Zimbra internal and external LDAP authorization

[snpz]

Hi folks!
This is my first thread about zimbra.
My situation: I created Samba + OpenLDAP domain - everything works! Log in domain works, can change password from windows and all the usual NT4 domain features works. Than there is one more samba file server, that authorizes to this External LDAP! Everything's cool, but! My pain is Zimbra server (on DMZ port) that authorizes internally. Right now i would like to change this Zimbra authorization to this External LDAP and there is an option to configure it in admin console, so no problem, but... will Zimbra work on selected domain using External LDAP and internal authorization at the same time? I ask this thing because i have to migrate ~50 users from local authorization to domain and it is going to take more than a couple of hours, but people need their e-mail an stuff. Maybe I'm thinking wrong and someone has other ideas how to manage this trick?
Sorry for my poor English!
Regards,
Martins
P.S.Zimbra Version 5.0.11_GA_2695.SLES10_64.FOSS Nov 17, 2008

[phoenix]

Welcome to the forums.

Normally Zimbra will only use one server for authentication unless you have the following set:

Code:

su - zimbra
zmprov md domain.com zimbraAuthFallbackToLocal TRUE

That will allow you to migrate users to your external LDAP as you need. Do note that currently there is no synchronisation between external and internal authentication mechanisms (there is an RFE in bugzilla for it for passwords. It will also mean that if your external LDAP is unavailable your users will still be able to login to their email.

[snpz]

Thanks for quick response!
One more missunderstanding i have: as far as i understand this option u mentioned will allow to login into e-mail accounts using both - LDAP and internal authozitation methods at the same time, right? If i migrate authorization to external LDAP to users, than how i gonna be able to link that user1@mydomain.com authorized internally right now is the same user1@mydomain.com with same IMAP box, but right now authorized to external LDAP?!
Sorry, if it is too stupid question , but i didn't find this information in none of the topics and i really need to be sure about all the topics i'm interested in before i start to migrate.

[phoenix]

No, that's not quite how the authentication works. You can only authenticate against the internal LDAP or an external LDAP, the option I've given you will allow you to use an external LDAP and if the user doesn't exist there (or the external becomes unavailable for some reason) then it will 'fallback' to using the internal LDAP for authentication. If you want to migrate your users to an external LDAP then you will have to create the user in that LDAP, is that what you were asking and have I understood your question correctly?

[snpz]

Ok, about an option (zmprov md domain.com zimbraAuthFallbackToLocal TRUE) u mentioned i understood.
About migration - i have made all users in my external LDAP and i have zimbra internal LDAP. On the supposition that i added zimbra to external LDAP, how can i tell zimbra that user1@mydomain.com in internal LDAP with all mailbox is the same as user user1@mydomain.com in external LDAP? How will it recognise users with their mailboxes?

[phoenix]

If you create user1@mydomain.com with a password and point the Zimbra Authentication (in the Admin UI) at that external LDAP server they will be able to access their email - the user will also need to be provisioned in Zimbra as user1@mydomain.com. Does that answer your question?

[snpz]

Quote:

Originally Posted by phoenix

If you create user1@mydomain.com with a password and point the Zimbra Authentication (in the Admin UI) at that external LDAP server they will be able to access their email - the user will also need to be provisioned in Zimbra as user1@mydomain.com. Does that answer your question?

Actually it doesnt (or i just don't understand)! I will try to explain what i need:
External LDAP - already works, domain users created as well! Domain username is just surname (Domain\Surname).
Internal Zimbra LDAP - e-mail users, created as name.surname@mydomain.lv (picture in attachment)
If i point authorization to External LDAP, should i make External LDAP user (Domain\name.surname) the same as zimbra internal LDAP (name.surname)?

[phoenix]

Quote:

Originally Posted by snpz

If i point authorization to External LDAP, should i make External LDAP user (Domain\name.surname) the same as zimbra internal LDAP (name.surname)?

Yes, you should. I thought that's what I had said in my previous reply - the username & domain name for logging in must be the same in your external LDAP and your internal LDAP.

[snpz]

Hehehe! My misunderstanding than! Sorry!
Ok, tomorrow I will modify some test users, make some FW rules and try to add zimbra to this External LDAP. I will report about success
Thanks for your advice and patience

[babel]

Sorry

How to synchronize External Ldap with Internal Ldap ?