I guess this may end up as a request for enchancement, but I wanted to bounce it around here first.
In my opinion it would be very usefull for each domain to have two authentication methods, one for the user side and one for the administrator side. In our enviornment we use one time password cards for administrator types, at least when it comes to using their admin privs.
To mimic that behaviour, I can certainly point the authentication for a domain to an LDAP server that forces those with one time passwords to use their one time passwords and those without to use their normal passwords. The problem is that doing so would basically mean that administrators could never use mobile devices because the burden of typing in their one time passwords whenever the device tries to sync would be a killer, and IMAP/Outlook connections would not be far behind in the hassle level.
Ideally there would be a separate configuration screen for admin authentication for each domain, just like the configure authentication screen currently applying to all users.
As a hack, I could place an htaccess around the admin interface and mod apache to handle it and force the admins to log in twice when they use the admin interface but then I have to worry about redoing that whenever we install a Zimbra update and about what else it may break.
Can anyone think of an alternate work around?