Zimbra supports various authentication sources for authenticating users. Examples include external LDAP, Active Directory and custom authentication plugins.
Prior to Zimbra 10.0.8, the setting of zimbraAuthFallbackToLocal had no effect on administrative accounts: the username and password stored in Zimbra LDAP could be used to sign in to an admin account even if that admin account did not exist in the external authentication source, or if the password entered did not match the external authentication source.
In some cases people installing Zimbra would use a simple password during installation, then set up external authentication and not realize the original simple password was still working. In addition, someone could set an admin password in the Zimbra LDAP to create something that could be seen as a back door, as this effectively bypasses external authentication.
To improve Zimbra security and adhere to more modern auditing requirements, from Zimbra 10.0.8 onwards the setting of zimbraAuthFallbackToLocal is honored for administrative accounts as well as regular accounts. The recommended setting when using external authentication is:
zmprov md example.com zimbraAuthFallbackToLocal FALSE
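As an added example (not Zimbra's own code, and not part of the original post), the following script audits the same setting across many domains. It parses the "attribute: value" output of `zmprov gd <domain>` (the sample output below is constructed; the "# name <domain>" header line and the assumption that an unset zimbraAuthMech means internal Zimbra authentication are assumptions of this example) and flags every domain that uses an external authentication mechanism (ldap, ad, kerberos5 or a custom handler) while zimbraAuthFallbackToLocal is not explicitly FALSE, printing the exact zmprov command from this post to fix it.

```python
"""Audit Zimbra domains for local-password fallback while external auth is in use.

Added example, not Zimbra project code. Feed it the concatenated output of
`zmprov gd <domain>` for each domain (e.g. `zmprov gad | xargs -n1 zmprov gd`).
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample of `zmprov gd` output for four domains (assumption: zmprov
# prints a "# name <domain>" header before each record's attributes).
SAMPLE_OUTPUT = """\
# name example.com
zimbraAuthFallbackToLocal: TRUE
zimbraAuthMech: ldap
zimbraDomainName: example.com

# name corp.example.net
zimbraAuthMech: ad
zimbraAuthFallbackToLocal: FALSE
zimbraDomainName: corp.example.net

# name local.example.org
zimbraAuthMech: zimbra
zimbraDomainName: local.example.org

# name legacy.example.org
zimbraAuthMech: ldap
zimbraDomainName: legacy.example.org
"""

EXTERNAL_MECHS = {"ldap", "ad", "kerberos5"}  # "custom:<handler>" is handled separately
HEADER = re.compile(r"^#\s*name\s+(\S+)")
ATTR = re.compile(r"^([A-Za-z0-9_]+):\s*(.*)$")


@dataclass
class DomainAuth:
    name: str
    mech: str
    fallback: str  # "TRUE", "FALSE", or "" when the attribute is unset

    @property
    def external_auth(self) -> bool:
        return self.mech in EXTERNAL_MECHS or self.mech.startswith("custom:")

    @property
    def risky(self) -> bool:
        # Only an explicit FALSE closes the Zimbra-LDAP password path for admin
        # accounts; an unset value is flagged conservatively for review too.
        return self.external_auth and self.fallback.upper() != "FALSE"

    def remediation(self) -> str:
        return f"zmprov md {self.name} zimbraAuthFallbackToLocal FALSE"


def parse_zmprov_gd(text: str) -> List[DomainAuth]:
    """Turn zmprov's 'attr: value' blocks into DomainAuth records."""
    records: List[DomainAuth] = []
    name = ""
    attrs: Dict[str, str] = {}

    def flush() -> None:
        if name:
            records.append(DomainAuth(
                name=attrs.get("zimbraDomainName", name),
                # Assumption: an unset zimbraAuthMech means internal ("zimbra") auth.
                mech=attrs.get("zimbraAuthMech", "zimbra"),
                fallback=attrs.get("zimbraAuthFallbackToLocal", ""),
            ))

    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            flush()
            name, attrs = m.group(1), {}
            continue
        m = ATTR.match(line)
        if m and name:
            attrs[m.group(1)] = m.group(2).strip()
    flush()
    return records


def audit(text: str) -> List[DomainAuth]:
    """Return the domains where local fallback still bypasses external auth."""
    return [d for d in parse_zmprov_gd(text) if d.risky]


if __name__ == "__main__":
    for d in audit(SAMPLE_OUTPUT):
        print(f"{d.name}: mech={d.mech} fallback={d.fallback or 'unset'} -> {d.remediation()}")
```

On the constructed sample this reports example.com (fallback explicitly TRUE) and legacy.example.org (fallback unset), while corp.example.net (already FALSE) and local.example.org (internal auth, where fallback is irrelevant) are left alone.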
If you are unable to add your admin account to your external authentication source, you are recommended to follow the steps here:
This blog post also applies on Zimbra 9.0 P40 which has reached End of General Support.
“This blog post also applies on Zimbra 9.0 P40 which has reached End of General Support.”
Zimbra 9.0 General Support was extended and ends on 12/31/2024.
It is only extended for existing customers.