Applies to Zimbra Collaboration 8.6, 8.5, 8.0 (article footer dated 04/20/2016)
Latest revision as of 22:49, 18 September 2020
How to configure auto-provisioning (autoprov) with AD
Zimbra auto-provisioning
- This article explains how to configure automatic user provisioning when Zimbra is configured to use an external LDAP directory (Active Directory).
- More information on configuring Zimbra with AD: https://wiki.zimbra.com/wiki/Configure_authentication_with_Active_Directory. Directions for auto-provisioning with a generic external LDAP server: https://wiki.zimbra.com/wiki/How_to_configure_autoprovisioning_with_external_LDAP
Solution
1. Create a file with the following entries:
$ vim /tmp/autoprov.txt
md example.com zimbraAutoProvAccountNameMap "samAccountName"
md example.com +zimbraAutoProvAttrMap description=description
md example.com +zimbraAutoProvAttrMap displayName=displayName
md example.com +zimbraAutoProvAttrMap givenName=givenName
md example.com +zimbraAutoProvAttrMap cn=cn
md example.com +zimbraAutoProvAttrMap sn=sn
md example.com zimbraAutoProvAuthMech LDAP
md example.com zimbraAutoProvBatchSize 40
md example.com zimbraAutoProvLdapAdminBindDn "CN=Administrator,CN=Users,DC=example,DC=com"
md example.com zimbraAutoProvLdapAdminBindPassword secret
md example.com zimbraAutoProvLdapBindDn "Administrator@example.com"
md example.com zimbraAutoProvLdapSearchBase "CN=Users,dc=example,dc=com"
md example.com zimbraAutoProvLdapSearchFilter "(cn=%u)"
md example.com zimbraAutoProvLdapURL "ldap://192.168.0.1:389"
md example.com zimbraAutoProvMode EAGER
md example.com zimbraAutoProvNotificationBody "Your account has been auto provisioned. Your email address is ${ACCOUNT_ADDRESS}."
md example.com zimbraAutoProvNotificationFromAddress prov-admin@example.com
md example.com zimbraAutoProvNotificationSubject "New account auto provisioned"
ms server.example.com zimbraAutoProvPollingInterval "1m"
ms server.example.com +zimbraAutoProvScheduledDomains "example.com"
The options are self-explanatory. The ones you will need to change for your environment are:
- zimbraAutoProvLdapAdminBindDn
- zimbraAutoProvLdapAdminBindPassword
- zimbraAutoProvLdapSearchBase
- zimbraAutoProvLdapURL
The bind DN and password are the credentials Zimbra uses to search AD on every poll. The password is stored in cleartext in the domain entry (it is shown by zmprov gd example.com), so use a dedicated read-only service account rather than the domain Administrator. With a plain ldap:// URL that password also crosses the network in cleartext on every poll; use ldaps:// where your domain controllers support it.
The zimbraAutoProvAttrMap attribute defines the attribute map for copying attribute values from the external entry to Zimbra account attributes. Values are in the format {external attribute}={zimbra attribute}. The attribute is multi-valued, which is why each entry above uses +zimbraAutoProvAttrMap; without the + each md line replaces the whole map and only the last mapping survives.
- Note: If this is not set, no attributes from the external directory are populated in the Zimbra account.
For the last two entries starting with ms, use the FQDN of the mailbox server that should run the polling.
2. Execute the file:
$ zmprov < /tmp/autoprov.txt
prov> md example.com zimbraAutoProvAccountNameMap "samAccountName"
prov> md example.com +zimbraAutoProvAttrMap description=description
prov> md example.com +zimbraAutoProvAttrMap displayName=displayName
prov> md example.com +zimbraAutoProvAttrMap givenName=givenName
prov> md example.com +zimbraAutoProvAttrMap cn=cn
prov> md example.com +zimbraAutoProvAttrMap sn=sn
prov> md example.com zimbraAutoProvAuthMech LDAP
prov> md example.com zimbraAutoProvBatchSize 40
prov> md example.com zimbraAutoProvLdapAdminBindDn "CN=Administrator,CN=Users,DC=example,DC=com"
prov> md example.com zimbraAutoProvLdapAdminBindPassword secret
prov> md example.com zimbraAutoProvLdapBindDn "Administrator@example.com"
prov> md example.com zimbraAutoProvLdapSearchBase "CN=Users,dc=example,dc=com"
prov> md example.com zimbraAutoProvLdapSearchFilter "(cn=%u)"
prov> md example.com zimbraAutoProvLdapURL "ldap://192.168.0.1:389"
prov> md example.com zimbraAutoProvMode EAGER
prov> md example.com zimbraAutoProvNotificationBody "Your account has been auto provisioned. Your email address is ${ACCOUNT_ADDRESS}."
prov> md example.com zimbraAutoProvNotificationFromAddress prov-admin@example.com
prov> md example.com zimbraAutoProvNotificationSubject "New account auto provisioned"
prov> ms server.example.com zimbraAutoProvPollingInterval "1m"
prov> ms server.example.com +zimbraAutoProvScheduledDomains "example.com"
The configuration takes effect without a restart.
3. To test, create a user in AD and then follow the entries in the /opt/zimbra/log/mailbox.log file. To see more detail, enable debug logging.
- With normal logging you should see output like the following:
- before adding entries
2015-07-09 03:22:00,484 INFO [AutoProvision] [] autoprov - Auto provisioning accounts on domain example.com
2015-07-09 03:22:00,490 INFO [AutoProvision] [] autoprov - 0 external LDAP entries returned as search result
2015-07-09 03:22:00,490 INFO [AutoProvision] [] autoprov - Auto Provisioning has finished for now, setting last polled timestamp: 20150709022200.488Z
- after adding new entries
2015-07-09 03:26:00,546 INFO [AutoProvision] [] autoprov - Auto provisioning accounts on domain example.com
2015-07-09 03:26:00,553 INFO [AutoProvision] [] autoprov - 1 external LDAP entries returned as search result
2015-07-09 03:26:00,553 INFO [AutoProvision] [] autoprov - auto creating account in EAGER mode: test@example.com, dn="CN=test,OU=zimbrausers,DC=example,DC=com"
2015-07-09 03:26:00,558 INFO [AutoProvision] [] autoprov - Auto Provisioning has finished for now, setting last polled timestamp: 20150709022600.550Z
2015-07-09 03:26:00,565 INFO [AutoProvision] [] autoprov - Sleeping for 60000 milliseconds.
4. Logging in as test@example.com shows a notification e-mail built from the attributes set above:
- md example.com zimbraAutoProvNotificationBody "Your account has been auto provisioned. Your email address is ${ACCOUNT_ADDRESS}."
- md example.com zimbraAutoProvNotificationFromAddress prov-admin@example.com
- md example.com zimbraAutoProvNotificationSubject "New account auto provisioned"
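As an added example (not code from the Zimbra wiki or from Zimbra itself), the following POSIX shell script checks the batch file from step 1 before it is fed to zmprov, lists the accounts that autoprov reports as created in mailbox.log, and decodes the AD data code from an AcceptSecurityContext error using the table in the Troubleshooting section below. The batch file, the log lines and the exception string it runs on are constructed for the demo; the attribute names and log formats are the ones shown in this article.

```shell
#!/bin/sh
# Added example, not from the Zimbra wiki or from Zimbra itself: offline
# sanity checks around the autoprov procedure above. The batch file, the
# mailbox.log lines and the LDAP exception string below are constructed
# for the demo; attribute names and log formats follow the article.

# lint_autoprov FILE
# Prints one finding per line for the zmprov batch file.
#  - "md <domain> zimbraAutoProvAttrMap a=b" without the leading "+"
#    replaces the whole multi-valued map, so only the last line survives.
#  - ldap:// in zimbraAutoProvLdapURL sends the admin bind password in
#    cleartext on every poll; ldaps:// is the safe choice.
#  - Binding as the built-in Administrator gives the poller far more
#    rights than a read-only search needs.
lint_autoprov() {
    f="$1"
    grep -n 'zimbraAutoProvAttrMap' "$f" | grep -v '+zimbraAutoProvAttrMap' |
        sed 's|^\([0-9]*\):.*|line \1: zimbraAutoProvAttrMap without leading "+" (replaces earlier mappings)|'
    grep -n 'zimbraAutoProvLdapURL[[:space:]]*"*ldap://' "$f" |
        sed 's|^\([0-9]*\):.*|line \1: zimbraAutoProvLdapURL uses ldap://, bind password goes in cleartext; use ldaps://|'
    grep -n 'zimbraAutoProvLdapAdminBindDn.*CN=Administrator,' "$f" |
        sed 's|^\([0-9]*\):.*|line \1: bind DN is the built-in Administrator; use a dedicated read-only service account|'
    return 0
}

# provisioned_accounts LOGFILE
# Lists the addresses autoprov reports as created, in log order. This is
# the audit trail: every account here was created from AD without an
# administrator touching Zimbra.
provisioned_accounts() {
    sed -n 's/.*auto creating account in [A-Z]* mode: \([^,]*\),.*/\1/p' "$1"
}

# ad_error_code "EXCEPTION STRING"
# Pulls the AD-specific code that follows "data" in an
# AcceptSecurityContext error and decodes it with the table from the
# Troubleshooting section of the article.
ad_error_code() {
    code=$(printf '%s\n' "$1" |
        sed -n 's/.*AcceptSecurityContext error, data *\([0-9a-fA-F]*\).*/\1/p')
    case "$code" in
        525)  echo "$code: user not found" ;;
        52e)  echo "$code: invalid credentials" ;;
        530)  echo "$code: not permitted to logon at this time" ;;
        531)  echo "$code: not permitted to logon at this workstation" ;;
        532)  echo "$code: password expired" ;;
        533)  echo "$code: account disabled" ;;
        534)  echo "$code: user not granted the requested logon type at this machine" ;;
        701)  echo "$code: account expired" ;;
        773)  echo "$code: user must reset password" ;;
        775)  echo "$code: user account locked" ;;
        8350) echo "$code: DN format is incorrect" ;;
        *)    echo "${code:-none}: no AcceptSecurityContext data code recognised" ;;
    esac
}

# Constructed demo input: a deliberately flawed batch file and two log lines.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/autoprov.txt" <<'EOF'
md example.com zimbraAutoProvAccountNameMap "samAccountName"
md example.com zimbraAutoProvAttrMap givenName=givenName
md example.com +zimbraAutoProvAttrMap sn=sn
md example.com zimbraAutoProvLdapAdminBindDn "CN=Administrator,CN=Users,DC=example,DC=com"
md example.com zimbraAutoProvLdapURL "ldap://192.168.0.1:389"
EOF
cat > "$tmp/mailbox.log" <<'EOF'
2015-07-09 03:26:00,553 INFO [AutoProvision] [] autoprov - auto creating account in EAGER mode: test@example.com, dn="CN=test,OU=zimbrausers,DC=example,DC=com"
2015-07-09 03:27:00,553 INFO [AutoProvision] [] autoprov - auto creating account in EAGER mode: alice@example.com, dn="CN=alice,OU=zimbrausers,DC=example,DC=com"
EOF

lint_autoprov "$tmp/autoprov.txt"
provisioned_accounts "$tmp/mailbox.log"
ad_error_code '[LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 52e, v893]'
```

Run lint_autoprov against the real /tmp/autoprov.txt before step 2; a finding on zimbraAutoProvAttrMap means only the last mapping would survive, which is exactly what md without + does. provisioned_accounts run periodically over mailbox.log gives a list of accounts created by the poller that can be reconciled against AD.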
More information
More information on the attributes can be found in the /opt/zimbra/docs/autoprov.txt file.
There is a known bug in auto-provisioning in ZCS versions before 8.0.8. On 8.0.7 and lower, auto-provisioning works only the first time and then stops, because the format of zimbraAutoProvLastPolledTimestamp differs between Zimbra and AD. To get autoprov pulling entries automatically again, this attribute has to be cleared (set to null).
Troubleshooting
1. Some of the exceptions thrown during the configuration are clear, but some are not; the following information helps with troubleshooting:
LDAP errors and exceptions
Exception: [LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 52e, v893]
Raw: [LdapErr: DSID-0Cxxxxxx, comment: AcceptSecurityContext error, data xxx, vece ]
There are several values that can indicate what LDAP function is causing the issue. Here are some general references for Microsoft Active Directory:
The AD-specific error code is the one after data and before vece or v893 in the actual error string returned to the binding process.
Code | Meaning
525  | user not found
52e  | invalid credentials
530  | not permitted to logon at this time
531  | not permitted to logon at this workstation
532  | password expired
533  | account disabled
534  | the user has not been granted the requested logon type at this machine
701  | account expired
773  | user must reset password
775  | user account locked
8350 | DN format is incorrect