Zimbra auto-provisioning

tim
Posts: 4
Joined: Wed Feb 20, 2019 2:27 pm

Zimbra auto-provisioning

Post by tim »

Hello.

As an example, for customization I used this article:
https://wiki.zimbra.com/wiki/How_to_con ... ng_with_AD

Now there are two questions.
1. Is it possible to change the "zimbraAutoProvLdapSearchBase" parameter?
I.e., after creating mail accounts for users in AD OU-1 ("CN=HOME_Users-1,dc=home,dc=local"), create mailboxes for users in AD OU-2 ("CN=HOME_Users-2,dc=home,dc=local")?
2. The script tracks the emergence of new users in the OU and automatically creates mailboxes for them. Is it possible to track the removal of users from AD, so that the mailboxes created for them are automatically deleted?

Thanks.
Jordack
Posts: 34
Joined: Sat Sep 13, 2014 2:15 am

Re: Zimbra auto-provisioning

Post by Jordack »

1) You might be able to set your base to dc=home,dc=local and create a search filter to better limit your users. I’m a big fan of managing everything using AD groups, so my base is pretty close to the root but no one gets an account unless they are members of the group.

The base OU just helps limit how much walking LDAP has to do, thus reducing memory requirements. The true filtering power comes from your filter.

2) Doubt it; not sure many people would want it to automatically delete accounts anyway.
I doubt the script really tracks anything. My guess would be that each time it runs, if it finds a user in AD it checks if there is an account already, and if not, creates it.
tim
Posts: 4
Joined: Wed Feb 20, 2019 2:27 pm

Re: Zimbra auto-provisioning

Post by tim »

Jordack wrote: 1) You might be able to set your base to dc=home,dc=local and create a search filter to better limit your users. I’m a big fan of managing everything using AD groups, so my base is pretty close to the root but no one gets an account unless they are members of the group.

The base OU just helps limit how much walking LDAP has to do, thus reducing memory requirements. The true filtering power comes from your filter.

2) Doubt it; not sure many people would want it to automatically delete accounts anyway.
I doubt the script really tracks anything. My guess would be that each time it runs, if it finds a user in AD it checks if there is an account already, and if not, creates it.

Hello Jordack! Thanks for the answer.
If you propose to put all domain users in one OU, then the issue with import to Zimbra will certainly be solved, but many others will appear. For example, how to deal with policies for different AD groups, etc.?
Unfortunately, I apparently did not understand you.

Thanks.
Jordack
Posts: 34
Joined: Sat Sep 13, 2014 2:15 am

Re: Zimbra auto-provisioning

Post by Jordack »

They do not have to be in the same OU; mine are not. If you use dc=home,dc=local, LDAP uses that as a starting point to start searching for users. It will walk your entire structure from the base down.

You use the filter to select what accounts you really want added.

There is nothing special Zimbra does; it’s basic LDAP.

I generally do not browse the forums while in front of any of my systems. Otherwise I would give some examples. I would do some research on AD LDAP filtering based on group membership.
Jordack
Posts: 34
Joined: Sat Sep 13, 2014 2:15 am

Re: Zimbra auto-provisioning

Post by Jordack »

(Wife told me to get off the PS4, so I jumped on the computer)

Here are my Auto Provisioning settings

zimbraAutoProvAccountNameMap: samAccountName
zimbraAutoProvAttrMap: description=description
zimbraAutoProvAttrMap: displayName=displayName
zimbraAutoProvAttrMap: givenName=givenName
zimbraAutoProvAttrMap: cn=cn
zimbraAutoProvAttrMap: sn=sn
zimbraAutoProvAuthMech: LDAP
zimbraAutoProvBatchSize: 160
zimbraAutoProvLdapAdminBindDn: svc-ldapsearch@network.domain.org
zimbraAutoProvLdapAdminBindPassword: Long@ssRandomStringofCrap
zimbraAutoProvLdapBindDn: %u@network.domain.org
zimbraAutoProvLdapSearchBase: OU=MyUsers,DC=network,DC=domain,DC=org
zimbraAutoProvLdapSearchFilter: (&(sAMAccountName=%u)(memberOf=CN=Application Users - Zimbra,OU=Software Access,OU=Groups,OU=MyUsers,DC=network,DC=domain,DC=org))
zimbraAutoProvLdapURL: ldaps://dc01.network.domain.org:3269
zimbraAutoProvMode: LAZY
zimbraAutoProvNotificationBody: Your account has been auto provisioned. Your email address is ${ACCOUNT_ADDRESS}.
zimbraAutoProvNotificationFromAddress: support@domain.org
zimbraAutoProvNotificationSubject: New account provisioned

As long as the user is somewhere under OU=MyUsers,DC=network,DC=domain,DC=org and is a memberOf "Application Users - Zimbra", the account will get created upon logon. I went with LAZY provisioning because I often get asked to create accounts for people that will never log in; no need to eat up a license.
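As an added example (not Jordack's code and not part of Zimbra), here is a small Python model of how the search base and search filter above work together: the base only bounds the subtree that gets walked, while the filter (with %u replaced by the login name) decides who actually gets a mailbox. The directory entries, the group DNs and the "svc-backup" account are constructed for the demo.

```python
# Constructed sample AD data for the demo. LDAP attribute names are case-insensitive,
# so every attribute key is stored lowercased; values are kept as lists (multi-valued).
ZIMBRA_GROUP = ("CN=Application Users - Zimbra,OU=Software Access,OU=Groups,"
                "OU=MyUsers,DC=network,DC=domain,DC=org")
VPN_GROUP = "CN=VPN Users,OU=Groups,OU=MyUsers,DC=network,DC=domain,DC=org"
DIRECTORY = [
    {"dn": "CN=Alice,OU=Staff,OU=MyUsers,DC=network,DC=domain,DC=org",
     "samaccountname": ["alice"], "memberof": [ZIMBRA_GROUP, VPN_GROUP]},
    {"dn": "CN=Bob,OU=Contractors,OU=MyUsers,DC=network,DC=domain,DC=org",
     "samaccountname": ["bob"], "memberof": [VPN_GROUP]},           # under base, not in group
    {"dn": "CN=svc-backup,OU=Service Accounts,DC=network,DC=domain,DC=org",
     "samaccountname": ["svc-backup"], "memberof": [ZIMBRA_GROUP]},  # in group, outside base
]
SEARCH_BASE = "OU=MyUsers,DC=network,DC=domain,DC=org"
SEARCH_FILTER = "(&(sAMAccountName=%u)(memberOf=" + ZIMBRA_GROUP + "))"


def parse(s, i=0):
    """Parse one parenthesised RFC 4515 filter element at s[i]; return (node, next_index).
    Handles &, |, ! and attr=value; values containing ')' would need RFC 4515 escaping."""
    assert s[i] == "(", "filter element must start with '('"
    i += 1
    if s[i] in "&|":
        op, kids, i = s[i], [], i + 1
        while s[i] == "(":
            node, i = parse(s, i)
            kids.append(node)
        return (op, kids), i + 1            # skip the closing ')'
    if s[i] == "!":
        node, i = parse(s, i + 1)
        return ("!", [node]), i + 1
    end = s.index(")", i)
    attr, _, value = s[i:end].partition("=")  # first '=' splits attr from value (DN values keep theirs)
    return ("=", (attr.lower(), value)), end + 1


def matches(node, entry):
    """Evaluate a parsed filter against one entry; AD compares these values case-insensitively."""
    kind, body = node
    if kind == "&": return all(matches(k, entry) for k in body)
    if kind == "|": return any(matches(k, entry) for k in body)
    if kind == "!": return not matches(body[0], entry)
    attr, value = body
    return any(v.lower() == value.lower() for v in entry.get(attr, []))


def in_subtree(dn, base):
    """Subtree scope: the entry is the base itself or sits anywhere beneath it."""
    dn, base = dn.lower(), base.lower()
    return dn == base or dn.endswith("," + base)


def auto_prov_candidates(login_name, directory=DIRECTORY, base=SEARCH_BASE, filt=SEARCH_FILTER):
    """sAMAccountNames that pass both the base walk and the filter for this login (LAZY mode
    substitutes the login into %u, so at most one entry should come back)."""
    tree = parse(filt.replace("%u", login_name))[0]
    return [e["samaccountname"][0] for e in directory
            if in_subtree(e["dn"], base) and matches(tree, e)]
```

Widening the base to DC=network,DC=domain,DC=org makes the out-of-tree service account eligible, which is exactly why the group clause in the filter, not the base, should carry the access decision.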