External LDAP authentication with zimbraAuthLdapExternalDn: Difference between revisions

 
(12 intermediate revisions by 2 users not shown)
Line 1: Line 1:
=How to configure external LDAP authentication with zimbraAuthLdapExternalDn=
{{BC|Community Sandbox}}
{{KB|{{Unsupported}}|{{ZCS XXX}}|{{ZCS XXX}}|}}
__FORCETOC__
<div class="col-md-12 ibox-content">
= How to configure external LDAP authentication with zimbraAuthLdapExternalDn=
{{KB|{{ZC}}|{{ZCS 8.6}}|{{ZCS 8.5}}|{{ZCS 8.0}}|}}


<!-- Wiki/Article Body -->
<!-- Wiki/Article Body -->


=== External LDAP authetication ( zimbraAuthLdapExternalDn ) ===
=== External LDAP authentication ( zimbraAuthLdapExternalDn ) ===
----
----


; This article explains how to configure external LDAP athentication (AD or LDAP), using the zimbraAuthLdapExternalDn attribute. 
''More information on how to configure Zimbra with AD can be found: [[https://wiki.zimbra.com/wiki/Configure_authentication_with_Active_Directory  here]]''
: ''More information on how to configure Zimbra with AD can be found: [[https://wiki.zimbra.com/wiki/Configure_authentication_with_Active_Directory  here]]''




Line 14: Line 16:
==== Solution ====
==== Solution ====
----
----
The idea behind this type of authentication is to use a zimbra user that does not exists in AD, but at the same time to be able to login to his WebUI using already existing AD user. 
'''How to steps:'''
1. Create user test@example.com
[[File:Ext1.jpeg]]
With the red we see where to write the bindDN of the account we will use for the setup. More information on the syntax of this value can be found in '''/opt/zimbra/docs/externalldapauth.txt'''. Excerpt from that file:
Account attribute zimbraAuthLdapExternalDn
          Unlike (A) and (B), which are domain settings, this is an account level setting.
          This overrides the bind template and/or search setting, and directly contains the DN for the user in the external ldap server.
      zimbraAuthLdapBindDn and zimbraAuthLdapSearchFilter can contain expansion variables that are to be substituted by components in the account name:
          %n = username with @ (or without, if no @ was specified)
          %u = username with @ removed
          %d = domain as foo.com
          %D = domain as dc=foo,dc=com
          e.g. for user pshao@zimbra.com
          %n => pshao@zimbra.com
          %u => pshao
          %d => zimbra.com
          %D => dc=zimbra,dc=com
      '''example for zimbraAuthLdapBindDn:''' uid=%u,ou=people,%D  (whatever LDAP DIT structure they are using)
----
2. Create a user in AD. We will be using that user for the authentication of user ''test''.
[[File:Ext2.jpeg]]
----
3. View of the AD user from Softerra LDAP browser.
[[File:Ext3.jpeg]]
----
4. After the above steps are completed we can test the configuration by logging with the zimbra user that does not exists in AD. Here is a little excerpt from mailbox.log during the authentication of user ''test'':
2015-09-23 18:10:06,259 DEBUG [qtp1937601231-102:http://127.0.0.1:80/service/soap/AuthRequest] [name=test@azmo.com;oip=192.168.56.1;ua=zclient/8.0.9_GA_6191;] account - auth with explicit  dn of CN=test2,CN=zimbra,DC=azmo,DC=com
2015-09-23 18:10:06,283 DEBUG [qtp1937601231-102:http://127.0.0.1:80/service/soap/AuthRequest] [name=test@azmo.com;oip=192.168.56.1;ua=zclient/8.0.9_GA_6191;] ldap - OPEN_CONN - millis=[23], resp=[0 (success)], usage=[LDAP_AUTH_EXTERNAL], conn=[7], url=[ldap://192.168.56.40:389], connType=[PLAIN], bindDN=[CN=test2,CN=zimbra,DC=azmo,DC=com]
Summary of the logging:
* test@azmo.com - the user we log into WebUI.
* CN=test2,CN=zimbra,DC=azmo,DC=com - the user we use to bind to, when authenticating against AD
* 192.168.56.40 - AD server
----
{{Article Footer|Zimbra Collaboration 8.6, 8.5, 8.0| 31/05/2016}}
{{NeedSME|SME1|SME2|COPY EDITOR}}

