
Tips : Export-Import Zimbra Account Data Into LDAP Data


About 2-3 months ago, the Excellent team was invited by a government institution in Bogor, Indonesia, to set up a Zimbra mail server and upgrade an existing Zimbra mail server to use external LDAP authentication. Although Zimbra itself already uses LDAP, our client asked me to set up a separate LDAP server. This server will be used as a central account/authentication server for SSO (Single Sign-On).

Configuring an LDAP server on SUSE Linux Enterprise Server (SLES) or openSUSE is not too difficult because YaST has its own module, available via the YaST | Network Services | LDAP Server menu. The difficult part is exporting the Zimbra account data into an LDIF file that can be imported into the SLES LDAP server.

Below is a script modified from the article Script for Export-Import Zimbra Account + Password. I modified the script to insert some attributes, such as home directory, GID, UID and others required by the POSIX schema.

[code lang="bash"]
#!/bin/bash
# bash is required: the script uses echo -e, == and let

# Clear the screen
clear

echo -e "###################################################################################"
echo -e "# Zimbra export-ldap.sh ver 0.0.1                                                 #"
echo -e "# Skrip untuk export account Zimbra berikut profile dan password                  #"
echo -e "# Masim 'Vavai' Sugianto - vavai@vavai.com - http://www.vavai.com                 #"
echo -e "# PT. Excellent Infotama Kreasindo : http://www.excellent.co.id                   #"
echo -e "###################################################################################"

# Escape sequences for bold output
ibold="\033[1m""\n===> "
ebold="\033[0m"

# Parameters
echo ""
echo -n "Enter Domain Name (ex : vavai.com) : "
read NAMA_DOMAIN
echo -n "Enter path folder for exported account (ex : /home/vavai/) : "
read FOLDER

# Names of the export files
MOD_FILE="$FOLDER/zcs-acc-mod.ldif"
LDIF_FILE="$FOLDER/acc-add.ldif"

# First uidNumber to assign
vUID=1004

rm -f "$MOD_FILE"
rm -f "$LDIF_FILE"

# The export contains password hashes: create the files readable by the owner only
umask 077
touch "$MOD_FILE"
touch "$LDIF_FILE"


# Check which Zimbra version is in use
VERSION=`su - zimbra -c 'zmcontrol -v'`;
ZCS_VER="/tmp/zcsver.txt"
# Get the Zimbra LDAP password
ZIMBRA_LDAP_PASSWORD=`su - zimbra -c "zmlocalconfig -s zimbra_ldap_password | cut -d ' ' -f3"`

touch "$ZCS_VER"
echo "$VERSION" > "$ZCS_VER"

echo -e $ibold"Retrieve Zimbra User.............................."$ebold

grep "Release 5." "$ZCS_VER"
if [ $? = 0 ]; then
    USERS=`su - zimbra -c 'zmprov gaa'`;
    LDAP_MASTER_URL=`su - zimbra -c "zmlocalconfig -s ldap_master_url | cut -d ' ' -f3"`
fi

grep "Release 7." "$ZCS_VER"
if [ $? = 0 ]; then
    USERS=`su - zimbra -c 'zmprov -l gaa'`;
    LDAP_MASTER_URL="ldapi:///"
fi

echo -e $ibold"Processing account, please wait.............................."$ebold
# Write each account of the chosen domain into the export files.
# Note: -w puts the LDAP password on the command line, where it is visible
# in the process list while ldapsearch runs.
for ACCOUNT in $USERS; do
NAME=`echo $ACCOUNT`;
DOMAIN=`echo $ACCOUNT | awk -F@ '{print $2}'`;
ACCOUNT=`echo $ACCOUNT | awk -F@ '{print $1}'`;
ACC=`echo $ACCOUNT | cut -d '.' -f1`

if [ "$NAMA_DOMAIN" == "$DOMAIN" ] ;
then
OBJECT="(&(objectClass=zimbraAccount)(mail=$NAME))"
dn=`/opt/zimbra/bin/ldapsearch -H "$LDAP_MASTER_URL" -w "$ZIMBRA_LDAP_PASSWORD" -D uid=zimbra,cn=admins,cn=zimbra -x "$OBJECT" | grep '^dn:'`


displayName=`/opt/zimbra/bin/ldapsearch -H "$LDAP_MASTER_URL" -w "$ZIMBRA_LDAP_PASSWORD" -D uid=zimbra,cn=admins,cn=zimbra -x "$OBJECT" | grep '^displayName:' | cut -d ':' -f2 | sed 's/^ *//g' | sed 's/ *$//g'`


givenName=`/opt/zimbra/bin/ldapsearch -H "$LDAP_MASTER_URL" -w "$ZIMBRA_LDAP_PASSWORD" -D uid=zimbra,cn=admins,cn=zimbra -x "$OBJECT" | grep '^givenName:' | cut -d ':' -f2 | sed 's/^ *//g' | sed 's/ *$//g'`

# userPassword is printed as "userPassword:: <base64>", so the value is field 3
userPassword=`/opt/zimbra/bin/ldapsearch -H "$LDAP_MASTER_URL" -w "$ZIMBRA_LDAP_PASSWORD" -D uid=zimbra,cn=admins,cn=zimbra -x "$OBJECT" | grep '^userPassword:' | cut -d ':' -f3 | sed 's/^ *//g' | sed 's/ *$//g'`

cn=`/opt/zimbra/bin/ldapsearch -H "$LDAP_MASTER_URL" -w "$ZIMBRA_LDAP_PASSWORD" -D uid=zimbra,cn=admins,cn=zimbra -x "$OBJECT" | grep '^cn:' | cut -d ':' -f2 | sed 's/^ *//g' | sed 's/ *$//g'`

initials=`/opt/zimbra/bin/ldapsearch -H "$LDAP_MASTER_URL" -w "$ZIMBRA_LDAP_PASSWORD" -D uid=zimbra,cn=admins,cn=zimbra -x "$OBJECT" | grep '^initials:' | cut -d ':' -f2 | sed 's/^ *//g' | sed 's/ *$//g'`

sn=`/opt/zimbra/bin/ldapsearch -H "$LDAP_MASTER_URL" -w "$ZIMBRA_LDAP_PASSWORD" -D uid=zimbra,cn=admins,cn=zimbra -x "$OBJECT" | grep '^sn:' | cut -d ':' -f2 | sed 's/^ *//g' | sed 's/ *$//g'`


# Accounts without a givenName get an entry that omits that attribute
if [ "$givenName" == "" ]; then
        echo "
dn: uid=$ACCOUNT,ou=people,dc=excellent,dc=co,dc=id
cn: $displayName
sn: $sn
uid: $ACCOUNT
objectClass: top
objectClass: inetOrgPerson
objectClass: posixAccount
gidNumber: 100
uidNumber: $vUID
homeDirectory: /home/$ACCOUNT
loginShell: /bin/bash
" >> "$LDIF_FILE"

echo "$dn
changetype: modify
replace: userPassword
userPassword:: $userPassword
" >> "$MOD_FILE"

else

                echo "
dn: uid=$ACCOUNT,ou=people,dc=excellent,dc=co,dc=id
cn: $displayName
givenName: $givenName
sn: $sn
uid: $ACCOUNT
objectClass: top
objectClass: inetOrgPerson
objectClass: posixAccount
gidNumber: 100
uidNumber: $vUID
homeDirectory: /home/$ACCOUNT
loginShell: /bin/bash
" >> "$LDIF_FILE"

echo "$dn
changetype: modify
replace: userPassword
userPassword:: $userPassword
" >> "$MOD_FILE"

fi

                echo "Adding account $NAME"
fi
let vUID=vUID+1
done
echo -e $ibold"All account has been exported successfully into $MOD_FILE and $LDIF_FILE..."$ebold
[/code]

The script produces two files: acc-add.ldif and zcs-acc-mod.ldif. The first one can be used to load the LDAP data with the following command:
[code lang="bash"]
ldapadd -Wx -D "cn=Administrator,dc=excellent,dc=co,dc=id" -H ldap://localhost -f acc-add.ldif
[/code]
Use the second file to set each LDAP user's password to the existing password in Zimbra:
[code lang="bash"]
ldapmodify -f zcs-acc-mod.ldif -x -H ldapi:/// -D "cn=Administrator,dc=excellent,dc=co,dc=id" -w PasswordLDAPServer
[/code]
If you wish to include other attributes or schemas, simply edit the script and make the necessary modifications.
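Before running ldapadd, the generated acc-add.ldif can be checked for entries that lack an attribute inetOrgPerson or posixAccount requires (an account with no sn in Zimbra is exported with an empty `sn:`) and for uidNumber values used twice, which happens when LDIF files from separate runs are combined, since every run starts at vUID=1004. This is an added example, not part of the original script; the function names `check_ldif`, `entry` and `sample_ldif` and the sample accounts are constructed for illustration.

```bash
# Pre-import check for an LDIF in the layout of acc-add.ldif.
# Prints one line per problem and returns non-zero if any problem is found.
check_ldif() {
    awk '
    function flush(   i, n, req) {
        if (dn == "") return
        n = split("cn sn uid uidNumber gidNumber homeDirectory", req, " ")
        for (i = 1; i <= n; i++)
            if (val[req[i]] == "") { print dn ": missing or empty " req[i]; bad++ }
        if (val["uidNumber"] != "") {
            if (val["uidNumber"] in seen) {
                print dn ": uidNumber " val["uidNumber"] " already used by " seen[val["uidNumber"]]
                bad++
            } else seen[val["uidNumber"]] = dn
        }
        dn = ""; split("", val)            # reset state for the next entry
    }
    /^[ \t]*$/ { flush(); next }           # a blank line ends an entry
    /^dn:/     { flush(); dn = $0; sub(/^dn:+[ \t]*/, "", dn); next }
    /^[A-Za-z][A-Za-z0-9-]*:/ {
        name = $0;  sub(/:.*/, "", name)
        value = $0; sub(/^[^:]*:+[ \t]*/, "", value); sub(/[ \t]+$/, "", value)
        val[name] = value
    }
    END { flush(); exit (bad > 0) }
    ' "$1"
}

# Constructed sample (not real accounts): entry <uid> <sn> <uidNumber> writes
# one record in the layout the export script produces.
entry() {
    printf '\ndn: uid=%s,ou=people,dc=excellent,dc=co,dc=id\n' "$1"
    printf 'cn: %s\nsn: %s\nuid: %s\nobjectClass: posixAccount\n' "$1" "$2" "$1"
    printf 'gidNumber: 100\nuidNumber: %s\nhomeDirectory: /home/%s\n' "$3" "$1"
}
# bob has an empty sn; carol reuses the uidNumber already given to alice.
sample_ldif() { entry alice Example 1004; entry bob "" 1005; entry carol Example 1004; }

sample=$(mktemp) && sample_ldif > "$sample"
check_ldif "$sample" || echo "Fix the entries above before running ldapadd." >&2
rm -f "$sample"
```

Against a real export, call `check_ldif /path/to/acc-add.ldif` and import only when it prints nothing.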

