So here we are again with another
Zimbra Migration Challenge, this time the customer’s
requirement was to enable External Authentication for a Domain, the catch: it had to be done in group of users. This way the IT Department could minimize the support calls when the user’s were facing with de
Enter Password dialog.
The External Authentication Directory is a Samba 4 (Active Directory) LDAP, that has been working for almost a year now, so it was time to consolidate the users and password.
As you can see in the diagram, the flow of the authentication is:
- Zimbra was configured to authenticate against the
LDAP Proxypass the authentication request to the local
LDAP Proxyto do a
Pass-Trough authenticationto the corresponding
Samba4or the internal Zimbra LDAP validate the user.
So how did we do this? Glad you ask ;)
1. Setup the Proxy LDAP
CentOS 6.5 and the standard packages that you can install with
The first thing we did was to make
OpenLDAP use the old
/etc/openldap/slapd.conf configuration file instead of the new
2. Populate the Proxy LDAP
We need to populate the Proxy LDAP with the users information, for this we took a copy a of the Zimbra LDAP information and pasted here, but first you need to configure the LDAP Server.
Note: The full version of the files are available at https://gist.github.com/pbruna/7229c3e99dd4bf57b73c
2.1. Configure the LDAP DB
No magic here, just the standard setup.
1 2 3 4 5
2.2. Configure the LDAP SASL Authentication
This is new, well for me at least. We are going to tell OpenLDAP to pass the authentication to the local
1 2 3
OpenLDAP talks with
saslauthd using a mutex, so open
/usr/lib64/sasl2/slapd.conf and add:
Finally add the ldap user to the saslauth group:
2.3. Clear Text Passwords
For all of this to work we are going to need that OpenLDAP stores the
userPassword as without any hashing.
2.4. Import users
Start the LDAP service with, grab the LDIF you exported from the Zimbra LDAP and load it:
No, i didn’t tell you how to export the
ldif file from Zimbra, but you can find a step by step howto in our knowledge base: Populating Proxy LDAP with Zimbra users
3. Lets configure the Meta Backends
We are going to use the
Meta Backends like an
IPTABLES NAT, like this:
- When we search for the ldap base
ou=zimbra,dc=localthe search will be
Zimbra LDAP Server,
- When we search for the base
ou=samba4,dc=localthe search will be
Samba 4 LDAP Server.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30
3.1. Add the Meta Backends to the LDAP config
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31
3.2. Configure salsauthd
The key configurations of this are:
ldap_search_base: ou=%d,dc=local, the
%dis the text after the
@. If we use firstname.lastname@example.org,
%d = example.com
ldap_filter: (|(uid=%U)(SAMACCOUNTNAME=%U)), we search matching the
SAMACCOUNTNAMEvalue with the username.
%U = itlinux, if we keep with the last example.
1 2 3 4 5 6 7 8 9 10 11 12 13 14
3.3. Restart the services
3.4. Magic and the CLEARTEXT Password
We are going to use the
userPassword field to let the
LDAP Proxy decide to which backend redirect the authentication, like this:
1 2 3 4 5 6 7
The flow of this is:
- LDAP Proxy receives an authentication request,
- LDAP Proxy check the
userPasswordfield and notice that has to pass the authentication to
saslauthdreceives the authentication request with the param
pbruna@samba4 => [%U: pbruna, %d: samba4]
salsauthdnow knows that has to make a search in
ou=samba4,dc=localwith the filter
- This search is going to hit the
Meta Backendthat points to the
Samba4 LDAP Server.
Samba4 LDAP Serverauthenticate the user.
4. Zimbra Configuration
This is by far the easiest part, just go and configure a Domain to use External LDAP authentication and point it to the
LDAP Proxy server: https://wiki.zimbra.com/wiki/LDAP_Authentication
And that is all!!
5.1 How to set the userPassword field
Remember that the
userPassword field is show in
base64 when you do a
ldapsearch, so if you see this:
and need to be sure that its ok, just decoded with:
- As always to the amazing people of Zimbra for such a wonderful product, and for keeping it Open Source.
- To the people of LDAP Tool Box project from where we got all the information to do this. A must read Pass-Trough authentication with SASL
- To Daniel Eugenin for all the help setting up OpenLDAP.
And to You for keep reading!!!!