HowTos/OpenLDAP User Management

From Scalix Wiki
Revision as of 17:23, 21 March 2012 by PatSuwalski (Talk | contribs) (Reverted edits by MediaWiki spam cleanup (Talk) to last version by Medievalist)



In response to this thread: [1], I have started this HowTo. Hopefully others can provide more information.


Summary of Setup

We have an existing OpenLDAP server backing Samba, which acts as the Primary Domain Controller. We wanted ONE point of administration for users, so we wanted to be able to modify the e-mail settings from OpenLDAP. We were already using phpLDAPAdministrator[2] and wanted to continue using it, so we had no intention of using SAC for user administration tasks. (When you set up your system this way, SAC greys out all the user settings, so you can't change them there anyway.)


OpenLDAP Server Modifications

Existing OpenLDAP server 2.2.29 running on Fedora Core 3. I had to make two modifications to my existing OpenLDAP directory. The first was to add the schema file.

Edit /etc/openldap/slapd.conf and add the include line for scalix.schema:

include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/nis.schema
include         /etc/openldap/schema/misc.schema
include         /etc/openldap/schema/samba.schema
include         /etc/openldap/schema/scalix.schema

Also, here is a copy of the scalix.schema file. I noticed the one that came with Scalix was missing lots of options, so Florian provided an updated one. As of version 11.1 I don't think it has changed, but maybe someone else can verify.

# Copyright (C) 2006 Scalix Corporation.  All rights reserved.

# OpenLDAP schema extension for Scalix omldapsync attributes
# For reference see OpenLDAP 2.1 Administrator's Guide

# Installation steps (requires root login):
#
# 1. Stop OpenLDAP slapd server (e.g. kill -INT `cat /var/run/slapd.pid`)
#
# 2. Copy this file to OpenLDAP schema sub directory (e.g. /etc/openldap/schema)
#
# 3. Edit OpenLDAP slapd.conf file (e.g. /etc/openldap/slapd.conf) to:
#
#    a. Extend the schema by appending reference to the 'include' section,
#       something like the following lines:
#
#       # include schema extension for Scalix omldapsync attributes
#       include /etc/openldap/schema/scalix-10.0.0.schema
#
#    b. Ensure Scalix omldapsync has sufficient read access to all the data,
#       usually determined by the type of bind and the dn used.
#
#    c. Ensure Scalix omldapsync has sufficient search limit to return all the
#       matching entries, usually determined by the 'sizelimit' setting used.
#
# 4. Start OpenLDAP slapd server (e.g. /usr/sbin/slapd)
#
# 5. Fix any error, repeat steps 1 to 4 as necessary.
#
# 6. Test add (e.g. /usr/bin/ldapadd -D "cn=Manager,dc=my-domain,dc=com") using
#    something like the following LDIF lines:
#
#    dn: cn=testuser scalix,dc=my-domain,dc=com
#    objectClass: inetOrgPerson
#    cn: testuser scalix
#    displayName: Testuser Scalix
#    sn: Scalix
#    mail: testuser@test.scalix.com
#    objectClass: scalixUserClass
#    scalixScalixObject: TRUE
#    scalixMailnode: ou1,ou2
#    scalixServerLanguage: ENGLISH
#    scalixAdministrator: TRUE
#    scalixMailboxAdministrator: FALSE
#    scalixEmailAddress: testuser@my-domain.com
#    scalixEmailAddress: testuser@my-domain.de
#    scalixLimitMailboxSize: 1024000
#    scalixLimitOutboundMail: TRUE
#    scalixLimitInboundMail: FALSE
#    scalixLimitNotifyUser: TRUE
#    scalixHideUserEntry: FALSE
#    scalixMailboxClass: FULL
#
#    dn: cn=testgroup scalix,dc=my-domain,dc=com
#    objectClass: groupOfNames
#    cn: testgroup scalix
#    member: cn=testuser scalix,dc=my-domain,dc=com
#    objectClass: scalixGroupClass
#    scalixScalixObject: TRUE
#    scalixMailnode: ou1,ou2
#    displayName: Testgroup Scalix
#    scalixEmailAddress: testgroup@test.scalix.com
#    scalixHideUserEntry: TRUE
#
# 7. Test search (e.g. /usr/bin/ldapsearch -b "dc=my-domain,dc=com" -x -D ""
#    -w "" cn=*scalix) to check for read access and correct entries were added.

# define macro for Scalix root OID
objectIdentifier scalixOID 1.3.6.1.4.1.19049

# new attributes to describe a Scalix user or group object
# use 1.1.x from Scalix root OID
attributetype ( scalixOID:1.1.10 NAME ( 'scalixScalixObject' )
        DESC 'boolean TRUE or FALSE for creating scalix mailbox/PDL object
              If this is set to FALSE and the object is matched by the omldapsync
              filter, a Contact entry/Internet user is created. If set to true, a
              mailbox is setup. For Group/PDL objects, this must always be set to true'
        SINGLE-VALUE
        EQUALITY booleanMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 )

attributetype ( scalixOID:1.1.11 NAME ( 'scalixMailnode' )
        DESC 'Comma-separated org units for objects mailnode. This is the
              Mailnode name as defined when the Scalix server was setup. In
              Multi-server environments, this is used to select on which server
              the object is to be created.'
        SINGLE-VALUE
        EQUALITY caseIgnoreMatch
        SUBSTR caseIgnoreSubstringsMatch
        ORDERING caseIgnoreOrderingMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )

attributetype ( scalixOID:1.1.12 NAME ( 'scalixAdministrator' )
        DESC 'Boolean TRUE or FALSE for admin capability. If set to TRUE,
              the user created will have full Scalix admin capabilities.'
        SINGLE-VALUE
        EQUALITY booleanMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 )

attributetype ( scalixOID:1.1.13 NAME ( 'scalixMailboxAdministrator' )
        DESC 'Boolean TRUE or FALSE for Mailbox Admin capability. A user with
              this flag set to TRUE can access ANY mailbox on a server through
              mboxadmin signon. This is usually only used for migration tools and
              typically not exposed through LDAP'
        SINGLE-VALUE
        EQUALITY booleanMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 )

attributetype ( scalixOID:1.1.14 NAME ( 'scalixServerLanguage' )
        DESC 'Message catalog language for client. This is one of the Scalix-supported
              languages found in /var/opt/scalix/nls/om_langs'
        SINGLE-VALUE
        EQUALITY caseIgnoreMatch
        SUBSTR caseIgnoreSubstringsMatch
        ORDERING caseIgnoreOrderingMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1024} )

attributetype ( scalixOID:1.1.15 NAME ( 'scalixEmailAddress' )
        DESC 'List of SMTP addresses of user. This is a multi-valued attribute. The
              order is important as the first of these values is used as the outgoing
              from address of the user.'
        EQUALITY caseIgnoreMatch
        SUBSTR caseIgnoreSubstringsMatch
        ORDERING caseIgnoreOrderingMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1024} )

attributetype ( scalixOID:1.1.16 NAME ( 'scalixLimitMailboxSize' )
        DESC 'mailbox size limit for the user in MB'
        SINGLE-VALUE
        EQUALITY integerMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )

attributetype ( scalixOID:1.1.17 NAME ( 'scalixLimitOutboundMail' )
        DESC 'As Sanction on Mailbox quota overuse, stop user from sending mail.
              Set to TRUE or FALSE'
        SINGLE-VALUE
        EQUALITY booleanMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 )

attributetype ( scalixOID:1.1.18 NAME ( 'scalixLimitInboundMail' )
        DESC 'As Sanction on Mailbox quota overuse, stop user from receiving mail.
              Set to TRUE or FALSE'
        SINGLE-VALUE
        EQUALITY booleanMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 )

attributetype ( scalixOID:1.1.19 NAME ( 'scalixLimitNotifyUser' )
        DESC 'As Sanction on Mailbox quota overuse, notify the User by eMail.
              Set to TRUE or FALSE'
        SINGLE-VALUE
        EQUALITY booleanMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 )

attributetype ( scalixOID:1.1.20 NAME ( 'scalixHideUserEntry' )
        DESC 'Hide User Entry from Addressbook. Set to TRUE or FALSE'
        SINGLE-VALUE
        EQUALITY booleanMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 )

attributetype ( scalixOID:1.1.21 NAME ( 'scalixMailboxClass' )
        DESC 'Class of User Mailbox FULL or LIMITED. This maps to
              Premium or Standard users as defined by Scalix User licensing policy'
        SINGLE-VALUE
        EQUALITY caseIgnoreMatch
        SUBSTR caseIgnoreSubstringsMatch
        ORDERING caseIgnoreOrderingMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1024} )

# auxiliary classes for scalix User and group
# use 1.2.x from Scalix root OID
objectclass ( scalixOID:1.2.10 NAME 'scalixUserClass'
        DESC 'Supplemental class containing the Scalix User-related attributes'
        AUXILIARY
        MUST ( scalixScalixObject     $ scalixMailnode )
        MAY  ( scalixAdministrator    $ scalixMailboxAdministrator $
               scalixServerLanguage   $ scalixEmailAddress $
               scalixLimitMailboxSize $ scalixLimitOutboundMail $
               scalixLimitInboundMail $ scalixLimitNotifyUser $
               scalixHideUserEntry    $ scalixMailboxClass ) )

objectclass ( scalixOID:1.2.11 NAME 'scalixGroupClass'
        DESC 'Supplemental class containing the Scalix Group-related attributes'
        AUXILIARY
        MUST ( scalixScalixObject $ scalixMailnode )
        MAY  ( scalixEmailAddress $ scalixHideUserEntry ) )
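To check entries before omldapsync imports them, the following Python (an added example, not part of the schema or of Scalix) transcribes the rules declared above into a small validator: the MUST and MAY lists of the two auxiliary classes, SINGLE-VALUE, the boolean (...1.7) and integer (...1.27) syntaxes and the {n} length limits. It is not slapd's schema checker, but it rejects the same things slapd would, and it separately lists the two flags that grant privilege (scalixAdministrator, and scalixMailboxAdministrator, which the schema says opens every mailbox on the server), so an LDIF can be reviewed before it goes in. The first sample entry is the test user from the schema's installation comments; the second is constructed to show the failure cases.

```python
import re

# Attribute rules transcribed from scalix.schema above: (syntax, SINGLE-VALUE, max length)
BOOLEAN, INTEGER, STRING = "boolean", "integer", "string"
SCALIX_ATTRS = {
    "scalixScalixObject":         (BOOLEAN, True,  None),
    "scalixMailnode":             (STRING,  True,  256),
    "scalixAdministrator":        (BOOLEAN, True,  None),
    "scalixMailboxAdministrator": (BOOLEAN, True,  None),
    "scalixServerLanguage":       (STRING,  True,  1024),
    "scalixEmailAddress":         (STRING,  False, 1024),
    "scalixLimitMailboxSize":     (INTEGER, True,  None),
    "scalixLimitOutboundMail":    (BOOLEAN, True,  None),
    "scalixLimitInboundMail":     (BOOLEAN, True,  None),
    "scalixLimitNotifyUser":      (BOOLEAN, True,  None),
    "scalixHideUserEntry":        (BOOLEAN, True,  None),
    "scalixMailboxClass":         (STRING,  True,  1024),
}
# Auxiliary classes and their MUST / MAY attribute sets, as declared in the schema
OBJECT_CLASSES = {
    "scalixUserClass":  ({"scalixScalixObject", "scalixMailnode"},
                         set(SCALIX_ATTRS) - {"scalixScalixObject", "scalixMailnode"}),
    "scalixGroupClass": ({"scalixScalixObject", "scalixMailnode"},
                         {"scalixEmailAddress", "scalixHideUserEntry"}),
}
# LDAP attribute names are case-insensitive; map any spelling back to the schema's
CANON = {name.lower(): name for name in SCALIX_ATTRS}
CANON["objectclass"] = "objectClass"


def parse_ldif_entry(text):
    """Parse a single LDIF entry into {attribute: [values]}, folding continuation lines."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:          # continuation line (RFC 2849)
            lines[-1] += raw[1:]
        elif raw.strip() and not raw.startswith("#"):
            lines.append(raw)
    entry = {}
    for line in lines:
        attr, _, value = line.partition(":")
        attr = CANON.get(attr.strip().lower(), attr.strip())
        entry.setdefault(attr, []).append(value.strip())
    return entry


def validate(entry):
    """Return the schema violations slapd would reject (empty list = entry is well-formed)."""
    problems = []
    classes = set(entry.get("objectClass", [])) & set(OBJECT_CLASSES)
    allowed = set()
    for cls in sorted(classes):
        must, may = OBJECT_CLASSES[cls]
        allowed |= must | may
        for attr in sorted(must - set(entry)):
            problems.append(f"{cls} requires {attr}")
    for attr, values in entry.items():
        if attr not in SCALIX_ATTRS:
            continue                               # not a Scalix attribute, not our job
        syntax, single, max_len = SCALIX_ATTRS[attr]
        if attr not in allowed:                    # objectClass violation
            problems.append(f"{attr} not permitted by objectClass "
                            f"{', '.join(sorted(classes)) or 'none'}")
        if single and len(values) > 1:
            problems.append(f"{attr} is SINGLE-VALUE but has {len(values)} values")
        for v in values:
            if syntax == BOOLEAN and v not in ("TRUE", "FALSE"):
                problems.append(f"{attr}: {v!r} is not TRUE/FALSE")
            elif syntax == INTEGER and not re.fullmatch(r"-?\d+", v):
                problems.append(f"{attr}: {v!r} is not an integer")
            elif max_len and len(v) > max_len:
                problems.append(f"{attr}: value longer than {max_len}")
    return problems


def privileged_flags(entry):
    """Privilege-granting flags set TRUE on the entry; worth an audit step before import."""
    return sorted(a for a in ("scalixAdministrator", "scalixMailboxAdministrator")
                  if entry.get(a) == ["TRUE"])


# The test user from the schema's installation comments
TESTUSER_LDIF = """dn: cn=testuser scalix,dc=my-domain,dc=com
objectClass: inetOrgPerson
cn: testuser scalix
displayName: Testuser Scalix
sn: Scalix
mail: testuser@test.scalix.com
objectClass: scalixUserClass
scalixScalixObject: TRUE
scalixMailnode: ou1,ou2
scalixServerLanguage: ENGLISH
scalixAdministrator: TRUE
scalixMailboxAdministrator: FALSE
scalixEmailAddress: testuser@my-domain.com
scalixEmailAddress: testuser@my-domain.de
scalixLimitMailboxSize: 1024000
scalixLimitOutboundMail: TRUE
scalixLimitInboundMail: FALSE
scalixLimitNotifyUser: TRUE
scalixHideUserEntry: FALSE
scalixMailboxClass: FULL
"""

# Constructed bad entry: no auxiliary class, lower-case boolean, two mailnodes
BAD_LDIF = """dn: uid=bob,ou=Users,dc=foo,dc=com
objectClass: inetOrgPerson
cn: bob
sn: Bob
scalixScalixObject: yes
scalixMailnode: ou1
scalixMailnode: ou2
"""

if __name__ == "__main__":
    for text in (TESTUSER_LDIF, BAD_LDIF):
        entry = parse_ldif_entry(text)
        print(entry["dn"][0], validate(entry) or "OK", "privileged:", privileged_flags(entry))
```

Run it on an LDIF file by reading the file into parse_ldif_entry one entry at a time (entries are separated by a blank line); anything that comes back from validate() would also be refused by slapd when the entry is added, so fixing it here saves a failed ldapadd later.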

Now, in my situation I already had OpenLDAP working, so I needed to add all these "new" attributes to the existing users with some default values. I have lost the script I used, but here is what I was able to recover. First, create a list of users to modify:

ldapsearch -x |grep ou=Users > userlist

This search can obviously be modified to get what you need out of OpenLDAP. Sample output is:

dn: uid=user1,ou=Users,dc=foo,dc=com
dn: uid=user2,ou=Users,dc=foo,dc=com
dn: uid=user3,ou=Users,dc=foo,dc=com
dn: uid=user4,ou=Users,dc=foo,dc=com

I then ran this overly simple Perl script to process the user list:

#!/usr/bin/perl
# Writes an LDIF "changetype: modify" file for each DN in userlist and
# (optionally) applies it with ldapmodify.
use strict;
use warnings;

my $infile  = "userlist";
my $outfile = "modifyusers";

open(my $in, '<', $infile) or die "cannot open $infile: $!";
my @mylines = <$in>;
close($in);

foreach my $line (@mylines) {
    chomp($line);                   # strip the trailing newline
    next unless $line =~ /^dn: /;   # only the DN lines from the ldapsearch output

    open(my $out, '>', $outfile) or die "cannot open $outfile: $!";

    # Next line is what changes for each value in the array above...
    print $out "$line\n";
    # scalixUserClass is the auxiliary class defined in scalix.schema;
    # replace server,domain with your real mailnode.
    print $out <<'EOM';
changetype: modify
add: objectClass
objectClass: scalixUserClass
-
add: scalixScalixObject
scalixScalixObject: TRUE
-
add: scalixMailnode
scalixMailnode: server,domain
-
add: scalixServerLanguage
scalixServerLanguage: ENGLISH
-
add: scalixAdministrator
scalixAdministrator: FALSE
-
add: scalixMailboxAdministrator
scalixMailboxAdministrator: FALSE
-
add: scalixLimitOutboundMail
scalixLimitOutboundMail: FALSE
-
add: scalixLimitInboundMail
scalixLimitInboundMail: FALSE
-
add: scalixLimitMailboxSize
scalixLimitMailboxSize: 25
-
add: scalixLimitNotifyUser
scalixLimitNotifyUser: TRUE
-
add: scalixHideUserEntry
scalixHideUserEntry: FALSE
-
add: scalixMailboxClass
scalixMailboxClass: LIMITED
-
EOM

    close($out);

    # The first line just prints the DN to the screen, the second runs
    # ldapmodify on the file just written (-W prompts for the Manager
    # password each time). Uncomment the one you want; I use the first
    # to test, then actually do it.
    #print "$line\n";
    #system("ldapmodify -x -D \"uid=Manager,ou=Users,dc=foo,dc=com\" -W -v -f $outfile") == 0
    #    or warn "ldapmodify failed for $line\n";

} # end for loop
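The same job in Python, as an added example rather than the wiki's own script: it reads the userlist produced by the ldapsearch above and writes one LDIF containing a modify record for every DN, so ldapmodify -W asks for the Manager password once instead of once per user, and nothing is applied until you run ldapmodify yourself. The default values are the ones from the Perl script; scalixMailnode server,domain is a placeholder for your real mailnode. It also decodes dn:: lines, which ldapsearch emits base64-encoded for DNs containing non-ASCII characters and which a plain grep for ou=Users would therefore miss.

```python
#!/usr/bin/env python3
"""Build one LDIF that adds the scalixUserClass attributes to every DN in a userlist."""
import base64
import sys

# Defaults applied to every existing user (same values as the wiki's Perl script)
SCALIX_DEFAULTS = [
    ("scalixScalixObject", "TRUE"),
    ("scalixMailnode", "server,domain"),        # placeholder: your real mailnode
    ("scalixServerLanguage", "ENGLISH"),
    ("scalixAdministrator", "FALSE"),
    ("scalixMailboxAdministrator", "FALSE"),
    ("scalixLimitOutboundMail", "FALSE"),
    ("scalixLimitInboundMail", "FALSE"),
    ("scalixLimitMailboxSize", "25"),
    ("scalixLimitNotifyUser", "TRUE"),
    ("scalixHideUserEntry", "FALSE"),
    ("scalixMailboxClass", "LIMITED"),
]


def dns_from_userlist(text):
    """Extract DNs from ldapsearch output; 'dn:: ' lines carry a base64-encoded DN."""
    dns = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("dn:: "):
            dns.append(base64.b64decode(line[5:].strip()).decode("utf-8"))
        elif line.startswith("dn: "):
            dns.append(line[4:].strip())
    return dns


def modify_record(dn, defaults=SCALIX_DEFAULTS):
    """One LDIF 'changetype: modify' record adding the auxiliary class and each default."""
    lines = [f"dn: {dn}", "changetype: modify",
             "add: objectClass", "objectClass: scalixUserClass", "-"]
    for attr, value in defaults:
        lines += [f"add: {attr}", f"{attr}: {value}", "-"]
    return "\n".join(lines) + "\n"


def build_ldif(userlist_text, defaults=SCALIX_DEFAULTS):
    """All modify records in one file, separated by blank lines as LDIF requires."""
    return "\n".join(modify_record(dn, defaults) for dn in dns_from_userlist(userlist_text))


# Constructed sample in the shape of the wiki's userlist output
SAMPLE_USERLIST = """dn: uid=user1,ou=Users,dc=foo,dc=com
dn: uid=user2,ou=Users,dc=foo,dc=com
"""

if __name__ == "__main__":
    # python3 make_scalix_ldif.py userlist > modifyusers.ldif
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_USERLIST
    sys.stdout.write(build_ldif(source))
```

Apply the result with ldapmodify -x -D "uid=Manager,ou=Users,dc=foo,dc=com" -W -f modifyusers.ldif. Adding an attribute an entry already has fails that entry with "Type or value exists", and ldapmodify stops at the first failure unless you pass -c, which reports the error and continues with the remaining records.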

One final thing to modify on the existing OpenLDAP server was the add-user script. Since we are using Samba + PDC + OpenLDAP, we use the smbldap-tools, so I modified the new-user script to add the Scalix attributes automatically. Starting at line 383 of /usr/local/sbin/smbldap-useradd:

my $modify = $ldap_master->modify ( "uid=$userName,$config{usersdn}",
                                        changes => [
                                                    add => [objectClass => 'sambaSAMAccount'],
                                                    add => [sambaPwdLastSet => "$valpwdlastset"],
                                                    add => [sambaLogonTime => '0'],
                                                    add => [sambaLogoffTime => '2147483647'],
                                                    add => [sambaKickoffTime => '2147483647'],
                                                    add => [sambaPwdCanChange => "$valpwdcanchange"],
                                                    add => [sambaPwdMustChange => "$valpwdmustchange"],
                                                    add => [displayName => "$config{userGecos}"],
                                                    add => [sambaAcctFlags => "$valacctflags"],
                                                    add => [sambaSID => "$config{SID}-$userRid"],
                                                    add => [objectclass => "scalixUserClass"],
                                                    add => [scalixScalixObject => "TRUE"],
                                                    add => [scalixMailnode => "mailserver,domain"],
                                                    add => [scalixServerLanguage => "ENGLISH"],
                                                    add => [scalixAdministrator => "FALSE"],
                                                    add => [scalixMailboxAdministrator => "FALSE"],
                                                    add => [scalixMailboxClass => "LIMITED"],
                                                    add => [scalixLimitMailboxSize => "25"],
                                                    add => [scalixLimitOutboundMail => "FALSE"],
                                                    add => [scalixLimitInboundMail => "FALSE"],
                                                    add => [scalixLimitNotifyUser => "TRUE"],
                                                    add => [scalixHideUserEntry => "FALSE"]
                                                   ]
                                      );

    $modify->code && die "failed to add entry: ", $modify->error ;

Now all new users will be created with the proper attributes.

So that does it for the OpenLDAP modifications.


Scalix System Modifications

The first thing I did was to get Scalix 100% working without worrying about LDAP. Once that was established, these are the changes I made.

First, there are four files that you have to change to tell Scalix to look at the OpenLDAP server for its authentication rather than at itself. They are located in /var/opt/scalix/XX/s/sys/pam.d/:

  • ual.remote
  • smtpd.auth
  • pop3
  • omslapdeng

Comment out everything in each of them and add:

auth sufficient om_ldap
auth sufficient om_auth
account required om_auth
password required om_auth
session required om_auth

After that, it's time to get sync.cfg up and running. I started by running:

omldapsync -i syncname

This launches omldapsync in interactive mode. I don't have step-by-step instructions for interactive mode, but it's pretty self-explanatory. Use agreement type 13. I only use interactive mode to set up the sync initially; after that I edited the file by hand. It lives in /var/opt/scalix/XX/s/ldapsync/SYNCNAME, where you can edit sync.cfg.

Here is what mine looks like after it has been edited to sync all the new OpenLDAP attributes to the proper Scalix names.

Note: this file has been edited for privacy.

##################################################################
#
# Scalix LDAP Directory Synchronization configuration
# NOTE: this file must be edited with care before use
# Interactively editable fields are controlled by the following:
EDIT_PROMPT=JAVA_HOME EX_HOST EX_LOGON EX_PASS IM_HOST IM_CAA_URL IM_CAA_KEYSTORE IM_CAA_NAME IM_CAA_PASS EX_BASE1 EX_BASE2 EX_BASE3 IM_OMADDRESS
# Sync agreement type - see omldapsync man page
TYPE_ID=13
# Sync agreement id - set by argument
SYNC_ID=serverNEW
# JAVA_HOME: home directory of java installation
# e.g. "/usr/java/j2sdk1.4.2_02"
JAVA_HOME=/usr/java/jre1.5.0_06
# The class path required by omldapagent java application (under
# /opt/scalix/svr/java/bin) is setup automatically by omldapsync to
# access dependent java libraries (under /opt/scalix/svr/java/lib)
##################################################################
#
# PART 1 General Configuration
##################################################################
# This section covers the settings required for tools to access
# both the remote and local systems for import or export.
# The general format is one or more line of <tag>=<value>
# Line starts with '#' is treated as comment
# When edited using omldaputil, do one of the following:
#       -press <enter> to accept the default offered inside []
#       -type in alternative <value> and press <enter>
#       -do not quote the value with "" or ''
#
# PART 1.1 for IMPORT - remote host
##########################################
# EX_HOST: remote LDAP directory server name or IP address
# e.g. "remote_server.your_domain.com" or "192.168.1.216"
EX_HOST=ldapserver.domain.com
# EX_PORT: LDAP server port number
# e.g. "389" is normally used
EX_PORT=389
# EX_LOGON: user that can search/delete/add/modify directory
# your administrator or migration account is often used
# e.g. "cn=Export Admin,cn=users,dc=your_org,dc=com"
EX_LOGON=uid=root,ou=Users,dc=DOMAIN,dc=COM
# EX_PASS: user password, or leave it blank so that omldapsync
# will prompt for it when executing import or export agreement
# NOTE: the prompt will prevent complete automation of sync process
EX_PASS=secret
#
# PART 1.2 for IMPORT - local host
#########################################
# IM_HOST: local Scalix directory server name
# must specify FQDN where internet and user group will be imported
# e.g. "local_server.your_domain.com"
IM_HOST=mailserver.domain.com
# IM_PORT: LDAP server port number
# e.g. "389" is normally used
#<na>IM_PORT=389
# IM_LOGON: user that can search/delete/add/modify directory
# your Scalix administrator account is often used
# e.g. "Import Admin" for user with this common name
#<na>IM_LOGON=Import Admin
# IM_PASS: user password, or leave it blank so that omldapsync
# will prompt for it when executing import or export agreement
# NOTE: the prompt will prevent complete automation of sync process
#<na>IM_PASS=
# IM_CAA_URL: Scalix CAA service url - must end with "/"
# e.g. "http://local_server.your_domain.com:8080/caa/"
IM_CAA_URL=http://mailserver.domain.com/caa/
# IM_CAA_KEYSTORE: Scalix CAA service keystore for HTTPS only
# e.g "/var/opt/scalix/ldapsync/keystore"
IM_CAA_KEYSTORE=
# IM_CAA_ID: service login session-id
# e.g. "12345"
IM_CAA_ID=12345
# IM_CAA_NAME: service login auth-id, must have Scalix admin capability
# e.g. "user_name@your_domain.com"
IM_CAA_NAME=sxadmin@mailserver.domain.com
# IM_CAA_PASS: service login password, or leave it blank so that omldapsync
# will prompt for it when executing import or export agreement
# NOTE: the prompt will prevent complete automation of sync process
IM_CAA_PASS=secret
# IM_DELETE_MAILBOX: whether sync of mailbox delete will be applied to Scalix
# NOTE: set to "FALSE" to keep the mailbox and handle the deletion manually
IM_DELETE_MAILBOX=TRUE
#
# PART 1.3 for IMPORT - ldap parameters
#######################################
# EX_SCALIX_ATTRS: list of reserved Scalix attributes in external directory
# to administer Scalix user/group from this remote master source
# e.g. "EX_SCALIX_MAILBOX EX_SCALIX_MAILNODE EX_SCALIX_MSGLANG ..."
#EX_SCALIX_ATTRS=EX_SCALIX_MAILBOX EX_SCALIX_MAILNODE EX_SCALIX_MSGLANG EX_SCALIX_ADMIN EX_SCALIX_MBOXADMIN
EX_SCALIX_ATTRS=SCALIXHIDEUSERENTRY SCALIXMAILBOXCLASS SCALIXLIMITMAILBOXSIZE SCALIXLIMITOUTBOUNDMAIL SCALIXLIMITINBOUNDMAIL SCALIXLIMITNOTIFYUSER EX_SCALIX_MAILBOX EX_SCALIX_MAILNODE EX_SCALIX_MSGLANG EX_SCALIX_ADMIN EX_SCALIX_MBOXADMIN
# SCALIXHIDEUSERENTRY: name of attribute to specify whether the user entry
# should be hidden from Outlook address book
# e.g. "scalixHideUserEntry"
SCALIXHIDEUSERENTRY=scalixHideUserEntry
# SCALIXMAILBOXCLASS: name of attribute to specify whether the mailbox class
# should have full or limited features
# e.g. "scalixMailboxClass"
SCALIXMAILBOXCLASS=scalixMailboxClass
# SCALIXLIMITMAILBOXSIZE: name of attribute to specify whether Scalix limit
# on mailbox size is required, must use a numerical value >= zero
# e.g. "scalixLimitMailboxSize"
SCALIXLIMITMAILBOXSIZE=scalixLimitMailboxSize
# SCALIXLIMITOUTBOUNDMAIL: name of attribute to specify whether Scalix limit
# on outbound mail is required, must use a boolean value "true" or "false"
# e.g. "scalixLimitOutboundMail"
SCALIXLIMITOUTBOUNDMAIL=scalixLimitOutboundMail
# SCALIXLIMITINBOUNDMAIL: name of attribute to specify whether Scalix limit
# on inbound mail is required, must use a boolean value "true" or "false"
# e.g. "scalixLimitInboundMail"
SCALIXLIMITINBOUNDMAIL=scalixLimitInboundMail
# SCALIXLIMITNOTIFYUSER: name of attribute to specify whether Scalix limit
# on notify user is required, must use a boolean value "true" or "false"
# e.g. "scalixLimitNotifyUser"
SCALIXLIMITNOTIFYUSER=scalixLimitNotifyUser
# EX_SCALIX_MAILBOX: name of attribute to specify whether Scalix object
# is required, yes if value is set to "TRUE"
# e.g. "exScalixObject"
EX_SCALIX_MAILBOX=scalixScalixObject
# EX_SCALIX_MAILNODE: name of attribute to specify which Scalix mailnode
# to add the mailbox, must use "<ou1>,<ou2>,<ou3>,<ou4>" format
# e.g. "exScalixMailnode"
EX_SCALIX_MAILNODE=scalixMailnode
# EX_SCALIX_MSGLANG: name of attribute to specify which Scalix message
# catalog language to use for client, default to "C" if not set
# e.g. "exScalixMsglang"
EX_SCALIX_MSGLANG=scalixServerLanguage
# EX_SCALIX_ADMIN: name of attribute to specify whether to give the user
# Scalix admin capability, yes if value is set to "TRUE"
# e.g. "exScalixAdmin"
EX_SCALIX_ADMIN=scalixAdministrator
# EX_SCALIX_MBOXADMIN: name of attribute to specify whether to give the user
# Scalix mailbox-admin capability, yes if value is set to "TRUE"
# e.g. "exScalixMboxadmin"
EX_SCALIX_MBOXADMIN=scalixMailboxAdministrator
# EX_ATTR: attributes to extract from remote system for import
# e.g. "member dn uid objectClass displayName sn givenname initials mail entryUUID cn <etc>"
#EX_ATTR=exScalixObject exScalixMailnode exScalixMsglang exScalixAdmin exScalixMboxadmin member dn uid objectClass displayName sn givenname initials mail entryUUID cn facsimileTelephoneNumber homephone street st telephoneNumber title co company departmentNumber description l mobile pager physicalDeliveryOfficeName postalCode
EX_ATTR=scalixHideUserEntry scalixMailboxClass scalixLimitMailboxSize scalixLimitOutboundMail scalixLimitInboundMail scalixLimitNotifyUser scalixScalixObject scalixMailnode scalixServerLanguage scalixAdministrator scalixMailboxAdministrator member dn uid objectClass displayName sn givenname initials mail entryUUID cn scalixEmailAddress facsimileTelephoneNumber homephone streetAddress st telephoneNumber title company department description mobile pager physicalDeliveryOfficeName postalCode secretary
# EX_BASEn: search base(s) to extract entries from remote system
# specify a container name and its full LDAP suffix
# e.g. "cn=users,dc=your_org,dc=com"
EX_BASE1=ou=Users,dc=DOMAIN,dc=COM
EX_BASE2=
EX_BASE3=
EX_BASE4=
EX_BASE5=
EX_BASE6=
EX_BASE7=
EX_BASE8=
EX_BASE9=
# EX_FILTER: search filter to include/exclude entries to import
# e.g.   "(|(&(objectclass=inetOrgPerson)(mail=*))(&(objectclass=groupOfNames)(mail=*)))"
EX_FILTER=(|(&(objectclass=inetOrgPerson)(mail=*))(&(objectclass=groupOfNames)(mail=*)))
# IM_DN_SUFFIX: set the dn suffix (location) for the imported entries
# NOTE: by default all rdns from the remote dn will be retained & encoded
# for maximum uniqueness. To only use the first <N> rdns for this, specify
# the argument in the format "<N>|<suffix>" instead of "<suffix>".
# e.g. "o=Scalix" for all rdns, or "2|o=Scalix" for first 2 rdns.
#<na>IM_DN_SUFFIX=2|o=Scalix
# IM_OMADDRESS: Scalix address where where entries are imported
# NOTE: this is a route which you configure for coexistence
# e.g. "/internet" or "internet"
IM_OMADDRESS=/internet
# IM_MV_ATTR: mapped attributes that can be imported with multi values
# e.g. "objectClass INTERNET-ADDR omMemberForeignAddr"
IM_MV_ATTR=objectClass INTERNET-ADDR omMemberForeignAddr
# EX_GUID: the remote tag name for extracting Foreign GUID
# e.g. "entryUUID"
EX_GUID=entryUUID
# LDAPCT_BIN_ATT: must set value to EX_GUID if it is a binary attribute
# e.g. ""
LDAPCT_BIN_ATT=
# EX_PAGESIZE: use pagesize control extension to overcome search limit
# e.g. "100"
EX_PAGESIZE=1000
#
# PART 1.4 for EXPORT - ldap parameters
#######################################
# NOTE: export is not supported for this agreement type
#
# PART 2 Mapping Configuration
#################################################################
# WARNING: refer to documentation before editing the tables.
# This section defines the mappings required in order to map data
# between the remote and local LDAP systems for import or export.
# The general format is <lines of value> enclosed by markers.
# When edited using omldaputil, do one of the following:
#       -press <enter> to accept the default offered inside []
#       -type in alternative value and press <enter>
#       -type in '-' to remove the line offered
#       -type in '+<value> to insert it before current line
# For more details on all mapping rules see omldaputil man page.
#
# PART 2.1 for IMPORT - mapping table
#####################################
# Table format/content/comment:
# <table begin marker>
# <table end marker>
# except those in IM_MV_ATTR, only keep first instances
#####################################
# primary mapping table
IM_MAPPING_TABLE=
# scalix reserved attributes
#${SCALIXHIDEUSERENTRY}|scalixHideUserEntry|TRUE|1
#${SCALIXHIDEUSERENTRY}|scalixHideUserEntry|FALSE|
#${SCALIXMAILBOXCLASS}|omUlClass|*|*
#${SCALIXHIDEUSERENTRY}|EX-CDA-DIRECTORY|TRUE|1
#${SCALIXHIDEUSERENTRY}|EX-CDA-DIRECTORY|FALSE|
#${SCALIXMAILBOXCLASS}|UL-CLASS|*|*
#${SCALIXLIMITMAILBOXSIZE}|scalixLimitMailboxSize|*|*
#${SCALIXLIMITOUTBOUNDMAIL}|scalixLimitOutboundMail|*|*
#${SCALIXLIMITINBOUNDMAIL}|scalixLimitInboundMail|*|*
#${SCALIXLIMITNOTIFYUSER}|scalixLimitNotifyUser|*|*
#${EX_SCALIX_MAILBOX}|omMailbox|*|*
#${EX_SCALIX_MAILNODE}|omMailnode|*|*
#${EX_SCALIX_MSGLANG}|UL-IL|*|*
#${EX_SCALIX_ADMIN}|ADMIN|*|*
#${EX_SCALIX_MBOXADMIN}|MBOXADMIN|*|*
scalixHideUserEntry|EX-CDA-DIRECTORY|TRUE|1
scalixHideUserEntry|EX-CDA-DIRECTORY|FALSE|
scalixMailboxClass|UL-CLASS|*|*
scalixLimitMailboxSize|scalixLimitMailboxSize|*|*
scalixLimitOutboundMail|scalixLimitOutboundMail|*|*
scalixLimitInboundMail|scalixLimitInboundMail|*|*
scalixLimitNotifyUser|scalixLimitNotifyUser|*|*
scalixScalixObject|omMailbox|*|*
scalixMailnode|omMailnode|*|*
scalixServerLanguage|UL-IL|*|*
scalixAdministrator|ADMIN|*|*
scalixMailboxAdministrator|MBOXADMIN|*|*
#scalix object classes
objectClass|*|groupOfNames|distributionList
objectClass|*|inetOrgPerson|organizationalPerson
objectClass||*|#ignore others
# distinguished name
dn|*|*|*
# global unique id
entryUUID|GLOBAL-UNIQUE-ID|*|*
# common name
displayName|CN|*,1,64|*
# use cn for common name if displayName is missing
cn|CN|*,1,64!ISMISSING=displayName|*
cn||*|#suppress it otherwise
# initial
initials|I|*,1,5|*
# surname
sn|S|*,1,40|*
# use cn for surname if sn is missing
cn|S|*,1,40!ISMISSING=sn|*
# given name is mapped if surname is present
givenName|G|*,1,16!ISPRESENT=sn|*
givenName||*|#suppress it otherwise
# internet addresses
mail|INTERNET-ADDR|*,1,512|*
# no mapping for ALIAS
# the DN of the entry
dn|FOREIGN-ADDR|*,1,512|*
# the DN of the group members
member|omMemberForeignAddr|*|*
# authentication id
uid|UL-AUTHID|*|*
# informational attributes
facsimileTelephoneNumber|FAX|*,1,32|!CUSTOM=TO_PS_STR
homephone|HOME-PHONE|*,1,32|!CUSTOM=TO_PS_STR
street|STREET-ADDRESS|*,1,128|!REPLACE=\033J|\012
st|STATE-OR-PROVINCE|*,1,128|*
telephoneNumber|PHONE-1|*,1,32|!CUSTOM=TO_PS_STR
title|TITLE|*,1,128|*
co|CNTRY|*,1,2|*
company|EMPL-ORG|*,1,64|*
departmentNumber|EMPL-DEPT|*,1,32|*
description|ENTRY-DESC|*,1,1024|!REPLACE=\033J|\012
l|L|*,1,128|*
mobile|MOBILE-PHONE|*,1,32|!CUSTOM=TO_PS_STR
pager|PAGER-PHONE|*,1,32|!CUSTOM=TO_PS_STR
physicalDeliveryOfficeName|PD-OFFICE-NAME|*,1,128|*
postalCode|POSTAL-CODE|*,1,40|*
# no mapping for ASSISTANT-PHONE
# no mapping for PHONE-2
=END_MAPPING_TABLE
#####################################
# secondary mapping table
#IM_MAPPING_TABLE2=
#*|*|*|*
#=END_MAPPING_TABLE
#
# PART 2.2 for EXPORT - mapping tables
######################################
# Table format/content/comment:
# <table begin marker>
# <table end marker>
# except those in EX_MV_ATTR, only keep first instances
#####################################
# primary mapping table
EX_MAPPING_TABLE=
*|*|*|*
=END_MAPPING_TABLE
#####################################
# secondary mapping table
#EX_MAPPING_TABLE2=
#*|*|*|*
#=END_MAPPING_TABLE
#
# END
#################################################################

If you want your users to be able to use their existing LDAP password to authenticate to their mailboxes, you must create the file /var/opt/scalix/xx/s/sys/om_ldap.conf:

## LDAP server address - Should be same as EX_HOST setting in the sync.cfg file.
host=ldapserver.domain.com
search=subtree

## Base DN for our LDAP tree.
base=dc=DOMAIN,dc=COM

filter=uid=%s

Added by computernay:
The above config for om_ldap.conf did not work on our system. Trying to log in always gave an error about username or password being incorrect. This is the config that worked for us:

host=ldapserver.domain.com
search=none
dn=uid=%s,ou=people,dc=DOMAIN,dc=COM
tls=off

I believe this assumes your users are in ou=people. Just wanted to share it for others who may be having the same problem.
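As an added example (not Scalix's om_ldap code; the page does not say how om_ldap itself expands %s), the following Python shows how the login name is substituted into the two om_ldap.conf styles above, applying the escaping a client should use so the name is matched literally (RFC 4515 for search filters, RFC 4514 for DNs), and makes the difference between the two modes visible: search=subtree finds the uid anywhere under base, whereas search=none builds a fixed DN, which is why computernay's version only works when the users sit directly under ou=people. The two configuration strings are copies of the ones on this page.

```python
"""Expand the login name into the two om_ldap.conf styles shown on this page."""

# Constructed copies of the two configurations above
SEARCH_CONF = """## LDAP server address - should match EX_HOST in sync.cfg
host=ldapserver.domain.com
search=subtree
base=dc=DOMAIN,dc=COM
filter=uid=%s
"""
BIND_CONF = """host=ldapserver.domain.com
search=none
dn=uid=%s,ou=people,dc=DOMAIN,dc=COM
tls=off
"""


def parse_om_ldap_conf(text):
    """key=value lines; '#' lines are comments; only the first '=' separates key from value."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def escape_filter_value(value):
    """RFC 4515: backslash, *, (, ) and NUL inside a filter value are hex-escaped,
    so the login name is matched literally and cannot widen the search."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\0" else ch for ch in value)


def escape_dn_value(value):
    """RFC 4514: escape the DN-special characters, a leading '#' or space, and a trailing space."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        special = ch in ',+"\\<>;' or (i == 0 and ch in "# ") or (i == last and ch == " ")
        out.append("\\" + ch if special else ch)
    return "".join(out)


def lookup_plan(conf, username):
    """search=subtree: search under base with the filter; search=none: bind straight to the DN."""
    if conf.get("search", "none") == "none":
        return ("bind", conf["dn"].replace("%s", escape_dn_value(username)))
    return ("search", conf["base"], conf["filter"].replace("%s", escape_filter_value(username)))


if __name__ == "__main__":
    for conf_text in (SEARCH_CONF, BIND_CONF):
        conf = parse_om_ldap_conf(conf_text)
        print(lookup_plan(conf, "jdoe"))
        print(lookup_plan(conf, "j*doe"), "tls:", conf.get("tls", "unset"))
```

Note that with tls=off the simple bind carries the user's password to the LDAP server in cleartext, which is exactly what the TLS section below warns about; the setting gets a login working, but the TLS problem should still be fixed afterwards.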


Conclusion

This is a very brief explanation of how to set up a Scalix server syncing to an external LDAP server. Much detail has been omitted (mainly because it was over a year ago that I originally set this up); hopefully others can fill in the details as they work through the process.

Good Luck.


Troubleshooting TLS/SSL connections

You should always use TLS (unless your LDAP server is accessed through local loopback or a filesystem socket), because otherwise sensitive user data is passed in cleartext over the network.

Question: I experienced trouble when trying to use TLS (SSL) with my LDAP. I was not able to log in to webmail at all using any user accounts created via the ldapsync process. Disabling TLS on my LDAP server solved it. I'm not sure if it was an improperly configured LDAP server or if Scalix can't speak SSL over LDAP.

Answer: If your scalix server does not let you use TLS with ldapsync, that's most likely because of cert issues on the LDAP server. The scalix system is almost certainly using the OpenLDAP and OpenSSL client libraries, which (in most linux distributions) will not allow you to connect over TLS unless the LDAP server cert is verifiable, not expired, and not self-signed. To fix this problem, you can purchase valid certs and a valid CA bundle, or you can put "TLS_REQCERT never" in your OpenLDAP configuration. Note that I'm not talking about the NSS-LDAP configuration in /etc/ldap.conf, or the LDAP server configuration in /etc/openldap/slapd.conf, I'm talking about the LDAP client library default configuration in /etc/openldap/ldap.conf (all locations mentioned are from Red Hat, your distro may have chosen different locations).