Setting up external authentication in Carbonio

One of the simplest and most convenient ways to manage password security policy at an enterprise is centralized authentication. Since authentication is performed on a single server, all password change operations also occur in a single information system, and the password security policy is configured once. In this article, we will discuss how to integrate Carbonio with an external Active Directory or external LDAP, which are used at an enterprise to authenticate users.

This guide applies both to users of the free Carbonio Community Edition and to the commercial version of Carbonio.

Authentication in Active Directory

You can configure external authentication with an existing Active Directory server either in the administrator console or in the command line.

The principle is that when a user enters an account name and password, the data is not compared with the password hashes stored in Carbonio's own LDAP but is passed to the external AD server, which performs the verification. Carbonio receives a response from Active Directory that either confirms or rejects the authentication, and based on that response the user is logged in or shown a corresponding error.

To configure it in the admin console, go to Domains – test.carbonio.local – Authentication.

In the window that opens, select the external Active Directory authentication method and fill in the required parameters:

Unique Name Template – the bind DN template; use the %u macro in place of the user name, for example uid=%u,dc=ad,dc=carbonio,dc=local

URL – specify the domain name or IP address of the AD server, for example ad.carbonio.local:389

Filter – a filter that restricts authentication to the accounts that correspond to real users in the domain, for example (&(objectCategory=person)(objectClass=user))

Basic search – the search base, i.e. the directory branch under which all accounts of the domain are found, for example (dc=ad,dc=carbonio,dc=local)

User – the user name that has read access to the LDAP branch containing your mail domain accounts (the AD global administrator can be used, although a dedicated account with read-only rights is preferable)

Password – the password of that user

The option below, “Try local password management in case of failure using other methods”, allows the local Carbonio password to be used for login in addition to the Active Directory password. This can be useful if the AD server fails or is unreachable. Note that with this option enabled the local Carbonio password remains a valid credential, so the local password policy still applies to those accounts.

When all the settings are entered, click the “Login and Confirm” button to check the correctness of the entered data. If the connection is successful, click “Save” to save the entered settings.

In the command line, authentication is configured by editing several attributes of the domain being configured. Let's take as an example the mail domain test.carbonio.local, whose users will be authenticated against the domain ad.carbonio.local.

  • Authentication Mechanism – carbonio prov modifyDomain test.carbonio.local zimbraAuthMech ad

  • Unique name template – carbonio prov modifyDomain test.carbonio.local zimbraAuthLdapBindDn uid=%u,dc=ad,dc=carbonio,dc=local

  • Username for search and authentication – carbonio prov modifyDomain test.carbonio.local zimbraAuthLdapSearchBindDn uid=zextras,dc=ad,dc=carbonio,dc=local

  • User password for search and authentication – carbonio prov modifyDomain test.carbonio.local zimbraAuthLdapSearchBindPassword 654321

  • Search base – carbonio prov modifyDomain test.carbonio.local zimbraAuthLdapSearchBase dc=ad,dc=carbonio,dc=local

  • Search filter – carbonio prov modifyDomain test.carbonio.local zimbraAuthLdapSearchFilter samaccountname=%u

  • Active Directory Server Address – carbonio prov modifyDomain test.carbonio.local zimbraAuthLdapURL ldap://ad.carbonio.local (where the AD server offers LDAP over TLS, use an ldaps:// URL so that the bind credentials are not sent in clear text)

If you also want to allow local Carbonio passwords, enable this with carbonio prov modifyDomain test.carbonio.local zimbraAuthFallbackToLocal TRUE and disable it again with carbonio prov modifyDomain test.carbonio.local zimbraAuthFallbackToLocal FALSE.

Carbonio user authentication in external LDAP is configured in the same way as for Active Directory.

Authenticate users outside the template

The authentication setup above is domain-wide and only works correctly if the accounts on the Active Directory or LDAP side have the same names as in Carbonio.

If there is no such correspondence and the accounts on the Active Directory or LDAP side have different names, you will need to configure the Bind DN for each such user separately.

This is done from the command line. For example, the command carbonio prov modifyAccount zextras@test.carbonio.local zimbraAuthLdapBindDn uid=admin,dc=ad,dc=carbonio,dc=local maps the Carbonio account zextras@test.carbonio.local to the account admin@ad.carbonio.local.

Note that if template authentication has already been configured for the entire domain, all accounts that match the template continue to use the domain settings and do not need an individual Bind DN; only the accounts whose names differ require one.
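The resolution logic described in the command-line procedure and in this section, as an added example that is not Carbonio's own code: given the domain attributes and an optional per-account override, it computes the bind DN and search filter that apply to one account. The %u macro is the one named in the article; %n, %d and %D follow the Zimbra attribute documentation that Carbonio inherits (an assumption), and the filter escaping is the example's own safeguard.

```python
import re

# RFC 4515 escapes: a login name inserted into a filter must not be able
# to alter the filter's structure (the example's own safeguard).
FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def escape_filter_value(value):
    return "".join(FILTER_ESCAPES.get(ch, ch) for ch in value)

def expand_macros(template, account, for_filter=False):
    """Expand %n/%u/%d/%D in a bind-DN or filter template for one account."""
    user, _, domain = account.partition("@")
    values = {"%n": account, "%u": user, "%d": domain,
              "%D": ",".join("dc=" + p for p in domain.split(".")) if domain else ""}
    if for_filter:
        values = {k: escape_filter_value(v) for k, v in values.items()}
    return re.sub(r"%[nudD]", lambda m: values[m.group()], template)

def resolve_auth(domain_attrs, account, account_attrs=None):
    """Return the bind DN, search filter, base and fallback flag for one account."""
    account_attrs = account_attrs or {}
    mech = domain_attrs.get("zimbraAuthMech", "zimbra")
    if mech not in ("ad", "ldap"):  # internal auth: no external bind at all
        return {"mechanism": mech, "bind_dn": None, "search_filter": None,
                "search_base": None, "fallback_to_local": True}
    # A per-account zimbraAuthLdapBindDn wins over the domain-wide template.
    bind_tpl = account_attrs.get("zimbraAuthLdapBindDn") or domain_attrs.get("zimbraAuthLdapBindDn")
    filt = domain_attrs.get("zimbraAuthLdapSearchFilter")
    if filt:
        filt = expand_macros(filt, account, for_filter=True)
        if not filt.startswith("("):  # the CLI example above omits the parentheses
            filt = "(" + filt + ")"
    return {
        "mechanism": mech,
        "bind_dn": expand_macros(bind_tpl, account) if bind_tpl else None,
        "search_filter": filt,
        "search_base": domain_attrs.get("zimbraAuthLdapSearchBase"),
        "fallback_to_local": domain_attrs.get("zimbraAuthFallbackToLocal", "FALSE").upper() == "TRUE",
    }

# Constructed sample mirroring the article's test.carbonio.local settings.
DOMAIN = {
    "zimbraAuthMech": "ad",
    "zimbraAuthLdapBindDn": "uid=%u,dc=ad,dc=carbonio,dc=local",
    "zimbraAuthLdapSearchBase": "dc=ad,dc=carbonio,dc=local",
    "zimbraAuthLdapSearchFilter": "samaccountname=%u",
    "zimbraAuthFallbackToLocal": "TRUE",
}
```

Calling resolve_auth(DOMAIN, "zextras@test.carbonio.local", {"zimbraAuthLdapBindDn": "uid=admin,dc=ad,dc=carbonio,dc=local"}) shows the per-account override taking precedence over the domain template.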

For questions regarding testing, purchasing, licensing and consultations, please contact the exclusive partner Zextras at sales@svzcloud.ru.

You can get information and exchange experience about Carbonio CE in the Telegram groups CarbonioMail and Carbonio CE Unofficial.
