Omldapsync HowTo - One
Contents
About This Document
This document is intended to assist you in synchronizing a Scalix server with an LDAP directory. OpenLDAP and Sun ONE Directory Server are used for examples; in the future it would be nice to include examples of omldapsync with Active Directory.
We'll cover configuration of the LDAP server, creation of the omldapsync agreement, using the LDAP directory for authentication, and there will be an overview of how omldapsync works.
While writing this paper, the following software was used:
- Scalix 11.3.0 running on RedHat Enterprise 5.1 (Tikanga)
- OpenLDAP 2.3.35 running on Ubuntu 7.1 (Gutsy Gibbon)
- Sun ONE Directory Server Version 5 2005Q4 (5.2 P6) running on Solaris 10 for X86
Many, many thanks to Karl Buchner for his paper Using omldapsync with OpenLDAP and Scalix 11. A significant portion of this text was stolen directly from that document, with his permission.
Preparing to synchronize with Scalix
Configure the Remote Directory
In order to synchronize the remote directory with Scalix, we must configure the remote server so that it is aware of some special Scalix attributes. This is done via extending the remote directory's schema. We must also ensure that the remote server is configured so that it will send back all the relevant entries.
OpenLDAP
The OpenLDAP schema files are typically located in /etc/ldap/schema or /etc/openldap/schema.
The OpenLDAP slapd.conf file is typically located in /etc/ldap or /etc/openldap.
- Stop the OpenLDAP slapd server.
- Copy /var/opt/scalix/??/s/sys/ldapsync13.schema from the Scalix server to your OpenLDAP server's schema directory and ensure that the copied file is world readable.
- Add an "include" statement to the slapd.conf file as follows, using a path appropriate to your environment:
include /etc/ldap/schema/ldapsync13.schema
- After the database directive for the directory you wish to synchronize with Scalix, ensure the following values are set in slapd.conf according to your environment:
database bdb suffix "dc=mydomain,dc=net" rootdn "cn=admin,dc=mydomain,dc=net" rootpw {SSHA}EGBbPLdQg0o5RoUQBwIQBkymApuC/YFa directory "/var/lib/ldap/mydomain"
- To generate an encrypted password, use the slappasswd command and enter the password when prompted.
- If you have multiple databases, they must each have their own directory.
- Ensure the sizelimit in slapd.conf is large enough for LDAP to return all the matching entries to omldapsync.
- Restart slapd.
The ldapsync13.schema file does not require editing.
Sun ONE Directory Server
- Ensure the sizelimit is large enough for LDAP to return all the matching entries to omldapsync.
- Login to the System Server Console and double-click the Directory Server for your host.
- Select the Configuration tab -> Performance node -> Client Control tab
- Set the Size limit and save.
- Update the schema so Sun ONE Directory Server is aware of the special Scalix attributes. There are two methods for updating the schema file. You may use the Directory Server Console, or you may edit the schema files directly.
Editing the schema via the Directory Server Console (preferred method)
- Login to the System Server Console and double-click the Directory Server for your host.
- Select the Configuration tab -> Schema node -> Attributes tab -> Create button
- Create the attributes according to the following table:
Attribue Name | OID | Separate | Description | Syntax | Multi-valued |
---|---|---|---|---|---|
scalixScalixObject | 1.1.10 | boolean TRUE or FALSE for creating scalix mailbox/PDL object. If this is set to FALSE and the object is matched by the omldapsync filter, a Contact entry/Internet user is created. If set to true, a mailbox is setup. For Group/PDL objects, this must always be set to true | Boolean | no | |
scalixMailnode | 1.1.11 | , | Comma-separated org units for object.s mailnode. This is the Mailnode name as defined when the Scalix server was setup. In Multi-server environments, this is used to select on which server the object is to be created. | DirectoryString | no |
scalixAdministrator | 1.1.12 | Boolean TRUE or FALSE for admin capability. If set to TRUE, the user created will have full Scalix admin capabilites. | Boolean | no | |
scalixMailboxAdministrator | 1.1.13 | Boolean TRUE or FALSE for Mailbox Admin capability. A user with this flag set to TRUE can access ANY mailbox on a server through mboxadmin signon. This is usually only used for migration tools and typically not exposed through LDAP. | Boolean | no | |
scalixServerLanguage | 1.1.14 | Message catalog language for client. This is one of the Scalix-sup
ported languages found in /var/opt/scalix/nls/om_langs |
DirectoryString | no | |
scalixEmailAddress | 1.1.15 | List of SMTP addresses of user. This is a multi-valued attribute. The order is important as the first of these values is used as the outgoing from address of the user. | DirectoryString | yes | |
scalixLimitMailboxSize | 1.1.16 | mailbox size limit for the user in MB | Integer | no | |
scalixLimitOutboundMail | 1.1.17 | As Sanction on Mailbox quota overuse, stop user from sending mail. Set to TRUE or FALSE | Boolean | no | |
scalixLimitInboundMail | 1.1.18 | As Sanction on Mailbox quota overuse, stop user from receiving mail. Set to TRUE or FALSE | Boolean | no | |
scalixLimitNotifyUser | 1.1.19 | As Sanction on Mailbox quota overuse, notify the User by eMail.
Set to TRUE or FALSE |
Boolean | no | |
scalixHideUserEntry | 1.1.20 | Hide User Entry from Addressbook. Set to TRUE or FALSE | Boolean | no | |
scalixMailboxClass | 1.1.21 | Class of User Mailbox FULL or LIMITED. This maps to Premium or Standard users as defined by Scalix User licensing policy | DirectoryString | no |
- Select the Object Classes tab and create the Object Classes according to the following table
Name | Parent | OID | Required | Allowed |
---|---|---|---|---|
scalixUserClass | top | 1.2.10 | scalixMailnode
scalixScalixObject |
scalixAdministrator
scalixEmailAddress scalixHideUserEntry scalixLimitInboundMail scalixLimitMailboxSize scalixLimitNotifyUser scalixLimitOutboundMail scalixMailboxAdministrator scalixMailboxClass scalixServerLanguage |
scalixGroupClass | top | 1.2.11 | scalixMailnode
scalixScalixObject |
displayname
scalixEmailAddress scalixHideUserEntry |
- Immediately after making the above changes, stop and restart the Directory Server.
