Thread: [SOLVED] Zimbra 6, authentication mode

  1. #1
    Join Date
    Jul 2010
    Posts
    46
    Rep Power
    5

    [SOLVED] Zimbra 6, authentication mode

    In Zimbra 6, can you set the authentication mode on a per-user basis, not just for the whole domain?

    What I want is that I can set external AD authentication mode for some users and internal authentication mode for others.

    Best regards, Primoz.

  2. #2
    Join Date
    Sep 2009
    Location
    Spain
    Posts
    233
    Rep Power
    6

    You can't have the authentication set up on a per-user basis, BUT you can set up external authentication and have it fall back to local if the first one fails... this way users not authenticated in MSAD would try with ZCS' internal LDAP.

    Be careful, though, don't set up an easy password for your MSAD users. If their AD password fails they could use this other one to get into Zimbra.

    Also, you could set up different COS for these two types of users just so your MSAD users won't be able to change the Zimbra password. Covers up that little security issue nicely.

    Anyway, the command you'll need for this is:

    zmprov modifyDomain [yourdomain] zimbraAuthFallBackToLocal TRUE

  3. #3
    Join Date
    Jul 2010
    Posts
    46
    Rep Power
    5

    > Be careful, though, don't set up an easy password for your MSAD users. If their AD password fails they could use this other one to get into Zimbra.
    >
    > Also, you could set up different COS for these two types of users just so your MSAD users won't be able to change the Zimbra password. Covers up that little security issue nicely.

    Can you please explain this a little bit more, with some example if possible?

    Thank you very much.

  4. #4
    Join Date
    Sep 2009
    Location
    Spain
    Posts
    233
    Rep Power
    6

    Ok. Let's say that when you created all your users' accounts in Zimbra you gave them a dummy password "zimbra" (how original) knowing/thinking that they will never use it since all your authentication would be done through MSAD.

    But now you've set up your domain's authentication to fall back to local (i.e. your ZCS' internal directory). Any user that inputs "zimbra" as the password will fail when authenticating against MSAD but, with the fallback, will be granted access into ZCS (or rather ZWC).

    Add onto that the ability to change the ZCS password and they can set it to whatever they wish and keep a "backdoor" open into their account. Possibly even if their MSAD account is disabled.

    So, my advice, have a COS for users who authenticate against MSAD not allowing them to change the password, and keep the ZCS password rather complex. And another COS for users who authenticate internally (fallback) if you want/need/allow them to change their ZCS password.
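
The advice in posts #2 and #4 put together as a script (an added example, not part of the thread): create the two COS, move each MSAD-authenticated account into the locked one and replace its local password with a random value, and only then enable the fallback. The COS names `ad-users` and `local-users`, the `example.com` accounts, and the choice of `zimbraPasswordLocked` and `zimbraFeatureChangePasswordEnabled` as the attributes that block password changes are assumptions; the thread does not name them.

```shell
#!/bin/sh
# Added example. Dry run by default: prints the zmprov commands.
# Run with APPLY=1 as the zimbra user to execute them.

run() {  # print the command, or execute it when APPLY=1
    if [ "${APPLY:-0}" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi
}

random_password() {  # 24 random bytes rendered as 48 hex characters
    head -c 24 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

setup_cos() {
    # COS for MSAD users: the local ZCS password cannot be changed.
    run zmprov createCos ad-users \
        zimbraPasswordLocked TRUE zimbraFeatureChangePasswordEnabled FALSE
    # COS for users who authenticate internally through the fallback.
    run zmprov createCos local-users \
        zimbraPasswordLocked FALSE zimbraFeatureChangePasswordEnabled TRUE
}

harden_ad_account() {  # $1 = account that authenticates against MSAD
    run zmprov setAccountCos "$1" ad-users
    if [ "${APPLY:-0}" = 1 ]; then
        # Replaces any dummy local password; the value is never shown.
        zmprov setPassword "$1" "$(random_password)" >/dev/null
    else
        printf 'zmprov setPassword %s <random 48-char value>\n' "$1"
    fi
}

enable_fallback() {  # $1 = domain; same setting as the command in post #2
    run zmprov modifyDomain "$1" zimbraAuthFallBackToLocal TRUE
}

plan() {  # $1 = domain, remaining arguments = MSAD-authenticated accounts
    domain=$1; shift
    setup_cos
    for acct in "$@"; do harden_ad_account "$acct"; done
    enable_fallback "$domain"   # last, so no dummy password is reachable
}

# Constructed sample input.
plan example.com alice@example.com bob@example.com
```

With `APPLY=1` the random password is passed to `zmprov` as a command-line argument, so run it on the Zimbra server itself in a session no other user can inspect.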

  5. #5
    Join Date
    Jul 2010
    Posts
    46
    Rep Power
    5

    Thank you very much.
