Mixed authentication - disable external for specific accounts

7224jobe · Post by **7224jobe** » Tue Dec 16, 2014 3:54 pm

Hi everybody, in our setup we have Zimbra 8.0.6 configured with authentication on Active Directory, and zimbraAuthFallbackToLocal set to TRUE to allow logins for specific accounts (related to automatical internal services) that do not have a domain account. Everything works ok, but we have zimbra log files filled with failed AD login attempts by those accounts, since they check their inboxes automatically very often.
Is there a way to set only internal authentication for specific accounts? I found only domain-wide settings.

greges · Post by **greges** » Fri Jan 16, 2015 1:52 am

Hi jobe, did you find solution? I have exactly same issue.

jorgedlcruz · Post by **jorgedlcruz** » Fri Jan 16, 2015 2:43 am

Hi guys,

Could you please let us know the result of zmcontrol -v ?

Best regards

greges · Post by **greges** » Fri Jan 16, 2015 3:19 am

Release 8.0.6_GA_5922.RHEL6_64_20131203103705 RHEL6_64 FOSS edition

Yeah..., i know - time to upgrade. But will it change anything in that case?

7224jobe · Post by **7224jobe** » Fri Jan 16, 2015 3:40 am

Hi Jorge and greges,

I did not manage to find a solution for this problem

Here is my zmcontrol -v:

Release 8.0.6.GA.5922.UBUNTU10.64 UBUNTU10_64 NETWORK edition

greges · Post by **greges** » Fri Jan 16, 2015 5:51 am

An idea ...

In my case, there would be no problem if I could change order of authentication method. First one - Local auth (Zimbra), second - External (Active Directory).

If the first one completes success then no external auth.

If the first one fail - then try external auth.

Is it possible?

Explaining - Why I need this?

I've made migration process of accounts with passwords from old email system (not zimbra) to Zimbra. Old system was configured only for local auth (separate user passwords for A.D. and mail server) So, now I have some clients with are authenticate with local passwords (old way - will change in time) and some clients with are authenticate with domain. And some email accounts with are not in the domain.

And now... For users with domain accounts which have e-mail clients configured "old way" - with "local" passwords , there are cases when AD can lock their accouts because of many authentication failures in short time (ex. someone has a lot of configured/connected Zimbra calendars and many e-mail accouts). And It's happening.

greges · Post by **greges** » Tue Jan 20, 2015 9:42 am

Jorge de la Cruze , any idea? You asked to check MTA version, what for?

jasggomes · Post by **jasggomes** » Tue Jan 29, 2019 9:42 am

Hi to all,

Zimbra version is 8.8.7_GA_1964.FOSS

Instead of opening another thread, I'll use this one.

Due to the fact that we had to upgrade our Win 2008 R2 server to Win2019 Essentials, we are now facing an issue related to the number of users we can have on the AD itself.

So, we have the authentication to the AD enabled but we have more than 25 email addresses in use, mainly these are service accounts, so the idea is to allow these service accounts to login using the local database instead of the AD one.

Can this be done? or do I need to revert back to use only the local database and disable the use of the AD one ?

Regards.
JG

DualBoot · Post by **DualBoot** » Tue Jan 29, 2019 9:51 am

Hello,

you set up the authentication fallback to do that.

Regards,

jasggomes · Post by **jasggomes** » Tue Jan 29, 2019 11:30 am

DualBoot wrote:Hello,

you set up the authentication fallback to do that.

Regards,

Thank you for your reply.

Well, pretty much after writing on these threads I managed to find the setting that allows to use both Internal and External.

For future reference to others, it is on::

Configure -> Domains -> <domain to be configured> ->edit
then
Authentication -> click the checkbox 'If fail,fail back to local password management'.

This solved the question to me, as my accounts now can log on using local authentication.

Regards.
JG

Zimbra Forums