10-03-2009, 01:35 PM
Integrating with Active Directory

Hi there,
I have just integrated an Active Directory account in Zimbra but I wanna know one thing:
how do I sync the AD users with Zimbra users automatically, or do I need to do it manually?
Thanks and Regards,
10-05-2009, 01:44 AM
You will need to script it manually.
__________________ SplatNIX IT Services :: Innovation through Collaboration™ http://www.messagefortress.com
10-05-2009, 01:59 AM
Thanks, but can you guide me to any script or piece of code?
I will be very thankful to you.
Thanks and Regards.
10-05-2009, 02:00 AM
Which will be your source, Zimbra or AD?
10-05-2009, 02:04 AM
Ok, I need all my 'active directory' users to be created in 'zimbra'; I think in that case the source will be 'AD'?
Every time I create a user in 'AD', it will be created in 'zimbra' automatically.
10-05-2009, 02:15 AM
Well, there are two ways you could do this:
1) Extract your AD users and compare to the list of ZCS users
2) Use PHP and AdLDAP to create the AD users; and if you search the forums for PHP there are some classes for creating users in ZCS
10-05-2009, 03:05 AM
I recently dug up this post, which seems to do exactly what you need. It's a Python script and here's the code:

Code:
#!/usr/bin/python3
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; GPLv3
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# To obtain a copy of the GNU General Public License, write to the Free Software Foundation,
# Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
#
#--------------------------------------------------------------------------------------------------
# Notes:
# This script automatically creates zimbra accounts from active directory, the active directory account must have
# the employeeType=STUDENT attribute set. If accounts are in the 'banned' active directory group then the
# account will automatically be locked when the script is run, and unlocked if they are no longer in the AD
# banned group
#--------------------------------------------------------------------------------------------------
# Variables can be changed here:
banned = 'CN=Banned,CN=Users,DC=college,DC=internal'  # an OU for banned users
scope = 'ou=OU,dc=college,dc=internal'  # the search scope
domain = "domain.college.internal"  # "example.com"
ldapserver = "server1"  # ldap server
port = "389"  # ldap port (389 default)
emaildomain = "zimbra.school.sch.uk"  # the email domain
ldapbinddomain = "DOMAIN"  # the domain of the ldap bind account
ldapbind = "ldapusername"  # the account name of the account to bind to ldap
ldappassword = "password"  # the ldap password
pathtozmprov = "/opt/zimbra/bin/zmprov"
#--------------------------------------------------------------------------------------------------
import subprocess, sys, time
import ldap  # python-ldap


def attr(vals, name, default):
    """Return the first value of an LDAP attribute as text, or default if it is absent."""
    try:
        return vals[name][0].decode('utf-8')
    except (KeyError, IndexError):
        return default


def zmprov(*args):
    """Run zmprov with an argument list and return its output lines.

    No shell is involved, so values read from the directory cannot be
    interpreted as shell syntax.
    """
    result = subprocess.run([pathtozmprov] + list(args), stdout=subprocess.PIPE, text=True)
    return result.stdout.splitlines()


# output the list of all accounts from zmprov gaa (get all accounts)
zmprovgaa = zmprov('gaa')
l = ldap.initialize("ldap://" + ldapserver + "." + domain + ":" + port)
# bind to the ldap server using name/password
# (ldap:// on port 389 is unencrypted, so a simple bind sends the password in clear text)
l.simple_bind_s(ldapbinddomain + "\\" + ldapbind, ldappassword)
try:
    res = l.search_s(scope, ldap.SCOPE_SUBTREE,
                     "(&(ObjectCategory=user)(userAccountControl=512)(employeeType=STUDENT))",
                     ['sAMAccountName', 'givenName', 'sn', 'memberOf'])
    # userAccountControl 512 = normal, 514 = disabled account
    # (exact match: accounts with additional flags set, e.g. 66048, are not returned)
    locked = "zimbraAccountStatus: locked"
    for (dn, vals) in res:
        if dn is None:
            continue  # search referral, not a user entry
        accountname = attr(vals, 'sAMAccountName', '').lower()
        sirname = attr(vals, 'sn', accountname).lower()
        givenname = attr(vals, 'givenName', accountname)
        groups = [g.decode('utf-8') for g in vals.get('memberOf', [])]
        initial = givenname[:1].upper()
        sirname = sirname.replace(' ', '')
        sirname = sirname.replace('\'', '')
        sirname = sirname.replace('-', '')
        sirname = sirname.capitalize()
        name = initial + "." + sirname
        accountname = accountname + "@" + emaildomain
        password = ''  # empty password argument, as in the original command line
        sys.stdout.flush()
        # if the account doesn't exist in the output of zmprov gaa create the account
        if accountname not in zmprovgaa:
            print(accountname, " exists in active directory but not in zimbra, the account is being created\n")
            time.sleep(1)
            zmprov('ca', accountname, password, 'displayName', name)
        # if the account is in the group 'banned' check to see if account already locked
        if banned in groups:
            ga = zmprov('ga', accountname)
            if locked not in ga:  # if account not locked then lock it
                print(accountname, " has been BANNED from the internet. The email account has been locked ")
                zmprov('ma', accountname, 'zimbraAccountStatus', 'locked')
                time.sleep(1)
            else:
                print(accountname, " has a locked email account because they are in the 'banned' group")
        # set any accounts to 'active' if they are not in the banned group and the account is currently locked
        else:
            ga = zmprov('ga', accountname)
            if locked in ga:
                zmprov('ma', accountname, 'zimbraAccountStatus', 'active')
                time.sleep(1)
                print(accountname, " is no longer in the 'banned' group, therefore the account has been activated")
except ldap.LDAPError as error_message:
    print(error_message)
l.unbind_s()

Just to be clear: I didn't write this code, CyberNerd published this at the EduGeek forums.
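An added example, not part of the original post or of CyberNerd's script: a dry-run planner for the same create/lock/unlock decisions that returns zmprov argument lists instead of shell command strings and rejects account names outside an allowlist. The names plan_sync, LOCAL_PART and demo, the input dictionary keys and the sample users are assumptions made for illustration.

```python
import re

# Assumption: conservative allowlist for the mailbox local part; adjust to your naming policy.
# Requiring an alphanumeric first character also rejects names starting with '-',
# which a command-line tool could read as an option.
LOCAL_PART = re.compile(r"[a-z0-9][a-z0-9._-]{0,63}")
STATUS = "zimbraAccountStatus"

def plan_sync(ad_users, zcs_accounts, zcs_locked, email_domain, banned_dn):
    """Return (actions, rejected) without running anything.

    actions: zmprov argument lists for subprocess.run([zmprov_path] + args), no shell.
    ad_users: dicts with 'sam', 'display', 'member_of' (already decoded to text).
    zcs_accounts: lines from `zmprov gaa`; zcs_locked: the addresses currently locked.
    """
    existing = {a.strip().lower() for a in zcs_accounts}
    locked = {a.strip().lower() for a in zcs_locked}
    actions, rejected = [], []
    for user in ad_users:
        sam = user["sam"].lower()
        if not LOCAL_PART.fullmatch(sam):
            rejected.append(user["sam"])  # report it; never hand it to zmprov
            continue
        addr = sam + "@" + email_domain
        # Compare DNs case-insensitively so a difference in letter case does not skip a ban.
        is_banned = banned_dn.lower() in {g.lower() for g in user["member_of"]}
        if addr not in existing:
            actions.append(["ca", addr, "", "displayName", user["display"]])
        if is_banned and addr not in locked:
            actions.append(["ma", addr, STATUS, "locked"])
        elif not is_banned and addr in locked:
            actions.append(["ma", addr, STATUS, "active"])
    return actions, rejected

# Constructed sample data, not taken from a real directory or server.
BANNED = "CN=Banned,CN=Users,DC=college,DC=internal"
SAMPLE_AD = [
    {"sam": "jsmith", "display": "J.Smith", "member_of": []},
    {"sam": "AKhan", "display": "A.Khan", "member_of": [BANNED.lower()]},
    {"sam": "bwong", "display": "B.Wong", "member_of": []},
    {"sam": "cdiaz", "display": "C.Diaz", "member_of": []},
    {"sam": "pat o'neil", "display": "P.Oneil", "member_of": []},
]
SAMPLE_GAA = ["jsmith@zimbra.school.sch.uk\n", "akhan@zimbra.school.sch.uk\n",
              "bwong@zimbra.school.sch.uk\n"]
SAMPLE_LOCKED = ["bwong@zimbra.school.sch.uk"]

def demo():
    return plan_sync(SAMPLE_AD, SAMPLE_GAA, SAMPLE_LOCKED, "zimbra.school.sch.uk", BANNED)
```

Reviewing the returned plan and the rejected list before executing anything gives a record of every change the sync would make to Zimbra accounts.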