Omldapsync HowTo - Six


Appendix A - ldapsync13.schema (OpenLDAP Servers)

A copy of ldapsync13.schema is provided because the copy included with the Scalix installation was incomplete in earlier releases.

# Copyright (C) 2006 Scalix Corporation.  All rights reserved.

# OpenLDAP schema extension for Scalix omldapsync attributes
# For reference see OpenLDAP 2.1 Administrator's Guide

# Installation steps (requires root login):
#
# 1. Stop OpenLDAP slapd server (e.g. kill -INT `cat /var/run/slapd.pid`)
#
# 2. Copy this file to the OpenLDAP schema sub-directory (e.g. /etc/openldap/schema)
#
# 3. Edit OpenLDAP slapd.conf file (e.g. /etc/openldap/slapd.conf) to:
#
#    a. Extend the schema by appending reference to the 'include' section,
#       something like the following lines:
#
#       # include schema extension for Scalix omldapsync attributes
#       include /etc/openldap/schema/ldapsync13.schema
#
#    b. Ensure Scalix omldapsync has sufficient read access to all the data,
#       usually determined by the type of bind and the dn used.
#
#    c. Ensure Scalix omldapsync has sufficient search limit to return all the
#       matching entries, usually determined by the 'sizelimit' setting used.
#
# 4. Start OpenLDAP slapd server (e.g. /usr/sbin/slapd)
#
# 5. Fix any error, repeat steps 1 to 4 as necessary.
#
# 6. Test add (e.g. /usr/bin/ldapadd -D "cn=Manager,dc=my-domain,dc=com") using
#    something like the following LDIF lines:
#
#    dn: cn=testuser scalix,dc=my-domain,dc=com
#    objectClass: inetOrgPerson
#    cn: testuser scalix
#    displayName: Testuser Scalix
#    sn: Scalix
#    mail: testuser@test.scalix.com
#    objectClass: scalixUserClass
#    scalixScalixObject: TRUE
#    scalixMailnode: ou1,ou2
#    scalixServerLanguage: ENGLISH
#    scalixAdministrator: TRUE
#    scalixMailboxAdministrator: FALSE
#    scalixEmailAddress: testuser@my-domain.com
#    scalixEmailAddress: testuser@my-domain.de
#    scalixLimitMailboxSize: 1024
#    scalixLimitOutboundMail: TRUE
#    scalixLimitInboundMail: FALSE
#    scalixLimitNotifyUser: TRUE
#    scalixHideUserEntry: FALSE
#    scalixMailboxClass: FULL
#
#    dn: cn=testgroup scalix,dc=my-domain,dc=com
#    objectClass: groupOfNames
#    cn: testgroup scalix
#    member: cn=testuser scalix,dc=my-domain,dc=com
#    objectClass: scalixGroupClass
#    scalixScalixObject: TRUE
#    scalixMailnode: ou1,ou2
#    displayName: Testgroup Scalix
#    scalixEmailAddress: testgroup@test.scalix.com
#    scalixHideUserEntry: TRUE
#
# 7. Test search (e.g. /usr/bin/ldapsearch -b "dc=my-domain,dc=com" -x -D ""
#    -w "" cn=*scalix) to check that (anonymous) read access works and that the entries were added correctly.

# define macro for Scalix root OID
# 1.3.6.1.4.1 is the IANA private-enterprise arc, so every attribute and
# class declared below lives under Scalix's own enterprise number (19049)
# and cannot collide with another vendor's schema extension. Note that the
# Sun ONE LDIF in Appendix B uses bare 1.1.x / 1.2.x OIDs without this prefix.
objectIdentifier scalixOID 1.3.6.1.4.1.19049

# new attributes to describe a Scalix user or group object
# use 1.1.x from Scalix root OID
# scalixScalixObject - provisioning gate. TRUE: omldapsync creates a mailbox
# (or a PDL for groups); FALSE: only a Contact entry/Internet user is created.
# Boolean syntax (1.3.6.1.4.1.1466.115.121.1.7); MUST in both object classes.
attributetype ( scalixOID:1.1.10 NAME ( 'scalixScalixObject' )
       DESC 'boolean TRUE or FALSE for creating scalix mailbox/PDL object
             If this is set to FALSE and the object is matched by the omldapsync
             filter, a Contact entry/Internet user is created. If set to true, a
             mailbox is setup. For Group/PDL objects, this must always be set to true'
       SINGLE-VALUE
       EQUALITY booleanMatch
       SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 )

