FreeIPA with Kerberos

   KB 22445        Last updated on 2015-12-18  

(0 votes)

Sine the version 8.0 of Zimbra, it's now possible to delegate authentication to a Kerberos server. Here we are going to see how it's possible to make the Kerberos authentication against the OpenSource version of IdM [1] from Red Hat : FreeIPA.

About FreeIPA

FreeIPA is an integrated security information management solution combining Linux (Fedora), 389 Directory Server, MIT Kerberos, NTP, DNS, Dogtag (Certificate System). It consists of a web interface and command-line administration tools. [2]

Configure Zimbra with FreeIPA

Integration of the Zimbra Server into the Kerberos Domain

First of all, the Zimbra needs to be part of the FreeIPA domain :

ipa-client-install --enable-dns-updates --domain=DOMAIN.TLD --server=FREEIPA.DOMAIN.TLD

Make sure before starting the client installation to point your /etc/resolv.conf to your FreeIPA server to resolve the LDAP/Kerberos records. Follow the wizard to integrate it.

Once it's done, you can verify that you can obtain a Kerberos ticket by connecting with a FreeIPA account.

kinit admin

you can verify the Kerberos ticket by typing :

Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin@DOMAIN.TLD

Valid starting     Expires            Service principal
12/18/15 23:26:10  12/19/15 23:26:10  krbtgt/DOMAIN.TLD@DOMAIN.TLD

we can now pass to the next step and configure Zimbra.

Zimbra configuraiton

First of all we need to verify in the Kerberos configuration that the system will make a DNS lookup on the KDC. To verify this, you need to check that the dns_lookup_kdc option is set to ture in the krb5.conf

Finally, with the zimbra user you just have to enter the following commands :

zmprov md domain.tld  zimbraAuthMech kerberos5
zmprov md domain.tld zimbraAuthKerberos5Realm DOMAIN.TLD

1. In the first line we modify the authentication method. 2. The second line is the Realm of your Kerberos domain. It's really important to respect the case and has to be in uppercase.

Once it's done, you just have to restart the Zimbra in order to take into account the krb5.conf if he has been modified.

zmcontrol restart

Your Zimbra server is now connected to FreeIPA.

References :

Verified Against: ZCS 8.0, ZCS 8.5, ZCS 8.6 Date Created: 12/18/2015
Article ID: Date Modified: 2015-12-18

Try Zimbra

Try Zimbra Collaboration with a 60-day free trial.
Get it now »

Want to get involved?

You can contribute in the Community, Wiki, Code, or development of Zimlets.
Find out more. »

Looking for a Video?

Visit our YouTube channel to get the latest webinars, technology news, product overviews, and so much more.
Go to the YouTube channel »

Jump to: navigation, search