OXLDAPSync Guide
Revision as of 15:19, 20 October 2008
How to install OX LDAP Sync
Debian
Add the following entry to /etc/apt/sources.list:
deb http://software.open-xchange.com/OX6/unsupported/repo/DebianEtch/ /
and run
$ apt-get update
$ apt-get install oxldapsync
SLES10
Run the following commands:
$ zypper sa http://software.open-xchange.com/OX6/unsupported/repo/SLES10 UNSUPPORTED
$ zypper install oxldapsync
How to run OX LDAP Sync
With oxldapsync you can sync user and group objects from an LDAP-compatible directory with Open-Xchange. When you modify or add a user in your LDAP directory, oxldapsync will also modify or add that user in Open-Xchange.
Prerequisites
- An LDAP server (currently OpenLDAP and ADS are supported)
- One user distinguished name that can at least search and read user objects. If you decide to synchronize groups, this LDAP user needs to be able to search and read the group objects, too.
- If you want to synchronize groups, you need to know whether membership in a group is defined by the user id or by the complete distinguished name of the user.
- The user attributes you want to sync with Open-Xchange
Configuring OX LDAP Sync
After installing OXSync you will find the configuration files under /opt/oxldapsync/etc. You can use the example configuration files ldapsync.conf (OpenLDAP) and ldapsyn-ads.conf (Active Directory) as a starting point.
OpenLDAP
Open ldapsync.conf in your favourite text editor and change the following options to your needs:
ldapuri: DNS name or IP of your LDAP server
userbasedn: distinguished name under which the script will find user objects
groupbasedn: distinguished name under which the script will find group objects
ldaptype: type of LDAP, in this case openldap
ldapuserdn: distinguished name of the user which will be used to query the directory
ldapuserpassword: password for the ldapuser
mappingfile: absolute path to your LDAP attribute -> OX attribute mapping
updategroups: "yes" if you want to also sync groups with OX
updateAlias: whether the mail aliases of a user get updated with the ones from LDAP. If you can name only one mail address in your directory, say no here; you can then manually add further mail addresses in OX and they will not get deleted by the sync tool.
usemodifytimestamp: set to yes to update only users modified since the last run
userfilter: search filter to find user objects, internal default "(objectClass=inetOrgPerson)"
groupfilter: search filter to find group objects, internal default "(objectClass=posixGroup)"
deleteusers: say yes if you want to delete users in OX which are not in your directory and are not named by the "dontModifyUids" option
deletegroups: say yes to delete groups in OX which are empty or no longer exist in LDAP
dontModifyUids: comma-separated list of uids which shall not be modified by the sync script. You should list at least the context admin.
groupMemberAttribute: name of the attribute which holds the members in a group object
memberAttributeIsDN: say yes if groupMemberAttribute is a distinguished name
groupDisplayNameAttribute: display name attribute for groups
groupNumberAttribute: unique number attribute for groups
userPrimaryGroupAttribute: name of the attribute where a user's primary group is stored
In the mapping file you will find the OX options used to create or modify users. The name on the left side of the equal sign is the name of the OX option. On the right side you name the LDAP attribute for this option. You can also give static values by enclosing them in quotes.
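As an added illustration (not the project's own code), the following Python model applies the mapping-file rules described above and honours the dontModifyUids list so that the context admin is never touched by a sync run; the one-option-per-line mapping format, the OX option names and the sample LDAP entries are assumptions constructed for this example.

```python
import re
# Constructed sample mapping file (format assumed from the guide: OX option on the left,
# LDAP attribute or quoted static value on the right; the OX option names are illustrative).
MAPPING_FILE = """
username     = uid
givenname    = givenName
surname      = sn
primaryEmail = mail
language     = "en_US"
"""
# Constructed LDAP search results: attribute -> list of values, as LDAP returns them.
LDAP_USERS = [
    {"uid": ["oxadmin"], "givenName": ["Context"], "sn": ["Admin"], "mail": ["admin@example.com"]},
    {"uid": ["jdoe"], "givenName": ["Jane"], "sn": ["Doe"], "mail": ["jdoe@example.com"]},
    {"uid": ["nomail"], "givenName": ["No"], "sn": ["Mail"]},
]
_MAP_LINE = re.compile(r"^(\w+)\s*=\s*(.+)$")

def parse_mapping(text):
    """Return {ox_option: ('static', literal) or ('attr', ldap_attribute)}."""
    mapping = {}
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        m = _MAP_LINE.match(line)
        if not m:
            raise ValueError("unparseable mapping line: %r" % line)
        key, value = m.group(1), m.group(2).strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            mapping[key] = ("static", value[1:-1])  # quoted -> literal value
        else:
            mapping[key] = ("attr", value)  # bare -> LDAP attribute name
    return mapping

def map_user(entry, mapping):
    """Build the OX option dict for one LDAP entry; unset attributes are left out."""
    ox = {}
    for key, (kind, value) in mapping.items():
        if kind == "static":
            ox[key] = value
        elif entry.get(value):
            ox[key] = entry[value][0]
    return ox

def plan_sync(entries, mapping, dont_modify_uids):
    """Split entries into users to create/modify and uids protected by dontModifyUids."""
    protected = {u.strip() for u in dont_modify_uids.split(",") if u.strip()}
    users = [map_user(e, mapping) for e in entries]
    to_sync = [u for u in users if u.get("username") not in protected]
    skipped = [u["username"] for u in users if u.get("username") in protected]
    return to_sync, skipped
```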
Active Directory
For Active Directory synchronization, modify at least ldapuri, userbasedn, groupbasedn, ldapuserdn and ldapuserpassword.
To run the script, type:
$ /opt/oxldapsync/sbin/oxldapsync.pl -f <CONFIG FILENAME> \
-A <CONTEXT ADMIN USERNAME> \
-P <CONTEXT ADMIN PASSWORD> \
-c <CONTEXTID>
Additional parameters are:
-h help message
-n don't save last user search time
-v Verbose mode
-s print messages to stdout
To run this program regularly, just create a cronjob for it.