Howtos/AD Integration
Extending the Schema
The schema is what describes the attributes that Active Directory can use. It contains information such as attribute name, attribute size or length, data type, and relationship to other attributes. The schema must be extended to also include Scalix attributes such as mailnode, account type (premium or standard), and so on.
Extending the Schema is documented in the Scalix Setup and Configuration Guide, Integrating with Active Directory, Installing the Schema Extensions.
Extending the GUI
The GUI is the user interface used to administer users in Active Directory. It is called "Active Directory Users and Computers," or ADUC. After the GUI is extended, you will have two new tabs in the User Properties or Group Properties window, where you can add or modify Scalix attributes.
Extending the GUI is documented in the Scalix Setup and Configuration Guide, Integrating with Active Directory, Installing the GUI Extensions.
Updating Existing Entries
Generally speaking, if you have made the decision to integrate Scalix with Active Directory, you already have Active Directory installed and you are already administering user and group records in AD. The existing AD entries must be modified so that Scalix will import them and have the necessary data to administer the Scalix accounts. The section #Updating Active Directory Entries explains how to do this.
Frequently, you will have Scalix in full production and you'll need to modify the Scalix user data so that Scalix knows the user entries are "owned" by Active Directory. The section #Updating Scalix Entries will explain how to do this.
Updating Active Directory Entries
There are three Scalix attributes which must be populated in order for Scalix to be able to import and use the record: scalixScalixObject, scalixMailnode, and scalixMailboxClass. The full set of Scalix attributes is:
- scalixAdministrator - set to 'TRUE' if the user will have administration privileges on the Scalix server.
- scalixHideUserEntry - set to 'TRUE' if the user's information will be hidden from the email clients' address books.
- scalixLimitMailboxSize - set to the maximum size, in MB, that the user account can be.
- scalixLimitOutboundMail - set to 'TRUE' if the user will not be allowed to send messages when over quota.
- scalixLimitInboundMail - set to 'TRUE' if the user will not be allowed to receive new messages when over quota.
- scalixLimitNotifyUser - set to 'TRUE' if the system should send the user an email letting him know when he's over quota.
- scalixMailboxAdministrator - set to 'TRUE' if the user will have mailbox administration privileges on the Scalix server.
- scalixMailboxClass - set to 'FULL' for a premium account or 'LIMITED' for a standard account.
- scalixMailnode - the mailnode with which the account will be associated. Usually this is the default mailnode (run 'omshowmn' on the Scalix server; default mailnode will have two asterisks beside it).
- scalixScalixObject - set to TRUE if the entry is to be imported into Scalix. You can set this to TRUE by modifying the contents of the AD entry, or by right-clicking the user name and then "Create Scalix Mailbox," or by checking the box "Create Scalix Mailbox" when you're first creating an ADUC user or group.
- scalixServerLanguage - defaults to 'C' but can be set to other values.
Updating AD Entries Manually
If you have only a few entries in Active Directory that correspond to Scalix accounts (either already created or to be created via omldapsync) you can edit the entries manually. Simply go into ADUC, right-click the user's name, select "Create Scalix Mailbox" and enter the relevant data in the wizard. The act of creating a Scalix mailbox will set scalixScalixObject to TRUE. The only other attributes you have to fill in are mailnode and mailbox class.
Updating AD Entries with a Script
If you have several hundred entries, you will find it more convenient to script the changes. Below is a sample script, but it is provided simply as a guideline. It is not warranted in ANY way.
ModUsers.wsf:

```vbscript
<job>
<script language="VBScript">
Option Explicit
On Error Resume Next

Dim objConn, objComm, objRS, objUser
Dim strBase, strFilter, strAttrs, strScope

' ADO/ADSI query: every user object in the domain, returning only its ADsPath
strBase = "<LDAP://dc=mydomain,dc=net>;"
strFilter = "(&(objectclass=user)(objectcategory=person));"
strAttrs = "ADsPath;"
strScope = "Subtree"

Set objConn = CreateObject("ADODB.Connection")
objConn.Provider = "ADsDSOObject"
objConn.Open
Set objComm = CreateObject("ADODB.Command")
Set objComm.ActiveConnection = objConn
objComm.CommandText = strBase & strFilter & strAttrs & strScope
objComm.Properties("Page Size") = 1000   ' paged results, so more than 1000 users are returned
Set objRS = objComm.Execute()

' Bind to each user and set the three mandatory Scalix attributes
While Not objRS.EOF
    Set objUser = GetObject(objRS.Fields.Item("ADsPath").Value)
    objUser.scalixScalixObject = "TRUE"
    objUser.scalixMailboxClass = "FULL"
    objUser.scalixMailnode = "sxlab"
    objUser.SetInfo                      ' write the property cache back to AD
    If Err.Number <> 0 Then
        WScript.Echo objUser.Name & " error occurred"
        Err.Clear
    Else
        WScript.Echo objUser.Name & " modified"
    End If
    objRS.MoveNext
Wend
</script>
</job>
```
The above will turn ALL AD users into Scalix users, so you'll need to go back and manually undo some of the built-in AD users such as IUSR_EXLAB and IWAM_EXLAB. Or perhaps modify the script so it doesn't affect AD users with a description containing the string "Built-in account".
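The filtered variant just suggested, as an added example rather than the page's own ModUsers script: it runs the same query, but leaves untouched any entry whose description contains "Built-in account" or whose logon name starts with IUSR_ or IWAM_. The LDAP base, the mailnode "sxlab" and the skip rules in ShouldSkip() are assumptions to adapt to your domain.

```vbscript
<job>
<script language="VBScript">
Option Explicit
On Error Resume Next
' Constructed example (not Scalix's ModUsers script): same query, but
' entries matched by ShouldSkip() are left untouched. Assumed: LDAP base, mailnode "sxlab".
Dim objConn, objComm, objRS, objUser
Set objConn = CreateObject("ADODB.Connection")
objConn.Provider = "ADsDSOObject"
objConn.Open
Set objComm = CreateObject("ADODB.Command")
Set objComm.ActiveConnection = objConn
objComm.CommandText = "<LDAP://dc=mydomain,dc=net>;" & _
    "(&(objectclass=user)(objectcategory=person));ADsPath;Subtree"
objComm.Properties("Page Size") = 1000
Set objRS = objComm.Execute()
While Not objRS.EOF
    Set objUser = GetObject(objRS.Fields.Item("ADsPath").Value)
    If ShouldSkip(objUser) Then
        WScript.Echo objUser.Name & " skipped (built-in or IIS account)"
    Else
        objUser.scalixScalixObject = "TRUE"
        objUser.scalixMailboxClass = "FULL"
        objUser.scalixMailnode = "sxlab"
        objUser.SetInfo
        If Err.Number <> 0 Then
            WScript.Echo objUser.Name & " error: " & Err.Description
            Err.Clear
        Else
            WScript.Echo objUser.Name & " modified"
        End If
    End If
    objRS.MoveNext
Wend
' True for entries that must not become Scalix users: a description
' containing "Built-in account", or an IIS IUSR_/IWAM_ logon name.
Function ShouldSkip(u)
    Dim strDesc, strSam
    ShouldSkip = False
    strDesc = u.Description               ' Empty when the attribute is unset
    strSam = UCase("" & u.Get("sAMAccountName"))
    Err.Clear                             ' a missing attribute is not a failure here
    If InStr(1, "" & strDesc, "Built-in account", vbTextCompare) > 0 Then ShouldSkip = True
    If Left(strSam, 5) = "IUSR_" Or Left(strSam, 5) = "IWAM_" Then ShouldSkip = True
End Function
</script>
</job>
```

Run it once against a test OU first (narrow the LDAP base) and compare the "skipped" lines with what you expect before pointing it at the whole domain.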