GAL and Active Directory
I'm sure this has been asked many, many times, but although I've searched the forum I've not found any posts explaining just how to set this up.
I'm setting up a new Zimbra server, aiming to integrate it with Active Directory. Authentication appears to be working fine, but when it comes to the GAL I'm stuck. I don't have an in depth knowledge of LDAP, which I think is part of the problem.
However, I think there may be something wrong with the Zimbra setup too since as soon as I try to configure the GAL using the GAL Configuration Wizard, a warning is appearing in the Wizard saying:
"Warning: GAL data sources are not configured for this domain."
This doesn't appear to stop the wizard running though, and I'm unsure if the GAL data source will be created automatically. All the examples I can find for creating these from the command line appear to be repeating settings that will be entered in the Wizard.
Apart from that warning, I have a number of quite basic questions about the details the wizard needs:
1. How do I add a GAL data source to fix that warning?
2. Is the GAL sync account an account in Zimbra, or Active Directory?
3. What is the data source name for the external GAL?
4. I assume external server name is simply the DNS name of my AD server?
5. What is the LDAP search base? Do I just enter (dc=mydomain,dc=com)?
6. What is the Bind DN? Is this an Active Directory account?
7. Am I ok to leave the Sync settings the same as the search settings?
8. What is the search term on the final page?
I know these are all basic, but I've read the documentation, the wiki and the forums. Despite hours of reading I can't find explanations for any of these.
Does nobody have answers to any of these? Any help at all would be appreciated, even a link to some other documentation would be a start.
if you dont mind me joining your thread. i too am looking to get concrete info on this. I see alot of theory when searching the forums, but no pratical answers. i've been trying to search for these same answers for about 2 weeks now. here are some answers ii've found.
2. Gal sync account is actually in zimbra. If you go through the wizard then go to the accounts tree. you will see it there. If you choose to view that mailbox, in the contacts tab you will see the address book that was created for syncing.
3. external server is resolvable DNs or ip address of Exchange global catalog server.
6. Bind Dn is the AD account. i konw enough to make sure that this AD account needs to be able to view the exchange gal addresses that you wish to sync. This is key in exchange with multiple hosted orgs.
8. this has confounded me, no matter what i put in i get "GAL serch test failed" which is better than what i was getting before which was a connection error.
i was able to solve the problems with my zimbra syncing with exchange. even got it working on specific OU's and will be trying sync to specific Exchange address lists tomorrow. please post if you still need help
Great to hear you got it working. I gave up in the end, it just wasn't worth the hassle and we're now running Exchange 2007.
If you could post the details you needed to configure this though it would be appreciated. I'm sure we won't be the last people to be confused by this, so it would be handy to have the answers posted.
First i used this guide for reference, my domain is mill-mgt.com in case anyone is wondering where that name came from.
Zimbra Wiki Article: GAL Sync Account - Zimbra :: Wiki
There are some key steps in order to get your exchange GAL to sync with zimbra. The first step is to create the internal GAL for your zimbra domain. you can do this from the Admin UI or command line. If you have been working on this before you can delete your previous galsync with the following command
zmgsautil deleteAccount -a firstname.lastname@example.org
then create the new account and force sync it
zmgsautil createAccount -a email@example.com -n InternalGAL --domain mill-mgt.com -t zimbra -f _InternalGAL
zmgsautil forcesync -a firstname.lastname@example.org -n InternalGAL
Now that the internal GAl datasource is setup and the gal sync account is configured, its time to setup the Active directory datasource which i did from the command line as well.
zmgsautil createAccount -a email@example.com -n ActiveDirectoryGAL --domain mill-mgt.com -t ldap -f _ActiveDirectoryGAL -p 1d
The next step is important if you want it to work, you must configure the ActiveDirectoryGAL datasource to connect to your AD or Exchange server. The command line is as follows, but i could not get it to work. kept giving me error messages as if i mistyped the zmprov command. I posted it here so you can see what the values are for each setting. I did this step from the Admin GUI.
zmprov mds firstname.lastname@example.org ActiveDirectoryGAL \
zimbraGalSyncLdapBindDn CN=Administrator,CN=Users,DC=exch,DC=it-mgt,DC=net \
zimbraGalSyncLdapBindPassword 3xchang3 \
zimbraGalSyncLdapFilter 'ad' \
zimbraGalSyncLdapSearchBase OU=Millennium-mgt,OU=Hosted Organizations,DC=exch,DC=it-mgt,DC=net \
In the admin GUI you can accomplish the above by doing the following. Im only going to list the items i changed, all the rest stayed at the defaults that i found.
- GAL mode = both
- External GAL polling = 1day
- ldap:// 192.168.50.92 port 3268 [NOTE] this must be the global catalogu server
- LDAP search base: The Distinguished Name (DN) of the folder containing the users you want to see in the GAL. it can either be the root of your domain tree, or any folder under it. If you dont know the DN, use ADSI edit to find out.
- Bind DN = The DN of the account that will be used to connect to AD. I used my admin account for testing, but recommend creating a zimbra account in Exchange just for this purpose.
Lastly the search term is any user in the AD tree so you can see if the Sync will work if you have everything correct up to this point you will get results from your exchange global address list.
any questions please post. :)
I've followed your instructions, when i get to the GAL Test Result it reports back with 'Search Test Successful' but 'Search returned no results' on a object/user i know exists in A/D
what results do you get when you search for '*' (without the quotes)?
same result, Search Test Successful but Search returned no results.
Ok sounds like you have he correct access information, but the search is looking in the wrong place for the user accounts. What OU has the user accounts in windows?