Thread: External Authentication via Active Directory on a Separate Network

  1. #1
    Join Date: May 2011

    I'm attempting to set up my Zimbra v6.0.13 installation to authenticate externally against Active Directory (running on Windows Server 2003). If the Zimbra server and the Active Directory server are on two separate networks, do I need to open any specific ports on my routers/firewalls to make sure traffic passes between the two servers without any problem?

  2. #2
    Join Date: Jul 2009
    Location: Jyväskylä, Finland

    Here are two ways to do what you want:

    First, the fast and dirty hack:

    Get MyEnTunnel.
    Install it on your Windows server.
    Configure a user account on your Zimbra server for SSH access.
    Forward the LDAP port from the Windows server to the Zimbra server using MyEnTunnel and the user you just created.
    You want remote tunnel mode for this; let's say you forward 389:
    Notice we're not encrypting the LDAP traffic; it's not necessary, since we're using SSH to encrypt the traffic between Windows and Linux.

    Now configure external authentication for Active Directory as you would when the AD is on the local network (search this forum for a howto); just give the bind address as ldap://


    You need to be logged in on the Windows server for MyEnTunnel to run/open the login tunnel. (Just connect with Remote Desktop and lock the screen.)

    ----end of first way ----

    Now the proper way:
    (vague explanation, sorry; you'll probably have to google how to do a lot of these steps)

    Configure CA services on the Windows server.
    Create a certificate for your Windows server, export it, and also export the CA cert.
    Import the certificates into all the necessary certificate stores on the Zimbra server (java/tomcat/jetty/others?).
    (You probably need to do that step every time you upgrade Zimbra.)
    Enable LDAPS on Windows. You need LDAPS for the traffic to be encrypted here.
    Port forward port 636 from the network where the AD is to a public IP.
    Create a firewall rule to permit the Zimbra server to access that public IP on port 636.
    Configure Zimbra to use ldaps://public-ip:636 as the external authentication source.


    This way is a PITA to configure (read: takes somewhere from 8 to 40 hours to get working), but it doesn't require you to be logged on to the Windows server.
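Both routes in the post end with Zimbra doing a simple LDAP bind against the DC, and most of the "8-40 hours" goes into finding out which hop is breaking it. The probe below is an added example, not code from the post or from Zimbra: it hand-encodes the RFC 4511 BindRequest and decodes the BindResponse, so you can run the exact bind Zimbra will make before touching zmprov, either over LDAPS with the exported AD CA cert as the only trust anchor (the "proper way") or over a plain socket into the SSH remote forward on the Zimbra box (the "fast and dirty" way). The host 203.0.113.10, the DC name dc01.corp.example, the file ad-ca.pem and the account svc_zimbra@corp.example are assumptions; the result-code bytes in the comments are constructed.

```python
"""Pre-flight probe for the Zimbra -> Active Directory simple-bind path (added example).

Hand-encoded BER for LDAPMessage/BindRequest/BindResponse (RFC 4511).
Hostnames, file names and accounts are assumptions; adjust to your environment.
"""
import socket
import ssl

# LDAP resultCode values a domain controller typically returns to a simple bind
LDAP_RESULT = {
    0: "success",
    8: "strongerAuthRequired",   # DC requires LDAP signing and sees a non-TLS connection
    49: "invalidCredentials",
}

def _ber_len(n):
    """BER length octets: short form below 128, long form (0x8N + N bytes) otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag, payload):
    return bytes([tag]) + _ber_len(len(payload)) + payload

def _ber_int(value):
    """INTEGER for non-negative values; the extra byte keeps the sign bit clear."""
    return _tlv(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big"))

def build_bind_request(message_id, bind_name, password):
    """LDAPMessage { messageID, BindRequest [APPLICATION 0] { version 3, name, simple [0] pw } }.
    For AD, bind_name can be a UPN such as user@corp.example instead of a full DN."""
    bind_req = _tlv(0x60, _ber_int(3)
                    + _tlv(0x04, bind_name.encode())
                    + _tlv(0x80, password.encode()))
    return _tlv(0x30, _ber_int(message_id) + bind_req)

def _read_tlv(buf, pos):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length

def message_length(buf):
    """Total length of the first LDAPMessage in buf, or None if its header is incomplete."""
    if len(buf) < 2:
        return None
    length = buf[1]
    if length & 0x80:
        nbytes = length & 0x7F
        if len(buf) < 2 + nbytes:
            return None
        return 2 + nbytes + int.from_bytes(buf[2:2 + nbytes], "big")
    return 2 + length

def parse_bind_response(data):
    """Return (message_id, result_code, diagnostic_message) from a BindResponse message."""
    tag, body, _ = _read_tlv(data, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage (tag 0x%02x)" % tag)
    _, mid, pos = _read_tlv(body, 0)
    tag, op, _ = _read_tlv(body, pos)
    if tag != 0x61:
        raise ValueError("expected BindResponse [APPLICATION 1], got tag 0x%02x" % tag)
    _, code, pos = _read_tlv(op, 0)         # ENUMERATED resultCode
    _, _matched, pos = _read_tlv(op, pos)   # matchedDN, not needed here
    _, diag, _ = _read_tlv(op, pos)         # diagnosticMessage; AD puts its 0x8009... hint here
    return int.from_bytes(mid, "big"), int.from_bytes(code, "big"), diag.decode(errors="replace")

def _bind_over(sock, upn, password):
    sock.sendall(build_bind_request(1, upn, password))
    buf = b""
    while True:
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("server closed the connection before answering the bind")
        buf += chunk
        total = message_length(buf)
        if total is not None and len(buf) >= total:
            return parse_bind_response(buf[:total])

def ldaps_bind(host, port, cafile, server_name, upn, password, timeout=5):
    """'Proper way' check: TLS to the forwarded 636, trusting only the exported AD CA.
    server_name must match the DC certificate; connecting by public IP does not change that."""
    ctx = ssl.create_default_context(cafile=cafile)   # cafile given => system roots are not loaded
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=server_name) as tls:
            return _bind_over(tls, upn, password)

def tunnel_bind(upn, password, host="127.0.0.1", port=389, timeout=5):
    """'Fast and dirty' check: plain LDAP into the SSH remote forward on the Zimbra box."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        return _bind_over(sock, upn, password)

if __name__ == "__main__":
    # Assumed environment; run this on the Zimbra server.
    mid, code, diag = ldaps_bind("203.0.113.10", 636, "ad-ca.pem", "dc01.corp.example",
                                 "svc_zimbra@corp.example", "changeme")
    print("LDAPS bind:", LDAP_RESULT.get(code, code), diag)
```

Two things this probe surfaces that the post only hints at. First, the TLS name check: the DC certificate carries the DC's name, so a client that validates hostnames needs to be given that name (here `server_name`) even when the packets go to a public IP; if you point Zimbra at `ldaps://public-ip:636` and it complains about the certificate, the CA import may be fine and the name mismatch the real problem. Second, the tunnel route: the SSH hop protects the wire, but the DC still sees a plaintext LDAP connection, so if the domain is set to require LDAP signing, `tunnel_bind` comes back with resultCode 8 and the same bind will fail in Zimbra. Once `ldaps_bind` returns 0, the Zimbra side is the usual `zmprov md <domain> zimbraAuthMech ad zimbraAuthLdapURL ldaps://... zimbraAuthLdapBindDn '%u@corp.example'`, after adding the CA with `zmcertmgr addcacert ad-ca.pem` (which, as the post notes, has to be redone after upgrades).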
