Zarafa on the Univention Corporate Server
Teamwork
Univention's Corporate Server has established itself in the open source community as an infrastructure provider for many free projects and products like Zarafa, Open-Xchange, or Kolab. Although all three collaboration solutions are certified for use with UCS, the only groupware appliances based on UCS are the Univention Groupware Server with Kolab and the Open-Xchange Advanced Server Edition.
Zarafa focuses on an uncompromising implementation of the MAPI protocol and positions itself mainly as an inexpensive alternative to MS Exchange. Zarafa's marketing also promotes this image. The latest release, Version 7 [1], includes many interesting features such as Unicode support, a new administrative interface, improved performance – especially for the database – and an optimized IMAP gateway. All of Zarafa's collaboration feature implementations rely on MAPI, a bona fide groupware protocol. Whether this Exchange alternative based on Zarafa really is cheaper – the vendor Zarafa claims up to 50 percent savings – depends on many factors.
Besides the cost of migration, maintenance, service, and administrator training for Linux – nothing much will change for users thanks to complete Outlook support and an Ajax web GUI that is very reminiscent of Outlook. Enterprises might also need to invest in a server operating system, because Zarafa itself doesn't sell its groupware solution as an appliance (in contrast to, say, Open-Xchange), although some Zarafa partners do.
The developers aim to have Zarafa integrate as flexibly as possible with the existing infrastructure. Thus, administrators can decide which Linux distribution they want as the basis for a Zarafa installation. In the best case, the complete infrastructure might come free of charge – if an administrator decides to deploy the community version of Zarafa on a free distribution.
The community version supports an unlimited number of users in terms of the web client and the IMAP gateway, but only three users for Outlook access. It also lacks Active Directory support, the multiuser calendar, and the backup tool – in other words, the functions that the Small Business version offers. Compared with the Small Business version, the Professional version includes the BlackBerry Enterprise Server, high-availability functionality, and automated software distribution. Additionally, the Enterprise variant can be distributed over multiple servers and is client-capable.
UCS Concept
Working on the assumption that a typical Zarafa scenario will be a small to medium company or a corporation, an enterprise distribution is definitely the best choice of server operating system. And, if you are looking for an enterprise distribution, what better place to do so than Univention's Corporate Server (UCS), which is certified for use with Zarafa and designed as an appliance.
Besides the general benefits of any enterprise distribution, such as vendor-maintained repositories with stable, well-matching, and thoroughly tested packages, a long support period (maintenance) is important to administrators of production systems. Univention Server has other attractive functions that aren't necessarily related to its certification as a groupware server, and which I will not cover in this article.
Another benefit of Univention Server is its directory service-based identity and infrastructure management system, with its uniquely pervasive implementation in the Linux enterprise server world. Unfortunately, this setup tends to make manual integration of complex software like Zarafa more difficult. Incidentally, a version of Univention Corporate Server (UCS) free for personal use [2] is also available, which is perfect for setting up a test environment in combination with the Zarafa community version; however, it's not suited for production use in the enterprise.
UCS's unique selling point is its single point of administration design. UCS manages user accounts, groups, and hosts in its web-based identity and infrastructure manager, where all of the components use the same OpenLDAP directory service, the core element in the centralized administration concept. For this to happen, the Univention developers implemented their own domain concept for easier integration of servers and desktops into the centralized identity and infrastructure management. They topped that off with a well-designed role concept for the hosts in the domain that includes the master domain controller, backup domain controller, slave domain controller, member server, managed client, mobile client, and thin client roles. Although this use of the word "domain" is more common in the Microsoft universe, you also see it with different meanings in the context of various services or technologies in the modern IT world.
The UCS domain concept relies on the DNS, LDAP, Samba, and Kerberos services. The DNS service implemented by UCS when you install a DC Master resolves all the names and IP addresses of all systems registered with the management system. The UCS stores all of the DNS settings configured on the management system in LDAP; in fact, it does this for all the other UCS settings, too. Any other installed UCS systems then register with the DNS domain configured in LDAP, which prompts UCS to add new (sub-)domains automatically.
