Omldapsync HowTo - Six

From Scalix Wiki
Revision as of 15:45, 18 March 2008 by Ltward (Appendix A - ldapsync13.schema (OpenLDAP Servers))


Appendix A - ldapsync13.schema (OpenLDAP Servers)

A copy of ldapsync13.schema is provided because the copy included with the Scalix installation was incomplete in earlier releases.

# Copyright (C) 2006 Scalix Corporation.  All rights reserved.

# OpenLDAP schema extension for Scalix omldapsync attributes
# For reference see OpenLDAP 2.1 Administrator's Guide

# Installation steps (requires root login):
#
# 1. Stop OpenLDAP slapd server (e.g. kill -INT `cat /var/run/slapd.pid`)
#
# 2. Copy this file to the OpenLDAP schema sub-directory (e.g. /etc/openldap/schema)
#
# 3. Edit OpenLDAP slapd.conf file (e.g. /etc/openldap/slapd.conf) to:
#
#    a. Extend the schema by appending reference to the 'include' section,
#       something like the following lines:
#
#       # include schema extension for Scalix omldapsync attributes
#       include /etc/openldap/schema/ldapsync13.schema
#
#    b. Ensure Scalix omldapsync has sufficient read access to all the data,
#       usually determined by the type of bind and the dn used.
#
#    c. Ensure Scalix omldapsync has sufficient search limit to return all the
#       matching entries, usually determined by the 'sizelimit' setting used.
#
# 4. Start OpenLDAP slapd server (e.g. /usr/sbin/slapd)
#
# 5. Fix any error, repeat steps 1 to 4 as necessary.
#
# 6. Test add (e.g. /usr/bin/ldapadd -D "cn=Manager,dc=my-domain,dc=com") using
#    something like the following LDIF lines:
#
#    dn: cn=testuser scalix,dc=my-domain,dc=com
#    objectClass: inetOrgPerson
#    cn: testuser scalix
#    displayName: Testuser Scalix
#    sn: Scalix
#    mail: testuser@test.scalix.com
#    objectClass: scalixUserClass
#    scalixScalixObject: TRUE
#    scalixMailnode: ou1,ou2
#    scalixServerLanguage: ENGLISH
#    scalixAdministrator: TRUE
#    scalixMailboxAdministrator: FALSE
#    scalixEmailAddress: testuser@my-domain.com
#    scalixEmailAddress: testuser@my-domain.de
#    scalixLimitMailboxSize: 1024
#    scalixLimitOutboundMail: TRUE
#    scalixLimitInboundMail: FALSE
#    scalixLimitNotifyUser: TRUE
#    scalixHideUserEntry: FALSE
#    scalixMailboxClass: FULL
#
#    dn: cn=testgroup scalix,dc=my-domain,dc=com
#    objectClass: groupOfNames
#    cn: testgroup scalix
#    member: cn=testuser scalix,dc=my-domain,dc=com
#    objectClass: scalixGroupClass
#    scalixScalixObject: TRUE
#    scalixMailnode: ou1,ou2
#    displayName: Testgroup Scalix
#    scalixEmailAddress: testgroup@test.scalix.com
#    scalixHideUserEntry: TRUE
#
# 7. Test search (e.g. /usr/bin/ldapsearch -b "dc=my-domain,dc=com" -x -D ""
#    -w "" cn=*scalix) to check for read access and that the correct entries
#    were added. Note that -D "" -w "" is an anonymous bind: if this search
#    returns the Scalix attributes, any anonymous client can read them too.
#    Repeat the search bound as the dn omldapsync will use, since that is the
#    access that step 3b has to guarantee.

# define macro for Scalix root OID
objectIdentifier scalixOID 1.3.6.1.4.1.19049

# new attributes to describe a Scalix user or group object
# use 1.1.x from Scalix root OID
attributetype ( scalixOID:1.1.10 NAME ( 'scalixScalixObject' )
       DESC 'Boolean TRUE or FALSE for creating a Scalix mailbox/PDL object.
             If this is set to FALSE and the object is matched by the omldapsync
             filter, a Contact entry/Internet user is created. If set to TRUE, a
             mailbox is set up. For Group/PDL objects this must always be TRUE'
       SINGLE-VALUE
       EQUALITY booleanMatch
       SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 )

attributetype ( scalixOID:1.1.11 NAME ( 'scalixMailnode' )
       DESC 'Comma-separated org units forming the mailnode of the object. This is
             the mailnode name as defined when the Scalix server was set up. In
             multi-server environments it selects the server on which the object
             is to be created.'
       SINGLE-VALUE
       EQUALITY caseIgnoreMatch
       SUBSTR caseIgnoreSubstringsMatch
       ORDERING caseIgnoreOrderingMatch
       SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1024} )

attributetype ( scalixOID:1.1.12 NAME ( 'scalixAdministrator' )
       DESC 'Boolean TRUE or FALSE for admin capability. If set to TRUE,
             the user created will have full Scalix admin capabilities.'
       SINGLE-VALUE
       EQUALITY booleanMatch
       SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 )

attributetype ( scalixOID:1.1.13 NAME ( 'scalixMailboxAdministrator' )
       DESC 'Boolean TRUE or FALSE for Mailbox Admin capability. A user with
             this flag set to TRUE can access ANY mailbox on a server through
             mboxadmin signon. This is usually only used for migration tools and
             typically not exposed through LDAP'
       SINGLE-VALUE
       EQUALITY booleanMatch
       SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 )

attributetype ( scalixOID:1.1.14 NAME ( 'scalixServerLanguage' )
       DESC 'Message catalog language for client. This is one of the Scalix-supported
             languages found in /var/opt/scalix/nls/om_langs'
       SINGLE-VALUE
       EQUALITY caseIgnoreMatch
       SUBSTR caseIgnoreSubstringsMatch
       ORDERING caseIgnoreOrderingMatch
       SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1024} )

attributetype ( scalixOID:1.1.15 NAME ( 'scalixEmailAddress' )
       DESC 'List of SMTP addresses of user. This is a multi-valued attribute. The
             order is important as the first of these values is used as the outgoing
             from address of the user.'
       EQUALITY caseIgnoreMatch
       SUBSTR caseIgnoreSubstringsMatch
       ORDERING caseIgnoreOrderingMatch
       SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1024} )

attributetype ( scalixOID:1.1.16 NAME ( 'scalixLimitMailboxSize' )
       DESC 'mailbox size limit for the user in MB'
       SINGLE-VALUE
       EQUALITY integerMatch
       SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )

attributetype ( scalixOID:1.1.17 NAME ( 'scalixLimitOutboundMail' )
       DESC 'Sanction on mailbox quota overuse: stop the user from sending mail.
             Set to TRUE or FALSE'
       SINGLE-VALUE
       EQUALITY booleanMatch
       SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 )

attributetype ( scalixOID:1.1.18 NAME ( 'scalixLimitInboundMail' )
       DESC 'Sanction on mailbox quota overuse: stop the user from receiving mail.
             Set to TRUE or FALSE'
       SINGLE-VALUE
       EQUALITY booleanMatch
       SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 )

attributetype ( scalixOID:1.1.19 NAME ( 'scalixLimitNotifyUser' )
       DESC 'Sanction on mailbox quota overuse: notify the user by e-mail.
             Set to TRUE or FALSE'
       SINGLE-VALUE
       EQUALITY booleanMatch
       SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 )

attributetype ( scalixOID:1.1.20 NAME ( 'scalixHideUserEntry' )
       DESC 'Hide User Entry from Addressbook. Set to TRUE or FALSE'
       SINGLE-VALUE
       EQUALITY booleanMatch
       SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 )

attributetype ( scalixOID:1.1.21 NAME ( 'scalixMailboxClass' )
       DESC 'Class of User Mailbox FULL or LIMITED. This maps to
             Premium or Standard users as defined by Scalix User licensing policy'
       SINGLE-VALUE
       EQUALITY caseIgnoreMatch
       SUBSTR caseIgnoreSubstringsMatch
       ORDERING caseIgnoreOrderingMatch
       SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1024} )
 
# auxiliary classes for scalix User and group
# use 1.2.x from Scalix root OID
objectclass ( scalixOID:1.2.10 NAME 'scalixUserClass'
       DESC 'Supplemental class containing the Scalix User-related attributes'
       AUXILIARY
       MUST ( scalixScalixObject     $ scalixMailnode)
       MAY  ( scalixAdministrator    $ scalixMailboxAdministrator $
                    scalixServerLanguage   $ scalixEmailAddress $
                    scalixLimitMailboxSize $ scalixLimitOutboundMail $
                    scalixLimitInboundMail $ scalixLimitNotifyUser $
                    scalixHideUserEntry    $ scalixMailboxClass ) )

objectclass ( scalixOID:1.2.11 NAME 'scalixGroupClass'
       DESC 'Supplemental class containing the Scalix Group-related attributes'
       AUXILIARY
       MUST ( scalixScalixObject $ scalixMailnode )
       MAY  ( displayName $ scalixEmailAddress $ scalixHideUserEntry ) )
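The installation notes above end with a test add (step 6) of entries that have to satisfy the schema just listed. The script below is an added example, not Scalix code: it lints an LDIF file offline against the rules that schema encodes, namely the MUST attributes of both auxiliary classes, which attributes each class allows, the Boolean and INTEGER syntaxes, the SINGLE-VALUE flags, the FULL/LIMITED values of scalixMailboxClass, and the rule in the scalixScalixObject description that group/PDL entries must be TRUE. Running it before ldapadd turns a schema violation from a server-side "Object class violation" into a line you can act on. The embedded LDIF is constructed: shortened copies of the two test entries plus a deliberately broken group entry.

```python
"""Offline pre-flight check of LDIF entries against ldapsync13.schema.

Added example, not Scalix code. It encodes the MUST/MAY lists, syntaxes and
SINGLE-VALUE flags of scalixUserClass / scalixGroupClass so an LDIF file can
be linted before ldapadd. Base64 ('::') and URL (':<') values are not handled.
"""
import re

BOOLEAN_ATTRS = {"scalixscalixobject", "scalixadministrator", "scalixmailboxadministrator",
                 "scalixlimitoutboundmail", "scalixlimitinboundmail",
                 "scalixlimitnotifyuser", "scalixhideuserentry"}
INTEGER_ATTRS = {"scalixlimitmailboxsize"}
MULTI_VALUED = {"scalixemailaddress"}   # every other Scalix attribute is SINGLE-VALUE
MUST = {"scalixscalixobject", "scalixmailnode"}
MAY = {"scalixuserclass": (BOOLEAN_ATTRS | INTEGER_ATTRS | MULTI_VALUED
                           | {"scalixserverlanguage", "scalixmailboxclass"}) - MUST,
       "scalixgroupclass": {"displayname", "scalixemailaddress", "scalixhideuserentry"}}
SCALIX_ATTRS = MUST | MAY["scalixuserclass"]   # displayName belongs to inetOrgPerson


def parse_ldif(text):
    """Parse LDIF into [{attr: [values]}] with attribute names lowercased.
    Handles '#' comments, folded lines (leading space) and blank-line separators."""
    entries, current, folded = [], {}, []

    def flush():
        line = "".join(folded)
        folded.clear()
        if line and not line.startswith("#"):
            name, _, value = line.partition(":")
            current.setdefault(name.strip().lower(), []).append(value.strip())

    for raw in text.splitlines() + [""]:
        if raw.startswith(" "):          # continuation of the previous logical line
            folded.append(raw[1:])
            continue
        flush()
        if raw.strip():
            folded.append(raw)
        elif current:                    # blank line ends the entry
            entries.append(current)
            current = {}
    return entries


def check_entry(entry):
    """Return the schema violations for one parsed entry (empty list = OK).
    Entries carrying neither Scalix auxiliary class are ignored."""
    classes = {c.lower() for c in entry.get("objectclass", [])} & set(MAY)
    if not classes:
        return []
    dn = entry.get("dn", ["<no dn>"])[0]
    allowed = MUST.union(*(MAY[c] for c in classes))
    problems = [f"{dn}: missing MUST attribute {a}" for a in sorted(MUST - set(entry))]
    for attr, values in entry.items():
        if attr in SCALIX_ATTRS and attr not in allowed:
            problems.append(f"{dn}: {attr} is not allowed by {', '.join(sorted(classes))}")
        if attr in SCALIX_ATTRS and attr not in MULTI_VALUED and len(values) > 1:
            problems.append(f"{dn}: {attr} is SINGLE-VALUE but has {len(values)} values")
        for v in values:
            if attr in BOOLEAN_ATTRS and v not in ("TRUE", "FALSE"):
                problems.append(f"{dn}: {attr}={v!r} is not a Boolean (TRUE/FALSE)")
            if attr in INTEGER_ATTRS and not re.fullmatch(r"-?\d+", v):
                problems.append(f"{dn}: {attr}={v!r} is not an INTEGER")
            if attr == "scalixmailboxclass" and v.upper() not in ("FULL", "LIMITED"):
                problems.append(f"{dn}: {attr}={v!r} must be FULL or LIMITED")
    # Per the scalixScalixObject DESC, group/PDL objects must always be TRUE.
    if "scalixgroupclass" in classes and entry.get("scalixscalixobject") != ["TRUE"]:
        problems.append(f"{dn}: group/PDL entries need scalixScalixObject: TRUE")
    return problems


# Constructed sample: shortened versions of the two test entries from the
# installation notes, plus a deliberately broken group entry.
SAMPLE_LDIF = """\
dn: cn=testuser scalix,dc=my-domain,dc=com
objectClass: inetOrgPerson
objectClass: scalixUserClass
cn: testuser scalix
sn: Scalix
scalixScalixObject: TRUE
scalixMailnode: ou1,ou2
scalixAdministrator: TRUE
scalixEmailAddress: testuser@my-domain.com
scalixEmailAddress: testuser@my-domain.de
scalixLimitMailboxSize: 1024
scalixMailboxClass: FULL

dn: cn=testgroup scalix,dc=my-domain,dc=com
objectClass: groupOfNames
objectClass: scalixGroupClass
cn: testgroup scalix
member: cn=testuser scalix,dc=my-domain,dc=com
scalixScalixObject: TRUE
scalixMailnode: ou1,ou2
scalixEmailAddress: testgroup@test.scalix.com

dn: cn=broken scalix,dc=my-domain,dc=com
objectClass: groupOfNames
objectClass: scalixGroupClass
cn: broken scalix
scalixScalixObject: false
scalixAdministrator: TRUE
scalixLimitMailboxSize: 1GB
"""

if __name__ == "__main__":
    for entry in parse_ldif(SAMPLE_LDIF):
        print("\n".join(check_entry(entry)) or f"{entry['dn'][0]}: OK")
```

The checks are deliberately the ones the server itself will not explain clearly: Boolean syntax is case-sensitive (only TRUE/FALSE, so the lowercase "false" in the broken entry is rejected), a group entry carrying scalixAdministrator is an object class violation because scalixGroupClass does not list it, and the "groups must be TRUE" rule comes from the attribute description rather than from anything the directory enforces.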

Appendix B - 90Scalix.ldif (Sun ONE Directory Servers)

This is the cn=schema entry as dumped from a Sun ONE server (the server's own ACIs, modifiersName and modifyTimestamp included), reflowed as LDIF: a line beginning with a space continues the previous line, and the first space is dropped when the value is reassembled, so a second space is kept wherever the fold falls between two tokens. Note how this file differs from ldapsync13.schema above: the attributes and classes are registered under bare OIDs (1.1.x, 1.2.x) rather than under the Scalix arc 1.3.6.1.4.1.19049, both classes are STRUCTURAL rather than AUXILIARY, and no EQUALITY matching rules are declared. Keep that in mind if you compare entries across the two directory types.

dn: cn=schema
objectClass: top
objectClass: ldapSubentry
objectClass: subschema
cn: schema
aci: (target="ldap:///cn=schema")(targetattr !="aci")(version 3.0;
  acl "anonymous, no acis";
  allow (read, search, compare) userdn = "ldap:///anyone";)
aci: (targetattr = "*")(version 3.0;
  acl "Configuration Administrators Group";
  allow (all) groupdn = "ldap:///cn=Configuration Administrators,
  ou=Groups, ou=TopologyManagement, o=NetscapeRoot";)
aci: (targetattr = "*")(version 3.0;
  acl "Configuration Administrator";
  allow (all) userdn = "ldap:///uid=admin,ou=Administrators,
  ou=TopologyManagement, o=NetscapeRoot";)
aci: (targetattr = "*")(version 3.0;
  acl "Local Directory Administrators Group";
  allow (all) groupdn = "ldap:///cn=Directory Administrators,
  dc=mydomain,dc=net";)
aci: (targetattr = "*")(version 3.0;
  acl "SIE Group";
  allow (all) groupdn = "ldap:///cn=slapd-fubar,
  cn=Sun ONE Directory Server, cn=Server Group,
  cn=fubar.mydomain.net, ou=mydomain.net, o=NetscapeRoot";)
modifiersName: cn=directory manager
modifyTimestamp: 20080205163801Z
attributeTypes: ( 1.1.13 NAME 'scalixMailboxAdministrator'
  DESC 'Boolean TRUE or FALSE for Mailbox Admin capability.
  A user with this flag set to TRUE can access ANY mailbox
  on a server through mboxadmin signon. This is usually
  only used for migration tools and typically not exposed
  through LDAP'
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
  SINGLE-VALUE
  X-ORIGIN 'user defined' )
attributeTypes: ( 1.1.18 NAME 'scalixLimitInboundMail'
  DESC 'Sanction on mailbox quota overuse: stop the user
  from receiving mail. Set to TRUE or FALSE'
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
  SINGLE-VALUE
  X-ORIGIN 'user defined' )
attributeTypes: ( 1.1.10 NAME 'scalixScalixObject'
  DESC 'Boolean TRUE or FALSE for creating a Scalix mailbox/PDL
  object. If this is set to FALSE and the object is matched
  by the omldapsync filter, a Contact entry/Internet user is
  created. If set to TRUE, a mailbox is set up. For Group/PDL
  objects this must always be TRUE.'
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
  SINGLE-VALUE
  X-ORIGIN 'user defined' )
attributeTypes: ( 1.1.15 NAME 'scalixEmailAddress'
  DESC 'List of SMTP addresses of user. This is a multi-valued
  attribute. The order is important as the first of these values
  is used as the outgoing from address of the user.'
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
  X-ORIGIN 'user defined' )
attributeTypes: ( 1.1.20 NAME 'scalixHideUserEntry'
  DESC 'Hide User Entry from Addressbook. Set to TRUE or FALSE'
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
  SINGLE-VALUE
  X-ORIGIN 'user defined' )
attributeTypes: ( 1.1.12 NAME 'scalixAdministrator'
  DESC 'Boolean TRUE or FALSE for admin capability. If set to TRUE,
  the user created will have full Scalix admin capabilities.'
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
  SINGLE-VALUE
  X-ORIGIN 'user defined' )
attributeTypes: ( 1.1.17 NAME 'scalixLimitOutboundMail'
  DESC 'Sanction on mailbox quota overuse: stop the user from
  sending mail. Set to TRUE or FALSE'
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
  SINGLE-VALUE
  X-ORIGIN 'user defined' )
attributeTypes: ( 1.1.14 NAME 'scalixServerLanguage'
  DESC 'Message catalog language for client. This is one of
  the Scalix-supported languages found in
  /var/opt/scalix/nls/om_langs'
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
  SINGLE-VALUE
  X-ORIGIN 'user defined' )
attributeTypes: ( 1.1.19 NAME 'scalixLimitNotifyUser'
  DESC 'Sanction on mailbox quota overuse: notify the user
  by e-mail. Set to TRUE or FALSE'
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
  SINGLE-VALUE
  X-ORIGIN 'user defined' )
attributeTypes: ( 1.1.11 NAME 'scalixMailnode'
  DESC 'Comma-separated org units forming the mailnode of the
  object. This is the mailnode name as defined when the Scalix
  server was set up. In multi-server environments it selects
  the server on which the object is to be created.'
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
  SINGLE-VALUE
  X-ORIGIN 'user defined' )
attributeTypes: ( 1.1.16 NAME 'scalixLimitMailboxSize'
  DESC 'mailbox size limit for the user in MB'
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
  SINGLE-VALUE
  X-ORIGIN 'user defined' )
attributeTypes: ( 1.1.21 NAME 'scalixMailboxClass'
  DESC 'Class of User Mailbox FULL or LIMITED. This maps to
  Premium or Standard users as defined by Scalix User
  licensing policy'
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
  SINGLE-VALUE
  X-ORIGIN 'user defined' )
objectClasses: ( 1.2.10 NAME 'scalixUserClass'
  SUP top
  STRUCTURAL MUST ( scalixMailnode $ scalixScalixObject )
  MAY ( scalixAdministrator $ scalixEmailAddress $
  scalixHideUserEntry $ scalixLimitInboundMail $
  scalixLimitMailboxSize $ scalixLimitNotifyUser $
  scalixLimitOutboundMail $ scalixMailboxAdministrator $
  scalixMailboxClass $ scalixServerLanguage )
  X-ORIGIN 'user defined' )
objectClasses: ( 1.2.11 NAME 'scalixGroupClass'
  SUP top
  STRUCTURAL MUST ( scalixMailnode $ scalixScalixObject )
  MAY ( displayName $ scalixEmailAddress $
  scalixHideUserEntry )
  X-ORIGIN 'user defined' )

Appendix C - slapd.conf (OpenLDAP Server)

This is a sample slapd.conf taken from OpenLDAP 2.3.35 running on Ubuntu 7.10 (Gutsy Gibbon); your slapd.conf may be more or less complex than this one. Two things to check before copying it. First, the rootpw value is a published sample hash: generate your own with slappasswd rather than reusing it. Second, the final "access to * ... by * read" rule lets any anonymous client read every attribute, including scalixAdministrator and scalixMailboxAdministrator, which the schema itself says is typically not exposed through LDAP. If that is not wanted, add a more specific "access to attrs=..." rule above it that grants read to the dn omldapsync binds with (step 3b of Appendix A) and "by * none" to everyone else; slapd applies the first rule whose target matches, so order matters.

# This is the main slapd configuration file. See slapd.conf(5) for more
# info on the configuration options.

# Global Directives:

# Features to permit
#allow bind_v2

# Schema and objectClass definitions
include         /etc/ldap/schema/core.schema
include         /etc/ldap/schema/cosine.schema
include         /etc/ldap/schema/nis.schema
include         /etc/ldap/schema/inetorgperson.schema
include         /etc/ldap/schema/ldapsync13.schema

# Where the pid file is put. The init.d script
# will not stop the server if you change this.
pidfile         /var/run/slapd/slapd.pid

# List of arguments that were passed to the server
argsfile        /var/run/slapd/slapd.args

# Read slapd.conf(5) for possible values
loglevel        256

# Where the dynamically loaded modules are stored
modulepath      /usr/lib/ldap
moduleload      back_bdb

# The maximum number of entries that is returned for a search operation
sizelimit       5000

# The tool-threads parameter sets the actual amount of cpu's that is used
# for indexing.
tool-threads    1

# Specific Backend Directives for bdb:
# Backend specific directives apply to this backend until another
# 'backend' directive occurs
backend         bdb
checkpoint      512 30

# Specific Backend Directives for 'other':
# Backend specific directives apply to this backend until another
# 'backend' directive occurs
#backend        <other>

# Specific Directives for database #1, of type bdb:
# Database specific directives apply to this database until another
# 'database' directive occurs
database        bdb

# The base of your directory in database #1
suffix          "dc=mydomain,dc=net"

# rootdn directive for specifying a superuser on the database. This is needed
# for syncrepl.
rootdn          "cn=admin,dc=mydomain,dc=net"
rootpw          {SSHA}EGBbPLdQg0o5RoUQBwIQBkymApuC/YFa

# Where the database files are physically stored for database #1
directory       "/var/lib/ldap/mydomain"

# For the Debian package we use 2MB as default but be sure to update this
# value if you have plenty of RAM
dbconfig set_cachesize 0 2097152 0

# Sven Hartge reported that he had to set this value incredibly high
# to get slapd running at all. See http://bugs.debian.org/303057
# for more information.

# Number of objects that can be locked at the same time.
dbconfig set_lk_max_objects 1500
# Number of locks (both requested and granted)
dbconfig set_lk_max_locks 1500
# Number of lockers
dbconfig set_lk_max_lockers 1500

# Indexing options for database #1
index           objectClass eq

# Save the time that the entry gets modified, for database #1
lastmod         on

# Where to store the replica logs for database #1
# replogfile    /var/lib/ldap/replog

# The userPassword by default can be changed
# by the entry owning it if they are authenticated.
# Others should not be able to see it, except the
# admin entry below
# These access lines apply to database #1 only
access to attrs=userPassword,shadowLastChange
        by dn="cn=admin,dc=mydomain,dc=net" write
        by anonymous auth
        by self write
        by * none

# Ensure read access to the base for things like
# supportedSASLMechanisms. Without this you may
# have problems with SASL not knowing what
# mechanisms are available and the like.
# Note that this is covered by the 'access to *'
# ACL below too but if you change that as people
# are wont to do you'll still need this if you
# want SASL (and possible other things) to work
# happily.
access to dn.base="" by * read

# The admin dn has full write access, everyone else
# can read everything.
access to *
        by dn="cn=admin,dc=mydomain,dc=net" write
        by * read

# For Netscape Roaming support, each user gets a roaming
# profile for which they have write access to
#access to dn=".*,ou=Roaming,o=morsnet"
#        by dn="cn=admin,dc=mydomain,dc=net" write
#        by dnattr=owner write

# Specific Directives for database #2, of type 'other' (can be bdb too):
# Database specific directives apply to this database until another
# 'database' directive occurs
#database       <other>

# The base of your directory for database #2
#suffix         "dc=debian,dc=org"
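The access lines at the end of this file are what decide whether omldapsync (step 3b of Appendix A) and everyone else can read the Scalix attributes. The script below is an added example, not OpenLDAP or Scalix code: it parses the "access to" directives and applies the first-match evaluation described in slapd.access(5), so you can see which level a given bind gets on a given attribute without a running server. It compares the three rules from the sample above with a hardened variant that inserts an attrs= rule for the two privilege flags ahead of the catch-all; the bind dn cn=omldapsync,dc=mydomain,dc=net used there is hypothetical. Only the what/who forms that appear here (*, dn.base, attrs=, dn=, anonymous, users, self) are understood, and the rootdn's bypass of ACLs is not modelled.

```python
"""First-match evaluation of slapd.conf 'access to' directives.

Added example, not OpenLDAP or Scalix code. It models the order documented
in slapd.access(5): the first 'access to <what>' clause matching the target
entry/attribute is selected, the first matching 'by <who>' clause inside it
sets the level, and an unmatched requester gets 'none'. Only the <what>/<who>
forms used in the sample above are understood; the rootdn's ACL bypass is
not modelled. A requester of None stands for an anonymous bind.
"""
import shlex


def parse_acls(conf):
    """Return [(what, [(who, level), ...])] in file order. Continuation lines
    (leading whitespace) are joined; '#' lines and other directives are skipped."""
    directives = []
    for raw in conf.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and directives:
            directives[-1] += " " + raw.strip()
        else:
            directives.append(raw.strip())
    acls = []
    for d in directives:
        if d.startswith("access to "):
            tokens = shlex.split(d[len("access to "):])   # also strips the DN quotes
            by = [(tokens[i + 1], tokens[i + 2]) for i, t in enumerate(tokens) if t == "by"]
            acls.append((tokens[0], by))
    return acls


def _what_matches(what, entry_dn, attr):
    if what == "*":
        return True
    if what.startswith("dn.base="):
        return entry_dn.lower() == what[len("dn.base="):].lower()
    if what.startswith("attrs="):
        return attr is not None and attr.lower() in what[len("attrs="):].lower().split(",")
    raise ValueError(f"unsupported <what>: {what}")


def _who_matches(who, requester, entry_dn):
    if who == "*":
        return True
    if who == "anonymous":
        return requester is None
    if who == "users":
        return requester is not None
    if who == "self":
        return requester is not None and requester.lower() == entry_dn.lower()
    if who.startswith("dn="):
        return requester is not None and requester.lower() == who[len("dn="):].lower()
    raise ValueError(f"unsupported <who>: {who}")


def access_level(acls, requester, entry_dn, attr=None):
    """Level the requester gets on attr of entry_dn (attr=None: the entry itself)."""
    for what, by_clauses in acls:
        if not _what_matches(what, entry_dn, attr):
            continue
        for who, level in by_clauses:
            if _who_matches(who, requester, entry_dn):
                return level
        return "none"    # the clause matched but no 'by' applied: denied
    return "none"        # no directive matched: slapd denies


# The three access rules of the sample slapd.conf above, verbatim.
ACL_FROM_PAGE = """\
access to attrs=userPassword,shadowLastChange
        by dn="cn=admin,dc=mydomain,dc=net" write
        by anonymous auth
        by self write
        by * none
access to dn.base="" by * read
access to *
        by dn="cn=admin,dc=mydomain,dc=net" write
        by * read
"""

# Hardened variant: a more specific rule placed BEFORE 'access to *' so that
# only the sync account (hypothetical DN) can read the two privilege flags.
HARDENED = ACL_FROM_PAGE.replace("access to *\n", """\
access to attrs=scalixAdministrator,scalixMailboxAdministrator
        by dn="cn=admin,dc=mydomain,dc=net" write
        by dn="cn=omldapsync,dc=mydomain,dc=net" read
        by * none
access to *
""")

if __name__ == "__main__":
    user = "cn=testuser scalix,dc=mydomain,dc=net"
    for label, conf in (("page sample", ACL_FROM_PAGE), ("hardened", HARDENED)):
        level = access_level(parse_acls(conf), None, user, "scalixMailboxAdministrator")
        print(f"{label}: anonymous gets '{level}' on scalixMailboxAdministrator")
```

The point the evaluator makes visible is ordering: the new attrs= rule only has an effect because it sits before "access to *"; placed after it, the catch-all would match first and anonymous would still get read, and the more specific rule would never be consulted.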