Omldapsync HowTo - Six
From Scalix Wiki
Appendix A - ldapsync13.schema (OpenLDAP Servers)
A copy of ldapsync13.schema is provided because the copy included with the Scalix installation was incomplete in earlier releases.
# Copyright (C) 2006 Scalix Corporation. All rights reserved.
# OpenLDAP schema extension for Scalix omldapsync attributes
# For reference see OpenLDAP 2.1 Administrator's Guide
# Installation steps (requires root login):
#
# 1. Stop OpenLDAP slapd server (e.g. kill -INT `cat /var/run/slapd.pid`)
#
# 2. Copy this file to OpenLDAP schema sub directory (e.g. /etc/openldap/schema)
#
# 3. Edit OpenLDAP slapd.conf file (e.g. /etc/openldap/slapd.conf) to:
#
#    a. Extend the schema by appending reference to the 'include' section,
#       something like the following lines:
#
#       # include schema extension for Scalix omldapsync attributes
#       include /etc/openldap/schema/ldapsync13.schema
#
#    b. Ensure Scalix omldapsync has sufficient read access to all the data,
#       usually determined by the type of bind and the dn used.
#
#    c. Ensure Scalix omldapsync has sufficient search limit to return all the
#       matching entries, usually determined by the 'sizelimit' setting used.
#
# 4. Start OpenLDAP slapd server (e.g. /usr/sbin/slapd)
#
# 5. Fix any error, repeat steps 1 to 4 as necessary.
#
# 6. Test add (e.g. /usr/bin/ldapadd -D "cn=Manager,dc=my-domain,dc=com") using
#    something like the following LDIF lines:
#
#    dn: cn=testuser scalix,dc=my-domain,dc=com
#    objectClass: inetOrgPerson
#    cn: testuser scalix
#    displayName: Testuser Scalix
#    sn: Scalix
#    mail: testuser@test.scalix.com
#    objectClass: scalixUserClass
#    scalixScalixObject: TRUE
#    scalixMailnode: ou1,ou2
#    scalixServerLanguage: ENGLISH
#    scalixAdministrator: TRUE
#    scalixMailboxAdministrator: FALSE
#    scalixEmailAddress: testuser@my-domain.com
#    scalixEmailAddress: testuser@my-domain.de
#    scalixLimitMailboxSize: 1024
#    scalixLimitOutboundMail: TRUE
#    scalixLimitInboundMail: FALSE
#    scalixLimitNotifyUser: TRUE
#    scalixHideUserEntry: FALSE
#    scalixMailboxClass: FULL
#
#    dn: cn=testgroup scalix,dc=my-domain,dc=com
#    objectClass: groupOfNames
#    cn: testgroup scalix
#    member: cn=testuser scalix,dc=my-domain,dc=com
#    objectClass: scalixGroupClass
#    scalixScalixObject: TRUE
#    scalixMailnode: ou1,ou2
#    displayName: Testgroup Scalix
#    scalixEmailAddress: testgroup@test.scalix.com
#    scalixHideUserEntry: TRUE
#
# 7. Test search (e.g. /usr/bin/ldapsearch -b "dc=my-domain,dc=com" -x -D ""
#    -w "" cn=*scalix) to check for read access and that the entries were
#    added correctly.

# define macro for Scalix root OID
objectIdentifier scalixOID 1.3.6.1.4.1.19049

# new attributes to describe a Scalix user or group object
# use 1.1.x from Scalix root OID
attributetype ( scalixOID:1.1.10 NAME 'scalixScalixObject'
    DESC 'boolean TRUE or FALSE for creating scalix mailbox/PDL object. If this is set to FALSE and the object is matched by the omldapsync filter, a Contact entry/Internet user is created. If set to true, a mailbox is setup. For Group/PDL objects, this must always be set to true'
    EQUALITY booleanMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
    SINGLE-VALUE )

attributetype ( scalixOID:1.1.11 NAME 'scalixMailnode'
    DESC 'Comma-separated org units for the mailnode of the object. This is the Mailnode name as defined when the Scalix server was setup. In Multi-server environments, this is used to select on which server the object is to be created.'
    EQUALITY caseIgnoreMatch
    ORDERING caseIgnoreOrderingMatch
    SUBSTR caseIgnoreSubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1024}
    SINGLE-VALUE )

attributetype ( scalixOID:1.1.12 NAME 'scalixAdministrator'
    DESC 'Boolean TRUE or FALSE for admin capability. If set to TRUE, the user created will have full Scalix admin capabilities.'
    EQUALITY booleanMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
    SINGLE-VALUE )

attributetype ( scalixOID:1.1.13 NAME 'scalixMailboxAdministrator'
    DESC 'Boolean TRUE or FALSE for Mailbox Admin capability. A user with this flag set to TRUE can access ANY mailbox on a server through mboxadmin signon. This is usually only used for migration tools and typically not exposed through LDAP'
    EQUALITY booleanMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
    SINGLE-VALUE )

attributetype ( scalixOID:1.1.14 NAME 'scalixServerLanguage'
    DESC 'Message catalog language for client. This is one of the Scalix-supported languages found in /var/opt/scalix/nls/om_langs'
    EQUALITY caseIgnoreMatch
    ORDERING caseIgnoreOrderingMatch
    SUBSTR caseIgnoreSubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1024}
    SINGLE-VALUE )

attributetype ( scalixOID:1.1.15 NAME 'scalixEmailAddress'
    DESC 'List of SMTP addresses of user. This is a multi-valued attribute. The order is important as the first of these values is used as the outgoing from address of the user.'
    EQUALITY caseIgnoreMatch
    ORDERING caseIgnoreOrderingMatch
    SUBSTR caseIgnoreSubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1024} )

attributetype ( scalixOID:1.1.16 NAME 'scalixLimitMailboxSize'
    DESC 'mailbox size limit for the user in MB'
    EQUALITY integerMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
    SINGLE-VALUE )

attributetype ( scalixOID:1.1.17 NAME 'scalixLimitOutboundMail'
    DESC 'As Sanction on Mailbox quota overuse, stop user from sending mail. Set to TRUE or FALSE'
    EQUALITY booleanMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
    SINGLE-VALUE )

attributetype ( scalixOID:1.1.18 NAME 'scalixLimitInboundMail'
    DESC 'As Sanction on Mailbox quota overuse, stop user from receiving mail. Set to TRUE or FALSE'
    EQUALITY booleanMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
    SINGLE-VALUE )

attributetype ( scalixOID:1.1.19 NAME 'scalixLimitNotifyUser'
    DESC 'As Sanction on Mailbox quota overuse, notify the User by eMail. Set to TRUE or FALSE'
    EQUALITY booleanMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
    SINGLE-VALUE )

attributetype ( scalixOID:1.1.20 NAME 'scalixHideUserEntry'
    DESC 'Hide User Entry from Addressbook. Set to TRUE or FALSE'
    EQUALITY booleanMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
    SINGLE-VALUE )

attributetype ( scalixOID:1.1.21 NAME 'scalixMailboxClass'
    DESC 'Class of User Mailbox FULL or LIMITED. This maps to Premium or Standard users as defined by Scalix User licensing policy'
    EQUALITY caseIgnoreMatch
    ORDERING caseIgnoreOrderingMatch
    SUBSTR caseIgnoreSubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1024}
    SINGLE-VALUE )

# auxiliary classes for scalix User and group
# use 1.2.x from Scalix root OID
objectclass ( scalixOID:1.2.10 NAME 'scalixUserClass'
    DESC 'Supplemental class containing the Scalix User-related attributes'
    AUXILIARY
    MUST ( scalixScalixObject $ scalixMailnode )
    MAY ( scalixAdministrator $ scalixMailboxAdministrator $
          scalixServerLanguage $ scalixEmailAddress $
          scalixLimitMailboxSize $ scalixLimitOutboundMail $
          scalixLimitInboundMail $ scalixLimitNotifyUser $
          scalixHideUserEntry $ scalixMailboxClass ) )

objectclass ( scalixOID:1.2.11 NAME 'scalixGroupClass'
    DESC 'Supplemental class containing the Scalix Group-related attributes'
    AUXILIARY
    MUST ( scalixScalixObject $ scalixMailnode )
    MAY ( displayName $ scalixEmailAddress $ scalixHideUserEntry ) )
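Before handing a directory over to omldapsync it is worth checking that the entries actually satisfy the rules the schema above encodes (MUST attributes present, SINGLE-VALUE attributes not repeated, booleans spelled exactly TRUE or FALSE, groups carrying scalixScalixObject TRUE) and, more importantly, listing every entry whose scalixAdministrator or scalixMailboxAdministrator flag is TRUE, since the sync will turn those into full Scalix administrators or accounts that can open any mailbox. The following script is an added example for this page, not code from Scalix or omldapsync; its LDIF parser is deliberately minimal (no base64 values), and the sample LDIF is constructed from the step 6 test entries with two mistakes planted in the group entry.

```python
"""Check LDIF entries against the scalixUserClass/scalixGroupClass rules in
ldapsync13.schema and flag entries that will be provisioned with admin rights.
Added example for this page; not Scalix or omldapsync code."""
import re

# Boolean attributes (SYNTAX ...1.7): values must be exactly TRUE or FALSE.
BOOLEAN_ATTRS = {
    "scalixscalixobject", "scalixadministrator", "scalixmailboxadministrator",
    "scalixlimitoutboundmail", "scalixlimitinboundmail",
    "scalixlimitnotifyuser", "scalixhideuserentry",
}
MULTI_VALUED = {"scalixemailaddress"}          # every other scalix* attr is SINGLE-VALUE
MUST_ATTRS = {"scalixscalixobject", "scalixmailnode"}   # same for user and group class
ADMIN_ATTRS = ("scalixadministrator", "scalixmailboxadministrator")

# Constructed sample: the step 6 entries, with two deliberate errors in the group.
SAMPLE_LDIF = """\
dn: cn=testuser scalix,dc=my-domain,dc=com
objectClass: inetOrgPerson
objectClass: scalixUserClass
cn: testuser scalix
sn: Scalix
mail: testuser@test.scalix.com
scalixScalixObject: TRUE
scalixMailnode: ou1,ou2
scalixAdministrator: TRUE
scalixMailboxAdministrator: FALSE
scalixEmailAddress: testuser@my-domain.com
scalixEmailAddress: testuser@my-domain.de
scalixLimitMailboxSize: 1024
scalixMailboxClass: FULL

dn: cn=testgroup scalix,dc=my-domain,dc=com
objectClass: groupOfNames
objectClass: scalixGroupClass
cn: testgroup scalix
member: cn=testuser scalix,dc=my-domain,dc=com
scalixScalixObject: FALSE
scalixMailnode: ou1,ou2
scalixMailnode: ou3
scalixHideUserEntry: yes
"""


def parse_ldif(text):
    """Minimal LDIF parser: list of (dn, {attr_lowercase: [values]}).
    Folded lines (leading space) are joined; base64 '::' values are not handled."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, dn, attrs = [], None, None
    for line in lines + [""]:             # trailing "" flushes the last entry
        if not line.strip():
            if attrs is not None:
                entries.append((dn, attrs))
            dn, attrs = None, None
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if name == "dn":
            dn, attrs = value, {}
        elif attrs is not None:
            attrs.setdefault(name, []).append(value)
    return entries


def check_entry(attrs):
    """Schema problems for one entry; an empty list means it would load cleanly."""
    classes = {c.lower() for c in attrs.get("objectclass", [])}
    is_user, is_group = "scalixuserclass" in classes, "scalixgroupclass" in classes
    if not (is_user or is_group):
        return []
    problems = [f"missing MUST attribute {a}" for a in sorted(MUST_ATTRS - set(attrs))]
    for name, values in attrs.items():
        if not name.startswith("scalix"):
            continue
        if name not in MULTI_VALUED and len(values) > 1:
            problems.append(f"{name} is SINGLE-VALUE but has {len(values)} values")
        if name in BOOLEAN_ATTRS:
            problems += [f"{name}={v!r} is not TRUE/FALSE" for v in values
                         if v not in ("TRUE", "FALSE")]
    for v in attrs.get("scalixlimitmailboxsize", []):
        if not re.fullmatch(r"\d+", v):
            problems.append(f"scalixlimitmailboxsize={v!r} is not an integer")
    for v in attrs.get("scalixmailboxclass", []):
        if v.upper() not in ("FULL", "LIMITED"):
            problems.append(f"scalixmailboxclass={v!r} is not FULL or LIMITED")
    if is_group and attrs.get("scalixscalixobject") != ["TRUE"]:   # per schema DESC
        problems.append("group/PDL object must have scalixScalixObject TRUE")
    return problems


def admin_flags(attrs):
    """Admin attributes set to TRUE: review these before running the sync."""
    return [a for a in ADMIN_ATTRS if attrs.get(a) == ["TRUE"]]


def audit(text):
    """Map each DN to its schema problems and admin flags."""
    return {dn: {"problems": check_entry(attrs), "admin": admin_flags(attrs)}
            for dn, attrs in parse_ldif(text)}


if __name__ == "__main__":
    for dn, result in audit(SAMPLE_LDIF).items():
        print(dn, result)
```

Run it against an ldapsearch -LLL export of the subtree omldapsync will read; anything listed under "admin" should match the people you expect to administer the Scalix server, and anything under "problems" will either be rejected by the schema at ldapadd time or silently mis-provisioned.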
Appendix B - 90Scalix.ldif (Sun ONE Directory Servers)
The aci, modifiersName and modifyTimestamp lines show that this copy was exported from a running Sun ONE Directory Server (host and DN names are those of that installation). Two details differ from the OpenLDAP schema in Appendix A: the attribute and object class OIDs are the bare 1.1.x and 1.2.x suffixes rather than values under the Scalix root OID 1.3.6.1.4.1.19049, and scalixUserClass and scalixGroupClass are declared STRUCTURAL with SUP top rather than AUXILIARY.

dn: cn=schema
objectClass: top
objectClass: ldapSubentry
objectClass: subschema
cn: schema
aci: (target="ldap:///cn=schema")(targetattr !="aci")(version 3.0; acl "anonymous, no acis"; allow (read, search, compare) userdn = "ldap:///anyone";)
aci: (targetattr = "*")(version 3.0; acl "Configuration Administrators Group"; allow (all) groupdn = "ldap:///cn=Configuration Administrators, ou=Groups, ou=TopologyManagement, o=NetscapeRoot";)
aci: (targetattr = "*")(version 3.0; acl "Configuration Administrator"; allow (all) userdn = "ldap:///uid=admin,ou=Administrators, ou=TopologyManagement, o=NetscapeRoot";)
aci: (targetattr = "*")(version 3.0; acl "Local Directory Administrators Group "; allow (all) groupdn = "ldap:///cn=Directory Administrators, dc=mydomain,dc=net";)
aci: (targetattr = "*")(version 3.0; acl "SIE Group"; allow (all) groupdn = "ldap:///cn=slapd-fubar, cn=Sun ONE Directory Server, cn=Server Group, cn=fubar.mydomain.net, ou=mydomain.net, o=NetscapeRoot";)
modifiersName: cn=directory manager
modifyTimestamp: 20080205163801Z
attributeTypes: ( 1.1.13 NAME 'scalixMailboxAdministrator' DESC 'Boolean TRUE or FALSE for Mailbox Admin capability. A user with this flag set to TRUE can access ANY mailbox on a server through mboxadmin signon. This is usually only used for migration tools and typically not exposed through LDAP' SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'user defined' )
attributeTypes: ( 1.1.18 NAME 'scalixLimitInboundMail' DESC 'As Sanction on Mailbox quota overuse, stop user from receiving mail. Set to TRUE or FALSE' SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'user defined' )
attributeTypes: ( 1.1.10 NAME 'scalixScalixObject' DESC 'boolean TRUE or FALSE for creating scalix mailbox/PDL object. If this is set to FALSE and the object is matched by the omldapsync filter, a Contact entry/Internet user is created. If set to true, a mailbox is setup. For Group/PDL objects, this must always be set to true.' SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'user defined' )
attributeTypes: ( 1.1.15 NAME 'scalixEmailAddress' DESC 'List of SMTP addresses of user. This is a multi-valued attribute. The order is important as the first of these values is used as the outgoing from address of the user.' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
attributeTypes: ( 1.1.20 NAME 'scalixHideUserEntry' DESC 'Hide User Entry from Addressbook. Set to TRUE or FALSE' SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'user defined' )
attributeTypes: ( 1.1.12 NAME 'scalixAdministrator' DESC 'Boolean TRUE or FALSE for admin capability. If set to TRUE, the user created will have full Scalix admin capabilities.' SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'user defined' )
attributeTypes: ( 1.1.17 NAME 'scalixLimitOutboundMail' DESC 'As Sanction on Mailbox quota overuse, stop user from sending mail. Set to TRUE or FALSE' SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'user defined' )
attributeTypes: ( 1.1.14 NAME 'scalixServerLanguage' DESC 'Message catalog language for client. This is one of the Scalix-supported languages found in /var/opt/scalix/nls/om_langs' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'user defined' )
attributeTypes: ( 1.1.19 NAME 'scalixLimitNotifyUser' DESC 'As Sanction on Mailbox quota overuse, notify the User by eMail. Set to TRUE or FALSE' SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'user defined' )
attributeTypes: ( 1.1.11 NAME 'scalixMailnode' DESC 'Comma-separated org units for the mailnode of the object. This is the Mailnode name as defined when the Scalix server was setup. In Multi-server environments, this is used to select on which server the object is to be created.' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'user defined' )
attributeTypes: ( 1.1.16 NAME 'scalixLimitMailboxSize' DESC 'mailbox size limit for the user in MB' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'user defined' )
attributeTypes: ( 1.1.21 NAME 'scalixMailboxClass' DESC 'Class of User Mailbox FULL or LIMITED. This maps to Premium or Standard users as defined by Scalix User licensing policy' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'user defined' )
objectClasses: ( 1.2.10 NAME 'scalixUserClass' SUP top STRUCTURAL MUST ( scalixMailnode $ scalixScalixObject ) MAY ( scalixAdministrator $ scalixEmailAddress $ scalixHideUserEntry $ scalixLimitInboundMail $ scalixLimitMailboxSize $ scalixLimitNotifyUser $ scalixLimitOutboundMail $ scalixMailboxAdministrator $ scalixMailboxClass $ scalixServerLanguage ) X-ORIGIN 'user defined' )
objectClasses: ( 1.2.11 NAME 'scalixGroupClass' SUP top STRUCTURAL MUST ( scalixMailnode $ scalixScalixObject ) MAY ( displayName $ scalixEmailAddress $ scalixHideUserEntry ) X-ORIGIN 'user defined' )
Appendix C - slapd.conf (OpenLDAP Server)
This is a sample slapd.conf file taken from OpenLDAP version 2.3.35 running on Ubuntu 7.10 (Gutsy Gibbon). Your slapd.conf file may be more or less complex than this one. Two settings are the ones steps 3b and 3c of the schema file in Appendix A refer to: the sizelimit (5000 here, against a built-in default of 500), and the access directives at the end. The final "access to *" grants everyone, including anonymous binds, read access to everything except userPassword and shadowLastChange; that is what lets the anonymous test search in step 7 succeed, and in production it should be narrowed to the DN that omldapsync binds with. Do not reuse the rootpw hash shown; generate your own with slappasswd.
# This is the main slapd configuration file. See slapd.conf(5) for more
# info on the configuration options.

#######################################################################
# Global Directives:

# Features to permit
#allow bind_v2

# Schema and objectClass definitions
include         /etc/ldap/schema/core.schema
include         /etc/ldap/schema/cosine.schema
include         /etc/ldap/schema/nis.schema
include         /etc/ldap/schema/inetorgperson.schema
include         /etc/ldap/schema/ldapsync13.schema

# Where the pid file is put. The init.d script
# will not stop the server if you change this.
pidfile         /var/run/slapd/slapd.pid

# List of arguments that were passed to the server
argsfile        /var/run/slapd/slapd.args

# Read slapd.conf(5) for possible values
loglevel        256

# Where the dynamically loaded modules are stored
modulepath      /usr/lib/ldap
moduleload      back_bdb

# The maximum number of entries that is returned for a search operation
sizelimit 5000

# The tool-threads parameter sets the actual amount of cpu's that is used
# for indexing.
tool-threads 1

#######################################################################
# Specific Backend Directives for bdb:
# Backend specific directives apply to this backend until another
# 'backend' directive occurs
backend         bdb
checkpoint 512 30

#######################################################################
# Specific Backend Directives for 'other':
# Backend specific directives apply to this backend until another
# 'backend' directive occurs
#backend        <other>

#######################################################################
# Specific Directives for database #1, of type bdb:
# Database specific directives apply to this database until another
# 'database' directive occurs
database        bdb

# The base of your directory in database #1
suffix          "dc=mydomain,dc=net"

# rootdn directive for specifying a superuser on the database. This is needed
# for syncrepl.
rootdn          "cn=admin,dc=mydomain,dc=net"
rootpw          {SSHA}EGBbPLdQg0o5RoUQBwIQBkymApuC/YFa

# Where the database files are physically stored for database #1
directory       "/var/lib/ldap/mydomain"

# For the Debian package we use 2MB as default but be sure to update this
# value if you have plenty of RAM
dbconfig set_cachesize 0 2097152 0

# Sven Hartge reported that he had to set this value incredibly high
# to get slapd running at all. See http://bugs.debian.org/303057
# for more information.

# Number of objects that can be locked at the same time.
dbconfig set_lk_max_objects 1500
# Number of locks (both requested and granted)
dbconfig set_lk_max_locks 1500
# Number of lockers
dbconfig set_lk_max_lockers 1500

# Indexing options for database #1
index           objectClass eq

# Save the time that the entry gets modified, for database #1
lastmod         on

# Where to store the replica logs for database #1
# replogfile    /var/lib/ldap/replog

# The userPassword by default can be changed
# by the entry owning it if they are authenticated.
# Others should not be able to see it, except the
# admin entry below
# These access lines apply to database #1 only
access to attrs=userPassword,shadowLastChange
        by dn="cn=admin,dc=mydomain,dc=net" write
        by anonymous auth
        by self write
        by * none

# Ensure read access to the base for things like
# supportedSASLMechanisms. Without this you may
# have problems with SASL not knowing what
# mechanisms are available and the like.
# Note that this is covered by the 'access to *'
# ACL below too but if you change that as people
# are wont to do you'll still need this if you
# want SASL (and possible other things) to work
# happily.
access to dn.base="" by * read

# The admin dn has full write access, everyone else
# can read everything.
access to *
        by dn="cn=admin,dc=mydomain,dc=net" write
        by * read

# For Netscape Roaming support, each user gets a roaming
# profile for which they have write access to
#access to dn=".*,ou=Roaming,o=morsnet"
#        by dn="cn=admin,dc=mydomain,dc=net" write
#        by dnattr=owner write

#######################################################################
# Specific Directives for database #2, of type 'other' (can be bdb too):
# Database specific directives apply to this database until another
# 'database' directive occurs
#database        <other>

# The base of your directory for database #2
#suffix         "dc=debian,dc=org"
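Steps 3a to 3c in the schema file of Appendix A ask for three things from a slapd.conf like the one above: the schema include, a sizelimit large enough for the sync, and enough read access for the DN omldapsync binds with. The script below checks all three offline by parsing the file and evaluating slapd's access rules the way slapd does (first matching "access to" wins, then the first matching "by" inside it, and no match means none). It is an added example for this page, not OpenLDAP or Scalix code; it supports only the directive forms that appear in Appendix C (attrs=, dn.base=, *, and by dn=/anonymous/self/users/*), treats plain dn= as an exact match, and the configuration it reads is a constructed excerpt of Appendix C. The hypothetical bind DN cn=omldapsync,dc=mydomain,dc=net stands in for whatever account you give the sync.

```python
"""Check a slapd.conf for the ldapsync13.schema include, the sizelimit, and
the access level a bind DN gets on a given entry/attribute. Added example for
this page; not OpenLDAP or Scalix code. Only the ACL forms used in Appendix C
are understood."""
import re

# slapd access levels in increasing order; 'auth' does not imply 'read'.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

# Constructed excerpt of the Appendix C slapd.conf.
SAMPLE_CONF = """\
include         /etc/ldap/schema/core.schema
include         /etc/ldap/schema/inetorgperson.schema
include         /etc/ldap/schema/ldapsync13.schema
sizelimit 5000
database        bdb
suffix          "dc=mydomain,dc=net"
rootdn          "cn=admin,dc=mydomain,dc=net"
# The userPassword by default can be changed by the entry owning it.
access to attrs=userPassword,shadowLastChange
        by dn="cn=admin,dc=mydomain,dc=net" write
        by anonymous auth
        by self write
        by * none
access to dn.base="" by * read
# The admin dn has full write access, everyone else can read everything.
access to *
        by dn="cn=admin,dc=mydomain,dc=net" write
        by * read
"""

ACL_RE = re.compile(r"^access\s+to\s+(.+?)\s+(by\s+.*)$")
BY_RE = re.compile(r"by\s+(\S+)\s+(\w+)")


def parse_directives(text):
    """Join slapd.conf continuation lines (leading whitespace) into one directive each."""
    directives = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and directives:
            directives[-1] += " " + raw.strip()
        else:
            directives.append(raw.strip())
    return directives


def schema_included(directives, name="ldapsync13.schema"):
    return any(d.split()[0] == "include" and d.split()[-1].endswith(name)
               for d in directives)


def size_limit(directives):
    """Global sizelimit; slapd's built-in default is 500 when it is unset."""
    for d in directives:
        parts = d.split()
        if parts[0] == "sizelimit":
            return int(parts[1])
    return 500


def parse_acls(directives):
    """List of (target, [(who, level), ...]) in file order."""
    acls = []
    for d in directives:
        m = ACL_RE.match(d)
        if not m:
            continue
        target = {"attrs": None, "dn_base": None}
        for tok in m.group(1).split():
            if tok.startswith("attrs="):
                target["attrs"] = {a.lower() for a in tok[6:].split(",")}
            elif tok.startswith("dn.base="):
                target["dn_base"] = tok[8:].strip('"')
            elif tok != "*":
                raise ValueError(f"unsupported <what> clause: {tok}")
        acls.append((target, BY_RE.findall(m.group(2))))
    return acls


def _who_matches(who, bind_dn, entry_dn):
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn == ""
    if who == "users":
        return bind_dn != ""
    if who == "self":
        return bind_dn != "" and bind_dn == entry_dn
    if who.startswith('dn="'):          # plain dn= treated as an exact match
        return bind_dn == who[4:-1]
    return False


def access_level(acls, bind_dn, entry_dn, attr=None):
    """First matching 'access to' wins, then the first matching 'by' in it;
    no match at either level means 'none'. The rootdn bypasses ACLs entirely,
    so do not bind the sync as rootdn just to make this pass."""
    for target, by_clauses in acls:
        if target["dn_base"] is not None and entry_dn != target["dn_base"]:
            continue
        if target["attrs"] is not None and (attr is None or attr.lower() not in target["attrs"]):
            continue
        for who, level in by_clauses:
            if _who_matches(who, bind_dn, entry_dn):
                return level
        return "none"
    return "none"


def at_least(level, required):
    return LEVELS.index(level) >= LEVELS.index(required)


if __name__ == "__main__":
    d = parse_directives(SAMPLE_CONF)
    acls = parse_acls(d)
    print("schema included:", schema_included(d), "sizelimit:", size_limit(d))
    for who in ("", "cn=omldapsync,dc=mydomain,dc=net"):
        print(repr(who), access_level(acls, who, "cn=x,dc=mydomain,dc=net", "scalixMailnode"))
```

With the Appendix C rules, both the anonymous bind and the sync DN get read on scalixMailnode through the final "access to *", while userPassword yields only auth for anonymous and none for the sync DN; if you tighten "by * read" to "by dn=... read" for the sync account, rerun this against the edited file before restarting slapd.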