Step 1 – Create the accounts tu1, tu2, tu3, corresponding to the accounts in the AD OU; these accounts are created without a password.
Next, in the admin console, configure LDAP against the Windows Server domain controller. My AD server is in the domain tudv.xyz with IP 103.28.36.64. Enter a user that already exists on AD to test the connection; here I enter tu1, and the authentication test succeeds. Go back to the Zimbra server and try logging in. With this authentication method you can apply the domain's policies to the users so that they take effect on the Zimbra accounts. A simple example is a policy that blocks logins on Sundays and blocks authentication every day from 18:00 to 06:00 the next morning; you will not be able to log in at a time that violates this policy. (Note: if your AD sits in a network zone behind a firewall, NAT the AD port and allow only the Zimbra server's IP to connect on port 389; in this lab I use a VPS.)

Conclusion
In this article, Nhân Hòa has shown you how to authenticate Zimbra accounts with Active Directory, a centralized authentication model.

However, you might consider them very similar to each other because Active Directory is in fact Microsoft's implementation of LDAP. Active Directory supports LDAP binding and basic LDAP protocol connectivity. They work together to empower an organization with knowledge and security.

LDAP vs Active Directory – A Synopsis

| Service | LDAP (Lightweight Directory Access Protocol) | Active Directory |
|---|---|---|
| Functionality | LDAP helps in communicating with Active Directory. | Active Directory is a database directory system. |
| Supported platforms | LDAP is not limited to Windows; it also supports Linux, AIX, Solaris, and HP-UX 11.11. | Microsoft Active Directory works on Windows servers. |
| Standard | LDAP is an open standard. | Active Directory is Microsoft's proprietary product; it needs a Microsoft domain controller to function. |
| Flexibility | High flexibility | Low flexibility |
| Device Management | LDAP requires no device management protocol. | Active Directory controls Windows devices through Group Policy Objects (GPOs). |
| Philosophy | The LDAP protocol modifies and queries items in Active Directory. | Active Directory is a database-based system that offers many network-related services such as authentication, policy administration, user and group management, DNS-based services, etc. |

To understand the above … differences in detail, let's focus on understanding the significance of Active Directory and LDAP in managing an organization's identity and access management framework.

What is Active Directory?
Microsoft introduced Active Directory to provide easy and centralized management of users, computers, and other network resources by storing their information in a single directory. It is the most common directory service used by organizations today. Active Directory has two main functions; it allows:
Imagine a world without Active Directory: you would provide your credentials repeatedly to sign in to every application, and the IT team would assign permissions and access to resources by hand. Some of the most used Active Directory services are:
Why should you Consider Active Directory?
If you are working in an environment based on Windows and Microsoft, Active Directory turns out to be the best choice. With the Active Directory console, network management tasks become easier for administrators in several ways, such as:
Alternatives to Active Directory
There are a few alternatives that administrators can consider if they do not wish to use Active Directory. One such alternative is OpenLDAP, a free, open-source alternative. Do not confuse it with LDAP: OpenLDAP is more than just a protocol. OpenLDAP is a directory service, but it does not match the feature level of Active Directory.
On the other hand:
With so many advantages, organizations mostly go for a combination of Active Directory and Azure AD. However, there are still some IT companies that choose OpenLDAP because Azure does not support the LDAP protocol for cloud infrastructure.

What is LDAP?
LDAP is a lightweight access protocol used to access and manage directory services. Other complementary protocols include SAML, SMB, Kerberos, OAuth, RADIUS, etc. For example, with AD FS you use SAML. Similarly, Active Directory uses Kerberos to manage tokens. Over the years, LDAP has been considerably enhanced to meet the requirements of IT teams.

Historical Perspective
In 1993, Tim Howes, along with his colleagues, developed LDAP as a low-overhead version of the X.500 directory service protocol called DAP. In the early 1990s, X.500 was used on limited systems since it was hard on the network (bandwidth intensive) and on systems (large footprint). To overcome this, LDAP was introduced; it allowed user management and facilitated user authentication to files, applications, servers, and other IT resources with reduced demand on endpoints, bandwidth use, and overhead. LDAP offers a language for client applications to communicate with different directory services. In simple words, LDAP is a way to talk to Active Directory. LDAP and Active Directory are just like HTTP and Apache, where HTTP is a web protocol used by Apache.

LDAP Functionality
LDAP provides a simplified directory storage method. It can help add, modify, and delete records. It also facilitates searching records, authenticating users, and controlling access to these resources. There are four major components to LDAP functionality.
LDAP Authentication
To keep your data secure, LDAP offers two main authentication types.
LDAP Query
LDAP queries are the commands used to retrieve information from a directory service. For example, if you want to view the expired user accounts in Active Directory, you can use the following LDAP query:

(&(objectCategory=person)(objectClass=user)(!(accountExpires=0))(!(accountExpires=9223372036854775807)))

Similarly, if you want to check whether a particular user is part of a given group, you apply the following LDAP filter:

(&(objectClass=user)(sAMAccountName=yourUserName)(memberOf=CN=YourGroup,OU=Users,DC=YourDomain,DC=com))

How Active Directory and LDAP Work Together
LDAP is the core protocol that allows Active Directory to perform all the directory access services, including Active Directory Service Interfaces (ADSI).
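The two filters above, built programmatically, as an added example that is not part of the original article. It goes slightly beyond the text: the expired-accounts filter also bounds accountExpires by the current time (the page's filter only excludes the two "never expires" sentinels), and every assertion value is escaped per RFC 4515 so a user-supplied sAMAccountName cannot change the filter's meaning. The domain tudv.xyz and user tu1 come from the lab above; the group "Zimbra Users" is a constructed placeholder.

```python
# Added example (not from the original article): build the AD filters discussed
# above with correct (!(...)) negation and RFC 4515 escaping of assertion values.
import time

# Unix epoch (1970-01-01) expressed as a Windows FILETIME (100-ns ticks since 1601-01-01).
_UNIX_EPOCH_AS_FILETIME = 116444736000000000
# accountExpires sentinel values: both 0 and 2^63-1 mean "account never expires".
NEVER_EXPIRES = ("0", "9223372036854775807")


def to_filetime(unix_seconds: int) -> int:
    """Convert Unix seconds to the 64-bit FILETIME value AD stores in accountExpires."""
    return unix_seconds * 10_000_000 + _UNIX_EPOCH_AS_FILETIME


def escape_filter_value(value: str) -> str:
    """Escape an assertion value per RFC 4515 so input cannot inject filter syntax."""
    out = []
    for ch in value:
        if ch in "\\*()\x00":
            out.append("\\%02x" % ord(ch))  # backslash, *, (, ), NUL -> \xx hex form
        else:
            out.append(ch)
    return "".join(out)


def expired_accounts_filter(now_unix: int) -> str:
    """Users whose accountExpires is set AND already in the past (not merely non-sentinel)."""
    never = "".join("(!(accountExpires=%s))" % v for v in NEVER_EXPIRES)
    return ("(&(objectCategory=person)(objectClass=user)%s"
            "(accountExpires<=%d))" % (never, to_filetime(now_unix)))


def user_in_group_filter(sam_account_name: str, group_dn: str) -> str:
    """Match the given user only if it is a direct member of group_dn."""
    return "(&(objectClass=user)(sAMAccountName=%s)(memberOf=%s))" % (
        escape_filter_value(sam_account_name), escape_filter_value(group_dn))


if __name__ == "__main__":
    print(expired_accounts_filter(int(time.time())))
    # Domain and user from the lab above; the group name is a constructed placeholder.
    print(user_in_group_filter("tu1", "CN=Zimbra Users,OU=Users,DC=tudv,DC=xyz"))
```

Feed the returned strings to any LDAP client's search call as the filter argument; the `<=` comparison works because AD treats accountExpires as an ordered large integer.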
How does LDAP Limit Data Breach Threats in Active Directory?
Active Directory is a prized target for external security threats. If a hacker gets access to even a single account, sensitive files can be at risk. And if the account is an administrator account, the extent of damage could be unfathomable. This is where LDAP steps in as a savior. Organizations can use any of the LDAP authentication methods as a strong defense against such security threats.
How do LDAP Queries Work in GroupID?
LDAP queries help in accessing data from Active Directory. If you have GroupID, this process becomes much easier. GroupID provides a GUI-based management console to interact with the directory. In GroupID Automate and Self Service, when you create a Smart Group or Dynasty, you assign rules for the membership of these groups. GroupID translates these rules into an LDAP query. When executed, this query retrieves records from Active Directory and updates group memberships. You do not need to apply the queries every time you need to update group memberships. GroupID further allows you to limit the search scope for security roles in Active Directory with LDAP queries. For example, you can set the LDAP filter to "Country=United States". When a role member performs a search, GroupID retrieves only those objects from Active Directory whose Country attribute is set to United States.