Integrating PWM password manager with Zimbra

Revision as of 20:23, 24 October 2013 by Mnichols (talk | contribs)
Admin Article

Article Information

This article applies to the following ZCS versions.

ZCS 8.0 Article ZCS 8.0

Introduction

PWM is an open source Password Manager for multiple directories. The goal of this wiki is to provide the steps required to allow pwm to manage passwords in the Zimbra OpenLDAP implementation.

This article is based on pwm 1.7 with Zimbra Network Edition 8.0.5.

Installation Instructions for PWM are here: https://code.google.com/p/pwm/

These instructions assume pwm is installed on a stand-alone CentOS 6.4 server. The base installation of pwm requires apache and tomcat and by default is listening on port 8080.

To Do

  • Document configuration for multiple domains

Extend the Zimbra Schema to include the pwm attributes

This information is based on the article: http://wiki.zimbra.com/wiki/Installing_custom_ldap_schema

Create a file with the pwm schema extensions which will be converted into an LDIF-format for use with ZCS, as the zimbra user: 

 mkdir -p /tmp/ldap/schema
 cd /tmp/ldap/schema

With your favorite editor, create /tmp/ldap/schema/pwm.schema with the following contents 

#
attributetype ( 1.3.6.1.4.1.591242.2.2010.04.16.1
       NAME 'pwmEventLog'
       SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
attributetype ( 1.3.6.1.4.1.591242.2.2010.04.16.2
       NAME 'pwmResponseSet'
       SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
attributetype ( 1.3.6.1.4.1.591242.2.2010.04.16.3
       NAME 'pwmLastPwdUpdate'
       SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )
attributetype ( 1.3.6.1.4.1.591242.2.2010.04.16.4
       NAME 'pwmGUID'
       SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
objectclass ( 1.3.6.1.4.1.591242.1.2010.04.16.1
       NAME 'pwmUser'
       AUXILIARY
       MAY ( pwmLastPwdUpdate $ pwmEventLog $ pwmResponseSet $ pwmGUID ) )

Create a file called "test.conf" with the following contents 

 include /opt/zimbra/openldap/etc/openldap/schema/core.schema
 include /opt/zimbra/openldap/etc/openldap/schema/cosine.schema
 include /opt/zimbra/openldap/etc/openldap/schema/inetorgperson.schema
 include /tmp/ldap/schema/samba.schema

Then execute 

 cd /tmp/ldap
 /opt/zimbra/openldap/sbin/slaptest -f /tmp/ldap/test.conf -F /tmp/ldap

This will create a new "cn=config" directory in /tmp/ldap. If you examine its contents, you'll see: 

 ls cn\=config
 cn=schema  cn=schema.ldif  olcDatabase={0}config.ldif  olcDatabase={-1}frontend.ldif

Note the cn=schema directory. This directory will contain the converted files, so let's go there: 

 cd cn\=config/cn\=schema
 ls
 cn={0}core.ldif  cn={1}cosine.ldif  cn={2}inetorgperson.ldif  cn={3}pwm.ldif

As you can see, there is now a pwm.ldif file, which is what has been converted from the pwm schema file. We'll need to renumber the cn={3}pwm.ldif file as noted above because ZCS reserves the first 10 slots. To do this, we need to rename it and then modify it. For example, to put the pwm schema in slot number 12: 

 mv cn\=\{3\}pwm.ldif cn\=\{11\}pwm.ldif

Then modify it so that the following lines are changed from: 

 dn: cn={3}pwm
 objectClass: olcSchemaConfig
 cn: {3}pwm

to 

 dn: cn={11}pwm
 objectClass: olcSchemaConfig
 cn: {11}pwm

To finish, we need to copy the new file in to the ZCS OpenLDAP schema directory, as the zimbra user: 

 ldap stop
 cp /tmp/ldap/cn\=config/cn\=schema/cn\=\{11\}pwm.ldif /opt/zimbra/data/ldap/config/cn\=config/cn\=schema/
 ldap start

After you have installed the new schema, restart Zimbra services and make sure that they started successfully.

