About 2-3 month ago, Excellent team was invited by a government institution in Bogor, Indonesia, to setup Zimbra Mail Server and upgrade an existing Zimbra mail server to use external LDAP authentication. Although Zimbra itself already using LDAP, our client asked me to setup a separated LDAP Server. This server will be used as a central account/authentication server for SSO/Single Sign On
Configuring LDAP Server using SUSE Linux Enterprise Server (SLES) or openSUSE is not too difficult because YAST has it’s own module to be configure via YAST | Network Services | LDAP Server menu. The difficult part is to import the Zimbra account data into an LDIF file that can be imported to the SLES LDAP server.
Below is the script modified from articles Script for Export-Import Zimbra Account + Password. I modify the script to insert some attribute, such as home directory, GID, UID and others required by Posix Schema.
001.
#!/bin/sh
002.
003.
#Hapus Layar
004.
clear
005.
006.
echo
-e
"###################################################################################"
007.
echo
-e
"# Zimbra export-ldap.sh ver 0.0.1 #"
008.
echo
-e
"# Skrip untuk export account Zimbra berikut profile dan password #"
011.
echo
-e
"###################################################################################"
012.
013.
# /* Variable untuk bold */
014.
ibold=
"33[1m"
"n===> "
015.
ebold=
"33[0m"
016.
017.
# /* Parameter */
018.
echo
""
019.
echo
-n
"Enter Domain Name (ex : vavai.com) : "
020.
read
NAMA_DOMAIN
021.
echo
-n
"Enter path folder for exported account (ex : /home/vavai/) : "
022.
read
FOLDER
023.
024.
# /* Membuat file hasil export dan mengisi nama domain */
025.
MOD_FILE=
"$FOLDER/zcs-acc-mod.ldif"
026.
LDIF_FILE=
"$FOLDER/acc-add.ldif"
027.
028.
vUID=1004
029.
030.
rm
-f $MOD_FILE
031.
rm
-f $LDIF_FILE
032.
033.
touch
$MOD_FILE
034.
touch
$LDIF_FILE
035.
036.
037.
# /* Check versi Zimbra yang digunakan */
038.
VERSION=`
su
- zimbra -c 'zmcontrol -
v
'`;
039.
ZCS_VER=
"/tmp/zcsver.txt"
040.
# get Zimbra <span id="z461je1231s_4">LDAP password</span>
041.
ZIMBRA_LDAP_PASSWORD=`
su
- zimbra -c
"zmlocalconfig -s zimbra_ldap_password | cut -d ' ' -f3"
`
042.
043.
touch
$ZCS_VER
044.
echo
$VERSION &
gt
; $ZCS_VER
045.
046.
echo
-e $ibold
"Retrieve Zimbra User.............................."
$ebold
047.
048.
grep
"Release 5."
$ZCS_VER
049.
if
[ $? = 0 ];
then
050.
USERS=`
su
- zimbra -c 'zmprov gaa'`;
051.
LDAP_MASTER_URL=`
su
- zimbra -c
"zmlocalconfig -s ldap_master_url | cut -d ' ' -f3"
`
052.
fi
053.
054.
grep
"Release 7."
$ZCS_VER
055.
if
[ $? = 0 ];
then
056.
USERS=`
su
- zimbra -c 'zmprov -l gaa'`;
058.
fi
059.
060.
echo
-e $ibold
"Processing account, please wait.............................."
$ebold
061.
# /* Proses insert account kedalam file hasil export */
062.
for
ACCOUNT
in
$USERS;
do
063.
NAME=`
echo
$ACCOUNT`;
064.
DOMAIN=`
echo
$ACCOUNT |
awk
-F@ '{print $2}'`;
065.
ACCOUNT=`
echo
$ACCOUNT |
awk
-F@ '{print $1}'`;
066.
ACC=`
echo
$ACCOUNT |
cut
-d '.' -f1`
067.
068.
if
[ $NAMA_DOMAIN == $DOMAIN ] ;
069.
then
070.
OBJECT=
"(&(objectClass=zimbraAccount)(mail=$NAME))"
071.
dn=`/opt/zimbra/bin/ldapsearch -H $LDAP_MASTER_URL -w $ZIMBRA_LDAP_PASSWORD -D uid=zimbra,cn=admins,cn=zimbra -x $OBJECT |
grep
dn:`
072.
073.
074.
displayName=`/opt/zimbra/bin/ldapsearch -H $LDAP_MASTER_URL -w $ZIMBRA_LDAP_PASSWORD -D uid=zimbra,cn=admins,cn=zimbra -x $OBJECT |
grep
displayName: |
cut
-d ':' -f2 |
sed
's/^ *//g' |
sed
's/ *$//g'`
075.
