Installation guide for "Scalix Plugin for LDAP Account Manager"


1. Requirements

Before you can start the installation of the "Scalix Plugin for LDAP Account Manager", you need a running Scalix server and a LAM installation. You also need root rights on both servers (the Scalix server and the OpenLDAP server).

1.1. LDAP Account Manager

The LDAP Account Manager must already be installed and working, so that you can create and edit users and groups; otherwise follow the installation manual:
http://lam.sourceforge.net/documentation/index.htm
The recommended version is 2.2.0 or higher.

1.2. Scalix Server

The base installation of the Scalix server must already be done before you install the plugin. If the OpenLDAP service and the Scalix service run on the same server, you must change the port of the Scalix LDAP (for example to port 3890). A manual on how to change the Scalix port can be found here:
Scalix Wiki - Change the default Scalix ldap port from 389

1.3. OpenLDAP Server

The Scalix server and the server on which the LDAP Account Manager runs must be able to write to the OpenLDAP server. The Samba server must be configured accordingly, so that it communicates with OpenLDAP.

2. Installation

Unzip the zip archive, which you received by mail, and upload the directories to the respective servers. You can upload the files to any directory you like (e.g. /root/lam_plugin).

2.1. OpenLDAP

OpenLDAP needs a new schema, which you can find in the "openldap" directory of the zip archive. Copy this file (scalix.schema) to /etc/openldap/schema/. Now you have to edit the configuration of the OpenLDAP server. On SuSE you can find the configuration file at "/etc/openldap/slapd.conf".
At the top of the configuration file you can find lines like the following (they may differ on your system):


include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/yast.schema
include /etc/openldap/schema/samba3.schema


At the end of the "include" lines, add the following line:


include /etc/openldap/schema/scalix.schema

After the change, the lines should look like this (the new line is the last one):


include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/yast.schema
include /etc/openldap/schema/samba3.schema
include /etc/openldap/schema/scalix.schema

Your OpenLDAP server now has the new attributes which are needed by the Scalix add-on.
Now add the following line at the end of the OpenLDAP configuration:


index scalixScalixObject eq

This line creates an index on the attribute "scalixScalixObject", which speeds up access to this attribute. Restart your OpenLDAP server and the first step is finished:


/etc/init.d/ldap stop
/etc/init.d/ldap start

2.2. LDAP Account Manager

Copy the files in the directory "ldap_account_manager" into the installation directory of the "LDAP Account Manager". For example, if the zip archive was uploaded to "/root/ldap_account_manager" and the installation directory of the LDAP Account Manager is "/srv/www/htdocs/lam", run the following command:


cp -R /root/ldap_account_manager/* /srv/www/htdocs/lam/

After this copy action, there are 2 new files in the LDAP Account Manager:


/srv/www/htdocs/lam/lib/modules/scalixUser.inc
/srv/www/htdocs/lam/lib/modules/scalixGroup.inc

Now you must activate these modules in the LDAP Account Manager. Go to the start page of LAM and go to -> LAM configuration -> Edit server profiles -> enter the password and log in.



Click on the button "Edit modules". In the categories "Users" and "Groups" you can find a module named "Scalix". To activate these new modules, mark the "Scalix" entry in the "available modules" list and click on the arrow button. When finished, the Scalix modules must be listed under "selected modules":



Click on the "OK" button at the bottom of the page.
Now you must enter the mailnode(s) and the e-mail domain(s) of the Scalix server on the configuration page. Enter only one e-mail domain / mailnode per line:




Now click on the "OK" button to save the configuration. When you log in to LAM and create or edit a group or user, you will find a new tab named "Scalix".

2.3. Scalix Server

The configuration of the Scalix server consists of 2 steps:

2.3.1. Single Sign On

"Single Sign On" is used for password authentication against the OpenLDAP server. This means that if a user changes the password on the Samba server to "12345", the user can also log in with the same password on the Scalix server. The same applies the other way round: if a user changes his password in the webmail, Scalix actually changes the password on the OpenLDAP server.

Scalix must be able to read from OpenLDAP. Here is an example of the ACLs in "/etc/openldap/slapd.conf" (SuSE):


access to *
by dn="cn=root,dc=entwicklung,dc=sin" write
...
...
...
by * read

Copy the files "ual.remote", "smtpd.auth", "pop3" and "omslapdeng" from the directory "scalix/single_sign_on/" of the zip archive to "/var/opt/scalix/[ts]/s/sys/pam.d/" on the Scalix server. Overwrite already existing files.
Copy the file "scalix/single_sign_on/om_ldap.conf" from the zip archive to "/var/opt/scalix/ts/s/sys/" and open it with an editor. Edit the hostname of the OpenLDAP server and the base of the users. A finished configuration can look like this:


host=localhost
search=subtree
base=ou=users,dc=entwicklung,dc=sin
filter=uid=%s
tls=off

Now you must restart the Scalix server with the following commands:


omshut
omrc

After the Scalix restart, the Scalix users have to use the password which is stored in OpenLDAP. If sxadmin does not exist in OpenLDAP, you have to create it; otherwise you can't log in to the SAC, because the Scalix server doesn't find sxadmin in OpenLDAP.
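Because the SSO switch locks you out of the SAC when sxadmin is missing, it pays to resolve sxadmin through exactly the host, base and filter Scalix will read from om_ldap.conf before running omshut and omrc. The script below is an added example, not part of the plugin or of Scalix; it assumes OpenLDAP's ldapsearch client is installed on the Scalix host and that search=subtree corresponds to ldapsearch's "-s sub" scope.

```shell
#!/bin/sh
# Pre-flight for the SSO switch: added example, not the plugin's code.
# Assumes ldapsearch is available; the constructed om_ldap.conf is not a real file.

# om_ldap_get FILE KEY: value of the first "KEY=value" line in om_ldap.conf.
om_ldap_get() { sed -n "s/^$2=//p" "$1" | head -n 1; }

# om_ldap_filter FILE USER: the filter Scalix sends, with %s replaced by USER
# (the om_ldap.conf above uses "filter=uid=%s").
om_ldap_filter() {
    tpl=$(om_ldap_get "$1" filter)
    printf '(%s)' "$tpl" | sed "s/%s/$2/"
}

# sxadmin_lookup_cmd FILE: the ldapsearch call that mirrors om_ldap.conf.
# Mapping search=subtree to "-s sub" is an assumption about Scalix's values.
sxadmin_lookup_cmd() {
    host=$(om_ldap_get "$1" host); base=$(om_ldap_get "$1" base)
    case $(om_ldap_get "$1" search) in
        subtree) s=sub ;; onelevel) s=one ;; *) s=base ;;
    esac
    printf 'ldapsearch -x -LLL -H ldap://%s -b "%s" -s %s "%s" dn' \
        "$host" "$base" "$s" "$(om_ldap_filter "$1" sxadmin)"
}

# ldif_entry_count FILE: number of entries (dn: lines) in an -LLL result.
ldif_entry_count() { grep -c '^dn: ' "$1"; return 0; }

# sxadmin_preflight CONF: run the lookup; succeed only if exactly one entry.
sxadmin_preflight() {
    out=$(mktemp) || return 1
    eval "$(sxadmin_lookup_cmd "$1")" > "$out" 2>/dev/null
    n=$(ldif_entry_count "$out"); rm -f "$out"
    [ "$n" -eq 1 ] && { echo "sxadmin resolves; safe to run omshut and omrc"; return 0; }
    echo "sxadmin not found via $1; create it in OpenLDAP before enabling SSO"
    return 1
}

# demo_om_ldap_conf: writes a constructed om_ldap.conf (matching the example
# above, not a real file) to a temp file and prints its path.
demo_om_ldap_conf() {
    tmp=$(mktemp) || return 1
    cat > "$tmp" <<'EOF'
host=localhost
search=subtree
base=ou=users,dc=entwicklung,dc=sin
filter=uid=%s
tls=off
EOF
    printf '%s\n' "$tmp"
}
```

On the Scalix host, run sxadmin_preflight /var/opt/scalix/ts/s/sys/om_ldap.conf; an anonymous bind is used, which matches the "by * read" ACL shown above.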

2.3.2. Synchronize

For the synchronisation we use the Scalix tool "omldapsync", which is already installed with the basic Scalix installation. Run the following command ("openldap" is the name of the sync config; you can also use another name):

omldapsync -i openldap

Now you are in the installation / configuration menu of omldapsync. Choose option "1".


2008-01-21 16:43:51 STATUS: Interactive for openldap started ########
Common tasks menu for syncid openldap
0. Display this menu
1. Configure the LDAP dir sync settings
2. Force a complete (re)load of the directory
3. Update the directory after some changes
4. Accept previous error and update directory
5. Skip previous error and update directory
6. Update the directory and prompt for error
7. Modify all sync records from the directory
8. Delete all sync records in the directory
d. Toggle debug mode from current setting <0>
n. Toggle test mode from current setting <>
q. Quit
INPUT: Please enter an option (0): 1

The configuration starts now. For OpenLDAP, enter the agreement type "13". More information can be found in the manual ("man omldapsync").


2008-01-21 16:45:33 STATUS: Configuration of openldap started ########
2008-01-21 16:45:33 INFO: create /var/opt/scalix/ts/s/ldapsync/openldap ...
INPUT: Select sync agreement type to create (21): 13

Don't change the configuration now. Enter "n". We will use the configuration from the zip archive; more on that later.


INPUT: Edit config file now y/n (n):n

Don't test the configuration. Enter "n".


INPUT: Attempt to test data extraction now y/n (n):n
2008-01-23 17:47:17 STATUS: Configuration of openldap completed ########
Common tasks menu for syncid openldap
0. Display this menu
1. Configure the LDAP dir sync settings
2. Force a complete (re)load of the directory
3. Update the directory after some changes
4. Accept previous error and update directory
5. Skip previous error and update directory
6. Update the directory and prompt for error
7. Modify all sync records from the directory
8. Delete all sync records in the directory
d. Toggle debug mode from current setting <0>
n. Toggle test mode from current setting <>
q. Quit
INPUT: Please enter an option (0):q

Enter "q" to quit the configuration mode.
Now change the configuration file. Copy the configuration script from the zip archive (scalix/sync.cfg) to /var/opt/scalix/[ts]/s/ldapsync/openldap/sync.cfg and convert the file to the Unix format:


dos2unix /var/opt/scalix/[ts]/s/ldapsync/openldap/sync.cfg

Edit the configuration file "/var/opt/scalix/[ts]/s/ldapsync/openldap/sync.cfg". Change the following lines:

  • JAVA_HOME: Directory of the Java installation
  • EX_HOST: The hostname or IP of the LDAP server
  • EX_PORT: Port of the LDAP server (389 is normally used)
  • EX_LOGON: DN of the user which can write to the LDAP directory.
  • EX_PASS: Password of this user.
  • IM_CAA_URL: URL of the CAA service. Normally http://fqdn/caa/ is used. The URL must end with a "/"!
  • IM_CAA_KEYSTORE: Scalix CAA service keystore, for HTTPS only.
  • IM_CAA_NAME: Scalix username with administration rights.
  • IM_CAA_PASS: Password of this Scalix user.
  • IM_DELETE_MAILBOX: Delete the user's mailbox when the user is deleted.
  • EX_BASE1: The DN of the users in OpenLDAP.
  • EX_BASE2: The DN of the groups in OpenLDAP.
  • EX_BASE3-9: Additional DNs for users or groups.


Then search the configuration for the following line:


memberUid|omMemberForeignAddr|*|!SPRINTF=uid=%s,ou=users,dc=entwicklung,dc=sin

Replace the DN with the DN of your users. %s is a placeholder for the username.
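Since sync.cfg holds the OpenLDAP and CAA credentials in clear text, and a missing trailing "/" or a stale example DN in the memberUid mapping is easy to overlook, a pre-flight check before the first omldapsync run is worthwhile. The script below is an added example, not part of the plugin or of Scalix; it assumes sync.cfg consists of KEY=value lines named as in the list above, and the messages it prints are its own.

```shell
#!/bin/sh
# Pre-flight check of an omldapsync sync.cfg before the first "omldapsync -u".
# Added example (not the plugin's code); assumes KEY=value lines as listed above.

# validate_sync_cfg FILE: prints one line per problem, returns 0 when clean.
validate_sync_cfg() {
    cfg=$1; problems=0
    get() { sed -n "s/^$1=//p" "$cfg" | head -n 1; }
    fail() { echo "$1"; problems=$((problems + 1)); }
    # EX_PASS and IM_CAA_PASS are stored in clear text: no group/other bits.
    case $(ls -l "$cfg" | cut -c5-10) in
        ------) ;;
        *) fail "permissions: $cfg is group/world readable, chmod 600 it" ;;
    esac
    for key in JAVA_HOME EX_HOST EX_PORT EX_LOGON EX_PASS \
               IM_CAA_URL IM_CAA_NAME IM_CAA_PASS EX_BASE1; do
        [ -n "$(get "$key")" ] || fail "$key: not set"
    done
    case $(get EX_PORT) in ''|*[!0-9]*) fail "EX_PORT: must be numeric" ;; esac
    case $(get IM_CAA_URL) in */) ;; *) fail "IM_CAA_URL: must end with /" ;; esac
    # The memberUid SPRINTF mapping must build user DNs under EX_BASE1.
    map=$(sed -n 's/^memberUid|omMemberForeignAddr|\*|!SPRINTF=uid=%s,//p' "$cfg")
    [ "$map" = "$(get EX_BASE1)" ] || fail "memberUid mapping: '$map' is not EX_BASE1"
    return $((problems > 0))
}

# demo_sync_cfg: runs the check on a constructed sample (not a real Scalix file)
# that still carries the shipped example DN and a CAA URL without trailing "/".
demo_sync_cfg() {
    tmp=$(mktemp) || return 1
    cat > "$tmp" <<'EOF'
JAVA_HOME=/usr/lib/jvm/java
EX_HOST=ldap.example.test
EX_PORT=389
EX_LOGON=cn=root,dc=example,dc=test
EX_PASS=placeholder-password
IM_CAA_URL=http://scalix.example.test/caa
IM_CAA_NAME=sxadmin
IM_CAA_PASS=placeholder-password
EX_BASE1=ou=users,dc=example,dc=test
memberUid|omMemberForeignAddr|*|!SPRINTF=uid=%s,ou=users,dc=entwicklung,dc=sin
EOF
    chmod 600 "$tmp"
    validate_sync_cfg "$tmp" && rc=0 || rc=$?
    rm -f "$tmp"
    return $rc
}
```

Run validate_sync_cfg /var/opt/scalix/[ts]/s/ldapsync/openldap/sync.cfg on the real file; demo_sync_cfg reports the two problems planted in the sample.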

3. Synchronisation

The installation/configuration of the add-on is finished. Now you can start with the synchronisation. If users or groups already exist on the Scalix server, you must create these accounts in LAM with the same account data.

If accounts already exist on the Scalix server, continue with "3.1. Synchronisation with existing Scalix accounts". If there are no accounts on the Scalix server, continue with "3.2. Synchronisation without existing Scalix accounts".

Groups which you do not want to synchronise need not be created in LAM (example: ScalixAdmins).

3.1. Synchronisation with existing Scalix accounts

If users or groups already exist on the Scalix server, you must create these accounts in LAM with the same account data. This means that all user and group data on the Scalix server (e-mail address, show in address book, administrator, mailbox administrator, ...) must be entered in LAM. Likewise, all user and group data which are entered in LAM (first name, last name, ...) must be entered in Scalix. This applies to users and groups!
Once this is done, you can start with the synchronisation. The basic command for the synchronisation is "omldapsync -u openldap". But the command would return an error, because users and groups with the same names already exist on the Scalix server; the "omldapsync" tool checks whether a user or group already exists. To ignore this error, use the parameter "-A":


omldapsync -u openldap -A

In future you can run the command without the parameter "-A". If there are errors during the synchronisation, you can always ignore them with the parameter "-A".

3.2. Synchronisation without existing Scalix accounts

If there are no accounts on the Scalix server, you can start directly with the synchronisation:


omldapsync -u openldap

This command synchronises the users and groups with the OpenLDAP server. If there are errors during the synchronisation, you can ignore them with the parameter "-A".

3.3. Cronjob

If the synchronisation works, you can create a crontab entry which synchronises every 30 minutes.
Run crontab -e:


*/30 * * * * omldapsync -u openldap

If there are errors during the synchronisation, you can ignore them with the parameter "-A".

4. Synchronisation

Primary groups from OpenLDAP can't be synchronised, only the secondary groups.