[Samba] Samba4 AD and Zimbra LDAP server

Lorenzo Faleschini lorenzo.faleschini at nordestsystems.com
Wed Feb 26 01:59:04 MST 2014

Here are my notes on how to set up auto provisioning of accounts from 
Samba4 LDAP (tested on Samba 4.1.4 and Zimbra 8.0.6, both on CentOS 6.5).
It's working like a charm (a little bug in auto provisioning is fixed with 
a workaround; it works well on small domains).


$ su zimbra

$ zmprov

md your.domain.com zimbraAutoProvAccountNameMap samAccountName

md your.domain.com zimbraAutoProvBatchSize 250

md your.domain.com zimbraAutoProvLdapAdminBindDn 

md your.domain.com zimbraAutoProvLdapAdminBindPassword 

md your.domain.com zimbraAutoProvLdapBindDn "%u@%d"

md your.domain.com zimbraAutoProvLdapSearchBase "dc=your,dc=domain,dc=com"

md your.domain.com zimbraAutoProvLdapSearchFilter "(&(objectClass=user))"

md your.domain.com zimbraAutoProvLdapURL 

md your.domain.com zimbraAutoProvMode EAGER

ms zimbra.your.domain.com zimbraAutoProvScheduledDomains your.domain.com

ms zimbra.your.domain.com zimbraAutoProvPollingInterval 15m

$ zmprov gd your.domain.com | grep AutoProv

zimbraAutoProvAccountNameMap: samAccountName
zimbraAutoProvBatchSize: 250
zimbraAutoProvLastPolledTimestamp: 20130717173313Z
zimbraAutoProvLdapAdminBindPassword: YourAdministratorPassword
zimbraAutoProvLdapBindDn: %u@%d
zimbraAutoProvLdapSearchBase: dc=your,dc=domain,dc=com
zimbraAutoProvLdapSearchFilter: (&(objectClass=user))
zimbraAutoProvLdapURL: ldap://yoursambaserver.your.domain.com:389
zimbraAutoProvMode: EAGER
zimbraAutoProvNotificationBody: Your account has been auto provisioned. 
Your email address is ${ACCOUNT_ADDRESS}.
zimbraAutoProvNotificationSubject: New account auto provisioned

$ zmprov gs zimbra.your.domain.com | grep AutoProv

zimbraAutoProvPollingInterval: 15m
zimbraAutoProvScheduledDomains: your.domain.com

$ cat /opt/zimbra/log/mailbox.log | grep AutoProv

To add to the zimbra crontab after #ZIMBRAEND (this is the workaround: it clears the
last-polled timestamp every 15 minutes so the EAGER poll picks up all accounts again):

*/15 * * * * /opt/zimbra/bin/zmprov md your.domain.com zimbraAutoProvLastPolledTimestamp "" > /dev/null 2>&1

zimbraAutoProvAttrMap {external attribute}={zimbra attribute}
IMPORTANT: An invalid mapping configuration will cause account creation 
to fail. To map the "sn" value on the external entry to "displayName" on 
the Zimbra account and map the description value on the external entry to 
description on the ZCS account, type
zmprov md <domain.com> zimbraAutoProvAttrMap sn=displayName


zmprov md your.domain.com zimbraAutoProvAttrMap givenName=givenName +zimbraAutoProvAttrMap sn=sn +zimbraAutoProvAttrMap displayName=displayName

-- 
Lorenzo Faleschini, IT Manager @ Nordest Systems
m: +39 335 6055225 | skype: falegalizeit

On 26/02/2014 01:50, Petros wrote:
> Hi all,
> I plan to upgrade Samba to be an AD server (using FreeBSD)
> I also have a Zimbra mail server using internal LDAP (it is OpenLDAP
> with a schema suitable for the mail server)
> At the moment I bind a few other web applications (Redmine, a wiki etc)
> to the Zimbra server for LDAP authorisation.
> Of course, I would like to simplify user experience by using the same
> user/password for the Samba domain too.
> Zimbra using Samba4 LDAP or the other way around... all seems to be
> tricky and it all feels unsupported/experimental...
> I also thought about a password synchronisation as a "poor man's
> solution" but I am not sure whether this is achievable, e.g. using
> ldapsearch and friends. I am also not sure about the format used by both
> LDAP servers yet, vaguely remembering Windows using MD4 in the past or so.
> Any help and recommendation would be appreciated.
> Regards
> Peter
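As an added check, not part of Lorenzo's notes or of Zimbra's own tooling: the script below parses the `zmprov gd ... | grep AutoProv` output quoted above and flags two things worth reviewing before switching on EAGER mode against a Samba4 AD: the admin bind password travelling over plain `ldap://`, and a search filter that in AD also matches computer objects (they carry objectClass=user as well) and disabled accounts, so each of those would get a mailbox provisioned. The sample config is constructed from the values in the thread; the hardened filter and `ldaps://:636` variant are my assumptions, not from the thread.

```python
"""Audit a Zimbra auto-provisioning domain config (zmprov gd output)
for settings that matter when the external source is Samba4 AD LDAP."""
import re

# Constructed sample: the `zmprov gd your.domain.com | grep AutoProv` lines from the thread.
SAMPLE_GD = """\
zimbraAutoProvAccountNameMap: samAccountName
zimbraAutoProvBatchSize: 250
zimbraAutoProvLdapAdminBindPassword: YourAdministratorPassword
zimbraAutoProvLdapBindDn: %u@%d
zimbraAutoProvLdapSearchBase: dc=your,dc=domain,dc=com
zimbraAutoProvLdapSearchFilter: (&(objectClass=user))
zimbraAutoProvLdapURL: ldap://yoursambaserver.your.domain.com:389
zimbraAutoProvMode: EAGER
"""

# AD bitwise-AND matching rule on userAccountControl; bit 2 = ACCOUNTDISABLE.
DISABLED_BIT_RULE = "userAccountControl:1.2.840.113556.1.4.803:=2"

# Assumed hardened filter: real people only, disabled accounts excluded.
HARDENED_FILTER = "(&(objectClass=user)(objectCategory=person)(!(%s)))" % DISABLED_BIT_RULE

# Constructed hardened variant of the same config (LDAPS on 636, tightened filter).
HARDENED_GD = SAMPLE_GD.replace("ldap://", "ldaps://").replace(":389", ":636") \
    .replace("(&(objectClass=user))", HARDENED_FILTER)


def parse_zmprov(text):
    """Turn 'attr: value' lines into a dict; multi-valued attrs become lists."""
    cfg = {}
    for line in text.splitlines():
        m = re.match(r"^(zimbra\w+):\s*(.*)$", line)
        if m:
            cfg.setdefault(m.group(1), []).append(m.group(2))
    return {k: v[0] if len(v) == 1 else v for k, v in cfg.items()}


def audit_autoprov(cfg):
    """Return a list of finding tags for the AutoProv settings in cfg."""
    findings = []
    if cfg.get("zimbraAutoProvLdapURL", "").startswith("ldap://"):
        findings.append("cleartext-ldap")  # admin bind password crosses the wire unencrypted
    filt = cfg.get("zimbraAutoProvLdapSearchFilter", "")
    if "objectClass=user" in filt and "objectCategory=person" not in filt:
        findings.append("filter-matches-computers")  # AD computer objects are objectClass=user too
    if DISABLED_BIT_RULE not in filt:
        findings.append("filter-includes-disabled")  # disabled AD users would still be provisioned
    return findings


if __name__ == "__main__":
    print(audit_autoprov(parse_zmprov(SAMPLE_GD)))   # three findings for the thread's config
    print(audit_autoprov(parse_zmprov(HARDENED_GD)))  # [] for the hardened variant
```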
