pdrass
Posts: 2
Joined: Sat Dec 15, 2018 7:48 pm

Server > Zimbra LDAP Auth?

Post by pdrass »

Zimbra Community: 8.8.9_GA_3026.FOSS
Domains: 9
Ubuntu 16.04 LTS

I have a question about binding LDAP with auth. I have a Proxmox Mail Gateway I was testing out and it wants to authenticate to Zimbra LDAP. This is primarily so it can allow users to log into the quarantine web interface.

I can only get this to work if I enable anonymous bind:

Code:

/opt/zimbra/libexec/zmldapanon -d <-- disables
/opt/zimbra/libexec/zmldapanon -e <-- enables
Although this is on the LAN and behind a firewall I'd rather not allow anonymous binds if possible.

I then found a command that would show me the "zimbra" LDAP bind password:

Code:

zmlocalconfig | grep -i ldap

Scrolling through the output I see

Code:

zimbra_ldap_password = password_string_here
...where the "password_string_here" is seemingly the password.

I try to use this in the credentials box and it doesn't seem to work. If I leave it all blank (user and pass) with anonymous bind enabled it works and syncs LDAP to the Proxmox Mail Gateway.

Does anyone know if that is the correct way to authenticate and find what the Zimbra LDAP user name and password is with the zmlocalconfig command? I think I saw another config file somewhere that just had a "*" in it for the password which seemed odd.

After that I'd like to work on getting LDAPS <-- secure working. I think I saw a Zimbra wiki on how to do that. I had to already overcome the default listening IP for Zimbra that makes LDAP only listen on localhost. I needed to go edit /etc/hosts and restart the LDAP service.

Code:

zimbra@zimbra:~$ cat /etc/hosts
127.0.0.1	localhost
# 127.0.1.1	zimbra.yourdomain.tld	zimbra
10.0.10.10	zimbra.yourdomain.tld	zimbra
Any help here to put the icing on this config cake would be much appreciated!

Thanks!
7224jobe
Outstanding Member
Posts: 283
Joined: Sat Sep 13, 2014 1:55 am
ZCS/ZD Version: 8.8.15_FOSS Patch38

Re: Server > Zimbra LDAP Auth?

Post by 7224jobe »

Hello, take a look at this community wiki page: https://wiki.zimbra.com/wiki/ShanxT-LDAP-CheatSheet. It shows a way to query Zimbra LDAP without anonymous bind.
pdrass
Posts: 2
Joined: Sat Dec 15, 2018 7:48 pm

Re: Server > Zimbra LDAP Auth?

Post by pdrass »

Thanks!

Even though I saw and read through it, ultimately I needed to read through the Proxmox Mail Gateway help button (?) LOL.

It states:
Bind user

It is highly recommended that the user which you use for connecting to the LDAP server only has the permission to query the server. For LDAP servers (for example OpenLDAP or FreeIPA), the username has to be of a format like uid=username,cn=users,cn=accounts,dc=domain , where the specific fields are depending on your setup. For Active Directory servers, the format should be like username@domain or domain\username.
Duh! So once I used the "username" string as:
uid=zimbra,cn=admins,cn=zimbra
...it worked! I made sure to disable anonymous access before testing this and now my anonymous query access is disabled and I can query it with the password. Again, it's not exposed in any way to the outside on port 389 so I think we're OK.

I might see if I can enable LDAPS next to button it up.

Thanks again! Not sure how I can mark this as "solved" but it should be now.
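An added example (not code from this thread, from Zimbra or from Proxmox) that ties the two halves of the thread together: it takes the bind DN, password and LDAP URL that zmlocalconfig reports, runs an authenticated ldapsearch with them the way the gateway would, and then confirms that an anonymous bind is actually refused after zmldapanon -d. It assumes the OpenLDAP client tools (ldapsearch) are installed, and that the localconfig keys are named zimbra_ldap_userdn, zimbra_ldap_password and ldap_url, which is what `zmlocalconfig -s` prints on a stock install as far as I know (plain `zmlocalconfig` masks password values with `*`, which is the "*" mentioned above). The SAMPLE text is a constructed stand-in with placeholder values; the script only talks to a server when RUN_LIVE=1 is set.

```shell
#!/bin/sh
# Added example: check a non-anonymous Zimbra LDAP bind from zmlocalconfig values
# and verify anonymous bind is refused. Not from the thread or from Zimbra.

# Pull one key's value out of "key = value" text on stdin (zmlocalconfig format).
lc_value() {
  sed -n "s/^$1 = //p" | head -n 1
}

# ldap_url may list several space-separated URLs; take the first one.
first_url() {
  awk '{print $1}'
}

# Authenticated rootDSE read: the same simple bind Proxmox Mail Gateway does
# when it syncs users. The password is read from a 0600 temp file via -y so it
# never appears in the process list. Returns ldapsearch's exit status.
auth_search() {
  url="$1"; dn="$2"; pw="$3"
  pwfile=$(mktemp) || return 2
  chmod 600 "$pwfile"
  printf '%s' "$pw" > "$pwfile"
  ldapsearch -x -H "$url" -D "$dn" -y "$pwfile" -b "" -s base '(objectClass=*)' dn >/dev/null 2>&1
  rc=$?
  rm -f "$pwfile"
  return $rc
}

# Anonymous rootDSE read: should FAIL (non-zero) once zmldapanon -d has been run.
anon_search() {
  ldapsearch -x -H "$1" -b "" -s base '(objectClass=*)' dn >/dev/null 2>&1
}

# Constructed sample of `zmlocalconfig -s` output; values are placeholders.
# On a real server use: SAMPLE=$(/opt/zimbra/bin/zmlocalconfig -s)
SAMPLE='ldap_url = ldap://zimbra.yourdomain.tld:389
zimbra_ldap_userdn = uid=zimbra,cn=admins,cn=zimbra
zimbra_ldap_password = PLACEHOLDER_PASSWORD'

main() {
  url=$(printf '%s\n' "$SAMPLE" | lc_value ldap_url | first_url)
  dn=$(printf '%s\n' "$SAMPLE" | lc_value zimbra_ldap_userdn)
  pw=$(printf '%s\n' "$SAMPLE" | lc_value zimbra_ldap_password)

  if auth_search "$url" "$dn" "$pw"; then
    echo "authenticated bind as $dn: OK"
  else
    echo "authenticated bind as $dn: FAILED (check DN/password; note zmlocalconfig without -s masks the password)"
  fi

  if anon_search "$url"; then
    echo "anonymous bind: still allowed (run /opt/zimbra/libexec/zmldapanon -d)"
  else
    echo "anonymous bind: refused (good)"
  fi
}

# Live checks only on request, and only when ldapsearch is present.
if [ "${RUN_LIVE:-0}" = 1 ] && command -v ldapsearch >/dev/null 2>&1; then
  main
fi
```

The DN it binds with is the `uid=zimbra,cn=admins,cn=zimbra` value from the post above; once LDAPS is enabled the same script works unchanged with an `ldaps://` URL in ldap_url, provided the client trusts the server certificate.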