External Authentication with LDAP

Requires one of the following:
1) set
Set domain attribute zimbraAuthMech to ldap.
zimbraAuthLdapSearchBindPassword => bind DN of the admin user of the external directory
zimbraAuthLdapSearchBindDn => password of the admin user of the external directory
zimbraAuthLdapSearchBase (optional, if not set "" will be used).
Three things are needed for auth to the external LDAP server:
- URL of the LDAP server: zimbraAuthLdapURL
- password entered by user
- the bind DN for the user, this can be setup using one of the following 3 ways. (A) is preferred over (B) because (C) does an extra LDAP search.

(A) zimbraAuthLdapBindDn
This is the bind DN template

(B) zimbraAuthLdapSearchFilter
If set, then zimbraAuthLdapSearchBindPassword, zimbraAuthLdapSearchBindDn, and zimbraAuthLdapSearchBase also need to be set.
Server uses the four attrs to get the bind DN for the user.
Server first does a LDAP search using the zimbraAuthLdapSearchBindDn/zimbraAuthLdapSearchBindPassword credential by zimbraAuthLdapSearchFilter under zimbraAuthLdapSearchBase. The search would return the bind DN for the user, if found.
example for zimbraAuthLdapSearchFilter: (&(mail=%u@%d)(objectclass=person)) (whatever object class they are using)

(C) Account attribute zimbraAuthLdapExternalDn
Unlike (A) and (B), which are domain settings, this is an account level setting. This overrides the bind template and/or search setting, and directly contains the DN for the user in the external ldap server.


2) set
Set domain attribute zimbraAuthMech to ldap.
zimbraAuthLdapBindDn to the template filter for the user in the external directory.
For example, if the user exists at uid=jsmith,cn=users,dc=zimbra,dc=com , set zimbraAuthLdapBindDn on the domain to: uid=%u,cn=users,dc=zimbra,dc=com
Another example uid=%u,ou=people,%D (whatever LDAP DIT structure they are using)

zimbraAuthLdapBindDn and zimbraAuthLdapSearchFilter can contain expansion variables that are to be substituted by components in the account name:
%n = username with @ (or without, if no @ was specified)
%u = username with @ removed
%d = domain as
%D = domain as dc=foo,dc=com

e.g. for user
%n =>
%u => rking
%d =>
%D => dc=zimbra,dc=com

example for zimbraAuthLdapBindDn: uid=%u,ou=people,%D (whatever LDAP DIT structure they are using)

External Authentication Errors

525 - user not found
52e - invalid credentials
530 - not permitted to logon at this time
532 - password expired
533 - account disabled
701 - account expired
773 - user must reset password
775 - user account locked

Example in the /opt/zimbra/log/mailbox.log file:

Caused by: javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 52e, vece^@]
        at com.sun.jndi.ldap.LdapCtx.mapErrorCode(
        at com.sun.jndi.ldap.LdapCtx.processReturnCode(
        at com.sun.jndi.ldap.LdapCtx.processReturnCode(
        at com.sun.jndi.ldap.LdapCtx.connect(
        at com.sun.jndi.ldap.LdapCtx.<init>(
        at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(
        at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(

Notable bugs:

More articles written by me,

Jump to: navigation, search