syncing with openldap - UPDATE!


ausyvr
Posts: 23
Joined: Thu Jan 11, 2007 3:51 pm

syncing with openldap - UPDATE!

Postby ausyvr » Thu Jan 25, 2007 7:55 pm

I managed to get Scalix syncing perfectly with LDAP.

I now have 2 questions about the syncing:
1. If I update an attribute in OpenLDAP, how do I 'update' that one attribute to Scalix? So far we have tried using 2 and 3 in the Interactive Menu for ldapsync13.cfg, but this did not update Scalix. The only way we have it working is to delete the record in Scalix and re-run the sync. This is something we do not want to do.
2. When you edit the ldapsync13.cfg file via the interactive menu this creates what is essentially a 'second copy' of the cfg file. I noticed this file is placed in the /ldapsync/13 directory (called sync.cfg).
Why does Scalix do this? Why not use the ldapsync13.cfg file located in /scalix/xx/s/sys?

--------------------------
I'm new at Scalix and currently playing with a test server before we roll out a production server.
We are running Scalix 11 on CentOS 4.4.
So far I have authentication against OpenLDAP working, and now I want to sync OpenLDAP with Scalix. Obviously the objective is to use OpenLDAP to create Scalix mailboxes.

I have worked out to use ldapsync13.cfg, and I have loaded the schema to the test ldap server.
After configuring ldapsync13.cfg and attempting to run the file omldapsync

omldapsync -d3 -l ldapsync13.cfg

I received a

2007-01-25 15:29:50 ERROR: please configure ldapsync13.cfg first.


My questions are:
Do all the fields need information or can they be commented out where I don't have info? Where do I obtain the syncid? Is this something I need to run before or with omldapsync?

I have done lots of reading on forums and the man pages, but after many hours things are blurry and I need a little push.

Thank you
aj

hughesjr
Posts: 32
Joined: Wed Dec 20, 2006 3:00 pm

Postby hughesjr » Sun Feb 04, 2007 10:14 am

Here is my sync.cfg file (with example.com stuck in and passwds removed)

##################################################################
#
# Scalix LDAP Directory Synchronization configuration
# NOTE: this file must be edited with care before use
# Interactively editable fields are controlled by the following:
EDIT_PROMPT=JAVA_HOME EX_HOST EX_LOGON EX_PASS IM_HOST IM_CAA_URL IM_CAA_KEYSTORE IM_CAA_NAME IM_CAA_PASS EX_BASE1 EX_BASE2 EX_BASE3 IM_OMADDRESS
# Sync agreement type - see omldapsync man page
TYPE_ID=13
# Sync agreement id - set by argument
SYNC_ID=${2}
# NEXT_SYNCID: next sync agreement id to be executed after current
# agreement has completed, e.g. user sync followed by group sync
NEXT_SYNCID=
# JAVA_HOME: home directory of java installation
# e.g. "/usr/java/j2sdk1.4.2_02"
JAVA_HOME=/usr/java/jre1.5.0_06
# The class path required by omldapagent java application (under
# /opt/scalix/svr/java/bin) is setup automatically by omldapsync to
# access dependent java libraries (under /opt/scalix/svr/java/lib)
##################################################################
#
# PART 1 General Configuration
##################################################################
# This section covers the settings required for tools to access
# both the remote and local systems for import or export.
# The general format is one or more line of <tag>=<value>
# Line starts with '#' is treated as comment
# When edited using omldaputil, do one of the following:
#   -press <enter> to accept the default offered inside []
#   -type in alternative <value> and press <enter>
#   -do not quote the value with "" or ''
#
# PART 1.1 for IMPORT - remote host
##########################################
# EX_HOST: remote LDAP directory server name or IP address
# e.g. "remote_server.your_domain.com" or "192.168.1.216"
EX_HOST=ldap.crm.example.com
# EX_PORT: LDAP server port number
# e.g. "389" is normally used
EX_PORT=389
# EX_LOGON: user that can search/delete/add/modify directory
# your administrator or migration account is often used
# e.g. "cn=Export Admin,cn=users,dc=your_org,dc=com"
EX_LOGON=cn=Manager,dc=example,dc=com
# EX_PASS: user password, or leave it blank so that omldapsync
# will prompt for it when executing import or export agreement
# NOTE: the prompt will prevent complete automation of sync process
EX_PASS=manager_passwd
#
# PART 1.2 for IMPORT - local host
#########################################
# IM_HOST: local Scalix directory server name
# must specify FQDN where internet and user group will be imported
# e.g. "local_server.your_domain.com"
IM_HOST=scalix.crm.example.com
# IM_CAA_URL: Scalix CAA service url - must end with "/"
# e.g. "http://local_server.your_domain.com:8080/caa/"
IM_CAA_URL=http://scalix.crm.example.com/caa/
# IM_CAA_KEYSTORE: Scalix CAA service keystore for HTTPS only
# e.g "/var/opt/scalix/ldapsync/keystore"
IM_CAA_KEYSTORE=
# IM_CAA_ID: service login session-id
# e.g. "12345"
IM_CAA_ID=12345
# IM_CAA_NAME: service login auth-id, must have Scalix admin capability
# e.g. "user_name@your_domain.com"
IM_CAA_NAME=admin
# IM_CAA_PASS: service login password, or leave it blank so that omldapsync
# will prompt for it when executing import or export agreement
# NOTE: the prompt will prevent complete automation of sync process
IM_CAA_PASS=scalix_admin_passwd
# IM_DELETE_MAILBOX: whether sync of mailbox delete will be applied to Scalix
# NOTE: set to "FALSE" to keep the mailbox and handle the deletion manually
IM_DELETE_MAILBOX=TRUE
# IM_FAIL2WARN_OPCODES: space separated list of opcodes that will be changed
# from failure to warning, a way to auto ignore certain type of error
# opcodes for add/modify/delete users=1/4/7 and groups=2/5/8
# opcodes for add/modify/delete members=3/3/9 and limits=12/12/-
# NOTE: should use a whole set, e.g. "3 9" to auto ignore all members error
IM_FAIL2WARN_OPCODES=
#
# PART 1.3 for IMPORT - ldap parameters
#######################################
# EX_ATTR: attributes to extract from remote system for import
# e.g. "member dn uid objectClass displayName sn givenname initials mail entryUUID cn <etc>"
EX_ATTR=memberUid scalixHideUserEntry scalixMailboxClass scalixLimitMailboxSize scalixLimitOutboundMail scalixLimitInboundMail scalixLimitNotifyUser scalixScalixObject scalixMailnode scalixServerLanguage scalixAdministrator scalixMailboxAdministrator scalixEmailAddress member dn uid objectClass displayName sn givenname initials mail entryUUID cn facsimileTelephoneNumber homephone street st telephoneNumber title c company departmentNumber description l mobile pager physicalDeliveryOfficeName postalCode
#EX_ATTR=scalixHideUserEntry scalixMailboxClass scalixLimitMailboxSize scalixLimitOutboundMail scalixLimitInboundMail scalixLimitNotifyUser scalixScalixObject scalixMailnode scalixServerLanguage scalixAdministrator scalixMailboxAdministrator scalixEmailAddress member dn uid objectClass displayName sn givenname initials mail entryUUID cn facsimileTelephoneNumber homephone street st telephoneNumber title c company departmentNumber description l mobile pager physicalDeliveryOfficeName postalCode
# EX_BASEn: search base(s) to extract entries from remote system
# specify a container name and its full LDAP suffix
# e.g. "cn=users,dc=your_org,dc=com"
EX_BASE1=ou=Users,dc=example,dc=com
EX_BASE2=ou=Groups,dc=example,dc=com
#EX_BASE2=
EX_BASE3=
EX_BASE4=
EX_BASE5=
EX_BASE6=
EX_BASE7=
EX_BASE8=
EX_BASE9=
# NOTE: extra EX_BASE10 upto EX_BASE200 can be defined here
# EX_FILTER: search filter to include/exclude entries to import
# e.g. "(&(cn=*)(|(mail=*)(scalixEmailAddress=*))(|(objectClass=inetOrgPerson)(objectClass=groupOfNames)))"
EX_FILTER=(&(cn=*)(|(mail=*)(scalixEmailAddress=*))(|(objectClass=inetOrgPerson)(objectClass=posixGroup)))
#EX_FILTER=(&(cn=*)(|(mail=*)(scalixEmailAddress=*))(|(objectClass=inetOrgPerson)(objectClass=groupOfNames)))
# IM_OMADDRESS: Scalix address where entries are imported
# NOTE: this is a route which you configure for coexistence
# e.g. "/internet" or "internet"
IM_OMADDRESS=/internet
# IM_MV_ATTR: mapped attributes that can be imported with multi values
# e.g. "objectClass INTERNET-ADDR omMemberForeignAddr"
IM_MV_ATTR=objectClass INTERNET-ADDR omMemberForeignAddr
#IM_MV_ATTR=objectClass INTERNET-ADDR omMemberForeignAddr
# EX_GUID: the remote tag name for extracting Foreign GUID
# e.g. "entryUUID"
EX_GUID=entryUUID
# LDAPCT_BIN_ATT: must set value to EX_GUID if it is a binary attribute
# e.g. ""
LDAPCT_BIN_ATT=
# EX_PAGESIZE: use pagesize control extension to overcome search limit
# e.g. "100"
EX_PAGESIZE=1000
# EX_SCOPE: use one of sub, one, base to control search scope
# e.g. "sub"
#EX_SCOPE=sub
#
# PART 1.4 for EXPORT - ldap parameters
#######################################
# NOTE: export is not supported for this agreement type
#
# PART 2 Mapping Configuration
#################################################################
# WARNING: refer to documentation before editing the tables.
# This section defines the mappings required in order to map data
# between the remote and local LDAP systems for import or export.
# The general format is <lines of value> enclosed by markers.
# When edited using omldaputil, do one of the following:
#   -press <enter> to accept the default offered inside []
#   -type in alternative value and press <enter>
#   -type in '-' to remove the line offered
#   -type in '+<value> to insert it before current line
# For more details on all mapping rules see omldaputil man page.
#
# PART 2.1 for IMPORT - mapping table
#####################################
# Table format/content/comment:
# <table begin marker>
# <table end marker>
# except those in IM_MV_ATTR, only keep first instances
#####################################
# primary mapping table
IM_MAPPING_TABLE=
# tag the entry using sync agreement name
|ADMINISTERED-BY|*|ldapsync-${2}
# scalix reserved attributes
scalixHideUserEntry|EX-CDA-DIRECTORY|TRUE|1
scalixHideUserEntry|EX-CDA-DIRECTORY|FALSE|
scalixMailboxClass|UL-CLASS|*|*
scalixLimitMailboxSize|*|*|*
scalixLimitOutboundMail|*|*|*
scalixLimitInboundMail|*|*|*
scalixLimitNotifyUser|*|*|*
scalixScalixObject|omMailbox|*|*
scalixMailnode|omMailnode|*|*
scalixServerLanguage|UL-IL|*|*
scalixAdministrator|ADMIN|*|*
scalixMailboxAdministrator|MBOXADMIN|*|*
# scalix object classes
objectClass|*|posixGroup|distributionList
objectClass|*|inetOrgPerson|organizationalPerson
objectClass||*|#ignore others
# distinguished name
dn|*|*|*
# global unique id
entryUUID|GLOBAL-UNIQUE-ID|*|*
# common name
cn|CN|*,1,64!ISMISSING=displayName|*
cn||*|#suppress it otherwise
displayName|CN|*,1,64|*
# initial
initials|I|*,1,5|*
# surname
sn|S|*,1,40|*
# use cn for surname if sn is missing
cn|S|*,1,40!ISMISSING=sn|*
# given name is mapped if surname is present
givenName|G|*,1,16!ISPRESENT=sn|*
givenName||*|#suppress it otherwise
# primary internet address for non-scalix user
mail|INTERNET-ADDR|*,1,512!ISMISSING=scalixEmailAddress|!CUSTOM=TX_IA_TO_QP_IA
mail||*|#suppress it otherwise
# all internet addresses for scalix user
scalixEmailAddress|INTERNET-ADDR|*,1,512|!CUSTOM=TX_IA_TO_QP_IA
# the DN of the entry
dn|FOREIGN-ADDR|*,1,512|*
# the DN of the group members
memberUid|omMemberForeignAddr|*|!SCRIPT=memberuid.map --ldifrec sourcefile
# authentication id
uid|UL-AUTHID|*|*
# informational attributes
facsimileTelephoneNumber|FAX|*,1,32|!CUSTOM=TO_PS_STR
homephone|HOME-PHONE|*,1,32|!CUSTOM=TO_PS_STR
street|STREET-ADDRESS|*,1,128|!REPLACE=\033J|\012
st|STATE-OR-PROVINCE|*,1,128|*
telephoneNumber|PHONE-1|*,1,32|!CUSTOM=TO_PS_STR
title|TITLE|*,1,128|*
c|CNTRY|*,1,2|*
company|EMPL-ORG|*,1,64|*
departmentNumber|EMPL-DEPT|*,1,32|*
description|ENTRY-DESC|*,1,1024|!REPLACE=\033J|\012
l|L|*,1,128|*
mobile|MOBILE-PHONE|*,1,32|!CUSTOM=TO_PS_STR
pager|PAGER-PHONE|*,1,32|!CUSTOM=TO_PS_STR
physicalDeliveryOfficeName|PD-OFFICE-NAME|*,1,128|*
postalCode|POSTAL-CODE|*,1,40|*
=END_MAPPING_TABLE
#####################################
# secondary mapping table
#IM_MAPPING_TABLE2=
#*|*|*|*
#=END_MAPPING_TABLE
#
# PART 2.2 for EXPORT - mapping tables
######################################
# Table format/content/comment:
# <table begin marker>
# <table end marker>
#
#####################################
# primary mapping table
EX_MAPPING_TABLE=
*|*|*|*
=END_MAPPING_TABLE
#####################################
# secondary mapping table
#EX_MAPPING_TABLE2=
#*|*|*|*
#=END_MAPPING_TABLE
#
# END
#################################################################


The way I call my normal sync is like this (example replaces the sync name):

omldapsync -I -u example


In this case, I would have a directory called /var/opt/scalix/sx/s/ldapsync/example

(the sx/s could be different in another Scalix 11 install ... the ldapsync directory belongs in the same directory as rules and sys under /var/opt/scalix/)

The sync.cfg file would be there (in the example directory) ... then you would be able to run the automated script. I used example as my directory name, yours currently would be ldapsync13 ... however, if the possibility exists that you will use more than one ldap server to bring in users, you should probably name it something else.

I use this along with my map script (memberuid.map) to allow posix groups to be converted to scalix groups ... see this link:

viewtopic.php?t=5405#23861

All the changes that I make in openldap to either scalix items (Premium or standard user, scalix-admin, etc.) OR changes like new/modified users or new/modified groups all come over to scalix.
--
Johnny Hughes
CentOS-4 Lead Developer

ausyvr
Posts: 23
Joined: Thu Jan 11, 2007 3:51 pm

Thanks all

Postby ausyvr » Mon Feb 05, 2007 1:42 pm

Thanks for the replies.

I managed to get this working early last week. What I found was I had to remove the domain from the

IM_CAA_NAME:

leaving just the username, i.e. admin, and change this

JAVA_HOME=/usr/java/j2sdk1.4.2_02

to

JAVA_HOME=/usr/java/j2sdk1.4.2_09

Initially my logs showed a 'directory cannot be found' error for Java. So I installed j2sdk1.4.2_09 and then changed the cfg file to match the correct version of Java. Issue resolved.

Despite the length of time this took me, when I look back at the changes I made, there really were not that many. I created a KS config so all the extra packages and RAID info will be installed when I build the test production server.

Another major issue which took some time to resolve was authenticating against OpenLDAP. I was following the document called 'OpenLDAP in a Scalix Environment', but still no authentication. It produced continuous errors. My boss even checked the cfg file and confirmed all was good.
As it turns out there was one config file missing from the 'om_ldap.conf' section of the documentation. The documentation contained this:

host=ldaphost.acme.com
search=subtree
base=ou=people,dc=scalix,dc=com
filter=uid=%s

yet this Scalix article http://www.scalix.com/wiki/index.php?title=HowTos/Using_OpenLDAP_for_password_management&oldid=2921#Configuring_Scalix had this extra line

tls=off

So I added the extra line and authentication worked fine.

host=ldaphost.acme.com
search=subtree
base=ou=people,dc=scalix,dc=com
filter=uid=%s
tls=off


The last issue, which was the make or break issue, was updating individual records from OpenLDAP to Scalix. Should I add a new email address to a user in OpenLDAP, I only want to run an update in Scalix to sync the two records. My attempts were not successful and I found that I would have to remove the user from Scalix and then resync with OpenLDAP. Clearly this was not on.

After many attempts I found what worked for me was this:

omldapsync -u 13 -d3

I can then run this command as a cron job at a later date.

Thanks again.
aj
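Two settings quoted in this thread deserve a second look from a security standpoint: the posted sync.cfg keeps EX_PASS and IM_CAA_PASS inline (the file's own comments note both can be left blank so that omldapsync prompts instead) and reaches the CAA service over plain http:// with no keystore, and the om_ldap.conf fix above switches TLS off, so user passwords bind to the LDAP server in the clear. The script below is an added example for this thread, not code from any poster or from Scalix. It parses the <tag>=<value> format both files share, skipping the pipe-separated mapping-table rows, and reports those settings together with file permissions and EDIT_PROMPT tags still empty. The sample file contents are constructed and abbreviated, with placeholder secrets.

```python
"""Audit a Scalix ldapsync sync.cfg and an om_ldap.conf for risky settings.
Added example; the tag names checked are the ones in the configs quoted in
the thread, and the sample texts are constructed with placeholder secrets."""
import stat

# Constructed sample shaped like the sync.cfg posted in the thread.
SAMPLE_SYNC_CFG = """\
# Scalix LDAP Directory Synchronization configuration
EDIT_PROMPT=JAVA_HOME EX_HOST EX_LOGON EX_PASS IM_HOST IM_CAA_URL IM_CAA_KEYSTORE IM_CAA_NAME IM_CAA_PASS EX_BASE1 EX_BASE2 EX_BASE3 IM_OMADDRESS
JAVA_HOME=/usr/java/jre1.5.0_06
EX_HOST=ldap.crm.example.com
EX_LOGON=cn=Manager,dc=example,dc=com
EX_PASS=manager_passwd
IM_HOST=scalix.crm.example.com
IM_CAA_URL=http://scalix.crm.example.com/caa/
IM_CAA_KEYSTORE=
IM_CAA_NAME=admin
IM_CAA_PASS=scalix_admin_passwd
IM_DELETE_MAILBOX=TRUE
EX_BASE1=ou=Users,dc=example,dc=com
EX_BASE2=ou=Groups,dc=example,dc=com
EX_BASE3=
IM_OMADDRESS=/internet
IM_MAPPING_TABLE=
|ADMINISTERED-BY|*|ldapsync-${2}
cn|CN|*,1,64!ISMISSING=displayName|*
=END_MAPPING_TABLE
"""

# Constructed sample: the om_ldap.conf fragment from the thread.
SAMPLE_OM_LDAP_CONF = """\
host=ldaphost.acme.com
search=subtree
base=ou=people,dc=scalix,dc=com
filter=uid=%s
tls=off
"""

# The file's own comments say these may be left blank so omldapsync prompts.
PASSWORD_TAGS = ("EX_PASS", "IM_CAA_PASS")


def parse_tag_values(text):
    """Return {tag: value} from <tag>=<value> lines. Comment lines and the
    pipe-separated rows between a *_MAPPING_TABLE= marker and
    =END_MAPPING_TABLE are skipped; a repeated tag keeps its last value."""
    values, in_table = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if in_table:
            in_table = line != "=END_MAPPING_TABLE"
            continue
        if "=" not in line:
            continue
        tag, _, value = line.partition("=")
        tag = tag.strip()
        if "MAPPING_TABLE" in tag:
            in_table = True
            continue
        values[tag] = value.strip()
    return values


def audit_sync_cfg(text, mode=None):
    """Return findings for a sync.cfg; `mode` is the file's permission bits
    (e.g. os.stat(path).st_mode) or None to skip the permission check."""
    cfg, findings = parse_tag_values(text), []
    for tag in PASSWORD_TAGS:
        if cfg.get(tag):
            findings.append(f"{tag} holds a cleartext password; blank makes omldapsync prompt instead")
    url = cfg.get("IM_CAA_URL", "")
    if url.startswith("http://"):
        findings.append("IM_CAA_URL uses http://, so the CAA admin login travels unencrypted")
    elif url.startswith("https://") and not cfg.get("IM_CAA_KEYSTORE"):
        findings.append("IM_CAA_URL is https:// but IM_CAA_KEYSTORE is empty")
    if cfg.get("IM_DELETE_MAILBOX", "").upper() == "TRUE":
        findings.append("IM_DELETE_MAILBOX=TRUE: a delete in LDAP deletes the Scalix mailbox")
    if mode is not None and mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append("file is readable by group or others yet may hold admin passwords")
    return findings


def unset_prompt_tags(cfg):
    """Tags listed in EDIT_PROMPT that are still empty, password tags aside."""
    return [t for t in cfg.get("EDIT_PROMPT", "").split()
            if t not in PASSWORD_TAGS and not cfg.get(t)]


def audit_om_ldap_conf(text):
    """Return findings for an om_ldap.conf (simple bind without TLS is cleartext)."""
    conf, findings = parse_tag_values(text), []
    if conf.get("tls", "").lower() == "off":
        findings.append("tls=off: user passwords bind to the LDAP server in the clear")
    if "%s" not in conf.get("filter", "%s"):
        findings.append("filter has no %s placeholder for the login name")
    return findings


if __name__ == "__main__":
    for f in audit_sync_cfg(SAMPLE_SYNC_CFG, mode=0o644):
        print("sync.cfg:", f)
    for t in unset_prompt_tags(parse_tag_values(SAMPLE_SYNC_CFG)):
        print("sync.cfg: EDIT_PROMPT tag not set:", t)
    for f in audit_om_ldap_conf(SAMPLE_OM_LDAP_CONF):
        print("om_ldap.conf:", f)
```

To run it against a real installation, read the sync.cfg under the ldapsync directory and om_ldap.conf into strings and pass `os.stat(path).st_mode` as `mode`; the empty EX_BASE3 and IM_CAA_KEYSTORE it lists for the sample are expected when only two search bases are used and the CAA URL is not https, which is why that list is reported separately from the findings.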

dwalexuk
Posts: 17
Joined: Thu Dec 21, 2006 11:51 am

Postby dwalexuk » Wed Feb 21, 2007 6:39 am

bump.
hughesjr, what changes did you make in order to get separate fields in the Scalix directory updated?
My omldapsync works fine but it doesn't update separate fields in the Scalix directory even if they are modified in LDAP. The only way to update user info is to delete and recreate, but that is not what I want.

hughesjr
Posts: 32
Joined: Wed Dec 20, 2006 3:00 pm

Postby hughesjr » Wed Feb 21, 2007 7:06 am

mine does updates just fine ...

using the -u option when running omldapsync

omldapsync -I -u <name>
--
Johnny Hughes
CentOS-4 Lead Developer

dwalexuk
Posts: 17
Joined: Thu Dec 21, 2006 11:51 am

Postby dwalexuk » Wed Feb 21, 2007 7:23 am

thanks, in my case:
omldapsync -u example -d3
-I doesn't work for some reason

