Scalix 11, openldap, samba, external groups

Best practice information from Scalix users relating to integration of Scalix with other products.

Moderator: ScalixSupport

hughesjr
Posts: 32
Joined: Wed Dec 20, 2006 3:00 pm

Scalix 11, openldap, samba, external groups

Postby hughesjr » Sun Dec 24, 2006 12:09 pm

OK ...

I have an existing openldap authentication database for samba and I would like to be able to bring over both the groups and users to scalix.

I am able to bring over the users and groups fine ... but group membership is an issue.

Here is what a group looks like in openldap:
# sshusers, Groups, example.com
dn: cn=sshusers,ou=Groups,dc=example,dc=com
objectClass: sambaGroupMapping
objectClass: posixGroup
objectClass: scalixUserClass
displayName: sshusers
sambaGroupType: 2
sambaSID: S-1-5-21-3516781642-1962875130-3438800523-3035
description: Users allowed SSH access
gidNumber: 1017
cn: sshusers
memberUid: hughesjr
scalixScalixObject: TRUE
scalixMailnode: mail
scalixEmailAddress: sshusers@crm.example.com



I did this in sync.conf to get the groups to show up on my scalix server when using omldapsync:

EX_BASE2=ou=Groups,dc=example,dc=com
EX_FILTER=(&(cn=*)(|(mail=*)(scalixEmailAddress=*))(|(objectClass=inetOrgPerson)(objectClass=sambaGroupMapping)))
IM_MV_ATTR=objectClass INTERNET-ADDR memberUid

#in the IM_MAPPING_TABLE= entry
memberUid|omMemberForeignAddr|*|*


What I end up with in scalix is this:
cn=sshusers, o=Scalix
cn=sshusers
objectClass=top
objectClass=distributionList
objectClass=mhsDistributionList
objectClass=scalixDistributionList
surname=sshusers
description=Users allowed SSH access
mhsORAddresses=S=sshusers/OU1=mail/CN=sshusers
omInternetAddr=sshusers@crm.example.com
mail=sshusers@crm.example.com
rfc822Mailbox=sshusers@crm.example.com
omAddress=sshusers /mail/CN=sshusers
omMailnode=mail
omCn=sshusers
omForeignAddr=cn=sshusers,ou=Groups,dc=example,dc=com
omGlobalUniqueId=1e250a6e-227e-102b-88d4-fcae9bc2e961
omLocalUniqueId=3504
omAdministeredBy=ldapsync-${2}


So there are no entries for omMemberForeignAddr in the scalix group.

I created a normal scalix group (via sac) called testgroup and assigned my remote user (hughesjr) to it ... it looks like this:

cn=testgroup, o=Scalix
cn=testgroup
objectClass=top
objectClass=distributionList
objectClass=mhsDistributionList
objectClass=scalixDistributionList
surname=testgroup
mhsORAddresses=S=testgroup/OU1=mail/CN=testgroup
omInternetAddr="testgroup" <testgroup@crm.example.com>
mail=testgroup@crm.example.com
rfc822Mailbox=testgroup@crm.example.com
omAddress=testgroup /mail/CN=testgroup
omMailnode=mail
omCn=testgroup
omGlobalUniqueId=08c100003af9d854-352.0.861.291
omLocalUniqueId=7312


These groups are strikingly similar and I notice that the group testgroup does not put its members in the group definition, but instead puts the group's omLocalUniqueId in the definition for the user.

Is this the required way to get users in a group ... by adding the omLocalUniqueId of the group to the user's entry? Or, would making an entry like "omMemberForeignAddr=hughesjr" in the group definition work?

(this server is Scalix 11 GA, if that makes a difference ... new install, no upgrades)

If omLocalUniqueId is the way, will I have to build some kind of external ldap script to make that happen, or can I do it in the sync.cfg?

if I do modify the local ldap database using omldapmodify to add the proper group omLocalUniqueId to the user, will it work ... and is that the proper way to accomplish this???

----------------------
Another question would be ... can I just grab the groups via ldap (I have authentication working against the ldap server right now) and use those groups to assign permissions to items (like resources, public folders, etc.) ... or do I have to get the groups and memberships into the local LDAP database to do that).
Last edited by hughesjr on Sun Dec 24, 2006 12:29 pm, edited 1 time in total.

hughesjr
Posts: 32
Joined: Wed Dec 20, 2006 3:00 pm

Postby hughesjr » Sun Dec 24, 2006 12:28 pm

BTW ...

I get no errors in the sync (command: omldapsync -I -M -u example) ... it does show this in the file import/modify.curr.memb

dn: cn=sshusers,ou=Groups,dc=example,dc=com
objectClass: sambaGroupMapping
objectClass: posixGroup
objectClass: scalixUserClass
displayName: sshusers
description: Users allowed SSH access
cn: sshusers
memberUid: hughesjr
entryUUID: 1e250a6e-227e-102b-88d4-fcae9bc2e961
scalixScalixObject: TRUE
scalixMailnode: mail
scalixEmailAddress: sshusers@crm.example.com

dn: cn=sshusers,ou=Groups,dc=example,dc=com
ADMINISTERED-BY: ldapsync-${2}
CN: sshusers
ENTRY-DESC: Users allowed SSH access
FOREIGN-ADDR: cn=sshusers,ou=Groups,dc=example,dc=com
GLOBAL-UNIQUE-ID: 1e250a6e-227e-102b-88d4-fcae9bc2e961
INTERNET-ADDR: sshusers@crm.example.com
objectClass: distributionList
omMailbox: TRUE
omMailnode: mail
omMemberForeignAddr: hughesjr-unchanged-
S: sshusers


Here is what the sync.log says:
2006-12-24 08:33:46 STATUS: LDAP dir sync import example completed #############
2006-12-24 08:46:51 INFO: work dir is /var/opt/scalix/sx/s/ldapsync/example/import
2006-12-24 08:46:51 STATUS: search source directory on ldap.crm.example.com ...
2006-12-24 08:46:51 INFO: search base is ou=Users,dc=example,dc=com
2006-12-24 08:46:52 INFO: ... 97 entries to check
2006-12-24 08:46:53 INFO: search base is ou=Groups,dc=example,dc=com
2006-12-24 08:46:53 INFO: ... 26 entries to check
2006-12-24 08:46:54 STATUS: modify all records from ldap.crm.example.com ...
2006-12-24 08:46:54 STATUS: find delta and perform mapping ...
2006-12-24 08:46:59 INFO: ... 0 entries to delete
2006-12-24 08:46:59 INFO: ... 0 entries to add
2006-12-24 08:46:59 INFO: ... 123 entries to modify
2006-12-24 08:46:59 STATUS: apply membdelete data against Scalix ...
2006-12-24 08:47:14 INFO: ... 18 entries passed for member.curr
2006-12-24 08:47:14 INFO: ... 0 entries failed for member.curr
2006-12-24 08:47:14 INFO: ... 0 entries warned for member.curr
2006-12-24 08:47:14 STATUS: apply delete data against Scalix ...
2006-12-24 08:47:14 INFO: ... 0 entries passed for delete.curr
2006-12-24 08:47:14 INFO: ... 0 entries failed for delete.curr
2006-12-24 08:47:14 INFO: ... 0 entries warned for delete.curr
2006-12-24 08:47:14 STATUS: apply add data against Scalix ...
2006-12-24 08:47:14 INFO: ... 0 entries passed for add.curr
2006-12-24 08:47:14 INFO: ... 0 entries failed for add.curr
2006-12-24 08:47:14 INFO: ... 0 entries warned for add.curr
2006-12-24 08:47:14 STATUS: apply limit data against Scalix ...
2006-12-24 08:47:14 INFO: ... 0 entries passed for add.curr
2006-12-24 08:47:14 INFO: ... 0 entries failed for add.curr
2006-12-24 08:47:14 INFO: ... 0 entries warned for add.curr
2006-12-24 08:47:14 STATUS: apply modify data against Scalix ...
2006-12-24 08:49:33 INFO: ... 123 entries passed for modify.curr
2006-12-24 08:49:33 INFO: ... 0 entries failed for modify.curr
2006-12-24 08:49:33 INFO: ... 0 entries warned for modify.curr
2006-12-24 08:49:33 STATUS: apply limit data against Scalix ...
2006-12-24 08:49:39 INFO: ... 0 entries passed for modify.curr
2006-12-24 08:49:39 INFO: ... 0 entries failed for modify.curr
2006-12-24 08:49:39 INFO: ... 0 entries warned for modify.curr
2006-12-24 08:49:39 STATUS: apply membadd data against Scalix ...
2006-12-24 08:49:39 INFO: ... 0 entries passed for member.curr
2006-12-24 08:49:39 INFO: ... 0 entries failed for member.curr
2006-12-24 08:49:39 INFO: ... 0 entries warned for member.curr
2006-12-24 08:49:39 STATUS: apply membmodify data against Scalix ...
2006-12-24 08:49:54 INFO: ... 18 entries passed for member.curr
2006-12-24 08:49:54 INFO: ... 0 entries failed for member.curr
2006-12-24 08:49:54 INFO: ... 0 entries warned for member.curr
2006-12-24 08:49:54 STATUS: LDAP dir sync import example completed #############
--
Johnny Hughes
CentOS-4 Lead Developer

hughesjr
Posts: 32
Joined: Wed Dec 20, 2006 3:00 pm

Postby hughesjr » Wed Dec 27, 2006 10:24 am

OK ... still working this issue ... (I had accepted (-A) errors before, so that is why there were not any errors on my subsequent syncs)

I am starting to understand how this sync thing works.

anyway ... it seems that the problem is this:

Failed to obtain CN, MailNode for all the members in the Request SOAP Document from LDAP server scalix.crm.example.com


Using my original group (sshusers) ... it seems that in order to get users in the scalix group, they need more than just their username provided ... however, that is all that is provided for memberUid in samba.

SO ... who is the expert on what is needed to be passed into the group create section besides just the uid?
--

Johnny Hughes

CentOS-4 Lead Developer

hughesjr
Posts: 32
Joined: Wed Dec 20, 2006 3:00 pm

Postby hughesjr » Wed Dec 27, 2006 1:40 pm

Hmmm ....

This is getting really ugly.

I have the EXACT same problem as this thread:

http://www.scalix.com/community/viewtopic.php?t=3123

The original poster said he fixed it and that he would post the results ... but he seems to have forgotten :cry:

From what I see ... I need to provide something that looks like this to get samba/openldap groups mapped as a foreign group:

member: cn=username,ou=Users,dc=example,dc=com

and that is included in:

objectclass: groupOfNames

HOWEVER ....

posixGroups and groupOfNames are mutually exclusive in the current LDAP schema files unless one modifies nis.schema to make posixGroups change to SUP top AUXILIARY. See this very long thread:

http://www.mail-archive.com/ldap@listse ... 00322.html

However, my samba domain needs posixGroups (as that is how smbldap tools and ldap-account-manager are written, which is what I use to control groups) ... and I do not think I want to heavily modify the source to those.

I think I will try to create (or use) another auxiliary objectclass that I can assign this to:

member: cn=username,ou=Users,dc=example,dc=com

Then I can try and change the mapping for that new objectclass to groupOfNames in the IM_MAPPING_TABLE= section in sync.cfg

Anybody have any comments or am I going to spend the rest of the year talking to myself ???
--

Johnny Hughes

CentOS-4 Lead Developer

hughesjr
Posts: 32
Joined: Wed Dec 20, 2006 3:00 pm

Postby hughesjr » Wed Dec 27, 2006 1:51 pm

OK ...

Let me try some easier questions :lol:

1. In the sync.cfg, can I call a separate script for mapping? Are there examples somewhere if the answer is yes.

(I see things like !CUSTOM=xxxxx, but can that be an external script?)

2. Maybe the easy answer to this is to not bring over members at all from openldap ... but just bring over the groups, and then run a script that checks membership externally by comparing Scalix to openldap and updates scalix accordingly?
--

Johnny Hughes

CentOS-4 Lead Developer

jaga0
Posts: 62
Joined: Fri May 12, 2006 10:00 pm

Postby jaga0 » Wed Dec 27, 2006 2:07 pm

hughesjr wrote: OK ...

Let me try some easier questions :lol:

1. In the sync.cfg, can I call a separate script for mapping? Are there examples somewhere if the answer is yes.

(I see things like !CUSTOM=xxxxx, but can that be an external script?)


See if this helps: http://www.scalix.com/community/viewtopic.php?t=2139

hughesjr
Posts: 32
Joined: Wed Dec 20, 2006 3:00 pm

Postby hughesjr » Wed Dec 27, 2006 8:38 pm

jaga0 - Indeed that does help :lol:

I was able to take the map file from that link and write a map that will import the samba groups.

I need to create some error checking in script ... it blows up with no real warnings if there is something wrong.

However ... here is the map file as it works for me now:

1. to use this you need the openldap-clients package (that is the name in Fedora, Red Hat, CentOS ... not sure in other distros{whatever provides the executable ldapsearch}) installed on the scalix server. It might be possible to modify the ldapsearch parameters to make it work with omldapsearch.

2. You need the following code in the sync.cfg file for your connector:


EX_ATTR=memberUid (plus all the other default values)
EX_BASE1=ou=Users,dc=example,dc=com
EX_BASE2=ou=Groups,dc=example,dc=com
EX_FILTER=(&(cn=*)(|(mail=*)(scalixEmailAddress=*))(|(objectClass=inetOrgPerson)(objectClass=posixGroup)))
IM_MV_ATTR=objectClass INTERNET-ADDR omMemberForeignAddr

#objectClass|*|groupOfNames|distributionList
objectClass|*|posixGroup|distributionList

# the DN of the group members
#member|omMemberForeignAddr|*|*
memberUid|omMemberForeignAddr|*|!SCRIPT=memberuid.map --ldifrec sourcefile


3. Here is the memberuid.map ... it goes in /var/opt/scalix/**/*/rules
(on my system ... **/* is sx/s ... for Version 11, this path varies):


#!/bin/sh
##########################################################################
#
# memberuid.map - used to import openldap posixGroups memberUid to
# Scalix omMemberForeignAddr which will populate a scalix distributionlist
# with the openldap group information, including members.
#
# See this link for instructions to use:
# http://www.scalix.com/community/viewtopic.php?t=5405#23861
#
##########################################################################
# Wed Dec 27 2006 Johnny Hughes <johnny@centos.org> 1.0
# - Original Release
#
# Sun Dec 31 2006 Johnny Hughes <johnny@centos.org> 1.0.1
# - Modified the new_member ldapsearch to filter by uid in the search
#   instead of with grep.  Should speed up the interface as less records
#   are initially returned.
# - "omldapsearch" can be substituted for "ldapsearch -x", if desired. Also
#   requiring change is "^omForeignAddr\:" to "^omForeignAddr\="
##########################################################################

# handle "<start>": announce that the mapper is ready
rep="220 Subject Mapper Ready"
echo "$rep"

# loop to process commands; omldapsync sends one command per line and
# expects exactly one reply line per command
Quit="FALSE"
while read cmd
do
    case "$cmd" in
    "HELO"*)
        # handle "HELO<SP><text>": return ok status
        rep="250 Ok"
        ;;
    "SUBJECT:"*)
        # handle "SUBJECT:<text>": <text> is the memberUid value from
        # openldap; look up the Scalix user whose omForeignAddr starts with
        # that uid and reply with the full omForeignAddr (the user's DN in
        # the external directory)
        uid=`printf '%s\n' "$cmd" | sed -e "s/^SUBJECT://"`
        new_member=`ldapsearch -h 127.0.0.1 -x "(&(objectClass=person)(omForeignAddr=uid=$uid,*))" | grep "^omForeignAddr\:" | cut -f 2 -d ":" | sed -e "s/^ //"`
        # enable the echos below for error checking (creates files in the
        # sync import directory); new_member is empty when no user matched
        #
        #echo cmd: $cmd >> newfile.$uid
        #echo uid: $uid >> newfile.$uid
        #echo new_member: $new_member >> newfile.$uid

        rep="252 $new_member"
        ;;
    "QUIT"*)
        # handle "QUIT<SP><text>": return status, set flag to exit loop
        rep="221 Subject Mapper Close"; Quit="TRUE"
        ;;
    *)
        # handle "<others>": return error status
        rep="500 Unrecognised Command or Syntax Error"
        ;;
    esac

    # must reply to each command
    echo "$rep"
    if [ "X$Quit" = "XTRUE" ]
    then
        break
    fi
done

exit 0


4. There is an example script in /opt/scalix/examples/general called subject.map.

Help concerning the script and the sync.cfg file can be found using:

man omldapsync
man omldaputil


5. This requires that you have added the following attributes to each of your groups in openldap:


objectClass: scalixUserClass
scalixScalixObject: TRUE
scalixMailnode: your_mailnode_name
scalixEmailAddress: some_group_name@example.com
Last edited by hughesjr on Mon Jan 01, 2007 7:36 am, edited 3 times in total.
--

Johnny Hughes

CentOS-4 Lead Developer
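The memberUid lookup that memberuid.map does with ldapsearch, grep and cut, as an added Python example (not code from the thread or from Scalix): it escapes the uid before it goes into the filter, hands the filter to ldapsearch as an argv entry rather than through a shell string, unfolds ldapsearch's continuation lines and decodes base64 values, and fails loudly when there is not exactly one match, which is the case the shell version passes on as "252 " with no warning. The function names and the folded SAMPLE_LDIF are this example's own.

```python
# Added example, not from the thread: the memberUid -> omForeignAddr lookup
# that memberuid.map does with "ldapsearch | grep | cut", with the checks
# the pipeline lacks (RFC 4515 escaping, LDIF unfolding, match counting).
import base64
import re

def escape_filter_value(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    return ''.join('\\%02x' % ord(ch) if ch in '\\*()\x00' else ch
                   for ch in value)

def member_filter(uid):
    """The filter the posted script builds, with the uid escaped."""
    return '(&(objectClass=person)(omForeignAddr=uid=%s,*))' % escape_filter_value(uid)

def ldapsearch_argv(uid, host='127.0.0.1'):
    """argv for subprocess.run(); no shell ever parses the uid."""
    return ['ldapsearch', '-x', '-h', host, '-LLL', member_filter(uid), 'omForeignAddr']

def unfold_ldif(text):
    """Join LDIF continuation lines (a leading space continues the line above)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(' ') and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def foreign_addrs(ldif_text):
    """Every omForeignAddr value in ldapsearch output; '::' values are base64."""
    values = []
    for line in unfold_ldif(ldif_text):
        m = re.match(r'^omForeignAddr(::?) ?(.*)$', line)
        if m:
            val = m.group(2)
            if m.group(1) == '::':
                val = base64.b64decode(val).decode('utf-8')
            values.append(val.strip())
    return values

def mapper_reply(uid, ldif_text):
    """'252 <omForeignAddr>' as the mapper protocol expects, or LookupError
    when there is not exactly one match (the shell version replies '252 ')."""
    found = foreign_addrs(ldif_text)
    if len(found) != 1:
        raise LookupError('uid %r: expected 1 omForeignAddr, got %d' % (uid, len(found)))
    return '252 ' + found[0]

# Constructed sample in ldapsearch's folded LDIF form (not a real capture).
SAMPLE_LDIF = """dn: cn=hughesjr,o=Scalix
omForeignAddr: uid=hughesjr,ou=Users,dc=example,d
 c=com
"""
```

In the real mapper the LDIF text comes from subprocess.run(ldapsearch_argv(uid), capture_output=True, text=True).stdout; the sample only stands in for that output.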

vlaurenz
Posts: 123
Joined: Wed May 31, 2006 3:41 pm

Postby vlaurenz » Thu Dec 28, 2006 12:57 pm

Glad it worked out for you Johnny.

Are you running v10 or v11? We're running v10 on CentOS 4.4 and will probably be upgrading sometime next month.

florian
Scalix
Scalix
Posts: 3852
Joined: Fri Dec 24, 2004 8:16 am
Location: Frankfurt, Germany

Postby florian » Thu Dec 28, 2006 2:20 pm

omldapsync - except for a couple of minor bug fixes - hasn't changed from v10 to v11, so it shouldn't really matter too much for this context.

Florian.
Florian von Kurnatowski, Die Harder!

hughesjr
Posts: 32
Joined: Wed Dec 20, 2006 3:00 pm

Postby hughesjr » Thu Dec 28, 2006 3:37 pm

I am using CentOS-4.4 and Version 11 of scalix ....

For anyone who would rather use omldapsearch instead of ldapsearch .... this should work for the newmember line in the map script equally well:


# omldapsearch prints "omForeignAddr=<value>" (no ":"), so strip the
# attribute name with sed instead of cutting on ":"
new_member=`omldapsearch -h 127.0.0.1 "(&(objectClass=person)(omForeignAddr=uid=$uid,*))" | grep "^omForeignAddr\=" | sed -e "s/^omForeignAddr=//"`


I also created a version of openldap that has smbk5pwd that some openldap authenticators may find handy:

http://www.scalix.com/community/viewtopic.php?t=5431
--

Johnny Hughes

CentOS-4 Lead Developer

tdegouw
Posts: 26
Joined: Thu Jun 12, 2008 10:42 am

Postby tdegouw » Thu Jun 12, 2008 11:09 am

Thanks, this was almost what I needed. In our LDAP the user ids are stored in the memberUid variable. Hence I needed some way to transform these into the values stored in the omForeignAddr.

For example :


memberUid=jdoe
memberUid=mhork
memberUid=pdwaas


You can alter the script above a little to get the correct uid's from the ldap and convert them to cnames as shown in your omForeignAddr (ldapsearch -x).


new_member=`omldapsearch -h 127.0.0.1 "(&(objectClass=person)(|(omUlAuthid=$uid)))" | grep "^omForeignAddr\=" |  cut -c 15- | sed -e "s/^ //"`

