tech_documents:zimbra:zimbra_ad_authentication

https://wiki.zimbra.com/wiki/Configure_authentication_with_Active_Directory

Since we are going to do this securely (I mean properly), we are going to use LDAPS. This requires a PKI and a proper DNS setup. I'm assuming you already have both, but if not I'll provide links.

  1. Add a DNS entry to your AD DNS server for your Zimbra server(s).
  2. Create a username and password in AD inside a dedicated OU for special accounts (password never expires, user can't change password), and make a note that it's used by the Zimbra server to bind to AD for authentication purposes (optionally name the OU to indicate it shouldn't be renamed or moved…).
  3. Log in to the Zimbra admin console at https://mail.yourdomain.com:7071 and select Configure -> Domains -> click on the gear icon and select New -> type in your domain name, then Next -> select your Mail Server, then Next -> skip SSO, Next -> set "Authentication mechanism" to "External Active Directory" -> verify the "AD domain name" since it will probably be something like ad.domainname.com -> put the FQDN of the Windows domain controller in the ldap:// field (e.g. srv01.ad.domainname.com) and set the port to 389 (don't check SSL), Next -> put in the username and password of the bind user set up previously, then Finish.
  4. Create a new user in Zimbra in the domain that uses AD for authentication (note: you can have multiple email addresses map to one AD user account as long as they have different domain names, so user1@domaina.com and user1@domainb.com could use the same AD account).
  5. Open a new browser window, go to https://mail.yourdomainname.com and log in using the full email address and password.
  6. Copy the root CA certificate to the Zimbra server (note: if it's a certificate chain, get the PKCS#7 Base-64 copy from the server that issued the certificate; so if you just have the sub/intermediate and root certificates, use the root CA to get a copy of the sub/intermediate CA + root CA certificate chain). Open the .p7b certificate file that was used to install the root CA certificate on Windows, copy the contents, paste them into a new file on the Zimbra server and run

 openssl pkcs7 -print_certs -in certificate.p7b -out certificate.cer

to convert the p7b to PEM.

  7. Copy the converted certificate to /etc/pki/ca-trust/source/anchors/, then run update-ca-trust.
  8. Copy the same certificate.cer to /tmp, then su - zimbra and run /opt/zimbra/bin/zmcertmgr addcacert /tmp/certificate.cer (this imports it into the Zimbra certificate store so it will trust the LDAPS certificate).
  9. Reconfigure each domain to use LDAPS → go back to Domains, right click on the domain you want to authenticate via AD, then "Configure Authentication" → check the "Use SSL" box and change the port to 636, Next → check the box "Use DN/Password to bind…", copy the distinguishedName of the AD bind user from the Windows DC into "Bind DN", put in the bind user password twice, Next → test with a user account → Next through to Finish.

https://wiki.zimbra.com/wiki/Preexisting_Certifcate_Installation_for_Zimbra_6.0

  • Make sure you have LDAPS working on your Windows AD server (see the other tutorial for this).
  • Make sure Zimbra's DNS resolver is pointing to the DNS server of your AD DC.
  • Create a test account in AD that will be used to test the AD bind from Zimbra.
  • Log in to the Zimbra web UI → select Configure -> Domains -> right click on the domain you want to use AD authentication with -> Configure Authentication -> select "External Active Directory" -> verify the "AD domain name" since it will probably be something like ad.domainname.com -> put the FQDN of the Windows domain controller in the ldap:// field (e.g. srv01.ad.domainname.com) and set the port to 389 (don't check SSL), Next -> skip the bind section -> put in the test AD username and password (no domain prefix required, e.g. testuser rather than ad\testuser) -> Test.
  • If this works then you can move on to configuring LDAPS authentication.
  • On your AD server with LDAPS enabled, export your root and intermediate certificates as Base-64.
  • Open each certificate you exported, copy the contents and paste them into files in the /tmp folder on the Zimbra mailbox server (one file per certificate, e.g. root.cer and int.cer).
  • chown each certificate file to zimbra:zimbra.
  • Change to the zimbra user, then use keytool to import the certificates (use a different alias for each file imported; if asked to continue, select Yes):

keytool -import -alias htint -keystore /opt/zimbra/common/lib/jvm/java/lib/security/cacerts -storepass changeit -file /tmp/int.cer

  • Do this for your root and any intermediate certificates.
  • Restart Zimbra.
  • Go back into the web UI where you set the authentication for the domain, check the SSL box, change the port to 636 and test; it should work… keyword being should.
  • Troubleshooting LDAP external authentication

https://wiki.zimbra.com/wiki/LDAP

External Authentication
Please see King0770-Notes#External_Authentication_with_LDAP for information on this.

External GAL
Connecting to an External LDAP Server with SSL
If the external LDAP server has a self-signed certificate, you will need to add the cert to the Zimbra keystore(s). Use the following command (substitute your chosen alias and the path to your cert file; all on one line):

sudo /opt/zimbra/java/bin/keytool -import \
  -alias EXTERNAL-LDAP \
  -keystore /opt/zimbra/java/jre/lib/security/cacerts \
  -storepass changeit \
  -file EXTERNAL-LDAP-CERT-FILE
After adding the cert to the keystore, you'll need to restart Tomcat. As the zimbra user, do this:

tomcat stop && tomcat start
Make sure that you have selected SSL when configuring use of the external ldap server in the admin console. You can verify on the command line that this returns an "ldaps" url:

zmprov gd DOMAIN.COM | grep zimbraAuthLdapURL
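The zmprov check above confirms one domain by eye. The initial 389/no-SSL step in the procedures above sends simple binds, including the bind user's password, in the clear, so before going to production every AD-authenticated domain should show only ldaps:// URLs. The following shell helper is an added example and not part of the Zimbra wiki or these notes: it parses the attribute lines that zmprov gd prints (both domain samples are constructed, in that format), flags any zimbraAuthLdapURL value that is not ldaps://, and the commented zmprov invocation at the end is the only line that needs a real Zimbra host.

```shell
#!/bin/sh
# Added example (not from the Zimbra wiki): check that every AD-authenticated
# domain binds over LDAPS. Reads "zmprov gd" output; both samples are constructed.
set -u

# Constructed sample: the weak state after the initial setup step (port 389, no SSL).
WEAK_DOMAIN='# name domaina.com
zimbraAuthMech: ad
zimbraAuthLdapURL: ldap://srv01.ad.domainname.com:389
zimbraAuthLdapBindDn: %u@ad.domainname.com
zimbraDomainName: domaina.com'

# Constructed sample: the hardened state after "Use SSL" and port 636 are set.
# zimbraAuthLdapURL is multi-valued, so a second DC appears as a second line.
GOOD_DOMAIN='# name domainb.com
zimbraAuthMech: ad
zimbraAuthLdapURL: ldaps://srv01.ad.domainname.com:636
zimbraAuthLdapURL: ldaps://srv02.ad.domainname.com:636
zimbraAuthLdapSearchBindDn: CN=zimbra-bind,OU=Service Accounts,DC=ad,DC=domainname,DC=com
zimbraDomainName: domainb.com'

# Print every zimbraAuthLdapURL value, one per line.
auth_ldap_urls() {
    printf '%s\n' "$1" | sed -n 's/^zimbraAuthLdapURL: *//p'
}

# Exit 0 when the domain uses external LDAP/AD auth and every URL is ldaps://;
# otherwise print what is wrong and exit 1.
domain_auth_is_ldaps() {
    mech=$(printf '%s\n' "$1" | sed -n 's/^zimbraAuthMech: *//p')
    case "$mech" in
        ad|ldap) ;;
        *) echo "auth mech is '$mech', not external LDAP/AD"; return 1 ;;
    esac
    urls=$(auth_ldap_urls "$1")
    [ -n "$urls" ] || { echo "no zimbraAuthLdapURL set"; return 1; }
    bad=0
    for u in $urls; do
        case "$u" in
            ldaps://*:636) ;;
            ldaps://*) echo "LDAPS on a non-standard port, check it: $u" ;;
            *) echo "plain LDAP, bind credentials sent in the clear: $u"; bad=1 ;;
        esac
    done
    return $bad
}

# Real check on a Zimbra host (run as the zimbra user); DOMAIN.COM is a placeholder.
# domain_auth_is_ldaps "$(zmprov gd DOMAIN.COM)"
```

Run it against each domain returned by zmprov gad to cover every domain in one pass; a non-zero exit names the URL that still uses plain LDAP.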

PS: in order to download the certificate, you can use openssl from the Zimbra server:

openssl s_client -connect EXTERNAL-LDAP:636 < /dev/null > EXTERNAL-LDAP-CERT-FILE
The resulting file is the whole s_client transcript; keep only the lines from BEGIN CERTIFICATE to END CERTIFICATE.

Find out if your external auth cert has expired
If your users cannot access their accounts from the web client, check whether the external authentication server's SSL cert has expired.
If it has, you may see errors like the following in /opt/zimbra/log/mailbox.log:

Caused by: javax.naming.CommunicationException: simple bind failed: 192.168.2.15:636 [Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: timestamp check failed]

To check whether the external authentication server's SSL cert has expired, run the following commands:

openssl s_client -connect EXTERNAL-LDAP:636 < /dev/null > EXTERNAL-LDAP-CERT-FILE.crt

openssl x509 -in EXTERNAL-LDAP-CERT-FILE.crt -noout -text
Near the top of the output, you should see Validity dates.
Example:
Not Before: Apr 23 13:54:47 2008 GMT
Not After : Apr 23 13:54:47 2009 GMT
Tip: as a short-term workaround, set the localconfig key ssl_allow_untrusted_certs from false to true:

zmlocalconfig -e ssl_allow_untrusted_certs=true
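The certificate handling in the procedures at the top of this page (converting the exported .p7b to PEM, verifying the chain, then trusting it for LDAPS) and the expiry check in this section are where a wrong or expired certificate turns into the PKIX error quoted above. The following shell helpers are an added example, not from the Zimbra wiki or these notes; they assume openssl on the Zimbra host, and the host names and file names are placeholders. Checking expiry with openssl x509 -checkend before import, and verifying the live endpoint against the CA file the way the JVM will, tells you which certificate is at fault before anyone reaches for ssl_allow_untrusted_certs, which turns off certificate validation for all of Zimbra's outbound TLS connections rather than fixing the one that broke.

```shell
#!/bin/sh
# Added example (not from the Zimbra wiki): certificate checks to run on the
# Zimbra host before and after importing a CA for LDAPS authentication.
# Assumes openssl is installed; host names and file names are placeholders.
set -u

# Convert an exported PKCS#7 (.p7b) bundle to PEM. Windows exports are either
# Base-64 (PEM) or binary (DER); try PEM first and fall back to DER.
p7b_to_pem() {
    in="$1"; out="$2"
    openssl pkcs7 -print_certs -in "$in" -out "$out" 2>/dev/null ||
        openssl pkcs7 -inform DER -print_certs -in "$in" -out "$out"
}

# Count the certificates in a PEM file (a chain export should contain more than one).
pem_cert_count() {
    grep -c 'BEGIN CERTIFICATE' "$1"
}

# Exit 0 only if the first certificate in $1 stays valid for at least $2 more days.
# openssl x509 -checkend takes seconds, so convert days to seconds.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# Print the validity window (the same Not Before / Not After values as -text).
cert_validity() {
    openssl x509 -in "$1" -noout -dates
}

# Verify that a leaf or intermediate certificate ($2) chains to the CA bundle ($1).
verify_chain() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Verify the live LDAPS endpoint against the CA bundle, the way Zimbra's JVM
# will: the handshake must complete with a trusted, unexpired chain.
# -verify_return_error makes s_client fail instead of only warning on a bad chain.
ldaps_endpoint_ok() {
    host="$1"; port="${2:-636}"; cafile="$3"
    openssl s_client -connect "$host:$port" -CAfile "$cafile" \
        -verify_return_error </dev/null >/dev/null 2>&1
}

# Example run (placeholders): convert, inspect and verify before importing.
# Only runs when invoked as "sh thisfile.sh run".
if [ "${1:-}" = "run" ]; then
    p7b_to_pem certificate.p7b certificate.cer
    echo "certificates in bundle: $(pem_cert_count certificate.cer)"
    cert_validity certificate.cer
    cert_valid_for_days certificate.cer 30 || echo "WARNING: CA cert expires within 30 days"
    if ldaps_endpoint_ok srv01.ad.domainname.com 636 certificate.cer; then
        echo "LDAPS chain validates against certificate.cer"
    else
        echo "LDAPS chain does NOT validate: wrong CA, incomplete chain, or expired cert"
    fi
fi
```

If ldaps_endpoint_ok fails while verify_chain succeeds for each exported file, the domain controller is usually serving a chain that does not include the intermediate, or a leaf issued by a different CA than the one exported.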
  • Last modified: 2020/09/28 17:49
  • by dwadmin