Integrate With Active Directory

Discuss your pilot or production implementation with other Zimbra admins or our engineers.
danielb
Posts: 35
Joined: Mon Jul 15, 2019 6:08 pm

Re: Integrate With Active Directory

Post by danielb »

zimico wrote: Because I configure AD authentication, when an account is disabled in AD, the end user cannot log in to Zimbra using this account. Do you think it would be useful if we could also sync the account status from AD to Zimbra?
It's probably something that'd make sense. I'd need to find some time to think about it and implement it in a generic way (as it should not only work with the AD schema).
zimico wrote: zmldapsync only creates distribution list members when the group type in AD is distribution and not security. I think it's better if in the configuration file we have an additional option to allow syncing and creating members for security groups also.
It should sync security groups, as long as they match the configured group filters. I do not use distribution groups in my samba4 domain, and security groups are mapped to Zimbra distribution lists correctly.

Regards,
Daniel
danielb

Re: Integrate With Active Directory

Post by danielb »

As for the terminal hang, I noticed the issue too; it is provoked by the zmprov command. I used to work around it by running the tset command at the end of the script, but it interacts badly when running in a systemd unit (sometimes the script wouldn't finish, blocking the unit in a running state).
danielb

Re: Integrate With Active Directory

Post by danielb »

In order to disable Zimbra users when you lock them in AD, you should be able to just set your user filter to something like

(&(objectCategory=person)(objectClass=user)(!userAccountControl:1.2.840.113556.1.4.803:=2))
(combine it with any other group membership or other criteria). With this, once users are locked in AD, they should fall out of the search results from zmldapsync, and they should have their Zimbra account locked accordingly.
zimico
Outstanding Member
Posts: 225
Joined: Mon Nov 14, 2016 8:03 am
Location: Vietnam
ZCS/ZD Version: 8.8.15 P3

Re: Integrate With Active Directory

Post by zimico »

Hello,
Thanks for your advice. I confirm that the script runs well with both security and distribution groups in AD.
I used your search filter with the ldapsearch command and got a bad search filter error.

[zimbra@mail scripts]$ ldapsearch -x -h dc.zimilab.com:389 -D zimbra -w123456 -b "OU=Technical,DC=zimilab,DC=com" '(&(objectCategory=person)(objectClass=user)(!userAccountControl:1.2.840.113556.1.4.803:=2))'
# extended LDIF
#
# LDAPv3
# base <OU=Technical,DC=zimilab,DC=com> with scope subtree
# filter: (&(objectCategory=person)(objectClass=user)(!userAccountControl:1.2.840.113556.1.4.803:=2))
# requesting: ALL
#

ldap_search_ext: Bad search filter (-7)
So I adjusted it and the result is OK.

[zimbra@mail scripts]$ ldapsearch -x -h dc.zimilab.com:389 -D zimbra -w123456 -b "OU=Technical,DC=zimilab,DC=com" '(&(objectCategory=person)(objectClass=user)(!(useraccountcontrol:1.2.840.113556.1.4.803:=2)))'
# extended LDIF
#
# LDAPv3
# base <OU=Technical,DC=zimilab,DC=com> with scope subtree
# filter: (&(objectCategory=person)(objectClass=user)(!(useraccountcontrol:1.2.840.113556.1.4.803:=2)))
# requesting: ALL
#

# Minh Hoang, Technical, zimilab.com
dn: CN=Minh Hoang,OU=Technical,DC=zimilab,DC=com
...
Minh.
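The two ldapsearch runs above differ only in how the negation is written, which is exactly what RFC 4515 requires: the operand of "!" must itself be a parenthesised filter, so "(!attr...)" is a syntax error while "(!(attr...))" is fine. The following added example (not code from zmldapsync or from anyone in this thread) is a small filter parser and evaluator that rejects the first form the way ldapsearch does, and evaluates the corrected filter, including the userAccountControl bitwise-AND matching rule, against constructed AD-style entries: an enabled user, a disabled user (bit 0x2 set) and a computer object. The entries and DNs are constructed; the matching-rule OID is the real Active Directory one.

```python
"""Minimal LDAP search-filter parser and evaluator (RFC 4515 subset).

Added example, not part of zmldapsync. Parses the two filters from the
thread, shows why the first is rejected ("!" needs a parenthesised operand)
and evaluates the corrected one against constructed AD entries.
"""
import re

# Real AD matching-rule OID for a bitwise AND on integer attributes.
BITWISE_AND_OID = "1.2.840.113556.1.4.803"
ACCOUNTDISABLE = 0x2  # userAccountControl bit meaning "account disabled"

# Filter from the thread that ldapsearch rejects: the operand of "!" is bare.
BROKEN_FILTER = ("(&(objectCategory=person)(objectClass=user)"
                 "(!userAccountControl:1.2.840.113556.1.4.803:=2))")
# Corrected filter: "!" wraps its operand in its own parentheses.
GOOD_FILTER = ("(&(objectCategory=person)(objectClass=user)"
               "(!(useraccountcontrol:1.2.840.113556.1.4.803:=2)))")

# Constructed entries (attribute names lower-cased, values as strings). AD stores
# objectCategory as a DN but accepts the short class name in filters, used here.
SAMPLE_ENTRIES = {
    "CN=Alice,OU=Technical,DC=example,DC=com": {        # normal enabled user
        "objectcategory": ["person"], "objectclass": ["top", "person", "user"],
        "useraccountcontrol": ["512"], "samaccountname": ["alice"]},
    "CN=Bob,OU=Technical,DC=example,DC=com": {          # disabled: 512 | 2
        "objectcategory": ["person"], "objectclass": ["top", "person", "user"],
        "useraccountcontrol": ["514"], "samaccountname": ["bob"]},
    "CN=SRV01,OU=Technical,DC=example,DC=com": {        # computer account
        "objectcategory": ["computer"], "objectclass": ["top", "user", "computer"],
        "useraccountcontrol": ["4096"], "samaccountname": ["SRV01$"]},
}

# attr, optional ":rule:" and value; e.g. userAccountControl:1.2.840.113556.1.4.803:=2
ITEM_RE = re.compile(r"^([A-Za-z][A-Za-z0-9.-]*)(?::([A-Za-z0-9.]+):)?=(.*)$")


class FilterError(ValueError):
    """Raised for malformed filters, like ldapsearch's 'Bad search filter'."""


def parse_filter(text):
    """Return a tree of ('&'|'|'|'!', [children]) or ('item', (attr, rule, value))."""
    node, pos = _parse(text, 0)
    if pos != len(text):
        raise FilterError("trailing characters at offset %d" % pos)
    return node


def _parse(s, i):
    if i >= len(s) or s[i] != "(":
        raise FilterError("expected '(' at offset %d" % i)
    i += 1
    if i >= len(s):
        raise FilterError("unexpected end of filter")
    op = s[i]
    if op in "&|!":
        i += 1
        children = []
        while i < len(s) and s[i] == "(":
            child, i = _parse(s, i)
            children.append(child)
        # RFC 4515: "!" takes exactly one parenthesised filter, "&"/"|" one or more
        if not children or (op == "!" and len(children) != 1):
            raise FilterError("bad operand list for '%s' at offset %d" % (op, i))
        if i >= len(s) or s[i] != ")":
            raise FilterError("expected ')' at offset %d" % i)
        return (op, children), i + 1
    end = s.find(")", i)  # values containing ')' must be escaped as \29 (not handled)
    if end == -1:
        raise FilterError("missing ')' for item at offset %d" % i)
    m = ITEM_RE.match(s[i:end])
    if not m:
        raise FilterError("malformed item %r" % s[i:end])
    attr, rule, value = m.groups()
    return ("item", (attr.lower(), rule, value)), end + 1


def filter_is_valid(text):
    """True if the filter parses; False for the kind ldapsearch rejects."""
    try:
        parse_filter(text)
        return True
    except FilterError:
        return False


def evaluate(node, entry):
    """Evaluate a parsed filter against one entry (dict attr -> list of values)."""
    op, args = node
    if op == "&":
        return all(evaluate(c, entry) for c in args)
    if op == "|":
        return any(evaluate(c, entry) for c in args)
    if op == "!":
        return not evaluate(args[0], entry)
    attr, rule, value = args
    values = entry.get(attr, [])
    if rule is None:
        if value == "*":                      # presence filter
            return bool(values)
        return any(v.lower() == value.lower() for v in values)
    if rule == BITWISE_AND_OID:               # every bit of the mask must be set
        mask = int(value)
        return any(int(v) & mask == mask for v in values)
    raise FilterError("unsupported matching rule %s" % rule)


def active_users(filter_text, entries=SAMPLE_ENTRIES):
    """DNs of entries matching the filter, i.e. what zmldapsync would keep."""
    node = parse_filter(filter_text)
    return sorted(dn for dn, attrs in entries.items() if evaluate(node, attrs))


if __name__ == "__main__":
    print("broken filter valid:", filter_is_valid(BROKEN_FILTER))
    print("active users:", active_users(GOOD_FILTER))
```

Run it as-is to see the broken filter rejected and only Alice returned; any user that falls out of this result set is one zmldapsync would lock, so checking the filter this way before enabling the sync avoids locking everyone because of a typo in the filter.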
zimico

Re: Integrate With Active Directory

Post by zimico »

Dear Danielb,
Did you test the scenario where an account in Zimbra is locked and the account in AD is enabled/active? I tested and see that our script does not unlock the account in Zimbra after we enable this account in AD. However, the script re-adds the account into the Zimbra distribution list.
My full zmldapsync.yml is:

[zimbra@mail scripts]$ cat zmldapsync.yml
---

# General settings, which affect all domains you sync
general:
  notify:
    from: admin@zimilab.com
    to: admin@zimilab.com

# Now, define the list of domains to sync
# and for each of them, the settings. See README.md for examples

domains:
  zimilab.com:
    ldap:
      # List of LDAP servers to try (in order)
      servers:
        - ldap://dc.zimilab.com:389
      # Use starttls. Do NOT set this if using ldaps:// URI
      start_tls: False
      # Optional bind DN and bind password for searches. Create a user named zimbra in AD first as read only account.
      bind_dn: CN=zimbra,CN=Users,DC=zimilab,DC=com
      bind_pass: '123456'
      # the schema used. Can be ad, rfc2307, rfc2307bis or simply ldap.
      # ad, rfc2307 and rfc2307bis provides default values for attribute mapping. ldap is when you want
      # a total control, and you'll have to configure the mapping yourself
      schema: ad
    users:
      # Base DN where to look for users
      base: OU=Technical,DC=zimilab,DC=com
      # Filter to look for users
      #filter: '(&(objectClass=user)(memberof:1.2.840.113556.1.4.1941:=CN=Role_Mail,OU=Technical,DC=zimilab,DC=com)(mail=*))'
      filter: '(&(objectCategory=person)(objectClass=user)(!(useraccountcontrol:1.2.840.113556.1.4.803:=2)))'
      # The attribute which uniquely identifies a user. Usually either uid or sAMAccountName
      # This attribute will be used as the user name in Zimbra (with the domain appended)
      key: sAMAccountName
      # The attribute for the main email address
      mail_attr: mail
      # The attribute for email aliases
      alias_attr: otherMailbox
      # A dict of attributes to map from external LDAP to Zimbra.
      # The format is ext_attr: zimbra_attr
      attr_map:
        displayName: displayName
        description: description
        cn: cn
        sn: sn
        givenName: givenName
        telephoneNumber: telephoneNumber
        homePhone: homePhone
        mobile: mobile
        streetAddress: street
        l: l
        st: st
        co: co
        title: title
        company: company
    groups:
      # The base DN where to look for groups
      base: OU=Technical,DC=zimilab,DC=com
      # An optional filter to apply to group searches
      filter: (objectClass=group)
      # The attribute which uniquely identifies a group. Usually cn
      # This attribute will be used as the distribution list name in Zimbra (with the domain appended)
      key: cn
      # The attribute which lists the group members
      members_attr: member
      # Are the members listed as full DN, or simply usernames (like memberUid with posixGroups)
      members_as_dn: True
      # The attribute for the main email address
      mail_attr: mail
      # The attribute for email aliases
      alias_attr: null
      # A dict of attributes to map from external LDAP to Zimbra.
      # The format is ext_attr: zimbra_attr
      attr_map:
        displayName: displayName
        description: description
    zimbra:
      # Should zmldapsync create the domain if missing ?
      create_if_missing: False
      # If the domain exists in Zimbra but is not configured
      # for external auth (either LDAP or AD), should this script configure it ?
      setup_ldap_auth: True
      # If defined, domain aliases will be added to / removed from Zimbra according to this list
      #domain_aliases:
      #  - mail.corp2.com
      #  - corp4.net
      # A list of attr which will be set using zmprov modifyDomain. The key is the Zimbra attr in LDAP, as you can get/set with zmprov
      additional_domain_attrs:
        zimbraVirtualHostname:
          - mail.zimilab.com
        zimbraPublicServicePort: 443
        zimbraPublicServiceProtocol: https
        zimbraPublicServiceHostname: mail.zimilab.com

Regards,
Minh.
danielb

Re: Integrate With Active Directory

Post by danielb »

Just pushed a new commit to enable this : https://git.lapiole.org/dani/zimbra/com ... d3d9f9474e
Now if a user is locked in Zimbra but active in LDAP (= matching the search filter), then it'll be enabled in Zimbra by zmldapsync. Note that the account will only be set to active if it was locked (the state won't change if it's manually set to maintenance or closed status).
I've also updated the default filter for AD to exclude locked users.
zimico

Re: Integrate With Active Directory

Post by zimico »

You are wonderful Danielb!
Could you please let me know how to create/modify Zimbra accounts with a specific COS? In fact I want to sync, for example, OU1 accounts to COS1 and OU2 accounts to COS2. However, I think we can use a filter and specify the Zimbra COS ID when running the script. Then we can rerun the script with different filters and the corresponding COS.
Regards,
Minh.
danielb

Re: Integrate With Active Directory

Post by danielb »

Mmmhh, this is not handled at the moment. The only way to achieve it is to map the cos in an existing attr in LDAP:
  • Retrieve the ID of the cos you want with

    zmprov gc my_cos zimbraId
  • Set this cos UUID in an LDAP single valued attr you do not use otherwise (eg employeeType)
  • Configure this in the attr mapping like

  users:
      base: OU=People,DC=corp3,DC=net
      filter: '(&(objectClass=user)(!(useraccountcontrol:1.2.840.113556.1.4.803:=2))(memberOf:1.2.840.113556.1.4.1941:=CN=Role_Mail,OU=Roles,DC=corp3,DC=net)(mail=*))'
      key: sAMAccountName
      mail_attr: mail
      alias_attr: otherMailbox
      attr_map:
        displayName: displayName
        description: description
        employeeType: zimbraCOSId
But you need to be sure every user has employeeType defined (otherwise, zmldapsync will delete the cos of the users).
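The caveat above is worth checking before the sync runs, because a missing or mistyped value in the mapped attribute silently changes a user's class of service. The following added example (not part of zmldapsync, and not code from anyone in this thread) takes the attr_map from the configuration, finds the LDAP attribute mapped onto zimbraCOSId, and reports every user whose value is absent (the sync would clear the COS), is not a UUID at all, or names a COS id that does not exist in Zimbra. The attr_map is embedded as a dict (in practice you would load zmldapsync.yml with a YAML parser), and the user entries and COS ids are constructed; the real ids come from `zmprov gc <cos> zimbraId` as the post describes.

```python
"""Pre-check for mapping an AD attribute onto zimbraCOSId.

Added example, not part of zmldapsync. Lists users the sync would mis-handle
when attr_map contains `employeeType: zimbraCOSId`.
"""
import re

# Canonical 8-4-4-4-12 hex form of a Zimbra object id.
UUID_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)

# attr_map as it appears in zmldapsync.yml (load the YAML file in practice).
ATTR_MAP = {"displayName": "displayName", "description": "description",
            "employeeType": "zimbraCOSId"}

# Constructed COS ids, standing in for the output of `zmprov gc <cos> zimbraId`.
KNOWN_COS_IDS = {"0a1b2c3d-0000-4000-8000-00000000c051",   # e.g. a "staff" COS
                 "0a1b2c3d-0000-4000-8000-00000000c052"}   # e.g. a "contractor" COS

# Constructed user entries as the user search would return them.
SAMPLE_USERS = [
    {"sAMAccountName": "alice", "employeeType": "0a1b2c3d-0000-4000-8000-00000000c051"},
    {"sAMAccountName": "bob"},                                   # attribute missing
    {"sAMAccountName": "carol", "employeeType": "Contractor"},   # free text, not an id
    {"sAMAccountName": "dave", "employeeType": "11111111-2222-3333-4444-555555555555"},
]


def cos_source_attr(attr_map):
    """Return the LDAP attribute mapped onto zimbraCOSId, or None if not mapped."""
    for ext_attr, zimbra_attr in attr_map.items():
        if zimbra_attr == "zimbraCOSId":
            return ext_attr
    return None


def check_cos_mapping(users, attr_map=ATTR_MAP, known_cos_ids=KNOWN_COS_IDS):
    """Return (sAMAccountName, reason) pairs for users whose COS value is unusable."""
    attr = cos_source_attr(attr_map)
    if attr is None:            # nothing mapped onto the COS, nothing to check
        return []
    known = {cos_id.lower() for cos_id in known_cos_ids}
    problems = []
    for user in users:
        name = user.get("sAMAccountName", "?")
        value = (user.get(attr) or "").strip()
        if not value:
            problems.append((name, "%s missing: sync would clear the COS" % attr))
        elif not UUID_RE.match(value):
            problems.append((name, "%s is not a COS UUID: %r" % (attr, value)))
        elif value.lower() not in known:
            problems.append((name, "no COS with id %s" % value))
    return problems


if __name__ == "__main__":
    for name, reason in check_cos_mapping(SAMPLE_USERS):
        print("%-8s %s" % (name, reason))
```

Running this over the real user search results before the first sync turns the "otherwise zmldapsync will delete the cos" caveat into an explicit list of accounts to fix in AD first.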
zimico

Re: Integrate With Active Directory

Post by zimico »

Thanks, Danielb, for your advice. I confirm that now we can map an AD attr (employeeType) to a Zimbra COS.
I very much appreciate your contribution and help with a very nice solution, which I have been looking for for a long time since I learned about the Zimbra auto-provisioning function. I hope that you continue to improve it or add more features in the future.
My warmest regards,
Minh.
zimico

Re: Integrate With Active Directory

Post by zimico »

Dear Danielb,

In case we only want to use your script to sync the distribution lists between AD and Zimbra (we don't want to sync accounts automatically and will do it manually), which modifications do we have to make?

Regards,
Minh.