King0770-Notes-Access GAL from Clients 6.0
If your users prefer client applications such as Thunderbird or the Mac OS X Address Book but still need to reach Zimbra's GAL, here is a proposed workaround: point the client's LDAP address book at Zimbra's own LDAP server and authenticate with the user's Zimbra credentials.
==Configure ZCS machine (optional)==
Disable anonymous LDAP binds, so that the directory can only be searched by an authenticated user. The clients configured below bind with the user's own Zimbra credentials, so they are unaffected:
<code><pre>
/opt/zimbra/libexec/zmldapanon -d
</pre></code>
==Configure Client==
Example for a Zimbra server called mail.abccompany.com serving the domain abccompany.com. The client's LDAP address-book settings would look like this:
<code><pre>
Server: mail.abccompany.com
Search Base: ou=people,dc=abccompany,dc=com
Port: 389
Scope: subtree
</pre></code>
Authentication for a user with the address joe@abccompany.com (the bind DN is the account's uid under the domain's ou=people branch):
<code><pre>
Bind DN: uid=joe,ou=people,dc=abccompany,dc=com
Password: _zimbra_password_
Authentication Type: simple
</pre></code>
Simple authentication sends the password in the clear on port 389 unless the client negotiates STARTTLS (see the startTLS requirement below), so enable STARTTLS in the client wherever the option exists.
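The same lookup, scripted with OpenLDAP's ldapsearch, as an added example that is not part of the original page. It derives the bind DN and search base from an address the way the settings above expect them, escapes the user's search text so it cannot inject LDAP filter syntax, and refuses to talk to the server unless STARTTLS succeeds. It assumes the default Zimbra layout (uid=<local>,ou=people,dc=<label>,dc=<label>); the server name and returned attributes are illustrative.

```shell
#!/bin/sh
# Added example, not from the original page: build the bind DN and search base
# from a Zimbra address and run an authenticated GAL lookup over STARTTLS.
# Assumes the default Zimbra LDAP layout shown in the client settings.

# dc_from_domain abccompany.com -> dc=abccompany,dc=com
dc_from_domain() {
    [ -n "$1" ] || return 1
    printf 'dc=%s\n' "$1" | sed 's/\./,dc=/g'
}

# search_base_for DOMAIN -> ou=people,dc=...,dc=...
search_base_for() {
    printf 'ou=people,%s\n' "$(dc_from_domain "$1")"
}

# bind_dn_for user@domain -> uid=user,ou=people,dc=...,dc=...
# RFC 4514 special characters in the local part are backslash-escaped so a
# mailbox such as "a,b@..." cannot alter the DN structure.
bind_dn_for() {
    local localpart domain
    case "$1" in
        *@*) ;;
        *) printf 'bind_dn_for: not an address: %s\n' "$1" >&2; return 1 ;;
    esac
    localpart=${1%@*}
    domain=${1#*@}
    localpart=$(printf '%s' "$localpart" | sed 's/[,+"\\<>;=]/\\&/g')
    printf 'uid=%s,%s\n' "$localpart" "$(search_base_for "$domain")"
}

# ldap_filter_escape TEXT: escape RFC 4515 metacharacters so user-supplied
# search text cannot inject filter syntax (e.g. "*" matching every entry).
ldap_filter_escape() {
    printf '%s\n' "$1" | sed 's/\\/\\5c/g; s/\*/\\2a/g; s/(/\\28/g; s/)/\\29/g'
}

# gal_lookup SERVER USER@DOMAIN QUERY: authenticated GAL search.
# -ZZ aborts if STARTTLS cannot be negotiated, and -W prompts for the
# password instead of taking it on the command line (visible in ps).
gal_lookup() {
    local server email query domain q
    server=$1; email=$2; query=$3
    domain=${email#*@}
    q=$(ldap_filter_escape "$query")
    ldapsearch -x -ZZ -H "ldap://$server" \
        -D "$(bind_dn_for "$email")" -W \
        -b "$(search_base_for "$domain")" -s sub \
        "(&(objectClass=zimbraAccount)(|(mail=*$q*)(cn=*$q*)(displayName=*$q*)))" \
        cn mail displayName
}

# Usage: gal-lookup.sh mail.abccompany.com joe@abccompany.com smith
if [ $# -eq 3 ]; then
    gal_lookup "$@"
fi
```

If the server has no TLS configured at all, -ZZ makes ldapsearch fail outright rather than silently fall back to a plaintext bind, which is the behaviour you want when the user's Zimbra password is on the line.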
==Regarding External Authentication==
If your users authenticate externally (zimbraAuthMech is ldap or ad), the userPassword attribute in Zimbra's LDAP is not the password they log in with, so a simple bind with their real password will fail. You might elect to do one of the following:
a) Add one account (or several) in a domain that does not use external auth, and have users query LDAP with those credentials for GAL lookups. Note that a shared lookup account is a shared secret: anyone holding it can read the whole directory.
b) A more sophisticated approach is to use ldapmodify to set each user's userPassword attribute, either to a new value or to the hash stored in the external directory. slapd's simple bind checks userPassword regardless of zimbraAuthMech, so the GAL bind then works. Zimbra's LDAP now holds a second copy of the credential, which must be kept in sync when the external password changes.
Example LDIF file:
<code><pre>
dn: uid=somebody,ou=people,dc=test,dc=test
changetype: modify
replace: userPassword
userPassword: {CRYPT}xxxxxxxxxx
</pre></code>
Where xxxxxxxxxx is the hashed password (assuming the crypt scheme; slapd must be built with crypt support to verify it).
Sample command (binds as the Zimbra LDAP admin; -W prompts for the password, which is zimbra_ldap_password in localconfig, rather than exposing it on the command line and in shell history):
<code><pre>
ldapmodify -x -W -D "uid=zimbra,cn=admins,cn=zimbra" -H ldap://mail.abccompany.com -f /tmp/sample.ldif
</pre></code>
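Option (b) end to end, as an added example that is not part of the original page: generate a {CRYPT} hash from a password that never appears on the command line, verify it the way slapd will, write the LDIF above, and apply it with the admin password read from a file. The DN, server name and password-file path are placeholders. It uses SHA-512 crypt ($6$), which needs OpenSSL 1.1.1 or later for `openssl passwd -6` and a slapd whose crypt(3) supports that scheme (glibc's does); if yours only supports traditional crypt, the generated hash will not verify.

```shell
#!/bin/sh
# Added example, not from the original page: set a {CRYPT} userPassword so an
# externally authenticated Zimbra user can bind to LDAP for GAL lookups.
# Requires OpenSSL 1.1.1+ (openssl passwd -6) and OpenLDAP's ldapmodify.
# The $6$ (SHA-512 crypt) hash is usable only if slapd's crypt(3) supports it.

# crypt_hash PASSWORD [SALT] -> {CRYPT}$6$salt$hash
# The password is fed on stdin, never as an argument, so it does not show up
# in `ps` output. The salt is 16 hex characters, valid for crypt.
crypt_hash() {
    local salt
    salt=${2:-$(openssl rand -hex 8)}
    printf '{CRYPT}%s\n' "$(printf '%s\n' "$1" | openssl passwd -6 -salt "$salt" -stdin)"
}

# crypt_verify STORED PASSWORD -> 0 if PASSWORD matches, 1 otherwise.
# Recomputes the hash with the salt embedded in STORED, as slapd does.
crypt_verify() {
    local stored salt recomputed
    stored=$(printf '%s' "$1" | sed 's/^{CRYPT}//')
    salt=$(printf '%s' "$stored" | cut -d'$' -f3)
    [ -n "$salt" ] || return 1
    recomputed=$(printf '%s\n' "$2" | openssl passwd -6 -salt "$salt" -stdin)
    [ "$recomputed" = "$stored" ]
}

# passwd_ldif DN HASH -> LDIF that replaces userPassword on DN
passwd_ldif() {
    printf 'dn: %s\nchangetype: modify\nreplace: userPassword\nuserPassword: %s\n' "$1" "$2"
}

# apply_ldif SERVER LDIF_FILE: bind as the Zimbra LDAP admin and apply the
# LDIF over STARTTLS (-ZZ). The admin password is read from a file (-y), an
# assumed path, rather than given with -w on the command line.
apply_ldif() {
    ldapmodify -x -ZZ -H "ldap://$1" \
        -D "uid=zimbra,cn=admins,cn=zimbra" -y /tmp/zimbra-ldap.pw \
        -f "$2"
}

# Usage: set-gal-password.sh mail.abccompany.com uid=somebody,ou=people,dc=test,dc=test
# The new password is read from the terminal with echo off.
if [ $# -eq 2 ]; then
    printf 'New password for %s: ' "$2"
    stty -echo; read -r pw; stty echo; printf '\n'
    hash=$(crypt_hash "$pw")
    ldif=$(mktemp)
    passwd_ldif "$2" "$hash" > "$ldif"
    apply_ldif "$1" "$ldif"
    rm -f "$ldif"
fi
```

The password file given to -y should be readable only by the zimbra user (mode 0600); the admin password otherwise ends up in `ps` output and shell history exactly as `-w zimbraPassword` would put it there.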
===Outside Company's Network===
If a user needs to reach the GAL from outside the company network, port 389 on the Zimbra server will most likely have to be reachable from the Internet. Exposing LDAP publicly opens every Zimbra account to password guessing through LDAP binds and, without STARTTLS, sends the user's password across the network in the clear. If you must do this, require STARTTLS (next section), restrict the port at the firewall to the addresses that need it, or prefer a VPN.<br>
==startTLS Requirement==
Zimbra 6.0 can require STARTTLS on its LDAP connections. STARTTLS upgrades the plain ldap:// connection on port 389 to TLS; it is not the separate ldaps:// listener.<br>
The security strength factor (ssf) that slapd assigns to a STARTTLS connection comes from the cipher negotiated in the TLS handshake (its symmetric key length in bits), not from the certificate itself.<br>
You can see the value negotiated by real clients in /var/log/zimbra.log when the LDAP log level includes stats logging (256):<br>
<code><pre>
Aug 4 21:42:47 gort slapd[32703]: conn=726 fd=12 TLS established tls_ssf=128 ssf=128
</pre></code>
This shows a tls_ssf (STARTTLS security strength factor) of 128, so that is the value to require:
<code><pre>
zmlocalconfig -e ldap_common_require_tls=128
zmcontrol stop
zmcontrol start
</pre></code>
Note:
The Zimbra JVM negotiates at most 128-bit ciphers (the default JCE policy caps AES at 128 bits), while non-Java clients such as the OpenLDAP tools can negotiate 256-bit ciphers, so you may well see tls_ssf=256 in the log. If you set ldap_common_require_tls to 256, every Java component of Zimbra will fail to connect to LDAP.
To be safe, use 128 for ldap_common_require_tls.
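Before turning the requirement on, it is worth knowing which clients would be locked out. The following is an added example, not part of the original page: it runs over slapd stats-log lines of the format shown above and reports the weakest tls_ssf any client negotiated and every BIND made on a connection that never established TLS. The log excerpt is constructed for illustration (the host, process id and addresses are made up); point the functions at /var/log/zimbra.log on a real server.

```shell
#!/bin/sh
# Added example, not from the original page: audit slapd stats logging
# (loglevel 256) before setting ldap_common_require_tls. Reports the lowest
# negotiated tls_ssf and any BIND on a connection without STARTTLS.

# write_sample_log FILE: constructed /var/log/zimbra.log excerpt
write_sample_log() {
    cat > "$1" <<'EOF'
Aug  4 21:42:47 gort slapd[32703]: conn=726 fd=12 ACCEPT from IP=10.1.2.3:50214 (IP=0.0.0.0:389)
Aug  4 21:42:47 gort slapd[32703]: conn=726 fd=12 TLS established tls_ssf=128 ssf=128
Aug  4 21:42:47 gort slapd[32703]: conn=726 op=0 BIND dn="uid=joe,ou=people,dc=abccompany,dc=com" method=128
Aug  4 21:42:48 gort slapd[32703]: conn=727 fd=13 ACCEPT from IP=10.1.2.4:50215 (IP=0.0.0.0:389)
Aug  4 21:42:48 gort slapd[32703]: conn=727 op=0 BIND dn="uid=mary,ou=people,dc=abccompany,dc=com" method=128
Aug  4 21:42:49 gort slapd[32703]: conn=728 fd=14 ACCEPT from IP=10.1.2.5:50216 (IP=0.0.0.0:389)
Aug  4 21:42:49 gort slapd[32703]: conn=728 fd=14 TLS established tls_ssf=256 ssf=256
Aug  4 21:42:49 gort slapd[32703]: conn=728 op=0 BIND dn="uid=zimbra,cn=admins,cn=zimbra" method=128
EOF
}

# min_tls_ssf FILE: lowest tls_ssf negotiated by any connection (empty if
# none). Capped at 128 (see the note above), this is the largest value of
# ldap_common_require_tls that does not lock out a client already using TLS.
min_tls_ssf() {
    awk 'match($0, /tls_ssf=[0-9]+/) {
             v = substr($0, RSTART + 8, RLENGTH - 8) + 0
             if (min == "" || v < min) min = v
         }
         END { print min }' "$1"
}

# plaintext_binds FILE: BIND operations on connections with no earlier
# "TLS established" line. slapd connection numbers are unique within one
# slapd run, so a conn= value identifies the session. These clients send the
# password in the clear today and will be refused once STARTTLS is required.
plaintext_binds() {
    awk '/TLS established/ && match($0, /conn=[0-9]+/) {
             tls[substr($0, RSTART, RLENGTH)] = 1
         }
         / BIND dn=/ && match($0, /conn=[0-9]+/) {
             c = substr($0, RSTART, RLENGTH)
             if (!(c in tls)) print c ": " $0
         }' "$1"
}

# Usage: audit-ldap-tls.sh /var/log/zimbra.log
if [ $# -eq 1 ]; then
    echo "weakest tls_ssf: $(min_tls_ssf "$1")"
    echo "binds without STARTTLS:"
    plaintext_binds "$1"
fi
```

In the constructed excerpt conn=727 (mary) binds without STARTTLS, which is the client to fix before the requirement goes in, and the 256-bit session on conn=728 is the sort of non-Java client that makes tls_ssf=256 show up in the log without it being a safe value to require.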