I've installed Scalix Enterprise Edition 11.1 on RHEL5. I have omldapsync configured to import users and groups from an existing Windows 2003 Active Directory server (no Exchange). The enterprise extensions have been installed on the AD server, and omldapsync is configured with a type 11 agreement. I'm using pam_ldap to authenticate users against an existing OpenLDAP server.
So far user accounts are syncing properly and PAM authentication works, but omldapysync fails to sync my AD groups. I created a Scalix Mailbox for my test distribution group, FakeGroup1, and set the Mailnode. Here are the errors from a forced reload with the "omldapsync -i AD_SX" command:
Code: Select all
<?xml version="1.0" encoding="UTF-8"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
<SOAP-ENV:Header/>
<SOAP-ENV:Body>
<scalix-caa:CAARequestMessage xmlns:scalix-caa="http://www.scalix.com/caa">
<ServiceType>scalix.res</ServiceType>
<Credentials id="12345">
<Identity name="sxadmin" passwd="xxxxxxxx"/>
</Credentials>
<FunctionName>AddGroup</FunctionName>
<AddGroupParameters>
<user type="MAIL"/>
<mailNode name="marge"/>
<userAttributes>
<entity name="ENTRY-DESC" value="Fake Group 1"/>
<entity name="FOREIGN-ADDR" value="CN=FakeGroup1,OU=Staff,OU=Company,DC=example,DC=com"/>
<entity name="CN" value="FakeGroup1"/>
<entity name="GLOBAL-UNIQUE-ID" value="Rg2MmMFh9UCY0eHInPnL1A=="/>
<entity name="UL-AUTHID" value="FakeGroup1"/>
<entity name="INTERNET-ADDR" value=""FakeGroup1" <FakeGroup1@example.com>"/>
<entity name="ADMINISTERED-BY" value="ldapsync-AD_SX"/>
</userAttributes>
</AddGroupParameters>
</scalix-caa:CAARequestMessage>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>
>>>>>>>>SOAP Response
SOAP part:
<?xml version="1.0" encoding="UTF-8"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
<SOAP-ENV:Body>
<SOAP-ENV:Fault>
<faultcode>SOAP-ENV:Server</faultcode>
<faultstring>CAA Service Error</faultstring>
<detail>
<scalix-caa:fault-details xmlns:scalix-caa="http://www.scalix.com/caa">
<message>omaddpdl : [OM 4634] An attribute tag specified in the name/address is unknown or not allowed. :marge.example.com</message>
<errorcode>OM 4634</errorcode>
</scalix-caa:fault-details>
</detail>
</SOAP-ENV:Fault>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>
Here's the full omaddpdl command output from /var/opt/scalix/me/tomcat/logs/scalix-res.log:
Code: Select all
2007-07-18 17:05:16,915 DEBUG [CmdExecution.executeCmd:143] COMMAND: /opt/scalix/bin/omaddpdl -l CN=FakeGroup1/OU1=marge/UL-AUTHID=FakeGroup1/INTERNET-ADDR="FakeGroup1" <FakeGroup1@example.com>
<Command name="omaddpdl">
<Line value="omaddpdl : [OM 4634] An attribute tag specified in the name/address is unknown or not allowed."/>
and my sync.cfg:
Code: Select all
##################################################################
#
# Scalix LDAP Directory Synchronization configuration
# NOTE: this file must be edited with care before use
# Interactively editable fields are controlled by the following:
EDIT_PROMPT=JAVA_HOME EX_HOST EX_LOGON EX_PASS IM_HOST IM_CAA_URL IM_CAA_KEYSTORE IM_CAA_NAME IM_CAA_PASS EX_BASE1 EX_BASE2 EX_BASE3 IM_OMADDRESS
