You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
154 lines
6.5 KiB
154 lines
6.5 KiB
5 years ago
|
# LDAP synchronisation
|
||
|
|
||
|
This script brings a complete synchronization of user accounts and groups from an external LDAP server.
|
||
|
|
||
|
Zimbra (OSE) supports autoprovisioning, but this feature only takes care of user accounts creation. Several other scripts can be found, nut noone of them implemented what I need, so I wrote this one.
|
||
|
|
||
|
The goals are :
|
||
|
* Do not only provision accounts, but update them if needed (eg : name changed)
|
||
|
* Support AD, OpenLDAP, or any custom LDAP schema
|
||
|
* Synchronize LDAP groups into distribution lists in Zimbra, preserving memberships
|
||
|
* Lock Zimbra accounts when the corresponding LDAP accounts are removed (or not matching the filter anymore)
|
||
|
* Handle email alias defined in LDAP, and translate them into aliases in Zimbra
|
||
|
* Allow objects (aliase, distribution list) to be created directly in Zimbra. Objects coming from LDAP are synchronized, including alias previously defined in LDAP which aren't anymore are removed from Zimbra. But aliases defined directly in Zimbra won't be touched. Same is true for distribution lists. So you can mix LDAP defined and Zimbra defined configuration
|
||
|
|
||
|
## Configuration
|
||
|
|
||
5 years ago
|
The configuration is stored in a single file in YAML format. The script will look for a config at /opt/zimbra/conf/zmldapsync.yml or trhe one specified in the --config argument.
|
||
5 years ago
|
|
||
|
The config has two main section :
|
||
|
|
||
|
* general : settings which affects all domains, mainly to configure email notification in case of error
|
||
|
* domains : list of domain to sync, and the settings for each of them
|
||
|
|
||
|
The general section looks like
|
||
|
|
||
|
```
|
||
|
general:
|
||
|
notify:
|
||
|
from: zimbra@example.org
|
||
|
to: admin@acme-corp.biz
|
||
|
```
|
||
|
|
||
|
|
||
|
Foreach each domain you defined, you can configure 4 sections :
|
||
|
* ldap : defined where and how to connect to the external LDAP server
|
||
|
* users : define how to search for users in the external LDAP, and which attributes will be mapped to which one in Zimbra
|
||
|
* groups : define how to search for groups in external LDAP, and which attributes will be mapped to which one in Zimbra
|
||
|
* zimbra : define some settings about how the script should behave for this domain (eg, should it create the domain if missing, should it autoconfigure external authentication etc.)
|
||
|
|
||
|
In most case, the configuration can be minimal, as defaults values are provided. You just have to set the LDAP server, bind DN and password (if applicable), and the schema. The schema can be ad, rfc2307 or rfc2307bis. If one of these schema is specified, adapted defaults values will be used
|
||
|
|
||
|
Here are some examples of domains definition :
|
||
|
|
||
|
```
|
||
|
domains:
|
||
|
# A simple example, against and AD style directory
|
||
|
# Note that this example has no groups definition, and so,
|
||
|
# groups won't be synchronized to distribution lists
|
||
|
acme-corp.biz:
|
||
|
ldap:
|
||
|
servers:
|
||
|
- ldap://dc1.acme-corp.biz:389
|
||
|
- ldap://dc2.acme-corp.biz:389
|
||
|
start_tls: True
|
||
|
bind_dn: CN=Zimbra,CN=Users,DC=acme-corp,DC=biz
|
||
|
bind_pass: 'Sup3rS3cret.P@ssPhr4se'
|
||
|
schema: ad
|
||
|
users:
|
||
|
base: OU=CN=Users,DC=acme-corp,DC=biz
|
||
|
|
||
|
# Another simple example, against OpenLDAP using rfc2307bis schema
|
||
|
corp2.com:
|
||
|
ldap:
|
||
|
servers:
|
||
|
- ldap://ldap.corp2.com
|
||
|
schema: rfc2307bis
|
||
|
users:
|
||
|
base: ou=people,dc=corp2,dc=com
|
||
|
filter: '(memberOf=cn=mail_users,ou=Groups,dc=corp2,dc=com)'
|
||
|
groups:
|
||
|
base: ou=groups,dc=corp2,dc=com
|
||
|
|
||
5 years ago
|
# A more complete example, which shows all the available settings, with their meaning
|
||
5 years ago
|
corp3.net:
|
||
|
ldap:
|
||
5 years ago
|
# List of LDAP servers to try (in order)
|
||
5 years ago
|
servers:
|
||
|
- ldap://ldap1.corp3.net:389
|
||
|
- ldap://ldap3.corp3.net:389
|
||
5 years ago
|
# Use starttls/ Do not set this if using ldaps:// URI
|
||
5 years ago
|
start_tls: True
|
||
5 years ago
|
# Optional bind DN and bind password for searches
|
||
5 years ago
|
bind_dn: CN=Zimbra,OU=Apps,DC=corp3,DC=net
|
||
|
bind_pass: 'p@ssw0rd'
