How to integrate Zimbra Collaboration Suite with Active Directory

    Many enterprises, especially in the CIS, already have an established IT infrastructure, which often uses a tool like Microsoft's Active Directory to manage and authenticate users. And often in such enterprises, when they begin to plan the implementation of the Zimbra Collaboration Suite, the question arises whether ZCS can fit into their infrastructure normally and use Microsoft AD for user authentication? Well, Zimbra is quite capable of working in conjunction with Active Directory and now we will talk about how to achieve this.

    image

    So, suppose that in the infrastructure of your enterprise Active Directory is located on the domain.local domain , and Zimbra is supposed to be installed on the mail.domain.com domain . In the process of integrating Zimbra and Active Directory, we will connect AD as an external LDAP for ZCS and therefore we recommend that you immediately ban users from changing their password themselves. Also note that to verify the success of the integration of Zimbra and Active Directory, on the server with AD it is recommended to have at least one account with a known login / password pair to verify the success of connecting two information systems.

    AD to ZCS is connected to the Zimbra administration console at mail.domain.com : 7071 / zimbraAdmin /. Here we have to select the Configure item in the left sidebar, and then the Domains sub-item. In the list of domains, now we need to select the one that we will use in conjunction with AD, and by clicking on the selected domain right mouse button, select the item “Configure Authentification”. After that, the external LDAP settings dialog will appear on the screen, in which we will “befriend” Zimbra with AD.

    On the Authentification Mode page, select “External Active Directory”, then on the Authentification Settings page, enter information about the server with AD. You will be required to enter the domain name, ip-address of the server and the port through which access to AD is provided, and the next page, entitled LDAP Bind, is suggested to be left blank.

    image

    In the Authentification Config Summary window, you can verify that Zimbra has successfully connected to AD by entering the correct login / password pair of any user. In case the connection is successful, Zimbra will automatically calculate the Bind DN for this user. You can then leave the External Group Settings and Domain Configuration Complete pages as they are. This completes the integration of Zimbra with AD and we can only create existing users from AD in Zimbra for successful synchronization between information systems.

    With a small number of accounts, you can do it manually, but if there are really a lot of accounts, it will be best to automate this process using the Auto-provisioning function. To do this, we need to go to the Zimbra server and perform a number of manipulations on the command line there:

    su zimbra
    zmprov md domain.com zimbraAutoProvMode LAZY
    zmprov md domain.com zimbraAutoProvLdapURL "ldap://domain.local:389"
    zmprov md domain.com zimbraAutoProvLdapStartTlsEnabled FALSE
    zmprov md domain.com zimbraAutoProvLdapAdminBindDn "zimbra@domain.local"
    zmprov md domain.com zimbraAutoProvLdapAdminBindPassword PassworD
    zmprov md domain.com zimbraAutoProvLdapSearchBase "ou=User,dc=domain,dc=local)"
    zmprov md domain.com zimbraAutoProvLdapSearchFilter "(samAccountName=%u)"
    zmprov md domain.com zimbraAutoProvLdapBindDn "%u@%d"
    zmprov md domain.com zimbraAutoProvAccountNameMap sAMAccountName
    zmprov md domain.com +zimbraAutoProvAttrMap "sn=sn" +zimbraAutoProvAttrMap "description=description" +zimbraAutoProvAttrMap "cn=displayName" +zimbraAutoProvAttrMap "givenName=givenName" +zimbraAutoProvAttrMap "zimbraMailAlias=mail"
    zmprov md domain.com zimbraAutoProvNotificationFromAddress admin@domain.com
    zmprov md domain.com zimbraAutoProvNotificationSubject "Мы рады приветствовать вас на борту нашего почтового сервера"
    zmprov md domain.com zimbraAutoProvNotificationBody "Ваш аккаунт был создан автоматически. Ознакомьтесь с инструкцией по работе с электронной почтой, перейдя по данной ссылке"
    zmprov md domain.com zimbraAutoProvBatchSize 20
    zmprov md domain.com zimbraAutoProvAuthMech LDAP
    zmcontrol restart

    With this configuration, the user account will be automatically created on the Zimbra server when you first try to log into the web client using the existing login / password pair. Note that in some cases, in order for the auto-configuration to work correctly, it may be necessary to change the port number from 389 to 3268.

    After all these steps have been completed, your users can log in to their mail on the server from Zimbra using the login / password pair from AD, which will greatly simplify IT management. enterprise infrastructure

    Also popular now: