Now that I have gotten ldaputil supposedly working, what happens next? The primary goal is to install and test Zimbra. This will be on Sassafras.

These steps have been accomplished:

. Set up LDAP master on Sunset with periodic content updates.
. Move jimc and mathtest mail service off Sassafras.

== Zimbra Setup

We're getting ZCS (Zimbra Collaboration Suite) Open Source Edition (Binary).

License: http://www.zimbra.com/license/zimbra_public_eula.html (This is the 2nd license, called ZP-EULA.) It looks like we're legally OK to use this product.

We're getting version 6.0.7-GA (the latest) for SLES-11 64-bit. Also available: SLES-10 64-bit or 32-bit. Looks like we're going to have to compile it on our own 32-bit machines -- later. This will be on a different open-source license.

Package URL: http://files2.zimbra.com/downloads/6.0.7_GA/zcs-6.0.7_GA_2473.SLES11_64.20100616222133.tgz

Compressed file size 364Mb (oink). Decompressed 378Mb. It's mostly a pile of RPM files.

Installation procedure: Un-tar the downloaded file in temp space and execute ./install.sh which installs the RPMs, asks you about your setup, and then totally trashes your LDAP, Postfix and Apache configuration (at least).

The payload is a collection of RPMs, as follows, each basename being followed by $version.$arch.rpm ($arch is x86_64):

 zimbra-apache
 zimbra-core
 zimbra-ldap
 zimbra-logger
 zimbra-memcached
 zimbra-mta
 zimbra-proxy
 zimbra-snmp
 zimbra-spell
 zimbra-store

The documentation is a bunch of PDFs, most of which describe import wizards for e.g. Outlook, Domino, iCalendar. ZWC_User_Guide_6.0.pdf might be useful. Also Zimbra_Schema.pdf. The most important one is admin.pdf.

quick_start.pdf says: This is for the "single server" mode of installation. ZCS includes the Zimbra MTA, the Zimbra LDAP server, and the Zimbra Mailbox server. ZCS is designed to be the only application suite installed on the server.
This means the installer assumes that it can overwrite any packages and config files on the system, specifically the conf for the following packages, plus adding several users and groups to /etc/{passwd,group} without going through YOUR user management procedures. The bundle includes:

 Apache
 Jetty
 Postfix + ClamAV
 SpamAssassin
 Amavisd-New
 OpenLDAP
 MySQL

You need to get rid of any other webserver, database, LDAP or MTA. The installation will monkey with the configuration of these items.

Prerequisites:

Disc partitions suggested for a new installation of RHEL-4: boot 100Mb, swap 2*RAM, root (everything else).

Software:

 NPTL Native POSIX Threads Library: have. To detect the thread variant: getconf GNU_LIBPTHREAD_VERSION
 sudo: have
 libidn: have
 GMP Gnu Multiple Precision Library: have
 compat-libstdc++-33 (RHEL only) -- libstdc++-33 (SLES-11): have

Network: When installing RHEL-4, you need to specify your FQDN, gateway, DNS server IPs, your IP/mask, Firewall off, no SELinux, suppress sendmail.

DNS: your host needs an "A" and MX record.

It will create a UNIX user called "zimbra". And some others. It's going to ask you for a password for the administrator. It will also want the LDAP administrator password (but it doesn't ask for the admin's DN?)

Password issues:

. The Zimbra Administrator's password will be the same as Bugs and needs to be changed periodically.

We will add Zimbra as a normal system account, and hope that the idiots don't try to add it to /etc/passwd by cowboy programming like they usually do. (UID = 40, regno=system040.) Pre-create homedir as /opt/zimbra (owned by zimbra). Must exist on the mail server (not Sunset).

Change of plans: UID = 52, shell=/bin/bash.

 zimbra:x:52:51:Zimbra Administrator:/opt/zimbra:/bin/bash   (51=postfix)
 zimbra:*:9797:0:::::

. The LDAP administrator's password needs to be something you can type in. Not including newlines, that is, /etc/ldap/root.secret must not end with a newline.
Rebuilding the LDAP admin password: Done (the trailing = is part of the password).

. It plans on doing "su" (or "sudo") to postfix or amavis. These users need to exist in LDAP (and NIS) and to have a password. We'll use... shouldn't be variable. I wish it weren't crypt. Use something from randompw and hide it in /etc/postfix/postfix.secret

On the fly, install amavisd-new, see what it does in /etc/passwd, de-install, and provide OUR amavis special user. Also PW for Postfix. Idiot, it didn't create any amavis user. /etc/sysconfig/amavis has USE_AMAVIS="no" meaning don't monkey with /etc/postfix/whatever.

Used existing accounts:

 vscan:x:65:119:Vscan Account:/var/spool/vscan:/bin/false
 postfix:x:51:51:Postfix:/var/spool/postfix:/bin/false

. Zimbra wants these groups:

 tty:*:5:zimbra
 postfix:*:51:postfix,zimbra
 zimbra:!:1238:      chgto 120
 postdrop:!:1239:    chgto 121
 vscan:!:119:        Stays at 119

Also need to add zimbra to group shadow, to read the X.509 key for TLS. And in passwd:

 < zimbra:x:52:1238:Zimbra Administrator:/opt/zimbra:/bin/bash   (grp=120)
 < vscan:x:65:119:Vscan Account:/var/spool/vscan:/bin/false     (no change)

. OK, now the passwd and group entries are right, and you can do (as jimc) "su -s /bin/sh -c id $luser", type in the password, and it works. The password may be found in sunset:/etc/postfix/postfix.secret

. Re-created /opt/zimbra as a symlink to /m1/zimbra-zcs-6.0.7-SLES11_64

. I think eventually we will have to take zimbra, postfix, vscan out of the NIS/LDAP tables.

Making a backup of /etc and /var/lib, in /s1/zimbra.prebku

Running the installer on Sassafras:

 ./install.sh |& tee $j/zimbra.ins

. No zimbra packages were found (good).
. Error - zimbra user exists with incorrect home directory: (empty). Msg from util/utilfunc.sh. The installer wants the Zimbra user in /etc/passwd. Also shell = .../bash. Fixing these.
. Now it proceeds to show the license URL (press return).
. Listed prerequisites are recognized. sysstat is missing (recommended). Not in main distro. Obtained.
Installed. Zimbra likes it.

. Select the packages to install:

 zimbra-ldap        NO
 zimbra-logger      yes
 zimbra-mta         yes
 zimbra-snmp        NO
 zimbra-store       yes
 zimbra-apache      yes    This is required for the webmail spell checker
 zimbra-spell       yes
 zimbra-memcached   NO     Be careful, users' mailboxes are on NFS. Default is no.
 zimbra-proxy       NO     Default is no.

. Unknown distro openSUSEUNKNOWN_64, has SLES11_64, needs --platform-override on command line. Starting over...

. It removes the previous instance of Zimbra (just these, for us):

 Removing /opt/zimbra
 Removing zimbra crontab entry...done.
 Cleaning up zimbra init scripts...done.
 Cleaning up /etc/ld.so.conf...done.
 Cleaning up /etc/security/limits.conf...done.

Installing packages (no error messages).

. Port conflict detected: 25 (for zimbra-mta) (press any key to ignore). On the fly I stopped cron (for restarter), postfix, spamd.

. Now it goes into configuration.

Configuration options:

Common configuration

LDAP master host: you can specify a different LDAP host. Set sunset.math.ucla.edu (FQDN required due to TLS). (For single host installation, use own FQDN.)

LDAP Admin password "Not Verified". Logs on Sunset say it tried to bind as dn="uid=zimbra,cn=admins,cn=zimbra" method=128. This domain container does not exist, duh. Then it opened another connection but closed without doing anything. Twice.

Final values for common config:

 1) Hostname: sassafras.math.ucla.edu
 2) Ldap master host: sunset.math.ucla.edu
 3) Ldap port: 389
 ** 4) Ldap Admin password: Not Verified
 5) LDAP Base DN: cn=zimbra   (With single host inst, it doesn't ask for base DN.)
 6) Secure IPC: yes
 7) TimeZone: America/Los_Angeles

Zimbra-store config:

 1) Status: Enabled
 2) Create Admin User: yes
 3) Admin user to create: admin@sassafras.math.ucla.edu   chgto zimbra@sassafras.math.ucla.edu
 ** 4) Admin Password UNSET   (set to bugs PW)
 5) Enable automated spam training: yes
 6) Spam training user: spam.zhl09ehuk@sassafras.math.ucla.edu   chgto spam.train@sassafras.math.ucla.edu
 7) Non-spam(Ham) training user: ham.5kgtzruks@sassafras.math.ucla.edu   chgto ham.train@sassafras.math.ucla.edu
 8) Global Documents Account: wiki@sassafras.math.ucla.edu
 9) SMTP host: sassafras.math.ucla.edu
 10) Web server HTTP port: 80
 11) Web server HTTPS port: 443
 12) Web server mode: http
 13) IMAP server port: 143
 14) IMAP server SSL port: 993
 15) POP server port: 110
 16) POP server SSL port: 995
 17) Use spell check server: yes
 18) Spell server URL: http://sassafras.math.ucla.edu:7780/aspell.php
 19) Configure for use with mail proxy: FALSE
 20) Configure for use with web proxy: FALSE
 21) Enable version update checks: TRUE
 22) Enable version update notifications: TRUE
 23) Version update notification email: admin@sassafras.math.ucla.edu   chgto zimbra@sassafras.math.ucla.edu
 24) Version update source email: admin@sassafras.math.ucla.edu   chgto zimbra@sassafras.math.ucla.edu

zimbra-mta config:

 1) Status: Enabled
 2) MTA Auth host: sassafras.math.ucla.edu
 3) Enable Spamassassin: yes
 4) Enable Clam AV: yes
 5) Notification address for AV alerts: zimbra@sassafras.math.ucla.edu
 ** 6) Bind password for postfix ldap user: Not Verified
 ** 7) Bind password for amavis ldap user: Not Verified

(both set to value in sunset:/etc/postfix/postfix.secret) (but could not verify since users not created)

Other configs: zimbra-logger Enabled, zimbra-spell Enabled.

Default Class of Service Configuration:

 1) Enable Instant Messaging Feature: Disabled   (chgto enable)
 2) Enable Briefcases Feature: Enabled
 3) Enable Tasks Feature: Enabled
 4) Enable Notebook Feature: Enabled

Saving in /opt/zimbra/config.17551
(copy to $j/zimbra.conf.1)

Hit "a" to make configuration operative. Quit. Apparently this means abandon changes.

When you do ./install.sh --uninstall, it doesn't actually remove /opt/zimbra. But it does remove most of the stuff.

Things to snoop on:

 /opt/zimbra/mailboxd/etc/keystore
 /opt/zimbra/mailboxd
 /opt/zimbra/java/jre/lib/security/cacerts
 /opt/zimbra/conf/ca

com_zimbra_phone -- this is a "common zimlet". I wonder what it does.

zimbra-ldap

Domain: default is the server's FQDN. Should be math.ucla.edu?

Passwords by which various users authenticate to LDAP: Root (administrator?), LDAP replication server, Postfix user, Amavis user, nginx user.

zimbra-store

Admin user, default is admin@[mailhost.example.com]. Admin user's password. Spam and Ham training users (for global SpamAssassin database).

Port configuration: webserver modes:

 HTTP       Only plaintext
 HTTPS      Only encrypted
 Mixed      Log in encrypted, other traffic plaintext
 Both       Provide both ports but don't switch to HTTPS for login
 Redirect   Response to HTTP is a redirect to equivalent HTTPS. (I think this is what we want.)

Spell checker port: 7780 (currently unassigned).

zimbra-mta

MTA auth host: ?? Antivirus alerts email address. Postfix user's password. Amavis user's password.

zimbra-snmp: Decline this.

zimbra-logger: Accept this, no configuration options.

zimbra-spell: I think we want to enable this. No configuration.

Class of service (feature selection):

 Collapse/expand menu        yes
 Start server after config   No
 Save config to file         (hit this periodically)
 Quit                        yes

Page 13: installation steps:

. Disable your MTA and MySQL.
. Un-tar the downloaded file into temporary space.
. Run ./install.sh
. License agreement.
. Check for prereq software, die if unavailable.
. Select sub-packages. We want all except zimbra-snmp.
. It installs the packages.
. For each component it shows a configuration menu. Type X to expand the menu. Type the number of a section or item, then fill in the required information. Type r to return to the main menu.
. Type a to accept the configuration.

To check on the server:

 su - zimbra ; zmcontrol status

Do the "final setup", create a SSH key for the Zimbra user, and configure syslog for the statistics display.

Creating accounts: can be done one at a time, or you can create a CSV file (max 500 lines) defining a lot of users at once. Not using host OS integration, hiss, boo.

Importing mail from Exchange, Domino, Outlook. blecch.

-----

Left off: Uninstalled. Need to re-do the installation, this time accepting their LDAP. Before doing so, remember to turn off cron, postfix, spamd. We'll copy the schema and realm containers to Sunset, then reinstall again using Sunset as the master.

Installation notes:

. Needs --platform-override on command line.
. Confirm that no Zimbra packages are installed.
. Agree to license terms.
. Finds prerequisite packages and its own payload packages.
. Select for installation: everything but zimbra-snmp. Declined zimbra-memcached, zimbra-proxy (this is the default).
. Re-do configuration steps (see above).
  1. Common config, 4. LDAP admin PW: it thinks this is set.
  2. LDAP config. It thinks it set all 5 passwords already.

Log file for applying the config: /tmp/zmsetup.08252010-135809.log

It barfed, printed out a bunch of memory maps. /opt/zimbra/libexec/zmsetup.pl to finish the config.

LDAP Schemas in use:

 Installing core schema...
 Installing cosine schema...
 Installing inetOrgPerson schema...
 Installing zimbra schema...
 Installing amavis schema...

Evidently it created its own host cert. It's going to allow ssl_allow_untrusted_certs and ssl_allow_mismatched_certs.

 mailboxd_keystore_password = U7T1X1Mvik
 zimbra_ldap_userdn='uid=zimbra,cn=admins,cn=zimbra'

Creating /opt/zimbra/ssl/zimbra/ca/ca.key and .pem (and store in LDAP)

Saving server config key zimbraSSLPrivateKey...failed.
(doesn't say why)

 /opt/zimbra/bin/ldap: line 100: 303 Aborted (core dumped) \
   sudo /opt/zimbra/libexec/zmslapd -l LOCAL0 -4 -u zimbra \
   -h "${bind_url} ldapi:///" -F /opt/zimbra/data/ldap/config

(Tried this 7 times, failed equally.) Syslog shows slapd started, croaked. Program terminated with signal 6 "aborted" after an "abort" system call, stack trace (abridged):

 free, pthread_once, _nsl_default_nss, _nss_compat_initgroups_dyn, initgroups, slap_init_user, main

Google search: another user had this problem, but nobody answered him.

Problem may or may not be that initgroups sends an empty list of groups. int initgroups(const char *user, gid_t group); (no list here). zimbra is in groups tty and postfix. initgroup should have found them. However, "ypcat group | grep zimbra" yields nothing.

slap_init_user (user=0xa13020 "zimbra", group=0x0) (don't know if that's NULL, or group "root").

strace reveals:

. Reads /etc/passwd
. Reads /proc/sys/kernel/ngroups_max (content is 65536)
. Fails to connect to /var/run/nscd/socket
. Reads /etc/default/nss (contains only comments)
. freed invalid pointer

The only packages that were installed were the Zimbra payload.

Schema:

 /opt/zimbra/openldap-2.4.22.3z/etc/openldap/config/cn=config/cn=schema.ldif
 /opt/zimbra/openldap-2.4.22.3z/etc/openldap/schema/zimbra.schema and .ldif
 /opt/zimbra/openldap-2.4.22.3z/var/openldap-data   (no slapd, no content here)

Cowboy programming, setting up our own LDAP server.
Copied /opt/zimbra/openldap-2.4.22.3z/etc/openldap/schema/zimbra.schema to sunset:/etc/openldap/schema, and copied /opt/zimbra/openldap-2.4.22.3z/etc/openldap/schema/zimbra.ldif to ditto and /var/lib/ldap/slapd.d/cn\=config/cn\=schema/

Created a database: sunset:/var/lib/ldap/slapd.d/cn\=config/olcDatabase\={3}zimbra.ldif which has these mods from hdb.ldif:

 dn: olcDatabase={3}zimbra
 olcDatabase: {3}zimbra
 olcSuffix: dc=zimbra,dc=sassafras,dc=math,dc=ucla,dc=edu
 olcAccess   (not stuffed) (jackass to try to do this without access rules) (keeping the existing rules even though useless)
 olcRootDN: uid=zimbra,cn=admins,cn=zimbra,dc=sassafras,dc=math,dc=ucla,dc=edu
 olcRootPW: {SSHA}zxcvbnmasdfghjklqwertyuiop

To produce the password hash:

 echo -n 'qwertyiop' | slappasswd -h '{SSHA}' -T /dev/stdin

Starting slapd, it says: config error processing cn=zimbra,cn=schema,cn=config,cn=schema,cn=config

Removed the schema, this error goes away, and now it says: olcSuffix: value #0: namingContext "dc=zimbra,dc=sassafras,dc=math,dc=ucla,dc=edu" already served by a preceding hdb database serving namingContext "dc=math,dc=ucla,dc=edu"

The removed files are in /var/lib/ldap/slapd.jail

Left off at: De-installed Zimbra yet again. LDAP running minus Zimbra schema.

Need to do (on sassafras):

 insserv -r /etc/init.d/zimbra   (otherwise restarter bitches)
 newaliases                      (zimbra weirds out the format)
 crontab -u zimbra -r            (tries to run uninstalled zimbra)

Strategy: Convert Zimbra schema (sunset: /etc/openldap/schema/zimbra.schema) to LDIF and add it using ldapadd.

Utilities:

 slapschema   -- Checks database content for compliance with schema
 schema2ldif  -- Converts schema into LDIF

Running schema2ldif: it uses a "bed of Procrustes" approach to line joining. I wrote a script to do comparisons (ldifjoin.pl). The distributed ldif file has very chatty DESC fields. Could that be giving indigestion to slapd? No, my joiner tossed comments at the wrong time.
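The "already served by a preceding hdb database" error above is slapd enforcing its database ordering rule: databases are walked in olcDatabase={n} order, and a suffix that lies under the suffix of an earlier database is rejected, so the longer (subordinate) suffix has to be defined first. The notes also state that olcRootDN has to lie under olcSuffix. Here is an added example (my own code, not from these notes and not from OpenLDAP or Zimbra) that checks both rules on a set of (index, olcSuffix) pairs before they are fed to ldapadd. The suffixes and DNs are the ones from the olcDatabase={3} definition above; DN handling is deliberately simplified (case-insensitive, whitespace around commas ignored, no escaped commas). Run against that first definition it also reports that olcRootDN uid=zimbra,cn=admins,cn=zimbra,dc=sassafras,dc=math,dc=ucla,dc=edu is not under olcSuffix dc=zimbra,dc=sassafras,dc=math,dc=ucla,dc=edu, which is a second reason that layout could not have worked as written.

```python
# Added example, not from the notes: sanity-check cn=config database
# definitions before feeding them to ldapadd. Two rules are checked:
#  1. slapd walks databases in {n} order; a suffix that lies under the suffix
#     of an earlier database is rejected ("namingContext ... already served by
#     a preceding ... database"), so the longer suffix must come first.
#  2. per the notes, olcRootDN must lie under that database's olcSuffix.
# DN handling is deliberately simple: case-insensitive attribute types and
# values, whitespace around commas ignored, escaped commas not supported.


def normalize_dn(dn):
    """Split a DN into normalized RDN strings, leftmost (most specific) first."""
    rdns = []
    for rdn in dn.split(","):
        attr, _, value = rdn.partition("=")
        rdns.append(attr.strip().lower() + "=" + value.strip().lower())
    return rdns


def dn_is_under(dn, suffix):
    """True if dn equals suffix or sits beneath it in the tree."""
    d, s = normalize_dn(dn), normalize_dn(suffix)
    return len(d) >= len(s) and d[len(d) - len(s):] == s


def check_database_order(databases):
    """databases: list of (index, olcSuffix) pairs, e.g. (1, "dc=math,dc=ucla,dc=edu").
    Returns problem descriptions; an empty list means slapd accepts the order."""
    problems = []
    ordered = sorted(databases)  # slapd processes olcDatabase={n} in index order
    for pos, (idx_a, suf_a) in enumerate(ordered):
        for idx_b, suf_b in ordered[pos + 1:]:
            # a later database whose suffix is under an earlier one is rejected
            if dn_is_under(suf_b, suf_a):
                problems.append(
                    'olcDatabase={%d} suffix "%s" is already served by preceding '
                    'olcDatabase={%d} suffix "%s"' % (idx_b, suf_b, idx_a, suf_a))
    return problems


def check_rootdn(rootdn, suffix):
    """Return None if rootdn lies under suffix, else a problem description."""
    if dn_is_under(rootdn, suffix):
        return None
    return 'olcRootDN "%s" is not under olcSuffix "%s"' % (rootdn, suffix)


if __name__ == "__main__":
    # Constructed from the two layouts tried in the notes.
    existing = (1, "dc=math,dc=ucla,dc=edu")
    rejected = (3, "dc=zimbra,dc=sassafras,dc=math,dc=ucla,dc=edu")   # first attempt
    accepted = (3, "cn=zimbra")                                       # plan A
    for p in check_database_order([existing, rejected]):
        print("REJECT:", p)
    print("plan A problems:", check_database_order([existing, accepted]))
    print(check_rootdn("uid=zimbra,cn=admins,cn=zimbra", "cn=zimbra"))
    print(check_rootdn("uid=zimbra,cn=admins,cn=zimbra,dc=sassafras,dc=math,dc=ucla,dc=edu",
                       "dc=zimbra,dc=sassafras,dc=math,dc=ucla,dc=edu"))
```

With the existing dc=math,dc=ucla,dc=edu database at {1}, the only ways to keep a dc=zimbra,dc=sassafras,dc=math,dc=ucla,dc=edu suffix are to give it a lower index than {1} or, as plan A does, to use a suffix such as cn=zimbra that is not under the existing one.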
Capitalization of the word objectClass differs:

 < objectclass: olcSchemaConfig   converted by schema2ldif
 ---
 > objectClass: olcSchemaConfig   as distributed.

slapadd: "Databases configured as subordinate are also updated..."

admin guide: "Slapd looks at suffixes in definition order. If one DB suffix is a prefix of another, the shorter one must occur later."

slapcat does not seem to dump the schema (use -b cn=config)! Using tar...

Trying to add zimbra.ldif (theirs):

For jiggering the database, look for dn: olcDatabase={1}hdb (or whatever) containing olcRootDN field. There's one on ./cn=config/cn=schema.ldif -- it's in a schema, not functional. There's one on ./cn=config/olcDatabase={0}config.ldif and its value is cn=config.

Allegedly it added the Zimbra schema. Used this command line:

 ldapadd -x -D cn=config -y /etc/openldap/root.secret -ZZ \
   -f /etc/openldap/schema/zimbra.ldif

Ended up in /var/lib/ldap/slapd.d/cn=config/cn=schema/cn\=\{6\}zimbra.ldif

Spot checks indicate the content arrived undamaged; however, the numerous multiple attr values have serial numbers prefixed, making it hard to do a diff.

Next step, make the content database. There are 2 possibilities:

 A. The only realm container is cn=zimbra
 B. The realm is cn=zimbra,dc=sassafras,dc=math,dc=ucla,dc=edu

I'm trying plan A first.

file://localhost/usr/share/doc/packages/openldap2/guide/admin/guide.html

Extract the definition for math.ucla.edu like this:

 ldapsearch -x -D cn=config -y /etc/openldap/root.secret -ZZ \
   -s sub -b 'olcDatabase={1}hdb,cn=config'

This delivered the content. Editing and making these changes:

 dn: olcDatabase={3}hdb,cn=config            (Change the number)
 olcDatabase: {3}hdb                         (Change the number)
 olcSuffix: cn=zimbra                        (vs. dc=math,dc=ucla,dc=edu)
 olcAccess:                                  Clearly bogus, but leave alone.
 olcRootDN: uid=zimbra,cn=admins,cn=zimbra   (vs. uid=root,dc=math,dc=ucla,dc=edu) From the zimbra_ldap_userdn configuration parameter of Zimbra. The RootDN doesn't have to be in the DB, but must be under the prefix.
 olcRootPW: {SSHA}stuff                      (Use Zimbra admin's password)
 olcDbDirectory: /var/lib/ldap/zimbra.db

Per man page for slapd-hdb, a separate directory must be used for each database. Create directory /var/lib/ldap/zimbra.db with mode 750 owner ldap:ldap.

Upload the edited database definition with this command line:

 ldapadd -x -D cn=config -y /etc/openldap/root.secret -ZZ \
   -f /tmp/root.jimc/hdb3.ldif

(same as for loading the schema except different input) (If you partially add the database but an error occurs, you need to restart ldap before trying again.)

Allegedly it loaded the content. The database files were created.

OK, let's try reinstalling Zimbra.

. Stop cron, postfix, spamd
. ./install.sh --platform-override
. Decline zimbra-ldap this time.
. Do not remove pre-existing /opt/zimbra
. It retrieved config from /opt/zimbra/.saveconfig/config.save and will use these as defaults.

 1 (common), 2 (LDAP master host) = sunset.math.ucla.edu
 1 (common), 4 (LDAP admin pw) = xxxxxx

No error messages, it must have worked. But it didn't create anything in the Zimbra LDAP database (check by slapcat -n 3 -l $j/zimbra.dump). Also:

 ldapsearch -x -D uid=zimbra,cn=admins,cn=zimbra -W -b cn=zimbra -s sub

 1 (common), 5 (LDAP base DN) = cn=zimbra   (is the default, apparently)
 1 (common), 7 (timezone) = America/Los_Angeles   (imported & missing from LDAP)
 2 (store), 2 (admin pw) = xxxxxx
 2 (store), 6,7 (training accts) = {spam,ham}.train@sassafras.math.ucla.edu
 2 (store), 21 (version checks) = enable
 3 (mta), 5 (AV alert address) = zimbra@sassafras.math.ucla.edu
 3 (mta), 6,7 (postfix,amavis PW) = xxxxxxxx   Stuck at this point. Passwords are Not Verified. See below for how to fix.
 7 (COS) 1,2,3 were disabled but we want them. Turn on.
 s (save to file)
 a (apply)

Setup operations logged in a /tmp file, copied to /opt/zimbra/install.log: /tmp/zmsetup.08262010-143018.log

Adding sassafras to zimbraMailHostPool in default COS...failed.
Couldn't find a server entry for sassafras.math.ucla.edu. Installing all skins and features (such as IM) failed in default COS. Creating domain sassafras.math.ucla.edu...failed. A lot of installation failed. I think we'd better uninstall and do it over yet again.

Likely the server entry wasn't created because the realm containers didn't exist. Fixed, they exist now including dn: cn=servers,cn=zimbra

/var/spool/cron/tabs/zimbra needs to already exist (but empty) (??) Well, it exists now, seems to have believable content.

How to fix the passwords being Not Verified: In a forum posting, someone had success using /opt/zimbra/libexec/zmsetup.pl
http://www.zimbra.com/forums/installation/40217-solved-little-bump-zimbra-road.html

bluethundr_ had this problem. bdial (moderator) suggested: zmlocalconfig -s | grep ldap_postfix_password. This shows what it was configured as (after you hit "apply"), not what's (not) in the database.

Here are the PWs in the distributed file:

 amavis    zmamavis    uid=zmamavis,cn=appaccts,$config{ldap_dit_base_dn_config}
                       Default value of ldap_dit_base_dn_config is cn=zimbra
 nginx     zmnginx     uid=zmnginx,cn=appaccts,$config{ldap_dit_base_dn_config}   Seems related to proxy
 postfix   zmpostfix   uid=zmpostfix,cn=appaccts,$config{ldap_dit_base_dn_config}
 ldap_replication_password   zmreplica   uid=zmreplica,cn=admins,$config{ldap_dit_base_dn_config}
 ldap_root_password                zimbra
 mailboxd_keystore_base_password   zimbra
 mailboxd_keystore_password        zimbra
 mailboxd_truststore_password      changeit
 mysql_root_password               zimbra
 zimbra_ldap_password              (set up on prev run)
 zimbra_logger_mysql_password      zimbra
 zimbra_mysql_password             zimbra

See here for backup procedure (disaster recovery):
http://wiki.zimbra.com/index.php?title=Open_Source_Edition_Backup_Procedure#A_Simple_Shell_Script_Method

Krishopper suggests: ./install.sh --softwareonly (skip config steps). Then replace /opt/zimbra with the copy in the tgz file. Fixed OP's prob.

Use the source, Luke!
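Setting the zmpostfix and zmamavis passwords directly in the Zimbra LDAP database (so that zmsetup.pl can verify them) means producing {SSHA} userPassword values, as slappasswd does earlier in these notes, and feeding ldapmodify a change record per account. As an added example, my own code rather than anything from these notes, OpenLDAP or Zimbra, here is the {SSHA} construction and its verifier, a generator for that ldapmodify LDIF, and a check for the root.secret rule from earlier (no trailing newline: ldap* -y passes the file contents verbatim, so a newline becomes part of the bind password). The DNs uid=zmpostfix,cn=appaccts,cn=zimbra and uid=zmamavis,cn=appaccts,cn=zimbra are from the notes; the password in the demo is a constructed placeholder.

```python
# Added example, not from the notes: build and verify the {SSHA} userPassword
# values that `slappasswd -h '{SSHA}'` produces, and generate the ldapmodify
# LDIF that replaces userPassword on the Zimbra application accounts.
# {SSHA} layout: "{SSHA}" + base64( SHA1(password || salt) || salt ), with a
# 4-byte salt by default (same as slappasswd). Passwords below are constructed.
import base64
import hashlib
import hmac
import os


def ssha_hash(password, salt=None):
    """Return a {SSHA} string for password; random 4-byte salt unless given."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password, stored):
    """Check password against a stored {SSHA} value; the salt is whatever
    follows the 20-byte SHA-1 digest in the decoded blob."""
    if not stored.startswith("{SSHA}"):
        return False
    blob = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = blob[:20], blob[20:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def password_modify_ldif(entries):
    """entries: list of (dn, {SSHA} value). Returns LDIF text for
    `ldapmodify -f`: one change record per DN, '-' closing each mod,
    records separated by a blank line, file ending in a newline and not
    starting with one (the layout the notes insist on)."""
    records = []
    for dn, hashed in entries:
        records.append("\n".join([
            "dn: " + dn,
            "changetype: modify",
            "replace: userPassword",
            "userPassword: " + hashed,
            "-",
        ]))
    return "\n\n".join(records) + "\n"


def secret_file_ok(data):
    """True if a password file (root.secret / postfix.secret style, read with
    ldap* -y) is non-empty and has no trailing newline."""
    return len(data) > 0 and not data.endswith(b"\n")


if __name__ == "__main__":
    app_accounts = ["uid=zmpostfix,cn=appaccts,cn=zimbra",
                    "uid=zmamavis,cn=appaccts,cn=zimbra"]
    shared = "constructed-example-password"      # placeholder, not a real secret
    entries = [(dn, ssha_hash(shared)) for dn in app_accounts]
    print(password_modify_ldif(entries), end="")
    print("verify:", [ssha_verify(shared, h) for _, h in entries])
    print("root.secret with trailing newline ok?", secret_file_ok(b"qwertyiop\n"))
```

Write the generated text to a file and hand it to ldapmodify exactly as the notes do (ldapmodify -x -D uid=zimbra,cn=admins,cn=zimbra -W -ZZ -f file); ssha_verify is the same computation slapd performs on a simple bind, which is what zmsetup.pl's verification ultimately relies on.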
./libexec/zmsetup.pl sub setLdapPostPass solicits the PW and stores it in $config{LDAPPOSTPASS}, sets $ldapPostChanged = 1, may run ldapIsAvailable(), and returns.

Found something: /opt/zimbra/docs/ldap.txt. It tells how to load the schema (see above). Doesn't seem to create realm containers though.

Bingo! Found ./conf/zimbra.ldif which creates realm containers.

 ldapadd -x -D uid=zimbra,cn=admins,cn=zimbra -W -ZZ -f ./conf/zimbra.ldif

Content was added.

Setting the passwords in the database: Create a file like:

 dn: uid=zmpostfix,cn=appaccts,cn=zimbra
 changetype: modify
 replace: userPassword
 userPassword: {SSHA}outputfromslappasswd
 -

 dn: uid=zmamavis,cn=appaccts,cn=zimbra
 changetype: modify
 replace: userPassword
 userPassword: {SSHA}outputfromslappasswd
 -

(note empty line at end and not at beginning). Now do:

 ldapmodify -x -D uid=zimbra,cn=admins,cn=zimbra -W -ZZ -f /tmp/zimbrapw.ldif

(give password of Zimbra admin when asked)

Now in zmsetup.pl, you can set the passwords and they can be verified.

---------------------------------

Try installation again.

. ./install.sh --platform-override
. Accept license agreement
. Decline the offer to delete /opt/zimbra
. Select packages: ldap NO, logger Y, mta Y, snmp NO, store Y, apache Y, spell Y, memcached N (default), proxy N (default)
. It found the saved config file from the last installation and used the values there as defaults.

Configuration items that need to be set:

1. Common, LDAP master: sunset.math.ucla.edu. LDAP admin password (see sunset:/etc/postfix/postfix.secret, same for all) (when you set this, it extracts defaults from the LDAP table if existing. Since installation didn't finish last time, defaults that formerly were nonnull are erased.) Timezone: America/Los_Angeles (it wants a number, this is 23). Apparently it extracts a default from the local timezone and you can just hit enter.

2.
Zimbra Store. Admin user to create: change to zimbra@sassafras.math.ucla.edu. PW = from postfix.secret (with operational experience we may decide to change this to the bugs password). 6,7 spam/ham training user: chgto {spam,ham}.train@sassafras.math.ucla.edu. 21 version update: enable this. 23,24 version update email, chgto zimbra@sassafras.math.ucla.edu.

3. MTA config. 6,7 Postfix and amavis passwords, set to the standard one. The users don't have to exist yet in LDAP.

6. Default COS, enable all features (IM, Briefcase, Tasks, Notebook).

Hit "a" to apply configuration. (This includes "s" save to file, don't need to do that separately.)

Post config activities logged to /tmp/zmsetup.09022010-091248.log

Creating server entry for sassafras.math.ucla.edu...failed. And things go downhill from there. Need to debug this. Look for the above text, also "Creating domain %s", "Creating %s alias", "Creating user %s". "cs" must mean Create Server. Suppose we run this turkey by hand.

 /opt/zimbra/bin/zmprov -m -l cs sassafras.math.ucla.edu

SunCertPathBuilderException: unable to find valid certification path to requested target

Analysing the Zimbra X.509 infrastructure. /opt/zimbra/conf/ca is equivalent to /etc/ssl/certs and contains one key/cert pair: it's a self-signed certificate with CN=sassafras.math.ucla.edu. It seems to be in the most basic format with no usage flags. /opt/zimbra/java/jre/lib/security contains cacerts which is a Java KeyStore. It includes the above self-signed cert.

Let's try to add the Mathnet root cert to the Java KeyStore. Note that Math's root cert expires in 2012 and will have to be replaced.

Executing on Sassafras:

 The keystore type is -storetype JKS (other types are BKS, pkcs12, ...)
 The keystore is -keystore /opt/zimbra/java/jre/lib/security/cacerts
 The password likely is still "changeit", which should be changed.
 keytool -printcert -file /etc/ssl/certs/ucla-math.crt
 keytool -import -alias mathnet -file /etc/ssl/certs/ucla-math.crt

(expand to)

 keytool -import -keystore /opt/zimbra/java/jre/lib/security/cacerts \
   -alias mathnet -file /etc/ssl/certs/ucla-math.crt

Supposedly the cert was imported.

Now need to import the secret key /etc/ssl/private/host.key and the corresponding cert /etc/ssl/hostcerts/host.crt. There is no way to import a secret key, nor to export it! You have to generate a key pair, generate a CSR, get it signed, and import the resulting cert.

Defaults: -keyalg DSA -keysize 1024 -validity 90 -file (stdin/stdout) -sigalg MD5withRSA (for RSA key). -import can read an X.509 cert or a PKCS#7 cert chain.

 keytool -genkey -keystore /opt/zimbra/java/jre/lib/security/cacerts \
   -alias sassafras \
   -dname "C=US, ST=California, L=Los Angeles, O=UCLA Mathematics Department, OU=Host Certificate, CN=sassafras.math.ucla.edu, emailAddress=bugs@math.ucla.edu" \
   -validity 3670 -keyalg RSA -keysize 2048

(worked; using keystore PW for secret key, remember if changing)

 keytool -certreq -keystore /opt/zimbra/java/jre/lib/security/cacerts \
   -alias sassafras -file /tmp/sassafras.csr

(get it signed) (If PEM, convert to DER like this:)

 openssl x509 -in /tmp/sassafras.pem -out /tmp/sassafras.der -outform der

 keytool -import -keystore /opt/zimbra/java/jre/lib/security/cacerts \
   -alias sassafras -file /tmp/sassafras.crt

This all appeared to work. Now trying to re-run "zmprov cs". It must have connected to the LDAP server because the error message changed. Now it is:

 ERROR: service.FAILURE (system failure: unable to get config)
 (cause: javax.naming.NameNotFoundException [LDAP: error code 32 - No Such Object])

Starting Zimbra installation from the beginning: Asked to verify integrity of message store. It couldn't use MySQL because permission denied for root user. So don't do that. To upgrade, it removes and reinstalls all the RPM packages.
Falls on face: Creating server entry for sassafras.math.ucla.edu...failed. No better than before.

The keystore was replaced. This likely happened during automatic config titled "Setting up CA...done."

Tidbit: "If you are using external LDAP authentication you can create the users with no local password by supplying the empty string "" after the username" (when doing zmprov user@domain "password"). See here for more info:
http://wiki.zimbra.com/wiki/LDAP#Connecting_to_an_External_LDAP_Server_with_SSL

Tidbit: how to set up a custom logo:
http://wiki.zimbra.com/wiki/King0770-Notes-Chameleon-Skin