The DNS domain is managed via the computer objects on the management system – a web interface to the LDAP directory service. UCS synchronizes all changes with the DHCP configuration if needed. You can also use the DNS domain for mail routing, if you add it as an MX record. Windows clients can also be UCS domain members, assuming you have enabled Windows service support (Samba) on your UCS. In this case, the UCS domain looks like a Windows NT domain from the Windows client's point of view, and UCS configures the Samba service to reflect the UCS system role.
Windows clients are registered when they join the domain, and any domain-capable Windows version as of XP Professional supports this functionality. That said, you don't need to join the UCS domain to use MS Outlook as your Zarafa client; the Zarafa service runs independently of the UCS function just described. A clean integration with the UCS concept facilitates administration and maintenance, however, which also applies to user management and Zarafa server authentication. Again, this functionality is basically independent of UCS. But, because Zarafa can optionally store the user and authentication data in MySQL, Unix/passwd, or LDAP, it makes sense to configure Zarafa for clean integration with the UCS concept.
UCS relies on the Heimdal Kerberos implementation (Kerberos 5 standard) to implement a genuine and secure "single sign-on" throughout the UCS environment and with Kerberos realms that typically match the boundaries of the DNS domain. Because UCS creates a Kerberos realm to match the DNS domain when you install the DC Master (in the DNS domain example.com, the realm for the Kerberos installation would be EXAMPLE.COM), you automatically have a Kerberos account for any user accounts created on the management system. The DC Master registers all UCS systems as Kerberos hosts, and you can set up trust relationships to integrate existing Kerberos installations.
Another neat feature of the UCS management system is consistent data management in the DNS and Kerberos domain contexts: If you rename a host, the new name applies both in DNS and in the Windows domain. If a user changes a Kerberos or Windows domain password, the change is replicated in the other context.
Zarafa and Univention
In the rest of this article, I will assume you have already installed a UCS DC Master and that the machine is working properly. If needed, you can find help configuring a Zarafa setup [3] using any Zarafa-capable Linux distribution as the basis.
Thanks to the installer script, the install will work without problem on virtually any Linux distribution, assuming the major dependencies in terms of the web server and database are in place. If you are installing from scratch, you need to unpack the installation archive for the latest version of zcp-7.0.2-2xxxxxx-free.tar.gz in any directory for which you have write permissions. Then, change to the zcp-7.0xxxx subdirectory and run the sudo ./install.sh installation script, which will create the /etc/zarafa/server.cfg server configuration file with default values or show you the existing defaults, which you can accept by pressing Enter.
This approach is not recommended in the case of Univention Corporate Server because the default configuration only configures the DB User plugin – using the LDAP plugin requires an additional configuration step – and because using external package sources or generic installers can endanger the integrity of the Univention server. Also, if you choose a standard installation of Zarafa, you lose all the benefits of centralized identity and infrastructure management that UCS offers, even though the groupware functionality would probably still be in place.
Generally, modifying critical configuration files on UCS (i.e., the Postfix configuration), or allowing external scripts to modify them, is not recommended.
To implement standardized configuration management, UCS has a Univention Configuration Registry (UCR), a centralized tool for managing the local system configuration and thus a kind of registration mechanism for system settings where the administrator uses UCR variables to modify individual settings.
UCR variables are managed using the univention-config-registry command (ucr for short) at the console or by using the Univention Configuration Registry UMC module in the web browser. The system updates the many standard configuration files to reflect any changes to the UCR variables registered for them.
Zarafa4ucs
The key feature of Zarafa integration with UCS is that Zarafa also supports single sign-on based on LDAP and Kerberos, or against an existing Active Directory domain controller. To integrate Zarafa with an Active Directory server, you need to configure search requests in the Zarafa server's ldap.cfg.
The central feature of the following workaround is thus the integration of the Zarafa LDAP schema extension to allow Zarafa attributes to be stored in the UCS LDAP; this is handled by zarafa4ucs.
