Moving to OpenLDAP at a later point?
Posted: Sun Dec 18, 2005 8:57 pm
by mephisto
Hi,
currently we have two samba domains connected by a VPN. I am considering using OpenLDAP for authenticating both my samba servers and scalix. We are not using scalix yet, so this might seem the perfect time to introduce LDAP authentication. My problem is that the budget probably only covers the new scalix server, but not the LDAP installation costs. Also I am planning to use Samba4 (having an own LDAP server included) when it becomes stable, another reason to wait with the LDAP move.
Now my question is whether installing Scalix with local users now and changing to LDAP authentication at a later point would be possible and painless.
Regards,
Frederik
Re: Moving to OpenLDAP at a later point?
Posted: Mon Dec 19, 2005 5:43 am
by ScalixSupport
mephisto wrote:Hi,
currently we have two samba domains connected by a VPN. I am considering using OpenLDAP for authenticating both my samba servers and scalix. We are not using scalix yet, so this might seem the perfect time to introduce LDAP authentication. My problem is that the budget probably only covers the new scalix server, but not the LDAP installation costs. Also I am planning to use Samba4 (having an own LDAP server included) when it becomes stable, another reason to wait with the LDAP move.
Now my question is whether installing Scalix with local users now and changing to LDAP authentication at a later point would be possible and painless.
Regards,
Frederik
Hello,
it is possible and rather painless. One obvious caveat though is that users may need to use a different password when you switch to OpenLDAP. The switch itself is a mere change in the PAM stack. I am pasting the necessary doc here:
Cheers,
Sascha.
Code:
Configuring Scalix to Use LDAP Authentication with PAM
This Scalix Technical Note (STN) describes how to allow users to authenticate with their LDAP passwords against an LDAP-compliant directory when accessing their Scalix mailboxes.
Steps
1. Determine the LDAP field used for uniqueness for all users (typically this is UID), and record this for all users, by simply capturing to a file.
ldapsearch -xh localhost -b dc=company,dc=com
2. Using ommodu, add the value from the uniqueness field into each user's "authid" field in the Scalix directory
ommodu -o "Al Alpha" --authid Aalpha
3. Modify UAL.REMOTE in the var/opt/scalix/sys/pam.d directory
auth sufficient om_ldap
auth sufficient om_auth
auth required pam_deny
account required om_auth
password optional om_ldap
password required om_auth
password required om_sasl
session required om_auth
Note: the second line “auth sufficient om_auth” will provide a secondary opportunity to access the mailbox if invalid credentials are passed to the LDAP source. The second line however compares the credentials to the Scalix directory. Remove this line if you do not wish to provide this.
4. In the /var/opt/scalix/sys directory create your om_ldap.conf.
host=oldmail.company.local
search=subtree
base=dc=company,dc=local
filter=uid=%s
Note: in this example the LDAP “uid” field is used for uniqueness
5. Stop, then start Scalix services.
The authentication logic implemented through PAM will first attempt to use the LDAP directory, but if this fails, will attempt authentication against the Scalix directory. Since users who have "use stored password" checked have already been able to log in using the Scalix directory, there would be no way to tell which directory they authenticated against. To validate that the functionality is working properly, choose a user who has a different LDAP password than their Scalix password. Use the following sequence of steps.
a. Log in to Outlook, and on the Scalix logon screen enter the LDAP password. The user should be able to log in successfully.
b. Log in to Outlook, and on the Scalix logon screen enter the Scalix password. The user should be able to log in successfully.
c. Log in to Outlook, and on the Scalix logon screen enter an incorrect password. The login should fail.
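To see what the UAL.REMOTE stack in the note actually decides, here is an added example (not part of the Scalix note or either post) that parses the quoted file and walks its "auth" chain with pam.d(5) control-flag rules, once as written and once with the "auth sufficient om_auth" fallback line removed as the note suggests. Module outcomes for om_ldap and om_auth are supplied per scenario rather than obtained from the real modules.

```python
"""Evaluate the 'auth' chain of the UAL.REMOTE file quoted above.
Constructed example: the file text is the note's; module outcomes are
supplied per scenario instead of calling real PAM modules."""

UAL_REMOTE = """\
auth sufficient om_ldap
auth sufficient om_auth
auth required pam_deny
account required om_auth
password optional om_ldap
password required om_auth
password required om_sasl
session required om_auth
"""

def parse_pam_stack(text, mgmt_group="auth"):
    """Return [(control, module), ...] for one management group."""
    return [(f[1], f[2]) for f in (ln.split() for ln in text.splitlines())
            if len(f) >= 3 and f[0] == mgmt_group]

def run_pam_stack(stack, module_results):
    """pam.d(5) rules for the flags this file uses. module_results maps
    module -> bool; pam_deny always fails. sufficient: success ends the
    chain unless a required module already failed, failure is ignored;
    required: failure is remembered but the chain continues."""
    required_failed = any_success = False
    for control, module in stack:
        ok = module != "pam_deny" and module_results.get(module, False)
        if control == "sufficient" and ok and not required_failed:
            return True
        if control == "required":
            required_failed |= not ok
            any_success |= ok
    return any_success and not required_failed

def without_fallback(stack):
    """Note's variant: drop 'auth sufficient om_auth' so a stale Scalix password no longer works."""
    return [e for e in stack if e != ("sufficient", "om_auth")]

def login_outcomes(stack):
    """Scenarios a/b/c from the note: LDAP password, Scalix password, wrong."""
    return {
        "ldap_password": run_pam_stack(stack, {"om_ldap": True, "om_auth": False}),
        "scalix_password": run_pam_stack(stack, {"om_ldap": False, "om_auth": True}),
        "wrong_password": run_pam_stack(stack, {"om_ldap": False, "om_auth": False}),
    }
```

With the fallback line present, step b succeeds because the old Scalix-directory password is still accepted; with it removed, only the LDAP password opens the mailbox, which is the trade-off the note's "Remove this line" remark describes.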
Posted: Mon Dec 19, 2005 7:16 am
by mephisto
Beautiful. Thank you.