Zimbra and Open Directory with SSL

Posted: October 17th, 2009 | Filed under: Collaboration, Zimbra

I have Zimbra Collaboration Suite installed on my personal network at home and wanted to integrate it with Open Directory for authentication. The problem is that Zimbra does not make this easy, especially when dealing with SSL certificates. Here's what I did, step by step (oooh baby).

Install Zimbra

1. Download and install the Zimbra package.

1.1 Next, verify your DNS is set up correctly. The server you're installing Zimbra onto must have a DNS record for its hostname, and that host must also be the domain's MX.

1.2 Then, via SSH, run /opt/zimbra/libexec/zmsetup.pl as root.

1.3 Zimbra will assume that the machine's hostname is also its TLD (the mail domain), which 99% of the time is not the case. You can enter your TLD when it asks.

2. Enter the admin password (menu items 3, 4), enter the license (19), and return to the main menu (r).
   If your Zimbra server is installed on the Open Directory Master or Replica, change the LDAP port to 390 (1, 3), since Open Directory already listens on 389.
   Apply changes (a).

3. Import the Open Directory's LDAP SSL certificate into Zimbra as a trusted certificate.

  • Copy the appropriate OD SSL cert into the /tmp folder on the Zimbra server. The default cert is located at /etc/certificates/Default.crt
  • If using a self-signed X.509 cert, the file would be /etc/certs/ca.crt
  • Once copied, run this command (changeit is the default password of the Java cacerts keystore):
    sudo keytool -import -keystore /System/Library/Frameworks/JavaVM.framework/Versions/1.5/Home/lib/security/cacerts -storepass changeit -alias LDAPAUTH -file /tmp/Default.crt
  • Erase the cert in /tmp
  • Restart Zimbra: sudo -u zimbra /opt/zimbra/bin/zmcontrol stop, then sudo -u zimbra /opt/zimbra/bin/zmcontrol start

4. Navigate to https://servername:7071 in your web browser to enter the Zimbra admin console.

5. Configure Zimbra to use the external LDAP as its domain authentication method.

  • Expand the Domains arrow
  • Select your domain and click Configure Authentication
  • Select External LDAP
  • Enter the Open Directory server's IP and select SSL
  • For the filter, enter (&(objectClass=inetOrgPerson)(objectClass=posixAccount)(uid=%u))
  • Enter the LDAP search base
  • We are not using a bind DN/password; skip this step
  • Test the configuration with the testuser/password credentials
6. Configure Zimbra to use the external LDAP GAL.

  • Select Configure GAL
  • Select External
  • Server type: LDAP; enter your Open Directory Master IP and select SSL
  • For the filter, enter (&(|(cn=*%s*)(sn=*%s*)))
  • For autocomplete, enter (|(uid=%s*)(givenname=%s*)(mail=%s*))
  • Enter the LDAP search base. Note that the auto-populated entry will be for the local LDAP, not Open Directory
  • We are not using a bind DN/password; skip this step
  • Leave the GAL sync settings at their defaults (click Next)
  • Test the configuration by searching for a partial match on the username, i.e. if the username is "testuser", search for "test", or for the first or last name of the test user (this data was entered into the Info box in Workgroup Manager)
  • If the test results are successful, click Finish
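To see what steps 5 and 6 actually send to Open Directory, here is an added Python example (my own, not Zimbra code) that expands the post's three filter templates the way Zimbra fills in %u (the login name) and %s (the GAL search string). The value is escaped per RFC 4515 first, which is what any code building LDAP filters from user-supplied text must do so that a name containing filter metacharacters cannot change the filter's shape; the balance check at the end is a quick way to see why. The sample values are constructed.

```python
# Filter templates exactly as entered in the Zimbra admin console above.
# Zimbra substitutes %u with the login name and %s with the GAL search string.
AUTH_FILTER = "(&(objectClass=inetOrgPerson)(objectClass=posixAccount)(uid=%u))"
GAL_FILTER = "(&(|(cn=*%s*)(sn=*%s*)))"
GAL_AUTOCOMPLETE = "(|(uid=%s*)(givenname=%s*)(mail=%s*))"

# RFC 4515 escaping for a value placed inside an LDAP search filter.
# The template's own '*' wildcards are untouched; only the value is escaped.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape filter metacharacters in a user-supplied value (RFC 4515)."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def render_filter(template: str, value: str) -> str:
    """Expand every %u/%s placeholder in the template with the escaped value."""
    escaped = escape_filter_value(value)
    return template.replace("%u", escaped).replace("%s", escaped)


def check_balanced(filt: str) -> bool:
    """Sanity check: parentheses in a rendered filter must stay balanced."""
    depth = 0
    for ch in filt:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
        if depth < 0:
            return False
    return depth == 0


if __name__ == "__main__":
    # Constructed sample values: the post's testuser and a partial GAL search.
    print(render_filter(AUTH_FILTER, "testuser"))
    print(render_filter(GAL_FILTER, "test"))
    print(render_filter(GAL_AUTOCOMPLETE, "te"))
    # A value containing a ')' stays harmless once escaped.
    print(render_filter(AUTH_FILTER, "x)"), check_balanced(render_filter(AUTH_FILTER, "x)")))
```

The escaped expansion of "x)" still has balanced parentheses, whereas a raw string replacement of %u with the same value would not, which is the whole reason the escaping step exists.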
Provisioning Users

For manual batch provisioning of Open Directory users into Zimbra:

  • Enter all the accounts into a text file called userlist.txt with the following structure (ca is zmprov's createAccount command). Make sure you use the user's Open Directory shortname as the local part of their email address:
      ca user1@host.tld ""
      ca user2@host.tld ""
      ca user3@host.tld ""
  • Then feed that text file into the zmprov command as follows:
      sudo /opt/zimbra/bin/zmprov < userlist.txt

For manually provisioning a single Open Directory user into Zimbra:

  • SSH into the Zimbra server and run:
      sudo /opt/zimbra/bin/zmprov ca user@domain.tld ""
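For the batch step, an added Python helper (mine, not part of the post or of Zimbra) that turns a list of Open Directory shortnames into the userlist.txt lines shown above. It skips blank and commented lines, drops case-insensitive duplicates, and refuses any shortname that would need quoting on the zmprov line rather than guessing at quoting rules. It keeps the empty-password form the post uses, since the domain authenticates against Open Directory. The domain and the sample list are constructed; on a real Open Directory master the list can come from dscl (for example dscl /LDAPv3/127.0.0.1 -list /Users, where the node path depends on your setup).

```python
import re

# Shortnames that can go on a zmprov line unquoted: letters, digits, dot,
# underscore, hyphen. Anything else is rejected rather than quoted.
SHORTNAME_RE = re.compile(r"^[A-Za-z0-9._-]+$")


def is_safe_shortname(name: str) -> bool:
    """True if the shortname can be used as-is in 'ca name@domain ""'."""
    return bool(SHORTNAME_RE.match(name))


def zmprov_lines(shortnames, domain: str):
    """Return one 'ca <shortname>@<domain> ""' line per distinct user."""
    lines = []
    seen = set()
    for raw in shortnames:
        name = raw.strip()
        if not name or name.startswith("#"):
            continue  # blank line or comment in the input list
        if not is_safe_shortname(name):
            raise ValueError(f"shortname not safe for zmprov: {name!r}")
        key = name.lower()
        if key in seen:
            continue  # Open Directory shortnames are unique ignoring case
        seen.add(key)
        # Empty password: authentication is delegated to Open Directory.
        lines.append(f'ca {name}@{domain} ""')
    return lines


def write_userlist(shortnames, domain: str, path: str = "userlist.txt") -> int:
    """Write the zmprov batch file and return the number of accounts written."""
    lines = zmprov_lines(shortnames, domain)
    with open(path, "w") as fh:
        fh.write("\n".join(lines) + "\n")
    return len(lines)


if __name__ == "__main__":
    # Constructed sample: what 'dscl ... -list /Users' might print, plus noise.
    sample = ["user1", "user2", " USER1 ", "", "# service accounts below", "user3"]
    for line in zmprov_lines(sample, "host.tld"):  # host.tld is a placeholder domain
        print(line)
```

Run it once to review the output, then redirect it into userlist.txt and feed that to sudo /opt/zimbra/bin/zmprov < userlist.txt as in the post. Rejecting odd shortnames up front is cheaper than discovering a half-applied batch after zmprov stops on a malformed line.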
