Password Management in Zimbra Collaboration Suite Open-Source Edition

Password management has always been one of the most important problems associated with the safe operation of information systems. The ability to safely store and quickly change passwords for multiple accounts, the ability for users to safely reset a forgotten password, and the ability to safely reset an administrator password - all these functions are no less important than the password security policy that we talked about earlier. In this article, we will look at how these functions are implemented in Zimbra OSE.



Changing the user and global administrator password

The global administrator password is set during the installation of Zimbra OSE and can subsequently be changed in the web client settings. The user password is initially set when the account is created; however, the administrator can enable a forced password change on the user's first login to the web client so that the user does not forget to set his own password.

In case the user forgets his password, Zimbra OSE provides a password recovery function. This function, if enabled by the administrator, allows the user to specify a backup mailbox to which a temporary confirmation code will come. With this one-time code, a user can access the Zimbra OSE web client and change their password.

However, if the administrator has forgotten the password for his own account and therefore cannot log into the web client to change it, he can use the zmprov setPassword command (or its short form, sp) on the command line. For example, the command `zmprov sp admin@company.ru qwerty` changes the administrator password to qwerty without logging in to the Zimbra OSE web client. The same command can be used to change the password of any other user.

Note also that the administrator does not have the option to view the user's password. This limitation is due to the fact that Zimbra OSE, in principle, does not store user passwords in clear text. Instead, Zimbra OSE only stores salted password hashes and, when trying to log in, compares the hash of the password entered by the user with what is stored in the LDAP server.

Password change during authentication through AD

If Active Directory (AD) is used to authenticate users, passwords are likewise not stored on the Zimbra server. Instead, Zimbra OSE simply passes the credentials entered by the user to AD and receives a response stating whether the account is authenticated or not. Since all account information lives on another server, it is usually recommended to disable the self-service password change feature in the Zimbra OSE web client when external AD authentication is used.

However, there is a way to combine user authentication through AD with the ability for users to change their own password. This is done with an extension called Active Directory Change Password. It changes the behaviour of the password change button in the Zimbra OSE web client so that the password is changed in AD.

The extension is quite easy to install and works as follows:

  • The user clicks the password change button
  • The user enters the new password
  • The extension determines the user's DN
  • The extension looks up the external AD server
  • The extension changes the account password over a secure connection

The extension is installed on the command line using the following commands:

  # Install the extension jar into Zimbra's extension directory
  mkdir -p /opt/zimbra/lib/ext/adpassword
  wget https://github.com/Zimbra-Community/ADPassword/raw/master/out/artifacts/ADPassword_jar/ADPassword.jar -O /opt/zimbra/lib/ext/adpassword/adPassword.jar
  su zimbra
  # Point the domain's authentication at AD over LDAPS
  zmprov md domain.ext zimbraAuthLdapBindDn "%u@company.ru"
  zmprov md domain.ext zimbraAuthLdapSearchBase "CN=Users,DC=DOMAIN,DC=EXT"
  zmprov md domain.ext zimbraAuthLdapSearchBindDn "CN=serviceAccount,CN=Users,DC=DOMAIN,DC=EXT"
  zmprov md domain.ext zimbraAuthLdapSearchBindPassword "*********"
  zmprov md domain.ext zimbraAuthLdapSearchFilter "(samaccountname=%u)"
  zmprov md domain.ext zimbraAuthLdapURL "ldaps://ad.company.ru:636"
  zmprov md domain.ext zimbraExternalGroupLdapSearchBase "CN=Users,DC=DOMAIN,DC=EXT"
  zmprov md domain.ext zimbraExternalGroupLdapSearchFilter "(samaccountname=%u)"
  zmprov md domain.ext zimbraAuthMech "ad"
  zmprov md domain.ext zimbraAuthMechAdmin "ad"
  # Register the extension as the password change listener for the domain
  zmprov md domain.ext zimbraPasswordChangeListener ADPassword
  # Verify the LDAP and listener settings that were just applied
  zmprov gd domain.ext | grep -i ldap | grep -v Gal
  zmprov gd domain.ext | grep -i zimbraPasswordChangeListener
  # Disable fallback to the local password store and restart Zimbra
  zmprov md domain.ext zimbraAuthFallbackToLocal FALSE
  zmcontrol restart

In addition, if your Zimbra OSE and Active Directory servers use different SSL certificates, you should add the AD certificate to the trusted list on the Zimbra OSE server. If both information systems use the same certificate, you can skip this step.

Thus, after installing this extension, your users will be able to change their password directly in the Zimbra OSE web client, even when authentication is performed through AD.

Mass password reset

Situations may well arise in which you need to quickly reset the passwords of a large number of Zimbra OSE users. If the number of users is large enough, resetting passwords by hand will take a lot of time, which may simply be unacceptable in a critical situation. A script can streamline this task by automatically resetting the passwords of all users in a single domain or on an entire mail server.

For example, let us reset the passwords of all users in the company.ru domain. To do this, log into the server and run the command `zmprov -l gaa company.ru > /tmp/domainusers.txt`. This creates the text file domainusers.txt listing all users of the specified domain. If you omit the domain from this command, all accounts on the server are written to the text file.

After that, remove from the resulting text file all system accounts, such as galsync or spam, as well as any users whose passwords should not be reset. When the file is ready, you can run the following script:

  for i in $(cat /tmp/domainusers.txt); do newpass="Z1mBr@$(openssl rand -base64 12)0a" && /opt/zimbra/bin/zmprov sp "$i" "$newpass" && echo "$i $newpass" >> newlogin.txt && echo "$i" && sleep 5s; done

The result of this script will be a newlogin.txt file with new account passwords. We recommend that you save it in a safe place as soon as possible and delete this file from the server. After that, you can inform users of their new passwords so that they can continue to work in Zimbra OSE.
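A more careful version of the mass-reset loop above, written for this article as an added example rather than taken from it: it drops the Zimbra system accounts automatically, honours an optional exclude list, creates the password file with owner-only permissions before any password is written, and records a password only after zmprov has accepted it. The system-account name patterns (galsync, spam.*, ham.*, virus-quarantine.*) and the hex password format are assumptions; ZMPROV can be pointed at a stub for a dry run.

```shell
#!/bin/sh
# Added example, not from the original article. Resets passwords for the
# accounts listed in a file produced by "zmprov -l gaa <domain>".
ZMPROV="${ZMPROV:-/opt/zimbra/bin/zmprov}"   # override with a stub for a dry run

# filter_accounts <all accounts file> [exclude file]
# Prints only the accounts whose passwords should actually be reset.
# Assumed default Zimbra system account names are skipped up front.
filter_accounts() {
    list="$1"; exclude="${2:-}"
    grep -Ev '^(galsync|spam\.|ham\.|virus-quarantine\.)' "$list" |
        if [ -n "$exclude" ] && [ -s "$exclude" ]; then
            grep -vxF -f "$exclude"   # drop exact matches from the exclude list
        else
            cat
        fi
}

# gen_password: constructed format, same "Z1mBr@" prefix as the article,
# followed by 72 random bits from /dev/urandom rendered as 18 hex characters.
gen_password() {
    printf 'Z1mBr@%s\n' "$(od -An -tx1 -N 9 /dev/urandom | tr -d ' \n')"
}

# reset_passwords <filtered accounts file> <output file>
# Resets each listed account and writes "account password" lines to the
# output file; prints the number of accounts successfully reset.
reset_passwords() {
    list="$1"; out="$2"; n=0
    ( umask 077; : > "$out" )    # owner-only file before any secret lands in it
    while IFS= read -r user; do
        [ -n "$user" ] || continue
        pass=$(gen_password)
        # stdin is redirected so zmprov cannot swallow the rest of the list
        if "$ZMPROV" sp "$user" "$pass" </dev/null >/dev/null; then
            printf '%s %s\n' "$user" "$pass" >> "$out"
            n=$((n + 1))
        else
            echo "reset failed for $user" >&2
        fi
    done < "$list"
    echo "$n"
}
```

Run it as `filter_accounts /tmp/domainusers.txt keep.txt > /tmp/reset.txt && reset_passwords /tmp/reset.txt newlogin.txt`; as with the article's script, move newlogin.txt off the server as soon as the passwords have been handed out.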

Separate password for mobile devices

Another interesting feature that becomes available after installing the Zextras Suite of extensions for Zimbra OSE is a separate password for accessing the mailbox from a mobile device. In other words, an additional password is created for the account that is used only on the mobile device: with it the device can synchronize with the mailbox, but it cannot be used to log into the Zimbra OSE web client. This feature can significantly increase the security of using e-mail outside the office, since a mobile device may be compromised or even stolen, and the mobile password keeps the real account password out of the hands of attackers.


Creating a password for mobile devices is quite simple. It can be done either in the administration console using the Zextras plugin or on the command line. For example, the command `zxsuite mobile setAccountMobilePassword manager@company.ru Z1mBr@` gives the user manager@company.ru the mobile password Z1mBr@. The command `zxsuite mobile getAccountMobilePassword manager@company.ru` shows the mobile password of the user manager@company.ru, and the command `zxsuite mobile unsetAccountMobilePassword manager@company.ru` completely removes the mobile password from the specified user.

For all questions related to the Zextras Suite, you can contact the representative of the company "Zextras" Ekaterina Triandafilidi by e-mail katerina@zextras.com
