When Active Directory is used to manage users on the internal network, the system administrator is faced with the task of configuring the solutions used to log users using passwords stored in AD. This can be done in Zimbra OSE by enabling and configuring the appropriate authentication mode. The principle of operation of this authentication mode is that Zimbra OSE transmits the password entered by the user to Active Directory and receives a response from it whether this password is correct or not. If the answer is yes, the user successfully logs into his account, otherwise the login attempt is recognized as unsuccessful and the user is prompted to re-enter the password. In this article, we will talk about how to properly configure Zimbra OSE for authentication using Active Directory.
Zimbra OSE provides several different authentication mechanisms. Among them:
Internal – authentication is done using internal LDAP
External LDAP – Authentication occurs using external LDAP
External Active Directory – Authentication is done using AD
Kerberos5 – authentication occurs using a Kerberos ticket
Custom – customize your own authentication mechanism
The first three types of authentication can be configured both from the administrator console and from the command line. You can only configure custom authentication and Kerberos authentication using the Zimbra OSE command line. In this tutorial, we will configure the “External Active Directory” authentication type.
Requirements for Authentication with an External AD Server
The main requirement when using this type of authentication is the presence of local accounts associated with accounts in AD in Zimbra OSE. In the event that there are few accounts, you can add and remove them manually as needed. However, if there are a lot of them, it would be best to configure the automatic creation of new users from AD in Zimbra OSE. A script from kiby75 is best suited for this task, which allows you to synchronize a list of users from AD with Zimbra OSE with minimal effort.
Note that when using AD to authenticate users, the Zimbra OSE administrator, like the user himself, does not have the ability to change the account password. This is because account passwords are no longer stored in Zimbra LDAP. You can change the account password in the Active Directory itself.
Configuring in the admin console
In order to configure authentication using an external Active Directory server, go to the Zimbra OSE administrator console, in our case it is https://mail.example.ru:7071… Go to the “Settings” section and select “Domains” on the left side of the window.
In the list of domains that appears, right-click on the domain for which you are configuring authentication and select “Configure Authentication” in the context menu.
In the window that opens, select the “External Active Directory” item and click “Next”
Enter the name of the AD server, its IP address, the port used to connect, and optionally configure the use of SSL encryption when connecting to the server.
Test your AD connectivity by looking for one of the users stored there. If the connection is successful, the message “Authentication test completed successfully” appears.
On the next screen, leave the data in all fields unchanged.
Click Finish to complete the AD authentication setup.
Command line configuration
If there is no access to the graphical interface of the Zimbra OSE administrator console, it is possible to configure user authentication via AD in the Zimbra OSE command line. To do this, enter the commands:
sudo su - zimbra zmprov modifyDomain mail.example.ru zimbraAuthMech ad zmprov modifyDomain mail.example.ru zimbraAuthLdapURL ldap://10.0.1.55:3268 zmprov modifyDomain mail.example.ru zimbraAuthLdapBindDn %firstname.lastname@example.org
In this case, user authentication will be configured using an unencrypted LDAP communication channel. If you want to use encryption when connecting to AD, use the LDAPS punctuation with the corresponding port number:
sudo su - zimbra zmprov modifyDomain mail.example.ru zimbraAuthMech ad zmprov modifyDomain mail.example.ru zimbraAuthLdapURL ldaps://10.0.1.55:3269 zmprov modifyDomain mail.example.ru zimbraAuthLdapBindDn %email@example.com
Mixed authentication type
When using authentication using an external AD server, the administrator can leave the user the option to log in with the password of the Zimbra OSE account. This can be useful, for example, in the event of a disaster that renders the AD server unavailable. In order to allow the user to log in with the password of the Zimbra OSE account, you must enable the zimbraAuthFallbackToLocal parameter using the command zmprov modifyDomain mail.example.ru zimbraAuthFallbackToLocal TRUE… This option is disabled by default.
After that, the user will be able to log in using both the password from the AD account and the password of the local account. Note that in Zimbra OSE, when using authentication through the AD server, it is forbidden to change account passwords.
To set a local password for the account, use the command zmprov setPassword firstname.lastname@example.org P @ $$ w0rDwhere P @ $$ w0rD is the local password of the user account.
You can disable this potentially unsafe feature using the command zmprov modifyDomain mail.example.ru zimbraAuthFallbackToLocal FALSE
You can test the correctness of authentication through AD by logging in as a test user.
For all questions related to Zextras Suite and Team Pro, you can contact Zextras Representative Ekaterina Triandafilidi by e-mail email@example.com.