To access Zimbra’s LDAP with external tools (ldapsearch, shelldap, apache directory studio, etc.), you need a login. If you have an older Zimbra (5.x.x or earlier), or your install began at one of these older versions, you may have anonymous read access enabled. Though disabling this would be recommended, if your Zimbra install is configured this way, you can view the bulk of the contents of your main LDAP directory without even authenticating.

Here are a few ways to access Zimbra LDAP.

Your Zimbra Account (read only)

You can use your Zimbra account to authenticate. With a default Zimbra LDAP configuration, this will give you read access to most of the LDAP directory. Your username will be the DN of your Zimbra account as it exists in LDAP, not your email address.

If your email address is “username@something.example.com”, your login (your LDAP DN) will be “uid=username,ou=People,dc=something,dc=example,dc=com”.

How does this map out?

  • dc=something,dc=example,dc=com: Every “domain component” (every chunk between the dots) is separated out into its own “dc=<something>” stanza, in the same order as in the domain name.
  • ou=People: This is the section that holds all actual user accounts within the domain.
  • uid=username: The uid is the “userid”, i.e. the local part of the email address (everything before the @).

A DN is actually a single-line method of representing a place in a tree hierarchy (think like the folder pane in an explorer window). You might imagine it more like this:

Root
 -> [+] dc=biz
 -> [-] dc=com
  -> [-] dc=example
   -> [-] dc=something
    -> [+] cn=Groups
    -> [-] ou=People
     -> [+] uid=bob
     -> [+] uid=username
 -> [+] dc=net
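The email-to-DN mapping described above, as an added shell example that is not part of the original post: the host name and the ldapsearch usage in the trailing comment are assumptions taken from the post's own examples.

```shell
#!/bin/sh
# Added example, not from the original post: build the LDAP DN Zimbra uses
# for a user from that user's email address, following the mapping above
# (uid=<local part>,ou=People, then one dc= component per domain label).

# zimbra_domain_base something.example.com -> dc=something,dc=example,dc=com
zimbra_domain_base() {
    domain=$1
    dcs=
    old_ifs=$IFS
    IFS=.                                  # split the domain on '.'
    set -f                                 # no globbing while splitting
    for label in $domain; do
        [ -n "$label" ] || { IFS=$old_ifs; set +f; return 1; }   # e.g. "a..b"
        dcs="${dcs:+$dcs,}dc=$label"       # append, comma-separated, in order
    done
    set +f
    IFS=$old_ifs
    printf '%s\n' "$dcs"
}

# zimbra_user_dn username@something.example.com
#   -> uid=username,ou=People,dc=something,dc=example,dc=com
zimbra_user_dn() {
    email=$1
    case $email in
        *@*.*) ;;                          # need a local part and a dotted domain
        *) echo "zimbra_user_dn: '$email' is not user@domain" >&2; return 1 ;;
    esac
    uid=${email%%@*}                       # text before the first '@'
    base=$(zimbra_domain_base "${email#*@}") || return 1
    printf 'uid=%s,ou=People,%s\n' "$uid" "$base"
}

# Usage with ldapsearch (assumed host from the post; not run here): -W prompts
# for the password instead of exposing it on the command line, and -b limits
# the search to the user's own domain subtree.
#   ldapsearch -x -W -H ldap://zldap1.example.com \
#       -D "$(zimbra_user_dn username@something.example.com)" \
#       -b "$(zimbra_domain_base something.example.com)"
```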

You can test the account’s access at the commandline using ldapsearch:

ldapsearch -x -h zldap1.example.com -D uid=username,ou=People,dc=something,dc=example,dc=com -w somepassword

This should spit out the entire LDAP directory.

Note that Zimbra’s not really designed for user access to LDAP. There are two main takeaways from this fact:

  1. There are no access controls (compared with the access controls that apply to accounts and delegated admin accounts). In a multi-tenant environment, for example, an authenticated user could read anything in the LDAP directory, including other tenants’ data. Hence, allowing LDAP access to users is inherently insecure outside of single organizations that actually want this.
  2. Because Zimbra isn’t really designed with user access to LDAP in mind, not all of its authentication methods are supported by LDAP. A user can authenticate to LDAP if their DN carries a userPassword attribute, but if Zimbra is configured to authenticate against an external LDAP or AD, the user will be unable to authenticate (unless an old userPassword attribute is still present, in which case they’ll be authenticating against some stale hash rather than the external service). Any other non-internal-LDAP auth method (preauth key, etc.) has the same issue.

The Main Zimbra Admin Account

The main Zimbra admin account can auth to LDAP and edit/change any value in the main LDAP tree. In general, it is not recommended to edit LDAP directly, but it can be useful. For example, I’ve seen a domain rename fail, resulting in both the old and new domain name continuing to exist in Zimbra, but in the “shutdown” state. Zimbra will NOT let you do ANYTHING with the accounts/domain while in this state, so the only solution is to login to LDAP and fix it yourself.

You can get the credentials to log in to LDAP via zmlocalconfig:

zimbra@zldap1:~$ zmlocalconfig -s zimbra_ldap_userdn zimbra_ldap_password
zimbra_ldap_userdn = uid=zimbra,cn=admins,cn=zimbra
zimbra_ldap_password = somepassword

The user DN to auth with should always be uid=zimbra,cn=admins,cn=zimbra, but the password will vary with every Zimbra installation.

As with the user account, you can test this at the commandline using ldapsearch:

ldapsearch -x -h zldap1.example.com -D uid=zimbra,cn=admins,cn=zimbra -w somepassword

Root LDAP User

If you need to view or adjust the actual LDAP server config (in modern Zimbra installs it all lives in its own tree with the base ‘cn=config’), you will need to use the root LDAP user. The DN for this user should be cn=config, and the password can be had via zmlocalconfig:

zimbra@zldap1:~$ zmlocalconfig -s ldap_root_password
ldap_root_password = somepassword

While you can use this similarly to the Zimbra admin password and access/edit the main LDAP directory with it, what you’re really after is the config tree. Use these credentials but specify the base ‘cn=config’, and you’ll get what you’re looking for.

Testing with ldapsearch:

ldapsearch -x -h zldap1.example.com -b 'cn=config' -D cn=config -w somepassword

You should get the entire cn=config tree output.

Note on Password Security

For the sake of these examples, I used “-w <password>” for the argument to ldapsearch. There is also a -W argument that asks the user for a password. This is much more secure, as including the password in the arguments may leave the password in your command history or viewable on the process table.
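An added example, not from the original post, of one way to keep the password out of the argument list in a script (where -W’s interactive prompt is not usable): the password is taken from zmlocalconfig, written to a mode-0600 temporary file, and passed with ldapsearch’s -y option. -y and zmlocalconfig’s -m nokey are real options of those tools; the host name is the post’s example.

```shell
#!/bin/sh
# Added example, not from the original post: run ldapsearch as the Zimbra
# admin DN without "-w <password>" on the command line (which lands in shell
# history and is visible in the process table). ldapsearch -y reads the
# password from a file verbatim, so the file must be private and must not
# end in a newline.

# Write stdin to a private temp file with the trailing newline removed
# (zmlocalconfig prints one; -y would otherwise send it as part of the
# password). Prints the path of the file.
make_password_file() {
    f=$(mktemp) || return 1
    chmod 600 "$f"
    tr -d '\n' > "$f"
    printf '%s\n' "$f"
}

# Run ldapsearch as uid=zimbra,cn=admins,cn=zimbra with the password from
# zmlocalconfig (-m nokey prints only the value). Extra arguments such as
# -b and a filter are passed through. Host is the post's example host.
admin_ldapsearch() {
    pwfile=$(zmlocalconfig -s -m nokey zimbra_ldap_password | make_password_file) || return 1
    ldapsearch -x -H ldap://zldap1.example.com \
        -D uid=zimbra,cn=admins,cn=zimbra -y "$pwfile" "$@"
    status=$?
    rm -f "$pwfile"                    # remove the password file even on failure
    return $status
}

# Only run the live query where the Zimbra tools are actually installed.
if command -v zmlocalconfig >/dev/null 2>&1 && command -v ldapsearch >/dev/null 2>&1; then
    admin_ldapsearch -b '' -s base '(objectClass=*)'
fi
```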

  • Posted on 18. May 2016
  • Written by mrgus
  • Categories: ldap, Zimbra