zimbra/zmldapsync/README.md

# LDAP synchronisation and domain provisioning

This script brings a complete synchronization of user accounts and groups from an external LDAP server.

Zimbra (OSE) supports autoprovisioning, but this feature only takes care of user accounts creation. Several other scripts can be found, but none of them implemented what I needed, so I wrote this one.

The goals are :
  * Do not only provision accounts, but update them if needed (eg : name changed)
  * Support AD, OpenLDAP, or any custom LDAP schema
  * Synchronize LDAP groups into distribution lists in Zimbra, preserving memberships
  * Lock Zimbra accounts when the corresponding LDAP accounts are removed (or not matching the filter anymore)
  * Handle email alias defined in LDAP, and translate them into aliases in Zimbra
  * Allow objects (aliase, distribution list) to be created directly in Zimbra. Objects coming from LDAP are synchronized, including alias previously defined in LDAP which aren't anymore are removed from Zimbra. But aliases defined directly in Zimbra won't be touched. Same is true for distribution lists. So you can mix LDAP defined and Zimbra defined configuration

A few other features are included, like :
  * Creating domains
  * Creating / removing domain aliases
  * Configure domain attributes

All from a simple yaml configuration file

## Configuration

The configuration is stored in a single file in YAML format. The script will look for a config at /opt/zimbra/conf/zmldapsync.yml or the one specified in the --config argument.

The config has two main sections :

  * general : settings which affect all domains, mainly to configure email notifications in case of error
  * domains : list of domain to sync, and the settings for each of them

The general section looks like

```
general:
  notify:
    from: zimbra@example.org
    to: admin@acme-corp.biz
```


Foreach each domain you define, you can configure 4 sections :
  * ldap   : defines where and how to connect to the external LDAP server(s)
  * users  : defines how to search for users in the external LDAP, and which attributes will be mapped to which ones in Zimbra
  * groups : defines how to search for groups in external LDAP, and which attributes will be mapped to which ones in Zimbra
  * zimbra : defines some settings about how the script should behave for this domain (eg, should it create the domain if missing, should it autoconfigure external authentication etc.)

In most case, the configuration can be minimal, as defaults values are provided. You just have to set the LDAP server, bind DN and password (if applicable), and the schema. The schema can be ad, rfc2307 or rfc2307bis. If one of these schema is specified, adapted defaults values will be used

Here are some examples of domains definition :

```
domains:
  # A simple example, against an AD style directory
  # Note that this example has no groups definition, and so,
  # groups won't be synchronized to distribution lists
  acme-corp.biz:
    ldap:
      servers:
        - ldap://dc1.acme-corp.biz:389
        - ldap://dc2.acme-corp.biz:389
      start_tls: True
      bind_dn: CN=Zimbra,CN=Users,DC=acme-corp,DC=biz
      bind_pass: 'Sup3rS3cret.P@ssPhr4se'
      schema: ad
    users:
      base: OU=CN=Users,DC=acme-corp,DC=biz

  # Another simple example, against OpenLDAP using rfc2307bis schema
  corp2.com:
    ldap:
      servers:
        - ldap://ldap.corp2.com
      schema: rfc2307bis
    users:
      base: ou=people,dc=corp2,dc=com
      filter: '(memberOf=cn=mail_users,ou=Groups,dc=corp2,dc=com)'
    groups:
      base: ou=groups,dc=corp2,dc=com

  # A more complete example, which shows all the available settings, with their meaning
  corp3.net:
    ldap:
      # List of LDAP servers to try (in order)
      servers:
        - ldap://ldap1.corp3.net:389
        - ldap://ldap3.corp3.net:389
      # Use starttls. Do NOT set this if using ldaps:// URI
      start_tls: True
      # Optional bind DN and bind password for searches
      bind_dn: CN=Zimbra,OU=Apps,DC=corp3,DC=net
      bind_pass: 'p@ssw0rd'
      # the schema used. Can be ad, rfc2307, rfc2307bis or simply ldap.
      # ad, rfc2307 and rfc2307bis provides default values for attribute mapping. ldap is when you want
      # a total control, and you'll have to configure the mapping yourself
      schema: ad
    users:
      # Base DN where to look for users
      base: OU=People,DC=corp3,DC=net
      # Filter to look for users. Note that this filter exclude locked user in AD. So if you lock it in AD it'll correctly be locked in Zimbra
      filter: '(&(objectClass=user)(!(useraccountcontrol:1.2.840.113556.1.4.803:=2))(memberOf:1.2.840.113556.1.4.1941:=CN=Role_Mail,OU=Roles,DC=corp3,DC=net)(mail=*))'
      # The attribute which uniquely identify a user. Usually either uid or sAMAccountName
      # This attribute will be used as the user name in Zimbra (with the domain appended)
      key: sAMAccountName
      # The attribute for the main email address
      mail_attr: mail
      # The attribute for email aliases
      alias_attr: otherMailbox
      # A dict of attributes to map from external LDAP to Zimbra.
      # The format is ext_attr: zimbra_attr
      attr_map:
        displayName: displayName
        description: description
        cn: cn
        sn: sn
        givenName: givenName
        telephoneNumber: telephoneNumber
        homePhone: homePhone
        mobile: mobile
        streetAddress: street
        l: l
        st: st
        co: co
        title: title
        company: company
    groups:
      # The base DN where to look for groups
      base: OU=Groups,DC=corp3,DC=net
      # An optional filter to apply to group searches
      filter: (objectClass=group)
      # The atribute which uniquely identify a group. Usually cn
      # This attribute will be used as the distribution list name in Zimbra (with the domain appended)
      key: cn
      # The attribute which lists the group members
      members_attr: member
      # Are the members listed as full DN, or simply usernames (like memberUid with posixGroups)
      members_as_dn: True
      # The attribute for the main email address
      mail_attr: mail
      # The attribute for email aliases
      alias_attr: null
      # A dict of attributes to map from external LDAP to Zimbra.
      # The format is ext_attr: zimbra_attr
      attr_map:
        displayName: displayName
        description: description
    zimbra:
      # Should zmldapsync create the domain if missing ?
      create_if_missing: False
      # If the domain exists in Zimbra but is not configured
      # for external auth (either LDAP or AD), should this script configure it ?
      setup_ldap_auth: True
      # If defined, domain aliases will be added to / removed from Zimbra according to this list
      domain_aliases:
        - mail.corp2.com
        - corp4.net
      # A list of attr which will be set using zmprov modifyDomain. The key is the Zimbra attr in LDAP, as you can get/set with zmprov
      additional_domain_attrs:
        zimbraVirtualHostname:
          - zm.corp.com
          - mail.corp2.com
        zimbraPublicServicePort: 443
        zimbraPublicServiceProtocol: https
        zimbraPublicServiceHostname: mail.corp2.com
```

## Command line

Once a configuration file is ready, the script can be called with the following command line arguments :

  * --config : path to the config file (defaults to /opt/zimbra/conf/zmldapsync.yml)
  * --quiet : will not print anything except errors
  * --verbose : prints aditional info during the sync
  * --dry-run : do not apply the changes. Can be used with --verbose to see what would be done