How to migrate from AD to LDAP when using Zimbra

This year marks exactly 20 years since the world first saw Microsoft's Active Directory. As an implementation of LDAP and Kerberos, AD became the link that tied all Microsoft products into a single ecosystem. However, after 20 years, IT managers are increasingly aware of the disadvantages of having almost all of an enterprise's business processes tied, in one way or another, to the software products of a single corporation.



Numerous incidents, from scandals over the surveillance of users and refusals to localize accumulated personal data to tensions between the US and Russia, have served as wake-up calls that made the country's IT managers wonder whether they really control their enterprise infrastructure, and what would happen to it if one day Microsoft products suddenly became unavailable in our country because of sanctions.






The answer to these questions is not encouraging, because by deploying their infrastructure on software from a single supplier, IT managers have in effect put all their eggs in one basket. And while several years ago this basket seemed fairly sturdy, it no longer makes such an impression. That is why a steady trend has appeared in the country toward replacing at least individual nodes of the infrastructure, if not migrating all of it, with free solutions whose use eliminates the risks above.



Among the first candidates for replacement, of course, is the collaboration system, because it stores the most critical information of any modern company, and the system itself is extremely important for the normal functioning of the enterprise. Zimbra Collaboration Suite Open-Source, extended with Zextras Suite, is an excellent candidate for replacing the mail server. This solution not only has broad functionality, but is also more economical in terms of total cost of ownership and is free from licensing risks. In addition, as we already wrote, Zimbra Collaboration Suite can integrate with Microsoft AD, which means it fits perfectly into the existing infrastructure of the enterprise.



However, once the majority of enterprise nodes have been replaced one by one with free analogues, the question of replacing Active Directory will certainly come onto the agenda. There are many analogues of this solution, but abandoning AD necessarily entails reconfiguring the other information systems that were set up to work specifically with AD. Let's see what changes need to be made to a Zimbra installation configured to work with Active Directory in order to remove the integration between these two systems.



If you set up the integration of Zimbra with AD and the auto-provisioning of accounts according to our instructions, the procedure for disabling it will largely repeat the steps you have already completed. Only this time you need to decide what will be used instead of AD: it can be any other external LDAP server, or the LDAP server built into Zimbra.



The second option is much easier to implement but more labor-intensive to support. Since all users already exist in Zimbra's LDAP, you do not have to install and connect an external LDAP server again, or enable auto-provisioning of accounts in Zimbra Collaboration Suite. To do this, just select the Configure item in the left-hand panel of the Zimbra admin console, then the Domains sub-item. In the list of domains, select the one we will use, right-click the selected domain, choose "Configure Authentication" and switch the authentication method to "Internal". If you select this authentication method, no further settings are required.



Although Zimbra LDAP is essentially an LDAP server, a number of restrictions were built into it for security reasons, so it does not support some authentication methods; as a result, you may be able to use it for authentication in some applications and fail in other applications and services in the enterprise. Exposing Zimbra LDAP to the Internet is also an extremely bad idea. That is why, if you do not make Zimbra LDAP the primary directory in the enterprise but continue to use Zimbra with its integrated LDAP, you will have to add and delete users manually, as well as manage their passwords manually. For information on how to do this, see our article on password security policies in Zimbra.



The first option is to deploy a separate full-featured LDAP server in the enterprise and configure authentication in Zimbra against the data stored in it. There are many options for such an LDAP server, so we will consider the configuration process using Zentyal LDAP as a free solution.



Let the Zentyal server be located on the enterprise's local network at 192.168.1.100, while the Zimbra server has the FQDN mail.company.ru. As in the previous case, to configure authentication via an external LDAP server we go to the Zimbra administration console. Here, in the left-hand panel, select Configure, then the Domains sub-item. In the list of domains, select the one we will use, right-click the selected domain, choose "Configure Authentication" and switch the authentication method to "External LDAP". Here we need to specify the following data:





After that, you need to test authentication through Zentyal LDAP. To do this, create a user in Zimbra that also exists in Zentyal LDAP and try to log in to the web interface. If the password is correct, the login will succeed; if the entered password does not match what is stored in LDAP, a login error will occur.



In order to automatically create users in Zimbra, you need to run several commands:



# Enable LAZY auto-provisioning for the domain (accounts are created on first successful login)
zmprov md company.ru zimbraAutoProvMode LAZY
# Not in the original listing: in LAZY mode an account is only created for logins that pass through the auth mechanism named here
zmprov md company.ru zimbraAutoProvAuthMech LDAP
# Zentyal LDAP server and the account Zimbra binds with to search the directory
zmprov md company.ru zimbraAutoProvLdapURL ldap://192.168.1.100:390
zmprov md company.ru zimbraAutoProvLdapAdminBindDn "cn=admin,dc=company,dc=ru"
zmprov md company.ru zimbraAutoProvLdapAdminBindPassword "********"
# Search filter (%u is replaced with the login name) and the subtree to search; the original had a doubled "((memberof=...))", which is not a valid filter
zmprov md company.ru zimbraAutoProvLdapSearchFilter "(&(|(objectclass=inetOrgPerson)(memberof=cn=mail,ou=Groups,dc=company,dc=ru))(uid=%u))"
zmprov md company.ru zimbraAutoProvLdapSearchBase "ou=Users,dc=company,dc=ru"
# Map LDAP attributes to Zimbra account attributes ("+" appends a value to the multi-valued attribute)
zmprov md company.ru +zimbraAutoProvAttrMap description=description +zimbraAutoProvAttrMap cn=displayName +zimbraAutoProvAttrMap givenName=givenName +zimbraAutoProvAttrMap sn=sn
# Restart Zimbra services so the new settings take effect
zmcontrol restart





After this, on the first successful login to the Zimbra mailbox with a user name and password stored in LDAP, the account will be created automatically, which saves the administrator from having to create users in Zimbra manually.
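As an added check that is not part of the original article: the POSIX shell script below expands a Zimbra LDAP search-filter template the way Zimbra does (%u, %n and %d are Zimbra's documented placeholders) and verifies that the resulting filter is structurally sound, so a stray or doubled parenthesis is caught before the value is stored with zmprov and every login starts failing. The login name, server address and bind DN are constructed sample values, and the ldapsearch command it prints assumes the OpenLDAP client tools are installed.

```shell
#!/bin/sh
# Added example, not from the original article. Expands a Zimbra LDAP filter
# template and checks it before it is stored with zmprov. Sample values
# (login name, server address, bind DN) are constructed for illustration.

# Substitute Zimbra's placeholders: %u = login without domain, %n = full
# login, %d = domain part. Values are assumed to contain no sed metacharacters.
expand_filter() {
    template="$1"; login="$2"
    user="${login%%@*}"
    domain="${login#*@}"
    printf '%s' "$template" | sed -e "s/%u/$user/g" -e "s/%n/$login/g" -e "s/%d/$domain/g"
}

# Return 0 when the filter is structurally sound: the number of '(' equals the
# number of ')', and no assertion is wrapped in a doubled "((...))", which
# RFC 4515 syntax does not allow (only &, | and ! may follow "((").
filter_balanced() {
    if printf '%s' "$1" | grep -Eq '\(\([^&|!]'; then
        return 1
    fi
    opens=$(( $(printf '%s' "$1" | tr -cd '(' | wc -c) ))
    closes=$(( $(printf '%s' "$1" | tr -cd ')' | wc -c) ))
    [ "$opens" -eq "$closes" ]
}

# Build the ldapsearch command that reproduces Zimbra's lookup for one user
# against the Zentyal server, so the filter can be tested outside Zimbra.
# $1 = template, $2 = login, $3 = LDAP URL, $4 = bind DN, $5 = search base
ldapsearch_cmd() {
    filter=$(expand_filter "$1" "$2")
    printf "ldapsearch -x -H '%s' -D '%s' -W -b '%s' '%s' uid mail\n" "$3" "$4" "$5" "$filter"
}

# Usage with the article's domain layout; the filter is the corrected one.
TEMPLATE='(&(|(objectclass=inetOrgPerson)(memberof=cn=mail,ou=Groups,dc=company,dc=ru))(uid=%u))'
if filter_balanced "$TEMPLATE"; then
    ldapsearch_cmd "$TEMPLATE" 'jdoe@company.ru' 'ldap://192.168.1.100:390' \
        'cn=admin,dc=company,dc=ru' 'ou=Users,dc=company,dc=ru'
else
    echo "filter has unbalanced or doubled parentheses; fix it before running zmprov" >&2
fi
```

Run the printed ldapsearch command on the Zimbra host before enabling auto-provisioning: an empty result for a user who exists in Zentyal means the filter or the search base is wrong, not the password.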



Thus, Zimbra Open-Source Edition works perfectly not only with AD but with any other LDAP server, which on the one hand makes it usable in any IT infrastructure and on the other hand allows you to migrate quickly from proprietary software to free software and back without any loss of functionality. In addition, the full-featured Zimbra web client lets users access it from any platform.



For all questions related to the Zextras Suite, you can contact the representative of the company "Zextras" Katerina Triandafilidi by e-mail katerina@zextras.com


