Alfresco + Zimbra LDAP

vasisualy
Champ on-the-rise
Dear all,

I'm trying to combine Alfresco with my existing Zimbra server.
My idea is to use Zimbra's LDAP server as the only authentication mechanism.
It means that every Zimbra user may log in to Alfresco with the same credentials and get a home folder named with his/her full name.

As I see, for this purpose I have to set
authentication.chain=ldap1:ldap
ldap.authentication.active=true
ldap.synchronization.active=true


My problem is that the LDAP schema in Zimbra is quite different from what was described in the wiki and on this forum, and I'm not an LDAP guru.

Here is the Zimbra LDAP scheme
[img]http://wiki.zimbra.com/images/b/bc/5_Zimbra_LDAP.4.1.2.jpg[/img]

Zimbra LDAP info http://wiki.zimbra.com/index.php?title=Zimbra_Directory_Service_(LDAP)
As you see there are no subtrees.
All user info is stored in a flat structure.

Here is an example LDIF record for a Zimbra user.
#——————————————————————————-
# This file has been generated on  from zimbra.local:389
# by Softerra LDAP Browser 2.6 (http://www.ldapbrowser.com)
#——————————————————————————-
version: 1
dn: uid=vasisualy,ou=people,dc=zimbra,dc=local
zimbraMailTransport: lmtp:zimbra.local:7025
zimbraAccountStatus: active
zimbraMailDeliveryAddress: vasisualy@zimbra.local
initials: Middle
givenName: John
sn: Smith
userPassword: {SSHA}Zb9zGRCymqk76tjE9BBZT8D8789D0Hf6
zimbraMailStatus: enabled
zimbraId: f22d0251-453d-474a-a3e4-c4f2bf3c8698
mail: sti@zimbra.local
displayName: John Middle. Smith
uid: vasisualy
objectClass: organizationalPerson
objectClass: zimbraAccount
objectClass: amavisAccount
zimbraPasswordModifiedTime: 20090910110003Z
cn: John Middle. Smith
zimbraMailHost: zimbra.local
zimbraLastLogonTimestamp: 20090910134126Z
zimbraPrefDefaultSignatureId: f748cca8-04dd-4e7f-a066-187e22357b85
zimbraSignatureName: My signature
zimbraPrefMailSignature: Here is my signature.
zimbraSignatureId: f748cca8-04dd-4e7f-a066-187e22357b85
zimbraPrefUseTimeZoneListInCalendar: TRUE
postalCode: 01030
ou: Department No 1
zimbraAllowAnyFromAddress: FALSE
street:: 5th Street
zimbraNotes: Notes text.
description: Description
co: Ukraine
physicalDeliveryOfficeName: Office 1
l: Kiev
telephoneNumber: 1125
st: State
company: Company Name
—————–

I have done some work and authentication works.

When a user logs into Alfresco as vasisualy it displays as vasisualy.
But I need a user like "John Middle. Smith" instead of vasisualy, with a home folder.
As I see, for this I have to use LDAP sync, and that is the problem for me now.

ldap.synchronization.personQuery=(&(ou\=*)(objectClass\=organizationalPerson)(zimbraMailStatus\=enabled))
ldap.synchronization.userSearchBase=ou\=People,dc\=zimbra,dc\=local
Alfresco imports users but stops on groups.

I do not know how to configure the following group parameters in Alfresco for my LDAP schema.
Could someone explain these parameters to me in more detail than the wiki?
ldap.synchronization.groupQuery=
ldap.synchronization.groupSearchBase= 
ldap.synchronization.groupType=
ldap.synchronization.groupIdAttributeName=
ldap.synchronization.groupMemberAttributeName=

Is it possible to configure static non-LDAP groups for LDAP users?


Thank you in advance.

ivan_plestina
Champ in-the-making
Oh and btw, it looks to me that LDAP sync worked perfectly but authentication messed things up by creating another user… Can you try to modify:
ldap.authentication.userNameFormat=uid=%s,ou=people,dc=zimbra,dc=local
to
ldap.authentication.userNameFormat=%s@zimbra.local

Not sure if you'll need to escape that '@' with a '\'. This definitely works with AD LDAP, i.e. you can authenticate with your email. %s is what you type into the login form, and @zimbra.local is appended in the background automatically. No idea whether it will work for Zimbra, but it should solve the double users problem.

dward
Champ on-the-rise
Ivan, your suggestion won't work because zimbraMailDeliveryAddress is not part of the DN, and therefore it won't be able to resolve the entered user ID to a DN.

BUT, a change I am about to check in to HEAD will allow you to use any user attribute, including email address, as the user ID attribute, because we are going to support search based DN resolution when ldap.authentication.userNameFormat is empty.

So I'm afraid it's not possible now, but it will be just as soon as HEAD is open for check ins again.

vasisualy
Champ on-the-rise
I started writing this reply 2 hours before yours.
Anyway, I will post it.
I will try your advice and report soon.

You need to set
ldap.synchronization.userIdAttributeName=uid
zimbraMailDeliveryAddress was the wrong attribute to use, as it contains the @zimbra.local suffix.

I see. But Zimbra's DistributionList contains in the zimbraMailForwardingAddress attribute only e-mails, not UIDs.

If I set ldap.synchronization.userIdAttributeName=uid it will conflict with groups, which contain e-mails, not UIDs.

Am I wrong?

Thank you.

vasisualy
Champ on-the-rise
Dear mates,
I changed the setting to ldap.synchronization.userIdAttributeName=uid

As expected duplicated users are gone.

