Account Name different from Active Directory Username

[Jason Hung]

Quick question:

How would you configure AD to authenticate with a different Zimbra account name? For example: jason.hung@domain.com (Zimbra account) and jhung (Active Directory account). For now, we have been using internal authentication since we haven't figured out how to link the two. We don't want to use jhung@domain.com as the primary email; we want to use jason.hung@domain.com with jhung as the AD Login.

Can I bind LDAP to the email address listed in AD for the user? Is there a better way to keep the email address first.last@domain.com?

Thanks.

[Picchioni]

Hey Jason,
I'm wondering if you ever figured out how to make this work. I'm in the same boat you are.

[Jason Hung]

Actually, I did! I will post my results here in a minute. You can even login with an alias as long as the email address for the user is the same as the main email address for the user. To get this to work properly, the email attribute in Active Directory must be exactly like how your main email address is presented.

[Picchioni]

Awesome!
Thanks

[Jason Hung]

Authentication mechanism: External LDAP
LDAP bind DN template: %u@ad.YOURDOMAINNAME.com
LDAP URL: ldap://ad.YOURDOMAINNAME.com:389
Enable StartTLS
LDAP filter: (|(samAccountName=%u) (mail=%u@YOURDOMAINNAME.com)(mail=%n))
LDAP search base: dc=ad,dc=YOURDOMAINNAME,dc=com
Use DN/Password to bind to external server: Yes
cn=ZimbraUser,cn=Users,dc=ad,dc=YOURDOMAINNAME,dc= com

[Picchioni]

Oh great. I'll have to try this in a few minutes. I'm assuming you're also running a script that syncs zimbra with AD?

[Jason Hung]

Sort of... we have an activation webpage where they "subscribe" to their email account. It's connected to our payroll/HR system and they generate their AD and email account at the same time. We use the SOAP API using Ruby on Rails, as well as our Payroll system's SOAP service and LDAP libraries.

If you want to see a demo of how we do it, send me a PM, and I'll send you a link to our system.

[mario]

Quote:

Originally Posted by Jason Hung

Quick question:

How would you configure AD to authenticate with a different Zimbra account name? For example: jason.hung@domain.com (Zimbra account) and jhung (Active Directory account). For now, we have been using internal authentication since we haven't figured out how to link the two. We don't want to use jhung@domain.com as the primary email; we want to use jason.hung@domain.com with jhung as the AD Login.

Can I bind LDAP to the email address listed in AD for the user? Is there a better way to keep the email address first.last@domain.com?

Thanks.

I have same problem, only difference the external is OpenLdap.
Can you explain how it works for you and where the patch has to be applied?

Mario

[lk2oo3]

Hi Jason

hope you read this..

I opened a new thread for a similar question
(Account Name different from Active Directory Username, 2nd)

I found very intreasting your solution,
but what it made me spend a lot of time is that often I made test enabling startls option in the authentication wizard:
the only way I found to let zimbra 6.05 authenticate on win2008 server,
was to disable startls in the wizard.

So I ask you:

in #5 "Enable StartTLS" was an error in writing your solution or, really enabled StarTLS option?

Finally,
if you really use "Enable StartTLS", do you configured something other in particular on windows server / zimbra ?

Thanx in advance for any suggestion, bye, Luca.