Hi All,
Currently I'm working on my first Scalix installation and I'm having some problems with the AD integration.
Our situation is as follows:
In our AD domain (relate4u.esp) we have an OU Relate4U.
In the Relate4U OU there are a few other OU's based on the departments in our company. One of the departments is "Administratie".
I've installed both the AD schema extension and the AD GUI extensions on the Domain controller.
On our Scalix machine I edited the omldapsync configuration but when I try to test the data extraction I get the following Error:
INPUT: Attempt to test data extraction now y/n (n):y
2009-03-18 10:00:48 INFO: test searching from 10.31.5.10 ...
2009-03-18 10:00:48 INFO: search base is cn=Relate4U,cn=Administratie,dc=relate4u,dc=esp
ldap_search: No such object
ldap_search: matched: DC=relate4u,DC=esp
ldap_search: additional info: 0000208D: NameErr: DSID-031001CD, problem 2001 (NO_OBJECT), data 0, best match of:
'DC=relate4u,DC=esp'
2009-03-18 10:00:48 ERROR: failed to run omldapsearch
2009-03-18 10:00:48 INFO: test listing servers from http://mailsrv.relate4u.com/caa/ ...
2009-03-18 10:00:49 INFO: ... found mailsrv.relate4u.com OK.
2009-03-18 10:00:49 INFO: test listing mailnodes on mailsrv.relate4u.com ...
2009-03-18 10:00:50 INFO: ... found mailnode OK.
2009-03-18 10:00:50 STATUS: Configuration of AD_SX1 completed ########
So it seems omldapsearch can't find the OU's
anyone got an idea what I'm doing wrong.
thanks in advance
Martijn
Active Directory integration
Moderators: ScalixSupport, admin
-
schmoe90
- Scalix
- Posts: 900
- Joined: Mon May 07, 2007 11:51 am
2009-03-18 10:00:48 INFO: search base is cn=Relate4U,cn=Administratie,dc=relate4u,dc=esp
ldap_search: No such object
ldap_search: matched: DC=relate4u,DC=esp
ldap_search: additional info: 0000208D: NameErr: DSID-031001CD, problem 2001 (NO_OBJECT), data 0, best match of:
'DC=relate4u,DC=esp'
Looks like that CN isn't in your LDAP directory.
-
LeslieW
- Scalix
- Posts: 239
- Joined: Thu Jun 19, 2008 10:03 am
- Contact:
Re: Active Directory integration
Schmoe90 is right - you don't have that CN in your AD.
You said you'd created an org unit called Relate4U and inside that another org unit called Administratie.
CN is for containers, OU is for organizational units. So make sure these are org units and not containers that you have created. You can do that by going into ADUC and highlighting the domain name, then looking in the panel on the right-hand side. It will show "Users" which is a container, and "Relate4U" which hopefully is an organizational unit.
Also, I think you have your org units backwards.
Try a search base of OU=Administratie,OU=Relate4U,DC=relate4u,dc=esp
When in doubt about how AD is organizing things, I find it helpful to issue a command like the following (from the Scalix server):
$ omldapsearch -D "cn=Administrator,cn=Users,dc=mydomain,dc=net" -w <password> -h adhost.mydomain.net -b "dc=mydomain,dc=net" -L "" cn=* > /tmp/search.out
Then go look at the contents of /tmp/search.out and you'll see how AD is organizing things.
When you do an omldapsearch with a base of *only* the domain, you'll get a referral error at the end of the search. That doesn't matter because you already have what you need, and that is the data structure so you can construct valid searches.
You said you'd created an org unit called Relate4U and inside that another org unit called Administratie.
CN is for containers, OU is for organizational units. So make sure these are org units and not containers that you have created. You can do that by going into ADUC and highlighting the domain name, then looking in the panel on the right-hand side. It will show "Users" which is a container, and "Relate4U" which hopefully is an organizational unit.
Also, I think you have your org units backwards.
Try a search base of OU=Administratie,OU=Relate4U,DC=relate4u,dc=esp
When in doubt about how AD is organizing things, I find it helpful to issue a command like the following (from the Scalix server):
$ omldapsearch -D "cn=Administrator,cn=Users,dc=mydomain,dc=net" -w <password> -h adhost.mydomain.net -b "dc=mydomain,dc=net" -L "" cn=* > /tmp/search.out
Then go look at the contents of /tmp/search.out and you'll see how AD is organizing things.
When you do an omldapsearch with a base of *only* the domain, you'll get a referral error at the end of the search. That doesn't matter because you already have what you need, and that is the data structure so you can construct valid searches.
-
martijng
Re: Active Directory integration
Hi LeslieW,
Thanks for your reply.
I ran the following command:
In search.out I found this result:
dn: CN=Gname Lname,OU=Users,OU=Administratie,OU=Relate4U,DC=relate4u,DC=esp
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Gname Lname
sn: LName
givenName: Gname
distinguishedName: CN=Gname Lname,OU=Users,OU=Administratie,OU=Relate4U,DC=relate4u,DC=esp
instanceType: 4
I've changed my omldapsync configuration, but I still get the following error:
INPUT: Replace old config with new y/n (?):y
2009-04-07 10:28:33 STATUS: renamed old sync.cfg to sync.last
2009-04-07 10:28:33 STATUS: installed updated config sync.cfg
INPUT: Attempt to test data extraction now y/n (n):y
2009-04-07 10:28:34 INFO: test searching from 10.31.5.10 ...
2009-04-07 10:28:34 INFO: search base is OU=Users,OU=Administratie,OU=Relate4U,DC=relate4u,DC=esp
2009-04-07 10:28:34 WARNING: failed to find any matching entry
2009-04-07 10:28:34 INFO: test listing servers from http://mailsrv.relate4u.com/caa/ ...
