Pulling contacts from AD

cdclark
Posts: 73
Joined: Tue Mar 07, 2006 2:20 pm

Postby cdclark » Thu Mar 16, 2006 12:39 pm

I'm looking to add another LDAP directory to SWA. I read the instructions in the Install Guide Page 103, and followed them to the best of my ability, but without success. (SWA hangs at login when I have this 3rd directory configured, returns to normal when I comment out the new stuff).

I also searched the forum and came across this: http://www.scalix.com/community/viewtop ... ght=filter

However, if I am to believe the Install guide, just adding the server's info to swa.properties should be sufficient, I should not have to mess around with slapd, etc.

Prior to using Scalix I would add an LDAP directory to our users' Outlook that pointed to our AD domain controller. The search base configured there would be cn=users,dc=ourdomain,dc=com.

So that's what I put in the baseDN line.

However, it also requires a valid user account to access the directory, supplied in the form DOMAIN\username (I suppose username@domain.com might work also).

Not everyone on the Scalix server has an account on the AD domain, so I'd like to specify a username AND password in the config. Is that possible?

As for the search filter... I'm lost. Does anyone have a template for an AD LDAP search filter, or would the default one in the install guide work?

msweeney
Posts: 17
Joined: Mon Feb 27, 2006 2:29 pm

Postby msweeney » Fri Mar 17, 2006 12:07 pm

Curious how to do this as well.

ScalixSupport
Scalix
Posts: 5503
Joined: Thu Mar 25, 2004 8:15 pm

Postby ScalixSupport » Mon Mar 20, 2006 10:15 am

Hi,

Turns out this is fairly straightforward. It's just that I accidentally trashed my W2K AD while testing it out ;-) Thank god for VM images...

Anyway, to enable SWA to _anonymously_ query an external AD, this is what you need to do:

1) Enable anonymous querying of AD. Nothing describes it better than this document, even though it was written by Novell. The MSFT docs are useless. The document can be found here: http://www.novell.com/coolsolutions/appnote/15120.html

2) Add the relevant swa.properties:

swa.ldap.4.type=system
swa.ldap.4.server=lab1.uk.scalix.com
swa.ldap.4.port=389
swa.ldap.4.baseDN=cn=users,dc=uk,dc=scalix,dc=com
swa.ldap.4.displayName.resourceLabel=AD
swa.ldap.4.authType=none
swa.ldap.4.filter=(|(mail=%s*)(cn=%s*)(givenname=%s*)(sn=%s*))
swa.ldap.4.addressSearchLimit=100
swa.ldap.4.search.1.header=true
swa.ldap.4.search.1.type=name
swa.ldap.4.search.1.name.resourceID=addressbooksearch_label_name
swa.ldap.4.search.1.name.resourceLabel=Name
swa.ldap.4.search.1.dirAttribute=cn
swa.ldap.4.search.2.header=true
swa.ldap.4.search.2.type=email
swa.ldap.4.search.2.name.resourceID=addressbooksearch_label_email
swa.ldap.4.search.2.name.resourceLabel=Email Address
swa.ldap.4.search.2.dirAttribute=mail

3) restart Tomcat

You can of course edit the search filter above, but this is what worked for me.

Cheers,

Sascha.
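To sanity-check a swa.ldap.N.* block like the one above before restarting Tomcat, here is a small added example (not Scalix code, not from this thread). It parses the properties, flags a missing key, an unbalanced filter or an anonymous authType, and shows how the %s placeholder in the filter should be filled with an RFC 4515-escaped search term. The sample block is copied from the post above; the checks and the escaping routine are my own.

```python
import re

# Sample input: the swa.ldap.4.* block posted above (search.* lines omitted).
SAMPLE_PROPERTIES = """\
swa.ldap.4.type=system
swa.ldap.4.server=lab1.uk.scalix.com
swa.ldap.4.port=389
swa.ldap.4.baseDN=cn=users,dc=uk,dc=scalix,dc=com
swa.ldap.4.authType=none
swa.ldap.4.filter=(|(mail=%s*)(cn=%s*)(givenname=%s*)(sn=%s*))
swa.ldap.4.addressSearchLimit=100
"""

# Keys this example treats as required; taken from the block above.
REQUIRED = ("type", "server", "port", "baseDN", "authType", "filter")

def parse_ldap_directories(text):
    """Group swa.ldap.<n>.<key>=value lines into one dict per directory index."""
    dirs = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"swa\.ldap\.(\d+)\.([^=]+)=(.*)", line)
        if m:
            dirs.setdefault(int(m.group(1)), {})[m.group(2)] = m.group(3)
    return dirs

def escape_filter_value(value):
    """Escape a search term per RFC 4515 so it cannot alter the filter structure."""
    special = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
    return "".join(special.get(ch, ch) for ch in value)

def build_filter(template, term):
    """Substitute the escaped term for every %s in the configured filter."""
    return template.replace("%s", escape_filter_value(term))

def check_directory(cfg):
    """Return the problems a reviewer would flag in one directory block."""
    problems = [f"missing {k}" for k in REQUIRED if k not in cfg]
    f = cfg.get("filter", "")
    if f.count("(") != f.count(")"):
        problems.append("unbalanced parentheses in filter")
    if "%s" not in f:
        problems.append("filter has no %s placeholder")
    if cfg.get("authType") == "none":
        problems.append("authType=none: AD must permit anonymous reads of baseDN")
    return problems
```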

msweeney
Posts: 17
Joined: Mon Feb 27, 2006 2:29 pm

Postby msweeney » Mon Mar 20, 2006 11:03 am

Where does step 2 take place? Where do we add the properties for our domain? In what file?

I see 3 places where I have a swa.properties file, do I make the changes to all 3? or just in etc/opt ?

ScalixSupport
Scalix
Posts: 5503
Joined: Thu Mar 25, 2004 8:15 pm

Postby ScalixSupport » Mon Mar 20, 2006 11:16 am

That should be /etc/opt/scalix/webmail/swa.properties

Sascha.

msweeney
Posts: 17
Joined: Mon Feb 27, 2006 2:29 pm

Postby msweeney » Mon Mar 20, 2006 12:03 pm

Hmmm, is there a way to see why it's not pulling anything? I followed the instructions on the Novell page, added the info into swa.props, restarted Tomcat and ... same as before, no contacts being pulled. I modified the cn=users,dc=mydomain and all that as well, and pointed to the right server (our exchange server).

Is there a log file? Or some way to run this via the command line to see some feedback?

cdclark
Posts: 73
Joined: Tue Mar 07, 2006 2:20 pm

Postby cdclark » Mon Mar 20, 2006 12:16 pm

Sascha, Thanks for the procedure.

If I'm understanding this correctly, I need to change AD to allow anonymous users to read from LDAP? What are the security implications from this beyond the obvious access the personal info (name/number/address, etc)? Should I be concerned that this is opening up other holes?

Ideally I'd like to just create an AD user account just for this purpose. (I made user 'ldaplookup' on AD for configuring Outlook, so I don't have to help users update the LDAP directory settings in Outlook every time they change their logon password.) I used the same account when I configured SquirrelMail for LDAP lookups. I'd like to do the same for Scalix to avoid any unforeseen consequences of enabling LDAP lookup for anonymous users. Any thoughts on this?

Thanks,

Cameron

ScalixSupport
Scalix
Posts: 5503
Joined: Thu Mar 25, 2004 8:15 pm

Postby ScalixSupport » Mon Mar 20, 2006 12:31 pm

msweeney wrote:Hmmm, is there a way to see why it's not pulling anything? I followed the instructions on the Novell page, added the info into swa.props, restarted Tomcat and ... same as before, no contacts being pulled. I modified the cn=users,dc=mydomain and all that as well, and pointed to the right server (our exchange server).

Is there a log file? Or some way to run this via the command line to see some feedback?


An ldapsearch should bring up something like this:

ldapsearch -LLL -x -h lab1.uk.scalix.com -b "dc=uk,dc=scalix,dc=com" 'objectclass=person' cn mail s g

That should at least return some usable error.

msweeney
Posts: 17
Joined: Mon Feb 27, 2006 2:29 pm

Postby msweeney » Mon Mar 20, 2006 2:05 pm

Hmmm, I don't get much output... only

# refldap://domaine_name.local/CN=Configu ... e,DC=local


But I've done LDAP searches before and am getting output from the AD; still seeing nothing in the address book or contacts.

Very sorry, still very new to Linux OSes and the whole AD thing.

ScalixSupport
Scalix
Posts: 5503
Joined: Thu Mar 25, 2004 8:15 pm

Postby ScalixSupport » Mon Mar 20, 2006 2:08 pm

Looks like you did not follow all the steps from the Novell site.

Cheers,

Sascha.

msweeney
Posts: 17
Joined: Mon Feb 27, 2006 2:29 pm

Postby msweeney » Mon Mar 20, 2006 2:26 pm

Hmm, I've looked over the Novell instructions again, and I've got it all done; each step matches their captures. I have the 4 new entries (LIST, READ, READ, READ) and they all have the "apply these permissions" checkbox checked. And yes, they are ALLOWED.

ldapsearch -LLL -x -h ip_address -b "dc=domaine_name,dc=LOCAL" gives me output, however: a huge stream (88k redirected to a text file).

msweeney
Posts: 17
Joined: Mon Feb 27, 2006 2:29 pm

Postby msweeney » Mon Mar 20, 2006 4:15 pm

Oh, just thought of something: could the reason this is not working be the fact that my mail domain is DIFFERENT from the actual domain?

For example: domain.com is the real one, and testdomain.net is my new domain to test the emails on. I just realized we did that to facilitate testing.

cdclark
Posts: 73
Joined: Tue Mar 07, 2006 2:20 pm

Postby cdclark » Mon Mar 20, 2006 6:50 pm

ScalixSupport wrote:Looks like you did not follow all the steps from the Novell site.

Cheers,

Sascha.


I followed the Novell procedures as well (for W2K AD domain). However, I do have some 2003 servers in my forest. Perhaps I should check out the procedures for 2003, since my AD has been updated to support 2003?

In any case, I get the same results as msweeney.

ldapsearch -LLL -x -h server.mydomain.com -b "dc=mydomain,dc=com" 'objectclass=person' cn mail s g
# refldap://atlanta.mydomain.com/DC=atlanta,DC=mydomain,DC=com

# refldap://mydomain.com/CN=Configuration,DC=mydomain,DC=com


When I try to launch SWA with the added lines in swa.properties, SWA locks up. If I comment out the lines and restart Tomcat it works as before.

cdclark
Posts: 73
Joined: Tue Mar 07, 2006 2:20 pm

Postby cdclark » Mon Mar 20, 2006 7:01 pm

I added the additional Windows Server 2003 attribute from the Novell directions and still have the same issues.

msweeney
Posts: 17
Joined: Mon Feb 27, 2006 2:29 pm

Postby msweeney » Tue Mar 21, 2006 10:17 am

If by SWA you mean the web client, mine was loading up fine with those lines added in. You have an error in your config file, perhaps? Did you check your logs to see if anything is mentioned?
