Difference between revisions of "OXLDAPSync Guide"

(added box for "not supported")
 
(16 intermediate revisions by 3 users not shown)
Line 1: Line 1:
= How to install OX LDAP Sync =
+
<div style="border:2px solid red; text-align:center; padding: 1em; margin: 0.5em;">This page is DEPRECATED. oxldapsync is not supported and is outdated.</div>
 
 
== Debian ==
 
 
 
Add the following entry to /etc/apt/sources.list:
 
 
 
deb http://software.open-xchange.com/OX6/unsupported/repo/DebianEtch/ /
 
 
 
and run
 
 
 
$ apt-get update
 
$ apt-get install oxldapsync
 
 
 
== SLES10 ==
 
 
 
Run the following commands:
 
 
 
$ zypper sa http://software.open-xchange.com/OX6/unsupported/repo/SLES10 UNSUPPORTED
 
$ zypper install oxldapsync
 
  
 +
{{InstallPlugin|toplevel=components|pluginname=oxldapsync|sopath=unsupported/oxldapsync|reponame=oxldapsync|version=OX 6.22 or newer}}
  
 
= How to run OX LDAP Sync =
 
= How to run OX LDAP Sync =
  
With oxldapsync you can sync user and group objects from a ldap compatible
+
With OX LDAP Sync you can sync user and group objects from a LDAP compatible
directory with Open Xchange. When you modify or add an user to your
+
directory with Open-Xchange. When you modify or add an user to your
ldap directory oxldapsync will also modify or add the user to Open Xchange.
+
ldap directory oxldapsync will also modify or add the user to Open-Xchange.
  
 
== Prerequisites ==
 
== Prerequisites ==
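Review bot: The new red banner at the top says oxldapsync is not supported and is outdated, yet the InstallPlugin line added in the same hunk still offers an install path for "OX 6.22 or newer" without any qualifier. Say in the banner whether the packages under unsupported/oxldapsync are still expected to install on current releases, so the two statements do not contradict each other. The reworded intro also still reads "a LDAP compatible" and "an user", and it mixes "OX LDAP Sync" with "oxldapsync" inside one paragraph; "an LDAP-compatible", "a user" and one product name throughout would finish the cleanup.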
Line 31: Line 14:
 
# You need one user distinguished name who at least can search and            read user objects. If you decide to synchronize groups, the ldap user needs to search and read these objects, too.
 
# You need one user distinguished name who at least can search and            read user objects. If you decide to synchronize groups, the ldap user needs to search and read these objects, too.
 
# If you want to synchronize groups you need to know if the          membership to the group is defined by the userid or by the          complete distinguished name of the user.
 
# If you want to synchronize groups you need to know if the          membership to the group is defined by the userid or by the          complete distinguished name of the user.
# User attributes you want to sync with Open Xchange
+
# User attributes you want to sync with Open-Xchange
 +
# Open-Xchange must authenticate against the LDAP server instead of the database, which is the default. In order to achieve that, deinstall package <tt>open-xchange-authentication-database</tt> and install <tt>open-xchange-authentication-ldap</tt> and configure it accordingly in changing /opt/open-xchange/etc/groupware/ldap.properties. As an alternative, <tt>open-xchange-authentication-imap</tt> could be used, if your IMAP server authenticates against your LDAP server.
  
 
== configuring OX LDAP Sync ==
 
== configuring OX LDAP Sync ==
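Review bot: The added prerequisite about authentication packs three actions into one sentence ("deinstall package ... and install ... and configure it accordingly in changing /opt/open-xchange/etc/groupware/ldap.properties"), which is hard to follow for a step that replaces the login backend. Split it into separate steps, use "uninstall" and "by editing" instead of "deinstall" and "in changing", and state that ldap.properties has to be configured before users can log in again, if that is the case.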
Line 59: Line 43:
 
                 updategroups                "yes" if you want to also sync
 
                 updategroups                "yes" if you want to also sync
 
                                             groups with ox
 
                                             groups with ox
                 updateAlias                shall mail aliases of a user get
+
                 updateAliases              shall mail aliases of a user get
 
                                             updated with the one from the ldap.
 
                                             updated with the one from the ldap.
 
                                             In case you can name only one
 
                                             In case you can name only one
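Review bot: The option name in the table changes from updateAlias to updateAliases, but neither the edit summary nor the surrounding text says which spelling the script actually reads. Confirm the key against the shipped example configuration and mention the rename in the edit summary, since readers who copied the earlier spelling from this page would otherwise not know their setting might be ignored.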
Line 116: Line 100:
  
 
To run this program regularly just create a cronjob
 
To run this program regularly just create a cronjob
 +
 +
= Troubleshooting =
 +
== Special chars scrambled ==
 +
If you run OX LDAP Sync via Cronjob an the umlauts (ä,ö,ü,...) of your entries in the "Global Addressbook" are scrambled, try setting the LANG environment variable in your crontab, e. g. German UTF-8 users should set this to something like this:
 +
 +
LANG=de_DE.UTF-8
 +
#m      h      dom    mon    dow    command
 +
0      23      *      *      Sun    /path/to/oxldapsync.pl
 +
 +
For more information on using the crontab please visit [http://tldp.org/LDP/LGNET/151/prestia.html this howto at The Linux Documentation Project].
 +
 +
[[Category: OX6]]
 +
[[Category: AppSuite]]
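Review bot: The crontab example in the new Troubleshooting section runs /path/to/oxldapsync.pl with no options, so a reader cannot tell whether that line is a complete invocation or only a placeholder; either show the full command or say the arguments are omitted. In the paragraph above it, "via Cronjob an the umlauts" should read "and the umlauts", and the howto link uses http:// where an https:// URL would be preferable if the target offers one.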

Latest revision as of 06:12, 15 March 2019

This page is DEPRECATED. oxldapsync is not supported and is outdated.

Install on OX 6.22 or newer

Debian GNU/Linux 10.0

Add the following entry to /etc/apt/sources.list.d/open-xchange.list if not already present:

deb https://software.open-xchange.com/components/unsupported/oxldapsync/DebianBuster/ /
# if you have a valid maintenance subscription, please uncomment the 
# following and add the ldb account data to the url so that the most recent
# packages get installed
# deb https://[CUSTOMERID:PASSWORD]@software.open-xchange.com/components/unsupported/oxldapsync/updates/DebianBuster/ /

and run

$ apt-get update
$ apt-get install oxldapsync

Debian GNU/Linux 11.0

Add the following entry to /etc/apt/sources.list.d/open-xchange.list if not already present:

deb https://software.open-xchange.com/components/unsupported/oxldapsync/DebianBullseye/ /
# if you have a valid maintenance subscription, please uncomment the 
# following and add the ldb account data to the url so that the most recent
# packages get installed
# deb https://[CUSTOMERID:PASSWORD]@software.open-xchange.com/components/unsupported/oxldapsync/updates/DebianBullseye/ /

and run

$ apt-get update
$ apt-get install oxldapsync


How to run OX LDAP Sync

With OX LDAP Sync you can sync user and group objects from an LDAP-compatible directory with Open-Xchange. When you modify or add a user in your LDAP directory, oxldapsync will also modify or add the user in Open-Xchange.

Prerequisites

  1. An LDAP server (currently OpenLDAP and ADS are supported)
  2. You need the distinguished name of one LDAP user that can at least search and read user objects. If you decide to synchronize groups, this LDAP user needs to be able to search and read these objects, too.
  3. If you want to synchronize groups, you need to know whether membership in a group is defined by the userid or by the complete distinguished name of the user.
  4. The user attributes you want to sync with Open-Xchange
  5. Open-Xchange must authenticate against the LDAP server instead of the database, which is the default. To achieve that, uninstall the package open-xchange-authentication-database, install open-xchange-authentication-ldap, and configure it by editing /opt/open-xchange/etc/groupware/ldap.properties. Alternatively, open-xchange-authentication-imap can be used if your IMAP server authenticates against your LDAP server.

Configuring OX LDAP Sync

After installing OXSync, you will find the configuration files under /opt/oxldapsync/etc. You can use the example configuration files ldapsync.conf (openldap) and ldapsyn-ads.conf (Active Directory) as a starting point.

OpenLDAP

Open ldapsync.conf in your favourite text editor and change the following options to your needs:

               ldapuri                     with dns-name or ip of your
                                           LDAP-Server
               userbasedn                  distinguished name under which the
                                           script will find user objects
               groupbasedn                 distinguished name under which the
                                           script will find group objects
               ldaptype                    type of ldap in this case openldap
               ldapuserdn                  distinguished name of the user
                                           which will be used to query the
                                           directory
               ldapuserpassword            password for the ldapuser
               mappingfile                 absolute path to your ldap
                                           attribute -> ox attribute mapping
               updategroups                "yes" if you want to also sync
                                           groups with ox
               updateAliases               shall mail aliases of a user get
                                           updated with the one from the ldap.
                                           In case you can name only one
                                           mailaddress on your directory, say
                                           no here and you can manually add
                                           further mailaddresses in ox. They
                                           will not get deleted by the
                                           synctool.
               usemodifytimestamp          set to yes, to update only users
                                           since last run
               userfilter                  searchfilter to find user objects,
                                           internal default
                                           "(objectClass=inetOrgPerson)"
               groupfilter                 searchfilter to find group objects,
                                           internal default
                                           "(objectClass=posixGroup)"
               deleteusers                 Say yes if you want to delete users
                                           in ox which are not in your
                                           directory and are not named by the
                                           "dontModifyUids" option
               deletegroups                say yes to delete groups in ox
                                           that are empty or do not exist in
                                           ldap
               dontModifyUids              comma-separated list of uids which
                                           shall not be modified by the sync
                                           script. You should list at least
                                           the contextadmin
               groupMemberAttribute        name of attribute which holds the
                                           members in a group object
               memberAttributeIsDN         say yes if groupMemberAttribute is
                                           a distinguished name
               groupDisplayNameAttribute   displayname attribute for group
               groupNumberAttribute        unique number attribute for group
               userPrimaryGroupAttribute   attribute name where a user's
                                           primary group is stored


In the mapping file you will find the ox options used to create or modify users. The name on the left side of the equal sign is the name of the ox option. On the right side you give the name of the ldap attribute for this option. You can also give static values by enclosing them in quotes.
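The options above put a bind password in the file and can switch on deletions, so a check before the first scheduled run is useful. This is an added example, not part of oxldapsync or of the original page. It assumes `key = value` lines (the page does not show the file syntax), and the function names `cfg_get`, `uid_listed`, `lint_config` and `sample_config` are invented here.

```shell
#!/bin/sh
# Added example, not shipped with oxldapsync: lint a sync config before cron runs it.
# ASSUMPTION: "key = value" lines, "#" comments, optional double quotes around values.
# cfg_get FILE KEY: print the last value assigned to KEY, quotes stripped.
cfg_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" |
        sed -e 's/[[:space:]]*$//' -e 's/^"\(.*\)"$/\1/' | tail -n 1
}

# uid_listed LIST UID: succeed if UID is an element of the comma-separated LIST.
uid_listed() {
    case ",$(printf '%s' "$1" | tr -d '[:space:]')," in
        *",$2,"*) return 0 ;;
    esac
    return 1
}

# lint_config FILE ADMIN_UID: print one finding per line; return 1 if any.
lint_config() {
    file=$1 admin=$2 found=0
    # ldapuserpassword is stored in this file: group/other need no access.
    mode=$(ls -ld "$file" | cut -c5-10)
    if [ "$mode" != "------" ]; then
        echo "PERM: group/other can access $file ($mode), which holds ldapuserpassword"
        found=1
    fi
    # An explicit ldap:// URI starts without TLS, so the bind password is
    # exposed unless the connection is upgraded with StartTLS.
    case $(cfg_get "$file" ldapuri) in
        ldap://*) echo "TLS: ldapuri uses ldap://, prefer ldaps://"; found=1 ;;
    esac
    # The page advises listing at least the context admin in dontModifyUids;
    # with deleteusers=yes an unlisted admin absent from LDAP gets deleted.
    if ! uid_listed "$(cfg_get "$file" dontModifyUids)" "$admin"; then
        echo "PROTECT: '$admin' missing from dontModifyUids" \
             "(deleteusers=$(cfg_get "$file" deleteusers))"
        found=1
    fi
    return $found
}

# Constructed sample config (values invented for this example).
sample_config() {
    printf '%s\n' 'ldapuri = ldap://ldap.example.test' \
        'ldapuserpassword = "constructed-secret"' \
        'deleteusers = yes' 'dontModifyUids = backup, monitoring'
}

if [ $# -eq 2 ]; then lint_config "$1" "$2"; fi
```

Called with a config path and the context admin's uid, the script exits with status 1 when it reports at least one finding.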

Active Directory

For Active Directory synchronization, modify at least ldapuri, userbasedn, groupbasedn, ldapuserdn and ldapuserpassword.

To run the script type

$ /opt/oxldapsync/sbin/oxldapsync.pl -f <CONFIG FILENAME> \
                                   -A <CONTEXT ADMIN USERNAME> \
                                   -P <CONTEXT ADMIN PASSWORD> \
                                   -c <CONTEXTID>

Additional parameters are:

                       -h       help message
                       -n       don't save last user search time
                       -v       Verbose mode
                       -s       print messages to stdout

To run this program regularly, create a cron job.

Troubleshooting

Special chars scrambled

If you run OX LDAP Sync via a cron job and the umlauts (ä, ö, ü, ...) of your entries in the "Global Addressbook" are scrambled, try setting the LANG environment variable in your crontab, e.g. German UTF-8 users should set this to something like this:

LANG=de_DE.UTF-8
#m      h       dom     mon     dow     command
0       23      *       *       Sun     /path/to/oxldapsync.pl

For more information on using the crontab please visit this howto at The Linux Documentation Project: http://tldp.org/LDP/LGNET/151/prestia.html