# scalixMailnode - the mailnode (comma-separated org units) the object belongs
# to; in multi-server setups this value selects the server on which the object
# is created, so write access to it decides where objects are provisioned.
# Case-insensitive DirectoryString, max 1024 chars; MUST in both classes.
attributetype ( scalixOID:1.1.11 NAME ( 'scalixMailnode' )
       DESC 'Comma-separated org units for object.s mailnode. This is the
             Mailnode name as defined when the Scalix server was setup. In
             Multi-server environments, this is used to select on which server
             the object is to be created.'
       SINGLE-VALUE
       EQUALITY caseIgnoreMatch
       SUBSTR caseIgnoreSubstringsMatch
       ORDERING caseIgnoreOrderingMatch
       SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1024} )

# scalixAdministrator - TRUE gives the provisioned user full Scalix admin
# capability. Write access to this attribute is therefore a privilege grant:
# limit it in the directory ACLs to the accounts that are allowed to create
# Scalix administrators, and make sure changes to it are logged.
attributetype ( scalixOID:1.1.12 NAME ( 'scalixAdministrator' )
       DESC 'Boolean TRUE or FALSE for admin capability. If set to TRUE,
             the user created will have full Scalix admin capabilites.'
       SINGLE-VALUE
       EQUALITY booleanMatch
       SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 )

# scalixMailboxAdministrator - TRUE lets the user sign on to ANY mailbox on
# the server via mboxadmin. Meant for migration tooling and, per the DESC,
# usually not exposed through LDAP at all; if it is, protect it at least as
# tightly as scalixAdministrator (restricted write ACL, change logging).
attributetype ( scalixOID:1.1.13 NAME ( 'scalixMailboxAdministrator' )
       DESC 'Boolean TRUE or FALSE for Mailbox Admin capability. A user with
             this flag set to TRUE can access ANY mailbox on a server through
             mboxadmin signon. This is usually only used for migration tools and
             typically not exposed through LDAP'
       SINGLE-VALUE
       EQUALITY booleanMatch
       SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 )

# scalixServerLanguage - message-catalog language for the user's client; must
# be one of the languages listed under /var/opt/scalix/nls/om_langs. The
# schema itself does not validate the value (DirectoryString, max 1024).
attributetype ( scalixOID:1.1.14 NAME ( 'scalixServerLanguage' )
       DESC 'Message catalog language for client. This is one of the Scalix-supported
             languages found in /var/opt/scalix/nls/om_langs'
       SINGLE-VALUE
       EQUALITY caseIgnoreMatch
       SUBSTR caseIgnoreSubstringsMatch
       ORDERING caseIgnoreOrderingMatch
       SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1024} )

# scalixEmailAddress - multi-valued (no SINGLE-VALUE) list of SMTP addresses.
# The first value becomes the user's outgoing From address, so whoever can
# write this attribute chooses the sender identity of the mailbox; restrict
# write access accordingly. NOTE(review): LDAP attribute values are formally
# unordered, so "first" depends on how the entry was stored and returned -
# confirm how omldapsync selects it before relying on the order.
attributetype ( scalixOID:1.1.15 NAME ( 'scalixEmailAddress' )
       DESC 'List of SMTP addresses of user. This is a multi-valued attribute. The
             order is important as the first of these values is used as the outgoing
             from address of the user.'
       EQUALITY caseIgnoreMatch
       SUBSTR caseIgnoreSubstringsMatch
       ORDERING caseIgnoreOrderingMatch
       SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1024} )

# scalixLimitMailboxSize - mailbox quota in MB (INTEGER syntax
# 1.3.6.1.4.1.1466.115.121.1.27); the three scalixLimit* booleans that follow
# are the sanctions applied once it is exceeded. The irregular indentation of
# the SINGLE-VALUE/SYNTAX lines is harmless: continuation lines only need
# leading whitespace.
attributetype ( scalixOID:1.1.16 NAME ( 'scalixLimitMailboxSize' )
       DESC 'mailbox size limit for the user in MB'
           SINGLE-VALUE
       EQUALITY integerMatch
           SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )

