Authentication Methods

The Mesh and Directory Role, which installs an OpenLDAP service, is employed by Carbonio for user authentication and account management.

Carbonio supports multiple authentication mechanisms. The authentication type can be set independently for each domain defined in the Carbonio infrastructure. Each mechanism can be managed from the CLI or the Carbonio Admin Panel; follow the cross references given to configure each of the methods.

  1. Carbonio. This is the default authentication method, which allows you to configure and use an external AD or an external LDAP, while the local LDAP is used as a fallback (although you can disable it). Additionally, you can secure authentication by defining SAML or 2FA. See SAML by CLI | GUI, 2FA by CLI | GUI (global) | GUI (domain).

  2. Local LDAP. The internal authentication method assumes that the LDAP scheme is running on the Carbonio server where the Directory Server Role is installed.

  3. External LDAP. The external LDAP authentication method allows you to connect to an LDAP server, possibly external to the Carbonio infrastructure, using a username and password existing in the external database. See how to configure it by CLI or by GUI.

  4. External Active Directory. The external Active Directory authentication method involves the use of Microsoft Active Directory services for authentication and Carbonio’s Directory Server services for all other transactions. See how to configure it by CLI or by GUI.

The main requirement of both External LDAP and External Active Directory is that users exist on both servers. Please refer to Sections External LDAP and External Active Directory respectively for configuration details.

Disable the Fallback Mechanism

Whenever an external authentication mechanism is active, the Carbonio local authentication serves as a fallback when the external one is not reachable. To prevent this behaviour and rely only on the external authentication, you need to explicitly set, for each domain, the attribute zimbraAuthFallbackToLocal to FALSE: as the zextras user, execute the following command, replacing example.com with the correct domain.

zextras$ carbonio prov md example.com zimbraAuthFallbackToLocal FALSE
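
Because the attribute is set per domain, a domain added later can easily be missed. The following audit script is an added example, not part of the Carbonio documentation: run as the zextras user, it lists every domain where zimbraAuthFallbackToLocal is not explicitly FALSE. It assumes that `carbonio prov gad` prints one domain per line and that `carbonio prov gd <domain> <attribute>` prints `attribute: value` lines, as the equivalent zmprov subcommands do; the names `PROV_CMD`, `fallback_value` and `audit_fallback` are hypothetical.

```shell
#!/bin/sh
# Added example: report domains that still allow fallback to local authentication.
# Assumption: `carbonio prov gad` lists one domain per line and
# `carbonio prov gd <domain> <attr>` prints "attr: value" lines.

# Command used to query the directory; overridable so the logic can be tested offline.
PROV_CMD=${PROV_CMD:-"carbonio prov"}

# Read `gd` output on stdin and print FALSE, TRUE or UNSET for the attribute.
fallback_value() {
    awk -F': *' '
        $1 == "zimbraAuthFallbackToLocal" {
            v = $2
            gsub(/[ \t\r]+$/, "", v)   # tolerate trailing blanks or CR
            v = toupper(v)
            found = 1
        }
        END { if (found) print v; else print "UNSET" }
    '
}

# Print "<domain> <value>" for each domain whose attribute is not explicitly FALSE.
# An unset attribute is reported too, since the page asks for an explicit FALSE.
# Exit status: 0 if every domain is FALSE, 1 if any domain was reported.
audit_fallback() (
    rc=0
    domains=$($PROV_CMD gad) || exit 2   # could not list domains
    for domain in $domains; do
        value=$($PROV_CMD gd "$domain" zimbraAuthFallbackToLocal | fallback_value)
        if [ "$value" != "FALSE" ]; then
            printf '%s %s\n' "$domain" "$value"
            rc=1
        fi
    done
    [ "$rc" -eq 0 ]
)
```

Calling `audit_fallback` from a scheduled job and alerting on a non-zero exit status catches domains created after the initial hardening.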