Zimbra Auto Provisioning with AD group filter not working after first sync

[stalker]

Environment
Zimbra: Release 10.1.11.GA.4655.UBUNTU22_64 NETWORK edition.
Active Directory: Windows Server 2022 Standard 21H2

I am trying to configure Zimbra Auto Provisioning with Active Directory.
The goal is to have automatic synchronization of new AD users into Zimbra, but only if they are members of a specific AD group (e.g., ZimbraUsers).

I am using the domain configuration file with the following settings.
File autoprov.txt

Code: Select all

md zimbra.example.com zimbraAutoProvAccountNameMap "sAMAccountName"
md zimbra.example.com zimbraAutoProvAttrMap "sn=sn"
md zimbra.example.com +zimbraAutoProvAttrMap "description=description"
md zimbra.example.com +zimbraAutoProvAttrMap "cn=displayName"
md zimbra.example.com +zimbraAutoProvAttrMap "givenName=givenName"
md zimbra.example.com zimbraAutoProvBatchSize "20"
md zimbra.example.com zimbraAutoProvLdapAdminBindDn "CN=zimbra-sync,CN=Users,DC=example,DC=local"
md zimbra.example.com zimbraAutoProvLdapAdminBindPassword "password"
md zimbra.example.com zimbraAutoProvLdapBindDn "CN=zimbra-sync,CN=Users,DC=example,DC=local"
md zimbra.example.com zimbraAutoProvLdapSearchBase "DC=example,DC=local"
md zimbra.example.com zimbraAutoProvLdapSearchFilter "(&(ObjectCategory=person)(memberOf=CN=ZimbraUsers,CN=Users,DC=example,DC=local))"
md zimbra.example.com zimbraAutoProvLdapURL "ldap://10.0.0.10:389"
md zimbra.example.com zimbraAutoProvMode "EAGER"
md zimbra.example.com zimbraAutoProvNotificationBody "Your account has been created automatically. Your email address ${ACCOUNT_ADDRESS}."
md zimbra.example.com zimbraAutoProvNotificationFromAddress "admin@zimbra.example.com"
md zimbra.example.com zimbraAutoProvNotificationSubject "Account ${ACCOUNT_ADDRESS} auto provisioned"
ms mail.zimbra.example.com zimbraAutoProvPollingInterval "1m"
ms mail.zimbra.example.com zimbraAutoProvScheduledDomains "zimbra.example.com"

Code: Select all

zmprov < /tmp/autoprov.txt

On the first run, provisioning works — Zimbra creates accounts for AD users that are members of the ZimbraUsers group.
On subsequent runs, no new accounts are added even if we put new AD users into the group.
The log always shows 0 external LDAP entries returned:

Code: Select all

2025-09-12 18:07:58,801 INFO  [AutoProvision] [] autoprov - Auto provisioning accounts on domain zimbra.example.com
2025-09-12 18:07:58,830 INFO  [AutoProvision] [] autoprov - 0 external LDAP entries returned as search result
2025-09-12 18:07:58,830 INFO  [AutoProvision] [] autoprov - Auto Provisioning has finished for now, setting last polled timestamp: 20250912150758.804Z
2025-09-12 18:07:58,834 INFO  [AutoProvision] [] autoprov - Sleeping for 60000 milliseconds.

Changing the filter to a generic one like:

Code: Select all

zmprov md zimbra.example.com zimbraAutoProvLdapSearchFilter "(&(objectCategory=person))"

provisioning works every time. But then I get users that I don't need.

With the group-based filter (memberOf=CN=ZimbraUsers,...) it works only once.
Manual ldapsearch with the same filter and service account returns the expected results.

How can we configure Zimbra AutoProv so that group-based LDAP filters (with memberOf) work consistently on every poll, not only on the very first run?

[stalker]

I figured out the issue. It’s not the group filter itself, but the way Zimbra builds the LDAP query.

Zimbra adds an extra condition automatically based on the last poll timestamp. For example, my query looked like this in Wireshark:

Code: Select all

(&(&(ObjectCategory=person)(memberOf=CN=ZimbraUsers,OU=Groups,DC=domain,DC=local))
   (createTimestamp>=20250912172559.231Z))

This means that only users created after the last provisioning check will be returned.

So, if a user account was created before the last poll, but the user was added to the group later, the LDAP search will not return that account. That’s why the new group members were missing during subsequent syncs.

In short: provisioning depends not only on the group filter, but also on the createTimestamp>=lastPolledTimestamp condition.

[Klug]

This might need a bug/RFE...

[justindev]

I figured out the issue. It’s not the group filter itself, but the way Zimbra builds the LDAP query.grade calculator

Zimbra adds an extra condition automatically based on the last poll timestamp. For example, my query looked like this in Wireshark:

Code: Select all

(&(&(ObjectCategory=person)(memberOf=CN=ZimbraUsers,OU=Groups,DC=domain,DC=local))
   (createTimestamp>=20250912172559.231Z))

This means that only users created after the last provisioning check will be returned.

So, if a user account was created before the last poll, but the user was added to the group later, the LDAP search will not return that account. That’s why the new group members were missing during subsequent syncs.

In short: provisioning depends not only on the group filter, but also on the createTimestamp>=lastPolledTimestamp condition.

Thanks for sharing this detailed explanation! It’s a crucial insight into how Zimbra handles LDAP queries during provisioning. I’ll keep this in mind when troubleshooting similar issues in the future.

[adrian.gibanel.btactic]

Zimbra adds an extra condition automatically based on the last poll timestamp. For example, my query looked like this in Wireshark:

Code: Select all

(&(&(ObjectCategory=person)(memberOf=CN=ZimbraUsers,OU=Groups,DC=domain,DC=local))
   (createTimestamp>=20250912172559.231Z))

This means that only users created after the last provisioning check will be returned.

That's right. This ensures the AD is not returning more accounts than it needs.
I think there is a domain attribute ( zmprov getDomain domain.com ) that saves that timestamp.

You might want to set to empty so that a new filter is taken into account or when you are doing tests till you put the final filter into production.

Unfortunately I don't remember the domain attribute name.