Zimbra + External AD : Automatically Create Mailboxes Zimbra with Lazy Mode Auto-Provisioning

Posted by

Previously had been explain how to automatically create mailboxes in Zimbra with eager mode auto-provisioning. In this section, we can try to using lazy mode auto-provisioning. What difference between eager mode and lazy mode?

Difference of both is process automatically create mailboxes. If using eager mode, Zimbra will process create mailboxes every certain time (example every 5 minutes) and if using lazy mode, Zimbra will process create mailboxes every users of external AD login for first time.

You can choose which method suitable with your system. But on this section, i will explain how to using lazy mode auto-provisioning.

Create file with name autoprovision.zmp and put at folder /srv/

vi /srv/autoprovision.zmp

fill with the following line

md imanudin.net zimbraAutoProvAttrMap "cn=displayName"
md imanudin.net +zimbraAutoProvAttrMap "givenName=givenName"
md imanudin.net +zimbraAutoProvAttrMap "sn=sn"
md imanudin.net +zimbraAutoProvAttrMap "description=description"
md imanudin.net zimbraAutoProvAuthMech "LDAP"
md imanudin.net zimbraAutoProvLdapAdminBindDn "cn=Administrator,cn=users,dc=imanudin,dc=net"
md imanudin.net zimbraAutoProvLdapAdminBindPassword "VerySecret123"
md imanudin.net zimbraAutoProvLdapBindDn "cn=Administrator,cn=users,dc=imanudin,dc=net"
md imanudin.net zimbraAutoProvLdapSearchBase "dc=imanudin,dc=net"
md imanudin.net zimbraAutoProvLdapURL "ldap://192.168.1.102:389"
md imanudin.net zimbraAutoProvMode "LAZY"
md imanudin.net zimbraAutoProvNotificationBody "Your account has been auto provisioned. Your email address is ${ACCOUNT_ADDRESS}."
md imanudin.net zimbraAutoProvNotificationFromAddress "admin@imanudin.net"
md imanudin.net zimbraAutoProvNotificationSubject "New account auto provisioned"

INFORMATION :

imanudin.net = domain name at Zimbra
LdapAdminBindDn/LdapBindDn = User Administrator at Active Directory/Samba4
LdapAdminBindPassword = Password user Administrator
LdapSearchBase = Attribute search AD/Samba4
LdapSearchFilter = Attribute search which has been filtered

LdapURL = IP Server external AD/Samba4

After above file has been created, run the following command as Zimbra

su - zimbra
zmprov < /srv/autoprovision.zmp

Please check process automatically create mailboxes at /opt/zimbra/log/mailbox.log. Please check also mailboxes which has been created at Zimbra Admin | Manage.

Good luck and hopefully useful 😀

18 comments

  1. Hello

    It’s a pleasure to read this tutorial!!
    But i have a question, this method is available only for NE version of zimbra 8.6 or NE and OSE version?

    Thanks

  2. HI, thank you for your job.
    When i connect with a new account, Display Name is Administrator, name is fill with no value and firstname is empty.
    THis is my autoprovision.zmp:
    md myzimbradomainname zimbraAutoProvAttrMap “cn=displayName”
    md myzimbradomainname +zimbraAutoProvAttrMap “givenName=givenName”
    md myzimbradomainname +zimbraAutoProvAttrMap “sn=sn”
    md myzimbradomainname +zimbraAutoProvAttrMap “description=description”
    md myzimbradomainname zimbraAutoProvAuthMech “LDAP”
    md myzimbradomainname zimbraAutoProvLdapAdminBindDn “cn=Administrateur,cn=users,dc=myADdomainname”
    md myzimbradomainname zimbraAutoProvLdapAdminBindPassword “myADpassword”
    md myzimbradomainname zimbraAutoProvLdapBindDn “cn=administrateur,cn=users,dc=myADdomainname”
    md myzimbradomainname zimbraAutoProvLdapSearchBase “dc=myADdomainname”
    md myzimbradomainname zimbraAutoProvLdapURL “ldap://myIPAD:389”
    md myzimbradomainname zimbraAutoProvMode “LAZY”
    md myzimbradomainname zimbraAutoProvNotificationBody “Your account has been auto provisioned. Your email address is ${ACCOUNT_ADDRESS}.”
    md myzimbradomainname zimbraAutoProvNotificationFromAddress “admin@myzimbradomainname”
    md myzimbradomainname zimbraAutoProvNotificationSubject “New account auto provisioned”

  3. Thanks for the precision 😉 I tested it but it’s doesn’t work.. i gonna search why (yn) 🙂

  4. i have an other question ^^’
    Does it works with an OpenLdap or only with Active Directory LDAP??

  5. Hi Iman,
    I have configured the following regarding auto provisioning:

    [zimbra@m1 log]$ zmprov gd onlinebcits.com | grep AutoProv
    zimbraAutoProvBatchSize: 20
    zimbraAutoProvLdapAdminBindDn: cn=Directory Manager,dc=bcits,dc=co,dc=in
    zimbraAutoProvLdapAdminBindPassword: xxxxx
    zimbraAutoProvLdapBindDn: cn=Directory Manager,dc=bcits,dc=co,dc=in
    zimbraAutoProvLdapSearchBase: dc=bcits,dc=co,dc=in
    zimbraAutoProvLdapURL: ldap://192.168.10.230:389
    zimbraAutoProvMode: LAZY
    zimbraAutoProvNotificationBody: Your account has been auto provisioned. Your email address is ${ACCOUNT_ADDRESS}.
    zimbraAutoProvNotificationFromAddress: admin@onlinebcits.com
    zimbraAutoProvNotificationSubject: New account auto provisioned

    The mailbox.log shows authentication error and invalid credentials. I am sure about the credentials, am I making any mistake in configuration? How to debug it?

