lemonldap-ng/doc/pages/documentation/current/applications/zimbra.html
2019-12-21 16:54:57 +01:00

<!DOCTYPE html>
<html lang="en" dir="ltr">
<head>
<meta charset="utf-8" />
<title>documentation:2.0:applications:zimbra</title>
<meta name="generator" content="DokuWiki"/>
<meta name="robots" content="index,follow"/>
<meta name="keywords" content="documentation,2.0,applications,zimbra"/>
<link rel="search" type="application/opensearchdescription+xml" href="../lib/exe/opensearch.html" title="LemonLDAP::NG"/>
<link rel="start" href="zimbra.html"/>
<link rel="contents" href="zimbra.html" title="Sitemap"/>
<link rel="stylesheet" type="text/css" href="../lib/exe/css.php.t.bootstrap3.css"/>
<!-- //if:usedebianlibs
<link rel="stylesheet" type="text/css" href="/javascript/bootstrap/css/bootstrap.min.css" />
//elsif:useexternallibs
<link rel="stylesheet" type="text/css" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.6/css/bootstrap.min.css"></script>
//elsif:cssminified
<link rel="stylesheet" type="text/css" href="/static/bwr/bootstrap/dist/css/bootstrap.min.css" />
//else -->
<link rel="stylesheet" type="text/css" href="/static/bwr/bootstrap/dist/css/bootstrap.css" />
<!-- //endif -->
<script type="text/javascript">/*<![CDATA[*/var NS='documentation:2.0:applications';var JSINFO = {"id":"documentation:2.0:applications:zimbra","namespace":"documentation:2.0:applications"};
/*!]]>*/</script>
<script type="text/javascript" charset="utf-8" src="../lib/exe/js.php.t.bootstrap3.js"></script>
<!-- //if:usedebianlibs
<script type="text/javascript" src="/javascript/jquery/jquery.min.js"></script>
//elsif:useexternallibs
<script type="text/javascript" src="http://code.jquery.com/jquery-2.2.0.min.js"></script>
//elsif:jsminified
<script type="text/javascript" src="/static/bwr/jquery/dist/jquery.min.js"></script>
//else -->
<script type="text/javascript" src="/static/bwr/jquery/dist/jquery.js"></script>
<!-- //endif -->
<!-- //if:usedebianlibs
<script type="text/javascript" src="/javascript/jquery-ui/jquery-ui.min.js"></script>
//elsif:useexternallibs
<script type="text/javascript" src="http://code.jquery.com/ui/1.10.4/jquery-ui.min.js"></script>
//elsif:jsminified
<script type="text/javascript" src="/static/bwr/jquery-ui/jquery-ui.min.js"></script>
//else -->
<script type="text/javascript" src="/static/bwr/jquery-ui/jquery-ui.js"></script>
<!-- //endif -->
</head>
<body>
<div class="dokuwiki export container">
<!-- TOC START -->
<div id="dw__toc">
<h3 class="toggle">Table of Contents</h3>
<div>
<ul class="toc">
<li class="level1"><div class="li"><a href="#presentation">Presentation</a></div></li>
<li class="level1"><div class="li"><a href="#configuration">Configuration</a></div>
<ul class="toc">
<li class="level2"><div class="li"><a href="#zimbra_preauth_key">Zimbra preauth key</a></div></li>
<li class="level2"><div class="li"><a href="#zimbra_application_in_menu">Zimbra application in menu</a></div></li>
<li class="level2"><div class="li"><a href="#zimbra_virtual_host">Zimbra virtual host</a></div></li>
<li class="level2"><div class="li"><a href="#zimbra_handler_parameters">Zimbra Handler parameters</a></div></li>
<li class="level2"><div class="li"><a href="#multi-domain_issues">Multi-domain issues</a></div></li>
</ul></li>
</ul>
</div>
</div>
<!-- TOC END -->
<h1 class="sectionedit1" id="zimbra">Zimbra</h1>
<div class="level1">
<p>
<a href="zimbra_logo.png_documentation_2.0_applications_zimbra.html" class="media" title="applications:zimbra_logo.png"><img src="zimbra_logo.png" class="mediacenter" alt="" /></a>
</p>
</div>
<!-- EDIT1 SECTION "Zimbra" [1-60] -->
<h2 class="sectionedit2" id="presentation">Presentation</h2>
<div class="level2">
<p>
<a href="http://www.zimbra.com/" class="urlextern" title="http://www.zimbra.com/" rel="nofollow">Zimbra</a> is open source server software for email and collaboration - email, group calendar, contacts, instant messaging, file storage and web document management. The Zimbra email and calendar server is available for Linux, Mac <abbr title="Operating System">OS</abbr> X and virtualization platforms. Zimbra syncs to smartphones (iPhone, BlackBerry) and desktop clients like Outlook and Thunderbird. Zimbra also features archiving and discovery for compliance. Zimbra can be deployed on-premises or as a hosted email solution.
