[Samba] Samba4 AD and Zimbra LDAP server

Lorenzo Faleschini lorenzo.faleschini at nordestsystems.com
Wed Feb 26 01:59:04 MST 2014


Here are my notes on how to set up auto-provisioning of accounts from 
Samba4 LDAP (tested on Samba 4.1.4 and Zimbra 8.0.6, both on CentOS 6.5).
It's working like a charm (a little bug in auto-provisioning is fixed with 
a workaround; working well on small domains).

cheers



$ su - zimbra

$ zmprov

md your.domain.com zimbraAutoProvAccountNameMap samAccountName

md your.domain.com zimbraAutoProvBatchSize 250

md your.domain.com zimbraAutoProvLdapAdminBindDn "cn=administrator,cn=users,dc=your,dc=domain,dc=com"

md your.domain.com zimbraAutoProvLdapAdminBindPassword "YourAdministratorPassword"

md your.domain.com zimbraAutoProvLdapBindDn "%u@%d"

md your.domain.com zimbraAutoProvLdapSearchBase "dc=your,dc=domain,dc=com"

md your.domain.com zimbraAutoProvLdapSearchFilter "(&(objectClass=user))"

md your.domain.com zimbraAutoProvLdapURL "ldap://yoursambaserver.your.domain.com:389"

md your.domain.com zimbraAutoProvMode EAGER

ms zimbra.your.domain.com zimbraAutoProvScheduledDomains your.domain.com

ms zimbra.your.domain.com zimbraAutoProvPollingInterval 15m



$ zmprov gd your.domain.com | grep AutoProv

zimbraAutoProvAccountNameMap: samAccountName
zimbraAutoProvBatchSize: 250
zimbraAutoProvLastPolledTimestamp: 20130717173313Z
zimbraAutoProvLdapAdminBindDn: cn=administrator,cn=users,dc=your,dc=domain,dc=com
zimbraAutoProvLdapAdminBindPassword: YourAdministratorPassword
zimbraAutoProvLdapBindDn: %u@%d
zimbraAutoProvLdapSearchBase: dc=your,dc=domain,dc=com
zimbraAutoProvLdapSearchFilter: (&(objectClass=user))
zimbraAutoProvLdapURL: ldap://yoursambaserver.your.domain.com:389
zimbraAutoProvMode: EAGER
zimbraAutoProvNotificationBody: Your account has been auto provisioned. Your email address is ${ACCOUNT_ADDRESS}.
zimbraAutoProvNotificationSubject: New account auto provisioned



$ zmprov gs zimbra.your.domain.com | grep AutoProv

zimbraAutoProvPollingInterval: 15m
zimbraAutoProvScheduledDomains: your.domain.com



$ grep AutoProv /opt/zimbra/log/mailbox.log



To add to the zimbra crontab after #ZIMBRAEND (one line):

# BUG 82789 WORKAROUND
*/15 * * * * /opt/zimbra/bin/zmprov md your.domain.com zimbraAutoProvLastPolledTimestamp "" > /dev/null 2>&1


FIELD MAPPING
zimbraAutoProvAttrMap {external attribute}={zimbra attribute}
IMPORTANT: An invalid mapping configuration will cause the account creation 
to fail. To map the "sn" value on the external entry to "displayName" on 
the Zimbra account and map the "description" value on the external entry to 
"description" on the ZCS account, type
zmprov md <domain.com> zimbraAutoProvAttrMap sn=displayName +zimbraAutoProvAttrMap description=description
http://wiki.zimbra.com/wiki/Zimbra_Attributes_ZCS8

http://www.computerperformance.co.uk/Logon/LDAP_attributes_active_directory.htm

zmprov md your.domain.com zimbraAutoProvAttrMap givenName=givenName +zimbraAutoProvAttrMap sn=sn +zimbraAutoProvAttrMap displayName=displayName



LDAP GAL SYNC

http://wiki.zimbra.com/wiki/GAL_Sync_Account

DYNAMIC DISTRIBUTION LISTS

http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2038098





__Lorenzo Faleschini_____IT Manager @___
                __       __
|\ | _  _ _|  |_  _|_  (_    _|_ _ _  _
| \|(_)| (_|  |___)|_  __)\/_)|_(-|||_)
__________________________/_____________
m: +39 335 6055225 | skype: falegalizeit

On 26/02/2014 01:50, Petros wrote:
> Hi all,
>
> I plan to upgrade Samba to be an AD server (using FreeBSD)
>
> I also have a Zimbra mail server using internal LDAP (it is OpenLDAP
> with a schema suitable for the mail server)
>
> At the moment I bind a few other web applications (Redmine, a wiki etc)
> to the Zimbra server for LDAP authorisation.
>
> Of course, I would like to simplify user experience by using the same
> user/password for the Samba domain too.
>
> Zimbra using Samba4 LDAP or the other way around.. all seems to be
> tricky and it all feels unsupported/experimental..
>
> I also thought about a password synchronisation as a "poor man's
> solution" but I am not sure whether this is achievable, e.g. using
> ldapsearch and friends. I am also not sure about the format used by both
> LDAP servers yet, vaguely remembering Windows using MD4 in the past or so.
>
> Any help and recommendation would be appreciated.
>
> Regards
> Peter
>
>

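A way to sanity-check the settings in Lorenzo's notes before trusting them in production, as an added example that is not part of the original post and not Zimbra's or Samba's own code: the script parses the text that `zmprov gd <domain>` / `zmprov gs <server>` print (a constructed copy of the output shown in the post is embedded so it runs offline) and flags three things a reviewer would raise against that configuration. The admin bind DN and its password travel over plain `ldap://...:389`; the `zimbraAutoProvLdapStartTlsEnabled` attribute (name taken from the ZCS 8 attribute list linked in the post) or an `ldaps://` URL fixes that. In AD, and therefore in Samba AD, computer objects are also `objectClass=user`, so `(&(objectClass=user))` provisions a mailbox for every domain-joined machine. Disabled accounts still match unless the `userAccountControl` bit-AND matching rule (OID `1.2.840.113556.1.4.803`) excludes them. The function names, the stricter filter and the `hardened_commands` helper are this example's, not Zimbra's.

```python
"""Audit Zimbra auto-provisioning settings that point at a Samba4 AD DC.

Added example: parses `zmprov gd` / `zmprov gs` output and reports settings a
security review would want changed. Not part of Zimbra or Samba.
"""
import re

# Constructed sample: the `zmprov gd your.domain.com | grep AutoProv` output
# from the post, with the admin bind DN wrapped onto a second line the way the
# mail client wrapped it (the parser must glue such continuations back on).
SAMPLE_DOMAIN_OUTPUT = """\
zimbraAutoProvAccountNameMap: samAccountName
zimbraAutoProvBatchSize: 250
zimbraAutoProvLdapAdminBindDn:
cn=administrator,cn=users,dc=your,dc=domain,dc=com
zimbraAutoProvLdapAdminBindPassword: YourAdministratorPassword
zimbraAutoProvLdapBindDn: %u@%d
zimbraAutoProvLdapSearchBase: dc=your,dc=domain,dc=com
zimbraAutoProvLdapSearchFilter: (&(objectClass=user))
zimbraAutoProvLdapURL: ldap://yoursambaserver.your.domain.com:389
zimbraAutoProvMode: EAGER
"""

# Constructed sample: `zmprov gs zimbra.your.domain.com | grep AutoProv`.
SAMPLE_SERVER_OUTPUT = """\
zimbraAutoProvPollingInterval: 15m
zimbraAutoProvScheduledDomains: your.domain.com
"""

# AD schema facts the checks rely on: "computer" is a subclass of "user", and
# userAccountControl bit 0x2 (ACCOUNTDISABLE) can be tested with the
# LDAP_MATCHING_RULE_BIT_AND rule, which Samba AD implements.
DISABLED_FILTER = "(!(userAccountControl:1.2.840.113556.1.4.803:=2))"
RECOMMENDED_FILTER = (
    "(&(objectClass=user)(!(objectClass=computer))" + DISABLED_FILTER + ")"
)


def parse_zmprov(text):
    """Turn `attr: value` lines into {attr: [values]}.

    A line that does not look like `zimbraXxx: ...` is treated as a wrapped
    continuation of the previous value. Multi-valued attributes keep one
    list entry per line, as zmprov prints them.
    """
    cfg = {}
    last = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"^(zimbra\w+):\s*(.*)$", line)
        if m:
            last = m.group(1)
            cfg.setdefault(last, []).append(m.group(2))
        elif last is not None:
            cfg[last][-1] += line
    return cfg


def first(cfg, key):
    """First value of a (possibly multi-valued) attribute, '' if unset."""
    return cfg.get(key, [""])[0]


def audit(domain_cfg, server_cfg, domain):
    """Return (setting, problem, fix) tuples; an empty list means clean."""
    findings = []
    url = first(domain_cfg, "zimbraAutoProvLdapURL").lower()
    starttls = first(domain_cfg, "zimbraAutoProvLdapStartTlsEnabled").upper()
    if url.startswith("ldap://") and starttls != "TRUE":
        findings.append((
            "zimbraAutoProvLdapURL",
            "admin bind DN and password are sent in cleartext over ldap://",
            "use ldaps://<dc>:636 or set zimbraAutoProvLdapStartTlsEnabled TRUE",
        ))
    flt = first(domain_cfg, "zimbraAutoProvLdapSearchFilter").replace(" ", "").lower()
    if "(objectclass=computer)" not in flt:
        findings.append((
            "zimbraAutoProvLdapSearchFilter",
            "AD computer objects are also objectClass=user and would get mailboxes",
            "exclude them: " + RECOMMENDED_FILTER,
        ))
    if "useraccountcontrol:1.2.840.113556.1.4.803:=2" not in flt:
        findings.append((
            "zimbraAutoProvLdapSearchFilter",
            "disabled AD accounts still match and get provisioned",
            "add " + DISABLED_FILTER,
        ))
    if first(domain_cfg, "zimbraAutoProvMode").upper() == "EAGER":
        if domain not in server_cfg.get("zimbraAutoProvScheduledDomains", []):
            findings.append((
                "zimbraAutoProvScheduledDomains",
                "EAGER mode never runs for %s: not in the server's list" % domain,
                "ms <mailbox-server> +zimbraAutoProvScheduledDomains " + domain,
            ))
    return findings


def hardened_commands(domain, ldap_host):
    """zmprov lines applying the fixes (assumes Samba's TLS listener on 636)."""
    return [
        'md %s zimbraAutoProvLdapURL "ldaps://%s:636"' % (domain, ldap_host),
        'md %s zimbraAutoProvLdapSearchFilter "%s"' % (domain, RECOMMENDED_FILTER),
    ]


if __name__ == "__main__":
    dom = parse_zmprov(SAMPLE_DOMAIN_OUTPUT)
    srv = parse_zmprov(SAMPLE_SERVER_OUTPUT)
    for setting, problem, fix in audit(dom, srv, "your.domain.com"):
        print("%s\n  problem: %s\n  fix:     %s" % (setting, problem, fix))
    print("\n".join(hardened_commands("your.domain.com",
                                      "yoursambaserver.your.domain.com")))
```

On a live system feed it the real output (`zmprov gd your.domain.com | grep AutoProv` and the matching `zmprov gs`). Note that `zmprov gd` echoes `zimbraAutoProvLdapAdminBindPassword` in the clear, so that output should be handled as a secret rather than pasted into tickets or mail. Switching to `ldaps://` also requires Zimbra's Java trust store to accept the Samba DC's certificate, which the post does not cover.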
