Previously, we configured how to integrate an external AD with Zimbra as the central authentication source for users. Although authentication is delegated to the external AD, the mailboxes still have to be created in Zimbra manually. If you want Zimbra to create the mailboxes automatically for users who authenticate against the external AD, you can use Zimbra Auto-Provisioning.
Zimbra Auto-Provisioning has two modes: Eager mode and Lazy mode. In eager mode, Zimbra polls the external AD at a fixed interval (for example every 1 minute) and creates the Zimbra mailboxes for the users it finds. In lazy mode, Zimbra does not create a mailbox until the AD user logs in via webmail; at that moment Zimbra creates the mailbox for that user automatically.
In this section I will configure eager-mode auto-provisioning. Create a file named autoprovision.zmp in the folder /srv/
vi /srv/autoprovision.zmp
and fill it with the following lines (one zmprov command per line):
md imanudin.net zimbraAutoProvAccountNameMap "sAMAccountName"
md imanudin.net zimbraAutoProvAttrMap "sn=sn"
md imanudin.net +zimbraAutoProvAttrMap "description=description"
md imanudin.net +zimbraAutoProvAttrMap "cn=displayName"
md imanudin.net +zimbraAutoProvAttrMap "givenName=givenName"
md imanudin.net zimbraAutoProvBatchSize "20"
md imanudin.net zimbraAutoProvLdapAdminBindDn "cn=Administrator,cn=users,dc=imanudin,dc=net"
md imanudin.net zimbraAutoProvLdapAdminBindPassword "VerySecret123"
md imanudin.net zimbraAutoProvLdapBindDn "cn=Administrator,cn=users,dc=imanudin,dc=net"
md imanudin.net zimbraAutoProvLdapSearchBase "dc=imanudin,dc=net"
md imanudin.net zimbraAutoProvLdapSearchFilter "(&(ObjectCategory=person))"
md imanudin.net zimbraAutoProvLdapURL "ldap://192.168.1.102:389"
md imanudin.net zimbraAutoProvMode "EAGER"
md imanudin.net zimbraAutoProvNotificationBody "Your account has been auto provisioned. Your email address is ${ACCOUNT_ADDRESS}."
md imanudin.net zimbraAutoProvNotificationFromAddress "admin@imanudin.net"
md imanudin.net zimbraAutoProvNotificationSubject "New account auto provisioned"
ms mail.imanudin.net zimbraAutoProvPollingInterval "1m"
ms mail.imanudin.net zimbraAutoProvScheduledDomains "imanudin.net"
INFORMATION
imanudin.net = the domain name on Zimbra
BatchSize = maximum number of mailboxes created in one polling run
LdapAdminBindDn/LdapBindDn = the Administrator user on Active Directory/Samba4
LdapAdminBindPassword = the password of that Administrator user
LdapSearchBase = the base DN under which AD/Samba4 is searched
LdapSearchFilter = the LDAP filter applied to the entries found under LdapSearchBase
LdapURL = the external AD/Samba4 server
PollingInterval = the interval between two polling runs
ScheduledDomains = the domain for which mailboxes are created automatically
After the file has been created, run the following command as the zimbra user (the file must be readable by that user)
su - zimbra -c "zmprov < /srv/autoprovision.zmp"
Check the progress of the automatic mailbox creation in /opt/zimbra/log/mailbox.log. Also check the mailboxes that have been created under Zimbra Admin | Manage.
Good luck and hopefully useful 😀
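As an added example (not from the article or from Zimbra), the following Python script parses a file in the zmprov format used above and flags the mistakes that commonly break auto-provisioning before the file is fed to zmprov: typographic quotes picked up when copying from a web page, a required attribute missing, an unbalanced search filter, a %u placeholder in EAGER mode, and a domain that no ms line schedules. The sample file is constructed, and the rule that EAGER mode uses the filter verbatim is my assumption.

```python
import re
# Constructed sample modelled on the article's autoprovision.zmp; the password is a placeholder.
SAMPLE_ZMP = """\
md imanudin.net zimbraAutoProvAccountNameMap "sAMAccountName"
md imanudin.net +zimbraAutoProvAttrMap "cn=displayName"
md imanudin.net zimbraAutoProvLdapAdminBindDn "cn=Administrator,cn=users,dc=imanudin,dc=net"
md imanudin.net zimbraAutoProvLdapAdminBindPassword "PLACEHOLDER-PASSWORD"
md imanudin.net zimbraAutoProvLdapSearchBase "dc=imanudin,dc=net"
md imanudin.net zimbraAutoProvLdapSearchFilter "(&(ObjectCategory=person))"
md imanudin.net zimbraAutoProvLdapURL "ldap://192.168.1.102:389"
md imanudin.net zimbraAutoProvMode "EAGER"
ms mail.imanudin.net zimbraAutoProvPollingInterval "1m"
ms mail.imanudin.net zimbraAutoProvScheduledDomains "imanudin.net"
"""

LINE_RE = re.compile(r'^(md|ms)\s+(\S+)\s+(\+?)(zimbraAutoProv\w+)\s+(.+)$')
CURLY = "\u201c\u201d\u2018\u2019"  # typographic quotes a web page substitutes for " and '
REQUIRED = ("zimbraAutoProvMode", "zimbraAutoProvLdapURL", "zimbraAutoProvLdapSearchBase",
            "zimbraAutoProvLdapSearchFilter", "zimbraAutoProvAccountNameMap",
            "zimbraAutoProvLdapAdminBindDn", "zimbraAutoProvLdapAdminBindPassword")

def parse_zmp(text):
    """Return (domains, servers, problems); domains/servers map target -> {attr: [values]}."""
    domains, servers, problems = {}, {}, []
    for n, line in enumerate((s.strip() for s in text.splitlines()), 1):
        if not line:
            continue
        if any(c in line for c in CURLY):
            problems.append(f"line {n}: typographic quotes will not parse in zmprov")
        m = LINE_RE.match(line)
        if not m:
            problems.append(f"line {n}: expected 'md <domain>' or 'ms <server>', attribute, value")
            continue
        cmd, target, plus, attr, value = m.groups()
        if len(value) > 1 and value[0] in "\"'" and value[-1] == value[0]:
            value = value[1:-1]  # drop the surrounding quotes, as zmprov does
        attrs = (domains if cmd == "md" else servers).setdefault(target, {})
        if plus:  # "+attr" appends a value; a bare "attr" replaces the whole list
            attrs.setdefault(attr, []).append(value)
        else:
            attrs[attr] = [value]
    return domains, servers, problems

def lint(text):
    """Return a list of problems; an empty list means the file is internally consistent."""
    domains, servers, problems = parse_zmp(text)
    for dom, a in domains.items():
        problems += [f"{dom}: missing {req}" for req in REQUIRED if req not in a]
        mode = a.get("zimbraAutoProvMode", [""])[0]
        filt = a.get("zimbraAutoProvLdapSearchFilter", [""])[0]
        if filt.count("(") != filt.count(")"):
            problems.append(f"{dom}: unbalanced parentheses in zimbraAutoProvLdapSearchFilter")
        if mode == "EAGER":
            if "%u" in filt:  # assumption: EAGER uses the filter verbatim, so %u matches nothing
                problems.append(f"{dom}: %u in the search filter is a LAZY-mode placeholder")
            if not any(dom in s.get("zimbraAutoProvScheduledDomains", [])
                       and "zimbraAutoProvPollingInterval" in s for s in servers.values()):
                problems.append(f"{dom}: no 'ms' line schedules this domain with a polling interval")
    return problems
```

Run lint() on the real file before zmprov; an empty list means every check passed, and each reported line refers to the line number in the .zmp file.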
Hi Iman,
When I run the command, I get the following messages in /opt/zimbra/log/mailbox.log
[root@mail ~]# tail -f /opt/zimbra/log/mailbox.log
2017-01-13 02:08:56,130 INFO [qtp509886383-306:https://127.0.0.1:7071/service/admin/soap/ModifyDomainRequest] [name=zimbra;ip=127.0.0.1;ua=zmprov/8.6.0_GA_1153;] soap - ModifyDomainRequest elapsed=1
2017-01-13 02:08:56,136 INFO [qtp509886383-195:https://127.0.0.1:7071/service/admin/soap/GetDomainRequest] [name=zimbra;ip=127.0.0.1;ua=zmprov/8.6.0_GA_1153;] soap - GetDomainRequest elapsed=0
2017-01-13 02:08:56,144 INFO [qtp509886383-306:https://127.0.0.1:7071/service/admin/soap/ModifyDomainRequest] [name=zimbra;ip=127.0.0.1;ua=zmprov/8.6.0_GA_1153;] soap - ModifyDomainRequest elapsed=1
2017-01-13 02:08:56,150 INFO [qtp509886383-195:https://127.0.0.1:7071/service/admin/soap/GetDomainRequest] [name=zimbra;ip=127.0.0.1;ua=zmprov/8.6.0_GA_1153;] soap - GetDomainRequest elapsed=1
2017-01-13 02:08:56,156 INFO [qtp509886383-306:https://127.0.0.1:7071/service/admin/soap/ModifyDomainRequest] [name=zimbra;ip=127.0.0.1;ua=zmprov/8.6.0_GA_1153;] soap - ModifyDomainRequest elapsed=2
2017-01-13 02:08:56,160 INFO [qtp509886383-195:https://127.0.0.1:7071/service/admin/soap/GetDomainRequest] [name=zimbra;ip=127.0.0.1;ua=zmprov/8.6.0_GA_1153;] soap - GetDomainRequest elapsed=0
2017-01-13 02:08:56,166 INFO [qtp509886383-306:https://127.0.0.1:7071/service/admin/soap/ModifyDomainRequest] [name=zimbra;ip=127.0.0.1;ua=zmprov/8.6.0_GA_1153;] soap - ModifyDomainRequest elapsed=1
2017-01-13 02:08:56,173 INFO [qtp509886383-195:https://127.0.0.1:7071/service/admin/soap/GetServerRequest] [name=zimbra;ip=127.0.0.1;ua=zmprov/8.6.0_GA_1153;] soap - GetServerRequest elapsed=3
2017-01-13 02:08:56,200 INFO [qtp509886383-306:https://127.0.0.1:7071/service/admin/soap/ModifyServerRequest] [name=zimbra;ip=127.0.0.1;ua=zmprov/8.6.0_GA_1153;] soap - ModifyServerRequest elapsed=2
2017-01-13 02:09:41,059 INFO [qtp509886383-309:https://172.16.10.200:7071/service/admin/soap/NoOpRequest] [name=admin@abc.com;mid=2;ip=172.16.10.20;ua=ZimbraWebClient - GC38 (Win);] soap - NoOpRequest elapsed=1
2017-01-13 02:10:03,005 INFO [qtp509886383-312:https://127.0.0.1:7071/service/admin/soap/AuthRequest] [name=zimbra;ip=127.0.0.1;ua=zmprov/8.6.0_GA_1153;] soap - AuthRequest elapsed=3
2017-01-13 02:10:04,224 INFO [qtp509886383-311:https://127.0.0.1:7071/service/admin/soap/GetAllServersRequest] [name=zimbra;ip=127.0.0.1;ua=zmprov/8.6.0_GA_1153;] soap - GetAllServersRequest elapsed=2
2017-01-13 02:10:09,715 INFO [ScheduledTask-2] [name=galsync.g5ttost9@abc.com;mid=1;ds=InternalGAL;] datasource - Requested import.
2017-01-13 02:10:09,717 INFO [ScheduledTask-2] [name=galsync.g5ttost9@abc.com;mid=1;ds=InternalGAL;] datasource - Importing data for data source 'InternalGAL'
2017-01-13 02:10:09,720 WARN [ScheduledTask-2] [name=galsync.g5ttost9@abc.com;mid=1;ds=InternalGAL;] ldap - unknown GAL op
2017-01-13 02:10:09,728 INFO [ScheduledTask-2] [name=galsync.g5ttost9@abc.com;mid=1;ds=InternalGAL;] datasource - Import completed for data source 'InternalGAL'
Hope you will help me on this.
Hi Joanquin,
Your mailbox.log is not related to the provisioning process. You can check from Zimbra Admin | Manage whether the provisioning process has been executed/finished.
In my environment, auto-provisioning works once I changed the LDAP port from 389 to 3268.
Thanks for guide. 🙂
Hi Renato,
Thanks for your information. It will be a note for me 🙂
Hi, I have Zimbra 8.6 and the zmp file gives me some errors.
[zimbra@zim srv]$ zmprov < /srv/autoprovision.zmp
[4] 10491
bash: lt: command not found
/srv/autoprovision.zmp: line 1: md: command not found
/srv/autoprovision.zmp: line 2: md: command not found
/srv/autoprovision.zmp: line 3: md: command not found
/srv/autoprovision.zmp: line 4: md: command not found
/srv/autoprovision.zmp: line 5: md: command not found
/srv/autoprovision.zmp: line 6: md: command not found
/srv/autoprovision.zmp: line 7: md: command not found
/srv/autoprovision.zmp: line 8: md: command not found
/srv/autoprovision.zmp: line 9: md: command not found
/srv/autoprovision.zmp: line 10: md: command not found
/srv/autoprovision.zmp: line 11: md: command not found
/srv/autoprovision.zmp: line 12: md: command not found
/srv/autoprovision.zmp: line 13: md: command not found
/srv/autoprovision.zmp: line 14: md: command not found
/srv/autoprovision.zmp: line 15: md: command not found
/srv/autoprovision.zmp: line 16: md: command not found
/srv/autoprovision.zmp: line 17: ms: command not found
/srv/autoprovision.zmp: line 18: ms: command not found
Sorry, but I fixed it.
I had to enter the zmprov command and then,
in prov> mode, I pasted everything.
Thanks so much!
Only one thing: if I want to give email access to only a few members of a group,
for example if I want to give access to the members of the group executive but not the rest of the domain users in the OU "users",
how would that be done?
Hi Santiago,
Glad to hear that you fixed your problem :D.
Did you mean you want to auto-provision specific groups? If yes, you can modify this attribute: zimbraAutoProvLdapSearchFilter, and adjust it to your environment.
Hi, when I execute the command below, I am facing the error below:
[zimbra@zimbra root]$ zmprov < /srv/autoprovision.zmp
[1] 25034
bash: lt: command not found
/srv/autoprovision.zmp: line 1: md: command not found
/srv/autoprovision.zmp: line 2: md: command not found
/srv/autoprovision.zmp: line 3: md: command not found
/srv/autoprovision.zmp: line 4: md: command not found
/srv/autoprovision.zmp: line 5: md: command not found
/srv/autoprovision.zmp: line 6: md: command not found
/srv/autoprovision.zmp: line 7: md: command not found
/srv/autoprovision.zmp: line 8: md: command not found
/srv/autoprovision.zmp: line 9: md: command not found
/srv/autoprovision.zmp: line 10: md: command not found
/srv/autoprovision.zmp: line 11: md: command not found
/srv/autoprovision.zmp: line 12: md: command not found
/srv/autoprovision.zmp: line 13: md: command not found
/srv/autoprovision.zmp: line 14: md: command not found
/srv/autoprovision.zmp: line 15: md: command not found
/srv/autoprovision.zmp: line 16: md: command not found
/srv/autoprovision.zmp: line 17: ms: command not found
/srv/autoprovision.zmp: line 18: ms: command not found
Hi shiva,
If the command doesn't work, please try to run zmprov first and paste all the commands above
Thanks Iman, it's working.
But the users that are created in AD are showing in Zimbra Admin console?
Sorry, but the users that are created in AD are not showing in Zimbra Admin console?
Hi Shiva,
Could you please give me more information about the error or anything else in the log? You can check the log in /opt/zimbra/log/mailbox.log
Hi Iman,
Thanks for supporting me,
When I sync Zimbra with AD and create a new user in that domain, I do not get the password field to give the user a password. And the users that are created in Zimbra are not showing in AD.
Please suggest me.
Hi friend.
I have this query:
zimbraAutoProvLdapSearchFilter "(&(sAMAccountName=*)(objectClass=user)(givenName=*)(memberOf=cn=Zimbra_Intranet,ou=ZIMBRA,ou=Grupos,dc=hmsc,dc=com,dc=br))"
But this creates the user only if I create and put the new user in the "ZIMBRA" OU.
If I add old users to the "Zimbra_Intranet" group without changing the OU, the account is not auto-created.
What might be happening?
Thanks
Hi Julio,
Are you able to view all users with a search filter like that? Please try running the following command on your Zimbra to check whether the users can be viewed/filtered or not:
/opt/zimbra/bin/ldapsearch -LLL -x -h IP-of-AD -p 389 -D "cn=Administrator,cn=users,dc=yourdomain,dc=com" -w "password-administrator-AD" -b "dc=yourdomain,dc=com" "(&(sAMAccountName=*)(objectClass=user)(givenName=*)(memberOf=cn=Zimbra_Intranet,ou=ZIMBRA,ou=Grupos,dc=hmsc,dc=com,dc=br))"
Thanks Iman, it's working now.
Hello, I'm having a problem similar to Julio's, but my search via ldapsearch is returning the value I want, which is the user within the specific group. When I use it inside the filter in Zimbra, it does not fetch the user; I do not know what else to do.
Hi Vinicius,
I will try in my lab first. This guide is not specific to a group or another attribute.
When you use Zentyal as Active Directory, you must use "CN = Domain Administrator, CN = users, dc = domain, DC = local"
Hi Renato,
Thanks for your information. Your information is useful. Appreciated 😀
Hi Iman,
I configured LAZY mode of auto provisioning and when I try to use it, I am getting the below error in mailbox.log:
2015-05-21 12:42:32,288 INFO [qtp509886383-295:http://127.0.0.1:8080/service/soap/AuthRequest] [oip=192.168.10.66;ua=zclient/8.5.0_GA_3042;] autoprov - unable to authenticate abc@bcits.co.in for auto provisioning
com.zimbra.cs.account.AccountServiceException$AuthFailedServiceException: authentication failed for []
ExceptionId:qtp509886383-295:http://127.0.0.1:8080/service/soap/AuthRequest:1432192352288:a10d45054c36c059
Code:account.AUTH_FAILED
at com.zimbra.cs.account.AccountServiceException$AuthFailedServiceException.AUTH_FAILED(AccountServiceException.java:142)
at com.zimbra.cs.account.ldap.LdapProvis…….
Caused by: com.zimbra.cs.account.AccountServiceException$AuthFailedServiceException: authentication failed for [N/A]
ExceptionId:qtp509886383-295:http://127.0.0.1:8080/service/soap/AuthRequest:1432192352288:a10d45054c36c059
Code:account.AUTH_FAILED
at com.zimbra.cs.account.AccountServiceException$AuthFailedServiceException.AUTH_FAILED(AccountServiceException.java:154)
at com.zimbra.cs.account.ldap.LdapProvisioning.ldapAuthenticate(LdapProvisioning.java:5138)
How do I know what I have configured incorrectly? (I am pretty sure about the credentials.) My auto provisioning configurations are:
md onlinebcits.com zimbraAutoProvMode "LAZY"
md onlinebcits.com zimbraAutoProvLdapURL "ldap://192.168.10.230:389"
md onlinebcits.com zimbraAutoProvLdapAdminBindDn "cn=Directory Manager"
md onlinebcits.com zimbraAutoProvLdapAdminBindPassword "xxxxx"
md onlinebcits.com zimbraAutoProvLdapSearchFilter "%u"
md onlinebcits.com zimbraAutoProvLdapSearchBase "dc=bcits,dc=co,dc=in"
md onlinebcits.com zimbraAutoProvLdapBindDn "uid=%u"
md onlinebcits.com zimbraAutoProvNotificationBody "Your account has been auto provisioned. Your email address is ${ACCOUNT_ADDRESS}."
md onlinebcits.com zimbraAutoProvNotificationFromAddress "admin@onlinebcits.com"
md onlinebcits.com zimbraAutoProvNotificationSubject "New account auto provisioned"
Also, the log shows that auto provisioning is happening only for certain accounts; any idea why it is not happening for all the accounts? (I am using ZCS 8.5.0.)
Regards,
Seenu.
hi Seenu,
I have not tried it yet with LDAP/OpenLDAP. I will try in my environment and update the progress.
I have one question.
When the account is automatically created, it uses the AD password.
There is an option to enable the fallback in case of AD failure, but I would have to set the password manually.
Is there a way for the fallback password to be the same as the synchronized AD password?
Hi Julio,
For now, I have not yet found how to do that.
Thanks 🙁
Great work Iman… I got this message when I try to execute the
3] 8548
Usage: lt `parameters’ [versionkey]
computes the n-point one-loop integrals
n depends on `parameters’:
n = 1: m
n = 2: p m1 m2
n = 3: p1 p2 p1p2 m1 m2 m3
n = 4: p1 p2 p3 p4 p1p2 p2p3 m1 m2 m3 m4
n = 5: p1 p2 p3 p4 p5 p1p2 p2p3 p3p4 p4p5 p5p1 m1 m2 m3 m4 m5
versionkey can be one of:
0 = compute version a (same as no versionkey)
1 = compute version b
2 = compute a and b, compare, return a
3 = compute a and b, compare, return b
-su: /srv/autoprovision.zmp: Permission denied
zimbra@pms:~$ zmprov < /srv/autoprovision.zmp
-su: /srv/autoprovision.zmp: Permission denied
Hey, I fixed it. Thanks for your great article.
Hi Suresh,
Glad to hear that 😀
Hi Iman,
Thanks for your great article.
But I have one query about how to change the Zimbra Active Directory webmail password.
Hi Raj,
Please take a look at my article: https://imanudin.net/2015/02/03/how-to-change-password-users-active-directorysamba4-via-web-using-ldap-toolbox/
Hello, I have successfully configured the auto-provisioning, I would now like to be able to automatically remove them from Zimbra as I delete them in my active directory.
HI Alexei,
I will try in my lab and write the results on the blog
Hi Iman, need your help.
I've followed all of your instructions, but I still get an 'invalid credentials' error. I have tested it with Zimbra external auth using an external AD and it passed.
Here is the log:
Caused by: LDAPException(resultCode=49 (invalid credentials), errorMessage='80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1', diagnosticMessage='80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1')
ps: sorry for my bad english
rgrd,
hamboro
Hi Mas Hamboro,
The user and password have to be the Administrator's. You can also test external authentication by logging in to Zimbra with the AD Administrator user and password.
Hi Mas Iman,
If the domain in DNS and in mail are different, how?
Because I get the error message 52e invalid credentials.
In Active Directory I use local.domain.co.id but for mail I use domain.co.id
Thanks
Hello,
No problem. The error in the log says that your credentials are invalid. Please check the admin user and password in your AD
Hi... I had enabled auto-provisioning against our Active Directory and it was working fine in LAZY mode. The script was placed in the /tmp directory as per the Zimbra documentation ( https://wiki.zimbra.com/wiki/How_to_con … ng_with_AD ), but as it was in /tmp it got deleted after a month. I have tried to recreate the script and it is not working. I have verified the script against one of the backups I had and it looks fine. As we have almost 6000 AD users now, I suspect the LDAP query may be causing the issue; I have increased the LDAP session count on AD to 10000, still no luck. Can anyone help with where I am going wrong? I need to use LAZY mode as I just need to create the user in AD.
Please see my script and help.
md xxxx.com zimbraAutoProvMode LAZY
md xxxx.com zimbraAutoProvAccountNameMap "samAccountName"
md xxxx.com +zimbraAutoProvAttrMap description=description
md xxxx.com +zimbraAutoProvAttrMap displayName=displayName
md xxxx.com +zimbraAutoProvAttrMap givenName=givenName
md xxxx.com +zimbraAutoProvAttrMap cn=cn
md xxxx.com +zimbraAutoProvAttrMap sn=sn
md xxxx.com zimbraAutoProvAuthMech LDAP
md xxxx.com zimbraAutoProvBatchSize 40
md xxxx.com zimbraAutoProvLdapAdminBindDn "CN=zimbraldap,OU=GLOBAL,DC=xxxx,DC=com"
md xxxx.com zimbraAutoProvLdapAdminBindPassword "password"
md xxxx.com zimbraAutoProvLdapBindDn "zimbraldap@xxxx.com"
md xxxx.com zimbraAutoProvLdapSearchBase "dc=xxxx,dc=com"
md xxxx.com zimbraAutoProvLdapSearchFilter "(cn=%u)"
md xxxx.com zimbraAutoProvLdapURL "ldap://192.168.xx.xxx:389"
md xxxx.com zimbraAutoProvNotificationBody "Your account has been auto provisioned. Your email address is ${ACCOUNT_ADDRESS}. Password will be same as your windows password"
md xxxx.com zimbraAutoProvNotificationFromAddress prov-admin@xxxx.com
md xxxx.com zimbraAutoProvNotificationSubject "New account auto provisioned"
ms zimbramail.xxxx.com zimbraAutoProvPollingInterval "1m"
ms zimbramail.xxxx.com +zimbraAutoProvScheduledDomains "xxxx.com"
Hello,
The script only runs once, so if your script in /tmp is deleted, the configuration that was made does not change. About the problem: maybe the query/filter did not match and did not point to the samAccount on AD
My AD environment is Windows Server 2012
Thanks for your work here. It makes life with Zimbra a lot easier.
One question: when I have auto-provisioned a user from AD and deleted it afterwards, can I somehow retrigger auto-provisioning for said user?
Hi Frank Scherrer,
Yes, auto-provisioning will trigger automatically and re-create the user again
Hi Iman
I created the autoprov.zmp,
but it only creates 6 users in Zimbra while the AD has 1200 users.
What could be the problem?
md sis.com zimbraAutoProvAccountNameMap "sAMAccountName"
md sis.com +zimbraAutoProvAttrMap "description=description"
md sis.com +zimbraAutoProvAttrMap "cn=displayName"
md sis.com +zimbraAutoProvAttrMap "givenName=givenName"
md sis.com +zimbraAutoProvAttrMap "cn=cn"
md sis.com +zimbraAutoProvAttrMap "sn=sn"
md sis.com zimbraAutoProvAuthMech "LDAP"
md sis.com zimbraAutoProvBatchSize "200"
md sis.com zimbraAutoProvLdapAdminBindDn "CN=Administrator,CN=Users,DC=sis,DC=com"
md sis.com zimbraAutoProvLdapAdminBindPassword "Tur_f@201_8"
md sis.com zimbraAutoProvLdapBindDn "CN=Administrator,CN=Users,DC=sis,DC=com"
md sis.com zimbraAutoProvLdapSearchBase "DC=sis,DC=com"
md sis.com zimbraAutoProvLdapSearchFilter "(cn=%u)"
md sis.com zimbraAutoProvLdapURL "ldap://10.15.7.2:389"
md sis.com zimbraAutoProvMode EAGER
md sis.com zimbraAutoProvNotificationBody "Your account has been auto provisioned. Your email address is ${ACCOUNT_ADDRESS}."
md sis.com zimbraAutoProvNotificationFromAddress admin@sis.com
md sis.com zimbraAutoProvNotificationSubject "New account auto provisioned"
ms mail.sis.com zimbraAutoProvPollingInterval "10m"
ms mail.sis.com +zimbraAutoProvScheduledDomains "sis.com"
Is there any command to identify my search filter in AD?
How can I go about identifying the search filter?
Hello Jose,
I usually use ldapsearch to test the filter. Please see the guide here: https://linux.die.net/man/1/ldapsearch