HowTos/Omldapsync
Scalix Wiki -> How-Tos -> Omldapsync
Contents
- 1 About This Document
- 2 Preparing to synchronize with Scalix
- 3 How it Works
- 4 Converting an Entry to a Scalix Account
- 5 The Password
- 6 Managing Groups (PDLs) with LDAP
- 7 Integrating Existing Scalix Mailboxes into LDAP
- 8 Understanding the Mapping Table
- 9 Using Additional LDAP Attributes not Contained in the Mapping Table
- 10 Fixing omldapsync After Errors
- 11 Using omsyncwrap
- 12 Troubleshooting
- 13 Handy LDAP commands
- 14 References
- 15 Appendix A - ldapsync13.schema (OpenLDAP Servers)
- 16 Appendix B - 90Scalix.ldif (Sun ONE Directory Servers)
- 17 Appendix C -slapd.conf (OpenLDAP Server)
- 18 Appendix D - OpenLDAP
- 19 Appendix E - Sun ONE Directory Server
- 20 Appendix E - Active Directory
About This Document
This document is intended to assist you in synchronizing a Scalix server with an LDAP directory. OpenLDAP and Sun ONE Directory Server are used for examples; in the future it would be nice to include examples of omldapsync with Active Directory.
We'll cover configuration of the LDAP server, creation of the omldapsync agreement, using the LDAP directory for authentication, and there will be an overview of how omldapsync works.
While writing this paper, the following software was used:
- Scalix 11.3.0 running on RedHat Enterprise 5.1 (Tikanga)
- OpenLDAP 2.3.35 running on Ubuntu 7.1 (Gutsy Gibbon)
- Sun ONE Directory Server Version 5 2005Q4 (5.2 P6) running on Solaris 10 for X86
Many, many thanks to Karl Buchner for his paper Using omldapsync with OpenLDAP and Scalix 11. A significant portion of this text was stolen directly from that document, with his permission.
Preparing to synchronize with Scalix
Configure the Remote Directory
In order to synchronize the remote directory with Scalix, we must configure the remote server so that it is aware of some special Scalix attributes. This is done via extending the remote directory's schema. We must also ensure that the remote server is configured so that it will send back all the relevant entries.
OpenLDAP
The OpenLDAP schema files are typically located in /etc/ldap/schema or /etc/openldap/schema.
The OpenLDAP slapd.conf file is typically located in /etc/ldap or /etc/openldap.
- Stop the OpenLDAP slapd server.
- Copy /var/opt/scalix/??/s/sys/ldapsync13.schema from the Scalix server to your OpenLDAP server's schema directory and ensure that the copied file is world readable.
- Add an "include" statement to the slapd.conf file as follows, using a path appropriate to your environment:
include /etc/ldap/schema/ldapsync13.schema
- After the database directive for the directory you wish to synchronize with Scalix, ensure the following values are set in slapd.conf according to your environment:
database bdb suffix "dc=mydomain,dc=net" rootdn "cn=admin,dc=mydomain,dc=net" rootpw {SSHA}EGBbPLdQg0o5RoUQBwIQBkymApuC/YFa directory "/var/lib/ldap/mydomain"
- To generate an encrypted password, use the slappasswd command and enter the password when prompted.
- If you have multiple databases, they must each have their own directory.
- Ensure the sizelimit in slapd.conf is large enough for LDAP to return all the matching entries to omldapsync.
- Restart slapd.
The ldapsync13.schema file does not require editing.
Sun ONE Directory Server
- Ensure the sizelimit is large enough for LDAP to return all the matching entries to omldapsync.
- Login to the System Server Console and double-click the Directory Server for your host.
- Select the Configuration tab -> Performance node -> Client Control tab
- Set the Size limit and save.
- Update the schema so Sun ONE Directory Server is aware of the special Scalix attributes. There are two methods for updating the schema file. You may use the Directory Server Console, or you may edit the schema files directly.
Editing the schema via the Directory Server Console (preferred method)
- Login to the System Server Console and double-click the Directory Server for your host.
- Select the Configuration tab -> Schema node -> Attributes tab -> Create button
- Create the attributes according to the following table:
Attribue Name | OID | Separate | Description | Syntax | Multi-valued |
---|---|---|---|---|---|
scalixScalixObject | 1.1.10 | boolean TRUE or FALSE for creating scalix mailbox/PDL object. If this is set to FALSE and the object is matched by the omldapsync filter, a Contact entry/Internet user is created. If set to true, a mailbox is setup. For Group/PDL objects, this must always be set to true | Boolean | no | |
scalixMailnode | 1.1.11 | , | Comma-separated org units for object.s mailnode. This is the Mailnode name as defined when the Scalix server was setup. In Multi-server environments, this is used to select on which server the object is to be created. | DirectoryString | no |
scalixAdministrator | 1.1.12 | Boolean TRUE or FALSE for admin capability. If set to TRUE, the user created will have full Scalix admin capabilites. | Boolean | no | |
scalixMailboxAdministrator | 1.1.13 | Boolean TRUE or FALSE for Mailbox Admin capability. A user with this flag set to TRUE can access ANY mailbox on a server through mboxadmin signon. This is usually only used for migration tools and typically not exposed through LDAP. | Boolean | no | |
scalixServerLanguage | 1.1.14 | Message catalog language for client. This is one of the Scalix-sup
ported languages found in /var/opt/scalix/nls/om_langs |
DirectoryString | no | |
scalixEmailAddress | 1.1.15 | List of SMTP addresses of user. This is a multi-valued attribute. The order is important as the first of these values is used as the outgoing from address of the user. | DirectoryString | yes | |
scalixLimitMailboxSize | 1.1.16 | mailbox size limit for the user in MB | Integer | no | |
scalixLimitOutboundMail | 1.1.17 | As Sanction on Mailbox quota overuse, stop user from sending mail. Set to TRUE or FALSE | Boolean | no | |
scalixLimitInboundMail | 1.1.18 | As Sanction on Mailbox quota overuse, stop user from receiving mail. Set to TRUE or FALSE | Boolean | no | |
scalixLimitNotifyUser | 1.1.19 | As Sanction on Mailbox quota overuse, notify the User by eMail.
Set to TRUE or FALSE |
Boolean | no | |
scalixHideUserEntry | 1.1.20 | Hide User Entry from Addressbook. Set to TRUE or FALSE | Boolean | no | |
scalixMailboxClass | 1.1.21 | Class of User Mailbox FULL or LIMITED. This maps to Premium or Standard users as defined by Scalix User licensing policy | DirectoryString | no |
- Select the Object Classes tab and create the Object Classes according to the following table
Name | Parent | OID | Required | Allowed |
---|---|---|---|---|
scalixUserClass | top | 1.2.10 | scalixMailnode
scalixScalixObject |
scalixAdministrator
scalixEmailAddress scalixHideUserEntry scalixLimitInboundMail scalixLimitMailboxSize scalixLimitNotifyUser scalixLimitOutboundMail scalixMailboxAdministrator scalixMailboxClass scalixServerLanguage |
scalixGroupClass | top | 1.2.11 | scalixMailnode
scalixScalixObject |
displayname
scalixEmailAddress scalixHideUserEntry |
- Immediately after making the above changes, stop and restart the Directory Server.
# /usr/sbin/directoryserver restart
NOTE: If you choose to use the Directory Server Console to define the Scalix attributes, you must restart the server immediatley after making your changes. Restarting the server saves your modifications to the 99user.ldif file permanently and prevents other modifications made from the command line or the console from overwriting your changes.
Editing the Schema File Directly
The Sun ONE Directory Server schema files are typically located in ServerRoot/slapd-serverID/config/schema.
- Edit the 90Scalix.ldif file in the appendix of this document, replacing fubar with your host name and mydomain and net with values appropriate to your own domain. You must also update the userdn and groupdn values.
- Stop the Sun ONE Directory Server.
- Copy the 90Scalix.ldif to your Sun ONE Directory Server's schema directory.
- Ensure that the file is world readable.
- Restart the Sun ONE Directory Server.
# /usr/sbin/directoryserver restart
NOTE: If you replicate your schema amongst multiple servers, the replicated schemas will store the definitions from 90Scalix.ldif in their 99user.ldif file.
Active Directory
The steps for setting up Active Directory for synchronization with Scalix are documented in the Scalix Setup and Configuration Guide, in the chapter entitled "Integrating with Active Directory".
Basically the steps are as follows:
- Installing the Schema Extensions
- Installing the GUI Extensions
- Setting Up Synchronization Agreements
NOTE: There are a couple of errors in the section that describes how to set up the synchronization agreement; bugs have been logged. The errors are described below in " Create omldapsync Agreement" under the type 11 agreement.
