Thread: Create LDAP groups in Zimbra

  1. #1
    Join Date: Nov 2009 | Posts: 7 | Rep Power: 6

    Create LDAP groups in Zimbra

    Hello all,

    I am new to administering the Zimbra 7 server. I would like to create an LDAP group in which users would be "members" of this group. The Zimbra 7 server was set up by a previous administrator. I do not know much about it.

    I have already found our web site for the Zimbra admin console though. I notice that the VMWare icon is displayed on the web admin console page. Furthermore, the main headings on the left side of the admin page are:
    Addresses, Configuration, Monitoring, Tools, and Searches

    Under Accounts, I can see all of the users on this page. I can create a user here also. But, I cannot create a group.

    I have also looked through some of the documentation for administering a Zimbra 7 Server. I had not read everything, just skimmed. I have seen that there might be OpenLDAP also? I cannot find that anywhere either.

    Also, I used the Softerra LDAP browser to verify that the LDAP service was working to begin with. It is. I see the users all listed in the LDAP search returned by Softerra. However, I see no groups in the list of users returned in Softerra. The BaseDN, ObjectClass, etc. appear to be correct. This information was given to me also, but it worked in Softerra to return the LDAP search results.

    Any idea where I would go to create an LDAP group? ( Sorry for the long post, but usually the next question after a post like this is for a little bit more specific information which I tried to provide already the best I could. )

    Thanks, in advance

  2. #2
    phoenix, Zimbra Consultant & Moderator
    Join Date: Sep 2005 | Location: Vannes, France | Posts: 23,587 | Rep Power: 58

    Originally posted by twhitehouse:
        I would like to create an LDAP group in which users would be "members" of this group.

    Why do you want to do this? What are you trying to achieve?

    Regards


    Bill



  3. #3
    Join Date: Nov 2009 | Posts: 7 | Rep Power: 6

    Thanks for the response Bill,

    I need to test a third party application to see if we can correctly identify groups as groups and users as users from different LDAP Servers. We would need to also identify that these specific users are indeed members of this certain group.
    Last edited by twhitehouse; 09-28-2012 at 12:33 PM. Reason: forgot to thank Bill

  4. #4
    Join Date: Nov 2009 | Posts: 7 | Rep Power: 6

    I also have just noticed that Softerra LDAP Browser lists the LDAP type as OpenLDAP 2.4. I looked at some of the configurations for a few other mail servers, and they display different LDAP types based upon what they use.

    I have seen a lot of documentation on OpenLDAP 2.4. I will post back if I can find out how to create a group in OpenLDAP.

  5. #5
    Join Date: Jun 2011 | Location: Caracas Venezuela | Posts: 476 | Rep Power: 4

    Hello twhitehouse,

    http://www.zimbra.com/forums/adminis...ough-ldap.html shows how to get distribution list members.

    However, it's not clear what you are trying to do, at least with the Zimbra LDAP. As far as I know, Zimbra doesn't handle the "group" concept, just distribution lists.

    ccelis

  6. #6
    Join Date: Nov 2009 | Posts: 7 | Rep Power: 6

    LDAP Groups cannot be created but distribution lists can be created on Zimbra Server?

    For our purposes, we need the group concept. I cannot list the specific reason why, so as to protect confidentiality. But, in general, we need to use our code to query the LDAP server and then do other things with the groups that are returned to us from the LDAP Server. We have used Softerra as our base comparison with other LDAP Servers. Most of the time with other LDAP Servers like Microsoft Exchange 2007 or Novell Groupwise 2012, we do see both users and groups listed in Softerra after we enter all of the correct LDAP credentials and conduct the LDAP search in Softerra against those LDAP Servers.

    Here is an example of how we created a group and added users to it in Microsoft Exchange 2007:

    1. Log into Active Directory and Users
    2. Click on the plus sign next to the LDAP Server to expand it
    3. Click on "Users" folder
    4. Click on symbol for "Create Group"
    5. Name the group and click Ok ( I have been leaving the default Group Type of Security selected at this point )
    6. In list of groups / users, right click group from step 5 and choose properties
    7. Click on "Members"
    8. Click "Add"
    9. Add users and click Ok

    Step 7 is where we would actually be adding the users into the group. That is the key for us.

    I was about to post that the above steps are not the same thing as a distribution list in Microsoft Exchange 2007 Server. However, I just now noticed at step 7 above, I saw there was a "General" tab also. On this "General" tab, I saw "Group type". For "Group type", I could choose "Security" or "Distribution". The option of "Distribution" made me think this could be a "Distribution List". So, this made me think that maybe groups are distribution lists in some cases. I don't think that groups are distribution lists in every case though. I know groups are not exactly distribution lists in Exchange or Groupwise. I will need some further investigation for the difference between "Security" and "Distribution" for the Microsoft Exchange 2007 Server also. However, this is a Zimbra forum, so we don't need to worry about that here unless it applies to the Zimbra Server as well.

    Anyways, there must be something that identifies a group as a group in the LDAP world. How do we know this? First, we consider the results returned to us when using the Softerra LDAP Browser as being the correct results for an LDAP search ( meaning that we assume that the Softerra LDAP Browser gets it correct every time when LDAP searches are done since it is an actual LDAP Browser ). As long as this is true, then we can check for groups in the list of users / groups that are returned in the LDAP searches we set up using Softerra. If all of that is true, when we do an LDAP search, using Softerra, against the Zimbra Server, we never see groups listed. This also includes when distribution lists have been set up in Zimbra as well. Distribution lists in Zimbra do not display as groups in the LDAP search that is returned to us. Also, distribution lists do not show up as distribution lists in Softerra either. Distribution lists just do not show up in Softerra. So, I am thinking in the LDAP world, that distribution lists are not LDAP type objects. As long as I understand this correctly, distribution lists are just for sending email to large groups of people at the same time. Basically, instead of typing in 100 email addresses every time you want to email those 100 people, you can add all of these 100 email addresses to 1 distribution list. Then, you type in the email address of that 1 distribution list and all 100 people receive the email at their email address that was entered into the distribution list.

    While I still have to protect our confidentiality, I will say that sending emails to large groups of users is not what we are trying to do with our code.

    So, from looking back at the posts on this thread so far, it looks like LDAP groups cannot be created but distribution lists can be. I'm going with this assumption unless someone can prove that LDAP groups can be created on the Zimbra Server.

    ===============================================================================================

    Originally posted by ccelis5215:
    Hello twhitehouse,

    http://www.zimbra.com/forums/adminis...ough-ldap.html shows how to get distribution list members.

    However, it's not clear what you are trying to do, at least with the Zimbra LDAP. As far as I know, Zimbra doesn't handle the "group" concept, just distribution lists.

    ccelis

  7. #7
    Join Date: Nov 2009 | Posts: 7 | Rep Power: 6

    I need to make one correction. I ran the LDAP search again using Softerra. I did actually see the distribution list show up in the search results. So, to be more specific, I saw all the users in the list along with the distribution lists. However, when I looked at the distribution lists, there was no "memberof" LDAP field. I did add members to the distribution list on Zimbra though. This is where groups would list "memberof" in Microsoft Exchange 2007 or Groupwise 2012. Then, you could do things with the "members" of the groups indirectly with code ( again leaving specifics out ). The whole point is that there is no "memberof" displayed for a distribution list. This is why I was looking for groups in Zimbra. I need to see the users I added to the group on any LDAP Server show as a "memberof" the group in the LDAP search results in Softerra.

    Also, the distribution list has the same LDAP attribute as a user. I named a user "user1". I named a distribution list "distributionList1". In Softerra, after the LDAP search is returned, they both have the following LDAP attributes:

    uid=user1
    uid=distributionList1

    Normally, an LDAP group would have LDAP attributes like:

    CN=ldapGroup1

    CN stands for "common name" in LDAP. uid stands for something like user name identifier in LDAP. So, when the distribution list has "uid=" for its LDAP attribute, that seems incorrect to me. Or, it is correct but indicates that this is only just a bunch of users in a list and not a true "LDAP Group". I hope this makes sense...lol.

    Also, I found this information on other people having issues with uid vs cn.

    Cool Solutions: UID and CN mapping with LDAP
    ldapconnection - What's the difference in using distinguished name with cn or uid when logging into LDAP? - Stack Overflow

  8. #8
    Join Date: Nov 2009 | Posts: 7 | Rep Power: 6

    Also, I do not want a distribution list.

    http://www.zimbra.com/forums/adminis...roups-zcs.html

    Just to see what would happen, I did try to create one of these in Zimbra 7. I added a few users as "Members". This made no difference. I did not see this distribution list in the Softerra LDAP browser search results. I did see the users in Softerra, but they appeared no differently. They did not even mention being a member of the distribution list.

    Here would be an example of what I would put into Softerra as a BaseDN to return users and possibly groups:

    cn=username,cn=myGroupname,ou=myOrganizationalUnit,o=myOrganization

    That 'cn=myGroupname' does not exist since there are no groups right now though.
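
Added example, not part of the thread and not Zimbra's or any poster's code: posts #7 and #8 turn on telling groups from users and on the missing "memberof" attribute, so this sketch classifies entries by objectClass instead of by the cn=/uid= naming attribute and rebuilds each user's group list from the group side. The entries under dc=example,dc=com are constructed; zimbraDistributionList and zimbraMailForwardingAddress are the object class and member attribute of Zimbra's LDAP schema, and the helper function names are hypothetical.

```python
from collections import defaultdict
# Constructed sample entries, not taken from the thread's server.
SAMPLE_LDIF = """\
dn: uid=user1,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
mail: user1@example.com

dn: uid=distributionList1,ou=people,dc=example,dc=com
objectClass: zimbraDistributionList
zimbraMailForwardingAddress: user1@example.com

dn: cn=ldapGroup1,ou=groups,dc=example,dc=com
objectClass: groupOfNames
member: uid=user1,ou=people,dc=example,dc=com
"""

GROUP_CLASSES = {  # objectClass (lowercased) -> attribute listing members
    "groupofnames": "member",
    "group": "member",  # Active Directory
    "zimbradistributionlist": "zimbramailforwardingaddress",
}

def parse_ldif(text):
    """Minimal LDIF reader: assumes no folded lines or base64 values."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = defaultdict(list)
        for attr, _, value in (l.partition(": ") for l in block.splitlines()):
            entry[attr.lower()].append(value)
        entries.append(entry)
    return entries

def classify(entry):
    """Decide by objectClass, never by whether the RDN is cn= or uid=."""
    classes = {c.lower() for c in entry["objectclass"]}
    hit = next((c for c in GROUP_CLASSES if c in classes), None)
    return ("group", GROUP_CLASSES[hit]) if hit else ("user", None)

def member_of(entries):  # member value (DN or mail) -> set of group DNs
    index = defaultdict(set)
    for e in entries:
        kind, attr = classify(e)
        for m in e[attr] if kind == "group" else []:
            index[m.lower()].add(e["dn"][0])
    return index

def groups_for(user, index):
    keys = user["dn"] + user["mail"]
    return sorted({g for k in keys for g in index.get(k.lower(), ())})
```

Calling `groups_for(entries[0], member_of(entries))` on the parsed sample returns both the groupOfNames entry and the distribution list for user1, even though neither user entry carries a memberOf value.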
