Zimbra + External AD : Automatically Create Mailboxes Zimbra with Eager Mode Auto-Provisioning

Posted by

Previously, we have been configuring how to integration external AD with Zimbra as center of authentications of users. although we have been configuring authentication to external AD, we still need to create mailboxes in Zimbra manually. if you want to automatically create mailboxes in Zimbra which authentication to external AD, you can use the Zimbra Auto-Provisioning.

Zimbra Auto-Provisioning divided become 2 mode. Eager mode and Lazy mode. If using eager mode, zimbra will check users of external AD every certain times (example every 1 minutes) and create mailboxes Zimbra. if using lazy mode, Zimbra will not create mailboxes until users of external AD login via webmail and Zimbra will automatically create mailboxes for that users.

in this section, i will configure how to using eager mode auto-provisioning. Create file with name autoprovision.zmp on folder /srv/

vi /srv/autoprovision.zmp

fill with the following line

md imanudin.net zimbraAutoProvAccountNameMap "sAMAccountName"
md imanudin.net zimbraAutoProvAttrMap "sn=sn"
md imanudin.net +zimbraAutoProvAttrMap "description=description"
md imanudin.net +zimbraAutoProvAttrMap "cn=displayName"
md imanudin.net +zimbraAutoProvAttrMap "givenName=givenName"
md imanudin.net zimbraAutoProvBatchSize "20"
md imanudin.net zimbraAutoProvLdapAdminBindDn "cn=Administrator,cn=users,dc=imanudin,dc=net"
md imanudin.net zimbraAutoProvLdapAdminBindPassword "VerySecret123"
md imanudin.net zimbraAutoProvLdapBindDn "cn=Administrator,cn=users,dc=imanudin,dc=net"
md imanudin.net zimbraAutoProvLdapSearchBase "dc=imanudin,dc=net"
md imanudin.net zimbraAutoProvLdapSearchFilter "(&(ObjectCategory=person))"
md imanudin.net zimbraAutoProvLdapURL "ldap://192.168.1.102:389"
md imanudin.net zimbraAutoProvMode "EAGER"
md imanudin.net zimbraAutoProvNotificationBody "Your account has been auto provisioned. Your email address is ${ACCOUNT_ADDRESS}."
md imanudin.net zimbraAutoProvNotificationFromAddress "admin@imanudin.net"
md imanudin.net zimbraAutoProvNotificationSubject "New account auto provisioned"
ms mail.imanudin.net zimbraAutoProvPollingInterval "1m"
ms mail.imanudin.net zimbraAutoProvScheduledDomains "imanudin.net"

INFORMATION

imanudin.net = domain name on Zimbra
BatchSize = maximum create mailboxes at one-time process
LdapAdminBindDn/LdapBindDn = user Administrator at Active Directory/Samba4
LdapAdminBindPassword = password user Administrator
LdapSearchBase = attribute search AD/Samba4
LdapSearchFilter = attribute search filter results of LdapSearchBase
LdapURL = server external AD/Samba4
PollingInterval = time at one-time process
ScheduledDomains = domain name to be automated create mailboxes

After above file has been created, run the following command as Zimbra

su - zimbra
zmprov < /srv/autoprovision.zmp

Please check process automatically create mailboxes at /opt/zimbra/log/mailbox.log. Please check also mailboxes which has been created at Zimbra Admin | Manage.