# /usr/sbin/directoryserver restart
NOTE: If you choose to use the Directory Server Console to define the Scalix attributes, you must restart the server immediatley after making your changes. Restarting the server saves your modifications to the 99user.ldif file permanently and prevents other modifications made from the command line or the console from overwriting your changes.
Editing the Schema File Directly
The Sun ONE Directory Server schema files are typically located in ServerRoot/slapd-serverID/config/schema.
- Edit the 90Scalix.ldif file in the appendix of this document, replacing fubar with your host name and mydomain and net with values appropriate to your own domain. You must also update the userdn and groupdn values.
- Stop the Sun ONE Directory Server.
- Copy the 90Scalix.ldif to your Sun ONE Directory Server's schema directory.
- Ensure that the file is world readable.
- Restart the Sun ONE Directory Server.
# /usr/sbin/directoryserver restart
NOTE: If you replicate your schema amongst multiple servers, the replicated schemas will store the definitions from 90Scalix.ldif in their 99user.ldif file.
Active Directory
The steps for setting up Active Directory for synchronization with Scalix are documented in the Scalix Setup and Configuration Guide, in the chapter entitled "Integrating with Active Directory".
Basically the steps are as follows:
- Installing the Schema Extensions
- Installing the GUI Extensions
- Setting Up Synchronization Agreements
NOTE: There are a couple of errors in the section that describes how to set up the synchronization agreement; bugs have been logged. The errors are described below in " Create omldapsync Agreement" under the type 11 agreement.
Create omldapsync Agreement
The man page for omldapsync is very good; refer to it for more complete information.
omldapsync agreements can be of several different types, depending on whether you want to synchronize with an Exchange 5.5 directory, Sun ONE Directory Server, Active Directory, OpenLDAP, etc. The commonly used types are
- 11 - Import from Acitve Directory to Scalix
- 13 - Import from OpenLDAP or Sun ONE Directory Server to Scalix
- 21 - Import/Export address information between Exchange 5.5 and Scalix
These types are discussed in more detail below.
The import-only agreements are used for managing all users from a central (LDAP) directory. The import/export agreement is used to keep address books synchronized between disparate systems.
It is advisable to name your agreements according to what type of agreement it is and the LDAP host with which it is associated. This makes it easy to tell at a glance what the agreement is intended to do.
The type 11 Agreement
This is documented in the AD Integration HowTo.
The Type 13 Agreement
Assuming we are going to synchronize with a host named fubar.mydomain.net, we would create our agreement as follows. On the Scalix server:
omldapsync -c 13fubar INPUT: Select sync agreement type to create (21): 13 INPUT: Edit config file now y/n (n): y INPUT: Use vi to edit y/n (n): y
Update the following with values appropriate to your environment; values given are for illustration only. The purpose of these fields is explained in the configuration file you are editing.
JAVA_HOME=/usr/java/jre1.5.0_13 EX_HOST=fubar.mydomain.net EX_LOGON=cn=admin,dc=mydomain,dc=net (for synchronizing with OpenLDAP servers) EX_LOGON=cn=Directory Manager (for synchronizing with Sun ONE Directory Servers) EX_PASS=secret IM_HOST=sxlab.mydomain.net IM_CAA_URL=http://sxlab.mydomain.net/caa/ IM_CAA_NAME=sxadmin IM_CAA_PASS=sxpass EX_ATTR (for synchronizing with Sun ONE Directory Servers only, change entryUUID to nsUniqueId) EX_BASE1=cn=users,dc=mydomain,dc=net EX_GUID=entryUUID (for synchronizing with OpenLDAP servers) EX_GUID=nsUniqueId (for synchronizing with Sun ONE Directory Servers)
You may also want to modify the following values:
IM_DELETE_MAILBOX
For synchronizing with Sun ONE Directory Servers only, change the following line
from entryUUID|GLOBAL-UNIQUE-ID|*|* to nsUniqueId|GLOBAL-UNIQUE-ID|*|*
INPUT: Compare old config to new y/n (n): n INPUT: Replace old config with new y/n (?): y INPUT: Attempt to test data extraction now y/n (n): n
The type 21 agreement
To be written - feel free to contribute!
Synchronize the Directories
You can synchronize in interactive mode or with a single command. The interactive mode is friendlier and easier to understand ; the single command is useful for scheduling synchronization from cron. You must be root to run omldapsync.
Interactively:
# omldapsync -i 13fubar 2008-02-07 09:16:17 INFO: command line is /opt/scalix/bin/omldapsync -i 13fubar 2008-02-07 09:16:18 STATUS: Interactive for 13fubar started ######## Common tasks menu for syncid 13fubar 0. Display this menu 1. Configure the LDAP dir sync settings 2. Force a complete (re)load of the directory 3. Update the directory after some changes 4. Accept previous error and update directory 5. Skip previous error and update directory 6. Update the directory and prompt for error 7. Modify all sync records from the directory 8. Delete all sync records in the directory d. Toggle debug mode from current setting <0> n. Toggle test mode from current setting <> q. Quit INPUT: Please enter an option (0): 3
Single command:
There are command line equivalents for the above; see the man page for more detailed information on these and other command line options. To update the directory after some changes (option 3 above), you would run
$ omldapsync -u 13fubar