    Regards,
    Seenu.

  6. Hi Below is my configuration…. I had tried server referral documents on net ..But no luck…!!…left a hope on this forum..please help.

    Steps i had done

    1.on Zimbra admin log in , configure > Domain>selected already added domain and right click ‘configure Authentication” .

    2.Selected “external Active Directory” click “next”

    3.Provided AD domain name IP of AD ldap server with port 389 clicked “next ” rest all DN/password bind, Filters etc on that wizard left empty.

    4.Tested with AD user name and password. its successfully authenticated.. click finish

    5.Created a txt file in /srv/autoprov.txt with below entries and run “zmprov < /srv/autoprov.txt"
    command .

    6.Try to login from zimbra user interface it says "The username or password is incorrect. Verify that CAPS LOCK is not on, and then retype the current username and password."

    7.Also checked in zimbra admin login …no new account provisioned there.

    Zimbra version 8.8.12_GA_3866.FOSS

    autoprov.txt entries

    md test.com zimbraAutoProvMode LAZY
    md test.com zimbraAutoProvAccountNameMap "sAMAccountName"
    md test.com zimbraAutoProvAttrMap "sn=sn"
    md test.com +zimbraAutoProvAttrMap "description=description"
    md test.com +zimbraAutoProvAttrMap "cn=cn"
    md test.com +zimbraAutoProvAttrMap "givenName=givenName"
    md test.com zimbraAutoProvBatchSize "20"
    md test.com zimbraAutoProvLdapAdminBindDn "cn=ldaptest,dc=test,dc=com"
    md test.com zimbraAutoProvLdapAdminBindPassword "xxxxx"
    md test.com zimbraAutoProvLdapBindDn "ldaptest@test.com"
    md test.com zimbraAutoProvLdapSearchBase "dc=test,dc=com"
    md test.com zimbraAutoProvLdapSearchFilter "(objectClass=*)"
    md test.com zimbraAutoProvLdapURL "ldap://192.xxx.xxx.xxx:389"
    md test.com zimbraAutoProvNotificationBody "Your account has been auto provisioned. Your email address is ${ACCOUNT_ADDRESS}."
    md test.com zimbraAutoProvNotificationFromAddress "admin@test.com"
    md test.com zimbraAutoProvNotificationSubject "New account auto provisioned"
    ms mailnew.test.com zimbraAutoProvPollingInterval "1m"
    ms mailnew.test.com zimbraAutoProvScheduledDomains "test.com"

    mail .log entries

    Caused by: com.zimbra.common.service.ServiceException: system failure: unable to send or receive startTLS extended operation
    ExceptionId:qtp1647809929-85982:http://localhost:8080/service/soap/AuthRequest:1572074505045:586f6a60daacca2c
    Code:service.FAILURE
    at com.zimbra.common.service.ServiceException.FAILURE(ServiceException.java:288)
    at com.zimbra.cs.ldap.unboundid.UBIDLdapContext.ldapAuthenticate(UBIDLdapContext.java:857)
    at com.zimbra.cs.ldap.unboundid.UBIDLdapContext.externalLdapAuthenticate(UBIDLdapContext.java:892)
    at com.zimbra.cs.ldap.unboundid.UBIDLdapClient.externalLdapAuthenticateImpl(UBIDLdapClient.java:124)
    at com.zimbra.cs.ldap.LdapClient.externalLdapAuthenticate(LdapClient.java:190)
    at com.zimbra.cs.account.ldap.LdapProvisioning.ldapAuthenticate(LdapProvisioning.java:5643)
    at com.zimbra.cs.account.ldap.LdapProvisioning.externalLdapAuth(LdapProvisioning.java:5832)
    … 60 more
    2019-10-26 12:51:45,049 INFO [qtp1647809929-85982:http://localhost:8080/service/soap/AuthRequest%5D [oip=192.168.1.55;ua=zclient/8.8.12_GA_3866;soapId=54a112de;] SoapEngine – handler exception: authentication failed for [636@test.com], account not found
    2019-10-26 12:51:45,049 INFO [qtp1647809929-85982:http://localhost:8080/service/soap/AuthRequest%5D [oip=192.168.1.55;ua=zclient/8.8.12_GA_3866;soapId=54a112de;] soap – AuthRequest elapsed=15018
    2019-10-26 12:51:45,066 INFO [qtp1647809929-85981:https:https://localhost:7071/service/admin/soap/GetDomainInfoRequest%5D [ua=ZCS/8.8.12_GA_3866;soapId=54a112df;] soap – GetDomainInfoRequest elapsed=0
    2019-10-26 12:51:55,003 INFO [MailboxPurge] [name=ham.fwu9mgssf@mailnew.kimshisnet.com;mid=3;] purge – Purging messages.

    1. Hello,
      Please check on this section “zimbraAutoProvLdapAdminBindDn “cn=ldaptest,dc=test,dc=com”. AFAIK, AD using cn=Adminuser and so on for Administrator User

  7. Thanks for your replay…I had tried to move to another OU that is “cn=ldaptest,cn=Users,dc=test,dc=com”…still no luck…also give admin privilege to the user “ldaptest”………..also create a user like u mentioned Administrator (cn=Administrator,cn=Users,dc=test,dc=com”…still no luck…any hope?

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.