How to configure auto-provisioning with AD: Difference between revisions
Revision as of 16:19, 16 September 2015
How to configure auto-provisioning (autoprov) with AD
Zimbra auto-provisioning
- This article explains how to configure automatic user provisioning when Zimbra is configured to use external LDAP (Active Directory).
- More information on how to configure Zimbra with AD can be found [here].
Solution
1. Create a file with the following entries:
    $ vim /tmp/autoprov.txt

    md example.com zimbraAutoProvAccountNameMap "samAccountName"
    md example.com zimbraAutoProvAttrMap description=description
    md example.com zimbraAutoProvAttrMap cn=displayName
    md example.com zimbraAutoProvAttrMap givenName=givenName
    md example.com zimbraAutoProvAttrMap sn=displayName
    md example.com zimbraAutoProvAuthMech LDAP
    md example.com zimbraAutoProvBatchSize 40
    md example.com zimbraAutoProvLdapAdminBindDn "CN=Administrator,CN=Users,DC=example,DC=com"
    md example.com zimbraAutoProvLdapAdminBindPassword secret
    md example.com zimbraAutoProvLdapBindDn "Administrator@example.com"
    md example.com zimbraAutoProvLdapSearchBase "OU=zimbrausers,dc=example,dc=com"
    md example.com zimbraAutoProvLdapSearchFilter "(cn=%u)"
    md example.com zimbraAutoProvLdapURL "ldap://192.168.0.1:389"
    md example.com zimbraAutoProvMode EAGER
    md example.com zimbraAutoProvNotificationBody "Your account has been auto provisioned. Your email address is ${ACCOUNT_ADDRESS}."
    md example.com zimbraAutoProvNotificationFromAddress prov-admin@example.com
    md example.com zimbraAutoProvNotificationSubject "New account auto provisioned"
    ms server.example.com zimbraAutoProvPollingInterval "1m"
    ms server.example.com +zimbraAutoProvScheduledDomains "example.com"
The options are self-explanatory. The ones that you might want to change according to your environment are:
- zimbraAutoProvLdapAdminBindDn
- zimbraAutoProvLdapAdminBindPassword
- zimbraAutoProvLdapSearchBase
- zimbraAutoProvLdapURL
For the last two entries, which start with ms, you have to use your server's FQDN.
2. Execute the file:
    $ zmprov < /tmp/autoprov.txt
    prov> md example.com zimbraAutoProvAccountNameMap "samAccountName"
    prov> md example.com zimbraAutoProvAttrMap description=description
    prov> md example.com zimbraAutoProvAttrMap cn=displayName
    prov> md example.com zimbraAutoProvAttrMap givenName=givenName
    prov> md example.com zimbraAutoProvAttrMap sn=displayName
    prov> md example.com zimbraAutoProvAuthMech LDAP
    prov> md example.com zimbraAutoProvBatchSize 40
    prov> md example.com zimbraAutoProvLdapAdminBindDn "CN=Administrator,CN=Users,DC=azmo,DC=com"
    prov> md example.com zimbraAutoProvLdapAdminBindPassword Zimbra1
    prov> md example.com zimbraAutoProvLdapBindDn "Administrator@example.com"
    prov> md example.com zimbraAutoProvLdapSearchBase "OU=zimbrausers,dc=azmo,dc=com"
    prov> md example.com zimbraAutoProvLdapSearchFilter "(cn=%u)"
    prov> md example.com zimbraAutoProvLdapURL "ldap://192.168.56.70:389"
    prov> md example.com zimbraAutoProvMode EAGER
    prov> md example.com zimbraAutoProvNotificationBody "Your account has been auto provisioned. Your email address is ${ACCOUNT_ADDRESS}."
    prov> md example.com zimbraAutoProvNotificationFromAddress prov-admin@example.com
    prov> md example.com zimbraAutoProvNotificationSubject "New account auto provisioned"
    prov> ms nine.example.com zimbraAutoProvPollingInterval "1m"
    prov> ms nine.example.com +zimbraAutoProvScheduledDomains "example.com"
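The command file from steps 1 and 2 holds the AD bind password and points at a plain ldap:// URL, so it is worth reviewing before it is fed to zmprov. The following is an added example, not part of the original article: the function names and finding labels are hypothetical, the sample values are placeholders, and zimbraAutoProvLdapStartTlsEnabled is a Zimbra attribute that this page does not list.

```python
import shlex

# Constructed command file modelled on /tmp/autoprov.txt above (placeholder values).
SAMPLE = '''\
md example.com zimbraAutoProvLdapAdminBindDn "CN=Administrator,CN=Users,DC=example,DC=com"
md example.com zimbraAutoProvLdapAdminBindPassword secret
md example.com zimbraAutoProvLdapSearchBase "OU=zimbrausers,dc=example,dc=com"
md example.com zimbraAutoProvLdapURL "ldap://192.168.0.1:389"
md example.com zimbraAutoProvMode EAGER
ms server.example.com zimbraAutoProvPollingInterval "1m"
'''

def parse(text):
    """Return {attribute: [values]} collected from zmprov md/ms lines."""
    attrs = {}
    for line in text.splitlines():
        tok = shlex.split(line)
        if len(tok) >= 4 and tok[0] in ("md", "ms"):
            # tok[1] is the domain or server; attribute/value pairs follow.
            for name, value in zip(tok[2::2], tok[3::2]):
                attrs.setdefault(name.lstrip("+-"), []).append(value)
    return attrs

def review(text, file_mode=None):
    """Return findings for the command file; file_mode is its permission bits."""
    a = parse(text)

    def last(key):
        return (a.get(key) or [""])[-1]

    findings = []
    starttls = last("zimbraAutoProvLdapStartTlsEnabled").upper() == "TRUE"
    if last("zimbraAutoProvLdapURL").lower().startswith("ldap://") and not starttls:
        findings.append("cleartext-ldap: bind password crosses the network unencrypted")
    if last("zimbraAutoProvLdapAdminBindDn").lower().startswith("cn=administrator,"):
        findings.append("privileged-bind: directory search runs as the domain Administrator")
    has_secret = "zimbraAutoProvLdapAdminBindPassword" in a
    if has_secret and file_mode is not None and file_mode & 0o077:
        findings.append("readable-secret: file with bind password is group/world accessible")
    return findings

if __name__ == "__main__":
    # 0o644 is what a default umask of 022 gives a file created in /tmp.
    for finding in review(SAMPLE, 0o644):
        print(finding)
```

To check the real file, pass `os.stat("/tmp/autoprov.txt").st_mode & 0o777` as `file_mode`.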
To double-check that the configuration is working, create a user in AD, and then follow the entries in the /opt/zimbra/log/mailbox.log file. To see more detail, enable [debug].
Ideally you should see the following output in normal logging mode.

Before adding entries:

    2015-07-09 03:22:00,484 INFO [AutoProvision] [] autoprov - Auto provisioning accounts on domain example.com
    2015-07-09 03:22:00,490 INFO [AutoProvision] [] autoprov - 0 external LDAP entries returned as search result
    2015-07-09 03:22:00,490 INFO [AutoProvision] [] autoprov - Auto Provisioning has finished for now, setting last polled timestamp: 20150709022200.488Z

After adding new entries:

    2015-07-09 03:26:00,546 INFO [AutoProvision] [] autoprov - Auto provisioning accounts on domain example.com
    2015-07-09 03:26:00,553 INFO [AutoProvision] [] autoprov - 1 external LDAP entries returned as search result
    2015-07-09 03:26:00,553 INFO [AutoProvision] [] autoprov - auto creating account in EAGER mode: test@example.com, dn="CN=test,OU=zimbrausers,DC=example,DC=com"
    2015-07-09 03:26:00,558 INFO [AutoProvision] [] autoprov - Auto Provisioning has finished for now, setting last polled timestamp: 20150709022600.550Z
    2015-07-09 03:26:00,565 INFO [AutoProvision] [] autoprov - Sleeping for 60000 milliseconds.
If we log in as test@example.com, we can see that an e-mail was sent as per our attributes:

    md example.com zimbraAutoProvNotificationBody "Your account has been auto provisioned. Your email address is ${ACCOUNT_ADDRESS}."
    md example.com zimbraAutoProvNotificationFromAddress prov-admin@example.com
    md example.com zimbraAutoProvNotificationSubject "New account auto provisioned"
More information
More information about the attributes can be found in the /opt/zimbra/docs/autoprov.txt file.
There is a bug (https://bugzilla.zimbra.com/show_bug.cgi?id=82587) regarding auto-provisioning in Zimbra versions prior to ZCS 8.0.8. If you have Zimbra 8.0.7 or lower, auto-provisioning works only the first time. Then it stops, due to the difference in the zimbraAutoProvLastPolledTimestamp in Zimbra and in AD. This attribute needs to be set to null for the automatic sync to work.
IN PROGRESS