
Thread: Zimbra LDAP autoprovision, limit by group?

  1. #1 BloodyIron (Senior Member; Join Date: Nov 2012; Posts: 61; Rep Power: 2)

    Question: Zimbra LDAP autoprovision, limit by group?

    So I am pretty sure I have enough to setup auto-provision based on LDAP/AD, however I don't want all accounts to have mailboxes. My google-fu has not yet turned up a result, but is there a way to limit auto-provisioning from LDAP/AD based on group or some other element of a user?

  2. #2 Raunaq (Zimbra Employee; Join Date: Nov 2012; Location: Bangalore; Posts: 163; Rep Power: 2)

    Well, you can use lazy mode, in which only those accounts which authenticate using the provided mechanism get provisioned. Let me know if that helps.

  3. #3 BloodyIron (Senior Member; Join Date: Nov 2012; Posts: 61; Rep Power: 2)

    Well, I'd prefer the EAGER mode, but in the case of LAZY, how do you restrict by group or OU or something like that for who can log in and who can't? So far as I can tell, in either EAGER or LAZY mode all accounts created will have access or be provisioned.

    Quote (originally posted by Raunaq):
    Well, you can use lazy mode, in which only those accounts which authenticate using the provided mechanism get provisioned. Let me know if that helps.

  4. #4 BloodyIron (Senior Member; Join Date: Nov 2012; Posts: 61; Rep Power: 2)

    I'm thinking this may do the trick:

    zmprov md domain.local zimbraAutoProvLdapSearchFilter "(&(objectCategory=mailgroup))"

    Does this behave how I think it will? Make it so that only members of the "mailgroup" group will be provisioned?

  5. #5 BloodyIron (Senior Member; Join Date: Nov 2012; Posts: 61; Rep Power: 2)

    This is my latest attempt at the group filter:

    zmprov md domain.local zimbraAutoProvLdapSearchFilter "(memberOf=cn=mailtest,ou=Users,dc=domain,dc=local )"

    mailtest is the group.

    This filter does not seem to work.

  6. #6 BloodyIron (Senior Member; Join Date: Nov 2012; Posts: 61; Rep Power: 2)

    Okay, so I have some success.

    First, I moved the group to the root of the domain; it was under the default container (aka folder) "Users". Once I moved it, the following LDAP filter worked:

    zmprov md testmail.idocz.net zimbraAutoProvLdapSearchFilter "(memberOf=cn=mailtest,dc=domain,dc=local)"

    I'm now trying to figure out how to get it to search all containers or something. I may have to use OUs or something.

    Btw, this is a pretty good resource: Active Directory: LDAP Syntax Filters - TechNet Articles - United States (English) - TechNet Wiki

    Oh, and btw, my Active Directory domain is running on a Samba4 installation on Ubuntu 13.04 with the package from the main repo (no compiling), if anyone was the slightest bit curious. Go OSS!

  7. #7 BloodyIron (Senior Member; Join Date: Nov 2012; Posts: 61; Rep Power: 2)

    Okay, so to add some more detail: after setting up autoprovision I realized it was not also authenticating against the domain. I set that up, and the details are actually self-explanatory, just point it to the IP, give it login/password, yadda yadda. It was very surprising how easy it was.

    Now, the user authenticates against the domain. If I disable the user on the domain, they cannot log in. The error at login is a "bad password" equivalent, but the log shows NT_STATUS_ACCOUNT_DISABLED, so if I need to search logs I can check user vs result ezpz. Re-enabling lets them back in as expected.

    The only thing that is curious is that when I remove a user from the group, they can still log in, and their mailbox isn't deleted. I'm not sure which behavior I want in this scenario though. It seems deleting a mailbox because you were removed from a group is a harsh mistress.

    Additionally, the LDAP filter in the logs keeps finding the same member of the group, but does not _appear_ to be creating the account infinitely. I created a mailbox folder, and the data didn't seem to get wiped, but it is concerning with regard to unforeseen complications.

    All in all, solid.
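    Two things in posts #4 to #7 are worth checking before a filter is pushed to a production domain with zmprov: whether the candidate zimbraAutoProvLdapSearchFilter is even well-formed and selects the users you expect, and which already-provisioned accounts would stop matching it (auto-provisioning creates mailboxes but, as observed above, never removes access when a user leaves the group). The script below is an added example, not code from the thread or from Zimbra: a small RFC 4515-style filter evaluator that dry-runs a filter against constructed directory entries, plus a reconciliation pass that lists provisioned accounts that no longer match. The entries and the account list are constructed sample data, the evaluator only implements equality, wildcard, &, | and !, and it compares values as case-insensitive strings (a real server applies per-attribute matching rules, such as DN normalization for memberOf). One fact it relies on: the default "Users" folder in Active Directory is a container, so its DN component is cn=Users, not ou=Users.

```python
"""Dry-run a Zimbra auto-provisioning LDAP filter and reconcile accounts.

Added example (not from the thread or from Zimbra).  Entries and the
account list are constructed sample data in the shape ldapsearch returns:
attribute -> list of values.
"""
import re

# Constructed sample directory: one group member at the domain root, one
# under the default cn=Users container, one user in no group, one admin.
SAMPLE_ENTRIES = [
    {"sAMAccountName": ["alice"], "objectClass": ["user"],
     "memberOf": ["CN=mailtest,DC=domain,DC=local"]},
    {"sAMAccountName": ["bob"], "objectClass": ["user"],
     "memberOf": ["CN=mailtest,CN=Users,DC=domain,DC=local"]},
    {"sAMAccountName": ["carol"], "objectClass": ["user"], "memberOf": []},
    {"sAMAccountName": ["svc-backup"], "objectClass": ["user"],
     "memberOf": ["CN=Domain Admins,CN=Users,DC=domain,DC=local"]},
]


def parse_filter(text):
    """Parse an LDAP filter into a tuple tree; raise ValueError on
    unbalanced parentheses, missing '=' or trailing junk."""
    text = text.strip()
    pos = 0

    def parse():
        nonlocal pos
        if pos >= len(text) or text[pos] != "(":
            raise ValueError(f"expected '(' at offset {pos}")
        pos += 1
        if pos < len(text) and text[pos] in "&|!":
            op = text[pos]
            pos += 1
            children = []
            while pos < len(text) and text[pos] == "(":
                children.append(parse())
            if pos >= len(text) or text[pos] != ")":
                raise ValueError(f"unclosed '{op}' group at offset {pos}")
            pos += 1
            if op == "!" and len(children) != 1:
                raise ValueError("'!' takes exactly one sub-filter")
            return (op, children)
        end = text.find(")", pos)
        if end == -1:
            raise ValueError(f"unclosed item at offset {pos}")
        item, pos = text[pos:end], end + 1
        if "=" not in item:
            raise ValueError(f"no '=' in item {item!r}")
        attr, value = item.split("=", 1)
        return ("=", attr.strip(), value)  # value kept literal, not trimmed

    tree = parse()
    if pos != len(text):
        raise ValueError(f"trailing data at offset {pos}: {text[pos:]!r}")
    return tree


def _value_matches(pattern, value):
    """Case-insensitive compare; '*' in the filter value is a wildcard."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value, re.IGNORECASE) is not None


def matches(tree, entry):
    """Evaluate a parsed filter against one entry."""
    op = tree[0]
    if op == "=":
        _, attr, pattern = tree
        # attribute names are case-insensitive in LDAP
        values = next((v for k, v in entry.items()
                       if k.lower() == attr.lower()), [])
        return any(_value_matches(pattern, v) for v in values)
    if op == "&":
        return all(matches(c, entry) for c in tree[1])
    if op == "|":
        return any(matches(c, entry) for c in tree[1])
    return not matches(tree[1][0], entry)  # '!'


def dry_run(filter_text, entries=SAMPLE_ENTRIES):
    """sAMAccountNames the filter selects, i.e. who EAGER mode would
    provision.  Raises ValueError for a malformed filter."""
    tree = parse_filter(filter_text)
    return sorted(e["sAMAccountName"][0] for e in entries if matches(tree, e))


def stale_accounts(filter_text, provisioned, entries=SAMPLE_ENTRIES):
    """Provisioned accounts that no longer match the filter.  Zimbra does
    not remove these, so they keep their mailbox and can still log in; the
    list is for an admin to review (lock rather than delete)."""
    return sorted(set(provisioned) - set(dry_run(filter_text, entries)))


if __name__ == "__main__":
    for candidate in ["(&(objectCategory=mailgroup)",  # unbalanced
                      "(memberOf=cn=mailtest,ou=Users,dc=domain,dc=local)",
                      "(memberOf=cn=mailtest,dc=domain,dc=local)"]:
        try:
            print(candidate, "->", dry_run(candidate))
        except ValueError as err:
            print(candidate, "-> rejected:", err)
    # constructed: accounts that already exist in Zimbra
    print("stale:", stale_accounts("(memberOf=cn=mailtest,dc=domain,dc=local)",
                                   ["alice", "carol"]))
```

    Feed it the real filter and a few entries copied from ldapsearch output to see exactly which users will get a mailbox; an OR of the root-level and cn=Users group DNs shows how one filter can cover a group that lives in either place, and the stale list is the input for a periodic review of accounts that outlived their group membership.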

  8. #8 BloodyIron (Senior Member; Join Date: Nov 2012; Posts: 61; Rep Power: 2)

    Argh auto provision isn't happening after reboot.

    Disregard, it took like 10 minutes before auto provision started, and it is now happening at the period I set (1 minute).