</p>
<p>
Zimbra uses a specific <a href="http://wiki.zimbra.com/index.php?title=Preauth" class="urlextern" title="http://wiki.zimbra.com/index.php?title=Preauth" rel="nofollow">preauthentication protocol</a> to provide <abbr title="Single Sign On">SSO</abbr> to its web application: a trusted party that shares a per-domain secret key with Zimbra signs the user's account name and a timestamp with an HMAC, and Zimbra opens a session for that account if the HMAC verifies. This protocol is implemented in a dedicated <abbr title="LemonLDAP::NG">LL::NG</abbr> Handler.
</p>
<div class="notetip">Zimbra can also be connected to <abbr title="LemonLDAP::NG">LL::NG</abbr> via <a href="../idpsaml.html" class="wikilink1" title="documentation:2.0:idpsaml">SAML protocol</a> (see <a href="http://blog.zimbra.com/blog/archives/2010/06/using-saml-assertions-to-access-zimbra.html" class="urlextern" title="http://blog.zimbra.com/blog/archives/2010/06/using-saml-assertions-to-access-zimbra.html" rel="nofollow">Zimbra blog</a>).
</div>
</div>
<!-- EDIT2 SECTION "Presentation" [61-999] -->
<h2 class="sectionedit3" id="configuration">Configuration</h2>
<div class="level2">
<p>
The integration with <abbr title="LemonLDAP::NG">LL::NG</abbr> works as follows:
</p>
<ul>
<li class="level1"><div class="li"> A special <abbr title="Uniform Resource Locator">URL</abbr> is declared in the application menu (for example <a href="http://zimbra.example.com/zimbrasso" class="urlextern" title="http://zimbra.example.com/zimbrasso" rel="nofollow">http://zimbra.example.com/zimbrasso</a>)</div>
</li>
<li class="level1"><div class="li"> When the user follows it, the Zimbra Handler protecting that virtual host is called</div>
</li>
<li class="level1"><div class="li"> The Handler builds the preauth request (account name taken from the user's session, current timestamp, HMAC computed with the domain preauth key) and redirects the user to the Zimbra preauth <abbr title="Uniform Resource Locator">URL</abbr></div>
</li>
<li class="level1"><div class="li"> Zimbra verifies the HMAC and the timestamp, then completes the <abbr title="Single Sign On">SSO</abbr> by setting its own authentication cookie in the user&#039;s browser</div>
</li>
</ul>
</div>
<!-- EDIT3 SECTION "Configuration" [1000-1340] -->
<h3 class="sectionedit4" id="zimbra_preauth_key">Zimbra preauth key</h3>
<div class="level3">
<p>
You need to get the preauth key of your Zimbra domain from the Zimbra server (it is generated with <code>zmprov generateDomainPreAuthKey</code>, see the multi-domain section below). Treat it as a secret: whoever holds it can open a Zimbra session as any account of that domain.
</p>
<p>
See <a href="http://wiki.zimbra.com/index.php?title=Preauth#Preparing_a_domain_for_preauth" class="urlextern" title="http://wiki.zimbra.com/index.php?title=Preauth#Preparing_a_domain_for_preauth" rel="nofollow">how to do this</a> on Zimbra wiki.
</p>
</div>
<!-- EDIT4 SECTION "Zimbra preauth key" [1341-1539] -->
<h3 class="sectionedit5" id="zimbra_application_in_menu">Zimbra application in menu</h3>
<div class="level3">
<p>
Choose for example <a href="http://zimbra.example.com/zimbrasso" class="urlextern" title="http://zimbra.example.com/zimbrasso" rel="nofollow">http://zimbra.example.com/zimbrasso</a> as <abbr title="Single Sign On">SSO</abbr> <abbr title="Uniform Resource Locator">URL</abbr> and <a href="../portalmenu.html#categories_and_applications" class="wikilink1" title="documentation:2.0:portalmenu">set it in application menu</a>.
</p>
</div>
<!-- EDIT5 SECTION "Zimbra application in menu" [1540-1721] -->
<h3 class="sectionedit6" id="zimbra_virtual_host">Zimbra virtual host</h3>
<div class="level3">
<p>
Set &quot;Type: ZimbraPreAuth&quot; in the virtual host options, then reload the configuration on the Handler serving this virtual host.