# scalixLimitOutboundMail - quota sanction: TRUE stops the user from sending
# mail once scalixLimitMailboxSize is exceeded. Boolean, single-valued.
attributetype ( scalixOID:1.1.17 NAME ( 'scalixLimitOutboundMail' )
       DESC 'As Sanction on Mailbox quota overuse, stop user from sending mail.
             Set to TRUE or FALSE'
       SINGLE-VALUE
       EQUALITY booleanMatch
       SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 )

# scalixLimitInboundMail - quota sanction: TRUE stops delivery to the user
# once the quota is exceeded (an availability impact for external senders
# as well as the user). Boolean, single-valued.
attributetype ( scalixOID:1.1.18 NAME ( 'scalixLimitInboundMail' )
       DESC 'As Sanction on Mailbox quota overuse, stop user from receiving mail.
             Set to TRUE or FALSE'
       SINGLE-VALUE
       EQUALITY booleanMatch
       SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 )

# scalixLimitNotifyUser - quota sanction: TRUE notifies the user by e-mail
# when the quota is exceeded. Boolean, single-valued.
attributetype ( scalixOID:1.1.19 NAME ( 'scalixLimitNotifyUser' )
       DESC 'As Sanction on Mailbox quota overuse, notify the User by eMail.
             Set to TRUE or FALSE'
       SINGLE-VALUE
       EQUALITY booleanMatch
       SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 )

# scalixHideUserEntry - TRUE hides the entry from the Scalix address book.
# This is a display flag on the Scalix side; on its own it does not restrict
# who can read the LDAP entry - that is governed by the directory's ACLs.
attributetype ( scalixOID:1.1.20 NAME ( 'scalixHideUserEntry' )
       DESC 'Hide User Entry from Addressbook. Set to TRUE or FALSE'
       SINGLE-VALUE
       EQUALITY booleanMatch
       SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 )

# scalixMailboxClass - FULL or LIMITED, mapping to Premium/Standard licensing.
# Free-form DirectoryString: the two allowed values are documented in the
# DESC, not enforced by the schema.
attributetype ( scalixOID:1.1.21 NAME ( 'scalixMailboxClass' )
       DESC 'Class of User Mailbox FULL or LIMITED. This maps to
             Premium or Standard users as defined by Scalix User licensing policy'
       SINGLE-VALUE
       EQUALITY caseIgnoreMatch
       SUBSTR caseIgnoreSubstringsMatch
       ORDERING caseIgnoreOrderingMatch
       SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1024} )
 
# auxiliary classes for scalix User and group
# use 1.2.x from Scalix root OID
# scalixUserClass - AUXILIARY, so it is added on top of an existing structural
# entry (the test LDIF in the header uses inetOrgPerson). MUST the two key
# attributes, MAY everything else. Appendix B declares the same class
# STRUCTURAL for Sun ONE, so the two definitions are not interchangeable.
objectclass ( scalixOID:1.2.10 NAME 'scalixUserClass'
       DESC 'Supplemental class containing the Scalix User-related attributes'
       AUXILIARY
       MUST ( scalixScalixObject     $ scalixMailnode)
       MAY  ( scalixAdministrator    $ scalixMailboxAdministrator $
                    scalixServerLanguage   $ scalixEmailAddress $
                    scalixLimitMailboxSize $ scalixLimitOutboundMail $
                    scalixLimitInboundMail $ scalixLimitNotifyUser $
                    scalixHideUserEntry    $ scalixMailboxClass ) )

# scalixGroupClass - AUXILIARY companion for group entries (groupOfNames in the
# header's test LDIF). It lists displayName as MAY, which this file does not
# define; OpenLDAP's inetorgperson.schema must therefore be included before
# this file, as the slapd.conf in Appendix C does.
objectclass ( scalixOID:1.2.11 NAME 'scalixGroupClass'
       DESC 'Supplemental class containing the Scalix Group-related attributes'
       AUXILIARY
       MUST ( scalixScalixObject $ scalixMailnode )
       MAY  ( displayName $ scalixEmailAddress $ scalixHideUserEntry ) )

Appendix B - 90Scalix.ldif (Sun ONE Directory Servers)

