LDAP/Active Directory

From XMission Wiki

XMission hosted Zimbra LDAP/Active Directory Integration

General information:

Any Zimbra domain hosted by XMission can have authentication, GAL synchronization, or both connected to an external LDAP or Active Directory (AD) server. These are two independent features (external auth and external GAL sync), but they share most of the same configuration. Customers commonly want both.


This is what is required to configure external authentication and external GAL sync for XMission hosted Zimbra domains:

  • Confirm XMission will authenticate against customer Active Directory. [ ] Yes [ ] No
  • Confirm XMission will get the GAL from customer Active Directory. [ ] Yes [ ] No
  • Provide customer Active Directory server name(s) and port (3269 is the default AD port)
  • SSL must be enabled.
  • Provide the customer Active Directory domain name.
  • Provide customer Active Directory bind domain name / password.
  • Customer to provide username/password to test authentication against.
    • This can be temporary for the purposes of configuring AD, no need to reveal credentials for real users.
  • Customer firewall must allow traffic from (mail subnet where XMission Zimbra lives) to the above server/port. Has this been completed? [ ] Yes [ ] No
  • Customer confirms secure password or passphrase requirements. [ ] Yes [ ] No
  • Customer agrees to mandatory password changes for all accounts at least once yearly. [ ] Yes [ ] No
  • External LDAP customers accept that XMission will not monitor password aging. [ ] Yes [ ] No

Please use https://secrets.xmission.com to share sensitive information.


  • The GAL can be synchronized to *both* LDAP/AD and the normal internal Zimbra if desired. This can be useful for distribution lists that aren't in AD.
  • For the GAL sync, XMission will default to a filter of (mail=*) and a search base derived from the AD domain name (i.e. dc=customerdomain,dc=local if the domain is customerdomain.local), but these values can be changed if needed.
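
A pre-check a customer could run against their own server to confirm the GAL defaults described above (LDAPS on port 3269, filter (mail=*), search base derived from the AD domain name). This is an added example, not XMission's own tooling; it assumes the OpenLDAP `ldapsearch` client is installed, and the host name, bind account and password file shown in the comments are constructed placeholders.

```shell
#!/bin/sh
# Added example: pre-check of the GAL sync defaults (LDAPS, port 3269,
# filter (mail=*), search base derived from the AD domain name).

# customerdomain.local -> dc=customerdomain,dc=local
# Rejects anything that is not a plain DNS name so no DN metacharacters
# (",", "=", "+", spaces) can reach the search base.
domain_to_base_dn() {
    case $1 in
        ''|.*|*.|*..*|*[!A-Za-z0-9.-]*) return 1 ;;
    esac
    printf 'dc=%s\n' "$1" | sed 's/\./,dc=/g'
}

# Build the ldaps:// URL; the port defaults to 3269 as on this page.
# 389 and 3268 are the cleartext LDAP / Global Catalog ports, so refuse them.
ldaps_url() {
    url_port=${2:-3269}
    case $url_port in
        ''|*[!0-9]*|389|3268) return 1 ;;
    esac
    printf 'ldaps://%s:%s\n' "$1" "$url_port"
}

# Usage: check_gal HOST DOMAIN BIND_DN PASSWORD_FILE [PORT]
# PASSWORD_FILE must hold the bind password with no trailing newline
# (ldapsearch -y uses the complete file contents as the password).
check_gal() {
    gal_base=$(domain_to_base_dn "$2") || { echo "invalid AD domain: $2" >&2; return 2; }
    gal_url=$(ldaps_url "$1" "${5:-}") || { echo "refusing non-SSL port: ${5:-}" >&2; return 2; }
    # -z 5 caps the sample; the server then answers "size limit exceeded"
    # (exit status 4), which still proves that bind and search work.
    gal_out=$(ldapsearch -H "$gal_url" -x -D "$3" -y "$4" \
        -b "$gal_base" -z 5 -LLL '(mail=*)' mail)
    gal_rc=$?
    if [ "$gal_rc" -ne 0 ] && [ "$gal_rc" -ne 4 ]; then
        echo "LDAPS bind/search failed (ldapsearch exit $gal_rc)" >&2
        return 1
    fi
    gal_n=$(printf '%s\n' "$gal_out" | grep -c '^mail:' || true)
    echo "OK: $gal_n sample entries with mail under $gal_base via $gal_url"
    [ "$gal_n" -gt 0 ]
}

# Run only when called with arguments, e.g. (constructed values):
#   sh gal-check.sh dc1.customerdomain.local customerdomain.local \
#      'svc-zimbra@customerdomain.local' ./bindpw
if [ "$#" -ge 4 ]; then check_gal "$@"; fi
```

A result of zero entries with a successful bind usually means the derived search base or the (mail=*) filter does not match where mail-enabled objects live, which is the case where the defaults need to be changed.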


XMission strongly recommends testing functionality. To do this, the customer should make a test domain and verify it works as expected. Testing authentication is critical. Once testing has completed, XMission will recreate the settings on the real customer domain and re-verify.