Thread: External auth / order of authentication process

  1. #1
    joukom is offline Intermediate Member

    External auth / order of authentication process

    Hello!

    If Zimbra is configured with an external LDAP authentication provider (we authenticate against our AD), the external authentication provider is tried first when authenticating a user. The user is able to log in using the external password and set a password for the Zimbra account (as we don't provision passwords in Zimbra for new users), and they are instructed to use the Zimbra internal password when using external mail/calendar clients, as they are not allowed to save the AD domain password on home computers etc.

    This authentication provider processing goes in the wrong order, however. Every time a user logs on using the Zimbra password, the external password is tried first, and if the user does several logons within a short period (like having several calendars subscribed on a CalDAV client), the AD account gets locked. And after that the user cannot log in at all until the account is unlocked. If the process worked the other way, there would be no problem (we could disable account lockout on Zimbra, but will not do it for AD; or Zimbra could count only totally failed logins for the account lockout counter).

    Is there a way to make the authentication process go the other way around, or are we the only ones suffering from this?

    - J
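
A small Python model of the ordering problem described in post #1, added here as an illustration and not taken from Zimbra, AD or the thread. The provider names, passwords and the lockout threshold of 5 are constructed assumptions, and only the AD-side bad-password counter is modelled.

```python
from dataclasses import dataclass
from typing import Optional

AD_LOCKOUT_THRESHOLD = 5  # assumed value; the thread does not state the AD policy


@dataclass
class Provider:
    name: str
    password: str                    # constructed sample secret
    threshold: Optional[int] = None  # None = no lockout policy on this provider
    failures: int = 0

    @property
    def locked(self) -> bool:
        return self.threshold is not None and self.failures >= self.threshold

    def check(self, supplied: str) -> bool:
        if self.locked:              # a locked account rejects even the right password
            return False
        if supplied == self.password:
            self.failures = 0
            return True
        self.failures += 1           # every miss counts, even if a later provider accepts
        return False


def login(chain, supplied: str) -> bool:
    """Fallback chain: providers are tried in order, first success wins."""
    return any(p.check(supplied) for p in chain)


def simulate(order: str, attempts: int = 10) -> dict:
    ad = Provider("external-AD", "ad-secret", AD_LOCKOUT_THRESHOLD)
    zimbra = Provider("zimbra-internal", "zimbra-secret")
    chain = [ad, zimbra] if order == "external-first" else [zimbra, ad]
    # A calendar client polling several subscriptions with the internal password.
    for _ in range(attempts):
        login(chain, "zimbra-secret")
    failures, locked = ad.failures, ad.locked
    # Afterwards the user tries to sign in with the AD password.
    return {"ad_failures": failures, "ad_locked": locked,
            "ad_login_ok": login(chain, "ad-secret"),
            "internal_failures": zimbra.failures}


if __name__ == "__main__":
    for order in ("external-first", "internal-first"):
        print(order, simulate(order))
```

With the internal provider first, the AD counter is never touched by internal-password logins, but each AD-password login then records one miss on the internal provider, which is the lockout-counting trade-off the post mentions.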

  2. #2
    joukom is offline Intermediate Member

    Hmm... seems like this is an uncommon scenario. I just noticed bug #6353, and if this modification is implemented, the whole scenario will be rendered impossible.

    When considering a solution to that bug, please take into account that some might want to keep both internal and external passwords for users.

    I'd suggest that bug #6353 be solved in a way that leaves a possibility for the administrator to decide the behavior. Like two or three checkboxes in COS/whatever-is-appropriate configuration:
    - enable/disable logins using Zimbra internal authentication
    - enable/disable change password in user options
    - change password changes only internal / both internal and external password

    Also, the suggested bug fix would require all users to be in the external database, which is currently not the case for us. We keep regular users in AD, but administrative and some special accounts are in Zimbra only.

    - J

  3. #3
    phoenix is offline Zimbra Consultant & Moderator

    If you wish to make a comment or suggestions for that bug, you should create an account on Bugzilla and add your comments to the bug report. The forums are not the place for adding bug information; it needs to be where the developers will see it.
    Regards


    Bill



  4. #4
    joukom is offline Intermediate Member

    Thanks, phoenix. I did comment on the bug now.
