Integrate Scalix over existing infrastructure OpenLDAP/Samba

Best practice information from Scalix users relating to integration of Scalix with other products.

Moderator: ScalixSupport

at4net

Integrate Scalix over existing infrastructure OpenLDAP/Samba

Postby at4net » Mon Feb 16, 2009 12:11 pm

Hi all,

I'm evaluating Scalix to install in my organization.

Our directory infrastructure is based on an OpenLDAP server for Unix and Samba accounts.

My OpenLDAP server is fully functional and only accepts binds if the connection is over TLS (SSL connection over port 389).

I've tried to use my OpenLDAP installation as central user management, but omldapsync returns the error:

ldap_bind: Not an LDAP errno 13

Viewing the logs on my OpenLDAP server, it seems that omldapsync does not start a TLS connection.

Attached is my sync.cfg:
##################################################################
#
# Scalix LDAP Directory Synchronization configuration
# NOTE: this file must be edited with care before use
# Interactively editable fields are controlled by the following:
EDIT_PROMPT=JAVA_HOME EX_HOST EX_LOGON EX_PASS IM_HOST IM_CAA_URL IM_CAA_KEYSTORE IM_CAA_NAME IM_CAA_PASS EX_BASE1 EX_BASE2 EX_BASE3 IM_OMADDRESS
# Sync agreement type - see omldapsync man page
TYPE_ID=13
# Sync agreement id - set by argument
SYNC_ID=at4sync
# NEXT_SYNCID: next sync agreement id to be executed after current
# agreement has completed, e.g. user sync followed by group sync
NEXT_SYNCID=
# JAVA_HOME: home directory of java installation
# e.g. "/usr/java/j2sdk1.4.2_02"
#JAVA_HOME=/usr/java/j2sdk1.4.2_02
JAVA_HOME=/usr/java/jre1.5.0_17
# The class path required by omldapagent java application (under
# /opt/scalix/svr/java/bin) is setup automatically by omldapsync to
# access dependent java libraries (under /opt/scalix/svr/java/lib)
##################################################################
#
# PART 1 General Configuration
##################################################################
# This section covers the settings required for tools to access
# both the remote and local systems for import or export.
# The general format is one or more line of <tag>=<value>
# Line starts with '#' is treated as comment
# When edited using omldaputil, do one of the following:
# -press <enter> to accept the default offered inside []
# -type in alternative <value> and press <enter>
# -do not quote the value with "" or ''
#
# PART 1.1 for IMPORT - remote host
##########################################
# EX_HOST: remote LDAP directory server name or IP address
# e.g. "remote_server.your_domain.com" or "192.168.1.216"
EX_HOST=ldap-cluster.in.at4.net
# EX_PORT: LDAP server port number
# e.g. "389" is normally used
EX_PORT=389
# EX_LOGON: user that can search/delete/add/modify directory
# your administrator or migration account is often used
# e.g. "cn=Export Admin,cn=users,dc=your_org,dc=com"
EX_LOGON=cn=root,dc=in,dc=at4,dc=net
# EX_PASS: user password, or leave it blank so that omldapsync
# will prompt for it when executing import or export agreement
# NOTE: the prompt will prevent complete automation of sync process
EX_PASS=
#
# PART 1.2 for IMPORT - local host
#########################################
# IM_HOST: local Scalix directory server name
# must specify FQDN where internet and user group will be imported
# e.g. "local_server.your_domain.com"
IM_HOST=correo.in.at4.net
# IM_CAA_URL: Scalix CAA service url - must end with "/"
# e.g. "http://local_server.your_domain.com:8080/caa/"
# IM_CAA_KEYSTORE: Scalix CAA service keystore for HTTPS only
# e.g "/var/opt/scalix/ldapsync/keystore"
IM_CAA_KEYSTORE=
# IM_CAA_ID: service login session-id
# e.g. "12345"
IM_CAA_ID=12345
# IM_CAA_NAME: service login auth-id, must have Scalix admin capability
# e.g. "user_name@your_domain.com"
IM_CAA_NAME=sxadmin
# IM_CAA_PASS: service login password, or leave it blank so that omldapsync
# will prompt for it when executing import or export agreement
# NOTE: the prompt will prevent complete automation of sync process
IM_CAA_PASS=
# IM_DELETE_MAILBOX: whether sync of mailbox delete will be applied to Scalix
# NOTE: set to "FALSE" to keep the mailbox and handle the deletion manually
IM_DELETE_MAILBOX=FALSE
# IM_DELETE_LIMIT: absolute or percentage of total object deletions allowed
# NOTE: if delete count exceeds the limit then report error and terminate
# e.g. "50" for 50 deletions or "50%" for 50% deletions from the total
IM_DELETE_LIMIT=50%
# IM_FAIL2WARN_OPCODES: space separated list of opcodes that will be changed
# from failure to warning, a way to auto ignore certain type of error
# opcodes for add/modify/delete users=1/4/7 and groups=2/5/8
# opcodes for add/modify/delete members=3/3/9 and limits=12/12/-
# NOTE: should use a whole set, e.g. "3 9" to auto ignore all members error
IM_FAIL2WARN_OPCODES=
#
# PART 1.3 for IMPORT - ldap parameters
#######################################
# EX_ATTR: attributes to extract from remote system for import
# e.g. "member dn uid objectClass displayName sn givenname initials mail entryUUID cn <etc>"
EX_ATTR=scalixHideUserEntry scalixMailboxClass scalixLimitMailboxSize scalixLimitOutboundMail scalixLimitInboundMail scalixLimitNotifyUser scalixScalixObject scalixMailnode scalixServerLanguage scalixAdministrator scalixMailboxAdministrator scalixEmailAddress member dn uid objectClass displayName sn givenname initials mail entryUUID cn facsimileTelephoneNumber homephone street st telephoneNumber title c company departmentNumber description l mobile pager physicalDeliveryOfficeName postalCode
# EX_BASEn: search base(s) to extract entries from remote system
# specify a container name and its full LDAP suffix
# e.g. "cn=users,dc=your_org,dc=com"
EX_BASE1=ou=accounts,ou=Samba,dc=in,dc=at4,dc=net
EX_BASE2=
EX_BASE3=
EX_BASE4=
EX_BASE5=
EX_BASE6=
EX_BASE7=
EX_BASE8=
EX_BASE9=
# NOTE: extra EX_BASE10 upto EX_BASE200 can be defined here
# EX_FILTER: search filter to include/exclude entries to import
# e.g. "(&(cn=*)(|(mail=*)(scalixEmailAddress=*))(|(objectClass=inetOrgPerson)(objectClass=groupOfNames)))"
EX_FILTER=(&(cn=*)(|(mail=*)(scalixEmailAddress=*))(|(objectClass=inetOrgPerson)(objectClass=groupOfNames)))
# IM_OMADDRESS: Scalix address where remote entries are imported
# NOTE: this may be an internet route configured for coexistence
# If the remote entry supplies its own route then to use it in
# preference to the default a special '@' prefix must be added.
# e.g. "/internet" or "internet"
IM_OMADDRESS=/internet
# IM_MV_ATTR: mapped attributes that can be imported with multi values
# e.g. "objectClass INTERNET-ADDR omMemberForeignAddr"
IM_MV_ATTR=objectClass INTERNET-ADDR omMemberForeignAddr
# EX_GUID: the remote tag name for extracting Foreign GUID
# e.g. "entryUUID"
EX_GUID=entryUUID
# LDAPCT_BIN_ATT: must set value to EX_GUID if it is a binary attribute
# e.g. ""
LDAPCT_BIN_ATT=
# EX_PAGESIZE: use pagesize control extension to overcome search limit
# e.g. "100"
EX_PAGESIZE=1000
# EX_SCOPE: use one of sub, one, base to control search scope
# e.g. "sub"
#EX_SCOPE=sub
#
# PART 1.4 for EXPORT - ldap parameters
#######################################
# NOTE: export is not supported for this agreement type
#
# PART 2 Mapping Configuration
#################################################################
# WARNING: refer to documentation before editing the tables.
# This section defines the mappings required in order to map data
# between the remote and local LDAP systems for import or export.
# The general format is <lines of value> enclosed by markers.
# When edited using omldaputil, do one of the following:
# -press <enter> to accept the default offered inside []
# -type in alternative value and press <enter>
# -type in '-' to remove the line offered
# -type in '+<value>' to insert it before current line
# For more details on all mapping rules see omldaputil man page.
#
# PART 2.1 for IMPORT - mapping table
#####################################
# Table format/content/comment:
# <table begin marker>
# <table end marker>
# except those in IM_MV_ATTR, only keep first instances
#####################################
# primary mapping table
IM_MAPPING_TABLE=
# tag the entry using sync agreement name
|ADMINISTERED-BY|*|ldapsync-at4sync
# scalix reserved attributes
scalixHideUserEntry|EX-CDA-DIRECTORY|TRUE|1
scalixHideUserEntry|EX-CDA-DIRECTORY|FALSE|
scalixMailboxClass|UL-CLASS|*|*
scalixLimitMailboxSize|*|*|*
scalixLimitOutboundMail|*|*|*
scalixLimitInboundMail|*|*|*
scalixLimitNotifyUser|*|*|*
scalixScalixObject|omMailbox|*|*
scalixMailnode|omMailnode|*|*
scalixServerLanguage|UL-IL|*|*
scalixAdministrator|ADMIN|*|*
scalixMailboxAdministrator|MBOXADMIN|*|*
# scalix object classes
objectClass|*|groupOfNames|distributionList
objectClass|*|inetOrgPerson|organizationalPerson
objectClass||*|#ignore others
# distinguished name
dn|*|*|*
# global unique id
entryUUID|GLOBAL-UNIQUE-ID|*|*
# common name
cn|CN|*,1,64!ISMISSING=displayName|*
cn||*|#suppress it otherwise
displayName|CN|*,1,64|*
# initial
initials|I|*,1,5|*
# surname
sn|S|*,1,40|*
# use cn for surname if sn is missing
cn|S|*,1,40!ISMISSING=sn|*
# given name is mapped if surname is present
givenName|G|*,1,16!ISPRESENT=sn|*
givenName||*|#suppress it otherwise
# primary internet address for non-scalix user
mail|INTERNET-ADDR|*,1,512!ISMISSING=scalixEmailAddress|!CUSTOM=TX_IA_TO_QP_IA
mail||*|#suppress it otherwise
# all internet addresses for scalix user
scalixEmailAddress|INTERNET-ADDR|*,1,512|!CUSTOM=TX_IA_TO_QP_IA
# the DN of the entry
dn|FOREIGN-ADDR|*,1,512|*
# the DN of the group members
member|omMemberForeignAddr|*|*
# authentication id
uid|UL-AUTHID|*|*
# informational attributes
facsimileTelephoneNumber|FAX|*,1,32|!CUSTOM=TO_PS_STR
homephone|HOME-PHONE|*,1,32|!CUSTOM=TO_PS_STR
street|STREET-ADDRESS|*,1,128|!REPLACE=\033J|\012
st|STATE-OR-PROVINCE|*,1,128|*
telephoneNumber|PHONE-1|*,1,32|!CUSTOM=TO_PS_STR
title|TITLE|*,1,128|*
c|CNTRY|*,1,2|*
company|EMPL-ORG|*,1,64|*
departmentNumber|EMPL-DEPT|*,1,32|*
description|ENTRY-DESC|*,1,1024|!REPLACE=\033J|\012
l|L|*,1,128|*
mobile|MOBILE-PHONE|*,1,32|!CUSTOM=TO_PS_STR
pager|PAGER-PHONE|*,1,32|!CUSTOM=TO_PS_STR
physicalDeliveryOfficeName|PD-OFFICE-NAME|*,1,128|*
postalCode|POSTAL-CODE|*,1,40|*
=END_MAPPING_TABLE
#####################################
# secondary mapping table
#IM_MAPPING_TABLE2=
#*|*|*|*
#=END_MAPPING_TABLE
#
# PART 2.2 for EXPORT - mapping tables
######################################
# Table format/content/comment:
# <table begin marker>
# <table end marker>
#
#####################################
# primary mapping table
EX_MAPPING_TABLE=
*|*|*|*
=END_MAPPING_TABLE
#####################################
# secondary mapping table
#EX_MAPPING_TABLE2=
#*|*|*|*
#=END_MAPPING_TABLE
#
# END
#################################################################


And the /var/opt/scalix/co/s/sys/om_ldap.conf file:

host=ldap-cluster.in.at4.net
search=subtree
base=ou=accounts,ou=Samba,dc=in,dc=at4,dc=net
filter=uid=%s
tls=on
debug=3

Getting this integration working is critical for us in order to use Scalix.

Thanks in advance.

billb3
Scalix Star
Posts: 464
Joined: Mon May 26, 2008 8:56 pm
Location: Kingston, NY

Postby billb3 » Tue Feb 17, 2009 12:01 am

I don't use TLS/SSL on my ldap server, so I can't speak from experience. But I did see this in the wiki:

http://scalix.org/wiki/index.php?title= ... leshooting
I experienced trouble when trying to use TLS (SSL) with my LDAP. I was not able to login to webmail at all using any user accounts created via the ldapsync process. Disabling TLS on my LDAP server solved it. I'm not sure if it was an improperly configured LDAP server or if Scalix can't speak SSL over LDAP.

Valerion
Scalix Star
Posts: 2730
Joined: Thu Feb 26, 2004 7:40 am
Location: Johannesburg, South Africa

Postby Valerion » Tue Feb 17, 2009 1:44 am

Not too sure if SSL/TLS is supported, I haven't yet tested that extensively.

I suggest you enable plaintext connections from the Scalix server only. That way you can also trace the traffic to see where any errors occur. Alternatively you can try to put stunnel in client mode on the Scalix server and use that to speak to OpenLDAP.

at4net

Postby at4net » Tue Feb 17, 2009 5:04 am

I think that using stunnel with a cleartext password is good as a temporary solution, but in an enterprise environment it is not as desirable as using native support for TLS connections.

Thanks to all.

Valerion wrote: Not too sure if SSL/TLS is supported, I haven't yet tested that extensively.

I suggest you enable plaintext connections from the Scalix server only. That way you can also trace the traffic to see where any errors occur. Alternatively you can try to put stunnel in client mode on the Scalix server and use that to speak to OpenLDAP.

CharlieBrooks

Re: Integrate Scalix over existing infrastructure OpenLDAP/Samba

Postby CharlieBrooks » Fri May 01, 2009 5:10 pm

Stunnel is OK for enterprise use; or, at least, plenty of enterprises use it. But I didn't bother with it.

What I did was implement a local OpenLDAP slave node on the Scalix server, and configure the ACLs in OpenLDAP to permit unencrypted access from the loopback (127.0.0.1) only for omldapsync. Since Scalix natively uses port 389 (although I hope that will eventually change) I had to put the OpenLDAP slave on a different port, but that is easy enough.

Since synchronization is on an encrypted port (636), all the unencrypted traffic is on loopback and never hits the wiring. Scalix and Samba run faster with local lookup, too.
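One way to build the loopback-only replica CharlieBrooks describes, as an added example that is not from this thread or from Scalix: a slapd.conf fragment for a syncrepl consumer on the Scalix host that pulls from the master over LDAPS and accepts plaintext binds only from 127.0.0.1. The replica port (1389), the replication DN, the certificate and schema paths and the database directory are assumptions; the master hostname, suffix and port 636 come from the thread.

```conf
# slapd.conf for an OpenLDAP replica on the Scalix host (constructed example).
# Start it with the plaintext listener bound to loopback on a port other than 389,
# which Scalix already occupies:
#   slapd -h "ldap://127.0.0.1:1389/ ldaps://0.0.0.0:636/" -f /etc/openldap/slapd-replica.conf
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/nis.schema
include         /etc/openldap/schema/samba.schema          # path assumed

TLSCertificateFile    /etc/openldap/certs/replica.crt     # paths assumed
TLSCertificateKeyFile /etc/openldap/certs/replica.key
TLSCACertificateFile  /etc/openldap/certs/ca.crt

database        bdb
suffix          "dc=in,dc=at4,dc=net"
directory       /var/lib/ldap-replica                      # assumed
rootdn          "cn=root,dc=in,dc=at4,dc=net"

# Pull a read-only copy from the master over LDAPS (port 636 as in the thread).
# The replication bind DN and its credential are placeholders.
syncrepl rid=001
         provider=ldaps://ldap-cluster.in.at4.net:636
         type=refreshAndPersist
         retry="60 +"
         searchbase="dc=in,dc=at4,dc=net"
         bindmethod=simple
         binddn="cn=replicator,dc=in,dc=at4,dc=net"
         credentials=REPLACE_WITH_REPLICATION_PASSWORD
         tls_cacert=/etc/openldap/certs/ca.crt
         tls_reqcert=demand
updateref       ldaps://ldap-cluster.in.at4.net:636

# Password attributes (Unix and Samba) may only be used for a bind when the
# session is TLS-protected (SSF >= 128) or arrives on the loopback interface,
# which is where omldapsync connects. Every other bind attempt is refused.
access to attrs=userPassword,sambaNTPassword,sambaLMPassword
        by self ssf=128 write
        by anonymous ssf=128 auth
        by anonymous peername.ip=127.0.0.1 auth
        by * none

# Directory contents are readable by authenticated users under the same rule.
access to *
        by users ssf=128 read
        by users peername.ip=127.0.0.1 read
        by * none
```

With the replica in place, EX_HOST and EX_PORT in sync.cfg (and host in om_ldap.conf) can point at 127.0.0.1 and the replica port instead of ldap-cluster.in.at4.net, so the only plaintext LDAP traffic never leaves the host.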

