Here are my notes on how to set up auto provision of accounts from
Samba4 LDAP (tested on Samba 4.1.4 and Zimbra 8.0.6, both on CentOS 6.5).
It's working like a charm (a little bug for auto provision is fixed with
a workaround; working well on small domains).
cheers
$ su zimbra
$ zmprov
md your.domain.com zimbraAutoProvAccountNameMap samAccountName
md your.domain.com zimbraAutoProvBatchSize 250
md your.domain.com zimbraAutoProvLdapAdminBindDn "cn=administrator,cn=users,dc=your,dc=domain,dc=com"
md your.domain.com zimbraAutoProvLdapAdminBindPassword "YourAdministratorPassword"
md your.domain.com zimbraAutoProvLdapBindDn "%u@%d"
md your.domain.com zimbraAutoProvLdapSearchBase "dc=your,dc=domain,dc=com"
md your.domain.com zimbraAutoProvLdapSearchFilter "(&(objectClass=user))"
md your.domain.com zimbraAutoProvLdapURL "ldap://yoursambaserver.your.domain.com:389"
md your.domain.com zimbraAutoProvMode EAGER
ms zimbra.your.domain.com zimbraAutoProvScheduledDomains your.domain.com
ms zimbra.your.domain.com zimbraAutoProvPollingInterval 15m
$ zmprov gd your.domain.com | grep AutoProv
zimbraAutoProvAccountNameMap: samAccountName
zimbraAutoProvBatchSize: 250
zimbraAutoProvLastPolledTimestamp: 20130717173313Z
zimbraAutoProvLdapAdminBindDn: cn=administrator,cn=users,dc=your,dc=domain,dc=com
zimbraAutoProvLdapAdminBindPassword: YourAdministratorPassword
zimbraAutoProvLdapBindDn: %u@%d
zimbraAutoProvLdapSearchBase: dc=your,dc=domain,dc=com
zimbraAutoProvLdapSearchFilter: (&(objectClass=user))
zimbraAutoProvLdapURL: ldap://yoursambaserver.your.domain.com:389
zimbraAutoProvMode: EAGER
zimbraAutoProvNotificationBody: Your account has been auto provisioned. Your email address is ${ACCOUNT_ADDRESS}.
zimbraAutoProvNotificationSubject: New account auto provisioned
$ zmprov gs zimbra.your.domain.com | grep AutoProv
zimbraAutoProvPollingInterval: 15m
zimbraAutoProvScheduledDomains: your.domain.com
$ cat /opt/zimbra/log/mailbox.log | grep AutoProv
To add in crontab after #ZIMBRAEND:
# BUG 82789 WORKAROUND
*/15 * * * * /opt/zimbra/bin/zmprov md your.domain.com zimbraAutoProvLastPolledTimestamp "" > /dev/null 2>&1
FIELD MAPPING
zimbraAutoProvAttrMap {external attribute}={zimbra attribute}
IMPORTANT: Invalid mapping configuration will cause the account creation
to fail. To map the "sn" value on the external entry to "displayName" on
the Zimbra account and map description value on the external entry to
description on the ZCS account, type:
zmprov md <domain.com> zimbraAutoProvAttrMap sn=displayName
http://wiki.zimbra.com/wiki/Zimbra_Attributes_ZCS8
http://www.computerperformance.co.uk/Logon/LDAP_attributes_active_directory.htm
zmprov md your.domain.com zimbraAutoProvAttrMap givenName=givenName +zimbraAutoProvAttrMap sn=sn +zimbraAutoProvAttrMap displayName=displayName
LDAP GAL SYNC
http://wiki.zimbra.com/wiki/GAL_Sync_Account
DYNAMIC DISTRIBUTION LISTS
http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2038098
Lorenzo Faleschini, IT Manager
On 26/02/2014 01:50, Petros wrote:
> Hi all,
>
> I plan to upgrade Samba to be an AD server (using FreeBSD)
>
> I also have a Zimbra mail server using internal LDAP (it is OpenLDAP
> with a schema suitable for the mail server)
>
> At the moment I bind a few other web applications (Redmine, a wiki etc)
> to the Zimbra server for LDAP authorisation.
>
> Of course, I would like to simplify user experience by using the same
> user/password for the Samba domain too.
>
> Zimbra using Samba4 LDAP or the other way around.. all seems to be
> tricky and it all feels unsupported/experimental..
>
> I also thought about a password synchronisation as a "poor man's
> solution" but I am not sure whether this is achievable, e.g. using
> ldapsearch and friends. I am also not sure about the format used by both
> LDAP servers yet, vaguely remembering Windows using MD4 in the past or so.
>
> Any help and recommendation would be appreciated.
>
> Regards
> Peter
>
>
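A check for the auto-provisioning settings in the notes above, as an added example that is not part of the original message or of Zimbra's tooling: it reads `zmprov gd <domain> | grep AutoProv` output and flags settings that weaken the setup. The function names and finding labels are this example's own, and `zimbraAutoProvLdapStartTlsEnabled` is a Zimbra attribute the notes do not set.

```shell
#!/bin/sh
# Added example: read `zmprov gd <domain> | grep AutoProv` output on stdin
# and print one finding per line. The finding names are this example's own.
audit_autoprov() {
    awk '
    /^zimbraAutoProv[A-Za-z]+:/ {          # "name: value" line
        key = $1; sub(/:$/, "", key)
        val = $0; sub(/^[^:]+:[ \t]*/, "", val)
        conf[key] = val
        next
    }
    key != "" {                            # value wrapped onto the next line
        sep = (conf[key] == "") ? "" : " "
        conf[key] = conf[key] sep $0
    }
    END {
        url  = tolower(conf["zimbraAutoProvLdapURL"])
        tls  = toupper(conf["zimbraAutoProvLdapStartTlsEnabled"])
        dn   = tolower(conf["zimbraAutoProvLdapAdminBindDn"])
        filt = tolower(conf["zimbraAutoProvLdapSearchFilter"])
        if (url ~ /^ldap:\/\// && tls != "TRUE")
            print "PLAINTEXT_LDAP: admin bind password crosses the network unencrypted"
        if (dn ~ /^cn=administrator,/)
            print "ADMIN_BIND_DN: use a dedicated read-only account for the search bind"
        if (filt !~ /objectcategory=person|!\(objectclass=computer\)/)
            print "FILTER_COMPUTERS: (objectClass=user) also matches AD computer accounts"
        if (filt !~ /useraccountcontrol/)
            print "FILTER_DISABLED: filter does not exclude disabled accounts"
    }'
}

# Constructed sample mirroring the values in the notes above.
sample_config() {
    cat <<'EOF'
zimbraAutoProvLdapAdminBindDn:
cn=administrator,cn=users,dc=your,dc=domain,dc=com
zimbraAutoProvLdapBindDn: %u@%d
zimbraAutoProvLdapSearchFilter: (&(objectClass=user))
zimbraAutoProvLdapURL: ldap://yoursambaserver.your.domain.com:389
zimbraAutoProvMode: EAGER
EOF
}

sample_config | audit_autoprov
```

On a live server the input would be `zmprov gd your.domain.com | audit_autoprov`; a filter such as `(&(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))` clears both filter findings.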