076.
077.
givenName=`/opt/zimbra/bin/ldapsearch -H $LDAP_MASTER_URL -w $ZIMBRA_LDAP_PASSWORD -D uid=zimbra,cn=admins,cn=zimbra -x $OBJECT |
grep
givenName: |
cut
-d ':' -f2 |
sed
's/^ *//g' |
sed
's/ *$//g'`
078.
079.
userPassword=`/opt/zimbra/bin/ldapsearch -H $LDAP_MASTER_URL -w $ZIMBRA_LDAP_PASSWORD -D uid=zimbra,cn=admins,cn=zimbra -x $OBJECT |
grep
userPassword: |
cut
-d ':' -f3 |
sed
's/^ *//g' |
sed
's/ *$//g'`
080.
081.
cn=`/opt/zimbra/bin/ldapsearch -H $LDAP_MASTER_URL -w $ZIMBRA_LDAP_PASSWORD -D uid=zimbra,cn=admins,cn=zimbra -x $OBJECT |
grep
cn: |
cut
-d ':' -f2 |
sed
's/^ *//g' |
sed
's/ *$//g'`
082.
083.
initials=`/opt/zimbra/bin/ldapsearch -H $LDAP_MASTER_URL -w $ZIMBRA_LDAP_PASSWORD -D uid=zimbra,cn=admins,cn=zimbra -x $OBJECT |
grep
initials: |
cut
-d ':' -f2 |
sed
's/^ *//g' |
sed
's/ *$//g'`
084.
085.
sn=`/opt/zimbra/bin/ldapsearch -H $LDAP_MASTER_URL -w $ZIMBRA_LDAP_PASSWORD -D uid=zimbra,cn=admins,cn=zimbra -x $OBJECT |
grep
sn: |
cut
-d ':' -f2 |
sed
's/^ *//g' |
sed
's/ *$//g'`
086.
087.
088.
if
[
"$giveName"
==
""
];
then
089.
echo
"
090.
dn: uid=$ACCOUNT,ou=people,
dc
=excellent,
dc
=co,
dc
=
id
091.
cn: $displayName
092.
sn: $sn
093.
uid: $ACCOUNT
094.
objectClass:
top
095.
objectClass: inetOrgPerson
096.
objectClass: posixAccount
097.
gidNumber: 100
098.
uidNumber: $vUID
099.
homeDirectory: /home/$ACCOUNT
100.
loginShell: /bin/
bash
101.
" &
gt
;&
gt
; $LDIF_FILE
102.
103.
echo
"$dn
104.
changetype: modify
105.
replace: userPassword
106.
userPassword:: $userPassword
107.
" &
gt
;&
gt
; $MOD_FILE
108.
109.
else
110.
111.
echo
"
112.
dn: uid=$ACCOUNT,ou=people,
dc
=excellent,
dc
=co,
dc
=
id
113.
cn: $displayName
114.
givenName: $givenName
115.
sn: $sn
116.
uid: $ACCOUNT
117.
objectClass:
top
118.
objectClass: inetOrgPerson
119.
objectClass: posixAccount
120.
gidNumber: 100
121.
uidNumber: $vUID
122.
homeDirectory: /home/$ACCOUNT
123.
loginShell: /bin/
bash
124.
" &
gt
;&
gt
; $LDIF_FILE
125.
126.
echo
"$dn
127.
changetype: modify
128.
replace: userPassword
129.
userPassword:: $userPassword
130.
" &
gt
;&
gt
; $MOD_FILE
131.
132.
fi
133.
134.
echo
"Adding account $NAME"
135.
fi
136.
let
vUID=vUID+1
137.
done
138.
echo
-e $ibold
"All account has been exported sucessfully into $MOD_FILE and $LDIF_FILE..."
$ebold
The script will produce two pieces of files : add.ldif and zcs-acc-acc-mod.ldif. The first one can be used for LDAP data input with the following command:
[/code lang=”bash”]
ldapadd -Wx -D “cn=Administrator,dc=excellent,dc=co,dc=id” -H ldap://localhost -f acc-add.ldif
[/code]
Use the second file to match LDAP user password with an existing password in Zimbra
[/code lang=”bash”]
ldapmodify -f zcs-acc-mod.ldif -x -H ldapi:/// -D “cn=Administrator,dc=excellent,dc=co,dc=id” -w PasswordLDAPServer
[/code]
If you wish to include another attribute or schema, simply edit the script and made necessary modification.