King0770-Notes-Access GAL from Clients 6.0
If your users prefer client apps such as Thunderbird or the Mac Address Book but still need access to the Zimbra GAL, here is a proposed workaround.
- 1 Configure ZCS machine(Optional)
- 2 Configure Client
- 3 startTLS Requirement
Configure ZCS machine(Optional)
Disable LDAP anonymous connections
Example for a Zimbra server called mail.abccompany.com with a domain of abccompany.com.
The client settings would look something like this:
Server: mail.abccompany.com
Search Base: ou=people,dc=abccompany,dc=com
Port: 389
Scope: subtree
Authentication for a user with the address of firstname.lastname@example.org:
Bind DN: uid=joe,ou=people,dc=abccompany,dc=com
Password: _zimbra_password_
Authentication Type: simple
Regarding External Authentication
Outside Company's Network
If a user needs to access the GAL from outside the company network, port 389 will most likely need to be reachable from outside.
Zimbra 6.0 (and 7.0) can require startTLS (TLS encryption negotiated on the plain ldap:// port, as opposed to a separate ldaps:// port) for LDAP connections.
The security value assigned to startTLS connections depends on the strength of the certificate that the server is using.
You can find the strength of the current cert by examining /var/log/zimbra.log when the ldap log level includes stats logging (256):
Aug 4 21:42:47 gort slapd: conn=726 fd=12 TLS established tls_ssf=128 ssf=128
This indicates the tls_ssf (startTLS security strength factor) is 128, so you would use that as the value for the key, then restart Zimbra:
zmlocalconfig -e ldap_common_require_tls=128
zmcontrol stop
zmcontrol start
Java can negotiate at most 128, but other applications can go higher, so you may also see tls_ssf=256 in your log. If you set ldap_common_require_tls to 256, all Java apps will fail to connect.
Just to be safe, use 128 for ldap_common_require_tls.
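Before raising ldap_common_require_tls, it helps to know what the clients actually hitting the server negotiate. The following is an added check, not code from the wiki page: it reads the stats-level "TLS established" lines from /var/log/zimbra.log, pairs them with the simple bind on the same connection, and reports which binds would be rejected at a candidate requirement and which arrived with no TLS at all. The "TLS established" format is the one quoted above; the BIND line format and the sample log are constructed approximations of slapd stats output.

```python
import re

# "TLS established" line as quoted on the page (ldap log level 256).
TLS_RE = re.compile(
    r"slapd: conn=(?P<conn>\d+) fd=\d+ TLS established tls_ssf=(?P<tls_ssf>\d+) ssf=\d+"
)
# Simple BIND line: constructed approximation of slapd stats output, not a page value.
BIND_RE = re.compile(r'slapd: conn=(?P<conn>\d+) op=\d+ BIND dn="(?P<dn>[^"]*)" method=128')

# Constructed sample of /var/log/zimbra.log, modelled on the line quoted on the page.
SAMPLE_LOG = """\
Aug 4 21:42:47 gort slapd: conn=726 fd=12 TLS established tls_ssf=128 ssf=128
Aug 4 21:42:47 gort slapd: conn=726 op=0 BIND dn="uid=joe,ou=people,dc=abccompany,dc=com" method=128
Aug 4 21:43:02 gort slapd: conn=727 fd=13 TLS established tls_ssf=256 ssf=256
Aug 4 21:43:02 gort slapd: conn=727 op=0 BIND dn="uid=jane,ou=people,dc=abccompany,dc=com" method=128
Aug 4 21:43:10 gort slapd: conn=728 op=0 BIND dn="uid=bob,ou=people,dc=abccompany,dc=com" method=128
"""


def parse_binds(log_text):
    """Map conn id -> {"dn", "tls_ssf"}; tls_ssf is None if no TLS preceded the bind."""
    tls_by_conn = {}
    binds = {}
    for line in log_text.splitlines():
        m = TLS_RE.search(line)
        if m:
            tls_by_conn[m["conn"]] = int(m["tls_ssf"])
            continue
        m = BIND_RE.search(line)
        if m:
            binds[m["conn"]] = {"dn": m["dn"], "tls_ssf": tls_by_conn.get(m["conn"])}
    return binds


def check_require_tls(log_text, required_ssf):
    """Classify binds against a candidate ldap_common_require_tls value."""
    result = {"ok": [], "too_weak": [], "plaintext": []}
    for b in parse_binds(log_text).values():
        if b["tls_ssf"] is None:
            result["plaintext"].append(b["dn"])   # credentials sent over plain LDAP
        elif b["tls_ssf"] < required_ssf:
            result["too_weak"].append(b["dn"])    # would be rejected at this setting
        else:
            result["ok"].append(b["dn"])
    return result


def safe_require_tls(log_text):
    """Highest requirement every TLS-protected bind seen would still satisfy."""
    ssfs = [b["tls_ssf"] for b in parse_binds(log_text).values() if b["tls_ssf"] is not None]
    return min(ssfs) if ssfs else None
```

Binds listed under "plaintext" are the ones a startTLS requirement will break regardless of the value chosen, so those clients need reconfiguring first.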