Zimbra permits the use of external LDAP servers per domain for end user authentication. Zimbra user accounts are mapped to LDAP accounts on an external host using an LDAP query filter. Though it is always a good idea to use an LDAP search base, it may not be required by your LDAP server.
Zimbra will use an LDAP query filter to map user accounts to entries on the external LDAP server. For example, Zimbra user firstname.lastname@example.org might be mapped to an entry in the external LDAP server having a uid attribute value of 'usera', mail attribute of 'email@example.com' and an objectClass of 'OrganizationalPerson'. Only a single unique attribute is required to successfully map Zimbra accounts.
To set the LDAP query filter, you will need a substitution variable and an attribute on the external LDAP server to search. The substitution variable is obtained from the 'Username' box on the user login page. Possible substitution variables are (e.g., firstname.lastname@example.org):
- %n = username with @ symbol - returns 'email@example.com'
- %u = username without the @ - returns 'usera'
- %d = domain - returns 'domain.com'
- %D = domain as dc=domain,dc=com - this is a common format for directories such as Active Directory and OpenLDAP
Possible filters for OpenLDAP
- (uid=%u) - The user has a uid attribute value in the external directory equal to the user portion of the Zimbra user account.
- (uid=%n) - Entire Zimbra user account is used to identify user in the external directory.
- (&(cn=%u)(objectClass=OrganizationalPerson)) - The user has a cn attribute value in the directory equal to the user portion of the Zimbra account and has an objectClass value of 'OrganizationalPerson'.
Possible filters for Active Directory
- (samAccountName=%u) - The user has a samAccountName attribute value in AD equal to the user portion of the Zimbra user account.
- (userPrincipalName=%n) - The user has a userPrincipal attribute value in AD equal to the entire Zimbra user account.
LDAP search base
The search bases tells the Zimbra server which part of the external directory tree to search. Think of the search base as the "top" of the directory for your LDAP users although it may not always the top of the directory itself. The search base may be something equivalent to the organization, group, or domain name (AD) of external directory.
- o=corp - Exchange 5.5
- o=corp,c=us - Lotus Domino
- dc=domain,dc=com - Active Directory, OpenLDAP
- ou=Mail Users,dc=domain,dc=com - Active Directory restricting to "Mail Users" organizational unit
LDAP bind DN
Configuring external LDAP authentication
In in the "Configuration" section of the administration console.
- Expand "Domains" and select the domain for which to configure authentication.
- Click "Configure Authentication" to initiate the Authentication Configuration Wizard.
- Select "External LDAP" for "Authentication Mechanism". Click "Next".
- In the LDAP URL box, type the fully qualified hostname (FQDN) or IP address of the external LDAP server. Specify the LDAP port if required (default 389). Check "Use SSL" if the external LDAP server is configured for LDAP over SSL (LDAPS).
- Specify the query filter in the "LDAP filter" box.
- Specify the search base in the "LDAP search base" box. Click "Next".
- If the external LDAP server allows anonymous queries to the directory, click "Next" and skip to step 10. Otherwise, check the box for "Use DN/Password to bind to external server".
- In the "Bind DN" box, specify the distinguished name of a user with search permissions on the directory.
- Enter the bind password in the "Bind password" and "Confirm bind password" boxes. Click "Next".
- Review and confirm the authentication settings, then test the configuration by supplying a username and password in the boxes provided.
The easiest way to do LDAP authentication from a 3rd party application is to simply "bind" as the user intended.
Most applications do this by using a search, finding the valid user credentials and then binding as that specific user. Therefore the application doing the authentication needs to bind to the system first to do that search.
See LDAP Apache as a simple example