2009-04-07 10:28:34 INFO: ... found mailsrv.relate4u.com OK.
2009-04-07 10:28:34 INFO: test listing mailnodes on mailsrv.relate4u.com ...
2009-04-07 10:28:35 INFO: ... found mailnode OK.
2009-04-07 10:28:35 STATUS: Configuration of AD_SX1 completed ########
I really haven't got a clue how to fix this.
any help would be appreciated.
Martijn
Thanks for your reply.
I ran the following command:
Code: Select all
omldapsearch -D "cn=Administrator,cn=Users,dc=relate4u,dc=esp" -w <passwd> -h obelix.relate4u.esp -b "dc=relate4u,dc=esp" -L "" cn=* > /tmp/search.out
In search.out I found this result:
dn: CN=Gname Lname,OU=Users,OU=Administratie,OU=Relate4U,DC=relate4u,DC=esp
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Gname Lname
sn: LName
givenName: Gname
distinguishedName: CN=Gname Lname,OU=Users,OU=Administratie,OU=Relate4U,DC=relate4u,DC=esp
instanceType: 4
I've changed my omldapsync configuration, but I still get the following error:
INPUT: Replace old config with new y/n (?):y
2009-04-07 10:28:33 STATUS: renamed old sync.cfg to sync.last
2009-04-07 10:28:33 STATUS: installed updated config sync.cfg
INPUT: Attempt to test data extraction now y/n (n):y
2009-04-07 10:28:34 INFO: test searching from 10.31.5.10 ...
2009-04-07 10:28:34 INFO: search base is OU=Users,OU=Administratie,OU=Relate4U,DC=relate4u,DC=esp
2009-04-07 10:28:34 WARNING: failed to find any matching entry
2009-04-07 10:28:34 INFO: test listing servers from http://mailsrv.relate4u.com/caa/ ...
2009-04-07 10:28:34 INFO: ... found mailsrv.relate4u.com OK.
2009-04-07 10:28:34 INFO: test listing mailnodes on mailsrv.relate4u.com ...
2009-04-07 10:28:35 INFO: ... found mailnode OK.
2009-04-07 10:28:35 STATUS: Configuration of AD_SX1 completed ########
I really haven't got a clue how to fix this.
any help would be appreciated.
Martijn
-
LeslieW
- Scalix
- Posts: 239
- Joined: Thu Jun 19, 2008 10:03 am
- Contact:
Re: Active Directory integration
Martijn,
You only had one result in search.out? Or you only posted one to use as an example?
I hope you had more than one entry returned by omldapsearch!
Okay the one entry was
dn: CN=Gname Lname,OU=Users,OU=Administratie,OU=Relate4U,DC=relate4u,DC=esp
And your sync.log shows you're searching a base that should include that user
2009-04-07 10:28:34 INFO: search base is OU=Users,OU=Administratie,OU=Relate4U,DC=relate4u,DC=esp
The reason you probably failed to find any matching entry is that the user you showed is not a Scalix entry.
By default, omldapsync only imports Scalix entries. If you look in /var/opt/scalix/??/s/ldapsync/<agreement>/sync.cfg you'll see the following:
# EX_FILTER: search filter to include/exclude entries to import
# e.g. "(&(cn=*)(mail=*))" for any cn AND mail
EX_FILTER=(&(cn=*)(scalixScalixObject=TRUE))
This means you're searching only for entries that have a CN and that also have scalixScalixObject=TRUE.
The example you showed (if you showed all of it) does not have scalixScalixObject=TRUE.
This attribute gets set when, in ADUC, you opt to create a scalix mailbox for the user or group.
If the user already exists, you can right-click the user name and then select "Create Scalix mailbox".
You only had one result in search.out? Or you only posted one to use as an example?
I hope you had more than one entry returned by omldapsearch!
Okay the one entry was
dn: CN=Gname Lname,OU=Users,OU=Administratie,OU=Relate4U,DC=relate4u,DC=esp
And your sync.log shows you're searching a base that should include that user
2009-04-07 10:28:34 INFO: search base is OU=Users,OU=Administratie,OU=Relate4U,DC=relate4u,DC=esp
The reason you probably failed to find any matching entry is that the user you showed is not a Scalix entry.
By default, omldapsync only imports Scalix entries. If you look in /var/opt/scalix/??/s/ldapsync/<agreement>/sync.cfg you'll see the following:
# EX_FILTER: search filter to include/exclude entries to import
# e.g. "(&(cn=*)(mail=*))" for any cn AND mail
EX_FILTER=(&(cn=*)(scalixScalixObject=TRUE))
This means you're searching only for entries that have a CN and that also have scalixScalixObject=TRUE.
The example you showed (if you showed all of it) does not have scalixScalixObject=TRUE.
This attribute gets set when, in ADUC, you opt to create a scalix mailbox for the user or group.
If the user already exists, you can right-click the user name and then select "Create Scalix mailbox".
-
martijng
Re: Active Directory integration
Leslie,
Thanks for your help. I finally got the sync working.
The problem was that I hadn't created a scalix mailbox in our AD.
The search.out file contained 13000 lines so I picked one out as example.
Again thanks for your help.
Martijn
Thanks for your help. I finally got the sync working.
The problem was that I hadn't created a scalix mailbox in our AD.
The search.out file contained 13000 lines so I picked one out as example.
Again thanks for your help.
Martijn
-
LeslieW
- Scalix
- Posts: 239
- Joined: Thu Jun 19, 2008 10:03 am
- Contact:
Re: Active Directory integration
Martijn,
Excellent! I'm glad it's working for you now
Leslie
Excellent! I'm glad it's working for you now
Leslie
Who is online
Users browsing this forum: No registered users and 6 guests