Zimbra Collaboration Suite 7.0
Zimbra Collaboration Suite 7.0
Administrator's Guide
Open Source Edition


Zimbra Directory Service > External LDAP and External Active Directory Authentication Mechanism

External LDAP and External Active Directory Authentication Mechanism
Unlike the internal authentication mechanism, the external authentication mechanism attempts to bind to the directory server using the supplied user name and password. If this bind succeeds, the connection is closed and the password is considered valid.
Two additional domain attributes are required for the external mechanism: zimbraAuthLdapURL and zimbraAuthLdapBindDn.
zimbraAuthLdapURL Attribute and SSL
The zimbraAuthLdapURL attribute contains the URL of the Active Directory server to bind to. This should be in the form:
ldap://ldapserver:port/
where ldapserver is the IP address or host name of the Active Directory server, and port is the port number. You can also use the fully qualified host name instead of the port number.
Examples include:
ldap://server1:3268
ldap://exch1.acme.com
For SSL connection, use ldaps: instead of ldap:. If the SSL version is used, the SSL certificate used by the server must be configured as a trusted certificate.
zimbraAuthLdapBindDn Attribute
The zimbraAuthLdapBindDn attribute is a format string used to determine which user name to use when binding to the Active Directory server.
During the authentication process, the user name starts out in the format:
user@domain.com
The user name may need to be transformed into a valid LDAP bind dn (distinguished name). In the case of Active Directory, that bind dn might be in a different domain.
zimbraAuthFallbackToLocal Attribute
The zimbraAuthFallbackToLocal attribute can be enabled so that the system falls back to the ZCS local authentication if external authentication fails. The default is FALSE.