
omldapsync

Posted: Thu Oct 19, 2006 12:08 pm
by cswihart
I'm looking for help from the Scalix community as I'm currently evaluating the product for eventual integration into our production environment. My existing setup is Scalix v. 10 running on SLES 9.1. Our organization runs Novell eDirectory, and I'm attempting to sync the Scalix LDAP against the LDAP on a test Novell OES server. I'm able to get Scalix to authenticate against OES, but am receiving the following error when trying to run omldapsync.

error 1005: Entry must have a valid global unique id

Also, here is a copy of the omldapsync text:

2006-10-19 09:16:13 STATUS: LDAP dir sync import sync01 started ###############
2006-10-19 09:16:15 INFO: work dir is /var/opt/scalix/ldapsync/sync01/import
2006-10-19 09:16:15 STATUS: reprocess search results from 192.168.254.3 ...
2006-10-19 09:16:15 STATUS: find delta and perform mapping ...
2006-10-19 09:16:15 INFO: ... 0 entries to delete
2006-10-19 09:16:15 INFO: ... 2 entries to add
2006-10-19 09:16:15 INFO: ... 0 entries to modify
2006-10-19 09:16:15 STATUS: apply membdelete data against Scalix ...
2006-10-19 09:16:15 INFO: ... 0 entries passed for member.curr
2006-10-19 09:16:15 INFO: ... 0 entries failed for member.curr
2006-10-19 09:16:15 INFO: ... 0 entries warned for member.curr
2006-10-19 09:16:15 STATUS: apply delete data against Scalix ...
2006-10-19 09:16:15 INFO: ... 0 entries passed for delete.curr
2006-10-19 09:16:16 INFO: ... 0 entries failed for delete.curr
2006-10-19 09:16:16 INFO: ... 0 entries warned for delete.curr
2006-10-19 09:16:16 STATUS: apply add data against Scalix ...
error 1005: Entry must have a valid global unique id
>>>>>>>>SOAP Request
SOAP part:
<?xml version="1.0" encoding="UTF-8"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
    <SOAP-ENV:Header/>
    <SOAP-ENV:Body>
        <scalix-caa:CAARequestMessage xmlns:scalix-caa="http://www.scalix.com/caa">
            <ServiceType>scalix.res</ServiceType>
            <Credentials id="12345">
                <Identity name="admin" passwd="xxxxxxxx"/>
            </Credentials>
            <FunctionName>AddUser</FunctionName>
            <AddUserParameters>
                <user type="MAIL"/>
                <mailNode name="scalix,my domain"/>
                <userAttributes>
                    <entity name="FOREIGN-ADDR" value="uid=testuser,ou=users,o=my domain"/>
                    <entity name="CN" value="testuser"/>
                    <entity name="INTERNET-ADDR" value="testuser@ip6.my domain.org"/>
                    <entity name="UL-AUTHID" value="testuser"/>
                    <entity name="G" value="test"/>
                    <entity name="S" value="user"/>
                </userAttributes>
            </AddUserParameters>
        </scalix-caa:CAARequestMessage>
    </SOAP-ENV:Body>
</SOAP-ENV:Envelope>
0 entries passed
1 entries failed
0 entries warned
2006-10-19 09:16:16 ERROR: failed to run omldapagent
error 1005: Entry must have a valid global unique id
>>>>>>>>SOAP Request
SOAP part:
<?xml version="1.0" encoding="UTF-8"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
    <SOAP-ENV:Header/>
    <SOAP-ENV:Body>
        <scalix-caa:CAARequestMessage xmlns:scalix-caa="http://www.scalix.com/caa">
            <ServiceType>scalix.res</ServiceType>
            <Credentials id="12345">
                <Identity name="admin" passwd="xxxxxxxx"/>
            </Credentials>
            <FunctionName>AddGroup</FunctionName>
            <AddGroupParameters>
                <user type="MAIL"/>
                <mailNode name="scalix,my domain"/>
                <userAttributes>
                    <entity name="FOREIGN-ADDR" value="cn=Scalixgrp,ou=users,o=my domain"/>
                    <entity name="CN" value="scalixgrp"/>
                    <entity name="INTERNET-ADDR" value="scalixgrp@ip6.my domain.org"/>
                    <entity name="S" value="Scalixgrp"/>
                </userAttributes>
            </AddGroupParameters>
        </scalix-caa:CAARequestMessage>
    </SOAP-ENV:Body>
</SOAP-ENV:Envelope>
0 entries passed
1 entries failed
0 entries warned
2006-10-19 09:16:17 ERROR: failed to run omldapagent
2006-10-19 09:16:17 INFO: ... 0 entries passed for add.curr
2006-10-19 09:16:17 INFO: ... 2 entries failed for add.curr
2006-10-19 09:16:17 INFO: ... 0 entries warned for add.curr
2006-10-19 09:16:17 STATUS: apply limit data against Scalix ...
2006-10-19 09:16:18 INFO: ... 0 entries passed for add.curr
2006-10-19 09:16:18 INFO: ... 0 entries failed for add.curr
2006-10-19 09:16:18 INFO: ... 0 entries warned for add.curr
2006-10-19 09:16:18 STATUS: apply modify data against Scalix ...
2006-10-19 09:16:18 INFO: ... 0 entries passed for modify.curr
2006-10-19 09:16:18 INFO: ... 0 entries failed for modify.curr
2006-10-19 09:16:18 INFO: ... 0 entries warned for modify.curr
2006-10-19 09:16:18 STATUS: apply limit data against Scalix ...
2006-10-19 09:16:18 INFO: ... 0 entries passed for modify.curr
2006-10-19 09:16:18 INFO: ... 0 entries failed for modify.curr
2006-10-19 09:16:18 INFO: ... 0 entries warned for modify.curr
2006-10-19 09:16:18 STATUS: apply membadd data against Scalix ...
error 1005: Entry must have a valid global unique id
>>>>>>>>SOAP Request
SOAP part:
<?xml version="1.0" encoding="UTF-8"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
    <SOAP-ENV:Header/>
    <SOAP-ENV:Body>
        <scalix-caa:CAARequestMessage xmlns:scalix-caa="http://www.scalix.com/caa">
            <ServiceType>scalix.res</ServiceType>
            <Credentials id="12345">
                <Identity name="admin" passwd="xxxxxxxx"/>
            </Credentials>
            <FunctionName>AddMembersToGroup</FunctionName>
            <AddMembersToGroupParameters id="">
                <member fa="uid=testuser,ou=users,o=my domain"/>
                <member fa="uid=pbrosnan,ou=users,o=my domain"/>
                <member fa="cn=sconnery,ou=users,o=my domain"/>
                <member fa="cn=rmoore,ou=users,o=my domain"/>
            </AddMembersToGroupParameters>
        </scalix-caa:CAARequestMessage>
    </SOAP-ENV:Body>
</SOAP-ENV:Envelope>
0 entries passed
1 entries failed
0 entries warned
2006-10-19 09:16:19 ERROR: failed to run omldapagent
2006-10-19 09:16:19 INFO: ... 0 entries passed for member.curr
2006-10-19 09:16:19 INFO: ... 1 entries failed for member.curr
2006-10-19 09:16:19 INFO: ... 0 entries warned for member.curr
2006-10-19 09:16:19 STATUS: apply membmodify data against Scalix ...
2006-10-19 09:16:19 INFO: ... 0 entries passed for member.curr
2006-10-19 09:16:19 INFO: ... 0 entries failed for member.curr
2006-10-19 09:16:19 INFO: ... 0 entries warned for member.curr
2006-10-19 09:16:19 STATUS: LDAP dir sync import failed, error=2 ###########
2006-10-19 09:16:19 STATUS: LDAP dir sync export sync01 started ###############
2006-10-19 09:16:19 INFO: agreement type 13 only supports import operation
2006-10-19 09:16:19 STATUS: LDAP dir sync export sync01 completed #############
Common tasks menu for syncid sync01


I've changed entryUUID in my sync.cfg to = GUID as mentioned in a previous post but am still receiving the same error.

Thanks in advance for the help!
-Chris

Posted: Fri Oct 20, 2006 3:49 am
by chris
Hi Chris,

I just happened to set up a test environment with eDirectory this week, so I'm sure we can get to the bottom of this quickly.

First off, did you add guid to the line of attributes that will be requested from eDir? EX_ATTR is the variable in the conf; make sure guid is one of the listed attributes.

If that doesn't fix things, post again with your new log.

Chris

Posted: Fri Oct 20, 2006 9:04 am
by cswihart
Hi Chris,

Thanks for the quick reply!

Unfortunately GUID was already specified in the EX_ATTR of my conf.

Here is the code in case you need to look at it.

##################################################################
#
# Scalix LDAP Directory Synchronization configuration
# NOTE: this file must be edited with care before use
# Interactively editable fields are controlled by the following:
EDIT_PROMPT=JAVA_HOME EX_HOST EX_LOGON EX_PASS IM_HOST IM_CAA_URL IM_CAA_KEYSTORE IM_CAA_NAME IM_CAA_PASS EX_BASE1 EX_BASE2 EX_BASE3 IM_OMADDRESS
# Sync agreement type - see omldapsync man page
TYPE_ID=13
# Sync agreement id - set by argument
SYNC_ID=sync01
# JAVA_HOME: home directory of java installation
# e.g. "/usr/java/j2sdk1.4.2_02"
JAVA_HOME=/usr/java/jre1.5.0_04
# The class path required by omldapagent java application (under
# /opt/scalix/svr/java/bin) is setup automatically by omldapsync to
# access dependent java libraries (under /opt/scalix/svr/java/lib)
##################################################################
#
# PART 1 General Configuration
##################################################################
# This section covers the settings required for tools to access
# both the remote and local systems for import or export.
# The general format is one or more line of <tag>=<value>
# Line starts with '#' is treated as comment
# When edited using omldaputil, do one of the followings:
#   -press <enter> to accept the default offered inside []
#   -type in alternative <value> and press <enter>
#   -do not quote the value with "" or ''
#
# PART 1.1 for IMPORT - remote host
##########################################
# EX_HOST: remote LDAP directory server name or IP address
# e.g. "remote_server.your_domain.com" or "192.168.1.216"
EX_HOST=192.168.254.3
# EX_PORT: LDAP server port number
# e.g. "389" is normally used
EX_PORT=389
# EX_LOGON: user that can search/delete/add/modify directory
# your administrator or migration account is often used
# e.g. "cn=Export Admin,cn=users,dc=your_org,dc=com"
EX_LOGON=cn=admin,o=mydomain
# EX_PASS: user password, or leave it blank so that omldapsync
# will prompt for it when executing import or export agreement
# NOTE: the prompt will prevent complete automation of sync process
EX_PASS=xxxxxxxxxx
#
# PART 1.2 for IMPORT - local host
#########################################
# IM_HOST: local Scalix directory server name
# must specify FQDN where internet and user group will be imported
# e.g. "local_server.your_domain.com"
IM_HOST=scalix.mydomain.org
# IM_PORT: LDAP server port number
# e.g. "389" is normally used
#<na>IM_PORT=389
# IM_LOGON: user that can search/delete/add/modify directory
# your Scalix administrator account is often used
# e.g. "Import Admin" for user with this common name
#<na>IM_LOGON=Import Admin
# IM_PASS: user password, or leave it blank so that omldapsync
# will prompt for it when executing import or export agreement
# NOTE: the prompt will prevent complete automation of sync process
#<na>IM_PASS=
# IM_CAA_URL: Scalix CAA service url - must end with "/"
# e.g. "http://local_server.your_domain.com:8080/caa/"
IM_CAA_URL=http://scalix.mydomain.org/caa/
# IM_CAA_KEYSTORE: Scalix CAA service keystore for HTTPS only
# e.g "/var/opt/scalix/ldapsync/keystore"
IM_CAA_KEYSTORE=
# IM_CAA_ID: service login session-id
# e.g. "12345"
IM_CAA_ID=12345
# IM_CAA_NAME: service login auth-id, must have Scalix admin capability
# e.g. "user_name@your_domain.com"
IM_CAA_NAME=admin
# IM_CAA_PASS: service login password, or leave it blank so that omldapsync
# will prompt for it when executing import or export agreement
# NOTE: the prompt will prevent complete automation of sync process
IM_CAA_PASS=xxxxxxxxxx
# IM_DELETE_MAILBOX: whether sync of mailbox delete will be applied to Scalix
# NOTE: set to "FALSE" to keep the mailbox and handle the deletion manually
IM_DELETE_MAILBOX=TRUE
#
# PART 1.3 for IMPORT - ldap parameters
#######################################
# EX_SCALIX_ATTRS: list of reserved Scalix attributes in external directory
# to administer Scalix user/group from this remote master source
# e.g. "EX_SCALIX_MAILBOX EX_SCALIX_MAILNODE EX_SCALIX_MSGLANG ..."
EX_SCALIX_ATTRS=EX_SCALIX_MAILBOX EX_SCALIX_MAILNODE EX_SCALIX_MSGLANG EX_SCALIX_ADMIN EX_SCALIX_MBOXADMIN
# EX_SCALIX_MAILBOX: name of attribute to specify whether Scalix object
# is required, yes if value is set to "TRUE"
# e.g. "exScalixObject"
EX_SCALIX_MAILBOX=exScalixObject
# EX_SCALIX_MAILNODE: name of attribute to specify which Scalix mailnode
# to add the mailbox, must use "<ou1>,<ou2>,<ou3>,<ou4>" format
# e.g. "exScalixMailnode"
EX_SCALIX_MAILNODE=exScalixMailnode
# EX_SCALIX_MSGLANG: name of attribute to specify which Scalix message
# catalog language to use for client, default to "C" if not set
# e.g. "exScalixMsglang"
EX_SCALIX_MSGLANG=exScalixMsglang
# EX_SCALIX_ADMIN: name of attribute to specify whether to give the user
# Scalix admin capability, yes if value is set to "TRUE"
# e.g. "exScalixAdmin"
EX_SCALIX_ADMIN=exScalixAdmin
# EX_SCALIX_MBOXADMIN: name of attribute to specify whether to give the user
# Scalix mailbox-admin capability, yes if value is set to "TRUE"
# e.g. "exScalixMboxadmin"
EX_SCALIX_MBOXADMIN=exScalixMboxadmin
# EX_ATTR: attributes to extract from remote system for import
# e.g. "member dn uid objectClass displayName sn givenname initials mail GUID cn <etc>"
EX_ATTR=exScalixObject exScalixMailnode exScalixMsglang exScalixAdmin exScalixMboxadmin member dn uid objectClass displayName sn givenname initials mail GUID cn facsimileTelephoneNumber homephone street st telephoneNumber title co company departmentNumber description l mobile pager physicalDeliveryOfficeName postalCode
# EX_BASEn: search base(s) to extract entries from remote system
# specify a container name and its full LDAP suffix
# e.g. "cn=users,dc=your_org,dc=com"
EX_BASE1=o=mydomain
EX_BASE2=
EX_BASE3=
EX_BASE4=
EX_BASE5=
EX_BASE6=
EX_BASE7=
EX_BASE8=
EX_BASE9=
# EX_FILTER: search filter to include/exclude entries to import
# e.g.   "(|(&(objectclass=inetOrgPerson)(mail=*))(&(objectclass=groupOfNames)(mail=*)))"
EX_FILTER=(|(&(objectclass=inetOrgPerson)(mail=*))(&(objectclass=groupOfNames)(mail=*)))
# IM_DN_SUFFIX: set the dn suffix (location) for the imported entries
# NOTE: by default all rdns from the remote dn will be retained & encoded
# for maximum uniqueness. To only use the first <N> rdns for this, specify
# the argument in the format "<N>|<suffix>" instead of "<suffix>".
# e.g. "o=Scalix" for all rdns, or "2|o=Scalix" for first 2 rdns.
#<na>IM_DN_SUFFIX=2|o=Scalix
# IM_OMADDRESS: Scalix address where entries are imported
# NOTE: this is a route which you configure for coexistence
# e.g. "/internet" or "internet"
IM_OMADDRESS=/internet
# IM_MV_ATTR: mapped attributes that can be imported with multi values
# e.g. "objectClass INTERNET-ADDR omMemberForeignAddr"
IM_MV_ATTR=objectClass INTERNET-ADDR omMemberForeignAddr
# EX_GUID: the remote tag name for extracting Foreign GUID
# e.g. "GUID"
EX_GUID=GUID
# LDAPCT_BIN_ATT: must set value to EX_GUID if it is a binary attribute
# e.g. ""
LDAPCT_BIN_ATT=GUID
# EX_PAGESIZE: use pagesize control extension to overcome search limit
# e.g. "100"
EX_PAGESIZE=1000
#
# PART 1.4 for EXPORT - ldap parameters
#######################################
# NOTE: export is not supported for this agreement type
#
# PART 2 Mapping Configuration
#################################################################
# WARNING: refer to documentation before editing the tables.
# This section defines the mappings required in order to map data
# between the remote and local LDAP systems for import or export.
# The general format is <lines of value> enclosed by markers.
# When edited using omldaputil, do one of the followings:
#   -press <enter> to accept the default offered inside []
#   -type in alternative value and press <enter>
#   -type in '-' to remove the line offered
#   -type in '+<value>' to insert it before current line
# For more details on all mapping rules see omldaputil man page.
#
# PART 2.1 for IMPORT - mapping table
#####################################
# Table format/content/comment:
# <table begin marker>
# <table end marker>
# except those in IM_MV_ATTR, only keep first instances
#####################################
# primary mapping table
IM_MAPPING_TABLE=
# scalix reserved attributes
exScalixObject|omMailbox|*|*
exScalixMailnode|omMailnode|*|*
exScalixMsglang|UL-IL|*|*
exScalixAdmin|ADMIN|*|*
exScalixMboxadmin|MBOXADMIN|*|*
# scalix object classes
objectClass|*|groupOfNames|distributionList
objectClass|*|inetOrgPerson|organizationalPerson
objectClass||*|#ignore others
# distinguished name
dn|*|*|*
# global unique id
GUID|GLOBAL-UNIQUE-ID|*|*
# common name
displayName|CN|*,1,64|*
# use cn for common name if displayName is missing
cn|CN|*,1,64!ISMISSING=displayName|*
cn||*|#suppress it otherwise
# initial
initials|I|*,1,5|*
# surname
sn|S|*,1,40|*
# use cn for surname if sn is missing
cn|S|*,1,40!ISMISSING=sn|*
# given name is mapped if surname is present
givenName|G|*,1,16!ISPRESENT=sn|*
givenName||*|#suppress it otherwise
# internet addresses
mail|INTERNET-ADDR|*,1,512|*
# no mapping for ALIAS
# the DN of the entry
dn|FOREIGN-ADDR|*,1,512|*
# the DN of the group members
member|omMemberForeignAddr|*|*
# authentication id
uid|UL-AUTHID|*|*
# informational attributes
facsimileTelephoneNumber|FAX|*,1,32|!CUSTOM=TO_PS_STR
homephone|HOME-PHONE|*,1,32|!CUSTOM=TO_PS_STR
street|STREET-ADDRESS|*,1,128|!REPLACE=\033J|\012
st|STATE-OR-PROVINCE|*,1,128|*
telephoneNumber|PHONE-1|*,1,32|!CUSTOM=TO_PS_STR
title|TITLE|*,1,128|*
co|CNTRY|*,1,2|*
company|EMPL-ORG|*,1,64|*
departmentNumber|EMPL-DEPT|*,1,32|*
description|ENTRY-DESC|*,1,1024|!REPLACE=\033J|\012
l|L|*,1,128|*
mobile|MOBILE-PHONE|*,1,32|!CUSTOM=TO_PS_STR
pager|PAGER-PHONE|*,1,32|!CUSTOM=TO_PS_STR
physicalDeliveryOfficeName|PD-OFFICE-NAME|*,1,128|*
postalCode|POSTAL-CODE|*,1,40|*
# no mapping for ASSISTANT-PHONE
# no mapping for PHONE-2
=END_MAPPING_TABLE
#####################################
# secondary mapping table
#IM_MAPPING_TABLE2=
#*|*|*|*
#=END_MAPPING_TABLE
#
# PART 2.2 for EXPORT - mapping tables
######################################
# Table format/content/comment:
# <table begin marker>
# <table end marker>
# except those in EX_MV_ATTR, only keep first instances
#####################################
# primary mapping table
EX_MAPPING_TABLE=
*|*|*|*
=END_MAPPING_TABLE
#####################################
# secondary mapping table
#EX_MAPPING_TABLE2=
#*|*|*|*
#=END_MAPPING_TABLE
#
# END
#################################################################


Hope this helps and let me know if you need anything else.

Thanks Again,

Chris

Posted: Fri Oct 20, 2006 10:12 am
by chris
Hi Chris,

please replace

exScalixObject|omMailbox|*|*
exScalixMailnode|omMailnode|*|*


with

|omMailbox|*|*
|omMailnode|*|*


and let me know if it runs.

Chris

Posted: Fri Oct 20, 2006 10:53 am
by cswihart
I replaced the code in the sync.cfg, but no change.

I'm not sure if this is related, but when I look at the test.curr file that's created when I do a test sync the GUID is listed.

dn: uid=jbond,ou=users,o=mydomain
exScalixMailnode: scalix,mydomain
exScalixObject: TRUE
displayName: jbond
mail: jbond@ip6.mydomain.org
uid: jbond
GUID:: gKNqzbVI2wGA7QAAAAAAAA==
givenname: James
sn: Bond
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: Person
objectClass: ndsLoginProperties
objectClass: Top
objectClass: posixAccount
objectClass: shadowAccount
objectClass: exScalixClass
cn: jbond

dn: uid=pbrosnan,ou=users,o=mydomain
exScalixMailnode: scalix,mydomain
exScalixObject: TRUE
displayName: pbrosnan
mail: pbrosnan@ip6.mydomain.org
uid: pbrosnan
GUID:: 0L6q7epM2wGA7QAAAAAAAA==
givenname: Pierce
sn: Brosnan
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: Person
objectClass: ndsLoginProperties
objectClass: Top
objectClass: posixAccount
objectClass: exScalixClass
cn: pbrosnan

dn: cn=Scalixgrp,ou=users,o=mydomain
exScalixMailnode: scalix,mydomain
exScalixObject: TRUE
displayName: scalixgrp
mail: scalixgrp@ip6.mydomain.org
GUID:: sEIoAL1e2wGAzQAAAAAAAA==
objectClass: groupOfNames
objectClass: Top
objectClass: exScalixClass
member: uid=jbond,ou=users,o=mydomain
member: uid=pbrosnan,ou=users,o=mydomain
member: cn=sconnery,ou=users,o=mydomain
member: cn=rmoore,ou=users,o=mydomain
cn: Scalixgrp


However, after I perform the actual sync, when I look at the add.curr.user file in the /sync/import directory, GUID isn't listed under the user attributes.

dn: uid=jbond,ou=users,o=mydomain
exScalixMailnode: scalix,mydomain
exScalixObject: TRUE
displayName: jbond
mail: jbond@ip6.mydomain.org
uid: jbond
givenname: James
sn: Bond
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: Person
objectClass: ndsLoginProperties
objectClass: Top
objectClass: posixAccount
objectClass: shadowAccount
objectClass: exScalixClass
cn: jbond

dn: uid=jbond,ou=users,o=mydomain
FOREIGN-ADDR: uid=jbond,ou=users,o=mydomain
exScalixMailnode: scalix,mydomain
exScalixObject: TRUE
CN: jbond
INTERNET-ADDR: jbond@ip6.mydomain.org
UL-AUTHID: jbond
G: James
S: Bond
objectClass: organizationalPerson
omMailbox:
omMailnode:



-Chris

Posted: Fri Oct 20, 2006 11:09 am
by chris
Hi Chris,

OK, a couple of things to do. Have you run omldapsearch before? It's similar to ldapsearch, just specific to our software.

Can you run an omldapsearch command to try and see if you get a guid for the user?

Here's a starting point based on your config:

omldapsearch -h 192.168.254.3 -D cn=admin,o=mydomain -w xxxxxxxxxxx -b o=mydomain '(|(&(objectclass=inetOrgPerson)(mail=*))(&(objectclass=groupOfNames)(mail=*)))' guid

Do you get anything out?

You should get binary data which will look silly and random in ASCII.

While reviewing your config to find this, I noticed that your LDAPCT_BIN_ATT is set to GUID - please set that to EX_GUID

Let me know,

Chris

Posted: Fri Oct 20, 2006 11:19 am
by cswihart
Hey Chris,

I think I found my mistake. When I was trying to test the sync I was using option 3, "update the directory", instead of option 2, "force a complete load". When I selected option 2 everything worked correctly and my users now appear in Scalix. I guess I misunderstood the process.

Thanks for all your help,

Chris

Posted: Fri Oct 20, 2006 11:22 am
by chris
Excellent!

Please change your binary attribute anyway!

If you don't, your users' mailboxes may randomly be fubared at any time.

Seriously, it can be catastrophic. The reasoning is, that the binary data will not be the same in ASCII every time, so the import will think one user is gone, delete him and his mailboxes, and then insert a new user with the new ASCII-guid and an empty mailbox. Crucial things!

Cheers!

Chris
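As an added example (not code from this thread or from Scalix) covering both the *.curr files cswihart inspected above and chris's warning about the binary attribute: a small parser for that blank-line separated LDIF, a check for the "valid global unique id" condition, and a delta that matches entries by GUID. Keying on a lossless binary rendering (base64, as on a `GUID::` line) keeps each directory object distinct and stable across runs; the `text_key` rendering is a constructed assumption showing how a text-only path loses that uniqueness, and any run-to-run instability in such a rendering produces the delete-then-add chris describes. The sample entries and GUID bytes are constructed.

```python
import base64
from typing import Callable, Dict, List, Tuple

Entry = Dict[str, List[bytes]]


def parse_ldif(text: str) -> List[Entry]:
    """Parse blank-line separated LDIF like omldapsync's *.curr files.
    'attr:: value' carries base64 (binary values such as the eDirectory GUID);
    'attr: value' is plain text. Names are lower-cased so GUID == guid."""
    entries: List[Entry] = []
    cur: Entry = {}
    for line in text.splitlines():
        if not line.strip():
            if cur:
                entries.append(cur)
                cur = {}
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"not an LDIF attribute line: {line!r}")
        if value.startswith(":"):
            data = base64.b64decode(value[1:].strip(), validate=True)
        else:
            data = value.strip().encode("utf-8")
        cur.setdefault(name.strip().lower(), []).append(data)
    if cur:
        entries.append(cur)
    return entries


def guid_problems(entries: List[Entry], guid_attr: str = "guid") -> List[Tuple[str, str]]:
    """One (dn, reason) per entry that would fail a 'valid global unique id'
    check: attribute absent, or not 16 bytes (the thread's base64 GUIDs decode to 16)."""
    out = []
    for e in entries:
        dn = e.get("dn", [b"?"])[0].decode("utf-8", "replace")
        if guid_attr not in e:
            out.append((dn, "missing"))
        elif len(e[guid_attr][0]) != 16:
            out.append((dn, f"length {len(e[guid_attr][0])}, expected 16"))
    return out


def binary_key(raw: bytes) -> str:
    """Lossless key: base64 of the raw bytes (what a binary-aware extract preserves)."""
    return base64.b64encode(raw).decode("ascii")


def text_key(raw: bytes) -> str:
    """Assumed lossy key: a text-only path that collapses undecodable bytes to U+FFFD."""
    return raw.decode("utf-8", errors="replace")


def delta(prev: List[Entry], curr: List[Entry], key_fn: Callable[[bytes], str],
          guid_attr: str = "guid") -> Tuple[List[str], List[str], List[str]]:
    """Classify current entries against the previous run, matched by GUID key
    (not dn), so a renamed user is a modify. Entries without a GUID are skipped."""
    def index(entries: List[Entry]) -> Dict[str, Entry]:
        return {key_fn(e[guid_attr][0]): e for e in entries if guid_attr in e}
    p, c = index(prev), index(curr)
    adds = sorted(k for k in c if k not in p)
    dels = sorted(k for k in p if k not in c)
    mods = sorted(k for k in c if k in p and c[k] != p[k])
    return adds, dels, mods


# Constructed 16-byte GUIDs that differ only in a byte no text decoder can keep.
GUID_A = bytes.fromhex("80a36acdb548db0180ed000000000000")
GUID_B = bytes.fromhex("81a36acdb548db0180ed000000000000")
_b64 = lambda b: base64.b64encode(b).decode("ascii")

# Constructed previous and current extracts in test.curr style.
PREV = f"dn: uid=jbond,ou=users,o=mydomain\nmail: jbond@ip6.mydomain.org\nuid: jbond\nGUID:: {_b64(GUID_A)}\n"
CURR = (
    f"dn: uid=jbond,ou=users,o=mydomain\nmail: james.bond@ip6.mydomain.org\nuid: jbond\nGUID:: {_b64(GUID_A)}\n\n"
    f"dn: uid=pbrosnan,ou=users,o=mydomain\nmail: pbrosnan@ip6.mydomain.org\nuid: pbrosnan\nGUID:: {_b64(GUID_B)}\n\n"
    "dn: cn=nobody,ou=users,o=mydomain\nmail: nobody@ip6.mydomain.org\n"  # no GUID: error 1005 case
)

if __name__ == "__main__":
    curr = parse_ldif(CURR)
    print("GUID problems:", guid_problems(curr))
    for name, key in (("binary", binary_key), ("text", text_key)):
        adds, dels, mods = delta(parse_ldif(PREV), curr, key)
        print(f"{name} key: {len(adds)} add, {len(dels)} delete, {len(mods)} modify")
```

With the binary key the renamed mailbox is one modify and pbrosnan is one add; with the lossy text key pbrosnan's GUID collides with jbond's and is applied as a modification of jbond's entry.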

Posted: Fri Oct 20, 2006 11:30 am
by cswihart
I made the change to the binary attribute and will continue to do my testing.

Thanks for all your insight.

I work for a county government and we are seriously evaluating Scalix as a mail solution for our 1000+ userbase. I have been very impressed with your product so far, but my ability to integrate the product into eDirectory has really been the only thing holding us back. Hopefully after further testing we can move ahead with the transition of Scalix into our production environment. Thanks again for all your help and a Great! product.

Chris

P.S.

I hate when my user's mailboxes get fubared :)!

Posted: Fri Oct 20, 2006 11:55 am
by cswihart
Any insight on getting passwords to sync? When I perform the sync, blank passwords are being created in Scalix. Is this a ldap mapping issue?

-Chris

Posted: Sat Oct 21, 2006 3:31 am
by florian
Hi Chris,

passwords are never synced. Most source directories (e.g. eDirectory) would not allow an LDAP task to read it and they would be in an encrypted format anyway.

Also, while delays in updates of user data are usually acceptable (think of a phone # change in the master directory which is only synced into your Scalix address book 10 minutes later due to the fact that you might want to execute omldapsync every 10 minutes using cron - no big deal! If you think through the same with the password, this is rather unpleasant because right after a password change [and we have our users change their passwords at regular intervals for good security practice, right?] the user wouldn't know which of the passwords to use to logon to which system)

Having said that, what we can do is actually have the Scalix system perform the authentication/password check online against eDirectory.

There is a thread on the Scalix Wiki http://www.scalix.com/wiki/index.php?ti ... management that explains most of that. Disregard the first part which talks about how to setup OpenLDAP to create your users and the schema change - you have already done that.

The two entries in eDirectory and Scalix Directory are "linked" for authentication purposes by the login name - your sync agreement contains a line reading

# authentication id
uid|UL-AUTHID|*|*


where the eDirectory attribute uid is mapped into Scalix' UL-AUTHID, which is our login name.

If you then setup LDAP-based authentication through PAM (as per the second part of that Wiki), your Scalix server will perform online authentication against your eDirectory.

I know that Chris (that is our Chris) is planning to update the Wiki with information about eDirectory as we speak.

Hope this helps,
Florian.

Posted: Sat Oct 21, 2006 4:38 am
by chris
florian wrote:
I know that Chris (that is our Chris) is planning to update the Wiki with information about eDirectory as we speak.

Password synchronisation as in the Wiki article is also correct for eDirectory. The updates I'm working on have more to do with what you already have done, the ldapsync from eDir.

For the password sync:

- make sure pam_ldap is installed
- follow the article starting at this point: http://www.scalix.com/wiki/index.php?ti ... ing_Scalix

and you should do fine.

As always, post if anything comes up, and we'll try to get things resolved as quickly as possible.

Chris

Posted: Mon Oct 23, 2006 2:16 pm
by cswihart
Florian & Chris

Thank you for all the helpful information. I have read through the wiki and made the changes to my scalix server, but am still working through some issues. When I log into SWA I can see the user authenticate against eDirectory, but Scalix fails to login generating a username or password incorrect error. Also when I run the sxpampasswd command I receive

pam_start_om:  User not known to the underlying authentication module.


I assume I have a problem in one of my config files and am slowly trying to work through it.

Thank you again.

Chris

Posted: Mon Oct 23, 2006 2:27 pm
by chris
Hi Chris,

please check the following things.

1. Fill these files:

/var/opt/scalix/sys/pam.d/ual.remote
/var/opt/scalix/sys/pam.d/smtpd.auth
/var/opt/scalix/sys/pam.d/pop3
/var/opt/scalix/sys/pam.d/omslapdeng


with exactly these contents:

auth    required om_om2authid
auth    sufficient om_auth
auth    required /lib/security/pam_ldap.so
account sufficient om_auth
account required /lib/security/pam_ldap.so
password required om_om2authid
password required /lib/security/pam_ldap.so
session required /lib/security/pam_ldap.so


2. Create /var/opt/scalix/sys/om_ldap.conf and fill it with:

host=edir.domain
search=subtree
base=ou=people,dc=scalix,dc=com
filter=uid=%s
tls=off


while replacing host and base with your hostname and basedn.

3. Create /var/opt/scalix/sys/pam.d/pamcheck and fill it with:

auth required om_debug
account required om_debug
session required om_debug
password required om_debug
auth    required om_om2authid
auth    required /lib/security/pam_ldap.so
account required /lib/security/pam_ldap.so
password required om_om2authid
password required /lib/security/pam_ldap.so
session required /lib/security/pam_ldap.so


4. Make absolutely sure the file /lib/security/pam_ldap.so exists. If not, you need the pam_ldap package.

5. Then try sxpamauth again and let me know if it works.

Cheers,

Chris

Posted: Mon Oct 23, 2006 2:57 pm
by cswihart
Chris,

I double checked each of the files and they are exactly as you listed.

I also confirmed that /lib/security/pam_ldap.so is present.

Still no luck with sxpamauth.

-Chris