|
||
5 years ago
|
# the schema used. Can be ad, rfc2307, rfc2307bis or simply ldap.
|
||
|
# ad, rfc2307 and rfc2307bis provides default values for attribute mapping. ldap is when you want
|
||
|
# a complete control, and you'll have to configure the mapping yourself
|
||
5 years ago
|
schema: ad
|
||
|
users:
|
||
5 years ago
|
# Base DN where to look for users
|
||
5 years ago
|
base: OU=People,DC=corp3,DC=net
|
||
5 years ago
|
# Filter to look for users
|
||
5 years ago
|
filter: '(&(objectClass=user)(memberOf:1.2.840.113556.1.4.1941:=CN=Role_Mail,OU=Roles,DC=corp3,DC=net)(mail=*))'
|
||
5 years ago
|
# The attribute which uniquely identify a user. Usually either uid or sAMAccountName
|
||
|
# This attribute will be used as the user name in Zimbra (with the domain appended)
|
||
5 years ago
|
key: sAMAccountName
|
||
5 years ago
|
# The attribute for the main email address
|
||
5 years ago
|
mail_attr: mail
|
||
5 years ago
|
# The attribute for email aliases
|
||
5 years ago
|
alias_attr: otherMailbox
|
||
5 years ago
|
# A dict of attribute to map from external LDAP to Zimbra.
|
||
|
# The format is ext_attr: zimbra_attr
|
||
5 years ago
|
attr_map:
|
||
|
displayName: displayName
|
||
|
description: description
|
||
|
cn: cn
|
||
|
sn: sn
|
||
|
givenName: givenName
|
||
|
telephoneNumber: telephoneNumber
|
||
|
homePhone: homePhone
|
||
|
mobile: mobile
|
||
|
streetAddress: street
|
||
|
l: l
|
||
|
st: st
|
||
|
co: co
|
||
|
title: title
|
||
|
company: company
|
||
|
groups:
|
||
5 years ago
|
# The base DN where to look for groups
|
||
5 years ago
|
base: OU=Groups,DC=corp3,DC=net
|
||
5 years ago
|
# An optional filter to apply to group searches
|
||
5 years ago
|
filter: (objectClass=group)
|
||
5 years ago
|
# The atribute which uniquely identify a group. Usually cn
|
||
|
# This attribute will be used as the distribution list name in Zimbra (with the domain appended)
|
||
5 years ago
|
key: cn
|
||
5 years ago
|
# The attribute which lists the group members
|
||
5 years ago
|
members_attr: member
|
||
5 years ago
|
# Are the members listed as full DN, or simply usernames (like memberUid with posixGroups)
|
||
5 years ago
|
members_as_dn: True
|
||
5 years ago
|
# The attribute for the main email address
|
||
5 years ago
|
mail_attr: mail
|
||
5 years ago
|
# The attribute for email aliases
|
||
5 years ago
|
alias_attr: null
|
||
5 years ago
|
# A dict of attribute to map from external LDAP to Zimbra.
|
||
|
# The format is ext_attr: zimbra_attr
|
||
5 years ago
|
attr_map:
|
||
|
displayName: displayName
|
||
|
description: description
|
||
|
zimbra:
|
||
5 years ago
|
# Should zmldapsync create the domain if missing ?
|
||
5 years ago
|
create_if_missing: False
|
||
5 years ago
|
# If the domain in Zimbra exists but is not configured
|
||
|
# for external auth (either LDAP or AD), should this script configure it ?
|
||
5 years ago
|
setup_ldap_auth: True
|
||
|
```
|
||
|
|
||
|
## Command line
|
||
|
|
||
|
Once a configuration file is ready, the script can be called with the following command line arguments :
|
||
|
|
||
5 years ago
|
* --config : path to the config file (defaults to /opt/zimbra/conf/zmldapsync.yml)
|
||
5 years ago
|
* --quiet : will not print anything except errors
|
||
|
* --verbose : prints aditional info during the sync
|