How to configure autoprovisioning by group membership (Active Directory)

Revision as of 14:29, 19 April 2019


   KB 23840        Last updated on 2019-04-19  






Autoprovisioning by group membership


This article explains how to configure automatic user provisioning based on group membership (Active Directory).
For information on configuring autoprovisioning based on container location, see [this] article. Connecting Zimbra to AD is described [here], and directions for configuring auto-provisioning against an external LDAP directory are [here].


Solution


The setup is almost identical to the article mentioned [here]. The difference is in the values of two attributes:

zimbraAutoProvLdapSearchBase
zimbraAutoProvLdapSearchFilter 

Because we want to autoprovision users based on their group membership, we first specify the container that holds those users. That container may also hold users that are not members of the group, but every member of the group must be located in it. This is done by setting the zimbraAutoProvLdapSearchBase attribute. Next we specify the LDAP filter that selects the correct users from that container, by setting the zimbraAutoProvLdapSearchFilter attribute.

The steps below show the full configuration; the two attributes in question are zimbraAutoProvLdapSearchBase and zimbraAutoProvLdapSearchFilter.


1. Create a file with the following entries:

$ vim /tmp/autoprov.txt

md example.com zimbraAutoProvAccountNameMap "samAccountName"
md example.com +zimbraAutoProvAttrMap description=description
md example.com +zimbraAutoProvAttrMap displayName=displayName
md example.com +zimbraAutoProvAttrMap givenName=givenName
md example.com +zimbraAutoProvAttrMap cn=cn
md example.com +zimbraAutoProvAttrMap sn=sn
md example.com zimbraAutoProvAuthMech LDAP
md example.com zimbraAutoProvBatchSize 40
md example.com zimbraAutoProvLdapAdminBindDn "CN=Administrator,CN=Users,DC=example,DC=com"
md example.com zimbraAutoProvLdapAdminBindPassword secret
md example.com zimbraAutoProvLdapBindDn "Administrator@example.com"
md example.com zimbraAutoProvLdapSearchBase "CN=Users,dc=example,dc=com"
md example.com zimbraAutoProvLdapSearchFilter "(memberOf=CN=dlgroup,CN=DistributionGroup,DC=example,DC=com)"
md example.com zimbraAutoProvLdapURL "ldap://192.168.0.1:389"
md example.com zimbraAutoProvMode EAGER
md example.com zimbraAutoProvNotificationBody "Your account has been auto provisioned.  Your email address is ${ACCOUNT_ADDRESS}."
md example.com zimbraAutoProvNotificationFromAddress prov-admin@example.com
md example.com zimbraAutoProvNotificationSubject "New account auto provisioned"
ms server.example.com zimbraAutoProvPollingInterval "1m"
ms server.example.com +zimbraAutoProvScheduledDomains "example.com"


Notice that in zimbraAutoProvLdapSearchFilter we used memberOf to name the group whose members are provisioned. In Active Directory, memberOf lists direct memberships only, so members of nested groups are not matched by this filter, and a user's primary group is not listed in memberOf either.

The remaining options are self-explanatory. The ones you will need to change for your environment are:

zimbraAutoProvLdapAdminBindDn
zimbraAutoProvLdapAdminBindPassword
zimbraAutoProvLdapSearchBase
zimbraAutoProvLdapURL

The zimbraAutoProvAttrMap attribute defines the attribute map for mapping attribute values from the external entry to Zimbra account attributes. Values are in the format of {external attribute}={zimbra attribute}.

Note: If this is not set, no attributes from the external directory are populated in the Zimbra account.

For the last two entries, which start with ms, use your server's FQDN.


2. Execute the file:

$ zmprov < /tmp/autoprov.txt

prov> md example.com zimbraAutoProvAccountNameMap "samAccountName"
prov> md example.com +zimbraAutoProvAttrMap description=description
prov> md example.com +zimbraAutoProvAttrMap displayName=displayName
prov> md example.com +zimbraAutoProvAttrMap givenName=givenName
prov> md example.com +zimbraAutoProvAttrMap cn=cn
prov> md example.com +zimbraAutoProvAttrMap sn=sn
prov> md example.com zimbraAutoProvAuthMech LDAP
prov> md example.com zimbraAutoProvBatchSize 40
prov> md example.com zimbraAutoProvLdapAdminBindDn "CN=Administrator,CN=Users,DC=example,DC=com"
prov> md example.com zimbraAutoProvLdapAdminBindPassword secret
prov> md example.com zimbraAutoProvLdapBindDn "Administrator@example.com"
prov> md example.com zimbraAutoProvLdapSearchBase "CN=Users,dc=example,dc=com"
prov> md example.com zimbraAutoProvLdapSearchFilter "(memberOf=CN=dlgroup,CN=DistributionGroup,DC=example,DC=com)"
prov> md example.com zimbraAutoProvLdapURL "ldap://192.168.0.1:389"
prov> md example.com zimbraAutoProvMode EAGER
prov> md example.com zimbraAutoProvNotificationBody "Your account has been auto provisioned.  Your email address is ${ACCOUNT_ADDRESS}."
prov> md example.com zimbraAutoProvNotificationFromAddress prov-admin@example.com
prov> md example.com zimbraAutoProvNotificationSubject "New account auto provisioned"
prov> ms server.example.com zimbraAutoProvPollingInterval "1m"
prov> ms server.example.com +zimbraAutoProvScheduledDomains "example.com"


The configuration takes effect without restarting any service.


3. To test, create a user in AD (in the configured container and group) and then follow the entries in the /opt/zimbra/log/mailbox.log file. To see more detail, enable [debug] logging.

With normal logging you should see output like the following:
  • before adding entries
2015-07-09 03:22:00,484 INFO  [AutoProvision] [] autoprov - Auto provisioning accounts on domain example.com
2015-07-09 03:22:00,490 INFO  [AutoProvision] [] autoprov - 0 external LDAP entries returned as search result
2015-07-09 03:22:00,490 INFO  [AutoProvision] [] autoprov - Auto Provisioning has finished for now, setting last polled timestamp: 20150709022200.488Z
  • after adding new entries
2015-07-09 03:26:00,546 INFO  [AutoProvision] [] autoprov - Auto provisioning accounts on domain example.com
2015-07-09 03:26:00,553 INFO  [AutoProvision] [] autoprov - 1 external LDAP entries returned as search result
2015-07-09 03:26:00,553 INFO  [AutoProvision] [] autoprov - auto creating account in EAGER mode: test@example.com, dn="CN=test,OU=zimbrausers,DC=example,DC=com"
2015-07-09 03:26:00,558 INFO  [AutoProvision] [] autoprov - Auto Provisioning has finished for now, setting last polled timestamp: 20150709022600.550Z
2015-07-09 03:26:00,565 INFO  [AutoProvision] [] autoprov - Sleeping for 60000 milliseconds.



4. Logging in as test@example.com shows the notification e-mail sent according to these attributes:

md example.com zimbraAutoProvNotificationBody "Your account has been auto provisioned. Your email address is ${ACCOUNT_ADDRESS}."
md example.com zimbraAutoProvNotificationFromAddress prov-admin@example.com
md example.com zimbraAutoProvNotificationSubject "New account auto provisioned"
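As an added example (not part of the original article or of Zimbra's own tooling), the following Python parses a step-1 zmprov file and lints the two attributes this article is about, plus two settings a reviewer would flag: an ldap:// URL, which carries the admin bind password unencrypted over the network, and a bind as the built-in Administrator where a read-only service account is enough. The sample file and its azmo.com group DN are constructed.

```python
import re
from typing import Dict, List

# Constructed step-1 zmprov file (not a real environment); the group DN is deliberately
# in a different domain (azmo.com) than the search base so the lint below catches it.
AUTOPROV_FILE = """\
md example.com zimbraAutoProvAccountNameMap "samAccountName"
md example.com +zimbraAutoProvAttrMap displayName=displayName
md example.com +zimbraAutoProvAttrMap sn=sn
md example.com zimbraAutoProvLdapAdminBindDn "CN=Administrator,CN=Users,DC=example,DC=com"
md example.com zimbraAutoProvLdapSearchBase "CN=Users,dc=example,dc=com"
md example.com zimbraAutoProvLdapSearchFilter "(memberOf=CN=dlgroup,CN=DistributionGroup,DC=azmo,DC=com)"
md example.com zimbraAutoProvLdapURL "ldap://192.168.0.1:389"
"""
# md|ms <target> [+]<attribute> <value>; the value may be double-quoted.
LINE_RE = re.compile(r'^(?:md|ms)\s+\S+\s+(\+?)(zimbra\w+)\s+(?:"([^"]*)"|(\S+))\s*$')

def parse_zmprov(text: str) -> Dict[str, List[str]]:
    """Collect attribute values; a '+attr' line appends instead of replacing."""
    attrs: Dict[str, List[str]] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # blank or malformed line
        plus, name, quoted, bare = m.groups()
        value = quoted if quoted is not None else bare
        if plus:
            attrs.setdefault(name, []).append(value)
        else:
            attrs[name] = [value]
    return attrs

def dc_components(dn: str) -> List[str]:
    """Lower-cased domain components of a DN, e.g. ['example', 'com']."""
    return [p.strip()[3:].lower() for p in dn.split(",") if p.strip().lower().startswith("dc=")]

def lint_autoprov(attrs: Dict[str, List[str]]) -> List[str]:
    """Return findings; an empty list means every check passed."""
    get = {k: v[0] for k, v in attrs.items()}.get  # first value of each attribute
    findings: List[str] = []
    group = re.search(r"\(memberOf=([^)]+)\)", get("zimbraAutoProvLdapSearchFilter", ""), re.I)
    if not group:
        findings.append("search filter does not restrict by memberOf")
    elif dc_components(group.group(1)) != dc_components(get("zimbraAutoProvLdapSearchBase", "")):
        findings.append("group DN is in a different domain than the search base")
    if not get("zimbraAutoProvLdapURL", "").lower().startswith("ldaps://"):
        findings.append("ldap:// sends the admin bind password in cleartext; use ldaps://")
    if get("zimbraAutoProvLdapAdminBindDn", "").lower().startswith("cn=administrator,"):
        findings.append("bind DN is the built-in Administrator; use a read-only service account")
    return findings
```

Run it against your own /tmp/autoprov.txt before step 2; an empty findings list means the group DN, URL scheme and bind identity pass the checks above.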




More information

More information for the attributes can be found in /opt/zimbra/docs/autoprov.txt file.

There is a [bug] regarding auto-provisioning in Zimbra versions prior to ZCS 8.0.8. On Zimbra 8.0.7 and lower, auto-provisioning works only the first time and then stops, because the zimbraAutoProvLastPolledTimestamp format differs between Zimbra and AD. This attribute needs to be set to null for autoprov to keep pulling entries automatically.



Troubleshooting

1. Some of the exceptions thrown during configuration are clear, but some are not, and the following information will help with troubleshooting:

LDAP errors and exceptions

Exception: [LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data  52e , v893]
Raw: [LdapErr: DSID-0Cxxxxxx, comment: AcceptSecurityContext error, data xxx, vece ]

Several values in this string indicate which part of the LDAP bind failed. The AD-specific error code is the value after data and before vece or v893 in the error string returned to the binding process. General references for Microsoft Active Directory:

525 user not found
52e invalid credentials
530 not permitted to logon at this time
531 not permitted to logon at this workstation
532 password expired
533 account disabled
534 The user has not been granted the requested logon type at this machine
701 account expired
773 user must reset password
775 user account locked
8350 DN format is incorrect
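An added example, not part of the original article, that applies the checks from steps 3 and 4 and from this troubleshooting section to mailbox.log lines: it counts the entries each poll returned, records the accounts created, flags an account whose DN lies outside the configured search base, and decodes the AD data code from a bind error. Only the INFO lines come from the article; the WARN line and its wording are constructed.

```python
import re
from typing import Dict, List, Optional

# AD-specific bind error codes, from the troubleshooting table above.
AD_BIND_ERRORS: Dict[str, str] = {
    "525": "user not found", "52e": "invalid credentials", "530": "not permitted to logon at this time",
    "531": "not permitted to logon at this workstation", "532": "password expired", "533": "account disabled",
    "534": "logon type not granted at this machine", "701": "account expired", "773": "user must reset password",
    "775": "user account locked", "8350": "DN format is incorrect",
}
COUNT_RE = re.compile(r"(\d+) external LDAP entries returned")
CREATE_RE = re.compile(r'auto creating account in EAGER mode: (\S+), dn="([^"]+)"')
ADERR_RE = re.compile(r"AcceptSecurityContext error, data\s+([0-9a-f]+)\s*,\s*v[0-9a-f]+", re.I)

def decode_ad_error(msg: str) -> Optional[str]:
    """Meaning of the 'data NNN' code in an AcceptSecurityContext error, or None."""
    m = ADERR_RE.search(msg)
    if not m:
        return None
    code = m.group(1).lower()
    return AD_BIND_ERRORS.get(code, f"unknown code {code}")

def dn_under(dn: str, base: str) -> bool:
    """True if dn equals base or lies beneath it (case-insensitive RDN comparison)."""
    d = [p.strip().lower() for p in dn.split(",")]
    b = [p.strip().lower() for p in base.split(",")]
    return len(d) >= len(b) and d[-len(b):] == b

def audit_autoprov_log(lines: List[str], search_base: str) -> Dict[str, object]:
    """Summarise AutoProvision log lines: entries returned, accounts created, anomalies."""
    returned, created, outside, errors = 0, [], [], []
    for line in lines:
        if m := COUNT_RE.search(line):
            returned += int(m.group(1))
        elif m := CREATE_RE.search(line):
            acct, dn = m.groups()
            created.append(acct)
            if not dn_under(dn, search_base):  # provisioned from outside the configured container
                outside.append(acct)
        elif why := decode_ad_error(line):
            errors.append(why)
    return {"returned": returned, "created": created, "outside_base": outside, "bind_errors": errors}

# Constructed sample: INFO lines from step 3 plus one constructed WARN line carrying the error string above.
SAMPLE_LOG = [
    "2015-07-09 03:26:00,546 INFO  [AutoProvision] [] autoprov - Auto provisioning accounts on domain example.com",
    "2015-07-09 03:26:00,553 INFO  [AutoProvision] [] autoprov - 1 external LDAP entries returned as search result",
    '2015-07-09 03:26:00,553 INFO  [AutoProvision] [] autoprov - auto creating account in EAGER mode: test@example.com, dn="CN=test,OU=zimbrausers,DC=example,DC=com"',
    "2015-07-09 03:27:00,001 WARN  [AutoProvision] [] autoprov - bind failed: [LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 52e, v893]",
]
```

Against the article's search base CN=Users,dc=example,dc=com the sample account is reported as outside_base, because its DN sits under OU=zimbrausers; that is the kind of mismatch between what the filter is meant to cover and what actually got provisioned that this check is for.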




Verified Against: Zimbra Collaboration 8.6, 8.5, 8.0 Date Created: 04/20/2016
Article ID: https://wiki.zimbra.com/index.php?title=How_to_configure_autoprovisioning_by_group_membership_(Active_Directory) Date Modified: 2019-04-19



Last edit by Teodor Vizirov