ZCS Administrator's Guide 8.0.4
Network Edition



Auto Provisioning New Accounts from External LDAP
When an external authentication mechanism, such as external LDAP authentication, preauth, or SPNEGO, is configured for a ZCS domain, you can set up ZCS to automatically create user accounts on ZCS. The primary email address and the account attributes are mapped from the external directory.
You can configure how and when new accounts should be created from the external directory data.
* LAZY mode. When a user logs into ZWC for the first time through one of the authentication mechanisms supported for auto provisioning, and the user does not exist in the ZCS directory, a new account is automatically created in ZCS for that user.
* EAGER mode. ZCS polls the external directory for accounts to auto provision. You configure how often the external directory is polled for new users, the maximum number of users to process at each interval, and which domains are scheduled for account auto provision on which servers.
When an account is created, the account name (the characters before the @) is mapped from a user attribute in the external directory that you define in zimbraAutoProvAccountNameMap. Other account information, such as first and last name, phone numbers, and address, is populated from the external directory attributes mapped in zimbraAutoProvAttrMap. Review the external directory's attributes to determine which ones should be mapped to a Zimbra attribute.
COS assignment for auto-provisioned accounts works exactly as it does for manually provisioned accounts: if a COS is set for the domain, that COS is assigned to the accounts that are created; if no domain COS is set, the ZCS default COS is assigned.
You can configure a Welcome email message that is sent to each new account when it is created. The subject and body of the email are configured with the zimbraAutoProvNotification* attributes on the domain.
Auto-Provision Attributes
The following attributes are used with zmprov to configure auto provisioning of new accounts from an external LDAP directory. Most of the auto-provision attributes are set at the domain level; zimbraAutoProvScheduledDomains and zimbraAutoProvPollingInterval are set on the server.
zimbraAutoProvAuthMech. Values: LDAP, PREAUTH, KRB5, SPNEGO.
zimbraAutoProvLdapSearchBase. Defines the LDAP search base for auto provision, used in conjunction with zimbraAutoProvLdapSearchFilter. If not set, the LDAP root DSE is used.
zimbraAutoProvLdapSearchFilter. Defines the LDAP search filter for auto provision. For LAZY mode, either zimbraAutoProvLdapSearchFilter or zimbraAutoProvLdapBindDn must be set. If both are set, zimbraAutoProvLdapSearchFilter takes precedence.
zimbraAutoProvLdapBindDn. Defines the LDAP external DN template for account auto provisioning. For LAZY mode, either zimbraAutoProvLdapSearchFilter or zimbraAutoProvLdapBindDn must be set. If both are set, zimbraAutoProvLdapSearchFilter takes precedence.
zimbraAutoProvAttrMap. Maps external directory attributes to Zimbra account attributes. Note: An invalid mapping configuration will cause the account creation to fail.
zimbraAutoProvNotificationFromAddress. Defines the email address to put in the From header of the Welcome email sent to the newly created account. If not set, no notification email is sent to the newly created account.
zimbraAutoProvNotificationSubject. Subject of the Welcome email. Supported variables: ${ACCOUNT_ADDRESS}, ${ACCOUNT_DISPLAY_NAME}
zimbraAutoProvNotificationBody. Body of the Welcome email. Supported variables: ${ACCOUNT_ADDRESS}, ${ACCOUNT_DISPLAY_NAME}
zimbraAutoProvListenerClass. Class name of the auto provision listener, which must implement the com.zimbra.cs.account.Account.AutoProvisionListener interface. The singleton listener instance is invoked after each account is auto created in Zimbra. The listener can be plugged in as a server extension to handle tasks like updating the account's auto provision status in the external LDAP directory.
At each eager provision interval, ZCS does an LDAP search based on the value configured in zimbraAutoProvLdapSearchFilter. The entries returned by this search are the candidates to be auto provisioned in this batch. The zimbraAutoProvLdapSearchFilter should include an assertion that only matches entries in the external directory that have not yet been provisioned in ZCS; otherwise the same entries are likely to be pulled into ZCS repeatedly. After an account is auto provisioned in ZCS, the auto provisioning framework calls com.zimbra.cs.account.Account.AutoProvisionListener.postCreate(Domain domain, Account acct, String externalDN). Customers can implement the AutoProvisionListener interface in a ZCS server extension so that their AutoProvisionListener.postCreate() is called. The customer's postCreate() implementation can, for example, set an attribute in the external directory on the entry for the account just provisioned in ZCS. That attribute can then be included as a condition in zimbraAutoProvLdapSearchFilter, so the entry is not returned again by the LDAP search in the next interval.
zimbraAutoProvScheduledDomains. Lists the domains scheduled for EAGER auto provision on this server. Scheduled domains must have EAGER mode enabled in zimbraAutoProvMode. Multiple domains can be scheduled on a server for EAGER auto provision, and a domain can be scheduled on multiple servers for EAGER auto provision.
zimbraAutoProvPollingInterval. Interval between successive polls of the external directory in EAGER mode. At each interval, the auto provision thread iterates through all domains in zimbraAutoProvScheduledDomains and auto creates accounts up to the domain's zimbraAutoProvBatchSize. If that process takes longer than zimbraAutoProvPollingInterval, then the next iteration starts immediately instead of waiting for the zimbraAutoProvPollingInterval amount of time.
Configure Eager Mode Auto-Provisioning
ZCS polls the external directory for accounts to auto provision. You configure how often the external directory is polled for new users, the maximum number of users to process at each interval, and which domains are scheduled for account auto provision on which servers.
1. Start the zmprov CLI:
zmprov
2. Set the domain to EAGER mode:
md <domain.com> zimbraAutoProvMode EAGER
3. Set the maximum number of accounts to process in each interval:
md <domain.com> zimbraAutoProvBatchSize <#>
4. Set how often the server polls the external directory:
ms <server.com> zimbraAutoProvPollingInterval <x> minutes
5. Schedule the domains to auto provision on this server:
ms <server.com> +zimbraAutoProvScheduledDomains <domain1.com> +zimbraAutoProvScheduledDomains <domain2.com>
6. Configure the connection to the external LDAP directory:
a. Set the LDAP URL. The LDAP port is usually 389.
md <domain.com> zimbraAutoProvLdapURL "ldap://xxx.xxx.xxx.xxx:<port>"
b. Enable StartTLS for the connection:
md <domain.com> zimbraAutoProvLdapStartTlsEnabled TRUE
c. Set the LDAP admin bind DN for auto provision, in the format cn=<LDAPadmin_name>, dc=autoprov, dc=<company_name>, dc=<com>:
md <domain.com> zimbraAutoProvLdapAdminBindDn "cn=admin, dc=autoprov, dc=company, dc=com"
d. Set the password for the admin bind DN:
md <domain.com> zimbraAutoProvLdapAdminBindPassword <password>
e. Set the LDAP search filter. Supported search terms to use include:
%n - User name with the @.
%u - User name with the @ removed.
%d - Domain as domain.com
To use the LDAP search filter, type
md <domain.com> zimbraAutoProvLdapSearchFilter "(uid=<placeholder>)"
where <placeholder> is one of the search terms above.
f. Define the LDAP search base for auto provision. This is the location in the directory from which the LDAP search begins. It is used with zimbraAutoProvLdapSearchFilter. If this is not set, the LDAP directory root, rootDSE, is the starting point. Type
md <domain.com> zimbraAutoProvLdapSearchBase "<location>"
For example, "dc=autoprov,dc=company,dc=com"
g. Set the LDAP external DN template for account auto provisioning. Supported search terms to use include:
%n - User name with the @
%u - User name with the @ removed
%d - Domain as domain.com
md <domain.com> zimbraAutoProvLdapBindDn "<placeholder1>"
7. Set the external directory attribute from which the account name is mapped:
md <domain.com> zimbraAutoProvAccountNameMap <value>
8. Map external directory attributes to Zimbra account attributes.
IMPORTANT: An invalid mapping configuration will cause the account creation to fail.
To map the "sn" value on the external entry to "displayName" on the Zimbra account, and the "description" value on the external entry to "description" on the ZCS account, type
md <domain.com> +zimbraAutoProvAttrMap sn=displayName +zimbraAutoProvAttrMap description=description
9. (Optional) If you want to send a Welcome email to new accounts, enter the from address of the originator. Type
md <domain.com> zimbraAutoProvNotificationFromAddress <name@domain.com>
10. Leave zmprov:
exit
Configure Lazy Mode Auto-Provisioning
Lazy mode auto provisioning automatically creates a new account when a user authenticates through one of the following external authentication mechanisms: LDAP, preauth, Kerberos 5, SPNEGO.
1. Start the zmprov CLI:
zmprov
2. Set the domain to LAZY mode:
md <domain.com> zimbraAutoProvMode LAZY
3. Set the authentication mechanisms that trigger auto provisioning (LDAP, PREAUTH, KRB5, SPNEGO), repeating +zimbraAutoProvAuthMech for each additional mechanism:
md <domain.com> zimbraAutoProvAuthMech <type> +zimbraAutoProvAuthMech <type2>
4. Configure the connection to the external LDAP directory:
a. Set the LDAP URL. The LDAP port is usually 389.
md <domain.com> zimbraAutoProvLdapURL "ldap://xxx.xxx.xxx.xxx:<port>"
b. Enable StartTLS for the connection:
md <domain.com> zimbraAutoProvLdapStartTlsEnabled TRUE
c. Set the LDAP admin bind DN for auto provision, in the format cn=<LDAPadmin_name>, dc=autoprov, dc=<company_name>, dc=<com>:
md <domain.com> zimbraAutoProvLdapAdminBindDn "<bindDN>"
For example, "cn=admin, dc=autoprov, dc=company, dc=com"
d. Set the password for the admin bind DN:
md <domain.com> zimbraAutoProvLdapAdminBindPassword <password>
e. Set the LDAP search filter.
Note: Either zimbraAutoProvLdapSearchFilter or zimbraAutoProvLdapBindDn must be configured for LAZY mode.
Supported search terms to use include:
%n - User name with the @.
%u - User name with the @ removed.
%d - Domain as domain.com
To use the LDAP search filter, type
md <domain.com> zimbraAutoProvLdapSearchFilter "<placeholder>"
f. Define the LDAP search base for auto provision. This is the location in the directory from which the LDAP search begins. It is used with zimbraAutoProvLdapSearchFilter. If this is not set, the LDAP directory root, rootDSE, is the starting point. Type
md <domain.com> zimbraAutoProvLdapSearchBase "<location>"
For example, "dc=autoprov,dc=company,dc=com"
g. Set the LDAP external DN template for account auto provisioning. Supported search terms to use include:
%n - User name with the @, or without, if no @ was specified.
%u - User name with the @ removed
%d - Domain as domain.com
md <domain.com> zimbraAutoProvLdapBindDn "uid=<placeholder1>, <placeholder2>"
5. Set the external directory attribute from which the account name is mapped:
md <domain.com> zimbraAutoProvAccountNameMap <value>
6. Map external directory attributes to Zimbra account attributes. To map the sn value on the external entry to displayName on the Zimbra account, and the description value on the external entry to description on the ZCS account, type
md <domain.com> +zimbraAutoProvAttrMap sn=displayName +zimbraAutoProvAttrMap description=description
7. (Optional) If you want to send a Welcome email to new accounts, enter the from address of the originator. Type
md <domain.com> zimbraAutoProvNotificationFromAddress <name@domain.com>
8. Leave zmprov:
exit
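The %n, %u and %d search terms used by zimbraAutoProvLdapSearchFilter and zimbraAutoProvLdapBindDn in both procedures above, worked through as an added example that is not part of this guide or of ZCS: it expands a filter template and a bind DN template for a login name and escapes the substituted values (RFC 4515 for filters, RFC 4514 for DNs) so that a login name containing metacharacters cannot change the structure of the search or the bind DN. The escaping rules are this example's own assumption about what a safe template needs; how ZCS performs the substitution internally is not described in the guide.

```python
# Added example, not from the ZCS guide or Zimbra: expands the %n/%u/%d
# placeholders of zimbraAutoProvLdapSearchFilter and zimbraAutoProvLdapBindDn
# as the guide defines them, escaping substituted values per RFC 4515 (filter)
# and RFC 4514 (DN). Assumed safe-template rules, not ZCS's own substitution.

_FILTER_ESCAPES = {"*": "\\2a", "(": "\\28", ")": "\\29", "\\": "\\5c", "\x00": "\\00"}
_DN_SPECIALS = set(',+"\\<>;')  # RFC 4514: backslash-escape inside a DN value

def split_login(login):
    """(%n, %u, %d): name as typed, part before the @, domain after it."""
    user, _, domain = login.partition("@")
    return login, user, domain

def escape_filter_value(value):
    """RFC 4515 escaping for a value placed inside a search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)

def escape_dn_value(value):
    """RFC 4514 escaping for an attribute value inside a DN."""
    out, last = [], len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_SPECIALS or (i == 0 and ch in " #") or (i == last and ch == " "):
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        else:
            out.append(ch)
    return "".join(out)

def expand_template(template, login, escape):
    """Replace %n, %u, %d in template with the escaped parts of login."""
    name, user, domain = split_login(login)
    subs = {"%n": escape(name), "%u": escape(user), "%d": escape(domain)}
    out, i = [], 0
    while i < len(template):
        token = template[i:i + 2]
        out.append(subs.get(token, template[i]))
        i += 2 if token in subs else 1
    return "".join(out)

def expand_search_filter(template, login):
    """Expand a zimbraAutoProvLdapSearchFilter template for a login name."""
    return expand_template(template, login, escape_filter_value)

def expand_bind_dn(template, login):
    """Expand a zimbraAutoProvLdapBindDn template for a login name."""
    return expand_template(template, login, escape_dn_value)
```

With the templates from the procedures, a normal login such as jdoe@example.com expands to (uid=jdoe) and uid=jdoe,dc=autoprov,dc=company,dc=com, while a name containing ( ) * or , is rendered harmless inside the filter or DN.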
Copyright © 2013 VMware Inc.