Autoprovisioning based on Group Membership.

aglandorf
Posts: 2
Joined: Wed Feb 12, 2020 9:48 am

Postby aglandorf » Wed Feb 12, 2020 11:48 am

Hi there,
I am completely new to Zimbra, but I was able to install it and get it working with autoprovisioning.
I got an AD server and used this https://wiki.zimbra.com/wiki/How_to_con ... ng_with_AD to enable the first users.

But I have 3 OUs with different users, and for testing not all of them need to have access to Zimbra, so I wanted to use group memberships to solve this, as there are some users in 3 different OUs across the entire AD.

So I checked this https://wiki.zimbra.com/wiki/How_to_con ... _Directory) and thought it should be easy to configure it but I seem to run into an issue here.


I changed my configuration from:

Code: Select all

md home.local zimbraAutoProvAccountNameMap "samAccountName"
md home.local +zimbraAutoProvAttrMap description=description
md home.local +zimbraAutoProvAttrMap displayName=displayName
md home.local +zimbraAutoProvAttrMap givenName=givenName
md home.local +zimbraAutoProvAttrMap cn=cn
md home.local +zimbraAutoProvAttrMap sn=sn
md home.local zimbraAutoProvLastPolledTimestamp ""
md home.local zimbraAutoProvAuthMech LDAP
md home.local zimbraAutoProvBatchSize 40
md home.local zimbraAutoProvLdapAdminBindDn "CN=Zimbra Webmail,OU=Admins,DC=home,DC=local"
md home.local zimbraAutoProvLdapAdminBindPassword PasswordRightHere
md home.local zimbraAutoProvLdapBindDn "Administrator@home.local"
md home.local zimbraAutoProvLdapSearchBase "OU=Admins,DC=home,DC=local"
md home.local zimbraAutoProvLdapSearchFilter "(cn=%u)"
md home.local zimbraAutoProvLdapURL "ldap://10.120.40.10:389"
md home.local zimbraAutoProvMode EAGER
md home.local zimbraAutoProvNotificationBody "Your account has been auto provisioned.  Your email address is ${ACCOUNT_ADDRESS}."
md home.local zimbraAutoProvNotificationFromAddress zmail@home.local
md home.local zimbraAutoProvNotificationSubject "New account auto provisioned"
ms webmail.home.local zimbraAutoProvPollingInterval "3m"
ms webmail.home.local +zimbraAutoProvScheduledDomains "home.local"


to

Code: Select all

md home.local zimbraAutoProvAccountNameMap "samAccountName"
md home.local +zimbraAutoProvAttrMap description=description
md home.local +zimbraAutoProvAttrMap displayName=displayName
md home.local +zimbraAutoProvAttrMap givenName=givenName
md home.local +zimbraAutoProvAttrMap cn=cn
md home.local +zimbraAutoProvAttrMap sn=sn
md home.local zimbraAutoProvLastPolledTimestamp ""
md home.local zimbraAutoProvAuthMech LDAP
md home.local zimbraAutoProvBatchSize 40
md home.local zimbraAutoProvLdapAdminBindDn "CN=Zimbra Webmail,OU=Admins,DC=home,DC=local"
md home.local zimbraAutoProvLdapAdminBindPassword PasswordRightHere
md home.local zimbraAutoProvLdapBindDn "Administrator@home.local"
md home.local zimbraAutoProvLdapSearchBase "dc=example,dc=com"
md home.local zimbraAutoProvLdapSearchFilter "(memberOf=CN=Zimbra,CN=Users,DC=home,DC=local)"
md home.local zimbraAutoProvLdapURL "ldap://10.120.40.10:389"
md home.local zimbraAutoProvMode EAGER
md home.local zimbraAutoProvNotificationBody "Your account has been auto provisioned.  Your email address is ${ACCOUNT_ADDRESS}."
md home.local zimbraAutoProvNotificationFromAddress zmail@home.local
md home.local zimbraAutoProvNotificationSubject "New account auto provisioned"
ms webmail.home.local zimbraAutoProvPollingInterval "3m"
ms webmail.home.local +zimbraAutoProvScheduledDomains "home.local"


Now the task is running, but it can't find new users. Old users still work. If I try to make use of an account which is new and has the group membership, nothing happens; the log will always say either 0 new autoprovisioning or that the account can't be found within AD.

Any ideas how to solve this?
Maybe it is possible if I could specify more than 1 OU as a SearchBase?

kind regards,
aglandorf


DualBoot
Elite member
Posts: 1165
Joined: Mon Apr 18, 2016 8:18 pm
Location: France - Earth
ZCS/ZD Version: ZCS FLOSS - 8.8.15 Mutli servers

Re: Autoprovisioning based on Group Membership.

Postby DualBoot » Wed Feb 12, 2020 4:20 pm

Hello,


If you use memberOf in the LDAP configuration, you should first test it with the ldapsearch command line, using the same configuration you have set.
As far as I know, AD does not manage groups of users the same way OpenLDAP does.
Another point is that you should look into the log to detect errors.

Regards,
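
An added example, not part of either post: the ldapsearch test suggested above, built from the same lookup settings Zimbra is given, plus a check that the search base and the group DN in the memberOf filter name the same domain. The four settings are copied from the second configuration in the thread; the function names are this example's own, and the script only prints the command rather than running it.

```shell
#!/bin/sh
# CONF_POSTED is a constructed excerpt: the four lookup settings from the
# second configuration in the thread, written as zmprov "md" lines.
CONF_POSTED='md home.local zimbraAutoProvLdapURL "ldap://10.120.40.10:389"
md home.local zimbraAutoProvLdapAdminBindDn "CN=Zimbra Webmail,OU=Admins,DC=home,DC=local"
md home.local zimbraAutoProvLdapSearchBase "dc=example,dc=com"
md home.local zimbraAutoProvLdapSearchFilter "(memberOf=CN=Zimbra,CN=Users,DC=home,DC=local)"'
CONF=$CONF_POSTED

# get_attr NAME: value of the last "md <domain> NAME ..." line, unquoted.
get_attr() {
    printf '%s\n' "$CONF" | sed -n "s/^md [^ ]* $1 //p" | tail -n 1 |
        sed 's/^"//; s/"$//'
}

# dc_suffix TEXT: the DC components found in a DN or filter, lower-cased.
dc_suffix() {
    printf '%s\n' "$1" | tr '[:upper:]' '[:lower:]' |
        grep -o 'dc=[^,)]*' | paste -sd, -
}

# check_scope: succeeds only if the search base and the group DN in the
# memberOf filter have identical DC components (same domain).
check_scope() {
    base_dc=$(dc_suffix "$(get_attr zimbraAutoProvLdapSearchBase)")
    group_dc=$(dc_suffix "$(get_attr zimbraAutoProvLdapSearchFilter)")
    [ -n "$base_dc" ] && [ "$base_dc" = "$group_dc" ]
}

# ldapsearch_cmd: prints the query that repeats the configured lookup (same
# URL, bind DN, base, filter). -W prompts for the password, keeping it out
# of the shell history and the process list.
ldapsearch_cmd() {
    printf "ldapsearch -x -H '%s' -D '%s' -W -b '%s' '%s' sAMAccountName memberOf\n" \
        "$(get_attr zimbraAutoProvLdapURL)" \
        "$(get_attr zimbraAutoProvLdapAdminBindDn)" \
        "$(get_attr zimbraAutoProvLdapSearchBase)" \
        "$(get_attr zimbraAutoProvLdapSearchFilter)"
}

report() {
    ldapsearch_cmd
    if check_scope; then echo "scope: base and group DN share a domain"
    else echo "scope: MISMATCH, base and group DN are in different domains"
    fi
}

report    # settings as posted
CONF=$(printf '%s\n' "$CONF_POSTED" | sed 's/"dc=example,dc=com"/"dc=home,dc=local"/')
report    # base set to dc=home,dc=local, the value used in the follow-up post
```

In Active Directory, memberOf lists direct group membership only, so a user who belongs to the group through a nested group does not match this filter. A simple bind over ldap:// on port 389 sends the bind password unencrypted; ldaps:// or StartTLS protects it in transit.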
aglandorf
Posts: 2
Joined: Wed Feb 12, 2020 9:48 am

Re: Autoprovisioning based on Group Membership.

Postby aglandorf » Thu Feb 13, 2020 9:53 am

Hi,

Code: Select all

ldapsearch -x -h 10.120.40.10 -p 389 -P 3 -b "DC=home,dc=local" -D "CN=Zimbra Webmail,OU=Admins,DC=support,DC=local" -w "PasswordRightHere" -b "CN=Zimbra,CN=Users,DC=home,DC=local"



seems to work and gives back 2 users in different OUs (which is true at the moment).
So I am going to change my current configuration:



Code: Select all

md home.local zimbraAutoProvLdapSearchBase "dc=home,dc=local"
md home.local zimbraAutoProvLdapSearchFilter "(memberOf=CN=Zimbra,CN=Users,DC=home,DC=local)"



to


Code: Select all

md home.local zimbraAutoProvLdapSearchFilter "(CN=Zimbra,CN=Users,DC=home,DC=local)"



which means I do not need to make use of the LdapSearchBase option.
Can I get rid of the current configuration by issuing the following?



Code: Select all

md home.local zimbraAutoProvLdapSearchBase ""


kind regards,
Aglandorf