# 90Scalix.ldif - Scalix omldapsync schema for Sun ONE Directory Server,
# expressed as the cn=schema subschema entry (the Sun ONE counterpart of
# Appendix A's ldapsync13.schema).
#
# NOTE(review): the OIDs below are bare 1.1.x / 1.2.x, not the Scalix arc
# 1.3.6.1.4.1.19049.1.1.x used in Appendix A. They are therefore different
# OIDs from the OpenLDAP definitions and sit outside any registered vendor
# arc - confirm this is intended before deploying.
#
# The aci: values, modifiersName and modifyTimestamp were captured from one
# specific server (slapd-fubar / fubar.mydomain.net). They grant 'all' to that
# server's admin users and groups and should not be imported verbatim; use
# your own instance's entries instead. The first aci grants anonymous
# read/search/compare on the schema itself, which is the usual default.
#
# Unlike Appendix A, no EQUALITY/SUBSTR matching rules and no {1024} length
# bound are declared here; presumably the server applies syntax defaults -
# verify if matching behaviour matters to your sync filter.
dn: cn=schema
objectClass: top
objectClass: ldapSubentry
objectClass: subschema
cn: schema
aci: (target="ldap:///cn=schema")(targetattr !="aci")(version 3.0;
  acl "anonymous, no acis"; 
  allow (read, search, compare) userdn = "ldap:///anyone";)
aci: (targetattr = "*")(version 3.0; 
  acl "Configuration Administrators Group";  
  allow (all) groupdn = "ldap:///cn=Configuration Administrators,   
  ou=Groups, ou=TopologyManagement, o=NetscapeRoot";)
aci: (targetattr = "*")(version 3.0; 
  acl "Configuration Administrator"; 
  allow (all) userdn = "ldap:///uid=admin,ou=Administrators, 
  ou=TopologyManagement,  o=NetscapeRoot";)
aci: (targetattr = "*")(version 3.0; 
  acl "Local Directory Administrators Group "; 
  allow (all) groupdn = "ldap:///cn=Directory Administrators, 
  dc=mydomain,dc=net";)
aci: (targetattr = "*")(version 3.0; 
  acl "SIE Group"; 
  allow (all)groupdn = "ldap:///cn=slapd-fubar, 
  cn=Sun ONE Directory Server, cn=Server Group, 
  cn=fubar.mydomain.net, ou=mydomain.net, o=NetscapeRoot";)
modifiersName: cn=directory manager
modifyTimestamp: 20080205163801Z
attributeTypes: ( 1.1.13 NAME 'scalixMailboxAdministrator' 
  DESC 'Boolean TRUE or FALSE for Mailbox Admin capability. 
  A user with this flag set to TRUE can access ANY mailbox 
  on a server through  mboxadmin signon. This is usually 
  only used for migration tools and typically not exposed 
  through LDAP' 
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 
  SINGLE-VALUE 
  X-ORIGIN 'user defined' )
attributeTypes: ( 1.1.18 NAME 'scalixLimitInboundMail' 
  DESC 'As Sanction on Mailbox quota overuse, stop user 
  from receiving mail.  Set to TRUE or FALSE' 
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 
  SINGLE-VALUE 
  X-ORIGIN 'user defined' )
attributeTypes: ( 1.1.10 NAME 'scalixScalixObject' 
  DESC 'boolean TRUE or FALSE for creating scalix mailbox/PDL 
  object.  If this is set to FALSE and the object is matched 
  by the omldapsync filter, a Contact entry/Internet user is 
  created. If set to true, a mailbox is setup. For Group/PDL 
  objects, this must always be set to true.' 
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 
  SINGLE-VALUE 
  X-ORIGIN 'user defined' )
attributeTypes: ( 1.1.15 NAME 'scalixEmailAddress' 
  DESC 'List of SMTP addresses of user. This is a multi-valued 
  attribute. The order is important as the first of these values 
  is used as the outgoing from address of the user.' 
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 
  X-ORIGIN 'user defined' )
attributeTypes: ( 1.1.20 NAME 'scalixHideUserEntry' 
  DESC 'Hide User Entry from Addressbook. Set to TRUE or FALSE' 
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 
  SINGLE-VALUE 
  X-ORIGIN 'user defined' )
attributeTypes: ( 1.1.12 NAME 'scalixAdministrator' 
  DESC 'Boolean TRUE or FALSE for admin capability. If set to TRUE, 
  the user created will have full Scalix admin capabilites.' 
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 
  SINGLE-VALUE 
  X-ORIGIN 'user defined' )
attributeTypes: ( 1.1.17 NAME 'scalixLimitOutboundMail' 
  DESC 'As Sanction on Mailbox quota overuse, stop user from 
  sending mail.  Set to TRUE or FALSE' 
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 
  SINGLE-VALUE 
  X-ORIGIN 'user defined' )
attributeTypes: ( 1.1.14 NAME 'scalixServerLanguage' 
  DESC 'Message catalog language for client.  This is one of 
  the Scalix-supported languages found in 
  /var/opt/scalix/nls/om_langs' 
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 
  SINGLE-VALUE 
  X-ORIGIN 'user defined' )
attributeTypes: ( 1.1.19 NAME 'scalixLimitNotifyUser' 
  DESC 'As Sanction on Mailbox quota overuse, notify the User 
  by eMail. Set to TRUE or FALSE' 
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 
  SINGLE-VALUE 
  X-ORIGIN 'user defined' )
attributeTypes: ( 1.1.11 NAME 'scalixMailnode' 
  DESC 'Comma-separated org units for object.s mailnode. 
  This is the Mailnode name as defined when the Scalix
  server was setup. In Multi-server environments, this is 
  used to select on which server the object is to be created.' 
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 
  SINGLE-VALUE 
  X-ORIGIN 'user defined' )
attributeTypes: ( 1.1.16 NAME 'scalixLimitMailboxSize' 
  DESC 'mailbox size limit for the user in MB' 
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 
  SINGLE-VALUE 
  X-ORIGIN 'user defined' )
attributeTypes: ( 1.1.21 NAME 'scalixMailboxClass' 
  DESC 'Class of User Mailbox FULL or LIMITED. This maps to 
  Premium or Standard users as defined by Scalix User 
  licensing policy' 
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 
  SINGLE-VALUE
  X-ORIGIN 'user defined' )
# Both classes are declared STRUCTURAL (SUP top) here, whereas Appendix A's
# OpenLDAP schema has them AUXILIARY. Adding a second STRUCTURAL class to an
# existing inetOrgPerson / groupOfNames entry is a structural-class conflict
# on servers that enforce X.500 rules - verify that this loads and that
# entries can be extended on your directory version.
objectClasses: ( 1.2.10 NAME 'scalixUserClass' 
  SUP top 
  STRUCTURAL MUST ( scalixMailnode $ scalixScalixObject ) 
  MAY ( scalixAdministrator $ scalixEmailAddress $ 
    scalixHideUserEntry $ scalixLimitInboundMail $ 
    scalixLimitMailboxSize $ scalixLimitNotifyUser $ 
    scalixLimitOutboundMail $ scalixMailboxAdministrator $ 
    scalixMailboxClass $ scalixServerLanguage ) 
  X-ORIGIN 'user defined' )
objectClasses: ( 1.2.11 NAME 'scalixGroupClass' 
  SUP top 
  STRUCTURAL MUST ( scalixMailnode $ scalixScalixObject ) 
  MAY ( displayName $ scalixEmailAddress $ scalixHideUserEntry ) 
  X-ORIGIN 'user defined' )

