
Thread: How-To: Synchronizing distribution lists and AD groups

  1. #1
    Argais, Junior Member (Join Date: Jul 2013, Posts: 5)

    How-To: Synchronizing distribution lists and AD groups

    Hello everyone.

    I wanted to have some of my distributions lists synced with a couple Active Directory groups.

    After a lot of looking around I ended up coding my own solution for that in python.

    Hopefully it can be of use to some of you.

    Code:
    #!/usr/bin/python
    # coding=UTF-8
    '''
    The script will compare the user list from an AD group with the members from a distribution list
    If the user is on AD and not on the list, it will add it to the list
    If the user is on the list but not on AD, it will remove it from the list
    Tested on Zimbra FOSS 8.0.4
    '''
    from __future__ import print_function
    import subprocess
    import sys
    import ldap
    import ldap.filter

    # list dic
    # 'distribution list name':'group name on AD'
    lists = {'support': 'Helpdesk', 'comercial': 'Comercial', 'it': 'IT'}

    # base SCOPE
    scope = 'cn=Users,dc=mydomain,dc=lan'

    # search domain
    domain = "mydomain.lan"

    # AD server
    ldapserver = "server-001"

    # connection port
    port = "389"

    # users domain on zimbra
    emaildomain = "mydomain.lan"

    # AD bind account domain
    ldapbinddomain = "mydomain"

    # AD bind account
    ldapbind = "zimbra"

    # AD bind account password
    ldappassword = "zimbra123"

    # path to zmprov
    pathtozmprov = "/opt/zimbra/bin/zmprov"

    #--------------------------------------------------------------------------------------------------
    def zmprov(*args):
      '''Run zmprov with an argument list (no shell involved) and return its output as text'''
      out = subprocess.check_output([pathtozmprov] + list(args))
      return out.decode('utf-8') if isinstance(out, bytes) else out

    for listname, department in lists.items():
      dladdress = listname + '@' + emaildomain

      # lets get all members of the distribution list, skipping blank lines, comments and the 'members' header
      try:
        output = zmprov('gdlm', dladdress)
      except subprocess.CalledProcessError:
        print('skipping ' + dladdress + ': zmprov gdlm failed (does the list exist?)', file=sys.stderr)
        continue
      member_list = []
      for line in output.splitlines():
        line = line.strip()
        if line and not line.startswith('#') and line != 'members':
          member_list.append(line.lower())
      res2 = []

      # ldap:// sends the bind password in clear text; prefer ldaps:// (port 636) when the DC supports it
      l = ldap.initialize("ldap://" + ldapserver + "." + domain + ":" + port)
      try:
        l.simple_bind_s(ldapbinddomain + "\\" + ldapbind, ldappassword)
        # escape the group name so it cannot change the meaning of the filter
        groupdn = "cn=" + ldap.filter.escape_filter_chars(department) + "," + scope
        res = l.search_s(scope, ldap.SCOPE_SUBTREE, "(&(objectClass=user)(memberOf=" + groupdn + "))", ['sAMAccountName'])

        # check if all AD group members are in the list, if they are not there, add them
        print('\nVerifying list ' + dladdress)
        for (dn, vals) in res:
          accountname = vals['sAMAccountName'][0]
          if isinstance(accountname, bytes):  # python-ldap 3 returns attribute values as bytes
            accountname = accountname.decode('utf-8')
          accountname = accountname.lower() + "@" + emaildomain

          if accountname not in member_list:
            print('adding ' + accountname + ' to ' + dladdress)
            subprocess.call([pathtozmprov, 'adlm', dladdress, accountname])

          res2.append(accountname)

        # check if all list members are on the AD group, if they are not there, remove them from the list
        for accountname in member_list:
          if accountname not in res2:
            print('removing ' + accountname + ' from ' + dladdress)
            subprocess.call([pathtozmprov, 'rdlm', dladdress, accountname])

      except ldap.LDAPError as error_message:
        print(error_message, file=sys.stderr)
      finally:
        l.unbind_s()

    I also didn't really like the way AD provisioning works, so I made a script for that too (provision from AD, block on Zimbra the accounts that are blocked on AD, keep attributes synced); I might post it sometime later.

    Cheers!
    Last edited by Argais; 07-30-2013 at 11:08 AM.
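    The reconciliation the script above performs, reduced to small testable functions. This is an added example, not Argais's script and not Zimbra code. It assumes the `zmprov gdlm` output shape shown in the constructed sample (a `#` header line, a `members` line, then one address per line) and python-ldap's `(dn, attrs)` result layout; `ACCOUNT_RE`, the sample data, `demo()` and the injectable `run` parameter are constructs of this example. It goes a little beyond the post in three places: the group name is escaped before it is placed in the LDAP filter, `zmprov` is invoked with an argv list rather than a shell string built from names read out of AD, and unexpected `sAMAccountName` values are refused instead of passed through.

```python
import re
import subprocess

# Only these characters are expected in a sAMAccountName; anything else is
# refused rather than handed to zmprov (a policy chosen for this example).
ACCOUNT_RE = re.compile(r'^[a-z0-9._-]+$')


def escape_filter_value(value):
    """RFC 4515 escaping for an LDAP filter assertion value (same result as
    python-ldap's ldap.filter.escape_filter_chars, reimplemented so the
    example runs without python-ldap installed)."""
    return ''.join('\\%02x' % ord(ch) if ch in '\\*()\x00' else ch for ch in value)


def group_member_filter(group_cn, base_dn):
    """The memberOf filter the script uses, with the group name escaped."""
    return '(&(objectClass=user)(memberOf=cn=%s,%s))' % (escape_filter_value(group_cn), base_dn)


def parse_gdlm(output):
    """Turn `zmprov gdlm` output into a set of lower-cased member addresses,
    skipping '#' comment lines, blank lines and the 'members' header (the
    same lines the original egrep/grep pipeline drops)."""
    members = set()
    for line in output.splitlines():
        line = line.strip()
        if line and not line.startswith('#') and line != 'members':
            members.add(line.lower())
    return members


def ad_entries_to_addresses(entries, emaildomain):
    """Map python-ldap style (dn, attrs) search results to mail addresses.
    Values are bytes under python-ldap 3 and str under python-ldap 2."""
    addresses = set()
    for _dn, attrs in entries:
        for name in attrs.get('sAMAccountName', []):
            if isinstance(name, bytes):
                name = name.decode('utf-8')
            name = name.lower()
            if not ACCOUNT_RE.match(name):
                raise ValueError('refusing unexpected sAMAccountName %r' % name)
            addresses.add('%s@%s' % (name, emaildomain))
    return addresses


def plan_changes(ad_addresses, dl_members):
    """(to_add, to_remove): AD members missing from the list, and list
    members that are no longer in the AD group."""
    return sorted(ad_addresses - dl_members), sorted(dl_members - ad_addresses)


def apply_changes(pathtozmprov, dl_address, to_add, to_remove, run=subprocess.check_call):
    """Apply a plan with zmprov adlm/rdlm. Every call is an argv list, so no
    shell parses the addresses. `run` is injectable so the plan can be
    exercised without a Zimbra install; the argv lists are returned."""
    commands = [[pathtozmprov, 'adlm', dl_address, m] for m in to_add]
    commands += [[pathtozmprov, 'rdlm', dl_address, m] for m in to_remove]
    for argv in commands:
        run(argv)
    return commands


# Constructed sample data: what `zmprov gdlm support@mydomain.lan` and the
# AD search for the Helpdesk group might return.
SAMPLE_GDLM_OUTPUT = """# distributionList support@mydomain.lan memberCount=3
members
alice@mydomain.lan
Bob@mydomain.lan
carol@mydomain.lan
"""

SAMPLE_AD_ENTRIES = [
    ('CN=Alice,CN=Users,DC=mydomain,DC=lan', {'sAMAccountName': [b'Alice']}),
    ('CN=Bob,CN=Users,DC=mydomain,DC=lan', {'sAMAccountName': [b'bob']}),
    ('CN=Dave,CN=Users,DC=mydomain,DC=lan', {'sAMAccountName': [b'dave']}),
]


def demo():
    """Plan the sync for the sample data and 'apply' it with a recording runner."""
    ad = ad_entries_to_addresses(SAMPLE_AD_ENTRIES, 'mydomain.lan')
    dl = parse_gdlm(SAMPLE_GDLM_OUTPUT)
    to_add, to_remove = plan_changes(ad, dl)
    executed = []
    apply_changes('/opt/zimbra/bin/zmprov', 'support@mydomain.lan',
                  to_add, to_remove, run=executed.append)
    return to_add, to_remove, executed


if __name__ == '__main__':
    print(group_member_filter('Helpdesk', 'cn=Users,dc=mydomain,dc=lan'))
    print(demo())
```

    Running the file prints the filter and the plan for the sample data (dave is added, carol is removed, and the differing case of Bob's address causes no churn). In a real deployment the sample data would be replaced by the `search_s` results and the `gdlm` output, and `run` left at its default so that `check_call` raises when `zmprov` fails rather than continuing silently.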

  2. #2
    Raunaq, Zimbra Employee (Join Date: Nov 2012, Location: Bangalore, Posts: 172)

    Great Stuff.

    Thanks for sharing. You rock, Argais. :-)

  3. #3
    tiger1342, Starter Member (Join Date: Mar 2014, Location: Budapest, Posts: 1)

    Hi Argais!

    I am new to Python scripts, but I'm very interested in your script.
    I get some errors when running it.
    The output looks like:

    ERROR: account.NO_SUCH_DISTRIBUTION_LIST (no such distribution list: list@mydomain.hu)
    Traceback (most recent call last):
    File "./zimbra_ad_sync.py", line 51, in <module>
    l.simple_bind_s(ldapbinddomain+"\\"+ldapbind,ldappassword)
    File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 206, in simple_bind_s
    msgid = self.simple_bind(who,cred,serverctrls,clientctrls)
    File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 200, in simple_bind
    return self._ldap_call(self._l.simple_bind,who,cred,EncodeControlTuples(serverctrls),EncodeControlTuples(clientctrls))
    File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 96, in _ldap_call
    result = func(*args,**kwargs)
    ldap.SERVER_DOWN: {'desc': "Can't contact LDAP server"}


    The list name is configured correctly in the script file. I am using a Server 2003 AD + Ubuntu server with Zimbra 8.06 (Python 2.7.3).

    What am I doing wrong?

    Thanks!
