We have been on Zimbra for close to a year now since our initial migration from Exchange 2003. During that time we have been running “split” GAL lists in Zimbra between AD and Zimbra’s local GAL repository. With the phasing out of our Exchange server we wanted to be able to migrate back to using Zimbra’s native GAL lists instead of split mode.
In our environment each location has several MFP devices that offer scan-to-email, with their address books fed from an LDAP/AD directory, so these would also need to be switched from AD to Zimbra. The problem came when selecting the correct LDAP BIND account. Initially I tried an ordinary Zimbra user account as the bind credentials but could never get that to work. I then tried the backend LDAP admin account that Zimbra itself uses against OpenLDAP, and that worked. As a security best practice we do not use "full admin" accounts for bind accounts like this, so I set out to locate or create a read-only account for the purpose. Zimbra recommends not "messing" directly with OpenLDAP, so I was not too excited to go that route, although it is possible with an OpenLDAP ACL: http://www.openldap.org/doc/admin24/access-control.html
I reached out to a contact at Zimbra and asked about this, as Zimbra publicly says very little about this use case even though many companies point MFP address books at their directory. It turns out Zimbra already has several read-only application accounts in its backend OpenLDAP for its own services to use: zmpostfix, amavis, nginx, and bes are a few of them.
I chose the zmpostfix account. To find its password, run the following as the zimbra user on your Zimbra server (the value it prints is a live directory credential, so treat it as you would any other service password): zmlocalconfig -s ldap_postfix_password
Based on Zimbra's backend schema, the MFP address book needs the following settings:
Search base (root DN): ou=people,dc=yourdomain,dc=com (one dc= component per label of your Zimbra domain name; each Zimbra domain has its own ou=people subtree, so a device that must find users in more than one domain needs a base above them)
BIND DN: uid=zmpostfix,cn=appaccts,cn=zimbra
BIND password: the password you found by running zmlocalconfig -s ldap_postfix_password
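Before typing the bind details into every device, it is worth proving them from the Zimbra server itself with a search of the same shape an MFP address-book lookup sends. The script below is an added example, not part of the original post and not Zimbra tooling; it assumes it runs as the zimbra user on the Zimbra server, that OpenLDAP's ldapsearch is installed, and that it reads the directory URL from the ldap_url localconfig key. The zimbraAccount objectClass and the cn/mail attributes used in the filter are Zimbra's own; the choice to match on those two attributes is this example's assumption about what the device searches for.

```shell
#!/bin/sh
# Check the Zimbra read-only LDAP bind the MFPs will use, before touching the devices.
# Added example; not part of the original post and not Zimbra's own tooling. Assumes it is
# run as the 'zimbra' user on the Zimbra server, that OpenLDAP's ldapsearch is installed,
# and that a Zimbra domain name is passed as the first argument.
#
# Usage: sh check-mfp-bind.sh example.com smith

BIND_DN="uid=zmpostfix,cn=appaccts,cn=zimbra"   # read-only application account from the post

# "example.com" -> "dc=example,dc=com": Zimbra keeps each domain's ou=people under its own DN.
domain_to_dn() {
    printf '%s\n' "$1" | sed 's/\./,dc=/g; s/^/dc=/'
}

# Search base the MFP address book should be configured with for this domain.
search_base() {
    printf 'ou=people,%s\n' "$(domain_to_dn "$1")"
}

# Filter in the shape an MFP address-book lookup sends: match the typed text against
# cn or mail, restricted to account objects (zimbraAccount is Zimbra's objectClass;
# matching on cn and mail is this example's assumption about what the device queries).
address_filter() {
    printf '(&(objectClass=zimbraAccount)(|(cn=*%s*)(mail=*%s*)))\n' "$1" "$1"
}

# ldapsearch exits with the LDAP result code; translate the ones seen during this setup.
explain_result() {
    case "$1" in
        0)  echo "bind and search succeeded" ;;
        32) echo "noSuchObject: search base is wrong (check the domain / dc= components)" ;;
        49) echo "invalidCredentials: bind DN or password is wrong" ;;
        *)  echo "ldapsearch failed with LDAP result code $1" ;;
    esac
}

check_bind() {
    domain="$1"; needle="${2:-a}"
    uri=$(zmlocalconfig -m nokey ldap_url)            # e.g. ldap://mail.example.com:389
    passfile=$(mktemp) || exit 1
    chmod 600 "$passfile"
    # -s reveals the password; keep it in a 0600 file (-y) rather than on the command line
    # where ps can see it. ldapsearch -y uses the file verbatim, so write no trailing newline.
    printf '%s' "$(zmlocalconfig -s -m nokey ldap_postfix_password)" > "$passfile"
    if ldapsearch -x -LLL -H "$uri" -D "$BIND_DN" -y "$passfile" \
            -b "$(search_base "$domain")" -s sub "$(address_filter "$needle")" \
            cn mail displayName; then
        rc=0
    else
        rc=$?
    fi
    rm -f "$passfile"
    explain_result "$rc"
    return "$rc"
}

if [ $# -gt 0 ]; then
    check_bind "$@"
fi
```

A result code of 49 here means the device will fail the same way, so fix the DN or password first; a 32 means the search base does not exist, which is usually a mistyped domain component. Only once this returns entries should the three settings be copied into the MFP.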
After locating the bind DN and password I was able to get this working properly on our HP and Xerox brand MFPs while still following best practice on the security side, since the devices never hold a full-admin credential. After speaking with Zimbra, this is their recommended method for accomplishing this as well.