LDAP

LDAP#

The Mesh and Directory Role, which installs an OpenLDAP service, is used by Carbonio for user authentication and account management.

Carbonio supports three authentication mechanisms. The authentication type can be set independently for each domain defined in the Carbonio infrastructure.

  1. Local LDAP. The internal authentication method uses the LDAP service running on the Carbonio node where the Directory Server Role is installed.

  2. External LDAP. The external LDAP authentication method lets Carbonio verify users against an LDAP server, possibly external to the Carbonio infrastructure, using the username and password stored in that directory.

  3. External Active Directory. The external Active Directory authentication method uses Microsoft Active Directory for authentication and Carbonio's Directory Server services for all other operations.

Both External LDAP and External Active Directory require that the users exist on both servers: the account is provisioned on Carbonio, while the password is verified by the external directory. Please refer to Section External LDAP for configuration details.

When an external authentication method is configured for a domain, it is used by default and local authentication serves as a fallback.

Local LDAP#

The default authentication method is local LDAP. This method does not require any specific configuration other than the installation of the Mesh and Directory Role according to the procedure described in the documentation.

External LDAP#

To illustrate how an external LDAP source works in Carbonio, we build on the following scenario.

Scenario
  • Define on Carbonio the domain authentication.example.com

  • On an external LDAP server at 172.24.0.10, a domain called external_ldap.com exists

    Note

    This external source can also be another Carbonio installation.

  • On the external LDAP server a dedicated user exists that will be used for the LDAP bind (for example service.ldap@external_ldap.com with password a_strong_pwd!). This account only needs read access to the user entries: its password is saved in the domain configuration on Carbonio and is readable by Carbonio administrators, so do not reuse an administrative account of the external server.

Our goal is to have the users of the authentication.example.com domain authenticate with the passwords of the corresponding external_ldap.com accounts defined on the external LDAP server.

On Carbonio, configure the authentication.example.com domain for authentication against the external LDAP server with the command below. Replace the scenario values with the actual values of your infrastructure!

zextras$ carbonio prov md authentication.example.com \
  zimbraAuthMech ldap \
  zimbraAuthLdapURL "ldap://172.24.0.10:389" \
  zimbraAuthLdapSearchBase "ou=people,dc=external_ldap,dc=com" \
  zimbraAuthLdapSearchBindDn "uid=service.ldap,ou=people,dc=external_ldap,dc=com" \
  zimbraAuthLdapSearchBindPassword "a_strong_pwd!" \
  zimbraAuthLdapSearchFilter "uid=%u"

zimbraAuthMech ldap switches the domain from the local mechanism (its default value is zimbra) to the external LDAP one; without it the other attributes are stored but not used. In the search filter, %u is replaced with the local part of the login name (user1 for user1@authentication.example.com), so Carbonio binds as the service account, searches the base for that uid and then binds as the entry it found with the password the user typed.

Note

The URL uses plain ldap:// on port 389, so the service password and every user password cross the network in clear text. In production use ldaps:// (or StartTLS) and make sure Carbonio trusts the certificate of the external server.

Create three test accounts on the external LDAP domain with username and password:

user1@external_ldap.com password1
user2@external_ldap.com password2
user3@external_ldap.com password3

Finally, create the three matching accounts on Carbonio, leaving the password argument empty:

zextras$ carbonio prov ca user1@authentication.example.com ""
zextras$ carbonio prov ca user2@authentication.example.com ""
zextras$ carbonio prov ca user3@authentication.example.com ""

Warning

Do not set any password in these commands: the empty string is intentional, because the password is verified by the external LDAP server, not by Carbonio.

If all the steps have been performed correctly, each of the three accounts can log in to Carbonio with the password defined for the corresponding user on the external LDAP server. Before involving users, the bind DN, base and filter can be checked from any host with the OpenLDAP client tools: ldapsearch -H ldap://172.24.0.10:389 -D "uid=service.ldap,ou=people,dc=external_ldap,dc=com" -W -b "ou=people,dc=external_ldap,dc=com" "(uid=user1)" must return exactly one entry for user1.
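The search-then-bind flow described above, as an added example (this is not Carbonio's or OpenLDAP's code). It models the external server with an in-memory stand-in built from the scenario values (the service account, user1..user3 and their passwords), so it runs offline, and it shows the three checks a safe implementation of this flow needs: the login name is escaped per RFC 4515 before it is placed in the filter, an empty password is refused before any bind (a DN with an empty password is an unauthenticated bind, which many servers accept), and a search that returns zero or several entries fails closed. The %d and %n placeholders, the class and function names and the two duplicate "dup" entries are assumptions of this example, not taken from the page.

```python
"""Search-then-bind flow of an external LDAP authenticator (added example,
not Carbonio's code). The directory is a constructed in-memory stand-in for
the server at 172.24.0.10; no network access is made."""
import re
from dataclasses import dataclass

# Domain settings mirroring the `carbonio prov md` command on this page.
AUTH_CONFIG = {
    "url": "ldap://172.24.0.10:389",            # prefer ldaps:// in production
    "search_base": "ou=people,dc=external_ldap,dc=com",
    "bind_dn": "uid=service.ldap,ou=people,dc=external_ldap,dc=com",
    "bind_password": "a_strong_pwd!",
    "search_filter": "uid=%u",
}

# RFC 4515 escapes for a value interpolated into a search filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    """Make an attacker-controlled login name safe inside a filter assertion."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def expand_search_filter(template: str, login: str) -> str:
    """Expand %u (local part), %d (domain) and %n (full login) in one pass,
    escaping each value first. %u follows the page's 'uid=%u'; %d and %n are
    assumptions of this example."""
    local, _, domain = login.partition("@")
    subs = {"%u": escape_filter_value(local),
            "%d": escape_filter_value(domain),
            "%n": escape_filter_value(login)}
    return re.sub(r"%[udn]", lambda m: subs[m.group(0)], template)


@dataclass
class Entry:
    dn: str
    attrs: dict


class StandInDirectory:
    """Constructed stand-in for the external server: equality filters only."""

    def __init__(self, entries, passwords):
        self.entries = entries        # list of Entry
        self.passwords = passwords    # dn -> password

    def bind(self, dn: str, password: str) -> bool:
        # RFC 4513 5.1.2: a DN with an empty password is an *unauthenticated*
        # bind, which many servers accept. Modelled deliberately so the
        # client-side guard in authenticate() has something to catch.
        if password == "":
            return True
        return self.passwords.get(dn) == password

    def search(self, base: str, flt: str):
        attr, _, raw = flt.partition("=")
        # Undo the \xx escapes so an escaped '*' is matched literally.
        value = re.sub(r"\\([0-9a-fA-F]{2})",
                       lambda m: chr(int(m.group(1), 16)), raw)
        return [e for e in self.entries
                if e.dn.endswith("," + base) and e.attrs.get(attr) == value]


def authenticate(directory, cfg, login: str, password: str):
    """Return (ok, detail) in the order an external-LDAP auth works:
    service bind -> search -> bind as the found DN with the user's password."""
    if password == "":
        return False, "empty password refused before contacting the server"
    if not directory.bind(cfg["bind_dn"], cfg["bind_password"]):
        return False, "service account bind failed"
    flt = expand_search_filter(cfg["search_filter"], login)
    hits = directory.search(cfg["search_base"], flt)
    if len(hits) != 1:                # zero or ambiguous matches both fail closed
        return False, f"expected one entry for {flt!r}, found {len(hits)}"
    if not directory.bind(hits[0].dn, password):
        return False, "user bind failed"
    return True, hits[0].dn


def _entry(uid: str) -> Entry:
    return Entry(f"uid={uid},{AUTH_CONFIG['search_base']}", {"uid": uid})


# Constructed sample directory: the page's three test users, the service
# account, and two entries sharing a uid (an ambiguity the flow must reject).
DIRECTORY = StandInDirectory(
    [_entry("service.ldap"), _entry("user1"), _entry("user2"), _entry("user3"),
     Entry("uid=dup,ou=people,dc=external_ldap,dc=com", {"uid": "dup"}),
     Entry("uid=dup,ou=other,ou=people,dc=external_ldap,dc=com", {"uid": "dup"})],
    {_entry("service.ldap").dn: "a_strong_pwd!",
     _entry("user1").dn: "password1",
     _entry("user2").dn: "password2",
     _entry("user3").dn: "password3"},
)

if __name__ == "__main__":
    for login, pw in [("user1@authentication.example.com", "password1"),
                      ("user1@authentication.example.com", ""),
                      ("*)(uid=*", "x"),
                      ("dup@authentication.example.com", "x")]:
        print(login, repr(pw), "->", authenticate(DIRECTORY, AUTH_CONFIG, login, pw))
```

The empty-password guard is the one to keep in mind when reading the warning above: the Carbonio accounts are created with no local password, and if a client ever forwarded an empty password to the external server as a bind, an unauthenticated bind could succeed without checking anything.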