Good luck and hopefully useful 😀

46 comments

    1. Hi iman
      When i run the command I got the message in the /opt/zimbra/log/mailbox.log
      [root@mail ~]# tail -f /opt/zimbra/log/mailbox.log
      2017-01-13 02:08:56,130 INFO [qtp509886383-306:https://127.0.0.1:7071/service/admin/soap/ModifyDomainRequest%5D [name=zimbra;ip=127.0.0.1;ua=zmprov/8.6.0_GA_1153;] soap – ModifyDomainRequest elapsed=1
      2017-01-13 02:08:56,136 INFO [qtp509886383-195:https://127.0.0.1:7071/service/admin/soap/GetDomainRequest%5D [name=zimbra;ip=127.0.0.1;ua=zmprov/8.6.0_GA_1153;] soap – GetDomainRequest elapsed=0
      2017-01-13 02:08:56,144 INFO [qtp509886383-306:https://127.0.0.1:7071/service/admin/soap/ModifyDomainRequest%5D [name=zimbra;ip=127.0.0.1;ua=zmprov/8.6.0_GA_1153;] soap – ModifyDomainRequest elapsed=1
      2017-01-13 02:08:56,150 INFO [qtp509886383-195:https://127.0.0.1:7071/service/admin/soap/GetDomainRequest%5D [name=zimbra;ip=127.0.0.1;ua=zmprov/8.6.0_GA_1153;] soap – GetDomainRequest elapsed=1
      2017-01-13 02:08:56,156 INFO [qtp509886383-306:https://127.0.0.1:7071/service/admin/soap/ModifyDomainRequest%5D [name=zimbra;ip=127.0.0.1;ua=zmprov/8.6.0_GA_1153;] soap – ModifyDomainRequest elapsed=2
      2017-01-13 02:08:56,160 INFO [qtp509886383-195:https://127.0.0.1:7071/service/admin/soap/GetDomainRequest%5D [name=zimbra;ip=127.0.0.1;ua=zmprov/8.6.0_GA_1153;] soap – GetDomainRequest elapsed=0
      2017-01-13 02:08:56,166 INFO [qtp509886383-306:https://127.0.0.1:7071/service/admin/soap/ModifyDomainRequest%5D [name=zimbra;ip=127.0.0.1;ua=zmprov/8.6.0_GA_1153;] soap – ModifyDomainRequest elapsed=1
      2017-01-13 02:08:56,173 INFO [qtp509886383-195:https://127.0.0.1:7071/service/admin/soap/GetServerRequest%5D [name=zimbra;ip=127.0.0.1;ua=zmprov/8.6.0_GA_1153;] soap – GetServerRequest elapsed=3
      2017-01-13 02:08:56,200 INFO [qtp509886383-306:https://127.0.0.1:7071/service/admin/soap/ModifyServerRequest%5D [name=zimbra;ip=127.0.0.1;ua=zmprov/8.6.0_GA_1153;] soap – ModifyServerRequest elapsed=2
      2017-01-13 02:09:41,059 INFO [qtp509886383-309:https://172.16.10.200:7071/service/admin/soap/NoOpRequest%5D [name=admin@abc.com;mid=2;ip=172.16.10.20;ua=ZimbraWebClient – GC38 (Win);] soap – NoOpRequest elapsed=1
      2017-01-13 02:10:03,005 INFO [qtp509886383-312:https://127.0.0.1:7071/service/admin/soap/AuthRequest%5D [name=zimbra;ip=127.0.0.1;ua=zmprov/8.6.0_GA_1153;] soap – AuthRequest elapsed=3
      2017-01-13 02:10:04,224 INFO [qtp509886383-311:https://127.0.0.1:7071/service/admin/soap/GetAllServersRequest%5D [name=zimbra;ip=127.0.0.1;ua=zmprov/8.6.0_GA_1153;] soap – GetAllServersRequest elapsed=2
      2017-01-13 02:10:09,715 INFO [ScheduledTask-2] [name=galsync.g5ttost9@abc.com;mid=1;ds=InternalGAL;] datasource – Requested import.
      2017-01-13 02:10:09,717 INFO [ScheduledTask-2] [name=galsync.g5ttost9@abc.com;mid=1;ds=InternalGAL;] datasource – Importing data for data source ‘InternalGAL’
      2017-01-13 02:10:09,720 WARN [ScheduledTask-2] [name=galsync.g5ttost9@abc.com;mid=1;ds=InternalGAL;] ldap – unknown GAL op
      2017-01-13 02:10:09,728 INFO [ScheduledTask-2] [name=galsync.g5ttost9@abc.com;mid=1;ds=InternalGAL;] datasource – Import completed for data source ‘InternalGAL’

      1. Hi Joanquin,

        Your mailbox.log not related into provision process. You can check from Zimbra Admin | Manage if provision process have been execute/finish.

  1. hi i have zimbra 8.6 and the file zmp give me some errors.
    [zimbra@zim srv]$ zmprov < /srv/autoprovision.zmp
    [4] 10491
    bash: lt: command not found
    /srv/autoprovision.zmp: line 1: md: command not found
    /srv/autoprovision.zmp: line 2: md: command not found
    /srv/autoprovision.zmp: line 3: md: command not found
    /srv/autoprovision.zmp: line 4: md: command not found
    /srv/autoprovision.zmp: line 5: md: command not found
    /srv/autoprovision.zmp: line 6: md: command not found
    /srv/autoprovision.zmp: line 7: md: command not found
    /srv/autoprovision.zmp: line 8: md: command not found
    /srv/autoprovision.zmp: line 9: md: command not found
    /srv/autoprovision.zmp: line 10: md: command not found
    /srv/autoprovision.zmp: line 11: md: command not found
    /srv/autoprovision.zmp: line 12: md: command not found
    /srv/autoprovision.zmp: line 13: md: command not found
    /srv/autoprovision.zmp: line 14: md: command not found
    /srv/autoprovision.zmp: line 15: md: command not found
    /srv/autoprovision.zmp: line 16: md: command not found
    /srv/autoprovision.zmp: line 17: ms: command not found
    /srv/autoprovision.zmp: line 18: ms: command not found

