• Category: webaccess
  • License: GNU Affero General Public License (AGPL) version 3
  • Updated: 2012-8-23
  • Downloads: 1387


Author Recommended:

Previous releases:

Other Projects

Milo Oostergo's projects:




This project extends the Zarafa WebAccess with a two factor authentication based on Yubikey

Full description:


The Zarafa Yubikey integration will extend the Zarafa WebAccess with two factor authentication.

Next to the default username and password authentication, a OTP (One Time Password) generated on the Yubikey is checked against the Yubikey authentication servers.

A Yubikey is a cheap usb device, which can be used as authentication token for services and networks.The Yubikey can purchased on or

In order to use Yubikey integration for Zarafa, please make sure:

  • PHP 5.2 or higher is installed
  • PHP-LDAP is installed
  • ZCP 7.0 is installed
  • Zarafa is connected to a LDAP backend

To have a two factor authentication in the Zarafa WebAccess the login screen will be extended, see screenshot below.


To enable the Yubikey Zarafa integration use the following steps:

  • Download the Yubikey php module from and place it in /usr/share/zarafa-webaccess
  • Rename the directory to Auth_Yubico-2.x to Auth
  • Download the of this project and unzip it in /usr/share/zarafa-webaccess
  • Patch the index.php file via patch -p0 -F4 < index.patch
  • Patch the client/login.php file via patch -p0 -F4 < ../login.patch
  • Place the file get_publicid.php file in the Auth directory

The get_publicid.php script will search in the LDAP directory for the publicid of the Yubikey and checks if the user who logs in with Yubikey matches also the username in LDAP with the used Yubikey public id. The script has to be modified with the correct ldap host, search base, bind user, username attribute and attribute where the Yubikey publicid is located.

Example LDIF file

dn: uid=john,ou=People,dc=example,dc=com objectClass: top objectClass: inetOrgPerson objectClass: posixAccount objectClass: zarafa-user uid: johnuidNumber: 1000 gidNumber: 1000 homeDirectory: /home/john mail: [email protected] cn: John Doe carLicense: vvrrkdhjhbaa <<<<<< this is the public yubikey id

Request an API key for the Yubikey authentication servers on

  • Replace the client id and secret key in the index.php file

Now you are ready to test it!

  • Place the public id (first 12 characters) of your Yubikey in the Yubikey LDAP attribute of your username
  • Open the WebAccess and fill in username, password and OTP and see if you are able to login