Authentication against Samba Active Directory

machine12
Posts: 6
Joined: Mon Jul 16, 2018 11:35 am
Location: Croatia
ZCS/ZD Version: ZCS 8.8.8

Authentication against Samba Active Directory

Post by machine12 »

Hi everyone,

I have the following situation:

Zimbra OSE 8.8.8

My external domain is example.com
My inside Samba AD domain is ad.example.com

I would like to use AD authentication of Zimbra against the inner AD domain. I know how to do it, but my questions are:

When I change the authentication to external Active Directory, can the external AD be different (in this example it's a sub-domain of the external domain) for the authentication to work, or do just the usernames have to be the same?
If I just want to test it and return again to internal LDAP, will the passwords of the internal LDAP be intact?

Thanks in advance
PaperAdvocate
Posts: 23
Joined: Tue Oct 11, 2016 9:28 pm

Re: Authentication against Samba Active Directory

Post by PaperAdvocate »

If your Zimbra is in production and you don't want to break things for the existing users, you could add another testing subdomain to your Zimbra server (such as testing.example.com) and use this to test AD authentication. You don't need to set up MX records or anything since you're not testing mailflow. Just create some testing accounts for @testing.example.com and try using AD auth there.

For external authentication only the username seems to matter, not the @example.com or @ad.example.com. I have @domainA.com as the users' email addresses and @internal.domainB.com as the AD domain which Zimbra authenticates against; users are able to log in either with just user.name or user.name@domainA.com.

There is a fallback feature so you can still authenticate with Zimbra internally if the external authentication fails: https://wiki.zimbra.com/wiki/Using_and_ ... _attribute

I've never used it before but it's for the scenario that you describe.
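
The test-domain setup suggested in the post above, as an added example (not part of the original thread and not a Zimbra-supplied script). It only prints the `zmprov` commands for review; the function names, the DC hostname `dc1.ad.example.com` and the `%u@<realm>` bind template are assumptions, while `zimbraAuthMech`, `zimbraAuthLdapURL`, `zimbraAuthLdapBindDn` and `zimbraAuthFallbackToLocal` are standard Zimbra domain attributes.

```shell
#!/bin/sh
# Added example: print (do not run) the zmprov commands that point one Zimbra
# domain at an AD / Samba AD realm for authentication.
# Assumptions: function names are hypothetical; dc1.ad.example.com is a
# constructed DC hostname; users bind as <username>@<realm>.

ad_auth_cmds() {
    domain=$1     # Zimbra domain under test, e.g. testing.example.com
    realm=$2      # AD realm the users live in, e.g. ad.example.com
    ldap_url=$3   # directory URL, e.g. ldaps://dc1.ad.example.com:636

    # A simple bind carries the user's password to the DC, so only accept TLS.
    case $ldap_url in
        ldaps://*) ;;
        *) echo "refusing non-LDAPS URL: $ldap_url" >&2; return 1 ;;
    esac

    cat <<EOF
zmprov cd $domain
zmprov md $domain zimbraAuthMech ad
zmprov md $domain zimbraAuthLdapURL $ldap_url
zmprov md $domain zimbraAuthLdapBindDn %u@$realm
zmprov md $domain zimbraAuthFallbackToLocal TRUE
zmprov gd $domain zimbraAuthMech zimbraAuthLdapURL zimbraAuthLdapBindDn zimbraAuthFallbackToLocal
EOF
}

# Going back to Zimbra's internal LDAP is a single attribute change.
revert_cmds() {
    echo "zmprov md $1 zimbraAuthMech zimbra"
}

# Usage: sh ad-auth.sh DOMAIN REALM LDAPS_URL   (review, then run as zimbra)
if [ "$#" -eq 3 ]; then
    ad_auth_cmds "$@"
fi
```

Because the change is scoped to the test domain, the production domain's authentication settings are not touched while the AD bind is being verified.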
machine12
Posts: 6
Joined: Mon Jul 16, 2018 11:35 am
Location: Croatia
ZCS/ZD Version: ZCS 8.8.8

Re: Authentication against Samba Active Directory

Post by machine12 »

Thanks a lot. I will try it your way.
PaperAdvocate wrote: If your Zimbra is in production and you don't want to break things for the existing users, you could add another testing subdomain to your Zimbra server (such as testing.example.com) and use this to test AD authentication. You don't need to set up MX records or anything since you're not testing mailflow. Just create some testing accounts for @testing.example.com and try using AD auth there.

For external authentication only the username seems to matter, not the @example.com or @ad.example.com. I have @domainA.com as the users' email addresses and @internal.domainB.com as the AD domain which Zimbra authenticates against; users are able to log in either with just user.name or user.name@domainA.com.

There is a fallback feature so you can still authenticate with Zimbra internally if the external authentication fails: https://wiki.zimbra.com/wiki/Using_and_ ... _attribute

I've never used it before but it's for the scenario that you describe.