[Users] If you can't log in to admin console anymore since 10.0.8...

Barry de Graaff info at barrydegraaff.nl
Fri Apr 26 11:39:12 CEST 2024


Hello everyone,

My apologies for not communicating this change, however you are 
recommended to set *zimbraAuthFallbackToLocal = FALSE*. Copy pasting the 
blog about this here:

https://blog.zimbra.com/2024/04/admin-account-authentication-now-honors-zimbraauthfallbacktolocal/

Zimbra supports various authentication sources for authenticating users. 
Examples include external LDAP, Active Directory and custom 
authentication plugins.

Prior to Zimbra 10.0.8 the setting of *zimbraAuthFallbackToLocal* had no 
effect on administrative accounts, meaning you could use the username 
and password from Zimbra LDAP for signing on to an admin account, even 
if the admin account does not exist in the external authentication 
source or you entered a password that does not match the external 
authentication source.

In some cases people installing Zimbra would use a simple password when 
installing Zimbra, then set up external authentication and not 
realize the original simple password was still working. In addition, 
someone could set an admin password on the Zimbra LDAP to create 
something that could be seen as a back door, as this effectively 
bypasses external authentication.

To improve Zimbra security and adhere to more modern auditing 
requirements, from Zimbra 10.0.8 onwards the setting of 
*zimbraAuthFallbackToLocal* will be honored for administrative accounts 
as well as regular accounts. The recommended setting when using external 
authentication is:

zmprov md example.com zimbraAuthFallbackToLocal FALSE

If you are unable to add your admin account to your external 
authentication source, you are recommended to follow the steps here:

https://wiki.zimbra.com/wiki/How_To_Create_an_Admin_Account#How_to_regain_access_to_admin_account_if_using_external_LDAP_or_Active_Directory_authentication

Regards, Barry


On 26-04-2024 10:55, Frédéric Nass wrote:
>
> Hello everyone,
>
> For those having trouble logging in to the admin console after 
> applying patch 10.0.8 (with a 'local' admin account not present in 
> domain's external LDAP auth backend), you might want to set 
> zimbraAuthFallbackToLocal to TRUE on the domain of the admin account, 
> as 
> https://github.com/Zimbra/zm-mailbox/commit/f8cda9897a26dcdf4a58d28de13c464afd1da331 
> (ZBUG-2859 missing in 10.0.8 release notes) changed the way things work.
>
> Cheers,
> Frédéric.
>
> --
> Frédéric Nass
>
> Sous-direction Infrastructures et Services
> Direction du Numérique
> Université de Lorraine
> Tél : +33 3 72 74 11 35
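
An audit for the setting discussed in this thread, added here as an example and not part of either message or of Zimbra's own tooling: it lists domains that use an external authentication mechanism while zimbraAuthFallbackToLocal is not FALSE. The function names, the sample domains and the "# name <domain>" / "attr: value" output layout of zmprov are assumptions.

```shell
#!/bin/sh
# Added example: flag domains that authenticate externally but can still
# fall back to passwords stored in Zimbra LDAP.

# Reads zmprov-style attribute dumps on stdin: a "# name <domain>" header per
# domain followed by "attr: value" lines (layout assumed). Prints
# "domain<TAB>mech<TAB>fallback" for every external-auth domain whose
# zimbraAuthFallbackToLocal is anything other than FALSE.
audit_fallback() {
    awk '
        function report() {
            # Assumption: an unset mechanism or "zimbra" means internal auth;
            # any other value (ldap, ad, custom:...) is treated as external.
            if (dom != "" && mech != "" && mech != "zimbra" && toupper(fb) != "FALSE")
                printf "%s\t%s\t%s\n", dom, mech, (fb == "" ? "unset" : fb)
        }
        /^# name /                    { report(); dom = $3; mech = ""; fb = ""; next }
        /^zimbraAuthMech: /            { mech = $2 }
        /^zimbraAuthFallbackToLocal: / { fb = $2 }
        END                            { report() }
    '
}

# Constructed sample input (hypothetical domains), so the script runs offline.
sample_domains() {
    cat <<'EOF'
# name example.com
zimbraAuthMech: ldap
zimbraAuthFallbackToLocal: TRUE

# name corp.example
zimbraAuthMech: ad
zimbraAuthFallbackToLocal: FALSE

# name local.example
zimbraAuthMech: zimbra

# name plugin.example
zimbraAuthMech: custom:sample
EOF
}

# On a Zimbra server, as the zimbra user, the live input would be:
#   zmprov gad -v zimbraAuthMech zimbraAuthFallbackToLocal | audit_fallback
sample_domains | audit_fallback
```

Domains reported as "unset" have no explicit value and are listed so the effective setting can be checked by hand.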