GAL and sub-domains

[DJ Ghost]

Hi,

I thought GAL was something we can access from the main domain and all sub-domains but when I'm in a sub-domains account I cannot get anything from the main domain GAL.

Is there a way to link sub-domains to show and autocomplete adresses located in the main domain ?

[mmorse]

On individual domains (inherited from global), by default zimbraGalInternalSearchBase & zimbraGalSyncInternalSearchBase are set to DOMAIN. Thus if you're using multiple domains and still want to leave the GAL enabled, people can only search within their domain for privacy.

You can let a domain look across all domains for the GAL by setting that to ROOT.

If that situation is fine for you / it's all your users in those 2 domains and you're ok with all seeing each other, then set them to ROOT and you're done. (Infact you can set it globally zmprov mcf zimbraGalInternalSearchBase ROOT)

(If you're using external LDAP/AD auth that's zimbraGalLdapSearchBase & zimbraGalSyncLdapSearchBase.)

---

If you want to allow lookup in domain and any sub.domains set that attribute to SUBDOMAINS.

Notice that for all intensive purposes sub.domain.com can be set to DOMAIN or SUBDOMAINS here and there's no difference. That's because SUBDOMAINS isn't intended for the sub to view the parent, just the parent to see the sub.

Do read on to understand how that works:

zmprov cd domain.com
zmprov cd subdomain.com
zmprov ca usermain@domain1.com usermain
zmprov ca usersub@sub.domain.com usersub
zmprov md domain1.com zimbraGalInternalSearchBase SUBDOMAINS
zmprov md sub.domain1.com zimbraGalInternalSearchBase SUBDOMAINS
(or mcf to do it globally)

Login to usermain
Type 'u' in a new mail (assuming you have auto complete from GAL enabled) and you'll get back:
usermain@domain.com
usersub@sub.domain.com

Login to usersub
Type 'u' and you'll get back just:
usersub@sub.domain.com

Get it?

And you'll continue to get nothing but usersub@sub.domain.com unless you make an alpha.sub.domain.com & useralphasub@alpha.sub.domain.com

At which point logging in as usersub and typing 'u' will return:
usersub@sub.domain.com
useralphasub@alpha.sub.domain.com

Usermain would then return 3 values:
usermain@domain.com
usersub@sub.domain.com
useralphasub@alpha.sub.domain.com

(When testing be sure to refresh your browser every time you set zimbraGalInternalSearchBase, seems it uses the value at time of account login.)

---

So what can be done if you can't use ROOT & want sub.domain.com users to see domain.com users?
You could use both internal & 'external' GAL lookups against yourself so that A<>B and B<>A (use the GAL wizard):

DomainA:
GAL: both
Server type: LDAP
LDAP url: ldap://serverwithldapservice.domain.com:389
LDAP filter: (uid=%u) parenthesis included
Autocomplete filter: It should autofill with externalLdapAutoComplete, but doesn't always do so the first round of setting up; though it will show up after you apply. (but you could add it now if wanted/if it requires you to in an error at the end)
LDAP search base: dc=domainB,dc=com ("" might coax search across all domains)
Bind DN: shouldn't need to bother - but you could always do something like cn=admin,dc=domain,dc=com

DomainB:
GAL: both
Server type: LDAP
LDAP url: ldap://serverwithldapservice.domain.com:389 ssl 636 if desired
LDAP filter: (uid=%n) parenthesis included
Autocomplete filter: ignore unless you can't click finish/test gives error/error in mailbox.log then enter externalLdapAutoComplete
LDAP search base: dc=domainA,dc=com
Bind DN: ignore

LDAP Filter notes:
(uid=%u) - The user has a uid attribute value in the external directory equal to the user portion of the Zimbra user account.
(uid=%n) - Entire Zimbra user account is used to identify user in the external directory.
or even (&(|(cn=*%s*)(sn=*%s*)(gn=*%s*)(mail=*%s*)(zimbraM ailDeliveryAddress=*%s*) (zimbraMailAlias=*%s*)(zimbraMailAddress=*%s*))(|( objectclass=zimbraAccount)(objectclass=zimbraDistr ibutionList)))

[iway]

Hi!

Is it possible to disable the GAL for a specific domain altogether? (Privacy issues)

Thanks

Chris

[browland]

When setting up mutliple domains on single server, how can we use the same GAL for all. I have attempted to setup GAL as shown above, however fails to find anything (however no errors either, only search returned no results). I am thinking there is something missing from the post above.

[y@w]

@Bill: You set both zimbraGalInternalSearchBase and zimbraGalSyncInternalSearchBase to ROOT?

[browland]

Please help me find the correct syntax for this change. I also would like to allow people to copy distribution list to their own contacts or allow some to change the email addresses contain within DL. I can not locate any information while searching the Zimbra Website.

[y@w]

zmprov help domain

It's pretty straight forward. It's something like: zmprov md domain.com <property> <value>

[browland]

I could not find this syntax on the internet, but I have completed the task with the "zmprov md {domain.com} zimbraGalSyncInternalSearchBase ROOT" Everything tested and I am now able to view the second domain accounts through the GAL. I did not have to change any settings in UI for the GAL - still setup as internal only. Thanks for this reply. I was also wondering if you know how to change the security on the GAL entries to allow users to copy the GAL DL to their local contacts and update them as they see fit. Also our users have requested the ability to see who is in the DL.

[y@w]

@Bill: What did you mean by GAL DL?


@Chris: Not sure of a way to do that and apparently no one else knows of a way.. If there's not a built-in way you *could* probably hack it and set it as an external LDAP source and put junk data in.. Far from ideal, but that might get the job done.

[iway]

Found it. In the accout and in the COS settings is a checkbox: Global Address List Access.

Disabling that does the trick...