    1. sorry, but i fixed.
      i have to insert the command zmprov and then
      in mode prov> i paste everything.
      thanks so much!..
      only one thing, if i want to give email access for only a few members of a group.
      for example if i want to give access to the members of group executive but not the rest of domain user in the ou “users”
      ¿how it be?

      1. Hi Santiago,

        Glad to hear that for fixed your problem :D.

        Did you mean want to autoprov with spesific groups? if yes, you can modify this attribute : zimbraAutoProvLdapSearchFilter and adjust with your environment

  2. Hi, When I execute the below command, I am facing the below error:
    [zimbra@zimbra root]$ zmprov < /srv/autoprovision.zmp
    [1] 25034
    bash: lt: command not found
    /srv/autoprovision.zmp: line 1: md: command not found
    /srv/autoprovision.zmp: line 2: md: command not found
    /srv/autoprovision.zmp: line 3: md: command not found
    /srv/autoprovision.zmp: line 4: md: command not found
    /srv/autoprovision.zmp: line 5: md: command not found
    /srv/autoprovision.zmp: line 6: md: command not found
    /srv/autoprovision.zmp: line 7: md: command not found
    /srv/autoprovision.zmp: line 8: md: command not found
    /srv/autoprovision.zmp: line 9: md: command not found
    /srv/autoprovision.zmp: line 10: md: command not found
    /srv/autoprovision.zmp: line 11: md: command not found
    /srv/autoprovision.zmp: line 12: md: command not found
    /srv/autoprovision.zmp: line 13: md: command not found
    /srv/autoprovision.zmp: line 14: md: command not found
    /srv/autoprovision.zmp: line 15: md: command not found
    /srv/autoprovision.zmp: line 16: md: command not found
    /srv/autoprovision.zmp: line 17: ms: command not found
    /srv/autoprovision.zmp: line 18: ms: command not found

    1. Hi Shiva,

      Could you please give me more information about error or something else on the log? you can check the log in /opt/zimbra/log/mailbox.log

  3. Hi Iman,
    Thanks for supporting me,
    When I Sync zimbra with AD, when I create a new users in that domain, I am not getting the password field to give password to the user. And the users that are created in zimbra are not showing in AD.
    Please suggest me.

  4. Hi friend.

    I have this query:

    zimbraAutoProvLdapSearchFilter “(&(sAMAccountName=*)(objectClass=user)(givenName=*)(memberOf=cn=Zimbra_Intranet,ou=ZIMBRA,ou=Grupos,dc=hmsc,dc=com,dc=br))”

    But this create user only if I create and put new user in “ZIMBRA” OU
    If I add old users to “Zimbra_Intranet” group, whitout changing the OU, the account cannot auto create.

    What might be happening?

    Thanks

    1. Hi Julio,

      Are you could view all users with search filter like that? please try run the following command on Your Zimbra whether users can views/filter or not :

      /opt/zimbra/bin/ldapsearch -LLL -x -h IP-of-AD -p 389 -D “cn=Administrator,cn=users,dc=yourdomain,dc=com” -w “password-administrator-AD” -b “(&(sAMAccountName=*)(objectClass=user)(givenName=*)(memberOf=cn=Zimbra_Intranet,ou=ZIMBRA,ou=Grupos,dc=hmsc,dc=com,dc=br))”

      1. Hello, I’m having a problem similar to Julio’s, but my search via ldap search is returning me the value I want, which is the user within the specific group. When I play inside the filter in zimbra, it does not fetch the user, I do not know what else to do.

