
Thread: Zimbra internal and external LDAP authorization

  1. #1
    snpz (Intermediate Member)

    Hi folks!
    This is my first thread about Zimbra.
    My situation: I created a Samba + OpenLDAP domain - everything works! Logging in to the domain works, I can change the password from Windows, and all the usual NT4 domain features work. Then there is one more Samba file server that authorizes against this external LDAP! Everything's cool, but! My pain is the Zimbra server (on the DMZ port) that authorizes internally. Right now I would like to change this Zimbra authorization to this external LDAP, and there is an option to configure it in the admin console, so no problem, but... will Zimbra work on the selected domain using external LDAP and internal authorization at the same time? I ask this because I have to migrate ~50 users from local authorization to the domain and it is going to take more than a couple of hours, but people need their e-mail and stuff. Maybe I'm thinking wrong and someone has other ideas how to manage this trick?
    Sorry for my poor English!
    Regards,
    Martins
    P.S. Zimbra Version 5.0.11_GA_2695.SLES10_64.FOSS Nov 17, 2008

  2. #2
    phoenix (Zimbra Consultant & Moderator)

    Welcome to the forums.

    Normally Zimbra will only use one server for authentication unless you have the following set:

    Code:
    su - zimbra
    zmprov md domain.com zimbraAuthFallbackToLocal TRUE

    That will allow you to migrate users to your external LDAP as you need. Do note that currently there is no synchronisation between external and internal authentication mechanisms (there is an RFE in Bugzilla for it for passwords). It will also mean that if your external LDAP is unavailable, your users will still be able to log in to their email.
    Last edited by phoenix; 10-06-2009 at 06:47 AM.
    Regards
    Bill

    Acompli: A new adventure for Co-Founder KevinH.

  3. #3
    snpz (Intermediate Member)

    Thanks for the quick response!
    One more misunderstanding I have: as far as I understand, this option you mentioned will allow logging in to e-mail accounts using both LDAP and internal authorization methods at the same time, right? If I migrate authorization to external LDAP for the users, then how am I going to be able to link that user1@mydomain.com, authorized internally right now, is the same user1@mydomain.com with the same IMAP box, but now authorized against external LDAP?!
    Sorry if it is too stupid a question, but I didn't find this information in any of the topics, and I really need to be sure about all the topics I'm interested in before I start to migrate.

  4. #4
    phoenix (Zimbra Consultant & Moderator)

    No, that's not quite how the authentication works. You can only authenticate against the internal LDAP or an external LDAP, the option I've given you will allow you to use an external LDAP and if the user doesn't exist there (or the external becomes unavailable for some reason) then it will 'fallback' to using the internal LDAP for authentication. If you want to migrate your users to an external LDAP then you will have to create the user in that LDAP, is that what you were asking and have I understood your question correctly?
    Regards
    Bill

  5. #5
    snpz (Intermediate Member)

    OK, I understood the option you mentioned (zmprov md domain.com zimbraAuthFallbackToLocal TRUE).
    About migration - I have created all users in my external LDAP and I have the Zimbra internal LDAP. Supposing that I added Zimbra to the external LDAP, how can I tell Zimbra that user1@mydomain.com in the internal LDAP, with its whole mailbox, is the same as user user1@mydomain.com in the external LDAP? How will it recognise users with their mailboxes?

  6. #6
    phoenix (Zimbra Consultant & Moderator)

    If you create user1@mydomain.com with a password and point the Zimbra Authentication (in the Admin UI) at that external LDAP server they will be able to access their email - the user will also need to be provisioned in Zimbra as user1@mydomain.com. Does that answer your question?
    Regards
    Bill

  7. #7
    snpz (Intermediate Member)

    Quote (originally posted by phoenix):
    If you create user1@mydomain.com with a password and point the Zimbra Authentication (in the Admin UI) at that external LDAP server they will be able to access their email - the user will also need to be provisioned in Zimbra as user1@mydomain.com. Does that answer your question?

    Actually it doesn't (or I just don't understand)! I will try to explain what I need:
    External LDAP - already works, domain users created as well! Domain username is just the surname (Domain\Surname).
    Internal Zimbra LDAP - e-mail users, created as name.surname@mydomain.lv (picture in attachment)
    If I point authorization to the external LDAP, should I make the external LDAP user (Domain\name.surname) the same as the Zimbra internal LDAP one (name.surname)?

  8. #8
    phoenix (Zimbra Consultant & Moderator)

    Quote (originally posted by snpz):
    If I point authorization to the external LDAP, should I make the external LDAP user (Domain\name.surname) the same as the Zimbra internal LDAP one (name.surname)?

    Yes, you should. I thought that's what I had said in my previous reply - the username & domain name for logging in must be the same in your external LDAP and your internal LDAP.
    Last edited by phoenix; 03-31-2009 at 08:25 AM.
    Regards
    Bill
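
A pre-migration check for the username-matching requirement in the replies above, as an added example that is not part of the original thread: it lists mailboxes with no same-named entry in the external directory (these can only log in through zimbraAuthFallbackToLocal, with their internal Zimbra password) and external entries with no mailbox. The account names, DNs and the mapping of the Zimbra local part to the external uid are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example; account names, DNs and the uid mapping are constructed.
# Assumption: the external login name is the local part of the Zimbra
# address (name.surname@mydomain.lv -> uid name.surname), compared
# case-insensitively.

# stdin: one address per line, the format `zmprov -l gaa <domain>` prints.
zimbra_logins() {
    sed -e 's/@.*$//' -e '/^$/d' | tr '[:upper:]' '[:lower:]' | LC_ALL=C sort -u
}

# stdin: LDIF, e.g. from an `ldapsearch -LLL` query that returns uid.
ldap_logins() {
    sed -n 's/^uid: //p' | tr '[:upper:]' '[:lower:]' | LC_ALL=C sort -u
}

# $1 selects the set: -23 mailbox without external entry (fallback only),
#                     -13 external entry without mailbox,
#                     -12 present in both (external LDAP decides the login).
# $2 = file of Zimbra addresses, $3 = LDIF file.
compare_logins() {
    z=$(mktemp); l=$(mktemp)
    zimbra_logins < "$2" > "$z"
    ldap_logins   < "$3" > "$l"
    LC_ALL=C comm "$1" "$z" "$l"
    rm -f "$z" "$l"
}

# Constructed sample data: one user still named by surname only.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/zimbra.txt" <<'EOF'
janis.berzins@mydomain.lv
anna.kalnina@mydomain.lv
Peteris.Ozols@mydomain.lv
admin@mydomain.lv
EOF
cat > "$SAMPLE_DIR/ldap.ldif" <<'EOF'
dn: uid=janis.berzins,ou=People,dc=example,dc=lv
uid: janis.berzins

dn: uid=kalnina,ou=People,dc=example,dc=lv
uid: kalnina

dn: uid=peteris.ozols,ou=People,dc=example,dc=lv
uid: peteris.ozols
EOF

echo "Local password only (fallback):"
compare_logins -23 "$SAMPLE_DIR/zimbra.txt" "$SAMPLE_DIR/ldap.ldif"
echo "External entry, no matching mailbox:"
compare_logins -13 "$SAMPLE_DIR/zimbra.txt" "$SAMPLE_DIR/ldap.ldif"
```

On a live system the two input files would come from `zmprov -l gaa` for the domain and an `ldapsearch -LLL` query against the external directory.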

  9. #9
    snpz (Intermediate Member)

    Hehehe! My misunderstanding then! Sorry!
    OK, tomorrow I will modify some test users, make some FW rules and try to add Zimbra to this external LDAP. I will report about success.
    Thanks for your advice and patience.

  10. #10
    babel (Intermediate Member)

    Sorry

    How to synchronize external LDAP with internal LDAP?
