3.5/5 - (2 votes)

Password management has always been one of the most important problems associated with the safe operation of information systems. The ability to safely store and quickly change passwords for multiple accounts, the ability for users to safely reset a forgotten password and an administrator password are all no less important than the password security policy that we talked about earlier. In this article, we will understand how these functions are implemented in Zimbra OSE.

User password and global administrator change

The global administrator password is set during the installation of Zimbra OSE and can subsequently be changed in the web client settings. The user password is initially set when creating the account, but the administrator can enable the forced password change when the user first logs into the web client so that the user does not forget to set his own password.

In case the user forgets his password, Zimbra OSE provides a password recovery function. This function, if enabled by the administrator, allows the user to specify a backup mailbox to which a temporary confirmation code will come. With this one-time code, a user can access the Zimbra OSE web client and change their password.

However, if the administrator suddenly forgot the password for his account and because of this cannot log into the web client to change the password, he can use the setPassword attribute or just sp on the command line. For example, the command zmprov sp [email protected] qwerty allows you to change the administrator password to qwerty without logging in to the Zimbra OSE web client. The same command can be used to change the password of any other user.

Note also that the administrator does not have the option to view the user’s password. This limitation is due to the fact that Zimbra OSE, does not store user passwords in clear text. Instead, Zimbra OSE only stores password hashes and, when trying to log in, compares the hash of the password entered by the user with what is stored in the LDAP server.

Password change during authentication through AD

In the case of using AD to authenticate users, passwords are also not stored on the server. Instead, Zimbra OSE simply passes AD the user input and receives a response about whether this account is authenticated or not. And since all account information is stored on another server, when using external AD, it is usually recommended to disable the self-change password feature in the Zimbra OSE web client.

However, there is a way to combine user authentication through AD with the ability to independently change the password for users. This can be done by an extension called Active Directory Change Password. It changes the functionality of the password change button in the Zimbra OSE web client so that the password in AD changes.

The extension is quite easy to install and works like this:

  • User clicks password change button
  • Enters password
  • Extension defines user DN
  • Searches in an external AD server
  • Makes changes to the account password over a secure connection

The extension is installed on the command line using the following commands:

 mkdir -p /opt/zimbra/lib/ext/adpassword
  wget https://github.com/Zimbra-Community/ADPassword/raw/master/out/artifacts/ADPassword_jar/ADPassword.jar -O /opt/zimbra/lib/ext/adpassword/adPassword.jar
  su zimbra
  zmprov md domain.ext zimbraAuthLdapBindDn "%[email protected]"
  zmprov md domain.ext zimbraAuthLdapSearchBase «CN=Users,DC=DOMAIN,DC=EXT»
  zmprov md domain.ext zimbraAuthLdapSearchBindDn «CN=serviceAccount,CN=Users,DC=DOMAIN,DC=EXT»
  zmprov md domain.ext zimbraAuthLdapSearchBindPassword "*********"
  zmprov md domain.ext zimbraAuthLdapSearchFilter "(samaccountname=%u)"
  zmprov md domain.ext zimbraAuthLdapURL «ldaps://ad.company.ru:636»
  zmprov md domain.ext zimbraExternalGroupLdapSearchBase «CN=Users,DC=DOMAIN,DC=EXT»
  zmprov md domain.ext zimbraExternalGroupLdapSearchFilter "(samaccountname=%u)"
  zmprov md domain.ext zimbraAuthMech «ad»
  zmprov md domain.ext zimbraAuthMechAdmin «ad»
  zmprov md domain.ext zimbraPasswordChangeListener ADPassword
  zmprov gd domain.ext | grep -i ldap | grep -v Gal
  zmprov gd domain.ext | grep -i zimbraPasswordChangeListener
  zmprov md domain.ext zimbraAuthFallbackToLocal FALSE
  zmcontrol restart

In addition, if your Zimbra OSE and Active Directory servers use different SSL certificates, you should add the AD certificate to the trusted list on the Zimbra OSE server. If both information systems use the same certificate, you can skip this step.

Thus, after installing this extension, your users will be able to change their password directly in the Zimbra OSE web client, even when using authentication using AD.

Mass password reset

It is quite acceptable situations in which you may need to quickly reset passwords for a large number of Zimbra OSE users. In case that the number of users is large enough, manually resetting passwords will take a lot of time, which may simply be unacceptable in a critical situation. A script can help optimize this task, which can automatically reset user passwords for both a single domain and an entire mail server.

For example, reset the passwords of all users of the company.ru domain. To do this, log into the server and run the command zmprov -l gaa company.ru> /tmp/domainusers.txt. As a result of the execution of this command, a text file domainusers.txt will be created, in which all users of the specified domain will be listed. If you do not specify a domain in this command, all accounts on this server will be written to the text file.

After that, you can remove from the received text file all system accounts, such as galsync or spam, as well as those users whose password will not be reset. When the file is ready, you can run the following script:

for i in `cat /tmp/domainusers.txt`; do newpass=«[email protected]`openssl rand -base64 12`0a» && /opt/zimbra/bin/zmprov sp $i $newpass && echo $i  $newpass  >> newlogin.txt && echo $i && sleep 5s; done

The result of this script will be a newlogin.txt file with new account passwords. We recommend that you save it in a safe place as soon as possible and delete this file from the server. After that, you can inform users of their new passwords so that they can continue to work in Zimbra OSE.

Separate password for mobile devices

Another interesting feature that becomes available after installing the Zextras Suite of extensions for Zimbra OSE is a separate password for entering the mailbox from a mobile device. In other words, an additional password is created for an account using its account on a mobile device, with which it can synchronize its device with the mailbox, but cannot log in to the Zimbra OSE web client. This feature can significantly increase the security of using e-mail outside the office, as the mobile device can be compromised or even stolen, and the mobile password function will help to prevent the real account password from falling into the hands of attackers.

Creating a password for mobile devices is quite simple. This can be done both in the administration console using the Zextras plugin, and on the command line. So, for example, using the command zxsuite mobile setAccountMobilePassword [email protected] Z1mBr @, you will give the user [email protected] the password Z1mBr @. Using the command zxsuite mobile getAccountMobilePassword [email protected] you can see the mobile password of the user [email protected], and using the command zxsuite mobile unsetAccountMobilePassword [email protected] you can completely remove the mobile password from the specified user.