|Daniel Berteaud b7f24f9136||2 weeks ago|
|README.md||3 months ago|
|zmldapsync.pl||2 weeks ago|
|zmldapsync.yml||1 year ago|
This script brings a complete synchronization of user accounts and groups from an external LDAP server.
Zimbra (OSE) supports autoprovisioning, but this feature only takes care of user accounts creation. Several other scripts can be found, nut noone of them implemented what I need, so I wrote this one.
The goals are :
A few other features are included, like :
All from a simple yaml configuration file
The configuration is stored in a single file in YAML format. The script will look for a config at /opt/zimbra/conf/zmldapsync.yml or the one specified in the --config argument.
The config has two main sections :
The general section looks like
general: notify: from: firstname.lastname@example.org to: email@example.com
Foreach each domain you define, you can configure 4 sections :
In most case, the configuration can be minimal, as defaults values are provided. You just have to set the LDAP server, bind DN and password (if applicable), and the schema. The schema can be ad, rfc2307 or rfc2307bis. If one of these schema is specified, adapted defaults values will be used
Here are some examples of domains definition :
domains: # A simple example, against and AD style directory # Note that this example has no groups definition, and so, # groups won't be synchronized to distribution lists acme-corp.biz: ldap: servers: - ldap://dc1.acme-corp.biz:389 - ldap://dc2.acme-corp.biz:389 start_tls: True bind_dn: CN=Zimbra,CN=Users,DC=acme-corp,DC=biz bind_pass: 'Sup3rS3cret.P@ssPhr4se' schema: ad users: base: OU=CN=Users,DC=acme-corp,DC=biz # Another simple example, against OpenLDAP using rfc2307bis schema corp2.com: ldap: servers: - ldap://ldap.corp2.com schema: rfc2307bis users: base: ou=people,dc=corp2,dc=com filter: '(memberOf=cn=mail_users,ou=Groups,dc=corp2,dc=com)' groups: base: ou=groups,dc=corp2,dc=com # A more complete example, which shows all the available settings, with their meaning corp3.net: ldap: # List of LDAP servers to try (in order) servers: - ldap://ldap1.corp3.net:389 - ldap://ldap3.corp3.net:389 # Use starttls. Do NOT set this if using ldaps:// URI start_tls: True # Optional bind DN and bind password for searches bind_dn: CN=Zimbra,OU=Apps,DC=corp3,DC=net bind_pass: 'p@ssw0rd' # the schema used. Can be ad, rfc2307, rfc2307bis or simply ldap. # ad, rfc2307 and rfc2307bis provides default values for attribute mapping. ldap is when you want # a total control, and you'll have to configure the mapping yourself schema: ad users: # Base DN where to look for users base: OU=People,DC=corp3,DC=net # Filter to look for users filter: '(&(objectClass=user)(memberOf:1.2.840.113522.214.171.1241:=CN=Role_Mail,OU=Roles,DC=corp3,DC=net)(mail=*))' # The attribute which uniquely identify a user. Usually either uid or sAMAccountName # This attribute will be used as the user name in Zimbra (with the domain appended) key: sAMAccountName # The attribute for the main email address mail_attr: mail # The attribute for email aliases alias_attr: otherMailbox # A dict of attributes to map from external LDAP to Zimbra. # The format is ext_attr: zimbra_attr attr_map: displayName: displayName description: description cn: cn sn: sn givenName: givenName telephoneNumber: telephoneNumber homePhone: homePhone mobile: mobile streetAddress: street l: l st: st co: co title: title company: company groups: # The base DN where to look for groups base: OU=Groups,DC=corp3,DC=net # An optional filter to apply to group searches filter: (objectClass=group) # The atribute which uniquely identify a group. Usually cn # This attribute will be used as the distribution list name in Zimbra (with the domain appended) key: cn # The attribute which lists the group members members_attr: member # Are the members listed as full DN, or simply usernames (like memberUid with posixGroups) members_as_dn: True # The attribute for the main email address mail_attr: mail # The attribute for email aliases alias_attr: null # A dict of attributes to map from external LDAP to Zimbra. # The format is ext_attr: zimbra_attr attr_map: displayName: displayName description: description zimbra: # Should zmldapsync create the domain if missing ? create_if_missing: False # If the domain exists in Zimbra but is not configured # for external auth (either LDAP or AD), should this script configure it ? setup_ldap_auth: True # If defined, domain aliases will be added to / removed from Zimbra according to this list domain_aliases: - mail.corp2.com - corp4.net # A list of attr which will be set using zmprov modifyDomain. The key is the Zimbra attr in LDAP, as you can get/set with zmprov additional_domain_attrs: zimbraVirtualHostname: - zm.corp.com - mail.corp2.com zimbraPublicServicePort: 443 zimbraPublicServiceProtocol: https zimbraPublicServiceHostname: mail.corp2.com
Once a configuration file is ready, the script can be called with the following command line arguments :