Create omldapsync Agreement
The man page for omldapsync is very good; refer to it for more complete information.
omldapsync agreements can be of several different types, depending on whether you want to synchronize with an Exchange 5.5 directory, Sun ONE Directory Server, Active Directory, OpenLDAP, etc. The commonly used types are
- 11 - Import from Acitve Directory to Scalix
- 13 - Import from OpenLDAP or Sun ONE Directory Server to Scalix
- 21 - Import/Export address information between Exchange 5.5 and Scalix
These types are discussed in more detail below.
The import-only agreements are used for managing all users from a central (LDAP) directory. The import/export agreement is used to keep address books synchronized between disparate systems.
It is advisable to name your agreements according to what type of agreement it is and the LDAP host with which it is associated. This makes it easy to tell at a glance what the agreement is intended to do.
The type 11 Agreement
This is documented in the AD Integration HowTo.
The Type 13 Agreement
Assuming we are going to synchronize with a host named fubar.mydomain.net, we would create our agreement as follows. On the Scalix server:
omldapsync -c 13fubar INPUT: Select sync agreement type to create (21): 13 INPUT: Edit config file now y/n (n): y INPUT: Use vi to edit y/n (n): y
Update the following with values appropriate to your environment; values given are for illustration only. The purpose of these fields is explained in the configuration file you are editing.
JAVA_HOME=/usr/java/jre1.5.0_13 EX_HOST=fubar.mydomain.net EX_LOGON=cn=admin,dc=mydomain,dc=net (for synchronizing with OpenLDAP servers) EX_LOGON=cn=Directory Manager (for synchronizing with Sun ONE Directory Servers) EX_PASS=secret IM_HOST=sxlab.mydomain.net IM_CAA_URL=http://sxlab.mydomain.net/caa/ IM_CAA_NAME=sxadmin IM_CAA_PASS=sxpass EX_ATTR (for synchronizing with Sun ONE Directory Servers only, change entryUUID to nsUniqueId) EX_BASE1=cn=users,dc=mydomain,dc=net EX_GUID=entryUUID (for synchronizing with OpenLDAP servers) EX_GUID=nsUniqueId (for synchronizing with Sun ONE Directory Servers)
You may also want to modify the following values:
IM_DELETE_MAILBOX
For synchronizing with Sun ONE Directory Servers only, change the following line
from entryUUID|GLOBAL-UNIQUE-ID|*|* to nsUniqueId|GLOBAL-UNIQUE-ID|*|*
INPUT: Compare old config to new y/n (n): n INPUT: Replace old config with new y/n (?): y INPUT: Attempt to test data extraction now y/n (n): n
The type 21 agreement
To be written - feel free to contribute!
Synchronize the Directories
You can synchronize in interactive mode or with a single command. The interactive mode is friendlier and easier to understand ; the single command is useful for scheduling synchronization from cron. You must be root to run omldapsync.
Interactively:
# omldapsync -i 13fubar 2008-02-07 09:16:17 INFO: command line is /opt/scalix/bin/omldapsync -i 13fubar 2008-02-07 09:16:18 STATUS: Interactive for 13fubar started ######## Common tasks menu for syncid 13fubar 0. Display this menu 1. Configure the LDAP dir sync settings 2. Force a complete (re)load of the directory 3. Update the directory after some changes 4. Accept previous error and update directory 5. Skip previous error and update directory 6. Update the directory and prompt for error 7. Modify all sync records from the directory 8. Delete all sync records in the directory d. Toggle debug mode from current setting <0> n. Toggle test mode from current setting <> q. Quit INPUT: Please enter an option (0): 3
Single command:
There are command line equivalents for the above; see the man page for more detailed information on these and other command line options. To update the directory after some changes (option 3 above), you would run
$ omldapsync -u 13fubar
How it Works
omldapsync stores its information in /var/opt/scalix/??/s/ldapsync; this directory is created when the first omldapsync agreement is defined.
In the ldapsync directory are subdirectories, one for each omldapsync agreement.
The ldapsync.log file is also stored here. It records the execution of various omldapsync commands and their output. For example, you can see when agreements were created, when synchronizations ran, and if you run omldapsync with debugging enabled (-d option), you will also see the debugging output.
A New Agreement
When a new agreement is created, a subdirectory is created under /var/opt/scalix/??/s/ldapsync; the subidrectory has the same name as the sync agreement, for example /var/opt/scalix/??/s/ldapsync/13fubar.
Within this agreement subdirectory are the following files and directories:
- sync.cfg
- this is the configuration file you edited when you created the agreement with the omldapsync -c 13fubar command. If you have errors in your log that suggest improper configuration of your agreement, you can edit this file directly or you can run omldapsync -c 13fubar again and elect to replace the old config file with the new.
- sync.last
- a copy of your old sync.cfg file. If you totally mess things up and wish you could go back to your old config file, this is where you get it. Only one copy is stored, so you can only go back one version.
- sync.log
- this is similar to the ldapsync.log file, but it only contains entries pertaining to the omldapsync agreement that has the same name as the agreement subdirectory, for example, 13fubar.
- import
- this is the working directory for the import portion of the synchronization agreement.
- export
- this directory is not used by a type 13 omldap synchronization agreement, because type 13 agreements only import data from the LDAP server; they don't export. It is created but will remain empty.
The First Synchronization
For demonstration purposes, we'll start with one simple (non-Scalix user) entry in the LDAP directory.
? cat /tmp/addmouse dn: uid=MMouse,dc=mydomain,dc=net givenName: Mildred sn: Mouse telephoneNumber: 800-555-1212 mail: mildred@fubar.mydomain.net facsimileTelephoneNumber: 800-222-0000 objectClass: top objectClass: person objectClass: organizationalPerson objectClass: inetorgperson uid: MMouse preferredLanguage: en cn: Mildred Mouse
OpenLDAP:
$ ldapadd -x -D cn=admin,dc=mydomain,dc=net -w secret -f /tmp/addmouse
SunONE:
$ ldapadd -D "cn=directory manager" -w secret -f /tmp/addmouse
Synchronize with the command omldapsync -u 13fubar; for output that is a little more informative you can enable debugging. While this isn't practical all the time, it is good tool for learning.
# omldapsync -u 13fubar -d1
After the synchronization is complete you can verify that the entry was imported.
# omsearch -e s=mouse CN=Mildred Mouse/G=Mildred/S=Mouse/OU1=internet/ADMINISTERED-BY=ldapsync-13fubar/PHONE-1=800-555-1212/FAX=800-222-0000/FOREIGN-ADDR=uid\=MMouse,dc\=mydomain,dc\=net/INTERNET-ADDR=mildred@fubar.mydomain.net
The log file for this agreement, /var/opt/scalix/sb/s/ldapsync/13fubar/sync.log, has a fair amount of output because we used the -d1 option. Among other things, it shows the remote directory being searched and one entry found for adding:
2008-02-06 16:45:12 STATUS: search source directory on fubar.mydomain.net ... 2008-02-06 16:45:12 INFO: search base is dc=mydomain,dc=net 2008-02-06 16:45:12 INFO: ... 5 entries to check 2008-02-06 16:45:13 STATUS: find delta and perform mapping ... 2008-02-06 16:45:14 INFO: ... 0 entries to delete 2008-02-06 16:45:14 INFO: ... 1 entries to add 2008-02-06 16:45:14 INFO: ... 0 entries to modify
If you encounter problems, a good way to begin troubleshooting is to run omldapsync with the -d1 option and then examine your sync.log file.
In the import directory, a lot of new files have been created. Of particular interest is the add.curr file, which shows the entry as it came from the remote LDAP server, and again after it was added to the Scalix directory.
dn: uid=MMouse,dc=mydomain,dc=net uid: MMouse objectClass: top objectClass: person objectClass: organizationalPerson objectClass: inetorgperson sn: Mouse givenname: Mildred mail: mildred@fubar.mydomain.net nsUniqueID: 37906181-d43011dc-80eeab21-efb0ae03 cn: Mildred Mouse facsimileTelephoneNumber: 800-222-0000 telephoneNumber: 800-555-1212 dn: uid=MMouse,dc=mydomain,dc=net FOREIGN-ADDR: uid=MMouse,dc=mydomain,dc=net UL-AUTHID: MMouse objectClass: organizationalPerson S: Mouse G: Mildred INTERNET-ADDR: mildred@fubar.mydomain.net GLOBAL-UNIQUE-ID: 37906181-d43011dc-80eeab21-efb0ae03 CN: Mildred Mouse FAX: 800-222-0000 PHONE-1: 800-555-1212 ADMINISTERED-BY: ldapsync-13fubar
This can be helpful when trying to figure out how data is being imported. You can see the data brought in from LDAP and the data applied to Scalix. For example, you can see that the Scalix GLOBAL-UNIQUE-ID takes the same value as the LDAP userUUID or the nsUniqueID, and that the INTERNET-ADDR is derived from the mail attribute. The mapping table is used to define how particular attributes get their values assigned.
The Second Synchronization
Now we'll add a second entry to our LDAP directory.
