Zimbra LDAP autoprovision, limit by group?

BloodyIron
Advanced member
Posts: 67
Joined: Sat Sep 13, 2014 2:58 am

Post by BloodyIron »

So I am pretty sure I have enough to set up auto-provisioning based on LDAP/AD; however, I don't want all accounts to have mailboxes. My google-fu has not yet turned up a result, but is there a way to limit auto-provisioning from LDAP/AD based on group or some other element of a user?
15337Raunaq
Advanced member
Posts: 157
Joined: Sat Sep 13, 2014 2:59 am

Post by 15337Raunaq »

Well, you can use lazy mode, in which only those accounts which authenticate using the provided mechanism get provisioned. Let me know if that helps.

Post by BloodyIron »

Well, I'd prefer EAGER mode, but in the case of LAZY, how do you restrict by group or OU or something like that for who can log in and who can't? So far as I can tell, in either EAGER or LAZY mode all accounts created will have access or be provisioned.
[QUOTE user="15337Raunaq"]Well, you can use lazy mode, in which only those accounts which authenticate using the provided mechanism get provisioned. Let me know if that helps.[/QUOTE]

Post by BloodyIron »

I'm thinking this may do the trick:
[QUOTE]zmprov md domain.local zimbraAutoProvLdapSearchFilter "(&(objectCategory=mailgroup))"[/QUOTE]
Does this behave how I think it will? Make it so that only members of the "mailgroup" group will be provisioned?

Post by BloodyIron »

This is my latest attempt at the group filter:
[QUOTE]zmprov md domain.local zimbraAutoProvLdapSearchFilter "(memberOf=cn=mailtest,ou=Users,dc=domain,dc=local)"[/QUOTE]
mailtest is the group.
This filter does not seem to work.

Post by BloodyIron »

Okay, so I have some success.
First, I moved the group to the root of the domain; it was under the container (aka folder) "Users", the default one. Once I moved it, the following LDAP filter worked:
[QUOTE]zmprov md testmail.idocz.net zimbraAutoProvLdapSearchFilter "(memberOf=cn=mailtest,dc=domain,dc=local)"[/QUOTE]
I'm now trying to figure out how to get it to search all containers or something. I may have to use OUs or something.
Btw, this is a pretty good resource: Active Directory: LDAP Syntax Filters - TechNet Articles - United States (English) - TechNet Wiki
Oh, and btw, my Active Directory domain is running on a Samba4 installation on Ubuntu 13.04 with the package from the main repo (no compiling), if anyone was the slightest bit curious. Go OSS!
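The two filter attempts above (the one that did not match, and the one that worked once the group was moved to the domain root) come down to getting the group's real DN right and searching from a base that covers every container. In a default AD or Samba4 domain "Users" is a container (CN=Users), not an organizational unit, so a memberOf value of cn=mailtest,ou=Users,... names a DN that does not exist and matches nothing; the group's actual DN searched from the domain root finds members wherever they live. The following is an added example, not code from this thread or from Zimbra: it builds a properly escaped group-scoped filter (optionally through nested groups, and excluding disabled accounts), emits the zmprov lines for EAGER mode using Zimbra's documented zimbraAutoProv* attributes, and replays the filter's logic over a few constructed directory entries so the container-versus-OU mistake is visible offline. The domain domain.local, the group mailtest, the hosts dc1.domain.local and mail.domain.local, the bind DN and the sample entries are all assumptions.

```python
"""Scope Zimbra EAGER auto-provisioning to members of one AD group.

Added example; not code from the thread or from Zimbra. Constructed/assumed:
the domain 'domain.local', the group 'mailtest', the DC 'dc1.domain.local',
the mailbox server 'mail.domain.local' and the sample directory entries below.
"""
import shlex
from typing import Dict, List, Sequence

# RFC 4515: characters that must be hex-escaped inside a filter assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

# AD extensible-match rule OIDs.
RULE_IN_CHAIN = "1.2.840.113556.1.4.1941"   # transitive (nested) membership
RULE_BIT_AND = "1.2.840.113556.1.4.803"     # bitwise AND on integer attributes
ACCOUNTDISABLE = 2                           # userAccountControl flag


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def group_member_filter(group_dn: str, nested: bool = False) -> str:
    """Filter for enabled user objects that are members of group_dn.

    nested=True matches through nested groups via RULE_IN_CHAIN; real AD
    supports it, check that your Samba version does before relying on it.
    """
    member_attr = f"memberOf:{RULE_IN_CHAIN}:" if nested else "memberOf"
    return (
        "(&(objectClass=user)(objectCategory=person)"
        f"(!(userAccountControl:{RULE_BIT_AND}:={ACCOUNTDISABLE}))"
        f"({member_attr}={escape_filter_value(group_dn)}))"
    )


def zmprov_commands(domain: str, mailhost: str, ldap_url: str, bind_dn: str,
                    search_base: str, search_filter: str) -> List[str]:
    """zmprov lines that turn on EAGER auto-provisioning scoped by search_filter.

    Attribute names are Zimbra's documented zimbraAutoProv* attributes. The
    bind password is not embedded on purpose; set it in a separate step.
    """
    q = shlex.quote
    md = f"zmprov md {q(domain)}"
    return [
        f"{md} zimbraAutoProvMode EAGER",
        f"{md} zimbraAutoProvLdapURL {q(ldap_url)}",
        f"{md} zimbraAutoProvLdapStartTlsEnabled TRUE",
        f"{md} zimbraAutoProvLdapAdminBindDn {q(bind_dn)}",
        f"{md} zimbraAutoProvLdapSearchBase {q(search_base)}",
        f"{md} zimbraAutoProvLdapSearchFilter {q(search_filter)}",
        f"{md} zimbraAutoProvAccountNameMap sAMAccountName",
        f"{md} zimbraAutoProvAttrMap displayName=displayName "
        "zimbraAutoProvAttrMap givenName=givenName zimbraAutoProvAttrMap sn=sn",
        f"{md} zimbraAutoProvBatchSize 20",
        f"zmprov ms {q(mailhost)} zimbraAutoProvPollingInterval 1m",
        f"zmprov ms {q(mailhost)} +zimbraAutoProvScheduledDomains {q(domain)}",
    ]


# Constructed entries standing in for ldapsearch results from AD/Samba4.
# The default "Users" container is CN=Users (a container), not OU=Users.
GROUP_DN = "CN=mailtest,CN=Users,DC=domain,DC=local"
USER_CLASSES = ["top", "person", "user"]
ENTRIES: Sequence[Dict] = (
    {"dn": "CN=Alice,CN=Users,DC=domain,DC=local", "sAMAccountName": "alice",
     "objectClass": USER_CLASSES, "userAccountControl": 512, "memberOf": [GROUP_DN]},
    {"dn": "CN=Bob,OU=Staff,DC=domain,DC=local", "sAMAccountName": "bob",
     "objectClass": USER_CLASSES, "userAccountControl": 512,
     "memberOf": [GROUP_DN, "CN=vpn,OU=Staff,DC=domain,DC=local"]},
    {"dn": "CN=Carol,OU=Staff,DC=domain,DC=local", "sAMAccountName": "carol",
     "objectClass": USER_CLASSES, "userAccountControl": 512, "memberOf": []},
    {"dn": "CN=Dave,OU=Staff,DC=domain,DC=local", "sAMAccountName": "dave",
     "objectClass": USER_CLASSES, "userAccountControl": 514,  # 512 | ACCOUNTDISABLE
     "memberOf": [GROUP_DN]},
)


def dn_in_subtree(dn: str, base: str) -> bool:
    """Subtree scope: dn is base or sits below it (DN matching is case-insensitive)."""
    d, b = dn.lower(), base.lower()
    return d == b or d.endswith("," + b)


def select_accounts(entries: Sequence[Dict], group_dn: str, search_base: str) -> List[str]:
    """Offline stand-in for what group_member_filter() selects in a subtree search."""
    wanted = group_dn.lower()
    return [e["sAMAccountName"] for e in entries
            if dn_in_subtree(e["dn"], search_base)
            and "user" in e["objectClass"]
            and not e["userAccountControl"] & ACCOUNTDISABLE
            and wanted in (g.lower() for g in e["memberOf"])]


if __name__ == "__main__":
    for line in zmprov_commands("domain.local", "mail.domain.local",
                                "ldap://dc1.domain.local:389",
                                "CN=zimbra-svc,CN=Users,DC=domain,DC=local",
                                "DC=domain,DC=local", group_member_filter(GROUP_DN)):
        print(line)
    # A non-existent OU=Users in the group DN matches nobody; the real DN,
    # searched from the domain root, finds members in every container and OU.
    print(select_accounts(ENTRIES, "CN=mailtest,OU=Users,DC=domain,DC=local", "DC=domain,DC=local"))
    print(select_accounts(ENTRIES, GROUP_DN, "DC=domain,DC=local"))
```

Two practical checks before pointing Zimbra at the result: run the same filter with ldapsearch against the DC under the service account's credentials and confirm the expected users come back, and remember that auto-provisioning only creates accounts, so dropping someone from the group stops new provisioning but does not touch an existing mailbox; the userAccountControl clause keeps disabled AD accounts from being provisioned in the first place.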

Post by BloodyIron »

Okay, so to add some more detail: after setting up auto-provisioning I realized it was not also authenticating against the domain. I set that up, and the details are actually self-explanatory: just point it to the IP, give it a login/password, yadda yadda. It was very surprising how easy it was.
Now the user authenticates against the domain. If I disable the user on the domain, they cannot log in. The error at login is the "bad password" equivalent, but the log shows NT_STATUS_ACCOUNT_DISABLED, so if I need to search logs I can check user vs. result ezpz. Re-enabling lets them back in as expected.
The only thing that is curious is that when I remove a user from the group, they can still log in, and their mailbox isn't deleted. I'm not sure which behavior I want in this scenario, though. It seems deleting a mailbox because you were removed from a group is a harsh mistress.
Additionally, the LDAP filter in the logs keeps finding the same member of the group, but does not _appear_ to be creating the account infinitely. I created a mailbox folder, and the data didn't seem to get wiped, but it is concerning regarding unforeseen complications.
All in all, solid.

Post by BloodyIron »

Argh, auto-provisioning isn't happening after reboot.
Disregard; it took about 10 minutes before auto-provisioning started, and it is now happening at the period I set (1 minute).