Setting up Carbonio CE user authentication against Active Directory presupposes that the Carbonio CE LDAP already contains an account for every AD account that should be able to log in. Because the set of accounts changes constantly, account creation in Carbonio CE has to be automated. The AutoProv feature does exactly this: it searches Active Directory for accounts and copies their data into Carbonio CE. This article explains how to configure AutoProv for your needs.
We assume that user authentication against Active Directory is already configured and working in Carbonio CE. AutoProv is configured from the command line with carbonio prov.
AutoProv has three modes of operation:
- LAZY – provisioning happens at the user's first login. After the user has authenticated successfully against AD, AutoProv looks up the user's entry in AD, copies the mapped attributes and creates the account in Carbonio CE.
- EAGER – provisioning runs on a schedule. Carbonio CE polls AD at a configured interval and creates an account, with the attributes taken from Active Directory, for every matching AD entry that does not yet exist in Carbonio CE.
- MANUAL – no automatic provisioning; accounts are created by hand. Use this mode to switch AutoProv off.
Lazy Mode Setting
AutoProv is configured per domain. You need the mapping of user attributes, the search base, and the credentials of an Active Directory account on whose behalf the searches are made. Use a dedicated read-only service account rather than a domain administrator: the password is stored as a domain attribute in Carbonio CE's LDAP and is printed in clear by carbonio prov getDomain, so anyone who can run carbonio prov on the mail server can read it.
AutoProv LAZY setting examples (the bind password is single-quoted on purpose: inside double quotes the shell expands $$ to its own process ID before carbonio prov ever sees the value):
carbonio prov modifyDomain domain.tld zimbraAutoProvAccountNameMap "sAMAccountName"
carbonio prov modifyDomain domain.tld zimbraAutoProvAttrMap "cn=displayName"
carbonio prov modifyDomain domain.tld +zimbraAutoProvAttrMap "givenName=givenName"
carbonio prov modifyDomain domain.tld +zimbraAutoProvAttrMap "sn=sn"
carbonio prov modifyDomain domain.tld +zimbraAutoProvAttrMap "description=description"
carbonio prov modifyDomain domain.tld zimbraAutoProvAuthMech "LDAP"
carbonio prov modifyDomain domain.tld zimbraAutoProvLdapAdminBindDn "admin@ad.domain.tld"
carbonio prov modifyDomain domain.tld zimbraAutoProvLdapAdminBindPassword 'P@$$w0rD'
carbonio prov modifyDomain domain.tld zimbraAutoProvLdapBindDn "%u@ad.domain.tld"
carbonio prov modifyDomain domain.tld zimbraAutoProvLdapSearchBase "ou=allusers,DC=ad,DC=domain,DC=tld"
carbonio prov modifyDomain domain.tld zimbraAutoProvLdapSearchFilter "(&(ObjectCategory=person))"
carbonio prov modifyDomain domain.tld zimbraAutoProvLdapURL "ldap://ad.domain.tld:389"
carbonio prov modifyDomain domain.tld zimbraAutoProvMode "LAZY"
carbonio prov modifyDomain domain.tld zimbraAutoProvNotificationBody "Your account auto-configuration was successful"
carbonio prov modifyDomain domain.tld zimbraAutoProvNotificationFromAddress "zextras@domain.tld"
carbonio prov modifyDomain domain.tld zimbraAutoProvNotificationSubject "Your account has been automatically configured"
Let's explain what each of these settings means:
- zimbraAutoProvAccountNameMap – the AD attribute whose value becomes the local part of the Carbonio CE account name; with sAMAccountName the AD user jdoe becomes jdoe@domain.tld
- zimbraAutoProvAttrMap – maps Active Directory attributes to Carbonio CE LDAP attributes, written as "<AD attribute>=<Carbonio attribute>". Thanks to it, names, phone numbers, office numbers and other contact details are filled in automatically. The attribute is multi-valued: the first plain assignment replaces the whole list, the following +zimbraAutoProvAttrMap calls add to it
- zimbraAutoProvAuthMech – the authentication mechanism after which LAZY provisioning is triggered. LDAP means that a successful external LDAP (Active Directory) login of a user who does not yet exist in Carbonio CE creates the account
- zimbraAutoProvLdapAdminBindDn – the Active Directory account used for search requests
- zimbraAutoProvLdapAdminBindPassword – the password of that account. It is stored in Carbonio CE's LDAP in clear and shown by carbonio prov getDomain, which is one more reason to use a read-only service account rather than a domain administrator
- zimbraAutoProvLdapBindDn – template for the AD name of the user who is logging in; %u is replaced with the login name the user entered
- zimbraAutoProvLdapSearchBase – the container in Active Directory under which users are looked up
- zimbraAutoProvLdapSearchFilter – an LDAP filter so that only users appear in the search results. Note that objectCategory=person alone also matches AD contact objects; add (objectClass=user) if the search base contains contacts
- zimbraAutoProvLdapURL – the address of the Active Directory server. With ldap:// on port 389 the simple bind sends the service-account password over the network in clear text; use ldaps://ad.domain.tld:636 as soon as the AD certificate is trusted by the mail server
- zimbraAutoProvMode – the AutoProv mode of operation
- zimbraAutoProvNotificationSubject – the subject of the email that reports a successful automatic account configuration
- zimbraAutoProvNotificationBody – the body of that email. It can contain a link to the user manual and other useful information, and the placeholder ${ACCOUNT_ADDRESS} is replaced with the new account's address
- zimbraAutoProvNotificationFromAddress – the sender address of that email
After applying the above settings, no individual service and no server restart is needed.
To verify the configuration, log in as an account that certainly exists in Active Directory and does not yet exist in Carbonio CE. The login should succeed, the account should appear in Carbonio CE, and its mailbox should contain the notification message.
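A login test exercises one account only. Before switching to EAGER mode, which creates an account for every entry the filter returns, it pays to run the same search Carbonio CE will run and inspect the result. The script below is an added example and is not part of Carbonio CE or of this article; it assumes a read-only service account svc-carbonio@ad.domain.tld, an ldaps:// URL on port 636, and the filter (&(objectCategory=person)(objectClass=user)), which unlike objectCategory=person alone excludes AD contact objects. It runs ldapsearch with the bind DN, base and filter, then checks that every entry has exactly one sAMAccountName, that no two entries collapse to the same lowercased account name, and that no name contains characters that cannot form a mail address.

```shell
#!/bin/sh
# Added example, not part of Carbonio CE or this article: pre-flight check of
# the Active Directory side of an AutoProv configuration. Host names, the
# service account and the filter are assumptions; adjust them to your site.
set -eu

# Reads LDIF as printed by `ldapsearch -LLL -o ldif-wrap=no` on stdin and prints
# a one-line summary plus one "duplicate: <name>" line per clash. Returns 0 only
# if every entry has a sAMAccountName, no name is empty or contains whitespace
# or '@', and all names are unique after lowercasing (Carbonio CE lowercases
# account names, so JDoe and jdoe would collide).
check_account_names() {
  entries=0 missing=0 invalid=0 in_entry=0 have_name=0 names=''
  while IFS= read -r line || [ -n "$line" ]; do
    if [ -z "$line" ]; then                 # a blank line ends an LDIF entry
      if [ "$in_entry" -eq 1 ] && [ "$have_name" -eq 0 ]; then
        missing=$((missing + 1))
      fi
      in_entry=0 have_name=0
      continue
    fi
    attr=$(printf '%s' "${line%%:*}" | tr '[:upper:]' '[:lower:]')
    case "$attr" in
      dn)
        in_entry=1 entries=$((entries + 1)) ;;
      samaccountname)
        have_name=1
        value=${line#*:}
        case "$value" in
          :*) value=$(printf '%s' "${value#:}" | tr -d ' ' | base64 -d) ;;  # "attr:: base64"
          *)  value=${value# } ;;
        esac
        value=$(printf '%s' "$value" | tr '[:upper:]' '[:lower:]')
        case "$value" in
          ''|*[[:space:]@]*) invalid=$((invalid + 1)) ;;
        esac
        names="$names$value
"
        ;;
    esac
  done
  if [ "$in_entry" -eq 1 ] && [ "$have_name" -eq 0 ]; then   # last entry, no trailing blank line
    missing=$((missing + 1))
  fi
  dupes=$(printf '%s' "$names" | LC_ALL=C sort | uniq -d)
  dup_count=$(printf '%s' "$dupes" | grep -c . || true)
  printf 'entries=%d missing_name=%d duplicate_names=%d invalid_names=%d\n' \
    "$entries" "$missing" "$dup_count" "$invalid"
  if [ -n "$dupes" ]; then
    printf '%s\n' "$dupes" | sed 's/^/duplicate: /'
  fi
  if [ "$missing" -eq 0 ] && [ "$dup_count" -eq 0 ] && [ "$invalid" -eq 0 ]; then
    return 0
  fi
  return 1
}

# Runs the live query. ldaps on 636 keeps the bind password off the wire
# (ldap://...:389 sends a simple bind in clear text); -y reads the password
# from a 0600 temp file instead of -w, so it does not show up in `ps`.
preflight() {
  url=${AD_URL:-ldaps://ad.domain.tld:636}
  base=${AD_BASE:-ou=allusers,DC=ad,DC=domain,DC=tld}
  filter=${AD_FILTER:-"(&(objectCategory=person)(objectClass=user))"}
  bind=${AD_BIND_DN:-svc-carbonio@ad.domain.tld}
  pwfile=$(mktemp)
  trap 'rm -f "$pwfile"' EXIT
  printf 'Password for %s: ' "$bind" >&2
  stty -echo 2>/dev/null || true
  IFS= read -r pw
  stty echo 2>/dev/null || true
  echo >&2
  printf '%s' "$pw" > "$pwfile"            # no trailing newline: -y uses the file verbatim
  ldif=$(ldapsearch -LLL -o ldif-wrap=no -H "$url" -D "$bind" -y "$pwfile" \
           -b "$base" "$filter" sAMAccountName)
  printf '%s\n' "$ldif" | check_account_names
}

case "${1:-}" in
  --live) preflight ;;                       # query Active Directory now
  --ldif) check_account_names < "$2" ;;      # check a saved ldapsearch -LLL dump
esac
```

Run it as sh autoprov-preflight.sh --live to query AD, or --ldif dump.ldif to check a saved export. A nonzero exit or any duplicate: line means two AD users would compete for one Carbonio CE account name, or an entry has no usable name; fix the directory data or narrow the search base before switching to EAGER. If the Active Directory CA is not in the system trust store, point LDAPTLS_CACERT at its certificate.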
Eager Mode Setting
EAGER mode is configured both at the domain level and at the server level. In addition to the settings above, the administrator has to set the Active Directory polling interval. Too short an interval increases the load on the infrastructure, because every poll searches AD and creates accounts on the mail server.
AutoProv EAGER setting examples (the last two settings are server attributes and are applied to the mail server with modifyServer, not to the domain):
carbonio prov modifyDomain domain.tld zimbraAutoProvAccountNameMap "sAMAccountName"
carbonio prov modifyDomain domain.tld zimbraAutoProvAttrMap "sn=sn"
carbonio prov modifyDomain domain.tld +zimbraAutoProvAttrMap "description=description"
carbonio prov modifyDomain domain.tld +zimbraAutoProvAttrMap "cn=displayName"
carbonio prov modifyDomain domain.tld +zimbraAutoProvAttrMap "givenName=givenName"
carbonio prov modifyDomain domain.tld zimbraAutoProvBatchSize "20"
carbonio prov modifyDomain domain.tld zimbraAutoProvLdapAdminBindDn "admin@ad.domain.tld"
carbonio prov modifyDomain domain.tld zimbraAutoProvLdapAdminBindPassword 'P@$$w0rD'
carbonio prov modifyDomain domain.tld zimbraAutoProvLdapBindDn "admin@ad.domain.tld"
carbonio prov modifyDomain domain.tld zimbraAutoProvLdapSearchBase "dc=ad,dc=domain,dc=tld"
carbonio prov modifyDomain domain.tld zimbraAutoProvLdapSearchFilter "(&(ObjectCategory=person))"
carbonio prov modifyDomain domain.tld zimbraAutoProvLdapURL "ldap://ad.domain.tld:389"
carbonio prov modifyDomain domain.tld zimbraAutoProvMode "EAGER"
carbonio prov modifyDomain domain.tld zimbraAutoProvNotificationBody "Your account has been auto provisioned. Your email address is ${ACCOUNT_ADDRESS}."
carbonio prov modifyDomain domain.tld zimbraAutoProvNotificationFromAddress "zextras@domain.tld"
carbonio prov modifyDomain domain.tld zimbraAutoProvNotificationSubject "New account auto provisioned"
carbonio prov modifyServer mailstore.domain.tld zimbraAutoProvPollingInterval "5m"
carbonio prov modifyServer mailstore.domain.tld zimbraAutoProvScheduledDomains "domain.tld"
Most of the settings duplicate those of LAZY mode; three are new:
- zimbraAutoProvBatchSize – the maximum number of accounts created in one polling run
- zimbraAutoProvPollingInterval – applied to the mail server (modifyServer), not to the domain: how often Carbonio CE polls Active Directory (5m is five minutes)
- zimbraAutoProvScheduledDomains – also a server setting: the list of domains this mail server provisions in EAGER mode. A domain switched to EAGER but missing from this list is never polled
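The two listings above apply every setting with a separate carbonio prov call and put the bind password on the command line, where it lands in shell history and, in double quotes, is mangled by $$ expansion. The script below is an added example and not Carbonio's own tooling: it applies the LAZY or EAGER domain settings from this article in one modifyDomain call, applies the EAGER server settings with modifyServer, and then reads everything back with getDomain and getServer and compares it attribute by attribute (no restart is involved, as noted for LAZY mode). The names domain.tld, mailstore.domain.tld and svc-carbonio@ad.domain.tld, the ldaps:// URL and the filter with (objectClass=user) are assumptions.

```shell
#!/bin/sh
# Added example, not Carbonio's own tooling: apply the AutoProv settings for one
# domain with the AD bind password read from a prompt and passed to carbonio
# prov from a variable, so it never sits in shell history and is never
# re-expanded by the shell ("P@$$w0rD" in double quotes becomes P@<pid>w0rD).
set -eu

DOMAIN=${DOMAIN:-domain.tld}                              # assumed
MAILSTORE=${MAILSTORE:-mailstore.domain.tld}              # assumed, EAGER only
AD_URL=${AD_URL:-ldaps://ad.domain.tld:636}               # ldap://...:389 would bind in clear text
AD_BASE=${AD_BASE:-ou=allusers,DC=ad,DC=domain,DC=tld}
AD_FILTER=${AD_FILTER:-"(&(objectCategory=person)(objectClass=user))"}
AD_ADMIN_DN=${AD_ADMIN_DN:-svc-carbonio@ad.domain.tld}    # read-only service account, not a domain admin
PROV=${PROV:-carbonio prov}
tab=$(printf '\t')

# Prints "attribute<TAB>value" lines for the domain-level settings of MODE.
# zimbraAutoProvAttrMap is multi-valued; repeating the attribute within one
# modifyDomain call replaces the whole value list, which is what the article's
# first plain and then "+" assignments achieve in several calls.
autoprov_domain_attrs() {
  mode=$1 pw=$2
  case "$mode" in
    MANUAL) printf 'zimbraAutoProvMode\tMANUAL\n'; return 0 ;;
    LAZY|EAGER) ;;
    *) echo "unknown mode: $mode" >&2; return 1 ;;
  esac
  printf '%s\t%s\n' \
    zimbraAutoProvMode "$mode" \
    zimbraAutoProvAuthMech LDAP \
    zimbraAutoProvLdapURL "$AD_URL" \
    zimbraAutoProvLdapAdminBindDn "$AD_ADMIN_DN" \
    zimbraAutoProvLdapAdminBindPassword "$pw" \
    zimbraAutoProvLdapSearchBase "$AD_BASE" \
    zimbraAutoProvLdapSearchFilter "$AD_FILTER" \
    zimbraAutoProvAccountNameMap sAMAccountName \
    zimbraAutoProvAttrMap cn=displayName \
    zimbraAutoProvAttrMap givenName=givenName \
    zimbraAutoProvAttrMap sn=sn \
    zimbraAutoProvAttrMap description=description \
    zimbraAutoProvNotificationFromAddress "zextras@$DOMAIN" \
    zimbraAutoProvNotificationSubject 'Your account has been automatically configured' \
    zimbraAutoProvNotificationBody 'Your account ${ACCOUNT_ADDRESS} was created automatically.'
  if [ "$mode" = LAZY ]; then
    printf 'zimbraAutoProvLdapBindDn\t%s\n' '%u@ad.domain.tld'   # %u = login name typed by the user
  else
    printf 'zimbraAutoProvBatchSize\t20\n'
  fi
}

# Feeds the pairs on stdin to a single carbonio prov call:
# $1 = modifyDomain or modifyServer, $2 = domain or server name.
apply_attrs() {
  cmd=$1 target=$2
  set --
  while IFS="$tab" read -r attr value; do
    set -- "$@" "$attr" "$value"
  done
  $PROV "$cmd" "$target" "$@"     # PROV unquoted on purpose: "carbonio prov" is two words
}

# Compares "attribute<TAB>expected" pairs on stdin with the "attr: value" lines
# in $1 (output of getDomain / getServer). Multi-valued attributes are printed
# once per value, so each expected value is matched as its own line.
check_stored() {
  stored=$1 rc=0
  while IFS="$tab" read -r attr expected; do
    if ! printf '%s\n' "$stored" | grep -qxF "$attr: $expected"; then
      printf 'mismatch: %s expected %s\n' "$attr" "$expected"
      rc=1
    fi
  done
  return $rc
}

main() {
  mode=$1 pw=''
  if [ "$mode" != MANUAL ]; then
    printf 'AD bind password for %s: ' "$AD_ADMIN_DN" >&2
    stty -echo 2>/dev/null || true
    IFS= read -r pw
    stty echo 2>/dev/null || true
    echo >&2
  fi
  pairs=$(autoprov_domain_attrs "$mode" "$pw")
  printf '%s\n' "$pairs" | apply_attrs modifyDomain "$DOMAIN"
  printf '%s\n' "$pairs" | check_stored "$($PROV getDomain "$DOMAIN")"
  if [ "$mode" = EAGER ]; then
    # Polling interval and scheduled domains are server attributes; without
    # them an EAGER domain is never polled.
    srv=$(printf 'zimbraAutoProvPollingInterval\t5m\nzimbraAutoProvScheduledDomains\t%s\n' "$DOMAIN")
    printf '%s\n' "$srv" | apply_attrs modifyServer "$MAILSTORE"
    printf '%s\n' "$srv" | check_stored "$($PROV getServer "$MAILSTORE")"
  fi
}

case "${1:-}" in LAZY|EAGER|MANUAL) main "$1" ;; esac
```

Run sh autoprov-apply.sh LAZY or sh autoprov-apply.sh EAGER as the zextras user and type the password at the prompt; an empty output means every attribute read back as expected. The read-back also prints zimbraAutoProvLdapAdminBindPassword in clear, which is why the bind account should be a read-only service account.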
Manual Mode Setting
This mode is set at the domain level. Once AutoProv is switched to MANUAL, accounts are no longer copied from AD; it stops automatic provisioning without touching accounts that were already created.
To enable it, enter the command:
carbonio prov modifyDomain domain.tld zimbraAutoProvMode "MANUAL"
Note that account creation is not a fast process; for a large number of users it can take several days. In EAGER mode each polling run creates at most zimbraAutoProvBatchSize accounts, so with the values above (20 accounts every 5 minutes) at most 5760 accounts are created per day. You can watch new users appear in /opt/zextras/log/mailbox.log
and with the command carbonio prov -l getAllAccounts,
which lists every account on the server. The growth of that list shows how AutoProv is working in Carbonio CE.