Zarafa4ucs was developed by LINET Services GmbH, one of the first Univention partners. Among other things, the company is known for its Lx-Office product, which LINET shareholder Timo Springmann originally developed for internal use but then published on the Zarafa Community site [4] and on the LINET Services website [5], along with extensive documentation.
The zarafa4ucs integration kit [6] installs and configures Zarafa on the UCS, handling integration of the groupware with the UCS management system at the same time. The LDAP side of this is mainly handled by creating an extended attribute in UCS. The integration kit is provided as a UCS package and not only automatically installs Zarafa with all its required components on UCS, but also lets the administrator manage Zarafa completely in UCS by integrating Zarafa with the web-based UCS administration system.
The integration package itself comprises two components: the schema extension for LDAP, modified for Zarafa, and modified configuration files for running Zarafa on UCS systems. The integration kit retrieves the Zarafa community version packages from an Apt repository provided exclusively for this purpose during the course of the install. No additional license or maintenance fees are charged for using the zarafa4ucs integration package either by Univention or by LINET Services.
Setting Up Zarafa4ucs
The following section relates to the use of the Zarafa integration kit on UCS 2.3 and 2.4 with Zarafa 6.40. The release of UCS 3.0, including Samba4 support, which was imminent when this article was written, will probably change the approach and mean rethinking the whole topic, in particular in combination with the new Zarafa 7 version. That said, however, LINET Services is already working on an implementation.
To set up the integration kit, you need to follow these steps, all of which assume you have root privileges. Before you can install on a UCS system, you need to integrate the dedicated Apt repository as an online repository. To integrate the online repository, you need to use the ucr command that I referred to previously (Listing 1).
Listing 1: Integrating the Online Repository
UCS 2.3 ucr set repository/online/component/zarafa4ucs/server=zarafa4ucs.LINET-services.de \ repository/online/component/zarafa4ucs=enabled \ repository/online/component/zarafa4ucs/version=2.3 \ repository/online/component/zarafa4ucs/prefix=repository UCS 2.4 ucr set repository/online/component/zarafa4ucs/server=zarafa4ucs.LINET-services.de \ repository/online/component/zarafa4ucs=enabled \ repository/online/component/zarafa4ucs/version=2.4 \ repository/online/component/zarafa4ucs/prefix=repository
If you use UCS version 2.3 or 2.4 with a local repository, you might not be able to integrate online repositories. In this case, you can manually integrate the zarafa4ucs package source. On Debian-based systems like UCS, this is done by creating a new sources.list file below /etc/apt/sources.list.d/, taking care that its name starts with a number greater than the last existing source list file (typically 20) – for example, 25_zarafa4ucs.list. Depending on the UCS version and architecture variant you use, the package sources shown in Listing 2 need to be added.
Listing 2: Package Sources
UCS 2.3 - i386 deb http://zarafa4ucs.LINET-services.de/repository/2.3/tained/component zarafa4ucs/all/ deb http://zarafa4ucs.LINET-services.de/repository/2.3/maintained/component zarafa4ucs/i386/ UCS 2.3 - AMD64 deb http://zarafa4ucs.LINET-services.de/repository/2.3/maintained/component zarafa4ucs/all/ deb http://zarafa4ucs.LINET-services.de/repository/2.3/maintained/component zarafa4ucs/amd64/ UCS 2.4 - i386 deb http://zarafa4ucs.LINET-services.de/repository/2.4/maintained/component zarafa4ucs/all/ deb http://zarafa4ucs.LINET-services.de/repository/2.3/maintained/component zarafa4ucs/i386/ UCS 2.4 - AMD64 deb http://zarafa4ucs.LINET-services.de/repository/2.4/maintained/component zarafa4ucs/all/ deb http://zarafa4ucs.LINET-services.de/repository/2.3/maintained/component zarafa4ucs/amd64/
Next, you need to update the package sources by issuing the apt-get update command. Then, you can install the zarafa4ucs packages from the Apt repository, starting with the Zarafa schema extensions for UCS
apt-get install zarafa-ucs-schema
and followed by Zarafa itself:
apt-get install zarafa-ucs
The Zarafa integration kit handles everything else automatically and stores the options you choose as Univention baseconfig variables during the installation process, thus letting you use the Univention configuration tools (UCR) to modify them. Minor issues with zarafa4ucs are described in the "Troubleshooting" box.
