Zimbra is open source server software for email and collaboration - email, group calendar, contacts, instant messaging, file storage and web document management. The Zimbra email and calendar server is available for Linux, Mac OS X and virtualization platforms. Zimbra syncs to smartphones (iPhone, BlackBerry) and desktop clients like Outlook and Thunderbird. Zimbra also features archiving and discovery for compliance. Zimbra can be deployed on-premises or as a hosted email solution.

Zimbra use a specific preauthentication protocol to provide SSO on its application. This protocol is implemented in an LL::NG specific Handler.

Zimbra can also be connected to LL::NG via SAML protocol (see Zimbra blog).
For now, Zimbra isn't supported by Nginx handler. You have to use Apache.


The integration with LL::NG is the following:

  • A special URL is declared in application menu (like http://zimbra.example.com/zimbrasso)
  • A Zimbra Handler is called
  • Handler build the preauth request and redirect user on Zimbra preauth URL
  • Then Zimbra do the SSO by setting a cookie in user's browser

Zimbra preauth key

You need to get a preauth key from Zimbra server.

See how to do this on Zimbra wiki.

Zimbra application in menu

Zimbra virtual host


You will configure Zimbra virtual host like other protected virtual host but you will use Zimbra Handler instead of default Handler.

PerlModule Lemonldap::NG::Handler::Specific::ZimbraPreAuth
<VirtualHost *>
        ServerName zimbra.example.com
       # Load Zimbra Handler
       PerlHeaderParserHandler Lemonldap::NG::Handler::Specific::ZimbraPreAuth


Zimbra Handler cannot be used in Nginx for the moment.

Zimbra virtual host in Manager

Go to the Manager and create a new virtual host for Zimbra.

Just configure the access rules.

Zimbra Handler parameters

Zimbra parameters are the following:

  • Preauthentication key: the one you grab from zmprov command
  • Account session key: session field used as Zimbra user account (by default: uid)
  • Account type: for Zimbra this can be name, id or foreignKey (by default: id)
  • Preauthentication URL: Zimbra preauthentication URL, either with full URL (ex: http://zimbra.lan/service/preauth), either only with path (ex: /service/preauth) (by default: /service/preauth)
  • Local SSO URL pattern: regular expression to match the SSO URL (by default: ^/zimbrasso$)
Due to Handler API change in 1.9, you need to set these attributes in lemonldap-ng.ini and not in Manager, for example:
zimbraPreAuthKey = XXXX
zimbraAccountKey = uid
zimbraBy =id
zimbraUrl = /service/preauth
zimbraSsoUrl = ^/zimbrasso$