Enable Viewing of Distribution List Members for AD Accounts

Viewing Active Directory Distribution List from Zimbra's GAL

The admin guide currently gives the following steps to enable viewing distribution lists (DLs) from Active Directory (AD):

To view Active Directory distribution list members in messages or in the address book, the GAL group handler for Active Directory must be configured in the ZCS GALsync account for each Active Directory.

To update the GALsync account for each Active Directory, you must know the GALsync account name and all data sources on that GALsync account.

1. To find the GALsync account name:

       zmprov gd {domain} zimbraGalAccountId

   The above command displays the Zimbra ID of the GALsync account. To find the name:

       zmprov ga {zimbraId-of-the-GAL-sync-account} | grep "# name"

2. To find the data sources for the GALsync account:

       zmprov gds {gal-sync-account-name-for-the-domain}

3. To enable the group handler for the Active Directory:

       zmprov mds {gal-sync-account-name-for-the-domain} {AD-data-source-name} zimbraGalLdapGroupHandlerClass com.zimbra.cs.gal.ADGalGroupHandler


However...

When the DLs are synced from AD into the Zimbra GAL, it is generally assumed that if you can see an AD DL in the GAL, you can also send a message to it.

This is not always the case. When a Zimbra user searches for the AD DL in the compose window and attempts to send a message, a non-delivery report (NDR) is returned.
Why does this happen? Generally because the zimbra-MTA does not know how to route the message.


Proposed Workaround.

1. As the zimbra user, do the following on the zimbra-MTA:

      touch /opt/zimbra/conf/ldap-groups.cf
      chown zimbra:postfix /opt/zimbra/conf/ldap-groups.cf

2. SAMPLE ldap-groups.cf file:

      server_host = active-directory.domain.local
      search_base = OU=Distribution Lists,DC=domain,DC=local
      version = 3
      bind = yes
      bind_dn = CN=zimbra_service,OU=ServiceUsers,DC=domain,DC=local
      bind_pw = *******
      query_filter = (&(objectclass=group)(mail=%s))
      leaf_result_attribute = mail
      special_result_attribute = member

3. Add ldap-groups.cf to Zimbra's zimbraMtaVirtualAliasMaps setting (globally with mcf, or for a single server with ms), then restart the MTA:

      zmprov mcf zimbraMtaVirtualAliasMaps 'proxy:ldap:/opt/zimbra/conf/ldap-vam.cf, ldap:/opt/zimbra/conf/ldap-groups.cf'
      OR
      zmprov ms zimbra-mta.domain.com zimbraMtaVirtualAliasMaps 'proxy:ldap:/opt/zimbra/conf/ldap-vam.cf, ldap:/opt/zimbra/conf/ldap-groups.cf'
      zmmtactl restart

4. Test using an AD-DL address:

      postmap -q sales@domain.com ldap:/opt/zimbra/conf/ldap-groups.cf


If you see positive output from the postmap command, Zimbra users *should* be able to send messages to their AD DLs.
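To make the lookup that ldap-groups.cf performs concrete, here is an added Python model of it (constructed for this page, not Zimbra or Postfix code): it walks an in-memory snapshot of a few AD objects the way ldap_table(5) describes, escaping the recipient before it replaces %s in query_filter, matching group objects, and following `member` DNs down to the `mail` of the leaf objects. The directory contents, the nested group with a cycle, and the cycle guard are assumptions of the example.

```python
import re

# Constructed AD snapshot (not a real directory): DN -> attribute values.
DIRECTORY = {
    "CN=Sales,OU=Distribution Lists,DC=domain,DC=local": {
        "objectclass": ["group"], "mail": ["sales@domain.com"],
        "member": ["CN=Alice,OU=Users,DC=domain,DC=local",
                   "CN=Sales EMEA,OU=Distribution Lists,DC=domain,DC=local"]},
    "CN=Sales EMEA,OU=Distribution Lists,DC=domain,DC=local": {
        "objectclass": ["group"], "mail": ["sales-emea@domain.com"],
        "member": ["CN=Bob,OU=Users,DC=domain,DC=local",
                   "CN=Sales,OU=Distribution Lists,DC=domain,DC=local"]},  # nested cycle
    "CN=Alice,OU=Users,DC=domain,DC=local": {"objectclass": ["user"], "mail": ["alice@domain.com"]},
    "CN=Bob,OU=Users,DC=domain,DC=local": {"objectclass": ["user"], "mail": ["bob@domain.com"]},
}
# The lookup-relevant keys from the sample ldap-groups.cf above.
CONFIG = {"query_filter": "(&(objectclass=group)(mail=%s))",
          "leaf_result_attribute": "mail", "special_result_attribute": "member"}

def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping of the recipient before it replaces %s, so a crafted
    address cannot change the meaning of query_filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)

def matches(attrs: dict, filt: str) -> bool:
    """Evaluate an AND of equality clauses such as (&(objectclass=group)(mail=x))."""
    for attr, value in re.findall(r"\(([^()=]+)=([^()]*)\)", filt):
        literal = re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)
        if literal.lower() not in [v.lower() for v in attrs.get(attr.lower(), [])]:
            return False
    return True

def expand(dn: str, seen: set) -> list:
    """Follow special_result_attribute DNs; return leaf_result_attribute of leaf objects."""
    if dn in seen or dn not in DIRECTORY:   # cycle guard for nested groups (assumed)
        return []
    seen.add(dn)
    entry = DIRECTORY[dn]
    members = entry.get(CONFIG["special_result_attribute"], [])
    if not members:                          # leaf object: return its mail
        return list(entry.get(CONFIG["leaf_result_attribute"], []))
    return [addr for m in members for addr in expand(m, seen)]

def lookup(address: str) -> list:
    """What `postmap -q <address> ldap:/opt/zimbra/conf/ldap-groups.cf` would return."""
    filt = CONFIG["query_filter"].replace("%s", escape_filter_value(address))
    return [addr for dn, attrs in DIRECTORY.items() if matches(attrs, filt)
            for addr in expand(dn, set())]
```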

See https://bugzilla.zimbra.com/show_bug.cgi?id=106107