Create a pwmadmin account to execute directory updates in Zimbra's OpenLDAP

Now you will need to create a new users for the local pwm process to use to access the information from the LDAP server. You can generate the hash of the password for use with creating the user in ldap with the /opt/zimbra/openldap/slappasswd command. For example, if I wanted to use the password "somepassword" , I would run: 

/opt/zimbra/openldap/sbin/slappasswd -s somepassword

This will return the SSHA hash needed for the user entry. Create a text file called /tmp/pwmadmin-user.ldif that looks similar to the following. Write down the password (somepassword), as you will need this information later to configure pwm. 

dn: uid=pwmadmin,cn=admins,cn=zimbra
uid: pwmadmin
objectClass: zimbraAccount
objectClass: organizationalPerson
cn: pwmadmin
sn: pwmadmin
zimbraAccountStatus: active
zimbraIsSystemResource: TRUE
zimbraId: 59BC2282-98CC-11DE-9492-C023E3CEB16B
description: The pwm admin account
userPassword: {SSHA}QWkRtX5CQPDVzzhJKH9kDoLE5rP/hBu8

Now add the new users to the LDAP master. If you have multiple ldap servers, they will be replicated out. You will be prompted for a password, use the password from zmlocalconfig -s ldap_root_password 

ldapadd -f /tmp/pwmadmin-user.ldif -x -H ldapi:/// -D cn=config -W

Modify the OpenLDAP permissions to allow the pwmadmin account to update information.

Now, you need to adjust the LDAP acls so that the new user can read the data necessary from the LDAP server. This will need to be done on each LDAP server that exists. Create a file called /tmp/acl.ldif and add the following to it. If this is a master with replicas, you need to change the olcDatabase line to be olcDatabase={3}mdb,cn=config in both sections.

In this example I will use the domain zm-train.com, which is the name of my zimbra domain running inside a VMware instance, hence my ldapSuffix is 

dc=zm-train,dc=com

Be sure to replace dc=zm-train,dc=com with your actual domain 

dn: olcDatabase={2}mdb,cn=config
changetype:modify
delete: olcAccess
olcAccess: {0}
-
add: olcAccess
olcAccess: {0}to attrs=userPassword,pwmResponseSet,pwmLastPwdUpdate,pwmGUID,pwmUser,pwmEventLog  by anonymous auth  by dn.children="cn=admins,cn=zimbra" write  by self write

dn: olcDatabase={2}mdb,cn=config
changetype:modify
delete: olcAccess
olcAccess: {9}
-
add: olcAccess
olcAccess: {9}to attrs=entry  by dn.children="cn=admins,cn=zimbra" write by * read
dn: olcDatabase={2}mdb,cn=config
changetype:modify
delete: olcAccess
olcAccess: {10}
-
add: olcAccess
olcAccess: {10}to dn.subtree="dc=zm-train,dc=com"  by dn.children="cn=admins,cn=zimbra" write by * none
-
delete: olcAccess
olcAccess: {13}
-
olcAccess: {13}to dn.subtree="ou=people,dc=zm-train,dc=com"  by dn.children="cn=admins,cn=zimbra" write  by self write by anonymous auth  by * none

Now apply this ACL modification to the LDAP server: 

ldapmodify -f /tmp/acl.ldif -x -H ldapi:/// -D cn=config -W

Configure pwm to work against the Zimbra OpenLDAP instance

Verified Against: Zimbra Collaboration Server Date Created: 10/26/2013
Article ID: https://wiki.zimbra.com/index.php?title=Integrating_PWM_password_manager_with_Zimbra Date Modified: 2013-10-24



Try Zimbra

Try Zimbra Collaboration with a 60-day free trial.
Get it now »

Want to get involved?

You can contribute in the Community, Wiki, Code, or development of Zimlets.
Find out more. »

Other help Resources

User Help Page »
Official Forums »
Zimbra Documentation Page »

Looking for a Video?

Visit our YouTube channel to get the latest webinars, technology news, product overviews, and so much more.
Go to the YouTube channel »

Retrieved from "http://wiki.zimbra.com/index.php?title=Integrating_PWM_password_manager_with_Zimbra&oldid=53220"
Jump to: navigation, search