
Thread: GAL and sub-domains

  1. #1
    DJ Ghost is offline Senior Member
    Join Date
    May 2008
    Location
    FRANCE
    Posts
    58
    Rep Power
    7

    Default GAL and sub-domains

    Hi,

    I thought GAL was something we can access from the main domain and all sub-domains, but when I'm in a sub-domain's account I cannot get anything from the main domain GAL.

    Is there a way to link sub-domains to show and autocomplete addresses located in the main domain?

  2. #2
    mmorse is offline Moderator
    Join Date
    May 2006
    Location
    USA
    Posts
    6,242
    Rep Power
    21

    Default

    On individual domains (inherited from global), by default zimbraGalInternalSearchBase & zimbraGalSyncInternalSearchBase are set to DOMAIN. Thus if you're using multiple domains and still want to leave the GAL enabled, people can only search within their domain for privacy.

    You can let a domain look across all domains for the GAL by setting that to ROOT.

    If that situation is fine for you / it's all your users in those 2 domains and you're ok with all seeing each other, then set them to ROOT and you're done. (In fact you can set it globally: zmprov mcf zimbraGalInternalSearchBase ROOT)

    (If you're using external LDAP/AD auth that's zimbraGalLdapSearchBase & zimbraGalSyncLdapSearchBase.)

    ---

    If you want to allow lookup in domain and any sub.domains set that attribute to SUBDOMAINS.

    Notice that for all intents and purposes sub.domain.com can be set to DOMAIN or SUBDOMAINS here and there's no difference. That's because SUBDOMAINS isn't intended for the sub to view the parent, just the parent to see the sub.

    Do read on to understand how that works:

    zmprov cd domain.com
    zmprov cd sub.domain.com
    zmprov ca usermain@domain.com usermain
    zmprov ca usersub@sub.domain.com usersub
    zmprov md domain.com zimbraGalInternalSearchBase SUBDOMAINS
    zmprov md sub.domain.com zimbraGalInternalSearchBase SUBDOMAINS
    (or mcf to do it globally)

    Login to usermain
    Type 'u' in a new mail (assuming you have auto complete from GAL enabled) and you'll get back:
    usermain@domain.com
    usersub@sub.domain.com

    Login to usersub
    Type 'u' and you'll get back just:
    usersub@sub.domain.com

    Get it?

    And you'll continue to get nothing but usersub@sub.domain.com unless you make an alpha.sub.domain.com & useralphasub@alpha.sub.domain.com

    At which point logging in as usersub and typing 'u' will return:
    usersub@sub.domain.com
    useralphasub@alpha.sub.domain.com

    Usermain would then return 3 values:
    usermain@domain.com
    usersub@sub.domain.com
    useralphasub@alpha.sub.domain.com

    (When testing be sure to refresh your browser every time you set zimbraGalInternalSearchBase, seems it uses the value at time of account login.)

    ---

    So what can be done if you can't use ROOT & want sub.domain.com users to see domain.com users?
    You could use both internal & 'external' GAL lookups against yourself so that A<>B and B<>A (use the GAL wizard):

    DomainA:
    GAL: both
    Server type: LDAP
    LDAP url: ldap://serverwithldapservice.domain.com:389
    LDAP filter: (uid=%u) parenthesis included
    Autocomplete filter: It should autofill with externalLdapAutoComplete, but doesn't always do so the first round of setting up; though it will show up after you apply. (but you could add it now if wanted/if it requires you to in an error at the end)
    LDAP search base: dc=domainB,dc=com ("" might coax search across all domains)
    Bind DN: shouldn't need to bother - but you could always do something like cn=admin,dc=domain,dc=com

    DomainB:
    GAL: both
    Server type: LDAP
    LDAP url: ldap://serverwithldapservice.domain.com:389 ssl 636 if desired
    LDAP filter: (uid=%n) parenthesis included
    Autocomplete filter: ignore unless you can't click finish/test gives error/error in mailbox.log then enter externalLdapAutoComplete
    LDAP search base: dc=domainA,dc=com
    Bind DN: ignore

    LDAP Filter notes:
    (uid=%u) - The user has a uid attribute value in the external directory equal to the user portion of the Zimbra user account.
    (uid=%n) - Entire Zimbra user account is used to identify user in the external directory.
    or even (&(|(cn=*%s*)(sn=*%s*)(gn=*%s*)(mail=*%s*)(zimbraMailDeliveryAddress=*%s*)(zimbraMailAlias=*%s*)(zimbraMailAddress=*%s*))(|(objectclass=zimbraAccount)(objectclass=zimbraDistributionList)))
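
Added example, not part of the original posts and not Zimbra code: a small Python model of the DOMAIN / SUBDOMAINS / ROOT scopes described in post #2, useful for checking which domains' users become visible to which others before changing the setting. The function names and the name-suffix matching are assumptions made for illustration; the sample accounts are constructed from the walkthrough above.

```python
# Illustrative model of the three search-base scopes described above.
# Not Zimbra code: scope matching is done on domain names, an assumption
# that mirrors the behaviour in the post rather than the server's LDAP logic.

def visible_entries(viewer, accounts, search_base):
    """Addresses `viewer` finds in the GAL; unlisted domains default to DOMAIN."""
    own = viewer.split("@", 1)[1].lower()
    mode = search_base.get(own, "DOMAIN")
    result = []
    for addr in accounts:
        dom = addr.split("@", 1)[1].lower()
        if mode == "ROOT":
            ok = True                       # every domain on the server
        elif mode == "SUBDOMAINS":
            ok = dom == own or dom.endswith("." + own)  # own domain and below
        elif mode == "DOMAIN":
            ok = dom == own                 # own domain only
        else:
            raise ValueError(f"unknown search base {mode!r}")
        if ok:
            result.append(addr)
    return sorted(result)


def cross_domain_exposure(accounts, search_base):
    """Map each domain to the other domains whose users it can look up."""
    exposure = {}
    for viewer in accounts:
        own = viewer.split("@", 1)[1].lower()
        seen = {a.split("@", 1)[1].lower()
                for a in visible_entries(viewer, accounts, search_base)}
        exposure.setdefault(own, set()).update(seen - {own})
    return exposure


# Constructed sample data matching the walkthrough in the post.
ACCOUNTS = [
    "usermain@domain.com",
    "usersub@sub.domain.com",
    "useralphasub@alpha.sub.domain.com",
]
SETTINGS = {"domain.com": "SUBDOMAINS", "sub.domain.com": "SUBDOMAINS"}

if __name__ == "__main__":
    for user in ACCOUNTS:
        print(user, "->", visible_entries(user, ACCOUNTS, SETTINGS))
    print(cross_domain_exposure(ACCOUNTS, SETTINGS))
```

An empty set in the exposure map means that domain's users see only their own domain; any non-empty set is a disclosure to review against the privacy expectation of the domains listed.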

  3. #3
    iway is offline Partner (VAR/HSP)
    Join Date
    May 2008
    Posts
    432
    Rep Power
    7

    Default

    Hi!

    Is it possible to disable the GAL for a specific domain altogether? (Privacy issues)

    Thanks

    Chris

  4. #4
    browland is offline Senior Member
    Join Date
    Feb 2008
    Posts
    54
    Rep Power
    7

    Default

    When setting up multiple domains on a single server, how can we use the same GAL for all? I have attempted to set up GAL as shown above, however it fails to find anything (however no errors either, only search returned no results). I am thinking there is something missing from the post above.
    Bill Rowland MCDST MCSA MCSE

  5. #5
    y@w is offline Moderator
    Join Date
    Jan 2008
    Posts
    658
    Rep Power
    8

    Default

    @Bill: You set both zimbraGalInternalSearchBase and zimbraGalSyncInternalSearchBase to ROOT?

  6. #6
    browland is offline Senior Member
    Join Date
    Feb 2008
    Posts
    54
    Rep Power
    7

    Default

    Please help me find the correct syntax for this change. I also would like to allow people to copy distribution lists to their own contacts or allow some to change the email addresses contained within a DL. I cannot locate any information while searching the Zimbra website.
    Bill Rowland MCDST MCSA MCSE

  7. #7
    y@w is offline Moderator
    Join Date
    Jan 2008
    Posts
    658
    Rep Power
    8

    Default

    zmprov help domain

    It's pretty straightforward. It's something like: zmprov md domain.com <property> <value>

  8. #8
    browland is offline Senior Member
    Join Date
    Feb 2008
    Posts
    54
    Rep Power
    7

    Default

    I could not find this syntax on the internet, but I have completed the task with "zmprov md {domain.com} zimbraGalSyncInternalSearchBase ROOT". Everything tested and I am now able to view the second domain's accounts through the GAL. I did not have to change any settings in the UI for the GAL - still set up as internal only. Thanks for this reply. I was also wondering if you know how to change the security on the GAL entries to allow users to copy the GAL DL to their local contacts and update them as they see fit. Also our users have requested the ability to see who is in the DL.
    Bill Rowland MCDST MCSA MCSE

  9. #9
    y@w is offline Moderator
    Join Date
    Jan 2008
    Posts
    658
    Rep Power
    8

    Default

    @Bill: What did you mean by GAL DL?


    @Chris: Not sure of a way to do that and apparently no one else knows of a way. If there's not a built-in way you *could* probably hack it and set it as an external LDAP source and put junk data in. Far from ideal, but that might get the job done.

  10. #10
    iway is offline Partner (VAR/HSP)
    Join Date
    May 2008
    Posts
    432
    Rep Power
    7

    Default

    Found it. In the account and in the COS settings there is a checkbox: Global Address List Access.

    Disabling that does the trick...