</p>
</div>
<!-- EDIT6 SECTION "Zimbra virtual host" [1722-1861] -->
<h3 class="sectionedit7" id="zimbra_handler_parameters">Zimbra Handler parameters</h3>
<div class="level3">
<p>
Zimbra parameters are the following:
</p>
<ul>
<li class="level1"><div class="li"> <strong>Preauthentication key</strong>: the key printed by the <code>zmprov generateDomainPreAuthKey</code> command</div>
</li>
<li class="level1"><div class="li"> <strong>Account session key</strong>: session field used as Zimbra user account (by default: uid)</div>
</li>
<li class="level1"><div class="li"> <strong>Account type</strong>: how Zimbra should interpret the account value: name, id or foreignKey (by default: id). The value is sent to Zimbra in the <code>by</code> parameter of the preauth request (Zimbra documents the accepted values as name, id and foreignPrincipal). It must match what the session field actually holds: use name when the field holds the account name or e-mail address, id only when it holds the Zimbra account identifier</div>
</li>
<li class="level1"><div class="li"> <strong>Preauthentication <abbr title="Uniform Resource Locator">URL</abbr></strong>: Zimbra preauthentication <abbr title="Uniform Resource Locator">URL</abbr>, either a full <abbr title="Uniform Resource Locator">URL</abbr> (ex: <a href="http://zimbra.lan/service/preauth" class="urlextern" title="http://zimbra.lan/service/preauth" rel="nofollow">http://zimbra.lan/service/preauth</a>) or only a path (ex: /service/preauth) (by default: /service/preauth)</div>
</li>
<li class="level1"><div class="li"> <strong>Local <abbr title="Single Sign On">SSO</abbr> <abbr title="Uniform Resource Locator">URL</abbr> pattern</strong>: regular expression matched against the request path to recognize the <abbr title="Single Sign On">SSO</abbr> <abbr title="Uniform Resource Locator">URL</abbr> (by default: ^/zimbrasso$)</div>
</li>
</ul>
<div class="noteimportant">Due to the Handler <abbr title="Application Programming Interface">API</abbr> change in 1.9, you need to set these attributes in <code>lemonldap-ng.ini</code> and not in the Manager, for example:
<pre class="code file ini"><span class="re0"><span class="br0">&#91;</span>handler<span class="br0">&#93;</span></span>
<span class="re1">zimbraPreAuthKey</span> <span class="sy0">=</span><span class="re2"> XXXX</span>
<span class="re1">zimbraAccountKey</span> <span class="sy0">=</span><span class="re2"> uid</span>
<span class="re1">zimbraBy</span> <span class="sy0">=</span><span class="re2"> id</span>
<span class="re1">zimbraUrl</span> <span class="sy0">=</span><span class="re2"> /service/preauth</span>
<span class="re1">zimbraSsoUrl</span> <span class="sy0">=</span><span class="re2"> ^/zimbrasso$</span></pre>
Since the preauth key is now stored in clear text in this file, make sure <code>lemonldap-ng.ini</code> is readable only by the accounts that run the Handler.
</div>
</div>
<!-- EDIT7 SECTION "Zimbra Handler parameters" [1862-2771] -->
<h3 class="sectionedit8" id="multi-domain_issues">Multi-domain issues</h3>
<div class="level3">
<p>
Some organizations have multiple zimbra domains:
</p>
<ol>
<li class="level1"><div class="li"> foo@domain1.com</div>
</li>
<li class="level1"><div class="li"> bar@domain2.com</div>
</li>
</ol>
<p>
However, the zimbra preauth key is:
</p>
<ul>
<li class="level1"><div class="li"> generated for one zimbra domain only</div>
</li>
<li class="level1"><div class="li"> declared globally for every LemonLDAP::NG virtual hosts.</div>
</li>
</ul>
<p>
Thus, if the domain1 key has been configured in LemonLDAP::NG, user bar@domain2.com won&#039;t be able to connect to Zimbra: the Handler signs the request with the domain1 key, but Zimbra verifies it with the domain2 key, so the HMAC never matches. If you accept sharing a single preauth key across all your Zimbra domains (meaning that a leak of this key exposes every domain at once), you can align the keys with the following procedure.
</p>
<p>
We are going to use the first key (the domain1 one) for every domain.
On the Zimbra machine, generate the keys:
</p>
<pre class="code"> zmprov generateDomainPreAuthKey domain1.com
preAuthKey: 4e2816f16c44fab20ecdee39fb850c3b0bb54d03f1d8e073aaea376a4f407f0c
zmprov generateDomainPreAuthKey domain2.com
preAuthKey: 6b7ead4bd425836e8cf0079cd6c1a05acc127acd07c8ee4b61023e19250e929c</pre>
<p>
Then, connect to your Zimbra LDAP server with your favourite tool (Apache Directory Studio can do the job).
Take care to connect with the super admin account and its password.
</p>
<ul>
<li class="level1"><div class="li"> Expand the branch &quot;dc=com&quot;, then click the &quot;dc=domain1&quot; branch</div>
</li>
<li class="level1"><div class="li"> Copy the value of zimbraPreAuthKey</div>
</li>
<li class="level1"><div class="li"> Expand the branch &quot;dc=com&quot;, then click the &quot;dc=domain2&quot; branch</div>
</li>
<li class="level1"><div class="li"> Replace the value of zimbraPreAuthKey with the one you copied from domain1</div>
</li>
<li class="level1"><div class="li"> Wait for all Zimbra servers to pick up the change, or restart the zcs services</div>
</li>
</ul>
<p>
That&#039;s it: all Zimbra domains will accept the requests signed by LemonLDAP::NG, because they now verify the HMAC with the same key. Check that the key shown by <code>zmprov getDomain domain2.com zimbraPreAuthKey</code> is the domain1 one before testing the <abbr title="Single Sign On">SSO</abbr> <abbr title="Uniform Resource Locator">URL</abbr>.
</p>
</div>
<!-- EDIT8 SECTION "Multi-domain issues" [2772-] --></div>
</body>
</html>