HowTos/AD-Contact-Sync

From Scalix Wiki

Synchronizing Contacts between Active Directory and Scalix

A common question lately has been how to get contacts synced correctly between Scalix and AD2003.

In many coexistence scenarios it's a requirement to have Scalix Users in Exchange's GAL as contacts and Exchange Users in Scalix's SYSTEM directory as Internet Users.

This mini-howto should clear up some confusion about getting the above set up. However, this is an extremely simple howto which assumes you understand Scalix, Exchange, LDAP and SMTP routing. Explaining the underlying concepts would be outside the scope of this document.

Please direct any corrections or suggestions to chris -att- scalix -dott- com

Requirements & Assumptions

Requirements

  • Root-level access to Scalix Server
  • Administrator access to Active Directory
  • General knowledge of LDAP

Assumptions

  • you need to share a single email domain between Exchange and Scalix (if you don't, the setup becomes easier. You can ignore everything involving a transport domain between Scalix and Exchange.)

Basic Information

Your goal is to create contacts in AD and internet users on Scalix from the user objects on the other sides. These users will all have email addresses in a single domain.

Scalix server supports the setup out-of-the-box, and routes any addresses that it does not recognize as local out through sendmail. Active Directory, however, needs to be set up to do the forwarding properly. Normally, when an Exchange server believes that it owns a domain completely, it will not forward any email addressed to that domain on to another machine.

In order to achieve this, the following LDAP attributes on the Exchange side are key:

  • proxyAddresses --> the RFC 822 addresses the object is known by; mail sent to any of them is forwarded to the address listed in targetAddress
  • targetAddress --> the address in our transport domain where that mail will end up

Because Exchange will not automatically forward email from a domain it considers its own to an external server, we will need to set up a transport domain between Exchange and Scalix. For the purposes of this document, I will assume you work with a domain called scalix.demo, and some users are on Scalix and others on Exchange. Our transport domain will be transport.scalix.demo. The function of the transport domain is to convince Exchange to route email off-server that was originally sent to a user on a domain "claimed" by Exchange.

Basic Methodology - Manual Testing

To start out, create a contact manually in AD and an Internet User manually in SAC, and ensure that they can send email to one another. Once that is working, you can automate the synchronization with omldapsync. Take a look at these users with the LDAP browser of your choice (Softerra, JXplorer, and lbe are some examples of LDAP browsers I've used successfully) and look at the attributes. Of particular importance on the AD side are the attributes targetAddress, mail, and proxyAddresses; take a look at your test contact once forwarding is working to see how those attributes are set.

Contact on AD for a real user in Scalix

  • Assume his email is scalixuser@company.com
  • Add a secondary email address, scalixuser@transport.company.com to the user on Scalix
  • Manually create a contact on AD, and assign this email address to the contact
  • When the entry has propagated to the GAL, ensure that selecting the contact on OL/Exchange and sending works properly
  • You may need to add an SMTP-connector to Exchange to ensure correct delivery of email @transport.company.com to Scalix-server

Ensure correct addressing on the contact in AD

  • Make sure you have ADSI edit on your system, or connect to the AD with another LDAP browser as mentioned above.
  • If you are missing ADSI edit, please install the Windows Server Support Tools. This installation is described by http://go.microsoft.com/fwlink/?LinkId=62270
  • Open the contact in ADSI, and ensure that the public email address @company.com is entered in the value proxyAddresses and the transport address @transport.company.com is entered in the value targetAddress.
  • If this is done correctly, your contact object in ADUC will have the @transport.company.com address listed in the General tab as email, and both addresses listed in the E-Mail Addresses tab.

Add an SMTP connector to Exchange for the Transport Domain

  • Open Exchange System Manager
  • Right Click Connectors -> New -> SMTP Connector
  • Select "Forward all mail through this connector to the following smart hosts"
  • Enter either the name or [IP] of your Scalix Server
  • Add your Exchange server as Local Bridgehead (Add -> Select Server -> OK)
  • Click on the tab Address Space
  • Add -> Type SMTP -> enter transport.scalix.demo as Email domain -> OK
  • Check "Allow Messages to be relayed to these domains"
  • OK to save the connector
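The routing decision that the transport domain and the connector above exist to influence, written out as a small Python model. This is an added illustration, not Exchange or Scalix code: the directory entries, the user names and the smart-host name are constructed, only scalix.demo and transport.scalix.demo come from the text, and the decision rules are a simplification of the behaviour the text describes (Exchange never forwards an unknown recipient in a domain it claims; a contact is delivered to its targetAddress; the connector's address space decides where the transport domain goes).

```python
"""Simplified model of the routing decision that the transport domain and the
SMTP connector exist to influence.  Added illustration with constructed data; it
is not Exchange or Scalix code and covers only the addressing rules in the text."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

AUTHORITATIVE = {"scalix.demo"}               # domain Exchange believes it owns completely
TRANSPORT_DOMAIN = "transport.scalix.demo"    # exists only to push mail off-server
SMART_HOST = "scalix-server.example"          # placeholder for the Scalix server name


@dataclass
class Entry:
    kind: str                   # "mailbox" (Exchange user) or "contact" (Scalix user)
    proxy_addresses: List[str]  # "SMTP:"/"smtp:" prefixed, as in proxyAddresses
    target_address: str = ""    # targetAddress, contacts only


@dataclass
class Connector:
    address_space: str          # SMTP address space (a domain) the connector handles
    smart_host: str


# Constructed directory: an Exchange mailbox, a correctly built contact for a Scalix
# user, and a contact whose targetAddress was wrongly left in the public domain.
DIRECTORY = [
    Entry("mailbox", ["SMTP:exchuser@scalix.demo"]),
    Entry("contact", ["SMTP:scalixuser@scalix.demo", "smtp:scalixuser@transport.scalix.demo"],
          "SMTP:scalixuser@transport.scalix.demo"),
    Entry("contact", ["SMTP:broken@scalix.demo"], "SMTP:broken@scalix.demo"),
]
CONNECTORS = [Connector(TRANSPORT_DOMAIN, SMART_HOST)]   # the connector added above


def bare(addr: str) -> str:
    """'SMTP:user@dom' -> 'user@dom'."""
    return addr.split(":", 1)[1] if ":" in addr else addr


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[1].lower()


def lookup(recipient: str) -> Optional[Entry]:
    """Find the directory object that carries the recipient as one of its proxy addresses."""
    want = recipient.lower()
    for entry in DIRECTORY:
        if any(bare(p).lower() == want for p in entry.proxy_addresses):
            return entry
    return None


def route(recipient: str, connectors: Optional[List[Connector]] = None) -> Tuple[str, str]:
    """Return (decision, detail): local, smarthost, external or ndr."""
    connectors = CONNECTORS if connectors is None else connectors
    entry = lookup(recipient)
    if entry is None:
        if domain_of(recipient) in AUTHORITATIVE:
            return ("ndr", "unknown recipient in a domain Exchange owns; it is never forwarded")
        return ("external", domain_of(recipient))
    if entry.kind == "mailbox":
        return ("local", recipient)
    # Contact: Exchange delivers to targetAddress instead of the address it was given.
    target = bare(entry.target_address)
    tdomain = domain_of(target)
    if tdomain in AUTHORITATIVE:
        return ("ndr", "targetAddress is still in the claimed domain, so nothing leaves the server")
    for c in connectors:
        if c.address_space == tdomain:
            return ("smarthost", f"{target} via {c.smart_host}")
    # No connector for the transport domain: delivery now depends on DNS for that domain.
    return ("external", tdomain)


if __name__ == "__main__":
    for rcpt in ("exchuser@scalix.demo", "scalixuser@scalix.demo",
                 "broken@scalix.demo", "nobody@scalix.demo"):
        print(rcpt, "->", route(rcpt))
```

Running it shows the two failure modes the manual-testing section has you look for: a contact whose targetAddress stays in scalix.demo behaves like any other unknown address in that domain, and removing the connector (pass `connectors=[]`) leaves the transport address to be resolved by DNS instead of being handed to the Scalix server.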

Automagically adding Transport Addresses to Scalix Users

Add an Internet Address Mapping

You can automagically generate email addresses with IAM's on Scalix server

[root@integration scalix-11.0.1-GA]# omshowiam -s all
1                                  scalix.demo         "C" <G.S>

[root@integration scalix-11.0.1-GA]# omaddiam -s 2 -D transport.scalix.demo -N '"C" <G.S>'
omaddiam : Orn to Internet Address Mapping successfully added.

[root@integration scalix-11.0.1-GA]# omshowiam -s all
1                                  scalix.demo         "C" <G.S>
2                                  transport.scalix.d  "C" <G.S>

Once you've added the mapping, you can automagically add the second address to your users. Use the -A switch in ommodu to achieve this. Here's an example:

[root@integration scalix-11.0.1-GA]# omshowu -m all
sxadmin /integration/CN=sxadmin
sxqueryadmin /integration/CN=sxqueryadmin
Premium User /integration/CN=Premium User

[root@integration scalix-11.0.1-GA]# omshowu -m all | while read line; do omshowu -n "$line" | grep "Internet Address"; done
Internet Address : sxadmin-integration@scalix.demo
Internet Address : sxqueryadmin-integration@scalix.demo
Internet Address : "Premium User" <Premium.User@scalix.demo>

[root@integration scalix-11.0.1-GA]# omshowu -m all | while read line; do ommodu -n "$line" -A; done
ommodu: The user was modified successfully
ommodu: The user was modified successfully
ommodu: The user was modified successfully

[root@integration scalix-11.0.1-GA]# omshowu -m all | while read line; do omshowu -n "$line" | grep "Internet Address"; done
Internet Address : "sxadmin" <sxadmin@scalix.demo>="sxadmin" <sxadmin@transport.scalix.demo>
Internet Address : "sxqueryadmin" <sxqueryadmin@scalix.demo>="sxqueryadmin" <sxqueryadmin@transport.scalix.demo>
Internet Address : "Premium User" <Premium.User@scalix.demo>="Premium User" <Premium.User@transport.scalix.demo>

Complete Manual Testing

At this point you should be able to send an email manually (via telnet for example) and it should be delivered correctly. Try this.

If it doesn't work, ensure that:

  • The user on Scalix has both addresses
  • The connector on Exchange is correctly configured
  • The contact in AD has targetAddress and proxyAddresses set correctly
  • Network connectivity between the servers is available
  • You can telnet to the Scalix server port 25 from the Exchange server
  • You followed all other instructions correctly

Setting up automatic synchronization

You should familiarize yourself with omldapsync a bit before continuing here. Check out the manpages for omldapsync and omldaputil. The sync is a bash script, and the util contains the binary logic called by the script.

There is an (almost) undocumented sync type 22, designed to handle syncing to and from AD2003; see http://www.scalix.com/wiki/index.php?title=HowTos/Advanced_omldapsync for more.

Use sync type 21 (for Exchange 5.5) as a template and configure the normal information you have in any sync agreement for omldapsync. (Again, a full explanation of the sync logic is outside the scope of this document.)

Prepare your AD by creating an OU in which to keep contacts imported from Scalix.

Set up your sync.cfg as you usually would, with the following exceptions:

Config Changes

  • change sync type to 22
  • in the variable EX_ATTR, add objectGUID, otherTelephone and mail; remove Telephone-Office2 and rfc822Mailbox
  • set EX_GUID and LDAPCT_BIN_ATTR both to objectGUID
  • set EX_MV_ATTR to reflect multi-value attributes, in this case objectClass and proxyAddresses
  • set IM_GUID=omGlobalUniqueId
  • set IM_LOCAL_DOMAIN to your transport domain, in this case @transport.scalix.demo

Mapping Changes for IMPORT

  • in order to create contacts rather than actual mailbox users on Scalix, set omMailbox to FALSE for all imported entries. Use the following syntax:
|omMailbox|*|FALSE
  • use the objectGUID as the unique identifier:
objectGUID|GLOBAL-UNIQUE-ID|*,1,512|*
  • use mail rather than an rfc822 address when importing:
mail|INTERNET-ADDR|*,1,512|*
  • map otherTelephone rather than Telephone-Office2:
otherTelephone|PHONE-2|*,1,32|*

Mapping changes for EXPORT

  • in order to create contacts on the Exchange side rather than users, we map user objects to contact objects. The following syntax should run correctly:
objectClass|*|top|*
objectClass|*|scalixPerson|person
objectClass|*|organizationalPerson|*
objectClass|*|organizationalPerson|contact
objectClass|*|scalixDistributionList|contact
objectClass|*|scalixResource|contact
  • To find the correct suffixes for EX_TEXT_EOA, check the value of proxyAddresses on the contact you added manually; the values should be filled in there.
  • Add a parameter objectCategory; check the contact you added manually for the correct value. The following is correct on my system:
|objectCategory|*|CN=Person,CN=Schema,CN=Configuration,DC=scalix,DC=demo
  • Do not try to write a uid to the directory (leave this line commented out):
#omGlobalUniqueId|uid|*,1,64!ISMISSING=omAlias|*
  • ensure you are writing to the correct attributes for mail addresses in AD2003:
rfc822Mailbox|mail|*|!CUSTOM=IM_LOCAL_DOMAIN
rfc822Mailbox|targetAddress|*|!CUSTOM=IM_LOCAL_DOMAIN
rfc822Mailbox|proxyAddresses|*|!CUSTOM=IM_LOCAL_DOMAIN
  • set a mailNickname to ensure inclusion in Exchange's GAL:
omCn|mailNickName|*|*
  • correct the syntax for MAPI-Recipient to mAPIRecipient:
|mAPIRecipient|*|TRUE
  • correct Telephone-Office2 to otherTelephone:
omPhone2|otherTelephone|*|*
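To make the IMPORT and EXPORT mappings above concrete, and to give the "targetAddress and proxyAddresses set correctly" item of the manual-testing checklist something you can run, here is an added Python model of the attribute sets the two directions should produce. It is not omldapsync code and does not parse the mapping syntax; the sample Scalix user and AD user are constructed, the objectCategory value is the one from this page, and two things are assumptions to verify against the contact you created manually: that "!CUSTOM=IM_LOCAL_DOMAIN" selects the rfc822Mailbox value in the transport domain, and that proxyAddresses carries the usual "SMTP:" (primary) and "smtp:" (secondary) prefixes.

```python
"""Added model of the sync type 22 mapping: a Scalix user exported as an AD
contact, an AD user imported as a Scalix internet user, and the addressing
check from the manual-testing checklist.  Not omldapsync code; data is constructed."""
import uuid

PUBLIC_DOMAIN = "scalix.demo"
TRANSPORT_DOMAIN = "transport.scalix.demo"    # IM_LOCAL_DOMAIN in sync.cfg
OBJECT_CATEGORY = "CN=Person,CN=Schema,CN=Configuration,DC=scalix,DC=demo"


def domain_of(addr):
    return addr.rsplit("@", 1)[1].lower()


def bare(addr):
    """'SMTP:user@dom' -> 'user@dom' (proxyAddresses/targetAddress carry a type prefix)."""
    return addr.split(":", 1)[1] if ":" in addr else addr


def pick_in_domain(addresses, domain):
    """Assumed reading of '!CUSTOM=IM_LOCAL_DOMAIN': choose the value in that domain."""
    for a in addresses:
        if domain_of(a) == domain:
            return a
    raise ValueError(f"no address in {domain} among {addresses}")


def export_contact(scalix_user):
    """EXPORT direction: Scalix user attributes -> AD contact attributes."""
    addrs = scalix_user["rfc822Mailbox"]
    public = pick_in_domain(addrs, PUBLIC_DOMAIN)
    transport = pick_in_domain(addrs, TRANSPORT_DOMAIN)
    return {
        "objectClass": ["top", "person", "organizationalPerson", "contact"],
        "objectCategory": OBJECT_CATEGORY,
        "cn": scalix_user["omCn"],
        "mailNickname": scalix_user["omCn"],          # omCn|mailNickName: needed for the GAL
        "mAPIRecipient": "TRUE",
        "mail": transport,                            # General tab shows the transport address
        "targetAddress": f"SMTP:{transport}",         # where Exchange forwards to
        "proxyAddresses": [f"SMTP:{public}", f"smtp:{transport}"],   # prefix convention: assumption
        "otherTelephone": list(scalix_user.get("omPhone2", [])),
    }


def import_internet_user(ad_user):
    """IMPORT direction: AD user attributes -> Scalix internet user (no mailbox)."""
    return {
        "GLOBAL-UNIQUE-ID": ad_user["objectGUID"].hex(),   # binary attr (LDAPCT_BIN_ATTR)
        "INTERNET-ADDR": ad_user["mail"],                   # mail, not rfc822Mailbox
        "PHONE-2": (ad_user.get("otherTelephone") or [None])[0],
        "omMailbox": "FALSE",                                # contact, not a mailbox user
    }


def check_contact(contact):
    """Return a list of problems with a contact's addressing; an empty list means OK."""
    problems = []
    target = contact.get("targetAddress", "")
    proxies = contact.get("proxyAddresses", [])
    if not target.upper().startswith("SMTP:") or domain_of(target) != TRANSPORT_DOMAIN:
        problems.append("targetAddress must be SMTP:<user>@" + TRANSPORT_DOMAIN)
    primary = [p for p in proxies if p.startswith("SMTP:")]
    if len(primary) != 1 or domain_of(primary[0]) != PUBLIC_DOMAIN:
        problems.append("proxyAddresses needs exactly one primary SMTP: entry in " + PUBLIC_DOMAIN)
    if target and bare(target).lower() not in {bare(p).lower() for p in proxies}:
        problems.append("targetAddress is not listed in proxyAddresses")
    if not contact.get("mailNickname"):
        problems.append("mailNickname missing: contact will not show up in the GAL")
    return problems


# Constructed sample data, mirroring the omshowu output earlier on this page.
SCALIX_USER = {
    "omCn": "Premium User",
    "rfc822Mailbox": ["Premium.User@scalix.demo", "Premium.User@transport.scalix.demo"],
    "omPhone2": ["+1 555 0100"],
}
AD_USER = {
    "objectGUID": uuid.UUID("12345678-1234-5678-1234-567812345678").bytes,
    "mail": "exchuser@scalix.demo",
    "otherTelephone": ["+1 555 0200"],
}

if __name__ == "__main__":
    contact = export_contact(SCALIX_USER)
    print(contact, check_contact(contact))
    print(import_internet_user(AD_USER))
```

Feed check_contact the attributes of a real contact (pulled with ADSI Edit or an LDAP browser) after a sync run; a non-empty result points at the same mapping line that needs fixing, and a targetAddress left in the public domain is reported as the first problem.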

Once these things have been changed, your sync agreement should be ready to run. Test it just the same as you would any other sync agreement.

Contacts should appear in ADS, and Internet Users should be created on Scalix.

Final Steps

Now that your contacts are being synced, you can set up a cron job for omldapsync, and go have a well deserved cup of coffee.