? cat /tmp/addduck dn: uid=DDuck,dc=mydomain,dc=net uid: DDuck objectClass: top objectClass: person objectClass: organizationalPerson objectClass: inetorgperson givenName: Dora sn: Duck cn: Dora Duck mail: dora.duck@fubar.mydomain.net
OpenLDAP:
$ ldapadd -x -D cn=admin,dc=mydomain,dc=net -w secret -f /tmp/addduck
SunONE:
$ ldapadd -D "cn=directory manager" -w secret -f /tmp/addduck
Synchronize to the Scalix server:
# omldapsync -u 13fubar -d1
Two entries in the LDAP directory match our criteria for synchronization. There are no modifications or deletions, but there will be one addition:
2008-02-07 08:45:27 STATUS: search source directory on fubar.mydomain.net ... 2008-02-07 08:45:27 INFO: search base is dc=mydomain,dc=net 2008-02-07 08:45:28 INFO: ... 2 entries to check 2008-02-07 08:45:28 STATUS: find delta and perform mapping ... 2008-02-07 08:45:30 INFO: ... 0 entries to delete 2008-02-07 08:45:30 INFO: ... 1 entries to add 2008-02-07 08:45:30 INFO: ... 0 entries to modify
You can verify the entry was added with an omsearch command:
# omsearch -e s=duck CN=Dora Duck/G=Dora/S=Duck/OU1=internet/ADMINISTERED-BY=ldapsync-13fubar/FOREIGN-ADDR=uid\=DDuck,dc\=mydomain,dc\=net/INTERNET-ADDR=dora.duck@fubar.mydomain.net
Here's what's going on behind the scenes. omldapsync searches the Scalix SYSTEM directory and the LDAP directory and stores the combined results in search.curr. In our example of a newly created LDAP directory and a new omldapsync agreement, it just found two entries. One is Mildred Mouse and one is Dora Duck.
omldapsync then compares search.curr to search.last, and applies the differences to the Scalix directory. In our case, Mildred Mouse is in both files but Dora Duck is only in search.curr so Dora Duck will be added to the Scalix SYSTEM directory.
If the synchronization was successful, omldapsync stores the results of search.curr to search.last, and moves search.last to search.last.[0-9]. After search.last.1 is used, then search.last.2 will be used, then 3,4...9,0,1,2 and it continues in a cycle.
If the synchronization encountered problems, search.curr will be kept on disk so that corrections can be made and the synchronization can be run again against the current snapshot.
If you're using this document as a tutorial and executing the commands as they're discussed, you can examine the files in the /var/opt/scalix/??/s/ldapsync/13fubar/import directory. You'll see that the most recent search.last.# file contains the results of the search when only Mildred Mouse was returned. The search.last file contains the results of the most recent search, when Mildred Mouse and Dora Duck were found.
Subsequent Synchronizations
In subsequent synchronizations, you may see the following files get created or updated, depending on what occurred during the sync. Additions to this section of the document would be most welcome.
- add.curr
- only created if new entries exist in LDAP which need to be added to Scalix.
- add.curr.dist
- distribution lists (groups) to be added to Scalix.
- add.cur.memb
- members to be added to distribution lists (groups).
- add.curr.user
- The user entries which are to be added (as opposed to group entries to be added).
- add.pass
- The entries to be added which pass all the tests and actually get added to Scalix.
- delete.curr
- only created if entries have been removed from LDAP and need to be deleted from Scalix.
- delete.curr.user
- The users to be deleted (as opposed to groups).
- delete.fail
- The entries which can't be deleted for some reason. The log file will show the reason.
- delete.pass
- The entries which actually get deleted from Scalix.
- empty.to.prev
- When modifying a distribution list (group), a changetype: modify is done to the group in LDAP. The modification is replace: member and a complete member list is provided. During omldapsync, this behavior is imitated; first all members are deleted and then all members are added. empty.to.prev lists the members to be deleted so that the distribution list is empty. Then the entire accurate membership list is added.
- membadd.pass
- Members to be added to distribution lists (groups) that pass all the test criteria.
- membdelete.pass
- Members to be deleted from distribution lists (groups) that pass all the test criteria.
- member.curr
- Entries that are already members of the Scalix directory, whether internet users or Scalix account holders. Used during modifications.
- member.curr.dist
- A subset of member.curr; it contains distribution lists (groups).
- member.curr.memb
- Seems to be the same as member.curr.dist.
- member.curr.user
- A subset of member.curr; only the user entries (as opposed to group entries).
- search.curr
- Basically the result of a search against the SYTEM driectory combined with an ldapsearch against the LDAP directory. Only retained if omldapsync fails; usually by the time you look at the files, this one has been renamed to search.last. If it exists, its contents are used rather than doing a new ldapsearch. The contents of add.curr, delete.curr, modify.curr, etc. are built by comparing search.curr to search.last.
- search.last
- When omldapsync completes successfully, search.curr is renamed to search.last.
- search.last.[0-9]
- archival copies of search.last. The files are not rotated; that is, search.last.0 does not always contain the results of the search immediately prior to search.last. Rather, search.last is written to search.last.1, then search.last.2, then search.last.3, and so on. After search.last.9 is written, it starts over and search.last.0 will be written, then search.last.1, search.last.2, and so on.
- search.temp
- Whenever temp.curr is written to, the old temp.curr goes into search.temp.
- temp.curr
- The current search results. Usually this matches search.last but if there are errors and search.curr is retained rather than being written to search.last, temp.curr will match search.curr.
- util.input
- util.log
Converting an Entry to a Scalix Account
In this section we will go over the steps required to provision a new mailbox on Scalix by adding and/or modifying entries in OpenLDAP. In this exercise, we will convert "Dora Duck" to a Scalix user.
First, create a file to be used with the ldapmodify command. The file below assigns a value to all the Scalix attributes. You will probably never use all the attributes but it's nice to see what is available. For an explanation of what they do, see the documentation in the schema (a copy is provided in the appendices).
$ cat /tmp/duckmod dn: uid=DDuck,dc=mydomain,dc=net changetype: modify replace: objectClass objectClass: top objectClass: person objectClass: organizationalPerson objectClass: inetorgperson objectClass: scalixUserClass - add: scalixScalixObject scalixScalixObject: TRUE - add: scalixMailnode scalixMailnode: mail,node - add: scalixEmailAddress scalixEmailAddress: dora.duck@fubar.mydomain.net scalixEmailAddress: DDuck@mydomain.net scalixEmailAddress: dora@mydomain.net - add: scalixAdministrator scalixAdministrator: TRUE - add: scalixMailboxAdministrator scalixMailboxAdministrator: FALSE - add: scalixServerLanguage scalixServerLanguage: ENGLISH - add: scalixLimitMailboxSize scalixLimitMailboxSize: 500 - add: scalixLimitOutboundMail scalixLimitOutboundMail: TRUE - add: scalixLimitInboundMail scalixLimitInboundMail: FALSE - add: scalixLimitNotifyUser scalixLimitNotifyUser: TRUE - add: scalixHideUserEntry scalixHideUserEntry: FALSE - add: scalixMailboxClass scalixMailboxClass: FULL
Now in this modification file, I've included all the Scalix attributes just to make a fairly complete example. To convert an LDAP entry to a Scalix user account, the minimum you must do is add the scalixUserClass objectClass, and the scalixScalixObject and scalixMailnode attributes. The rest are optional.
Update the LDAP entry.
OpenLDAP:
$ ldapmodify -x -D cn=admin,dc=mydomain,dc=net -w secret \ -f /tmp/duckmod
Sun ONE:
$ ldapmodify -r -D "cn=directory manager" -w secret \ -f /tmp/duckmod
You'll get an error if you have any typos or syntax errors in your file, but to verify all the changes took place as expected, you can search for the entry:
OpenLDAP:
$ ldapsearch -x -b dc=mydomain,dc=net cn="dora duck"
Sun ONE:
$ ldapsearch -b dc=mydomain,dc=net "cn=dora duck"
# DDuck, mydomain.net dn: uid=DDuck,dc=mydomain,dc=net uid: DDuck givenName: Dora sn: Duck cn: Dora Duck mail: dora.duck@fubar.mydomain.net objectClass: top objectClass: person objectClass: organizationalPerson objectClass: inetOrgPerson objectClass: scalixUserClass scalixScalixObject: TRUE scalixMailnode: mail,node scalixAdministrator: TRUE scalixEmailAddress: dora.duck@fubar.mydomain.net scalixEmailAddress: DDuck@mydomain.net scalixEmailAddress: dora@mydomain.net scalixMailboxAdministrator: FALSE scalixServerLanguage: ENGLISH scalixLimitMailboxSize: 500 scalixLimitOutboundMail: TRUE scalixLimitInboundMail: FALSE scalixLimitNotifyUser: TRUE scalixHideUserEntry: FALSE scalixMailboxClass: FULL
Now we're ready to synchronize those changes into the Scalix server:
# omldapsync -u 13fubar -d1
NOTE: There is a minor bug with omldapsync which causes an error to occur if the scalixAdministrator attribute is in the modification. If this occurs, simply re-run omldapsync -u and the second iteration will run without incident.
