I have installed Zimbra 4.5 on a new, fully-updated, 32-bit CentOS 5 server with no apparent problems. I have checked that the basic collaborative features work as advertised. Nice product -- strong integration work! In fact, from an "truly open framework" perspective, there is only one serious feature I need that Zimbra seems to lack: the ability for external systems to authenticate users by group, which I guess means by Distribution List.
As far as I can tell, the only way Zimbra aggregates users is into Distribution Lists (a confirmation of this would be appreciated). it seems that with the "User object", a generous amount of the data is kept in LDAP, mostly in standard schema objects, so that external software services can access it in a standard way. Any extra Zimbra-specific user information is stored in MySQL, I presume. Sadly, this entirely sensible model was not followed in the design of the "Group Object", which seems to be stored entirely in MySQL, despite the fact that the groupOfUniqueNames LDAP object type is now ubiquitous and well-supported.
I have tried using the Zimbra-LDAP-Posix extensions to get some kind of group data into Zimbra-LDAP, but even when I create a SMB domain, some Posix groups, and try to group some users, I get two problems:
- In the Zimbra administration UI, there appears to be no way to assign a user to more than one Poisx group. Can this really be true? Can this limitation be overcome by editing the data store more directly?
- Even when I assign a Zimbra account to a (single) Posix group, I cannot find where this information is encoded in the LDAP database! Is it there? How does PAM get your POSIX group info solely from LDAP (query examples would be appreciated)?
I need to secure lots of web-based content using apache, enough content that managing a separate user access for each resource is out of the question -- group-based access is required.
So my question is this: is there any way to use Zimbra to model groups of users (as Distribution Lists, Posix groups, or anything else!) in the LDAP database alone?
If yes, how? If not, how do veteran Zimbrans make apache authorize users against Zimbra?
Thanks in advance for your advice.