Appendix C - slapd.conf (OpenLDAP Server)

This is a sample slapd.conf file taken from OpenLDAP version 2.3.35 running on Ubuntu 7.1 (Gutsy Gibbon). Your slapd.conf file may be more or less complex than this one.

# This is the main slapd configuration file. See slapd.conf(5) for more
# info on the configuration options.

#######################################################################
# Global Directives:

# Features to permit
# Kept disabled: LDAPv2 binds are deprecated; only enable this for a legacy
# client that cannot speak LDAPv3.
#allow bind_v2

# Schema and objectClass definitions
include         /etc/ldap/schema/core.schema
include         /etc/ldap/schema/cosine.schema
include         /etc/ldap/schema/nis.schema
include         /etc/ldap/schema/inetorgperson.schema
# Scalix extension (Appendix A). It must follow inetorgperson.schema, which
# defines the displayName attribute that scalixGroupClass refers to.
include         /etc/ldap/schema/ldapsync13.schema

# Where the pid file is put. The init.d script
# will not stop the server if you change this.
pidfile         /var/run/slapd/slapd.pid

# List of arguments that were passed to the server
argsfile        /var/run/slapd/slapd.args

# Read slapd.conf(5) for possible values
# 256 = "stats": one log line per connection, operation and result. Keep at
# least this level so bind and search activity stays auditable.
loglevel        256