Once the synchronization has completed, you can see that the entry is no longer merely an entry in the directory, but a full Scalix user:
# omshowu -n duck Authentication ID: DDuck Globally Unique ID: d55dafbe-8872-102c-9d8b-d586cd1e6306 User Name : Dora Duck /CN=Dora Duck MailNode : mail,node Internet Address : dora.duck@fubar.mydomain.net=DDuck@mydomain.net=dora@mydomain.net System Login : 60550 Password : unset Admin Capabilities : YES Mailbox Admin Capabilities : NO Language : ENGLISH Mail Account: Unlocked Last Signon : Never. Receipt of mail : ENABLED Service level : 0 Excluded from Tidying : NO Recovery Folder visible : NO User Class : Full SIS URL : sxidx://sxlab.mydomain.net/09a000005fb1fb74-121.0.861.291
NOTE: When assigning multiple email addresses, remember that the order is significant! When a Scalix account has multiple email addresses, it will receive messages addressed to any of the addresses. When the account sends out a message, the first email address will be used for the From and Reply-To values in that sent message.
The Password
You may have noticed in the exercises with Dora Duck, the account was created with the password unset. Even if we give Dora Duck a password on the LDAP system, her Scalix account will be created with the password unset. This is because passwords are encrypted in LDAP, and there is no way to "unconvert" the password for storage in Scalix.
So... what to do?
There are four options:
- Let the user login with his LDAP password. Don't let people change their password from the email client. This restricts password control to an outside application.
- Let the user login with their LDAP password, and if they opt to change their password from within the email client, the password in the LDAP directory gets changed.
- Let the user log in with either their email *or* their LDAP password. They can change their email password from the email client, but not their LDAP password. The two passwords are not synchronized; either one will work for login, but only the email password can be changed from the email client.
- Let the user log in with his email password only. The email and LDAP passwords are completely separate and unrelated (though the user could set them to the same value if he chose).
Outside Application
Let the user login with his LDAP password. Don't let people change their password from the email client. This restricts password control to an outside application.
- Add sxadmin and any other existing accounts to the LDAP directory as outlined in the section "Integrating Existing Scalix Mailboxes into LDAP".
- In /var/opt/scalix/??/s/sys/pam.d, edit the following files (create them if they do not exist):
- ual.remote
- smtpd.auth
- pop3
- ual.remote
The contents of the above files should be as follows:
auth sufficient om_ldap auth required pam_deny account required om_auth password required om_auth session required om_auth
- Edit or create /var/opt/scalix/??/s/sys/pam.d/omslapdeng with the following contents:
auth sufficient om_ldap auth sufficient om_auth auth required pam_deny account required om_auth password required om_auth session required om_auth
- Edit or create /var/opt/scalix/??/s/sys/om_ldap.conf:
host=fubar.mydomain.net search=subtree base=dc=mydomain,dc=net filter=uid=%s tls=off
- Restart Scalix
omshut; omrc
Change LDAP Password from email Client
Let the user login with their LDAP password, and if they opt to change their password from within the email client, the password in the LDAP directory gets changed. For more information on this, see the HowTo entitled "Using OpenLDAP for password management" in the Scalix Wiki.
- The user must have userPassword set in the LDAP directory.
- On the Scalix server, you must have pam_ldap and/or nssldap installed.
- Edit /etc/ldap.conf; the binddn and bindpw are optional:
# Your LDAP server. Must be resolvable without using LDAP. host fubar.mydomain.net # The distinguished name of the search base. base dc=mydomain,dc=net # The LDAP version to use (defaults to 3 # if supported by client library) ldap_version 3 # The distinguished name to bind to the server with. # Optional: default is to bind anonymously. binddn cn=directory manager # The credentials to bind with. # Optional: default is no credential. bindpw secret
- If you do not have SSL enabled, be sure you have it commented out in /etc/ldap.conf.
- In /var/opt/scalix/??/s/sys/pam.d, edit the following files (create them if they do not exist):
- ual.remote
- smtpd.auth
- pop3
- omslapdeng
- The contents of the above files should be as follows:
auth required om_om2authid auth sufficient /lib/security/pam_ldap.so ignore_unknown_user auth sufficient om_auth use_first_pass auth required pam_deny account sufficient om_auth account required /lib/security/pam_ldap.so password required om_auth preauth password required om_om2authid password required /lib/security/pam_ldap.so session required /lib/security/pam_ldap.so
- Edit or create /var/opt/scalix/??/s/sys/om_ldap.conf:
host=fubar.mydomain.net search=subtree base=dc=mydomain,dc=net filter=uid=%s tls=off
- Edit or create /var/opt/scalix/??/s/sys/pam.d/pamcheck:
auth required om_debug account required om_debug session required om_debug password required om_debug auth required om_om2authid auth required /lib/security/pam_ldap.so account required /lib/security/pam_ldap.so password required om_om2authid password required /lib/security/pam_ldap.so session required /lib/security/pam_ldap.so
- Restart Scalix
omshut; omrc
- Test the configuration with sxpamauth; note that you only use the surname, not the entire UID:
# sxpamauth -vvv duck pam_start_om("pamcheck", "duck") pam_authenticate() Password: pam_acct_mgmt() Authenticated
Dual Passwords
Let the user log in with either their email *or* their LDAP password. They can change their email password from the email client, but not their LDAP password. The two passwords are not synchronized; either one will work for login, but only the email password can be changed from the email client.
- The user must have userPassword set in the LDAP directory
- In /var/opt/scalix/??/s/sys/pam.d, edit the following files (create them if they do not exist):
- ual.remote
- smtpd.auth
- pop3
- omslapdeng
- The contents of the above files should be as follows:
auth sufficient om_ldap auth sufficient om_auth auth required pam_deny account required om_auth password required om_auth session required om_auth
- Edit or create /var/opt/scalix/??/s/sys/om_ldap.conf:
host=fubar.mydomain.net search=subtree base=dc=mydomain,dc=net filter=uid=%s tls=off
- Restart Scalix
omshut; omrc
Separate email Password
Let the user log in with his email password only. The email and LDAP passwords are completely separate and unrelated (though the user could set them to the same value if he chose).
When a new account gets created in Scalix due to having scalixUserClass, scalixScalixObject, and scalixMailnode set in the LDAP directory, the following steps should be taken:
- Set the password:
ommodu {authentication-id|-o name[/mailnode]} -p password
- Auto-expire the password.
ommodu {authentication-id|-o name[/mailnode]} -e
You can use scripts to set and auto-expire the password. Both of these steps are optional, but auto-expiration is especially recommended. This is done in order to prevent undetected, unwanted access to an account.
Managing Groups (PDLs) with LDAP
Groups can be managed from OpenLDAP and subsequently synchronized to Scalix where they will appear as Public Distribution Lists (also termed “Groups” in the Scalix Administration Console). The members of the group in OpenLDAP can be internet users or they can have Scalix mailboxes. For example, assume the same scenario described in the beginning of the is document – where the LDAP directory contains two users that have been synchronized to Scalix. Mildred Mouse is an internet user, and Dora Duck has a Scalix account.
You can make a group of these two users within LDAP, using an LDIF file and the ldapadd command. The format of the LDIF file is as follows:
$ cat /tmp/group dn: cn=testgroup,dc=mydomain,dc=net objectClass: groupOfNames cn: testgroup member: uid=mmouse,dc=mydomain,dc=net member: uid=dduck,dc=mydomain,dc=net objectClass: scalixGroupClass scalixScalixObject: TRUE scalixMailnode: mail,node scalixEmailAddress: testgroup@fubar.mydomain.net displayName: Testgroup
On the LDAP server, add to LDAP with ldapadd.
$ ldapadd -x -D cn=admin,dc=mydomain,dc=net -w secret -f /tmp/group
or
$ ldapadd -D "cn=directory manager" -w secret -f /tmp/group
On the Scalix server, synchronize:
omldapsync -u 13fubar
You can omsearch for the PDL, or group:
# omsearch -e s=testgroup S=testgroup2/OU1=mail/OU2=node/CN=Testgroup/INTERNET-ADDR=testgroup@fubar.mydomain.net/ENTRY-TYPE=4/DL-POLICY=0/FOREIGN-ADDR=cn\=testgroup,dc\=mydomain,dc\=net/ADMINISTERED-BY=ldapsync-13fubar/DL-MEMBERS=[CN=Mildred Mouse/G=Mildred/S=Mouse/OU1=internet]=[CN=Dora Duck/G=Dora/S=Duck/OU1=mail/OU2=node]
You can also see that the members' entries have been updated to reflect their membership in the PDL, or group:
# omsearch -e s=duck CN=Dora Duck/G=Dora/S=Duck/OU1=mail/ADMINISTERED-BY=ldapsync-13fubar/FOREIGN-ADDR=uid\=DDuck,dc\=mydomain,dc\=net/INTERNET-ADDR=dora.duck@mydomain.net=dduck@mydomain.net=dora.duck@fubar.mydomain.net/OU2=node/UL-AUTHID=DDuck/UL-IL=ENGLISH/UL-CAPS=6/ENTRY-TYPE=1/UL-CLASS=Full/PARENT-DL=704
Integrating Existing Scalix Mailboxes into LDAP
Sometimes you will have an existing Scalix implementation that you want to integrate with LDAP. To do that, we'll need to populate the LDAP directory with Scalix users in a way that will cause both LDAP and Scalix to accept them and to establish the fact that the entries are being administered in LDAP rather than Scalix.
