Monday, December 29, 2008

Setting up Zimbra BES Connector

My organization has several employees with BlackBerry devices, and as we run Zimbra for our mail server, we'd like those employees to be able to sync their BlackBerries with our mail server. To do this requires two things: BlackBerry Enterprise Server ("BES" for short) and Zimbra BES Connector ("ZBC" for short).

Zimbra BES Connector is designed to run on the same logical machine as BlackBerry Enterprise Server, and as it turns out, ZBC's requirements (as stated in the ZBC Admin Guide) are considerably more strict than BES. To wit:



BES's requirements:


  • Minimum requirements for up to 500 users: Intel® Pentium® IV processor (2GHz or greater), 1.5 GB RAM, MSDE 2000 or higher, 20 GB disk space in addition to Windows® requirements

  • Windows 2000 Server (Server or Advanced Server Editions) with Service Pack 4 or Windows Server 2003 with Service Pack 1

  • Integrates with Microsoft® Exchange 5.5 (Service Pack 4 or later), Microsoft Exchange 2000 (Service Pack 2 or later) or Microsoft Exchange 2003 mail server environments (mixed mode or native installation).

  • Microsoft Exchange 5.5 Administrator, Microsoft Exchange 2000 System Manager or Microsoft Exchange 2003 System Manager, Microsoft Exchange 2007 MAPI Client

  • Microsoft Internet Explorer® version 6.0 or later



I'm ignoring the Exchange server requirements per the ZBC documentation, but everything else still stands.

Having recently become very fond of setting up things on virtual machines, and since this installation is still in the testing stage right now, I'll set this up on a VM with:


  • Windows Server 2003

  • 1.5 GB RAM

  • Outlook 2007

  • MAPI/CDO 1.2.1

  • Internet Explorer 7

  • BlackBerry Enterprise Server 4.1 for Exchange (60-day, 20-user trial version)

  • 30GB HDD



Note that you must set up a separate user account (see here for details) that BES and associated services will run under. It will not work if you simply install BES as Administrator and set all the services to run as system services. I learned this the hard way. :(

Once the VM is set up, the next step is to install the Zimbra BES Connector by means of the MSI file. This is a quick matter. Now I'll create an Administrator account for BES on Zimbra using the Admin Console. If you're following along, feel free to choose a username and password to your liking; I recommend diceware.com and a bunch of D6's for password generation.

The next step is to make sure that the Zimbra server's mail port has SSL enabled. To allow both SSL and non-SSL, execute (on the mail server, as the Zimbra user) zmtlsctl both. To allow only SSL, execute zmtlsctl https.

Now I'll delete and recreate the BES mail profiles "BlackBerryServer" and "BlackBerryManager". To do this, I go to the Start Menu on the BES server, then choose Control Panel, then Mail. This brings up the BlackBerryServer Mail Setup dialog. Here, I choose "Show Profiles".

This dialog only shows the BlackBerryServer profile. No big deal - if the other profile was there, I'd delete it anyway, so this just saves me a step. After deleting the BlackBerryServer profile, I hit "Add" to create a new profile, and I get a dialog titled "Add New E-mail Account". This dialog is trying to set up an email account for me automatically, but I don't want that, so I click "Manually configure server settings or additional server types" at the bottom and hit Next. From here, I select "Other", which allows me to select "Zimbra Collaboration Server" from the box below. I hit Next, and am presented with a "Zimbra Server Configuration Settings" dialog. I put in the name of my mail server and the port that the Zimbra admin service is listening on [1], check "use secure connection", and put in the BES Administrator account credentials that I set up in the Zimbra Admin Console. After that, I hit "OK". I follow the same process to create the BlackBerryServer profile.

Now I can start the BlackBerry Controller service, which should start any other services that BES requires [2].

[1] ZBC connects to the Zimbra administrative interface, so in addition to putting in the name of your Zimbra server, you'll have to put the port (typically 7071) in as well, e.g. "mail.example.com:7071" (source)

[2] The first time I did this, I got an error dialog: "Error 1069: The service did not start due to a logon Failure." Turns out this was not an error in my BES configuration, but the Windows service configuration (details). I switched the service from running as the Administrator account to the system account, and after that was able to start the service successfully.

From here, the connector is set up. I can see the users on my mail server in the Global Address List. I haven't figured out how to provision anyone in BES yet, but that's a BES issue, not a Zimbra issue.

Monday, December 22, 2008

Setting up an LDAP replica server using Zimbra

We run Zimbra at work, as well as an OpenLDAP server. It occurred to us that it would be great if we could standardize on a single LDAP solution and reduce our administrative overhead. Since Zimbra has such nice management tools, I want to go with Zimbra. So my plan is to build an LDAP replication server that will initially be slaved off of the main Zimbra mail server, but eventually will be the LDAP master that the mail server is slaved to. It occurs to me that one thing I'll have to do some digging into is using that LDAP server with Samba (which we use for a lot of file sharing) - I don't know if Zimbra's LDAP setup has the Samba stuff in it by default or not.

The official documentation for this process is in the Zimbra Collaboration Suite Multi-Server Installation Guide, specifically the Configuring LDAP Replication section. There are also instructions in the LDAP topic of the Zimbra wiki, but the instructions in the official docs are more detailed.

To begin with, I went over to the mail server and enabled replication:


ssh mail.company.com
su -
su - zimbra
/opt/zimbra/libexec/zmldapenablereplica


Output from zmldapenablereplica:


Enabling sync provider...succeeded
Stopping LDAP on mail.company.com...done
Starting LDAP on mail.company.com...done


I then built a VM using Ubuntu Server 8.04 LTS, one of the distributions supported by Zimbra. I then downloaded (download location) the proper version of the Zimbra Network Edition installer, unpacked the installation files into /tmp, and started the installer:


cd /tmp
tar xzf /home/kit/zcs-NETWORK-5.0.11_GA_2695.UBUNTU8_64.20081117023527.tgz
cd zcs-NETWORK-5.0.11_GA_2695.UBUNTU8_64.20081117023527
./install.sh


It informed me that I had to fiddle with /etc/hosts (see this howto for details). I did so, and re-ran the installer. This time, I got:


Operations logged to /tmp/install.log.26576
Checking for existing installation...
zimbra-ldap...NOT FOUND
zimbra-logger...NOT FOUND
zimbra-mta...NOT FOUND
zimbra-snmp...NOT FOUND
zimbra-store...NOT FOUND
zimbra-apache...NOT FOUND
zimbra-spell...NOT FOUND
zimbra-proxy...NOT FOUND
zimbra-archiving...NOT FOUND
zimbra-convertd...NOT FOUND
zimbra-cluster...NOT FOUND
zimbra-core...NOT FOUND


PLEASE READ THIS AGREEMENT CAREFULLY BEFORE USING THE SOFTWARE.
ZIMBRA, INC. ("ZIMBRA") WILL ONLY LICENSE THIS SOFTWARE TO YOU IF YOU
FIRST ACCEPT THE TERMS OF THIS AGREEMENT. BY DOWNLOADING OR INSTALLING
THE SOFTWARE, OR USING THE PRODUCT, YOU ARE CONSENTING TO BE BOUND BY
THIS AGREEMENT. IF YOU DO NOT AGREE TO ALL OF THE TERMS OF THIS
AGREEMENT, THEN DO NOT DOWNLOAD, INSTALL OR USE THE PRODUCT.

License Terms for the Zimbra Collaboration Suite:
http://www.zimbra.com/license/zimbra_network_eval_license.pdf


Press Return to continue

Checking for prerequisites...
FOUND: NPTL
FOUND: sudo-1.6.9p10-1ubuntu3.3
FOUND: libidn11-1.1-1
MISSING: libpcre3
MISSING: libgmp3c2
FOUND: libexpat1-2.0.1-0ubuntu1
FOUND: libstdc++6-4.2.3-2ubuntu7
MISSING: libstdc++5
MISSING: libltdl3
Checking for suggested prerequisites...
FOUND: perl-5.8.8

###ERROR###

One or more prerequisite packages are missing.
Please install them before running this installer.

Installation cancelled.


Easy enough to fix, just install those packages. The installer is nice enough to use Ubuntu's package names, so with a simple cut-and-paste, I can do:


apt-get install libpcre3 libgmp3c2 libstdc++5 libltdl3


Now, for the third time, I run ./install.sh, and this time it starts the installation. As the documentation suggests, I install only the zimbra-core and zimbra-ldap packages, and am presented with:


Main menu

1) Common Configuration:
2) zimbra-ldap: Enabled
3) Enable default backup schedule: yes
r) Start servers after configuration yes
s) Save config to file
x) Expand menu
q) Quit

*** CONFIGURATION COMPLETE - press 'a' to apply
Select from menu, or press 'a' to apply config (? - help)


As per the instructions, I go into "Common Configuration":


Common configuration

1) Hostname: hostname.company.com
2) Ldap master host: hostname.company.com
3) Ldap port: 389
4) Ldap Admin password: set
5) Require secure interprocess communications: yes
6) TimeZone: (GMT-08.00) Pacific Time (US & Canada)

Select, or 'r' for previous menu [r]


I choose option 2 here and set my LDAP master host to "mail.company.com". I then choose option 4 to set the LDAP Admin password to the Zimbra LDAP password set on mail.company.com (find this by executing "zmlocalconfig -s zimbra_ldap_password" as the Zimbra user on the master LDAP server) and then choose "r" to return to the previous menu.

From the main menu, I choose option 2, "zimbra-ldap":


Ldap configuration

1) Status: Enabled
2) Create Domain: yes
3) Domain to create: hostname.company.com
4) Ldap Root password: set
5) Ldap Replication password: set
6) Ldap Postfix password: set
7) Ldap Amavis password: set
8) Ldap Nginx password: set

Select, or 'r' for previous menu [r]


Here, I choose option 2 to set "Create Domain" to "no", then set the LDAP replication password to the LDAP replication password on the mail server (find this by executing "zmlocalconfig -s ldap_replication_password" as the Zimbra user on the master LDAP server). I then choose "r" to return to the main menu, and "a" to apply my changes.

Now, all that remains is to test the setup. As the Zimbra user, I execute "zmprov gaa", which displays all the accounts set up on the mail server. But, just to be sure, I create a user on the mail server:


zmprov ca foo.mcbarson@company.com password


Now, when I run "zmprov gaa" on the replication server, I see "foo.mcbarson@company.com" at the bottom of the list. LDAP replication is a success. But that's only half of what needs to be done. I still need to set up the mail server to replicate from the LDAP server I've just set up. However, as it's nearly time to go home, I think I'll save that for another day.
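The replication test above (create an account on the master, look for it on the replica) can be automated by diffing the two account lists. This is an added example, not part of the original post: in real use the two input files would hold the output of "zmprov gaa" from the master and from the replica; here both lists are constructed sample data so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the original post): offline check that the
# replica's account list matches the master's. On a real deployment the
# inputs come from each host, e.g.
#   su - zimbra -c 'zmprov gaa' > /tmp/master-accounts.txt
# The sample lists at the bottom are constructed for this example.

# Accounts present on the master but absent from the replica
# (replication lagging or broken). $1 = master list, $2 = replica list.
replica_missing() {
    m=$(mktemp) && r=$(mktemp) || return 2
    sort -u "$1" > "$m"
    sort -u "$2" > "$r"
    comm -23 "$m" "$r"
    rm -f "$m" "$r"
}

# Accounts present on the replica but absent from the master: a stale
# entry, or something written directly to the replica, worth a look.
replica_extra() {
    m=$(mktemp) && r=$(mktemp) || return 2
    sort -u "$1" > "$m"
    sort -u "$2" > "$r"
    comm -13 "$m" "$r"
    rm -f "$m" "$r"
}

# Exit status 0 only when both lists contain exactly the same accounts.
replica_in_sync() {
    [ -z "$(replica_missing "$1" "$2")" ] && [ -z "$(replica_extra "$1" "$2")" ]
}

# Constructed sample data: the master has foo.mcbarson, the replica has not
# picked it up yet, and the replica carries one entry the master never had.
MASTER_LIST=$(mktemp)
REPLICA_LIST=$(mktemp)
printf '%s\n' admin@company.com kit@company.com foo.mcbarson@company.com > "$MASTER_LIST"
printf '%s\n' kit@company.com admin@company.com stale@company.com > "$REPLICA_LIST"

if replica_in_sync "$MASTER_LIST" "$REPLICA_LIST"; then
    echo "replica in sync with master"
else
    echo "missing on replica:"; replica_missing "$MASTER_LIST" "$REPLICA_LIST"
    echo "extra on replica:";   replica_extra   "$MASTER_LIST" "$REPLICA_LIST"
fi
```

Running it with the two real "zmprov gaa" captures after every change to the master is a quick way to confirm the replica is actually receiving updates before you cut the mail server over to it.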

Wednesday, December 3, 2008

Proof-of-concept AoE on Linux

One thing I've been wanting to play with at work is ATA over Ethernet. Seems like a pretty neat trick - stick a bunch of drives in a box somewhere and mount them from somewhere else, like a VMWare image.

There's a nice article on Debian Administration on how to do this. I'll mostly be parroting that article, but I figure it might be useful to show how I did it.

I took an old P4 box that we had laying around with a 20G hard drive and put Debian 4.0 on it. I set up the disk using LVM2, because I was curious what would happen if I did that. My LVM setup:

  • 5G root, formatted ext3

  • 500M swap

  • 12.92G "files", unformatted. I figure since I'll be using this thing as an AoE volume, I'll let the system that actually mounts this volume do the formatting. I don't think that's strictly necessary, though.

Also, per the article, I installed the "aoetools" and "vblade" packages. "aoetools" provides various useful tools for managing AoE volumes. "vblade" is described as a "virtual AoE blade emulator", which will allow me to export a local disk (or in this case, LV) over AoE. In this case, the command is:

vbladed 0 1 eth0 /dev/mapper/aoetest-files

And, sure enough, I see in my syslog:


... vbladed: ioctl returned 0
... vbladed: 13870562238 bytes
... vbladed: pid 2306: e0.1, 27090944 sectors


So now I need to access the AoE volume. Before I get into that, though, I'll note that both my AoE proof-of-concept machine and the machine I'll be mounting the AoE volume from have a dedicated network interface that I'll be using for AoE (connected via a crossover cable; in production I'd have a dedicated switch). I'd do similarly in production so that my AoE traffic wasn't sharing the network with regular network traffic. While I think this is good practice, it's not strictly necessary, and I'm pretty sure it's possible to run AoE over the regular network if you have to.

On my desktop (which I'll be using to mount the AoE volume) I've installed the "aoetools" package and loaded the AoE kernel module with modprobe aoe. Next I do aoe-discover, and I see:

"aoe-discover: /dev/etherd/discover does not exist or is not writeable."

Well, that's not good. What did I do wrong? Nothing, as it turns out. This is a bug in Ubuntu 8.10, and as yet, there has been no fix posted. But maybe I can fix it myself.

grep etherd /etc/udev/rules.d/* on the Debian box gives me:


/etc/udev/rules.d/udev.rules:SUBSYSTEM=="aoe", KERNEL=="discover", NAME="etherd/%k"
/etc/udev/rules.d/udev.rules:SUBSYSTEM=="aoe", KERNEL=="err", NAME="etherd/%k"
/etc/udev/rules.d/udev.rules:SUBSYSTEM=="aoe", KERNEL=="interfaces", NAME="etherd/%k"
/etc/udev/rules.d/udev.rules:SUBSYSTEM=="aoe", KERNEL=="revalidate", NAME="etherd/%k"


The same command on my Ubuntu box gives me nothing. However, I can't just tack those lines on to /etc/udev/rules.d/udev.rules on my desktop, because apparently Ubuntu doesn't use that file. Instead I'll create a special file just for AoE, and I'll put it in /etc/udev/rules.d/25-aoe.rules. Restart udev, and voilà! The devices are there!

Now, when I run "aoe-discover", I see nothing. That's OK. aoe-discover doesn't have any output. It's aoe-stat that will tell me what's there, and when I run that, I get:

e0.1 13.870GB eth1 up

Hooray! I create a filesystem with: mkfs.ext3 /dev/etherd/e0.1, then, as a test, create a 100M file: dd if=/dev/urandom of=/mnt/test1 bs=1M count=100. Takes 15.1 seconds. Creating a similar file locally? 14.8 seconds, so not too bad for speed. Of course, the two boxen are connected via a crossover - I might well see some slowdown using a switch.

So here we have it. A proof-of-concept Linux-based AoE appliance using commodity hardware. Since the AoE volume is an LVM logical volume on the appliance, you can use LVM tools to change the size of that LV, should you need to. I wouldn't recommend it, though.

Friday, November 28, 2008

Setting up LVM on an already-setup box

I have this box at work that someone else was nice enough to set up with Debian Lenny and a great big honkin' RAID5 array. We've already got the basic filesystem structure set up on the box, but we'd like to add the RAID as well.

I'm going to set up the RAID as its own volume group under LVM. This allows us, should the OS drive fail, to slap another drive with an OS on it into the machine, boot, and remount the RAID. It also allows us to dynamically add storage, say some sort of SAN, to the physical volume, then resize the logical volumes on the fly. It also simplifies things a little by keeping the OS volume group and the file storage volume group separate.

Being an LVM newbie, I'll be referencing A simple introduction to working with LVM and The LVM HOWTO. You can assume that most any LVM-specific command syntax I pulled out of one of those two sources.

Now, the first thing to do is set up a partition on the RAID array, as LVM runs on top of physical partitions. I do this with fdisk, because that's the way I learned it. :) If I were a bit more clever, or if I felt like it, I'd do this with a single call to sfdisk.

Next I create a physical volume for the RAID: pvcreate /dev/sda1, and then a volume group: vgcreate file-storage /dev/sda1. Checking my work with vgscan, I see:

Reading all physical volumes. This may take a while...
Found volume group "os" using metadata type lvm2
Found volume group "file-storage" using metadata type lvm2


Now I want to create a logical volume (LV) that encompasses the entire volume group. I do this by first examining the output of vgdisplay, where I see the line: "Free PE / Size 357375 / 1.36 TB" (I told you it was a big honkin' RAID. Also note here that "PE" means "Physical Extent", the size of one quantum of storage in LVM. One PE is exactly the same size as one LE, so here one LE is about 4 MB). I will thus create an LV of 357375 extents, lvcreate -n files file-storage -l 357375. With this done, it's time to format the LV.

After consulting with my colleagues, I've decided to use ext4 for the filesystem on the RAID. I like what I read about ext4, both on Wikipedia and from IBM, and as this box is slated to become a backup server, it seems like a good place to play with it. Before I begin, though, I'll update the kernel to the latest version in (Debian) testing: 2.6.26-1, so as to have the latest ext4 fixes that have been included in Debian kernels. Even with that, though, I'll want to add "nodelalloc" to the line in my fstab for the RAID:

It should be noted that the stock 2.6.26 ext4 has problems with delayed allocation and with filesystems with non-extent based files. So until Debian starts shipping a 2.6.27 based kernel or a 2.6.26 kernel with at least the 2.6.26-ext4-7 patchset, you should mount ext4dev filesystems using -o nodelalloc and only use freshly created filesystems using "mke2fs -t ext4dev". (Without these fixes, if you try to use an ext3 filesystem which was converted using tune2fs -E test_fs -o extents /dev/DEV, you will probably hit a kernel BUG the moment you try to delete or truncate an old non-extent based file.)


At any rate, per the ext4 HOWTO, I'll create an ext4 filesystem on the "files" LV with: mke2fs -t ext4dev /dev/file-storage/files. And wait. And wait. And wait some more, because 1.36 TiB is a lot of space.

From here, the RAID is like any other filesystem. Pick a mount point, make sure to mount it "-o nodelalloc", and off you go.

CORRECTION: Debian kernel 2.6.26-1 does not support the "nodelalloc" mount option. I ended up installing kernel 2.6.27.7 from http://kernel.org/. As the "nodelalloc" option was only recommended for 2.6.26-based kernels, I am no longer mounting the ext4 filesystem with the "nodelalloc" option.

Installing Ubuntu 8.04 on an ASUS F8Va-C1 laptop

As my primary workstation, I just ordered an ASUS F8Va-C1 laptop from Newegg. On the surface, this thing looked slick. 2.53GHz Intel Core2 Duo processor, 4GB of RAM, ATI Radeon 3650 video card with 1G dedicated VRAM, and a 320GB HDD. It came with Vista installed, but I figured I could just resize the Windows partition and install Ubuntu. The best laid plans...

I decided to go with Ubuntu 8.10, Intrepid Ibex. Lacking a CD burner on my current machine, I had one of my colleagues burn a copy for me. I put the CD into my new laptop (after spending a good 15 minutes trying to figure out that F2 was the key to get into the BIOS - serves me right for not RTFMing) and turned it on. Splash screen came up, and eventually I was presented with a white screen and nothing more. No sounds, no cursor, nothing.

Then I tried 8.04, and at least got the LiveCD to boot. I tried doing the install from the LiveCD, but ended up getting SquashFS errors (i.e. bad sectors on the CD). I took the thing home after work, burned an 8.10 CD according to the Coasterless CD burning instructions for Linux (just in case I was having issues caused by a poorly-burned CD), and had the same results. I burned an 8.04 CD using the same instructions and got a little further, but again got SquashFS errors. I booted the CD via an external drive I had laying around, and got even further, but still got SquashFS errors. As it was the night before Thanksgiving, and I had to be up at 0500 to brine the turkey, I decided not to play with it any further.

Today I brought the laptop back into work and installed an Ubuntu 8.04 network install image onto a USB stick using UNetbootin. So far, this is going well. I've been able to set up my disk using LVM (unfortunately, in all the installation attempts I deleted the Vista install, but hey, it's Vista. I'll likely be putting XP Pro on the Windows partition.) I'm keeping my fingers crossed...

Those SquashFS errors, though, have me worried. I suspect that the laptop's internal CD drive is messed up - I need to do some tests to be sure.

Tuesday, November 25, 2008

iPhone vs. BlackBerry Storm

Our company is in the process of deciding on a single phone/PDA platform to standardize on. We've narrowed it down to two choices: iPhone and BlackBerry (I assume the BlackBerry Storm).

First of all, there's a study by SquareTrade that says the iPhone is "less than half as likely to fail" as phones from BlackBerry. In an IT environment that says a lot, because when a device fails, or starts to go south, it adds to IT costs - if nothing else, it's taking time away from IT that they could spend in maintenance and upgrades.

Next, there's a study from J.D. Power and Associates that says iPhone users are more satisfied with their phones than BlackBerry users. In J.D. Power's Business Wireless Smartphone Customer Satisfaction, Apple scored 778 points out of a possible 1000, while RIM (manufacturer of BlackBerry devices) only scored 703.

From here, let's look at individual user experience. Subjective, to be sure, but still important:

Mitchell Ashley Compares the Storm and the iPhone. In his comparison, he finds that he prefers the Storm for phone quality, touch screen (the Storm's touch screen is a "double-click" paradigm, like Windows, while the iPhone, like the Macintosh, is a "single-click" paradigm), keyboard, battery life, and expandable memory. The iPhone wins on multi-touch support, web browsing experience, and application support.

While Mitchell Ashley seemed pretty clearly in favor of the BlackBerry, the San Jose Mercury News wasn't as impressed. Although they also liked the BlackBerry's keyboard and call quality, they found it hard to click on things in the UI: "Sometimes ... I had a hard time clicking on icons I wanted: At times, the browser would zoom in on the icon rather than activating it. Or I'd end up clicking an adjacent link". They also found that the BlackBerry would tend to bog down when trying to do too many things at once, such as looking at photographs while listening to music. And while neither activity is particularly business-related, it's worth noting that these devices will probably end up getting used for a lot of non-business purposes as well. :)

In a NetworkWorld comparison, the reviewers were particularly impressed by the iPhone's WiFi capability. This allows the iPhone to connect to local wireless networks when available to access the Internet, saving on per-minute data fees. On a large download, this cost savings can be quite significant. On the other hand, the reviewers thought that even though the iPhone had gone a long way towards being useful for enterprise users (particularly by supporting Microsoft SharePoint and Cisco IPsec VPN) the BlackBerry was still the de facto standard for enterprise wireless devices. As an IT professional, I particularly like how the BlackBerry allows IT departments to put fine-grained security policies on the devices, going so far as to allow the internal digital camera to be disabled via a security policy. On the other hand, there's the keyboard:



Blackberry keyboard on left.

Now, it's possible that this keyboard can be configured to have one "button" for each key, but as pictured here, that keyboard might just be a deal breaker.

Something that is also useful to consider is the network. In both 2007 and 2008, Verizon has come out ahead of AT&T in terms of call quality. Business users tend to spend a lot of time on the phone, so call quality is very important. Additionally, a 2008 survey found Verizon superior in terms of customer service and reliability.

Let's talk price: $200 after $50 mail-in rebate for the BlackBerry Storm. $199 for the iPhone 3G (8 GB version, $299 for 16GB). Both prices are with two year contract. Note also that these are consumer prices, but I expect business prices to be proportional.

Finally, let's discuss support for Zimbra, the mail server we use here. We're also quite fond of its calendaring and contacts, and it would be awfully nice if those things could be synchronized to the phone, as opposed to just email. I'll begin with the iPhone.

Zimbra's official word on the iPhone states that synchronizing the iPhone's native email, calendar, and contacts with ZCS can be done by means of ActiveSync. This requires Zimbra Network Edition (i.e. the one you pay for, not the free one). There is also a mobile client "built for devices such as the iPhone" called iZimbra.

Zimbra's support for BlackBerry requires the user not only to have Zimbra Network Edition, but also BlackBerry Enterprise Server - a significant price tag. However, with these systems in place, you get:


  • Over-the-air synchronization of mail, address book, calendar in the native BlackBerry UI
  • Sync to all BlackBerry devices
  • Full access to Zimbra GAL
  • Search messages
  • Open / view attachments
  • Manage calendar events; accept / decline meetings
  • Administrators add / provision users directly in the BlackBerry Administration Console


This last bit troubles me a little. I'm used to adding and provisioning users in Zimbra's administration panel, but it looks here like I'd have to switch to doing things in this BlackBerry Administration Console. So maybe this solution is geared more towards organizations who already have a BlackBerry infrastructure in place.

So there you have it. After reading these articles, I'm leaning towards the iPhone. The BlackBerry has some nice things going for it - in particular, I'd love to experience the "tactile keyboard" thing that they're advertising - but overall, I think the iPhone is a more practical choice. It's more reliable, and there's less extra software to be put in place to synchronize it with Zimbra. It's what I'll be recommending.

First post! WOOT!

Welcome to my tech blog. I've just taken a position as a systems administrator for a company in Lawrence, Kansas, and I thought it might be nice to have a place to post all the tech-y stuff I encounter on a daily basis.

Opinions expressed on this blog are strictly my own, and do not necessarily represent those of my employer, who shall remain nameless.