FreeIPA with Kerberos
Since version 8.0 of Zimbra it is possible to delegate authentication to a Kerberos server. Here we are going to see how to authenticate Zimbra against the open-source version of Red Hat's IdM: FreeIPA.
FreeIPA is an integrated security information management solution combining Linux (Fedora), 389 Directory Server, MIT Kerberos, NTP, DNS and Dogtag (Certificate System). It consists of a web interface and command-line administration tools.
Configure Zimbra with FreeIPA
Integration of the Zimbra Server into the Kerberos Domain
First of all, the Zimbra server needs to be enrolled in the FreeIPA domain:
ipa-client-install --enable-dns-updates --domain=DOMAIN.TLD --server=FREEIPA.DOMAIN.TLD
Before starting the client installation, make sure /etc/resolv.conf points at your FreeIPA server so that the LDAP and Kerberos SRV records resolve. Follow the wizard to complete the enrollment.
Once that is done, verify that you can obtain a Kerberos ticket by logging in (or running kinit) with a FreeIPA account, then check the ticket with klist:

klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin@DOMAIN.TLD

Valid starting       Expires              Service principal
12/18/15 23:26:10    12/19/15 23:26:10    krbtgt/DOMAIN.TLD@DOMAIN.TLD
We can now move on to the next step and configure Zimbra.
First, check in the Kerberos configuration that the system will locate the KDC through DNS: the dns_lookup_kdc option in /etc/krb5.conf must be set to true.
Finally, as the zimbra user, run the following commands:

zmprov md domain.tld zimbraAuthMech kerberos5
zmprov md domain.tld zimbraAuthKerberos5Realm DOMAIN.TLD

1. The first line changes the domain's authentication mechanism to Kerberos 5.
2. The second line sets the realm of your Kerberos domain. Case matters here: the realm name is case-sensitive and must be written in upper case, exactly as it appears in the ticket (DOMAIN.TLD, not domain.tld).
Once that is done, restart Zimbra (zmcontrol restart as the zimbra user) so that a modified krb5.conf is picked up.
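As an added example (not code from this page, from Zimbra or from FreeIPA), here is a small POSIX shell script that performs the checks the procedure above depends on before touching zmprov: that the realm is written in upper case, that dns_lookup_kdc is true in the [libdefaults] section of krb5.conf, and that the ticket cache actually holds a ticket for that realm. It assumes the default /etc/krb5.conf path, klist on the PATH, and the domain.tld / DOMAIN.TLD placeholders used on the page; the function names are my own.

```shell
#!/bin/sh
# Added example, not code from the original page or from Zimbra/FreeIPA:
# pre-flight checks for the Zimbra/FreeIPA Kerberos procedure.
# Assumptions: /etc/krb5.conf is the config path, klist is on PATH, and
# domain.tld / DOMAIN.TLD are the placeholders used on the page.

# Return 0 if krb5.conf (path in $1) sets dns_lookup_kdc to a true value
# inside [libdefaults]. The first occurrence of the key is the one used.
krb5_dns_lookup_kdc() {
    awk '
        /^[ \t]*\[/ {                       # section header, e.g. [libdefaults]
            sec = $0
            sub(/^[ \t]*\[/, "", sec)
            sub(/\].*$/, "", sec)
            next
        }
        sec == "libdefaults" && !seen && $0 ~ /^[ \t]*dns_lookup_kdc[ \t]*=/ {
            seen = 1
            v = tolower(substr($0, index($0, "=") + 1))
            gsub(/[ \t]/, "", v)
            ok = (v == "true" || v == "yes" || v == "on" || v == "1")
        }
        END { exit ok ? 0 : 1 }
    ' "$1"
}

# Kerberos realm names are case-sensitive and FreeIPA realms are upper case;
# zimbraAuthKerberos5Realm must match exactly. Return 0 if $1 is non-empty
# and is unchanged by upper-casing it.
realm_is_uppercase() {
    [ -n "$1" ] && [ "$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')" = "$1" ]
}

# Print the realm of the cached ticket: the part after '@' on the
# "Default principal:" line of klist output read from stdin.
klist_realm() {
    awk '/^Default principal:/ { n = split($3, p, "@"); print p[n]; exit }'
}

# Print the two zmprov commands for mail domain $1 and realm $2.
zimbra_krb5_commands() {
    printf 'zmprov md %s zimbraAuthMech kerberos5\n' "$1"
    printf 'zmprov md %s zimbraAuthKerberos5Realm %s\n' "$1" "$2"
}

# Check realm case, dns_lookup_kdc and the cached ticket, then print the
# zmprov commands. $3 is the krb5.conf path (default /etc/krb5.conf);
# $4, if given, is klist output to inspect instead of running klist.
# Set ZMPROV_APPLY=1 to run the commands instead of only printing them.
zimbra_krb5_preflight() {
    domain=$1; realm=$2; conf=${3:-/etc/krb5.conf}
    klist_out=${4:-$(klist 2>/dev/null)}
    realm_is_uppercase "$realm" ||
        { echo "realm '$realm' must be upper case" >&2; return 1; }
    krb5_dns_lookup_kdc "$conf" ||
        { echo "dns_lookup_kdc is not true in [libdefaults] of $conf" >&2; return 1; }
    cached=$(printf '%s\n' "$klist_out" | klist_realm)
    [ "$cached" = "$realm" ] ||
        { echo "no ticket for $realm in the cache (found '${cached:-none}'); run kinit first" >&2; return 1; }
    if [ "${ZMPROV_APPLY:-0}" = 1 ]; then
        zmprov md "$domain" zimbraAuthMech kerberos5 &&
        zmprov md "$domain" zimbraAuthKerberos5Realm "$realm"
    else
        zimbra_krb5_commands "$domain" "$realm"
    fi
}
```

Run zimbra_krb5_preflight domain.tld DOMAIN.TLD as the zimbra user after kinit; by default it only prints the two zmprov commands, and sets ZMPROV_APPLY=1 runs them once every check has passed. A lower-case realm or a ticket for a different realm makes it stop before zmprov is called, which is the failure the upper-case note above is warning about.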
Your Zimbra server is now connected to FreeIPA.
References: FreeIPA website (https://www.freeipa.org/)