ZCS Administrator Guide 8.0
Open Source Edition



External LDAP and External Active Directory Authentication Mechanism
External LDAP and external Active Directory authentication can be used if the email environment uses another LDAP server or Microsoft Active Directory for authentication and Zimbra-LDAP for all other VMware Zimbra Collaboration Server-related transactions. This requires that users exist in both OpenLDAP and in the external LDAP server.
The external authentication methods attempt to bind to the specified LDAP server using the supplied user name and password. If this bind succeeds, the connection is closed and the password is considered valid.
The zimbraAuthLdapURL and zimbraAuthLdapBindDn attributes are required for external authentication.
* The zimbraAuthLdapURL attribute has the form ldap://ldapserver:port/, where ldapserver is the IP address or host name of the external directory server and port is the port number. You can also use the fully qualified host name instead of the port number.
For example:
ldap://server1:3268
ldap://exch1.acme.com
If it is an SSL connection, use ldaps: instead of ldap:. The SSL certificate used by the server must be configured as a trusted certificate.
* The zimbraAuthLdapBindDn attribute is a format string used to determine which DN to use when binding to the external directory server.
During the authentication process, the user name starts out in the format:
user@domain.com
The user name might need to be transformed into a valid LDAP bind DN (distinguished name) in the external directory. In the case of Active Directory, that bind DN might be in a different domain.
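An added example, not Zimbra's own code: it expands a zimbraAuthLdapBindDn format string for a login of the form user@domain.com, escapes the substituted values for use in a DN, and refuses an empty password before any bind is attempted. The %n, %u, %d and %D placeholders are assumed from Zimbra's documentation of this attribute (they are not listed in this section); the function names, template and sample values are constructed.

```python
import re

def escape_dn_value(value):
    """Escape a string for use inside an RDN value (RFC 4514 hex escapes)."""
    last = len(value) - 1
    out = []
    for i, ch in enumerate(value):
        special = ch in ',+"\\<>;=\x00'
        edge = (i == 0 and ch in "# ") or (i == last and ch == " ")
        out.append("\\%02x" % ord(ch) if special or edge else ch)
    return "".join(out)

def expand_bind_dn(template, login, default_domain):
    """Expand the bind DN format string for a login such as user@domain.com.

    Placeholders are assumed from Zimbra's documentation of this attribute:
    %n login as typed, %u local part, %d domain, %D domain as dc= components.
    """
    user, sep, domain = login.partition("@")
    domain = domain if sep else default_domain
    labels = domain.split(".")
    if not user or not all(labels):
        raise ValueError("login needs a user part and a well-formed domain")
    values = {
        "n": escape_dn_value(login),
        "u": escape_dn_value(user),
        "d": escape_dn_value(domain),
        "D": ",".join("dc=" + escape_dn_value(p) for p in labels),
    }
    return re.sub(r"%([nudD])", lambda m: values[m.group(1)], template)

def prepare_bind(url, template, login, password, default_domain):
    """Return (url, bind_dn) for the simple bind, or raise ValueError."""
    if not re.fullmatch(r"ldaps?://[^/\s]+/?", url):
        raise ValueError("zimbraAuthLdapURL must be an ldap:// or ldaps:// URL")
    if not password:
        # An empty password turns a simple bind into an unauthenticated bind
        # (RFC 4513 section 5.1.2), which a server may accept as "success".
        raise ValueError("empty password rejected before bind")
    return url, expand_bind_dn(template, login, default_domain)

if __name__ == "__main__":
    # Constructed values; the template and OU are illustrative only.
    print(prepare_bind("ldap://server1:3268", "uid=%u,ou=people,%D",
                       "user@domain.com", "s3cret", "domain.com"))
```

Because a successful bind is the only evidence that the password is valid, the empty-password check has to run before the bind, whatever LDAP client library performs it.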
Copyright © 2012 VMware Inc.