Auto provisioning with Active Directory not working

ragesh
Posts: 4
Joined: Tue Feb 26, 2019 3:53 am

Auto provisioning with Active Directory not working

Post by ragesh »

Hi. I had enabled auto provisioning against our Active Directory and it was working fine in LAZY mode. The script was placed in the /tmp directory as per the Zimbra documentation ( https://wiki.zimbra.com/wiki/How_to_con ... ng_with_AD ), but as it was in /tmp it got deleted after a month. I tried to recreate the script and it is not working. I verified the script against one of the backups I had and it looks fine. As we have almost 6000 AD users now, I suspect the LDAP query may be causing the issue. I increased the LDAP session count on AD to 10000, still no luck. Can anyone help with where I am going wrong? I need to have it in LAZY mode as I just need to create the user in AD.

Please see my script and help.

md xxxx.com zimbraAutoProvMode LAZY
md xxxx.com zimbraAutoProvAccountNameMap "samAccountName"
md xxxx.com +zimbraAutoProvAttrMap description=description
md xxxx.com +zimbraAutoProvAttrMap displayName=displayName
md xxxx.com +zimbraAutoProvAttrMap givenName=givenName
md xxxx.com +zimbraAutoProvAttrMap cn=cn
md xxxx.com +zimbraAutoProvAttrMap sn=sn
md xxxx.com zimbraAutoProvAuthMech LDAP
md xxxx.com zimbraAutoProvBatchSize 40
md xxxx.com zimbraAutoProvLdapAdminBindDn "CN=zimbraldap,OU=GLOBAL,DC=xxxx,DC=com"
md xxxx.com zimbraAutoProvLdapAdminBindPassword "password"
md xxxx.com zimbraAutoProvLdapBindDn "zimbraldap@xxxx.com"
md xxxx.com zimbraAutoProvLdapSearchBase "dc=xxxx,dc=com"
md xxxx.com zimbraAutoProvLdapSearchFilter "(cn=%u)"
md xxxx.com zimbraAutoProvLdapURL "ldap://192.168.xx.xxx:389"
md xxxx.com zimbraAutoProvNotificationBody "Your account has been auto provisioned. Your email address is ${ACCOUNT_ADDRESS}. Password will be same as your windows password"
md xxxx.com zimbraAutoProvNotificationFromAddress prov-admin@xxxx.com
md xxxx.com zimbraAutoProvNotificationSubject "New account auto provisioned"
ms zimbramail.xxxx.com zimbraAutoProvPollingInterval "1m"
ms zimbramail.xxxx.com +zimbraAutoProvScheduledDomains "xxxx.com"
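Before applying a script like the one above, it is worth checking it for the settings that cause trouble against AD. The linter below is an added example, not code from the post or from Zimbra; the sample script and the hardened variant inside it are constructed, and the host name dc1.xxxx.com and the OU=Staff container in the hardened variant are placeholders. It flags four things that are visible in the script: a plain ldap:// URL (a simple bind sends the bind password across the network unencrypted), the bind password sitting inline in a script kept in /tmp, a search base at the domain root (a subtree search from there on port 389 makes AD return search references to the DomainDnsZones, ForestDnsZones and Configuration partitions, which a client that does not follow referrals reports as an LDAP referral error), and a filter on cn while the mailbox name is taken from sAMAccountName.

```python
"""Lint a zmprov auto-provisioning script for the settings that bite with AD."""
import re
import shlex
from urllib.parse import urlsplit

# Constructed sample: the shape of the script quoted in this thread, placeholders kept.
SAMPLE_SCRIPT = """
md xxxx.com zimbraAutoProvMode LAZY
md xxxx.com zimbraAutoProvAccountNameMap "samAccountName"
md xxxx.com +zimbraAutoProvAttrMap displayName=displayName
md xxxx.com zimbraAutoProvLdapAdminBindDn "CN=zimbraldap,OU=GLOBAL,DC=xxxx,DC=com"
md xxxx.com zimbraAutoProvLdapAdminBindPassword "password"
md xxxx.com zimbraAutoProvLdapSearchBase "dc=xxxx,dc=com"
md xxxx.com zimbraAutoProvLdapSearchFilter "(cn=%u)"
md xxxx.com zimbraAutoProvLdapURL "ldap://192.168.10.20:389"
ms zimbramail.xxxx.com +zimbraAutoProvScheduledDomains "xxxx.com"
"""

# Constructed hardened variant (hypothetical host name and OU).
HARDENED_SCRIPT = """
md xxxx.com zimbraAutoProvAccountNameMap "sAMAccountName"
md xxxx.com zimbraAutoProvLdapSearchBase "OU=Staff,DC=xxxx,DC=com"
md xxxx.com zimbraAutoProvLdapSearchFilter "(sAMAccountName=%u)"
md xxxx.com zimbraAutoProvLdapURL "ldaps://dc1.xxxx.com:636"
"""


def parse_zmprov(script):
    """Collect {attribute: [values]} from 'md|ms <target> [+]attr value' lines."""
    attrs = {}
    for raw in script.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)          # honours the "..." quoting zmprov uses
        if len(tokens) < 4 or tokens[0] not in ("md", "ms", "mcf"):
            continue
        attr = tokens[2].lstrip("+")        # '+attr' appends one more value
        attrs.setdefault(attr, []).append(" ".join(tokens[3:]))
    return attrs


def _is_domain_root(base):
    """True when the base is made of dc= RDNs only, i.e. the domain naming context."""
    return all(r.strip().lower().startswith("dc=") for r in base.split(","))


def lint(attrs):
    """Return (code, severity, message) tuples; an empty list means no finding."""
    findings = []
    first = lambda name: attrs.get(name, [""])[0]

    url = urlsplit(first("zimbraAutoProvLdapURL"))
    port = url.port or (636 if url.scheme == "ldaps" else 389)
    if url.scheme == "ldap":
        findings.append(("CLEARTEXT_LDAP", "high",
                         "ldap:// simple bind sends the bind password in clear; "
                         "use ldaps:// (636, or 3269 for the Global Catalog)"))

    if first("zimbraAutoProvLdapAdminBindPassword"):
        findings.append(("PASSWORD_IN_SCRIPT", "medium",
                         "bind password is inline; keep the script out of /tmp "
                         "(tmp cleaners delete it, and /tmp is world-readable), mode 0600"))

    base = first("zimbraAutoProvLdapSearchBase")
    if base and _is_domain_root(base) and port in (389, 636):
        findings.append(("REFERRALS_FROM_ROOT", "high",
                         f"subtree search from {base} on port {port} returns search "
                         "references (DomainDnsZones, ForestDnsZones, Configuration); "
                         "narrow the base to the users' OU or use the Global Catalog (3268/3269)"))

    name_map = first("zimbraAutoProvAccountNameMap").lower()
    m = re.search(r"\((\w+)=%u\)", first("zimbraAutoProvLdapSearchFilter"))
    if m and name_map == "samaccountname" and m.group(1).lower() != "samaccountname":
        findings.append(("FILTER_ATTR_MISMATCH", "medium",
                         f"filter matches {m.group(1)} but the mailbox name comes from "
                         "sAMAccountName; in AD cn is usually the display name, so "
                         "(sAMAccountName=%u) is the safer filter"))
    return findings


if __name__ == "__main__":
    for code, severity, message in lint(parse_zmprov(SAMPLE_SCRIPT)):
        print(f"[{severity}] {code}: {message}")
```

Run it over the script file before feeding it to zmprov; the REFERRALS_FROM_ROOT check is silent when the URL points at the Global Catalog port, because a GC search does not hand back those partition references.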
pup_seba
Outstanding Member
Posts: 687
Joined: Sat Sep 13, 2014 2:43 am
Location: Tarragona - Spain

Re: Auto provisioning with Active Directory not working

Post by pup_seba »

Hi,

Try changing this (regardless of what the documentation says): 'zimbraAutoProvLdapBindDn "zimbraldap@xxxx.com"' to this: 'zimbraAutoProvLdapBindDn "CN=zimbraldap,OU=GLOBAL,DC=xxxx,DC=com"'.

Also, it is always a good idea to try some ldapsearch queries from the command line just to verify that you can actually connect to your LDAP server using that info.

Are you able to see anything in your Zimbra logs? I think I used to grep for "autoprovision" or similar (grep -i "autoprovision"), but I'm not completely sure and I have no access to a lab environment right now to check it myself. Usually auto provisioning is quite informative in the logs.

Regards,
ragesh
Posts: 4
Joined: Tue Feb 26, 2019 3:53 am

Re: Auto provisioning with Active Directory not working

Post by ragesh »

Thanks Sebastian. I tried your suggestion, still no luck. Please see the log entry. I created a new user in AD named "boat", but it is not able to authenticate to the mail server using auto provisioning. The log says: authentication failed for [boat@kimshisnet.com], account not found!

New auto provisioning script:

md kimshisnet.com zimbraAutoProvMode LAZY
md kimshisnet.com zimbraAutoProvAccountNameMap "samAccountName"
md kimshisnet.com +zimbraAutoProvAttrMap description=description
md kimshisnet.com +zimbraAutoProvAttrMap displayName=displayName
md kimshisnet.com +zimbraAutoProvAttrMap givenName=givenName
md kimshisnet.com +zimbraAutoProvAttrMap cn=cn
md kimshisnet.com +zimbraAutoProvAttrMap sn=sn
md kimshisnet.com zimbraAutoProvAuthMech LDAP
md kimshisnet.com zimbraAutoProvBatchSize 40
md kimshisnet.com zimbraAutoProvLdapAdminBindDn "CN=doveldap,OU=GLOBAL,DC=kimshisnet,DC=com"
md kimshisnet.com zimbraAutoProvLdapAdminBindPassword "xxxxx"
md kimshisnet.com zimbraAutoProvLdapBindDn "CN=doveldap,OU=GLOBAL,DC=kimshisnet,DC=com"
md kimshisnet.com zimbraAutoProvLdapSearchBase "dc=kimshisnet,dc=com"
md kimshisnet.com zimbraAutoProvLdapSearchFilter "(cn=%u)"
md kimshisnet.com zimbraAutoProvLdapURL "ldap://192.168.x.xx:389"
md kimshisnet.com zimbraAutoProvNotificationBody "Your account has been auto provisioned. Your email address is ${ACCOUNT_ADDRESS}. Password will be same as your windows password"
md kimshisnet.com zimbraAutoProvNotificationFromAddress prov-admin@kimshisnet.com
md kimshisnet.com zimbraAutoProvNotificationSubject "New account auto provisioned"
ms mailnew.kimshisnet.com zimbraAutoProvPollingInterval "1m"
ms mailnew.kimshisnet.com +zimbraAutoProvScheduledDomains "kimshisnet.com"



MAIL LOG ENTRY


2019-03-05 10:51:43,631 INFO [MailboxPurge] [name=ham.a2oidgww@mailnew.kimshisnet.com;mid=7;] purge - Purging messages.
2019-03-05 10:51:53,421 INFO [qtp509886383-67968:http://127.0.0.1:80/service/soap/AuthRequest] [oip=192.168.1.7;ua=zclient/8.6.0_GA_1153;] account - unable to auto provisioing acct boat@kimshisnet.com
com.zimbra.cs.ldap.LdapException: LDAP error: - unable to search ldap: referral
ExceptionId:qtp509886383-67968:http://127.0.0.1:80/service/soap/AuthRe ... 7638371840
Code:ldap.LDAP_ERROR
at com.zimbra.cs.ldap.LdapException.LDAP_ERROR(LdapException.java:90)
at com.zimbra.cs.ldap.unboundid.UBIDLdapException.mapToLdapException(UBIDLdapException.java:74)
at com.zimbra.cs.ldap.unboundid.UBIDLdapException.mapToExternalLdapException(UBIDLdapException.java:84)
at com.zimbra.cs.ldap.unboundid.UBIDLdapContext.mapToLdapException(UBIDLdapContext.java:225)
at com.zimbra.cs.ldap.unboundid.UBIDLdapContext.searchDir(UBIDLdapContext.java:568)
at com.zimbra.cs.account.ldap.ZLdapHelper.searchForEntry(ZLdapHelper.java:207)
at com.zimbra.cs.account.ldap.LdapHelper.searchForEntry(LdapHelper.java:155)
at com.zimbra.cs.account.ldap.AutoProvision.getExternalAttrsByName(AutoProvision.java:382)
at com.zimbra.cs.account.ldap.AutoProvisionLazy.createAccount(AutoProvisionLazy.java:83)
at com.zimbra.cs.account.ldap.AutoProvisionLazy.handle(AutoProvisionLazy.java:73)
at com.zimbra.cs.account.ldap.LdapProvisioning.autoProvAccountLazy(LdapProvisioning.java:1017)
at com.zimbra.cs.service.account.Auth.handle(Auth.java:164)
at com.zimbra.soap.SoapEngine.dispatchRequest(SoapEngine.java:569)
at com.zimbra.soap.SoapEngine.dispatch(SoapEngine.java:432)
at com.zimbra.soap.SoapEngine.dispatch(SoapEngine.java:266)
at com.zimbra.soap.SoapServlet.doWork(SoapServlet.java:303)
at com.zimbra.soap.SoapServlet.doPost(SoapServlet.java:213)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:707)
at com.zimbra.cs.servlet.ZimbraServlet.service(ZimbraServlet.java:209)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:738)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1651)
at com.zimbra.cs.servlet.CsrfFilter.doFilter(CsrfFilter.java:168)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1622)
at com.zimbra.cs.servlet.RequestStringFilter.doFilter(RequestStringFilter.java:54)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1622)
at com.zimbra.cs.servlet.SetHeaderFilter.doFilter(SetHeaderFilter.java:59)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1622)
at org.eclipse.jetty.servlets.UserAgentFilter.doFilter(UserAgentFilter.java:83)
at org.eclipse.jetty.servlets.GzipFilter.doFilter(GzipFilter.java:351)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1622)
at com.zimbra.cs.servlet.ETagHeaderFilter.doFilter(ETagHeaderFilter.java:47)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1622)
at com.zimbra.cs.servlet.ContextPathBasedThreadPoolBalancerFilter.doFilter(ContextPathBasedThreadPoolBalancerFilter.java:107)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1622)
at com.zimbra.cs.servlet.ZimbraQoSFilter.doFilter(ZimbraQoSFilter.java:107)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1622)
at com.zimbra.cs.servlet.ZimbraInvalidLoginFilter.doFilter(ZimbraInvalidLoginFilter.java:131)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1622)
at org.eclipse.jetty.servlets.DoSFilter.doFilterChain(DoSFilter.java:457)
at org.eclipse.jetty.servlets.DoSFilter.doFilter(DoSFilter.java:326)
at org.eclipse.jetty.servlets.DoSFilter.doFilter(DoSFilter.java:299)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1622)
at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:549)
at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143)
at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:544)
at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:221)
at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1111)
at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:478)
at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:183)
at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1045)
at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)
at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:199)
at org.eclipse.jetty.server.handler.HandlerCollection.handle(HandlerCollection.java:109)
at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:97)
at org.eclipse.jetty.rewrite.handler.RewriteHandler.handle(RewriteHandler.java:309)
at org.eclipse.jetty.server.handler.DebugHandler.handle(DebugHandler.java:81)
at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:97)
at org.eclipse.jetty.server.Server.handle(Server.java:462)
at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:279)
at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:232)
at org.eclipse.jetty.io.AbstractConnection$2.run(AbstractConnection.java:534)
at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:607)
at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:536)
at java.lang.Thread.run(Thread.java:745)
Caused by: LDAPSearchException(resultCode=10 (referral), numEntries=2040, numReferences=1, errorMessage='referral')
at com.unboundid.ldap.sdk.LDAPConnection.search(LDAPConnection.java:3310)
at com.zimbra.cs.ldap.unboundid.UBIDLdapOperation$Search.execute(UBIDLdapOperation.java:284)
at com.zimbra.cs.ldap.unboundid.UBIDLdapContext.searchDir(UBIDLdapContext.java:564)
... 60 more
2019-03-05 10:51:53,426 INFO [qtp509886383-67968:http://127.0.0.1:80/service/soap/AuthRequest] [oip=192.168.1.7;ua=zclient/8.6.0_GA_1153;] SoapEngine - handler exception: authentication failed for [boat@kimshisnet.com], account not found
2019-03-05 10:51:53,427 INFO [qtp509886383-67968:http://127.0.0.1:80/service/soap/AuthRequest] [oip=192.168.1.7;ua=zclient/8.6.0_GA_1153;] soap - AuthRequest elapsed=3372
2019-03-05 10:51:53,427 INFO [qtp509886383-67968:http://127.0.0.1:80/service/soap/AuthRequest] [] misc - Invalid login filter, checking if this was an auth req and authentication failed.
2019-03-05 10:51:53,492 INFO [qtp509886383-67969:https://127.0.0.1:7071/service/admin/so ... nfoRequest] [ip=127.0.0.1;ua=ZCS/8.6.0_GA_1153;] soap - GetDomainInfoRequest elapsed=1
2019-03-05 10:52:43,662 INFO [MailboxPurge] [name=galsync.ygwzgijo@mailnew.kimshisnet.com;mid=1;] purge - Purging messages.
pup_seba
Outstanding Member
Posts: 687
Joined: Sat Sep 13, 2014 2:43 am
Location: Tarragona - Spain

Re: Auto provisioning with Active Directory not working

Post by pup_seba »

I can see that there is some info about that "unable to search ldap: referral" showing in your logs. Something related to Microsoft KBs. You could try to read those to see if they apply to your case, but I insist that a fast way to test your LDAP configuration is to perform ldapsearches directly from your command line. Once you are able to perform ldapsearches, then go to auto provisioning. Otherwise, you could end up trying to fix "autoprovision" when something else could be failing.

Regards,
ragesh
Posts: 4
Joined: Tue Feb 26, 2019 3:53 am

Re: Auto provisioning with Active Directory not working

Post by ragesh »

Hi Sebastian,

I tried to do an LDAP search manually on the mail server using the command below. It gives the result shown below. Still, when I try to do the auto provisioning it gives the LDAP error; please see the mail log entries. Any idea where I have to look into this? I have no idea what causes the issue. I had also increased the LDAP session count on Active Directory from 1000 to 10000 on the assumption that it may be due to LDAP query limitations. Any guidance or help would be appreciated.


ldapsearch -D "CN=doveldap,OU=GLOBAL,DC=kimshisnet,DC=com" -W -p 389 -h kimshisnet.com -b "dc=kimshisnet,dc=com"

RESULT (earlier entries skipped):
instanceType: 4
whenCreated: 20080223070855.0Z
whenChanged: 20150603120613.0Z
uSNCreated: 26443
uSNChanged: 26443
showInAdvancedViewOnly: TRUE
name: DD61D4386D074770812EC2AD0B0A66A6B025F6B7999311DCB0FB00142A18941D
objectGUID:: zo/n1idCFkyTDZfptJbRYQ==
currentLocation:: jJY/LgzbHkyhvcvIfsDS57f2JbCTmdwRsPsAFCoYlB0=
timeRefresh: 1870
objectCategory: CN=Link-Track-OMT-Entry,CN=Schema,CN=Configuration,DC=kimshisnet,DC=com
dSCorePropagationData: 20190212183816.0Z
dSCorePropagationData: 20190202095104.0Z
dSCorePropagationData: 20190124063516.0Z
dSCorePropagationData: 20181211112413.0Z
dSCorePropagationData: 16010714223649.0Z

# search reference
ref: ldap://DomainDnsZones.kimshisnet.com/DC=DomainDnsZones,DC=kimshisnet,DC=com

# search reference
ref: ldap://ForestDnsZones.kimshisnet.com/DC=ForestDnsZones,DC=kimshisnet,DC=com

# search reference
ref: ldap://kimshisnet.com/CN=Configuration,DC=kimshisnet,DC=com

# search result
search: 2
result: 4 Size limit exceeded

# numResponses: 10004
# numEntries: 10000
# numReferences: 3






MAIL LOG


2019-03-08 09:20:31,104 INFO [AutoProvision] [] autoprov - Auto provisioning accounts on domain kimshisnet.com
2019-03-08 09:20:34,490 WARN [AutoProvision] [] autoprov - Unable to auto provision accounts for domain kimshisnet.com
com.zimbra.cs.ldap.LdapException: LDAP error: - unable to search ldap: referral
ExceptionId:AutoProvision:1552017034487:16af2e44e3c0dcd2
Code:ldap.LDAP_ERROR
at com.zimbra.cs.ldap.LdapException.LDAP_ERROR(LdapException.java:90)
at com.zimbra.cs.ldap.unboundid.UBIDLdapException.mapToLdapException(UBIDLdapException.java:74)
at com.zimbra.cs.ldap.unboundid.UBIDLdapException.mapToExternalLdapException(UBIDLdapException.java:84)
at com.zimbra.cs.ldap.unboundid.UBIDLdapContext.mapToLdapException(UBIDLdapContext.java:225)
at com.zimbra.cs.ldap.unboundid.UBIDLdapContext.searchPaged(UBIDLdapContext.java:543)
at com.zimbra.cs.account.ldap.AutoProvision.searchAutoProvDirectory(AutoProvision.java:672)
at com.zimbra.cs.account.ldap.AutoProvisionEager.searchAccounts(AutoProvisionEager.java:250)
at com.zimbra.cs.account.ldap.AutoProvisionEager.createAccountBatch(AutoProvisionEager.java:152)
at com.zimbra.cs.account.ldap.AutoProvisionEager.handleBatch(AutoProvisionEager.java:132)
at com.zimbra.cs.account.ldap.AutoProvisionEager.handleScheduledDomains(AutoProvisionEager.java:103)
at com.zimbra.cs.account.ldap.LdapProvisioning.autoProvAccountEager(LdapProvisioning.java:1008)
at com.zimbra.cs.account.AutoProvisionThread.run(AutoProvisionThread.java:150)
Caused by: LDAPSearchException(resultCode=10 (referral), numEntries=3003, numReferences=1, errorMessage='referral', responseControls={SimplePagedResultsControl(pageSize=0, isCritical=false)})
at com.unboundid.ldap.sdk.LDAPConnection.search(LDAPConnection.java:3310)
at com.zimbra.cs.ldap.unboundid.UBIDLdapOperation$Search.execute(UBIDLdapOperation.java:284)
at com.zimbra.cs.ldap.unboundid.UBIDLdapContext.searchPaged(UBIDLdapContext.java:501)
... 7 more
2019-03-08 09:20:34,492 INFO [AutoProvision] [] autoprov - Sleeping for 60000 milliseconds.
2019-03-08 09:20:37,070 INFO [MailboxPurge] [name=telnetclients@kimshisnet.com;mid=47;] purge - Purging messages.
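The two outputs above carry the diagnosis between them: the ldapsearch run shows three search references coming back from a subtree search at dc=kimshisnet,dc=com (plus result 4, size limit exceeded, because the query has no filter), and mailbox.log shows Zimbra's UnboundID client failing with result code 10 (referral) after a few thousand entries. The parser below is an added example, not code from the thread or from Zimbra; the log and LDIF samples inside it are constructed to match the lines quoted above (ldapsearch folds long LDIF lines with a leading space, which the parser joins back before reading them), and the hypothetical user name boat in the SIZE_LIMIT hint is taken from the thread.

```python
"""Pull the facts out of a Zimbra autoprov failure: the UnboundID exception in
mailbox.log and the LDIF that ldapsearch printed for the same directory."""
import re

# Constructed sample lines shaped like the ones quoted in this thread.
MAILBOX_LOG = """\
2019-03-08 09:20:34,490 WARN [AutoProvision] [] autoprov - Unable to auto provision accounts for domain kimshisnet.com
com.zimbra.cs.ldap.LdapException: LDAP error: - unable to search ldap: referral
Caused by: LDAPSearchException(resultCode=10 (referral), numEntries=3003, numReferences=1, errorMessage='referral')
"""

LDIF_OUTPUT = """\
# search reference
ref: ldap://DomainDnsZones.kimshisnet.com/DC=DomainDnsZones,DC=kimshisnet,DC=c
 om

# search reference
ref: ldap://ForestDnsZones.kimshisnet.com/DC=ForestDnsZones,DC=kimshisnet,DC=c
 om

# search reference
ref: ldap://kimshisnet.com/CN=Configuration,DC=kimshisnet,DC=com

# search result
search: 2
result: 4 Size limit exceeded
"""

EXC_RE = re.compile(
    r"LDAPSearchException\(resultCode=(?P<code>\d+) \((?P<name>\w+)\), "
    r"numEntries=(?P<entries>\d+), numReferences=(?P<refs>\d+)"
)


def parse_search_exception(log_text):
    """Return the first UnboundID search failure as a dict, or None if absent."""
    m = EXC_RE.search(log_text)
    if m is None:
        return None
    return {"result_code": int(m["code"]), "result_name": m["name"],
            "entries": int(m["entries"]), "references": int(m["refs"])}


def unfold_ldif(text):
    """Join LDIF continuation lines: a leading space means 'still the previous line'."""
    lines = []
    for line in text.splitlines():
        if line.startswith(" ") and lines:
            lines[-1] += line[1:]
        else:
            lines.append(line)
    return lines


def parse_ldapsearch(text):
    """Collect the referral URLs and the final (code, message) from ldapsearch LDIF."""
    refs, result = [], None
    for line in unfold_ldif(text):
        if line.startswith("ref: "):
            refs.append(line[len("ref: "):])
        elif line.startswith("result: "):
            code, _, message = line[len("result: "):].partition(" ")
            result = (int(code), message)
    return {"references": refs, "result": result}


def diagnose(exc, search):
    """Map the evidence to causes; 10 (referral) and 4 (sizeLimitExceeded) are
    standard LDAP result codes, so the mapping is not AD-specific."""
    causes = []
    if exc and exc["result_code"] == 10:
        causes.append(f"REFERRAL: search returned {exc['entries']} entries and "
                      f"{exc['references']} reference(s), then failed with result 10; "
                      "the base spans partitions the bound server only refers to, and "
                      "Zimbra's client reports the reference instead of following it")
    for ref in search["references"]:
        causes.append(f"REFERRED_PARTITION: {ref}")
    if search["result"] and search["result"][0] == 4:
        causes.append("SIZE_LIMIT: unfiltered subtree search exceeded the server's size "
                      "limit; test with a user filter, e.g. (sAMAccountName=boat), and "
                      "page with -E pr=1000/noprompt")
    return causes


if __name__ == "__main__":
    for cause in diagnose(parse_search_exception(MAILBOX_LOG), parse_ldapsearch(LDIF_OUTPUT)):
        print(cause)
```

The REFERRED_PARTITION lines are the useful part: each URL names a naming context outside the one the bind DN lives in, so a search base that sits below those partition heads (the OU holding the users), or a Global Catalog query on 3268, is what removes them.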
andymvp
Posts: 1
Joined: Wed Jun 05, 2019 4:32 pm

Re: Auto provisioning with Active Directory not working

Post by andymvp »

Hi Ragesh. Any luck solving the issue? I'm facing the same problem with Zimbra (version 8.8.12, Open Source) auto provisioning against Samba AD (v4.9.1). I'm using the same config I previously used for Zimbra 8.6 (as stated here: https://wiki.zimbra.com/wiki/How_to_con ... ng_with_AD), which used to work OK; but after the Zimbra upgrade, it doesn't.
I tried pup_seba's suggestions with no success. Also, ldapsearch works OK for users queried from the Zimbra server to the Samba AD server.
Authentication between Zimbra and Samba AD works OK for previously provisioned users (my config uses LAZY zimbraAutoProvMode), and password changes in AD are reflected in Zimbra just fine. But no new account in AD is provisioned to Zimbra.
Any clue? Maybe the latest Zimbra version needs some special config for this to work?
Thanks in advance.
Andre13
Posts: 1
Joined: Mon Jan 11, 2021 12:10 am

Re: Auto provisioning with Active Directory not working

Post by Andre13 »

Hello, I tried to search for a thread with my specific problem but I can't find it. My problem is that I created a .txt file with the configuration for auto provisioning and ran zmprov, which succeeded. After that, no user can authenticate with AD because Zimbra says wrong password. In the Admin Console I tried to connect with external LDAP again, but it said it failed because the connection to the port is refused; the port is 3268. Please, I need help urgently. Greetings.