Syncing ScalixLDAP to OpenLDAP

Best practice information from Scalix users relating to integration of Scalix with other products.

Moderator: ScalixSupport

stephan.klein
Posts: 68
Joined: Thu Feb 22, 2007 1:10 pm
Location: Germany

Syncing ScalixLDAP to OpenLDAP

Postby stephan.klein » Thu Jun 07, 2007 7:36 am

Hi @all,

is there a way to export (better: sync) the scalix ldap directory to openldap?

I am trying to use scalix as single point of user administration. Many services on my machines rely on ldap as authentication subsystem (sendmail, apache, ...).

I installed openldap on the scalix server listening on port 3890. This openldap server should get the ldap data that is stored in scalix ldap, so that openldap can replicate its directory to the openldap servers on my other machines via slurpd.

The services on the other machines should be able to use the local openldap to authenticate against, so I do not get a single point of failure if the scalix server is down or unreachable (local authentication against openldap is already working :-) ).

I searched the forum, the docs and the manpage of omldapsync, but I could not find any hint, if this is possible. I only found information about using openldap as the single point of user administration.

Thank you for any help!

Kind regards
Stephan

grahamk
Posts: 134
Joined: Fri Mar 02, 2007 4:53 am

Postby grahamk » Thu Jun 07, 2007 11:36 pm

You're better off syncing the Scalix LDAP with OpenLDAP data. This is mentioned in a few other posts, and it is a much better way to do things. There are a few posts around which give direction, but post here again and I will help where I can.

grahamk
Posts: 134
Joined: Fri Mar 02, 2007 4:53 am

Postby grahamk » Thu Jun 07, 2007 11:58 pm

This might also help you:

viewtopic.php?t=7724

stephan.klein
Posts: 68
Joined: Thu Feb 22, 2007 1:10 pm
Location: Germany

Postby stephan.klein » Sat Jun 09, 2007 6:28 am

Hello grahamk,

thank you for your advice.

I have read in many posts about the option to manage user accounts and groups in openldap and to use password stored in openldap to authenticate scalix users.

What is not clear to me if I go this way: when I add a new user or group via sac, do these additions sync to openldap? If a user changes their password in webmail, does this new password sync to openldap? What about the attributes Scalix does not know about ('shadow expire' for example)?

Or is the better way not to touch sac any more and do any administrative tasks within an openldap browser?

Do I need to run a cronjob to do an update of ldap data periodically? Or is there a push mechanism available as if I run slurpd with multiple openldap servers?

Thank you & kind regards
Stephan

grahamk
Posts: 134
Joined: Fri Mar 02, 2007 4:53 am

Postby grahamk » Mon Jun 11, 2007 12:27 am

Sounds to me like you know more about ldap that I do, so you might know of better ways of doing things.

When using LDAP for user management, I have found the console to be a good way to administer users. SAC is greyed out, which you can ungrey, but I'm almost certain that when making changes in SAC, openldap is not updated.

You can use omldapsync to sync from openldap and make changes directly to the ldap store, and use a cronjob to update scalix, or, I have found that using the console commands on the scalix server (ommodu, for example) updates the openldap attributes.

davidz
Posts: 129
Joined: Wed Apr 19, 2006 11:46 am

Postby davidz » Mon Jun 11, 2007 2:13 pm

stephan.klein wrote:What is not clear to me if I go this way: when I add a new user or group via sac, do these additions sync to openldap? If a user changes their password in webmail, does this new password sync to openldap? What about the attributes Scalix does not know about ('shadow expire' for example)?

I have not seen many posts on running it this way. Almost all the documentation, and the recommended way that I know of, is to do it the other way: OpenLDAP --> ScalixLDAP
stephan.klein wrote:Or is the better way not to touch sac any more and do any administrative tasks within an openldap browser?

This is how we run our system of about 200 users. Before we had Scalix we already had an OpenLDAP Samba Domain Controller. So this way works great for us. We do everything from OpenLDAP. Change passwords, mailbox size limits, email aliases, etc.
stephan.klein wrote:Do I need to run a cronjob to do an update of ldap data periodically? Or is there a push mechanism available as if I run slurpd with multiple openldap servers?

We run a cronjob on the Scalix box every 30 minutes that runs omldapsync -u syncName, so if I change, say, a mailbox storage limit, it takes effect in roughly 30 minutes.

Good Luck,
David
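
A wrapper for that 30-minute cron job, added here as an example and not the thread's or Scalix's own code: it runs omldapsync -u syncName, keeps the log, and turns the failure lines quoted later in this thread (entries failed, "import failed, error=2", ERROR lines) into a non-zero exit status, so a broken sync is noticed instead of leaving Scalix quietly stale. SYNC_NAME, LOG_FILE and the sample log are assumptions; the sample lines are constructed from the ones posted below.

```shell
#!/bin/sh
# Added example, not code from the thread or from Scalix: wrapper for the
# 30-minute "omldapsync -u syncName" cron job that turns the log lines quoted
# in the thread (entries failed, "import failed, error=2", ERROR lines) into
# a non-zero exit status. SYNC_NAME and LOG_FILE are assumed names.
SYNC_NAME="${SYNC_NAME:-syncname}"
LOG_FILE="${LOG_FILE:-/var/log/omldapsync-cron.log}"

# check_sync_log LOGFILE: print a summary; 0 = clean run, 1 = import failed,
# an ERROR line appeared, or some entries failed.
check_sync_log() {
    log="$1"; rc=0
    if grep -q 'LDAP dir sync import failed' "$log"; then
        err=$(sed -n 's/.*import failed, error=\([0-9]*\).*/\1/p' "$log" | tail -n 1)
        echo "import failed (omldapsync error=$err)"; rc=1
    fi
    if grep -q ' ERROR: ' "$log"; then
        sed -n 's/.* ERROR: /error: /p' "$log"; rc=1
    fi
    # per-action counts: "INFO: ... N entries failed for <action>.curr"
    failed=$(sed -n 's/.*\.\.\. \([0-9][0-9]*\) entries failed for \(.*\)$/\1 \2/p' "$log")
    printf '%s\n' "$failed" | awk '$1 > 0 { print $1 " entries failed for " $2 }'
    total=$(printf '%s\n' "$failed" | awk '{ s += $1 } END { print s + 0 }')
    [ "$total" -gt 0 ] && rc=1
    return $rc
}

# run_sync: what cron calls; keeps the log and exits non-zero on trouble so
# cron's mail (or your monitoring) reports it instead of a silent stale sync.
run_sync() {
    omldapsync -u "$SYNC_NAME" > "$LOG_FILE" 2>&1
    status=$?
    check_sync_log "$LOG_FILE" && [ "$status" -eq 0 ]
}

if command -v omldapsync >/dev/null 2>&1; then
    run_sync
else
    # constructed sample, modelled on the lines quoted in the thread
    sample=$(mktemp)
    cat > "$sample" <<'EOF'
2007-08-10 04:18:42 ERROR: failed to run omldapagent
2007-08-10 04:18:42 INFO: ... 13 entries failed for delete.curr
2007-08-10 04:18:42 INFO: ... 0 entries failed for add.curr
2007-08-10 04:18:43 STATUS: LDAP dir sync import failed, error=2 ###########
EOF
    check_sync_log "$sample" || echo "sync needs attention"
    rm -f "$sample"
fi
```

Put the script in the crontab entry in place of the bare omldapsync call; a clean run prints nothing and exits 0, so cron stays quiet until something actually fails.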

stephan.klein
Posts: 68
Joined: Thu Feb 22, 2007 1:10 pm
Location: Germany

Postby stephan.klein » Fri Jun 15, 2007 10:14 am

OK, I will try to set it up the other way this weekend.

Graham, I read in an other thread (http://www.scalix.com/forums/viewtopic.php?t=7011) that you have this setup running fine.

Can you please provide me the basic steps of integration or point me to a related document?

Thank you & regards
Stephan

fb
Posts: 22
Joined: Sun Jul 01, 2007 10:45 am

Postby fb » Fri Jul 20, 2007 1:30 pm

davidz wrote:
stephan.klein wrote:What is not clear to me if I go this way: when I add a new user or group via sac, do these additions sync to openldap? If a user changes their password in webmail, does this new password sync to openldap? What about the attributes Scalix does not know about ('shadow expire' for example)?

I have not seen many posts on running it this way. Almost all the documentation, and the recommended way that I know of, is to do it the other way: OpenLDAP --> ScalixLDAP
stephan.klein wrote:Or is the better way not to touch sac any more and do any administrative tasks within an openldap browser?

This is how we run our system of about 200 users. Before we had Scalix we already had an OpenLDAP Samba Domain Controller. So this way works great for us. We do everything from OpenLDAP. Change passwords, mailbox size limits, email aliases, etc.
stephan.klein wrote:Do I need to run a cronjob to do an update of ldap data periodically? Or is there a push mechanism available as if I run slurpd with multiple openldap servers?

We run a cronjob on the Scalix box every 30 minutes that runs omldapsync -u syncName, so if I change, say, a mailbox storage limit, it takes effect in roughly 30 minutes.

Good Luck,
David


Hello David,

I think it would be a really cool thing if you could write a small howto for the scenario you described, as not everybody is that deep into the subject and it definitely sounds like an elegant solution...

Cheers

davidz
Posts: 129
Joined: Wed Apr 19, 2006 11:46 am

Postby davidz » Fri Jul 20, 2007 2:34 pm

fb wrote:Hello David,

I think it would be a really cool thing if you could write a small howto for the scenario you described, as not everybody is that deep into the subject and it definitely sounds like an elegant solution...

Cheers


Just getting started...
http://www.scalix.com/wiki/index.php?title=HowTos/OpenLDAP_User_Management

--David

stephan.klein
Posts: 68
Joined: Thu Feb 22, 2007 1:10 pm
Location: Germany

Postby stephan.klein » Thu Jul 26, 2007 5:37 am

Great - thank you very much!

I will try this weekend.

BTW: I read that the OpenLDAP user administration could be done by LDAPAccountManager (LAM). Has anyone tried it?

Regards
Stephan

pratat

Postby pratat » Thu Aug 09, 2007 4:21 pm

davidz wrote:
fb wrote:Hello David,

I think it would be a really cool thing if you could write a small howto for the scenario you described, as not everybody is that deep into the subject and it definitely sounds like an elegant solution...

Cheers


Just getting started...
http://www.scalix.com/wiki/index.php?title=HowTos/OpenLDAP_User_Management

--David


Hi David

Good howto you have got there.

But I am still facing some problems. Maybe you can shed some light.

If I run this command "omldapsync -i syncname -d 15" with option 2,

I get these error messages:

2007-08-10 04:17:40 ^^^^^^^^
2007-08-10 04:17:40 DEBUG: >>>>>>>>ActionId=membadd
2007-08-10 04:17:40 INFO: ... 0 entries passed for member.curr
2007-08-10 04:17:40 INFO: ... 0 entries failed for member.curr
2007-08-10 04:17:40 INFO: ... 0 entries warned for member.curr
2007-08-10 04:17:40 STATUS: apply membmodify data against Scalix ...
2007-08-10 04:17:40 DEBUG: >>>>>>>>ActionId=membmodify
2007-08-10 04:17:40 INFO: ... 0 entries passed for member.curr
2007-08-10 04:17:40 INFO: ... 0 entries failed for member.curr
2007-08-10 04:17:40 INFO: ... 0 entries warned for member.curr
2007-08-10 04:17:40 DEBUG: >>>>>>>>ExitCode=2
2007-08-10 04:17:40 STATUS: LDAP dir sync import failed, error=2 ###########
2007-08-10 04:17:40 STATUS: LDAP dir sync export syncname started ###############
2007-08-10 04:17:40 STATUS: load all records from scalix.abc.net ...
2007-08-10 04:17:40 INFO: agreement type 13 only supports import operation
2007-08-10 04:17:40 STATUS: LDAP dir sync export syncname completed #############


I tried without option 8.

These are the error messages:

2007-08-10 04:18:42 ERROR: failed to run omldapagent
2007-08-10 04:18:42 DEBUG: >>>>>>>>cat rawdata.entry >>delete.fail
2007-08-10 04:18:42 INFO: ... 0 entries passed for delete.curr
2007-08-10 04:18:42 INFO: ... 13 entries failed for delete.curr
2007-08-10 04:18:42 INFO: ... 0 entries warned for delete.curr
2007-08-10 04:18:42 STATUS: apply add data against Scalix ...
2007-08-10 04:18:42 DEBUG: >>>>>>>>ActionId=add
2007-08-10 04:18:42 INFO: ... 0 entries passed for add.curr
2007-08-10 04:18:42 INFO: ... 0 entries failed for add.curr
2007-08-10 04:18:42 INFO: ... 0 entries warned for add.curr
2007-08-10 04:18:42 STATUS: apply limit data against Scalix ...
2007-08-10 04:18:42 DEBUG: >>>>>>>>ActionId=limit
2007-08-10 04:18:42 INFO: ... 0 entries passed for add.curr
2007-08-10 04:18:42 INFO: ... 0 entries failed for add.curr
2007-08-10 04:18:42 INFO: ... 0 entries warned for add.curr
2007-08-10 04:18:42 STATUS: apply modify data against Scalix ...
2007-08-10 04:18:42 DEBUG: >>>>>>>>ActionId=modify
2007-08-10 04:18:42 INFO: ... 0 entries passed for modify.curr
2007-08-10 04:18:42 INFO: ... 0 entries failed for modify.curr
2007-08-10 04:18:42 INFO: ... 0 entries warned for modify.curr
2007-08-10 04:18:42 STATUS: apply limit data against Scalix ...
2007-08-10 04:18:42 DEBUG: >>>>>>>>ActionId=limit
2007-08-10 04:18:43 INFO: ... 0 entries passed for modify.curr
2007-08-10 04:18:43 INFO: ... 0 entries failed for modify.curr
2007-08-10 04:18:43 INFO: ... 0 entries warned for modify.curr
2007-08-10 04:18:43 STATUS: apply membadd data against Scalix ...
2007-08-10 04:18:43 DEBUG: >>>>>>>>ActionId=membadd
2007-08-10 04:18:43 INFO: ... 0 entries passed for member.curr
2007-08-10 04:18:43 INFO: ... 0 entries failed for member.curr
2007-08-10 04:18:43 INFO: ... 0 entries warned for member.curr
2007-08-10 04:18:43 STATUS: apply membmodify data against Scalix ...
2007-08-10 04:18:43 DEBUG: >>>>>>>>ActionId=membmodify
2007-08-10 04:18:43 INFO: ... 0 entries passed for member.curr
2007-08-10 04:18:43 INFO: ... 0 entries failed for member.curr
2007-08-10 04:18:43 INFO: ... 0 entries warned for member.curr
2007-08-10 04:18:43 DEBUG: >>>>>>>>ExitCode=2
2007-08-10 04:18:43 STATUS: LDAP dir sync import failed, error=2 ###########
2007-08-10 04:18:43 STATUS: LDAP dir sync export syncname started ###############
2007-08-10 04:18:43 INFO: agreement type 13 only supports import operation
2007-08-10 04:18:43 STATUS: LDAP dir sync export syncname completed #############

Am I missing something?

davidz
Posts: 129
Joined: Wed Apr 19, 2006 11:46 am

Postby davidz » Thu Aug 09, 2007 4:28 pm

I don't recognize those errors. Can you post your sync file? Also what is the output when you do not use debug mode?


--David

pratat

Postby pratat » Thu Aug 09, 2007 5:14 pm

davidz wrote:I don't recognize those errors. Can you post your sync file? Also what is the output when you do not use debug mode?


--David


Hi

I guess my error was with my MailNode. I made a change on the LDAP side.

Below are the errors:

2007-08-10 05:04:00 STATUS: update sync data files with partial results ...
2007-08-10 05:04:01 INFO: ... 13 entries modified in search.last
2007-08-10 05:04:01 STATUS: LDAP dir sync import failed, error=2 ########### <== i assume this is just a warning
2007-08-10 05:04:01 STATUS: LDAP dir sync export syncname started ###############
2007-08-10 05:04:01 STATUS: load all records from scalix.abc.net ...
2007-08-10 05:04:01 INFO: agreement type 13 only supports import operation
2007-08-10 05:04:01 STATUS: LDAP dir sync export syncname completed #############
2007-08-10 05:04:27 STATUS: Configuration of syncname started ########
2007-08-10 05:04:30 STATUS: Configuration of syncname completed ########
2007-08-10 05:04:33 STATUS: Interactive for syncname completed ########


I am able to see the 13 users via the admin console.

But the next problem I am facing is that users are not able to log into the webmail.

"The username or password is incorrect, bla bla bla"

Any other advice?

davidz
Posts: 129
Joined: Wed Apr 19, 2006 11:46 am

Postby davidz » Thu Aug 09, 2007 5:29 pm

What do you get with an ldapsearch -x on your mail server?

--David

maginoc

Postby maginoc » Thu Aug 09, 2007 5:49 pm

davidz wrote:What do you get with an ldapsearch -x on your mail server?

--David


my ldap server is running on another machine.


By doing omshowu -n monkey:
Authentication ID: monkey
Globally Unique ID: 2c3478fa-daf3-102b-9c98-274415ad1c39
User Name : monkey /CN=monkey mo
MailNode : scalix
Internet Address : monkey@abc.net
System Login : 55004
Password : unset
Admin Capabilities : YES
Mailbox Admin Capabilities : YES
Language : ENGLISH
Mail Account: Unlocked
Last Signon : Never.
Receipt of mail : ENABLED
Service level : 0
Excluded from Tidying : NO
Recovery Folder visible : NO
User Class : Full
SIS URL : sxidx://scalix.abc.net/097000008d995b64-62.82.61.271


The password is unset while the admin show password: set