Assume you have a Scalix account for Portly Pig, but Portly doesn't have an entry in the LDAP directory.
# omshowu -n pig Authentication ID: Portly.Pig@sxlab.mydomain.net Globally Unique ID: 14b10000d320aa74-121.0.861.291 User Name : Portly Pig /CN=Portly Pig MailNode : mail,node Internet Address : "Portly Pig" <Portly.Pig@sxlab.mydomain.net> System Login : 60538 Password : set Admin Capabilities : NO Mailbox Admin Capabilities : NO Language : C Mail Account: Unlocked Last Signon : Never. Receipt of mail : ENABLED Service level : 0 Excluded from Tidying : NO Recovery Folder visible : NO User Class : Full SIS URL : sxidx://sxlab.mydomain.net/04b10000d320aa74-121.0.861.291
Ensure that omldapsync -u will run without error. If you have any errors, fix them before proceeding.
Add the Portly Pig entry to the LDAP directory:
$ cat /tmp/addpig dn: uid=ppig,dc=mydomain,dc=net uid: ppig sn: Pig givenname: Portly cn: Portly Pig userpassword: PigPass objectClass: top objectClass: person objectClass: organizationalPerson objectClass: inetorgperson objectClass: scalixUserClass scalixScalixObject: TRUE scalixMailnode: mail,node scalixServerLanguage: ENGLISH scalixAdministrator: TRUE scalixMailboxAdministrator: TRUE scalixEmailAddress: ppig@sxlab.mydomain.net
OpenLDAP:
$ ldapadd -x -D cn=admin,dc=mydomain,dc=net -w secret -f /tmp/addpig
SunONE:
$ ldapadd -D "cn=directory manager" -w secret -f /tmp/addpig
Now we "trick" omldapsync into accepting the entry as foreign. This takes several steps.
omldapsync -u 13fubar -n
This causes omldapsync to show what updates would normally be made, without actually applying them. Thus, omldapsync updates its working files so that the new LDAP entry for Portly Pig is added to search.curr, but no additions to the Scalix directory are attempted.
omldapsync -u 13fubar -A
This causes omldapsync to run and accept all errors. Without the -A option, we'd get an error saying "[OM 8024] The name/mailnode "CN=Portly Pig/G=Portly/S=Pig/OU1=mail/OU2=node/INTERNET-ADDR=ppig@sxlab.mydomain.net" already exists. The name/mailnode is that of an existing user." We know this name exists, and it's okay. So we accept the error and run omldapsync anyway.
Incidentally, you cannot just run omldapsync -A the first time; the errors have to have been generated before they can be accepted.
Now we change the global-unique-id in Scalix. We want to use the one in LDAP, because that's where we will be administering the Portly Pig account from now on. The LDAP global-unique-id is authoritative.
First, find the LDAP global-unique-id.
OpenLDAP:
$ ldapsearch -h fubar.mydomain.net -x -b dc=mydomain,dc=net cn="portly pig" entryUUID
Sun ONE:
$ ldapsearch -h fubar.mydomain.net -b dc=mydomain,dc=net "cn=portly pig" nsUniqueId
# ppig, mydomain.net dn: uid=ppig,dc=mydomain,dc=net entryUUID: e701c65e-70e6-102c-8b25-1be75418929d
Now, copy the global-unique-id into the Scalix entry. This takes two ommodent commands:
# ommodent -e cn="portly pig" -n global-unique-id=e701c65e-70e6-102c-8b25-1be75418929d # ommodent -d userlist -t h -e cn="portly pig" -n global-unique-id=e701c65e-70e6-102c-8b25-1be75418929d
Now run omldapsync one more time, modifying all entries.
omldapsync -u 13fubar -M
This causes omldapsync to attempt to modify all the records in the directory, so it can take a while for this command to run. After this command is run, you can do an omsearch for the Portly Pig account and you will see it is administered-by ldapsync-13fubar.
Understanding the Mapping Table
One of the most important parts of the sync agreement is the mapping table. The mapping table comprises one section of the configuration file which was made when you created the omldapsync agreement. The mapping table for each agreement can be found in /var/opt/scalix/sb/s/ldapsync/13fubar/sync.cfg, where 13fubar is the name of the sync agreement.
A mapping table is a collection of mapping rules which will be applied to every record that is imported or exported between the Scalix directory and LDAP via omldapsync.
Each mapping rule consists of 4 fields separated by “|” of the form
<from_tag>|<to_tag>|<from_value>|<to_value>
Below are some sample entries from the mapping table for a type 13 sync agreement. Because type 13 agreements only import from LDAP to Scalix, these mappings are all from LDAP attributes to Scalix attributes.
The first shows that the LDAP uid becomes the Scalix UL-AUTHID. Only the attribute name changes; the value remains the same.
# authentication id uid|UL-AUTHID|*|*
The global unique ID is derived from the entryUUID of an OpenLDAP record, and from the nsUniqueID attribute of a Sun ONE Directory Server record.
OpenLDAP:
# global unique id entryUUID|GLOBAL-UNIQUE-ID|*|*
Sun ONE:
# global unique id nsUniqueId|GLOBAL-UNIQUE-ID|*|*
The common name in Scalix can be derived a few different ways:
# common name cn|CN|*,1,64!ISMISSING=displayName|* cn||*|#suppress it otherwise displayName|CN|*,1,64|*
The first line says that if the LDAP record does NOT contain a displayName, use the substring of the LDAP cn attribute beginning at position 1 but only going to position 64. This is because the Scalix CN cannot exceed a length of 64 characters.
The second line says that if cn exists (and there is a displayName), we'll just ignore it by mapping it to nothing.
The third line says if a displayName is present in the LDAP record, map it to the Scalix CN attribute, but don't exceed 64 characters in length.
Although this looks daunting, if you consult the man page for omldaputil, it won't be nearly as mystical :-) It's all explained very nicely.
Using Additional LDAP Attributes not Contained in the Mapping Table
You're not limited to only importing the default LDAP attributes and special Scalix attributes from LDAP into Scalix; you can import additional LDAP attributes into your Scalix directory. The list of attributes being imported from LDAP can be found in the EX_ATTR and IM_MV_ATTR definitions of the agreement's sync.cfg file. Following the example we've set up in this document, /var/opt/scalix/??/s/ldapsync/13fubar/sync.cfg contains the following lines (this is from an agreement with a Sun ONE Directory Server; in an agreement with an OpenLDAP server the nsUniqueID attribute would be replaced with entryUUID):
EX_ATTR=scalixHideUserEntry scalixMailboxClass scalixLimitMailboxSize scalixLimitOutboundMail scalixLimitInboundMail scalixLimitNotifyUser scalixScalixObject scalixMailnode scalixServerLanguage scalixAdministrator scalixMailboxAdministrator scalixEmailAddress member dn uid objectClass displayName sn givenname initials mail nsUniqueID cn facsimileTelephoneNumber homephone street st telephoneNumber title c company departmentNumber description l mobile pager physicalDeliveryOfficeName postalCode IM_MV_ATTR=objectClass INTERNET-ADDR omMemberForeignAddr
Let's say you wanted to synchronize LDAP's employeenumber attribute with Scalix. The first thing you do is look in the sync.cfg file for the agreement and see that it's not already being synchronized; that is, make sure it isn't listed in the EX_ATTR or IM_MV_ATTR definitions. If you see your desired attribute in one of the definitions, look in the mapping table portion of the agreement to find out what Scalix attribute corresponds to your desired LDAP attrbibute. For more information, see "Understanding the Mapping Table" section of this document.
If you don't see your desired LDAP attribute in the EX_ATTR or IM_MV_ATTR definitions, add it. Use EX_ATTR for regular attributes and IM_MV_ATTR for multi-valued attributes.
The second thing you need to do is figure out which Scalix attribute you want to map to the LDAP attribute. The omshowatt command is very useful for this purpose.
# omshowatt | more <...> NAME-TITLE 10 Personal Title HOME-PHONE KMSV 32 Home Telephone Number A X 16 X.400 Administration Domain EMPL-ID K 30 Employee ID LDAP-OBJECT-CLASS V 40 LDAP objectClass
The first column is the name of the Scalix attribute.
