Enable LDAP Authentication from Fedora to Zimbra


I have a Zimbra email server which contains an LDAP server housing all my users and their passwords. I would like to enable single sign-on for my Linux machines. The only account details I'll be using from LDAP are the username and password.

The last time I did this, I did it the hard way and modified files in /etc/pam.d by hand. Using the authconfig command is much more convenient.
The following has been tested on Fedora 9.

Configure PAM

First, run authconfig. This will configure pam.d/* and make some changes to /etc/ldap.conf and /etc/openldap/*.

authconfig --savebackup=knowngood
authconfig \
--enableldapauth \
--ldapserver=ldap.domain.com \
--ldapbasedn='dc=domain,dc=com' \
--enableldaptls \
--update

Configure LDAP Connection

The Zimbra LDAP server requires a privileged bind to LDAP before comparing the passwords. I didn't see how to specify this with authconfig, but it is easy to do by hand.

In my case, the hostname (ldap.domain.com) does not match the CN in the certificate (mail.domain.com). It's not the most secure fix, but this can be worked around with the tls_checkpeer option, which tells pam_ldap/nss_ldap not to verify the server's certificate.

cat <<EOF >> /etc/ldap.conf
rootbinddn uid=zimbra,cn=admins,cn=zimbra
tls_checkpeer no
EOF

And finally, add the LDAP password to /etc/ldap.secret. Create the file with restrictive permissions before writing the password into it, so it is never briefly world-readable:

touch /etc/ldap.secret
chmod 600 /etc/ldap.secret
echo "$password" > /etc/ldap.secret

That password may be obtained like this:

[zimbra@zimbra ~]$ zmlocalconfig -m nokey -s zimbra_ldap_password

Create users on the local system with the same username as found in Zimbra and logins just work.

As configured above, the password from /etc/shadow will continue to work if one exists.
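As an added check that is not part of the original post: a small POSIX shell script that verifies the secret file's permissions, confirms the rootbinddn line landed in /etc/ldap.conf, and performs the same privileged bind and uid lookup with ldapsearch that pam_ldap does for a login. ldap.domain.com, the base DN and the bind DN are the post's placeholder values, not a real deployment.

```shell
#!/bin/sh
# Added example (not from the original post): sanity checks for the pieces
# the setup above depends on, plus a one-off privileged bind test mirroring
# what pam_ldap/nss_ldap do at login. Host, base DN and bind DN are the
# post's placeholder values.
LDAP_URI="ldap://ldap.domain.com"
BASE_DN="dc=domain,dc=com"
BIND_DN="uid=zimbra,cn=admins,cn=zimbra"
SECRET="/etc/ldap.secret"
CONF="/etc/ldap.conf"

# /etc/ldap.secret holds the Zimbra bind password in clear text and is read
# as root, so it must exist, be non-empty and be mode 0600. Returns 0 if so.
check_secret_file() {
    f="$1"
    [ -s "$f" ] || { echo "$f missing or empty" >&2; return 1; }
    mode=$(stat -c '%a' "$f")
    [ "$mode" = "600" ] || { echo "$f has mode $mode, expected 600" >&2; return 1; }
    return 0
}

# /etc/ldap.conf must carry the rootbinddn the post appends; warn if peer
# certificate checking was disabled to paper over the hostname/CN mismatch.
check_ldap_conf() {
    f="$1"
    grep -q '^rootbinddn[[:space:]]' "$f" || { echo "no rootbinddn in $f" >&2; return 1; }
    if grep -qi '^tls_checkpeer[[:space:]]*no' "$f"; then
        echo "warning: tls_checkpeer no in $f; the server certificate is not verified." \
             "Prefer --ldapserver set to the name in the certificate." >&2
    fi
    return 0
}

# Same privileged bind + lookup pam_ldap performs, over STARTTLS (-ZZ fails
# if TLS cannot be established). The OpenLDAP tools do not read /etc/ldap.conf,
# so LDAPTLS_REQCERT=never mirrors tls_checkpeer no. -w rather than -y: echo
# left a trailing newline in the secret file, which -y would pass as part of
# the password; command substitution strips it.
test_bind() {
    user="$1"
    LDAPTLS_REQCERT=never ldapsearch -LLL -H "$LDAP_URI" -ZZ \
        -D "$BIND_DN" -w "$(cat "$SECRET")" -b "$BASE_DN" \
        "(uid=$user)" uid
}

# Run all checks for one login name when invoked with an argument.
if [ -n "${1-}" ]; then
    check_secret_file "$SECRET" && check_ldap_conf "$CONF" && test_bind "$1"
fi
```

Run it as root with a login name (e.g. `sh ldapcheck.sh alice`); a returned `uid:` line means the bind DN, secret and TLS setup all work before you rely on them for logins.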
