Configure authentication with Active Directory: Difference between revisions
{{Article Footer|Zimbra Collaboration 8.6, 8.5, 8.0|03/24/2015}}
Revision as of 13:51, 6 February 2023
Configure authentication with Active Directory
Purpose
In this article we will explore the steps that need to be taken in order to configure authentication between Zimbra Collaboration and Active Directory.
The scope of this article does not cover the configuration of AD. Check the Additional Content section at the bottom for instructions on AD installation.
Resolution
Prerequisites:
1. For this article we will be using Windows Server 2012.
2. Active Directory configured with a couple of users which we will use to test the configuration (see below).
3. Right-click on each user and select Properties. Make sure that each user has a User Logon Name configured under the Account tab.
Part 1
Log in to the AdminUI and navigate to the Configuration section.
Click Domains on the left side to show the available domains on the right side. Right-click the domain you would like to configure and select the Configure Authentication option.
On the following window select External Active Directory.
Enter the AD domain name and the AD server name or IP address.
Leave the next window as it is.
After completing the configuration, you can test if the authentication works on the next window.
Leave the next two windows unchanged.
Part 2
To synchronize Zimbra with Active Directory, we need to create the same account names in Zimbra.
Click on the Home button to get back to the Manage option.
Click on the Manage button to access the user section.
Click the button at the top right and select New to create a new user.
The user we create must have the same name as the AD user for whom we are creating the login. The domain name should be the one used for Zimbra, not the AD domain.
If we scroll down in the same user creation window, we notice that there is no password section. That is because the password is taken from AD.
Part 3
Test the configuration.
To test the configuration, we will try to log in with the newly created user.
If you can log in, then the configuration has been successful.
Additional Content
- Here is a good external article on how to configure AD on Windows Server 2012: http://www.rackspace.com/knowledge_center/article/installing-active-directory-on-windows-server-2012
LDAP+STARTTLS or LDAPS port 389 or 636
Eventually Microsoft will require the use of STARTTLS on port 389, making connections to port 389 encrypted after STARTTLS has been performed. See: https://support.microsoft.com/en-us/topic/2020-ldap-channel-binding-and-ldap-signing-requirements-for-windows-kb4520412-ef185fb8-00f7-167d-744c-f299a66fc00a In the meantime you can also use port 636 with LDAPS. While LDAPS seems unofficially deprecated, it is a secure option, as ALL communication will be encrypted with TLS. See: https://github.com/Zimbra-Community/ADPassword/blob/master/wiki/Enable%20LDAPS%20on%20Windows%202008%20Active%20Directory%20Domain.md and https://github.com/Zimbra-Community/ADPassword
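The distinction the paragraph above draws between STARTTLS on port 389 and LDAPS on port 636, shown at the wire level as an added example (Python with only the standard library; this is not code from the original article or from Zimbra). It builds and parses the LDAP StartTLS request and reply by hand, so you can see exactly what still crosses port 389 in cleartext, and the connection helper refuses to continue in plaintext if StartTLS is rejected. The directory server hostname, port and CA file are whatever the caller passes in; none are taken from the article.

```python
import socket
import ssl
from urllib.parse import urlsplit

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"  # StartTLS extended operation, RFC 4511 section 4.14

def _tlv(tag: int, body: bytes) -> bytes:
    """Minimal BER tag-length-value encoder; short-form lengths (< 128) are enough here."""
    if len(body) >= 128:
        raise ValueError("short-form length only")
    return bytes([tag, len(body)]) + body

def build_starttls_request(message_id: int = 1) -> bytes:
    """LDAPMessage { messageID, ExtendedRequest [APPLICATION 23] { requestName [0] OID } }.
    This request and the server's reply cross the wire in cleartext on port 389;
    only traffic after a successful reply is protected, which is the article's point."""
    msg_id = _tlv(0x02, bytes([message_id]))        # INTEGER messageID
    req = _tlv(0x77, _tlv(0x80, STARTTLS_OID))     # 0x77 = [APPLICATION 23] constructed
    return _tlv(0x30, msg_id + req)                # outer SEQUENCE

def parse_extended_response_code(data: bytes) -> int:
    """Return resultCode from an ExtendedResponse [APPLICATION 24]; raise on anything else.
    Assumes short-form BER lengths, which holds for the StartTLS reply."""
    if len(data) < 10 or data[0] != 0x30:
        raise ValueError("not an LDAPMessage")
    pos = 4 + data[3]                               # skip SEQUENCE header and INTEGER messageID
    if data[pos] != 0x78:
        raise ValueError("not an ExtendedResponse (tag 0x%02x)" % data[pos])
    if data[pos + 2] != 0x0A or data[pos + 3] != 1:  # resultCode is ENUMERATED, one byte
        raise ValueError("malformed resultCode")
    return data[pos + 4]

def open_encrypted_ldap(url: str, cafile: str, timeout: float = 5.0) -> ssl.SSLSocket:
    """ldaps://host:636 is wrapped in TLS before any LDAP byte is sent; ldap://host:389 must
    first negotiate StartTLS. Either way the server certificate is verified against cafile."""
    u = urlsplit(url)
    port = u.port or (636 if u.scheme == "ldaps" else 389)
    raw = socket.create_connection((u.hostname, port), timeout=timeout)
    if u.scheme == "ldap":
        raw.sendall(build_starttls_request())
        code = parse_extended_response_code(raw.recv(4096))
        if code != 0:                                # 0 = success; never fall back to plaintext
            raw.close()
            raise ConnectionError("StartTLS refused, resultCode=%d" % code)
    ctx = ssl.create_default_context(cafile=cafile) # verifies chain and hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx.wrap_socket(raw, server_hostname=u.hostname)
```

Calling `open_encrypted_ldap("ldap://dc01.example.test", "/path/to/ca.pem")` (placeholder host and CA path) needs network access to a directory server; the encoder and parser run offline.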