The second column holds flags. The man page for omshowatt will give you good information about these but for now it is sufficient to know that a "V" means it is a multi-valued attribute. If you are importing a multi-valued LDAP attribute, then you must import it into a Scalix attribute with a "V" in the second column of omshowatt output.
The third column is the length in octets.
The fourth column is a "friendlier" localized name.
The EMPL-ID attribute seems like a good one for our purposes. We'll map the LDAP employeeNumber attribute to the Scalix EMPL-ID attribute by adding an entry into the primary mapping table section of the sync.cfg file for this agreement. For example:
employeeNumber|EMPL-ID|*,1,30|*
The above entry means we will import the first thirty characters of the LDAP employeeNumber and store it in the Scalix EMPL-ID attribute.
Fixing omldapsync After Errors
Using omsyncwrap
Troubleshooting
UM 1065 - https://bugzilla.scalix.com/show_bug.cgi?id=16535 error 1005: Entry must have a valid global unique id ldap_bind: No such object
[OM 16078] An attribute's value contains invalid characters. Usually this is self-evident but in the case of a PDL with an underscore in the name you may not realize that Scalix does not allow underscores in PDL names. So change the group name in LDAP or Active Directory and remove the underscore.
Handy LDAP commands
omldapsearch
To search an Active Directory domain controller:
# omldapsearch -D cn=Administrator,cn=users,dc=mydomain,dc=net -w secret -h adlab.mydomain.net -b dc=mydomain,dc=net cn=* cn
OpenLDAP
# ldapadd -x -D cn=admin,dc=mydomain,dc=net -w secret -f /tmp/addfile
# ldapmodify -D cn=admin,dc=mydomain,dc=net -w secret -f /tmp/modfile
# ldapdelete -x -D cn=admin,dc=mydomain,dc=net -w secret uid=ppig,dc=mydomain,dc=net
# ldapsearch -x -b dc=mydomain,dc=net cn="donald duck"
SunONE
This will not work:
$ ldapdelete -D "directory manager" -w secret "uid=dduck,dc=mydomain,dc=net"
but this will:
$ cat /tmp/duckdel dn: uid=DDuck,dc=mydomain,dc=net changetype: delete $ ldapmodify -D "cn=directory manager" -w secret -f /tmp/duckdel
$ ldapmodify -r -D "cn=directory manager" -w secret -f /tmp/duckmod
$ ldapsearch -b dc=mydomain,dc=net "cn=donald duck"
Active Directory
# ldapsearch -x -h exlab.mydomain.net -b dc=mydomain,dc=net -D "cn=administrator,cn=users,dc=mydomain,dc=net" -w <password>
References
Sun ONE Directory Server Administration Guide
Sun ONE Directory Server Deployment Guide
Sun ONE Directory Server 5.2 Reference Manual
Sun Java Enterprise System 2005Q4 Installer tutorial
Scalix Server Setup and Configuration Guide
Scalix HowTo: Using OpenLDAP for password management
ScalixReady Technical Note: OpenLDAP in a Scalix Environment
Appendix A - ldapsync13.schema (OpenLDAP Servers)
A copy of ldapsync13.schema is provided because the copy included with the Scalix installation was incomplete in earlier releases.
# Copyright (C) 2006 Scalix Corporation. All rights reserved. # OpenLDAP schema extension for Scalix omldapsync attributes # For reference see OpenLDAP 2.1 Administrator's Guide # Installation steps (requires root login): # # 1. Stop OpenLDAP slapd server (e.g. kill -INT `cat /var/run/slapd.pid`) # # 2. Copy this file to OpenLDAP schema sub directory (e.g. etc/openldap/schema) # # 3. Edit OpenLDAP slapd.conf file (e.g. /etc/openldap/slapd.conf) to: # # a. Extend the schema by appending reference to the 'include' section, # something like the following lines: # # # include schema extension for Scalix omldapsync attributes # include /etc/openldap/schema/ldapsync13.schema # # b. Ensure Scalix omldapsync has sufficient read access to all the data, # usually determined by the type of bind and the dn used. # # c. Ensure Scalix omldapsync has sufficient search limit to return all the # matching entries, usually determined by the 'sizelimit' setting used. # # 4. Start OpenLDAP slapd server (e.g. /usr/sbin/slapd) # # 5. Fix any error, repeat steps 1 to 4 as necessary. # # 6. Test add (e.g. /usr/bin/ldapadd -D "cn=Manager,dc=my-domain,dc=com") using # something like the following LDIF lines: # # dn: cn=testuser scalix,dc=my-domain,dc=com # objectClass: inetOrgPerson # cn: testuser scalix # displayName: Testuser Scalix # sn: Scalix # mail: testuser@test.scalix.com # objectClass: scalixUserClass # scalixScalixObject: TRUE # scalixMailnode: ou1,ou2 # scalixServerLanguage: ENGLISH # scalixAdministrator: TRUE # scalixMailboxAdministrator: FALSE # scalixEmailAddress: testuser@my-domain.com # scalixEmailAddress: testuser@my-domain.de # scalixLimitMailboxSize: 1024 # scalixLimitOutboundMail: TRUE # scalixLimitInboundMail: FALSE # scalixLimitNotifyUser: TRUE # scalixHideUserEntry: FALSE # scalixMailboxClass: FULL # # dn: cn=testgroup scalix,dc=my-domain,dc=com # objectClass: groupOfNames # cn: testgroup scalix # member: cn=testuser scalix,dc=my-domain,dc=com # objectClass: scalixGroupClass # scalixScalixObject: TRUE # scalixMailnode: ou1,ou2 # displayName: Testgroup Scalix # scalixEmailAddress: testgroup@test.scalix.com # scalixHideUserEntry: TRUE # # 7. Test search (e.g. /usr/bin/ldapsearch -b "dc=my-domain,dc=com" -x -D "" # -w "" cn=*scalix) to check for read access and correct entries were added. # define macro for Scalix root OID objectIdentifier scalixOID 1.3.6.1.4.1.19049 # new attributes to describe an Scalix user or group object # use 1.1.x from Scalix root OID attributetype ( scalixOID:1.1.10 NAME ( 'scalixScalixObject' ) DESC 'boolean TRUE or FALSE for creating scalix mailbox/PDL object If this is set to FALSE and the object is matched by the omldapsync filter, a Contact entry/Internet user is created. If set to true, a mailbox is setup. For Group/PDL objects, this must always be set to true' SINGLE-VALUE EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 ) attributetype ( scalixOID:1.1.11 NAME ( 'scalixMailnode' ) DESC 'Comma-separated org units for object.s mailnode. This is the Mailnode name as defined when the Scalix server was setup. In Multi-server environments, this is used to select on which server the object is to be created.' SINGLE-VALUE EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch ORDERING caseIgnoreOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1024} ) attributetype ( scalixOID:1.1.12 NAME ( 'scalixAdministrator' ) DESC 'Boolean TRUE or FALSE for admin capability. If set to TRUE, the user created will have full Scalix admin capabilites.' SINGLE-VALUE EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 ) attributetype ( scalixOID:1.1.13 NAME ( 'scalixMailboxAdministrator' ) DESC 'Boolean TRUE or FALSE for Mailbox Admin capability. A user with this flag set to TRUE can access ANY mailbox on a server through mboxadmin signon. This is usually only used for migration tools and typically not exposed through LDAP' SINGLE-VALUE EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 ) attributetype ( scalixOID:1.1.14 NAME ( 'scalixServerLanguage' ) DESC 'Message catalog language for client. This is one of the Scalix-supported languages found in /var/opt/scalix/nls/om_langs' SINGLE-VALUE EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch ORDERING caseIgnoreOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1024} ) attributetype ( scalixOID:1.1.15 NAME ( 'scalixEmailAddress' ) DESC 'List of SMTP addresses of user. This is a multi-valued attribute. The order is important as the first of these values is used as the outgoing from address of the user.' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch ORDERING caseIgnoreOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1024} ) attributetype ( scalixOID:1.1.16 NAME ( 'scalixLimitMailboxSize' ) DESC 'mailbox size limit for the user in MB' SINGLE-VALUE EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 ) attributetype ( scalixOID:1.1.17 NAME ( 'scalixLimitOutboundMail' ) DESC 'As Sanction on Mailbox quota overuse, stop user from sending mail. Set to TRUE or FALSE' SINGLE-VALUE EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 ) attributetype ( scalixOID:1.1.18 NAME ( 'scalixLimitInboundMail' ) DESC 'As Sanction on Mailbox quota overuse, stop user from receiving mail. Set to TRUE or FALSE' SINGLE-VALUE EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 ) attributetype ( scalixOID:1.1.19 NAME ( 'scalixLimitNotifyUser' ) DESC 'As Sanction on Mailbox quota overuse, notify the User by eMail. Set to TRUE or FALSE' SINGLE-VALUE EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 ) attributetype ( scalixOID:1.1.20 NAME ( 'scalixHideUserEntry' ) DESC 'Hide User Entry from Addressbook. Set to TRUE or FALSE' SINGLE-VALUE EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 ) attributetype ( scalixOID:1.1.21 NAME ( 'scalixMailboxClass' ) DESC 'Class of User Mailbox FULL or LIMITED. This maps to Premium or Standard users as defined by Scalix User licensing policy' SINGLE-VALUE EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch ORDERING caseIgnoreOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1024} ) # auxiliary classes for scalix User and group # use 1.2.x from Scalix root OID objectclass ( scalixOID:1.2.10 NAME 'scalixUserClass' DESC 'Supplemental class containing the Scalix User-related attributes' AUXILIARY MUST ( scalixScalixObject $ scalixMailnode) MAY ( scalixAdministrator $ scalixMailboxAdministrator $ scalixServerLanguage $ scalixEmailAddress $ scalixLimitMailboxSize $ scalixLimitOutboundMail $ scalixLimitInboundMail $ scalixLimitNotifyUser $ scalixHideUserEntry $ scalixMailboxClass ) ) objectclass ( scalixOID:1.2.11 NAME 'scalixGroupClass' DESC 'Supplemental class containing the Scalix Group-related attributes' AUXILIARY MUST ( scalixScalixObject $ scalixMailnode ) MAY ( displayName $ scalixEmailAddress $ scalixHideUserEntry ) )
Appendix B - 90Scalix.ldif (Sun ONE Directory Servers)
