provisioning.adoc

Provisioning User Accounts

When an account is provisioned, you create the mailbox, assign the primary account email address, and assign a class of service (COS) to enable {product-name} applications and features.

You can configure one account at a time or migrate multiple existing accounts from a server.

Creating a Single User Account

Before adding a user account, determine which features and access privileges should be assigned. You can either assign a class of service (COS) with the features enabled when you create the account or you can configure the features for the individual accounts. For a description of the features, see Class of Service and Accounts.

If the COS you assign has the correct functionality for the account, you do not need to perform any additional configuration.

Creating an account sets up the appropriate entries on the Zimbra LDAP directory server. When the user logs in for the first time or when an email is delivered to the user’s account, the mailbox is created on the mailbox server.

Admin Console

For basic user account setup:

Home > Add Accounts > click Add Account

  1. In the Account Name section, enter the account name and the last name as a minimum to configure the account.

    The default COS is assigned to the account.

  2. Click Finish to create the account.

You can continue to configure features and functionality for the individual account. Changes you make to the account override the COS that is assigned to the account.

Migrating Accounts and Importing Account Email

You can provision multiple accounts at one time using the Account Migration Wizard from the Administration Console. You can import accounts from either a generic IMAP server or from another {product-abbrev} server.

Note
Only accounts on {product-abbrev} 7.2 or later can be migrated to {product-abbrev} 8.0.

You can also import account names to provision from an XML file that you create.

Note
To migrate from other types of server, see the {product-abbrev} Migration Guides for Exchange and for Lotus Domino servers.

You can run the migration wizard one time to provision accounts and import data or you can run the migration wizard the first time to provision the accounts and then run the wizard again to import the provisioned accounts' data.

Whether you get the account records from an LDAP directory or use an XML file, you need to set the password requirements for the newly provisioned accounts. The options are to have {product-abbrev} randomly create passwords for each account or to set the same password on each account. You have the option to force users to change the password when they sign in the first time.

When the provisioning is complete, the wizard generates a .csv file with a list of new accounts. This includes the passwords that are generated. You should download this file for future reference. Choose a secure location to store the file as it can contain password information for the user accounts you provisioned.

If you are running a split domain configuration, you can set the SMTP host and port in the wizard. For more information about split domains, see the wiki article about split domains at http://wiki.zimbra.com/wiki/Split_Domain.

Migrating Accounts from a Zimbra Server

Admin Console

To migrate accounts from a server running {product-abbrev} 7.2.0 or later to {product-abbrev} 8.0:

Home > Add Accounts > click Migration and Co-existence.

  1. In the Type of mail server field, select {product-name}.

  2. If you are provisioning accounts, select Yes to import the account’s records. If you are not going to import the data at this time, in the Would you like to import mail menu, select No.

  3. Click Next.

  4. On the Overview dialog, Import from another Zimbra LDAP directory is selected. Click Next.

  5. On the Bulk provisioning options page, select whether to generate random passwords or to assign the same password for each account.

    Table 1. Bulk Provisioning Features
    Bulk Provisioning Feature Description

    Generate random password

    If you select Generate a random password for each account, set the length for the password. The password can be from 6 to 64 characters.

    Default = 8 characters

    If you select to generate a random password, you must download the .csv file that is created so that you can give the password information to each user.

    Use same password

    If you select Use same password for all new accounts, enter the password to use.

    Require users to change password after first login

    It is recommended that this is checked to force users to change their passwords when they log on the first time.

    SMTP Host / SMTP Port

    For split domain configurations, set the SMTP Host name and port.

  6. Click Next.

  7. On the Directory connection dialog enter the information to connect to the server.

    Table 2. Directory Connection Options
    Directory Connection Options Description

    Automatically create missing domains

    Enable this option to create a domain when an imported account's domain does not yet exist on the server.

    If you do not enable this, accounts from domains that do not exist on the server are not created. Disabling this option makes it easy to import accounts from specific domains that have been pre-created.

    Maximum records to fetch

    Enter the maximum number of accounts to import at one time. The default is 0, which means that no limits are set.

    Server name, LDAP URL, Port, and Use of SSL

    • The LDAP URL is entered as ldap://<ldapdirectory.example.com>.

    • The default port is 389, but you can change this.

    • Check SSL if this is used.

    Bind DN

    The Zimbra setting is in the field by default as uid=zimbra,cn=admins,cn=zimbra

    Bind password

    Enter the password for the server.

    LDAP filter

    In this field enter the LDAP search filter to run. Here you can define search criteria to collect the type of account information you want to import. The default filter in the field is (objectclass=zimbraAccount). This filter includes the email address, the account ID, and attributes for the account.

    LDAP search base

    Configure the subsections of the LDAP forest to search.

  8. Click Next.

    The Account Migration Wizard connects to the directory server and generates a report showing the number of domains found, the number of accounts found on the server, and how many of those accounts are already created on {product-abbrev}. This dialog also shows the password options you configured.

  9. Review the report generated and then click Next. The accounts are provisioned on the {product-name} server.

  10. Download the .csv file that lists the provisioned accounts and their passwords. The .csv file is deleted when you close the wizard. If you do not download the file, you cannot access the report later.

Migrating Accounts from Generic IMAP Servers

Admin Console

Use steps in this section to provision accounts on the Zimbra server.

Home > Add Accounts > click Migration and Co-existence.

  1. In the Type of mail server field, select Generic IMAP Server.

  2. If you are provisioning accounts, select Yes to import the account’s records. If you are not going to import the data at this time, in the Would you like to import mail menu, select No.

  3. Click Next.

  4. On the Overview dialog, Import from another LDAP directory is selected. Click Next.

  5. On the Bulk provisioning options page, select whether to generate random passwords or to assign the same password for each account.

    Table 3. Bulk Provisioning Features
    Bulk Provisioning Feature Description

    Generate random password

    If you select Generate a random password for each account, set the length for the password. The password can be from 6 to 64 characters.

    Default = 8 characters

    If you select to generate a random password, you must download the .csv file that is created so that you can give the password information to each user.

    Use same password

    If you select Use same password for all new accounts, enter the password to use.

    Require users to change password after first login

    It is recommended that this is checked to force users to change their passwords when they log on the first time.

    SMTP Host / SMTP Port

    For split domain configurations, set the SMTP Host name and port.

  6. Click Next.

  7. On the Directory connection dialog enter the information to connect to the server.

    Table 4. Directory Connection Options
    Directory Connection Options Description

    Automatically create missing domains

    Enable this option to create a domain when an imported account's domain does not yet exist on the server.

    If you do not enable this, accounts from domains that do not exist on the server are not created. Disabling this option makes it easy to import accounts from specific domains that have been pre-created.

    Maximum records to fetch

    Enter the maximum number of accounts to import at one time. The default is 0, which means that no limits are set.

    Server name, LDAP URL, Port, and Use of SSL

    • The LDAP URL is entered as ldap://<ldapdirectory.example.com>.

    • The default port is 389, but you can change this.

    • Check SSL if this is used.

    Bind DN

    The Zimbra setting is in the field by default as uid=zimbra,cn=admins,cn=zimbra

    Bind password

    Enter the password for the server.

    LDAP filter

    In this field enter the LDAP search filter to run. Here you can define search criteria to collect the type of account information you want to import. The default filter in the field is (objectclass=zimbraAccount). This filter includes the email address, the account ID, and attributes for the account.

    LDAP search base

    Configure the subsections of the LDAP forest to search.

  8. Click Next.

    The Migration Wizard connects to the directory server and generates a report showing the number of domains found, the number of accounts found on the server, and how many of those accounts are already created on {product-abbrev}. This dialog also shows the password options you configured.

  9. Review the report generated and then click Next. The accounts are provisioned on the {product-name} server.

  10. Download the .csv file that lists the provisioned accounts and their passwords. The .csv file is deleted when you close the wizard. If you do not download the file, you cannot access the report later.

Migrating Accounts using an XML File

Admin Console

Use steps in this section to create an XML file with the account information and save it to a computer you can access.

Home > Add Accounts > click Migration and Co-existence.

  1. In the Type of mail server field, select the type of server you are migrating from.

  2. If you are provisioning accounts, select Yes to import the account’s records. If you are not going to import the data at this time, in the Would you like to import mail menu, select No.

  3. Click Next.

  4. On the Overview dialog, select Import from an XML file.

  5. Click Next.

  6. The Review options dialog displays the number of domains, the number of accounts, and the password options configured in the XML file.

  7. If this information is correct, click Next. If this information is not correct, fix your XML file before proceeding.

    If you clicked Next, the accounts are provisioned on the {product-name} server.

  8. Download the .csv file that lists the provisioned accounts and their passwords. The .csv file is deleted when you close the wizard. If you do not download the file, you cannot access the report later.

Importing Email for Selected Accounts

Admin Console

Use steps in this section to specify the list of accounts whose mail you want to import by either selecting the accounts to import data or by using an XML file to select the accounts.

Note
Ensure that accounts are provisioned on the {product-abbrev} server before attempting this procedure.

Home > Add Accounts > click Migration and Co-existence.

  1. In the Type of mail server field, select the type of server you are importing the data from.

  2. In the Would you like to import account records menu, select No.

  3. In the Would you like to import mail menu, select Yes.

  4. Click Next.

  5. On the Import options dialog box, select which way you are going to specify the accounts whose mail is being imported.

  6. Click Next.

    If you are selecting accounts, go to step 7. If you are using an XML file go to step 9.

  7. If you are selecting the accounts to import, on the Selected Accounts dialog box, search for the accounts to add. You can search by domain or user name. If you click Search without entering text, all accounts are returned.

    Add the accounts to the Accounts for data import column.

  8. Click Next.

  9. If you are using an XML file with the accounts listed, browse to the XML file to use.

  10. Click Next.

  11. In the IMAP Connection details dialog box, enter the information necessary to connect to the exporting server’s IMAP. This includes the IMAP host name, port, and administrator login information.

  12. Click Next.

  13. Review the data import options. If the information is correct, click Next.

XML File Examples

This section contains three examples of the XML file structure to provision accounts and import data.

Example 1. Using an XML file to provision accounts

The following example shows an XML file that is used to provision multiple email accounts without importing mail:

<?xml version="1.0" encoding="UTF-8"?>
<ZCSImport>
  <ImportUsers>
    <User>
      <sn>Sample</sn>
      <givenName>Sam</givenName>
      <displayName>Sam Sample</displayName>
      <RemoteEmailAddress>[email protected]</RemoteEmailAddress>
      <password>test123</password>
      <zimbraPasswordMustChange>TRUE</zimbraPasswordMustChange>
    </User>
    <User>
      <sn>Zackry</sn>
      <givenName>Zak</givenName>
      <displayName>Zak Zackry</displayName>
      <RemoteEmailAddress>[email protected]</RemoteEmailAddress>
      <password>test123</password>
      <zimbraPasswordMustChange>TRUE</zimbraPasswordMustChange>
    </User>
  </ImportUsers>
</ZCSImport>

Example 2. Using an XML file to provision accounts from externally hosted domains

The following example shows an XML file that is used to provision multiple email accounts for an externally hosted domain without importing mail.

In this example, the zimbraMailTransport attribute of newly provisioned accounts will be set to point to an external SMTP server instead of the {product-abbrev} server.

<?xml version="1.0" encoding="UTF-8"?>
<ZCSImport>
  <SMTPHost>smtp.example.com</SMTPHost>
  <SMTPPort>25</SMTPPort>
  <ImportUsers>
    <User>
      <sn>Sample</sn>
      <givenName>Sam</givenName>
      <displayName>Sam Sample</displayName>
      <RemoteEmailAddress>[email protected]</RemoteEmailAddress>
    </User>
    <User>
      <sn>Zackry</sn>
      <givenName>Zak</givenName>
      <displayName>Zak Zackry</displayName>
      <RemoteEmailAddress>[email protected]</RemoteEmailAddress>
    </User>
  </ImportUsers>
</ZCSImport>

Example 3. Using an XML file to import email

The following example shows an XML file that is used to import email for one account via IMAP from a Gmail account without provisioning the email account in {product-abbrev}. The account must be provisioned on {product-abbrev} before running this type of XML file.

<?xml version="1.0" encoding="UTF-8"?>
<ZCSImport>
  <IMAPHost>imap.gmail.com</IMAPHost>
  <IMAPPort>993</IMAPPort>
  <ConnectionType>ssl</ConnectionType>
  <UseAdminLogin>0</UseAdminLogin>
  <ImportUsers>
    <User>
      <sn>Sample</sn>
      <givenName>Sam</givenName>
      <displayName>Sam Sample</displayName>
      <RemoteEmailAddress>[email protected]</RemoteEmailAddress>
      <RemoteIMAPLogin>[email protected]</RemoteIMAPLogin>
      <remoteIMAPPassword>test123</remoteIMAPPassword>
    </User>
  </ImportUsers>
</ZCSImport>
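
A pre-flight check for provisioning files shaped like Example 1, added here as an illustration and not part of the original guide or of {product-abbrev}. It flags short or shared passwords and accounts without zimbraPasswordMustChange, then rewrites the file with a random password per account. The function names, sample addresses, the 8-character threshold (the wizard's default generated length) and the 16-character generated length are assumptions.

```python
import secrets
import string
import xml.etree.ElementTree as ET
from collections import Counter

ALPHABET = string.ascii_letters + string.digits

# Constructed sample in the shape of Example 1; the addresses are made up.
SAMPLE = """<?xml version="1.0" encoding="UTF-8"?>
<ZCSImport>
  <ImportUsers>
    <User>
      <sn>Sample</sn>
      <givenName>Sam</givenName>
      <displayName>Sam Sample</displayName>
      <RemoteEmailAddress>sam@example.test</RemoteEmailAddress>
      <password>test123</password>
      <zimbraPasswordMustChange>TRUE</zimbraPasswordMustChange>
    </User>
    <User>
      <sn>Zackry</sn>
      <givenName>Zak</givenName>
      <displayName>Zak Zackry</displayName>
      <RemoteEmailAddress>zak@example.test</RemoteEmailAddress>
      <password>test123</password>
    </User>
  </ImportUsers>
</ZCSImport>
"""


def _users(xml_text):
    """Parse the file and return (root, list of <User> elements)."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    return root, root.findall("./ImportUsers/User")


def lint_import(xml_text, min_len=8):
    """Return findings about the passwords in a ZCSImport provisioning file."""
    _, users = _users(xml_text)
    counts = Counter(u.findtext("password") for u in users if u.findtext("password"))
    findings = []
    for u in users:
        who = u.findtext("RemoteEmailAddress", default="(no address)")
        pw = u.findtext("password")
        if not pw:
            continue  # no password in the file, as in Example 2
        if len(pw) < min_len:
            findings.append(f"{who}: password shorter than {min_len} characters")
        if counts[pw] > 1:
            findings.append(f"{who}: password shared with {counts[pw] - 1} other account(s)")
        must_change = (u.findtext("zimbraPasswordMustChange") or "").strip().upper()
        if must_change != "TRUE":
            findings.append(f"{who}: zimbraPasswordMustChange is not TRUE")
    return findings


def randomize_passwords(xml_text, length=16):
    """Give every account that has a <password> its own random one and require
    a change at first login. Returns (new_xml, {address: password})."""
    root, users = _users(xml_text)
    issued = {}
    for u in users:
        pw_el = u.find("password")
        if pw_el is None:
            continue  # leave accounts without a password element untouched
        pw_el.text = "".join(secrets.choice(ALPHABET) for _ in range(length))
        must = u.find("zimbraPasswordMustChange")
        if must is None:
            must = ET.SubElement(u, "zimbraPasswordMustChange")
        must.text = "TRUE"
        issued[u.findtext("RemoteEmailAddress", default="(no address)")] = pw_el.text
    return ET.tostring(root, encoding="unicode"), issued


if __name__ == "__main__":
    for finding in lint_import(SAMPLE):
        print("before:", finding)
    fixed_xml, issued = randomize_passwords(SAMPLE)
    print("after :", lint_import(fixed_xml) or "no findings")
    print("accounts re-issued:", sorted(issued))
```

The rewritten file and the returned mapping still hold cleartext passwords, so the storage advice given for the wizard's .csv file applies to them as well.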

Auto Provisioning New Accounts from External LDAP

Auto provisioning of new accounts from external LDAP is supported via the CLI. This section describes the supported CLI attributes and auto provisioning methods.

Overview

When an external LDAP authentication mechanism - such as external LDAP authentication, preauth, or SPNEGO - is configured for a {product-abbrev} domain, you can set up {product-abbrev} to automatically create user accounts on {product-abbrev}. Primary email address and account attributes are mapped from an external directory. You can configure how and when new accounts should be created from the external directory data.

Three modes are supported for auto-provisioning configuration.

Mode Description

Eager

{product-abbrev} polls the external directory for accounts to auto provision. For this mode, you configure how often the external directory is polled for new users, the maximum number of users to process at each interval, and which domains are scheduled for account auto provision on specified servers.

Guidelines are provided in Eager Mode Configuration.

Lazy

If a user logs into ZWC the first time through one of the authentication mechanisms supported for auto provisioning, and if the user does not exist in the {product-abbrev} directory, a new account is automatically created in {product-abbrev} for this user.

Guidelines are provided in Lazy Mode Configuration.

Manual

Auto provisioning does not occur; instead, the administrator manually searches from the configured external auto-provisioning LDAP source and selects an entry from the search result to create the corresponding Zimbra account for the external entry.

Guidelines are provided in Manual Mode Configuration.

When an account is created, the account name (consisting of the characters alongside the @ symbol) is mapped from a user attribute on the external directory that you define in zimbraAutoProvAccountNameMap. Other account information, such as first and last name, phone numbers, and address, is populated from the attributes mapped from the external directory based on zimbraAutoProvAttrMap. You can review the external directory’s attributes to determine those that should be mapped to a Zimbra attribute.

The COS assignment for auto-provisioned accounts is identical to the way that COS is determined for manually provisioned accounts:

  • If a COS is defined for the domain, this COS is assigned to the accounts that are created.

  • If a domain COS is not defined, the {product-abbrev} default COS is assigned.

You can configure a Welcome email message to be sent to newly created accounts. The subject and body of this email can be configured with AutoProvNotification* attributes on the domain.

Auto-Provisioning Attributes

The attributes listed in this section can be used with the zmprov command to configure auto provisioning of new accounts with an external LDAP directory.

zimbraAutoProvMode

Set auto provision mode as either EAGER, LAZY, and/or MANUAL. Multiple auto-provisioning modes can be enabled on a domain.

zimbraAutoProvAuthMech

Set type of authentication mechanism - as either LDAP, PREAUTH, KRB5, or SPNEGO - to enable for LAZY mode. Once a user authenticates via the specified authentication mechanism, and if the user account does not yet exist in the Zimbra directory, an account will be automatically created in the Zimbra directory.

zimbraAutoProvLdapURL

Set the LDAP URL of the external LDAP source for auto provisioning.

zimbraAutoProvLdapStartTlsEnabled

Enable (TRUE) or disable (FALSE) the StartTLS protocol when accessing the external LDAP server for auto provisioning.

Default = FALSE.

zimbraAutoProvLdapAdminBindDn

Defines the LDAP search bind DN for auto provisioning.

zimbraAutoProvLdapAdminBindPassword

Set the LDAP search admin bind password for auto provisioning.

zimbraAutoProvLdapSearchBase

Set the LDAP search base for auto provisioning, used in conjunction with zimbraAutoProvLdapSearchFilter.

If not set, LDAP root DSE will be used.

zimbraAutoProvLdapSearchFilter

Defines the LDAP search filter template for account auto provisioning. For LAZY mode, either zimbraAutoProvLdapSearchFilter or zimbraAutoProvLdapBindDn must be set.

If both are set, zimbraAutoProvLdapSearchFilter will take precedence. See Place Holders for supported placeholders.

zimbraAutoProvLdapBindDn

Defines the LDAP external DN template for account auto provisioning. For LAZY mode, either zimbraAutoProvLdapSearchFilter or zimbraAutoProvLdapBindDn must be set.

If both are set, zimbraAutoProvLdapSearchFilter will take precedence. See Place Holders for supported placeholders.

zimbraAutoProvAccountNameMap

Defines the attribute name in the external directory that contains the local part of the account name. This is the name used to create the Zimbra account. If this is not specified, the local part of the account name is the principal user used to authenticate to Zimbra.

zimbraAutoProvAttrMap

Defines the attribute map for mapping attribute values from the external entry to Zimbra account attributes. Values are in the format of {external attribute}={zimbra attribute}. If this is not set, no attributes from the external directory are populated in the Zimbra account.

Important

Invalid mapping configuration will cause the account creation to fail. Bad mapping may be due to conditions such as:

  • Invalid external attribute name.

  • Invalid Zimbra attribute name.

  • External attribute contains multiple values; the Zimbra attribute contains only a single value.

  • Syntax violation (such as external attribute=string, but Zimbra attribute=integer).

zimbraAutoProvNotificationFromAddress

Defines the email address to put in the From header for the Welcome email sent to the newly created account. If not set, no notification email is sent to the newly created account.

zimbraAutoProvNotificationSubject

Template used to construct the subject of the notification message sent to the user when the user’s account is auto provisioned.

Supported variables: ${ACCOUNT_ADDRESS}, ${ACCOUNT_DISPLAY_NAME}

zimbraAutoProvNotificationBody

Template used to construct the body of the notification message sent to the user when the user’s account is auto provisioned.

Supported variables: ${ACCOUNT_ADDRESS}, ${ACCOUNT_DISPLAY_NAME}

zimbraAutoProvListenerClass

Domain setting to define the class name of the auto provision listener. The class must implement the com.zimbra.cs.account.Account.AutoProvisionListener interface. The singleton listener instance is invoked after each account is auto created in Zimbra. The listener can be plugged in as a server extension to handle tasks like updating the account auto provision status in the external LDAP directory.

At each eager provision interval, {product-abbrev} does an LDAP search based on the value configured in zimbraAutoProvLdapSearchFilter. Returned entries from this search are candidates to be auto provisioned in this batch. The zimbraAutoProvLdapSearchFilter should include an assertion that only matches entries in the external directory that have not yet been provisioned in {product-abbrev}; otherwise, the same entries are likely to be repeatedly pulled in to {product-abbrev}.

After an account is auto provisioned in {product-abbrev}, com.zimbra.cs.account.Account.AutoProvisionListener.postCreate(Domain domain, Account acct, String externalDN) is called by the auto provisioning framework. Customers can implement the AutoProvisionListener interface in a {product-abbrev} server extension so that their AutoProvisionListener.postCreate() is called. The customer's postCreate implementation can, for example, set an attribute in the external directory on the account just provisioned in {product-abbrev}. That attribute can be included as a condition in the zimbraAutoProvLdapSearchFilter, so the entry is not returned again by the LDAP search in the next interval.

zimbraAutoProvBatchSize

Domain | Global setting to define the maximum number of accounts to process in each interval for EAGER auto provision.

zimbraAutoProvScheduledDomains

Server attribute that lists the domains scheduled for EAGER auto provision on this server. Scheduled domains must have EAGER mode enabled in zimbraAutoProvMode. Multiple domains can be scheduled on a server for EAGER auto provision. Also, a domain can be scheduled on multiple servers for EAGER auto provision.

zimbraAutoProvPollingInterval

Domain | Global setting to define the interval between successive polling and provisioning accounts in EAGER mode. The actual interval might take longer since it can be affected by two other factors: zimbraAutoProvBatchSize and number of domains configured in zimbraAutoProvScheduledDomains.

At each interval, the auto provision thread iterates through all domains in zimbraAutoProvScheduledDomains and auto creates accounts up to domain.zimbraAutoProvBatchSize. If that process takes longer than zimbraAutoProvPollingInterval, then the next iteration starts immediately instead of waiting for zimbraAutoProvPollingInterval amount of time.

  • If set to 0 when server starts up, the auto provision thread will not start.

  • If changed from a non-0 value to 0 while server is running, the auto provision thread will be shut down.

  • If changed from 0 to a non-0 value while server is running, the auto provision thread will be started.

Place holders

Table 22: Place holders for use with auto provisioning attributes

Tag | Description | Result
%n | User name and the @ symbol | This returns user1@domain.com
%u | User name without the @ symbol | This returns user1.
%d | Domain | This returns domain.com
%D | Domain as dc | This returns domain,dc=com

Eager Mode Configuration

CLI

With Eager mode, {product-abbrev} polls the external directory for accounts to auto provision. You configure how often the external directory is polled for new users, the maximum number of users to process at each interval, and the domains to be scheduled for account auto-provisioning on specified servers.

  1. Log in to the {product-abbrev} server as zimbra and type zmprov at the command prompt.

  2. Enable EAGER mode on the domain.

    md <domain.com> zimbraAutoProvMode EAGER
  3. Set the maximum number of accounts to process in each interval

    md <domain.com> zimbraAutoProvBatchSize <#>
  4. Configure the interval (in minutes) between polling and provisioning of accounts. This must be set to a non-0 value for the auto provisioning thread to start.

    Default = 15 minutes.

    ms <server.com> zimbraAutoProvPollingInterval <x minutes>
  5. Select the domains to be scheduled for auto provisioning. Multiple domains can be scheduled on the server.

    A domain can be scheduled on multiple servers.

    ms <server.com> +zimbraAutoProvScheduledDomains <domain1.com> +zimbraAutoProvScheduledDomains <domain2.com>
  6. Configure the external LDAP settings:

    1. LDAP URL

      md <domain.com> zimbraAutoProvLdapURL "ldap://xxx.xxx.xxx.xxx:<port>"

      The LDAP port is typically 389.

    2. (Optional) Enable StartTls.

      md <domain.com> zimbraAutoProvLdapStartTlsEnabled TRUE
    3. LDAP admin bind DN for auto provision:

      md <domain.com> zimbraAutoProvLdapAdminBindDn "cn=admin, dc=autoprov, dc=company, dc=com"
    4. Administrator’s LDAP search bind password for auto provision.

      md <example.com> zimbraAutoProvLdapAdminBindPassword <password>
    5. Search template to use when searching for users to auto provision.

      Example using the LDAP search filter:

      md <domain.com> zimbraAutoProvLdapSearchFilter "(uid=<%placeholder>)"

      Refer to Place Holders for supported placeholders.

    6. LDAP search base for auto provisioning

      This is the location in the directory from which the LDAP search begins. This is used with zimbraAutoProvLdapSearchFilter. If this is not set, the LDAP directory root, rootDSE, is the starting point.

      md <domain.com> zimbraAutoProvLdapSearchBase <"location">

      md <domain.com> zimbraAutoProvLdapBindDn <"placeholder1">

      Refer to Place Holders for supported placeholders.

  7. (Optional) Define the attribute name that is mapped to the local part of the account name on the external directory. This is used to define the account name on {product-abbrev}. If this is not specified, the local part of the account name is the principal user name used to authenticate to {product-abbrev}.

    md <domain.com> zimbraAutoProvAccountNameMap <value>
  8. (Optional) Map the attribute values from the external entry to the {product-abbrev} account attributes. If this is not set up, no attributes from the external directory are populated in the {product-abbrev} directory. The value is mapped in the form of {external attribute}={zimbra attribute}.

    Important
    Invalid mapping configuration will cause the account creation to fail.

    To map the "sn" value on the external entry to "displayName" on the Zimbra account and map description value on the external entry to description on the {product-abbrev} account, type

    md <domain.com> +zimbraAutoProvAttrMap sn=displayName +zimbraAutoProvAttrMap description=description
  9. (Optional) If you want to send a Welcome email to new accounts, enter the from address of the originator.

    md <domain.com> zimbraAutoProvNotificationFromAddress <[email protected]>
  10. To exit zmprov, type

    exit

Lazy Mode Configuration

CLI

Lazy mode auto provisioning automatically creates a new account after a user authenticates through an external authentication mechanism (LDAP, preauth, Kerberos 5, and/or SPNEGO).

  1. Log in to the {product-abbrev} server as zimbra and type zmprov at the command prompt.

  2. Enable LAZY mode:

    md <domain.com> zimbraAutoProvMode LAZY
  3. Select the external authentication mechanism for the LAZY mode: LDAP, PREAUTH, KRB5, SPNEGO. You can specify multiple authentication mechanisms.

    md <example.com> zimbraAutoProvAuthMech <type> +zimbraAutoProvAuthMech <type2>
  4. Configure the external LDAP settings

    1. LDAP URL:

      md <domain.com> zimbraAutoProvLdapURL "ldap://xxx.xxx.xxx.xxx:<port>"

      The LDAP port is usually 389.

    2. (Optional) Enable StartTls

      md <domain.com> zimbraAutoProvLdapStartTlsEnabled TRUE
    3. LDAP Admin bind DN for auto provision in the format cn=<LDAPadmin_name>, dc=autoprov, dc=<company_name>, dc=<com>

      md <domain.com> zimbraAutoProvLdapAdminBindDn <"bindDN">

      For example, "cn=admin, dc=autoprov, dc=company, dc=com"

    4. Administrator’s LDAP search bind password for auto provision.

      md <example.com> zimbraAutoProvLdapAdminBindPassword <password>
    5. (Optional) Search template to use when searching for users to auto provision.

      Example: using LDAP search filter:

      md <domain.com> zimbraAutoProvLdapSearchFilter <"placeholder">

      Refer to Place Holders for supported placeholders.

      Note
      zimbraAutoProvLdapSearchFilter or zimbraAutoProvLdapBindDn MUST be configured for LAZY mode.
    6. LDAP search base for auto provision. This is the location in the directory from which the LDAP search begins. This is used with zimbraAutoProvLdapSearchFilter. If this is not set, the LDAP directory root, rootDSE, is the starting point.

      md <domain.com> zimbraAutoProvLdapSearchBase <"location">

      For example, "dc=autoprov,dc=company,dc=com"

    7. (Optional) Define the LDAP external DN template for account provisioning.

      md <domain.com> zimbraAutoProvLdapBindDn "uid=%<placeholder1>, %<placeholder2>"

      Refer to Place Holders for supported placeholders.

  5. (Optional) Identify the attribute name on the external entry that contains the local part of the account name to be provisioned in {product-abbrev}. If this is not specified, the local part of the account name is the principal user used to authenticate to {product-abbrev}.

    md <domain.com> zimbraAutoProvAccountNameMap <value>
  6. (Optional) Map the attribute values from the external entry to the {product-abbrev} account attributes. If this is not set up, no attributes from the external directory are populated in the {product-abbrev} directory. Value is in the form of {external attribute}={zimbra attribute}.

    To map the sn value on the external entry to displayName on the {product-abbrev} account, and the description value on the external entry to description on the {product-abbrev} account, type:

    md <domain.com> +zimbraAutoProvAttrMap sn=displayName +zimbraAutoProvAttrMap description=description
  7. (Optional) If you want to send a Welcome email to new accounts, enter the from address of the originator.

    md <domain.com> zimbraAutoProvNotificationFromAddress <from_address>
  8. To exit zmprov, type exit.
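
The rules stated in this procedure can be checked after the fact. The following is an added example, not part of the product documentation: it audits a domain's auto-provisioning attributes for an unencrypted LDAP bind, the LAZY mode requirement, the rootDSE default search base, malformed DNs, and the {external attribute}={zimbra attribute} map form. It assumes input in the `attribute: value` form printed by `zmprov gd <domain>` and reads the server URL from zimbraAutoProvLdapURL; the finding codes and all sample values are constructed.

```python
import re
# Constructed sample, in the "attribute: value" form printed by `zmprov gd <domain>`.
SAMPLE = """\
zimbraAutoProvMode: LAZY
zimbraAutoProvLdapURL: ldap://ldap.example.com:389
zimbraAutoProvLdapStartTlsEnabled: FALSE
zimbraAutoProvLdapAdminBindDn: cn=admin, dc=autoprov, dc=company, dc=com
zimbraAutoProvLdapSearchBase: dc=autoprov,dc=company,dc-com
zimbraAutoProvAttrMap: sn=displayName
zimbraAutoProvAttrMap: description
"""
P = "zimbraAutoProv"
RDN = re.compile(r"^\s*[A-Za-z][A-Za-z0-9-]*\s*=\s*[^=,]+$")  # one attr=value component

def parse(text):  # collect (possibly multi-valued) attributes from 'name: value' lines
    attrs = {}
    for line in text.splitlines():
        if not line.startswith("#") and ": " in line:
            name, value = line.split(": ", 1)
            attrs.setdefault(name.strip(), []).append(value.strip())
    return attrs

def audit(text):  # returns a list of findings; empty means no rule was violated
    a = parse(text)
    first = lambda key: (a.get(P + key) or [""])[0]
    out = []
    # Without StartTLS or ldaps://, the admin bind password is sent in cleartext.
    if first("LdapStartTlsEnabled").upper() != "TRUE" and \
            not first("LdapURL").lower().startswith("ldaps://"):
        out.append("NO_TLS: bind to the external LDAP server is unencrypted")
    # LAZY mode needs a search filter or a bind DN template to locate the user.
    if "LAZY" in a.get(P + "Mode", []) and not (first("LdapSearchFilter") or first("LdapBindDn")):
        out.append("LAZY_UNRESOLVABLE: set LdapSearchFilter or LdapBindDn")
    # A filter with no search base starts at the directory root (rootDSE).
    if first("LdapSearchFilter") and not first("LdapSearchBase"):
        out.append("ROOT_SEARCH: search filter has no LdapSearchBase")
    # Simple DN shape check (escaped commas are not handled): every part is attr=value.
    for key in ("LdapAdminBindDn", "LdapSearchBase"):
        if first(key) and not all(RDN.match(p) for p in first(key).split(",")):
            out.append(f"BAD_DN: {P}{key} = {first(key)}")
    # Attribute maps must read {external attribute}={zimbra attribute}.
    for m in a.get(P + "AttrMap", []):
        ext, sep, zim = m.partition("=")
        if not (sep and ext.strip() and zim.strip()):
            out.append(f"BAD_ATTR_MAP: {m!r} is not external=zimbra")
    return out

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```
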

Manual Mode Configuration

CLI

Use the Manual Mode setting to disable auto provisioning with an external LDAP server.

  1. Log in to the {product-abbrev} server as zimbra and type zmprov at the command prompt.

  2. Enable MANUAL mode:

    md <domain.com> zimbraAutoProvMode MANUAL

Managing Resources

A resource is a location or a piece of equipment that can be scheduled for a meeting. Each meeting room location and each non-location-specific resource, such as AV equipment, is set up as a resource account. The Addresses > Resources section in the Administration Console shows all resources that are configured for {product-name}.

User accounts with the Calendar feature can select these resources for their meetings. The resource accounts automatically accept or reject invitations based on availability.

Administrators do not need to monitor these mailboxes on a regular basis. The contents of the resource mailboxes are purged according to the mail purge policies.

A Resource Wizard guides you through the resource configuration. You can configure the account with the following details about the resource:

  • Type of resource, either location or equipment

  • Scheduling policy

  • Forwarding address to receive a copy of the invite

  • Description of the resource

  • Contact information, which can be a person to contact if there are issues

  • Location information, including room name, specific building location including building and address, and room capacity

  • Customize auto response message and signatures to be used in the reply email messages

When you create a resource account, a directory account is created in the LDAP server.

To schedule a resource, users invite the equipment resource and/or location to a meeting. When they select the resource, they can view the description of the resource, contact information and free/busy status for the resource, if these are set up.

When the meeting invite is sent, an email is sent to the resource account, and, based on the scheduling policy, if the resource is free the meeting is automatically entered in the resource’s calendar and the resource is shown as Busy.

Set Up the Scheduling Policy

The scheduling policy establishes how the resource’s calendar is maintained. The following resource scheduling values can be set up:

  • Auto decline all recurring appointments. This value is enabled when the resource can be scheduled for only one meeting at a time. No recurring appointments can be scheduled for this resource.

  • Auto accept if available, auto-decline on conflict. When this option is selected, the resource account automatically accepts appointments unless the resource is already scheduled. The free/busy times can be viewed. You can modify the auto-decline rule to accept some meetings that conflict.

  • Manual accept, auto decline on conflict. When this option is selected, the resource account automatically declines all appointments that conflict. Appointment requests that do not conflict are marked as tentative in the resource calendar and must be manually accepted. If you set this up, configure the forwarding address so a copy of the invite is sent to the account that can manually accept the invitation. You can modify the auto-decline rule to accept some meetings that conflict.

  • Auto accept always. The resource account automatically accepts all appointments that are scheduled. In this case, free/busy information is not maintained, so more than one meeting could schedule the resource at the same time. Because the resource always accepts the invitation, the suggested use for this policy is a frequently used off-premises location whose address you want included in the invite to attendees.

  • No auto accept or decline. The resource account is manually managed. A delegated user must log into the resource account and accept or decline all requests.

Conflict Rules. For accounts that include the auto decline on conflict value, you can set up a threshold, either as a number of conflicts or as a percentage of all the recurring appointments, to partially accept recurring appointments.

Maximum allowed number of conflicts and/or Maximum allowed percent of conflicts are configured to allow a recurring resource to be scheduled even if it is not available for all the requested recurring appointment dates.

The resource accepts appointments even if there are conflicts, until either the number of conflicts reaches the maximum allowed or the percentage of conflicts reaches the maximum allowed. In order for partial acceptance of a series to work, both fields must be set to nonzero values.

Manage Resource Accounts

You can log on to the resource account and set preferences for the resource. The Resource Accounts Preference > Calendar can be configured to let users manage the Resource’s Calendar. You can configure the following options to manage the resource.

  • An address to forward invites. If the forwarding address was set up when the account was provisioned, you can change the address.

  • Who can use this resource. In the Permissions section, Invites, select Allow only the following internal users to invite me to meetings and add the appropriate users' email addresses to the list.

You can share the resource calendar with a user and give the user Manager rights. Users delegated as Manager have full administrative rights for that calendar. They can view, edit, add, remove, accept or decline the invites.