Automatically create accounts from AD in Zimbra Collaboration Suite

    In one of our past articles, we talkedabout how you can "make friends" Zimbra and MS Active Directory, which is used at most Russian enterprises to manage user accounts. In it, we suggested that Zimbra users use the simplest and safest way to create mailboxes in Zimbra based on data from AD called LAZY Mode. This mode of operation allows you to automatically create a new Zimbra user with a username and password from AD right at the moment of his first login to the Zimbra web client. However, thanks to the discussion that unfolded in the comments, it became clear that not all administrators would use this method of auto-tuning Zimbra users from AD. Therefore, now we will talk about an alternative way to automate the creation of user accounts based on data from AD called EAGER Mode.


    LAZY and EAGER Mode differ in their approaches to creating new accounts. If in the case of LAZY, the system waits for the user to log into the Zimbra web client to create a new user, in the case of c EAGER, the system periodically polls the server with AD for new users, and, in the case of an affirmative answer, creates a new one on its own account based on data provided by Active Directory. An insignificant, at first glance, difference may make the use of LAZY Mode completely unacceptable for a number of IT managers.

    One of these cases could be a direct ban on the use of the Zimbra web client. The reason for this may be a reduction in server computing power (when using a web client, a server with Zimbra can provide high-quality service for 2500 users, and when using desktop and mobile clients up to 5-6 thousand users), or an enterprise security policy that directly prohibits the use of the web -client for work with mail. The lack of a web client makes it impossible to use the LAZY Mode, which works only in it, which means that IT managers of such enterprises have no choice but to use the EAGER Mode.

    First of all, we need to connect AD as an external LDAP to Zimbra. To do this, go to the administration console, which is located at , and then select Configure in the left side panel and then the Domains sub-item . In the list of domains now you need to select the one that we will use in conjunction with AD and, right-clicking on the selected domain, select "Configure Authentification" . After that, the external LDAP configuration dialog will appear on the screen, in which we enter all the necessary data for integrating Zimbra with AD.

    After entering all the necessary data, you should create a configuration file, for example touch ~ / Documents / autoprov.cfg, in which we will introduce a series of commands that must be entered to activate the auto-configuration of accounts from AD in the EAGER Mode. Unlike LAZY Mode, where the configuration process is extremely simple and all settings can be entered as commands in the CLI, in the case of EAGER Mode it is better to play it safe and store all settings in a separate file. So it will be easier to make changes in them if something suddenly goes wrong.

    So, after creating the ~ / Documents / autoprov.cfg file , you should enter the following lines into it, after adapting them to your infrastructure:

    md zimbraAutoProvAccountNameMap "samAccountName"
    md +zimbraAutoProvAttrMap description=description
    md +zimbraAutoProvAttrMap displayName=displayName
    md +zimbraAutoProvAttrMap givenName=givenName
    md +zimbraAutoProvAttrMap cn=cn
    md +zimbraAutoProvAttrMap sn=sn
    md zimbraAutoProvAuthMech LDAP
    md zimbraAutoProvBatchSize 40
    md zimbraAutoProvLdapAdminBindDn "CN=Administrator,CN=Users,DC=company,DC=ru"
    md zimbraAutoProvLdapAdminBindPassword *********
    md zimbraAutoProvLdapBindDn ""
    md zimbraAutoProvLdapSearchBase "CN=Users,dc=company,dc=ru"
    md zimbraAutoProvLdapSearchFilter "(cn=%u)"
    md zimbraAutoProvLdapURL "ldap://"
    md zimbraAutoProvMode EAGER
    md zimbraAutoProvNotificationBody "Ваша учетная запись была создана автоматически. Адрес вашей электронной почты ${ACCOUNT_ADDRESS}."
    md zimbraAutoProvNotificationFromAddress
    md zimbraAutoProvNotificationSubject "Новая учетная запись была создана автоматически"
    ms zimbraAutoProvPollingInterval "1m"
    ms +zimbraAutoProvScheduledDomains ""

    Thanks to these settings, we force the Zimbra server to access AD every minute and receive information about the appearance of new users in the database, and if they are found, create an account for them and send a welcome message.

    As our reader noted, when setting up, it is very important to pay attention to the following nuances:

    • Lines of the form “md” - make changes to the domain, which is located inside the mail server. There can be several domains on one mail server.
    • Lines of the form “ms” - make changes to the mail server itself.
    • Two methods for automatically setting up accounts from AD can coexist on one domain. That is, you can execute + zimbraAutoProvMode LAZY and + zimbraAutoProvMode EAGER one after another. Due to this, you can increase the interval of access to the server up to one hour or more.

    After all changes to the file are saved, it will be necessary to apply the settings specified in it using the command zmprov <~ / Documents / autoprov.cfg . All the changes made will work immediately, the need to restart the server should not arise.

    In the event that the auto-configuration of accounts from AD to EAGER Mode works , the progress of auto- configuration of accounts will be displayed in the /opt/zimbra/log/mailbox.log file as follows:

    [AutoProvision] [] autoprov - Auto provisioning accounts on domain
    [AutoProvision] [] autoprov - 1 external LDAP entries returned as search result
    [AutoProvision] [] autoprov - auto creating account in EAGER mode:, dn="CN=example,OU=zimbrausers,DC=company,DC=ru"

    If account auto-tuning does not work, then the problem is most likely on the AD server side. In this case, you need to look at the error code that appears. We give the most common of them:

    525 - User not found
    52e - Invalid credentials
    530 - No permission to log in now
    531 - No permission to log in from this computer
    532 - Password expired
    533 - Account action stopped
    534 - User does not have sufficient privileges to log in from this computer
    701 - Account expired
    773 - User must reset password
    775 - Account is temporarily limited
    8350 - wrong format Distinguished Name

    For all questions related to the Zextras Suite, you can contact the representative of the company "Zextras" Katerina Triandafilidi by e-mail

    Also popular now: