Zarafa LDAP Howto Debian/Ubuntu

From Zarafa wiki




A quick guide to get you up to speed regarding Zarafa with the (OPEN)LDAP backend.


This guide has been tested on Debian 7, 8 and Ubuntu 12.04 LTS.


Please note: slapd uses the hostname to "guess" the organisation name (the base DN) for the LDAP directory.

In this howto we use the hostname zarafa.example.local, which results in dc=example,dc=local in LDAP.

For your setup you probably want to change this to something more useful.

Install mysql and apache / php

# apt-get install mysql-server libapache2-mod-php5 

Enter the mysql password twice and write it down.

Install OpenLDAP

# apt-get install slapd ldap-utils

Enter LDAP administrator password twice and write it down.

Use slapcat to verify that the install derived your organisation's base DN from the hostname correctly. If that is not the case, run dpkg-reconfigure -plow slapd and set it up manually.

# slapcat
dn: dc=example,dc=local
objectClass: top
objectClass: dcObject
objectClass: organization
o: example.local
dc: example
structuralObjectClass: organization
entryUUID: 907f25dc-91f2-1032-97fa-b34646bf14f6
creatorsName: cn=admin,dc=example,dc=local
createTimestamp: 20130805081250Z
entryCSN: 20130805081250.289774Z#000000#000#000000
modifiersName: cn=admin,dc=example,dc=local
modifyTimestamp: 20130805081250Z

dn: cn=admin,dc=example,dc=local
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
userPassword:: e1NTSEF9dm1rV21GdmVPbVBXTnI4blhSbE5oeVVmTTVSWm4vV2U=
structuralObjectClass: organizationalRole
entryUUID: 907fc91a-91f2-1032-97fb-b34646bf14f6
creatorsName: cn=admin,dc=example,dc=local
createTimestamp: 20130805081250Z
entryCSN: 20130805081250.293957Z#000000#000#000000
modifiersName: cn=admin,dc=example,dc=local
modifyTimestamp: 20130805081250Z

When dpkg-reconfigure -plow slapd does not seem to work, you can preseed the answers with debconf-set-selections as shown below and then run dpkg-reconfigure slapd.

echo "slapd slapd/no_configuration boolean false" | debconf-set-selections
echo "slapd slapd/domain string example.local" | debconf-set-selections
echo "slapd shared/organization string 'example'" | debconf-set-selections
echo "slapd slapd/password1 password zarafano1" | debconf-set-selections
echo "slapd slapd/password2 password zarafano1" | debconf-set-selections
echo "slapd slapd/backend select HDB" | debconf-set-selections
echo "slapd slapd/purge_database boolean true" | debconf-set-selections
echo "slapd slapd/allow_ldap_v2 boolean false" | debconf-set-selections
echo "slapd slapd/move_old_database boolean true" | debconf-set-selections

Create the placeholder for our users.

Create a file called org.ldif containing:

dn: ou=People,dc=example,dc=local
objectClass: organizationalUnit
objectClass: top
ou: People

Import the ldif file into ldap.

# ldapadd -x -D cn=admin,dc=example,dc=local -W -f org.ldif

Check if it was added with a simple search.

# ldapsearch -x -D cn=admin,dc=example,dc=local -W -b dc=example,dc=local

Download and install Zarafa

Choose the version for your distribution from

We will be using zcp-7.1.5-42059-debian-7.0-x86_64-free.tar.gz in this howto.

# wget

# tar zxvf zcp-7.1.5-42059-debian-7.0-x86_64-free.tar.gz

# cd zcp-7.1.5-42059-debian-7.0-x86_64

# ./

When prompted for the mysql password, use the one you entered earlier.

Accept the defaults for the other questions.

Press y to accept the install of the suggested packages.

Reboot the system.

# reboot

After the reboot, check if Zarafa is up and running.

# zarafa-admin -l

User list for Default(1):
	Username	Fullname	Homeserver	

Add the Zarafa schema to our ldap

# zcat /usr/share/doc/zarafa/zarafa.ldif.gz | ldapadd -H ldapi:/// -Y EXTERNAL

Add a Zarafa user to our ldap

Create a new ldif file called user.ldif containing the following. This user will have zarafa admin rights:

dn: uid=john,ou=People,dc=example,dc=local
objectClass: posixAccount
objectClass: top
objectClass: zarafa-user
objectClass: inetOrgPerson
gidNumber: 1000
cn: John Doe
homeDirectory: /home/john
mail: [email protected]
uidNumber: 1000
zarafaAliases: [email protected]
zarafaUserServer: Zarafa
uid: john
zarafaAccount: 1
zarafaAdmin: 1
sn: Doe
userPassword: john
zarafaQuotaOverride: 1
zarafaEnabledFeatures: imap
zarafaDisabledFeatures: pop3
zarafaQuotaWarn: 1000000000
zarafaQuotaSoft: 1100000000
zarafaQuotaHard: 1200000000
# ldapadd -x -D cn=admin,dc=example,dc=local -W -f user.ldif

Verify the user with an anonymous search.

# ldapsearch -xLLL -b dc=example,dc=local uid=john
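The user.ldif above stores the password in cleartext (userPassword: john), and slapcat shows the admin entry with a double colon (userPassword::) because its value is base64-encoded LDIF. The following is an added example, not part of the wiki page or of Zarafa, that generates the same kind of user entry with a salted {SSHA} hash as slapd itself produces, verifies such a hash, and decodes a "::" LDIF line. The base DN, the e-mail address and the quota-free attribute set are assumptions for illustration.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Assumed base DN, matching the howto's hostname-derived suffix.
BASE_DN = "dc=example,dc=local"


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """OpenLDAP {SSHA} format: base64(sha1(password + salt) + salt)."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password: str, stored: str) -> bool:
    """Check a cleartext password against a stored {SSHA} value."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes, the rest is salt
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def ldif_value(line: str) -> str:
    """Decode one LDIF attribute line; a '::' separator marks a base64 value,
    which is why slapcat prints 'userPassword:: ...' for hashed passwords."""
    _name, _sep, value = line.partition(":")
    if value.startswith(":"):
        return base64.b64decode(value[1:].strip()).decode("utf-8")
    return value.strip()


def user_ldif(uid: str, cn: str, sn: str, mail: str, password: str,
              uid_number: int, gid_number: int = 1000, admin: bool = False,
              base_dn: str = BASE_DN) -> str:
    """Build a zarafa-user LDIF entry like the howto's user.ldif, but with a
    hashed userPassword instead of a cleartext one."""
    attrs = [
        ("dn", f"uid={uid},ou=People,{base_dn}"),
        ("objectClass", "top"),
        ("objectClass", "posixAccount"),
        ("objectClass", "inetOrgPerson"),
        ("objectClass", "zarafa-user"),
        ("uid", uid),
        ("cn", cn),
        ("sn", sn),
        ("mail", mail),
        ("uidNumber", str(uid_number)),
        ("gidNumber", str(gid_number)),
        ("homeDirectory", f"/home/{uid}"),
        ("userPassword", ssha_hash(password)),
        ("zarafaAccount", "1"),
        ("zarafaAdmin", "1" if admin else "0"),
    ]
    return "\n".join(f"{k}: {v}" for k, v in attrs) + "\n"


if __name__ == "__main__":
    # Constructed sample user; the address is an assumption.
    print(user_ldif("john", "John Doe", "Doe", "john@example.local", "john", 1000, admin=True))
```

Write the output to user.ldif and import it with the same ldapadd command as above; ldapsearch will then return the hashed value with a "::" separator, which ldif_value decodes.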

Changing the zarafa configuration

Edit /etc/zarafa/server.cfg

Change the line user_plugin into the following.

user_plugin             = ldap

Setup the ldap.cfg

# cd /etc/zarafa/
# cp ldap.openldap.cfg ldap.cfg

For this howto we will be using anonymous binding.

Edit /etc/zarafa/ldap.cfg

Change the line ldap_bind_user = cn=admin,cn=users,dc=zarafa,dc=com into the following.

ldap_bind_user =

Change the search base so it matches our organisation.

ldap_search_base = dc=example,dc=local

Restart the zarafa-server

# /etc/init.d/zarafa-server restart

Check if Zarafa can get the user from LDAP

# zarafa-admin -l

User list for Default(2):
	Username	Fullname	Homeserver	
	john		John Doe	

Let's show the details of our user john.

# zarafa-admin --details john

Username:		john
Fullname:		John Doe
Emailaddress:		[email protected]
Active:			yes
Administrator:		yes
Address book:		Visible
Auto-accept meeting req:no
Mapped properties:
Current user store quota settings:
 Quota overrides:	yes
 Warning level:		953.67 MB
 Soft level:		1049.04 MB
 Hard level:		1144.41 MB
Current store size:	0.00 MB
Groups (1):

Ldap optimization

Create a file called optimize-index.ldif containing:

dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: cn eq
olcDbIndex: gidNumber eq
olcDbIndex: mail eq
olcDbIndex: memberUid eq
olcDbIndex: ou eq
olcDbIndex: uid eq
olcDbIndex: uidNumber eq
olcDbIndex: uniqueMember eq
olcDbIndex: zarafaAccount eq
olcDbIndex: zarafaAliases eq
olcDbIndex: zarafaViewPrivilege eq

Apply the ldif to add the new indexes.

# cat optimize-index.ldif | ldapmodify -Y EXTERNAL -H ldapi:///

Check if our new olcDbIndex keys have been added.

# slapcat -b cn=config | grep olcDbIndex:

olcDbIndex: objectClass eq
olcDbIndex: cn eq
olcDbIndex: gidNumber eq
olcDbIndex: mail eq
olcDbIndex: memberUid eq
olcDbIndex: ou eq
olcDbIndex: uid eq
olcDbIndex: uidNumber eq
olcDbIndex: uniqueMember eq
olcDbIndex: zarafaAccount eq
olcDbIndex: zarafaAliases eq
olcDbIndex: zarafaViewPrivilege eq

You can check your slapd logging for additional candidates for indexing: slapd logs each attribute it had to search without an equality index.

# grep bdb_equality_candidates /var/log/syslog
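Reading those log lines by hand gets tedious on a busy server. The following is an added example, not taken from the wiki page or from Zarafa, that counts the "not indexed" attributes in the slapd syslog output, compares them against the olcDbIndex lines from slapcat, and emits the same kind of modify LDIF as optimize-index.ldif for whatever is still missing. The syslog and slapcat lines embedded below are constructed samples.

```python
import re
from collections import Counter
from typing import Iterable, Set

# Constructed sample of slapd syslog output (format as logged by the bdb/hdb backend).
SYSLOG_SAMPLE = """\
Aug  5 08:12:50 zarafa slapd[1234]: <= bdb_equality_candidates: (zarafaAccount) not indexed
Aug  5 08:12:50 zarafa slapd[1234]: <= bdb_equality_candidates: (mail) not indexed
Aug  5 08:12:51 zarafa slapd[1234]: <= bdb_equality_candidates: (zarafaAliases) not indexed
Aug  5 08:12:51 zarafa slapd[1234]: <= bdb_equality_candidates: (mail) not indexed
Aug  5 08:12:52 zarafa slapd[1234]: <= bdb_equality_candidates: (zarafaViewPrivilege) not indexed
"""

# Constructed sample of `slapcat -b cn=config | grep olcDbIndex:` output.
SLAPCAT_INDEX_SAMPLE = """\
olcDbIndex: objectClass eq
olcDbIndex: cn eq
olcDbIndex: uid eq
"""

CANDIDATE_RE = re.compile(r"bdb_equality_candidates: \((?P<attr>[A-Za-z][\w-]*)\) not indexed")
# olcDbIndex values look like "attr1,attr2 eq,pres,sub"
INDEX_RE = re.compile(r"^olcDbIndex:\s*(?P<attrs>\S+)\s+(?P<types>\S+)$")


def unindexed_attributes(syslog_text: str) -> Counter:
    """Count how often slapd complained about each unindexed attribute."""
    hits: Counter = Counter()
    for line in syslog_text.splitlines():
        m = CANDIDATE_RE.search(line)
        if m:
            hits[m.group("attr")] += 1
    return hits


def existing_eq_indexes(slapcat_text: str) -> Set[str]:
    """Attributes that already carry an 'eq' index according to cn=config."""
    indexed: Set[str] = set()
    for line in slapcat_text.splitlines():
        m = INDEX_RE.match(line.strip())
        if m and "eq" in m.group("types").split(","):
            indexed.update(m.group("attrs").split(","))
    return indexed


def missing_indexes(syslog_text: str, slapcat_text: str) -> list:
    """Sorted attributes that were searched unindexed and have no eq index yet."""
    return sorted(set(unindexed_attributes(syslog_text)) - existing_eq_indexes(slapcat_text))


def index_ldif(attrs: Iterable[str], database: str = "olcDatabase={1}hdb,cn=config") -> str:
    """Emit a modify LDIF in the same shape as the howto's optimize-index.ldif."""
    lines = [f"dn: {database}", "changetype: modify", "add: olcDbIndex"]
    lines += [f"olcDbIndex: {attr} eq" for attr in attrs]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    todo = missing_indexes(SYSLOG_SAMPLE, SLAPCAT_INDEX_SAMPLE)
    for attr, count in unindexed_attributes(SYSLOG_SAMPLE).most_common():
        print(f"{attr}: {count} unindexed search(es)")
    if todo:
        print(index_ldif(todo))
```

On a real server, feed it the actual grep output and slapcat output instead of the constructed samples, and apply the printed LDIF with the same ldapmodify -Y EXTERNAL -H ldapi:/// command as above.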

Ldap backup and restore using slapcat / slapadd


For the configuration use 0, since it is the first database.

# slapcat -n 0 -l config.ldif

For the organisation use 1, since it is the second database.

# slapcat -n 1 -l example.local.ldif


Make sure you have stopped slapd before restoring.

You can use slapadd -n 0 and slapadd -n 1 to restore the respective databases.

# slapadd -n 0 -l config.ldif
# slapadd -n 1 -l example.local.ldif

Be careful to check if your restored databases end up in /var/lib/ldap with the correct permissions.

The owner should be openldap:openldap and the permissions 0600.
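The following is an added example, not part of the wiki page, that performs that permission check over the database directory and optionally fixes what it finds, so a restore run as root does not leave world-readable database files behind. The directory path and the openldap account name are taken from the howto; build_demo_dir() only creates a constructed temporary directory so the audit can be tried without touching /var/lib/ldap.

```python
import grp
import os
import pwd
import stat
import tempfile
from typing import List, Optional, Tuple

# Path used by the howto for the slapd databases.
LDAP_DIR = "/var/lib/ldap"


def audit_ldap_dir(path: str = LDAP_DIR, uid: Optional[int] = None,
                   gid: Optional[int] = None, mode: int = 0o600,
                   fix: bool = False) -> List[str]:
    """Return one finding per regular file whose owner or mode differs from
    openldap:openldap / 0600; with fix=True also chown and chmod the file
    (changing the owner requires root)."""
    if uid is None:
        uid = pwd.getpwnam("openldap").pw_uid
    if gid is None:
        gid = grp.getgrnam("openldap").gr_gid
    findings: List[str] = []
    for name in sorted(os.listdir(path)):
        full = os.path.join(path, name)
        st = os.lstat(full)
        if not stat.S_ISREG(st.st_mode):
            continue  # only the database files themselves are checked
        perm = stat.S_IMODE(st.st_mode)
        if st.st_uid != uid or st.st_gid != gid:
            findings.append(f"{full}: owner {st.st_uid}:{st.st_gid}, expected {uid}:{gid}")
            if fix:
                os.chown(full, uid, gid)
        if perm != mode:
            findings.append(f"{full}: mode {perm:04o}, expected {mode:04o}")
            if fix:
                os.chmod(full, mode)
    return findings


def current_ids() -> Tuple[int, int]:
    """uid/gid of the running user, for trying the audit outside /var/lib/ldap."""
    return os.getuid(), os.getgid()


def build_demo_dir() -> str:
    """Constructed demo: a temp dir with one correct and one world-readable file."""
    d = tempfile.mkdtemp(prefix="ldap-audit-demo-")
    for name, mode in (("good.bdb", 0o600), ("bad.bdb", 0o644)):
        p = os.path.join(d, name)
        with open(p, "w") as f:
            f.write("constructed sample\n")
        os.chmod(p, mode)
    return d


if __name__ == "__main__":
    demo = build_demo_dir()
    uid, gid = current_ids()
    for finding in audit_ldap_dir(demo, uid, gid):
        print(finding)
```

On the real server run audit_ldap_dir() with its defaults after slapadd, and only pass fix=True once you have reviewed the findings; start slapd again afterwards.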

Disable anonymous binding

If required you can disable anonymous binding.

Taken from

Changing the default behaviour

Create a file disable_anon_backend.ldif

dn: olcDatabase={1}hdb,cn=config
add: olcRequires
olcRequires: authc

Create a file disable_anon_frontend.ldif

dn: olcDatabase={-1}frontend,cn=config
add: olcRequires
olcRequires: authc

Use ldapmodify to commit these changes.

# ldapmodify -Y EXTERNAL -H ldapi:/// -f disable_anon_frontend.ldif
# ldapmodify -Y EXTERNAL -H ldapi:/// -f disable_anon_backend.ldif

Testing if it works

After this, the following anonymous search should no longer be possible.

# ldapsearch -xLLL -b dc=example,dc=local uid=john

The following should work.

# ldapsearch -x -D cn=admin,dc=example,dc=local -W -b dc=example,dc=local

Modify Zarafa ldap.cfg

ldap_bind_user = cn=admin,dc=example,dc=local
ldap_bind_passwd = writtendownearlier

Restart the Zarafa server

# service zarafa-server restart

Check zarafa users list

# zarafa-admin -l