
How to integrate Zimbra Collaboration Suite with Active Directory

Many enterprises, especially in the CIS, already have an established IT infrastructure in which a directory service such as Microsoft Active Directory manages and authenticates users. When such an enterprise starts planning a Zimbra Collaboration Suite deployment, the question naturally arises: can ZCS fit into the existing infrastructure and use Microsoft AD to authenticate users? It can, and below we describe how to set this up.


So, suppose that in your enterprise Active Directory serves the domain.local domain, and Zimbra is to be installed as mail.domain.com. During the integration we will connect AD to ZCS as an external LDAP directory: Zimbra will verify users' passwords against AD instead of storing them itself. Because Zimbra does not write password changes back to AD, we recommend that you immediately disable the password-change feature for these users (the zimbraFeatureChangePasswordEnabled setting in their class of service), otherwise a user who "changes" a password in the Zimbra web client only changes a password that is never used. We also note that, to verify the integration, it is useful to have at least one AD account with a known login/password pair so that the connection between the two systems can be tested.

AD is connected to ZCS through the Zimbra administration console at https://mail.domain.com:7071/zimbraAdmin/. In the left sidebar select Configure, then the Domains sub-item. In the list of domains select the one that will be used together with AD, right-click it and choose "Configure Authentication". The external LDAP settings dialog then appears, in which Zimbra is introduced to AD.

On the Authentication Mode page select "External Active Directory", then on the Authentication Settings page enter the details of the AD server: the domain name, the IP address of the server and the port on which AD answers LDAP queries (389 is plain LDAP; if your domain controllers offer LDAPS, prefer it so that user passwords do not cross the network in clear text). The next page, called LDAP Bind, can be left blank.


On the Authentication Config Summary page you can verify that Zimbra has successfully connected to AD by entering a correct login/password pair of any AD user. If the test succeeds, Zimbra shows the Bind DN it derived for that user. The External Group Settings and Domain Configuration Complete pages can be left as they are. This completes the authentication part of the integration; external authentication only verifies passwords and does not create mailboxes by itself, so all that remains is to create the existing AD users as accounts in Zimbra.

With a small number of accounts this can be done manually, but if there are many accounts it is best to automate the process with Zimbra's Auto-provisioning feature. To do this, log in to the Zimbra server and run the following commands on the command line:

```bash
# Switch to the zimbra user with its login environment so that zmprov is on the PATH
su - zimbra

# LAZY mode: the account is created on the user's first successful login
zmprov md domain.com zimbraAutoProvMode LAZY
# Where to find AD; ldap:// on 389 with StartTLS disabled sends the bind
# password and all searches in clear text. Use ldaps:// (636, or 3269 for the
# Global Catalog) or set zimbraAutoProvLdapStartTlsEnabled TRUE where the DCs support it.
zmprov md domain.com zimbraAutoProvLdapURL "ldap://domain.local:389"
zmprov md domain.com zimbraAutoProvLdapStartTlsEnabled FALSE
# Service account used to search AD for the user's entry
zmprov md domain.com zimbraAutoProvLdapAdminBindDn "zimbra@domain.local"
zmprov md domain.com zimbraAutoProvLdapAdminBindPassword PassworD
# Search base and filter; %u is replaced with the login name the user typed
zmprov md domain.com zimbraAutoProvLdapSearchBase "ou=User,dc=domain,dc=local"
zmprov md domain.com zimbraAutoProvLdapSearchFilter "(samAccountName=%u)"
zmprov md domain.com zimbraAutoProvLdapBindDn "%u@%d"
# Which AD attribute becomes the Zimbra account name, and which attributes are copied
zmprov md domain.com zimbraAutoProvAccountNameMap sAMAccountName
zmprov md domain.com +zimbraAutoProvAttrMap "sn=sn" +zimbraAutoProvAttrMap "description=description" +zimbraAutoProvAttrMap "cn=displayName" +zimbraAutoProvAttrMap "givenName=givenName" +zimbraAutoProvAttrMap "zimbraMailAlias=mail"
# Welcome message sent to each newly provisioned account
zmprov md domain.com zimbraAutoProvNotificationFromAddress admin@domain.com
zmprov md domain.com zimbraAutoProvNotificationSubject "We are glad to welcome you aboard our mail server"
zmprov md domain.com zimbraAutoProvNotificationBody "Your account was created automatically. Please read the e-mail usage guide at the following link"
zmprov md domain.com zimbraAutoProvBatchSize 20
zmprov md domain.com zimbraAutoProvAuthMech LDAP
zmcontrol restart
```

With this configuration a Zimbra account is created automatically the first time a user logs into the web client with a valid AD login/password pair. Note that in some cases, for auto-provisioning to work correctly, the port may need to be changed from 389 to 3268: 389 is the LDAP port of a single domain controller, whereas 3268 is the Global Catalog port, which answers for the whole forest (3269 is its LDAPS equivalent). Also note that the search base in these commands must be syntactically valid; a stray parenthesis or a wrong OU makes every lookup fail and no accounts get created, even though authentication itself still works.
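A pre-flight script for the settings above, added here as an example; it is not part of the original article or of Zimbra itself. It assumes the article's placeholder names (domain.com, domain.local, the zimbra@domain.local service account and its password PassworD), checks the search base and filter for the kind of typo that silently breaks provisioning, warns when the bind would go over plaintext LDAP, verifies the bind with ldapsearch when that tool is installed, and then prints or applies the equivalent zmprov commands.

```shell
#!/bin/sh
# Pre-flight check for Zimbra auto-provisioning against AD.
# Added example, not part of the original article or of Zimbra.
# Hostnames, bind account and password are the article's placeholders.

ZDOMAIN="domain.com"                 # Zimbra domain being configured
AD_HOST="domain.local"               # AD domain name / domain controller
AD_PORT="389"                        # 389 = single DC, 3268 = Global Catalog
AD_TLS="none"                        # none | starttls | ldaps
AD_BIND_DN="zimbra@domain.local"     # service account for the search bind
AD_BIND_PW="PassworD"
AD_BASE="ou=User,dc=domain,dc=local" # search base
AD_FILTER="(samAccountName=%u)"      # %u = login typed by the user

# Build the LDAP URL; ldaps:// needs port 636 (3269 for the Global Catalog).
ldap_url() {
    # $1 host, $2 port, $3 tls mode
    case "$3" in
        ldaps) printf 'ldaps://%s:%s\n' "$1" "$2" ;;
        *)     printf 'ldap://%s:%s\n'  "$1" "$2" ;;
    esac
}

# Value for zimbraAutoProvLdapStartTlsEnabled given the TLS mode.
starttls_flag() {
    [ "$1" = "starttls" ] && echo TRUE || echo FALSE
}

# Succeeds only when '(' and ')' are balanced. A stray parenthesis in the
# search base or filter makes every LDAP search fail with a syntax error.
balanced_parens() {
    opens=$(printf '%s' "$1" | tr -cd '(')
    closes=$(printf '%s' "$1" | tr -cd ')')
    [ "${#opens}" -eq "${#closes}" ]
}

# The LAZY-mode filter must reference the login (%u or %n); otherwise every
# login matches the same directory entry.
filter_has_placeholder() {
    case "$1" in
        *%u*|*%n*) return 0 ;;
        *)         return 1 ;;
    esac
}

# True when the bind password is protected in transit.
tls_in_use() {
    # $1 ldap URL, $2 StartTLS flag (TRUE/FALSE)
    case "$1" in
        ldaps://*) return 0 ;;
        *)         [ "$2" = "TRUE" ] ;;
    esac
}

# Static checks: print findings, return 1 on a hard error (warnings do not fail).
preflight() {
    rc=0
    url=$(ldap_url "$AD_HOST" "$AD_PORT" "$AD_TLS")
    balanced_parens "$AD_BASE"   || { echo "ERROR: unbalanced parentheses in search base: $AD_BASE"; rc=1; }
    balanced_parens "$AD_FILTER" || { echo "ERROR: unbalanced parentheses in search filter: $AD_FILTER"; rc=1; }
    filter_has_placeholder "$AD_FILTER" || { echo "ERROR: filter has no %u/%n placeholder: $AD_FILTER"; rc=1; }
    tls_in_use "$url" "$(starttls_flag "$AD_TLS")" || echo "WARNING: $url without TLS sends the bind password in clear text"
    return $rc
}

# Live check: bind as the service account and read the search base entry.
bind_test() {
    command -v ldapsearch >/dev/null 2>&1 || { echo "ldapsearch not found, skipping bind test"; return 0; }
    url=$(ldap_url "$AD_HOST" "$AD_PORT" "$AD_TLS")
    tlsopt=""; [ "$AD_TLS" = "starttls" ] && tlsopt="-ZZ"
    # -w exposes the password in the process list; prefer -y <file> in production.
    ldapsearch -x $tlsopt -H "$url" -D "$AD_BIND_DN" -w "$AD_BIND_PW" \
        -b "$AD_BASE" -s base '(objectClass=*)' dn >/dev/null
}

# Print the zmprov commands equivalent to the article's configuration.
emit_zmprov() {
    url=$(ldap_url "$AD_HOST" "$AD_PORT" "$AD_TLS")
    cat <<EOF
zmprov md $ZDOMAIN zimbraAutoProvMode LAZY
zmprov md $ZDOMAIN zimbraAutoProvAuthMech LDAP
zmprov md $ZDOMAIN zimbraAutoProvLdapURL "$url"
zmprov md $ZDOMAIN zimbraAutoProvLdapStartTlsEnabled $(starttls_flag "$AD_TLS")
zmprov md $ZDOMAIN zimbraAutoProvLdapAdminBindDn "$AD_BIND_DN"
zmprov md $ZDOMAIN zimbraAutoProvLdapAdminBindPassword "$AD_BIND_PW"
zmprov md $ZDOMAIN zimbraAutoProvLdapSearchBase "$AD_BASE"
zmprov md $ZDOMAIN zimbraAutoProvLdapSearchFilter "$AD_FILTER"
zmprov md $ZDOMAIN zimbraAutoProvAccountNameMap sAMAccountName
zmprov md $ZDOMAIN +zimbraAutoProvAttrMap "sn=sn" +zimbraAutoProvAttrMap "givenName=givenName" +zimbraAutoProvAttrMap "cn=displayName" +zimbraAutoProvAttrMap "description=description" +zimbraAutoProvAttrMap "zimbraMailAlias=mail"
zmprov fc domain $ZDOMAIN
EOF
}

# Usage: sh autoprov-check.sh check   (static checks + bind test)
#        sh autoprov-check.sh apply   (checks, then run the commands as zimbra)
case "${1:-}" in
    check) preflight && bind_test ;;
    apply) preflight && bind_test && su - zimbra -c "$(emit_zmprov)" ;;
esac
```

Run it with `check` first and fix every ERROR line before `apply`. Instead of the article's `zmcontrol restart`, the generated commands end with `zmprov fc domain`, which flushes the cached domain entry so the mailbox server re-reads the changed zimbraAutoProv* attributes; a restart also works but interrupts service.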

After completing these steps, your users will be able to log into their mail on the Zimbra server with their AD username/password pair, which greatly simplifies the management of the company's IT infrastructure.

Source: https://habr.com/ru/post/437240/