Monday, December 29, 2008

Setting up Zimbra BES Connector

My organization has several employees with BlackBerry devices, and as we run Zimbra for our mail server, we'd like those employees to be able to sync their BlackBerries with our mail server. To do this requires two things: BlackBerry Enterprise Server ("BES" for short) and Zimbra BES Connector ("ZBC" for short).

Zimbra BES Connector is designed to run on the same logical machine as BlackBerry Enterprise Server, and as it turns out, ZBC's requirements (as stated in the ZBC Admin Guide) are considerably more strict than BES. To wit:



BES's requirements:


  • Minimum requirements for up to 500 users: Intel® Pentium® IV processor (2GHz or greater), 1.5 GB RAM, MSDE 2000 or higher, 20 GB disk space in addition to Windows® requirements

  • Windows 2000 Server (Server or Advanced Server Editions) with Service Pack 4 or Windows Server 2003 with Service Pack 1

  • Integrates with Microsoft® Exchange 5.5 (Service Pack 4 or later), Microsoft Exchange 2000 (Service Pack 2 or later) or Microsoft Exchange 2003 mail server environments (mixed mode or native installation).

  • Microsoft Exchange 5.5 Administrator, Microsoft Exchange 2000 System Manager or Microsoft Exchange 2003 System Manager, Microsoft Exchange 2007 MAPI Client

  • Microsoft Internet Explorer® version 6.0 or later



I'm ignoring the Exchange server requirements per the ZBC documentation, but everything else still stands.

Having recently become very fond of setting up things on virtual machines, and since this installation is still in the testing stage right now, I'll set this up on a VM with:


  • Windows Server 2003

  • 1.5 GB RAM

  • Outlook 2007

  • MAPI/CDO 1.2.1

  • Internet Explorer 7

  • BlackBerry Enterprise Server 4.1 for Exchange (60-day, 20-user trial version)

  • 30GB HDD



Note that you must set up a separate user account (see here for details) that BES and associated services will run under. It will not work if you simply install BES as Administrator and set all the services to run as system services. I learned this the hard way. :(

Once the VM is set up, the next step is to install the Zimbra BES Connector by means of the MSI file. This is a quick matter. Now I'll create an Administrator account for BES on Zimbra using the Admin Console. If you're following along, feel free to choose a username and password to your liking; I recommend diceware.com and a bunch of D6's for password generation.

The next step is to make sure that the Zimbra server's mail port has SSL enabled. To allow both SSL and non-SSL, execute (on the mail server, as the Zimbra user) zmtlsctl both. To allow only SSL, execute zmtlsctl https.

Now I'll delete and recreate the BES mail profiles "BlackBerryServer" and "BlackBerryManager". To do this, I go to the Start Menu on the BES server, then choose Control Panel, then Mail. This brings up the BlackBerryServer Mail Setup dialog. Here, I choose "Show Profiles".

This dialog only shows the BlackBerryServer profile. No big deal - if the other profile was there, I'd delete it anyway, so this just saves me a step. After deleting the BlackBerryServer profile, I hit "Add" to create a new profile, and I get a dialog titled "Add New E-mail Account". This dialog is trying to set up an email account for me automatically, but I don't want that, so I click "Manually configure server settings or additional server types" at the bottom and hit Next. From here, I select "Other", which allows me to select "Zimbra Collaboration Server" from the box below. I hit Next, and am presented with a "Zimbra Server Configuration Settings" dialog. I put in the name of my mail server and the port that the Zimbra admin service is listening on [1], check "use secure connection", and put in the BES Administrator account credentials that I set up in the Zimbra Admin Console. After that, I hit "OK". I follow the same process to create the BlackBerryServer profile.

Now I can start the BlackBerry Controller service, which should start any other services that BES requires [2].

[1] ZBC connects to the Zimbra administrative interface, so in addition to putting in the name of your Zimbra server, you'll have to put the port (typically 7071) in as well, e.g. "mail.example.com:7071" (source)

[2] The first time I did this, I got an error dialog: "Error 1069: The service did not start due to a logon Failure." Turns out this was not an error in my BES configuration, but the Windows service configuration (details). I switched the service from running as the Administrator account to the system account, and after that was able to start the service successfully.

From here, the connector is set up. I can see the users on my mail server in the Global Address List. I haven't figured out how to provision anyone in BES yet, but that's a BES issue, not a Zimbra issue.

Monday, December 22, 2008

Setting up an LDAP replica server using Zimbra

We run Zimbra at work, as well as an OpenLDAP server. It occurred to us that it would be great if we could standardize on a single LDAP solution and reduce our administrative overhead. Since Zimbra has such nice management tools, I want to go with Zimbra. So my plan is to build an LDAP replication server that will initially be slaved off of the main Zimbra mail server, but eventually will be the LDAP master that the mail server is slaved to. It occurs to me that one thing I'll have to do some digging into is using that LDAP server with Samba (which we use for a lot of file sharing) - I don't know if Zimbra's LDAP setup has the Samba stuff in it by default or not.

The official documentation for this process is in the Zimbra Connection Suite Multi-Server Installation Guide, specifically the Configuring LDAP Replication section. There are also instructions in the LDAP topic of the Zimbra wiki, but the instructions in the official docs are more detailed.

To begin with, I went over to the mail server and enabled replication:


ssh mail.company.com
su -
su - zimbra
/opt/zimbra/libexec/zmldapenablereplica


Output from zmldapenablereplica:


Enabling sync provider...succeeded
Stopping LDAP on mail.company.com...done
Starting LDAP on mail.company.com...done


Next, I built a VM using Ubuntu Server 8.04 LTS, one of the distributions supported by Zimbra. I downloaded (download location) the proper version of the Zimbra Network Edition installer, unpacked the installation files into /tmp, and started the installer:


cd /tmp
tar xzf /home/kit/zcs-NETWORK-5.0.11_GA_2695.UBUNTU8_64.20081117023527.tgz
cd zcs-NETWORK-5.0.11_GA_2695.UBUNTU8_64.20081117023527
./install.sh


It informed me that I had to fiddle /etc/hosts (see this howto for details). I did so, and re-ran the installer. This time, I got:


Operations logged to /tmp/install.log.26576
Checking for existing installation...
zimbra-ldap...NOT FOUND
zimbra-logger...NOT FOUND
zimbra-mta...NOT FOUND
zimbra-snmp...NOT FOUND
zimbra-store...NOT FOUND
zimbra-apache...NOT FOUND
zimbra-spell...NOT FOUND
zimbra-proxy...NOT FOUND
zimbra-archiving...NOT FOUND
zimbra-convertd...NOT FOUND
zimbra-cluster...NOT FOUND
zimbra-core...NOT FOUND


PLEASE READ THIS AGREEMENT CAREFULLY BEFORE USING THE SOFTWARE.
ZIMBRA, INC. ("ZIMBRA") WILL ONLY LICENSE THIS SOFTWARE TO YOU IF YOU
FIRST ACCEPT THE TERMS OF THIS AGREEMENT. BY DOWNLOADING OR INSTALLING
THE SOFTWARE, OR USING THE PRODUCT, YOU ARE CONSENTING TO BE BOUND BY
THIS AGREEMENT. IF YOU DO NOT AGREE TO ALL OF THE TERMS OF THIS
AGREEMENT, THEN DO NOT DOWNLOAD, INSTALL OR USE THE PRODUCT.

License Terms for the Zimbra Collaboration Suite:
http://www.zimbra.com/license/zimbra_network_eval_license.pdf


Press Return to continue

Checking for prerequisites...
FOUND: NPTL
FOUND: sudo-1.6.9p10-1ubuntu3.3
FOUND: libidn11-1.1-1
MISSING: libpcre3
MISSING: libgmp3c2
FOUND: libexpat1-2.0.1-0ubuntu1
FOUND: libstdc++6-4.2.3-2ubuntu7
MISSING: libstdc++5
MISSING: libltdl3
Checking for suggested prerequisites...
FOUND: perl-5.8.8

###ERROR###

One or more prerequisite packages are missing.
Please install them before running this installer.

Installation cancelled.


Easy enough to fix: just install those packages. The installer is nice enough to use Ubuntu's package names, so with a simple cut-and-paste, I can do:


apt-get install libpcre3 libgmp3c2 libstdc++5 libltdl3


Now, for the third time, I run ./install.sh, and this time it starts the installation. As the documentation suggests, I install only the zimbra-core and zimbra-ldap packages, and am presented with:


Main menu

1) Common Configuration:
2) zimbra-ldap: Enabled
3) Enable default backup schedule: yes
r) Start servers after configuration yes
s) Save config to file
x) Expand menu
q) Quit

*** CONFIGURATION COMPLETE - press 'a' to apply
Select from menu, or press 'a' to apply config (? - help)


As per the instructions, I go into "Common Configuration":


Common configuration

1) Hostname: hostname.company.com
2) Ldap master host: hostname.company.com
3) Ldap port: 389
4) Ldap Admin password: set
5) Require secure interprocess communications: yes
6) TimeZone: (GMT-08.00) Pacific Time (US & Canada)

Select, or 'r' for previous menu [r]


I choose option 2 here and set my LDAP master host to "mail.company.com". I then choose option 4 to set the LDAP Admin password to the Zimbra LDAP password set on mail.company.com (find this by executing "zmlocalconfig -s zimbra_ldap_password" as the Zimbra user on the master LDAP server), and then choose "r" to return to the previous menu.

From the main menu, I choose option 2, "zimbra-ldap":


Ldap configuration

1) Status: Enabled
2) Create Domain: yes
3) Domain to create: hostname.company.com
4) Ldap Root password: set
5) Ldap Replication password: set
6) Ldap Postfix password: set
7) Ldap Amavis password: set
8) Ldap Nginx password: set

Select, or 'r' for previous menu [r]


Here, I choose option 2 to set "Create Domain" to "no", then set the LDAP replication password to the LDAP replication password on the mail server (find this by executing "zmlocalconfig -s ldap_replication_password" as the Zimbra user on the master LDAP server). I then choose "r" to return to the main menu, and "a" to apply my changes.

Now, all that remains is to test the setup. As the Zimbra user, I execute "zmprov gaa", which displays all the accounts set up on the mail server. But, just to be sure, I create a user on the mail server:


zmprov ca foo.mcbarson@company.com password


Now, when I run "zmprov gaa" on the replication server, I see "foo.mcbarson@company.com" at the bottom of the list. LDAP replication is a success. But that's only half of what needs to be done. I still need to set up the mail server to replicate from the LDAP server I've just set up. However, as it's nearly time to go home, I think I'll save that for another day.
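The "zmprov gaa" comparison above is worth scripting, since a replica that silently lags the master will hand out stale account data to whatever is bound to it. The script below is an added example and not part of the original post; the two account lists are constructed inline, and it assumes that on a real pair they would be captured with "zmprov gaa" as the Zimbra user on each host.

```shell
#!/bin/sh
# Added example: check that the LDAP replica carries the same accounts as
# the master. The lists below are constructed; on a live pair, capture them
# with "zmprov gaa" as the zimbra user on mail.company.com and on the replica
# (assumption: host names as in the post).
MASTER_ACCOUNTS='admin@company.com
alice@company.com
foo.mcbarson@company.com'
REPLICA_ACCOUNTS='admin@company.com
alice@company.com'

# accounts_only_in LIST_A LIST_B -> accounts present in LIST_A but absent from LIST_B
accounts_only_in() {
    a=$(mktemp)
    b=$(mktemp)
    printf '%s\n' "$1" | sort -u > "$a"
    printf '%s\n' "$2" | sort -u > "$b"
    comm -23 "$a" "$b"
    rm -f "$a" "$b"
}

# replica_in_sync MASTER REPLICA -> succeeds only when neither side has extra accounts
replica_in_sync() {
    [ -z "$(accounts_only_in "$1" "$2")" ] && [ -z "$(accounts_only_in "$2" "$1")" ]
}

# Report the result the same way the post checks it: does the new account show up?
if replica_in_sync "$MASTER_ACCOUNTS" "$REPLICA_ACCOUNTS"; then
    echo "replica in sync with master"
else
    echo "accounts missing on replica:"
    accounts_only_in "$MASTER_ACCOUNTS" "$REPLICA_ACCOUNTS"
    # A replica is read-only, so anything listed here means a write went to the wrong host.
    echo "accounts only on replica (should be empty):"
    accounts_only_in "$REPLICA_ACCOUNTS" "$MASTER_ACCOUNTS"
fi
```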

Wednesday, December 3, 2008

Proof-of-concept AoE on Linux

One thing I've been wanting to play with at work is ATA over Ethernet. Seems like a pretty neat trick - stick a bunch of drives in a box somewhere and mount them from somewhere else, like a VMWare image.

There's a nice article on Debian Administration on how to do this. I'll mostly be parroting that article, but I figure it might be useful to show how I did it.

I took an old P4 box that we had laying around with a 20G hard drive and put Debian 4.0 on it. I set up the disk using LVM2, because I was curious what would happen if I did that. My LVM setup:

5G root, formatted ext3
500M swap
12.92G "files", unformatted. I figure since I'll be using this thing as an AoE volume, I'll let the system that actually mounts this volume do the formatting. I don't think that's strictly necessary, though.

Also, per the article, I installed the "aoetools" and "vblade" packages. "aoetools" provides various useful tools for managing AoE volumes. "vblade" is described as a "virtual AoE blade emulator", which will allow me to export a local disk (or in this case, LV) over AoE. In this case, the command is:

vbladed 0 1 eth0 /dev/mapper/aoetest-files

And, sure enough, I see in my syslog:


... vbladed: ioctl returned 0
... vbladed: 13870562238 bytes
... vbladed: pid 2306: e0.1, 27090944 sectors


So now I need to access the AoE volume. Before I get into that, though, I'll note that both my AoE proof-of-concept machine and the machine I'll be mounting the AoE volume from have a dedicated network interface that I'll be using for AoE (connected via a crossover cable; in production I'd use a dedicated switch). I'd do the same in production so that my AoE traffic isn't sharing the network with regular traffic. While I think this is good practice, it's not strictly necessary, and I'm pretty sure it's possible to run AoE over the regular network if you have to.

On my desktop (which I'll be using to mount the AoE volume) I've installed the "aoetools" package and loaded the AoE kernel module with modprobe aoe. Next I do aoe-discover, and I see:

"aoe-discover: /dev/etherd/discover does not exist or is not writeable."

Well, that's not good. What did I do wrong? Nothing, as it turns out. This is a bug in Ubuntu 8.10, and as yet, there has been no fix posted. But maybe I can fix it myself.

grep etherd /etc/udev/rules.d/* on the Debian box gives me:


/etc/udev/rules.d/udev.rules:SUBSYSTEM=="aoe", KERNEL=="discover", NAME="etherd/%k"
/etc/udev/rules.d/udev.rules:SUBSYSTEM=="aoe", KERNEL=="err", NAME="etherd/%k"
/etc/udev/rules.d/udev.rules:SUBSYSTEM=="aoe", KERNEL=="interfaces", NAME="etherd/%k"
/etc/udev/rules.d/udev.rules:SUBSYSTEM=="aoe", KERNEL=="revalidate", NAME="etherd/%k"


The same command on my Ubuntu box gives me nothing. However, I can't just tack those lines on to /etc/udev/rules.d/udev.rules on my desktop, because apparently Ubuntu doesn't use that file. Instead I'll create a special file just for AoE, and I'll put it in /etc/udev/rules.d/25-aoe.rules. Restart udev, and voilà! The devices are there!

Now, when I run "aoe-discover", I see nothing. That's OK. aoe-discover doesn't have any output. It's aoe-stat that will tell me what's there, and when I run that, I get:

e0.1 13.870GB eth1 up

Hooray! I create a filesystem with: mkfs.ext3 /dev/etherd/e0.1, then, as a test, create a 100M file: dd if=/dev/urandom of=/mnt/test1 bs=1M count=100. Takes 15.1 seconds. Creating a similar file locally? 14.8 seconds, so not too bad for speed. Of course, the two boxen are connected via a crossover - I might well see some slowdown using a switch.
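Since AoE has no authentication of its own, the dedicated interface is what keeps the exported LV from being reachable by every host on the general network, and aoe-stat is the easiest place to confirm that. The script below is an added example, not part of the original post: it parses aoe-stat output in the four-column layout shown above (constructed sample, with two extra targets) and assumes eth1 is the storage interface.

```shell
#!/bin/sh
# Added example: confirm AoE targets are only seen on the dedicated storage
# interface. The sample follows the aoe-stat layout in the post; on a live
# host replace it with: AOE_STAT_SAMPLE=$(aoe-stat)
AOE_STAT_SAMPLE='e0.1 13.870GB eth1 up
e0.2 13.870GB eth0 up
e1.0 500.000GB eth1 down'

STORAGE_IF="eth1"   # assumption: eth1 is the crossover/storage interface

# aoe_targets_on STAT IFACE -> space-separated targets seen on IFACE
aoe_targets_on() {
    printf '%s\n' "$1" | awk -v ifc="$2" '$3 == ifc { printf "%s ", $1 }' | sed 's/ $//'
}

# aoe_stray_targets STAT IFACE -> targets seen on any interface other than IFACE
aoe_stray_targets() {
    printf '%s\n' "$1" | awk -v ifc="$2" '$3 != ifc { printf "%s ", $1 }' | sed 's/ $//'
}

# aoe_target_up STAT TARGET -> succeeds when TARGET's last column reads "up"
aoe_target_up() {
    printf '%s\n' "$1" | awk -v t="$2" '$1 == t && $NF == "up" { found = 1 } END { exit !found }'
}

# Report: a target visible on a non-storage interface is exposed to that whole segment.
stray=$(aoe_stray_targets "$AOE_STAT_SAMPLE" "$STORAGE_IF")
if [ -n "$stray" ]; then
    echo "WARNING: AoE targets visible outside $STORAGE_IF: $stray"
fi
echo "targets on $STORAGE_IF: $(aoe_targets_on "$AOE_STAT_SAMPLE" "$STORAGE_IF")"
if aoe_target_up "$AOE_STAT_SAMPLE" e0.1; then
    echo "e0.1 is up"
fi
```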

So here we have it. A proof-of-concept Linux-based AoE appliance using commodity hardware. Since the AoE volume is an LVM logical volume on the appliance, you can use LVM tools to change the size of that LV, should you need to. I wouldn't recommend it, though.