How to integrate Zimbra Collaboration Suite with Active Directory | Zimbra

June 16, 2021 by Michele Ferron In Admin Guide , Customization , Zextras Suite & Zimbra OSE
Document
Alert! This article is written for Zimbra OSE users. As of December 2023, Synacor will no longer be providing support for Zimbra OSE. You might want to consider trying out Carbonio Community Edition – Zextras’s free and open-source email and collaboration platform.

For additional guidance, check out our community articles detailing the process of migrating from your current platform to Carbonio CE.

Many companies already have an established IT infrastructure where a tool such as Microsoft Active Directory is often used to manage and authenticate users. When these realities plan the implementation of Zimbra Collaboration Suite, the question arises if ZCS can adapt to their infrastructure and use Microsoft AD to authenticate users. The answer is yes. But let’s see in the continuation of the article how to do it.

Active Directory

So, let’s say that in your enterprise infrastructure, Active Directory is located on the domain.sample.com domain with an IP address of 192.168.1.101 , and Zimbra is supposed to be installed on mail.sample.com. In the process of integrating Zimbra and Active Directory, the latter will be connected as an external LDAP for Zimbra. For this reason, we recommend that you immediately prohibit users from changing their passwords on their own.

How it works

The connection between Active Directory and Zimbra Collaboration Suite is made by mailstore server. You have three different modes available:

  1. LAZY mode, where Zimbra provides the mailbox for user “A” at first login.
  2. EAGER mode, where Zimbra will query external AD every certain times (e.g. every hour) and create Zimbra mailboxes for newly created accounts.
  3. MANUAL mode, where a search is performed by the operator in the external source directory for accounts to be auto provisioned, then the account(s) to be auto-provisioned are selected.

Our advice, however, is to use the EAGER mode, which is more stable and reliable. You can learn more about how these three modes work in the file: “ /opt/zimbra/docs/autoprov.txt/

Configuration

From the left panel, select “Configure -> Domains”. In the list of domains, you need to select the one that you are going to use in conjunction with Active Directory and, by clicking on it with the right mouse button, select “Configure Authentication“. After that, the external LDAP configuration dialog will appear on the screen.
On the Authentification Mode page, select the “External Active Directory” item, and then on the Authentification Settings page, enter information about the server with Active Directory. You will need to enter the domain name, server ip-address and port through which you access AD. You can leave the next page called LDAP Bind blank.

Import

In the Authentification Config Summary window, you can check the success of the Zimbra connection to Active Directory by entering the correct login / password pair of any user. If the connection is successful, Zimbra will independently calculate the Bind DN for this user. You can then leave the External Group Settings and Domain Configuration Complete pages unchanged. 

Now that the process of integration between Zimbra and Active Directory is completed, all we have to do is to create existing users from AD in Zimbra to successfully import data from one system to another

Auto-Provisioning

With a small number of accounts, you can create users manually, but if there are really a lot of accounts, it would be best to automate this process using the Zimbra Auto-provisioning function. To do this, we need to go to the Zimbra server and create a file  /tmp/srv/autoprovisioning.txt with the following content:

md sample.com zimbraAutoProvAccountNameMap "samAccountName"
md sample.com +zimbraAutoProvAttrMap description=<description>
md sample.com +zimbraAutoProvAttrMap displayName=<displayName>
md sample.com +zimbraAutoProvAttrMap givenName=<givenName>
md sample.com +zimbraAutoProvAttrMap cn=cn
md sample.com +zimbraAutoProvAttrMap sn=sn
md sample.com zimbraAutoProvAuthMech LDAP
md sample.com zimbraAutoProvBatchSize 50
md sample.com zimbraAutoProvLdapAdminBindDn "CN=Administrator,CN=Users,DC=sample,DC=com"
md sample.com zimbraAutoProvLdapAdminBindPassword secret
md sample.com zimbraAutoProvLdapBindDn "Admin@sample.com"
md sample.com zimbraAutoProvLdapSearchBase "CN=Users,dc=sample,dc=com"
md sample.com zimbraAutoProvLdapSearchFilter "(cn=%u)"
md sample.com zimbraAutoProvLdapURL "ldap://192.168.1.101:389"
md sample.com zimbraAutoProvMode EAGER
md sample.com zimbraAutoProvNotificationBody "Account successfully auto-provisioned. The email address is ${ACCOUNT_ADDRESS}."
md sample.com zimbraAutoProvNotificationFromAddress prov-admin@sample.com
md sample.com zimbraAutoProvNotificationSubject "Auto-provisioned Account"
ms server.sample.com zimbraAutoProvPollingInterval "1h"
ms server.sample.com +zimbraAutoProvScheduledDomains "sample.com"

Then you must execute it:

su - zimbra
zmprov </tmp/srv/autoprovisioning.txt

With this configuration, Zimbra OSE will automatically pick up accounts on the Active Directory server every hour and create accounts of the same name on the Zimbra server. 

Note that in some cases, for the autotuning to work correctly, you may need to change the port number from 389 to 3268.

After completing all these steps, your users will be able to log into their mail on the server with Zimbra using a login / password pair from AD, which will greatly simplify the management of the IT infrastructure of the enterprise.

Download Zextras Suite for Zimbra OSE
0 4054
 Admin Guide Configuration Zimbra OSE

Post your comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.

How to transfer mail from your mail server to Zimbra? | Zimbra
Improve the security using Zextras 2FA | Zimbra