  5. When you use Zentyal as Active Directory, you must use the “CN = Domain Administrator, CN = users, dc = domain, DC = local”

  6. Hi Iman,
    I configured LAZY mode of auto provisioning and when I try to use it, I am getting the below error in mailbox.log:

    2015-05-21 12:42:32,288 INFO [qtp509886383-295:http://127.0.0.1:8080/service/soap/AuthRequest%5D [oip=192.168.10.66;ua=zclient/8.5.0_GA_3042;] autoprov – unable to authenticate abc@bcits.co.in for auto provisioning
    com.zimbra.cs.account.AccountServiceException$AuthFailedServiceException: authentication failed for []
    ExceptionId:qtp509886383-295:http://127.0.0.1:8080/service/soap/AuthRequest:1432192352288:a10d45054c36c059
    Code:account.AUTH_FAILED
    at com.zimbra.cs.account.AccountServiceException$AuthFailedServiceException.AUTH_FAILED(AccountServiceException.java:142)
    at com.zimbra.cs.account.ldap.LdapProvis…….
    Caused by: com.zimbra.cs.account.AccountServiceException$AuthFailedServiceException: authentication failed for [N/A]
    ExceptionId:qtp509886383-295:http://127.0.0.1:8080/service/soap/AuthRequest:1432192352288:a10d45054c36c059
    Code:account.AUTH_FAILED
    at com.zimbra.cs.account.AccountServiceException$AuthFailedServiceException.AUTH_FAILED(AccountServiceException.java:154)
    at com.zimbra.cs.account.ldap.LdapProvisioning.ldapAuthenticate(LdapProvisioning.java:5138)

    How do I know what I have configured incorrectly (I am pretty sure about the credentials). My auto provisioning configurations are:

    md onlinebcits.com zimbraAutoProvMode “LAZY”
    md onlinebcits.com zimbraAutoProvLdapURL “ldap://192.168.10.230:389”
    md onlinebcits.com zimbraAutoProvLdapAdminBindDn “cn=Directory Manager”
    md onlinebcits.com zimbraAutoProvLdapAdminBindPassword “xxxxx”
    md onlinebcits.com zimbraAutoProvLdapSearchFilter “%u”
    md onlinebcits.com zimbraAutoProvLdapSearchBase “dc=bcits,dc=co,dc=in”
    md onlinebcits.com zimbraAutoProvLdapBindDn “uid=%u”
    md onlinebcits.com zimbraAutoProvNotificationBody “Your account has been auto provisioned. Your email address is ${ACCOUNT_ADDRESS}.”
    md onlinebcits.com zimbraAutoProvNotificationFromAddress “admin@onlinebcits.com”
    md onlinebcits.com zimbraAutoProvNotificationSubject “New account auto provisioned”

    Also, the log shows that auto provisioning is being happening only for certain accounts, any idea why it is not happening for all the accounts? (I am using zcs 8.5.0).

    Regards,
    Seenu.

    1. hi Seenu,

      I am not yet try if using LDAP/OpenLDAP. I will try in my environment and update the progress

  7. I have one question.

    When the account is automatically created, it uses the AD password.

    The option to enable the fallback in case of AD failure, but I would have to set the password manually .

    Is there a way to password fallback be the same synchronized password AD ?

  8. Great work Iman… I got this message when I try to execute the
    3] 8548
    Usage: lt `parameters’ [versionkey]
    computes the n-point one-loop integrals
    n depends on `parameters’:
    n = 1: m
    n = 2: p m1 m2
    n = 3: p1 p2 p1p2 m1 m2 m3
    n = 4: p1 p2 p3 p4 p1p2 p2p3 m1 m2 m3 m4
    n = 5: p1 p2 p3 p4 p5 p1p2 p2p3 p3p4 p4p5 p5p1 m1 m2 m3 m4 m5
    versionkey can be one of:
    0 = compute version a (same as no versionkey)
    1 = compute version b
    2 = compute a and b, compare, return a
    3 = compute a and b, compare, return b
    -su: /srv/autoprovision.zmp: Permission denied
    zimbra@pms:~$ zmprov < /srv/autoprovision.zmp
    -su: /srv/autoprovision.zmp: Permission denied

  9. Hi Iman,
    Thanks for your great article.
    but i have one query about how to change zimbra active directory webmail password.

  10. Hello, I have successfully configured the auto-provisioning, I would now like to be able to automatically remove them from Zimbra as I delete them in my active directory.

  11. Hi Iman, need your help.

    I’ve followed all of your instruction, still got an error ‘invalid credential’. I’ve been tested it with zimbra external auth using esternal AD and it passed.

    here is the log
    Caused by: LDAPException(resultCode=49 (invalid credentials), errorMessage=’80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1′, diagnosticMessage=’80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1′)

    ps: sorry for my bad english

    rgrd,

    hamboro

    1. Hi mas Hamboro,
      Untuk user dan password harus Administrator mas. Bisa juga testing eksternal autentikasi dan login ke Zimbra dengan user dan password Administrator AD

  12. Hi …I had enabled auto provisioning against our Active directory and it was working fine on LAZY mode..the script was placed on /tmp directory as per the zimbra documentation ( https://wiki.zimbra.com/wiki/How_to_con … ng_with_AD) .but as it was /tmp its got deleted after a month…I had tried to recreate the script and its not working ….I had verified the script against one of the back up i had and looks fine …As we have almost 6000 AD users now i doubt LDAP query may causing the issue I had increased LDAP session count on AD to 10000…still no luck…can any on helping where I m missing ..? ..i need to have on LAZY mode as i just need to create user in AD .

