of how to configure it in that case. I am sure many users would be delighted to be able to do SSO against the mail server (ie no need to enter any password at all after login).

Simo.

--
Simo Sorce * Red Hat, Inc * New York
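An added check, not part of the thread, for the StartTLS half of step 3: it sends the LDAP StartTLS extended request (RFC 4511) and then verifies the server certificate against the IPA CA file fetched in step 0, so a downgrade to cleartext or a cert that does not chain to that CA fails instead of passing silently. It uses only the Python standard library; the hostnames and file names are those from the post and are assumptions for your environment.

```python
# Speak just enough LDAP (RFC 4511) to send StartTLS, then verify the cert. Stdlib only.
import socket
import ssl

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"  # RFC 4511 StartTLS requestName


def ber_len(n):
    """Minimal BER length encoding (short form, or 2-byte long form for n < 65536)."""
    return bytes([n]) if n < 0x80 else b"\x82" + n.to_bytes(2, "big")


def starttls_request(msg_id=1):
    """LDAPMessage { messageID, extendedReq [APPLICATION 23] { requestName [0] } }."""
    name = b"\x80" + ber_len(len(STARTTLS_OID)) + STARTTLS_OID  # context tag [0]
    ext = b"\x77" + ber_len(len(name)) + name                  # APPLICATION 23
    body = b"\x02\x01" + bytes([msg_id]) + ext                 # INTEGER messageID
    return b"\x30" + ber_len(len(body)) + body                 # SEQUENCE


def skip_len(buf, i):
    """Return the index just past the BER length field that starts at buf[i]."""
    return i + 1 if buf[i] < 0x80 else i + 1 + (buf[i] & 0x7F)


def parse_result_code(resp):
    """Pull resultCode out of an extendedResponse [APPLICATION 24]; 0 = success."""
    if resp[0] != 0x30:
        raise ValueError("not an LDAPMessage")
    i = skip_len(resp, 1)
    i += 2 + resp[i + 1]                 # skip messageID INTEGER
    if resp[i] != 0x78:
        raise ValueError("not an extendedResponse")
    i = skip_len(resp, i + 1)
    if resp[i] != 0x0A:
        raise ValueError("missing resultCode ENUMERATED")
    return int.from_bytes(resp[i + 2:i + 2 + resp[i + 1]], "big")


def check_starttls(host, ca_file, port=389, timeout=5):
    """Upgrade a plain LDAP connection with StartTLS and verify the cert against ca_file."""
    # cafile= makes this CA the only trust anchor; hostname checking stays on.
    ctx = ssl.create_default_context(cafile=ca_file)
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(starttls_request())
        code = parse_result_code(sock.recv(4096))
        if code != 0:
            raise RuntimeError("server refused StartTLS, resultCode %d" % code)
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["subject"]  # raises if chain or hostname is wrong
```

Run `check_starttls("humperdinck.rmsel.org", "humperdinck_ca.crt")` from the Zimbra host: it returns the server certificate's subject on success and raises otherwise, which is the same hard-fail behaviour the `-ZZ` flag gives ldapsearch.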