# Sync agreement type - see omldapsync man page
TYPE_ID=11
# Sync agreement id - set by argument
SYNC_ID=AD_SX
# NEXT_SYNCID: next sync agreement id to be executed after current
# agreement has completed, e.g. user sync followed by group sync
NEXT_SYNCID=
# JAVA_HOME: home directory of java installation
# e.g. "/usr/java/j2sdk1.4.2_02"
# 2007/07/17 - SAF: Changed path to Java below
JAVA_HOME=/usr/java/jre1.5.0_11
# The class path required by omldapagent java application (under
# /opt/scalix/svr/java/bin) is setup automatically by omldapsync to
# access dependent java libraries (under /opt/scalix/svr/java/lib)
##################################################################
#
# PART 1 General Configuration
##################################################################
# This section covers the settings required for tools to access
# both the remote and local systems for import or export.
# The general format is one or more line of <tag>=<value>
# Line starts with '#' is treated as comment
# When edited using omldaputil, do one of the followings:
# -presss <enter> to accept the default offered inside []
# -type in alternative <value> and press <enter>
# -do not quote the value with "" or ''
#
# PART 1.1 for IMPORT - remote host
##########################################
# EX_HOST: remote LDAP directory server name or IP address
# e.g. "remote_server.your_domain.com" or "192.168.1.216"
# 2007/07/17 - SAF: Added address for AD PDC below
EX_HOST=dawson.example.com
# EX_PORT: LDAP server port number
# e.g. "389" is normally used
EX_PORT=389
# EX_LOGON: user that can search/delete/add/modify directory
# your adminstrator or migration account is often used
# e.g. "cn=Export Admin,cn=users,dc=your_org,dc=com"
# 2007/07/17 - SAF: Added AD PDC administrator account below
EX_LOGON=cn=Administrator,cn=users,dc=example,dc=com
# EX_PASS: user password, or leave it blank so that omldapsync
# will prompt for it when executing import or export agreement
# NOTE: the prompt will prevent complete automation of sync process
# 2007/07/17 - SAF: Added AD PDC administrator password below
EX_PASS=***************
#
# PART 1.2 for IMPORT - local host
#########################################
# IM_HOST: local Scalix directory server name
# must specify FQDN where internet and user group will be imported
# e.g. "local_server.your_domain.com"
# 2007/07/17 - SAF: Added Scalix server name below
IM_HOST=marge.example.com
# IM_CAA_URL: Scalix CAA service url - must end with "/"
# e.g. "http://local_server.your_domain.com:8080/caa/"
# 2007/07/17 - SAF: Added Scalix server name below
IM_CAA_URL=http://marge.example.com/caa/
# IM_CAA_KEYSTORE: Scalix CAA service keystore for HTTPS only
# e.g "/var/opt/scalix/ldapsync/keystore"
IM_CAA_KEYSTORE=
# IM_CAA_ID: service login session-id
# e.g. "12345"
IM_CAA_ID=12345
# IM_CAA_NAME: service login auth-id, must have Scalix admin capability
# e.g. "user_name@your_domain.com"
# 2007/07/17 - SAF: Added Scalix administrator account below
IM_CAA_NAME=sxadmin
# IM_CAA_PASS: service login password, or leave it blank so that omldapsync
# will prompt for it when executing import or export agreement
# NOTE: the prompt will prevent complete automation of sync process
# 2007/07/17 - SAF: Added Scalix administrator password below
IM_CAA_PASS=**************
# IM_DELETE_MAILBOX: whether sync of mailbox delete will be applied to Scalix
# NOTE: set to "FALSE" to keep the mailbox and handle the deletion manually
IM_DELETE_MAILBOX=TRUE
