Is it possible to store Zimbra users in an external LDAP server? - ldap

Our system is using an LDAP server (OUD) and we're bringing Zimbra into the system. However, Zimbra uses its own default LDAP server (OpenLDAP). That is painful, with two LDAP servers storing the same user information.
Is there any way for Zimbra to store its users in an external LDAP server?
Many thanks

Nope, Zimbra needs its own internal LDAP server. The Zimbra LDAP server stores user accounts, Classes of Service, global settings and server configuration.
The best practice is to manage user accounts in an external LDAP server (OpenLDAP, Active Directory...) and then sync data between the external LDAP and Zimbra's internal LDAP. There are many scripts on the Internet you'll find to do that.
You can also configure "Delegated Auth": Zimbra will validate user authentication against your external LDAP server and not the internal LDAP (unless you activate the fallback). The point is to manage user passwords in your external LDAP server, so users won't be confused.
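The two halves of that answer (a sync of accounts into Zimbra's LDAP, plus delegated authentication so the password stays in the external directory) as an added, runnable example; this is not Zimbra's tooling or a script from the answer. It assumes the external directory has already been queried (the entries are constructed inline), that the Zimbra domain is example.com, and that the external LDAP URL and bind DN are placeholders. The zmprov subcommands and the zimbraAuth* attribute names are Zimbra's; check them against your version's documentation before running the emitted commands.

```python
"""Dry-run planner: which accounts to add to Zimbra, which to lock, and the
domain settings for delegated auth. Emits zmprov commands for review."""
import secrets

DOMAIN = "example.com"  # assumed Zimbra domain

# Constructed sample: entries as returned by the external LDAP (OUD)
EXTERNAL_USERS = [
    {"uid": "alice", "cn": "Alice Adams", "mail": "alice@example.com"},
    {"uid": "bob", "cn": "Bob Brown", "mail": "bob@example.com"},
    {"uid": "carol", "cn": "Carol Clark", "mail": "carol@example.com"},
]

# Constructed sample: what `zmprov gaa example.com` currently lists
ZIMBRA_ACCOUNTS = ["alice@example.com", "dave@example.com"]


def plan_sync(external, zimbra_accounts, domain=DOMAIN):
    """Return (to_create, stale): mailboxes missing from Zimbra, and Zimbra
    accounts that no longer exist in the external directory."""
    wanted = {u["mail"] for u in external if u["mail"].endswith("@" + domain)}
    have = set(zimbra_accounts)
    return sorted(wanted - have), sorted(have - wanted)


def shell_quote(value):
    """Single-quote a value so it is passed to zmprov as one literal word."""
    return "'" + value.replace("'", "'\\''") + "'"


def zmprov_commands(external, zimbra_accounts, domain=DOMAIN):
    """Commands for the plan. Stale accounts are locked, not deleted, so a
    transient directory outage cannot destroy mailboxes."""
    by_mail = {u["mail"]: u for u in external}
    create, stale = plan_sync(external, zimbra_accounts, domain)
    cmds = []
    for mail in create:
        user = by_mail[mail]
        # With delegated auth the local password is never checked, so a
        # random throw-away value is set and discarded.
        password = secrets.token_urlsafe(24)
        cmds.append(f"zmprov ca {shell_quote(mail)} {shell_quote(password)} "
                    f"displayName {shell_quote(user['cn'])}")
    for mail in stale:
        cmds.append(f"zmprov ma {shell_quote(mail)} zimbraAccountStatus locked")
    return cmds


def delegated_auth_commands(domain, ldap_url, search_base, bind_dn,
                            search_filter="(uid=%u)"):
    """Domain-level delegated auth: Zimbra binds as bind_dn, finds the user
    with search_filter (%u = local part), then binds as that user with the
    password the user typed. zimbraAuthFallbackToLocal FALSE is the
    "fallback" the answer refers to; leaving it TRUE lets a stale local
    password still log in."""
    return [
        f"zmprov md {domain} zimbraAuthMech ldap",
        f"zmprov md {domain} zimbraAuthLdapURL {shell_quote(ldap_url)}",
        f"zmprov md {domain} zimbraAuthLdapSearchBase {shell_quote(search_base)}",
        f"zmprov md {domain} zimbraAuthLdapSearchFilter {shell_quote(search_filter)}",
        f"zmprov md {domain} zimbraAuthLdapSearchBindDn {shell_quote(bind_dn)}",
        f"zmprov md {domain} zimbraAuthFallbackToLocal FALSE",
    ]


if __name__ == "__main__":
    for cmd in zmprov_commands(EXTERNAL_USERS, ZIMBRA_ACCOUNTS):
        print(cmd)
    # Placeholder URL and DNs; replace with your OUD values.
    for cmd in delegated_auth_commands(DOMAIN, "ldap://oud.example.com:389",
                                       "ou=people,dc=example,dc=com",
                                       "cn=zimbra-ro,ou=service,dc=example,dc=com"):
        print(cmd)
```

The planner only prints; feeding its output to a shell is a deliberate second step so an operator can spot a mass-lock caused by an empty or partial directory search before anything runs. The bind password for zimbraAuthLdapSearchBindPassword is intentionally not emitted on a command line.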

Related

Can Keycloak provide alternative authentication if LDAP is down

Let's say I want to have keycloak synced with the LDAP and use it as the source for authentication. (I've managed to do this already)
But is there a way to let the keycloak be itself the identity provider if, for some reason, the LDAP connection is down?
First you should avoid LDAP going down by setting up HA, using HAProxy and keepalived for example. As for Keycloak, you can disable "Sync Registrations" in your Keycloak LDAP IDP and create users using the admin interface. These users are stored in Keycloak's local database and not in the LDAP, so even if it goes down those users can still get access to Keycloak.
Refer to https://www.janua.fr/understanding-keycloak-user-federation/ for more details.
I managed to create a custom LDAP Storage Provider to do this.
Check How to create a custom UserStorageSPI on Keycloak

MarkLogic LDAP - assigning an external name to a role not working

I am using MarkLogic version 8.04 on CentOS 6. I am trying to do external authentication/authorization using LDAP.
I've created an external security authentication object:
name ldap-config-simple
authentication ldap
authorization ldap
ldap server url ldap://<my server address>:389
ldap base ou=<mycompany>,dc=<info>,dc=<my org>
ldap attribute sAMAccountName
ldap default user cn=<user id>,ou=xxxx,ou=yyyyy,dc=<info>,dc=<my org>
ldap bind method simple
and associated it with an HTML App server (here are the pertinent settings):
authentication basic
internal security true
external security ldap-config-simple
And I have associated an LDAP group to a role (here are the pertinent settings):
external name cn=marklogic,ou=groups,dc=<info>,dc=<my org>
The problem is that authentication fails when I try to access the App server using my LDAP user. The log for the external LDAP server shows that the search string that MarkLogic sends looks like this:
(member=cn=marklogic,ou=groups,dc=<info>,dc=<my org>)
But the LDAP server is expecting the search to be:
(memberOf=cn=marklogic,ou=groups,dc=<info>,dc=<my org>)
The LDAP Server admin assures me that "memberOf" is the accepted standard for this type of query. We are using an OpenLDAP server - it is a pretty standard LDAP installation. Is there a way to have MarkLogic send "memberOf=" for the search rather than "member=" ?
Note that I was able to authenticate with my LDAP user ID through the App Server when I associated my user's DN in the LDAP server to a configured MarkLogic user. But I would prefer to use the Role based authentication since that puts the access controls in the LDAP server.
Any help appreciated.
Answering my own question. It is working now with the configuration above - although I didn't make any changes. MarkLogic support told me that a previous configuration may have been cached. In the process of debugging this I did a network packet trace to see exactly what MarkLogic was sending and it looks like it actually requests both the "memberOf" and "member" groups - I guess the LDAP admin only saw the latter in the logs.
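The two search strings in this thread describe the same membership from opposite ends: `(member=...)` is evaluated on the group entry, `(memberOf=...)` on the user entry (OpenLDAP only populates memberOf when the memberof overlay is loaded). The following added example, not MarkLogic's code or anything from the thread, runs both directions over a constructed in-memory tree and also shows RFC 4515 escaping of the value spliced into the filter, which is the check a practitioner wants whenever a login name or DN from outside ends up inside a search string. All DNs and names are constructed.

```python
"""Group-membership filters in both directions over a constructed directory,
with RFC 4515 value escaping and a minimal equality/AND/OR filter evaluator."""
import re

# RFC 4515: these characters must be hex-escaped inside an assertion value
_ESCAPE = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

GROUP_DN = "cn=marklogic,ou=groups,dc=example,dc=com"
ALICE_DN = "uid=alice,ou=people,dc=example,dc=com"
BOB_DN = "uid=bob,ou=people,dc=example,dc=com"
EVE_DN = "uid=eve,ou=people,dc=example,dc=com"

# Constructed sample tree: a groupOfNames with member DNs, and users carrying
# memberOf as the OpenLDAP memberof overlay would maintain it.
DIRECTORY = [
    {"dn": [GROUP_DN], "objectClass": ["groupOfNames"],
     "member": [ALICE_DN, BOB_DN]},
    {"dn": [ALICE_DN], "objectClass": ["person"],
     "sAMAccountName": ["alice"], "memberOf": [GROUP_DN]},
    {"dn": [BOB_DN], "objectClass": ["person"],
     "sAMAccountName": ["bob"], "memberOf": [GROUP_DN]},
    {"dn": [EVE_DN], "objectClass": ["person"],
     "sAMAccountName": ["eve"], "memberOf": []},
]


def escape_filter_value(value):
    """Escape a value before placing it in a filter; a '*' from a login form
    must match the literal character, not act as a wildcard."""
    return "".join(_ESCAPE.get(ch, ch) for ch in value)


def _unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})",
                  lambda m: chr(int(m.group(1), 16)), value)


def _split_top_level(text):
    """Split "(a)(b)" into ["(a)", "(b)"], honouring nesting."""
    parts, depth, start = [], 0, 0
    for i, ch in enumerate(text):
        if ch == "(":
            if depth == 0:
                start = i
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                parts.append(text[start:i + 1])
    return parts


def matches(entry, flt):
    """Evaluate an equality filter, or an & / | of them, against an entry
    whose attributes are lists. Comparison is case-insensitive, as for the
    caseIgnore matching rules DNs and names normally use."""
    inner = flt[1:-1]
    if inner[0] in "&|":
        results = [matches(entry, sub) for sub in _split_top_level(inner[1:])]
        return all(results) if inner[0] == "&" else any(results)
    attr, _, value = inner.partition("=")
    wanted = _unescape(value).lower()
    return any(v.lower() == wanted for v in entry.get(attr, []))


def search(flt):
    """Return the DNs of all entries matching the filter."""
    return [e["dn"][0] for e in DIRECTORY if matches(e, flt)]


def groups_of_user(user_dn):
    """Group side: which groups list this DN as a member."""
    return search(f"(&(objectClass=groupOfNames)(member={escape_filter_value(user_dn)}))")


def users_in_group(group_dn):
    """User side: which users carry this group in memberOf."""
    return search(f"(&(objectClass=person)(memberOf={escape_filter_value(group_dn)}))")


def user_by_login(login):
    """The sAMAccountName lookup from the question, with the value escaped."""
    return search(f"(&(objectClass=person)(sAMAccountName={escape_filter_value(login)}))")


if __name__ == "__main__":
    print(groups_of_user(ALICE_DN))
    print(users_in_group(GROUP_DN))
    print(user_by_login("alice"), user_by_login("*"))
```

Against a live server the same filters go to ldapsearch; the point of the in-memory evaluator is to make visible that `(member=<user DN>)` and `(memberOf=<group DN>)` agree on the same data, so a trace showing either one is not by itself a misconfiguration.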

External authentication via LDAP

I am doing external authentication using LDAP. I have to authenticate a user via LDAP and allow the user to access many app servers. I want to know how to map all the LDAP users (users in the LDAP server, example: ldap://company1.local:389) with users in the database. I have created an external configuration object and assigned it to a new HTTP server with application-level authentication. I don't want to store LDAP user passwords in the database. Do I have to create all users (the same as in Active Directory) in the database with some password and map them?
Yes, it's possible to configure ML to use external authentication via LDAP:
http://docs.marklogic.com/guide/security/external-auth

Enabling both authentication methods LDAP and External User in ownCloud

Can we enable both authentication methods, LDAP and External User, in ownCloud?
We have two types of users, internal and external.
For internal users we want to configure LDAP, and
for external users we want to configure External User IMAP.
Please reply: can we do this?

How to create an LDAP user with restricted rights to LDAP

I would like to create a user similar to admin, but with restricted privs. The user would be able to create/read/delete objects under a certain DN in the directory, but not others.
Typically, the native server providing the LDAP service has an ACL model.
Within that system, you can create users with appropriate trustee rights/ACLs.
For example, in eDirectory, you would grant this new user object BCRDI rights to the container of interest, then have your LDAP app authenticate as that user.
In Active Directory you can do the same thing.
In OpenLDAP you can do the same thing.
The specific details depend on the server providing the LDAP service. (I, like others, hate saying "LDAP server", since really they are not LDAP servers. They are offering an LDAP service on top of whatever database they store objects in.)
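For the OpenLDAP case mentioned in the answer, the following is an added example of the native ACL, not something from the answer: one service account gets create/read/delete rights under a single subtree and nothing elsewhere. The database DN (olcDatabase={1}mdb), the subtree and the service account DN are assumed; adjust them to your cn=config.

```ldif
# Added example (not from the answer): limit cn=app-admin to ou=apps.
# {0} inserts this rule ahead of the existing ones; slapd stops at the first
# "to" clause that matches the target entry, so a catch-all like
# "to * by * read" placed earlier would shadow it.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to dn.subtree="ou=apps,dc=example,dc=com"
  by dn.exact="cn=app-admin,ou=service,dc=example,dc=com" write
  by * none
```

Apply it over the local socket as the config admin with `ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f restrict-app-admin.ldif`, then test with an `ldapsearch -D cn=app-admin,... -W` inside and outside ou=apps. Two caveats: `write` on the subtree covers the `entry` and `children` pseudo-attributes, which is what add and delete of entries need; and `by * none` ends evaluation for every other identity, so keep user entries that must bind (and the usual `to attrs=userPassword ... by anonymous auth` rule) outside that subtree. The rootdn is not subject to olcAccess at all, which is exactly why a dedicated, scoped account like this is preferable to sharing it.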