King0770-Notes-Access GAL from Clients 6.0

Revision as of 18:07, 25 August 2010 by King0770 (talk | contribs)

If your users prefer client apps such as Thunderbird or the Mac Address Book but still need access to the Zimbra GAL, here is a proposed workaround.

==Configure ZCS machine (Optional)==

Disable anonymous LDAP binds, so that only authenticated clients can search the directory:

/opt/zimbra/libexec/zmldapanon -d

==Configure Client==

Example for a Zimbra server called mail.abccompany.com with a domain of abccompany.com:

The client's LDAP settings would look something like this:

Server: mail.abccompany.com
Search Base: ou=people,dc=abccompany,dc=com
Port: 389
Scope: subtree

Authentication for a user with the address joe@abccompany.com:

Bind DN: uid=joe,ou=people,dc=abccompany,dc=com
Password: _zimbra_password_
Authentication Type: simple

===Regarding External Authentication===

If your users are authenticated externally, you might elect to do one of the following:

a) Add one account (or several) in a domain that does not use external authentication, and have users bind as those accounts to query LDAP directly for GAL lookups.

b) A more sophisticated approach is to use ldapmodify to set the userPassword attribute of each account, either to a new value or to whatever hash is stored in the external directory.

Example ldif file:

dn: uid=somebody,ou=people,dc=test,dc=test
changetype: modify
replace: userPassword
userPassword: {CRYPT}xxxxxxxxxx

Where xxxxxxxxxx is the password hash (the example assumes a crypt hash).

Sample command:

ldapmodify -x -D "uid=zimbra,cn=admins,cn=zimbra" -w zimbraPassword -H ldap://mail.abccompany.com -f /tmp/sample.ldif

Passing the admin password with -w leaves it in your shell history; -W prompts for it instead.

===Outside Company's Network===
If users need to access the GAL from outside the company network, port 389 will most likely have to be reachable from the Internet; in that case the startTLS requirement below keeps the simple-bind password from crossing the network in the clear.<br>

==startTLS Requirement==
Zimbra 6.0 can require startTLS (TLS encryption negotiated on the plain ldap:// port, not ldaps://) for LDAP connections.<br>
The security value assigned to startTLS connections depends on the strength of the certificate and TLS configuration that the server is using.<br>
You can find the strength of the current connections by examining /var/log/zimbra.log when the ldap log level includes stats logging (256):<br>
<code><pre>
Aug 4 21:42:47 gort slapd[32703]: conn=726 fd=12 TLS established tls_ssf=128 ssf=128
</pre></code>

This indicates that the tls_ssf (startTLS security strength factor) is 128, so you would use that as the value for the key, then restart ZCS:

<code><pre>
zmlocalconfig -e ldap_common_require_tls=128
zmcontrol stop
zmcontrol start
</pre></code>

Note:
Java clients can negotiate a tls_ssf of at most 128, but other (non-Java) applications can go higher, so you may also see tls_ssf=256 in your log. If you set ldap_common_require_tls to 256, all Java applications will fail.
To be safe, use 128 for ldap_common_require_tls.
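Before enforcing the value, it helps to know which clients would be affected. The following Python script is an added example (not from the Zimbra wiki): it scans slapd stats lines in the format shown above, lists connections whose negotiated tls_ssf is below the intended ldap_common_require_tls value, and flags simple binds that were sent without TLS at all. The log lines embedded in it are constructed samples.

```python
import re

# Constructed sample of slapd stats (256) lines as they appear in
# /var/log/zimbra.log; not real log data. conn=729 binds without TLS.
SAMPLE_LOG = """\
Aug 4 21:42:47 gort slapd[32703]: conn=726 fd=12 TLS established tls_ssf=128 ssf=128
Aug 4 21:43:02 gort slapd[32703]: conn=727 fd=13 TLS established tls_ssf=256 ssf=256
Aug 4 21:43:10 gort slapd[32703]: conn=728 fd=14 TLS established tls_ssf=56 ssf=56
Aug 4 21:43:30 gort slapd[32703]: conn=729 op=0 BIND dn="uid=joe,ou=people,dc=abccompany,dc=com" method=128
"""

TLS_RE = re.compile(r"conn=(\d+) .*TLS established tls_ssf=(\d+) ssf=(\d+)")
# method=128 is slapd's code for a simple bind; it is unrelated to the ssf value.
BIND_RE = re.compile(r'conn=(\d+) op=\d+ BIND dn="([^"]*)" method=')


def parse_tls_ssf(log_text):
    """Map connection id -> tls_ssf for every 'TLS established' line."""
    ssf = {}
    for line in log_text.splitlines():
        m = TLS_RE.search(line)
        if m:
            ssf[int(m.group(1))] = int(m.group(2))
    return ssf


def connections_below(log_text, required=128):
    """Connections whose negotiated tls_ssf is below ldap_common_require_tls.

    slapd would reject operations on these once the value is enforced, so run
    this over a day of logs before setting the key."""
    return sorted((conn, s) for conn, s in parse_tls_ssf(log_text).items()
                  if s < required)


def cleartext_binds(log_text):
    """Simple binds on connections that never established TLS: the password
    crossed port 389 in the clear, which the startTLS requirement prevents."""
    tls_conns = parse_tls_ssf(log_text)
    binds = []
    for line in log_text.splitlines():
        m = BIND_RE.search(line)
        if m and int(m.group(1)) not in tls_conns:
            binds.append((int(m.group(1)), m.group(2)))
    return binds


if __name__ == "__main__":
    print("would be rejected at 128:", connections_below(SAMPLE_LOG))
    print("cleartext binds:", cleartext_binds(SAMPLE_LOG))
```

Run it against the real file with `python3 check_ssf.py < /var/log/zimbra.log` after replacing SAMPLE_LOG with `sys.stdin.read()`.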
