https://wiki.zimbra.com/api.php?action=feedcontributions&user=Jarl&feedformat=atomZimbra :: Tech Center - User contributions [en]2024-03-28T11:12:57ZUser contributionsMediaWiki 1.39.0https://wiki.zimbra.com/index.php?title=UNIX_and_Windows_Accounts_in_Zimbra_LDAP_and_Zimbra_Admin_UI&diff=7566UNIX and Windows Accounts in Zimbra LDAP and Zimbra Admin UI2008-01-14T14:48:46Z<p>Jarl: /* Installing pam_ldap and nss_ldap */</p>
<hr />
<div>==Introduction==<br />
<br />
This document describes how you can configure Zimbra Collaboration Server (ZCS) and Samba to act as a primary domain controller (PDC) that uses LDAP (Lightweight Directory Access Protocol) as a central password database for authenticating users on Linux and Windows desktops. The motivation behind this document is the need to seamlessly integrate ZCS into a corporate network environment based entirely on Open Source server software. This functionality is achieved by configuring Zimbra LDAP to act as a central user database for PAM (Pluggable Authentication Modules), NSS (Name Service Switch), and for Samba's ldapsam password backend. The document also describes the Zimbra Admin Extensions that allow managing OS and Samba accounts, groups and domains through the Zimbra Admin UI.<br />
<br />
The setup described in this document is not the only possible way to make Samba and Zimbra use the same user database for authentication. There are multiple other ways to achieve similar functionality, and it is recommended that you explore the Zimbra WIKI at [http://wiki.zimbra.com/ http://wiki.zimbra.com] to see if another solution is a better fit for your needs. However, this is the only solution that allows network administrators to manage Windows user accounts and groups using the Zimbra Admin UI. It is also highly recommended to become familiar with Zimbra, Samba, LDAP and PAM before you start the installation. Particularly helpful are the following sources of information:<br />
<br />
* LDAP Authentication HOWTO http://ldots.org/ldap/<br />
* Authenticating with LDAP http://imaginator.com/~simon/ldap/<br />
* pam.d(5) man page (explains syntax of pam.d configuration files which you will have to edit during the installation) http://www.die.net/doc/linux/man/man5/pam.d.5.html<br />
* PAM FAQ http://www.kernel.org/pub/linux/libs/pam/FAQ<br />
* The Official Samba-3 HOWTO and Reference Guide http://us3.samba.org/samba/docs/man/Samba-HOWTO-Collection/<br />
* Zimbra Documentation http://www.zimbra.com/products/documentation.html<br />
<br />
==Intended audience==<br />
<br />
This document is intended mainly for network administrators who are faced with the task of integrating multiple OpenSource software packages to support a corporate network. The author assumes that the reader has basic knowledge of Linux/Unix OS, is capable of using a text editor and is at least vaguely familiar with Zimbra, Samba, LDAP and PAM. If these four words sound foreign to you, please take some time to look at the aforementioned sources of helpful information, or even better – have them open in separate tabs in Firefox on your second monitor while you are following the directions in this document ;)<br />
<br />
==ToDo==<br />
* Write an AJAX SMB client Zimlet for the mail UI; http://freshmeat.net/projects/davenport/ sounds like a good option.<br />
* Add hooks to Zimbra Server to allow calling extensions when an account's password is changed and write an extension that will change Samba password hashes in LDAP<br />
* Make zimbra's password change update the NT password.<br />
* Fix creation of resources from the admin UI to work with the uidNumber attribute.<br />
* During new account creation, don't allow clicking of the finish button until user has filled out all required fields, including the posix and samba ones. Or maybe put in some reasonable default values so the finish button does not raise an error.<br />
<br />
==How this guide is organized:==<br />
<br />
'''Part 1 '''describes what software you need to download and install.<br />
<br />
'''Part 2 '''describes how to configure Zimbra LDAP and Zimbra Admin to store the information required by the Linux password backend and to allow managing Samba and Posix accounts via Zimbra Admin.<br />
<br />
'''Part 3 '''describes how to configure a Samba server to use Zimbra LDAP as a source of user information and to act as a Primary Domain Controller.<br />
<br />
'''Part 4 '''describes how to configure a Linux server to use Zimbra LDAP as a central source of user information.<br />
<br />
==Part 1==<br />
<br />
====Installing Zimbra====<br />
<br />
# First, install Zimbra Collaboration Suite (it can be an Open Source or a Network Edition) following the Zimbra Installation guides that you can download from the Zimbra website (http://www.zimbra.com/products/documentation.html). Make a note of the root LDAP password that is selected during the installation; you will need it to configure ldapsam, pam_ldap and nss_ldap.<br />
# If you have an existing functioning ZCS server, you can use it instead of a new one, but make sure to back up all your data and that you know your LDAP root password (this password was created during ZCS installation). This setup works with single- as well as with multi-server Zimbra setups.<br />
# Download ZimbraPosixAccount, ZimbraSamba and ZimbraLDAPUtils extensions for your version of ZCS from the Zimbra Gallery ([http://gallery.zimbra.com/ http://gallery.zimbra.com]). Note that these extensions are different for ZCS 4.5.x and ZCS 5.x.<br />
<br />
====Installing Zimbra LDAP Utils extension====<br />
Note: if you are running ZCS 5.0 or higher, this extension is already installed in /opt/zimbra/lib/ext/ldaputils and you do not need to download it.<br />
<br />
# Download Zimbra LDAP utils server extension from Zimbra Gallery [http://gallery.zimbra.com/gallery.php?act=viewProd&productId=54]<br />
# Log in to your Zimbra mail server and make sure you are root. If you have a multi-server setup, this is the server that runs the mailbox service. Create the folder /opt/zimbra/lib/ext/zimbraldaputils. Make sure that the folder's owner is root:root and the access mode is 0755.<br />
# Extract zimbraldaputils.jar file from ZimbraLDAPUtils.zip and put it into /opt/zimbra/lib/ext/zimbraldaputils/<br />
# Restart mailbox server on the Zimbra mail server (this can be done by running zmmailboxctl restart as zimbra user).<br />
<br />
====Installing ZimbraPosixAccount and ZimbraSamba extensions for Zimbra Admin====<br />
Note: if you are running ZCS 5.0 or later, zimbra_posixaccount.zip and zimbra_samba.zip are already included in the installation, and you do not need to download them from the Gallery. You can find both extensions in /opt/zimbra/zimlets-admin-extra/<br />
<br />
# Download zimbra_posixaccount [http://gallery.zimbra.com/gallery.php?act=viewProd&productId=52] Admin extension from Zimbra Gallery [http://gallery.zimbra.com] <br />
# Download zimbra_samba [http://gallery.zimbra.com/gallery.php?act=viewProd&productId=53] Admin extension from Zimbra Gallery [http://gallery.zimbra.com] <br />
# Extract files from ZimbraPosixAccount.zip to a folder on your desktop computer, open zimbra_posixaccount folder and edit config_template.xml.<br />
# Edit the <font size="2"><font face="Courier New, monospace">ldapSuffix</font></font> property in config_template.xml. This property is the path in your LDAP tree where all Linux and Samba user information will be stored. This can be the name of your primary email domain written in LDAP syntax. E.g. if your domain is mycompany.com, then <font size="2"><font face="Courier New, monospace">ldapSuffix</font></font> will be<br />
<br />
<font size="2"><font face="Courier New, monospace">dc=mycompany,dc=com</font></font><br />
<br />
In this example I will use the domain gregzimbra1.zimbra.com, which is the name of my Ubuntu Linux machine running inside a VMware instance, hence my <font size="2"><font face="Courier New, monospace">ldapSuffix</font></font> is<br />
<br />
<font size="2"><font face="Courier New, monospace">dc=gregzimbra1,dc=zimbra,dc=com</font></font><br />
<br />
# Edit the <font size="2"><font face="Courier New, monospace">uidBase</font></font> property in config_template.xml. <font size="2"><font face="Courier New, monospace">uidBase</font></font> is the base for creating Linux user IDs for user accounts that will be stored in LDAP. The first account that you create through the Zimbra Admin UI will have user ID = <font size="2"><font face="Courier New, monospace">uidBase</font></font>+1. If you already have user accounts in your current password database (most likely /etc/passwd) it is recommended that you set this value higher than the highest existing user ID.<br />
# Edit the <font size="2"><font face="Courier New, monospace">gidBase</font></font> property in config_template.xml. <font size="2"><font face="Courier New, monospace">gidBase</font></font> is the base for creating Linux group IDs for groups that will be stored in LDAP. The first group that you create through the Zimbra Admin UI will have group ID = <font size="2"><font face="Courier New, monospace">gidBase</font></font>+1.<br />
# Zip all the files that are in the zimbra_posixaccount folder into zimbra_posixaccount.zip together with the modified config_template.xml.<br />
# Log in to Zimbra Admin (<nowiki>https://yourserver.com:7071/zimbraAdmin</nowiki>) as administrator, navigate to Admin Extensions and deploy the zimbra_posixaccount extension using the zimbra_posixaccount.zip file (refer to the ZCS Admin Guide for more information about installing Admin Extensions).<br />
# Extract files from ZimbraSamba.zip to a folder on your desktop computer and open config_template.xml (this file is in the zimbra_samba folder along with the other extension files).<br />
# Edit the <font size="2"><font face="Courier New, monospace">ldapSuffix</font></font>, <font size="2"><font face="Courier New, monospace">uidBase</font></font> and <font size="2"><font face="Courier New, monospace">gidBase</font></font> properties using the same values as you used for zimbra_posixaccount.zip.<br />
# Zip all the files in the zimbra_samba folder into zimbra_samba.zip together with the modified config_template.xml and deploy the zimbra_samba Admin Extension.<br />
# Reload your Zimbra Admin to initialize the extensions. When the extensions are loaded for the first time, they check whether the OUs defined by the <font size="2"><font face="Courier New, monospace">ldapMachineSuffix</font></font> and <font size="2"><font face="Courier New, monospace">ldapGroupSuffix</font></font> properties in the config_template.xml files exist and create them if they do not.<br />
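As an added example (not part of the original guide or of the extensions), the following Python script derives a uidBase from a client's /etc/passwd the way the uidBase/gidBase steps recommend, and checks directory entries, as getent will later return them, for collisions with local accounts; the floor of 10000 and the sample passwd lines are my own constructions.<br />

```python
"""Choose uidBase/gidBase for config_template.xml from the local account
databases and check the entries the directory later hands to nss_ldap.
Added example; the sample passwd lines below are constructed."""


def parse_ids(db_text):
    """{name: numeric id} from /etc/passwd- or /etc/group-style text;
    the third colon-separated field is the uid (passwd) or gid (group)."""
    ids = {}
    for line in db_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) >= 3 and fields[2].isdigit():
            ids[fields[0]] = int(fields[2])
    return ids


def recommend_base(db_text, floor=10000, step=1000):
    """Smallest multiple of `step` that is at least `floor` (an assumed
    default) and strictly above every id already in use, so that base+1,
    the first account the Admin UI creates, cannot collide locally."""
    highest = max(parse_ids(db_text).values(), default=0)
    return max(floor, (highest // step + 1) * step)


def check_ldap_entries(local_text, ldap_text, base):
    """Findings for directory entries as seen through `getent passwd`
    (or `getent group`): id 0, a name or id that a local entry already
    uses, and ids that are not above the configured base."""
    local = parse_ids(local_text)
    local_by_id = {num: name for name, num in local.items()}
    findings = []
    for name, num in parse_ids(ldap_text).items():
        if num == 0:
            findings.append(f"{name}: id 0 would grant root on every client")
        if name in local:
            findings.append(f"{name}: name already exists locally with id {local[name]}")
        if num in local_by_id and local_by_id[num] != name:
            findings.append(f"{name}: id {num} already used by local '{local_by_id[num]}'")
        if num <= base:
            findings.append(f"{name}: id {num} is not above the configured base {base}")
    return findings


# Constructed sample of a client's /etc/passwd.
LOCAL_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
ubuntu:x:1000:1000:Ubuntu User,,,:/home/ubuntu:/bin/bash
"""

# Constructed sample of the LDAP part of `getent passwd` output: one good
# entry and two that an administrator should notice before going live.
LDAP_PASSWD = """ubuntu2:x:10001:10001:Second User:/home/ubuntu2:/bin/bash
ubuntu:x:10002:10001:Name clash:/home/ubuntu:/bin/bash
badentry:x:0:0:Zero uid:/root:/bin/bash
"""

if __name__ == "__main__":
    base = recommend_base(LOCAL_PASSWD)
    print("uidBase for config_template.xml:", base)
    for finding in check_ldap_entries(LOCAL_PASSWD, LDAP_PASSWD, base):
        print("WARNING:", finding)
```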
<br />
====Installing Samba====<br />
<br />
Install Samba 3 on a Linux/Unix box. I used Samba-3.0.24, which I installed through Synaptic Package Manager on my Ubuntu 6.10 machine running inside VMware. If you are building Samba from sources, make sure to enable LDAP support. I do not recommend installing Samba on the same machine where you installed Zimbra – better to use a separate machine.<br />
<br />
====Installing pam_ldap and nss_ldap====<br />
<br />
You need to install and configure PAM and NSS on the machine where you installed Samba. You can also install it on any Linux desktop that should use Zimbra LDAP as a user database, e.g. Linux desktops where you want to be able to log in using the same username/password that is used for Zimbra Mail.<br />
<br />
You need to download and install the pam_ldap and nss_ldap modules for your OS. I used Ubuntu Linux, which has these modules available as Debian packages through Synaptic Package Manager. If you are using Synaptic Package Manager, make sure to enable the community maintained repositories (see Settings->Repositories) and search for the libpam-ldap and libnss-ldap packages. If you are using a different Linux, you might need to build these modules from the sources. You can find the sources for pam_ldap and nss_ldap on [http://www.padl.com/ http://www.padl.com].<br />
<br />
If you are using Synaptic Package Manager to install libnss_ldap, you will be prompted for the following information:<br />
<br />
* LDAP server Uniform Resource Identifier – enter the LDAP URL of your Zimbra LDAP server, e.g. ldap://zimbra.mydomain.com/ (in my case <font size="2"><font face="Courier New, monospace">ldap://gregzimbra1.zimbra.com/</font></font>)<br />
* LDAP search base – enter the same value that you used for the <font size="2"><font face="Courier New, monospace">ldapSuffix</font></font> property in the zimbra_posixaccount and zimbra_samba extensions, e.g. dc=yourdomain,dc=com (in my case <font size="2"><font face="Courier New, monospace">dc=gregzimbra1,dc=zimbra,dc=com</font></font>)<br />
* LDAP account for root – enter <font size="2"><font face="Courier New, monospace">uid=zimbra,cn=admins,cn=zimbra</font></font><br />
* LDAP root account password – enter the LDAP root password that you selected during Zimbra installation (told you to make a note of it ;) )<br />
<br />
If you don't know the LDAP root account password, you can change it to a known value like this (as the zimbra user):<br />
zimbra@localhost:~$ zmldappasswd newpasswd<br />
<br />
If you are using Synaptic Package Manager to install libpam_ldap, you will be prompted for the following information:<br />
<br />
* LDAP Server – enter the hostname or IP address of your Zimbra LDAP server<br />
* root login account – enter <font size="2"><font face="Courier New, monospace">uid=zimbra,cn=admins,cn=zimbra</font></font><br />
* root login password - enter the LDAP root password that you selected during Zimbra installation<br />
<br />
<br />
In RHEL5/CentOS5 both <font face="Courier New, monospace">nss_ldap</font> and <font face="Courier New, monospace">pam_ldap</font> modules are included in a single <font face="Courier New, monospace">nss_ldap</font> rpm package which is a part of base install. They can be configured using <font face="Courier New, monospace">authconfig</font> command line utility. (See <b>Configuring pam_ldap and nss_ldap.</b>)<br />
<br />
==Part 2==<br />
<br />
====Configuring Zimbra LDAP====<br />
<br />
Please note: upgrading Zimbra will overwrite any changes made to /opt/zimbra/conf/slapd.conf.in, which will break the read-permission changes described below. Back up slapd.conf.in prior to the upgrade and restore it immediately after.<br />
<br />
Before you can configure Zimbra LDAP you need to download nis.schema and samba.schema files.<br />
<br />
* If nis.schema file already exists in /opt/zimbra/openldap/etc/openldap/schema/ - skip to the next bullet, otherwise you need to download it. nis.schema file depends on your version of OpenLDAP. Therefore, the best way to get the correct nis.schema file is to download OpenLDAP source code from http://www.openldap.org/software/download/ for your version of OpenLDAP and take the nis.schema file from servers/slapd/schema folder in the source package. In this document I am using OpenLDAP 2.3.34 which is distributed with ZCS 4.5.4 for Ubuntu Linux.<br />
* samba.schema file depends on the version of Samba that you will be installing. Therefore, I recommend downloading Samba source package for the latest stable version of Samba available for your server's OS and taking samba.schema from examples/LDAP folder in the source package. In this document I am using Samba 3.0.24. In CentOS 5 it is here: /usr/share/doc/samba-3.0.23c/LDAP/samba.schema. <br />
<br />
Log in to the shell on your Zimbra LDAP server. If you have a multi-server setup this is the machine where the ldap service is running. Copy the samba.schema and nis.schema files to /opt/zimbra/openldap/etc/openldap/schema/ (or wherever your OpenLDAP schema files are if you are using a different LDAP server). They should be owned by the zimbra account (chown them to zimbra).<br />
<br />
Next, edit the /opt/zimbra/conf/slapd.conf.in file. Mind the .in suffix: the non-.in file is regenerated on restart. You need to add the following two lines after the last “include” statement at the top of the file:<br />
<br />
<font face="Courier New, monospace"><font size="2">include "/opt/zimbra/openldap/etc/openldap/schema/nis.schema"</font></font><br />
<br />
<font face="Courier New, monospace"><font size="2">include "/opt/zimbra/openldap/etc/openldap/schema/samba.schema"</font></font><br />
<br />
You may also want to add these ldap indexes at the end of the file:<br />
<br />
<nowiki>#indexes for PAM</nowiki><br />
<br />
index uidNumber eq<br />
index gidNumber eq<br />
index memberUID eq<br />
<br />
<br />
<nowiki>#indexes for Samba</nowiki><br />
<br />
index sambaSID eq<br />
index sambaPrimaryGroupSID eq<br />
index sambaDomainName eq<br />
<br />
You may also want to add the following two ACLs so that pam can read the user entries without having to bind with the binddn and its password. That password is stored in the clear in the ldap.conf file on the client machine, and this file must be readable by all, which creates a security issue (on Zimbra the binddn password and the rootdn password seem to be the same).<br />
<br />
<nowiki># only allow access to these attrs basically GAL/Postfix related attrs</nowiki><br />
<pre><br />
access to dn.subtree="ou=people,dc=gregzimbra1,dc=zimbra,dc=com"<br />
by * read<br />
<br />
access to dn.subtree="ou=groups,dc=gregzimbra1,dc=zimbra,dc=com"<br />
by * read<br />
</pre><br />
<br />
Note: the above lines may be too permissive and could be narrowed to specific attributes, but for now they will do. Where you place them also matters: slapd applies the first access directive that matches an entry and attribute, so put these rules after any attribute-specific rules (for userPassword and the Samba password hash attributes) rather than before them, otherwise <font face="Courier New, monospace">by * read</font> covers those attributes as well.<br />
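To see what the placement changes, here is an added example (not from the original page or from Zimbra) that simulates slapd's first-match ACL evaluation over the two subtree rules; the password-attribute rule, the sample user DN and the parser's coverage (only dn.subtree, attrs= and by */anonymous/self/dn=) are my own assumptions.<br />

```python
"""Simulate slapd's first-match ACL evaluation to see what the two
'by * read' subtree rules expose, depending on where they are placed
relative to attribute-specific password rules. Added example; the rules
below are constructed and the parser only understands the directive
subset used in this guide (dn.subtree, attrs=, by */anonymous/self/dn=)."""
import re

# slapd access levels, weakest to strongest
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]
BY_RE = re.compile(r'by\s+(\*|anonymous|self|dn(?:\.exact)?="[^"]+")\s+(\w+)')


def parse_acls(text):
    """[(subtree_dn or None, {attrs} or None, [(who, level), ...])] in file
    order; 'by' clauses may follow on continuation lines."""
    rules, current = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("access to "):
            what, _, rest = line[len("access to "):].partition(" by ")
            m = re.search(r'dn\.subtree="([^"]+)"', what)
            subtree = m.group(1).lower() if m else None
            m = re.search(r"attrs=(\S+)", what)
            attrs = {a.lower() for a in m.group(1).split(",")} if m else None
            current = (subtree, attrs, [])
            rules.append(current)
            line = "by " + rest if rest else ""
        if current is not None:
            current[2].extend(BY_RE.findall(line))
    return rules


def is_under(dn, subtree):
    dn = dn.lower()
    return dn == subtree or dn.endswith("," + subtree)


def who_matches(who, requester, entry_dn):
    """requester=None stands for an anonymous (unbound) client."""
    if who == "*":
        return True
    if who == "anonymous":
        return requester is None
    if who == "self":
        return requester is not None and requester.lower() == entry_dn.lower()
    m = re.match(r'dn(?:\.exact)?="([^"]+)"', who)
    return bool(m) and requester is not None and requester.lower() == m.group(1).lower()


def effective_access(rules, entry_dn, attr, requester=None):
    """First 'access to' clause matching entry and attribute decides; inside
    it the first matching 'by' decides; no match at all means none."""
    for subtree, attrs, bys in rules:
        if subtree is not None and not is_under(entry_dn, subtree):
            continue
        if attrs is not None and attr.lower() not in attrs:
            continue
        for who, level in bys:
            if who_matches(who, requester, entry_dn):
                return level
        return "none"
    return "none"


def can_read(rules, entry_dn, attr, requester=None):
    return LEVELS.index(effective_access(rules, entry_dn, attr, requester)) >= LEVELS.index("read")


# The two rules suggested above (constructed copy).
SUBTREE_RULES = '''
access to dn.subtree="ou=people,dc=gregzimbra1,dc=zimbra,dc=com"
        by * read
access to dn.subtree="ou=groups,dc=gregzimbra1,dc=zimbra,dc=com"
        by * read
'''

# Constructed attribute-specific rule of the kind a slapd.conf carries for
# password hashes (userPassword plus the Samba NT/LM hash attributes).
PASSWORD_RULES = '''
access to attrs=userPassword,sambaNTPassword,sambaLMPassword
        by dn.exact="uid=zimbra,cn=admins,cn=zimbra" write
        by anonymous auth
        by self write
        by * none
'''

USER_DN = "uid=ubuntu2,ou=people,dc=gregzimbra1,dc=zimbra,dc=com"


def anonymous_exposure(first, second):
    """What an unauthenticated client can read on a user entry when the
    two rule blocks appear in the given order."""
    rules = parse_acls(first + second)
    return {attr: can_read(rules, USER_DN, attr)
            for attr in ("uidNumber", "userPassword", "sambaNTPassword")}


if __name__ == "__main__":
    print("subtree rules first: ", anonymous_exposure(SUBTREE_RULES, PASSWORD_RULES))
    print("password rules first:", anonymous_exposure(PASSWORD_RULES, SUBTREE_RULES))
```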
<br />
An example slapd.conf.in file is in ZimbraSamba.zip in the examples/conf folder.<br />
<br />
After you have edited slapd.conf.in and copied the *.schema files to /opt/zimbra/openldap/etc/openldap/schema/, restart the Zimbra services and make sure that they started successfully.<br />
<br />
Now run the following zmprov commands as user zimbra:<br />
<br />
>zmprov mcf +zimbraAccountExtraObjectClass posixAccount<br />
>zmprov mcf +zimbraAccountExtraObjectClass sambaSamAccount<br />
<br />
==Part 3==<br />
<br />
====Configuring Samba====<br />
<br />
There are many ways to configure Samba depending on what your needs are. In this example I will configure Samba to use Zimbra LDAP as the password backend and to act as a primary domain controller for the domain GREGZIMBRA1 and as a WINS server for my network. This configuration will allow Windows NT/XP/2000 workstations to join the GREGZIMBRA1 domain as if it were an NT domain. Below is the /etc/samba/smb.conf file used in this example.<br />
<br />
[global]<br />
workgroup = GREGZIMBRA1<br />
netbios name = gregzimbra2<br />
os level = 33<br />
preferred master = yes<br />
enable privileges = yes<br />
server string = %h server (Samba, Ubuntu)<br />
wins support = yes<br />
dns proxy = no<br />
name resolve order = wins bcast hosts<br />
log file = /var/log/samba/log.%m<br />
log level = 3<br />
max log size = 1000<br />
syslog only = no<br />
syslog = 0<br />
panic action = /usr/share/samba/panic-action %d<br />
security = user<br />
encrypt passwords = true<br />
ldap passwd sync = yes<br />
passdb backend = ldapsam:ldap://gregzimbra1.zimbra.com/<br />
ldap admin dn = "uid=zimbra,cn=admins,cn=zimbra"<br />
ldap suffix = dc=gregzimbra1,dc=zimbra,dc=com<br />
ldap group suffix = ou=groups<br />
ldap user suffix = ou=people<br />
ldap machine suffix = ou=machines<br />
obey pam restrictions = no<br />
passwd program = /usr/bin/passwd %u<br />
passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n *password\supdated\ssuccessfully* .<br />
domain logons = yes<br />
logon path = \\gregzimbra2.zimbra.com\%U\profile<br />
logon home = \\gregzimbra2.zimbra.com\%U<br />
logon script = logon.cmd<br />
add user script = /usr/sbin/adduser --quiet --disabled-password --gecos "" %u<br />
add machine script = /usr/sbin/adduser --shell /bin/false --disabled-password --quiet --gecos "machine account" --force-badname %u<br />
socket options = TCP_NODELAY<br />
domain master = yes<br />
local master = yes<br />
[homes]<br />
comment = Home Directories<br />
browseable = yes<br />
read only = No<br />
valid users = %S<br />
[netlogon]<br />
comment = Network Logon Service<br />
path = /var/lib/samba/netlogon<br />
guest ok = yes<br />
locking = no<br />
[profiles]<br />
comment = Users profiles<br />
path = /var/lib/samba/profiles<br />
read only = No<br />
[profdata]<br />
comment = Profile Data Share<br />
path = /var/lib/samba/profdata<br />
read only = No<br />
profile acls = Yes<br />
[printers]<br />
comment = All Printers<br />
browseable = no<br />
path = /tmp<br />
printable = yes<br />
public = no<br />
writable = no<br />
create mode = 0700<br />
[print$]<br />
comment = Printer Drivers<br />
path = /var/lib/samba/printers<br />
browseable = yes<br />
read only = yes<br />
guest ok = no<br />
<br />
I will not attempt to explain every line in this file, so if you are interested – read the official Samba HOWTO. The key elements that are important for this example are these lines:<br />
<br />
passdb backend = ldapsam:ldap://gregzimbra1.zimbra.com/<br />
ldap admin dn = "uid=zimbra,cn=admins,cn=zimbra"<br />
ldap suffix = dc=gregzimbra1,dc=zimbra,dc=com<br />
ldap group suffix = ou=groups<br />
ldap user suffix = ou=people<br />
ldap machine suffix = ou=machines<br />
<br />
<br />
* <span lang="en-US"><font face="Courier New, monospace">passdb backend = ldapsam:ldap://gregzimbra1.zimbra.com/</font> - tells Samba to use ldap as the password backend and to contact Zimbra LDAP server at [ldap://gregzimbra1.zimbra.com/].</span><br />
<br />
* <span lang="en-US"><font face="Courier New, monospace">ldap admin dn</font> - is the same value as the root LDAP account that you entered when you were installing pam_ldap.</span><br />
<br />
* <span lang="en-US"><font face="Courier New, monospace">ldap suffix</font> - is the name of your Zimbra domain, and it is the same value as the value of <font face="Courier New, monospace">ldapSuffix</font> property in config_template.xml files.</span><br />
<br />
* <span lang="en-US"><font face="Courier New, monospace">ldap group suffix</font> - is the same value as the value of <font face="Courier New, monospace">ldapGroupSuffix</font> in config_template.xml files.</span><br />
<br />
* <span lang="en-US"><font face="Courier New, monospace">ldap machine suffix</font> - is the same value as the value of <font face="Courier New, monospace">ldapMachineSuffix</font> in config_template.xml files. </span><br />
<br />
* the value of <font face="Courier New, monospace">ldap user suffix</font> must be <font face="Courier New, monospace">ou=people</font>, because this is where Zimbra account records are stored in LDAP.<br />
<br />
After you have edited the smb.conf file, you need to tell Samba the root password for LDAP. On your Samba server, restart the Samba services (/usr/sbin/smbd and /usr/sbin/nmbd) and run the following command (replace <font face="Courier New, monospace">test123</font> with your LDAP root password).<br />
<br />
smbpasswd -w test123<br />
<br />
====Creating Samba domain using Zimbra Admin UI====<br />
<br />
Restart Samba. Then log in to Zimbra Admin and click on Samba Domains. You should see a domain entry in the list. When Samba started up with the new smb.conf file it should have looked up the domain entry in LDAP and created it if it could not find the entry.<br />
<br />
==Part 4==<br />
<br />
====Configuring pam_ldap and nss_ldap====<br />
<br />
Open the file /etc/libnss-ldap.conf and make sure that <font size="2"><font face="Courier New, monospace">base</font></font> is set to the same value that you chose for <font size="2"><font face="Courier New, monospace">ldapSuffix</font></font>. It should look like this (type your root LDAP password instead of <font size="2"><font face="Courier New, monospace">test123</font></font>):<br />
<br />
base dc=gregzimbra1,dc=zimbra,dc=com<br />
host gregzimbra1.zimbra.com<br />
binddn uid=zimbra,cn=admins,cn=zimbra<br />
bindpw test123<br />
rootbinddn uid=zimbra,cn=admins,cn=zimbra<br />
<br />
Make sure that <font size="2"><font face="Courier New, monospace">host</font></font> points to your Zimbra LDAP server. Next, copy /etc/libnss-ldap.conf to /etc/pam_ldap.conf, both modules have compatible syntax, so the same configuration file will work for both pam_ldap and nss_ldap.<br />
<br />
Edit /etc/libnss-ldap.secret and make sure it contains your root LDAP password. Then copy /etc/libnss-ldap.secret to /etc/pam_ldap.secret.<br />
<br />
If you have added the 2 ACL entries in your /opt/zimbra/conf/slapd.conf.in file, you are not obliged to use binddn and bindpw in your /etc/pam_ldap.conf file.<br />
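As an added check (not part of the original guide), the following Python script cross-checks the ldapsam lines of smb.conf from Part 3 against the client's ldap.conf described here, in the way the bullets under the smb.conf listing require; both sample files are constructed, and the bindpw finding restates the caveat from the ACL section.<br />

```python
"""Cross-check that smb.conf (Part 3) and the pam_ldap/nss_ldap client
configuration (Part 4) agree with each other, as this guide requires.
Added example; the two configuration samples below are constructed."""
import re


def parse_smb_conf(text):
    """Minimal smb.conf reader: {section: {key: value}}, keys lowercased
    with whitespace collapsed, surrounding quotes stripped from values."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections[current] = {}
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][" ".join(key.split()).lower()] = value.strip().strip('"')
    return sections


def parse_ldap_conf(text):
    """ldap.conf / libnss-ldap.conf / pam_ldap.conf: one 'key value' per line."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            parts = line.split(None, 1)
            if len(parts) == 2:
                settings[parts[0].lower()] = parts[1].strip()
    return settings


def ldap_host(settings):
    """Host the client actually talks to: a uri line wins over host."""
    uri = settings.get("uri")
    if uri:
        return re.sub(r"^ldaps?://", "", uri).split("/")[0].split(":")[0].lower()
    return settings.get("host", "").lower()


def check_consistency(smb_text, ldap_text):
    """List of mismatches between the Samba ldapsam settings and the
    pam_ldap/nss_ldap settings; an empty list means the two agree."""
    g = parse_smb_conf(smb_text).get("global", {})
    client = parse_ldap_conf(ldap_text)
    problems = []
    m = re.match(r"ldapsam:ldaps?://([^/:]+)", g.get("passdb backend", ""))
    if not m:
        problems.append("passdb backend is not of the form ldapsam:ldap://host/")
    elif m.group(1).lower() != ldap_host(client):
        problems.append(f"Samba talks to {m.group(1)} but pam/nss talk to {ldap_host(client)}")
    if g.get("ldap suffix", "").lower() != client.get("base", "").lower():
        problems.append("ldap suffix (smb.conf) differs from base (ldap.conf)")
    bind_dn = client.get("rootbinddn", client.get("binddn", ""))
    if g.get("ldap admin dn", "").lower() != bind_dn.lower():
        problems.append("ldap admin dn differs from the DN pam_ldap binds as")
    if g.get("ldap user suffix", "").lower() != "ou=people":
        problems.append("ldap user suffix must be ou=people, where Zimbra keeps accounts")
    if "bindpw" in client:
        # the guide's own caveat: ldap.conf is world-readable, so a bindpw in
        # it is exposed; with the read ACLs in place it can be dropped (root
        # processes keep using rootbinddn with the 0600 ldap.secret file)
        problems.append("bindpw sits in clear text in a world-readable file")
    return problems


# Constructed excerpt of the smb.conf from Part 3.
SMB_CONF = """[global]
   workgroup = GREGZIMBRA1
   security = user
   passdb backend = ldapsam:ldap://gregzimbra1.zimbra.com/
   ldap admin dn = "uid=zimbra,cn=admins,cn=zimbra"
   ldap suffix = dc=gregzimbra1,dc=zimbra,dc=com
   ldap group suffix = ou=groups
   ldap user suffix = ou=people
   ldap machine suffix = ou=machines
[homes]
   comment = Home Directories
"""

# Constructed client file that matches it, without a clear-text bindpw.
LDAP_CONF_OK = """base dc=gregzimbra1,dc=zimbra,dc=com
uri ldap://gregzimbra1.zimbra.com
rootbinddn uid=zimbra,cn=admins,cn=zimbra
bind_policy soft
"""

# Constructed client file that was copied over from another server.
LDAP_CONF_BAD = """base dc=mycompany,dc=com
host ldap.mycompany.com
binddn uid=zimbra,cn=admins,cn=zimbra
bindpw test123
"""

if __name__ == "__main__":
    for name, conf in (("ok", LDAP_CONF_OK), ("bad", LDAP_CONF_BAD)):
        print(name, check_consistency(SMB_CONF, conf) or ["consistent"])
```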
<br />
Edit /etc/nsswitch.conf file. Replace these two lines:<br />
<br />
passwd: compat<br />
group: compat<br />
<br />
with these lines:<br />
<br />
passwd: files ldap<br />
group: files ldap<br />
<br />
This change tells nsswitch to use LDAP when it looks up UIDs and GIDs. It will look in /etc/passwd first and then in LDAP. You may want to set these lines up differently if you know what you are doing ;)<br />
<br />
Edit /etc/pam.d/common-account. It should look like the following:<br />
<br />
account sufficient pam_unix.so<br />
account sufficient pam_ldap.so<br />
<br />
Edit /etc/pam.d/common-auth. It should look like the following:<br />
<br />
auth sufficient pam_ldap.so<br />
auth sufficient pam_unix.so<br />
<br />
Edit /etc/pam.d/common-password. It should look like the following:<br />
<br />
password sufficient pam_unix.so<br />
password sufficient pam_ldap.so<br />
<br />
Edit /etc/pam.d/common-session. It should look like the following:<br />
<br />
session sufficient pam_unix.so<br />
session sufficient pam_ldap.so<br />
<br />
You may also want to add the following line at the top of the session section to automatically create a home directory when a user logs in for the first time:<br />
session required pam_mkhomedir.so skel=/etc/skel umask=0077<br />
<br />
Now you need to test whether pam_ldap and nsswitch are working correctly. Log in to the Zimbra Admin UI (<nowiki>https://yourserver.com:7071/zimbraAdmin</nowiki>) as Administrator and create a couple of new user accounts. In the New Account Wizard you should see two additional steps (after the “Advanced” step): Posix Account and Samba Account.<br />
<br />
<b>Configuring on RHEL5/CentOS5/Fedora7 using <font size="2"><font face="Courier New, monospace">authconfig</font></font></b><br />
<br />
As root run <font size="2"><font face="Courier New, monospace">authconfig --test</font></font>. It will display current settings for both <font size="2"><font face="Courier New, monospace">nss_ldap</font></font> and <font size="2"><font face="Courier New, monospace">pam_ldap</font></font>. In most cases the following command will do the job (although some manual editing will still be needed):<br />
<br />
authconfig --enableldap --enableldapauth --disablenis --enablecache \<br />
--ldapserver=gregzimbra1.zimbra.com --ldapbasedn=dc=gregzimbra1,dc=zimbra,dc=com \<br />
--updateall<br />
<br />
The last parameter will update <font size="2"><font face="Courier New, monospace">/etc/ldap.conf, /etc/nsswitch.conf</font></font> and <font size="2"><font face="Courier New, monospace">/etc/pam.d/system-auth</font></font> configuration files. The only file which requires manual editing is <font size="2"><font face="Courier New, monospace">/etc/ldap.conf</font></font>.<br />
<br />
The <font size="2"><font face="Courier New, monospace"><b>base</b></font></font> line should be already there. It is inserted by <font size="2"><font face="Courier New, monospace">authconfig</font></font>. You should also see a <font size="2"><font face="Courier New, monospace"><b>uri</b></font></font> line with the address of your ldap server. The <font size="2"><font face="Courier New, monospace"><b>host, binddn, bindpw, rootbinddn</b></font></font> lines should be added as explained above and <font size="2"><font face="Courier New, monospace">/etc/ldap.secret</font></font> file should exist and contain a password.<br />
<br />
The issue with a single <font size="2"><font face="Courier New, monospace">/etc/ldap.conf</font></font> configuration file for both <font size="2"><font face="Courier New, monospace">nss_ldap</font></font> and <font size="2"><font face="Courier New, monospace">pam_ldap</font></font> is that <font size="2"><font face="Courier New, monospace"><b>host</b></font></font> and <font size="2"><font face="Courier New, monospace"><b>uri</b></font></font> can work together in Zimbra-specific configuration only if we also add <font size="2"><font face="Courier New, monospace"><b>bind_policy soft</b></font></font> option. The modified <font size="2"><font face="Courier New, monospace">/etc/ldap.conf</font></font> should look like this:<br />
<br />
base dc=gregzimbra1,dc=zimbra,dc=com<br />
host gregzimbra1.zimbra.com<br />
binddn uid=zimbra,cn=admins,cn=zimbra<br />
bindpw test123<br />
rootbinddn uid=zimbra,cn=admins,cn=zimbra<br />
uri ldap://gregzimbra1.zimbra.com<br />
bind_policy soft<br />
<br />
nss_base_passwd ou=people,dc=gregzimbra1,dc=zimbra,dc=com?one<br />
nss_base_shadow ou=people,dc=gregzimbra1,dc=zimbra,dc=com?one<br />
nss_base_group ou=groups,dc=gregzimbra1,dc=zimbra,dc=com?one<br />
nss_base_hosts ou=machines,dc=gregzimbra1,dc=zimbra,dc=com?one<br />
<br />
<br />
The last four lines are optional and are added to make the Zimbra <font size="2"><font face="Courier New, monospace">nss_ldap</font></font> setup compatible with Webmin’s <font size="2"><font face="Courier New, monospace"><i>LDAP Client</i></font></font> and <font size="2"><font face="Courier New, monospace"><i>LDAP Users and Groups</i></font></font> modules. (The latter module would allow you to add secondary groups to your Zimbra/Samba accounts etc.)<br />
<br />
Any additional lines added by authconfig will not hurt. However, you will have to re-check <font size="2"><font face="Courier New, monospace">/etc/ldap.conf</font></font> every time you run <font size="2"><font face="Courier New, monospace">authconfig</font></font> with the <font size="2"><font face="Courier New, monospace">--update</font></font> or <font size="2"><font face="Courier New, monospace">--updateall</font></font> switch. If it sees the <b>host</b> line, the command disables it and moves the host address value to the <b>uri</b> line. This breaks <font size="2"><font face="Courier New, monospace">pam_ldap</font></font>, and Zimbra might even fail to start.<br />
<br />
====Creating Linux and Samba groups using Zimbra Admin UI====<br />
<br />
Log in to Zimbra Admin UI. You should not have logged out of it anyway, because we are not done yet. Go to Posix Groups and click “New”. If you do not know what to type in <font size="2"><font face="Courier New, monospace">group type</font></font> field – type <font size="2"><font face="Courier New, monospace">2</font></font>, this is the default value.<br />
<br />
To test if PAM on your Samba server is reading the group information correctly from Zimbra LDAP, go back to your Samba server shell and run this command as root:<br />
<br />
<font face="Courier New, monospace"><font size="2">>getent group</font></font><br />
<br />
You should see the group(s) that you just created in the list that is produced.<br />
<br />
====Creating Linux and Samba users using Zimbra Admin UI====<br />
<br />
Back to the Zimbra Admin UI :). Go to Accounts and hit New, fill in the information on the first screen and follow the wizard to the Posix Account screen. Fill in all the required fields on the Posix Account screen and click Next to go to Samba Account screen. Fill in the required fields and click Finish. To test if PAM on your Samba server is reading the user password information correctly from Zimbra LDAP, go back to your Samba server shell and run this command as root:<br />
<br />
getent passwd<br />
<br />
you should see the Zimbra accounts that you just created in the list. Create a home folder for the new Zimbra user and try to change the current user to the newly created one. In this example, I create a user ubuntu2 with the home folder /home/ubuntu2.<br />
<br />
root@gregzimbra2:/home/ubuntu# su - ubuntu2<br />
ubuntu2@gregzimbra2:~$ <br />
<br />
Now test if Samba authenticates your new user correctly. In this example I went to the shell on my Zimbra server box and ran this command (as root):<br />
<br />
smbclient -U ubuntu2 //gregzimbra2.zimbra.com/ubuntu2<br />
<br />
It should prompt you for the password and then log in to ubuntu2's home folder on gregzimbra2 Samba server.<br />
<br />
Next, log in to Zimbra Admin UI, click on Aliases and remove root@.gregzimbra1.zimbra.com alias. Then run<br />
<br />
smbpasswd -a root<br />
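The getent and su tests above only show that the LDAP entries are visible. Because nsswitch is set to consult files before ldap, an LDAP account whose login name or uidNumber collides with a local account is either silently shadowed by the local entry or shares its uid with it, and a uidNumber of 0 typed into the Posix Account wizard would be a second root. The following check is an added example, not part of this wiki page: a POSIX shell function that compares a local /etc/passwd with the LDAP-sourced passwd entries (on a real server, the lines that getent passwd shows but /etc/passwd does not) and reports uid 0 entries, name and uid collisions with local accounts, duplicate uids among the LDAP entries, and uids at or below uidBase (the page's advice is to set uidBase above every local uid). The sample files and the uidBase value of 10000 are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the wiki page: cross-check the LDAP-sourced passwd
# entries against the local /etc/passwd before relying on "passwd: files ldap".

# passwd_collisions LOCAL LDAP UIDBASE
# Both files use passwd(5) format (name:x:uid:gid:gecos:home:shell); LOCAL is
# /etc/passwd, LDAP holds only the entries served by nss_ldap. Prints one
# "CODE: detail" line per problem found in the LDAP entries; empty output
# means clean. Always exits 0 so it can be used in pipelines under set -e.
passwd_collisions() {
    local_file=$1; ldap_file=$2; uidbase=$3
    awk -F: -v base="$uidbase" '
        # First file: remember local names and uids.
        FILENAME == ARGV[1] { lname[$1] = $3; luid[$3] = $1; next }
        # Second file: the LDAP entries (skip comments and malformed lines).
        /^#/ || NF < 7 { next }
        $3 == 0 { printf "UID_ZERO: %s is a second root account\n", $1 }
        $1 in lname { printf "NAME_SHADOWED: %s exists locally (uid %s); the local entry wins\n", $1, lname[$1] }
        ($3 in luid) && luid[$3] != $1 { printf "UID_SHARED: %s shares uid %s with local %s\n", $1, $3, luid[$3] }
        $3 != 0 && $3 <= base { printf "UID_BELOW_BASE: %s has uid %s <= uidBase %s\n", $1, $3, base }
        $3 in seen { printf "UID_DUPLICATE: %s shares uid %s with %s\n", $1, $3, seen[$3] }
        { seen[$3] = $1 }
    ' "$local_file" "$ldap_file"
    return 0
}

# Constructed samples: a small local /etc/passwd and an LDAP listing that
# contains one clean account and several deliberately bad ones.
PW_DIR=$(mktemp -d)
cat > "$PW_DIR/passwd.local" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
ubuntu:x:1000:1000:Ubuntu,,,:/home/ubuntu:/bin/bash
EOF
cat > "$PW_DIR/passwd.ldap" <<'EOF'
ubuntu2:x:10001:10001:Ubuntu Two:/home/ubuntu2:/bin/bash
ubuntu:x:10002:10001:Same name as a local user:/home/ubuntu:/bin/bash
backup2:x:1000:10001:Same uid as local ubuntu:/home/backup2:/bin/bash
toor:x:0:0:uidNumber 0 typed into the wizard:/root:/bin/bash
low:x:500:10001:Below uidBase:/home/low:/bin/bash
twin:x:10001:10001:Same uid as ubuntu2:/home/twin:/bin/bash
EOF
# Clean listing: only the first, well-formed account.
head -n 1 "$PW_DIR/passwd.ldap" > "$PW_DIR/passwd.ldap.clean"

# Stand-alone run; uidBase 10000 is an assumed value for the example.
passwd_collisions "$PW_DIR/passwd.local" "$PW_DIR/passwd.ldap" 10000
```

Run it against the real files with the LDAP uid range you chose for uidBase; a non-empty report means an account created through the Admin UI will behave differently on the Samba server than the directory suggests, and the UID_ZERO and UID_SHARED cases should be fixed before that server trusts LDAP for logins.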
<br />
====Creating Windows NT Domain groups====<br />
<br />
Next, create the “Domain Admins” group using Zimbra Admin UI; on the Samba tab select the Special Windows group type “Domain Admins”. Then you need to grant privileges to this group. Run the following command as root on your Samba server, putting your domain name instead of GREGZIMBRA1. More information on this topic is available in the Official Samba HOWTO Reference Guide ([http://us3.samba.org/samba/docs/man/Samba-HOWTO-Collection/ http://us3.samba.org/samba/docs/man/Samba-HOWTO-Collection/]).<br />
<br />
net rpc rights grant "GREGZIMBRA1\Domain Admins" SeAddUsersPrivilege SeMachineAccountPrivilege SePrintOperatorPrivilege<br />
<br />
====Adding Windows NT/2000/XP machines to Samba domain====<br />
<br />
Log in to a Windows desktop as a local administrator and join the Samba domain the same way you would join a Windows domain. You might need to point your Windows box at your Samba WINS server, depending on how your DHCP and DNS servers are configured. Use a member of the “Domain Admins” group to join the domain. After you have joined the domain, verify that the machine account was added to the LDAP directory by running the <font size="2"><font face="Courier New, monospace">ldapsearch </font></font>command. E.g., if your Windows desktop's machine name is gregvmxp2:<br />
<br />
root@gregzimbra1:/home/ubuntu# /opt/zimbra/openldap/bin/ldapsearch -h gregzimbra1 | grep gregvmxp<br />
<nowiki># gregvmxp2$, machines, gregzimbra1.zimbra.com</nowiki><br />
dn: uid=gregvmxp2$,ou=machines,dc=gregzimbra1,dc=zimbra,dc=com<br />
uid: gregvmxp2$</div>
Jarl
https://wiki.zimbra.com/index.php?title=UNIX_and_Windows_Accounts_in_Zimbra_LDAP_and_Zimbra_Admin_UI&diff=7565
UNIX and Windows Accounts in Zimbra LDAP and Zimbra Admin UI
2008-01-14T14:24:21Z
<p>Jarl: /* Installing pam_ldap and nss_ldap */</p>
<hr />
<div>==Introduction==<br />
<br />
This document describes how you can configure Zimbra Collaboration Server (ZCS) and Samba to act as a primary domain controller (PDC) that uses LDAP (Lightweight Directory Access Protocol) as a central password database for authenticating users on Linux and Windows desktops. The motivation behind this document is the need to seamlessly integrate ZCS into a corporate network environment based entirely on Open Source server software. This functionality is achieved by configuring Zimbra LDAP to act as a central user database for PAM (Pluggable Authentication Modules), NSS (Name Service Switch), and for Samba's ldapsam password backend. The document also describes Zimbra Admin Extensions that allow managing OS and Samba accounts, groups and domains through Zimbra Admin UI.<br />
<br />
The setup described in this document is not the only possible way to make Samba and Zimbra use the same user database for authentication. There are multiple other ways to achieve similar functionality, and it is recommended that you explore the Zimbra WIKI at [http://wiki.zimbra.com/ http://wiki.zimbra.com] to see if another solution is a better fit for your needs. However, this is the only solution that allows network administrators to manage Windows user accounts and groups using Zimbra Admin UI. It is also highly recommended to get familiar with Zimbra, Samba, LDAP and PAM before you start the installation. Particularly helpful are the following sources of information:<br />
<br />
* LDAP Authentication HOWTO http://ldots.org/ldap/<br />
* Authenticating with LDAP http://imaginator.com/~simon/ldap/<br />
* pam.d(5) man page (explains syntax of pam.d configuration files which you will have to edit during the installation) http://www.die.net/doc/linux/man/man5/pam.d.5.html<br />
* PAM FAQ http://www.kernel.org/pub/linux/libs/pam/FAQ<br />
* The Official Samba-3 HOWTO and Reference Guide http://us3.samba.org/samba/docs/man/Samba-HOWTO-Collection/<br />
* Zimbra Documentation http://www.zimbra.com/products/documentation.html<br />
<br />
==Intended audience==<br />
<br />
This document is intended mainly for network administrators who are faced with the task of integrating multiple OpenSource software packages to support a corporate network. The author assumes that the reader has basic knowledge of Linux/Unix OS, is capable of using a text editor and is at least vaguely familiar with Zimbra, Samba, LDAP and PAM. If these four words sound foreign to you, please take some time to look at the aforementioned sources of helpful information, or even better – have them open in separate tabs in Firefox on your second monitor while you are following the directions in this document ;)<br />
<br />
==ToDo==<br />
* Write AJAX SMB client Zimlet to mail UI, http://freshmeat.net/projects/davenport/ sounds like a good option.<br />
* Add hooks to Zimbra Server to allow calling extensions when an account's password is changed and write an extension that will change Samba password hashes in LDAP<br />
* Make zimbra's password change update the NT password.<br />
* Fix creation of resources from the admin UI to work with the uidNumber attribute.<br />
* During new account creation, don't allow clicking of the finish button until user has filled out all required fields, including the posix and samba ones. Or maybe put in some reasonable default values so the finish button does not raise an error.<br />
<br />
==How this guide is organized:==<br />
<br />
'''Part 1 '''describes what software you need to download and install<br />
<br />
'''Part 2 '''describes how to configure Zimbra LDAP and Zimbra Admin to store information required by Linux password backend and allow managing Samba and Posix accounts via Zimbra Admin. <br />
<br />
'''Part 3 '''describes how to configure Samba server to use Zimbra LDAP as a source of user information and as a Primary Domain Controller<br />
<br />
'''Part 4 '''describes how to configure a Linux server to use Zimbra LDAP as a central source of user information.<br />
<br />
==Part 1==<br />
<br />
====Installing Zimbra====<br />
<br />
# First, install Zimbra Collaboration Suite (it can be the Open Source or the Network Edition) following the Zimbra Installation guides, which you can download from the Zimbra website (http://www.zimbra.com/products/documentation.html). Make a note of the root LDAP password that is selected during the installation; you will need it to configure ldapsam, pam_ldap and nss_ldap.<br />
# If you have an existing functioning ZCS server, you can use it instead of a new one, but make sure to back up all your data and that you know your LDAP root password (this password was created during ZCS installation). This setup works with single- as well as with multi-server Zimbra setups.<br />
# Download ZimbraPosixAccount, ZimbraSamba and ZimbraLDAPUtils extensions for your version of ZCS from the Zimbra Gallery ([http://gallery.zimbra.com/ http://gallery.zimbra.com]). Note that these extensions are different for ZCS 4.5.x and ZCS 5.x.<br />
<br />
====Installing Zimbra LDAP Utils extension====<br />
Note: if you are running ZCS 5.0 or higher, this extension is already installed in /opt/zimbra/lib/ext/ldaputils and you do not need to download it.<br />
<br />
# Download Zimbra LDAP utils server extension from Zimbra Gallery [http://gallery.zimbra.com/gallery.php?act=viewProd&productId=54]<br />
# Log in to your Zimbra mail server and make sure you are root. If you have a multi-server setup, this is the server that runs the mailbox service. Create the folder /opt/zimbra/lib/ext/zimbraldaputils. Make sure that the folder's owner is root:root and the access mode is 0755.<br />
# Extract zimbraldaputils.jar file from ZimbraLDAPUtils.zip and put it into /opt/zimbra/lib/ext/zimbraldaputils/<br />
# Restart mailbox server on the Zimbra mail server (this can be done by running zmmailboxctl restart as zimbra user).<br />
<br />
====Installing ZimbraPosixAccount and ZimbraSamba extensions for Zimbra Admin====<br />
Note: if you are running ZCS 5.0 or later, zimbra_posixaccount.zip and zimbra_samba.zip are already included in the installation, and you do not need to download them from the Gallery. You can find both extensions in /opt/zimbra/zimlets-admin-extra/<br />
<br />
# Download zimbra_posixaccount [http://gallery.zimbra.com/gallery.php?act=viewProd&productId=52] Admin extension from Zimbra Gallery [http://gallery.zimbra.com] <br />
# Download zimbra_samba [http://gallery.zimbra.com/gallery.php?act=viewProd&productId=53] Admin extension from Zimbra Gallery [http://gallery.zimbra.com] <br />
# Extract files from ZimbraPosixAccount.zip to a folder on your desktop computer, open zimbra_posixaccount folder and edit config_template.xml.<br />
# Edit the <font size="2"><font face="Courier New, monospace">ldapSuffix</font></font> property in config_template.xml. This property is the path in your LDAP tree where all Linux and Samba user information will be stored. This can be the name of your primary email domain written in LDAP syntax. E.g. if your domain is mycompany.com, then <font size="2"><font face="Courier New, monospace">ldapSuffix</font></font> will be<br />
<br />
<font size="2"><font face="Courier New, monospace">dc=mycompany,dc=com</font></font><br />
<br />
in this example I will use the domain gregzimbra1.zimbra.com, which is the name of my Ubuntu Linux machine running inside a VMWare instance, hence my <font size="2"><font face="Courier New, monospace">ldapSuffix</font></font> is<br />
<br />
<font size="2"><font face="Courier New, monospace">dc=gregzimbra1,dc=zimbra,dc=com</font></font><br />
<br />
# Edit the <font size="2"><font face="Courier New, monospace">uidBase</font></font> property in config_template.xml. <font size="2"><font face="Courier New, monospace">uidBase</font></font> is the base for creating Linux user IDs for user accounts that will be stored in LDAP. The first account that you create through Zimbra Admin UI will have user ID = <font size="2"><font face="Courier New, monospace">uidBase</font></font>+1. If you already have user accounts in your current password database (most likely /etc/passwd), it is recommended that you set this value higher than the highest existing user ID.<br />
# Edit <font size="2"><font face="Courier New, monospace">gidBase</font></font> property in config_template.xml. <font size="2"><font face="Courier New, monospace">gidBase</font></font> is the base for creating Linux group IDs for groups that will be stored in LDAP. The first group that you will create through Zimbra Admin UI will have group ID = <font size="2"><font face="Courier New, monospace">gidBase</font></font>+1.<br />
# Zip all the files that are in zimbra_posixaccount folder into zimbra_posixaccount.zip together with modified config_template.xml<br />
# Log in to Zimbra Admin (<nowiki>https://yourserver.com:7071/zimbraAdmin</nowiki>) as administrator, navigate to Admin Extensions and deploy the zimbra_posixaccount extension using the zimbra_posixaccount.zip file (refer to the ZCS Admin Guide for more information about installing Admin Extensions)<br />
# Extract files from ZimbraSamba.zip to a folder on your desktop computer and open config_template.xml (this file is in zimbra_samba folder along with other extension files).<br />
# Edit the <font size="2"><font face="Courier New, monospace">ldapSuffix</font></font>, <font size="2"><font face="Courier New, monospace">uidBase</font></font> and <font size="2"><font face="Courier New, monospace">gidBase</font></font> properties using the same values that you used for zimbra_posixaccount.zip<br />
# Zip all the files in the zimbra_samba folder into zimbra_samba.zip together with the modified config_template.xml and deploy the zimbra_samba Admin Extension.<br />
# Reload your Zimbra Admin to initialize the extensions. When the extensions are loaded for the first time, they will check whether the OUs defined by the <font size="2"><font face="Courier New, monospace">ldapMachineSuffix</font></font> and <font size="2"><font face="Courier New, monospace">ldapGroupSuffix</font></font> properties in the config_template.xml files exist, and create these OUs if they do not.<br />
<br />
====Installing Samba====<br />
<br />
Install Samba 3 on a Linux/Unix box. I used Samba-3.0.24 which I installed through Synaptic Package Manager on my Ubuntu 6.10 machine running inside a VMWare. If you are building Samba from sources, make sure to enable ldap support. I do not recommend installing Samba on the same machine where you installed Zimbra – better to use a separate machine.<br />
<br />
====Installing pam_ldap and nss_ldap====<br />
<br />
You need to install and configure PAM and NSS on the machine where you installed Samba. You can also install them on any Linux desktop that should use Zimbra LDAP as a user database, e.g. Linux desktops where you want to be able to log in using the same username/password that is used for Zimbra Mail.<br />
<br />
You need to download and install pam_ldap and nss_ldap modules for your OS. I used Ubuntu Linux which has these modules available as Debian packages through Synaptic Package Manager. If you are using Synaptic Package Manager, make sure to enable community maintained repositories (see Settings->Repositories) and search for libpam-ldap and libnss-ldap packages. If you are using a different Linux, you might need to build these modules from the sources. You can find the Sources for pam_ldap and nss_ldap on [http://www.padl.com/ http://www.padl.com].<br />
<br />
If you are using Synaptic Package Manager to install libnss_ldap, you will be prompted for the following information:<br />
<br />
* LDAP server Uniform Resource Identifier – enter the LDAP URL of your Zimbra LDAP server, e.g. [ldap://zimbra.mydomain.com ldap://zimbra.mydomain.com/] (in my case<font size="2"><font face="Courier New, monospace"> ldap://gregzimbra1.zimbra.com/</font></font>)<br />
* LDAP search base – enter the same value that you used for the <font size="2"><font face="Courier New, monospace">ldapSuffix</font></font> property in the zimbra_posixaccount and zimbra_samba extensions, e.g. dc=yourdomain,dc=com (in my case <font size="2"><font face="Courier New, monospace">dc=gregzimbra1,dc=zimbra,dc=com</font></font>)<br />
* LDAP account for root – enter<font size="2"><font face="Courier New, monospace"> uid=zimbra,cn=admins,cn=zimbra</font></font>, note that this might have changed in version 5.0 to: uid=admin,ou=people,dc=yourdomain,dc=com<br />
* LDAP root account password – enter the LDAP root password that you selected during Zimbra installation (told you to make a note of it ;) )<br />
<br />
If you don't know the LDAP root account password, you can change it to a known value like this (as the zimbra user):<br />
zimbra@localhost:~$ zmldappasswd -r newpasswd<br />
<br />
If you are using Synaptic Package Manager to install libpam_ldap, you will be prompted for the following information:<br />
<br />
* LDAP Server – enter the hostname or IP address of your Zimbra LDAP server<br />
* root login account – enter <font size="2"><font face="Courier New, monospace">uid=zimbra,cn=admins,cn=zimbra</font></font><br />
* root login password - enter the LDAP root password that you selected during Zimbra installation<br />
<br />
<br />
In RHEL5/CentOS5 both <font face="Courier New, monospace">nss_ldap</font> and <font face="Courier New, monospace">pam_ldap</font> modules are included in a single <font face="Courier New, monospace">nss_ldap</font> rpm package which is a part of base install. They can be configured using <font face="Courier New, monospace">authconfig</font> command line utility. (See <b>Configuring pam_ldap and nss_ldap.</b>)<br />
<br />
==Part 2==<br />
<br />
====Configuring Zimbra LDAP====<br />
<br />
Please note: upgrading Zimbra overwrites /opt/zimbra/conf/slapd.conf.in, which discards any changes made to it, including the read-permission (ACL) changes described below.<br />
Back up slapd.conf.in before upgrading and restore it immediately afterwards.<br />
<br />
Before you can configure Zimbra LDAP you need to download nis.schema and samba.schema files.<br />
<br />
* If nis.schema file already exists in /opt/zimbra/openldap/etc/openldap/schema/ - skip to the next bullet, otherwise you need to download it. nis.schema file depends on your version of OpenLDAP. Therefore, the best way to get the correct nis.schema file is to download OpenLDAP source code from http://www.openldap.org/software/download/ for your version of OpenLDAP and take the nis.schema file from servers/slapd/schema folder in the source package. In this document I am using OpenLDAP 2.3.34 which is distributed with ZCS 4.5.4 for Ubuntu Linux.<br />
* samba.schema file depends on the version of Samba that you will be installing. Therefore, I recommend downloading Samba source package for the latest stable version of Samba available for your server's OS and taking samba.schema from examples/LDAP folder in the source package. In this document I am using Samba 3.0.24. In CentOS 5 it is here: /usr/share/doc/samba-3.0.23c/LDAP/samba.schema. <br />
<br />
Log in to the shell on your Zimbra LDAP server. If you have a multi-server setup, this is the machine where the ldap service is running. Copy the samba.schema and nis.schema files to /opt/zimbra/openldap/etc/openldap/schema/ (or wherever your OpenLDAP schema files are if you are using a different LDAP server). They should be chowned to the zimbra account.<br />
<br />
Next, edit the /opt/zimbra/conf/slapd.conf.in file. Mind the .in suffix: the non-.in file is regenerated during restart. You need to add the following two lines after the last “include” statement at the top of the file:<br />
<br />
<font face="Courier New, monospace"><font size="2">include "/opt/zimbra/openldap/etc/openldap/schema/nis.schema"</font></font><br />
<br />
<font face="Courier New, monospace"><font size="2">include "/opt/zimbra/openldap/etc/openldap/schema/samba.schema"</font></font><br />
<br />
You may also want to add these ldap indexes at the end of the file:<br />
<br />
<nowiki>#indexes for PAM</nowiki><br />
<br />
index uidNumber eq<br />
index gidNumber eq<br />
index memberUID eq<br />
<br />
<br />
<nowiki>#indexes for Samba</nowiki><br />
<br />
index sambaSID eq<br />
index sambaPrimaryGroupSID eq<br />
index sambaDomainName eq<br />
<br />
You may also want to add the following two ACLs so that pam_ldap and nss_ldap can read the user and group entries without having to bind with the binddn and its password. That password sits in cleartext in the ldap.conf file on the client machine, a file that must be readable by everyone, which creates a security issue (on Zimbra the binddn password and the rootdn password seem to be the same).<br />
<br />
<nowiki># only allow access to these attrs basically GAL/Postfix related attrs</nowiki><br />
<pre><br />
access to dn.subtree="ou=people,dc=gregzimbra1,dc=zimbra,dc=com"<br />
by * read<br />
<br />
access to dn.subtree="ou=groups,dc=gregzimbra1,dc=zimbra,dc=com"<br />
by * read<br />
</pre><br />
<br />
Note: the above lines may be too permissive and could be made more restrictive using attributes, but for now they will do.<br />
<br />
An example slapd.conf.in file is in ZimbraSamba.zip in the examples/conf folder.<br />
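The note above says the two ACLs could be tightened using attributes. What follows is an added example, not part of this wiki page and not the slapd.conf.in shipped in ZimbraSamba.zip: a shell function that prints a stricter set of ACLs for the same two subtrees (the password-hash attributes userPassword, sambaLMPassword and sambaNTPassword are writable by the entry itself, usable for binding, and readable by nobody; everything else exposed to anonymous readers is limited to the attributes nss_ldap needs for passwd and group lookups), plus a small filter that reads ldapsearch LDIF output and names any hash attributes it finds, so an anonymous search can confirm the hashes are no longer visible. It assumes OpenLDAP 2.3 slapd.conf syntax as on this page, that the new rules are placed before any broader "by * read" rule (slapd applies the first "access to" clause that matches), and that the DN Samba binds with (the page's ldap admin dn) is the directory rootdn, which bypasses ACLs, so Samba keeps its write access. The two LDIF samples are constructed and carry placeholder hash values.

```shell
#!/bin/sh
# Added example: tightened slapd ACLs plus an LDIF check for leaked hashes.
# Not from the wiki page; assumes OpenLDAP 2.3 slapd.conf syntax and a
# Zimbra-style tree (ou=people and ou=groups under the suffix).

# Print ACLs for slapd.conf.in that replace the blanket "by * read" rules.
# $1 is the LDAP suffix, e.g. dc=gregzimbra1,dc=zimbra,dc=com.
# Rule order matters: slapd uses the first "access to" clause that matches,
# so the hash rule must precede the read rule for the same subtree.
hardened_acl() {
    suffix=$1
    cat <<EOF
# Password hashes: the owner may change them, anyone may bind with them,
# nobody (other than the rootdn, which bypasses ACLs) may read them.
access to dn.subtree="ou=people,$suffix"
        attrs=userPassword,sambaLMPassword,sambaNTPassword
        by self write
        by anonymous auth
        by * none

# Only what nss_ldap needs for passwd lookups is readable by everyone.
access to dn.subtree="ou=people,$suffix"
        attrs=entry,objectClass,uid,cn,uidNumber,gidNumber,homeDirectory,loginShell,gecos
        by * read

# Only what nss_ldap needs for group lookups.
access to dn.subtree="ou=groups,$suffix"
        attrs=entry,objectClass,cn,gidNumber,memberUid
        by * read
EOF
}

# Read LDIF on stdin and print the names of password-hash attributes found,
# one per line; nothing printed means none leaked. Feed it an anonymous
# search, e.g.:  ldapsearch -x -h <server> -b <suffix> | ldif_secret_attrs
ldif_secret_attrs() {
    awk -F: 'tolower($1) ~ /^(userpassword|sambalmpassword|sambantpassword)$/ { print $1 }' | sort -u
}

# Constructed sample of what an anonymous search returns under the page's
# "by * read" rule; the hash values are placeholders, not real hashes.
LDIF_BEFORE='dn: uid=ubuntu2,ou=people,dc=gregzimbra1,dc=zimbra,dc=com
uid: ubuntu2
uidNumber: 10001
userPassword:: e1NTSEF9UExBQ0VIT0xERVI=
sambaNTPassword: PLACEHOLDERNTHASH00000000000000
sambaLMPassword: PLACEHOLDERLMHASH00000000000000'

# Constructed sample of the same entry as seen once the hardened ACL applies.
LDIF_AFTER='dn: uid=ubuntu2,ou=people,dc=gregzimbra1,dc=zimbra,dc=com
uid: ubuntu2
uidNumber: 10001
homeDirectory: /home/ubuntu2'

# Stand-alone run: show the ACL text and the two scan results.
hardened_acl "dc=gregzimbra1,dc=zimbra,dc=com"
echo "before: $(printf '%s\n' "$LDIF_BEFORE" | ldif_secret_attrs | tr '\n' ' ')"
echo "after:  $(printf '%s\n' "$LDIF_AFTER" | ldif_secret_attrs | tr '\n' ' ')"
```

Paste the printed rules into slapd.conf.in in place of the two "by * read" rules, restart Zimbra, and then run an anonymous ldapsearch through ldif_secret_attrs from the Samba server; the filter should print nothing, while root's lookups through rootbinddn and Samba's through ldap admin dn are unaffected.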
<br />
After you edited slapd.conf.in file and copied *.schema files to /opt/zimbra/openldap/etc/openldap/schema/, restart Zimbra services and make sure that they started successfully.<br />
<br />
Now run the following zmprov commands as user zimbra:<br />
<br />
>zmprov mcf +zimbraAccountExtraObjectClass posixAccount<br />
>zmprov mcf +zimbraAccountExtraObjectClass sambaSamAccount<br />
<br />
==Part 3==<br />
<br />
====Configuring Samba====<br />
<br />
There are many ways to configure Samba depending on what your needs are. In this example I will configure Samba to use Zimbra LDAP as the password backend and to act as a primary domain controller for the domain GREGZIMBRA1 and as a WINS server for my network. This configuration will allow Windows NT/XP/2000 workstations to join the GREGZIMBRA1 domain as if it were an NT domain. Below is the /etc/samba/smb.conf file used in this example.<br />
<br />
[global]<br />
workgroup = GREGZIMBRA1<br />
netbios name = gregzimbra2<br />
os level = 33<br />
preferred master = yes<br />
enable privileges = yes<br />
server string = %h server (Samba, Ubuntu)<br />
wins support =yes <br />
dns proxy = no<br />
name resolve order = wins bcast hosts<br />
log file = /var/log/samba/log.%m<br />
log level = 3<br />
max log size = 1000<br />
syslog only = no<br />
syslog = 0<br />
panic action = /usr/share/samba/panic-action %d<br />
security = user<br />
encrypt passwords = true<br />
ldap passwd sync = yes<br />
passdb backend = ldapsam:ldap://gregzimbra1.zimbra.com/<br />
ldap admin dn = "uid=zimbra,cn=admins,cn=zimbra"<br />
ldap suffix = dc=gregzimbra1,dc=zimbra,dc=com<br />
ldap group suffix = ou=groups<br />
ldap user suffix = ou=people<br />
ldap machine suffix = ou=machines<br />
obey pam restrictions = no<br />
passwd program = /usr/bin/passwd %u<br />
passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n *password\supdated\ssuccessfully* .<br />
domain logons = yes<br />
logon path = \\gregzimbra2.zimbra.com\%U\profile<br />
logon home = \\gregzimbra2.zimbra.com\%U<br />
logon script = logon.cmd<br />
add user script = /usr/sbin/adduser --quiet --disabled-password --gecos "" %u<br />
add machine script = /usr/sbin/adduser --shell /bin/false --disabled-password --quiet --gecos "machine account" --force-badname %u<br />
socket options = TCP_NODELAY<br />
domain master = yes<br />
local master = yes<br />
[homes]<br />
comment = Home Directories<br />
browseable =yes <br />
read only = No<br />
valid users = %S<br />
[netlogon]<br />
comment = Network Logon Service<br />
path = /var/lib/samba/netlogon<br />
guest ok = yes<br />
locking = no<br />
[profiles]<br />
comment = Users profiles<br />
path = /var/lib/samba/profiles<br />
read only = No<br />
[profdata]<br />
comment = Profile Data Share<br />
path = /var/lib/samba/profdata<br />
read only = No<br />
profile acls = Yes<br />
[printers]<br />
comment = All Printers<br />
browseable = no<br />
path = /tmp<br />
printable = yes<br />
public = no<br />
writable = no<br />
create mode = 0700<br />
[print$]<br />
comment = Printer Drivers<br />
path = /var/lib/samba/printers<br />
browseable = yes<br />
read only = yes<br />
guest ok = no<br />
<br />
I will not attempt to explain every line in this file, so if you are interested – read the official Samba HOWTO. The key elements that are important for this example are these lines:<br />
<br />
passdb backend = ldapsam:ldap://gregzimbra1.zimbra.com/<br />
ldap admin dn = "uid=zimbra,cn=admins,cn=zimbra"<br />
ldap suffix = dc=gregzimbra1,dc=zimbra,dc=com<br />
ldap group suffix = ou=groups<br />
ldap user suffix = ou=people<br />
ldap machine suffix = ou=machines<br />
<br />
<br />
* <span lang="en-US"><font face="Courier New, monospace">passdb backend = ldapsam:ldap://gregzimbra1.zimbra.com/</font> - tells Samba to use ldap as the password backend and to contact Zimbra LDAP server at [ldap://gregzimbra1.zimbra.com/].</span><br />
<br />
* <span lang="en-US"><font face="Courier New, monospace">ldap admin dn</font> - is the same value as the root LDAP account that you entered when you were installing pam_ldap.</span><br />
<br />
* <span lang="en-US"><font face="Courier New, monospace">ldap suffix</font> - is the name of your Zimbra domain, and it is the same value as the value of <font face="Courier New, monospace">ldapSuffix</font> property in config_template.xml files.</span><br />
<br />
* <span lang="en-US"><font face="Courier New, monospace">ldap group suffix</font> - is the same value as the value of <font face="Courier New, monospace">ldapGroupSuffix</font> in config_template.xml files.</span><br />
<br />
* <span lang="en-US"><font face="Courier New, monospace">ldap machine suffix</font> - is the same value as the value of <font face="Courier New, monospace">ldapMachineSuffix</font> in config_template.xml files. </span><br />
<br />
* the value of <font face="Courier New, monospace">ldap user suffix</font> must be <font face="Courier New, monospace">ou=people</font>, because this is where Zimbra account records are stored in LDAP.<br />
<br />
After you have edited smb.conf, you need to tell Samba the LDAP root password. On your Samba server, restart the Samba services (/usr/sbin/smbd and /usr/sbin/nmbd) and run the following command (replace <font face="Courier New, monospace">test123</font> with your LDAP root password).<br />
<br />
smbpasswd -w test123<br />
<br />
====Creating Samba domain using Zimbra Admin UI====<br />
<br />
Restart Samba. Then, log in to Zimbra Admin and click on Samba Domains. You should see a domain entry in the list. When Samba started up with the new smb.conf file, it should have looked up the domain entry in LDAP and created it if it could not find one.<br />
<br />
==Part 4==<br />
<br />
====Configuring pam_ldap and nss_ldap====<br />
<br />
Open the file /etc/libnss-ldap.conf and make sure that <font size="2"><font face="Courier New, monospace">base</font></font> is set to the same value that you chose for <code><font size="2">ldapSuffix</font></code>. It should look like this (type your root LDAP password instead of <font size="2"><font face="Courier New, monospace">test123</font></font>):<br />
<br />
base dc=gregzimbra1,dc=zimbra,dc=com<br />
host gregzimbra1.zimbra.com<br />
binddn uid=zimbra,cn=admins,cn=zimbra<br />
bindpw test123<br />
rootbinddn uid=zimbra,cn=admins,cn=zimbra<br />
<br />
Make sure that <font size="2"><font face="Courier New, monospace">host</font></font> points to your Zimbra LDAP server. Next, copy /etc/libnss-ldap.conf to /etc/pam_ldap.conf, both modules have compatible syntax, so the same configuration file will work for both pam_ldap and nss_ldap.<br />
<br />
Edit /etc/libnss-ldap.secret and make sure it contains your root LDAP password. Then, copy /etc/libnss-ldap.secret to /etc/pam_ldap.secret<br />
<br />
If you have added the two ACL entries to your /opt/zimbra/conf/slapd.conf.in file, you do not need binddn and bindpw in your /etc/pam_ldap.conf file.<br />
<br />
Edit /etc/nsswitch.conf file. Replace these two lines:<br />
<br />
passwd: compat<br />
group: compat<br />
<br />
with these lines:<br />
<br />
passwd: files ldap<br />
group: files ldap<br />
<br />
This change tells NSS to consult LDAP when it looks up users and groups: it checks /etc/passwd and /etc/group first and then LDAP. You may want to set these lines up differently if you know what you are doing ;)<br />
<br />
Edit /etc/pam.d/common-account. It should look like the following:<br />
<br />
account sufficient pam_unix.so<br />
account sufficient pam_ldap.so<br />
<br />
Edit /etc/pam.d/common-auth. It should look like the following:<br />
<br />
auth sufficient pam_ldap.so<br />
auth sufficient pam_unix.so<br />
<br />
Edit /etc/pam.d/common-password. It should look like the following:<br />
<br />
password sufficient pam_unix.so<br />
password sufficient pam_ldap.so<br />
<br />
Edit /etc/pam.d/common-session. It should look like the following:<br />
<br />
session sufficient pam_unix.so<br />
session sufficient pam_ldap.so<br />
<br />
You may also want to add the following line at the start of the session section, so that a home directory is created automatically when a user logs in for the first time:<br />
session required pam_mkhomedir.so skel=/etc/skel umask=0077<br />
<br />
Now you need to test whether pam_ldap and nssswitch are working correctly. Log in to Zimbra Admin UI (<nowiki>https://yourserver.com:7071/zimbraAdmin</nowiki>) as Administrator and create a couple of new user accounts. On the New Account Wizard you should see two additional steps (after “Advanced” step): Posix Account and Samba Account<br />
<br />
<b>Configuring on RHEL5/CentOS5/Fedora7 using <font size="2"><font face="Courier New, monospace">authconfig</font></font></b><br />
<br />
As root run <font size="2"><font face="Courier New, monospace">authconfig --test</font></font>. It will display current settings for both <font size="2"><font face="Courier New, monospace">nss_ldap</font></font> and <font size="2"><font face="Courier New, monospace">pam_ldap</font></font>. In most cases the following command will do the job (although some manual editing will still be needed):<br />
<br />
authconfig --enableldap --enableldapauth --disablenis --enablecache \<br />
--ldapserver=gregzimbra1.zimbra.com --ldapbasedn=dc=gregzimbra1,dc=zimbra,dc=com \<br />
--updateall<br />
<br />
The last parameter will update <font size="2"><font face="Courier New, monospace">/etc/ldap.conf, /etc/nsswitch.conf</font></font> and <font size="2"><font face="Courier New, monospace">/etc/pam.d/system-auth</font></font> configuration files. The only file which requires manual editing is <font size="2"><font face="Courier New, monospace">/etc/ldap.conf</font></font>.<br />
<br />
The <font size="2"><font face="Courier New, monospace"><b>base</b></font></font> line should be already there. It is inserted by <font size="2"><font face="Courier New, monospace">authconfig</font></font>. You should also see a <font size="2"><font face="Courier New, monospace"><b>uri</b></font></font> line with the address of your ldap server. The <font size="2"><font face="Courier New, monospace"><b>host, binddn, bindpw, rootbinddn</b></font></font> lines should be added as explained above and <font size="2"><font face="Courier New, monospace">/etc/ldap.secret</font></font> file should exist and contain a password.<br />
<br />
The issue with a single <font size="2"><font face="Courier New, monospace">/etc/ldap.conf</font></font> configuration file for both <font size="2"><font face="Courier New, monospace">nss_ldap</font></font> and <font size="2"><font face="Courier New, monospace">pam_ldap</font></font> is that <font size="2"><font face="Courier New, monospace"><b>host</b></font></font> and <font size="2"><font face="Courier New, monospace"><b>uri</b></font></font> can work together in Zimbra-specific configuration only if we also add <font size="2"><font face="Courier New, monospace"><b>bind_policy soft</b></font></font> option. The modified <font size="2"><font face="Courier New, monospace">/etc/ldap.conf</font></font> should look like this:<br />
<br />
base dc=gregzimbra1,dc=zimbra,dc=com<br />
host gregzimbra1.zimbra.com<br />
binddn uid=zimbra,cn=admins,cn=zimbra<br />
bindpw test123<br />
rootbinddn uid=zimbra,cn=admins,cn=zimbra<br />
uri ldap://gregzimbra1.zimbra.com<br />
bind_policy soft<br />
<br />
nss_base_passwd ou=people,dc=gregzimbra1,dc=zimbra,dc=com?one<br />
nss_base_shadow ou=people,dc=gregzimbra1,dc=zimbra,dc=com?one<br />
nss_base_group ou=groups,dc=gregzimbra1,dc=zimbra,dc=com?one<br />
nss_base_hosts ou=machines,dc=gregzimbra1,dc=zimbra,dc=com?one<br />
<br />
<br />
The last four lines are optional and are added to make the Zimbra <font size="2"><font face="Courier New, monospace">nss_ldap</font></font> setup compatible with Webmin's <font size="2"><font face="Courier New, monospace"><i>LDAP Client</i></font></font> and <font size="2"><font face="Courier New, monospace"><i>LDAP Users and Groups</i></font></font> modules. (The latter module allows you to add secondary groups to your Zimbra/Samba accounts, etc.)<br />
<br />
Any additional lines added by authconfig would not hurt. However, you will have to re-check <font size="2"><font face="Courier New, monospace">/etc/ldap.conf</font></font> every time you run <font size="2"><font face="Courier New, monospace">authconfig</font></font> with the <font size="2"><font face="Courier New, monospace">--update</font></font> or <font size="2"><font face="Courier New, monospace">--updateall</font></font> switch. If it sees the <b>host</b> line, the command disables it and moves the host address value to the <b>uri</b> line. This breaks <font size="2"><font face="Courier New, monospace">pam_ldap</font></font>, and Zimbra might even fail to start.<br />
<br />
====Creating Linux and Samba groups using Zimbra Admin UI====<br />
<br />
Log in to Zimbra Admin UI. You should not have logged out of it anyway, because we are not done yet. Go to Posix Groups and click “New”. If you do not know what to type in the <font size="2"><font face="Courier New, monospace">group type</font></font> field, type <font size="2"><font face="Courier New, monospace">2</font></font>; this is the default value.<br />
<br />
To test if PAM on your Samba server is reading the group information correctly from Zimbra LDAP, go back to your Samba server shell and run this command as root:<br />
<br />
<font face="Courier New, monospace"><font size="2">>getent group</font></font><br />
<br />
you should see the group(s) that you just created in the list that is produced.<br />
<br />
====Creating Linux and Samba users using Zimbra Admin UI====<br />
<br />
Back to the Zimbra Admin UI :). Go to Accounts and hit New, fill in the information on the first screen and follow the wizard to the Posix Account screen. Fill in all the required fields on the Posix Account screen and click Next to go to Samba Account screen. Fill in the required fields and click Finish. To test if PAM on your Samba server is reading the user password information correctly from Zimbra LDAP, go back to your Samba server shell and run this command as root:<br />
<br />
getent passwd<br />
<br />
you should see the Zimbra accounts that you just created in the list. Create a home folder for the new Zimbra user and try to switch to the newly created user. In this example, I create a user ubuntu2 with the home folder /home/ubuntu2:<br />
<br />
root@gregzimbra2:/home/ubuntu# su - ubuntu2<br />
ubuntu2@gregzimbra2:~$ <br />
<br />
Now test if Samba authenticates your new user correctly. In this example I went to the shell on my Zimbra server box and ran this command (as root):<br />
<br />
smbclient -U ubuntu2 //gregzimbra2.zimbra.com/ubuntu2<br />
<br />
It should prompt you for the password and then log in to ubuntu2's home folder on gregzimbra2 Samba server.<br />
<br />
Next, log in to Zimbra Admin UI, click on Aliases and remove the root@gregzimbra1.zimbra.com alias. Then run<br />
<br />
smbpasswd -a root<br />
<br />
====Creating Windows NT Domain groups====<br />
<br />
Next, create the “Domain Admins” group using Zimbra Admin UI; on the Samba tab select the Special Windows group type “Domain Admins”. Then you need to grant privileges to this group. Run the following command as root on your Samba server, putting your domain name in place of GREGZIMBRA1. More information on this topic is available in the Official Samba HOWTO Reference Guide ([http://us3.samba.org/samba/docs/man/Samba-HOWTO-Collection/ http://us3.samba.org/samba/docs/man/Samba-HOWTO-Collection/]).<br />
<br />
net rpc rights grant "GREGZIMBRA1\Domain Admins" SeAddUsersPrivilege SeMachineAccountPrivilege SePrintOperatorPrivilege<br />
<br />
====Adding Windows NT/2000/XP machines to Samba domain====<br />
<br />
Log in to a Windows desktop as a local administrator and join the Samba domain the same way you would join a Windows domain. You might need to point your Windows box to your Samba WINS server, depending on how your DHCP and DNS servers are configured. Use a member of the “Domain Admins” group to join the domain. After you have joined the domain, verify that the machine account was added to the LDAP directory by running the <font size="2"><font face="Courier New, monospace">ldapsearch</font></font> command, e.g. if your Windows desktop machine name is gregvmxp2:<br />
<br />
root@gregzimbra1:/home/ubuntu# /opt/zimbra/openldap/bin/ldapsearch -h gregzimbra1 | grep gregvmxp<br />
<nowiki># gregvmxp2$, machines, gregzimbra1.zimbra.com</nowiki><br />
dn: uid=gregvmxp2$,ou=machines,dc=gregzimbra1,dc=zimbra,dc=com<br />
uid: gregvmxp2$</div>Jarlhttps://wiki.zimbra.com/index.php?title=UNIX_and_Windows_Accounts_in_Zimbra_LDAP_and_Zimbra_Admin_UI&diff=7564UNIX and Windows Accounts in Zimbra LDAP and Zimbra Admin UI2008-01-14T11:41:38Z<p>Jarl: /* Installing pam_ldap and nss_ldap */</p>
<hr />
<div>==Introduction==<br />
<br />
This document describes how you can configure Zimbra Collaboration Server (ZCS) and Samba to act as a primary domain controller (PDC) that uses LDAP (Lightweight Directory Access Protocol) as a central password database for authenticating users on Linux and Windows desktops. The motivation behind this document is the need to seamlessly integrate ZCS into corporate network environment based entirely on Open Source server software. This functionality is achieved by configuring Zimbra LDAP to act as a central user database for PAM (Pluggable Authentication Modules), NSS (Name Service Switch), and for Samba's ldapsam password backend. The document also describes Zimbra Admin Extensions that allow managing OS and Samba accounts, groups and domains through Zimbra Admin UI.<br />
<br />
The setup described in this document is not the only possible way to make Samba and Zimbra use the same user database for authentication. There are multiple other ways to achieve similar functionality, and it is recommended that you explore Zimbra WIKI at [http://wiki.zimbra.com/ http://wiki.zimbra.com] to see if another solution is a better fit for your needs. However, this solution is the only solution that allows network administrators to manage Windows user accounts and groups using Zimbra Admin UI. It is also highly recommended to get familiar with Zimbra, Samba, LDAP and PAM, before you start the installation. Particularly helpful are the following sources of information:<br />
<br />
* LDAP Authentication HOWTO http://ldots.org/ldap/<br />
* Authenticating with LDAP http://imaginator.com/~simon/ldap/<br />
* pam.d(5) man page (explains syntax of pam.d configuration files which you will have to edit during the installation) http://www.die.net/doc/linux/man/man5/pam.d.5.html<br />
* PAM FAQ http://www.kernel.org/pub/linux/libs/pam/FAQ<br />
* The Official Samba-3 HOWTO and Reference Guide http://us3.samba.org/samba/docs/man/Samba-HOWTO-Collection/<br />
* Zimbra Documentation http://www.zimbra.com/products/documentation.html<br />
<br />
==Intended audience==<br />
<br />
This document is intended mainly for network administrators who are faced with the task of integrating multiple OpenSource software packages to support a corporate network. The author assumes that the reader has basic knowledge of Linux/Unix OS, is capable of using a text editor and is at least vaguely familiar with Zimbra, Samba, LDAP and PAM. If these four words sound foreign to you, please take some time to look at the aforementioned sources of helpful information, or even better – have them open in separate tabs in Firefox on your second monitor while you are following the directions in this document ;)<br />
<br />
==ToDo==<br />
* Write AJAX SMB client Zimlet to mail UI, http://freshmeat.net/projects/davenport/ sounds like a good option.<br />
* Add hooks to Zimbra Server to allow calling extensions when an account's password is changed and write an extension that will change Samba password hashes in LDAP<br />
* Make zimbra's password change update the NT password.<br />
* Fix creation of resources from the admin UI to work with the uidNumber attribute.<br />
* During new account creation, don't allow clicking of the finish button until user has filled out all required fields, including the posix and samba ones. Or maybe put in some reasonable default values so the finish button does not raise an error.<br />
<br />
==How this guide is organized:==<br />
<br />
'''Part 1 '''describes what software you need to download and install<br />
<br />
'''Part 2 '''describes how to configure Zimbra LDAP and Zimbra Admin to store information required by Linux password backend and allow managing Samba and Posix accounts via Zimbra Admin. <br />
<br />
'''Part 3 '''describes how to configure Samba server to use Zimbra LDAP as a source of user information and as a Primary Domain Controller<br />
<br />
'''Part 4 '''describes how to configure a Linux server to use Zimbra LDAP as a central source of user information.<br />
<br />
==Part 1==<br />
<br />
====Installing Zimbra====<br />
<br />
# First, install Zimbra Collaboration Suite (it can be an Open Source or a Network Edition) following the Zimbra Installation guides that you can download from the Zimbra website (http://www.zimbra.com/products/documentation.html). Make a note of the root LDAP password that is selected during the installation; you will need it to configure ldapsam, pam_ldap and nss_ldap.<br />
# If you have an existing functioning ZCS server, you can use it instead of a new one, but make sure to back up all your data and that you know your LDAP root password (this password was created during ZCS installation). This setup works with single- as well as with multi-server Zimbra setups.<br />
# Download ZimbraPosixAccount, ZimbraSamba and ZimbraLDAPUtils extensions for your version of ZCS from the Zimbra Gallery ([http://gallery.zimbra.com/ http://gallery.zimbra.com]). Note that these extensions are different for ZCS 4.5.x and ZCS 5.x.<br />
<br />
====Installing Zimbra LDAP Utils extension====<br />
Note: if you are running ZCS 5.0 or higher, this extension is already installed in /opt/zimbra/lib/ext/ldaputils and you do not need to download it.<br />
<br />
# Download Zimbra LDAP utils server extension from Zimbra Gallery [http://gallery.zimbra.com/gallery.php?act=viewProd&productId=54]<br />
# Log in to your Zimbra mail server and make sure you are root. If you have a multi-server setup, this is the server that runs the mailbox service. Create the folder /opt/zimbra/lib/ext/zimbraldaputils. Make sure that the folder's owner is root:root and the access mode is 0755.<br />
# Extract zimbraldaputils.jar file from ZimbraLDAPUtils.zip and put it into /opt/zimbra/lib/ext/zimbraldaputils/<br />
# Restart mailbox server on the Zimbra mail server (this can be done by running zmmailboxctl restart as zimbra user).<br />
<br />
====Installing ZimbraPosixAccount and ZimbraSamba extensions for Zimbra Admin====<br />
Note: if you are running ZCS 5.0 or later, zimbra_posixaccount.zip and zimbra_samba.zip are already included in the installation, and you do not need to download them from the Gallery. You can find both extensions in /opt/zimbra/zimlets-admin-extra/<br />
<br />
# Download zimbra_posixaccount [http://gallery.zimbra.com/gallery.php?act=viewProd&productId=52] Admin extension from Zimbra Gallery [http://gallery.zimbra.com] <br />
# Download zimbra_samba [http://gallery.zimbra.com/gallery.php?act=viewProd&productId=53] Admin extension from Zimbra Gallery [http://gallery.zimbra.com] <br />
# Extract files from ZimbraPosixAccount.zip to a folder on your desktop computer, open zimbra_posixaccount folder and edit config_template.xml.<br />
# Edit <font size="2"><font face="Courier New, monospace">ldapSuffix</font></font> property in config_template.xml. This property is the path in your LDAP tree where all Linux and Samba user information will be stored. This can be the name of your primary email domain written in the ldap syntax. E.g. if your domain is mycompany.com, then <font size="2"><font face="Courier New, monospace">ldapSuffix</font></font> will be<br />
<br />
<font size="2"><font face="Courier New, monospace">dc=mycompany,dc=com</font></font><br />
<br />
in this example I will use the domain gregzimbra1.zimbra.com, which is the name of my Ubuntu Linux machine running inside a VMWare instance, hence my <font size="2"><font face="Courier New, monospace">ldapSuffix</font></font> is<br />
<br />
<font size="2"><font face="Courier New, monospace">dc=gregzimbra1,dc=zimbra,dc=com</font></font><br />
<br />
# Edit <font size="2"><font face="Courier New, monospace">uidBase</font></font> property in config_template.xml. <font size="2"><font face="Courier New, monospace">uidBase</font></font> is the base for creating Linux user IDs for user accounts that will be stored in LDAP. The first account that you create through Zimbra Admin UI will have user ID = <font size="2"><font face="Courier New, monospace">uidBase</font></font>+1. If you already have user accounts in your current password database (most likely /etc/passwd), it is recommended that you set this value higher than the highest existing user ID.<br />
# Edit <font size="2"><font face="Courier New, monospace">gidBase</font></font> property in config_template.xml. <font size="2"><font face="Courier New, monospace">gidBase</font></font> is the base for creating Linux group IDs for groups that will be stored in LDAP. The first group that you will create through Zimbra Admin UI will have group ID = <font size="2"><font face="Courier New, monospace">gidBase</font></font>+1.<br />
# Zip all the files that are in zimbra_posixaccount folder into zimbra_posixaccount.zip together with modified config_template.xml<br />
# Log in to Zimbra Admin (<nowiki>https://yourserver.com:7071/zimbraAdmin</nowiki>) as administrator, navigate to Admin Extensions and deploy the zimbra_posixaccount extension using the zimbra_posixaccount.zip file (refer to the ZCS Admin Guide for more information about installing Admin Extensions).<br />
# Extract files from ZimbraSamba.zip to a folder on your desktop computer and open config_template.xml (this file is in zimbra_samba folder along with other extension files).<br />
# Edit <font size="2"><font face="Courier New, monospace">ldapSuffix</font></font>, <font size="2"><font face="Courier New, monospace">uidBase</font></font> and <font size="2"><font face="Courier New, monospace">gidBase</font></font> properties using the same values as you used in for zimbra_posixaccount.zip<br />
# Zip all the files in the zimbra_samba folder into zimbra_samba.zip together with the modified config_template.xml and deploy the zimbra_samba Admin Extension.<br />
# Reload your Zimbra Admin to initialize the extensions. When the extensions are loaded for the first time, they will check whether the OUs defined by the <font size="2"><font face="Courier New, monospace">ldapMachineSuffix</font></font> and <font size="2"><font face="Courier New, monospace">ldapGroupSuffix</font></font> properties in the config_template.xml files exist, and create these OUs if they do not.<br />
<br />
====Installing Samba====<br />
<br />
Install Samba 3 on a Linux/Unix box. I used Samba-3.0.24 which I installed through Synaptic Package Manager on my Ubuntu 6.10 machine running inside a VMWare. If you are building Samba from sources, make sure to enable ldap support. I do not recommend installing Samba on the same machine where you installed Zimbra – better to use a separate machine.<br />
<br />
====Installing pam_ldap and nss_ldap====<br />
<br />
You need to install and configure PAM and NSS on the machine where you installed Samba. You can also install it on any Linux desktop that should use Zimbra LDAP as a user database, e.g. Linux desktops where you want to be able to log in using the same username/password that is used for Zimbra Mail.<br />
<br />
You need to download and install the pam_ldap and nss_ldap modules for your OS. I used Ubuntu Linux, which has these modules available as Debian packages through Synaptic Package Manager. If you are using Synaptic Package Manager, make sure to enable the community maintained repositories (see Settings->Repositories) and search for the libpam-ldap and libnss-ldap packages. If you are using a different Linux, you might need to build these modules from the sources. You can find the sources for pam_ldap and nss_ldap at [http://www.padl.com/ http://www.padl.com].<br />
<br />
If you are using Synaptic Package Manager to install libnss_ldap, you will be prompted for the following information:<br />
<br />
* LDAP server Uniform Resource Identifier – enter the LDAP URL of your Zimbra LDAP server. i.e. [ldap://zimbra.mydomain.com ldap://zimbra.mydomain.com/] (in my case<font size="2"><font face="Courier New, monospace"> ldap://gregzimbra1.zimbra.com/</font></font>)<br />
* LDAP search base – enter the same value that you used for <font size="2"><font face="Courier New, monospace">ldapSuffix</font></font> property in zimbra_posixaccount and zimbra_samba extensions. I.e.: dc=yourdomain,dc=com (in my case <font size="2"><font face="Courier New, monospace">dc=gregzimbra1,dc=zimbra,dc=com</font></font>)<br />
* LDAP account for root – enter<font size="2"><font face="Courier New, monospace"> uid=zimbra,cn=admins,cn=zimbra</font></font><br />
* LDAP root account password – enter the LDAP root password that you selected during Zimbra installation (told you to make a note of it ;) )<br />
<br />
If you don't know the LDAP root account password, you can change it to a known value like this (as the zimbra user):<br />
zimbra@localhost:~$ zmldappasswd -r newpasswd<br />
<br />
If you are using Synaptic Package Manager to install libpam_ldap, you will be prompted for the following information:<br />
<br />
* LDAP Server – enter the hostname or IP address of your Zimbra LDAP server<br />
* root login account – enter <font size="2"><font face="Courier New, monospace">uid=zimbra,cn=admins,cn=zimbra</font></font><br />
* root login password - enter the LDAP root password that you selected during Zimbra installation<br />
<br />
<br />
In RHEL5/CentOS5 both <font face="Courier New, monospace">nss_ldap</font> and <font face="Courier New, monospace">pam_ldap</font> modules are included in a single <font face="Courier New, monospace">nss_ldap</font> rpm package which is a part of base install. They can be configured using <font face="Courier New, monospace">authconfig</font> command line utility. (See <b>Configuring pam_ldap and nss_ldap.</b>)<br />
<br />
==Part 2==<br />
<br />
====Configuring Zimbra LDAP====<br />
<br />
Please note: upgrading Zimbra will overwrite any changes made to /opt/zimbra/conf/slapd.conf.in; this will break any read permission changes made (as below). Back up slapd.conf.in prior to the upgrade, and restore it immediately afterwards.<br />
<br />
Before you can configure Zimbra LDAP you need to download nis.schema and samba.schema files.<br />
<br />
* If nis.schema file already exists in /opt/zimbra/openldap/etc/openldap/schema/ - skip to the next bullet, otherwise you need to download it. nis.schema file depends on your version of OpenLDAP. Therefore, the best way to get the correct nis.schema file is to download OpenLDAP source code from http://www.openldap.org/software/download/ for your version of OpenLDAP and take the nis.schema file from servers/slapd/schema folder in the source package. In this document I am using OpenLDAP 2.3.34 which is distributed with ZCS 4.5.4 for Ubuntu Linux.<br />
* samba.schema file depends on the version of Samba that you will be installing. Therefore, I recommend downloading Samba source package for the latest stable version of Samba available for your server's OS and taking samba.schema from examples/LDAP folder in the source package. In this document I am using Samba 3.0.24. In CentOS 5 it is here: /usr/share/doc/samba-3.0.23c/LDAP/samba.schema. <br />
<br />
Log in to the shell on your Zimbra LDAP server. If you have a multi-server setup, this is the machine where the ldap service is running. Copy the samba.schema and nis.schema files to /opt/zimbra/openldap/etc/openldap/schema/ (or wherever your OpenLDAP schema files are if you are using a different LDAP server). They should be chowned to the zimbra account.<br />
<br />
Next, edit the /opt/zimbra/conf/slapd.conf.in file. Mind the .in suffix: the non-.in file is regenerated during restart. You need to add the following two lines after the last “include” statement at the top of the file:<br />
<br />
<font face="Courier New, monospace"><font size="2">include "/opt/zimbra/openldap/etc/openldap/schema/nis.schema"</font></font><br />
<br />
<font face="Courier New, monospace"><font size="2">include "/opt/zimbra/openldap/etc/openldap/schema/samba.schema"</font></font><br />
<br />
You may also want to add these ldap indexes at the end of the file:<br />
<br />
<nowiki>#indexes for PAM</nowiki><br />
<br />
index uidNumber eq<br />
index gidNumber eq<br />
index memberUID eq<br />
<br />
<br />
<nowiki>#indexes for Samba</nowiki><br />
<br />
index sambaSID eq<br />
index sambaPrimaryGroupSID eq<br />
index sambaDomainName eq<br />
<br />
You may also want to add the following two ACLs to allow PAM to read the user entries without having to use the binddn and its password. That password is stored in cleartext in the ldap.conf file on the client machine, and this file must be readable by all, which creates a security issue (on Zimbra the binddn password and the rootdn password seem to be the same).<br />
<br />
<nowiki># only allow access to these attrs basically GAL/Postfix related attrs</nowiki><br />
<pre><br />
access to dn.subtree="ou=people,dc=gregzimbra1,dc=zimbra,dc=com"<br />
by * read<br />
<br />
access to dn.subtree="ou=groups,dc=gregzimbra1,dc=zimbra,dc=com"<br />
by * read<br />
</pre><br />
<br />
Note: the above lines may be too permissive and could be made more restrictive using attributes, but for now they will do.<br />
<br />
An example slapd.conf.in file is included in ZimbraSamba.zip in the examples/conf folder.<br />
<br />
After you have edited the slapd.conf.in file and copied the *.schema files to /opt/zimbra/openldap/etc/openldap/schema/, restart the Zimbra services and make sure that they started successfully.<br />
<br />
Now run the following zmprov commands as user zimbra:<br />
<br />
>zmprov mcf +zimbraAccountExtraObjectClass posixAccount<br />
>zmprov mcf +zimbraAccountExtraObjectClass sambaSamAccount<br />
<br />
==Part 3==<br />
<br />
====Configuring Samba====<br />
<br />
There are many ways to configure Samba depending on what your needs are. In this example I will configure Samba to use Zimbra LDAP as the password backend and to act as a primary domain controller for the domain GREGZIMBRA1 and as a WINS server for my network. This configuration will allow Windows NT/XP/2000 workstations to join the GREGZIMBRA1 domain as if it were an NT domain. Below is the /etc/samba/smb.conf file used in this example.<br />
<br />
[global]<br />
workgroup = GREGZIMBRA1<br />
netbios name = gregzimbra2<br />
os level = 33<br />
preferred master = yes<br />
enable privileges = yes<br />
server string = %h server (Samba, Ubuntu)<br />
wins support = yes<br />
dns proxy = no<br />
name resolve order = wins bcast hosts<br />
log file = /var/log/samba/log.%m<br />
log level = 3<br />
max log size = 1000<br />
syslog only = no<br />
syslog = 0<br />
panic action = /usr/share/samba/panic-action %d<br />
security = user<br />
encrypt passwords = true<br />
ldap passwd sync = yes<br />
passdb backend = ldapsam:ldap://gregzimbra1.zimbra.com/<br />
ldap admin dn = "uid=zimbra,cn=admins,cn=zimbra"<br />
ldap suffix = dc=gregzimbra1,dc=zimbra,dc=com<br />
ldap group suffix = ou=groups<br />
ldap user suffix = ou=people<br />
ldap machine suffix = ou=machines<br />
obey pam restrictions = no<br />
passwd program = /usr/bin/passwd %u<br />
passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n *password\supdated\ssuccessfully* .<br />
domain logons = yes<br />
logon path = \\gregzimbra2.zimbra.com\%U\profile<br />
logon home = \\gregzimbra2.zimbra.com\%U<br />
logon script = logon.cmd<br />
add user script = /usr/sbin/adduser --quiet --disabled-password --gecos "" %u<br />
add machine script = /usr/sbin/adduser --shell /bin/false --disabled-password --quiet --gecos "machine account" --force-badname %u<br />
socket options = TCP_NODELAY<br />
domain master = yes<br />
local master = yes<br />
[homes]<br />
comment = Home Directories<br />
browseable = yes<br />
read only = No<br />
valid users = %S<br />
[netlogon]<br />
comment = Network Logon Service<br />
path = /var/lib/samba/netlogon<br />
guest ok = yes<br />
locking = no<br />
[profiles]<br />
comment = Users profiles<br />
path = /var/lib/samba/profiles<br />
read only = No<br />
[profdata]<br />
comment = Profile Data Share<br />
path = /var/lib/samba/profdata<br />
read only = No<br />
profile acls = Yes<br />
[printers]<br />
comment = All Printers<br />
browseable = no<br />
path = /tmp<br />
printable = yes<br />
public = no<br />
writable = no<br />
create mode = 0700<br />
[print$]<br />
comment = Printer Drivers<br />
path = /var/lib/samba/printers<br />
browseable = yes<br />
read only = yes<br />
guest ok = no<br />
<br />
I will not attempt to explain every line in this file, so if you are interested – read the official Samba HOWTO. The key elements that are important for this example are these lines:<br />
<br />
passdb backend = ldapsam:ldap://gregzimbra1.zimbra.com/<br />
ldap admin dn = "uid=zimbra,cn=admins,cn=zimbra"<br />
ldap suffix = dc=gregzimbra1,dc=zimbra,dc=com<br />
ldap group suffix = ou=groups<br />
ldap user suffix = ou=people<br />
ldap machine suffix = ou=machines<br />
<br />
<br />
* <span lang="en-US"><font face="Courier New, monospace">passdb backend = ldapsam:ldap://gregzimbra1.zimbra.com/</font> - tells Samba to use ldap as the password backend and to contact Zimbra LDAP server at [ldap://gregzimbra1.zimbra.com/].</span><br />
<br />
* <span lang="en-US"><font face="Courier New, monospace">ldap admin dn</font> - is the same value as the root LDAP account that you entered when you were installing pam_ldap.</span><br />
<br />
* <span lang="en-US"><font face="Courier New, monospace">ldap suffix</font> - is the name of your Zimbra domain, and it is the same value as the value of <font face="Courier New, monospace">ldapSuffix</font> property in config_template.xml files.</span><br />
<br />
* <span lang="en-US"><font face="Courier New, monospace">ldap group suffix</font> - is the same value as the value of <font face="Courier New, monospace">ldapGroupSuffix</font> in config_template.xml files.</span><br />
<br />
* <span lang="en-US"><font face="Courier New, monospace">ldap machine suffix</font> - is the same value as the value of <font face="Courier New, monospace">ldapMachineSuffix</font> in config_template.xml files. </span><br />
<br />
* the value of <font face="Courier New, monospace">ldap user suffix</font> must be <font face="Courier New, monospace">ou=people</font>, because this is where Zimbra account records are stored in LDAP.<br />
<br />
After you have edited the smb.conf file, you need to tell Samba the root password for LDAP. On your Samba server, restart the Samba services (/usr/sbin/smbd and /usr/sbin/nmbd) and run the following command (replace <font face="Courier New, monospace">test123</font> with your LDAP root password).<br />
<br />
smbpasswd -w test123<br />
<br />
====Creating Samba domain using Zimbra Admin UI====<br />
<br />
Restart Samba. Then, log in to Zimbra Admin and click on Samba Domains. You should see a domain entry in the list. When Samba started up with the new smb.conf file, it should have looked up the domain entry in LDAP and created it if it could not find the entry.<br />
<br />
==Part 4==<br />
<br />
====Configuring pam_ldap and nss_ldap====<br />
<br />
Open the file /etc/libnss-ldap.conf and make sure that <font size="2"><font face="Courier New, monospace">base</font></font> is set to the same value that you chose for <code><font size="2">ldapSuffix</font></code>. It should look like this (type your root LDAP password instead of <font size="2"><font face="Courier New, monospace">test123</font></font>):<br />
<br />
base dc=gregzimbra1,dc=zimbra,dc=com<br />
host gregzimbra1.zimbra.com<br />
binddn uid=zimbra,cn=admins,cn=zimbra<br />
bindpw test123<br />
rootbinddn uid=zimbra,cn=admins,cn=zimbra<br />
<br />
Make sure that <font size="2"><font face="Courier New, monospace">host</font></font> points to your Zimbra LDAP server. Next, copy /etc/libnss-ldap.conf to /etc/pam_ldap.conf, both modules have compatible syntax, so the same configuration file will work for both pam_ldap and nss_ldap.<br />
<br />
Edit /etc/libnss-ldap.secret and make sure it contains your root LDAP password. Then copy /etc/libnss-ldap.secret to /etc/pam_ldap.secret.<br />
<br />
If you have added the two ACL entries to your /opt/zimbra/conf/slapd.conf.in file, you are not obliged to use binddn and bindpw in your /etc/pam_ldap.conf file.<br />
<br />
Edit /etc/nsswitch.conf file. Replace these two lines:<br />
<br />
passwd: compat<br />
group: compat<br />
<br />
with these lines:<br />
<br />
passwd: files ldap<br />
group: files ldap<br />
<br />
This change tells NSS to also use LDAP when it looks up users and groups (uids and gids). It will first look at /etc/passwd (and /etc/group) and then at LDAP. You may want to change these lines differently if you know what you are doing ;)<br />
<br />
Edit /etc/pam.d/common-account. It should look like the following:<br />
<br />
account sufficient pam_unix.so<br />
account sufficient pam_ldap.so<br />
<br />
Edit /etc/pam.d/common-auth. It should look like the following:<br />
<br />
auth sufficient pam_ldap.so<br />
auth sufficient pam_unix.so<br />
<br />
Edit /etc/pam.d/common-password. It should look like the following:<br />
<br />
password sufficient pam_unix.so<br />
password sufficient pam_ldap.so<br />
<br />
Edit /etc/pam.d/common-session. It should look like the following:<br />
<br />
session sufficient pam_unix.so<br />
session sufficient pam_ldap.so<br />
<br />
You may also want to first add the following line to the session section, to automatically create a home directory when a user logs in for the first time:<br />
session required pam_mkhomedir.so skel=/etc/skel umask=0077<br />
<br />
Now you need to test whether pam_ldap and nsswitch are working correctly. Log in to Zimbra Admin UI (<nowiki>https://yourserver.com:7071/zimbraAdmin</nowiki>) as Administrator and create a couple of new user accounts. In the New Account Wizard you should see two additional steps (after the “Advanced” step): Posix Account and Samba Account.<br />
<br />
<b>Configuring on RHEL5/CentOS5/Fedora7 using <font size="2"><font face="Courier New, monospace">authconfig</font></font></b><br />
<br />
As root run <font size="2"><font face="Courier New, monospace">authconfig --test</font></font>. It will display current settings for both <font size="2"><font face="Courier New, monospace">nss_ldap</font></font> and <font size="2"><font face="Courier New, monospace">pam_ldap</font></font>. In most cases the following command will do the job (although some manual editing will still be needed):<br />
<br />
authconfig --enableldap --enableldapauth --disablenis --enablecache \<br />
--ldapserver=gregzimbra1.zimbra.com --ldapbasedn=dc=gregzimbra1,dc=zimbra,dc=com \<br />
--updateall<br />
<br />
The last parameter will update <font size="2"><font face="Courier New, monospace">/etc/ldap.conf, /etc/nsswitch.conf</font></font> and <font size="2"><font face="Courier New, monospace">/etc/pam.d/system-auth</font></font> configuration files. The only file which requires manual editing is <font size="2"><font face="Courier New, monospace">/etc/ldap.conf</font></font>.<br />
<br />
The <font size="2"><font face="Courier New, monospace"><b>base</b></font></font> line should be already there. It is inserted by <font size="2"><font face="Courier New, monospace">authconfig</font></font>. You should also see a <font size="2"><font face="Courier New, monospace"><b>uri</b></font></font> line with the address of your ldap server. The <font size="2"><font face="Courier New, monospace"><b>host, binddn, bindpw, rootbinddn</b></font></font> lines should be added as explained above and <font size="2"><font face="Courier New, monospace">/etc/ldap.secret</font></font> file should exist and contain a password.<br />
<br />
The issue with a single <font size="2"><font face="Courier New, monospace">/etc/ldap.conf</font></font> configuration file for both <font size="2"><font face="Courier New, monospace">nss_ldap</font></font> and <font size="2"><font face="Courier New, monospace">pam_ldap</font></font> is that <font size="2"><font face="Courier New, monospace"><b>host</b></font></font> and <font size="2"><font face="Courier New, monospace"><b>uri</b></font></font> can work together in Zimbra-specific configuration only if we also add <font size="2"><font face="Courier New, monospace"><b>bind_policy soft</b></font></font> option. The modified <font size="2"><font face="Courier New, monospace">/etc/ldap.conf</font></font> should look like this:<br />
<br />
base dc=gregzimbra1,dc=zimbra,dc=com<br />
host gregzimbra1.zimbra.com<br />
binddn uid=zimbra,cn=admins,cn=zimbra<br />
bindpw test123<br />
rootbinddn uid=zimbra,cn=admins,cn=zimbra<br />
uri ldap://gregzimbra1.zimbra.com<br />
bind_policy soft<br />
<br />
nss_base_passwd ou=people,dc=gregzimbra1,dc=zimbra,dc=com?one<br />
nss_base_shadow ou=people,dc=gregzimbra1,dc=zimbra,dc=com?one<br />
nss_base_group ou=groups,dc=gregzimbra1,dc=zimbra,dc=com?one<br />
nss_base_hosts ou=machines,dc=gregzimbra1,dc=zimbra,dc=com?one<br />
<br />
<br />
The last four lines are optional and are added to make the Zimbra <font size="2"><font face="Courier New, monospace">nss_ldap</font></font> setup compatible with Webmin’s <font size="2"><font face="Courier New, monospace"><i>LDAP Client</i></font></font> and <font size="2"><font face="Courier New, monospace"><i>LDAP Users and Groups</i></font></font> modules. (The latter module would allow you to add secondary groups to your Zimbra/Samba accounts etc.)<br />
<br />
Any additional lines added by authconfig will not hurt. However, you will have to re-check <font size="2"><font face="Courier New, monospace">/etc/ldap.conf</font></font> every time you run <font size="2"><font face="Courier New, monospace">authconfig</font></font> with the <font size="2"><font face="Courier New, monospace">--update</font></font> or <font size="2"><font face="Courier New, monospace">--updateall</font></font> switch. If it sees the <b>host</b> line, the command disables it and moves the host address value to the <b>uri</b> line. This breaks <font size="2"><font face="Courier New, monospace">pam_ldap</font></font>, and Zimbra might even fail to start.<br />
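That re-check can be scripted. The following is an added example, not part of this page: a POSIX shell check that reads a copy of <font size="2"><font face="Courier New, monospace">/etc/ldap.conf</font></font> and <font size="2"><font face="Courier New, monospace">/etc/ldap.secret</font></font> (both paths are arguments, so it can be pointed at any copy) and fails when <b>host</b> has been disabled, when <b>host</b> and <b>uri</b> are both present without <b>bind_policy soft</b>, when one of the hand-added directives is missing, or when the secret file is missing, empty, or readable by anyone but root. It also warns that a <b>bindpw</b> stored in the world-readable ldap.conf is visible to every local user. The sample files it writes are constructed from the configuration shown above.<br />
<br />
```shell
#!/bin/sh
# Added example, not part of the wiki page: re-verify an nss_ldap/pam_ldap
# /etc/ldap.conf against the constraints described above, e.g. after every
# authconfig --update / --updateall run.
# Usage: check_ldap_conf /etc/ldap.conf /etc/ldap.secret

# First uncommented value of a directive; empty if the directive is absent.
ldap_conf_get() {
    awk -v key="$2" '$1 == key { print $2; exit }' "$1"
}

# Group and other permission bits as shown by ls -l, e.g. "r--r--" for 0644.
group_other_perms() {
    ls -ld "$1" | cut -c5-10
}

# check_ldap_conf CONF SECRET: returns 0 when CONF is usable for both nss_ldap
# and pam_ldap in this setup, 1 when a hard error is found. WARNINGs are
# printed but do not fail the check.
check_ldap_conf() {
    conf="$1"; secret="$2"; rc=0
    [ -r "$conf" ] || { echo "ERROR: cannot read $conf"; return 1; }

    # base and uri are written by authconfig; binddn/bindpw/rootbinddn are
    # the hand-added lines from the text above.
    for key in base uri binddn bindpw rootbinddn; do
        if [ -z "$(ldap_conf_get "$conf" "$key")" ]; then
            echo "ERROR: '$key' directive missing from $conf"; rc=1
        fi
    done

    # authconfig --update comments 'host' out and folds it into 'uri', which
    # breaks pam_ldap here; host and uri together also need bind_policy soft.
    if [ -z "$(ldap_conf_get "$conf" host)" ]; then
        echo "ERROR: 'host' directive missing or commented out (did authconfig move it to 'uri'?)"; rc=1
    elif [ -n "$(ldap_conf_get "$conf" uri)" ] && [ "$(ldap_conf_get "$conf" bind_policy)" != "soft" ]; then
        echo "ERROR: 'host' and 'uri' are both set but 'bind_policy soft' is missing"; rc=1
    fi

    # rootbinddn only works if the secret file exists, is non-empty and is
    # readable by root alone (added check: mode 0600).
    if [ ! -s "$secret" ]; then
        echo "ERROR: $secret is missing or empty"; rc=1
    elif [ "$(group_other_perms "$secret")" != "------" ]; then
        echo "ERROR: $secret is readable by group or others; it should be mode 0600"; rc=1
    fi

    # nss_ldap needs ldap.conf to be world-readable, so a bindpw stored there
    # is visible to every local user of the machine (added caveat).
    if [ -n "$(ldap_conf_get "$conf" bindpw)" ] && [ "$(group_other_perms "$conf")" != "------" ]; then
        echo "WARNING: bindpw in group/world-readable $conf is exposed to all local users"
    fi
    return $rc
}

# Constructed sample files for a stand-alone run; values mirror the text above.
write_sample_conf() {
    cat > "$1/ldap.conf" <<'EOF'
base dc=gregzimbra1,dc=zimbra,dc=com
host gregzimbra1.zimbra.com
binddn uid=zimbra,cn=admins,cn=zimbra
bindpw test123
rootbinddn uid=zimbra,cn=admins,cn=zimbra
uri ldap://gregzimbra1.zimbra.com
bind_policy soft
nss_base_passwd ou=people,dc=gregzimbra1,dc=zimbra,dc=com?one
EOF
    chmod 644 "$1/ldap.conf"
    # What a later authconfig --updateall leaves behind: host disabled, no bind_policy.
    sed -e 's/^host /#host /' -e '/^bind_policy/d' "$1/ldap.conf" > "$1/ldap.conf.after-authconfig"
    printf 'test123\n' > "$1/ldap.secret"
    chmod 600 "$1/ldap.secret"
}

# Stand-alone demonstration on the constructed samples.
demo_dir=$(mktemp -d)
write_sample_conf "$demo_dir"
check_ldap_conf "$demo_dir/ldap.conf" "$demo_dir/ldap.secret" && echo "ldap.conf: OK"
check_ldap_conf "$demo_dir/ldap.conf.after-authconfig" "$demo_dir/ldap.secret" || echo "ldap.conf.after-authconfig: FAILED"
rm -rf "$demo_dir"
```
<br />
Run it after each authconfig invocation; a non-zero exit status means pam_ldap will not work against Zimbra LDAP until the file is repaired. The mode 0600 requirement on ldap.secret and the bindpw exposure warning are caveats added here, not statements from the original text.<br />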
<br />
====Creating Linux and Samba groups using Zimbra Admin UI====<br />
<br />
Log in to Zimbra Admin UI. You should not have logged out of it anyway, because we are not done yet. Go to Posix Groups and click “New”. If you do not know what to type in the <font size="2"><font face="Courier New, monospace">group type</font></font> field, type <font size="2"><font face="Courier New, monospace">2</font></font>, which is the default value.<br />
<br />
To test if PAM on your Samba server is reading the group information correctly from Zimbra LDAP, go back to your Samba server shell and run this command as root:<br />
<br />
<font face="Courier New, monospace"><font size="2">getent group</font></font><br />
<br />
you should see the group(s) that you just created in the list that is produced.<br />
<br />
====Creating Linux and Samba users using Zimbra Admin UI====<br />
<br />
Back to the Zimbra Admin UI :). Go to Accounts and hit New, fill in the information on the first screen and follow the wizard to the Posix Account screen. Fill in all the required fields on the Posix Account screen and click Next to go to the Samba Account screen. Fill in the required fields and click Finish. To test if PAM on your Samba server is reading the user password information correctly from Zimbra LDAP, go back to your Samba server shell and run this command as root:<br />
<br />
getent passwd<br />
<br />
you should see the Zimbra accounts that you just created in the list. Create a home folder for the new Zimbra user and try to switch to the newly created user. In this example, I create a user ubuntu2 with home folder /home/ubuntu2:<br />
<br />
root@gregzimbra2:/home/ubuntu# su - ubuntu2<br />
ubuntu2@gregzimbra2:~$ <br />
<br />
Now test if Samba authenticates your new user correctly. In this example I went to the shell on my Zimbra server box and ran this command (as root):<br />
<br />
smbclient -U ubuntu2 //gregzimbra2.zimbra.com/ubuntu2<br />
<br />
It should prompt you for the password and then log in to ubuntu2's home folder on gregzimbra2 Samba server.<br />
<br />
Next, log in to Zimbra Admin UI, click on Aliases and remove the root@gregzimbra1.zimbra.com alias. Then run:<br />
<br />
smbpasswd -a root<br />
<br />
====Creating Windows NT Domain groups====<br />
<br />
Next, create a “Domain Admins” group using Zimbra Admin UI; on the Samba tab select the Special Windows group type “Domain Admins”. Then you need to grant privileges to this group. Run the following command as root on your Samba server, putting your domain name in place of GREGZIMBRA1. More information on this topic is available in the Official Samba HOWTO Reference Guide ([http://us3.samba.org/samba/docs/man/Samba-HOWTO-Collection/ http://us3.samba.org/samba/docs/man/Samba-HOWTO-Collection/]).<br />
<br />
net rpc rights grant "GREGZIMBRA1\Domain Admins" SeAddUsersPrivilege SeMachineAccountPrivilege SePrintOperatorPrivilege<br />
<br />
====Adding Windows NT/2000/XP machines to Samba domain====<br />
<br />
Log in to a Windows desktop as a local administrator and join the Samba domain the same way you would join a Windows domain. You might need to point your Windows box to your Samba WINS server, depending on how your DHCP and DNS servers are configured. Use a member of the “Domain Admins” group to join the domain. After you have joined the domain, verify that the machine account was added to the LDAP directory by running the <font size="2"><font face="Courier New, monospace">ldapsearch </font></font>command. For example, if your Windows desktop machine name is gregvmxp2:<br />
<br />
root@gregzimbra1:/home/ubuntu# /opt/zimbra/openldap/bin/ldapsearch -h gregzimbra1 | grep gregvmxp<br />
<nowiki># gregvmxp2$, machines, gregzimbra1.zimbra.com</nowiki><br />
dn: uid=gregvmxp2$,ou=machines,dc=gregzimbra1,dc=zimbra,dc=com<br />
uid: gregvmxp2$</div>
Jarl
https://wiki.zimbra.com/index.php?title=Zimbra_with_Apache_using_mod_jk_-_mod_proxy_-_mod_proxy_ajp&diff=7558
Zimbra with Apache using mod jk - mod proxy - mod proxy ajp (2008-01-11T11:44:52Z)<p>Jarl: /* For Zimbra 5.0 */</p>
<hr />
<div>These instructions will enable access to Zimbra and other web applications/pages through the same host/port.<br />
<br />
For example, if the Zimbra web interface is running at http://your.domain.com:8080/, and a separate instance of Apache is running at http://your.domain.com/, follow these steps to enable access to the Zimbra web interface through http://your.domain.com/zimbra/.<br />
<br />
== Disclaimer ==<br />
This procedure is not fully verified, so follow these directions at your own risk. Particularly, note that using ''mod_proxy'' requires you to '''secure your server first''', according to the Apache documentation. '''Please edit this page''' if something is wrong or incomplete.<br />
<br />
== Methods ==<br />
There are two different ways of accomplishing this:<br />
# Creating an HTTP proxy to the Zimbra web interface, using Apache's [http://httpd.apache.org/docs/2.2/mod/mod_proxy.html mod_proxy]. (This method is easier but is generally considered to be less secure.)<br />
# Configuring the Zimbra web interface for the [http://en.wikipedia.org/wiki/Apache_JServ_Protocol Apache JServ Protocol] (AJP), and then using Apache's [http://httpd.apache.org/docs/2.2/mod/mod_proxy_ajp.html mod_proxy_ajp] or [http://en.wikipedia.org/wiki/Mod_jk mod_jk] to access it.<br />
<br />
== Prerequisites ==<br />
Zimbra and Apache should both be installed. ''mod_proxy_ajp'' requires Apache 2.1 or later.<br />
<br />
If you are installing Apache after installing Zimbra, you may first need to change the specific port numbers that the Zimbra web interface uses. For example, if you originally configured Zimbra to use port 80, you will need to change it to another port (such as 8080) in order for Apache to run on port 80. You can do this with the ''[[zmprov]]'' command.<br />
<br />
These instructions include the commands to use under Ubuntu Linux, which may need to be modified slightly under other distributions.<br />
<br />
== Using an HTTP proxy ==<br />
* Install and enable ''mod_proxy'' in Apache. Under Ubuntu, mod_proxy is installed by default, so just use this command to enable it:<br />
<pre>sudo a2enmod proxy</pre><br />
<br />
* Create a new Apache site for Zimbra. Under Ubuntu, add these lines to a new file named ''/etc/apache2/sites-available/zimbra'':<br />
<pre><br />
<IfModule mod_proxy.c><br />
ProxyRequests On<br />
ProxyVia On<br />
<br />
<Location "/service"><br />
# Modify to your setup, but do NOT skip these lines --<br />
# you MUST configure access controls securely!<br />
Order deny,allow<br />
Deny from all<br />
Allow from 127.0.0.1<br />
Allow from 192.168.0.5<br />
Allow from your.domain.com<br />
<br />
# Replace this URL with the host/port that the<br />
# Zimbra user web interface is using<br />
ProxyPass http://localhost:8080/service<br />
ProxyPassReverse http://localhost:8080/service<br />
</Location><br />
<br />
<Location "/zimbra"><br />
# Modify to your setup, but do NOT skip these lines --<br />
# you MUST configure access controls securely!<br />
Order deny,allow<br />
Deny from all<br />
Allow from 127.0.0.1<br />
Allow from 192.168.0.5<br />
Allow from your.domain.com<br />
<br />
# Replace this URL with the host/port that the<br />
# Zimbra user web interface is using<br />
ProxyPass http://localhost:8080/zimbra<br />
ProxyPassReverse http://localhost:8080/zimbra<br />
</Location><br />
<br />
# Only include this section to enable access to<br />
# the Zimbra administrative web interface<br />
<Location "/zimbraAdmin"><br />
# Modify to your setup, but do NOT skip these lines --<br />
# you MUST configure access controls securely!<br />
Order deny,allow<br />
Deny from all<br />
Allow from 127.0.0.1<br />
Allow from 192.168.0.5<br />
Allow from your.domain.com<br />
<br />
# Replace this URL with the host/port that the<br />
# Zimbra administrative web interface is using<br />
ProxyPass https://localhost:7071/zimbraAdmin<br />
ProxyPassReverse https://localhost:7071/zimbraAdmin<br />
</Location><br />
<br />
</IfModule><br />
</pre><br />
<br />
* Enable the site. Under Ubuntu, use the command:<br />
<pre>sudo a2ensite zimbra</pre><br />
(Instead of creating a site, you could also add the previous configuration block to either ''apache2.conf'', ''httpd.conf'', or to a new file in ''conf.d/''.)<br />
<br />
* Restart Apache. Under Ubuntu, use the command:<br />
<pre>sudo /etc/init.d/apache2 force-reload</pre><br />
<br />
== Using Apache JServ Protocol ==<br />
The application server ([http://www.mortbay.org/ Jetty] for Zimbra 5.0, or [http://tomcat.apache.org/ Tomcat] for Zimbra 4.5 and earlier) will be configured to bind to port 8009 and to serve requests on this port using the [http://en.wikipedia.org/wiki/Apache_JServ_Protocol Apache JServ Protocol (AJP)]. (It will also continue to bind to the existing ports that are used for accessing Zimbra's web interfaces.)<br />
<br />
An Apache site for Zimbra will then be configured; Apache will send requests to the application server through port 8009 using AJP. This will be accomplished using either [http://httpd.apache.org/docs/2.2/mod/mod_proxy_ajp.html mod_proxy_ajp] or [http://en.wikipedia.org/wiki/Mod_jk mod_jk].<br />
<br />
'''''Vote for AJP support in Zimbra:''''' If you would prefer to not have to edit several of Zimbra's configuration files by hand to get AJP to work, but would rather be able to turn it on easily from the administrative console/UI -- and you would like AJP to be "supported" by Zimbra -- vote for [http://bugzilla.zimbra.com/show_bug.cgi?id=23269 bug 23269].<br />
<br />
=== Configuring the application server ===<br />
<br />
==== For Zimbra 5.0 ====<br />
<br />
Edit the file ''/opt/zimbra/jetty/etc/jetty.xml.in'':<br />
* Search for these lines:<br />
<pre><br />
<!-- =========================================================== --><br />
<!-- Set connectors --><br />
<!-- =========================================================== --><br />
</pre><br />
* Below them, add the following:<br />
<pre><br />
<Call name="addConnector"><br />
<Arg><br />
<New id="ajp" class="org.mortbay.jetty.ajp.Ajp13SocketConnector"><br />
<Set name="port">8009</Set><br />
</New><br />
</Arg><br />
</Call><br />
</pre><br />
<br />
<br />
Next, edit the file ''/opt/zimbra/jetty/etc/service.web.xml.in'':<br />
* Search for instances of the ''allowed.ports'' parameter, which will look like this:<br />
<pre><br />
<init-param><br />
<param-name>allowed.ports</param-name><br />
<param-value>%%zimbraMailPort%%, %%zimbraMailSSLPort%%, 7070, 7443, 7071</param-value><br />
</init-param><br />
</pre><br />
* If the parameter value contains ''%%zimbraMailPort%%'' and ''%%zimbraMailSSLPort%%'', as above, then add port 8009 to the end of the list, like this:<br />
<pre><br />
...<br />
<param-value>%%zimbraMailPort%%, %%zimbraMailSSLPort%%, 7070, 7443, 7071, 8009</param-value><br />
...<br />
</pre><br />
* If you wish to enable access to the Zimbra administrative web interface, then also perform the above step on any instance of ''allowed.ports'' in which the value contains ''7071''.<br />
<br />
*If you want to allow access to the admin interface via the standard SSL port ''443'', you will also need to edit ''/opt/zimbra/jetty/etc/zimbraAdmin.web.xml.in'' and add port ''443'' to the allowed ports, like so:<br />
<pre><br />
<context-param><br />
<param-name>admin.allowed.ports</param-name><br />
<param-value>7071, 443</param-value><br />
</context-param><br />
</pre><br />
<br />
*If you are running in https or mixed mode, or depend on redirects, you will also have to change the following files so that Jetty redirects authentication requests to the Apache SSL port rather than the Jetty SSL port.<br />
<br />
*Edit ''zimbraAdmin.web.xml.in'' and ''zimbra.web.xml.in'' in the jetty/etc directory and replace the string ''%%zimbraMailSSLPort%%'' with ''443'' or your Apache SSL port. Currently it is not possible to have users redirected to a port other than the Jetty default port after logging in in mixed mode, since that would require changing ''%%zimbraMailPort%%'', and doing so breaks the install.<br />
<br />
*Also edit jetty.xml.in and change the ''confidentialPort'' to match the Apache SSL port:<br />
<pre><br />
<Set name="confidentialPort">443</Set><br />
</pre><br />
<br />
Finally, restart the application server. Under Ubuntu, type:<br />
<pre><br />
sudo -u zimbra /opt/zimbra/bin/zmmailboxdctl restart<br />
</pre><br />
<br />
==== For Zimbra 4.5 and earlier ====<br />
Edit the file ''/opt/zimbra/tomcat/conf/server.xml.in'':<br />
* Search for these lines in the file, and note the value of ''redirectPort'':<br />
<pre><br />
<!-- HTTPBEGIN --><br />
<Connector port="8080"<br />
acceptCount="1024"<br />
enableLookups="false" redirectPort="8443"<br />
maxThreads="100" minSpareThreads="100" maxSpareThreads="100"/><br />
<!-- HTTPEND --><br />
</pre><br />
* Then find this line:<br />
<pre><br />
<Engine name="Catalina" defaultHost="localhost"><br />
</pre><br />
* Just '''before''' this line, add the following:<br />
<pre><br />
<!-- AJPBEGIN --><br />
<Connector port="8009"<br />
acceptCount="1024"<br />
enableLookups="false" redirectPort="8443"<br />
protocol="AJP/1.3" /><br />
<!-- AJPEND --><br />
</pre><br />
Set ''redirectPort'' to the '''same value''' used in the existing lines for HTTP.<br />
<br />
<br />
Next, edit the files ''/opt/zimbra/tomcat/conf/service.web.xml.in'' and ''/opt/zimbra/tomcat/conf/zimbra.web.xml.in'' (and, if you would like to access the Zimbra administrative web interface, ''/opt/zimbra/tomcat/conf/zimbraAdmin.web.xml.in''):<br />
* Search for instances of the ''allowed.ports'' parameter, which will look like this:<br />
<pre><br />
<init-param><br />
<param-name>allowed.ports</param-name><br />
<param-value>8080, 8443, 7070, 7443, 7071</param-value><br />
</init-param><br />
</pre><br />
* For each instance, add ports 80 and 443 to the end of the list, like this:<br />
<pre><br />
...<br />
<param-value>8080, 8443, 7070, 7443, 7071, 80, 443</param-value><br />
...<br />
</pre><br />
<br />
<br />
Finally, restart the application server. Under Ubuntu, type:<br />
<pre><br />
sudo -u zimbra /opt/zimbra/bin/tomcat restart<br />
</pre><br />
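The allowed.ports edits above (for Jetty in Zimbra 5.0 and for Tomcat in 4.5 and earlier) are the same operation applied to several lists, so they are worth scripting. The POSIX shell function below is an added example, not part of this page or of Zimbra: it appends a port to every ''allowed.ports'' (or ''admin.allowed.ports'') value whose current contents match a pattern, skips values that already list the port, and reports how many lines it changed, so it can be re-run safely. The sample file it writes is constructed in the shape of the init-param blocks shown above.<br />
<br />
```shell
#!/bin/sh
# Added example, not part of the wiki page: append a port to the allowed.ports
# lists of a Zimbra web.xml.in template instead of editing them by hand. Only
# values matching PATTERN are changed, so the same function handles the
# %%zimbraMailPort%% lists, the 7071 (admin) lists and the Tomcat 8080 lists.

# add_allowed_port FILE PORT PATTERN: rewrites FILE in place, is idempotent
# (a value that already lists PORT is left alone) and prints how many
# <param-value> lines were changed.
add_allowed_port() {
    file="$1"; port="$2"; pattern="$3"; tmp="$file.tmp.$$"
    awk -v port="$port" -v pattern="$pattern" -v out="$tmp" '
        # A param-name of allowed.ports (or admin.allowed.ports) means the next
        # <param-value> line is a port list.
        /<param-name>(admin\.)?allowed\.ports<\/param-name>/ { want = 1 }
        want && /<param-value>/ {
            want = 0
            value = $0
            sub(/.*<param-value>/, "", value); sub(/<\/param-value>.*/, "", value)
            n = split(value, parts, /[ \t]*,[ \t]*/)
            present = 0
            for (i = 1; i <= n; i++) if (parts[i] == port) present = 1
            if (value ~ pattern && !present) {
                sub(/<\/param-value>/, ", " port "</param-value>")
                changed++
            }
        }
        { print > out }
        END { print changed + 0 }
    ' "$file" && mv "$tmp" "$file"
}

# allowed_ports FILE: prints every allowed.ports value, one per line, for verification.
allowed_ports() {
    awk '/<param-name>(admin\.)?allowed\.ports<\/param-name>/ { want = 1 }
         want && /<param-value>/ { want = 0; v = $0
             sub(/.*<param-value>/, "", v); sub(/<\/param-value>.*/, "", v); print v }' "$1"
}

# Constructed sample in the shape of service.web.xml.in: one list in the
# %%zimbraMailPort%% form from the text above, one admin-only list.
write_sample_web_xml() {
    cat > "$1" <<'EOF'
<web-app>
  <servlet>
    <init-param>
      <param-name>allowed.ports</param-name>
      <param-value>%%zimbraMailPort%%, %%zimbraMailSSLPort%%, 7070, 7443, 7071</param-value>
    </init-param>
  </servlet>
  <servlet>
    <init-param>
      <param-name>allowed.ports</param-name>
      <param-value>7071</param-value>
    </init-param>
  </servlet>
</web-app>
EOF
}

# Stand-alone demonstration on the constructed sample.
sample=$(mktemp)
write_sample_web_xml "$sample"
echo "changed: $(add_allowed_port "$sample" 8009 'zimbraMailPort')"   # lists that serve the user UI
echo "changed: $(add_allowed_port "$sample" 8009 '7071')"             # admin lists as well
echo "changed: $(add_allowed_port "$sample" 8009 '7071')"             # second run is a no-op
allowed_ports "$sample"
rm -f "$sample"
```
<br />
Run it against the real templates (for example with port 8009 and the pattern ''zimbraMailPort'', then 8009 and ''7071'' if the admin interface should be reachable), check the result with ''allowed_ports'', and restart the application server as shown above.<br />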
<br />
=== Configuring Apache ===<br />
<br />
==== Using mod_proxy_ajp ====<br />
''mod_proxy_ajp'' requires Apache 2.1 or later, but is installed by default.<br />
<br />
* Enable ''mod_proxy_ajp''. Under Ubuntu, use the command:<br />
<pre>sudo a2enmod proxy_ajp</pre><br />
* Create a new Apache site for Zimbra. Under Ubuntu, add these lines to a new file named ''/etc/apache2/sites-available/zimbra'':<br />
<pre><br />
<IfModule mod_proxy_ajp.c><br />
ProxyRequests On<br />
ProxyVia On<br />
<br />
<Location /service><br />
Order allow,deny<br />
Allow from all<br />
ProxyPass ajp://localhost:8009/service<br />
ProxyPassReverse ajp://localhost:8009/service<br />
</Location><br />
<br />
<Location /zimbra><br />
Order allow,deny<br />
Allow from all<br />
ProxyPass ajp://localhost:8009/zimbra<br />
ProxyPassReverse ajp://localhost:8009/zimbra<br />
</Location><br />
<br />
# Only include this section to enable access to<br />
# the Zimbra administrative web interface<br />
<Location /zimbraAdmin><br />
Order allow,deny<br />
Allow from all<br />
ProxyPass ajp://localhost:8009/zimbraAdmin<br />
ProxyPassReverse ajp://localhost:8009/zimbraAdmin<br />
</Location><br />
<br />
</IfModule><br />
</pre><br />
* Enable the site. Under Ubuntu, use the command:<br />
<pre>sudo a2ensite zimbra</pre><br />
(Instead of creating a site, you could also add the previous configuration block to either ''apache2.conf'', ''httpd.conf'', or to a new file in ''conf.d/''.)<br />
* Restart Apache. Under Ubuntu, use the command:<br />
<pre>sudo /etc/init.d/apache2 force-reload</pre><br />
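Both site files above (the HTTP proxy one and the AJP one) set ''ProxyRequests On''. ProxyPass and ProxyPassReverse alone make Apache a reverse proxy; ProxyRequests On additionally turns it into a forward proxy for every client the access rules let in, which is the behaviour the "secure your server first" note in the Apache documentation refers to. As an added example (not part of this page or of Zimbra), the POSIX shell audit below reads a site file before it is enabled and reports ProxyRequests On as an error, and a proxied Location that has no Order/Allow/Deny directives at all, or an administrative Location opened with ''Allow from all'', as a warning. The two sample site files it writes are constructed: one is a trimmed variant of the AJP block with the /service access directives dropped, the other a hardened version with ProxyRequests Off and /zimbraAdmin limited to the 192.168.0.5 address used in the HTTP example.<br />
<br />
```shell
#!/bin/sh
# Added example, not part of the wiki page: audit an Apache 2.2-style site file
# like the ones above before enabling it with a2ensite. ProxyPass and
# ProxyPassReverse alone make a reverse proxy; ProxyRequests On additionally
# accepts forward-proxy requests for arbitrary hosts from any client allowed in.
# Usage: audit_proxy_conf /etc/apache2/sites-available/zimbra

# audit_proxy_conf FILE: prints one finding per line; returns 1 when an ERROR
# was found, 0 otherwise (WARNINGs are reported but do not fail the audit).
audit_proxy_conf() {
    awk '
        # Drop comments and surrounding whitespace so directives can be matched by field.
        { sub(/#.*/, ""); sub(/^[ \t]+/, ""); sub(/[ \t]+$/, "") }
        /^$/ { next }
        tolower($1) == "proxyrequests" {
            if (tolower($2) == "on")
                print "ERROR line " NR ": ProxyRequests On turns this reverse proxy into a forward proxy; use ProxyRequests Off"
            next
        }
        # Track what each <Location> block contains until its closing tag.
        /^<[Ll]ocation[ \t]/ {
            loc = $2; gsub(/["<>]/, "", loc)
            in_loc = 1; has_pass = 0; has_acl = 0; allow_all = 0; next
        }
        in_loc && tolower($1) == "proxypass" { has_pass = 1 }
        in_loc && (tolower($1) == "order" || tolower($1) == "allow" || tolower($1) == "deny") { has_acl = 1 }
        in_loc && tolower($0) ~ /^allow[ \t]+from[ \t]+all$/ { allow_all = 1 }
        /^<\/[Ll]ocation>/ {
            if (has_pass && !has_acl)
                print "WARNING: " loc " is proxied with no Order/Allow/Deny directives at all"
            if (has_pass && allow_all && tolower(loc) ~ /admin/)
                print "WARNING: " loc " looks like an administrative interface but is proxied with Allow from all"
            in_loc = 0; next
        }
    ' "$1" | {
        # Relay the findings and turn any ERROR line into a non-zero exit status.
        errors=0
        while IFS= read -r line; do
            echo "$line"
            case $line in ERROR*) errors=1 ;; esac
        done
        [ "$errors" -eq 0 ]
    }
}

# Constructed sample site files for a stand-alone run. 'as-posted' is a trimmed
# variant of the AJP block above with the /service access directives dropped;
# 'hardened' disables forward proxying and limits the admin interface to the
# 192.168.0.5 management address from the HTTP example.
write_sample_sites() {
    cat > "$1/zimbra-as-posted" <<'EOF'
<IfModule mod_proxy_ajp.c>
ProxyRequests On
ProxyVia On
<Location /service>
ProxyPass ajp://localhost:8009/service
ProxyPassReverse ajp://localhost:8009/service
</Location>
<Location /zimbraAdmin>
Order allow,deny
Allow from all
ProxyPass ajp://localhost:8009/zimbraAdmin
ProxyPassReverse ajp://localhost:8009/zimbraAdmin
</Location>
</IfModule>
EOF
    cat > "$1/zimbra-hardened" <<'EOF'
<IfModule mod_proxy_ajp.c>
ProxyRequests Off
<Location /zimbra>
Order allow,deny
Allow from all
ProxyPass ajp://localhost:8009/zimbra
ProxyPassReverse ajp://localhost:8009/zimbra
</Location>
<Location /zimbraAdmin>
Order deny,allow
Deny from all
Allow from 192.168.0.5
ProxyPass ajp://localhost:8009/zimbraAdmin
ProxyPassReverse ajp://localhost:8009/zimbraAdmin
</Location>
</IfModule>
EOF
}

# Stand-alone demonstration on the constructed samples.
demo_dir=$(mktemp -d)
write_sample_sites "$demo_dir"
for site in zimbra-as-posted zimbra-hardened; do
    echo "== $site"
    audit_proxy_conf "$demo_dir/$site" && echo "no errors"
done
rm -rf "$demo_dir"
```
<br />
Run the audit on ''/etc/apache2/sites-available/zimbra'' before ''a2ensite''; the Location access lists in the HTTP proxy block above already pass it once ProxyRequests is set to Off, and ''ProxyVia'' is unaffected either way.<br />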
<br />
==== Using mod_jk ====<br />
* Install ''mod_jk'' for Apache. Under Ubuntu, use the command:<br />
<pre>sudo apt-get install libapache2-mod-jk</pre><br />
* In the Apache configuration directory (''/etc/apache2'' in Ubuntu), create a file named ''workers.properties'' and add the following lines to it:<br />
<pre><br />
worker.list=zimbra<br />
worker.zimbra.type=ajp13<br />
worker.zimbra.host=localhost<br />
worker.zimbra.port=8009<br />
worker.zimbra.lbfactor=1<br />
</pre><br />
* Add configuration for ''mod_jk'' to Apache. Under Ubuntu, create a file named ''/etc/apache2/mods-available/jk.conf'' and add the following lines:<br />
<pre><br />
# Modify the following paths according to your distribution's filesystem layout<br />
JkWorkersFile /etc/apache2/workers.properties<br />
JkLogFile /var/log/apache2/jk.log<br />
JkShmFile /var/tmp/jk.shm<br />
JkLogLevel info<br />
JkLogStampFormat "[%a %b %d %H:%M:%S %Y] "<br />
JkRequestLogFormat "%w %V %T"<br />
JkOptions +ForwardKeySize +ForwardURICompat -ForwardDirectories<br />
<br />
JkMount /zimbra zimbra<br />
JkMount /zimbra/ zimbra<br />
JkMount /zimbra/* zimbra<br />
JkMount /service zimbra<br />
JkMount /service/ zimbra<br />
JkMount /service/* zimbra<br />
<br />
# Add the following lines to enable access to the Zimbra administrative web interface<br />
JkMount /zimbraAdmin zimbra<br />
JkMount /zimbraAdmin/ zimbra<br />
JkMount /zimbraAdmin/* zimbra<br />
</pre><br />
(Alternatively, you can add the previous block to either ''apache2.conf'', ''httpd.conf'', or a new file in ''conf.d/''.)<br />
* Enable ''mod_jk''. Under Ubuntu, use the command:<br />
<pre>sudo a2enmod jk</pre><br />
* Restart Apache. Under Ubuntu, use the command:<br />
<pre>sudo /etc/init.d/apache2 force-reload</pre><br />
<br />
== Known Issues ==<br />
When using the Documents Wiki (zmwiki), the links on the wiki page use the port that Zimbra is configured for (i.e., 8080). Currently, you must copy the link to the address bar in your browser, and change the port number in the address.<br />
<br />
== Credits ==<br />
Thanks to everyone at the [http://zimbra.com/forums/ Forums] for posting about their problems and efforts in trying to run Zimbra with Apache using mod_jk. Also, thanks to the original [[Using_Tomcat_with_Apache_(mod_jk)]] entry (a lot has been borrowed from it). This how-to is a result of their efforts.<br />
<br />
== See Also ==<br />
*[[Using_Tomcat_with_Apache_(mod_jk)]]<br />
*[[ZimbraApache]]<br />
*[[Hosting_other_sites_with_Zimbra]]<br />
<br />
[[Category:MTA]]</div>
Jarl
https://wiki.zimbra.com/index.php?title=Zimbra_with_Apache_using_mod_jk_-_mod_proxy_-_mod_proxy_ajp&diff=7539
Zimbra with Apache using mod jk - mod proxy - mod proxy ajp (2008-01-09T18:12:00Z)<p>Jarl: /* For Zimbra 5.0 */</p>
<hr />
<div>These instructions will enable access to Zimbra and other web applications/pages through the same host/port.<br />
<br />
For example, if the Zimbra web interface is running at http://your.domain.com:8080/, and a separate instance of Apache is running at http://your.domain.com/, follow these steps to enable access to the Zimbra web interface through http://your.domain.com/zimbra/.<br />
<br />
== Disclaimer ==<br />
This procedure is not fully verified, so follow these directions at your own risk. Particularly, note that using ''mod_proxy'' requires you to '''secure your server first''', according to the Apache documentation. '''Please edit this page''' if something is wrong or incomplete.<br />
<br />
== Methods ==<br />
There are two different ways of accomplishing this:<br />
# Creating an HTTP proxy to the Zimbra web interface, using Apache's [http://httpd.apache.org/docs/2.2/mod/mod_proxy.html mod_proxy]. (This method is easier but is generally considered to be less secure.)<br />
# Configuring the Zimbra web interface for the [http://en.wikipedia.org/wiki/Apache_JServ_Protocol Apache JServ Protocol] (AJP), and then using Apache's [http://httpd.apache.org/docs/2.2/mod/mod_proxy_ajp.html mod_proxy_ajp] or [http://en.wikipedia.org/wiki/Mod_jk mod_jk] to access it.<br />
<br />
== Prerequisites ==<br />
Zimbra and Apache should both be installed. ''mod_proxy_ajp'' requires Apache 2.1 or later.<br />
<br />
If you are installing Apache after installing Zimbra, you may first need to change the specific port numbers that the Zimbra web interface uses. For example, if you originally configured Zimbra to use port 80, you will need to change it to another port (such as 8080) in order for Apache to run on port 80. You can do this with the ''[[zmprov]]'' command.<br />
<br />
These instructions include the commands to use under Ubuntu Linux, which may need to be modified slightly under other distributions.<br />
<br />
== Using an HTTP proxy ==<br />
* Install and enable ''mod_proxy'' in Apache. Under Ubuntu, mod_proxy is installed by default, so just use this command to enable it:<br />
<pre>sudo a2enmod proxy</pre><br />
<br />
* Create a new Apache site for Zimbra. Under Ubuntu, add these lines to a new file named ''/etc/apache2/sites-available/zimbra'':<br />
<pre><br />
<IfModule mod_proxy.c><br />
ProxyRequests On<br />
ProxyVia On<br />
<br />
<Location "/service"><br />
# Modify to your setup, but do NOT skip these lines --<br />
# you MUST configure access controls securely!<br />
Order deny,allow<br />
Deny from all<br />
Allow from 127.0.0.1<br />
Allow from 192.168.0.5<br />
Allow from your.domain.com<br />
<br />
# Replace this URL with the host/port that the<br />
# Zimbra user web interface is using<br />
ProxyPass http://localhost:8080/service<br />
ProxyPassReverse http://localhost:8080/service<br />
</Location><br />
<br />
<Location "/zimbra"><br />
# Modify to your setup, but do NOT skip these lines --<br />
# you MUST configure access controls securely!<br />
Order deny,allow<br />
Deny from all<br />
Allow from 127.0.0.1<br />
Allow from 192.168.0.5<br />
Allow from your.domain.com<br />
<br />
# Replace this URL with the host/port that the<br />
# Zimbra user web interface is using<br />
ProxyPass http://localhost:8080/zimbra<br />
ProxyPassReverse http://localhost:8080/zimbra<br />
</Location><br />
<br />
# Only include this section to enable access to<br />
# the Zimbra administrative web interface<br />
<Location "/zimbraAdmin"><br />
# Modify to your setup, but do NOT skip these lines --<br />
# you MUST configure access controls securely!<br />
Order deny,allow<br />
Deny from all<br />
Allow from 127.0.0.1<br />
Allow from 192.168.0.5<br />
Allow from your.domain.com<br />
<br />
# Replace this URL with the host/port that the<br />
# Zimbra administrative web interface is using<br />
ProxyPass https://localhost:7071/zimbraAdmin<br />
ProxyPassReverse https://localhost:7071/zimbraAdmin<br />
</Location><br />
<br />
</IfModule><br />
</pre><br />
<br />
* Enable the site. Under Ubuntu, use the command:<br />
<pre>sudo a2ensite zimbra</pre><br />
(Instead of creating a site, you could also add the previous configuration block to either ''apache2.conf'', ''httpd.conf'', or to a new file in ''conf.d/''.)<br />
<br />
* Restart Apache. Under Ubuntu, use the command:<br />
<pre>sudo /etc/init.d/apache2 force-reload</pre><br />
<br />
== Using Apache JServ Protocol ==<br />
The application server ([http://www.mortbay.org/ Jetty] for Zimbra 5.0, or [http://tomcat.apache.org/ Tomcat] for Zimbra 4.5 and earlier) will be configured to bind to port 8009 and to serve requests on this port using the [http://en.wikipedia.org/wiki/Apache_JServ_Protocol Apache JServ Protocol (AJP)]. (It will also continue to bind to the existing ports that are used for accessing Zimbra's web interfaces.)<br />
<br />
An Apache site for Zimbra will then be configured; Apache will send requests to the application server through port 8009 using AJP. This will be accomplished using either [http://httpd.apache.org/docs/2.2/mod/mod_proxy_ajp.html mod_proxy_ajp] or [http://en.wikipedia.org/wiki/Mod_jk mod_jk].<br />
<br />
'''''Vote for AJP support in Zimbra:''''' If you would prefer to not have to edit several of Zimbra's configuration files by hand to get AJP to work, but would rather be able to turn it on easily from the administrative console/UI -- and you would like AJP to be "supported" by Zimbra -- vote for [http://bugzilla.zimbra.com/show_bug.cgi?id=23269 bug 23269].<br />
<br />
=== Configuring the application server ===<br />
<br />
==== For Zimbra 5.0 ====<br />
<br />
Edit the file ''/opt/zimbra/jetty/etc/jetty.xml.in'':<br />
* Search for these lines:<br />
<pre><br />
<!-- =========================================================== --><br />
<!-- Set connectors --><br />
<!-- =========================================================== --><br />
</pre><br />
* Below them, add the following:<br />
<pre><br />
<Call name="addConnector"><br />
<Arg><br />
<New id="ajp" class="org.mortbay.jetty.ajp.Ajp13SocketConnector"><br />
<Set name="port">8009</Set><br />
</New><br />
</Arg><br />
</Call><br />
</pre><br />
<br />
<br />
Next, edit the file ''/opt/zimbra/jetty/etc/service.web.xml.in'':<br />
* Search for instances of the ''allowed.ports'' parameter, which will look like this:<br />
<pre><br />
<init-param><br />
<param-name>allowed.ports</param-name><br />
<param-value>%%zimbraMailPort%%, %%zimbraMailSSLPort%%, 7070, 7443, 7071</param-value><br />
</init-param><br />
</pre><br />
* If the parameter value contains ''%%zimbraMailPort%%'' and ''%%zimbraMailSSLPort%%'', as above, then add port 8009 to the end of the list, like this:<br />
<pre><br />
...<br />
<param-value>%%zimbraMailPort%%, %%zimbraMailSSLPort%%, 7070, 7443, 7071, 8009</param-value><br />
...<br />
</pre><br />
* If you wish to enable access to the Zimbra administrative web interface, then also perform the above step on any instance of ''allowed.ports'' in which the value contains ''7071''.<br />
<br />
*If you want to allow access to the admin interface via the standard SSL port ''443'', you will also need to edit ''/opt/zimbra/jetty/etc/zimbraAdmin.web.xml.in'' and add port ''443'' to the allowed ports, like so:<br />
<pre><br />
<context-param><br />
<param-name>admin.allowed.ports</param-name><br />
<param-value>7071, 443</param-value><br />
</context-param><br />
</pre><br />
<br />
*If you are running in https or mixed mode, or depend on redirects, you will also have to change the following files so that Jetty redirects authentication requests to the Apache SSL port rather than the Jetty SSL port.<br />
<br />
*Edit ''webapps/zimbraAdmin/WEB-INF/web.xml'' and ''webapps/zimbra/WEB-INF/web.xml'' and replace the string ''%%zimbraMailSSLPort%%'' with ''443'' or your Apache SSL port. Currently it is not possible to have users redirected to a port other than the Jetty default port after logging in in mixed mode, since that would require changing ''%%zimbraMailPort%%'', and doing so breaks the install.<br />
<br />
*Also edit jetty.xml.in and change the ''confidentialPort'' to match the Apache SSL port:<br />
<pre><br />
<Set name="confidentialPort">443</Set><br />
</pre><br />
<br />
Finally, restart the application server. Under Ubuntu, type:<br />
<pre><br />
sudo -u zimbra /opt/zimbra/bin/zmmailboxdctl restart<br />
</pre><br />
<br />
==== For Zimbra 4.5 and earlier ====<br />
Edit the file ''/opt/zimbra/tomcat/conf/server.xml.in'':<br />
* Search for these lines in the file, and note the value of ''redirectPort'':<br />
<pre><br />
<!-- HTTPBEGIN --><br />
<Connector port="8080"<br />
acceptCount="1024"<br />
enableLookups="false" redirectPort="8443"<br />
maxThreads="100" minSpareThreads="100" maxSpareThreads="100"/><br />
<!-- HTTPEND --><br />
</pre><br />
* Then find this line:<br />
<pre><br />
<Engine name="Catalina" defaultHost="localhost"><br />
</pre><br />
* Just '''before''' this line, add the following:<br />
<pre><br />
<!-- AJPBEGIN --><br />
<Connector port="8009"<br />
acceptCount="1024"<br />
enableLookups="false" redirectPort="8443"<br />
protocol="AJP/1.3" /><br />
<!-- AJPEND --><br />
</pre><br />
Set ''redirectPort'' to the '''same value''' used in the existing lines for HTTP.<br />
<br />
<br />
Next, edit the files ''/opt/zimbra/tomcat/conf/service.web.xml.in'' and ''/opt/zimbra/tomcat/conf/zimbra.web.xml.in'' (and, if you would like to access the Zimbra administrative web interface, ''/opt/zimbra/tomcat/conf/zimbraAdmin.web.xml.in''):<br />
* Search for instances of the ''allowed.ports'' parameter, which will look like this:<br />
<pre><br />
<init-param><br />
<param-name>allowed.ports</param-name><br />
<param-value>8080, 8443, 7070, 7443, 7071</param-value><br />
</init-param><br />
</pre><br />
* For each instance, add ports 80 and 443 to the end of the list, like this:<br />
<pre><br />
...<br />
<param-value>8080, 8443, 7070, 7443, 7071, 80, 443</param-value><br />
...<br />
</pre><br />
<br />
<br />
Finally, restart the application server. Under Ubuntu, type:<br />
<pre><br />
sudo -u zimbra /opt/zimbra/bin/tomcat restart<br />
</pre><br />
<br />
=== Configuring Apache ===<br />
<br />
==== Using mod_proxy_ajp ====<br />
''mod_proxy_ajp'' requires Apache 2.1 or later, but is installed by default.<br />
<br />
* Enable ''mod_proxy_ajp''. Under Ubuntu, use the command:<br />
<pre>sudo a2enmod proxy_ajp</pre><br />
* Create a new Apache site for Zimbra. Under Ubuntu, add these lines to a new file named ''/etc/apache2/sites-available/zimbra'':<br />
<pre><br />
<IfModule mod_proxy_ajp.c><br />
ProxyRequests On<br />
ProxyVia On<br />
<br />
<Location /service><br />
Order allow,deny<br />
Allow from all<br />
ProxyPass ajp://localhost:8009/service<br />
ProxyPassReverse ajp://localhost:8009/service<br />
</Location><br />
<br />
<Location /zimbra><br />
Order allow,deny<br />
Allow from all<br />
ProxyPass ajp://localhost:8009/zimbra<br />
ProxyPassReverse ajp://localhost:8009/zimbra<br />
</Location><br />
<br />
# Only include this section to enable access to<br />
# the Zimbra administrative web interface<br />
<Location /zimbraAdmin><br />
Order allow,deny<br />
Allow from all<br />
ProxyPass ajp://localhost:8009/zimbraAdmin<br />
ProxyPassReverse ajp://localhost:8009/zimbraAdmin<br />
</Location><br />
<br />
</IfModule><br />
</pre><br />
* Enable the site. Under Ubuntu, use the command:<br />
<pre>sudo a2ensite zimbra</pre><br />
(Instead of creating a site, you could also add the previous configuration block to either ''apache2.conf'', ''httpd.conf'', or to a new file in ''conf.d/''.)<br />
* Restart Apache. Under Ubuntu, use the command:<br />
<pre>sudo /etc/init.d/apache2 force-reload</pre><br />
<br />
==== Using mod_jk ====<br />
* Install ''mod_jk'' for Apache. Under Ubuntu, use the command:<br />
<pre>sudo apt-get install libapache2-mod-jk</pre><br />
* In the Apache configuration directory (''/etc/apache2'' in Ubuntu), create a file named ''workers.properties'' and add the following lines to it:<br />
<pre><br />
worker.list=zimbra<br />
worker.zimbra.type=ajp13<br />
worker.zimbra.host=localhost<br />
worker.zimbra.port=8009<br />
worker.zimbra.lbfactor=1<br />
</pre><br />
* Add configuration for ''mod_jk'' to Apache. Under Ubuntu, create a file named ''/etc/apache2/mods-available/jk.conf'' and add the following lines:<br />
<pre><br />
# Modify the following three paths according to your distribution's filesystem layout<br />
JkWorkersFile /etc/apache2/workers.properties<br />
JkLogFile /var/log/apache2/jk.log<br />
JkShmFile /var/tmp/jk.shm<br />
JkLogLevel info<br />
JkLogStampFormat "[%a %b %d %H:%M:%S %Y] "<br />
JkRequestLogFormat "%w %V %T"<br />
JkOptions +ForwardKeySize +ForwardURICompat -ForwardDirectories<br />
<br />
JkMount /zimbra zimbra<br />
JkMount /zimbra/ zimbra<br />
JkMount /zimbra/* zimbra<br />
JkMount /service zimbra<br />
JkMount /service/ zimbra<br />
JkMount /service/* zimbra<br />
<br />
# Add the following lines to enable access to the Zimbra administrative web interface<br />
JkMount /zimbraAdmin zimbra<br />
JkMount /zimbraAdmin/ zimbra<br />
JkMount /zimbraAdmin/* zimbra<br />
</pre><br />
(Alternatively, you can add the previous block to either ''apache2.conf'', ''httpd.conf'', or a new file in ''conf.d/''.)<br />
* Enable ''mod_jk''. Under Ubuntu, use the command:<br />
<pre>sudo a2enmod jk</pre><br />
* Restart Apache. Under Ubuntu, use the command:<br />
<pre>sudo /etc/init.d/apache2 force-reload</pre><br />
<br />
== Known Issues ==<br />
When using the Documents Wiki (zmwiki), the links on the wiki page use the port that Zimbra is configured for (e.g., 8080). Currently, you must copy the link to the address bar in your browser and change the port number in the address.<br />
<br />
== Credits ==<br />
Thanks to everyone at the [http://zimbra.com/forums/ Forums] for posting about their problems and efforts in trying to run Zimbra with Apache using mod_jk. Also, thanks to the original [[Using_Tomcat_with_Apache_(mod_jk)]] entry (a lot has been borrowed from it). This how-to is a result of their efforts.<br />
<br />
== See Also ==<br />
*[[Using_Tomcat_with_Apache_(mod_jk)]]<br />
*[[ZimbraApache]]<br />
*[[Hosting_other_sites_with_Zimbra]]<br />
<br />
[[Category:MTA]]</div>Jarlhttps://wiki.zimbra.com/index.php?title=Zimbra_with_Apache_using_mod_jk_-_mod_proxy_-_mod_proxy_ajp&diff=7538Zimbra with Apache using mod jk - mod proxy - mod proxy ajp2008-01-09T16:38:53Z<p>Jarl: /* For Zimbra 5.0 */</p>
<hr />
<div>These instructions will enable access to Zimbra and other web applications/pages through the same host/port.<br />
<br />
For example, if the Zimbra web interface is running at http://your.domain.com:8080/, and a separate instance of Apache is running at http://your.domain.com/, follow these steps to enable access to the Zimbra web interface through http://your.domain.com/zimbra/.<br />
<br />
== Disclaimer ==<br />
This procedure is not fully verified, so follow these directions at your own risk. Particularly, note that using ''mod_proxy'' requires you to '''secure your server first''', according to the Apache documentation. '''Please edit this page''' if something is wrong or incomplete.<br />
<br />
== Methods ==<br />
There are two different ways of accomplishing this:<br />
# Creating an HTTP proxy to the Zimbra web interface, using Apache's [http://httpd.apache.org/docs/2.2/mod/mod_proxy.html mod_proxy]. (This method is easier but is generally considered to be less secure.)<br />
# Configuring the Zimbra web interface for the [http://en.wikipedia.org/wiki/Apache_JServ_Protocol Apache JServ Protocol] (AJP), and then using Apache's [http://httpd.apache.org/docs/2.2/mod/mod_proxy_ajp.html mod_proxy_ajp] or [http://en.wikipedia.org/wiki/Mod_jk mod_jk] to access it.<br />
<br />
== Prerequisites ==<br />
Zimbra and Apache should both be installed. ''mod_proxy_ajp'' requires Apache 2.1 or later.<br />
<br />
If you are installing Apache after installing Zimbra, you may first need to change the specific port numbers that the Zimbra web interface uses. For example, if you originally configured Zimbra to use port 80, you will need to change it to another port (such as 8080) in order for Apache to run on port 80. You can do this with the ''[[zmprov]]'' command.<br />
<br />
These instructions include the commands to use under Ubuntu Linux, which may need to be modified slightly under other distributions.<br />
<br />
== Using an HTTP proxy ==<br />
* Install and enable ''mod_proxy'' in Apache. Under Ubuntu, mod_proxy is installed by default, so just use this command to enable it:<br />
<pre>sudo a2enmod proxy</pre><br />
<br />
* Create a new Apache site for Zimbra. Under Ubuntu, add these lines to a new file named ''/etc/apache2/sites-available/zimbra'':<br />
<pre><br />
<IfModule mod_proxy.c><br />
# Reverse proxying via ProxyPass does not need ProxyRequests On;<br />
# leaving it On would turn Apache into an open forward proxy.<br />
ProxyRequests Off<br />
ProxyVia On<br />
<br />
<Location "/service"><br />
# Modify to your setup, but do NOT skip these lines --<br />
# you MUST configure access controls securely!<br />
Order deny,allow<br />
Deny from all<br />
Allow from 127.0.0.1<br />
Allow from 192.168.0.5<br />
Allow from your.domain.com<br />
<br />
# Replace this URL with the host/port that the<br />
# Zimbra user web interface is using<br />
ProxyPass http://localhost:8080/service<br />
ProxyPassReverse http://localhost:8080/service<br />
</Location><br />
<br />
<Location "/zimbra"><br />
# Modify to your setup, but do NOT skip these lines --<br />
# you MUST configure access controls securely!<br />
Order deny,allow<br />
Deny from all<br />
Allow from 127.0.0.1<br />
Allow from 192.168.0.5<br />
Allow from your.domain.com<br />
<br />
# Replace this URL with the host/port that the<br />
# Zimbra user web interface is using<br />
ProxyPass http://localhost:8080/zimbra<br />
ProxyPassReverse http://localhost:8080/zimbra<br />
</Location><br />
<br />
# Only include this section to enable access to<br />
# the Zimbra administrative web interface<br />
<Location "/zimbraAdmin"><br />
# Modify to your setup, but do NOT skip these lines --<br />
# you MUST configure access controls securely!<br />
Order deny,allow<br />
Deny from all<br />
Allow from 127.0.0.1<br />
Allow from 192.168.0.5<br />
Allow from your.domain.com<br />
<br />
# Replace this URL with the host/port that the<br />
# Zimbra administrative web interface is using<br />
ProxyPass https://localhost:7071/zimbraAdmin<br />
ProxyPassReverse https://localhost:7071/zimbraAdmin<br />
</Location><br />
<br />
</IfModule><br />
</pre><br />
<br />
* Enable the site. Under Ubuntu, use the command:<br />
<pre>sudo a2ensite zimbra</pre><br />
(Instead of creating a site, you could also add the previous configuration block to either ''apache2.conf'', ''httpd.conf'', or to a new file in ''conf.d/''.)<br />
<br />
* Restart Apache. Under Ubuntu, use the command:<br />
<pre>sudo /etc/init.d/apache2 force-reload</pre><br />
<br />
== Using Apache JServ Protocol ==<br />
The application server ([http://www.mortbay.org/ Jetty] for Zimbra 5.0, or [http://tomcat.apache.org/ Tomcat] for Zimbra 4.5 and earlier) will be configured to bind to port 8009, and to serve requests on this port using the [http://en.wikipedia.org/wiki/Apache_JServ_Protocol Apache JServ Protocol (AJP)]. (It will also continue to bind to the existing ports used for accessing Zimbra's web interfaces.)<br />
<br />
An Apache site for Zimbra will then be configured; Apache will send requests to the application server through port 8009 using AJP. This will be accomplished using either [http://httpd.apache.org/docs/2.2/mod/mod_proxy_ajp.html mod_proxy_ajp] or [http://en.wikipedia.org/wiki/Mod_jk mod_jk].<br />
<br />
'''''Vote for AJP support in Zimbra:''''' If you would prefer to not have to edit several of Zimbra's configuration files by hand to get AJP to work, but would rather be able to turn it on easily from the administrative console/UI -- and you would like AJP to be "supported" by Zimbra -- vote for [http://bugzilla.zimbra.com/show_bug.cgi?id=23269 bug 23269].<br />
<br />
=== Configuring the application server ===<br />
<br />
==== For Zimbra 5.0 ====<br />
<br />
Edit the file ''/opt/zimbra/jetty/etc/jetty.xml.in'':<br />
* Search for these lines:<br />
<pre><br />
<!-- =========================================================== --><br />
<!-- Set connectors --><br />
<!-- =========================================================== --><br />
</pre><br />
* Below them, add the following:<br />
<pre><br />
<Call name="addConnector"><br />
<Arg><br />
<New id="ajp" class="org.mortbay.jetty.ajp.Ajp13SocketConnector"><br />
<Set name="port">8009</Set><br />
</New><br />
</Arg><br />
</Call><br />
</pre><br />
<br />
<br />
Next, edit the file ''/opt/zimbra/jetty/etc/service.web.xml.in'':<br />
* Search for instances of the ''allowed.ports'' parameter, which will look like this:<br />
<pre><br />
<init-param><br />
<param-name>allowed.ports</param-name><br />
<param-value>%%zimbraMailPort%%, %%zimbraMailSSLPort%%, 7070, 7443, 7071</param-value><br />
</init-param><br />
</pre><br />
* If the parameter value contains ''%%zimbraMailPort%%'' and ''%%zimbraMailSSLPort%%'', as above, then add port 8009 to the end of the list, like this:<br />
<pre><br />
...<br />
<param-value>%%zimbraMailPort%%, %%zimbraMailSSLPort%%, 7070, 7443, 7071, 8009</param-value><br />
...<br />
</pre><br />
* If you wish to enable access to the Zimbra administrative web interface, then also perform the above step on any instance of ''allowed.ports'' in which the value contains ''7071''.<br />
<br />
* If you want to allow access to the admin interface via the standard SSL port ''443'', you will also need to edit ''/opt/zimbra/jetty/etc/zimbraAdmin.web.xml.in'' and add port ''443'' to the allowed ports, like so:<br />
<pre><br />
<context-param><br />
<param-name>admin.allowed.ports</param-name><br />
<param-value>7071, 443</param-value><br />
</context-param><br />
</pre><br />
<br />
* If you are running in mixed mode or depend on redirects to HTTPS, you will also have to change the following files so that Jetty redirects authentication requests to the Apache SSL port rather than the Jetty SSL port.<br />
<br />
* Edit ''webapps/zimbraAdmin/WEB-INF/web.xml'' and ''webapps/zimbra/WEB-INF/web.xml'' and replace the string ''%%zimbraMailSSLPort%%'' with ''443'' (or your Apache SSL port).<br />
<br />
* Also edit ''jetty.xml.in'' and change ''confidentialPort'' to match the Apache SSL port:<br />
<pre><br />
<Set name="confidentialPort">443</Set><br />
</pre><br />
<br />
Finally, restart the application server. Under Ubuntu, type:<br />
<pre><br />
sudo -u zimbra /opt/zimbra/bin/zmmailboxdctl restart<br />
</pre><br />
<br />
==== For Zimbra 4.5 and earlier ====<br />
Edit the file ''/opt/zimbra/tomcat/conf/server.xml.in'':<br />
* Search for these lines in the file, and note the value of ''redirectPort'':<br />
<pre><br />
<!-- HTTPBEGIN --><br />
<Connector port="8080"<br />
acceptCount="1024"<br />
enableLookups="false" redirectPort="8443"<br />
maxThreads="100" minSpareThreads="100" maxSpareThreads="100"/><br />
<!-- HTTPEND --><br />
</pre><br />
* Then find this line:<br />
<pre><br />
<Engine name="Catalina" defaultHost="localhost"><br />
</pre><br />
* Just '''before''' this line, add the following:<br />
<pre><br />
<!-- AJPBEGIN --><br />
<Connector port="8009"<br />
acceptCount="1024"<br />
enableLookups="false" redirectPort="8443"<br />
protocol="AJP/1.3" /><br />
<!-- AJPEND --><br />
</pre><br />
Set ''redirectPort'' to the '''same value''' used in the existing lines for HTTP.<br />
<br />
<br />
Next, edit the files ''/opt/zimbra/tomcat/conf/service.web.xml.in'' and ''/opt/zimbra/tomcat/conf/zimbra.web.xml.in'' (and, if you would like to access the Zimbra administrative web interface, ''/opt/zimbra/tomcat/conf/zimbraAdmin.web.xml.in''):<br />
* Search for instances of the ''allowed.ports'' parameter, which will look like this:<br />
<pre><br />
<init-param><br />
<param-name>allowed.ports</param-name><br />
<param-value>8080, 8443, 7070, 7443, 7071</param-value><br />
</init-param><br />
</pre><br />
* For each instance, add ports 80 and 443 to the end of the list, like this:<br />
<pre><br />
...<br />
<param-value>8080, 8443, 7070, 7443, 7071, 80, 443</param-value><br />
...<br />
</pre><br />
<br />
<br />
Finally, restart the application server. Under Ubuntu, type:<br />
<pre><br />
sudo -u zimbra /opt/zimbra/bin/tomcat restart<br />
</pre><br />
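The ''allowed.ports'' edits above (8009 for the Zimbra 5.0 Jetty files, 80 and 443 for the Zimbra 4.5 Tomcat files) have to be repeated for every instance of the parameter, and a missed or duplicated entry is easy to overlook. The following script is an added example, not part of this page or of Zimbra: it appends ports to every ''allowed.ports'' or ''admin.allowed.ports'' value that already lists the required tokens, skips ports that are already present, and works on the raw text so the ''%%zimbraMailPort%%'' placeholders and the file layout are preserved. The embedded web.xml fragment and the script name are constructed for the demonstration.<br />

```python
import re
import sys

# Constructed sample modelled on the allowed.ports fragments shown on this
# page; it is not a real Zimbra file.
SAMPLE_WEB_XML = """<web-app>
  <servlet>
    <init-param>
      <param-name>allowed.ports</param-name>
      <param-value>%%zimbraMailPort%%, %%zimbraMailSSLPort%%, 7070, 7443, 7071</param-value>
    </init-param>
  </servlet>
  <servlet>
    <init-param>
      <param-name>allowed.ports</param-name>
      <param-value>7071</param-value>
    </init-param>
  </servlet>
  <context-param>
    <param-name>admin.allowed.ports</param-name>
    <param-value>7071, 443</param-value>
  </context-param>
</web-app>
"""

# Matches the <param-name>/<param-value> pair of allowed.ports and
# admin.allowed.ports; everything around it is left untouched.
PARAM_RE = re.compile(
    r"(?P<open><param-name>\s*(?:admin\.)?allowed\.ports\s*</param-name>\s*"
    r"<param-value>)(?P<value>[^<]*)(?P<close></param-value>)"
)


def list_allowed_ports(xml_text):
    """Return the port list of every allowed.ports parameter, in file order."""
    return [[p.strip() for p in m.group("value").split(",") if p.strip()]
            for m in PARAM_RE.finditer(xml_text)]


def add_allowed_ports(xml_text, new_ports, require_tokens=()):
    """Append new_ports to each allowed.ports value that already lists every
    token in require_tokens (the %%...%% placeholders, or 7071 for the admin
    instances). Ports already present are not duplicated.
    Returns (new_text, number_of_values_changed)."""
    changed = 0

    def patch(match):
        nonlocal changed
        items = [p.strip() for p in match.group("value").split(",") if p.strip()]
        if not all(tok in items for tok in require_tokens):
            return match.group(0)
        missing = [str(p) for p in new_ports if str(p) not in items]
        if not missing:
            return match.group(0)
        changed += 1
        return match.group("open") + ", ".join(items + missing) + match.group("close")

    return PARAM_RE.sub(patch, xml_text), changed


def zimbra5_ajp_edit(xml_text, admin=True):
    """The Zimbra 5.0 procedure from this page: add 8009 where the value holds
    both %%zimbraMailPort%% and %%zimbraMailSSLPort%%, and, if the admin
    interface is wanted as well, wherever the value holds 7071."""
    text, n = add_allowed_ports(
        xml_text, [8009], ("%%zimbraMailPort%%", "%%zimbraMailSSLPort%%"))
    if admin:
        text, m = add_allowed_ports(text, [8009], ("7071",))
        n += m
    return text, n


if __name__ == "__main__":
    # Usage: python add_ports.py /opt/zimbra/jetty/etc/service.web.xml.in
    # With a path the file is rewritten in place; without one the sample is used.
    path = sys.argv[1] if len(sys.argv) > 1 else None
    source = open(path).read() if path else SAMPLE_WEB_XML
    result, count = zimbra5_ajp_edit(source)
    if path:
        with open(path, "w") as fh:
            fh.write(result)
    print("allowed.ports values updated: %d" % count)
```

Running the script a second time changes nothing, so it is safe to re-run after a Zimbra upgrade has rewritten the templates.<br />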
<br />
=== Configuring Apache ===<br />
<br />
==== Using mod_proxy_ajp ====<br />
''mod_proxy_ajp'' requires Apache 2.1 or later; it is part of the standard Apache installation but must still be enabled.<br />
<br />
* Enable ''mod_proxy_ajp''. Under Ubuntu, use the command:<br />
<pre>sudo a2enmod proxy_ajp</pre><br />
* Create a new Apache site for Zimbra. Under Ubuntu, add these lines to a new file named ''/etc/apache2/sites-available/zimbra'':<br />
<pre><br />
<IfModule mod_proxy_ajp.c><br />
# Reverse proxying via ProxyPass does not need ProxyRequests On;<br />
# leaving it On would turn Apache into an open forward proxy.<br />
ProxyRequests Off<br />
ProxyVia On<br />
<br />
<Location /service><br />
Order allow,deny<br />
Allow from all<br />
ProxyPass ajp://localhost:8009/service<br />
ProxyPassReverse ajp://localhost:8009/service<br />
</Location><br />
<br />
<Location /zimbra><br />
Order allow,deny<br />
Allow from all<br />
ProxyPass ajp://localhost:8009/zimbra<br />
ProxyPassReverse ajp://localhost:8009/zimbra<br />
</Location><br />
<br />
# Only include this section to enable access to<br />
# the Zimbra administrative web interface<br />
<Location /zimbraAdmin><br />
Order allow,deny<br />
Allow from all<br />
ProxyPass ajp://localhost:8009/zimbraAdmin<br />
ProxyPassReverse ajp://localhost:8009/zimbraAdmin<br />
</Location><br />
<br />
</IfModule><br />
</pre><br />
* Enable the site. Under Ubuntu, use the command:<br />
<pre>sudo a2ensite zimbra</pre><br />
(Instead of creating a site, you could also add the previous configuration block to either ''apache2.conf'', ''httpd.conf'', or to a new file in ''conf.d/''.)<br />
* Restart Apache. Under Ubuntu, use the command:<br />
<pre>sudo /etc/init.d/apache2 force-reload</pre><br />
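Both Apache site blocks above (the HTTP proxy one and the mod_proxy_ajp one) rely on ''ProxyRequests'' and on the Apache 2.2 ''Order''/''Allow''/''Deny'' directives, and the warning in the Disclaimer about securing ''mod_proxy'' concerns exactly those settings. The following checker is an added example, not part of this page or of the Apache project: it parses a site file, flags ''ProxyRequests On'' with no <Proxy> block (an open forward proxy), and reports a ''/zimbraAdmin'' location that is reachable by every client. The embedded site fragment is constructed from the two blocks on this page, with the administrative location deliberately left open so the check has something to report.<br />

```python
import re
import sys

# Constructed sample modelled on the mod_proxy and mod_proxy_ajp site blocks
# shown on this page; it is not the page's file verbatim.
SAMPLE_SITE = """<IfModule mod_proxy.c>
ProxyRequests On
<Location "/service">
    Order deny,allow
    Deny from all
    Allow from 127.0.0.1
    Allow from 192.168.0.5
    ProxyPass http://localhost:8080/service
    ProxyPassReverse http://localhost:8080/service
</Location>
<Location /zimbra>
    Order allow,deny
    Allow from all
    ProxyPass ajp://localhost:8009/zimbra
</Location>
# Administrative interface left reachable by every client
<Location /zimbraAdmin>
    Order allow,deny
    Allow from all
    ProxyPass https://localhost:7071/zimbraAdmin
</Location>
</IfModule>
"""

LOCATION_RE = re.compile(r'<Location\s+"?([^\s">]+)"?\s*>', re.IGNORECASE)


def parse_site(text):
    """Collect ProxyRequests, whether a <Proxy> block exists, and for every
    <Location> its ProxyPass target, Order, and Allow/Deny host lists."""
    state = {"proxy_requests": "off", "proxy_block": False, "locations": {}}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        match = LOCATION_RE.match(line)
        if match:
            current = {"order": None, "allow": [], "deny": [], "backend": None}
            state["locations"][match.group(1)] = current
            continue
        if line.lower().startswith("</location"):
            current = None
            continue
        if line.lower().startswith("<proxy"):
            state["proxy_block"] = True
            continue
        parts = line.split()
        key = parts[0].lower()
        if key == "proxyrequests" and len(parts) > 1:
            state["proxy_requests"] = parts[1].lower()
        elif current is not None and len(parts) > 1:
            if key == "order":
                current["order"] = parts[1].lower()
            elif key in ("allow", "deny") and parts[1].lower() == "from":
                current[key] += [h.lower() for h in parts[2:]]
            elif key == "proxypass":
                current["backend"] = parts[1]
    return state


def open_to_all(loc):
    """Apache 2.2 Order/Allow/Deny semantics, reduced to the patterns used on
    this page: does the block admit every client?"""
    if loc["order"] == "allow,deny":
        return "all" in loc["allow"] and "all" not in loc["deny"]
    # deny,allow (also the default when Order is absent): open unless denied
    return "all" not in loc["deny"] or "all" in loc["allow"]


def audit(text):
    """Return the list of findings for one Apache site configuration."""
    state = parse_site(text)
    findings = []
    if state["proxy_requests"] == "on" and not state["proxy_block"]:
        findings.append("ProxyRequests On without a <Proxy> access block: Apache "
                        "relays arbitrary URLs for any client (open forward proxy); "
                        "ProxyPass reverse proxying works with ProxyRequests Off")
    for path, loc in state["locations"].items():
        if loc["backend"] is None:
            findings.append("%s: no ProxyPass target" % path)
        if path.lower().startswith("/zimbraadmin") and open_to_all(loc):
            findings.append("%s: admin interface proxied to %s is reachable by "
                            "every client; add Deny from all and Allow from the "
                            "administrators' hosts" % (path, loc["backend"]))
    return findings


if __name__ == "__main__":
    # Usage: python audit_site.py /etc/apache2/sites-available/zimbra
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SITE
    for finding in audit(source) or ["no findings"]:
        print(finding)
```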
<br />
==== Using mod_jk ====<br />
* Install ''mod_jk'' for Apache. Under Ubuntu, use the command:<br />
<pre>sudo apt-get install libapache2-mod-jk</pre><br />
* In the Apache configuration directory (''/etc/apache2'' in Ubuntu), create a file named ''workers.properties'' and add the following lines to it:<br />
<pre><br />
worker.list=zimbra<br />
worker.zimbra.type=ajp13<br />
worker.zimbra.host=localhost<br />
worker.zimbra.port=8009<br />
worker.zimbra.lbfactor=1<br />
</pre><br />
* Add configuration for ''mod_jk'' to Apache. Under Ubuntu, create a file named ''/etc/apache2/mods-available/jk.conf'' and add the following lines:<br />
<pre><br />
# Modify the following three paths according to your distribution's filesystem layout<br />
JkWorkersFile /etc/apache2/workers.properties<br />
JkLogFile /var/log/apache2/jk.log<br />
JkShmFile /var/tmp/jk.shm<br />
JkLogLevel info<br />
JkLogStampFormat "[%a %b %d %H:%M:%S %Y] "<br />
JkRequestLogFormat "%w %V %T"<br />
JkOptions +ForwardKeySize +ForwardURICompat -ForwardDirectories<br />
<br />
JkMount /zimbra zimbra<br />
JkMount /zimbra/ zimbra<br />
JkMount /zimbra/* zimbra<br />
JkMount /service zimbra<br />
JkMount /service/ zimbra<br />
JkMount /service/* zimbra<br />
<br />
# Add the following lines to enable access to the Zimbra administrative web interface<br />
JkMount /zimbraAdmin zimbra<br />
JkMount /zimbraAdmin/ zimbra<br />
JkMount /zimbraAdmin/* zimbra<br />
</pre><br />
(Alternatively, you can add the previous block to either ''apache2.conf'', ''httpd.conf'', or a new file in ''conf.d/''.)<br />
* Enable ''mod_jk''. Under Ubuntu, use the command:<br />
<pre>sudo a2enmod jk</pre><br />
* Restart Apache. Under Ubuntu, use the command:<br />
<pre>sudo /etc/init.d/apache2 force-reload</pre><br />
<br />
== Known Issues ==<br />
When using the Documents Wiki (zmwiki), the links on the wiki page use the port that Zimbra is configured for (e.g., 8080). Currently, you must copy the link to the address bar in your browser and change the port number in the address.<br />
<br />
== Credits ==<br />
Thanks to everyone at the [http://zimbra.com/forums/ Forums] for posting about their problems and efforts in trying to run Zimbra with Apache using mod_jk. Also, thanks to the original [[Using_Tomcat_with_Apache_(mod_jk)]] entry (a lot has been borrowed from it). This how-to is a result of their efforts.<br />
<br />
== See Also ==<br />
*[[Using_Tomcat_with_Apache_(mod_jk)]]<br />
*[[ZimbraApache]]<br />
*[[Hosting_other_sites_with_Zimbra]]<br />
<br />
[[Category:MTA]]</div>Jarlhttps://wiki.zimbra.com/index.php?title=Zimbra_with_Apache_using_mod_jk_-_mod_proxy_-_mod_proxy_ajp&diff=7537Zimbra with Apache using mod jk - mod proxy - mod proxy ajp2008-01-09T14:05:10Z<p>Jarl: /* For Zimbra 5.0 */</p>
<hr />
<div>This revision is identical to the one above, except that the "For Zimbra 5.0" section does not yet contain the notes on mixed-mode operation and redirecting to the Apache SSL port.</div>Jarlhttps://wiki.zimbra.com/index.php?title=Zimbra_with_Apache_using_mod_jk_-_mod_proxy_-_mod_proxy_ajp&diff=7531Zimbra with Apache using mod jk - mod proxy - mod proxy ajp2008-01-08T16:10:13Z<p>Jarl: /* Using mod_jk */</p>
<hr />
<div>These instructions will enable access to Zimbra and other web applications/pages through the same host/port.<br />
<br />
For example, if the Zimbra web interface is running at http://your.domain.com:8080/, and a separate instance of Apache is running at http://your.domain.com/, follow these steps to enable access to the Zimbra web interface through http://your.domain.com/zimbra/.<br />
<br />
== Disclaimer ==<br />
This procedure is not fully verified, so follow these directions at your own risk. Particularly, note that using ''mod_proxy'' requires you to '''secure your server first''', according to the Apache documentation. '''Please edit this page''' if something is wrong or incomplete.<br />
<br />
== Methods ==<br />
There are two different ways of accomplishing this:<br />
# Creating an HTTP proxy to the Zimbra web interface, using Apache's [http://httpd.apache.org/docs/2.2/mod/mod_proxy.html mod_proxy]. (This method is easier but is generally considered to be less secure.)<br />
# Configuring the Zimbra web interface for the [http://en.wikipedia.org/wiki/Apache_JServ_Protocol Apache JServ Protocol] (AJP), and then using Apache's [http://httpd.apache.org/docs/2.2/mod/mod_proxy_ajp.html mod_proxy_ajp] or [http://en.wikipedia.org/wiki/Mod_jk mod_jk] to access it.<br />
<br />
== Prerequisites ==<br />
Zimbra and Apache should both be installed. ''mod_proxy_ajp'' requires Apache 2.1 or later.<br />
<br />
If you are installing Apache after installing Zimbra, you may first need to change the specific port numbers that the Zimbra web interface uses. For example, if you originally configured Zimbra to use port 80, you will need to change it to another port (such as 8080) in order for Apache to run on port 80. You can do this with the ''[[zmprov]]'' command.<br />
<br />
These instructions include the commands to use under Ubuntu Linux, which may need to be modified slightly under other distributions.<br />
<br />
== Using an HTTP proxy ==<br />
* Install and enable ''mod_proxy'' in Apache. Under Ubuntu, mod_proxy is installed by default, so just use this command to enable it:<br />
<pre>sudo a2enmod proxy</pre><br />
<br />
* Create a new Apache site for Zimbra. Under Ubuntu, add these lines to a new file named ''/etc/apache2/sites-available/zimbra'':<br />
<pre><br />
<IfModule mod_proxy.c><br />
# ProxyPass below works as a reverse proxy with ProxyRequests Off;<br />
# "On" would also enable forward proxying (an open proxy unless restricted)<br />
ProxyRequests Off<br />
ProxyVia On<br />
<br />
<Location "/service"><br />
# Modify to your setup, but do NOT skip these lines --<br />
# you MUST configure access controls securely!<br />
Order deny,allow<br />
Deny from all<br />
Allow from 127.0.0.1<br />
Allow from 192.168.0.5<br />
Allow from your.domain.com<br />
<br />
# Replace this URL with the host/port that the<br />
# Zimbra user web interface is using<br />
ProxyPass http://localhost:8080/service<br />
ProxyPassReverse http://localhost:8080/service<br />
</Location><br />
<br />
<Location "/zimbra"><br />
# Modify to your setup, but do NOT skip these lines --<br />
# you MUST configure access controls securely!<br />
Order deny,allow<br />
Deny from all<br />
Allow from 127.0.0.1<br />
Allow from 192.168.0.5<br />
Allow from your.domain.com<br />
<br />
# Replace this URL with the host/port that the<br />
# Zimbra user web interface is using<br />
ProxyPass http://localhost:8080/zimbra<br />
ProxyPassReverse http://localhost:8080/zimbra<br />
</Location><br />
<br />
# Only include this section to enable access to<br />
# the Zimbra administrative web interface<br />
<Location "/zimbraAdmin"><br />
# Modify to your setup, but do NOT skip these lines --<br />
# you MUST configure access controls securely!<br />
Order deny,allow<br />
Deny from all<br />
Allow from 127.0.0.1<br />
Allow from 192.168.0.5<br />
Allow from your.domain.com<br />
<br />
# Replace this URL with the host/port that the<br />
# Zimbra administrative web interface is using.<br />
# Proxying to an https:// backend also requires mod_ssl and<br />
# "SSLProxyEngine On" in the server or virtual host configuration.<br />
ProxyPass https://localhost:7071/zimbraAdmin<br />
ProxyPassReverse https://localhost:7071/zimbraAdmin<br />
</Location><br />
<br />
</IfModule><br />
</pre><br />
<br />
* Enable the site. Under Ubuntu, use the command:<br />
<pre>sudo a2ensite zimbra</pre><br />
(Instead of creating a site, you could also add the previous configuration block to either ''apache2.conf'', ''httpd.conf'', or to a new file in ''conf.d/''.)<br />
<br />
* Restart Apache. Under Ubuntu, use the command:<br />
<pre>sudo /etc/init.d/apache2 force-reload</pre><br />
<br />
== Using Apache JServ Protocol ==<br />
The application server ([http://www.mortbay.org/ Jetty] for Zimbra 5.0, or [http://tomcat.apache.org/ Tomcat] for Zimbra 4.5 and earlier) will be configured to bind to port 8009 and to serve requests on that port using the [http://en.wikipedia.org/wiki/Apache_JServ_Protocol Apache JServ Protocol (AJP)]. (It will also continue to bind to the existing ports used for accessing Zimbra's web interfaces.)<br />
<br />
An Apache site for Zimbra will then be configured; Apache will send requests to the application server through port 8009 using AJP. This will be accomplished using either [http://httpd.apache.org/docs/2.2/mod/mod_proxy_ajp.html mod_proxy_ajp] or [http://en.wikipedia.org/wiki/Mod_jk mod_jk].<br />
<br />
'''''Vote for AJP support in Zimbra:''''' If you would prefer to not have to edit several of Zimbra's configuration files by hand to get AJP to work, but would rather be able to turn it on easily from the administrative console/UI -- and you would like AJP to be "supported" by Zimbra -- vote for [http://bugzilla.zimbra.com/show_bug.cgi?id=23269 bug 23269].<br />
<br />
=== Configuring the application server ===<br />
<br />
==== For Zimbra 5.0 ====<br />
<br />
Edit the file ''/opt/zimbra/jetty/etc/jetty.xml.in'':<br />
* Search for these lines:<br />
<pre><br />
<!-- =========================================================== --><br />
<!-- Set connectors --><br />
<!-- =========================================================== --><br />
</pre><br />
* Below them, add the following:<br />
<pre><br />
<Call name="addConnector"><br />
<Arg><br />
<New id="ajp" class="org.mortbay.jetty.ajp.Ajp13SocketConnector"><br />
<Set name="port">8009</Set><br />
</New><br />
</Arg><br />
</Call><br />
</pre><br />
<br />
<br />
Next, edit the file ''/opt/zimbra/jetty/etc/service.web.xml.in'':<br />
* Search for instances of the ''allowed.ports'' parameter, which will look like this:<br />
<pre><br />
<init-param><br />
<param-name>allowed.ports</param-name><br />
<param-value>%%zimbraMailPort%%, %%zimbraMailSSLPort%%, 7070, 7443, 7071</param-value><br />
</init-param><br />
</pre><br />
* If the parameter value contains ''%%zimbraMailPort%%'' and ''%%zimbraMailSSLPort%%'', as above, then add port 8009 to the end of the list, like this:<br />
<pre><br />
...<br />
<param-value>%%zimbraMailPort%%, %%zimbraMailSSLPort%%, 7070, 7443, 7071, 8009</param-value><br />
...<br />
</pre><br />
* If you wish to enable access to the Zimbra administrative web interface, then also perform the above step on any instance of ''allowed.ports'' in which the value contains ''7071''.<br />
<br />
<br />
Finally, restart the application server. Under Ubuntu, type:<br />
<pre><br />
sudo -u zimbra /opt/zimbra/bin/zmmailboxdctl restart<br />
</pre><br />
<br />
==== For Zimbra 4.5 and earlier ====<br />
Edit the file ''/opt/zimbra/tomcat/conf/server.xml.in'':<br />
* Search for these lines in the file, and note the value of ''redirectPort'':<br />
<pre><br />
<!-- HTTPBEGIN --><br />
<Connector port="8080"<br />
acceptCount="1024"<br />
enableLookups="false" redirectPort="8443"<br />
maxThreads="100" minSpareThreads="100" maxSpareThreads="100"/><br />
<!-- HTTPEND --><br />
</pre><br />
* Then find this line:<br />
<pre><br />
<Engine name="Catalina" defaultHost="localhost"><br />
</pre><br />
* Just '''before''' this line, add the following:<br />
<pre><br />
<!-- AJPBEGIN --><br />
<Connector port="8009"<br />
acceptCount="1024"<br />
enableLookups="false" redirectPort="8443"<br />
protocol="AJP/1.3" /><br />
<!-- AJPEND --><br />
</pre><br />
Set ''redirectPort'' to the '''same value''' used in the existing lines for HTTP.<br />
<br />
<br />
Next, edit the files ''/opt/zimbra/tomcat/conf/service.web.xml.in'' and ''/opt/zimbra/tomcat/conf/zimbra.web.xml.in'' (and, if you would like to access the Zimbra administrative web interface, ''/opt/zimbra/tomcat/conf/zimbraAdmin.web.xml.in''):<br />
* Search for instances of the ''allowed.ports'' parameter, which will look like this:<br />
<pre><br />
<init-param><br />
<param-name>allowed.ports</param-name><br />
<param-value>8080, 8443, 7070, 7443, 7071</param-value><br />
</init-param><br />
</pre><br />
* For each instance, add ports 80 and 443 to the end of the list, like this:<br />
<pre><br />
...<br />
<param-value>8080, 8443, 7070, 7443, 7071, 80, 443</param-value><br />
...<br />
</pre><br />
<br />
<br />
Finally, restart the application server. Under Ubuntu, type:<br />
<pre><br />
sudo -u zimbra /opt/zimbra/bin/tomcat restart<br />
</pre><br />
<br />
=== Configuring Apache ===<br />
<br />
==== Using mod_proxy_ajp ====<br />
''mod_proxy_ajp'' requires Apache 2.1 or later, but is installed by default.<br />
<br />
* Enable ''mod_proxy_ajp''. Under Ubuntu, use the command:<br />
<pre>sudo a2enmod proxy_ajp</pre><br />
* Create a new Apache site for Zimbra. Under Ubuntu, add these lines to a new file named ''/etc/apache2/sites-available/zimbra'':<br />
<pre><br />
<IfModule mod_proxy_ajp.c><br />
# ProxyPass below works as a reverse proxy with ProxyRequests Off;<br />
# "On" would also enable forward proxying (an open proxy unless restricted)<br />
ProxyRequests Off<br />
ProxyVia On<br />
<br />
<Location /service><br />
Order allow,deny<br />
Allow from all<br />
ProxyPass ajp://localhost:8009/service<br />
ProxyPassReverse ajp://localhost:8009/service<br />
</Location><br />
<br />
<Location /zimbra><br />
Order allow,deny<br />
Allow from all<br />
ProxyPass ajp://localhost:8009/zimbra<br />
ProxyPassReverse ajp://localhost:8009/zimbra<br />
</Location><br />
<br />
# Only include this section to enable access to<br />
# the Zimbra administrative web interface<br />
<Location /zimbraAdmin><br />
# Restrict this as in the mod_proxy example above (Deny from all,<br />
# then Allow from specific hosts) rather than allowing every client<br />
Order allow,deny<br />
Allow from all<br />
ProxyPass ajp://localhost:8009/zimbraAdmin<br />
ProxyPassReverse ajp://localhost:8009/zimbraAdmin<br />
</Location><br />
<br />
</IfModule><br />
</pre><br />
* Enable the site. Under Ubuntu, use the command:<br />
<pre>sudo a2ensite zimbra</pre><br />
(Instead of creating a site, you could also add the previous configuration block to either ''apache2.conf'', ''httpd.conf'', or to a new file in ''conf.d/''.)<br />
* Restart Apache. Under Ubuntu, use the command:<br />
<pre>sudo /etc/init.d/apache2 force-reload</pre><br />
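As an added check (example code written for this page, not part of the wiki article or of Zimbra or Apache), the following Python audits site configurations like the mod_proxy and mod_proxy_ajp ones above for the two weaknesses a reviewer would look for first: forward proxying enabled alongside ProxyPass, and a /zimbraAdmin location open to every client. The sample configuration inside it is constructed, not taken from a real server.<br />

```python
# Added example (not from the wiki page): a small static audit of Apache site
# configs like the mod_proxy and mod_proxy_ajp ones above. It flags
# "ProxyRequests On" in a site that only uses ProxyPass (reverse proxying does
# not need it, and On also enables forward proxying) and an open /zimbraAdmin.
import re

_LOC_OPEN = re.compile(r'^<Location\s+"?([^"\s>]+)"?\s*>$', re.IGNORECASE)
_LOC_CLOSE = re.compile(r'^</Location>$', re.IGNORECASE)

def audit_proxy_config(text):
    """Return a list of findings (strings) for one Apache site configuration."""
    findings, location = [], None
    uses_proxypass = proxy_requests_on = admin_open = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        m = _LOC_OPEN.match(line)
        if m:
            location = m.group(1).lower()  # track which <Location> we are in
            continue
        if _LOC_CLOSE.match(line):
            location = None
            continue
        words = line.lower().split()
        if words[:2] == ["proxyrequests", "on"]:
            proxy_requests_on = True
        elif words[0] == "proxypass":
            uses_proxypass = True
        elif words == ["allow", "from", "all"] and location == "/zimbraadmin":
            admin_open = True
    if proxy_requests_on and uses_proxypass:
        findings.append("ProxyRequests On with ProxyPass: reverse proxying works with "
                        "ProxyRequests Off; On also makes Apache a forward proxy")
    if admin_open:
        findings.append("/zimbraAdmin allows every client; restrict 'Allow from'")
    return findings

# Constructed sample modelled on the mod_proxy_ajp site above, plus a hardened variant.
WEAK_SITE = """
ProxyRequests On
<Location /zimbraAdmin>
    Order allow,deny
    Allow from all
    ProxyPass ajp://localhost:8009/zimbraAdmin
</Location>
"""
HARDENED_SITE = (WEAK_SITE.replace("ProxyRequests On", "ProxyRequests Off")
                 .replace("Allow from all", "Allow from 127.0.0.1"))
```

Running `audit_proxy_config` over the weak sample returns both findings and over the hardened sample returns none; point it at your own site file's contents before enabling the site.<br />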
<br />
==== Using mod_jk ====<br />
* Install ''mod_jk'' for Apache. Under Ubuntu, use the command:<br />
<pre>sudo apt-get install libapache2-mod-jk</pre><br />
* In the Apache configuration directory (''/etc/apache2'' in Ubuntu), create a file named ''workers.properties'' and add the following lines to it:<br />
<pre><br />
worker.list=zimbra<br />
worker.zimbra.type=ajp13<br />
worker.zimbra.host=localhost<br />
worker.zimbra.port=8009<br />
worker.zimbra.lbfactor=1<br />
</pre><br />
* Add configuration for ''mod_jk'' to Apache. Under Ubuntu, create a file named ''/etc/apache2/mods-available/jk.conf'' and add the following lines:<br />
<pre><br />
# Modify the following two paths, according to your distribution's filesystem layout<br />
JkWorkersFile /etc/apache2/workers.properties<br />
JkLogFile /var/log/apache2/jk.log<br />
JkShmFile /var/tmp/jk.shm<br />
JkLogLevel info<br />
JkLogStampFormat "[%a %b %d %H:%M:%S %Y] "<br />
JkRequestLogFormat "%w %V %T"<br />
JkOptions +ForwardKeySize +ForwardURICompat -ForwardDirectories<br />
<br />
JkMount /zimbra zimbra<br />
JkMount /zimbra/ zimbra<br />
JkMount /zimbra/* zimbra<br />
JkMount /service zimbra<br />
JkMount /service/ zimbra<br />
JkMount /service/* zimbra<br />
<br />
# Add the following lines to enable access to the Zimbra administrative web interface<br />
JkMount /zimbraAdmin zimbra<br />
JkMount /zimbraAdmin/ zimbra<br />
JkMount /zimbraAdmin/* zimbra<br />
</pre><br />
(Alternatively, you can add the previous block to either ''apache2.conf'', ''httpd.conf'', or a new file in ''conf.d/''.)<br />
* Enable ''mod_jk''. Under Ubuntu, use the command:<br />
<pre>sudo a2enmod jk</pre><br />
* Restart Apache. Under Ubuntu, use the command:<br />
<pre>sudo /etc/init.d/apache2 force-reload</pre><br />
<br />
== Known Issues ==<br />
When using the Documents Wiki (zmwiki), the links on the wiki page use the port that Zimbra is configured for (e.g., 8080). Currently, you must copy the link to the address bar in your browser, and change the port number in the address.<br />
<br />
== Credits ==<br />
Thanks to everyone at the [http://zimbra.com/forums/ Forums] for posting about their problems and efforts in trying to run Zimbra with Apache using mod_jk. Also, thanks to the original [[Using_Tomcat_with_Apache_(mod_jk)]] entry (a lot has been borrowed from it). This how-to is a result of their efforts.<br />
<br />
== See Also ==<br />
*[[Using_Tomcat_with_Apache_(mod_jk)]]<br />
*[[ZimbraApache]]<br />
*[[Hosting_other_sites_with_Zimbra]]<br />
<br />
[[Category:MTA]]</div>Jarl