dn: cn=schema objectClass: top objectClass: ldapSubentry objectClass: subschema cn: schema aci: (target="ldap:///cn=schema")(targetattr !="aci")(version 3.0; acl "anonymous, no acis"; allow (read, search, compare) userdn = "ldap:///anyone";) aci: (targetattr = "*")(version 3.0; acl "Configuration Administrators Group"; allow (all) groupdn = "ldap:///cn=Configuration Administrators, ou=Groups, ou=TopologyManagement, o=NetscapeRoot";) aci: (targetattr = "*")(version 3.0; acl "Configuration Administrator"; allow (all) userdn = "ldap:///uid=admin,ou=Administrators, ou=TopologyManagement, o=NetscapeRoot";) aci: (targetattr = "*")(version 3.0; acl "Local Directory Administrators Group "; allow (all) groupdn = "ldap:///cn=Directory Administrators, dc=mydomain,dc=net";) aci: (targetattr = "*")(version 3.0; acl "SIE Group"; allow (all)groupdn = "ldap:///cn=slapd-fubar, cn=Sun ONE Directory Server, cn=Server Group, cn=fubar.mydomain.net, ou=mydomain.net, o=NetscapeRoot";) modifiersName: cn=directory manager modifyTimestamp: 20080205163801Z attributeTypes: ( 1.1.13 NAME 'scalixMailboxAdministrator' DESC 'Boolean TRUE or FALSE for Mailbox Admin capability. A user with this flag set to TRUE can access ANY mailbox on a server through mboxadmin signon. This is usually only used for migration tools and typically not exposed through LDAP' SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'user defined' ) attributeTypes: ( 1.1.18 NAME 'scalixLimitInboundMail' DESC 'As Sanction on Mailbox quota overuse, stop user from receiving mail. Set to TRUE or FALSE' SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'user defined' ) attributeTypes: ( 1.1.10 NAME 'scalixScalixObject' DESC 'boolean TRUE or FALSE for creating scalix mailbox/PDL object. If this is set to FALSE and the object is matched by the omldapsync filter, a Contact entry/Internet user is created. If set to true, a mailbox is setup. For Group/PDL objects, this must always be set to true.' SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'user defined' ) attributeTypes: ( 1.1.15 NAME 'scalixEmailAddress' DESC 'List of SMTP addresses of user. This is a multi-valued attribute. The order is important as the first of these values is used as the outgoing from address of the user.' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' ) attributeTypes: ( 1.1.20 NAME 'scalixHideUserEntry' DESC 'Hide User Entry from Addressbook. Set to TRUE or FALSE' SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'user defined' ) attributeTypes: ( 1.1.12 NAME 'scalixAdministrator' DESC 'Boolean TRUE or FALSE for admin capability. If set to TRUE, the user created will have full Scalix admin capabilites.' SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'user defined' ) attributeTypes: ( 1.1.17 NAME 'scalixLimitOutboundMail' DESC 'As Sanction on Mailbox quota overuse, stop user from sending mail. Set to TRUE or FALSE' SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'user defined' ) attributeTypes: ( 1.1.14 NAME 'scalixServerLanguage' DESC 'Message catalog language for client. This is one of the Scalix-supported languages found in /var/opt/scalix/nls/om_langs' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'user defined' ) attributeTypes: ( 1.1.19 NAME 'scalixLimitNotifyUser' DESC 'As Sanction on Mailbox quota overuse, notify the User by eMail. Set to TRUE or FALSE' SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'user defined' ) attributeTypes: ( 1.1.11 NAME 'scalixMailnode' DESC 'Comma-separated org units for object.s mailnode. This is the Mailnode name as defined when the Scalix server was setup. In Multi-server environments, this is used to select on which server the object is to be created.' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'user defined' ) attributeTypes: ( 1.1.16 NAME 'scalixLimitMailboxSize' DESC 'mailbox size limit for the user in MB' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'user defined' ) attributeTypes: ( 1.1.21 NAME 'scalixMailboxClass' DESC 'Class of User Mailbox FULL or LIMITED. This maps to Premium or Standard users as defined by Scalix User licensing policy' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'user defined' ) objectClasses: ( 1.2.10 NAME 'scalixUserClass' SUP top STRUCTURAL MUST ( scalixMailnode $ scalixScalixObject ) MAY ( scalixAdministrator $ scalixEmailAddress $ scalixHideUserEntry $ scalixLimitInboundMail $ scalixLimitMailboxSize $ scalixLimitNotifyUser $ scalixLimitOutboundMail $ scalixMailboxAdministrator $ scalixMailboxClass $ scalixServerLanguage ) X-ORIGIN 'user defined' ) objectClasses: ( 1.2.11 NAME 'scalixGroupClass' SUP top STRUCTURAL MUST ( scalixMailnode $ scalixScalixObject ) MAY ( displayName $ scalixEmailAddress $ scalixHideUserEntry ) X-ORIGIN 'user defined' )
Appendix C -slapd.conf (OpenLDAP Server)
This is a sample slapd.conf file taken from OpenLAP version 2.3.35 running on Ubuntu 7.1 (Gutsy Gibbon). Your slapd.conf file may be more or less complex than this one.
# This is the main slapd configuration file. See slapd.conf(5) for more # info on the configuration options. ####################################################################### # Global Directives: # Features to permit #allow bind_v2 # Schema and objectClass definitions include /etc/ldap/schema/core.schema include /etc/ldap/schema/cosine.schema include /etc/ldap/schema/nis.schema include /etc/ldap/schema/inetorgperson.schema include /etc/ldap/schema/ldapsync13.schema # Where the pid file is put. The init.d script # will not stop the server if you change this. pidfile /var/run/slapd/slapd.pid # List of arguments that were passed to the server argsfile /var/run/slapd/slapd.args # Read slapd.conf(5) for possible values loglevel 256 # Where the dynamically loaded modules are stored modulepath /usr/lib/ldap moduleload back_bdb # The maximum number of entries that is returned for a search operation sizelimit 5000 # The tool-threads parameter sets the actual amount of cpu's that is used # for indexing. tool-threads 1 ####################################################################### # Specific Backend Directives for bdb: # Backend specific directives apply to this backend until another # 'backend' directive occurs backend bdb checkpoint 512 30 ####################################################################### # Specific Backend Directives for 'other': # Backend specific directives apply to this backend until another # 'backend' directive occurs #backend <other> ####################################################################### # Specific Directives for database #1, of type bdb: # Database specific directives apply to this databasse until another # 'database' directive occurs database bdb # The base of your directory in database #1 suffix "dc=mydomain,dc=net" # rootdn directive for specifying a superuser on the database. This is needed # for syncrepl. rootdn "cn=admin,dc=mydomain,dc=net" rootpw {SSHA}EGBbPLdQg0o5RoUQBwIQBkymApuC/YFa # Where the database file are physically stored for database #1 directory "/var/lib/ldap/mydomain" # For the Debian package we use 2MB as default but be sure to update this # value if you have plenty of RAM dbconfig set_cachesize 0 2097152 0 # Sven Hartge reported that he had to set this value incredibly high # to get slapd running at all. See http://bugs.debian.org/303057 # for more information. # Number of objects that can be locked at the same time. dbconfig set_lk_max_objects 1500 # Number of locks (both requested and granted) dbconfig set_lk_max_locks 1500 # Number of lockers dbconfig set_lk_max_lockers 1500 # Indexing options for database #1 index objectClass eq # Save the time that the entry gets modified, for database #1 lastmod on # Where to store the replica logs for database #1 # replogfile /var/lib/ldap/replog # The userPassword by default can be changed # by the entry owning it if they are authenticated. # Others should not be able to see it, except the # admin entry below # These access lines apply to database #1 only access to attrs=userPassword,shadowLastChange by dn="cn=admin,dc=mydomain,dc=net" write by anonymous auth by self write by * none # Ensure read access to the base for things like # supportedSASLMechanisms. Without this you may # have problems with SASL not knowing what # mechanisms are available and the like. # Note that this is covered by the 'access to *' # ACL below too but if you change that as people # are wont to do you'll still need this if you # want SASL (and possible other things) to work # happily. access to dn.base="" by * read # The admin dn has full write access, everyone else # can read everything. access to * by dn="cn=admin,dc=mydomain,dc=net" write by * read # For Netscape Roaming support, each user gets a roaming # profile for which they have write access to #access to dn=".*,ou=Roaming,o=morsnet" # by dn="cn=admin,dc=mydomain,dc=net" write # by dnattr=owner write ####################################################################### # Specific Directives for database #2, of type 'other' (can be bdb too): # Database specific directives apply to this databasse until another # 'database' directive occurs #database <other> # The base of your directory for database #2 #suffix "dc=debian,dc=org"
Appendix D - OpenLDAP
The majority of readers interested in the OpenLDAP portions of this document will have an OpenLDAP Server already functioning in their production environment; sometimes, however, it's nice to set up a lab machine for testing or proof of concept. This section will step you through installing a minimal OpenLDAP Server on Ubuntu.