    Pls see my script and help.

    md xxxx.com zimbraAutoProvMode LAZY
    md xxxx.com zimbraAutoProvAccountNameMap “samAccountName”
    md xxxx.com +zimbraAutoProvAttrMap description=description
    md xxxx.com +zimbraAutoProvAttrMap displayName=displayName
    md xxxx.com +zimbraAutoProvAttrMap givenName=givenName
    md xxxx.com +zimbraAutoProvAttrMap cn=cn
    md xxxx.com +zimbraAutoProvAttrMap sn=sn
    md xxxx.com zimbraAutoProvAuthMech LDAP
    md xxxx.com zimbraAutoProvBatchSize 40
    md xxxx.com zimbraAutoProvLdapAdminBindDn “CN=zimbraldap,OU=GLOBAL,DC=xxxx,DC=com”
    md xxxx.com zimbraAutoProvLdapAdminBindPassword “password”
    md xxxx.com zimbraAutoProvLdapBindDn “zimbraldap@xxxx.com”
    md xxxx.com zimbraAutoProvLdapSearchBase “dc=xxxx,dc=com”
    md xxxx.com zimbraAutoProvLdapSearchFilter “(cn=%u)”
    md xxxx.com zimbraAutoProvLdapURL “ldap://192.168.xx.xxx:389”
    md xxxx.com zimbraAutoProvNotificationBody “Your account has been auto provisioned. Your email address is ${ACCOUNT_ADDRESS}. Password will be same as your windows password”
    md xxxx.com zimbraAutoProvNotificationFromAddress prov-admin@xxxx.com
    md xxxx.com zimbraAutoProvNotificationSubject “New account auto provisioned”
    ms zimbramail.xxxx.com zimbraAutoProvPollingInterval “1m”
    ms zimbramail.xxxx.com +zimbraAutoProvScheduledDomains “xxxx.com”

    1. Hello,
      The script only runs once. So, if your script in / tmp is deleted, is not change the configuration that was made. About the problem, maybe query/filter did not match and point into samAccount on AD

  13. Thanks for your work here. Makes live with zimbra a lot easier.

    One question: When I have autoprovisioned a user from AD and afterwards deleted, can I somehow retrigger autoprovisioning said user?

  14. Hi Iman
    I created the autoprov.zmp
    only it creates 6 user in zimbra while the AD has 1200 users
    What could be the problem
    md sis.com zimbraAutoProvAccountNameMap “sAMAccountName”
    md sis.com +zimbraAutoProvAttrMap “description=description”
    md sis.com +zimbraAutoProvAttrMap “cn=displayName”
    md sis.com +zimbraAutoProvAttrMap “givenName=givenName”
    md sis.com +zimbraAutoProvAttrMap “cn=cn”
    md sis.com +zimbraAutoProvAttrMap “sn=sn”
    md sis.com zimbraAutoProvAuthMech “LDAP”
    md sis.com zimbraAutoProvBatchSize “200”
    md sis.com zimbraAutoProvLdapAdminBindDn “CN=Administrator,CN=Users,DC=sis,DC=com”
    md sis.com zimbraAutoProvLdapAdminBindPassword “Tur_f@201_8”
    md sis.com zimbraAutoProvLdapBindDn “CN=Administrator,CN=Users,DC=sis,DC=com”
    md sis.com zimbraAutoProvLdapSearchBase “DC=sis,DC=com”
    md sis.com zimbraAutoProvLdapSearchFilter “(cn=%u)”
    md sis.com zimbraAutoProvLdapURL “ldap://10.15.7.2:389”
    md sis.com zimbraAutoProvMode EAGER
    md sis.com zimbraAutoProvNotificationBody “Your account has been auto provisioned. Your email address is ${ACCOUNT_ADDRESS}.”
    md sis.com zimbraAutoProvNotificationFromAddress admin@sis.com
    md sis.com zimbraAutoProvNotificationSubject “New account auto provisioned”
    ms mail.sis.com zimbraAutoProvPollingInterval “10m”
    ms mail.sis.com +zimbraAutoProvScheduledDomains “sis.com”

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.