Thread: Auto provisioning ZCS8 on Samba4 active directory anyone got this working yet?

  1. #1
    jaapaikema is offline Active Member

    After some digging in the forums I finally figured out how to use Samba4 AD as an external LDAP.

    Now I'm facing the next problem: auto provisioning new accounts in my AD to ZCS8.

    I've read several posts telling how to do it the proper way with a M$ AD, but I'm not willing to pay M$ for the AD.

    - Zimbra 8.0 Auto Provisioning help
    - ZIMBRA + external LDAP - autoprovisioning accounts created in external LDAP
    - Zimbra 8 Auto Provisioning not work properly

    Anyone got the autoprovisioning to work with Samba4?

    My config:

    Code:
    [zimbra@zimbra8 ~]$ zmprov gd digos.lin |grep zimbraAutoProv
    zimbraAutoProvAccountNameMap: sAMAccountName
    zimbraAutoProvAuthMech: LDAP
    zimbraAutoProvAuthMech: PREAUTH
    zimbraAutoProvAuthMech: KRB5
    zimbraAutoProvBatchSize: 20
    zimbraAutoProvLdapAdminBindDn: administrator@example.lin
    zimbraAutoProvLdapAdminBindPassword: p@ssw0rd
    zimbraAutoProvLdapBindDn: %u@EXAMPLE.LIN
    zimbraAutoProvLdapSearchBase: dc=EXAMPLE,dc=LIN
    zimbraAutoProvLdapSearchFilter: (|(sAMAccountName=%u)(mail=%u@example.lin)(mail=%n))
    zimbraAutoProvLdapURL: ldap://samba4.example.lin:389 ldap://samba4.example.lin:3268
    zimbraAutoProvMode: LAZY
    zimbraAutoProvMode: MANUAL
    zimbraAutoProvNotificationBody: Your account has been auto provisioned.  Your email address is ${ACCOUNT_ADDRESS}.
    zimbraAutoProvNotificationSubject: New account auto provisioned

    According to "/opt/zimbra/docs/autoprov.txt" this config should work, but it doesn't.

  2. #2
    BloodyIron is offline Senior Member

    Hi,

    I'm in a similar situation, using SAMBA4 as the AD domain. I want to also auto-provision from the domain, however I am uncertain if you were using Zimbra OSE. Were you? Also, did you get this figured out?

  3. #3
    Raunaq is offline Zimbra Employee

    Will test it tomorrow. I don't think there should be a problem. Will let you know.

  4. #4
    Raunaq is offline Zimbra Employee

    AFAIK zimbraAutoProvAuthMech: LDAP should just work. Will test it and let you know the result.

  5. #5
    BloodyIron is offline Senior Member

    Yeah I've found guides how to do it, took a bit of google-fu. Right now I'm trying to figure out how to limit who gets provisioned and who doesn't. Perhaps by group. Any ideas?

  6. #6
    jaapaikema is offline Active Member

    Quote (originally posted by BloodyIron):
    Yeah I've found guides how to do it, took a bit of google-fu. Right now I'm trying to figure out how to limit who gets provisioned and who doesn't. Perhaps by group. Any ideas?

    Will you share the links to the guides or supply a complete step-by-step guide? Thnx in advance

  7. #7
    BloodyIron is offline Senior Member

    I'm going to try and work towards building a guide, but I don't want to make promises on when it will be written just yet. I keep making pretty massive development progress, so I may forget to include some things here.

    Some of the useful guides and resources I've found thus far are :

    zmprov attributes - outlines how to find parameters you can get from LDAP and convert them to parameters in a zimbra account

    Active Directory: LDAP Syntax Filters - TechNet Articles - United States (English) - TechNet Wiki - Microsoft documentation on LDAP queries against active directory, syntax examples. a highly useful resource

    LDAP Binding Strings - helped with LDAP and domain terminology

    Zimbra 8 Auto Provisioning - IT Enterprise Solution Sharing | IT Enterprise Solution Sharing - example guide on autoprovisioning against LDAP, this is how you do it against Active Directory (via LDAP)

    http://www.zimbra.com/docs/ne/8.0.2/...ml&single=true - more auto provisioning documentation

    configuration - Setting up a mail server best practices to be recognized as legitimate - Server Fault - good advisory for setting up trustable mail servers

  8. #8
    BloodyIron is offline Senior Member

    Currently I have my zimbra OSE installation autoprovisioning against my SAMBA4 Active Directory domain for members of a specific group in a specific OU (I couldn't search domain-wide for a specific group, I had to declare OU/container).

    Here are the configurations I had to do to autoprovision (NOTE: this does not inherently mean the accounts auth against active directory)

    zmprov md testmail.idocz.net zimbraAutoProvMode EAGER
    zmprov md testmail.idocz.net zimbraAutoProvBatchSize 20
    zmprov md testmail.idocz.net zimbraAutoProvLdapURL "ldap://192.168.0.100:389"
    zmprov md testmail.idocz.net zimbraAutoProvLdapAdminBindDn "cn=administrator,cn=users,dc=domain,dc=local"
    zmprov md testmail.idocz.net zimbraAutoProvLdapAdminBindPassword ADMINPASSWORD
    zmprov md testmail.idocz.net zimbraAutoProvLdapSearchBase "dc=domain,dc=local"
    zmprov md testmail.idocz.net zimbraAutoProvLdapSearchFilter "(memberOf=cn=mailtest,cn=Users,dc=domain,dc=local)"
    zmprov md testmail.idocz.net zimbraAutoProvLdapBindDn "%u@testmail.domain.net"
    zmprov md testmail.idocz.net zimbraAutoProvAccountNameMap samAccountName
    zmprov md testmail.idocz.net +zimbraAutoProvAttrMap sn=sn +zimbraAutoProvAttrMap givenName=gn
    zmprov ms testmail.idocz.net +zimbraAutoProvScheduledDomains testmail.domain.net
    zmprov ms testmail.idocz.net zimbraAutoProvPollingInterval 1m


    some things to keep in mind:

    - when you watch the logs it keeps reporting members it sees in the group, even if they've already been provisioned (account exists already on zimbra). I'm not sure if this is concerning or expected behavior. I also don't know if my batch size setting of 20 will mean I need to increase it later when the group has more than 20 members

    - the LDAP Filter criteria is very flexible, the hardest part is learning the syntax for exactly what you want

    - I had made the "mailtest" group in the Users container (I think it's an OU) originally, and I did not include "cn=Users" in the LDAP filter originally. the auto provision did not pick up on the group until I moved it into the root of the structure. However, as outlined above, adding the "cn=Users" declaration meant I could put the group back in the Users OU/container/folder

    - the attrmap part provisions the first and last name into the new account from the domain, very helpful

    - this mechanism is very reliable so far

    - I have not observed any accounts or their data being overwritten if the zimbra account already exists
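
The settings posted above bind as the domain administrator over plain `ldap://`, so here is a small audit of `zmprov gd <domain>` output, given as an added example that is not part of the original post or of Zimbra. It flags cleartext binds, a privileged bind account and a search filter with no group restriction. The finding codes are made up for this example, and `zimbraAutoProvLdapStartTlsEnabled` is a Zimbra attribute that does not appear in the thread.

```python
import re

# Constructed sample in the format printed by `zmprov gd <domain>`; the
# values mirror the settings posted in the thread, not a real system.
SAMPLE = """\
zimbraAutoProvMode: EAGER
zimbraAutoProvLdapURL: ldap://192.168.0.100:389
zimbraAutoProvLdapAdminBindDn: cn=administrator,cn=users,dc=domain,dc=local
zimbraAutoProvLdapSearchFilter: (memberOf=cn=mailtest,cn=Users,dc=domain,dc=local)
"""

def parse_gd(text):
    """Parse 'name: value' lines into {name: [values]}; attributes may repeat."""
    attrs = {}
    for line in text.splitlines():
        name, sep, value = line.strip().partition(": ")
        if sep and name.startswith("zimbraAutoProv"):
            attrs.setdefault(name, []).append(value.strip())
    return attrs

def audit(attrs):
    """Return (code, detail) findings for one domain's auto-provisioning config."""
    findings = []
    # StartTLS is treated as off unless the attribute is explicitly TRUE.
    starttls = "TRUE" in (v.upper() for v in attrs.get("zimbraAutoProvLdapStartTlsEnabled", []))
    # The URL attribute may hold several space-separated URLs.
    for url in " ".join(attrs.get("zimbraAutoProvLdapURL", [])).split():
        if url.lower().startswith("ldap://") and not starttls:
            findings.append(("CLEARTEXT_BIND", url))
    # A directory administrator is far more privilege than a search needs.
    for dn in attrs.get("zimbraAutoProvLdapAdminBindDn", []):
        if re.match(r"(cn=)?administrator([,@]|$)", dn, re.IGNORECASE):
            findings.append(("PRIVILEGED_BIND", dn))
    # Without a memberOf clause every matching directory account is eligible.
    for flt in attrs.get("zimbraAutoProvLdapSearchFilter", []):
        if "(memberof=" not in flt.lower():
            findings.append(("UNSCOPED_FILTER", flt))
    return findings

if __name__ == "__main__":
    for code, detail in audit(parse_gd(SAMPLE)):
        print(f"{code}: {detail}")
```

Feed it the text printed by `zmprov gd <domain>`; an empty list means none of the three conditions were found.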

  9. #9
    BloodyIron is offline Senior Member

    I've also been dumping info into this thread, but I'm not sure if it's redundant data at this point : Zimbra LDAP autoprovision, limit by group?

  10. #10
    BloodyIron is offline Senior Member

    At this point I am trying to set up the management of two domains that are provisioned from our one domain. My thoughts are the Zimbra server is agnostic of the email domains, and the AD domain. For each email domain I set up different provisioning configurations, mostly for which group it looks at to who should have accounts made. Additionally I think I need to set up virtual hosts and other stuff which is mostly found in the web gui admin panel, very nice, but I haven't gotten to this part of testing just yet.

    As for this very moment, before I go further with the dual domain thing, I am trying to work on migrating mailbox data from exchange to the new server so I can have users test it.

    Another possibly helpful tidbit is that I'm doing all my testing against a subdomain of the existing domain. So testmail.domain.net has a separate MX record, A record, rDNS and such from the domain.net that is currently in use. I will be doing this for both domains until we complete the migration.

    Furthermore, I am trying to figure out how to automatically create an alias for a new account. I want people to log in with their domain login, but I want their from email address to be first.last@testmail.domain.net instead of jsmit@testmail.domain.net, not sure how to automate this just yet. I've found the commands for alias creation, and changing default from though.

    So much to do omg!
