Zimbra is open source server software for email and collaboration - email, group calendar, contacts, instant messaging, file storage and web document management. The Zimbra email and calendar server is available for Linux, Mac OS X and virtualization platforms. Zimbra syncs to smartphones (iPhone, BlackBerry) and desktop clients like Outlook and Thunderbird. Zimbra also features archiving and discovery for compliance. Zimbra can be deployed on-premises or as a hosted email solution.
Zimbra uses a specific preauthentication protocol to provide SSO for its application. This protocol is implemented in an LL::NG-specific Handler.
The integration with LL::NG is the following:
You need to get a preauth key from the Zimbra server.
See how to do this on Zimbra wiki.
Choose, for example, http://zimbra.example.com/zimbrasso as the SSO URL and set it in the application menu.
Configure the Zimbra virtual host like any other protected virtual host, but use the Zimbra Handler instead of the default Handler:
    PerlModule Lemonldap::NG::Handler::Specific::ZimbraPreAuth
    <VirtualHost *>
        ServerName zimbra.example.com
        # Load Zimbra Handler
        PerlHeaderParserHandler Lemonldap::NG::Handler::Specific::ZimbraPreAuth
        ...
    </VirtualHost>
Go to the Manager and create a new virtual host for Zimbra.
Just configure the access rules.
The Zimbra parameters are zimbraPreAuthKey (the domain preauth key), zimbraAccountKey (the session attribute used as the Zimbra account), zimbraBy (how Zimbra looks up that account, for example by id), zimbraUrl (the Zimbra preauth URL) and zimbraSsoUrl (a regular expression matching the SSO URL). They are set in lemonldap-ng.ini and not in the Manager, for example:
    [handler]
    zimbraPreAuthKey = XXXX
    zimbraAccountKey = uid
    zimbraBy = id
    zimbraUrl = /service/preauth
    zimbraSsoUrl = ^/zimbrasso$
Some organizations have multiple Zimbra domains, for example domain1 and domain2. However, the Zimbra preauth key is generated per domain, so each domain has its own key.
Thus, if domain1 has been registered in LemonLDAP::NG, a user bar from domain2 won't be able to connect to Zimbra because the preauth key is different. If you accept having the same preauth key for all Zimbra domains, you can set it using this procedure:
We are going to use the first key (the domain1 one) for every domain. On the Zimbra machine, generate the keys:
    zmprov generateDomainPreAuthKey domain1.com
    preAuthKey: 4e2816f16c44fab20ecdee39fb850c3b0bb54d03f1d8e073aaea376a4f407f0c
    zmprov generateDomainPreAuthKey domain2.com
    preAuthKey: 6b7ead4bd425836e8cf0079cd6c1a05acc127acd07c8ee4b61023e19250e929c
Then, connect to your Zimbra LDAP server with your favourite tool (Apache Directory Studio can do the job) and give domain2 the same preauth key value as domain1. Take care to connect with the super admin account and password.
That's it: all Zimbra servers will be able to verify the HMAC because they share the same key!
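The following is an added example, not code from LL::NG or Zimbra. It models what the Zimbra preauth Handler does with the [handler] settings shown earlier (match the request against zimbraSsoUrl, mint a token with zimbraPreAuthKey, redirect to zimbraUrl) and then shows the multi-domain problem described above: a token minted with domain1's key is refused by domain2 while domain2 keeps its own key, and accepted once both domains share the domain1 key. The token format follows the Zimbra preauth specification (HMAC-SHA1 over "account|by|expires|timestamp", hex encoded). Unlike the page's uid/id example, it uses zimbraAccountKey = mail and zimbraBy = name so that the account carries its domain; the hostnames, session values and clock value are constructed, and the two keys are the sample values printed by zmprov on this page.

```python
"""Added example (not LL::NG or Zimbra project code): Zimbra preauth SSO
round trip driven by a lemonldap-ng.ini [handler] section, plus the
per-domain key problem. Token format per the Zimbra preauth spec:
    preauth = hex(HMAC-SHA1(preAuthKey, "account|by|expires|timestamp"))
Hostnames, accounts, session data and the clock value are constructed."""
import configparser
import hashlib
import hmac
import re
from urllib.parse import parse_qsl, urlencode, urlparse

# Sample keys as printed by zmprov on this page.
KEY_DOMAIN1 = "4e2816f16c44fab20ecdee39fb850c3b0bb54d03f1d8e073aaea376a4f407f0c"
KEY_DOMAIN2 = "6b7ead4bd425836e8cf0079cd6c1a05acc127acd07c8ee4b61023e19250e929c"

# Constructed lemonldap-ng.ini fragment using the page's parameter names
# (mail/name instead of uid/id so the account name carries its domain).
INI_TEXT = f"""
[handler]
zimbraPreAuthKey = {KEY_DOMAIN1}
zimbraAccountKey = mail
zimbraBy = name
zimbraUrl = /service/preauth
zimbraSsoUrl = ^/zimbrasso$
"""


def load_handler_config(ini_text):
    """Read the [handler] section, preserving parameter case."""
    cp = configparser.ConfigParser()
    cp.optionxform = str  # keep zimbraPreAuthKey etc. exactly as written
    cp.read_string(ini_text)
    return dict(cp["handler"])


def mint_preauth(key, account, by, expires, timestamp):
    """Token as the Handler computes it from the configured domain key."""
    msg = f"{account}|{by}|{expires}|{timestamp}".encode()
    return hmac.new(key.encode(), msg, hashlib.sha1).hexdigest()


def build_preauth_redirect(cfg, session, request_path, zimbra_host, now_ms):
    """Return the preauth URL for a request matching zimbraSsoUrl, else None."""
    if not re.search(cfg["zimbraSsoUrl"], request_path):
        return None
    account = session[cfg["zimbraAccountKey"]]
    expires = 0  # 0 = let Zimbra apply its default session lifetime
    token = mint_preauth(cfg["zimbraPreAuthKey"], account, cfg["zimbraBy"],
                         expires, now_ms)
    query = urlencode({"account": account, "by": cfg["zimbraBy"],
                       "timestamp": now_ms, "expires": expires,
                       "preauth": token})
    return f"https://{zimbra_host}{cfg['zimbraUrl']}?{query}"


def verify_preauth(domain_key, url, now_ms, window_ms=5 * 60 * 1000):
    """Server-side check a Zimbra domain holding `domain_key` performs:
    constant-time HMAC comparison plus a freshness window on the timestamp
    (5 minutes here, modelling Zimbra's clock-skew tolerance)."""
    p = dict(parse_qsl(urlparse(url).query))
    expected = mint_preauth(domain_key, p["account"], p["by"],
                            p["expires"], p["timestamp"])
    if not hmac.compare_digest(expected, p["preauth"]):
        return False
    return abs(now_ms - int(p["timestamp"])) <= window_ms


def sso_succeeds(domain_keys, cfg, session, now_ms):
    """End to end: the Handler mints with its single configured key; the
    user's own Zimbra domain verifies with whatever key that domain holds."""
    url = build_preauth_redirect(cfg, session, "/zimbrasso",
                                 "zimbra.example.com", now_ms)
    domain = session[cfg["zimbraAccountKey"]].split("@", 1)[1]
    return verify_preauth(domain_keys[domain], url, now_ms)


CFG = load_handler_config(INI_TEXT)
NOW_MS = 1_700_000_000_000  # constructed clock value, ms since the epoch
FOO = {"mail": "foo@domain1.com"}  # constructed session of a domain1 user
BAR = {"mail": "bar@domain2.com"}  # constructed session of a domain2 user
KEYS_PER_DOMAIN = {"domain1.com": KEY_DOMAIN1, "domain2.com": KEY_DOMAIN2}
KEYS_SHARED = {"domain1.com": KEY_DOMAIN1, "domain2.com": KEY_DOMAIN1}

if __name__ == "__main__":
    print("foo, separate keys:", sso_succeeds(KEYS_PER_DOMAIN, CFG, FOO, NOW_MS))  # True
    print("bar, separate keys:", sso_succeeds(KEYS_PER_DOMAIN, CFG, BAR, NOW_MS))  # False
    print("bar, shared key:   ", sso_succeeds(KEYS_SHARED, CFG, BAR, NOW_MS))      # True
```

The `verify_preauth` side also rejects a token whose timestamp is older than the window, which is why the Handler and the Zimbra servers need reasonably synchronised clocks in addition to a common key.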