Author Topic: Zarafa & Zentyal 3.5  (Read 7886 times)

StuartNaylor

  • Guest
Zarafa & Zentyal 3.5
« on: June 22, 2014, 05:44:55 am »
I have been having a few probs with the Zarafa Schema Extensions but might as well kickstart things.

I am not a great fan of the Zentyal User manager and have been trying to connect with phpldapadmin to no avail.

Having a web application would be great but just haven't had much success so it's back to the desktop with Jxplorer.

Jxplorer is a really great Java LDAP browser and editor and it can connect to Samba.

Code:
sudo apt-get install jxplorer
I think only Administrator is set up as a schema administrator but I will have to check this.

I had a domain admin account and for some reason couldn't connect, when I used the Administrator account no problem.

The contents of /etc/dovecot/dovecot-ldap.conf will help you with connection details.

Here is mine.

Code:
# Generated by Zentyal
hosts = 127.0.0.1:3268
dn = "CN=Administrator,CN=Users,DC=zentyal,DC=lan"
dnpass = "a@qdErceqlL5ROrhxy8E"
sasl_bind = no
tls = no
ldap_version = 3
deref = never
scope = subtree
base = DC=zentyal,DC=lan
auth_bind = yes

user_filter = (&(mail=%u)(objectClass=user)(!(userAccountControl=514)))
pass_filter = (&(mail=%u)(objectClass=user)(!(userAccountControl=514)))
user_attrs = =home=/var/vmail/%Ld/%Ln/,=mail=maildir:/var/vmail/%Ld/%Ln/Maildir/
pass_attrs = userPassword=password

For some reason Zentyal have used the global catalog port of 3268. I haven't a clue why as this will create havoc if Zentyal ever does become part of a forest.
I suggest using 389; in fact I don't just suggest, use 389.

So as I say didn't get far with schemas but instead of https://community.zarafa.com/pg/plugins/release/21794/developer/tdeklein/samba4-ad-integration-for-zarafa

I am just going to manually add the schema.

Hopefully others will join and add to the thread.

StuartNaylor

  • Guest
Re: Zarafa & Zentyal 3.5
« Reply #1 on: June 22, 2014, 01:39:53 pm »
https://community.zarafa.com/pg/plugins/release/21794/developer/tdeklein/samba4-ad-integration-for-zarafa

Works and adds the schema

You need to install dos2unix as it's part of the script

Code:
apt-get install dos2unix
Make sure Samba is stopped

Code:
service samba-ad-dc stop
Or use webmin >System>Bootup & Shutdown

Run the script from the download

Code:
bash zarafa_schema_add.sh DC=ZENTYAL,DC=LAN ./ -v -H /var/lib/samba/private/sam.ldb -writechanges -dontclean
It takes so long that I thought it was in an endless loop, doh!

« Last Edit: June 30, 2014, 05:52:46 pm by StuartNaylor »

defetonezzz

  • Zen Apprentice
Re: Zarafa & Zentyal 3.5
« Reply #2 on: June 23, 2014, 06:52:00 am »
Thank you for the information... I like your post

StuartNaylor

  • Guest
Re: Zarafa & Zentyal 3.5
« Reply #3 on: June 23, 2014, 07:11:02 am »
Still working on Zarafa and getting to grips with things. Please join as the help will be appreciated.

tose

  • Zen Apprentice
Re: Zarafa & Zentyal 3.5
« Reply #4 on: June 28, 2014, 04:35:25 am »
I was really disappointed by the dropping of Zarafa in 3.5

Great job making the effort to continue work on Zarafa in Zentyal. I'm probably too early with this question, but just wondering what your intention might be in terms of a management GUI. Is Zentyal so non-standard in Ubuntu terms that Z-Admin could not co-exist?

I have some spare hardware so might try to replicate your work when I get some time. Happy to participate in any way.


StuartNaylor

  • Guest
Re: Zarafa & Zentyal 3.5
« Reply #5 on: June 28, 2014, 05:35:52 am »
Sorry slowed down my efforts and need to get back to it.

I started with jxplorer but finding Apache Directory Studio much better.

In fact it's not called directory studio for no reason.

Still stuck with the problem that to get the relevant security IDs you need to use samba-tool to add new users.

http://linuxcostablanca.blogspot.co.uk/2012/02/samba-4-posix-domain-user.html has some excellent examples.

I have been toying with the idea of maybe making a webmin module for samba4 users that allows custom classes to be added.

This not just with Zarafa but for any specific application ldap requirements to automount entries.

I could do with a few of us getting together maybe.

I suffer from recurring TM which is a bit like MS and just had another bout, which has knocked me off me feet a bit.
Been relatively ok this last month but still a bit crap.

I like Zentyal but I really find the custom community requirements in dev and support way too high.

I hate to mention webmin so much but it's a great complement to Zentyal and very easy to create and add modules.
You can just import them on the fly.

I have a bit of a pet project on http://sourceforge.net/projects/samba4all/ and I will give it a go there.
That is vanilla samba4 then will try it out on zentyal.

[EDIT]
I have been trying to find an LDAP tool that is web based that could run from the server just like the Zentyal webadmin or webmin.

phpldapadmin I eventually got going but it's buggy, so I am running a mile from that.

Usually complex actions on the CLI have me running for cover. I have memory problems and a GUI is just great for me.

ldbedit is really simple to use and the below example edits the entry where samaccountname=winadmin which is my windows administration account.

Code:
ldbedit -e nano -H /var/lib/samba/private/sam.ldb '(samaccountname=winadmin)'
Give that a go, as -e is the editor you want to use. I prefer the simplicity of nano. Just change winadmin to the user you need.

 
« Last Edit: June 30, 2014, 10:01:30 am by StuartNaylor »

StuartNaylor

  • Guest
Re: Zarafa & Zentyal 3.5
« Reply #6 on: June 30, 2014, 05:36:57 pm »
Ok posting to myself but starting to get somewhere with Zarafa on 3.5.

I really do think Zentyal  should bring back the Zarafa option until stability and migration options with Openchange are finalised.

But hey. Here is Zarafa install on 3.5 and could do with some feedback.

My fqdn zent1.zentyal.lan

Code:
wget http://download.zarafa.com/community/final/7.1/7.1.10-44973/zcp-7.1.10-44973-ubuntu-14.04-x86_64-free.tar.gz
tar zxvf zcp-7.1.10-44973-ubuntu-14.04-x86_64-free.tar.gz
cd zcp-7.1.10-44973-ubuntu-14.04-x86_64
dpkg -i *.deb
apt-get install -f
I noticed in there is zarafamigration.exe http://doc.zarafa.com/trunk/Migration_Manual/en-US/html-single/
Haven't tried it but the zarafa to pst migration might be handy for some and also there is always imapcopy.
Anyway I digress.
In /var/lib/zentyal/conf we have various files that contain various essential details.
samba.passwd the administrator password which is why you shouldn't change things but really the administrator should be visible and maybe a ebox samba account should be used.
I did notice that the zentyal dovecot settings are using the global catalog still, #hosts = 127.0.0.1:3268# which could be a source of problems down the road.
I dunno, I guess because the DNs are for this realm it doesn't matter. I have been trying to get my head round the implications of running various sites that might all have their own email server. Then also being the global catalog this will also be a forest of several domains. A nasty smell of burning came from my right ear, so decided to stop thinking about it.

I did also notice Zentyal have moved from the administrator for mail directory tasks which is great, not sure why not a single ebox account for the system though.

Anyway the samba.password file contains oiAmNqpWR2H6Ua@k8jqx
and the  zentyal-mysql.passwd contains oA5TGRwf

Apols but I use webmin for quite a few tasks so install webmin if you want to follow my procedure.

Code:
apt-get install perl libnet-ssleay-perl openssl libauthen-pam-perl libpam-runtime libio-pty-perl apt-show-versions python
wget http://prdownloads.sourceforge.net/webadmin/webmin_1.690_all.deb
dpkg --install webmin_1.690_all.deb

Create a service for webmin, allow port 10000, then on the firewall allow the webmin service on the local LAN (for me this is acceptable and no less secure than the Zentyal web admin). Both I never allow WAN side and use a VPN.

In webmin in the others section there is a filemanager that makes things easy.
/etc/zarafa/server.cfg

Code:
# Name for identifying the server in a multi-server environment
server_name = zent1
##############################################################
# MYSQL SETTINGS (for database_engine = mysql)
# The password for the user (leave empty for no password)
mysql_password = oA5TGRwf

In the zarafa server config I use the hostname as the servername and we need to supply the root password of MySQL.

Also in /etc/mysql/conf.d/zentyal.cnf

Code:
[mysqld]
innodb = on
default-storage-engine = MyISAM
character-set-server=utf8

[client]
default-character-set=utf8
I had to change innodb = off to innodb = on because Zarafa requires this. I am not sure why Zentyal force it off as the default is MyISAM. Dunno maybe someone can say why?

Webmin >System>Bootup & Shutdown tick zarafa-server and restart.

Code:
root@zent1:~# zarafa-admin -l
User list for Default(1):
        Username        Fullname        Homeserver
        ------------------------------------------
        SYSTEM          SYSTEM          zent1

zarafa-admin -l shows that zarafa is running but we have no users because we are purely using database authentication which we need to change to ldap.

From the previous post we need to add the schema to the LDAP.
https://forum.zentyal.org/index.php/topic,22332.msg85942.html#msg85942

This adds the schema but doesn't add the classes or entries to the user.

I made a little script and will do this with that: bash ZarafaAD username baseDN maildomain should set up your user.
It's set to create the user as a Zarafa admin so you might want to edit this.

Code:
bash ZarafaAD winadmin DC=zentyal,DC=lan zentyal.lan
Modified my Winadmin user and set him up with some defaults.
You can always use the following to edit at a later stage.
Code:
ldbedit -e nano -H /var/lib/samba/private/sam.ldb '(samaccountname=winadmin)'
Copy /etc/zarafa/ldap.active-directory.cfg to /etc/zarafa/ldap.conf

Edit the following sections so they match your ldap.

Code:
ldap_host = localhost
ldap_bind_user = CN=Administrator,CN=Users,DC=zentyal,DC=lan
ldap_bind_passwd = oiAmNqpWR2H6Ua@k8jqx
ldap_search_base = dc=zentyal,dc=lan

Edit /etc/zarafa/server.cfg

Code:
user_plugin             = ldap
Restart zarafa-server & zarafa-admin -l should show something like the following.
Code:
root@zent1:~# zarafa-admin -l
User list for Default(7):
        Username                Fullname                Homeserver
        --------------------------------------------------------------
        SYSTEM                  SYSTEM                  zent1
        zentyal-mail-zent1      zentyal-mail-zent1
        Administrator           Administrator
        winadmin                Win Admin
        dns-zent1               dns-zent1
        krbtgt                  krbtgt
        Guest                   Guest


Starting to get somewhere. Haven't checked the zarafa to postfix settings yet or if sending and receiving mails works.

a2ensite zarafa-webaccess for some reason doesn't work and currently scratching around this one?

OK a new one for me, renamed the two files in sites-available and added .conf to the end.

a2ensite zarafa-webaccess.conf and a2ensite zarafa-webapp.conf now work!!!?




« Last Edit: June 30, 2014, 06:38:30 pm by StuartNaylor »

lcat

  • Zen Apprentice
Re: Zarafa & Zentyal 3.5
« Reply #7 on: July 03, 2014, 05:39:55 pm »
...
In /var/lib/zentyal/conf we have various files that contain various essential details.
samba.passwd the administrator password which is why you shouldn't change things but really the administrator should be visible and maybe a ebox samba account should be used.
...

Zentyal 3.5, in /var/lib/zentyal/conf there is no samba.passwd, only samba.keytab... Password now encrypted with Kerberos?

StuartNaylor

  • Guest
Re: Zarafa & Zentyal 3.5
« Reply #8 on: July 03, 2014, 09:54:45 pm »
Yeah I was working on a daily of 3.5 which zentyal have moved to a better user. They have moved the account from Administrator which needed to be done.

dn = "CN=zentyal-mail-zent1,CN=Users,DC=office,DC=zentyal,DC=lan" could use that one and have a look in /etc for the dovecot or postfix as the password is there.

Or you can create another user who can browse the ldap and use that with the password you supply or stay with the administrator.

I seemed to have problems with the ldb tools and with any other distro Debian, Ubuntu, Arch I don't have.

I have been meaning to come back but wondering if it's worthwhile.

StuartNaylor

  • Guest
Re: Zarafa & Zentyal 3.5
« Reply #9 on: July 20, 2014, 01:42:00 pm »
Went back to zarafa and have an automated install.

It should get zarafa up and running on 3.5.

Setup Zentyal with file and mail services and create a user / domain admin say zarafa.

disable the pop and imap of the mail as zarafa will do that.

Run bash zarafa-install from root (sudo -i to get there)
Supply the user details and password and go hopefully

If anybody has a VM or test machine would you give it a try and report back.

Many Thanks

Stuart

PS Script attached

Will have a look at zpush and getting things completely tidy

Would appreciate some input

http://doc.zarafa.com/7.1/Migration_Manual/en-US/html-single/
« Last Edit: July 21, 2014, 08:05:33 am by StuartNaylor »

tose

  • Zen Apprentice
Re: Zarafa & Zentyal 3.5
« Reply #10 on: July 30, 2014, 11:52:54 am »
Hi Stuart,

Tried your script & it seemed to work fine. Box rebooted. Zarafa Webapp displayed ok so I guess all ok from the Apache side.

But at the command line a "zarafa-admin -l" told me zarafa-server was not running.  Ok, "service zarafa-server start" seemed to work ok but then the service stopped after a few seconds. Checking "/var/log/zarafa/server.log" showed me:-

----------------------------------------
Wed Jul 30 19:00:17 2014: Starting zarafa-server version 7,1,10,44973, pid 4482
Wed Jul 30 19:00:17 2014: Listening for priority pipe connections on /var/run/zarafa-prio
Wed Jul 30 19:00:17 2014: Listening for pipe connections on /var/run/zarafa
Wed Jul 30 19:00:17 2014: Listening for TCP connections on port 236
Wed Jul 30 19:00:17 2014: Connection to database 'zarafa' succeeded
Wed Jul 30 19:00:17 2014: zarafa-licensed is running, but no license key was found. Not all commercial features will be available.
Wed Jul 30 19:00:17 2014: Cannot instantiate user plugin: ldap_bind_s: Invalid credentials
Wed Jul 30 19:00:17 2014: Unable to initialize user plugin
Wed Jul 30 19:00:23 2014: Server shutdown complete.
----------------------------------------

I checked "/etc/zarafa/ldap.cfg" & it has the correct credentials for the "Domain Admin" user I created & used to run your zarafa-install script. I then thought about where I might find alternative ldap credentials. Tried the Zentyal install "administrator" account (the one created during zentyal install) but no joy there either. Not sure where to find any alternative LDAP credentials?

That's all I've got for now. I really want to offer you encouragement. I see you doing all sorts of good work in these forums & I wish I had both the time & skills to be of more assistance. The dropping of Zarafa from Zentyal is, to me, a crying shame. I will try to get back here & feed back to you as much as possible.

StuartNaylor

  • Guest
Re: Zarafa & Zentyal 3.5
« Reply #11 on: July 30, 2014, 12:24:57 pm »
I would love for it to be able to drop custom ldifs in the Zentyal user manager.

This would add the required attributes, a hook for the action would be brilliant as you could use parameters to set variable data.

Also an ldif that would display these in the similar way RSAT has a custom attributes page in AD users & computers.

Until then we will have to resort to ldbedit -H /var/lib/samba/private/sam.ldb -e nano '(samaccountname=userid)' or something like that; guess we could make a little script that made it a bit more tidy.

I wasn't sure how many of the community would be able to work out of the normal user manager and if it was worth while.

Once they are set up there is not much to do and the script would automate that but quota changes and deactivation would require the above.

I think it's always good to have alternatives but I stopped because of lack of interest.

If you email me I will walk you through or post on the thread.

Which account did you choose to connect to the LDAP, Administrator? Domain Admins is a group, isn't it? Create a user, call it Zarafa and use that.

« Last Edit: July 30, 2014, 01:36:32 pm by StuartNaylor »

tose

  • Zen Apprentice
Re: Zarafa & Zentyal 3.5
« Reply #12 on: July 30, 2014, 03:32:00 pm »
Yes, I created a user (called zarafa) & made it a member of the Domain Admins group & used it to run the install. I'll retry the install to double check my work.

StuartNaylor

  • Guest
Re: Zarafa & Zentyal 3.5
« Reply #13 on: July 30, 2014, 06:37:13 pm »
I will start up the install again and see how I go. Make sure everything is currently working.


tose

  • Zen Apprentice
Re: Zarafa & Zentyal 3.5
« Reply #14 on: July 31, 2014, 07:08:58 am »
Borrowing one of your tips from earlier in the thread Stuart, I retrieved the ldap credentials from /etc/dovecot/dovecot-ldap.conf, then used them to replace the "ldap_bind_user" & "ldap_bind_passwd" values in /etc/zarafa/ldap.cfg

zarafa-server now starts & runs without error & created users can login to Webapp. Mail send appears to work but not yet being received into mailboxes, but hey, it's a start. No more time now but thanks again.
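
An added example, not part of any post in this thread and not Zentyal or Zarafa code: a Python check of the LDAP bind settings the thread keeps returning to, namely the global catalog port in dovecot-ldap.conf, binding as Administrator, and the bind DN/password drift between dovecot-ldap.conf and Zarafa's LDAP config that showed up as `ldap_bind_s: Invalid credentials`. The file contents and passwords below are constructed, the finding names are invented for this example, and it assumes the Zentyal-generated Dovecot file holds the working credentials.

```python
import hmac

# Constructed samples shaped like the two files quoted in the thread.
# Passwords are placeholders, not the values posted above.
DOVECOT = '''# Generated by Zentyal
hosts = 127.0.0.1:3268
dn = "CN=zentyal-mail-zent1,CN=Users,DC=zentyal,DC=lan"
dnpass = "EXAMPLE-mail-secret"
tls = no
user_attrs = =home=/var/vmail/%Ld/%Ln/
'''
ZARAFA = '''ldap_host = localhost
ldap_bind_user = CN=Administrator,CN=Users,DC=zentyal,DC=lan
ldap_bind_passwd = EXAMPLE-stale-secret
ldap_search_base = dc=zentyal,dc=lan
'''
LOOPBACK = {"127.0.0.1", "localhost"}

def parse_cfg(text):
    """Return {key: value} for 'key = value' lines, ignoring comments."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)  # split once: values may contain '='
            cfg[key.strip()] = value.strip().strip('"')
    return cfg

def audit(dovecot_text, zarafa_text):
    """Return finding codes; secrets are compared but never echoed."""
    d, z = parse_cfg(dovecot_text), parse_cfg(zarafa_text)
    found = []
    for entry in d.get("hosts", "").split():
        host, _, port = entry.rpartition(":")
        if port == "3268":
            found.append("dovecot-global-catalog-port")
        # A simple bind without TLS only stays private on loopback.
        if d.get("tls", "no") == "no" and (host or entry) not in LOOPBACK:
            found.append("dovecot-cleartext-bind-off-host")
    for name, dn in (("dovecot", d.get("dn", "")),
                     ("zarafa", z.get("ldap_bind_user", ""))):
        if dn.lower().startswith("cn=administrator,"):
            found.append(name + "-binds-as-administrator")
    if d.get("dn", "").lower() != z.get("ldap_bind_user", "").lower():
        found.append("bind-dn-mismatch")
    if not hmac.compare_digest(d.get("dnpass", "").encode(),
                               z.get("ldap_bind_passwd", "").encode()):
        found.append("bind-password-mismatch")
    return found

if __name__ == "__main__":
    for code in audit(DOVECOT, ZARAFA):
        print(code)
```

On a real server, pass in the contents of /etc/dovecot/dovecot-ldap.conf and the Zarafa LDAP config file instead of the samples.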