Latest revision as of 09:35, 18 October 2016

How to configure external LDAP authentication with zimbraAuthLdapExternalDn

   KB 22350        Last updated on 2016-10-18  




5.00
(one vote)


External LDAP authentication ( zimbraAuthLdapExternalDn )


More information on how to configure Zimbra with AD can be found: [here]


Solution


The idea behind this type of authentication is to use a zimbra user that does not exists in AD, but at the same time to be able to login to his WebUI using already existing AD user.

How to steps:

1. Create user test@example.com

Ext1.jpeg


With the red we see where to write the bindDN of the account we will use for the setup. More information on the syntax of this value can be found in /opt/zimbra/docs/externalldapauth.txt. Excerpt from that file:

Account attribute zimbraAuthLdapExternalDn
         Unlike (A) and (B), which are domain settings, this is an account level setting.
         This overrides the bind template and/or search setting, and directly contains the DN for the user in the external ldap server.
     zimbraAuthLdapBindDn and zimbraAuthLdapSearchFilter can contain expansion variables that are to be substituted by components in the account name:
         %n = username with @ (or without, if no @ was specified)
         %u = username with @ removed
         %d = domain as foo.com
         %D = domain as dc=foo,dc=com
         e.g. for user pshao@zimbra.com
         %n => pshao@zimbra.com
         %u => pshao
         %d => zimbra.com
         %D => dc=zimbra,dc=com
     example for zimbraAuthLdapBindDn: uid=%u,ou=people,%D  (whatever LDAP DIT structure they are using)



2. Create a user in AD. We will be using that user for the authentication of user test.

Ext2.jpeg



3. View of the AD user from Softerra LDAP browser.

Ext3.jpeg



4. After the above steps are completed we can test the configuration by logging with the zimbra user that does not exists in AD. Here is a little excerpt from mailbox.log during the authentication of user test:

2015-09-23 18:10:06,259 DEBUG [qtp1937601231-102:http://127.0.0.1:80/service/soap/AuthRequest] [name=test@azmo.com;oip=192.168.56.1;ua=zclient/8.0.9_GA_6191;] account - auth with explicit   dn of CN=test2,CN=zimbra,DC=azmo,DC=com
2015-09-23 18:10:06,283 DEBUG [qtp1937601231-102:http://127.0.0.1:80/service/soap/AuthRequest] [name=test@azmo.com;oip=192.168.56.1;ua=zclient/8.0.9_GA_6191;] ldap - OPEN_CONN - millis=[23], resp=[0 (success)], usage=[LDAP_AUTH_EXTERNAL], conn=[7], url=[ldap://192.168.56.40:389], connType=[PLAIN], bindDN=[CN=test2,CN=zimbra,DC=azmo,DC=com]

Summary of the logging:

  • test@azmo.com - the user we log into WebUI.
  • CN=test2,CN=zimbra,DC=azmo,DC=com - the user we use to bind to, when authenticating against AD
  • 192.168.56.40 - AD server

Verified Against: Zimbra Collaboration 8.6, 8.5, 8.0 Date Created: 31/05/2016
Article ID: https://wiki.zimbra.com/index.php?title=External_LDAP_authentication_with_zimbraAuthLdapExternalDn Date Modified: 2016-10-18



Try Zimbra

Try Zimbra Collaboration with a 60-day free trial.
Get it now »

Want to get involved?

You can contribute in the Community, Wiki, Code, or development of Zimlets.
Find out more. »

Looking for a Video?

Visit our YouTube channel to get the latest webinars, technology news, product overviews, and so much more.
Go to the YouTube channel »


Wiki/KB reviewed by SME1 SME2 COPY EDITOR Last edit by Teodor Vizirov
Jump to: navigation, search