
Automating creation of account through LDAP/AD authentication
At the time of writing this post there is no native support in ZCS for creating mailboxes for externally authenticated users. Some Zimbra support companies, such as 01.com, offer their own proprietary software for this, for which you have to pay.
While googling, the following Python script was found on the Edugeek Wiki. Direct link to the wiki page: http://www.edugeek.net/wiki/index.php/Zimbra_autocreate_accounts_with_Active_Directory_or_LDAP
The accounts are created automatically from Active Directory. There are a couple of pre-requisites for the way we do it:
1) the username must be ‘sensible’ – no apostrophes, dashes etc, otherwise my scripts break
2) the student's employeeType must be set to STUDENT in Active Directory
3) you have an LDAP bind account
4) the account is enabled
5) there is a ‘banned’ group – and the student isn’t in it
6) you need to read the script really
I run this from cron.daily
#!/bin/sh
/usr/bin/python /usr/local/sbin/zimbra.py | mail -s "Zimbra account creation" admin@email.address.com

Edit this and copy it to /usr/local/sbin/zimbra.py (the script is Python 2 and needs the python-ldap module):

#!/usr/bin/python
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; GPLv3
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# To obtain a copy of the GNU General Public License, write to the Free Software Foundation,
# Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
#
#--------------------------------------------------------------------------------------------------
# Notes:
# This script automatically creates zimbra accounts from active directory; the active directory account must have
# the employeeType=STUDENT attribute set. If accounts are in the 'banned' active directory group then the
# account will automatically be locked when the script is run, and unlocked if they are no longer in the AD
# banned group
#--------------------------------------------------------------------------------------------------
# Variables can be changed here:
banned = 'CN=Banned,CN=yourschool,DC=sch,DC=uk'   # an OU for banned users
scope = 'ou=users,dc=yourschool,dc=sch,dc=uk'     # the search scope
domain = "yourschool.sch.uk"                      # "example.com"
ldapserver = "server1"                            # ldap server
port = "389"                                      # ldap port (389 default)
emaildomain = "yourschool.sch.uk"                 # the email domain
ldapbinddomain = "student-domain"                 # the domain of the ldap bind account
ldapbind = "ldap"                                 # the account name of the account to bind to ldap
ldappassword = "password"                         # the ldap password
pathtozmprov = "/opt/zimbra/bin/zmprov"
#--------------------------------------------------------------------------------------------------
import ldap, string, os, time, sys

# output the list of all accounts from zmprov gaa (get all accounts)
f = os.popen(pathtozmprov + ' gaa')
zmprovgaa = f.readlines()

l = ldap.initialize("ldap://" + ldapserver + "." + domain + ":" + port)
l.simple_bind_s(ldapbinddomain + "\\" + ldapbind, ldappassword)  # bind to the ldap server using name/password
try:
    # userAccountControl 512 = normal, 514 = disabled account
    res = l.search_s(scope, ldap.SCOPE_SUBTREE,
                     "(&(ObjectCategory=user)(userAccountControl=512)(employeeType=STUDENT))",
                     ['sAMAccountName', 'givenName', 'sn', 'memberOf'])
    for (dn, vals) in res:
        accountname = vals['sAMAccountName'][0].lower()
        # fall back to the account name when sn / givenName are not set in AD
        try:
            sirname = vals['sn'][0].lower()
        except KeyError:
            sirname = vals['sAMAccountName'][0].lower()
        try:
            givenname = vals['givenName'][0]
        except KeyError:
            givenname = vals['sAMAccountName'][0].lower()
        try:
            groups = vals['memberOf']
        except KeyError:
            groups = 'none'
        # display name is built as Initial.Surname with spaces, apostrophes and dashes stripped
        initial = givenname[:1].upper()
        sirname = sirname.replace(' ', '')
        sirname = sirname.replace('\'', '')
        sirname = sirname.replace('-', '')
        sirname = sirname.capitalize()
        name = initial + "." + sirname
        accountname = accountname + "@" + emaildomain
        password = " \'\' "   # empty password: authentication is external
        sys.stdout.flush()
        # if the account doesn't exist in the output of zmprov gaa create the account
        if accountname + "\n" not in zmprovgaa:
            print accountname, " exists in active directory but not in zimbra, the account is being created\n"
            time.sleep(1)
            os.system(pathtozmprov + ' ca %s %s displayName %s' % (accountname, password, name))
        # if the account is in the group 'banned' check to see if account already locked
        if banned in groups:
            zmprovga = os.popen(pathtozmprov + ' ga %s' % (accountname))
            ga = zmprovga.readlines()
            locked = "zimbraAccountStatus: locked\n"
            if locked not in ga:
                # if account not locked then lock it
                print accountname, " has been BANNED from the internet. The email account has been locked "
                os.system(pathtozmprov + ' ma %s zimbraAccountStatus locked' % (accountname))
                time.sleep(1)
            else:
                print accountname, " has a locked email account because they are in the 'banned' group"
        # set any accounts to 'active' if they are not in the banned group and the account is currently locked
        else:
            zmprovga = os.popen(pathtozmprov + ' ga %s' % (accountname))
            ga = zmprovga.readlines()
            locked = "zimbraAccountStatus: locked\n"
            if locked in ga:
                os.system(pathtozmprov + ' ma %s zimbraAccountStatus active' % (accountname))
                time.sleep(1)
                print accountname, " is no longer in the 'banned' group, therefore the account has been activated"
except ldap.LDAPError, error_message:
    print error_message
l.unbind_s()
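The decision logic of the script above, as an added example (not the wiki script or Zimbra's own code) rewritten as a pure Python 3 function: it takes the AD attributes the script fetches plus a map of existing Zimbra addresses to their zimbraAccountStatus, and returns the zmprov commands as argument lists so that AD attribute values never pass through a shell, which replaces the "sensible username" prerequisite with an explicit check. The LDAP search and the zmprov invocations are assumed to happen as in the script; the entries and account states below are constructed sample data, and the placeholder settings are assumed to match yours.

```python
import re

# Settings mirror the wiki script's placeholders (assumed; edit to match your site).
BANNED_DN = "CN=Banned,CN=yourschool,DC=sch,DC=uk"
EMAIL_DOMAIN = "yourschool.sch.uk"
ZMPROV = "/opt/zimbra/bin/zmprov"
# Explicit replacement for the 'sensible username' prerequisite: only these
# characters, so a sAMAccountName can never carry shell metacharacters.
SAFE_NAME = re.compile(r"^[a-z0-9][a-z0-9._]{0,63}$")

def display_name(entry):
    """Build 'I.Surname' as the script does, falling back to sAMAccountName."""
    sam = entry["sAMAccountName"].lower()
    given = entry.get("givenName") or sam
    sn = (entry.get("sn") or sam).lower()
    for ch in (" ", "'", "-"):
        sn = sn.replace(ch, "")
    return given[:1].upper() + "." + sn.capitalize()

def plan(ad_entries, zimbra_status):
    """Return (zmprov argv lists, skipped names) to reconcile Zimbra with AD.
    zimbra_status maps existing addresses to their zimbraAccountStatus."""
    status = dict(zimbra_status)  # work on a copy; new accounts start 'active'
    actions, skipped = [], []
    for entry in ad_entries:
        sam = entry["sAMAccountName"].lower()
        if not SAFE_NAME.match(sam):
            skipped.append(sam)
            continue
        addr = sam + "@" + EMAIL_DOMAIN
        if addr not in status:  # same test as 'not in zmprov gaa output'
            actions.append([ZMPROV, "ca", addr, "", "displayName", display_name(entry)])
            status[addr] = "active"
        banned = BANNED_DN in entry.get("memberOf", [])
        if banned and status[addr] != "locked":
            actions.append([ZMPROV, "ma", addr, "zimbraAccountStatus", "locked"])
        elif not banned and status[addr] == "locked":
            actions.append([ZMPROV, "ma", addr, "zimbraAccountStatus", "active"])
    return actions, skipped

# Constructed sample data standing in for the LDAP search and 'zmprov gaa'/'zmprov ga'.
SAMPLE_ENTRIES = [
    {"sAMAccountName": "JSmith", "givenName": "John", "sn": "o'neil-smith", "memberOf": [BANNED_DN]},
    {"sAMAccountName": "abrown", "sn": "Brown", "memberOf": []},
    {"sAMAccountName": "bad;name", "sn": "x"},
]
SAMPLE_STATUS = {"abrown@yourschool.sch.uk": "locked"}

if __name__ == "__main__":
    # each argv would go to subprocess.run(argv, check=True), never to a shell
    print(*plan(SAMPLE_ENTRIES, SAMPLE_STATUS), sep="\n")
```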