A Zimbra server extension to change Active Directory passwords from the Zimbra web client.
This is the Zimbra-Community/Zeta Alliance fork of AD Password. It does not require zmpkg and comes with more documentation than the other versions.
The original project is by Antonio Messina (firstname.lastname@example.org): https://github.com/xMAnton/ADPassword. This version is tested on Zimbra 8.6 and Windows 2012 R2 Active Directory.
ADPassword also supports Zentyal as a directory server; please check the wiki:
If you use the same SSL certificate on your AD as on Zimbra, there is a good chance you can skip this step. If you already use your AD server for external auth, you can probably skip this as well. If you are not sure, configure your domain to auth against AD first before installing this extension.
This is the recommended install method. If you do not want the CLI install, you can also try the GUI; most steps are in the video: https://www.youtube.com/watch?v=AYmsdw3tHoU
Review the LDAP settings in the commands below, adjust them for your domain, and then copy-paste them:
mkdir -p /opt/zimbra/lib/ext/adpassword
wget https://github.com/Zimbra-Community/ADPassword/releases/download/0.0.1/ADPassword.jar -O /opt/zimbra/lib/ext/adpassword/adPassword.jar
su zimbra
zmprov md domain.ext zimbraAuthLdapBindDn "%email@example.com"
zmprov md domain.ext zimbraAuthLdapSearchBase "CN=Users,DC=DOMAIN,DC=EXT"
zmprov md domain.ext zimbraAuthLdapSearchBindDn "CN=serviceAccount,CN=Users,DC=DOMAIN,DC=EXT"
zmprov md domain.ext zimbraAuthLdapSearchBindPassword "your-password-here"
zmprov md domain.ext zimbraAuthLdapSearchFilter "(samaccountname=%u)"
zmprov md domain.ext zimbraAuthLdapURL "ldaps://ad-server-ip-or-dns:636"
zmprov md domain.ext zimbraExternalGroupLdapSearchBase "CN=Users,DC=DOMAIN,DC=EXT"
zmprov md domain.ext zimbraExternalGroupLdapSearchFilter "(samaccountname=%u)"
zmprov md domain.ext zimbraAuthMech "ad"
zmprov md domain.ext zimbraAuthMechAdmin "ad"
zmprov md domain.ext zimbraPasswordChangeListener ADPassword
zmprov gd domain.ext | grep -i ldap | grep -v Gal
zmprov gd domain.ext | grep -i zimbraPasswordChangeListener
zmprov md domain.ext zimbraAuthFallbackToLocal FALSE
zmcontrol restart
Do a password change while you run the following command:
tail -f /opt/zimbra/log/mailbox.log
Verify your configuration:
zmprov gd domain.ext | grep -i ldap | grep -v Gal
Wrong bind DN:
LDAP: error code 34 - 0000208F: NameErr: DSID-03100225, problem 2006 (BAD_NAME)
Forgot to set zimbraAuthLdapSearchFilter or other required attribute:
A network service error has occurred system failure: java.lang.NullPointerException
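The missing-attribute failure above can be caught before the restart. The following is an added example, not part of ADPassword: a POSIX shell check over saved `zmprov gd domain.ext` output. The function names, finding labels and sample values are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not ADPassword code): audit saved `zmprov gd domain.ext` output.
# Attribute names are the ones set by the install commands on this page.
REQUIRED="zimbraAuthLdapBindDn zimbraAuthLdapSearchBase zimbraAuthLdapSearchBindDn
zimbraAuthLdapSearchBindPassword zimbraAuthLdapSearchFilter zimbraAuthLdapURL
zimbraAuthMech zimbraPasswordChangeListener"

# get_attr FILE ATTR: print the first value of ATTR from "attr: value" lines.
get_attr() {
    sed -n "s/^$2: //p" "$1" | head -n 1
}

# audit_domain FILE: print one finding per line, nothing if the config is clean.
audit_domain() {
    f=$1
    for a in $REQUIRED; do
        [ -n "$(get_attr "$f" "$a")" ] || echo "MISSING $a"
    done
    case $(get_attr "$f" zimbraAuthLdapURL) in
        ''|ldaps://*) ;;   # an empty value is already reported as MISSING
        *) echo "INSECURE zimbraAuthLdapURL is not ldaps://" ;;
    esac
    # The page's literal placeholder must not survive a copy-paste.
    [ "$(get_attr "$f" zimbraAuthLdapSearchBindPassword)" != "your-password-here" ] || echo "PLACEHOLDER zimbraAuthLdapSearchBindPassword"
    case $(get_attr "$f" zimbraPasswordChangeListener) in
        ''|ADPassword) ;;
        *) echo "WRONG zimbraPasswordChangeListener" ;;
    esac
    # The page sets this to FALSE, so a local Zimbra password is not accepted when AD auth fails.
    [ "$(get_attr "$f" zimbraAuthFallbackToLocal)" = "FALSE" ] || echo "FALLBACK zimbraAuthFallbackToLocal is not FALSE"
    return 0
}

# Constructed sample of `zmprov gd domain.ext` output containing three mistakes.
write_sample() {
    cat > "$1" <<'EOF'
# name domain.ext
zimbraAuthFallbackToLocal: FALSE
zimbraAuthLdapBindDn: %email@example.com
zimbraAuthLdapSearchBase: CN=Users,DC=DOMAIN,DC=EXT
zimbraAuthLdapSearchBindDn: CN=serviceAccount,CN=Users,DC=DOMAIN,DC=EXT
zimbraAuthLdapSearchBindPassword: your-password-here
zimbraAuthLdapURL: ldap://ad-server-ip-or-dns:389
zimbraAuthMech: ad
zimbraPasswordChangeListener: ADPassword
EOF
}
tmp=$(mktemp); write_sample "$tmp"; audit_domain "$tmp"; rm -f "$tmp"
```

To audit a real domain, save the output of `zmprov gd domain.ext` to a file as the zimbra user and pass that file to `audit_domain`. Keep the file private, since it contains the bind password.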
Rating: 2 ratings
Categories: Business, Mail
Compatibility: ZCS 7.0 or later
License: Apache License v2.0
By: rlipski on 1/18/17 for version 0.0.1
The plugin works, but only for the zimbraAuthLdapSearchBase that is set. So basically, as long as the users are located in the following search base:
OU=TestDomain,DC=Test,DC=local as set in the zimbraAuthLdapSearchBase, then it will find the user and reset the password.
However, I have multiple sub-OUs that are set up. So if I have users in the following OU under that above search base (zimbraAuthLdapSearchBase "OU=TestDomain,DC=Test,DC=local")
It will say permission denied in the password reset dialog. After debugging the log, I found that it is searching for that user in the search base despite the fact that they are located under another OU under that search base, hence why they cannot find the user for password reset. Not sure if there is a way to work around this, but other than that it works great. But currently I can only use one OU of users. I also confirmed this by changing the search base to that OU to test what I had thought, and it will reset only the users in that search base that is set.
By: ajcody on 12/23/16 for version 0.0.1