[Users] If you can't log in to admin console anymore since 10.0.8...
David Touitou
david at network-studio.com
Fri Apr 26 14:06:15 CEST 2024
Hi.
The release notes have been updated accordingly.
https://forums.zimbra.org/viewtopic.php?t=72845&start=20
David
----- Original message -----
> From: "Frédéric Nass" <frederic.nass at univ-lorraine.fr>
> To: "Barry de Graaff" <info at barrydegraaff.nl>
> Cc: "Zeta Alliance" <users at lists.zetalliance.org>
> Sent: Friday 26 April 2024 11:49:45
> Subject: Re: [Users] If you can't log in to admin console anymore since 10.0.8...
> Hello,
>
> No worries, Barry. I didn't take long to figure it out. ;-) Thank you for the
> additional information.
>
> Cheers,
> Frédéric.
>
> ----- On 26 Apr 24, at 11:39, Barry de Graaff <info at barrydegraaff.nl> wrote:
>
>> Hello everyone,
>
>> My apologies for not communicating this change; however, you are recommended to
>> set zimbraAuthFallbackToLocal = FALSE. Copy-pasting the blog about this here:
>
>> https://blog.zimbra.com/2024/04/admin-account-authentication-now-honors-zimbraauthfallbacktolocal/
>
>> Zimbra supports various authentication sources for authenticating users. Examples
>> include external LDAP, Active Directory and custom authentication plugins.
>
>> Prior to Zimbra 10.0.8 the setting of zimbraAuthFallbackToLocal had no effect on
>> administrative accounts. Meaning you could use the username and password from
>> Zimbra LDAP for signing on to an admin account. Even if the admin account is
>> non-existing in the external authentication source or you entered a password
>> that does not match the external authentication source.
>
>> In some cases people installing Zimbra would use a simple password when
>> installing Zimbra, then set up external authentication and did not realize the
>> original simple password was still working. In addition someone could set an
>> admin password on the Zimbra LDAP to create something that could be seen as a
>> back door, as this effectively bypasses external authentication.
>
>> To improve Zimbra security and adhere to more modern auditing requirements, from
>> Zimbra 10.0.8 onwards the setting of zimbraAuthFallbackToLocal will be honored
>> for administrative accounts as well as regular accounts. The recommended
>> setting when using external authentication is:
>> zmprov md example.com zimbraAuthFallbackToLocal FALSE
>
>> If you are unable to add your admin account to your external authentication
>> source, you are recommended to follow the steps here:
>
>> https://wiki.zimbra.com/wiki/How_To_Create_an_Admin_Account#How_to_regain_access_to_admin_account_if_using_external_LDAP_or_Active_Directory_authentication
>> Regards, Barry
>
>> On 26-04-2024 10:55, Frédéric Nass wrote:
>
>>> Hello everyone,
>
>>> For those having trouble logging in to the admin console after applying patch
>>> 10.0.8 (with a 'local' admin account not present in domain's external LDAP auth
>>> backend), you might want to set zimbraAuthFallbackToLocal to TRUE on the domain
>>> of the admin account, as
>>> https://github.com/Zimbra/zm-mailbox/commit/f8cda9897a26dcdf4a58d28de13c464afd1da331
>>> (ZBUG-2859 missing in 10.0.8 release notes) changed the way things work.
>
>>> Cheers,
>>> Frédéric.
>
>>> --
>>> Frédéric Nass
>
>>> Sous-direction Infrastructures et Services
>>> Direction du Numérique
>>> Université de Lorraine
>>> Tel: +33 3 72 74 11 35
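
An added example, not part of the thread and not Zimbra's own tooling: a shell audit that reports, per domain, whether a local Zimbra LDAP password can still be used alongside external authentication, based on the zimbraAuthMech and zimbraAuthFallbackToLocal attributes discussed above. The function names and verdict labels are assumptions made for this sketch; run it as the zimbra user.

```shell
#!/bin/sh
# Added example (not from the thread). Function names and verdict labels
# are hypothetical; only the zmprov subcommands and attributes are Zimbra's.

# classify_domain: reads the output of
#   zmprov gd <domain> zimbraAuthMech zimbraAuthFallbackToLocal
# on stdin and prints: <domain> <mech> <fallback> <verdict>
classify_domain() {
    awk '
        /^# name /                   { name = $3 }
        /^zimbraAuthMech:/           { mech = $2 }
        /^zimbraAuthFallbackToLocal:/ { fb = $2 }
        END {
            if (mech == "") mech = "zimbra"   # unset: internal Zimbra LDAP auth
            if (fb == "")   fb = "unset"
            if (mech == "zimbra")
                verdict = "OK-internal"
            else if (fb == "FALSE")
                verdict = "OK-external-only"
            else
                # Anything but an explicit FALSE is flagged on purpose, so an
                # unset attribute gets reviewed instead of trusted.
                verdict = "REVIEW-local-fallback"
            print name, mech, fb, verdict
        }'
}

# audit_all: classify every domain, then list the admin accounts so the
# flagged domains can be matched against the accounts that live in them.
audit_all() {
    for d in $(zmprov gad); do
        zmprov gd "$d" zimbraAuthMech zimbraAuthFallbackToLocal | classify_domain
    done
    echo "--- admin accounts ---"
    zmprov gaaa
}

# Only query the server when zmprov is actually available.
if command -v zmprov >/dev/null 2>&1; then
    audit_all
fi
```

A domain reported as REVIEW-local-fallback is one where, from 10.0.8 onwards, admin accounts as well as regular accounts can still authenticate with the password stored in Zimbra LDAP.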