# IM_FAIL2WARN_OPCODES: space separated list of opcodes that will be changed
# from failure to warning, a way to auto ignore certain type of error
# opcodes for add/modify/delete users=1/4/7 and groups=2/5/8
# opcodes for add/modify/delete members=3/3/9 and limits=12/12/-
# NOTE: should use a whole set, e.g. "3 9" to auto ignore all members error
IM_FAIL2WARN_OPCODES=
#
# PART 1.3 for IMPORT - ldap parameters
#######################################
# EX_SCALIX_ATTRS: list of resersed Scalix attributes in external directory
# to administer Scalix user/group from this remote master source
# e.g. "EX_SCALIX_MAILBOX EX_SCALIX_MAILNODE EX_SCALIX_MSGLANG ..."
EX_SCALIX_ATTRS=SCALIXHIDEUSERENTRY SCALIXMAILBOXCLASS SCALIXLIMITMAILBOXSIZE SCALIXLIMITOUTBOUNDMAIL SCALIXLIMITINBOUNDMAIL SCALIXLIMITNOTIFYUSER EX_SCALIX_MAILBOX EX_SCALIX_MAILNODE EX_SCALIX_MSGLANG EX_SCALIX_ADMIN EX_SCALIX_MBOXADMIN
# SCALIXHIDEUSERENTRY: name of attribute to specify whether the user entry
# should be hidden from Outlook address book
# e.g. "scalixHideUserEntry"
SCALIXHIDEUSERENTRY=scalixHideUserEntry
# SCALIXMAILBOXCLASS: name of attribute to specify whether the mailbox class
# should have full or limited features
# e.g. "scalixMailboxClass"
SCALIXMAILBOXCLASS=scalixMailboxClass
# SCALIXLIMITMAILBOXSIZE: name of attribute to specify whether Scalix limit
# on mailbox size is required, must use a numerical value >= zero
# e.g. "scalixLimitMailboxSize"
SCALIXLIMITMAILBOXSIZE=scalixLimitMailboxSize
# SCALIXLIMITOUTBOUNDMAIL: name of attribute to specify whether Scalix limit
# on outbound mail is required, must use a boolean value "true" or "false"
# e.g. "scalixLimitOutboundMail"
SCALIXLIMITOUTBOUNDMAIL=scalixLimitOutboundMail
# SCALIXLIMITINBOUNDMAIL: name of attribute to specify whether Scalix limit
# on inbound mail is required, must use a boolean value "true" or "false"
# e.g. "scalixLimitInboundMail"
SCALIXLIMITINBOUNDMAIL=scalixLimitInboundMail
# SCALIXLIMITNOTIFYUSER: name of attribute to specify whether Scalix limit
# on notify user is required, must use a boolean value "true" or "false"
# e.g. "scalixLimitNotifyUser"
SCALIXLIMITNOTIFYUSER=scalixLimitNotifyUser
# EX_SCALIX_MAILBOX: name of attribute to specify whether Scalix mailbox
# is required, yes if value is set to "true" or "scalix"
# e.g. "scalixScalixObject"
EX_SCALIX_MAILBOX=scalixScalixObject
# EX_SCALIX_MAILNODE: name of attribute to specify which Scalix mailnode
# to add the mailbox, must use "<ou1>,<ou2>,<ou3>,<ou4>" format
# e.g. "scalixMailnode"
EX_SCALIX_MAILNODE=scalixMailnode
# EX_SCALIX_MSGLANG: name of attribute to specify which Scalix message
# catalog language to use for client, default to "C" if not set
# e.g. "scalixServerLanguage"
EX_SCALIX_MSGLANG=scalixServerLanguage
# EX_SCALIX_ADMIN: name of attribute to specify whether to give the user
# Scalix admin capability, yes if value is set to "true"
# e.g. "scalixAdministrator"
EX_SCALIX_ADMIN=scalixAdministrator
# EX_SCALIX_MBOXADMIN: name of attribute to specify whether to give the user
# Scalix mailbox-admin capability, yes if value is set to "true"
# e.g. "scalixMailboxAdministrator"
EX_SCALIX_MBOXADMIN=scalixMailboxAdministrator
