Difference between revisions of "HowTos/Samba4"
Latest revision as of 15:03, 24 November 2014
Scalix server:
IP - 192.168.0.1
Hostname - mail.scalix.test
Mail domain: scalix.test
Samba4 server:
IP - 192.168.0.100
Domain - TEST.SCALIX.LOCAL
Samba test user name: testsx
Samba test group name: scalixtestGR
Before you start: the test configuration used throughout this HowTo is the one listed above. For other setups you need to change some settings accordingly, for example replace the DN DC=TEST,DC=SCALIX,DC=LOCAL with your own DN.
Extending the Samba schema:
Extending the Samba schema is a very dangerous process, so it is strongly recommended to create a backup of the schema before you start working with it!!!
[root@samba ~]#/Path/To/samba/bin/ldbmodify --url=/Path/To/samba/private/sam.ldb ./Att_extensions.ldif --option="dsdb:schema update allowed"=true
file: Att_extensions.ldif

dn: CN=scalixScalixObject,CN=Schema,CN=Configuration,DC=TEST,DC=SCALIX,DC=LOCAL
changetype: add
objectClass: top
objectClass: attributeSchema
attributeID: 1.3.6.1.4.1.19049.1.1.10
cn: scalixScalixObject
name: scalixScalixObject
lDAPDisplayName: scalixScalixObject
attributeSyntax: 2.5.5.8
isSingleValued: FALSE

dn: CN=scalixMailnode,CN=Schema,CN=Configuration,DC=TEST,DC=scalix,DC=LOCAL
changetype: add
objectClass: top
objectClass: attributeSchema
attributeID: 1.3.6.1.4.1.19049.1.1.11
cn: scalixMailnode
name: scalixMailnode
lDAPDisplayName: scalixMailnode
attributeSyntax: 2.5.5.12
isSingleValued: TRUE

dn: CN=scalixAdministrator,CN=Schema,CN=Configuration,DC=TEST,DC=scalix,DC=LOCAL
changetype: add
objectClass: top
objectClass: attributeSchema
attributeID: 1.3.6.1.4.1.19049.1.1.12
cn: scalixAdministrator
name: scalixAdministrator
lDAPDisplayName: scalixAdministrator
attributeSyntax: 2.5.5.8
isSingleValued: FALSE

dn: CN=scalixMailboxAdministrator,CN=Schema,CN=Configuration,DC=TEST,DC=scalix,DC=LOCAL
changetype: add
objectClass: top
objectClass: attributeSchema
attributeID: 1.3.6.1.4.1.19049.1.1.13
cn: scalixMailboxAdministrator
name: scalixMailboxAdministrator
lDAPDisplayName: scalixMailboxAdministrator
attributeSyntax: 2.5.5.8
isSingleValued: FALSE

dn: CN=scalixServerLanguage,CN=Schema,CN=Configuration,DC=TEST,DC=scalix,DC=LOCAL
changetype: add
objectClass: top
objectClass: attributeSchema
attributeID: 1.3.6.1.4.1.19049.1.1.14
cn: scalixServerLanguage
name: scalixServerLanguage
lDAPDisplayName: scalixServerLanguage
attributeSyntax: 2.5.5.12
isSingleValued: TRUE

dn: CN=scalixEmailAddress,CN=Schema,CN=Configuration,DC=TEST,DC=scalix,DC=LOCAL
changetype: add
objectClass: top
objectClass: attributeSchema
attributeID: 1.3.6.1.4.1.19049.1.1.15
cn: scalixEmailAddress
name: scalixEmailAddress
lDAPDisplayName: scalixEmailAddress
attributeSyntax: 2.5.5.12
isSingleValued: FALSE

dn: CN=scalixLimitMailboxSize,CN=Schema,CN=Configuration,DC=TEST,DC=scalix,DC=LOCAL
changetype: add
objectClass: top
objectClass: attributeSchema
attributeID: 1.3.6.1.4.1.19049.1.1.16
cn: scalixLimitMailboxSize
name: scalixLimitMailboxSize
lDAPDisplayName: scalixLimitMailboxSize
attributeSyntax: 2.5.5.9
isSingleValued: FALSE

dn: CN=scalixLimitOutboundMail,CN=Schema,CN=Configuration,DC=TEST,DC=scalix,DC=LOCAL
changetype: add
objectClass: top
objectClass: attributeSchema
attributeID: 1.3.6.1.4.1.19049.1.1.17
cn: scalixLimitOutboundMail
name: scalixLimitOutboundMail
lDAPDisplayName: scalixLimitOutboundMail
attributeSyntax: 2.5.5.8
isSingleValued: FALSE

dn: CN=scalixLimitInboundMail,CN=Schema,CN=Configuration,DC=TEST,DC=scalix,DC=LOCAL
changetype: add
objectClass: top
objectClass: attributeSchema
attributeID: 1.3.6.1.4.1.19049.1.1.18
cn: scalixLimitInboundMail
name: scalixLimitInboundMail
lDAPDisplayName: scalixLimitInboundMail
attributeSyntax: 2.5.5.8
isSingleValued: FALSE

dn: CN=scalixLimitNotifyUser,CN=Schema,CN=Configuration,DC=TEST,DC=scalix,DC=LOCAL
changetype: add
objectClass: top
objectClass: attributeSchema
attributeID: 1.3.6.1.4.1.19049.1.1.19
cn: scalixLimitNotifyUser
name: scalixLimitNotifyUser
lDAPDisplayName: scalixLimitNotifyUser
attributeSyntax: 2.5.5.8
isSingleValued: FALSE

dn: CN=scalixHideUserEntry,CN=Schema,CN=Configuration,DC=TEST,DC=scalix,DC=LOCAL
changetype: add
objectClass: top
objectClass: attributeSchema
attributeID: 1.3.6.1.4.1.19049.1.1.20
cn: scalixHideUserEntry
name: scalixHideUserEntry
lDAPDisplayName: scalixHideUserEntry
attributeSyntax: 2.5.5.8

dn: CN=scalixMailboxClass,CN=Schema,CN=Configuration,DC=TEST,DC=scalix,DC=LOCAL
changetype: add
objectClass: top
objectClass: attributeSchema
attributeID: 1.3.6.1.4.1.19049.1.1.21
cn: scalixMailboxClass
name: scalixMailboxClass
lDAPDisplayName: scalixMailboxClass
attributeSyntax: 2.5.5.12

dn: CN=scalixActiveSync,CN=Schema,CN=Configuration,DC=TEST,DC=scalix,DC=LOCAL
changetype: add
objectClass: top
objectClass: attributeSchema
attributeID: 1.3.6.1.4.1.19049.1.1.22
cn: scalixActiveSync
name: scalixActiveSync
lDAPDisplayName: scalixActiveSync
attributeSyntax: 2.5.5.8
isSingleValued: FALSE

Every dn in this file must sit under the schema naming context of your own domain; an entry under a different context (for example DC=SAMBA,DC=LOCAL) cannot be added and leaves the schema half-applied.
[root@samba ~]#/Path/To/samba/bin/ldbmodify --url=/Path/To/samba/private/sam.ldb ./Class_extensions.ldif --option="dsdb:schema update allowed"=true
file: Class_extensions.ldif

dn: CN=scalixUserClass,CN=Schema,CN=Configuration,DC=TEST,DC=scalix,DC=LOCAL
changetype: add
objectClass: top
objectClass: classSchema
governsID: 1.3.6.1.4.1.19049.1.2.10
cn: scalixUserClass
name: scalixUserClass
lDAPDisplayName: scalixUserClass
description: Supplemental class containing the Scalix User-related attributes
objectClassCategory: 3
mayContain: scalixScalixObject
mayContain: scalixMailnode
mayContain: scalixAdministrator
mayContain: scalixMailboxAdministrator
mayContain: scalixServerLanguage
mayContain: scalixEmailAddress
mayContain: scalixLimitMailboxSize
mayContain: scalixLimitOutboundMail
mayContain: scalixLimitInboundMail
mayContain: scalixLimitNotifyUser
mayContain: scalixHideUserEntry
mayContain: scalixMailboxClass
mayContain: scalixActiveSync
defaultObjectCategory: CN=scalixUserClass,CN=Schema,CN=Configuration,DC=TEST,DC=scalix,DC=LOCAL

dn: CN=scalixGroupClass,CN=Schema,CN=Configuration,DC=TEST,DC=scalix,DC=LOCAL
changetype: add
objectClass: top
objectClass: classSchema
governsID: 1.3.6.1.4.1.19049.1.2.11
cn: scalixGroupClass
name: scalixGroupClass
lDAPDisplayName: scalixGroupClass
description: Supplemental class containing the Scalix Group-related attributes
objectClassCategory: 3
mayContain: scalixScalixObject
mayContain: scalixMailnode
mayContain: displayName
mayContain: scalixEmailAddress
mayContain: scalixHideUserEntry
defaultObjectCategory: CN=scalixGroupClass,CN=Schema,CN=Configuration,DC=TEST,DC=scalix,DC=LOCAL
[root@samba ~]#/Path/To/samba/bin/ldbmodify --url=/Path/To/samba/private/sam.ldb ./Users_extensions.ldif --option="dsdb:schema update allowed"=true
file: Users_extensions.ldif

dn: CN=User,CN=Schema,CN=Configuration,DC=TEST,DC=scalix,DC=LOCAL
changetype: modify
add: auxiliaryClass
auxiliaryClass: scalixUserClass
[root@samba ~]#/Path/To/samba/bin/ldbmodify --url=/Path/To/samba/private/sam.ldb ./Groups_extensions.ldif --option="dsdb:schema update allowed"=true
file: Groups_extensions.ldif

dn: CN=Group,CN=Schema,CN=Configuration,DC=TEST,DC=scalix,DC=LOCAL
changetype: modify
add: auxiliaryClass
auxiliaryClass: scalixGroupClass
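Because a schema update that fails part-way cannot simply be rolled back, it is worth checking the LDIF files for consistency before feeding them to ldbmodify. The following is an added example (not part of this HowTo or of Scalix) that parses Att_extensions/Class_extensions style LDIF and reports the defects that would break the update: entries under a different naming context, duplicate attributeIDs, mayContain names that are never defined, and attributeSchema entries without isSingleValued. It assumes that displayName is an existing AD attribute; the sample LDIF is a constructed cut-down version of the files above with two defects left in on purpose.

```python
"""Pre-flight consistency checks for the Scalix schema LDIF before ldbmodify.

Added example, not part of the HowTo: it parses Att_/Class_extensions style
LDIF and reports defects that would leave the schema half-applied."""
import re
from collections import Counter

def parse_ldif(text):
    """Split LDIF into a list of (dn, {attribute: [values]}) entries."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        dn, attrs = None, {}
        for line in block.splitlines():
            if not line.strip() or line.startswith("#"):
                continue
            key, _, value = line.partition(":")
            key, value = key.strip(), value.strip()
            if key == "dn":
                dn = value
            else:
                attrs.setdefault(key, []).append(value)
        if dn:
            entries.append((dn, attrs))
    return entries

def naming_context(dn):
    """The DC=... suffix of a DN, lower-cased because DNs compare case-insensitively."""
    return ",".join(p for p in dn.split(",") if p.upper().startswith("DC=")).lower()

def check_schema(att_ldif, class_ldif, builtin=("displayName",)):
    """Return a list of problems; empty means the files look consistent.
    builtin: AD attributes that may appear in mayContain undefined (assumed)."""
    attrs, classes = parse_ldif(att_ldif), parse_ldif(class_ldif)
    problems = []
    # The naming context used by most entries is taken to be the intended one.
    contexts = Counter(naming_context(dn) for dn, _ in attrs + classes)
    expected = contexts.most_common(1)[0][0]
    for dn, _ in attrs + classes:
        if naming_context(dn) != expected:
            problems.append(f"{dn}: naming context is not {expected}")
    oids = Counter(v for _, a in attrs for v in a.get("attributeID", []))
    problems += [f"attributeID {o} used {n} times" for o, n in oids.items() if n > 1]
    defined = {a["lDAPDisplayName"][0] for _, a in attrs if "lDAPDisplayName" in a}
    for dn, a in classes:
        for name in a.get("mayContain", []):
            if name not in defined and name not in builtin:
                problems.append(f"{dn}: mayContain {name} is not defined")
    problems += [f"{dn}: isSingleValued missing" for dn, a in attrs if "isSingleValued" not in a]
    return problems

# Constructed sample cut down from the HowTo's files; two defects are kept on
# purpose: scalixActiveSync sits under DC=SAMBA,DC=LOCAL and scalixMailnode is
# referenced by the class but not defined here.
SAMPLE_ATT = """\
dn: CN=scalixScalixObject,CN=Schema,CN=Configuration,DC=TEST,DC=SCALIX,DC=LOCAL
attributeID: 1.3.6.1.4.1.19049.1.1.10
lDAPDisplayName: scalixScalixObject
attributeSyntax: 2.5.5.8
isSingleValued: FALSE

dn: CN=scalixActiveSync,CN=Schema,CN=Configuration,DC=SAMBA,DC=LOCAL
attributeID: 1.3.6.1.4.1.19049.1.1.22
lDAPDisplayName: scalixActiveSync
attributeSyntax: 2.5.5.8
isSingleValued: FALSE
"""
SAMPLE_CLASS = """\
dn: CN=scalixUserClass,CN=Schema,CN=Configuration,DC=TEST,DC=scalix,DC=LOCAL
governsID: 1.3.6.1.4.1.19049.1.2.10
lDAPDisplayName: scalixUserClass
mayContain: scalixScalixObject
mayContain: scalixActiveSync
mayContain: scalixMailnode
"""
```

Run check_schema on your real files before the first ldbmodify call; an empty list is the go signal.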
Old Samba4 users extensions.
For every Samba user you wish to add to Scalix, run:
[root@samba ~]#/Path/To/samba/bin/ldbmodify --url=/Path/To/samba/private/sam.ldb ./Mod_user.ldif --option="dsdb:schema update allowed"=true
Replace "CN=testsx" with the CN of the user you are modifying.
file: Mod_user.ldif

dn: CN=testsx,CN=Users,DC=TEST,DC=scalix,DC=LOCAL
changetype: modify
replace: scalixScalixObject
scalixScalixObject: TRUE
-
replace: scalixMailnode
scalixMailnode: sxmail
-
replace: scalixMailboxClass
scalixMailboxClass: FULL
-
replace: scalixServerLanguage
scalixServerLanguage: ENGLISH
-
replace: scalixEmailAddress
scalixEmailAddress: testsx@scalix.test
-
replace: scalixLimitOutboundMail
scalixLimitOutboundMail: FALSE
-
replace: scalixAdministrator
scalixAdministrator: FALSE
Old Samba4 groups extensions.
For every Samba group you wish to add to Scalix, run:
[root@samba ~]#/Path/To/samba/bin/ldbmodify --url=/Path/To/samba/private/sam.ldb ./Mod_groups.ldif --option="dsdb:schema update allowed"=true
file: Mod_groups.ldif

dn: CN=scalixtestGR,CN=Users,DC=TEST,DC=scalix,DC=LOCAL
changetype: modify
replace: scalixScalixObject
scalixScalixObject: TRUE
-
replace: scalixMailnode
scalixMailnode: sxmail
Add new user to Samba4.
Create the new Samba user:
[root@samba ~]#/Path/to/samba/bin/samba-tool user add testsx
and modify it as described in chapter 2. (There are simpler ways to create users, but the most laborious variant is described here.)
Create new group on Samba4.
[root@samba ~]#/Path/to/samba/bin/samba-tool group add scalixtestGR
and modify it like in chapter 3.
Add a service principal (keytab).
Create a user named "scalix-ual":
[root@samba ~]#/Path/to/samba/bin/samba-tool user add scalix-ual
Create the service principal:
[root@samba ~]#/Path/to/samba/bin/samba-tool spn add scalix-ual/mail.scalix.test scalix-ual
Create the keytab file:
[root@samba ~]#/Path/to/samba/bin/samba-tool domain exportkeytab ./test.keytab --principal=scalix-ual/mail.scalix.test@TEST.SCALIX.LOCAL
Kerberos config on Scalix system.
Copy test.keytab to the Scalix server and run:
[root@scalix ~]#ommergekeys ./test.keytab
[root@scalix ~]#omkrbconf -r TEST.SCALIX.LOCAL -s 192.168.0.100 -d TEST.SCALIX.LOCAL
Test Kerberos.
[root@scalix ~]# klist -k
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 scalix-ual/mail.scalix.test@TEST.SCALIX.LOCAL
   1 scalix-ual/mail.scalix.test@TEST.SCALIX.LOCAL
   1 scalix-ual/mail.scalix.test@TEST.SCALIX.LOCAL
The same principal is listed once per encryption type stored in the keytab; what matters is that the principal name and realm match the SPN you exported.
[root@scalix ~]#kinit scalix-ual@TEST.SCALIX.LOCAL
If there are no errors, everything is OK.
Scalix Samba4 sync.
Create a Samba Synchronization Agreement (agreement type 11) as described in the chapter AD Integration HowTo.
Then go to /var/opt/scalix/??/s/ldapsync/[Agreement_name]
and change the following lines in the file sync.cfg:
sn|S|*1,40|*  ==>  name|S|*|*
...
givenName|G|*,1,16!ISPRESENT=surname|*  ==>  name|G|*,1,16!ISPRESENT=surname|*
...
and run omldapsync -u [Agreement_name]
Tests.
In /var/opt/scalix/??/s/sys/pam.d modify the authentication files:
file: omslapdeng
# Standard Scalix Authentication
#
# Comment this out if you want to use one of the alternative authentication
# schemes below.
#auth required om_auth
#
# Kerberos authentication 1
#
# With this scheme we attempt local authentication first and, if that
# fails, we try kerberos authentication. Note that if we do it the other
# way around we run the risk of the KDC locking a principal account for
# users that are known to both Kerberos and Scalix. See om_krb5(8) for more
# information.
#
# auth sufficient om_auth
# auth sufficient om_krb5 use_first_pass
# auth required pam_deny
# Kerberos authentication 2
#
# With this scheme, users that are known to the kerberos KDC, must
# authenticate using kerberos. Users not known to the kerberos KDC can log
# in using their Scalix password. See om_krb5(8) for more information.
#
#auth required om_krb5 user_unknown=ignore
#auth optional om_auth use_first_pass
# LDAP Authentication.
# There are two possible schemes corresponding to the two Kerberos schemes.
# above See om_ldap(8) for more information.
#
# LDAP authentication 1
# auth sufficient om_auth
# auth sufficient om_ldap use_first_pass
# auth required pam_deny
#
# LDAP authentication 2
# auth required om_ldap user_unknown=ignore
# auth optional om_auth use_first_pass
# Combined authentication
#
# It is possible to combine Kerberos authentication 1 and LDAP
# authentication 1, although there is no good way to escape false negative
# authentication attempts with one or the other scheme. If users are known
# to either Kerberos or LDAP then we can extend scheme 2 for combined
# authentication:
#
# auth required om_krb5 user_unknown=ignore
# auth required om_ldap user_unknown=ignore
# auth optional om_auth use_first_pass
#account required om_auth
#password required om_auth
auth required om_krb5 user_unknown=ignore
auth optional om_auth use_first_pass
account required om_auth
password required om_auth
file: pop3
auth sufficient om_krb5 use_first_pass
auth optional om_auth use_first_pass
account required om_auth
password required om_auth
file: smtpd.auth
auth required om_krb5 user_unknown=ignore
auth optional om_auth use_first_pass
account required om_auth
file: ual.local
auth required om_krb5 user_unknown=ignore
auth optional om_auth use_first_pass
account required om_auth
password required om_auth nopreauth
file: ual.remote
# Standard Scalix Authentication
#
# Comment this out if you want to use one of the alternative authentication
# schemes below.
#auth required om_auth
#
# Kerberos authentication 1
#
# With this scheme we attempt local authentication first and, if that
# fails, we try kerberos authentication. Note that if we do it the other
# way around we run the risk of the KDC locking a principal account for
# users that are known to both Kerberos and Scalix. See om_krb5(8) for more
# information.
#
#auth sufficient om_auth
#auth sufficient om_krb5 use_first_pass
#auth required pam_deny
# Kerberos authentication 2
#
# With this scheme, users that are known to the kerberos KDC, must
# authenticate using kerberos. Users not known to the kerberos KDC can log
# in using their Scalix password. See om_krb5(8) for more information.
#
# auth required om_krb5 user_unknown=ignore
# auth optional om_auth use_first_pass
# LDAP Authentication.
# There are two possible schemes corresponding to the two Kerberos schemes.
# above See om_ldap(8) for more information.
#
# LDAP authentication 1
# auth sufficient om_auth
# auth sufficient om_ldap use_first_pass
# auth required pam_deny
#
# LDAP authentication 2
# auth required om_ldap user_unknown=ignore
# auth optional om_auth use_first_pass
# Combined authentication
#
# It is possible to combine Kerberos authentication 1 and LDAP
# authentication 1, although there is no good way to escape false negative
# authentication attempts with one or the other scheme. If users are known
# to either Kerberos or LDAP then we can extend scheme 2 for combined
# authentication:
#
#auth required om_krb5 user_unknown=ignore
#auth required om_ldap user_unknown=ignore
#auth optional om_auth use_first_pass
#account required om_auth
#password required om_auth
auth required om_krb5 user_unknown=ignore
auth optional om_auth use_first_pass
account required om_auth
password required om_auth
Restart the Scalix services and try to log in via Outlook, SWA, or POP3/IMAP.
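The comments in omslapdeng describe two Kerberos schemes and warn about the order of om_auth and om_krb5. The following added example (not from this HowTo or from Scalix) simulates how Linux-PAM evaluates those auth stacks, using a simplified assumed behaviour for om_krb5, om_auth and pam_deny and a constructed user directory, so the effect of each scheme (and of the reversed order the comment warns about) can be seen without touching a KDC.

```python
"""Simulate the 'auth' stacks from the Scalix pam.d files above.

Added example, not from the HowTo or Scalix. It models Linux-PAM control
flags (required/sufficient/optional) and om_krb5's user_unknown=ignore to
show why scheme 2 lets Scalix-only users in, forces KDC-known users through
Kerberos, and why om_krb5 before om_auth in scheme 1 sends every local login
to the KDC. Module behaviour here is a simplifying assumption, not om_* code."""

# Constructed user directory: name -> (Scalix password or None, KDC password or None)
USERS = {
    "testsx": ("sxpass", "krbpass"),  # known to both, with different passwords
    "legacy": ("oldpass", None),      # Scalix-only user, unknown to the KDC
}

def parse_stack(text):
    """Active (uncommented) auth lines as (control, module, set(options))."""
    stack = []
    for line in text.splitlines():
        parts = line.split()
        if parts and parts[0] == "auth":
            stack.append((parts[1], parts[2], set(parts[3:])))
    return stack

def run_module(module, opts, user, password, kdc_log):
    """One module call: 'ok', 'fail' or 'ignore' (assumed om_* behaviour)."""
    sx_pw, kdc_pw = USERS.get(user, (None, None))
    if module == "om_krb5":
        if kdc_pw is None:
            return "ignore" if "user_unknown=ignore" in opts else "fail"
        kdc_log.append(user)  # the KDC sees this attempt and may count a failure
        return "ok" if password == kdc_pw else "fail"
    if module == "om_auth":
        return "ok" if sx_pw is not None and password == sx_pw else "fail"
    if module == "pam_deny":
        return "fail"
    raise ValueError(f"unknown module {module}")

def authenticate(stack_text, user, password):
    """Apply Linux-PAM control semantics; returns (granted, kdc_attempts)."""
    kdc_log = []
    impression = None  # None: undecided, True: success so far, False: failed
    for control, module, opts in parse_stack(stack_text):
        r = run_module(module, opts, user, password, kdc_log)
        if r == "ignore":
            continue
        if control == "required":
            if r == "fail":
                impression = False  # stack keeps running but the result is failure
            elif impression is None:
                impression = True
        elif control == "sufficient":
            if r == "ok" and impression is not False:
                return True, len(kdc_log)  # short-circuit success
        elif control == "optional":
            if r == "ok" and impression is None:
                impression = True  # only counts when nothing else decided
    return impression is True, len(kdc_log)

# The Kerberos schemes from omslapdeng above: scheme 1 is the commented-out
# variant, scheme 2 the active one; the reversed order is what the file's own
# comment warns about (KDC lockout for users known to both systems).
KRB_SCHEME_1 = """auth sufficient om_auth
auth sufficient om_krb5 use_first_pass
auth required pam_deny
"""
KRB_SCHEME_1_REVERSED = """auth sufficient om_krb5 use_first_pass
auth sufficient om_auth
auth required pam_deny
"""
KRB_SCHEME_2 = """auth required om_krb5 user_unknown=ignore
auth optional om_auth use_first_pass
"""
```

Feeding a whole pam.d file to authenticate() works too, since commented lines are skipped, so you can check what your edited omslapdeng actually does before restarting the services.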