Howto Integration to MS ActiveDirectory?

Discuss installation of Scalix software

Moderators: ScalixSupport, admin

stony007_de
Posts: 111
Joined: Fri Jan 04, 2008 7:20 am

Postby stony007_de » Fri Jan 04, 2008 7:31 am

Hey,

I am a Scalix greenhorn and installed the Community Edition first.
The OS in my case is Debian Etch on a virtual machine. To use the collaboration platform of Scalix in our domain, must I connect to the Active Directory to use the existing user accounts?

Are there any white papers which describe the integration into a Microsoft domain?
-------------------------------------------------
Best regards from middle Germany

Valerion
Scalix Star
Posts: 2730
Joined: Thu Feb 26, 2004 7:40 am
Location: Johannesburg, South Africa
Contact:

Postby Valerion » Fri Jan 04, 2008 9:24 am

There's no need to connect to AD. You can have Scalix pull user accounts and passwords from the AD, but it works fine without it.

For information on how to get it running look in the Installation Guide and the Setup and Configuration Guide.

stony007_de
Posts: 111
Joined: Fri Jan 04, 2008 7:20 am

Postby stony007_de » Fri Jan 04, 2008 10:15 am

The Setup and Configuration Guide describes that the AD connection will only run with the Enterprise or Small Business Edition.
Is there any possibility to use the AD in the Community Edition?
-------------------------------------------------

Best regards from middle Germany

Valerion
Scalix Star
Posts: 2730
Joined: Thu Feb 26, 2004 7:40 am
Location: Johannesburg, South Africa
Contact:

Postby Valerion » Fri Jan 04, 2008 10:19 am

The only part that doesn't work in CE is the AD LDAP Schema Extension. You can create your own schema in AD for the Scalix attributes, then adapt the omldapsync config file appropriately. Have a look at the schema definition in /var/opt/scalix/??/s/sys/ldapsync13.schema for inspiration.

Otherwise it works as described.

stony007_de
Posts: 111
Joined: Fri Jan 04, 2008 7:20 am

Postby stony007_de » Wed Jan 09, 2008 2:54 am

Great!

After some fights with omldapsync and the sync.conf, my Scalix server synchronized with my AD. Now the users created in AD appear in my SAC.

For example, the created user is "sst".
Every time I want to log in with a synced user, I get an error about my password.

If I check the user on the Scalix console, I get the following information:

-----------------------------------------------------------------------------------------------
~# omshowu sst@SCALDOM.LOCAL

>> Authentication ID: sst@SCALDOM.LOCAL
>> Globally Unique ID: mgKCp1Kn9E+TwZJmR6HQBw==
>> User Name : Stephan Stein /CN=Stephan Stein
>> MailNode : scaldom
>> Internet Address : unset
>> System Login : 60536
>> Password : unset
>> Admin Capabilities : NO
>> Mailbox Admin Capabilities : NO
>> Language : GERMAN
>> Mail Account: Unlocked
>> Last Signon : Never.
>> Receipt of mail : ENABLED
>> Service level : 0
>> Excluded from Tidying : NO
>> Recovery Folder visible : NO
>> User Class : Full
>> SIS URL : sxidx://scalix.scaldom.local/0310000093 ... 51.3.05.01

-----------------------------------------------------------------------------------------------

What config is missing to log in with the AD user?
I think the user is only able to log in over LDAP, without configuring Kerberos etc.

Please help.
-------------------------------------------------

Best regards from middle Germany

Valerion
Scalix Star
Posts: 2730
Joined: Thu Feb 26, 2004 7:40 am
Location: Johannesburg, South Africa
Contact:

Postby Valerion » Wed Jan 09, 2008 3:41 am

As far as I am aware, AD only allows login via Kerberos. In any case, whether you use Kerberos or LDAP, you will have to tell Scalix where to find the passwords. It is not synced across with the LDAP sync agreement - only the user information is.

stony007_de
Posts: 111
Joined: Fri Jan 04, 2008 7:20 am

Postby stony007_de » Wed Jan 09, 2008 9:46 am

OK,

To authenticate with LDAP, the setup guide describes "Configuring LDAP for Clients" (page 59).
In this topic I have to edit the ~/sys/pam.d/ual.remote file, because I only want to use the web client and the Outlook connector.

--------------------------------
~/sys/pam.d/ual.remote

>>auth sufficient om_ldap
>>auth required pam_deny
>>account required om_auth
>>password required om_auth
>>session required om_auth
--------------------------------

In the next step I create om_ldap.conf in ~/sys and configure it as follows:
(my Scalix users are stored in the AD under OU=SCALIXDOM)
--------------------------------
~/sys/om_ldap.conf

host=AD.SCALDOM.LOCAL:389
search=subtree
base=OU=SCALIXDOM,DC=SCALDOM,DC=LOCAL
filter=cn=%s
--------------------------------

--> With this configuration I can't log in. The possible reason is that om_ldap could not use authentication to get information from the LDAP server; an option is that I give the anonymous user the right to read from the AD.

############################################

On page 63 it is described how to configure Scalix to authenticate with Kerberos.

I add a user "scalix-ual" with password "ual", in a new OU "SCALIX Services".

On the AD server, on the command line:
>> ~\Support Tools>ktpass.exe -princ scalix-ual/scalix.scaldom.local@SCA
>> LDOM.LOCAL -mapuser scalix-ual -pass ual -out c:\install\scalix-ua
>> l.keytab -kvno 3

Result ---->
-------------------------------------
Targeting domain controller: AD.SCALDOM.LOCAL
Using legacy password setting method
Successfully mapped scalix-ual/scalix.scaldom.local to scalix-ual.
WARNING: pType and account type do not match. This might cause problems.
Key created.
Output keytab to c:\install\scalix-ual.keytab:
Keytab version: 0x502
keysize 80 scalix-ual/scalix.scaldom.local@SCALDOM.LOCAL ptype 0 (KRB5_NT_UNKNOW
N) vno 3 etype 0x17 (RC4-HMAC) keylength 16 (0x52589b50c03965c687bca868e43a6a12)
-------------------------------------

I am not sure that this is OK with the warning that appeared. After some googling I found an adjusted command:
>> ~\Support Tools>ktpass.exe -princ scalix-ual/scalix.scaldom.local@SCA
>> LDOM.LOCAL -mapuser scalix-ual -pass ual -out c:\install\scalix-ual.keytab -kvno
>> 3 -crypto DES-CBC-MD5 -desonly -ptype KRB5_NT_PRINCIPAL

Result ---->
-------------------------------------
Targeting domain controller: AD.SCALDOM.LOCAL
Using legacy password setting method
Successfully mapped scalix-ual/scalix.scaldom.local to scalix-ual.
Key created.
Output keytab to c:\install\scalix-ual.keytab:
Keytab version: 0x502
keysize 72 scalix-ual/scalix.scaldom.local@SCALDOM.LOCAL ptype 1 (KRB5_NT_PRINCI
PAL) vno 3 etype 0x3 (DES-CBC-MD5) keylength 8 (0xad4c15f8131f1394)
-------------------------------------

I copied scalix-ual.keytab to the Scalix server into /var/keytab.
On the Scalix console I executed the following command to merge the file:

# ommergekeys /var/keytab/scalix-ual.keytab

To modify /etc/krb5.conf:

# omkrbconf -r SCALDOM.LOCAL -s AD.SCALDOM.LOCAL -d SCALDOM.LOCAL

Result ---->
-------------------------------------
Warning: /etc/krb5.conf already contains SCALDOM.LOCAL.
-------------------------------------

I ignore this warning.

# ommodu -o sst@SCALDOM.LOCAL --authid sst@SCALDOM.LOCAL

Result ---->
-------------------------------------
ommodu: The user was modified successfully
-------------------------------------

In the next step I edit ual.remote:

>>auth required om_krb5user user_unknown=ignore
>>auth optional om_auth use_first_pass
>>account required om_auth
>>password required om_auth

Now I was thinking that the login is OK.

Summary:

My AD user information:
user=sst pass=demopw

My Scalix user information:
Authentication ID: sst@SCALDOM.LOCAL
Globally Unique ID: mgKCp1Kn9E+TwZJmR6HQBw==
User Name : Stephan Stein /CN=Stephan Stein
MailNode : scaldom
Internet Address : "Stephan Stein" <Stephan.Stein@scaldom.local>
System Login : 60536
Password : unset
Admin Capabilities : NO
Mailbox Admin Capabilities : NO
Language : C
Mail Account: Unlocked
Last Signon : 09.01.08 11:09:01
Receipt of mail : ENABLED
Service level : 0
Excluded from Tidying : NO
Recovery Folder visible : NO
User Class : Limited
SIS URL : sxidx://scalix.scaldom.local/0510000093 ... 51.3.05.01

##############################

http://scalix/webmail
user: sst@SCALDOM.LOCAL
pass: demopw

Result --->
ERROR!

Any ideas?
-------------------------------------------------

Best regards from middle Germany
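The ktpass output in the post above prints each keytab entry's principal, name type, kvno, enctype and key length, and the first run produced an RC4-HMAC key while the adjusted command produced single-DES. Before a keytab is merged with ommergekeys it is worth checking those fields on the Scalix side too. The script below is an added example, not Scalix or Microsoft code: it parses the MIT keytab layout that ktpass writes (the "Keytab version: 0x502" in the post) and flags entries whose enctype is single DES or RC4-HMAC, both of which are deprecated. The sample keytab it builds uses the principal, ptype, vno and etype from the post's second run with constructed placeholder key bytes, not the key printed in the thread.

```python
"""Parse and audit a version-0x502 Kerberos keytab (added example, not Scalix code)."""
import struct
import sys
from dataclasses import dataclass
from typing import List, Sequence, Tuple

# Kerberos enctype numbers (RFC 3961, RFC 3962, RFC 4757) that matter for ktpass output.
ENCTYPE_NAMES = {
    1: "DES-CBC-CRC", 2: "DES-CBC-MD4", 3: "DES-CBC-MD5", 16: "DES3-CBC-SHA1",
    17: "AES128-CTS-HMAC-SHA1-96", 18: "AES256-CTS-HMAC-SHA1-96", 23: "RC4-HMAC",
}
WEAK_ENCTYPES = {1, 2, 3, 23}   # single DES (RFC 6649) and RC4-HMAC (RFC 8429) are deprecated
NAME_TYPES = {0: "KRB5_NT_UNKNOWN", 1: "KRB5_NT_PRINCIPAL", 2: "KRB5_NT_SRV_INST"}


@dataclass
class KeytabEntry:
    principal: str
    name_type: int
    kvno: int
    enctype: int
    key: bytes

    @property
    def weak(self) -> bool:
        return self.enctype in WEAK_ENCTYPES

    def describe(self) -> str:
        """One line in the shape of ktpass's own summary, plus a weakness flag."""
        return (f"{self.principal} ptype {self.name_type} ({NAME_TYPES.get(self.name_type, '?')}) "
                f"vno {self.kvno} etype {self.enctype:#x} ({ENCTYPE_NAMES.get(self.enctype, 'unknown')}) "
                f"keylength {len(self.key)}" + ("  WEAK" if self.weak else ""))


def _counted(s: str) -> bytes:
    b = s.encode()
    return struct.pack(">H", len(b)) + b


def encode_entry(principal: str, name_type: int, kvno: int, enctype: int,
                 key: bytes, timestamp: int = 0) -> bytes:
    """int32 size, then num_components, realm, components, name_type, timestamp, vno8, keyblock."""
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    body = struct.pack(">H", len(comps)) + _counted(realm) + b"".join(_counted(c) for c in comps)
    body += struct.pack(">IIB", name_type, timestamp, kvno & 0xFF)
    body += struct.pack(">HH", enctype, len(key)) + key
    return struct.pack(">i", len(body)) + body


def build_keytab(entries: Sequence[Tuple[str, int, int, int, bytes]]) -> bytes:
    return b"\x05\x02" + b"".join(encode_entry(*e) for e in entries)


def parse_keytab(data: bytes) -> List[KeytabEntry]:
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x502 keytab")
    off, out = 2, []
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:                       # negative size marks a deleted slot of that length
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        off += 2
        (rlen,) = struct.unpack_from(">H", data, off)
        realm = data[off + 2:off + 2 + rlen].decode()
        off += 2 + rlen
        comps = []
        for _ in range(ncomp):
            (clen,) = struct.unpack_from(">H", data, off)
            comps.append(data[off + 2:off + 2 + clen].decode())
            off += 2 + clen
        name_type, _ts, vno8 = struct.unpack_from(">IIB", data, off)
        off += 9
        enctype, klen = struct.unpack_from(">HH", data, off)
        off += 4
        key = data[off:off + klen]
        off += klen
        kvno = vno8
        if end - off >= 4:                 # optional 32-bit vno overrides vno8 when non-zero
            (vno32,) = struct.unpack_from(">I", data, off)
            kvno = vno32 or vno8
        off = end
        out.append(KeytabEntry("/".join(comps) + "@" + realm, name_type, kvno, enctype, key))
    return out


def weak_entries(data: bytes) -> List[str]:
    """Descriptions of the entries to reject before running ommergekeys."""
    return [e.describe() for e in parse_keytab(data) if e.weak]


def sample_keytab() -> bytes:
    """Constructed: principal/ptype/vno/etype of the post's second ktpass run, placeholder key."""
    return build_keytab([("scalix-ual/scalix.scaldom.local@SCALDOM.LOCAL", 1, 3, 3, bytes(8))])


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else sample_keytab()
    for entry in parse_keytab(data):
        print(entry.describe())
```

Run it with the keytab path as the only argument (`python keytab_audit.py /var/keytab/scalix-ual.keytab`, path taken from the post) or without arguments to audit the constructed sample. The "keysize 80" and "keysize 72" that ktpass reports correspond to the entry body length without the leading int32 size field, which is a handy cross-check that a parser has the layout right.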

Valerion
Scalix Star
Posts: 2730
Joined: Thu Feb 26, 2004 7:40 am
Location: Johannesburg, South Africa
Contact:

Postby Valerion » Wed Jan 09, 2008 9:53 am

Use the Scalix PAM debugging tools to see what the problem is.

1) Create a new PAM file called pamcheck
2) Start it with auth required om_debug file=stderr verbosity=3
3) Add the rest of your Kerberos info

Use sxpamauth to test the login and see what errors you get
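Alongside the om_debug/sxpamauth check Valerion suggests, it helps to know what a given ual.remote stack should decide once each module's result is known. The script below is an added example, not Scalix code: it parses the two auth stacks posted earlier in the thread and evaluates them under Linux-PAM's documented control-flag semantics (required, requisite, sufficient, optional). What om_ldap, om_krb5user and om_auth actually return in a situation is an assumption stated per scenario, including the assumption that `user_unknown=ignore` makes om_krb5user return "ignore" for a principal the KDC does not know; sxpamauth shows the real values.

```python
"""Evaluate a PAM auth stack under Linux-PAM control semantics (added example, not Scalix code)."""
from typing import Dict, List, Tuple

SUCCESS, FAIL, IGNORE = "success", "fail", "ignore"

# pam.conf(5) expands the simple keywords into these actions:
#   required   = [success=ok   default=bad]    requisite = [success=ok default=die]
#   sufficient = [success=done default=ignore] optional  = [success=ok default=ignore]
ACTIONS = {
    "required":   {SUCCESS: "ok",   FAIL: "bad"},
    "requisite":  {SUCCESS: "ok",   FAIL: "die"},
    "sufficient": {SUCCESS: "done", FAIL: "ignore"},
    "optional":   {SUCCESS: "ok",   FAIL: "ignore"},
}

Entry = Tuple[str, str, str, List[str]]   # (type, control, module, args)


def parse_pam_stack(text: str) -> List[Entry]:
    stack = []
    for raw in text.splitlines():
        line = raw.strip().lstrip(">").strip()   # the post quotes the file lines with ">>"
        if not line or line.startswith("#"):
            continue
        mtype, control, module, *args = line.split()
        if control not in ACTIONS:
            raise ValueError(f"unsupported control flag {control!r}")
        stack.append((mtype, control, module, args))
    return stack


def evaluate(stack: List[Entry], outcomes: Dict[str, str], phase: str = "auth") -> str:
    """outcomes maps module name -> what it returns; a module not listed fails."""
    impression = None              # None: no module has had a say yet; True/False otherwise
    for mtype, control, module, _args in stack:
        if mtype != phase:
            continue
        result = outcomes.get(module, FAIL)
        action = "ignore" if result == IGNORE else ACTIONS[control][result]
        if action == "ignore":
            continue
        if action == "die":        # requisite failure stops the stack at once
            return FAIL
        if action == "bad":        # required failure is remembered, the stack keeps running
            impression = False
        elif impression is None:   # a success counts only if nothing failed before it
            impression = True
        if action == "done" and impression:
            return SUCCESS         # sufficient short-circuits only without an earlier failure
    return SUCCESS if impression else FAIL   # no module having a say denies as well


# The two stacks exactly as posted in the thread.
LDAP_STACK = parse_pam_stack("""
>>auth sufficient om_ldap
>>auth required pam_deny
>>account required om_auth
>>password required om_auth
>>session required om_auth
""")

KRB5_STACK = parse_pam_stack("""
>>auth required om_krb5user user_unknown=ignore
>>auth optional om_auth use_first_pass
>>account required om_auth
>>password required om_auth
""")


def scenarios() -> Dict[str, str]:
    """Assumed module results per case (pam_deny always fails)."""
    return {
        "ldap: directory accepts password":       evaluate(LDAP_STACK, {"om_ldap": SUCCESS}),
        "ldap: bind or lookup fails":             evaluate(LDAP_STACK, {"om_ldap": FAIL}),
        "krb5: KDC accepts password":             evaluate(KRB5_STACK, {"om_krb5user": SUCCESS}),
        "krb5: KDC rejects, local password ok":   evaluate(KRB5_STACK, {"om_krb5user": FAIL, "om_auth": SUCCESS}),
        # assumption: user_unknown=ignore -> om_krb5user returns ignore; "Password: unset" -> om_auth fails
        "krb5: user unknown, local password unset": evaluate(KRB5_STACK, {"om_krb5user": IGNORE, "om_auth": FAIL}),
    }


if __name__ == "__main__":
    for name, verdict in scenarios().items():
        print(f"{name:45s} -> {verdict}")
```

Two consequences show up directly: in the LDAP stack every failure of om_ldap ends in pam_deny, so an anonymous bind that cannot read the directory denies everyone; in the Kerberos stack the optional om_auth can never rescue a KDC rejection, it only decides when om_krb5user steps aside.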

stony007_de
Posts: 111
Joined: Fri Jan 04, 2008 7:20 am

Postby stony007_de » Wed Jan 09, 2008 10:19 am

Sorry,

1. I create a PAM file (~/sys/pam.d/pamcheck)
2. I filled pamcheck with the string "auth required om_debug file=stderr verbosity=3"
3. .....??
- What do you mean with "Add the rest of your Kerberos info"?
- What kind of Kerberos information is needed?
- In what format should the info be?
-------------------------------------------------

Best regards from middle Germany

stony007_de
Posts: 111
Joined: Fri Jan 04, 2008 7:20 am

Postby stony007_de » Wed Jan 09, 2008 10:44 am

STOP!!!!

Thank you!!!!!!

It runs!!!

I configured my ual.remote again and the result --> "Authenticated"
-------------------------------------------------

Best regards from middle Germany