# EX_ATTR: attributes to extract from remote system for import
# e.g. "objectclass displayName sn givenname initials mail proxyAddresses mailNickname <etc>"
EX_ATTR=scalixHideUserEntry scalixMailboxClass scalixLimitMailboxSize scalixLimitOutboundMail scalixLimitInboundMail scalixLimitNotifyUser scalixScalixObject scalixMailnode scalixServerLanguage scalixAdministrator scalixMailboxAdministrator userAccountControl member distinguishedName userPrincipalName objectclass name displayName sn givenname initials mail scalixEmailAddress mailNickname objectGUID textEncodedORaddress facsimileTelephoneNumber homephone streetAddress st telephoneNumber title c company department description l mobile pager physicalDeliveryOfficeName postalCode secretary sAMAccountName
# 2007/07/17 - SAF: Appended "sAMAccountName" above
# EX_BASEn: search base(s) to extract entries from remote system
# specify a container name and its full LDAP suffix
# e.g. "cn=users,dc=your_org,dc=com"
# 2007/07/17 - SAF: Added four base values below
EX_BASE1=ou=Faculty,ou=Company,dc=example,dc=com
EX_BASE2=ou=Staff,ou=Company,dc=example,dc=com
EX_BASE3=ou=Student,ou=Company,dc=example,dc=com
EX_BASE4=ou=Other,ou=Company,dc=example,dc=com
EX_BASE5=
EX_BASE6=
EX_BASE7=
EX_BASE8=
EX_BASE9=
# NOTE: extra EX_BASE10 upto EX_BASE200 can be defined here
# EX_FILTER: search filter to include/exclude entries to import
# e.g. "(&(cn=*)(mail=*))" for any cn AND mail
EX_FILTER=(&(cn=*)(scalixScalixObject=TRUE))
# IM_OMADDRESS: Scalix address where where entries are imported
# NOTE: this is a route which you configure for coexistence
# e.g. "/internet,tnef" or "internet,tnef"
IM_OMADDRESS=/internet,tnef
# EX_GUID: the remote tag name for extracting Foreign GUID
# e.g. "objectGUID"
EX_GUID=objectGUID
# LDAPCT_BIN_ATT: must set value to EX_GUID if it is a binary attribute
# e.g. "objectGUID"
LDAPCT_BIN_ATT=objectGUID
# EX_PAGESIZE: use pagesize control extension to overcome search limit
# e.g. "100"
EX_PAGESIZE=1000
# EX_SCOPE: use one of sub, one, base to control search scope
# e.g. "sub"
#EX_SCOPE=sub
#
# PART 1.4 for EXPORT - ldap parameters
#######################################
# NOTE: export is not supported for this agreement type
#
# PART 2 Mapping Configuration
#################################################################
# WARNING: refer to documentation before editing the tables.
# This section defines the mappings required in order to map data
# between the remote and local LDAP systems for import or export.
# The general format is <lines of value> enclosed by markers.
# When edited using omldaputil, do one of the followings:
# -presss <enter> to accept the default offered inside []
# -type in alternative value and press <enter>
# -type in '-' to remove the line offered
# -type in '+<value> to insert it before current line
# For more details on all mapping rules see omldaputil man page.
#
# PART 2.1 for IMPORT - mapping table
#####################################
# Table format/content/comment:
# <table begin marker>
# <table end marker>
# except those in IM_MV_ATTR, only keep first instances
#####################################
# primary mapping table
IM_MAPPING_TABLE=
# tag the entry using sync agreement name
|ADMINISTERED-BY|*|ldapsync-AD_SX
# scalix reserved attributes
scalixHideUserEntry|EX-CDA-DIRECTORY|TRUE|1
scalixHideUserEntry|EX-CDA-DIRECTORY|FALSE|
# real classes full and limited are mapped as-is
# pseudo-class internet indicates "internet user"/contact type entry
scalixMailboxClass|UL-CLASS|FULL|*
scalixMailboxClass|UL-CLASS|LIMITED|*
scalixMailboxClass|UL-CLASS|INTERNET|
# for mailbox classes full and limited, set omMailbox to TRUE, false otherwise
scalixMailboxClass|omMailbox|FULL|TRUE
scalixMailboxClass|omMailbox|LIMITED|TRUE
scalixMailboxClass|omMailbox|INTERNET|FALSE
