Zimbra AD password change plugin installation
If an organization uses AD for its user account management, it may choose to authenticate mail users against AD. In that case the default "Change password" option provided by Zimbra does not result in a password change on the AD server. To allow the AD password to be changed through Zimbra's change password dialog, an AD password change plugin can be installed in Zimbra. To install the plugin, use the following steps:
Exporting CA certificate from AD for importing into Zimbra
- Log in to the AD server
- From Run, start "mmc" to obtain a console window
- In the mmc File menu choose the "Add snap-in" option
- Choose the snap-in of type Certificates and click OK.
- In the following pop-up screen choose the type "Personal computer"
- In the mmc console expand the Certificates -> Personal computer tree
- Choose the CA certificate among the certificates shown. Note that these steps assume AD is already set up to operate over LDAPS; to learn how to configure this, refer to "Setup AD to respond to LDAP queries over LDAPS protocol"
- Right-click the CA certificate and choose Export from "All Tasks"
- In the export pop-up window choose DER as the certificate export type, with the .cer extension, so that it can be imported into the Java keystore.
- Copy the exported .cer certificate to the Zimbra server
Install Zimbra AD Password change plugin
- Download the AD password change plugin from https://www.zimbra.org/extend/items/view/adpassword
- As root, create the /opt/zimbra/lib/ext/adpassword directory
- As root, copy the downloaded adPassword.jar into /opt/zimbra/lib/ext/adpassword/
- As root, import the DER domain controller CA certificate into the trusted keystore (replace <ca-certificate.cer> with the path of the copied file):
- /opt/zimbra/java/jre/bin/keytool -import -keystore /opt/zimbra/java/jre/lib/security/cacerts -file <ca-certificate.cer>
- The keystore's default password is changeit
- Restart Zimbra using the 'su - zimbra -c "zmcontrol restart"' command.
Configure domain to authenticate via AD with AD password change plugin
- Open the Zimbra Administration console
- Right-click the domain and choose "Configure Authentication"
- Select External LDAP as the authentication mechanism. Note that we choose 'External LDAP' and not 'External AD', even though Zimbra is connecting to an AD server and not to a generic LDAP server.
- Type the LDAP URL and check "Use SSL"
- Type 'samaccountname=%u' in the LDAP filter field
- Specify 'cn=users,dc=SERVER,dc=EXT' in the LDAP search base field
- Check "Use DN/Password to bind to external server"
- Enter the Bind DN cn=Administrator,cn=users,dc=SERVER,dc=EXT and its password
- If the test passes successfully, click Finish
- In the Zimbra Administration console, right-click the domain again and choose "Edit"
- Under "Authentication" assign the new change password listener ADPassword
Note that the old password continues to work for another 15 min in some cases. This plugin was found to work sometimes and in other cases it simply did not work. The reason why the plugin did not work in a few installations is not clear.
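As an added example that is not part of this page or of the Zimbra plugin, the following POSIX shell script checks the two things the steps above depend on: that the exported CA certificate really is in the JRE trust store Zimbra uses, and that the External LDAP settings (URL, bind DN, search base and the 'samaccountname=%u' filter) can bind over LDAPS and find an account. The keytool and cacerts paths are the ones from the installation steps; the LDAP URL, bind DN and password, search base, certificate path and keytool alias are assumptions supplied through environment variables, and the host and login names in comments are constructed placeholders.

```shell
#!/bin/sh
# Post-install checks for the AD password change setup (added example, not part of the plugin).
# Paths come from the steps above; everything else is supplied via environment variables:
#   AD_LDAP_URL  e.g. ldaps://dc.example.test:636 (constructed placeholder host)
#   AD_BIND_DN   e.g. cn=Administrator,cn=users,dc=SERVER,dc=EXT     AD_BIND_PW  its password
#   AD_BASE      e.g. cn=users,dc=SERVER,dc=EXT                      AD_CA_DER   exported .cer file
#   CA_ALIAS     alias used with keytool -import (keytool's default is "mykey")
set -u
ZIMBRA_KEYTOOL=/opt/zimbra/java/jre/bin/keytool
ZIMBRA_CACERTS=/opt/zimbra/java/jre/lib/security/cacerts
FILTER_TEMPLATE='samaccountname=%u'   # the filter entered in the admin console

# Escape a value for use inside an LDAP filter (RFC 4515). Backslash goes first so
# the escapes added for the other characters are not escaped a second time.
ldap_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# Expand the console filter for one login: %u stands for the part of the account
# name before the @, inserted escaped so it is matched literally.
build_filter() {
    template=$1 login=${2%%@*} ph='%u'
    prefix=${template%%"$ph"*} suffix=${template#*"$ph"}
    printf '(%s%s%s)' "$prefix" "$(ldap_escape "$login")" "$suffix"
}

# Confirm the CA certificate is really in the JRE trust store Zimbra uses.
check_keystore() {
    "$ZIMBRA_KEYTOOL" -list -keystore "$ZIMBRA_CACERTS" -storepass changeit \
        -alias "${CA_ALIAS:-mykey}" >/dev/null 2>&1
}

# Bind over LDAPS with the console settings and look up one account, trusting only
# the exported CA (ldapsearch expects it in PEM form, so convert the DER file first).
check_ldaps_bind() {
    pem=$(mktemp) || return 1
    openssl x509 -inform DER -in "$AD_CA_DER" -out "$pem" || { rm -f "$pem"; return 1; }
    LDAPTLS_CACERT=$pem ldapsearch -LLL -H "$AD_LDAP_URL" -D "$AD_BIND_DN" -w "$AD_BIND_PW" \
        -b "$AD_BASE" "$(build_filter "$FILTER_TEMPLATE" "$1")" sAMAccountName
    rc=$?; rm -f "$pem"; return "$rc"
}

# Run the checks only when configured, so the helpers can be sourced or tested alone.
if [ -n "${AD_LDAP_URL:-}" ]; then
    if check_keystore; then echo "CA certificate present in $ZIMBRA_CACERTS"
    else echo "CA certificate NOT found under alias ${CA_ALIAS:-mykey}"; fi
    check_ldaps_bind "${1:-testuser@example.test}"   # login to look up (constructed default)
fi
```

Run it as root on the Zimbra server after the keytool import and before clicking Finish in the console; a failing bind here means the same settings will fail in Zimbra.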