HowTos/OpenLDAP User Management

From Scalix Wiki
Revision as of 18:32, 20 July 2007 by Davidz@sutc.com (Talk | contribs) (External OpenLDAP User Management)


In response to this thread: [1] I have started this HowTo. Hopefully others can provide more info.


Summary of Setup

We have an existing OpenLDAP server running Samba as a Primary Domain Controller. We wanted ONE point of administration for users, so we want to be able to modify email settings from OpenLDAP. We were already using phpLDAPAdministrator[2] and wanted to continue using it, so we had no intention of using SAC for user admin tasks. (Actually, when you set up your system this way SAC grays out all the user settings, so you can't change them there.)


OpenLDAP Server Modifications

Existing OpenLDAP Server 2.2.29 running on Fedora Core 3. I had to make two modifications to my existing OpenLDAP directory. The first was to add the schema file.

Edit /etc/openldap/slapd.conf and add the include line for scalix.schema:

include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/nis.schema
include         /etc/openldap/schema/misc.schema
include         /etc/openldap/schema/samba.schema
include         /etc/openldap/schema/scalix.schema

Also, here is a copy of the scalix.schema file. I noticed the one that came with Scalix was missing lots of options, so Florian provided an updated one. As of version 11.1 I don't think it has changed, but maybe someone else can verify.

# Copyright (C) 2006 Scalix Corporation.  All rights reserved.

# OpenLDAP schema extension for Scalix omldapsync attributes
# For reference see OpenLDAP 2.1 Administrator's Guide

# Installation steps (requires root login):
#
# 1. Stop OpenLDAP slapd server (e.g. kill -INT `cat /var/run/slapd.pid`)
#
# 2. Copy this file to OpenLDAP schema sub directory (e.g. /etc/openldap/schema)
#
# 3. Edit OpenLDAP slapd.conf file (e.g. /etc/openldap/slapd.conf) to:
#
#    a. Extend the schema by appending reference to the 'include' section,
#       something like the following lines:
#
#       # include schema extension for Scalix omldapsync attributes
#       include /etc/openldap/schema/scalix-10.0.0.schema
#
#    b. Ensure Scalix omldapsync has sufficient read access to all the data,
#       usually determined by the type of bind and the dn used.
#
#    c. Ensure Scalix omldapsync has sufficient search limit to return all the
#       matching entries, usually determined by the 'sizelimit' setting used.
#
# 4. Start OpenLDAP slapd server (e.g. /usr/sbin/slapd)
#
# 5. Fix any error, repeat steps 1 to 4 as necessary.
#
# 6. Test add (e.g. /usr/bin/ldapadd -D "cn=Manager,dc=my-domain,dc=com") using
#    something like the following LDIF lines:
#
#    dn: cn=testuser scalix,dc=my-domain,dc=com
#    objectClass: inetOrgPerson
#    cn: testuser scalix
#    displayName: Testuser Scalix
#    sn: Scalix
#    mail: testuser@test.scalix.com
#    objectClass: scalixUserClass
#    scalixScalixObject: TRUE
#    scalixMailnode: ou1,ou2
#    scalixServerLanguage: ENGLISH
#    scalixAdministrator: TRUE
#    scalixMailboxAdministrator: FALSE
#    scalixEmailAddress: testuser@my-domain.com
#    scalixEmailAddress: testuser@my-domain.de
#    scalixLimitMailboxSize: 1024000
#    scalixLimitOutboundMail: TRUE
#    scalixLimitInboundMail: FALSE
#    scalixLimitNotifyUser: TRUE
#    scalixHideUserEntry: FALSE
#    scalixMailboxClass: FULL
#
#    dn: cn=testgroup scalix,dc=my-domain,dc=com
#    objectClass: groupOfNames
#    cn: testgroup scalix
#    member: cn=testuser scalix,dc=my-domain,dc=com
#    objectClass: scalixGroupClass
#    scalixScalixObject: TRUE
#    scalixMailnode: ou1,ou2
#    displayName: Testgroup Scalix
#    scalixEmailAddress: testgroup@test.scalix.com
#    scalixHideUserEntry: TRUE
#
# 7. Test search (e.g. /usr/bin/ldapsearch -b "dc=my-domain,dc=com" -x -D ""
#    -w "" cn=*scalix) to check for read access and correct entries were added.

# define macro for Scalix root OID
objectIdentifier scalixOID 1.3.6.1.4.1.19049

# new attributes to describe a Scalix user or group object
# use 1.1.x from Scalix root OID
attributetype ( scalixOID:1.1.10 NAME ( 'scalixScalixObject' )
        DESC 'boolean TRUE or FALSE for creating scalix mailbox/PDL object
              If this is set to FALSE and the object is matched by the omldapsync
              filter, a Contact entry/Internet user is created. If set to true, a
              mailbox is setup. For Group/PDL objects, this must always be set to true'
        SINGLE-VALUE
        EQUALITY booleanMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 )

attributetype ( scalixOID:1.1.11 NAME ( 'scalixMailnode' )
        DESC 'Comma-separated org units for objects mailnode. This is the
              Mailnode name as defined when the Scalix server was setup. In
              Multi-server environments, this is used to select on which server
              the object is to be created.'
        SINGLE-VALUE
        EQUALITY caseIgnoreMatch
        SUBSTR caseIgnoreSubstringsMatch
        ORDERING caseIgnoreOrderingMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )

attributetype ( scalixOID:1.1.12 NAME ( 'scalixAdministrator' )
        DESC 'Boolean TRUE or FALSE for admin capability. If set to TRUE,
              the user created will have full Scalix admin capabilities.'
        SINGLE-VALUE
        EQUALITY booleanMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 )

attributetype ( scalixOID:1.1.13 NAME ( 'scalixMailboxAdministrator' )
        DESC 'Boolean TRUE or FALSE for Mailbox Admin capability. A user with
              this flag set to TRUE can access ANY mailbox on a server through
              mboxadmin signon. This is usually only used for migration tools and
              typically not exposed through LDAP'
        SINGLE-VALUE
        EQUALITY booleanMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 )

attributetype ( scalixOID:1.1.14 NAME ( 'scalixServerLanguage' )
        DESC 'Message catalog language for client. This is one of the Scalix-supported
              languages found in /var/opt/scalix/nls/om_langs'
        SINGLE-VALUE
        EQUALITY caseIgnoreMatch
        SUBSTR caseIgnoreSubstringsMatch
        ORDERING caseIgnoreOrderingMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1024} )

attributetype ( scalixOID:1.1.15 NAME ( 'scalixEmailAddress' )
        DESC 'List of SMTP addresses of user. This is a multi-valued attribute. The
              order is important as the first of these values is used as the outgoing
              from address of the user.'
        EQUALITY caseIgnoreMatch
        SUBSTR caseIgnoreSubstringsMatch
        ORDERING caseIgnoreOrderingMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1024} )

attributetype ( scalixOID:1.1.16 NAME ( 'scalixLimitMailboxSize' )
        DESC 'mailbox size limit for the user in MB'
        SINGLE-VALUE
        EQUALITY integerMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )

attributetype ( scalixOID:1.1.17 NAME ( 'scalixLimitOutboundMail' )
        DESC 'As Sanction on Mailbox quota overuse, stop user from sending mail.
              Set to TRUE or FALSE'
        SINGLE-VALUE
        EQUALITY booleanMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 )

attributetype ( scalixOID:1.1.18 NAME ( 'scalixLimitInboundMail' )
        DESC 'As Sanction on Mailbox quota overuse, stop user from receiving mail.
              Set to TRUE or FALSE'
        SINGLE-VALUE
        EQUALITY booleanMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 )

attributetype ( scalixOID:1.1.19 NAME ( 'scalixLimitNotifyUser' )
        DESC 'As Sanction on Mailbox quota overuse, notify the User by eMail.
              Set to TRUE or FALSE'
        SINGLE-VALUE
        EQUALITY booleanMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 )

attributetype ( scalixOID:1.1.20 NAME ( 'scalixHideUserEntry' )
        DESC 'Hide User Entry from Addressbook. Set to TRUE or FALSE'
        SINGLE-VALUE
        EQUALITY booleanMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 )

attributetype ( scalixOID:1.1.21 NAME ( 'scalixMailboxClass' )
        DESC 'Class of User Mailbox FULL or LIMITED. This maps to
              Premium or Standard users as defined by Scalix User licensing policy'
        SINGLE-VALUE
        EQUALITY caseIgnoreMatch
        SUBSTR caseIgnoreSubstringsMatch
        ORDERING caseIgnoreOrderingMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1024} )

# auxiliary classes for scalix User and group
# use 1.2.x from Scalix root OID
objectclass ( scalixOID:1.2.10 NAME 'scalixUserClass'
        DESC 'Supplemental class containing the Scalix User-related attributes'
        AUXILIARY
        MUST ( scalixScalixObject     $ scalixMailnode )
        MAY  ( scalixAdministrator    $ scalixMailboxAdministrator $
               scalixServerLanguage   $ scalixEmailAddress $
               scalixLimitMailboxSize $ scalixLimitOutboundMail $
               scalixLimitInboundMail $ scalixLimitNotifyUser $
               scalixHideUserEntry    $ scalixMailboxClass ) )

objectclass ( scalixOID:1.2.11 NAME 'scalixGroupClass'
        DESC 'Supplemental class containing the Scalix Group-related attributes'
        AUXILIARY
        MUST ( scalixScalixObject $ scalixMailnode )
        MAY  ( scalixEmailAddress $ scalixHideUserEntry ) )

In my situation I already had OpenLDAP working, so I needed to add all these "new" attributes to the existing users with some default values. I have lost the script I used, but here is what I was able to recover. First create a list of users to modify:

ldapsearch -x |grep ou=Users > userlist

This search can obviously be modified to get what you need out of OpenLDAP. Sample output is:

dn: uid=user1,ou=Users,dc=foo,dc=com
dn: uid=user2,ou=Users,dc=foo,dc=com
dn: uid=user3,ou=Users,dc=foo,dc=com
dn: uid=user4,ou=Users,dc=foo,dc=com

I then ran this overly simple Perl script to process the user list:

#!/usr/bin/perl
# Writes one LDIF modify record per DN in "userlist" and (optionally) applies it.
use strict;
use warnings;

my $infile  = "userlist";
my $outfile = "modifyusers";

open(my $in, '<', $infile) or die "cannot open $infile: $!";
my @mylines = <$in>;
close($in);

foreach my $line (@mylines) {
    chomp($line);
    $line =~ s/\s+$//;            # the search output may leave trailing blanks
    next unless $line =~ /^dn: /; # skip anything that is not a dn line

    # $outfile is overwritten for every user, so it must be applied inside the loop.
    open(my $out, '>', $outfile) or die "cannot open $outfile: $!";

    # Next line is what changes for each value in the array above...
    print {$out} "$line\n";
    # The auxiliary class is scalixUserClass, as defined in scalix.schema above.
    print {$out} <<'EOM';
changetype: modify
add: objectClass
objectClass: scalixUserClass
-
add: scalixScalixObject
scalixScalixObject: TRUE
-
add: scalixMailnode
scalixMailnode: server,domain
-
add: scalixServerLanguage
scalixServerLanguage: ENGLISH
-
add: scalixAdministrator
scalixAdministrator: FALSE
-
add: scalixMailboxAdministrator
scalixMailboxAdministrator: FALSE
-
add: scalixLimitOutboundMail
scalixLimitOutboundMail: FALSE
-
add: scalixLimitInboundMail
scalixLimitInboundMail: FALSE
-
add: scalixLimitMailboxSize
scalixLimitMailboxSize: 25
-
add: scalixLimitNotifyUser
scalixLimitNotifyUser: TRUE
-
add: scalixHideUserEntry
scalixHideUserEntry: FALSE
-
add: scalixMailboxClass
scalixMailboxClass: LIMITED
-
EOM
    close($out);

    # The first line just prints the DN to the screen, the second runs the operation.
    # Uncomment the one you want to do. I use the first to test, then actually do it.
    #print "$line\n";
    #system("ldapmodify -x -D \"uid=Manager,ou=Users,dc=foo,dc=com\" -W -v -f $outfile") == 0
    #    or die "ldapmodify failed for $line";
} # end for loop
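The existing-user step above (list the DNs, generate the LDIF modify records, feed them to ldapmodify) as an added example in Python rather than the page's Perl; it is not the page's own script. Before writing anything it checks the requested values against the rules the scalix.schema above declares (booleanMatch, integerMatch, SINGLE-VALUE, MUST), so a bad default is caught before any entry is touched. The ldapsearch output, the "server,domain" mailnode and the ou=Users container are constructed placeholders.

```python
import re
# Constructed sample of "ldapsearch -x" output (not taken from a real directory)
SAMPLE_SEARCH = ("dn: dc=foo,dc=com\nobjectClass: dcObject\n\n"
                 "dn: uid=user1,ou=Users,dc=foo,dc=com\nuid: user1\n\n"
                 "dn: uid=user2,ou=Users,dc=foo,dc=com\nuid: user2\n")
# Per-user defaults from the page's script (lists, since scalixEmailAddress is multi-valued)
DEFAULTS = {"scalixScalixObject": ["TRUE"], "scalixMailnode": ["server,domain"],
            "scalixServerLanguage": ["ENGLISH"], "scalixAdministrator": ["FALSE"],
            "scalixMailboxAdministrator": ["FALSE"], "scalixLimitMailboxSize": ["25"],
            "scalixLimitOutboundMail": ["FALSE"], "scalixLimitInboundMail": ["FALSE"],
            "scalixLimitNotifyUser": ["TRUE"], "scalixHideUserEntry": ["FALSE"],
            "scalixMailboxClass": ["LIMITED"]}
# Syntax rules transcribed from scalix.schema: booleanMatch, integerMatch, SINGLE-VALUE, MUST
BOOLEAN = {"scalixScalixObject", "scalixAdministrator", "scalixMailboxAdministrator",
           "scalixLimitOutboundMail", "scalixLimitInboundMail", "scalixLimitNotifyUser",
           "scalixHideUserEntry"}
INTEGER = {"scalixLimitMailboxSize"}
MULTI = {"scalixEmailAddress"}          # every other Scalix attribute is SINGLE-VALUE
MUST = ("scalixScalixObject", "scalixMailnode")

def check_values(attrs):
    """Problems slapd would reject the modify for; an empty list means the values fit."""
    problems = [f"missing MUST attribute {a}" for a in MUST if a not in attrs]
    for name, values in attrs.items():
        if name not in MULTI and len(values) != 1:
            problems.append(f"{name} is SINGLE-VALUE, got {len(values)} values")
        for v in values:
            if name in BOOLEAN and v not in ("TRUE", "FALSE"):
                problems.append(f"{name}: {v!r} is not TRUE/FALSE")
            elif name in INTEGER and not re.fullmatch(r"-?\d+", v):
                problems.append(f"{name}: {v!r} is not an integer")
    return problems

def user_dns(search_output, container="ou=Users"):
    # Same selection as 'grep ou=Users' above, but restricted to dn: lines
    return [dn for dn in re.findall(r"^dn: (.+?)\s*$", search_output, re.M) if container in dn]

def modify_ldif(dn, attrs):
    # One 'changetype: modify' record adding scalixUserClass plus the given attributes
    ops = ["add: objectClass\nobjectClass: scalixUserClass"]
    for name, values in attrs.items():
        ops.append(f"add: {name}\n" + "\n".join(f"{name}: {v}" for v in values))
    return f"dn: {dn}\nchangetype: modify\n" + "\n-\n".join(ops) + "\n-\n"

def build_modify_file(search_output, attrs=DEFAULTS):
    # Whole file for 'ldapmodify -f'; emits nothing if a value would be rejected
    if problems := check_values(attrs):
        raise ValueError("; ".join(problems))
    return "\n".join(modify_ldif(dn, attrs) for dn in user_dns(search_output))
```

Write the result of build_modify_file() to a file and pass it to ldapmodify -f as in the script above; slapd enforces the same rules, the pre-check only surfaces a wrong default before the batch starts.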

One final thing to modify on the existing OpenLDAP server was the add-user script. Since we are using Samba + PDC + OpenLDAP we use the smbldap-tools, so I modified the new-user script to add the Scalix attributes automatically. Starting at LINE 383 of /usr/local/sbin/smbldap-useradd:

my $modify = $ldap_master->modify( "uid=$userName,$config{usersdn}",
    changes => [
        add => [objectClass => 'sambaSAMAccount'],
        add => [sambaPwdLastSet => "$valpwdlastset"],
        add => [sambaLogonTime => '0'],
        add => [sambaLogoffTime => '2147483647'],
        add => [sambaKickoffTime => '2147483647'],
        add => [sambaPwdCanChange => "$valpwdcanchange"],
        add => [sambaPwdMustChange => "$valpwdmustchange"],
        add => [displayName => "$config{userGecos}"],
        add => [sambaAcctFlags => "$valacctflags"],
        add => [sambaSID => "$config{SID}-$userRid"],
        # Scalix additions: same auxiliary class and defaults as the LDIF above
        add => [objectClass => 'scalixUserClass'],
        add => [scalixScalixObject => "TRUE"],
        add => [scalixMailnode => "mailserver,domain"],
        add => [scalixServerLanguage => "ENGLISH"],
        add => [scalixAdministrator => "FALSE"],
        add => [scalixMailboxAdministrator => "FALSE"],
        add => [scalixMailboxClass => "LIMITED"],
        add => [scalixLimitMailboxSize => "25"],
        add => [scalixLimitOutboundMail => "FALSE"],
        add => [scalixLimitInboundMail => "FALSE"],
        add => [scalixLimitNotifyUser => "TRUE"],
        add => [scalixHideUserEntry => "FALSE"]
    ]
);

$modify->code && die "failed to add entry: ", $modify->error;

Now all new users will be created with the proper attributes.

So that does it for the OpenLDAP modifications.


Scalix System Modifications

TODO