Delete LOCAL password in LDAP Auth env

ZCS/ZD Version: 9.0.0_GA_3976

Post by winproof » Tue Jan 24, 2023 2:45 pm

We use a mixed environment: some users auth on the LDAP server (Samba AD), others on the Zimbra server.

I have a problem: if a user who previously existed only on the Zimbra server is added on the LDAP, when he changes his password on LDAP, his old password still remains active on the Zimbra server, and he can still connect with his old password.

How can I purge (delete) his password on the Zimbra server?

I've found a workaround: if I disable LDAP auth and set the "empty password option" to allowed, I can set the user password to nothing using "zmprov sp user "" ", and after I reactivate LDAP auth and re-set the "empty password option" to forbidden, the user can no longer log in locally, but it's really dirty :D

No better solution? (Maybe a CLI command, or deleting an LDAP object on the Zimbra server?)

