Dear Danielb,
Did you test the scenario where the account in Zimbra is locked and the account in AD is enabled/active? I tested it and saw that our script does not unlock the account in Zimbra after we enable this account in AD. However, the script re-adds the account to the Zimbra distribution list.
My full zmldapsync.yml is:
[zimbra@mail scripts]$ cat zmldapsync.yml
---
# General settings, which affect all domains you sync
general:
  notify:
    from: admin@zimilab.com
    to: admin@zimilab.com
# Now, define the list of domains to sync
# and for each of them, the settings. See README.md for examples
domains:
  zimilab.com:
    ldap:
      # List of LDAP servers to try (in order)
      servers:
        - ldap://dc.zimilab.com:389
      # Use starttls. Do NOT set this if using ldaps:// URI
      start_tls: False
      # Optional bind DN and bind password for searches. Create a user named zimbra in AD first as a read-only account.
      bind_dn: CN=zimbra,CN=Users,DC=zimilab,DC=com
      bind_pass: '123456'
      # The schema used. Can be ad, rfc2307, rfc2307bis or simply ldap.
      # ad, rfc2307 and rfc2307bis provide default values for attribute mapping. ldap is when you want
      # total control, and you'll have to configure the mapping yourself
      schema: ad
      users:
        # Base DN where to look for users
        base: OU=Technical,DC=zimilab,DC=com
        # Filter to look for users
        #filter: '(&(objectClass=user)(memberof:1.2.840.113556.1.4.1941:=CN=Role_Mail,OU=Technical,DC=zimilab,DC=com)(mail=*))'
        filter: '(&(objectCategory=person)(objectClass=user)(!(useraccountcontrol:1.2.840.113556.1.4.803:=2)))'
        # The attribute which uniquely identifies a user. Usually either uid or sAMAccountName
        # This attribute will be used as the user name in Zimbra (with the domain appended)
        key: sAMAccountName
        # The attribute for the main email address
        mail_attr: mail
        # The attribute for email aliases
        alias_attr: otherMailbox
        # A dict of attributes to map from external LDAP to Zimbra.
        # The format is ext_attr: zimbra_attr
        attr_map:
          displayName: displayName
          description: description
          cn: cn
          sn: sn
          givenName: givenName
          telephoneNumber: telephoneNumber
          homePhone: homePhone
          mobile: mobile
          streetAddress: street
          l: l
          st: st
          co: co
          title: title
          company: company
      groups:
        # The base DN where to look for groups
        base: OU=Technical,DC=zimilab,DC=com
        # An optional filter to apply to group searches
        filter: (objectClass=group)
        # The attribute which uniquely identifies a group. Usually cn
        # This attribute will be used as the distribution list name in Zimbra (with the domain appended)
        key: cn
        # The attribute which lists the group members
        members_attr: member
        # Are the members listed as full DN, or simply usernames (like memberUid with posixGroups)
        members_as_dn: True
        # The attribute for the main email address
        mail_attr: mail
        # The attribute for email aliases
        alias_attr: null
        # A dict of attributes to map from external LDAP to Zimbra.
        # The format is ext_attr: zimbra_attr
        attr_map:
          displayName: displayName
          description: description
    zimbra:
      # Should zmldapsync create the domain if missing?
      create_if_missing: False
      # If the domain exists in Zimbra but is not configured
      # for external auth (either LDAP or AD), should this script configure it?
      setup_ldap_auth: True
      # If defined, domain aliases will be added to / removed from Zimbra according to this list
      #domain_aliases:
      #  - mail.corp2.com
      #  - corp4.net
      # A list of attrs which will be set using zmprov modifyDomain. The key is the Zimbra attr in LDAP, as you can get/set with zmprov
      additional_domain_attrs:
        zimbraVirtualHostname:
          - mail.zimilab.com
        zimbraPublicServicePort: 443
        zimbraPublicServiceProtocol: https
        zimbraPublicServiceHostname: mail.zimilab.com
Regards,
Minh.
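As an added example (not from the post above or from the zmldapsync project), the following Python reproduces the userAccountControl test behind the post's user filter and reconciles the AD result against Zimbra account status, so an admin can list accounts that AD reports as enabled but that Zimbra still holds as locked. The AD entries and Zimbra status map are constructed sample data; the objectCategory comparison is simplified to the class name that AD resolves on the server side.

```python
# userAccountControl flag that the (useraccountcontrol:1.2.840.113556.1.4.803:=2)
# clause tests. 803 is the LDAP_MATCHING_RULE_BIT_AND rule, so the clause is true
# when the ACCOUNTDISABLE bit is set, and the surrounding (!...) excludes those users.
ACCOUNTDISABLE = 0x2

# Constructed sample AD entries (hypothetical users, not real directory data).
# 512 = NORMAL_ACCOUNT, 514 = NORMAL_ACCOUNT | ACCOUNTDISABLE,
# 66048 = NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD.
AD_USERS = [
    {"sAMAccountName": "alice", "objectCategory": "person",
     "objectClass": ["top", "person", "organizationalPerson", "user"],
     "userAccountControl": 512},
    {"sAMAccountName": "bob", "objectCategory": "person",
     "objectClass": ["top", "person", "organizationalPerson", "user"],
     "userAccountControl": 514},
    {"sAMAccountName": "carol", "objectCategory": "person",
     "objectClass": ["top", "person", "organizationalPerson", "user"],
     "userAccountControl": 66048},
    {"sAMAccountName": "svc-backup", "objectCategory": "computer",
     "objectClass": ["top", "computer"], "userAccountControl": 4096},
]

# Constructed zimbraAccountStatus values as an admin might collect them with
# zmprov (carol was re-enabled in AD but never unlocked on the Zimbra side).
ZIMBRA_STATUS = {
    "alice@zimilab.com": "active",
    "bob@zimilab.com": "locked",
    "carol@zimilab.com": "locked",
}


def matches_sync_filter(entry: dict) -> bool:
    """Python equivalent of
    (&(objectCategory=person)(objectClass=user)(!(useraccountcontrol:1.2.840.113556.1.4.803:=2)))."""
    return (entry.get("objectCategory") == "person"
            and "user" in entry.get("objectClass", [])
            and not (entry.get("userAccountControl", 0) & ACCOUNTDISABLE))


def ad_enabled_but_zimbra_locked(ad_users: list, zimbra_status: dict, domain: str) -> list:
    """Accounts the sync filter would pick up (enabled in AD) whose Zimbra
    status is still 'locked'; these need a manual unlock after re-enabling in AD."""
    stale = []
    for user in ad_users:
        if not matches_sync_filter(user):
            continue
        address = f"{user['sAMAccountName']}@{domain}"
        if zimbra_status.get(address) == "locked":
            stale.append(address)
    return sorted(stale)


if __name__ == "__main__":
    print(ad_enabled_but_zimbra_locked(AD_USERS, ZIMBRA_STATUS, "zimilab.com"))
```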