From frederic.nass at univ-lorraine.fr Fri Apr 26 10:55:57 2024
From: frederic.nass at univ-lorraine.fr (Frédéric Nass)
Date: Fri, 26 Apr 2024 10:55:57 +0200 (CEST)
Subject: [Users] If you can't log in to admin console anymore since 10.0.8...
Message-ID: <1386640880.294797.1714121757733.JavaMail.zimbra@univ-lorraine.fr>

Hello everyone,

For those having trouble logging in to the admin console after applying patch 10.0.8 (with a 'local' admin account not present in domain's external LDAP auth backend), you might want to set zimbraAuthFallbackToLocal to TRUE on the domain of the admin account, as https://github.com/Zimbra/zm-mailbox/commit/f8cda9897a26dcdf4a58d28de13c464afd1da331 (ZBUG-2859 missing in 10.0.8 release notes) changed the way things work.

Cheers,
Frédéric.

--
Frédéric Nass

Sous-direction Infrastructures et Services
Direction du Numérique
Université de Lorraine
Tél : +33 3 72 74 11 35

From info at barrydegraaff.nl Fri Apr 26 11:39:12 2024
From: info at barrydegraaff.nl (Barry de Graaff)
Date: Fri, 26 Apr 2024 11:39:12 +0200
Subject: [Users] If you can't log in to admin console anymore since 10.0.8...
In-Reply-To: <1386640880.294797.1714121757733.JavaMail.zimbra@univ-lorraine.fr>
References: <1386640880.294797.1714121757733.JavaMail.zimbra@univ-lorraine.fr>
Message-ID:

Hello everyone,

My apologies for not communicating this change, however you are recommended to set *zimbraAuthFallbackToLocal = FALSE*, copy pasting the blog about this here:

https://blog.zimbra.com/2024/04/admin-account-authentication-now-honors-zimbraauthfallbacktolocal/

Zimbra supports various authentication sources for authenticating users. Examples include external LDAP, Active Directory and custom authentication plugins.

Prior to Zimbra 10.0.8 the setting of *zimbraAuthFallbackToLocal* had no effect on administrative accounts. Meaning you could use the username and password from Zimbra LDAP for signing on to an admin account. Even if the admin account is non-existing in the external authentication source or you entered a password that does not match the external authentication source.

In some cases people installing Zimbra would use a simple password when installing Zimbra, then set up external authentication and did not realize the original simple password was still working. In addition someone could set an admin password on the Zimbra LDAP to create something that could be seen as a back door, as this effectively bypasses external authentication.

To improve Zimbra security and adhere to more modern auditing requirements, from Zimbra 10.0.8 onwards the setting of *zimbraAuthFallbackToLocal* will be honored for administrative accounts as well as regular accounts. The recommended setting when using external authentication is:

    zmprov md example.com zimbraAuthFallbackToLocal FALSE

If you are unable to add your admin account to your external authentication source, you are recommended to follow the steps here:

https://wiki.zimbra.com/wiki/How_To_Create_an_Admin_Account#How_to_regain_access_to_admin_account_if_using_external_LDAP_or_Active_Directory_authentication

Regards,
Barry

From frederic.nass at univ-lorraine.fr Fri Apr 26 11:49:45 2024
From: frederic.nass at univ-lorraine.fr (Frédéric Nass)
Date: Fri, 26 Apr 2024 11:49:45 +0200 (CEST)
Subject: [Users] If you can't log in to admin console anymore since 10.0.8...
In-Reply-To:
References: <1386640880.294797.1714121757733.JavaMail.zimbra@univ-lorraine.fr>
Message-ID: <1717559410.392379.1714124985060.JavaMail.zimbra@univ-lorraine.fr>

Hello,

No worries, Barry. It didn't take long to figure it out. ;-) Thank you for the additional information.

Cheers,
Frédéric.

From david at network-studio.com Fri Apr 26 14:06:15 2024
From: david at network-studio.com (David Touitou)
Date: Fri, 26 Apr 2024 14:06:15 +0200 (CEST)
Subject: [Users] If you can't log in to admin console anymore since 10.0.8...
In-Reply-To: <1717559410.392379.1714124985060.JavaMail.zimbra@univ-lorraine.fr>
References: <1386640880.294797.1714121757733.JavaMail.zimbra@univ-lorraine.fr> <1717559410.392379.1714124985060.JavaMail.zimbra@univ-lorraine.fr>
Message-ID: <1957666127.19057071.1714133175780.JavaMail.zimbra@network-studio.com>

Hi.

The release notes have been updated accordingly.

https://forums.zimbra.org/viewtopic.php?t=72845&start=20

David
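
An audit sketch for the setting discussed in this thread, added here as an example (it is not code from the thread or from Zimbra): it finds domains that combine an external auth mechanism with zimbraAuthFallbackToLocal TRUE, and the admin accounts in those domains. The function names, the sample data and the assumed `zmprov gd` output layout are illustrative assumptions.

```shell
#!/bin/sh
# Added example, not Zimbra code. Input format is an assumption: the
# "# name <domain>" header plus "attr: value" lines printed by
#   for d in $(zmprov gad); do
#     zmprov gd "$d" zimbraAuthMech zimbraAuthFallbackToLocal; done

# Print "<domain>\t<mech>" for every domain that uses an external auth
# mechanism while zimbraAuthFallbackToLocal is TRUE, i.e. where a password
# stored in Zimbra LDAP is still accepted. An unset attribute is treated
# as not enabled (assumption).
audit_fallback() {
    awk '
        function report() {
            if (name != "" && mech != "" && mech != "zimbra" && fallback == "TRUE")
                print name "\t" mech
            name = ""; mech = ""; fallback = ""
        }
        /^# name /                    { report(); name = $3; next }
        /^zimbraAuthMech:/            { mech = $2; next }
        /^zimbraAuthFallbackToLocal:/ { fallback = toupper($2); next }
        END                           { report() }
    '
}

# Filter admin addresses on stdin (one per line, e.g. from `zmprov gaaa`)
# down to those whose domain appears in the audit_fallback output file $1.
admins_with_local_fallback() {
    awk -F'[@\t]' 'NR == FNR { flagged[$1] = 1; next } ($2 in flagged)' "$1" -
}

# Constructed sample data, not taken from a real server.
sample_dump() {
    cat <<'EOF'
# name corp.example.com
zimbraAuthFallbackToLocal: TRUE
zimbraAuthMech: ldap

# name mail.example.net
zimbraAuthFallbackToLocal: FALSE
zimbraAuthMech: ad

# name local.example.org
zimbraAuthFallbackToLocal: TRUE
zimbraAuthMech: zimbra

# name legacy.example.org
zimbraAuthMech: ldap
EOF
}

sample_dump | audit_fallback   # corp.example.com<TAB>ldap
```

Admin accounts listed for a flagged domain are the ones to add to the external authentication source before switching that domain to FALSE.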