Managing Zarafa
Zarafa should be installed and working perfectly by now. Thanks to UCS integration, you don't need to create Zarafa user accounts manually; the Univention Directory Manager takes care of this for you. After successfully completing the zarafa4ucs install, the manager tool will offer you a Zarafa tab in the Directory Manager to facilitate the process of configuring the settings for Zarafa users (Figure 1).
Checking the Zarafa User box converts a UCS user account into a Zarafa user account (Figure 2). The log in and password are the same as for the UCS login, and it is just as easy to promote a user to a Zarafa admin. Another convenient feature is that you don't need to configure the MTA (e.g. Postfix) manually.
Thanks to zarafa4ucs integration, UCS automatically delivers the mail for the individual email addresses defined in UDM to the corresponding Zarafa mailbox.
Administrators can also assign hard and soft quotas or create a simple shared store here, too. Group management is also neatly integrated with Univention Directory Manager. Again, after installing zarafa4ucs, you will see an additional Zarafa tab. If you check the Zarafa Group box (Figure 3), the group immediately appears in Zarafa's global address book.
Incidentally, you can use the email address entered for the selected Zarafa group to contact all of the group members directly. For example, if you send an email to the group address, all of the group members receive a copy of the message in their Zarafa mailbox.
Another useful side effect of successful zarafa4ucs integration is that the UCS portal page now also features a URL for easy access to the Zarafa web interface (Figure 4).
What the Zarafa4ucs Integration Package Does
In a classic Zarafa installation with the installer script, the Zarafa installer takes care of modifying the configuration for the Zarafa server and the most important components – webaccess, dagent, spooler, gateway, and so on – as well as the Postfix configuration for cooperation with Zarafa.
This default configuration is dropped in the case of zarafa4ucs integration, because it is not what you need for cooperation with UCS, or it simply doesn't support the UCS model. Thus, the zarafa4ucs Apt repository only contains the plain vanilla deb packages:
-
zarafa_6.40.x-yyyyy_amd64.deb(server) -
zarafa-webaccess_6.40.x-yyyyy_all.deb(web access) zarafa-webaccess-mobile_6.40.x-yyyyy_all.deb-
zarafa-licensed_6.40.x-yyyyy_amd64.deb(licensing service) zarafa-indexer_6.40.x-yyyyy_amd64.debzarafa-python_6.40.x-yyyyy_amd64.debzarafa-dev_6.40.x-yyyyy_amd64.deblibvmine0_0.7.1++libboost-filesystem1.35.0
The zarafa4ucs integration kit first installs all of the listed packages and then handles the Zarafa configuration and clean integration with the Univention Directory Manager so that all Zarafa functions are manageable in UDM.
Zarafa4ucs mainly integrates the Zarafa LDAP schema extension and creates a matching extended attribute in UCS. For this to happen, zarafa4ucs uses the extension interface provided by UDM and the UCS Registry (UCR) to accommodate most of the modifications performed in zarafa-admin in LDAP/UDM. For details of what happens, see the documentation [6]. A rough overview follows.
After installing the Zarafa Debian packages from the zarafa4ucs repository and restarting the web server, zarafa4ucs installs Zarafa's standard LDAP schema. In a standard installation from the Zarafa-Debian packages, this will be located in /usr/share/doc as a zarafa.schema.gz archive file. The archive is unpacked and copied into /usr/share/zarafa/. Next, zarafa4ucs extends the standard LDAP schema, making the Zarafa zarafa contacts feature manageable in Univention Directory Manager.
For this to happen, zarafa4ucs adds an LDAP z4uContact attribute to UCS. To keep the changes to the original schema to a minimum, the developers created a separate schema file: /usr/share/zarafa/zarafa_extensions.schema [6].
