OMLDAPSYNC ignoring search filter in sync.cfg?

patrickmcshane
Posts: 25
Joined: Thu Mar 16, 2006 8:32 pm
Location: San Diego, CA
Contact:

Postby patrickmcshane » Tue Mar 28, 2006 2:54 pm

Hi,

I have omldapsync working but not exactly getting the behavior I would
have expected given the LDAP search filter I provided. In order to
prevent omldapsync from importing non-Scalix system accounts, I set the
filter to only include LDAP entries that contain the attribute
exScalixObject=TRUE as shown in the filter line in my sync.cfg file
excerpt just below:

EX_FILTER=(|(&(objectclass=inetOrgPerson)(mail=*)(exScalixObject=TRUE))(&(objectclass=groupOfNames)(mail=*)))

I added the new filter item into the first "anded" section of the search
filter.

When I subsequently run the omldapsync command in test mode, it still
indicates that it will bring in all 39 OpenLDAP accounts when only 2 of
them actually contain the exScalixObject attribute.

Please let me know what I am doing wrong with the filter or why omldapsync
is apparently ignoring it.

Thanks,
Pat

=============== OUTPUT FROM omldapsync===============
[root@mxlx01p dslx01p]# omldapsync -n -u dslx01p
2006-03-28 10:45:22 STATUS: test LDAP dir sync import dslx01p started
###############
2006-03-28 10:45:23 INFO: work dir is /var/opt/scalix/ldapsync/dslx01p/import
2006-03-28 10:45:23 STATUS: reprocess search results from dslx01p.be.sddc1.luthresearch.com ...
2006-03-28 10:45:23 STATUS: find delta and perform mapping ...
2006-03-28 10:45:23 INFO: ... 0 entries to delete
2006-03-28 10:45:23 INFO: ... 39 entries to add
2006-03-28 10:45:23 INFO: ... 0 entries to modify
2006-03-28 10:45:23 STATUS: test apply membdelete data against Scalix ...
2006-03-28 10:45:23 INFO: ... 0 entries passed for member.curr
2006-03-28 10:45:23 INFO: ... 0 entries failed for member.curr
2006-03-28 10:45:23 INFO: ... 0 entries warned for member.curr
2006-03-28 10:45:23 STATUS: test apply delete data against Scalix ...
2006-03-28 10:45:23 INFO: ... 0 entries passed for delete.curr
2006-03-28 10:45:23 INFO: ... 0 entries failed for delete.curr
2006-03-28 10:45:23 INFO: ... 0 entries warned for delete.curr
2006-03-28 10:45:23 STATUS: test apply add data against Scalix ...
2006-03-28 10:45:40 INFO: ... 39 entries passed for add.curr
2006-03-28 10:45:40 INFO: ... 0 entries failed for add.curr
2006-03-28 10:45:40 INFO: ... 0 entries warned for add.curr
2006-03-28 10:45:40 STATUS: test apply limit data against Scalix ...
2006-03-28 10:45:41 INFO: ... 0 entries passed for add.curr
2006-03-28 10:45:41 INFO: ... 0 entries failed for add.curr
2006-03-28 10:45:41 INFO: ... 0 entries warned for add.curr
2006-03-28 10:45:41 STATUS: test apply modify data against Scalix ...
2006-03-28 10:45:41 INFO: ... 0 entries passed for modify.curr
2006-03-28 10:45:41 INFO: ... 0 entries failed for modify.curr
2006-03-28 10:45:41 INFO: ... 0 entries warned for modify.curr
2006-03-28 10:45:41 STATUS: test apply limit data against Scalix ...
2006-03-28 10:45:41 INFO: ... 0 entries passed for modify.curr
2006-03-28 10:45:41 INFO: ... 0 entries failed for modify.curr
2006-03-28 10:45:41 INFO: ... 0 entries warned for modify.curr
2006-03-28 10:45:41 STATUS: test apply membadd data against Scalix ...
2006-03-28 10:45:42 INFO: ... 0 entries passed for member.curr
2006-03-28 10:45:42 INFO: ... 0 entries failed for member.curr
2006-03-28 10:45:42 INFO: ... 0 entries warned for member.curr
2006-03-28 10:45:42 STATUS: test apply membmodify data against Scalix ...
2006-03-28 10:45:42 INFO: ... 0 entries passed for member.curr
2006-03-28 10:45:42 INFO: ... 0 entries failed for member.curr
2006-03-28 10:45:42 INFO: ... 0 entries warned for member.curr
2006-03-28 10:45:42 INFO: test mode - keep current search result for reprocessing
2006-03-28 10:45:42 STATUS: test LDAP dir sync import dslx01p completed
#############
2006-03-28 10:45:42 STATUS: test LDAP dir sync export dslx01p started
###############
2006-03-28 10:45:42 INFO: agreement type 13 only supports import operation
2006-03-28 10:45:42 STATUS: test LDAP dir sync export dslx01p completed
#############
Regards,
Pat

ScalixSupport
Scalix
Scalix
Posts: 5503
Joined: Thu Mar 25, 2004 8:15 pm

Postby ScalixSupport » Tue Mar 28, 2006 3:35 pm

What happens when you issue an ldapsearch command using that filter ?

Cheers

Dave

Postby patrickmcshane » Tue Mar 28, 2006 3:52 pm

[root@mxlx01p dslx01p]# ldapsearch -x -LLL exscalixobject=TRUE dn
dn: uid=pmcshane,ou=People,dc=luthresearch,dc=com

dn: uid=test,ou=People,dc=luthresearch,dc=com

Interesting....

When I used:
omldapsync -n -i dslx01p
I saw the 2 entries I expected. Now when using:
omldapsync -n -u dslx01p
I also see only 2 entries.

Some caching going on somewhere that I should know about? I have not changed the filter at all.
Regards,

Pat

Postby ScalixSupport » Tue Mar 28, 2006 3:54 pm

I was talking about the filter you specified, i.e.
(|(&(objectclass=inetOrgPerson)(mail=*)(exScalixObject=TRUE))(&(objectclass=groupOfNames)(mail=*)))


Cheers

Dave

Postby patrickmcshane » Tue Mar 28, 2006 4:02 pm

Like I said, the filter is good.

ldapsearch -x -LLL "(|(&(objectclass=inetOrgPerson)(mail=*)(exScalixObject=TRUE))(&(objectclass=groupOfNames)(mail=*)))" dn

dn: uid=pmcshane,ou=People,dc=luthresearch,dc=com

dn: uid=test,ou=People,dc=luthresearch,dc=com

?????
Regards,

Pat
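
As an added illustration (not part of the thread and not Scalix code), the sketch below evaluates the EX_FILTER from the first post against four constructed entries, so the scope of a sync filter can be checked offline before an import. It handles only and/or/not, equality and presence, and treats equality as case-insensitive, which is an assumption.

```python
FILTER = ("(|(&(objectclass=inetOrgPerson)(mail=*)(exScalixObject=TRUE))"
          "(&(objectclass=groupOfNames)(mail=*)))")  # EX_FILTER from the post

def parse(s, i=0):
    """Parse one parenthesised filter at s[i]; return (node, next_index)."""
    if s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    if s[i + 1] in "&|!":
        op, kids, i = s[i + 1], [], i + 2
        while s[i] == "(":
            kid, i = parse(s, i)
            kids.append(kid)
        if s[i] != ")" or not kids or (op == "!" and len(kids) != 1):
            raise ValueError(f"malformed '{op}' group at offset {i}")
        return (op, kids), i + 1
    end = s.index(")", i)
    attr, sep, value = s[i + 1:end].partition("=")
    # Reject empty attributes, >=, <=, ~=, extensible and substring matches.
    if not sep or attr[-1:] in "<>~:" or ("*" in value and value != "*"):
        raise ValueError(f"unsupported item {s[i:end + 1]!r}")
    return ("=", attr.lower(), value), end + 1

def matches(node, entry):
    """entry maps lower-cased attribute names to lists of values."""
    if node[0] == "&":
        return all(matches(k, entry) for k in node[1])
    if node[0] == "|":
        return any(matches(k, entry) for k in node[1])
    if node[0] == "!":
        return not matches(node[1][0], entry)
    _, attr, want = node
    values = entry.get(attr, [])
    # "*" is a presence test; otherwise case-insensitive equality (assumption).
    return bool(values) if want == "*" else any(v.lower() == want.lower() for v in values)

def selected(filter_text, entries):
    """Return the sorted DNs that the filter would hand to the sync."""
    try:
        node, end = parse(filter_text)
    except IndexError:
        raise ValueError("unbalanced parentheses") from None
    if end != len(filter_text):
        raise ValueError("trailing data after filter")
    return sorted(dn for dn, e in entries.items() if matches(node, e))

ENTRIES = {  # constructed sample entries, not the poster's directory
    "uid=alice": {"objectclass": ["inetOrgPerson", "exScalixClass"],
                  "mail": ["alice@example.com"], "exscalixobject": ["TRUE"]},
    "uid=backup": {"objectclass": ["inetOrgPerson"], "mail": ["backup@example.com"]},
    "cn=staff": {"objectclass": ["groupOfNames"], "mail": ["staff@example.com"]},
    "cn=wheel": {"objectclass": ["groupOfNames"]},
}
```

Note that the second branch of the filter still admits every groupOfNames entry that has a mail attribute, whether or not it carries exScalixObject.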

Postby patrickmcshane » Tue Mar 28, 2006 4:14 pm

Now that the entries are imported, should I be able to send email to these accounts and log in to /webmail?

Example: LDAP mail attribute was set to pmcshane@luthresearch.com

I can't authenticate and I can't log in using these newly imported users, and the user icons that now show them in SAC do not show the expected envelope image. I have included all Scalix attributes and the Scalix objectclass as per the MS Word document technote titled "Using omldapsync with OpenLDAP and Scalix 10". Below is listed the actual LDIF of one of the users that omldapsync imported. Please note that ALL exScalix attributes are there.

[root@mxlx01p dslx01p]# ldapsearch -x -LLL uid=pmcshane
dn: uid=pmcshane,ou=People,dc=luthresearch,dc=com
labeledURI: http://www.luthresearch.com/~pmcshane
gecos: Patrick Mcshane
loginShell: /bin/bash
cn: Patrick Mcshane
homeDirectory: /home/pmcshane
objectClass: person
objectClass: organizationalPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: inetOrgPerson
objectClass: inetLocalMailRecipient
objectClass: top
objectClass: exScalixClass
exScalixMailnode: mxlx01p,luthresearch
exScalixObject: TRUE
exScalixMsglang: ENGLISH
exScalixAdmin: TRUE
exScalixMboxadmin: TRUE
mail: pmcshane@luthresearch.com
mailHost: smtp.luthresearch.com
uid: pmcshane
uidNumber: 300
gidNumber: 10
givenName: Patrick
sn: Mcshane
street: 313 Creek Drive
postOfficeBox: 114
title: Manager
l: St Davids
st: PA
postalCode: 19087
telephoneNumber: 6109950080
facsimileTelephoneNumber: 6039479172
shadowLastChange: 13230
o: Luth
userPassword:: xxxxxxxx

Any ideas?
Regards,

Pat

Postby patrickmcshane » Wed Mar 29, 2006 6:29 pm

PING.........

Any ideas on the "omldapsync -i sync-id" problem?

Again, I have all recommended Scalix LDAP attributes and omldapsync "seems" to be working fine. The entries are brought into the Scalix directory but they do not get provisioned properly within Scalix with mailboxes etc....

All mapping appears to be correct including exScalixMailnode.

The OpenLDAP user entries show up in Scalix but they can't login.

What am I missing?

Please advise.....
Regards,

Pat

Postby patrickmcshane » Wed Mar 29, 2006 6:33 pm

Here is the actual LDIF directly from the Scalix directory after the omldapsync. Does it seem correct?

dn: cn=Patrick Mcshane, o=Scalix
cn: Patrick Mcshane
l: St Davids
st: PA
street: 313 Creek Drive
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: mhsUser
objectClass: scalixPerson
surname: Mcshane
title: Manager
postalCode: 19087
telephoneNumber: 6109950080
facsimileTelephoneNumber: 6039479172
givenName: Patrick
mhsORAddresses: S=Mcshane/G=Patrick/OU1=mxlx01p/OU2=luthresearch/CN=Patrick Mc
 shane
omInternetAddr: pmcshane@luthresearch.com
mail: pmcshane@mail.luthresearch.com
mail: pmcshane@luthresearch.com
rfc822Mailbox: pmcshane@mail.luthresearch.com
rfc822Mailbox: pmcshane@luthresearch.com
omAddress: Patrick Mcshane /mxlx01p,luthresearch/CN=Patrick Mcshane
omMailnode: mxlx01p,luthresearch
omCn: Patrick Mcshane
omForeignAddr: uid=pmcshane,ou=People,dc=luthresearch,dc=com
omGlobalUniqueId: 61176bba-481c-102a-9675-c36c596b019d
omLocalUniqueId: 1168

Here is the LDIF from the sxadmin user:
dn: cn=sxadmin, o=Scalix
cn: sxadmin
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: mhsUser
objectClass: scalixPerson
surname: sxadmin
mhsORAddresses: S=sxadmin/OU1=mxlx01p/OU2=luthresearch/CN=sxadmin
omInternetAddr: sxadmin-mxlx01p@luthresearch.com
mail: sxadmin-mxlx01p@luthresearch.com
rfc822Mailbox: sxadmin-mxlx01p@luthresearch.com
omAddress: sxadmin /mxlx01p,luthresearch/CN=sxadmin
omMailnode: mxlx01p,luthresearch
omCn: sxadmin
omGlobalUniqueId: 1500000003048244-012.7.41.01
omLocalUniqueId: 97
omUlClass: Limited

Why isn't user pmcshane recognized by Scalix as a valid email user?
Regards,

Pat

Postby ScalixSupport » Wed Mar 29, 2006 7:55 pm

Hi Pat,

Can you post the results of omshowu -n "Patrick Mcshane" and omsearch -e "cn=Patrick Mcshane" ? Are you also trying to authenticate against your LDAP server or via Scalix?

Thanks,
Rachel

Postby patrickmcshane » Wed Mar 29, 2006 9:04 pm

Hi Rachel,

Thanks for responding!!!!!

Here are the results and YES we are authenticating against OpenLDAP (Redhat Ent ES 4, OpenLDAP v2.2).

Seems like omldapsync is working fine but Scalix won't provision the mailboxes (user icons show no envelopes in SAC).

[root@mxlx01p dslx01p]# omshowu -n "Patrick Mcshane"; omsearch -e "cn=Patrick Mcshane"
omshowu : [OM 8040] The user can't be found, or has been deleted.

CN=Patrick Mcshane/G=Patrick/S=Mcshane/OU1=mxlx01p/OU2=luthresearch/UL-AUTHID=pmcshane/POSTAL-CODE=19087/FAX=6039479172/FOREIGN-ADDR=uid\=pmcshane,ou\=People,dc\=luthresearch,dc\=com/L=St Davids/STREET-ADDRESS=313 Creek Drive/TITLE=Contractor/STATE-OR-PROVINCE=PA/PHONE-1=6109950080/INTERNET-ADDR=pmcshane@luthresearch.com
Regards,

Pat

Postby ScalixSupport » Wed Mar 29, 2006 9:17 pm

Hi Pat,

Could you also post the output from:

omshowmn -m all
omshowu -m all
omsearch -e "cn=Patrick Mcshane" -m @all-attr@ -v

Thanks,
Rachel

Postby patrickmcshane » Wed Mar 29, 2006 10:03 pm

Rachel,

As per your request, command output below.....

Thanks,
Pat

[root@mxlx01p dslx01p]# omshowmn -m all
** mxlx01p,luthresearch
[root@mxlx01p dslx01p]#
[root@mxlx01p dslx01p]#
[root@mxlx01p dslx01p]# omshowu -m all
sxadmin /mxlx01p,luthresearch/CN=sxadmin
sxqueryadmin /mxlx01p,luthresearch/CN=sxqueryadmin
Import Admin /mxlx01p,luthresearch/CN=Import Admin
[root@mxlx01p dslx01p]#
[root@mxlx01p dslx01p]#
[root@mxlx01p dslx01p]# omsearch -e "cn=Patrick Mcshane" -m @all-attr@ -v
CN=Patrick Mcshane
G=Patrick
S=Mcshane
OU1=mxlx01p
OU2=luthresearch
UL-AUTHID=pmcshane
POSTAL-CODE=19087
FAX=6039479172
FOREIGN-ADDR=uid\=pmcshane,ou\=People,dc\=luthresearch,dc\=com
L=St Davids
STREET-ADDRESS=313 Creek Drive
TITLE=Contractor
STATE-OR-PROVINCE=PA
PHONE-1=6109950080
GLOBAL-UNIQUE-ID=61176bba-481c-102a-9675-c36c596b019d
INTERNET-ADDR=pmcshane@luthresearch.com
HOST-FQDN=mxlx01p.fe.sddc1.luthresearch.com
LOCAL-UNIQUE-ID=1168
IA-FORMAL=pmcshane@luthresearch.com
S-SDX=M250
G-SDX=P362
DBV-ID=33554450
Regards,

Pat

Postby ScalixSupport » Thu Mar 30, 2006 4:20 am

Hi Pat,

I spent a fair amount of time trying to reproduce this and my best guess as to what happened is that you ran omldapsync once when your LDAP entry wasn't correct. Then once it was corrected and omldapsync was run again, it corrected the system directory entry, but it's not going to create the userlist entry because that only happens on an add.

So, what you'll need to do is:

Code:

omdelent -e "cn=Patrick Mcshane"

then re-run:

Code:

omldapsync -u dslx01p


Thanks,
Rachel

Postby patrickmcshane » Thu Mar 30, 2006 4:40 am

Rachel,

Thanks for looking into this!

Going forward and assuming that we'll always be adding Scalix users indirectly via OpenLDAP and assuming that our OpenLDAP entries and sync.cfg file are correct based on what I've shown you:

What would the actual recommended step by step process be immediately after the OpenLDAP Scalix user entry is created to assure that when "omldapsync -u dslx01p" is run that 1) the OpenLDAP entry is properly imported/converted into a Scalix LDAP entry and 2) that the newly created Scalix entry includes a properly provisioned mailbox?

How often to run "omldapsync" in cron?

Lastly, could OpenLDAP entries be managed directly by SAC?

Thanks,
Pat
Regards,

Pat

Postby patrickmcshane » Thu Mar 30, 2006 4:45 am

By the way, I'll run the commands you mentioned earlier and let you know if that finally clears things up. I am certainly hoping that this works as it is the last hurdle before a full deployment begins.

Question: Since we're using a central OpenLDAP, what OpenLDAP front-end GUI tool/software would you recommend assuming that we can't use SAC to make changes directly to OpenLDAP?
Regards,

Pat

