Installing on FC4

netpenthe
Posts: 42
Joined: Tue Feb 21, 2006 10:20 pm

Installing on FC4

Postby netpenthe » Wed May 10, 2006 3:23 am

********************************************************************************
Installing Scalix 10 onto Fedora Core 4 and integrating with OpenLDAP.

Not sure if this is helpful, but people have helped me a great deal
so I thought I'd post my notes.

The setup:

(ext mail relay)-------> (internal mail relay) -------> (scalix)

We use Postfix on the (internal mail relay) so that we can do spam and virus filtering using the 'content_filter' part of Postfix.

1. Install vanilla FC4 with LVM (LVM is required for backups)
Note I previously had Zimbra on my initial server, the Scalix rep here
advised me to re-install FC4, I initially didn't but ran into some weird
troubles, so in the end I put in a vanilla FC4 - not saying you will
have this trouble, but the 20 minutes it takes to put a clean install
in is probably worth it.

1a. Install Java SDK (usually will go in /usr/java/)

2. Make sure /etc/hosts is correct. Note the second line
this HAS to be correct (FC might screw this around).

   # Do not remove the following line, or various programs
   # that require network functionality will fail.
   127.0.0.1       localhost.localdomain localhost
   10.20.20.1      scalixmail.xxx.com scalixmail


3. Download Scalix and start the installer
- You're likely to get problems when it's doing the environment check.
- If you get network problems check Step 2 above!
- If you have dependency issues, just ctrl-Z (background) the installer
and install using:

   $> yum install compat-libstdc++-296    # the package you will probably need


- 'fg' the process and run the checks again
- install all parts of scalix

4. Now scalix is installed, that wasn't too hard.
Most scalix stuff is stored in weird directories (for a FC user anyway):

   - /var/opt/scalix
   - /opt/scalix
   - /opt/scalix-tomcat
   - /etc/opt/scalix


5. Now login to the web interface:
- http://<hostname>/webmail

Also login to the administrators interface:
- http://<hostname>/sac

6. You'll probably want to make some users now to see how things work, go ahead
and create a user from the Admin interface. Notice the "Advanced" tab for
that user, in here will be the "Authentication ID" - this is important as
this says what will be used against your LDAP.

7. Now you'll want to use your LDAP. You need to do two things to get this to
work:
1. Authenticate against LDAP
2. Import users from your LDAP


8. Authenticate against an external LDAP
This is quite easy, you need to edit/create /var/opt/scalix/sys/om_ldap.conf
to contain the details of your ldap server:

   host=ldap.xxx.com
   search=subtree
   base=ou=Users,dc=xxx,dc=com
   filter=uid=%s
   tls=off


this didn't work for someone, so maybe try:

   host=ldap.xxx.com
   search=none
   dn=uid=%s,ou=xxx,dc=xxx,dc=xxx,dc=xxx,dc=xxx
   tls=off


Then you have to create /var/opt/scalix/sys/pam.d/ual.remote which is
similar to the normal PAM stuff:

   auth sufficient om_ldap
   auth sufficient om_auth use_first_pass
   auth required pam_deny
   account required om_auth
   password optional om_ldap
   password required om_auth nullok
   session required om_auth

(In one of the forums someone says you have to edit pam.d/pop3 and pam.d/imap
or something, but I haven't done this and mine seems to work okay)

Once this is done, you'll want to restart your scalix server and try to login
to the account you created in Step 6 trying the external LDAP password. To
make this test make any sense at all, you'll need to check that the
"Authentication ID" (see Step 6) is what your external LDAP uses. You'll also
want to make sure the password you set on the Scalix server for the user in
Step 6 is different to the password on your external LDAP, so that you can
prove to yourself it is actually reading your external LDAP.

9. Importing users
This is the most difficult/painful/annoying step. I recommend using a dev
environment for this.

Scalix can't keep in sync with a normal OpenLDAP server using Replication
(Slurpd in OpenLDAP's case). Apparently there is no protocol standard for
LDAP replication which is a real shame. Instead you have to use a Scalix
script that you put in crontab(!) to run every X minutes that will hopefully
keep things in sync.

Sounds reasonable doesn't it.

The script to do this is called "omldapsync" and is found in /opt/scalix/bin.
Omldapsync uses a config file to talk with your external LDAP or Active
Directory or whatever. In this way you can have different "syncid"'s that
are used for different directories (i.e. you could sync to multiple
directories). These 'syncid's are numbered.

For LDAP, they have assigned it the number '13'. You can see a sample config
called "ldapsync13.cfg" in /var/opt/scalix/sys. The problem here is that
this config file doesn't seem to be used when omldapsync is run. Instead
I ran omldapsync interactively and configured up the LDAP sync configuration
through that.

NOTE: you are likely to have to set the correct path to the JAVA SDK you
installed above (by default it looks for JAVA in something like
/usr/java/jdk-1.4_04)

To do this, run:

/opt/scalix/bin/omldapsync -i 13


This should bring up a menu of options, the first thing that needs to be
done is "Configure the LDAP dir sync settings".

This is really quite a painful step, go through and fill in what you can.
The 'mapping' stuff is where you are able to map external LDAP attributes to
Scalix attributes. When doing this, remember that for an attribute to be
read from your local LDAP, you will HAVE to add it to 'EX_ATTR' before you
can reference it.

Once you've finished editing this to the best of your ability, exit it and
it will attempt some tests which presumably test your external LDAP.
If these fail, go back and edit the config some more and try again.

Finally this should work and you'll want to try to
"Force a complete (re)load of the directory".

Hopefully this works for you. If it doesn't, you can activate the 'debug'
mode to test it.

Once you've successfully imported some users you should be able to use
"/opt/scalix/bin/omldapsearch cn=*" to list the entries in Scalix's LDAP.
This should now include some imported users.

At this point have a look at the administration page: http://<hostname>/sac
you should be able to see your new users.

*NOTE* In our case, we needed to have all 'mailLocalAddress' entries
imported as mail aliases. This was done by using 'omldapsync -i 13' and
editing the import mapping to:

mailLocalAddress|INTERNET-ADDR|*,1,512|!SPRINTF=%s@mydomain.com


As can be seen, the 'SPRINTF' function is used, there are other functions
that can be used too - see 'man omldaputil'

9. Add Scalix schema to your LDAP

Although you can see the users in your Scalix administration webpage these
users can't login!!!

In my setup they didn't have the 'Manager of' and 'Advanced' tabs in the
administrator console.

To fix this I had to add the Scalix schema to my external OpenLDAP server
and set some values. To do this:
Copy the /var/opt/scalix/sys/ldapsync13.schema into your external LDAP's
schema directory.
(For a FC OpenLDAP server this means:
- copy ldapsync13.schema to /etc/openldap/schema/
- edit /etc/openldap/slapd.conf to include this new schema and
restart the server)

Now add some Scalix attributes to your users in this external LDAP. I added

     exScalixObject: TRUE
     exScalixMsglang: ENGLISH
     exScalixAdmin: TRUE
     exScalixMboxadmin: FALSE
     exScalixMailnode: <mailnode>

(These seem to be in flux - we added 'exScalixMailboxClass' too and mapped it to 'UL-CLASS' in omldapsync so that we can control if a user was a Premium or Standard user in our ldap tools)

I used JXplorer (a Java LDAP administration program) to do this.
Note the "exScalixMailnode:" should probably be the name of the mailnode
of your server (can be found in the administration webpage under "Server info").

Now use the "omldapsync -i 13" script from step 8 to delete all users and
re-import them. Now when you open the Scalix administration web page they
should have "Manager of" and "Advanced" tabs.


10. Scalix can only create imported users as "Limited" (i.e. no calendars!)
To change a user to be a Premium user, use:

   $> ommodu <username> --class full


11. Make sure users can have 'Personal Contacts'. Because we are using an
external LDAP for authentication, we need to make sure that a user can
use the local LDAP for storing 'Personal Contacts'.

This is done through the file: /var/opt/scalix/sys/pam.d/omsldapeng

Need to make this file read:

    auth            sufficient      om_ldap
    auth            sufficient      om_auth
    auth            required        pam_deny
    account         required        om_auth
    password        required        om_auth
    session         required        om_auth

-- see http://portal.knowledgebase.net/display ... =0.3656885


12. In our setup we have our scalix mail being routed through a relay
(which handles all the aliasing/groups etc). In this situation we have
users on Scalix having the email address <user>@scalix1.<mydomain>.com.
The problem was that their emails were being sent out with this email
address as the 'From:'.

To fix this, alter the /etc/mail/sendmail.mc file and enter:

         MASQUERADE_AS(`mydomain.com')


Then run:

         $> make -C /etc/mail sendmail.cf

This should rewrite all outgoing mail to come from <mydomain>.com

Notes: As we have the (Internal mail relay) we needed to add an
rfc822MailMember entry into LDAP to get mail
sent to the scalix server. If you do this (on a Sendmail or Postfix box)
you will need to add the scalix server in your transport tables, e.g:

   scalix1.mydomain.com    smtp:scalix1.mydomain.com     

(Remember to 'postmap' the file).


********************************************************************************
Impressions:
- For those administrators used to complete control with Sendmail/Postfix/Qmail,
this is a change.
- You're not going to know what's going on as much (or maybe you will over time).
There are 350+ binaries to control everything - this is bordering on insane.
- I'm using a Dual Xeon P4 2.8 with 5 73Gig SCSI RAID5. I only have 1Gig RAM in it (I've ordered more), and the web interface is quite laggy (especially the SAC). I'm hoping the RAM upgrades fix it.
- It's a *lot* nicer user interface
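
Added example, not part of netpenthe's post or of Scalix: a small evaluator for the `auth` lines of the `ual.remote` (step 8) and `omsldapeng` (step 11) stacks, showing which passwords each stack accepts. It assumes standard Linux-PAM control-flag semantics and that `om_auth` succeeds on the password stored in Scalix; module outcomes are supplied as inputs, and the function names are made up for the illustration.

```python
# Added example (not from the post). Assumes standard Linux-PAM control-flag
# semantics; om_ldap / om_auth outcomes are passed in, no server is contacted.
UAL_REMOTE = """\
auth sufficient om_ldap
auth sufficient om_auth use_first_pass
auth required pam_deny
account required om_auth
password optional om_ldap
password required om_auth nullok
session required om_auth
"""
OMSLDAPENG = """\
auth            sufficient      om_ldap
auth            sufficient      om_auth
auth            required        pam_deny
account         required        om_auth
password        required        om_auth
session         required        om_auth
"""

def parse_stack(text, facility="auth"):
    """Return [(control, module)] for one facility, in file order."""
    stack = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 3 and fields[0] == facility:
            stack.append((fields[1], fields[2]))
    return stack

def authenticate(stack, results):
    """Walk the stack; results maps module -> bool, pam_deny always fails."""
    required_failed = required_ok = False
    for control, module in stack:
        ok = module != "pam_deny" and results.get(module, False)
        if control == "sufficient":
            if ok and not required_failed:
                return True          # success ends the walk immediately
        elif control == "requisite" and not ok:
            return False             # failure ends the walk immediately
        elif control in ("required", "requisite"):
            required_ok, required_failed = required_ok or ok, required_failed or not ok
        # 'optional' is ignored here: it only matters as the sole module
    return required_ok and not required_failed

def accepted_credentials(stack_text):
    """Which password (external LDAP, local Scalix) gets a user in?"""
    stack = parse_stack(stack_text)
    case = lambda ldap, local: authenticate(stack, {"om_ldap": ldap, "om_auth": local})
    return {"ldap_only": case(True, False), "local_only": case(False, True),
            "neither": case(False, False)}

if __name__ == "__main__":
    for name, text in (("ual.remote", UAL_REMOTE), ("omsldapeng", OMSLDAPENG)):
        print(name, accepted_credentials(text))
```

Both stacks accept either password, so the step 8 test with two different passwords confirms that the external LDAP is consulted, while the local Scalix password stays a working credential that has to be managed as well.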

ScalixSupport
Scalix
Posts: 5503
Joined: Thu Mar 25, 2004 8:15 pm

Postby ScalixSupport » Mon May 15, 2006 6:26 pm

Thanks for that. Great to see folks giving back to the community.

Best wishes,
Don

skk54

Postby skk54 » Sun May 21, 2006 5:41 am

netpenthe,
Can I ask how many users you are supporting and what mail volume is running on your setup as stated in your original post :-
I'm using a Dual Xeon P4 2.8 with 5 73Gig SCSI RAID5. I only have 1Gig RAM in it (I've ordered more)

Thanks.

