GAL Sync Account: Difference between revisions
(Adding category) |
Asrivastava (talk | contribs) No edit summary |
||
(25 intermediate revisions by 9 users not shown) | |||
Line 1: | Line 1: | ||
{{BC|Certified}} | |||
__FORCETOC__ | |||
<div class="col-md-12 ibox-content"> | |||
=Gal Sync Account= | |||
{{KB|{{ZC}}|{{ZCS 8.0}}|{{ZCS 7.0}}|}} | |||
{{WIP}} | |||
=Description= | =Description= | ||
Enabling a GAL sync account will permit browsing and paging of the global address list when selecting contacts during message composition with the Zimbra web client. Contact data from Zimbra's internal GAL and external sources can be synced to the account. The galsync account is a resource account and does not consume a Zimbra license. | Enabling a GAL sync account will permit browsing and paging of the global address list when selecting contacts during message composition with the Zimbra web client. Contact data from Zimbra's internal GAL and external sources can be synced to the account. The galsync account is a resource account and does not consume a Zimbra license. | ||
Line 21: | Line 28: | ||
==Command Line== | ==Command Line== | ||
===ZCS 8=== | |||
ZCS 8 adds the server (-s) option to designate which Zimbra mailstore where the GAL sync account will reside. This argument is required. Each mailstore in the environment can have at most one GAL sync account per domain. | |||
zmgsautil createAccount -a galsync@domain.com -n InternalGAL --domain domain.com \ | |||
-s server.name -t zimbra -f _InternalGAL | |||
zmgsautil forceSync -a galsync@domain.com -n InternalGAL | |||
===ZCS 6/7=== | |||
zmgsautil createAccount -a galsync@domain.com -n InternalGAL --domain domain.com -t zimbra -f _InternalGAL | zmgsautil createAccount -a galsync@domain.com -n InternalGAL --domain domain.com -t zimbra -f _InternalGAL | ||
zmgsautil forceSync -a galsync@domain.com -n InternalGAL | zmgsautil forceSync -a galsync@domain.com -n InternalGAL | ||
Line 68: | Line 82: | ||
==Command Line== | ==Command Line== | ||
If the external GAL was configured on the command line, or is already configured without a datasource, ''zmgsautil'' can be used to setup the external LDAP datasource. If the galsync account is being created for the first time and external GAL is configured, the datasource will be setup with the ''zmgsautil createAccount'' command. | If the external GAL was configured on the command line, or is already configured without a datasource, ''zmgsautil'' can be used to setup the external LDAP datasource. If the galsync account is being created for the first time and external GAL is configured, the datasource will be setup with the ''zmgsautil createAccount'' command. | ||
===ZCS 8=== | |||
zmgsautil createAccount -a galsync@domain.com -n ExternalGAL --domain domain -t ldap -f _ExternalGAL | ZCS 8 adds the required server (-s) option. Each mailstore server can have at most one GAL sync account. | ||
zmgsautil createAccount -a galsync@domain.com -n ExternalGAL --domain domain \ | |||
-s mailstore.server.name -t ldap -f _ExternalGAL | |||
===ZCS 6/7=== | |||
zmgsautil createAccount -a galsync@domain.com -n ExternalGAL --domain domain -t ldap -f _ExternalGAL | |||
==Adding Additional Datasources== | ==Adding Additional Datasources== | ||
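Review bot: the two sentences this revision adds for the -s option disagree. The external-GAL one in this hunk says "Each mailstore server can have at most one GAL sync account", while the internal-GAL one under the first ZCS 8 heading says "at most one GAL sync account per domain". State the limit in the same words in both places, and give the ZCS 8 external example --domain domain.com, as the internal example has, so the command can be pasted as written.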
Line 99: | Line 117: | ||
257 | 257 | ||
</pre> | </pre> | ||
*Add new datasource with ''zmgsautil | *Add new datasource with ''zmgsautil addDataSource''. | ||
<pre> | <pre> | ||
zmgsautil | zmgsautil addDataSource -a galsync@domain.com -n AnotherGAL --domain domain.com -t ldap -f _AnotherGAL -p 1d | ||
</pre> | </pre> | ||
* Configure the newly created ''AnotherGAL'' datasource with the proper server and authentication credentials. '''Not performing this step will result in the datasource inheriting the GAL configuration from the domain.''' | * Configure the newly created ''AnotherGAL'' datasource with the proper server and authentication credentials. '''Not performing this step will result in the datasource inheriting the GAL configuration from the domain.''' | ||
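Review bot: the step text and the command in this hunk now name zmgsautil addDataSource, but the section introduction still reads "configured with the zmgsautil tool and the createAccount sub command", and the External Contacts example further down the page still adds a second datasource with createAccount. Either update both to addDataSource or say which ZCS versions need which subcommand, the way the ZCS 8 and ZCS 6/7 headings do elsewhere in this revision.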
Line 168: | Line 186: | ||
=Troubleshooting= | =Troubleshooting= | ||
==GAL paging or external GAL sync is not functioning with multiple datasources== | |||
Verify ''zimbraDataSourceEnabled'' is not '''FALSE''' for any one datasource. If one datasource must be disabled, then it should be deleted. | Verify ''zimbraDataSourceEnabled'' is not '''FALSE''' for any one datasource. If one datasource must be disabled, then it should be deleted. | ||
==GAL search skips the first external GAL DS in the galsync account== | |||
Make sure ''zimbraGALMode'' is set to '''both''' on the domain. Remember, the first external DS on the galsync account inherits the external GAL settings configured for the domain. See [http://bugzilla.zimbra.com/show_bug.cgi?id=41321 bug 41321]. | Make sure ''zimbraGALMode'' is set to '''both''' on the domain. Remember, the first external DS on the galsync account inherits the external GAL settings configured for the domain. See [http://bugzilla.zimbra.com/show_bug.cgi?id=41321 bug 41321]. | ||
<pre> | <pre> | ||
zmprov md domain.com zimbraGALMode both | zmprov md domain.com zimbraGALMode both | ||
</pre> | </pre> | ||
==GAL contains duplicate entries== | |||
If multiple datasources are specified, galsync can grab duplicates if the search scope overlaps. Duplicates will not be reconciled. Open the galsync account from the admin console and find out which contact folders are holding the duplicated entry. Refine the search base on the datasource and force another sync with ''zmgsautil''. | If multiple datasources are specified, galsync can grab duplicates if the search scope overlaps. Duplicates will not be reconciled. Open the galsync account from the admin console and find out which contact folders are holding the duplicated entry. Refine the search base on the datasource and force another sync with ''zmgsautil''. | ||
==GAL does not contain all entries from Active Directory== | |||
Have a look at the mailNickname attribute in Active Directory for the missing entries. This attribute is required in the default AD filter in Zimbra. Please see Zimbra [https://bugzilla.zimbra.com/show_bug.cgi?id=11562 bug 11562]. As a workaround, it is safe to remove the mailNickname requirement by designating zimbraGalLdapFilter on the domain or datasource. | |||
Get the default for the AD search filter | |||
<pre> | |||
zmprov gcf zimbraGalLdapFilterDef | grep ad: | |||
</pre> | |||
Insert this value into zimbraGalLdapFilter for the domain or datasource | |||
<pre> | |||
(&(|(displayName=*%s*)(cn=*%s*)(sn=*%s*)(givenName=*%s*)(mail=*%s*))(!(msExchHideFromAddressLists=TRUE))(|(&(objectCategory=person)(objectClass=user)(!(homeMDB=*))(!(msExchHomeServerName=*)))(&(objectCategory=person)(objectClass=user)(|(homeMDB=*)(msExchHomeServerName=*)))(&(objectCategory=person)(objectClass=contact))(objectCategory=group)(objectCategory=publicFolder)(objectCategory=msExchDynamicDistributionList))) | |||
</pre> | |||
The above filter just omits the (mailnickname=*) portion of the default filter. Changing the default AD filter in global config is not recommended. | |||
Also, make sure auto-complete works as expected. You may need to set zimbraGalAutoCompleteLdapFilter on the domain or GAL sync account datasource as well. | |||
==Unable to search for resources by site, building, etc.== | |||
This can happen if the GAL is external and resources are local. | |||
*Make sure ''zimbraGalAlwaysIncludeLocalCalendarResources'' is ''TRUE''. zimbraGalAlwaysIncludeLocalCalendarResources is a global and domain attribute. | |||
*A force sync of the GalSync account is needed for this attribute to take effect (Ex: zmgsautil forceSync -a galsync@example.com -n InternalGAL) | |||
*In some instances, the attribute mappings for searchable fields could be missing. Check for these attribute maps in the global and domain configuration: | |||
zimbraGalLdapAttrMap: zimbraCalResBuilding=zimbraCalResBuilding | |||
zimbraGalLdapAttrMap: zimbraCalResCapacity,msExchResourceCapacity=zimbraCalResCapacity | |||
zimbraGalLdapAttrMap: zimbraCalResFloor=zimbraCalResFloor | |||
*If something is missing, add the attribute map. | |||
zmprov mcf zimbraGalLdapAttrMap zimbraCalResBuilding=zimbraCalResBuilding | |||
*Remove the target galsync datasource where resources reside. | |||
*Delete the contact folder for the datasource from the galsync account. | |||
*Create a new datasource for resources in the galsync account. | |||
*Perform a full sync of the datasource. | |||
=References= | =References= | ||
[http://www.zimbra.com/forums/users/31243-gal-browsing-6-0-a-2.html Forums: GAL Browsing]<br> | [http://www.zimbra.com/forums/users/31243-gal-browsing-6-0-a-2.html Forums: GAL Browsing]<br> | ||
[http://bugzilla.zimbra.com/show_bug.cgi?id=29697 Bug 29697] External (non-Zimbra) addresses in GAL | [http://bugzilla.zimbra.com/show_bug.cgi?id=29697 Bug 29697] External (non-Zimbra) addresses in GAL | ||
{{Article_Footer|ZCS 6.0.x| | [http://www.itcreate.net IPhone Developers] | ||
{{Article_Footer|ZCS 6.0.x|03/14/2013}} | |||
[[Category:Administration]] | [[Category:Administration]] | ||
[[Category:GAL]] | [[Category:GAL]] | ||
[[Category:ZCS 6.0]] | [[Category:ZCS 6.0]] | ||
[[Category:ZCS 8.0]] |
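Review bot: the References lines in this hunk carry an external link, [http://www.itcreate.net IPhone Developers], that has nothing to do with GAL sync and shares a line with the Article_Footer template; drop it from the page. The References list should hold only the forum thread and the bug reports the article cites.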
Revision as of 10:20, 9 May 2018
GAL Sync Account
Description
Enabling a GAL sync account will permit browsing and paging of the global address list when selecting contacts during message composition with the Zimbra web client. Contact data from Zimbra's internal GAL and external sources can be synced to the account. The galsync account is a resource account and does not consume a Zimbra license.
To set up an account properly for sync, there must be:
- A GAL sync account
- An internal or external datasource on the GAL sync account.
Setting Up Internal GAL Sync
For the internal setup, the internal datasource is automatically created when using the following steps.
Admin Console
- In the server admin console, select a domain for GAL sync under "Domains".
- Click "Configure GAL".
- Set "GAL mode:" "Internal".
- Enter a value for "Most results returned by GAL Search".
- Enter a new account name for "GAL sync account name".
- Set "Datasource" name to InternalGAL.
- Enter a GAL polling interval. The GAL polling interval is the time between syncs to the internal LDAP.
- Click Next, then Finish.
- To force a sync, go to the CLI and use zmgsautil:
zmgsautil forceSync -a galsync@domain.com -n InternalGAL
Command Line
ZCS 8
ZCS 8 adds the server (-s) option to designate the Zimbra mailstore on which the GAL sync account will reside. This argument is required. Each mailstore in the environment can have at most one GAL sync account per domain.
zmgsautil createAccount -a galsync@domain.com -n InternalGAL --domain domain.com \
    -s server.name -t zimbra -f _InternalGAL
zmgsautil forceSync -a galsync@domain.com -n InternalGAL
ZCS 6/7
zmgsautil createAccount -a galsync@domain.com -n InternalGAL --domain domain.com -t zimbra -f _InternalGAL
zmgsautil forceSync -a galsync@domain.com -n InternalGAL
Setting Up External GAL Sync
Every domain in the Zimbra installation can have a single Active Directory or external LDAP GAL configuration. The first external datasource for the galsync account will use the external LDAP or Active Directory GAL configuration. Additional datasources require the configuration for the external source to be within the datasource itself. For example, consider this external GAL configuration for AD:
## Get Domain
zmprov gd domain.com | grep -i gal
zimbraGalLdapBindDn: CN=galsync, OU=Service Accounts, OU=Servers, DC=Corp, DC=domain, DC=com
zimbraGalLdapBindPassword: thePassword
zimbraGalLdapFilter: ad
zimbraGalLdapPageSize: 1000
zimbraGalLdapSearchBase: DC=Corp, DC=domain, DC=com
zimbraGalLdapURL: ldap://ds1.corp.domain.com:3268
zimbraGalMaxResults: 100
zimbraGalMode: both
zimbraGalSyncInternalSearchBase: DOMAIN

## Get Datasource
zmprov gds galsync@domain.com
# name ActiveDirectoryGAL
# type gal
objectClass: zimbraDataSource
objectClass: zimbraGalDataSource
zimbraCreateTimestamp: 20090728211318Z
zimbraDataSourceEnabled: TRUE
zimbraDataSourceFolderId: 257
zimbraDataSourceId: 4c94f205-43fb-4706-a13b-8ce64eadde4e
zimbraDataSourceName: ActiveDirectoryGAL
zimbraDataSourcePollingInterval: 1d
zimbraDataSourceType: gal
zimbraGalLastFailedSyncTimestamp: 20090818071009Z
zimbraGalLastSuccessfulSyncTimestamp: 20090925155938Z
zimbraGalStatus: enabled
zimbraGalType: ldap
The ActiveDirectoryGAL datasource uses the GAL configuration stored in the domain's GAL configuration attributes.
Admin Console
- Specify "GAL mode:" as one of "External" or "Both".
- Choose a datasource name. E.g., ActiveDirectoryGAL or ExternalGAL.
- Enter a polling interval.
- Specify "Server type" and configure the rest of the external GAL settings.
Command Line
If the external GAL was configured on the command line, or is already configured without a datasource, zmgsautil can be used to set up the external LDAP datasource. If the galsync account is being created for the first time and external GAL is configured, the datasource will be set up with the zmgsautil createAccount command.
ZCS 8
ZCS 8 adds the required server (-s) option. Each mailstore server can have at most one GAL sync account.
zmgsautil createAccount -a galsync@domain.com -n ExternalGAL --domain domain \
    -s mailstore.server.name -t ldap -f _ExternalGAL
ZCS 6/7
zmgsautil createAccount -a galsync@domain.com -n ExternalGAL --domain domain -t ldap -f _ExternalGAL
Adding Additional Datasources
Additional datasources are configured with the zmgsautil tool and the createAccount sub command. This creates an additional datasource on the galsync account and does not overwrite the account. Specific values for the datasource URL, bind DN, bind password and search base are then provisioned with zmprov.
- Retrieve current datasources for the galsync account.
## Get Datasource
zmprov gds galsync@domain.com
# name ActiveDirectoryGAL
# type gal
objectClass: zimbraDataSource
objectClass: zimbraGalDataSource
zimbraCreateTimestamp: 20090728211318Z
zimbraDataSourceEnabled: TRUE
zimbraDataSourceFolderId: 257
zimbraDataSourceId: 4c94f205-43fb-4706-a13b-8ce64eadde4e
zimbraDataSourceName: ActiveDirectoryGAL
zimbraDataSourcePollingInterval: 1d
zimbraDataSourceType: gal
zimbraGalLastFailedSyncTimestamp: 20090818071009Z
zimbraGalLastSuccessfulSyncTimestamp: 20090925155938Z
zimbraGalStatus: enabled
zimbraGalType: ldap
- Optionally create a new contact folder in the galsync account to store the GAL with zmmailbox.
zmmailbox -z -m galsync@domain.com createFolder --view contact /_AnotherGAL 257
- Add new datasource with zmgsautil addDataSource.
zmgsautil addDataSource -a galsync@domain.com -n AnotherGAL --domain domain.com -t ldap -f _AnotherGAL -p 1d
- Configure the newly created AnotherGAL datasource with the proper server and authentication credentials. Not performing this step will result in the datasource inheriting the GAL configuration from the domain.
zmprov mds galsync@domain.com AnotherGAL \
    zimbraGalSyncLdapBindDn uid=zimbra,cn=admins,cn=zimbra \
    zimbraGalSyncLdapBindPassword thePassword \
    zimbraGalSyncLdapFilter '(&(mail=*)(zimbraAccountStatus=active)(!(zimbraHideInGAL=TRUE)))' \
    zimbraGalSyncLdapSearchBase dc=anotherdomain,dc=com \
    zimbraGalSyncLdapURL ldap://ldap.anotherdomain.com:389
- Finally, show all datasources for the galsync account.
zmprov gds galsync@domain.com
# name ActiveDirectoryGAL
# type gal
objectClass: zimbraDataSource
objectClass: zimbraGalDataSource
zimbraCreateTimestamp: 20090728211318Z
zimbraDataSourceEnabled: TRUE
zimbraDataSourceFolderId: 257
zimbraDataSourceId: 4c94f205-43fb-4706-a13b-8ce64eadde4e
zimbraDataSourceName: ActiveDirectoryGAL
zimbraDataSourcePollingInterval: 1d
zimbraDataSourceType: gal
zimbraGalLastFailedSyncTimestamp: 20090818071009Z
zimbraGalLastSuccessfulSyncTimestamp: 20090925155938Z
zimbraGalStatus: enabled
zimbraGalType: ldap

# name AnotherGAL
# type gal
objectClass: zimbraDataSource
objectClass: zimbraGalDataSource
zimbraCreateTimestamp: 20090729085331Z
zimbraDataSourceEnabled: TRUE
zimbraDataSourceFolderId: 25212
zimbraDataSourceId: 1fb50a98-7168-4ade-98e0-fccd414047a2
zimbraDataSourceName: AnotherGAL
zimbraDataSourcePollingInterval: 1d
zimbraDataSourceType: gal
zimbraGalLastSuccessfulSyncTimestamp: 20090925124604Z
zimbraGalStatus: enabled
zimbraGalSyncLdapBindDn: uid=zimbra,cn=admins,cn=zimbra
zimbraGalSyncLdapBindPassword: thePassword
zimbraGalSyncLdapFilter: (&(mail=*)(zimbraAccountStatus=active)(!(zimbraHideInGAL=TRUE)))
zimbraGalSyncLdapPageSize: 100
zimbraGalSyncLdapSearchBase: dc=anotherdomain,dc=com
zimbraGalSyncLdapURL: ldap://ldap.anotherdomain.com:389
zimbraGalType: ldap
The server providing data to the AnotherGAL datasource just happens to be an external Zimbra server, but could be any other LDAP or AD. Be sure to use zimbraGALType ldap and not zimbra if the external LDAP is Zimbra. The zimbra GAL type is reserved for the internal GAL only.
External Contacts From Active Directory
Multiple datasources can be specified for external contacts which contain email addresses with domains not homed on any Zimbra servers; e.g., vendor accounts, outside affiliates, etc. At the time of writing, external contacts for GAL can only be managed by external datasources. See bug 29697.
zmgsautil createAccount -a galsync@domain.com -n ExternalContactsGAL --domain domain.com -t ldap -p 1d
zmprov mds galsync@domain.com ExternalContactsGAL \
    zimbraGalSyncLdapBindDn zimbra@corp.domain.com \
    zimbraGalSyncLdapBindPassword thePassword \
    zimbraGalSyncLdapFilter "(&(objectClass=contact)(mail=*))" \
    zimbraGalSyncLdapSearchBase dc=corp,dc=domain,dc=com \
    zimbraGalSyncLdapURL ldap://ds1.corp.domain.com:3268
Troubleshooting
GAL paging or external GAL sync is not functioning with multiple datasources
Verify zimbraDataSourceEnabled is not FALSE for any one datasource. If one datasource must be disabled, then it should be deleted.
GAL search skips the first external GAL DS in the galsync account
Make sure zimbraGALMode is set to both on the domain. Remember, the first external DS on the galsync account inherits the external GAL settings configured for the domain. See bug 41321.
zmprov md domain.com zimbraGALMode both
GAL contains duplicate entries
If multiple datasources are specified, galsync can grab duplicates if the search scope overlaps. Duplicates will not be reconciled. Open the galsync account from the admin console and find out which contact folders are holding the duplicated entry. Refine the search base on the datasource and force another sync with zmgsautil.
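The datasource checks described on this page (a datasource left at zimbraDataSourceEnabled FALSE, more than one datasource inheriting the domain GAL configuration, overlapping search bases) can be run over saved zmprov gds output. The Python script below is an added example, not part of the original article or of Zimbra's tooling; the sample records, the StaffGAL and NewGAL names, the same-host condition and the ldap:// bind check are assumptions made for the example.

```python
from itertools import combinations
from urllib.parse import urlsplit

# Constructed sample in the "# name ..." record layout `zmprov gds` prints, trimmed to what the checks read.
SAMPLE = """\
# name ActiveDirectoryGAL
# type gal
zimbraDataSourceEnabled: TRUE
zimbraGalType: ldap
# name AnotherGAL
# type gal
zimbraDataSourceEnabled: FALSE
zimbraGalSyncLdapBindDn: uid=zimbra,cn=admins,cn=zimbra
zimbraGalSyncLdapSearchBase: dc=anotherdomain,dc=com
zimbraGalSyncLdapURL: ldap://ldap.anotherdomain.com:389
zimbraGalType: ldap
# name StaffGAL
# type gal
zimbraDataSourceEnabled: TRUE
zimbraGalSyncLdapSearchBase: OU=Staff, DC=anotherdomain, DC=com
zimbraGalSyncLdapURL: ldaps://ldap.anotherdomain.com:636
zimbraGalType: ldap
# name NewGAL
# type gal
zimbraDataSourceEnabled: TRUE
zimbraGalType: ldap
"""

def parse_datasources(text):
    """Return {datasource name: {attribute: value}} from `zmprov gds` output."""
    sources, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("# name "):
            current = sources.setdefault(line[7:].strip(), {})
        elif current is not None and ": " in line and not line.startswith("#"):
            attr, value = line.split(": ", 1)
            current[attr] = value.strip()
    return sources

def overlaps(base_a, base_b):
    """True when one search base equals or contains the other (naive comma split, no escaped commas)."""
    a, b = ([rdn.strip().lower() for rdn in dn.split(",")] for dn in (base_a, base_b))
    short, long_ = sorted((a, b), key=len)
    return bool(base_a and base_b) and long_[len(long_) - len(short):] == short

def audit(sources):
    """Return (datasource, finding) pairs for the conditions this page describes."""
    out, own = [], {n: d for n, d in sources.items() if "zimbraGalSyncLdapURL" in d}
    for n, d in sources.items():
        if d.get("zimbraDataSourceEnabled", "").upper() == "FALSE":
            out.append((n, "disabled: delete it rather than leave it FALSE"))
        if "zimbraGalSyncLdapBindDn" in d and d.get("zimbraGalSyncLdapURL", "").lower().startswith("ldap://"):
            out.append((n, "binds over ldap://: confirm StartTLS or use ldaps://"))
    inherit = [n for n, d in sources.items() if d.get("zimbraGalType") == "ldap" and n not in own]
    if len(inherit) > 1:  # only the first external datasource should use the domain settings
        out.append((",".join(inherit), "several datasources inherit the domain GAL configuration"))
    for a, b in combinations(sorted(own), 2):
        same_host = len({urlsplit(own[n]["zimbraGalSyncLdapURL"]).hostname for n in (a, b)}) == 1
        if same_host and overlaps(*(own[n].get("zimbraGalSyncLdapSearchBase", "") for n in (a, b))):
            out.append((a + "," + b, "overlapping search bases: expect duplicate contacts"))
    return out

if __name__ == "__main__":
    print(*audit(parse_datasources(SAMPLE)), sep="\n")
```

To audit a live system, save the output of zmprov gds galsync@domain.com to a file and pass its contents to parse_datasources in place of SAMPLE.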
GAL does not contain all entries from Active Directory
Have a look at the mailNickname attribute in Active Directory for the missing entries. This attribute is required in the default AD filter in Zimbra. Please see Zimbra bug 11562. As a workaround, it is safe to remove the mailNickname requirement by designating zimbraGalLdapFilter on the domain or datasource.
Get the default for the AD search filter
zmprov gcf zimbraGalLdapFilterDef | grep ad:
Insert this value into zimbraGalLdapFilter for the domain or datasource
(&(|(displayName=*%s*)(cn=*%s*)(sn=*%s*)(givenName=*%s*)(mail=*%s*))(!(msExchHideFromAddressLists=TRUE))(|(&(objectCategory=person)(objectClass=user)(!(homeMDB=*))(!(msExchHomeServerName=*)))(&(objectCategory=person)(objectClass=user)(|(homeMDB=*)(msExchHomeServerName=*)))(&(objectCategory=person)(objectClass=contact))(objectCategory=group)(objectCategory=publicFolder)(objectCategory=msExchDynamicDistributionList)))
The above filter just omits the (mailnickname=*) portion of the default filter. Changing the default AD filter in global config is not recommended.
Also, make sure auto-complete works as expected. You may need to set zimbraGalAutoCompleteLdapFilter on the domain or GAL sync account datasource as well.
Unable to search for resources by site, building, etc.
This can happen if the GAL is external and resources are local.
- Make sure zimbraGalAlwaysIncludeLocalCalendarResources is TRUE. zimbraGalAlwaysIncludeLocalCalendarResources is a global and domain attribute.
- A force sync of the GalSync account is needed for this attribute to take effect (Ex: zmgsautil forceSync -a galsync@example.com -n InternalGAL)
- In some instances, the attribute mappings for searchable fields could be missing. Check for these attribute maps in the global and domain configuration:
zimbraGalLdapAttrMap: zimbraCalResBuilding=zimbraCalResBuilding
zimbraGalLdapAttrMap: zimbraCalResCapacity,msExchResourceCapacity=zimbraCalResCapacity
zimbraGalLdapAttrMap: zimbraCalResFloor=zimbraCalResFloor
- If something is missing, add the attribute map.
zmprov mcf zimbraGalLdapAttrMap zimbraCalResBuilding=zimbraCalResBuilding
- Remove the target galsync datasource where resources reside.
- Delete the contact folder for the datasource from the galsync account.
- Create a new datasource for resources in the galsync account.
- Perform a full sync of the datasource.
References
Forums: GAL Browsing
Bug 29697 External (non-Zimbra) addresses in GAL