[Users] If you can't log in to admin console anymore since 10.0.8...

Frédéric Nass frederic.nass at univ-lorraine.fr
Fri Apr 26 11:49:45 CEST 2024


Hello, 

No worries, Barry. It didn't take long to figure it out. ;-) Thank you for the additional information.

Cheers, 
Frédéric. 

----- On 26 Apr 24, at 11:39, Barry de Graaff <info at barrydegraaff.nl> wrote:

> Hello everyone,

> My apologies for not communicating this change; however, you are recommended to
> set zimbraAuthFallbackToLocal = FALSE. Copy-pasting the blog about this here:

> https://blog.zimbra.com/2024/04/admin-account-authentication-now-honors-zimbraauthfallbacktolocal/

> Zimbra supports various authentication sources for authenticating users. Examples
> include external LDAP, Active Directory and custom authentication plugins.

> Prior to Zimbra 10.0.8 the setting of zimbraAuthFallbackToLocal had no effect on
> administrative accounts. Meaning you could use the username and password from
> Zimbra LDAP for signing on to an admin account. Even if the admin account is
> non-existing in the external authentication source or you entered a password
> that does not match the external authentication source.

> In some cases people installing Zimbra would use a simple password when
> installing Zimbra, then set up external authentication and did not realize the
> original simple password was still working. In addition someone could set an
> admin password on the Zimbra LDAP to create something that could be seen as a
> back door, as this effectively bypasses external authentication.

> To improve Zimbra security and adhere to more modern auditing requirements, from
> Zimbra 10.0.8 onwards the setting of zimbraAuthFallbackToLocal will be honored
> for administrative accounts as well as regular accounts. The recommended
> setting when using external authentication is:
> zmprov md example.com zimbraAuthFallbackToLocal FALSE

> If you are unable to add your admin account to your external authentication
> source, you are recommended to follow the steps here:

> https://wiki.zimbra.com/wiki/How_To_Create_an_Admin_Account#How_to_regain_access_to_admin_account_if_using_external_LDAP_or_Active_Directory_authentication
> Regards, Barry

> On 26-04-2024 10:55, Frédéric Nass wrote:

>> Hello everyone,

>> For those having trouble logging in to the admin console after applying patch
>> 10.0.8 (with a 'local' admin account not present in domain's external LDAP auth
>> backend), you might want to set zimbraAuthFallbackToLocal to TRUE on the domain
>> of the admin account, as
>> https://github.com/Zimbra/zm-mailbox/commit/f8cda9897a26dcdf4a58d28de13c464afd1da331
>> (ZBUG-2859 missing in 10.0.8 release notes) changed the way things work.

>> Cheers,
>> Frédéric.

>> --
>> Frédéric Nass

>> Sous-direction Infrastructures et Services
>> Direction du Numérique
>> Université de Lorraine
>> Tel: +33 3 72 74 11 35
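
An audit script for the change discussed in this thread, added here as an example (it is not part of either message and not Zimbra's own tooling): it reports each domain's zimbraAuthMech / zimbraAuthFallbackToLocal state and counts admin accounts per domain, showing where a Zimbra LDAP password is still accepted and where a local-only admin would be locked out. The function names are hypothetical, and treating an unset zimbraAuthFallbackToLocal as not TRUE is an assumption.

```shell
#!/bin/sh
# Added example: audit per-domain authentication settings (run as the zimbra user).
# Uses only: zmprov -l gad (all domains), gd (get domain), gaaa (all admin accounts).

# classify MECH FALLBACK -> local | external+fallback | external-only
classify() {
    case "$1" in
        ""|zimbra) echo "local" ;;               # no external auth source in use
        *) if [ "$2" = "TRUE" ]; then
               echo "external+fallback"          # Zimbra LDAP password still accepted
           else
               echo "external-only"              # unset treated as not TRUE (assumption)
           fi ;;
    esac
}

# attr NAME: read "zmprov gd" output on stdin, print the first value of NAME
attr() {
    sed -n "s/^$1: //p" | head -n 1
}

# audit_domain DOMAIN ADMIN_LIST -> "domain<TAB>state<TAB>admin-count"
audit_domain() {
    domain=$1
    out=$(zmprov -l gd "$domain" zimbraAuthMech zimbraAuthFallbackToLocal)
    mech=$(printf '%s\n' "$out" | attr zimbraAuthMech)
    fb=$(printf '%s\n' "$out" | attr zimbraAuthFallbackToLocal)
    # count admin addresses whose domain part matches exactly
    n=$(printf '%s\n' "$2" | awk -F@ -v d="$domain" '$2 == d { n++ } END { print n + 0 }')
    printf '%s\t%s\t%s\n' "$domain" "$(classify "$mech" "$fb")" "$n"
}

# audit_all: one line per domain on the server
audit_all() {
    admins=$(zmprov -l gaaa)
    for d in $(zmprov -l gad); do
        audit_domain "$d" "$admins"
    done
}

# Run only where zmprov exists; elsewhere the functions can be sourced.
if command -v zmprov >/dev/null 2>&1; then audit_all; fi
```

A domain reported as external-only with a non-zero admin count is where the lockout described above can occur if those admins are missing from the external source; external+fallback marks domains where the local password path remains open.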