Part of the Alfresco log:
23:54:40,416  INFO  [security.sync.ChainingUserRegistrySynchronizer] Creating user 'wiki'
23:54:40,613  INFO  [security.sync.ChainingUserRegistrySynchronizer] Creating user 'spam.gq9grspa'
23:54:40,854  INFO  [security.sync.ChainingUserRegistrySynchronizer] Creating user 'ham.gftvdq5ag'
23:54:41,080  INFO  [security.sync.ChainingUserRegistrySynchronizer] Creating user 'vasisualy'
23:54:41,278  INFO  [security.sync.ChainingUserRegistrySynchronizer] Retrieving all groups from user registry 'AUTH.EXT.ldap1'
23:54:41,300  INFO  [security.sync.ChainingUserRegistrySynchronizer] Creating group 'All Users'
23:54:41,352  INFO  [security.sync.ChainingUserRegistrySynchronizer] Finished synchronizing users and groups with user registry 'AUTH.EXT.ldap1'
23:54:41,353  INFO  [security.sync.ChainingUserRegistrySynchronizer] 5 user(s) and 1 group(s) processed

Group 'All Users' was created as empty.
[img]http://i27.tinypic.com/dwxs9u.png[/img]

I think I need some manipulations on Zimbra side to achieve really good group integration.

Only a few parameters are still not clear to me.
ldap.synchronization.groupType=
ldap.synchronization.personType=
What do they really mean?

And are there any additional parameters in the Alfresco configs to import person attributes from LDAP?
Like Organization, Job Title, Location, Presence Provider, etc.

Thank you.

ivan_plestina
Champ in-the-making
I believe dward's changes once in HEAD will fix things for you.

groupType and personType are mappings to the objectClass name in LDAP for groups and users. For example, in AD groupType=group, in OpenLDAP it's groupOfNames and similar.

vasisualy
Champ on-the-rise
Hello all,

I've written myself a little tricky script.
This script is based on a script written by Carlos Vidal <cvidal@whitehatmail.fr> and found on the Zimbra support forum.
It modifies Zimbra's LDAP.

Example:
Zimbra distribution list alfresco_users@hansa.com.ua:
  group1@company.com
  user5@company.com

Run the script as the zimbra user
zimbra$ python /opt/bin/dl2groups.py -a -d -p `zmlocalconfig -s -m nokey zimbra_ldap_password`
  Removing all existing group CNs from LDAP
  Expanding and Processing DistributionLists and it's members
  Done.

It makes LDAP records like

cn=alfresco_users,ou=groups,dc=company,dc=com
  objectClass: groupOfNames (structural)
  objectClass: top (abstract)
  cn: alfresco_users
  member: uid=user1,ou=people,dc=company,dc=com
  member: uid=user1,ou=people,dc=company,dc=com
  member: uid=user1,ou=people,dc=company,dc=com
  description: desc
  o: Alfresco users


Script parameters:
-a, --add  : add group CN records according to DistributionLists
-d, --del  : remove all existing group CN records
-p, --print : print proposed changes

-u=name, --user=name : LDAP login as uid=name,cn=admins,cn=zimbra
                     : default login is uid=zimbra,cn=admins,cn=zimbra
-p=, --pass=, --passwd=, password=  : LDAP password
-b=, --base=  : LDAP search base
-h, --help   : this help screen message
-l, --list    : list possible changes (for testing)

This script accepts nested distribution lists and duplicated users.

To add it to Zimbra's crontab to run it hourly, run (for details see https://help.ubuntu.com/community/CronHowto )
zimbra@:~$ crontab -e

and add these lines to the end of the file
# ZIMBRAEND -- DO NOT EDIT ANYTHING BETWEEN THIS LINE AND ZIMBRASTART

# Zimbra LDAP groups mirroring
*/15 * * * * /usr/bin/python /opt/bin/dl2groups.py -a -d -p `/opt/zimbra/bin/zmlocalconfig -s -m nokey zimbra_ldap_password` > /dev/null 2>&1

Update: I just updated the last line. Now it works.

I know that this script is not perfect. I hope someone improves and contributes it.
Warning: this script was tested only on my own Zimbra instance. Please do proper backup procedures before running it the first time.

I pasted dl2groups.py on http://pastebin.com/RgJsn6PD

I will be glad for your response.

jimmykirk
Champ in-the-making
Wow, that looks promising for us Zimbra users.

Does this change existing groups? Are you also using Zimbra for posix/samba authentication as well?

I'd love to have an "alfresco users" group to prevent my dummy accounts like "serveralerts@domain.com" from populating in Alfresco.

vasisualy
Champ on-the-rise
As you probably know, Zimbra does not use the traditional ou=group structure.
It uses distribution lists as uid=distribution_list

This script makes groups according to distribution lists.

scyonix
Champ in-the-making
Hi, I'm getting the below error when I tried to run the script on my Zimbra server, please help me find a solution…

zimbra@localhost$;  python /tmp/dl2groups.py -a -d -p `zmlocalconfig -s -m nokey zimbra_ldap_password`
Removing all existing group CNs from LDAP
Expanding and Processing DistributionLists and it's members
createCnGroup: error for  cn=test,ou=groups,dc=testmail,dc=example,dc=com
Traceback (most recent call last):
  File "dl2groups.py", line 367, in ?
    createCnGroup(l,grp,realmembs)
  File "dl2groups.py", line 234, in createCnGroup
    if type(e.message) == dict and e.message.has_key('desc'):
AttributeError: NAMING_VIOLATION instance has no attribute 'message'

vasisualy
Champ on-the-rise
Sorry for late response.
As I see, the script cannot create ou=groups.

I use more than one mail domain in my Zimbra configuration.
How many mail domains do you use?

Try to change in the script
LDAP_BASE = 'dc=local'

Try to run
zimbra> python dl2groups.py  -l -p `zmlocalconfig -s -m nokey zimbra_ldap_password`

Does it print correct changes?