# ignore other values
scalixMailboxClass||*|
# Advanced Attributes
scalixLimitMailboxSize|scalixLimitMailboxSize|*|*
scalixLimitOutboundMail|scalixLimitOutboundMail|*|*
scalixLimitInboundMail|scalixLimitInboundMail|*|*
scalixLimitNotifyUser|scalixLimitNotifyUser|*|*
scalixMailnode|omMailnode|*|*
scalixServerLanguage|UL-IL|*|*
scalixAdministrator|ADMIN|*|*
scalixMailboxAdministrator|MBOXADMIN|*|*
# mailbox locking
userAccountControl|ACCOUNT_STATUS|*,1,10!FLAGUNSET=2|unlock
userAccountControl|ACCOUNT_STATUS|*,1,10!FLAGISSET=2|lock
# scalix object classes
objectClass|*|group|distributionList
objectClass|*|organizationalPerson|*
objectClass||*|#ignore others
# distinguished name
dn|*|*|*
# global unique id
objectGUID|GLOBAL-UNIQUE-ID|*|*
# common name
name|CN|*,1,64!ISMISSING=displayname|*
name||*|#suppress it otherwise
displayName|CN|*,1,64|*
# initial
initials|I|*,1,5|*
# surname
sn|S|*,1,40|*
# extract surname substitute if real is missing
textEncodedORaddress|S|*|!CUSTOM=EX_TEXT_EOA_TO_SN
# givenname if surname is present
givenName|G|*,1,16!ISPRESENT=surname|*
givenName||*|#suppress it otherwise
# primary internet address for non-scalix user
mail|INTERNET-ADDR|*,1,512!ISMISSING=scalixemailaddress|!CUSTOM=TX_IA_TO_QP_IA
mail||*|#suppress it otherwise
# all internet addresses for scalix user
scalixEmailAddress|INTERNET-ADDR|*,1,512|!CUSTOM=TX_IA_TO_QP_IA
# map to alias
mailNickname|ALIAS|*,1,16|*
# the DN of the entry
distinguishedName|FOREIGN-ADDR|*,1,512|*
# the DN of the group member
member|omMemberForeignAddr|*|*
# authentication id - note down/up shift the name/realm for SSO
# 2007/07/17 - SAF: Change 'userPrincipalName' to 'sAMAccountName' in line below
sAMAccountName|UL-AUTHID|*,1,256|!CUSTOM=TO_CANONICAL_PRINCIPAL
# informational attributes
facsimileTelephoneNumber|FAX|*,1,32|!CUSTOM=TO_PS_STR
homephone|HOME-PHONE|*,1,32|!CUSTOM=TO_PS_STR
streetAddress|STREET-ADDRESS|*,1,128|!REPLACE=\015\012|\012
st|STATE-OR-PROVINCE|*,1,128|*
telephoneNumber|PHONE-1|*,1,32|!CUSTOM=TO_PS_STR
title|TITLE|*,1,128|*
c|CNTRY|*,1,2|*
company|EMPL-ORG|*,1,64|*
department|EMPL-DEPT|*,1,32|*
description|ENTRY-DESC|*,1,1024|!REPLACE=\015\012|\012
l|L|*,1,128|*
mobile|MOBILE-PHONE|*,1,32|!CUSTOM=TO_PS_STR
pager|PAGER-PHONE|*,1,32|!CUSTOM=TO_PS_STR
physicalDeliveryOfficeName|PD-OFFICE-NAME|*,1,128|*
postalCode|POSTAL-CODE|*,1,40|*
secretary|ASSISTANT-PHONE|*,1,32|!CUSTOM=TO_PS_STR
#Telephone-Office2|PHONE-2|*,1,32|*
=END_MAPPING_TABLE
#####################################
# secondary mapping table
#IM_MAPPING_TABLE2=
#*|*|*|*
#=END_MAPPING_TABLE
#
# PART 2.2 for EXPORT - mapping tables
######################################
# Table format/content/comment:
# <table begin marker>
# <table end marker>
# except those in EX_MV_ATTR, only keep first instances
#####################################
# primary mapping table
EX_MAPPING_TABLE=
*|*|*|*
=END_MAPPING_TABLE
#####################################
# secondary mapping table
#EX_MAPPING_TABLE2=
#*|*|*|*
#=END_MAPPING_TABLE
#
# END
#################################################################
Through some trial and error, I learned that the omaddpdl doesn't like the "UL-AUTHID=FakeGroup1" part of the command issued by omldapsync. I tried commenting out the line in the sync.cfg that references "UL-AUTHID", but then my user accounts were imported with the wrong authentication IDs. The group was imported, but I was unable to add members to it. Any ideas what I should try next? Thanks!
--Steve