Daniel Berteaud
732d240885
|
3 years ago | |
---|---|---|
.. | ||
README.md | 3 years ago | |
zmldapsync.pl | 3 years ago | |
zmldapsync.yml | 6 years ago |
README.md
LDAP synchronisation and domain provisioning
This script brings a complete synchronization of user accounts and groups from an external LDAP server.
Zimbra (OSE) supports autoprovisioning, but this feature only takes care of user accounts creation. Several other scripts can be found, but none of them implemented what I needed, so I wrote this one.
The goals are :
- Do not only provision accounts, but update them if needed (eg : name changed)
- Support AD, OpenLDAP, or any custom LDAP schema
- Synchronize LDAP groups into distribution lists in Zimbra, preserving memberships
- Lock Zimbra accounts when the corresponding LDAP accounts are removed (or not matching the filter anymore)
- Handle email alias defined in LDAP, and translate them into aliases in Zimbra
- Allow objects (aliase, distribution list) to be created directly in Zimbra. Objects coming from LDAP are synchronized, including alias previously defined in LDAP which aren't anymore are removed from Zimbra. But aliases defined directly in Zimbra won't be touched. Same is true for distribution lists. So you can mix LDAP defined and Zimbra defined configuration
A few other features are included, like :
- Creating domains
- Creating / removing domain aliases
- Configure domain attributes
All from a simple yaml configuration file
Configuration
The configuration is stored in a single file in YAML format. The script will look for a config at /opt/zimbra/conf/zmldapsync.yml or the one specified in the --config argument.
The config has two main sections :
- general : settings which affect all domains, mainly to configure email notifications in case of error
- domains : list of domain to sync, and the settings for each of them
The general section looks like
general:
notify:
from: zimbra@example.org
to: admin@acme-corp.biz
Foreach each domain you define, you can configure 4 sections :
- ldap : defines where and how to connect to the external LDAP server(s)
- users : defines how to search for users in the external LDAP, and which attributes will be mapped to which ones in Zimbra
- groups : defines how to search for groups in external LDAP, and which attributes will be mapped to which ones in Zimbra
- zimbra : defines some settings about how the script should behave for this domain (eg, should it create the domain if missing, should it autoconfigure external authentication etc.)
In most case, the configuration can be minimal, as defaults values are provided. You just have to set the LDAP server, bind DN and password (if applicable), and the schema. The schema can be ad, rfc2307 or rfc2307bis. If one of these schema is specified, adapted defaults values will be used
Here are some examples of domains definition :
domains:
# A simple example, against an AD style directory
# Note that this example has no groups definition, and so,
# groups won't be synchronized to distribution lists
acme-corp.biz:
ldap:
servers:
- ldap://dc1.acme-corp.biz:389
- ldap://dc2.acme-corp.biz:389
start_tls: True
bind_dn: CN=Zimbra,CN=Users,DC=acme-corp,DC=biz
bind_pass: 'Sup3rS3cret.P@ssPhr4se'
schema: ad
users:
base: OU=CN=Users,DC=acme-corp,DC=biz
# Another simple example, against OpenLDAP using rfc2307bis schema
corp2.com:
ldap:
servers:
- ldap://ldap.corp2.com
schema: rfc2307bis
users:
base: ou=people,dc=corp2,dc=com
filter: '(memberOf=cn=mail_users,ou=Groups,dc=corp2,dc=com)'
groups:
base: ou=groups,dc=corp2,dc=com
# A more complete example, which shows all the available settings, with their meaning
corp3.net:
ldap:
# List of LDAP servers to try (in order)
servers:
- ldap://ldap1.corp3.net:389
- ldap://ldap3.corp3.net:389
# Use starttls. Do NOT set this if using ldaps:// URI
start_tls: True
# Optional bind DN and bind password for searches
bind_dn: CN=Zimbra,OU=Apps,DC=corp3,DC=net
bind_pass: 'p@ssw0rd'
# the schema used. Can be ad, rfc2307, rfc2307bis or simply ldap.
# ad, rfc2307 and rfc2307bis provides default values for attribute mapping. ldap is when you want
# a total control, and you'll have to configure the mapping yourself
schema: ad
users:
# Base DN where to look for users
base: OU=People,DC=corp3,DC=net
# Filter to look for users
filter: '(&(objectClass=user)(memberOf:1.2.840.113556.1.4.1941:=CN=Role_Mail,OU=Roles,DC=corp3,DC=net)(mail=*))'
# The attribute which uniquely identify a user. Usually either uid or sAMAccountName
# This attribute will be used as the user name in Zimbra (with the domain appended)
key: sAMAccountName
# The attribute for the main email address
mail_attr: mail
# The attribute for email aliases
alias_attr: otherMailbox
# A dict of attributes to map from external LDAP to Zimbra.
# The format is ext_attr: zimbra_attr
attr_map:
displayName: displayName
description: description
cn: cn
sn: sn
givenName: givenName
telephoneNumber: telephoneNumber
homePhone: homePhone
mobile: mobile
streetAddress: street
l: l
st: st
co: co
title: title
company: company
groups:
# The base DN where to look for groups
base: OU=Groups,DC=corp3,DC=net
# An optional filter to apply to group searches
filter: (objectClass=group)
# The atribute which uniquely identify a group. Usually cn
# This attribute will be used as the distribution list name in Zimbra (with the domain appended)
key: cn
# The attribute which lists the group members
members_attr: member
# Are the members listed as full DN, or simply usernames (like memberUid with posixGroups)
members_as_dn: True
# The attribute for the main email address
mail_attr: mail
# The attribute for email aliases
alias_attr: null
# A dict of attributes to map from external LDAP to Zimbra.
# The format is ext_attr: zimbra_attr
attr_map:
displayName: displayName
description: description
zimbra:
# Should zmldapsync create the domain if missing ?
create_if_missing: False
# If the domain exists in Zimbra but is not configured
# for external auth (either LDAP or AD), should this script configure it ?
setup_ldap_auth: True
# If defined, domain aliases will be added to / removed from Zimbra according to this list
domain_aliases:
- mail.corp2.com
- corp4.net
# A list of attr which will be set using zmprov modifyDomain. The key is the Zimbra attr in LDAP, as you can get/set with zmprov
additional_domain_attrs:
zimbraVirtualHostname:
- zm.corp.com
- mail.corp2.com
zimbraPublicServicePort: 443
zimbraPublicServiceProtocol: https
zimbraPublicServiceHostname: mail.corp2.com
Command line
Once a configuration file is ready, the script can be called with the following command line arguments :
- --config : path to the config file (defaults to /opt/zimbra/conf/zmldapsync.yml)
- --quiet : will not print anything except errors
- --verbose : prints aditional info during the sync
- --dry-run : do not apply the changes. Can be used with --verbose to see what would be done