HowTos/Novell eDirectory Sync

From Scalix Wiki

Latest revision as of 18:08, 21 March 2012


Some have talked about eDirectory integration with Scalix; however, it's not very well documented. I intend to document how we synced Scalix and eDirectory together. - japerry

This document still has a lot of work to do, as we're still configuring eDirectory and Scalix. This document will change! You'll notice it looks very similar to the OpenLDAP how-to in many parts.

Summary of Setup

Have an existing eDirectory server running without any mail services. In my particular case, I used the Postfix how-to so we could use Maia Mailscanner, per this cool solution: Maia Mail scanner document

We were originally using GroupWise on this server, so we had eDirectory and GroupWise installed. GroupWise has been totally uninstalled and removed in preparation for Scalix.

Main Goals:

* Use eDirectory for user administration
* Modify most email settings from eDirectory
* Don't use SAC (the Scalix Administration Console) for user admin tasks

Extending the eDirectory schema.

The schema described in HowTos/OpenLDAP User Management is not directly usable on eDirectory. After some searching and parsing, we created an LDIF file that can be imported into eDirectory.

Save the following as scalix.11.4.1.ldif. It was generated from Scalix version 11.4.1.

#This LDIF file was generated by Novell's ICE and the LDIF destination handler.
version: 1

dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( 1.3.6.1.4.1.19049.1.1.10 NAME 'scalixScalixObject' DESC 'boolean TR
 UE or FALSE for creating scalix mailbox/PDL object If this is set to FALSE 
 and the object is matched by the omldapsync filter, a Contact entry/Interne
 t user is created. If set to true, a mailbox is setup. For Group/PDL object
 s, this must always be set to true' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.
 1.1466.115.121.1.7 SINGLE-VALUE )
-


dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( 1.3.6.1.4.1.19049.1.1.11 NAME 'scalixMailnode' DESC 'Comma-separate
 d org units for object.s mailnode. This is the  Mailnode name as defined wh
 en the Scalix server was setup. In Multi-server environments, this is used 
 to select on which server the object is to be created.' EQUALITY caseIgnore
 Match ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYN
 TAX 1.3.6.1.4.1.1466.115.121.1.15{1024} SINGLE-VALUE )
-


dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( 1.3.6.1.4.1.19049.1.1.12 NAME 'scalixAdministrator' DESC 'Boolean T
 RUE or FALSE for admin capability. If set to TRUE, the user created will ha
 ve full Scalix admin capabilites.' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1
 .1466.115.121.1.7 SINGLE-VALUE )
-


dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( 1.3.6.1.4.1.19049.1.1.13 NAME 'scalixMailboxAdministrator' DESC 'Bo
 olean TRUE or FALSE for Mailbox Admin capability. A user with this flag set
  to TRUE can access ANY mailbox on a server through mboxadmin signon. This 
 is usually only used for migration tools and typically not exposed through 
 LDAP' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALU
 E )
-


dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( 1.3.6.1.4.1.19049.1.1.14 NAME 'scalixServerLanguage' DESC 'Message 
 catalog language for client. This is one of the Scalix-supported languages 
 found in /var/opt/scalix/nls/om_langs' EQUALITY caseIgnoreMatch ORDERING ca
 seIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1
 466.115.121.1.15{1024} SINGLE-VALUE )
-


dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( 1.3.6.1.4.1.19049.1.1.15 NAME 'scalixEmailAddress' DESC 'List of SM
 TP addresses of user. This is a multi-valued attribute. The order is import
 ant as the first of these values is used as the outgoing from address of th
 e user.' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR c
 aseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1024} )
-


dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( 1.3.6.1.4.1.19049.1.1.16 NAME 'scalixLimitMailboxSize' DESC 'mailbo
 x size limit for the user in MB' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1
 466.115.121.1.27 SINGLE-VALUE )
-


dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( 1.3.6.1.4.1.19049.1.1.17 NAME 'scalixLimitOutboundMail' DESC 'As Sa
 nction on Mailbox quota overuse, stop user from sending mail. Set to TRUE o
 r FALSE' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-V
 ALUE )
-


dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( 1.3.6.1.4.1.19049.1.1.18 NAME 'scalixLimitInboundMail' DESC 'As San
 ction on Mailbox quota overuse, stop user from receiving mail. Set to TRUE 
 or FALSE' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-
 VALUE )
-


dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( 1.3.6.1.4.1.19049.1.1.19 NAME 'scalixLimitNotifyUser' DESC 'As Sanc
 tion on Mailbox quota overuse, notify the User by eMail. Set to TRUE or FAL
 SE' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE 
 )
-


dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( 1.3.6.1.4.1.19049.1.1.20 NAME 'scalixHideUserEntry' DESC 'Hide User
  Entry from Addressbook. Set to TRUE or FALSE' EQUALITY booleanMatch SYNTAX
  1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
-


dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( 1.3.6.1.4.1.19049.1.1.21 NAME 'scalixMailboxClass' DESC 'Class of U
 ser Mailbox FULL or LIMITED. This maps to  Premium or Standard users as def
 ined by Scalix User licensing policy' EQUALITY caseIgnoreMatch ORDERING cas
 eIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.14
 66.115.121.1.15{1024} SINGLE-VALUE )
-


dn: cn=schema
changetype: modify
add: objectClasses
objectClasses: ( 1.3.6.1.4.1.19049.1.2.10 NAME 'scalixUserClass' DESC 'Supplemental c
 lass containing the Scalix User-related attributes' AUXILIARY MUST (scalixS
 calixObject $ scalixMailnode ) MAY (scalixAdministrator $ scalixMailboxAdmi
 nistrator $ scalixServerLanguage $ scalixEmailAddress $ scalixLimitMailboxS
 ize $ scalixLimitOutboundMail $ scalixLimitInboundMail $ scalixLimitNotifyU
 ser $ scalixHideUserEntry $ scalixMailboxClass ) )
-


dn: cn=schema
changetype: modify
add: objectClasses
objectClasses: ( 1.3.6.1.4.1.19049.1.2.11 NAME 'scalixGroupClass' DESC 'Supplemental 
 class containing the Scalix Group-related attributes' AUXILIARY MUST (scali
 xScalixObject $ scalixMailnode ) MAY (displayName $ scalixEmailAddress $ sc
 alixHideUserEntry ) )
-

Import it with ICE over LDAPS. If eDirectory is not set up with certificates you can drop -Lcert2.der and -p636, but ICE then binds as cn=admin over clear-text LDAP and the admin password crosses the network unprotected, so keep the LDAPS form wherever you can. This document assumes you know how to obtain the eDirectory server certificate for use with ldapmodify and ice.

ice -S LDIF -f scalix.11.4.1.ldif -D LDAP -s LDAPSERVERIPADDRESS -p 636 -Lcert2.der -d cn=admin,o=novell -v  
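Before handing the file to ICE it is worth a quick consistency check, because a MUST or MAY attribute that nothing defines leaves a broken objectClass behind. The script below is an added example, not code from this page or from Scalix/Novell: it parses the LDIF layout above (unfolding the space-continued lines), collects the OID and NAME of every definition, and reports OIDs used twice and class members that neither the file nor eDirectory defines. SAMPLE_LDIF is a constructed, shortened excerpt that intentionally leaves scalixAdministrator undefined; run the script with the real file as its argument.

```python
"""Consistency check for a Scalix schema LDIF before importing it with ICE.

Added example, not code from the wiki page or from Scalix/Novell.  It unfolds
LDIF continuation lines (RFC 2849: a line beginning with one space continues
the previous line), reads the OID and NAME of every attributeTypes /
objectClasses definition, and reports OIDs used twice and MUST/MAY attributes
that neither this file nor eDirectory already defines.  SAMPLE_LDIF is a
constructed, shortened excerpt that leaves scalixAdministrator undefined.
"""
import re
import sys

SAMPLE_LDIF = """\
version: 1

dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( 1.3.6.1.4.1.19049.1.1.10 NAME 'scalixScalixObject' DESC 'boolean TR
 UE or FALSE for creating a scalix mailbox' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.
 1.1466.115.121.1.7 SINGLE-VALUE )
-

dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( 1.3.6.1.4.1.19049.1.1.11 NAME 'scalixMailnode' DESC 'Comma-separate
 d org units for the mailnode' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.1
 21.1.15{1024} SINGLE-VALUE )
-

dn: cn=schema
changetype: modify
add: objectClasses
objectClasses: ( 1.3.6.1.4.1.19049.1.2.10 NAME 'scalixUserClass' DESC 'Supplemental c
 lass containing the Scalix User-related attributes' AUXILIARY MUST (scalixS
 calixObject $ scalixMailnode ) MAY (scalixAdministrator $ displayName ) )
-
"""

# Standard attributes eDirectory already has, so a class may list them without
# this LDIF defining them (the page's scalixGroupClass uses displayName).
EDIR_BUILTIN = {"displayName"}

DEF_RE = re.compile(
    r"^(attributetypes|objectclasses):\s*\(\s*(\S+)\s+NAME\s+'([^']+)'(.*)\)\s*$",
    re.IGNORECASE)

def unfold(text):
    """Join LDIF continuation lines; the single leading space is dropped."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def member_list(keyword, body):
    """Attribute names after MUST or MAY, written with or without parentheses."""
    m = re.search(r"\b%s\s*\(([^)]*)\)" % keyword, body)
    if m:
        return [a.strip() for a in m.group(1).split("$") if a.strip()]
    m = re.search(r"\b%s\s+(\S+)" % keyword, body)
    return [m.group(1)] if m else []

def parse_schema(text):
    """Return ({attr: OID}, {class: {'oid', 'must', 'may'}}, [duplicate-OID problems])."""
    attrs, classes, seen_oids, problems = {}, {}, {}, []
    for line in unfold(text):
        m = DEF_RE.match(line)
        if not m:
            continue
        kind, oid, name, rest = m.group(1).lower(), m.group(2), m.group(3), m.group(4)
        if oid in seen_oids:
            problems.append("duplicate OID %s: %s and %s" % (oid, seen_oids[oid], name))
        seen_oids[oid] = name
        if kind == "attributetypes":
            attrs[name] = oid
        else:
            classes[name] = {"oid": oid, "must": member_list("MUST", rest),
                             "may": member_list("MAY", rest)}
    return attrs, classes, problems

def check(text, builtin=EDIR_BUILTIN):
    """Human-readable problems; an empty list means the file is self-consistent."""
    attrs, classes, problems = parse_schema(text)
    for cname, cls in classes.items():
        for attr in cls["must"] + cls["may"]:
            if attr not in attrs and attr not in builtin:
                problems.append("%s references %s, which this LDIF does not define" % (cname, attr))
    return problems

if __name__ == "__main__":
    ldif = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LDIF
    for problem in check(ldif):
        print(problem)
```

Add any further attributes your eDirectory tree already provides to EDIR_BUILTIN so they are not reported; anything left in the output is something ICE will either reject or import as a class that can never be instantiated.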

In my situation eDirectory was already in use, so I needed to add all these "new" attributes to the existing users with some default values. I have lost the script I used, but here is what I was able to recover. First create a list of users to modify (adjust the host, search base and filter to your directory, and add -D <admin dn> -W if eDirectory does not allow anonymous searches):

ldapsearch -x -LLL -H ldap://ldapserver.domain.com -b ou=Users,dc=foo,dc=com '(objectClass=inetOrgPerson)' 1.1 | grep '^dn:' > userlist

Requesting only the pseudo-attribute 1.1 returns nothing but the DN of each entry, and the grep drops the blank lines between entries, so the file holds exactly one dn: line per user. Sample output is:

dn: uid=user1,ou=Users,dc=foo,dc=com
dn: uid=user2,ou=Users,dc=foo,dc=com
dn: uid=user3,ou=Users,dc=foo,dc=com
dn: uid=user4,ou=Users,dc=foo,dc=com 

I then ran this overly simple Perl script to process the user list:

#!/usr/bin/perl
# For every "dn: ..." line in userlist, write one LDIF change record to
# modifyusers that adds the scalixUserClass auxiliary class (defined in
# scalix.11.4.1.ldif above) plus default values for its attributes, then
# apply it with ldapmodify.  Adjust the defaults (mailnode, quota, mailbox
# class) and the bind DN before running it for real.
use strict;
use warnings;

my $infile  = "userlist";
my $outfile = "modifyusers";
my $bind_dn = "uid=Manager,ou=Users,dc=foo,dc=com";
my $apply   = 0;   # 0 = dry run (print each DN), 1 = really run ldapmodify

open(my $in, '<', $infile) or die "Cannot open $infile: $!";
my @mylines = <$in>;
close($in);

foreach my $line (@mylines) {
    chomp($line);                      # chop() would also eat the last real character
    next unless $line =~ /^dn:\s*\S/;  # skip blank lines and anything that is not a DN

    open(my $out, '>', $outfile) or die "Cannot write $outfile: $!";
    # The dn line is the only part that changes per user.
    print $out "$line\n";
    print $out <<'EOM';
changetype: modify
add: objectClass
objectClass: scalixUserClass
-
add: scalixScalixObject
scalixScalixObject: TRUE
-
add: scalixMailnode
scalixMailnode: server,domain
-
add: scalixServerLanguage
scalixServerLanguage: ENGLISH
-
add: scalixAdministrator
scalixAdministrator: FALSE
-
add: scalixMailboxAdministrator
scalixMailboxAdministrator: FALSE
-
add: scalixLimitOutboundMail
scalixLimitOutboundMail: FALSE
-
add: scalixLimitInboundMail
scalixLimitInboundMail: FALSE
-
add: scalixLimitMailboxSize
scalixLimitMailboxSize: 25
-
add: scalixLimitNotifyUser
scalixLimitNotifyUser: TRUE
-
add: scalixHideUserEntry
scalixHideUserEntry: FALSE
-
add: scalixMailboxClass
scalixMailboxClass: LIMITED
-
EOM
    close($out);

    if ($apply) {
        # -W prompts for the bind password on every user; use -y <password-file>
        # instead for an unattended run that keeps the password off the command line.
        system("ldapmodify", "-x", "-D", $bind_dn, "-W", "-v", "-f", $outfile) == 0
            or warn "ldapmodify failed for $line\n";
    } else {
        print "$line\n";   # dry run: show which DN would be modified
    }
} # end for loop

Scalix System Modifications

First thing I did was to get Scalix 100% working without worrying about LDAP. So after that has been established these are the changes I made.

First, there are four files you have to change to tell Scalix to look at the eDirectory server for its authentication rather than its own password store. They are located in /var/opt/scalix/XX/s/sys/pam.d/ (XX stands for the two-character instance directory of your Scalix installation):

  • ual.remote
  • smtpd.auth
  • pop3
  • omslapdeng

Comment out every existing line in each of them and add:

auth sufficient om_ldap
auth sufficient om_auth
account required om_auth
password required om_auth
session required om_auth
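One thing to be aware of with that stack: if Scalix applies the usual PAM control-flag semantics, marking both modules sufficient means a bind that eDirectory rejects (account disabled, password changed there) simply falls through to om_auth, Scalix's own authentication, and the user still gets in with whatever password Scalix holds locally. The small model below is an added example, not Scalix code; the semantics it implements (Linux-PAM's required, requisite and sufficient) are an assumption about how Scalix's PAM layer evaluates its pam.d files, and LDAP_ONLY_STACK is likewise an assumed alternative, not a configuration taken from the page.

```python
"""Model how the Scalix PAM auth stack on this page decides a login.

Added example, not Scalix code.  Assumes Linux-PAM control-flag semantics:
a succeeding "sufficient" module ends the stack with success unless an
earlier "required" module already failed; a failing "sufficient" module is
skipped; "required" failures are remembered while the stack keeps running;
"requisite" failures stop immediately.
"""

PAGE_STACK = [("sufficient", "om_ldap"), ("sufficient", "om_auth")]  # as on the page
LDAP_ONLY_STACK = [("required", "om_ldap")]  # assumed alternative, not from the page

def evaluate_auth_stack(stack, results):
    """Return True if the auth stack succeeds.

    stack:   list of (control, module) in file order
    results: module name -> True/False, the result that module would return
    """
    required_failed = False
    required_passed = False
    for control, module in stack:
        ok = results[module]
        if control == "requisite":
            if not ok:
                return False
            required_passed = True
        elif control == "required":
            if ok:
                required_passed = True
            else:
                required_failed = True     # remembered; later modules still run
        elif control == "sufficient":
            if ok and not required_failed:
                return True                # short-circuit: nothing below is consulted
        else:
            raise ValueError("unsupported control flag: %s" % control)
    if required_failed:
        return False
    return required_passed                 # only failed sufficient modules: deny

def edir_password_ok(stack):
    """User types the current eDirectory password; the stale local one would fail."""
    return evaluate_auth_stack(stack, {"om_ldap": True, "om_auth": False})

def edir_rejected_local_fallback(stack):
    """eDirectory rejects the bind, but the password Scalix still holds locally
    matches what the user typed."""
    return evaluate_auth_stack(stack, {"om_ldap": False, "om_auth": True})

if __name__ == "__main__":
    for name, stack in (("page stack", PAGE_STACK), ("ldap-only stack", LDAP_ONLY_STACK)):
        print("%-16s eDir ok -> %s, eDir rejected but local ok -> %s" % (
            name, edir_password_ok(stack), edir_rejected_local_fallback(stack)))
```

The second column is the one that matters when you disable an account in eDirectory: with the page's stack it stays True until the local Scalix password is also changed or removed.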

After that, it's time to get sync.cfg up and running. I started by running:

omldapsync -i syncname

This launches omldapsync in interactive mode. I don't have step-by-step instructions for interactive mode, but it's pretty self-explanatory; use agreement type 13. I only use interactive mode to set up the sync initially; after that I edited the file by hand. It lives in /var/opt/scalix/XX/s/ldapsync/SYNCNAME/sync.cfg.

Here is what mine looks like after editing it to map the new scalix* attributes in eDirectory to the proper Scalix names.

Note this file has been edited for privacy. Two things to check in your own copy: it holds the eDirectory bind password (EX_PASS) and the CAA password (IM_CAA_PASS) in clear text, so either keep it readable only by the account that runs omldapsync or leave those values blank and accept the prompt (which, as the comments note, rules out a fully unattended sync); and every remote attribute named in the mapping table must also be listed in EX_ATTR, otherwise the rule never receives a value. In the file as shown, street, co, departmentNumber and l are mapped but EX_ATTR extracts streetAddress and department instead, so those four rules are dead until the names agree.

##################################################################
#
# Scalix LDAP Directory Synchronization configuration
# NOTE: this file must be edited with care before use
# Interactively editable fields are controlled by the following:
EDIT_PROMPT=JAVA_HOME EX_HOST EX_LOGON EX_PASS IM_HOST IM_CAA_URL IM_CAA_KEYSTORE IM_CAA_NAME IM_CAA_PASS EX_BASE1 EX_BASE2 EX_BASE3 IM_OMADDRESS
# Sync agreement type - see omldapsync man page
TYPE_ID=13
# Sync agreement id - set by argument
SYNC_ID=serverNEW
# JAVA_HOME: home directory of java installation
# e.g. "/usr/java/j2sdk1.4.2_02"
JAVA_HOME=/usr/java/jre1.5.0_06
# The class path required by omldapagent java application (under
# /opt/scalix/svr/java/bin) is setup automatically by omldapsync to
# access dependent java libraries (under /opt/scalix/svr/java/lib)
##################################################################
#
# PART 1 General Configuration
##################################################################
# This section covers the settings required for tools to access
# both the remote and local systems for import or export.
# The general format is one or more line of <tag>=<value>
# Line starts with '#' is treated as comment
# When edited using omldaputil, do one of the following:
#       -press <enter> to accept the default offered inside []
#       -type in alternative <value> and press <enter>
#       -do not quote the value with "" or ''
#
# PART 1.1 for IMPORT - remote host
##########################################
# EX_HOST: remote LDAP directory server name or IP address
# e.g. "remote_server.your_domain.com" or "192.168.1.216"
EX_HOST=ldapserver.domain.com
# EX_PORT: LDAP server port number
# e.g. "389" is normally used
EX_PORT=389
# EX_LOGON: user that can search/delete/add/modify directory
# your administrator or migration account is often used
# e.g. "cn=Export Admin,cn=users,dc=your_org,dc=com"
EX_LOGON=uid=root,ou=Users,dc=DOMAIN,dc=COM
# EX_PASS: user password, or leave it blank so that omldapsync
# will prompt for it when executing import or export agreement
# NOTE: the prompt will prevent complete automation of sync process
EX_PASS=secret
#
# PART 1.2 for IMPORT - local host
#########################################
# IM_HOST: local Scalix directory server name
# must specify FQDN where internet and user group will be imported
# e.g. "local_server.your_domain.com"
IM_HOST=mailserver.domain.com
# IM_PORT: LDAP server port number
# e.g. "389" is normally used
#<na>IM_PORT=389
# IM_LOGON: user that can search/delete/add/modify directory
# your Scalix administrator account is often used
# e.g. "Import Admin" for user with this common name
#<na>IM_LOGON=Import Admin
# IM_PASS: user password, or leave it blank so that omldapsync
# will prompt for it when executing import or export agreement
# NOTE: the prompt will prevent complete automation of sync process
#<na>IM_PASS=
# IM_CAA_URL: Scalix CAA service url - must end with "/"
# e.g. "http://local_server.your_domain.com:8080/caa/"
IM_CAA_URL=http://mailserver.domain.com/caa/
# IM_CAA_KEYSTORE: Scalix CAA service keystore for HTTPS only
# e.g "/var/opt/scalix/ldapsync/keystore"
IM_CAA_KEYSTORE=
# IM_CAA_ID: service login session-id
# e.g. "12345"
IM_CAA_ID=12345
# IM_CAA_NAME: service login auth-id, must have Scalix admin capability
# e.g. "user_name@your_domain.com"
IM_CAA_NAME=sxadmin@mailserver.domain.com
# IM_CAA_PASS: service login password, or leave it blank so that omldapsync
# will prompt for it when executing import or export agreement
# NOTE: the prompt will prevent complete automation of sync process
IM_CAA_PASS=secret
# IM_DELETE_MAILBOX: whether sync of mailbox delete will be applied to Scalix
# NOTE: set to "FALSE" to keep the mailbox and handle the deletion manually
IM_DELETE_MAILBOX=TRUE
#
# PART 1.3 for IMPORT - ldap parameters
#######################################
# EX_SCALIX_ATTRS: list of reserved Scalix attributes in external directory
# to administer Scalix user/group from this remote master source
# e.g. "EX_SCALIX_MAILBOX EX_SCALIX_MAILNODE EX_SCALIX_MSGLANG ..."
#EX_SCALIX_ATTRS=EX_SCALIX_MAILBOX EX_SCALIX_MAILNODE EX_SCALIX_MSGLANG EX_SCALIX_ADMIN EX_SCALIX_MBOXADMIN
EX_SCALIX_ATTRS=SCALIXHIDEUSERENTRY SCALIXMAILBOXCLASS SCALIXLIMITMAILBOXSIZE SCALIXLIMITOUTBOUNDMAIL SCALIXLIMITINBOUNDMAIL SCALIXLIMITNOTIFYUSER EX_SCALIX_MAILBOX EX_SCALIX_MAILNODE EX_SCALIX_MSGLANG EX_SCALIX_ADMIN EX_SCALIX_MBOXADMIN
# SCALIXHIDEUSERENTRY: name of attribute to specify whether the user entry
# should be hidden from Outlook address book
# e.g. "scalixHideUserEntry"
SCALIXHIDEUSERENTRY=scalixHideUserEntry
# SCALIXMAILBOXCLASS: name of attribute to specify whether the mailbox class
# should have full or limited features
# e.g. "scalixMailboxClass"
SCALIXMAILBOXCLASS=scalixMailboxClass
# SCALIXLIMITMAILBOXSIZE: name of attribute to specify whether Scalix limit
# on mailbox size is required, must use a numerical value >= zero
# e.g. "scalixLimitMailboxSize"
SCALIXLIMITMAILBOXSIZE=scalixLimitMailboxSize
# SCALIXLIMITOUTBOUNDMAIL: name of attribute to specify whether Scalix limit
# on outbound mail is required, must use a boolean value "true" or "false"
# e.g. "scalixLimitOutboundMail"
SCALIXLIMITOUTBOUNDMAIL=scalixLimitOutboundMail
# SCALIXLIMITINBOUNDMAIL: name of attribute to specify whether Scalix limit
# on inbound mail is required, must use a boolean value "true" or "false"
# e.g. "scalixLimitInboundMail"
SCALIXLIMITINBOUNDMAIL=scalixLimitInboundMail
# SCALIXLIMITNOTIFYUSER: name of attribute to specify whether Scalix limit
# on notify user is required, must use a boolean value "true" or "false"
# e.g. "scalixLimitNotifyUser"
SCALIXLIMITNOTIFYUSER=scalixLimitNotifyUser
# EX_SCALIX_MAILBOX: name of attribute to specify whether Scalix object
# is required, yes if value is set to "TRUE"
# e.g. "exScalixObject"
EX_SCALIX_MAILBOX=scalixScalixObject
# EX_SCALIX_MAILNODE: name of attribute to specify which Scalix mailnode
# to add the mailbox, must use "<ou1>,<ou2>,<ou3>,<ou4>" format
# e.g. "exScalixMailnode"
EX_SCALIX_MAILNODE=scalixMailnode
# EX_SCALIX_MSGLANG: name of attribute to specify which Scalix message
# catalog language to use for client, default to "C" if not set
# e.g. "exScalixMsglang"
EX_SCALIX_MSGLANG=scalixServerLanguage
# EX_SCALIX_ADMIN: name of attribute to specify whether to give the user
# Scalix admin capability, yes if value is set to "TRUE"
# e.g. "exScalixAdmin"
EX_SCALIX_ADMIN=scalixAdministrator
# EX_SCALIX_MBOXADMIN: name of attribute to specify whether to give the user
# Scalix mailbox-admin capability, yes if value is set to "TRUE"
# e.g. "exScalixMboxadmin"
EX_SCALIX_MBOXADMIN=scalixMailboxAdministrator
# EX_ATTR: attributes to extract from remote system for import
# e.g. "member dn uid objectClass displayName sn givenname initials mail entryUUID cn <etc>"
#EX_ATTR=exScalixObject exScalixMailnode exScalixMsglang exScalixAdmin exScalixMboxadmin member dn uid objectClass displayName sn givenname initials mail entryUUID cn facsimileTelephoneNumber homephone street st telephoneNumber title co company departmentNumber description l mobile pager physicalDeliveryOfficeName postalCode
EX_ATTR=scalixHideUserEntry scalixMailboxClass scalixLimitMailboxSize scalixLimitOutboundMail scalixLimitInboundMail scalixLimitNotifyUser scalixScalixObject scalixMailnode scalixServerLanguage scalixAdministrator scalixMailboxAdministrator member dn uid objectClass displayName sn givenname initials mail entryUUID cn scalixEmailAddress facsimileTelephoneNumber homephone streetAddress st telephoneNumber title company department description mobile pager physicalDeliveryOfficeName postalCode secretary
# EX_BASEn: search base(s) to extract entries from remote system
# specify a container name and its full LDAP suffix
# e.g. "cn=users,dc=your_org,dc=com"
EX_BASE1=ou=Users,dc=DOMAIN,dc=COM
EX_BASE2=
EX_BASE3=
EX_BASE4=
EX_BASE5=
EX_BASE6=
EX_BASE7=
EX_BASE8=
EX_BASE9=
# EX_FILTER: search filter to include/exclude entries to import
# e.g.   "(|(&(objectclass=inetOrgPerson)(mail=*))(&(objectclass=groupOfNames)(mail=*)))"
EX_FILTER=(|(&(objectclass=inetOrgPerson)(mail=*))(&(objectclass=groupOfNames)(mail=*)))
# IM_DN_SUFFIX: set the dn suffix (location) for the imported entries
# NOTE: by default all rdns from the remote dn will be retained & encoded
# for maximum uniqueness. To only use the first <N> rdns for this, specify
# the argument in the format "<N>|<suffix>" instead of "<suffix>".
# e.g. "o=Scalix" for all rdns, or "2|o=Scalix" for first 2 rdns.
#<na>IM_DN_SUFFIX=2|o=Scalix
# IM_OMADDRESS: Scalix address where entries are imported
# NOTE: this is a route which you configure for coexistence
# e.g. "/internet" or "internet"
IM_OMADDRESS=/internet
# IM_MV_ATTR: mapped attributes that can be imported with multi values
# e.g. "objectClass INTERNET-ADDR omMemberForeignAddr"
IM_MV_ATTR=objectClass INTERNET-ADDR omMemberForeignAddr
# EX_GUID: the remote tag name for extracting Foreign GUID
# e.g. "entryUUID"
EX_GUID=entryUUID
# LDAPCT_BIN_ATT: must set value to EX_GUID if it is a binary attribute
# e.g. ""
LDAPCT_BIN_ATT=
# EX_PAGESIZE: use pagesize control extension to overcome search limit
# e.g. "100"
EX_PAGESIZE=1000
#
# PART 1.4 for EXPORT - ldap parameters
#######################################
# NOTE: export is not supported for this agreement type
#
# PART 2 Mapping Configuration
#################################################################
# WARNING: refer to documentation before editing the tables.
# This section defines the mappings required in order to map data
# between the remote and local LDAP systems for import or export.
# The general format is <lines of value> enclosed by markers.
# When edited using omldaputil, do one of the following:
#       -press <enter> to accept the default offered inside []
#       -type in alternative value and press <enter>
#       -type in '-' to remove the line offered
#       -type in '+<value>' to insert it before current line
# For more details on all mapping rules see omldaputil man page.
#
# PART 2.1 for IMPORT - mapping table
#####################################
# Table format/content/comment:
# <table begin marker>
# <table end marker>
# except those in IM_MV_ATTR, only keep first instances
#####################################
# primary mapping table
IM_MAPPING_TABLE=
# scalix reserved attributes
#${SCALIXHIDEUSERENTRY}|scalixHideUserEntry|TRUE|1
#${SCALIXHIDEUSERENTRY}|scalixHideUserEntry|FALSE|
#${SCALIXMAILBOXCLASS}|omUlClass|*|*
#${SCALIXHIDEUSERENTRY}|EX-CDA-DIRECTORY|TRUE|1
#${SCALIXHIDEUSERENTRY}|EX-CDA-DIRECTORY|FALSE|
#${SCALIXMAILBOXCLASS}|UL-CLASS|*|*
#${SCALIXLIMITMAILBOXSIZE}|scalixLimitMailboxSize|*|*
#${SCALIXLIMITOUTBOUNDMAIL}|scalixLimitOutboundMail|*|*
#${SCALIXLIMITINBOUNDMAIL}|scalixLimitInboundMail|*|*
#${SCALIXLIMITNOTIFYUSER}|scalixLimitNotifyUser|*|*
#${EX_SCALIX_MAILBOX}|omMailbox|*|*
#${EX_SCALIX_MAILNODE}|omMailnode|*|*
#${EX_SCALIX_MSGLANG}|UL-IL|*|*
#${EX_SCALIX_ADMIN}|ADMIN|*|*
#${EX_SCALIX_MBOXADMIN}|MBOXADMIN|*|*
scalixHideUserEntry|EX-CDA-DIRECTORY|TRUE|1
scalixHideUserEntry|EX-CDA-DIRECTORY|FALSE|
scalixMailboxClass|UL-CLASS|*|*
scalixLimitMailboxSize|scalixLimitMailboxSize|*|*
scalixLimitOutboundMail|scalixLimitOutboundMail|*|*
scalixLimitInboundMail|scalixLimitInboundMail|*|*
scalixLimitNotifyUser|scalixLimitNotifyUser|*|*
scalixScalixObject|omMailbox|*|*
scalixMailnode|omMailnode|*|*
scalixServerLanguage|UL-IL|*|*
scalixAdministrator|ADMIN|*|*
scalixMailboxAdministrator|MBOXADMIN|*|*
#scalix object classes
objectClass|*|groupOfNames|distributionList
objectClass|*|inetOrgPerson|organizationalPerson
objectClass||*|#ignore others
# distinguished name
dn|*|*|*
# global unique id
entryUUID|GLOBAL-UNIQUE-ID|*|*
# common name
displayName|CN|*,1,64|*
# use cn for common name if displayName is missing
cn|CN|*,1,64!ISMISSING=displayName|*
cn||*|#suppress it otherwise
# initial
initials|I|*,1,5|*
# surname
sn|S|*,1,40|*
# use cn for surname if sn is missing
cn|S|*,1,40!ISMISSING=sn|*
# given name is mapped if surname is present
givenName|G|*,1,16!ISPRESENT=sn|*
givenName||*|#suppress it otherwise
# internet addresses
mail|INTERNET-ADDR|*,1,512|*
# no mapping for ALIAS
# the DN of the entry
dn|FOREIGN-ADDR|*,1,512|*
# the DN of the group members
member|omMemberForeignAddr|*|*
# authentication id
uid|UL-AUTHID|*|*
# informational attributes
facsimileTelephoneNumber|FAX|*,1,32|!CUSTOM=TO_PS_STR
homephone|HOME-PHONE|*,1,32|!CUSTOM=TO_PS_STR
street|STREET-ADDRESS|*,1,128|!REPLACE=\033J|\012
st|STATE-OR-PROVINCE|*,1,128|*
telephoneNumber|PHONE-1|*,1,32|!CUSTOM=TO_PS_STR
title|TITLE|*,1,128|*
co|CNTRY|*,1,2|*
company|EMPL-ORG|*,1,64|*
departmentNumber|EMPL-DEPT|*,1,32|*
description|ENTRY-DESC|*,1,1024|!REPLACE=\033J|\012
l|L|*,1,128|*
mobile|MOBILE-PHONE|*,1,32|!CUSTOM=TO_PS_STR
pager|PAGER-PHONE|*,1,32|!CUSTOM=TO_PS_STR
physicalDeliveryOfficeName|PD-OFFICE-NAME|*,1,128|*
postalCode|POSTAL-CODE|*,1,40|*
# no mapping for ASSISTANT-PHONE
# no mapping for PHONE-2
=END_MAPPING_TABLE
#####################################
# secondary mapping table
#IM_MAPPING_TABLE2=
#*|*|*|*
#=END_MAPPING_TABLE
#
# PART 2.2 for EXPORT - mapping tables
######################################
# Table format/content/comment:
# <table begin marker>
# <table end marker>
# except those in EX_MV_ATTR, only keep first instances
#####################################
# primary mapping table
EX_MAPPING_TABLE=
*|*|*|*
=END_MAPPING_TABLE
#####################################
# secondary mapping table
#EX_MAPPING_TABLE2=
#*|*|*|*
#=END_MAPPING_TABLE
#
# END
#################################################################
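As an added example (not from this page or from Scalix), the following script reads a sync.cfg and reports the two things worth checking in a file like the one above: mapping rows whose remote attribute never appears in EX_ATTR, and passwords or transports in clear text. SAMPLE_CFG is a constructed excerpt that reproduces the page's own mismatch (street, co, departmentNumber and l mapped, streetAddress and department extracted); the messages about EX_PORT and IM_CAA_URL assume omldapsync does not negotiate TLS on its own for those endpoints.

```python
"""Cross-check an omldapsync sync.cfg before running the agreement.

Added example, not part of the wiki page or of Scalix.  It parses the
tag=value lines and the *_MAPPING_TABLE blocks (rows are
remote|local|value rule|flags, ended by =END_MAPPING_TABLE) and reports
(1) import mapping rows whose remote attribute is absent from EX_ATTR, so
the rule can never receive a value, and (2) clear-text secrets/transports.
"""
import sys

# Constructed excerpt in sync.cfg layout, not a real site's file.
SAMPLE_CFG = r"""
EX_HOST=ldapserver.example.com
EX_PORT=389
EX_LOGON=uid=root,ou=Users,dc=example,dc=com
EX_PASS=secret
IM_CAA_URL=http://mailserver.example.com/caa/
IM_CAA_PASS=
EX_ATTR=scalixScalixObject scalixMailnode dn uid objectClass displayName givenname mail cn streetAddress st department
IM_MAPPING_TABLE=
# scalix reserved attributes
scalixScalixObject|omMailbox|*|*
scalixMailnode|omMailnode|*|*
objectClass|*|inetOrgPerson|organizationalPerson
dn|*|*|*
displayName|CN|*,1,64|*
cn|CN|*,1,64!ISMISSING=displayName|*
givenName|G|*,1,16!ISPRESENT=sn|*
mail|INTERNET-ADDR|*,1,512|*
uid|UL-AUTHID|*|*
street|STREET-ADDRESS|*,1,128|!REPLACE=\033J|\012
st|STATE-OR-PROVINCE|*,1,128|*
co|CNTRY|*,1,2|*
departmentNumber|EMPL-DEPT|*,1,32|*
l|L|*,1,128|*
=END_MAPPING_TABLE
EX_MAPPING_TABLE=
*|*|*|*
=END_MAPPING_TABLE
"""

def parse_cfg(text):
    """Return (tags, tables): tag -> value, and table name -> rows split on '|'."""
    tags, tables, current = {}, {}, None
    for line in text.splitlines():
        if current is not None:                  # inside a mapping table block
            if line.startswith("=END_MAPPING_TABLE"):
                current = None
            elif line and not line.startswith("#"):
                tables[current].append(line.split("|"))
            continue
        if not line.strip() or line.startswith("#"):
            continue
        tag, _, value = line.partition("=")      # values may themselves contain '='
        if tag.endswith("_MAPPING_TABLE") or tag.endswith("_MAPPING_TABLE2"):
            current = tag
            tables[tag] = []
        else:
            tags[tag] = value
    return tags, tables

def unextracted_attrs(tags, tables):
    """Remote attributes the import mapping reads but EX_ATTR never fetches.
    LDAP attribute names are case-insensitive, so compare lower-cased."""
    extracted = {a.lower() for a in tags.get("EX_ATTR", "").split()}
    missing, seen = [], set()
    for row in tables.get("IM_MAPPING_TABLE", []):
        remote = row[0]
        key = remote.lower()
        if remote in ("", "*") or key in extracted or key in seen:
            continue
        seen.add(key)
        missing.append(remote)
    return missing

def cleartext_findings(tags):
    """Secrets stored in the file and transports that carry them unencrypted."""
    findings = []
    for tag in ("EX_PASS", "IM_PASS", "IM_CAA_PASS"):
        if tags.get(tag):
            findings.append("%s is stored in clear text; chmod 600 the file or leave it blank to be prompted" % tag)
    if tags.get("EX_PORT") == "389":
        findings.append("EX_PORT=389: the EX_LOGON bind goes over plain LDAP unless StartTLS is negotiated")
    if tags.get("IM_CAA_URL", "").startswith("http://"):
        findings.append("IM_CAA_URL is http://, so IM_CAA_PASS is sent to the CAA service unencrypted")
    return findings

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CFG
    tags, tables = parse_cfg(text)
    for attr in unextracted_attrs(tags, tables):
        print("mapped but not in EX_ATTR: %s" % attr)
    for finding in cleartext_findings(tags):
        print(finding)
```

Run it against /var/opt/scalix/XX/s/ldapsync/SYNCNAME/sync.cfg after every hand edit; a mapping row that points at a misspelled or unextracted attribute fails silently inside omldapsync, and this is the cheapest way to catch it.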

If you want your users to be able to authenticate to their mailboxes with their existing eDirectory password, you must create the file /var/opt/scalix/XX/s/sys/om_ldap.conf:

## LDAP server address - Should be same as EX_HOST setting in the sync.cfg file.
host=ldapserver.domain.com
search=subtree

## Base DN for our LDAP tree.
base=dc=DOMAIN,dc=COM

filter=uid=%s

Added by computernay:
The above config for om_ldap.conf did not work on our system. Trying to log in always gave an error about the username or password being incorrect. This is the config that worked for us:

host=ldapserver.domain.com
search=none
dn=uid=%s,ou=people,dc=DOMAIN,dc=COM
tls=off

I believe this assumes your users are in ou=people. Just wanted to share it for others who may be having the same problem.


Conclusion

This is a very brief explanation of how to set up a Scalix server syncing to an external LDAP server. Much detail has been omitted (mainly because it was over a year ago that I set this up originally); hopefully others can fill in the details as they work through the process.

Good Luck.


Troubleshooting

I experienced trouble when trying to use TLS (SSL) with my LDAP server. I was not able to log in to webmail at all using any user accounts created via the ldapsync process. Disabling TLS on my LDAP server solved it. I'm not sure whether it was an improperly configured LDAP server or whether Scalix can't speak SSL over LDAP.