To enable the LDAP schema extension, you need to import it into the active LDAP. For this purpose, the zarafa4ucs kit provides a UCR template by the name of /etc/univention/templates/files/etc/ldap/slapd.conf.d/14zarafa-schema. To register the UCR template file in Univention's Configuration Registry, zarafa4ucs extends the /etc/univention/templates/info/zarafa4ucs.info file with the subfile directive, adding /etc/ldap/slapd.conf.d/14zarafa-schema. It then calls the ucr commands
ucr register zarafa4ucs ucr commit /etc/ldap/slapd.conf > /dev/null 2>&1
and restarts OpenLDAP. For more details, see the documentation.
The zarafa4ucs kit extends Univention Directory Manager. UDM is designed to be extensible by extended attributes and matching syntax; the Univention server documentation [8] provides details. The extension creates containers for storing extended attributes and other Zarafa features, such as the address list function in the UDM user and group sections. You can check out the extensions to the Python code in the comprehensive zarafa4ucs documentation [6].
The extension includes a workaround that lets you convert a "zarafa contact" to a normal user in LDAP. This workaround is necessary because a bug makes it impossible to revoke the ObjectClass class assignment for an LDAP user after making the assignment. Another fairly major workaround described in the documentation relates to the zarafa-admin tool, which is used to modify the meeting request options that typically occur in the context of resources. To integrate the Zarafa address list feature, the LINET experts created Python scripts that can also be verified in the documentation [6].
The main part of the changes performed by zara4ucs relates to modifying the many configuration files that ensure seamless integration of Zarafa in UCS (Figure 6). These files include all of the Zarafa configuration files – server-cfg, dagent.cfg, gateway.cfg, ical.cfg, licensed.cfg, monitor.cfg, ldap.cfg, and spooler.cfg – as well as the Postfix master.cf and maincf mail routing configuration files. Zarafa4ucs thus creates and provides certificates for encrypted communications and configures the Zarafa server, Zarafa web access, and Postfix. When modifying the listed configuration files, zarafa4ucs also creates a number of UCR entries to configure most of the aspects of a typical Zarafa installation, such as:
ucr set zarafa/server/mysql/host="localhost" zarafa/server/mysql/port="3306" zarafa/server/mysql/user="<your MySQL User>" zarafa/server/mysql/password= "<your MySQL Password>" zarafa/server/mysql/database= "<Database name>"
A complete list is available online [6]. After doing this, zarafa4ucs creates Zarafa config file templates in /etc/univention/templates/files/etc/zarafa and adds the paths for the Zarafa configuration files involved to the /etc/univention/templates/info/zarafa4ucs.info file to register the templates. Zarafa4ucs also configures Zarafa web access, which makes it necessary to enable magic_quotes_gpc in the PHP configuration (/etc/php5/apache2/php.ini). To extend the UCS portal page, you can add the URL for Zarafa web access; zarafa4ucs again uses the UCR interface and creates the following commands:
ucr commit /var/www/ucs-overview/de.html.d/42zarafa-webaccess.html ucr commit /var/www/ucs-overview/en.html.d/42zarafa-webaccess.html
UCR variables are also used for the Postfix configuration,
ucr set postfix/mailbox_transport="mailbox_transport = zarafa" ucr set postfix/zarafa=true
following which, Postfix is restarted. Incidentally, zarafa4ucs overwrites the Postfix configuration template because the UCS standard template can't implement all of the required options.
Conclusions
Zarafa and Univention Corporate Server make an interesting team. UCS might originally seem to make it more difficult to integrate Zarafa because of its individual system variable concept and centralized LDAP-based configuration, but it is well worth the extra work to integrate Zarafa with the UCS model. The reward is pervasive administrative ability for Zarafa through the Univention Server web interface, including user management in LDAP. Thanks to the work done by Univention (and Zarafa) partner LINET Services, especially by LINET shareholder Springmann, what looks to be a huge task is actually quite simple because the zarafa4ucs integration package reliably automates all the required steps.