<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<p>Hello everyone,</p>
<p>My apologies for not communicating this change; however, you are
recommended to set <b>zimbraAuthFallbackToLocal = FALSE</b>. Copy
pasting the blog about this here:</p>
<p><a class="moz-txt-link-freetext" href="https://blog.zimbra.com/2024/04/admin-account-authentication-now-honors-zimbraauthfallbacktolocal/">https://blog.zimbra.com/2024/04/admin-account-authentication-now-honors-zimbraauthfallbacktolocal/</a></p>
<section class="entry">
<p>Zimbra supports various authentication sources for
authenticating users. Examples include external LDAP, Active
Directory and custom authentication plugins.</p>
<p>Prior to Zimbra 10.0.8 the setting of <strong>zimbraAuthFallbackToLocal</strong>
had no effect on administrative accounts, meaning you could use
the username and password from Zimbra LDAP for signing on to an
admin account, even if the admin account does not exist in the
external authentication source or you entered a password that
does not match the external authentication source.</p>
<p>In some cases people installing Zimbra would use a simple
password when installing Zimbra, then set up external
authentication and not realize the original simple password
was still working. In addition, someone could set an admin
password on the Zimbra LDAP to create something that could be
seen as a back door, as this effectively bypasses external
authentication.</p>
<p>To improve Zimbra security and adhere to more modern auditing
requirements, from Zimbra 10.0.8 onwards the setting of <strong>zimbraAuthFallbackToLocal</strong>
will be honored for administrative accounts as well as regular
accounts. The recommended setting when using external
authentication is:</p>
<pre class="EnlighterJSRAW" data-enlighter-language="generic">zmprov md example.com zimbraAuthFallbackToLocal FALSE</pre>
<p>If you are unable to add your admin account to your external
authentication source, you are recommended to follow the steps
here:</p>
<p><a
href="https://wiki.zimbra.com/wiki/How_To_Create_an_Admin_Account#How_to_regain_access_to_admin_account_if_using_external_LDAP_or_Active_Directory_authentication"
class="moz-txt-link-freetext">https://wiki.zimbra.com/wiki/How_To_Create_an_Admin_Account#How_to_regain_access_to_admin_account_if_using_external_LDAP_or_Active_Directory_authentication</a></p>
Regards, Barry<br>
</section>
<p></p>
<p><br>
</p>
<div class="moz-cite-prefix">On 26-04-2024 10:55, Frédéric Nass
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:1386640880.294797.1714121757733.JavaMail.zimbra@univ-lorraine.fr">
<div
style="font-family: arial, helvetica, sans-serif; font-size: 12pt; color: #000000">
<div><br>
</div>
<div>Hello everyone,<br>
</div>
<div><br data-mce-bogus="1">
</div>
<div>For those having trouble logging in to the admin console
after applying patch 10.0.8 (with a 'local' admin account not
present in domain's external LDAP auth backend), you might
want to set zimbraAuthFallbackToLocal to TRUE on the domain of
the admin account, as
<a class="moz-txt-link-freetext" href="https://github.com/Zimbra/zm-mailbox/commit/f8cda9897a26dcdf4a58d28de13c464afd1da331">https://github.com/Zimbra/zm-mailbox/commit/f8cda9897a26dcdf4a58d28de13c464afd1da331</a>
(ZBUG-2859 missing in 10.0.8 release notes) changed the way
things work.<br>
</div>
<div><br data-mce-bogus="1">
</div>
<div>Cheers,<br data-mce-bogus="1">
</div>
<div>Frédéric.<br data-mce-bogus="1">
</div>
<div><br data-mce-bogus="1">
</div>
<div>--<br data-mce-bogus="1">
</div>
<div data-marker="__SIG_PRE__">Frédéric Nass <br>
<br>
Sous-direction Infrastructures et Services<br>
Direction du Numérique <br>
Université de Lorraine<br>
Tél : +33 3 72 74 11 35<br>
</div>
</div>
</blockquote>
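<p>Added example, not part of the messages above or of the Zimbra blog post: a shell audit that lists domains where external authentication is configured but local fallback is still enabled, together with the admin accounts in those domains. The function names are hypothetical; it assumes an unset zimbraAuthMech means internal Zimbra authentication and an unset zimbraAuthFallbackToLocal is treated as FALSE.</p>

```shell
#!/bin/sh
# Added example (not Zimbra's own code). Run as the zimbra user: sh audit.sh --audit

# Reads the output of `zmprov gd DOMAIN zimbraAuthMech zimbraAuthFallbackToLocal`
# on stdin and prints: local-only, fallback-enabled or external-only.
# Assumption: unset zimbraAuthMech = internal auth, unset fallback = FALSE.
classify_domain() {
    awk '
        /^zimbraAuthMech:/            { mech = tolower($2) }
        /^zimbraAuthFallbackToLocal:/ { fb = toupper($2) }
        END {
            if (mech == "" || mech == "zimbra") print "local-only"
            else if (fb == "TRUE")              print "fallback-enabled"
            else                                print "external-only"
        }'
}

# Reads `zmprov gaaa` output (one admin address per line) on stdin and
# prints only the admins whose address is in domain $1.
admins_in_domain() {
    awk -F@ -v d="$1" 'tolower($2) == tolower(d)'
}

# Walks every domain and reports those where a password stored in
# Zimbra LDAP can still be used although external auth is configured.
audit_domains() {
    admins=$(zmprov gaaa)
    for domain in $(zmprov gad); do
        state=$(zmprov gd "$domain" zimbraAuthMech zimbraAuthFallbackToLocal | classify_domain)
        if [ "$state" = "fallback-enabled" ]; then
            printf '%s: external auth with local fallback enabled\n' "$domain"
            printf '%s\n' "$admins" | admins_in_domain "$domain" | sed 's/^/  admin: /'
        fi
    done
}

if [ "${1:-}" = "--audit" ]; then
    audit_domains
fi
```

<p>On 10.0.8 and later, each admin listed under a reported domain can sign in with its Zimbra LDAP password until zimbraAuthFallbackToLocal is set to FALSE on that domain.</p>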
</body>
</html>