Zimbra offers Open Source email server software and shared calendar for Linux and the Mac
Go Back   Zimbra :: Forums > Zimbra Collaboration Suite > Administrators
Reload this Page External auth / order of authentication process

Welcome to the Zimbra :: Forums!
Welcome, if you would like to post a comment please register. We also encourage you to explore all things Zimbra with our team and members of the community.

Reply
 
LinkBack Thread Tools Search this Thread Display Modes
  #1 (permalink)  
Old 05-15-2008, 11:35 PM
Intermediate Member
  
Posts: 16
Default External auth / order of authentication process
Hello!

If Zimbra is configured with external ldap authentication provider (we authenticate against our AD), the external authentication provider is tried first when authenticating user. The user is able to log in using the external password, and set a password for zimbra account (as we don't provision passwords in zimbra for new users), and they are instructed to use the zimbra internal password when using external mail/calendar clients, as they are not allowed to save the AD domain password on home computers etc.

This authentication provider processing goes on wrong order however. Every time a user logs on using zimbra password, the external password is tried first, and if the user does several logons within short period (like having several calendars subscribed on caldav client), the AD account gets locked. And after that the user cannot log in at all until the account is unlocked. If the process worked the other way, there would be no problem (we could disable account lockout on zimbra, but will not do it for AD; or the zimbra could count only totally failed logins for account lockout counter).

Is there a way to set the authentication process go other way around, or are we the only one suffering from this?

- J
Reply With Quote
  #2 (permalink)  
Old 05-17-2008, 10:40 PM
Intermediate Member
  
Posts: 16
Default
Hmm... seems like this is an uncommon scenario. I just noticed the bug #6353, and if this modification will be implemented, the whole scenario will be rendered impossible.

When considering a solution to that bug, please take into account that some might want to keep both internal and external password for users.

I'd suggest that the bug #6353 would be solved in a way that leaves a possibility for the administrator to decide the behavior. Like, a two or three checkboxes in COS/whatever-is-appropriate configuration:
- enable/disable logins using zimbra internal authentication
- enable/disable change password in user options
- change password changes only internal / both internal and external password

Also, the suggested bug fix would require all users to be in external database, which is currently not the case for us. We keep regular users in AD, but administrative and some special accounts are in Zimbra only.

- J
Reply With Quote
  #3 (permalink)  
Old 05-17-2008, 11:26 PM
Zimbra Consultant & Moderator
  
Posts: 20,312
Default
If you wish to make a comment or suggestions for that bug you should create an account on bugzilla and add your comments to the bug report. The forums is not the place for adding bug information, it needs to be where the developers will see it.
__________________
Regards


Bill
Reply With Quote
  #4 (permalink)  
Old 05-18-2008, 12:55 AM
Intermediate Member
  
Posts: 16
Default
Thanks, phoenix. I did comment the bug now.
Reply With Quote
Reply

« Previous Thread | Today's Posts or Week's Posts | Next Thread »

Thread Tools Search this Thread
Search this Thread:

Advanced Search
Display Modes
Linear Mode Linear Mode


Similar Threads

Product Information

Why Join?

Registering let's you ask questions, makes it easier to search, displays any files attached to posts, and notifies you about replies.

blog.zimbra.com


Home - Blog - Contact Us - Archive - Top


 

SEO by vBSEO ©2011, Crawlability, Inc.