
4.4. User Authentication

Another important configuration option for the Zarafa Server is the user_plugin. This setting determines which back-end is used for managing users and groups. There are four options: db, unix, ldap and ldapms.
By default the db plugin is used, as it does not require any further configuration. The ldap plugin is used most in larger setups, as it proves to be the most flexible and integrates nicely with an organization’s existing infrastructure.
The ldapms plugin is required when configuring a multi-server Zarafa environment. Multi-server support is only available in the Enterprise edition.
More information on managing users can be found in Chapter 8, User Management.
For a comparison between the different plugins, see the table below:
Table 4.1. User plugin comparison
Feature                        DB             Unix           LDAP   LDAPMS
Create/delete/modify users     X              X              X      X
Set aliases                    On MTA level   On MTA level   X      X
Hide users                     -              -              X      X
Sendas permissions             X              X              X      X
Sendas permissions of groups   -              -              X      X
Security Groups                X              X              X      X
Distribution groups            -              -              X      X
Hide groups                    -              -              X      X
Dynamic groups                 -              -              X      X
Contacts support               -              -              X      X
Multi-tenancy support          X              -              X      X
Addresslists support           -              -              X      X
Multi-server support           -              -              -      X

Important

Although multi-tenancy is already possible when using the DB plugin, we strongly suggest using an LDAP backend when planning to host multiple tenants within one installation.

4.4.1. The DB Authentication Plugin

This plugin uses the Zarafa MySQL database to store user and group information. The zarafa-admin tool can be used to manage users.
The DB plugin supports only basic user and group information. For more advanced configurations, we advise using the LDAP plugin.
For more information about user management with the zarafa-admin tool, see Chapter 8, User Management.

4.4.2. The Unix Authentication Plugin

The Unix plugin is used on a server which has all its user information set up in the /etc/passwd file. Group information will be read from /etc/group. Passwords are checked against /etc/shadow, so the zarafa-server process must have read access to this file (this process is normally run as root, so usually that is not a problem).
Since the Unix files do not contain enough information for Zarafa, there are some properties of a user that will be stored in the database. These properties are the email address, overriding quota settings, and administrator settings. The zarafa-admin tool has to be used to update these user properties. All other user properties are managed using the normal Unix tools.
A configuration file, /etc/zarafa/unix.cfg, exists for this plugin. The defaults set by this file are usually sufficient, and in-line comments explain each option. The uid range of the users wanted in the Zarafa server needs to be defined in this configuration file. The same goes for the groups.
Non-active users are identified by a specific shell, by default /bin/false. These users cannot log in, but their stores can be opened by other users. An administrator should set up the correct access rights for these stores.
For an overview of all configuration options of the unix authentication plugin, use:
man zarafa-unix.cfg
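The following added example (not part of the Zarafa documentation or code) previews how a uid range and a non-login shell divide /etc/passwd accounts into active users, non-active users and ignored accounts, so that service accounts inside the range are noticed before the plugin is enabled. The function and parameter names, the sample data and the inclusive treatment of both range bounds are assumptions; the real option names and semantics are in man zarafa-unix.cfg.

```python
# Added example: preview which /etc/passwd accounts a uid range and a
# non-login shell would expose as active or non-active users.
# Parameter names are hypothetical and are not unix.cfg option names.

# Constructed sample in /etc/passwd format (not taken from a real system).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
alice:x:1000:1000:Alice Example:/home/alice:/bin/bash
bob:x:1001:1001:Bob Example:/home/bob:/bin/zsh
shared-info:x:1002:1002:Shared mailbox:/home/shared-info:/bin/false
backup:x:1003:1003:Backup job:/home/backup:/bin/bash
broken-line-without-fields
"""


def classify_accounts(passwd_text, uid_min, uid_max, non_login_shell="/bin/false"):
    """Return login names grouped as 'active', 'non_active' or 'ignored'."""
    result = {"active": [], "non_active": [], "ignored": []}
    for line in passwd_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        # passwd(5) entries have exactly 7 fields; skip malformed lines.
        if len(fields) != 7 or not fields[2].isdecimal():
            continue
        name, uid, shell = fields[0], int(fields[2]), fields[6]
        if not uid_min <= uid <= uid_max:    # assumption: inclusive bounds
            result["ignored"].append(name)
        elif shell == non_login_shell:
            result["non_active"].append(name)  # cannot log in, store is shareable
        else:
            result["active"].append(name)      # password checked against /etc/shadow
    return result


if __name__ == "__main__":
    # Constructed range; take the real values from /etc/zarafa/unix.cfg.
    report = classify_accounts(SAMPLE_PASSWD, uid_min=1000, uid_max=10000)
    for kind, names in report.items():
        print(f"{kind:11s} {', '.join(names) or '-'}")
```

In the constructed sample the backup account falls inside the range with a regular shell, so it would be treated as an active user; accounts like this are the ones to exclude or move before enabling the plugin.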

4.4.3. The LDAP Authentication Plugin

The LDAP plugin is used for coupling any LDAP-compliant server with the Zarafa Server. This way, all users, groups and membership information can be retrieved ‘live’ from an LDAP server.
In addition to the default users, groups and companies, the LDAP plugin also supports the following object types:
  • Contacts — External SMTP contacts which can be used as members of distribution lists
  • Addresslists — Sub categories of the Global Address Book, based on a specified LDAP filter
  • Dynamic groups — Dynamically created groups, based on a specified LDAP filter.
The LDAP plugin is therefore the recommended user plugin for ZCP.
The Zarafa Server needs two configuration directives in the server.cfg configuration file to use the LDAP backend, namely:
user_plugin = ldap
user_plugin_config = /etc/zarafa/ldap.cfg
The defaults for OpenLDAP and for Active Directory can be found in the /usr/share/doc/zarafa/example-config directory. Based on these examples the /etc/zarafa/ldap.cfg file should be adjusted to configure the LDAP authentication plugin.
For more details about configuring the LDAP plugin, see Section 5.2, “Configure ZCP OpenLDAP integration” for OpenLDAP or Section 5.3, “Configure ZCP Active Directory integration” for Active Directory.