This document was written for OpenLDAP version 2.3.35 running on Ubuntu 7.10 (Gutsy Gibbon) on an X86 laptop. The information should be applicable to other platforms and versions, within reason.
Getting the Software
Install the slapd package via Synaptic (System -> Administration -> Synaptic Package Manager) or apt-get (apt-get install slapd).
Start and stopping OpenLDAP
/etc/init.d/slapd start /etc/init.d/slapd start /etc/init.d/slapd restart
Configuration
Configuration information is generally stored in /etc/ldap/slapd.conf though some OpenLDAP servers use /etc/openldap/slapd.conf.
You'll need to update the following lines in slapd.conf:
suffix "dc=mydomain,dc=net" rootdn "cn=admin,dc=mydomain,dc=net" rootpw {SSHA}EGBbPLdQg0o5RoUQBwIQBkymApuC/YFa directory "/var/lib/ldap/mydomain"
You can define multiple databases but each must have its own directory, they can't all share one directory.
The encrypted rootpw is created by running slappasswd; to create an encryption of the password "secret" you'd run:
# slappasswd -s secret {SSHA}91EpYZ0u6luAaVB4Q08TdrmhDfGVg8Hy
Schema
The schema definition is stored in multiple files in the etc/ldap/schema directory.
If your schema files are not in this location, check your slapd.conf file to see where they are located.
Inital Population of the Database
You can easily set up a basic structure with an LDIF file similar to the one below:
# cat init.ldif dn: dc=mydomain,dc=net objectClass: dcObject objectClass: organizationalUnit dc: mydomain ou: MyDomain Dot Net dn: ou=people,dc=mydomain,dc=net objectClass: organizationalUnit ou: people dn: ou=groups,dc=mydomain,dc=net objectClass: organizationalUnit ou: groups
Then add these values with an ldapadd command:
# ldapadd -x -D cn=admin,dc=mydomain,dc=net -w secret -f init.ldif
Appendix E - Sun ONE Directory Server
The majority of readers interested in the Sun ONE portions of this document will have a Sun ONE Directory Server already functioning in their production environment; sometimes, however, it's nice to set up a lab machine for testing or proof of concept. This section will step you through installing a minimal Sun ONE Directory Server.
This document was written for Sun ONE Directory Server version 5.2 P6 2005Q4 running on Solaris 10 on an X86 laptop. The information should be applicable to other platforms and versions, within reason.
System Requirements
The Sun ONE Directory Server is available for the following OS:
- Solaris 9 and 10
- Red Had Enterprise Linux Advanced Server (AS) 3 and 4
- HP-UX 11.11 (PA-RISC)
- Microsoft Windows 2000 Server and Advanced Server
- Microsoft Windws Server 2003 Standard Edition and Enterprise Edition
You will need 400 Gb of disk space.
More specification information is available from the vendor at http://www.sun.com/software/products/directory_srvr_ee/specs.jsp
Getting the Software
To get the software, go to Sun's download page at http://www.sun.com/download/index.jsp
- Under "Identity Management", select "Directory Server"
- Click to download "Directory Server"
- Click "Download Now"
- Step 1: Select Component - Directory Server
- Step 2: Select Version - 5 2005Q4 (5.2 P6)
- Step 3: Select Delivery Type - Native Package (PKG) (Note - only patches are available for X86 in ZIP format; for the entire package you have to select PKG)
- Step 4: Select Platform - Solaris 10 X86
- Click "View Downloads"
Download and Install the System Patches
Download
- On the web page listing your selection results, select one of the System Patches; you will get an error in a new browser window because you are not logged in. Login (register if you have not yet done so).
- Go back to the original window and select the patch again.
- Select "Download Patch: HTTP" and save to disk; save in /var/spool/patch.
- Download all the patches in this manner.
Install
For each patch, uncompress as follows:
unzip patchname.zip
For example:
unzip 119811-04.zip
This will create a directory named patchname, for example 119811-04.
Add the patch:
patchadd /var/spool/patch/119811-04
Download and Install Directory Server
On the web page listing your selection results, click "Base Full Install for Directory Server 5 2005Q4". This will launch Sun's Download Center. Accept the License Agreement, then select the following components. Be careful when using the "check all" box in any section; it will select all the boxes in another section as well.
- Solaris x86 Platform - Sun Java Identity Management Suite - Solaris X86 Platform
- Sun Java TM Directory Server (java_es_05Q4_directory-ga-solaris-x86.zip)
Click the orange button that says "Download selected with Sun Download Manager"
If you are presented with a dialog box asking if you want to save to disk or open with Sun Java 5.0 Web Start, choose to open with Sun Java 5.0 Web Start.
If the zip file does not self-extract, uncompress it with the following command:
unzip java_es_05Q4_directory-ga-solaris-x86.zip
The Sun Java System Directory Server 5 2005Q4 is actually a portion of the Sun Java Enterprise System, so we will be installing the Enterprise System and only selecting the System Directory Server component. You must be root to install the Sun Java Enterprise System.
cd java_es_05Q4_directory/Solaris_x86 ./installer -nodisplay
Read and accept the license agreement.
Select which language(s) you want installed.
Installation Type - when prompted "Do you want to install the full set of Sun Java(TM) Enterprise System Products and Services?" answer no.
Select Sun Java(TM) System Directory Server 5 2005Q4 (option 3)
Press Enter to accept the list of applications that the installer will install.
If prompted to upgrade the J2SE(TM) Software Development Kit, choose the automatic update option.
Accept the default location for the installation directories when prompted.
Select 1 to continue the installation.
Select 1 to configure now.
Answer the questions when prompted, making a note of the Server admin User ID (default "admin") and password, DN (default "cn=Directory Manager") and password.
When prompted about how you would like to populate the directory server with data, if you select 1 or 3, sample data will be automatically loaded. If you select 2 or 3, you must have an LDIF file on disk from which data can be loaded.
After answering all the questions, select 1 to Install the Java Enterprise System Directory Server.
View the installation summary and verify everything is correct.
Download Directory Server patch
Note: This is only necessary if you have an older installation of Sun ONE Directory Server and need to update it. If you have just completed the full installation, you will be up to date and no patches are required.
- On the web page listing your selection results, click "Directory Server 5 2005Q4 (5.2 Pg) PKG Patch".
- Select "Download Patch: HTTP" and save to disk.
Uncompress as follows:
unzip patchname.zip
For example:
unzip 115615-28.zip
This will create a directory named patchname, for example 115615-28.
Add the patch:
patchadd /var/spool/patch/115615-28
Start and stopping the server
Both of these scripts must run with the same UID and GID as the Directory Server. For example, if the Directory Server runs as nobody, you must run the start-slapd and stop-slapd utilities as nobody.
Starting the server:
/usr/sbin/directoryserver start
or
ServerRoot/slapd-serverID/start-slapd Example: /var/opt/mps/serverroot/slapd-fubar/start-slapd
Stopping the server:
/usr/sbin/directoryserver stop
or
ServerRoot/slapd-serverID/stop-slapd Example: /var/opt/mps/serverroot/slapd-fubar/stop-slapd
Configuration
Configuration information is stored in ServerRoot/slapd-serverID/config/dse.ldif
Example: /var/opt/mps/serverroot/slapd-fubar/config/dse.ldif
As the filename suggests, it is in LDAP Data Interchange Format (LDIF).
Schema
The schema definition is stored in multiple files in ServerRoot/slapd-serverID/config/schema
Example: /var/opt/mps/serverroot/slapd-fubar/config/schema
These files are in the LDAP Data Interchange Format (LDIF).