In one of our past articles, we talked about how to "make friends" between Zimbra and MS Active Directory, which most Russian enterprises use to manage user accounts. There we suggested that Zimbra users use the simplest and safest way to create Zimbra mailboxes from AD data, called LAZY Mode. In this mode a new Zimbra user is created automatically, with the name and password taken from AD, at the moment of their first login to the Zimbra web client. However, the discussion in the comments made it clear that this method of auto-provisioning Zimbra users from AD does not suit every administrator. So now we will talk about an alternative way to automate the creation of user accounts from AD data, called EAGER Mode.

LAZY and EAGER Mode are different approaches to creating new accounts. In LAZY Mode the system waits for the user to log in to the Zimbra web client before creating the account; in EAGER Mode the system periodically polls the AD server for new users and, whenever it finds any, creates accounts for them from the data provided by Active Directory. This seemingly small difference can make LAZY Mode completely unacceptable for a number of IT managers.
One such case is a direct ban on using the Zimbra web client. The reason may be saving server capacity (with the web client, a Zimbra server can serve about 2500 users well; with desktop and mobile clients only, up to 5-6 thousand users), or an enterprise security policy that explicitly forbids working with mail through a web client. Without a web client, LAZY Mode cannot be used at all, since it only works there, so IT managers of such enterprises have no choice but to use EAGER Mode.
First of all, we need to connect AD to Zimbra as an external LDAP. To do this, open the administration console at mail.company.ru:7071/zimbraAdmin/, then in the left sidebar select Configure, and then the Domains item. In the list of domains, select the one that will be used together with AD, right-click it and choose "Configure Authentication". The external LDAP configuration dialog will then appear, where we enter all the data needed to integrate Zimbra with AD.
After entering all the necessary data, you should create a configuration file, for example with touch ~/Documents/autoprov.cfg, into which we will put the series of commands that activate auto-provisioning of accounts from AD in EAGER Mode. Unlike LAZY Mode, where the configuration is very simple and every setting can be typed as a command in the CLI, in the case of EAGER Mode it is better to play safe and keep all settings in a separate file. That makes it easier to change them if something suddenly goes wrong.
So, after creating the file ~/Documents/autoprov.cfg, enter the following lines into it, first adapting them to your infrastructure:
md company.ru zimbraAutoProvAccountNameMap "samAccountName"
md company.ru +zimbraAutoProvAttrMap description=description
md company.ru +zimbraAutoProvAttrMap displayName=displayName
md company.ru +zimbraAutoProvAttrMap givenName=givenName
md company.ru +zimbraAutoProvAttrMap cn=cn
md company.ru +zimbraAutoProvAttrMap sn=sn
md company.ru zimbraAutoProvAuthMech LDAP
md company.ru zimbraAutoProvBatchSize 40
md company.ru zimbraAutoProvLdapAdminBindDn "CN=Administrator,CN=Users,DC=company,DC=ru"
md company.ru zimbraAutoProvLdapAdminBindPassword *********
md company.ru zimbraAutoProvLdapBindDn "Administrator@company.ru"
md company.ru zimbraAutoProvLdapSearchBase "CN=Users,dc=company,dc=ru"
md company.ru zimbraAutoProvLdapSearchFilter "(cn=%u)"
md company.ru zimbraAutoProvLdapURL "ldap://192.168.0.1:389"
md company.ru zimbraAutoProvMode EAGER
md company.ru zimbraAutoProvNotificationBody " . ${ACCOUNT_ADDRESS}."
md company.ru zimbraAutoProvNotificationFromAddress Administrator@company.ru
md company.ru zimbraAutoProvNotificationSubject " "
ms mail.company.ru zimbraAutoProvPollingInterval "1m"
ms mail.company.ru +zimbraAutoProvScheduledDomains "company.ru"
Thanks to these settings, we force the Zimbra server to contact AD every minute and receive information about new users appearing in the database, and if they are found, create an account for them and send a greeting message.
After the changes in the file are saved, apply the settings it contains with the command zmprov < ~/Documents/autoprov.cfg. All changes take effect immediately; there should be no need to restart the server.
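Because the file carries the AD admin bind password in clear text, it is worth generating it in a controlled way rather than editing it by hand each time. The following Python script is an added example, not code from the article or from Zimbra: it builds the same zmprov commands as the file above from a handful of parameters and writes the file so that only its owner can read it. The parameter names, the quoting rule (values are wrapped in double quotes and values containing a double quote are rejected) and the omission of the notification subject and body are this example's own choices; the attribute names are the ones used in the article.

```python
import os
import stat

# AD attribute -> Zimbra attribute map, as used in the article's configuration.
DEFAULT_ATTR_MAP = {
    "description": "description",
    "displayName": "displayName",
    "givenName": "givenName",
    "cn": "cn",
    "sn": "sn",
}


def _q(value):
    """Wrap a value in double quotes for a zmprov command line.

    A value containing a double quote or newline would break the command
    boundaries in the file, so such values are refused outright instead of
    being escaped (assumption: we do not rely on zmprov escape handling).
    """
    value = str(value)
    if '"' in value or "\n" in value:
        raise ValueError("unsafe value for zmprov: %r" % value)
    return '"%s"' % value


def build_autoprov_cfg(domain, mailbox_server, ad_url, admin_bind_dn,
                       admin_bind_password, search_base,
                       search_filter="(cn=%u)", name_attr="samAccountName",
                       attr_map=None, polling_interval="1m", batch_size=40,
                       user_bind_dn=None, notify_from=None):
    """Return the list of zmprov lines that enable EAGER-mode auto-provisioning."""
    attr_map = DEFAULT_ATTR_MAP if attr_map is None else attr_map
    md = "md %s " % domain
    lines = [md + "zimbraAutoProvAccountNameMap " + _q(name_attr)]
    for ad_attr, zimbra_attr in attr_map.items():
        # '+' appends a value to a multi-valued attribute instead of replacing it.
        lines.append(md + "+zimbraAutoProvAttrMap " + _q("%s=%s" % (ad_attr, zimbra_attr)))
    lines += [
        md + "zimbraAutoProvAuthMech LDAP",
        md + "zimbraAutoProvBatchSize " + _q(batch_size),
        md + "zimbraAutoProvLdapAdminBindDn " + _q(admin_bind_dn),
        md + "zimbraAutoProvLdapAdminBindPassword " + _q(admin_bind_password),
    ]
    if user_bind_dn:
        lines.append(md + "zimbraAutoProvLdapBindDn " + _q(user_bind_dn))
    lines += [
        md + "zimbraAutoProvLdapSearchBase " + _q(search_base),
        md + "zimbraAutoProvLdapSearchFilter " + _q(search_filter),
        md + "zimbraAutoProvLdapURL " + _q(ad_url),
        md + "zimbraAutoProvMode EAGER",
    ]
    if notify_from:
        lines.append(md + "zimbraAutoProvNotificationFromAddress " + _q(notify_from))
    # Polling interval and scheduled domains are server (ms) attributes, not domain ones.
    lines += [
        "ms %s zimbraAutoProvPollingInterval %s" % (mailbox_server, _q(polling_interval)),
        "ms %s +zimbraAutoProvScheduledDomains %s" % (mailbox_server, _q(domain)),
    ]
    return lines


def write_autoprov_cfg(path, lines):
    """Write the lines to `path`, readable and writable by the owner only (mode 0600)."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write("\n".join(lines) + "\n")
    os.chmod(path, 0o600)  # tighten the mode even if the file already existed
    return path


def cfg_file_mode(path):
    """Return the permission bits of `path` (e.g. 0o600)."""
    return stat.S_IMODE(os.stat(path).st_mode)


if __name__ == "__main__":
    # Placeholder values mirroring the article; the password must come from a secret store.
    cfg = build_autoprov_cfg("company.ru", "mail.company.ru", "ldap://192.168.0.1:389",
                             "CN=Administrator,CN=Users,DC=company,DC=ru",
                             os.environ.get("AD_BIND_PASSWORD", "*********"),
                             "CN=Users,dc=company,dc=ru",
                             user_bind_dn="Administrator@company.ru",
                             notify_from="Administrator@company.ru")
    print("\n".join(cfg))
```

Run it on the Zimbra host as the zimbra user and redirect the output into ~/Documents/autoprov.cfg (or call write_autoprov_cfg directly), then apply it with zmprov < ~/Documents/autoprov.cfg exactly as described above; the 0600 mode matters because anyone who can read the file can bind to AD with the administrator account.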
If auto-provisioning of accounts from AD in EAGER Mode is working, the file /opt/zimbra/log/mailbox.log will show its progress in the following form:
[AutoProvision] [] autoprov - Auto provisioning accounts on domain company.ru
[AutoProvision] [] autoprov - 1 external LDAP entries returned as search result
[AutoProvision] [] autoprov - auto creating account in EAGER mode: example@company.ru, dn="CN=example,OU=zimbrausers,DC=company,DC=ru"
If auto-provisioning of accounts does not work, the problem is most likely on the AD server side. In that case you need to look at the error code. The most common ones are:
525 - User not found
52e - Invalid credentials
530 - Not permitted to log on at this time
531 - Not permitted to log on from this workstation
532 - Password expired
533 - Account disabled
534 - User has not been granted the requested logon type at this machine
701 - Account expired
773 - User must reset password
775 - Account locked out
8350 - Incorrect distinguished name format
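Reading mailbox.log by eye every minute is tedious, so here is an added example (not code from the article or from Zimbra) of a small Python log checker that covers both things described above: it collects the accounts that EAGER mode reports as created, and it decodes the AD error codes from the list above when they appear in a bind failure. The assumption is that Active Directory reports the code as the hexadecimal value after "data" in its "AcceptSecurityContext error" message, which is the form AD uses for bind failures; the sample log lines are constructed for this example (the DSID and timestamps are placeholders) and follow the format shown in the article.

```python
import re

# AD bind sub-codes from the article, keyed by the hex value AD puts after "data".
AD_BIND_CODES = {
    "525": "user not found",
    "52e": "invalid credentials",
    "530": "not permitted to log on at this time",
    "531": "not permitted to log on from this workstation",
    "532": "password expired",
    "533": "account disabled",
    "534": "user has not been granted the requested logon type at this machine",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
    "8350": "incorrect distinguished name format",
}

AD_DATA_RE = re.compile(r"AcceptSecurityContext error, data ([0-9A-Fa-f]+)")
CREATED_RE = re.compile(r'auto creating account in EAGER mode: (\S+@[^,\s]+), dn="([^"]+)"')
RETURNED_RE = re.compile(r"(\d+) external LDAP entries returned")

# Constructed sample of what mailbox.log looks like during one polling cycle
# followed by a failed bind; not real log output.
SAMPLE_LOG = """\
2020-05-20 10:00:01,123 INFO  [AutoProvision] [] autoprov - Auto provisioning accounts on domain company.ru
2020-05-20 10:00:01,456 INFO  [AutoProvision] [] autoprov - 1 external LDAP entries returned as search result
2020-05-20 10:00:01,789 INFO  [AutoProvision] [] autoprov - auto creating account in EAGER mode: example@company.ru, dn="CN=example,OU=zimbrausers,DC=company,DC=ru"
2020-05-20 10:01:01,123 ERROR [AutoProvision] [] autoprov - LDAP: error code 49 - 80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v2580
"""


def decode_ad_error(line):
    """Return (code, meaning) if the line carries an AD bind sub-code, else None."""
    m = AD_DATA_RE.search(line)
    if not m:
        return None
    code = m.group(1).lower()
    return code, AD_BIND_CODES.get(code, "unknown sub-code")


def created_accounts(lines):
    """Return (address, dn) pairs for every account EAGER mode reports as created."""
    found = []
    for line in lines:
        m = CREATED_RE.search(line)
        if m:
            found.append((m.group(1), m.group(2)))
    return found


def summarize(lines):
    """Summarize a chunk of mailbox.log: created accounts, entries returned, AD errors."""
    summary = {"created": created_accounts(lines), "entries_returned": 0, "errors": []}
    for line in lines:
        if "[AutoProvision]" not in line:
            continue  # only auto-provisioning lines are of interest here
        m = RETURNED_RE.search(line)
        if m:
            summary["entries_returned"] += int(m.group(1))
        err = decode_ad_error(line)
        if err:
            summary["errors"].append(err)
    return summary


if __name__ == "__main__":
    # Replace SAMPLE_LOG with open("/opt/zimbra/log/mailbox.log").read() on the server.
    result = summarize(SAMPLE_LOG.splitlines())
    for address, dn in result["created"]:
        print("created %s (%s)" % (address, dn))
    for code, meaning in result["errors"]:
        print("AD bind error %s: %s" % (code, meaning))
```

On the sample it reports one created account and one bind error decoded as 52e, invalid credentials, which is the first thing to check after a password change on the bind account. Codes not in the table are reported as "unknown sub-code" rather than being dropped, so new failure types are still visible.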