King0770-Notes-Access GAL from Clients 6.0: Difference between revisions

m (Adding category)
No edit summary
 
(14 intermediate revisions by one other user not shown)
Line 1: Line 1:
If your users prefer to use client apps like Thunderbird, or Mac's Address book but still needs to access the Zimbra's GAL, here's a proposed workaround.<br>
{{Archive}}If your users prefer to use client apps like Thunderbird, or Mac's Address book but still need to access the Zimbra's GAL, here's a proposed workaround.<br>


==Configure Client==
==Configure ZCS machine(Optional)==
 
<br>


===Disable LDAP anonymous connections===
===Disable LDAP anonymous connections===
Line 10: Line 8:
</pre></code>
</pre></code>


<br>
==Configure Client==


===Example for a Zimbra server called mail.abccompany.com===
===Example for a Zimbra server called mail.abccompany.com with a domain of abccompany.com===
The settings would have something like this:<br>
The settings would have something like this:<br>


Line 28: Line 26:
Authentication Type: simple
Authentication Type: simple
</pre></code>
</pre></code>
====Regarding External Authentication====
See, https://bugzilla.zimbra.com/show_bug.cgi?id=50248


===Outside Company's Network===
===Outside Company's Network===
If a user has the need to access the GAL from outside the company network, most likely port 389 will need to be accessible.<br>
If a user has the need to access the GAL from outside the company network, most likely port 389 will need to be accessible.<br>
==startTLS Requirement==
Zimbra 6.0 (and 7.0) has the ability to require startTLS (SSL encryption) over ldap connections (not ldaps://).<br>
The security value assigned to startTLS connections depends on the strength of the certificate that the server is using.<br>
You can find the strength of the current cert by examining /var/log/zimbra.log when the ldap log level includes stats logging(256):<br>
<code><pre>
Aug 4 21:42:47 gort slapd[32703]: conn=726 fd=12 TLS established tls_ssf=128 ssf=128
</pre></code>
This indicates the tls_ssf (startTLS security factor) is 128, so you would use that as the value for the key.<br>
<code><pre>
zmlocalconfig -e ldap_common_require_tls=128
zmcontrol stop
zmcontrol start
</pre></code>
<strong>Note:</strong><br>
Java can go as high as 128. But other java apps can go higher. If you set ldap_common_require_tls to 256, all java apps will fail. So you could see tls_ssf=256, in your log.<br>
Just to be safe, just use 128 for ldap_common_require_tls.<br>


[[Category:Community Sandbox]]
[[Category:Community Sandbox]]
[[Category:LDAP]]
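Review bot: The Note added at the end of the startTLS section contradicts itself: "Java can go as high as 128. But other java apps can go higher." If the second sentence is meant to be about non-Java clients, say so, and move "So you could see tls_ssf=256, in your log" directly after it so that the warning about setting ldap_common_require_tls to 256 reads as the conclusion. The section also says the value depends on the strength of the certificate, while the quoted log line reports tls_ssf for a single connection (conn=726); a sentence on how the two relate would help an admin pick the value. The Configure Client example earlier in the page still lists only port 389 with simple authentication, so it should mention that clients have to enable startTLS once this key is set.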

Latest revision as of 19:44, 25 March 2015

If your users prefer to use client apps like Thunderbird or Mac's Address Book but still need to access Zimbra's GAL, here's a proposed workaround.

Configure ZCS machine (Optional)

Disable LDAP anonymous connections

/opt/zimbra/libexec/zmldapanon -d

Configure Client

Example for a Zimbra server called mail.abccompany.com with a domain of abccompany.com

The settings would look something like this:

Server: mail.abccompany.com
Search Base: ou=people,dc=abccompany,dc=com
Port: 389
Scope: subtree

Authentication for a user with the address of joe@abccompany.com

uid=joe,ou=people,dc=abccompany,dc=com
password: _zimbra_password_
Authentication Type: simple

Regarding External Authentication

See https://bugzilla.zimbra.com/show_bug.cgi?id=50248

Outside Company's Network

If a user needs to access the GAL from outside the company network, port 389 will most likely need to be accessible.

startTLS Requirement

Zimbra 6.0 (and 7.0) can require startTLS (SSL encryption) on LDAP connections (ldap://, not ldaps://).
The security value assigned to startTLS connections depends on the strength of the certificate that the server is using.
You can find the strength of the current cert by examining /var/log/zimbra.log when the LDAP log level includes stats logging (256):

Aug 4 21:42:47 gort slapd[32703]: conn=726 fd=12 TLS established tls_ssf=128 ssf=128

This indicates the tls_ssf (startTLS security factor) is 128, so you would use that as the value for the key.

zmlocalconfig -e ldap_common_require_tls=128

zmcontrol stop

zmcontrol start

Note:
Java can go as high as 128. But other Java apps can go higher. If you set ldap_common_require_tls to 256, all Java apps will fail. So you could see tls_ssf=256 in your log.
To be safe, use 128 for ldap_common_require_tls.
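
Before raising ldap_common_require_tls, it helps to see every tls_ssf value that clients have actually negotiated, not just one line. The script below is an added example, not part of the original notes; the function names and the sample log lines are constructed for illustration and follow the format of the slapd entry quoted above. Clients that never issue startTLS log no "TLS established" line, so they do not appear in this summary.

```shell
#!/bin/sh
# Constructed sample lines in the format of the slapd entry quoted above
# (connection numbers and the client address are made up for illustration).
sample_log() {
cat <<'EOF'
Aug 4 21:42:47 gort slapd[32703]: conn=726 fd=12 TLS established tls_ssf=128 ssf=128
Aug 4 21:43:02 gort slapd[32703]: conn=727 fd=14 TLS established tls_ssf=256 ssf=256
Aug 4 21:43:10 gort slapd[32703]: conn=728 fd=15 ACCEPT from IP=192.0.2.10:51544 (IP=0.0.0.0:389)
Aug 4 21:44:31 gort slapd[32703]: conn=729 fd=16 TLS established tls_ssf=56 ssf=56
Aug 4 21:45:00 gort slapd[32703]: conn=730 fd=12 TLS established tls_ssf=128 ssf=128
EOF
}

# Print "tls_ssf count" for every distinct value seen, lowest first.
tls_ssf_histogram() {
    awk '/TLS established/ {
             for (i = 1; i <= NF; i++)
                 if ($i ~ /^tls_ssf=[0-9]+$/) { split($i, kv, "="); n[kv[2]]++ }
         }
         END { for (v in n) print v, n[v] }' "$@" | sort -n
}

# Lowest tls_ssf observed: a requirement above this value would have
# rejected at least one of the logged connections.
min_tls_ssf() {
    tls_ssf_histogram "$@" | head -n 1 | cut -d' ' -f1
}

# conn= ids whose tls_ssf is below the proposed requirement ($1).
conns_below() {
    want=$1; shift
    awk -v want="$want" '/TLS established/ {
        conn = ""; ssf = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^conn=/)    conn = substr($i, 6)
            if ($i ~ /^tls_ssf=/) ssf  = substr($i, 9)
        }
        if (ssf != "" && ssf + 0 < want + 0) print conn
    }' "$@"
}

# Demo on the constructed sample; on a server, pass /var/log/zimbra.log instead.
sample_log | tls_ssf_histogram
```

On a real server, call the functions with /var/log/zimbra.log as the file argument, for example conns_below 128 /var/log/zimbra.log, and look up the listed conn ids in the log to find the affected clients.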
