openLDAP vs Active directory


KKJensen
Posts: 142
Joined: Wed Sep 06, 2006 9:34 am

Postby KKJensen » Fri Nov 17, 2006 9:50 am

Hi there,

If I have a <*cough windows cough*> active directory server and we're migrating our email from a 3rd party ISP to an in-house scalix machine...what options do I have to get my ads user info into scalix? I've seen support for openLDAP...can openLDAP import info (names, contact info & passwords) from ads? I'm using Scalix 11 CE beta 2 with a potential of about 15-20 users so I'd like to avoid the fees associated with purchasing the enterprise edition until the company grows to that level...

thanks in advance.

Valerion
Scalix Star
Posts: 2730
Joined: Thu Feb 26, 2004 7:40 am
Location: Johannesburg, South Africa

Postby Valerion » Mon Nov 20, 2006 6:04 am

Well, you have a couple of options. Scalix will synchronize user information from an LDAP source and create users accordingly. I've tested this at a few clients and it works well. The password information is (of course) not pulled off, you have to get Scalix to authenticate against the password database (LDAP, Kerberos, etc). Scalix will periodically (via cron) read the LDAP directory and create / delete users or attributes (e.g. email addresses) according to changes in that.

The hassle is that you have to write a mapping file to map the LDAP server's attributes (and they are often very different) to Scalix internal attributes. For OpenLDAP and AD such mapping files are already written, and are in the Scalix sys directory (omrealpath "~/sys"), together with the necessary OpenLDAP schema file. So you can migrate from AD to OpenLDAP and use that.

However, if you want to use AD's LDAP server directly, you have to either extend the schema yourself, or use the Scalix tool to do this. However, this tool is only available to commercial subscribers.

If you decide to extend the schema yourself you will also need to edit the LDAP sync agreement properly to ensure it works with your attributes.

Have a look on the forum for omldapsync - lots of discussion around this.

dmayle

Postby dmayle » Fri Nov 24, 2006 5:10 am

Well, I don't know if this is a taboo subject, but that's not entirely true. It is possible to synchronize CE with AD without modifying the AD schema, and still get AD single sign-on, you just can't manage your users in their entirety from AD. (Meaning that you can't set mail quota limits, specify your user class, admin capabilities, etc. from AD.) If you follow the directions for setting up AD single sign-on, and LDAP sync with AD, you can then edit the sync.cfg to add the values that are otherwise missing from AD. (You'll need to put in static values for UL-CLASS, omMailbox, omMailnode, CNTRY, UL-IL, ADMIN, and MBOXADMIN. You'll also have to fix the default mapping for G which expects surname to be present, but surname is simply called sn in my AD.)
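
An added illustration of the mapping logic dmayle describes (static fill-in for the attributes AD lacks, plus an sn fallback for surname). This is example code written for this thread, not Scalix's own sync.cfg syntax; the mapping format, the placeholder values, and the "Surname, Given" composition for G are assumptions.

```python
# Example only: a dictionary-driven stand-in for the sync mapping dmayle
# edits in sync.cfg.  The format here is invented; Scalix's real file differs.

# Attributes AD's default schema does not carry, so they get static values.
# Every value below is a placeholder; take real ones from your Scalix setup.
STATIC_ATTRS = {
    "UL-CLASS": "FULL",
    "omMailbox": "default",
    "omMailnode": "example,mailnode",
    "CNTRY": "US",
    "UL-IL": "NO",
    "ADMIN": "NO",
    "MBOXADMIN": "NO",
}

# Source attribute names to try, in order.  AD exposes the surname as "sn",
# not "surname", which is why the default G mapping fails without a fallback.
DYNAMIC_ATTRS = {
    "givenName": ("givenName",),
    "surname": ("surname", "sn"),
    "mail": ("mail",),
}


class MissingAttribute(Exception):
    """Raised when none of the candidate source attributes is present."""


def first_present(entry, names):
    for name in names:
        if entry.get(name):
            return entry[name]
    return None


def map_ad_entry(entry):
    """Build the Scalix-side attribute set for one AD directory entry."""
    out = dict(STATIC_ATTRS)
    for target, sources in DYNAMIC_ATTRS.items():
        value = first_present(entry, sources)
        if value is None:
            raise MissingAttribute(f"{target}: none of {sources} in entry")
        out[target] = value
    # Assumption: G is composed as "Surname, Given"; adjust to your site.
    out["G"] = f"{out['surname']}, {out['givenName']}"
    return out


def try_map(entry):
    """Return the mapped attributes, or None when the entry is incomplete."""
    try:
        return map_ad_entry(entry)
    except MissingAttribute:
        return None


# Constructed sample of an AD user record as an LDAP search would return it.
SAMPLE_AD_USER = {"givenName": "Kim", "sn": "Jensen",
                  "mail": "kim@example.com", "sAMAccountName": "kjensen"}
```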

Valerion
Scalix Star
Posts: 2730
Joined: Thu Feb 26, 2004 7:40 am
Location: Johannesburg, South Africa

Postby Valerion » Fri Nov 24, 2006 9:43 am

You are correct :)

Sorry, I wasn't entirely clear up there. Yes, you can do this yourself, but then you have to do everything yourself (put in your own attributes for quotas, for example) and change the ldapsync files to match your AD. If you are a customer with SBE or EE then this gets done for you.

I am not an AD expert and as such would try to do this on my own. If you want to build your own, I would suggest looking at the OpenLDAP examples in Scalix, they helped me the most and also include the exact attributes you need to add to LDAP in the included schema file.