# Where the dynamically loaded modules are stored
modulepath      /usr/lib/ldap
moduleload      back_bdb

# The maximum number of entries that is returned for a search  operation 
# Must cover every entry matched by the omldapsync filter (step 3c in the
# ldapsync13.schema header), otherwise the sync works on a truncated result.
sizelimit 5000

# The tool-threads parameter sets the actual amount of cpu's that is  used
# for indexing.
tool-threads 1

#######################################################################
# Specific Backend Directives for bdb:
# Backend specific directives apply to this backend until another
# 'backend' directive occurs
backend         bdb
checkpoint 512 30

#######################################################################
# Specific Backend Directives for 'other':
# Backend specific directives apply to this backend until another
# 'backend' directive occurs
#backend                <other>

#######################################################################
# Specific Directives for database #1, of type bdb:
# Database specific directives apply to this database until another
# 'database' directive occurs
database        bdb

# The base of your directory in database #1
suffix          "dc=mydomain,dc=net"

# rootdn directive for specifying a superuser on the database. This  is needed 
# for syncrepl.
# rootdn bypasses every 'access' rule below. The hash on the rootpw line was
# published with this sample: do not reuse it, generate your own with
# slappasswd, and keep slapd.conf readable only by root and the slapd user,
# since a readable hash can be cracked offline. rootpw may be omitted when
# the rootdn is an entry inside the database; it then authenticates with its
# own userPassword.
rootdn          "cn=admin,dc=mydomain,dc=net"
rootpw          {SSHA}EGBbPLdQg0o5RoUQBwIQBkymApuC/YFa
 
# Where the database files are physically stored for database #1
directory       "/var/lib/ldap/mydomain"

# For the Debian package we use 2MB as default but be sure to update this
# value if you have plenty of RAM
dbconfig set_cachesize 0 2097152 0

# Sven Hartge reported that he had to set this value incredibly high
# to get slapd running at all. See http://bugs.debian.org/303057
# for more information.

# Number of objects that can be locked at the same time.
dbconfig set_lk_max_objects 1500
# Number of locks (both requested and granted)
dbconfig set_lk_max_locks 1500
# Number of lockers
dbconfig set_lk_max_lockers 1500

# Indexing options for database #1
# Only objectClass is indexed. If the omldapsync filter searches on other
# attributes, consider indexing those too; unindexed searches are slow and
# noisy in the stats log.
index           objectClass eq

# Save the time that the entry gets modified, for database #1
lastmod         on

# Where to store the replica logs for database #1
# replogfile    /var/lib/ldap/replog

# The userPassword by default can be changed
# by the entry owning it if they are authenticated.
# Others should not be able to see it, except the
# admin entry below
# These access lines apply to database #1 only
# Order matters: slapd applies the first 'access to' clause whose target
# matches, so this clause must stay ahead of the catch-all 'access to *'.
# 'by anonymous auth' lets simple binds be verified without the hash ever
# being readable.
access to attrs=userPassword,shadowLastChange
        by dn="cn=admin,dc=mydomain,dc=net" write
        by anonymous auth
        by self write
        by * none

# Ensure read access to the base for things like
# supportedSASLMechanisms.  Without this you may
# have problems with SASL not knowing what
# mechanisms are available and the like.
# Note that this is covered by the 'access to *'
# ACL below too but if you change that as people
# are wont to do you'll still need this if you
# want SASL (and possible other things) to work
# happily.
access to dn.base="" by * read

# The admin dn has full write access, everyone else
# can read everything.
# 'by * read' includes unauthenticated clients, so anyone who can reach the
# port can enumerate every entry and all Scalix attributes (the anonymous
# ldapsearch test in the ldapsync13.schema header relies on this). If
# omldapsync binds with a dedicated DN, narrow this to 'by users read' or to
# that DN, then re-run the sync test.
access to *
        by dn="cn=admin,dc=mydomain,dc=net" write
        by * read

# For Netscape Roaming support, each user gets a roaming
# profile for which they have write access to
#access to dn=".*,ou=Roaming,o=morsnet"
#        by dn="cn=admin,dc=mydomain,dc=net" write
#        by dnattr=owner write

#######################################################################
# Specific Directives for database #2, of type 'other' (can be bdb  too):
# Database specific directives apply to this database until another
# 'database' directive occurs
#database        <other>

# The base of your directory for database #2
#suffix         "dc=debian,dc=org"