How to Synchronize LDAP to Axigen

This article describes how you can synchronize your LDAP server with an Axigen server, specifically an LDAP to Axigen synchronization.

Solution

Starting with Axigen 7.0, administrators have the option to synchronize the LDAP database with Axigen server domain information. The supported options are:

  • 2-Way synchronization
  • Axigen to LDAP synchronization
  • LDAP to Axigen synchronization

  • The synchronization will occur for:
    • Account/Group creation/deletion
    • Account configuration
    • Group membership
    The requirements for this integration are:

    - Axigen 7.0 version or later
    - OpenLDAP 2.4.x version or later
    -  the following overlays must be active in the OpenLDAP installation:
           * syncprov
           * memberof
        These overlays should be present in the standard OpenLDAP distribution
        modules path as files suffixed with ".la".

    WARNING: Please back up the existing LDAP installation before implementing the Axigen <-> LDAP synchronization. This step is very important because the Axigen to LDAP synchronization can lead to modifications of your LDAP database and as such you could find the respective database will not be usable in other integrations you might have previously configured.


    OpenLDAP configuration

    After meeting the above requirements you must download the Axigen OpenLDAP Schema from the corresponding download section on our website:

    https://www.axigen.com/mail-server/download-axigen-openldap-schema.html

    The above archive contains a schema file named axigen.schema. Place this file in the standard schema location for your LDAP server, usually /etc/openldap/schema/ or /etc/ldap/schema/.

    Now you must make the following modifications to the OpenLDAP server configuration file slapd.conf.

    1) The axigen.schema file must be included along with the other required
      schemas. To accomplish this add the following line to the required configuration file section:
    Example:

            include                 /etc/openldap/schema/axigen.schema

    2) Each OpenLDAP server used must be configured with a unique identifier, by using the 'serverID' directive.
    Example:

            serverID 1

    3) The "modulepath" attribute, if not specified, must point to the directory
      where all modules reside.
    Example:

            modulepath              /usr/lib/openldap

    4) Then, the required modules must be specified to be loaded at startup.
    Example:

            moduleload    syncprov.la
            moduleload    memberof.la

    5) The two modules specified above must be configured within your LDAP database specification section, as follows:

            # Replication support enabled (for cookies)
            overlay                 syncprov
            syncprov-checkpoint     100 30
            syncprov-sessionlog     100
            # Member-of support enabled
            overlay                 memberof
            memberof-refint         true

    6) Configure the following indexing options for your database:
    Example:

            # Indexing options for database #1
            index           entryUUID,entryCSN                eq

    7) Make sure you have the rootdn directive specified. For example:

    rootdn          "cn=admin,dc=test,dc=org"
    rootpw          pa$$w0rd

    8) Restart the ldap service.

    An example of the minimum requirements for the spald.conf is:

    slapd.conf
    =======
    include /etc/openldap/schema/core.schema
    include /etc/openldap/schema/cosine.schema
    include /etc/openldap/schema/inetorgperson.schema
    include /etc/openldap/schema/misc.schema
    include /etc/openldap/schema/axigen.schema
    pidfile /var/run/openldap/slapd.pid
    argsfile /var/run/openldap/slapd.args
    serverID 1
    database bdb
    suffix "dc=test,dc=org"
    rootdn "cn=admin,dc=test,dc=org"
    rootpw pa$w0rd
    directory /var/lib/openldap-data
    index objectClass eq
    index ou,cn,mail,surname,givenname eq,pres,sub
    index entryUUID,entryCSN eq
    moduleload memberof.la
    moduleload syncprov.la
    overlay syncprov
    syncprov-checkpoint 100 30
    syncprov-sessionlog 100
    overlay memberof
    memberof-refint true


    After making the above configuration changes to your LDAP server, you must add the initial entries to your database.

    Below you can find an example LDIF for an imaginary organization and two branches (Users/Groups) used for the synchronization with the internal Axigen database.

    # test.org
    dn: dc=test,dc=org
    objectClass: dcObject
    objectClass: organization
    dc: test
    o: org

    # Users, test.org
    dn: ou=Users,dc=test,dc=org
    objectClass: organizationalUnit
    ou: Users

    # Groups, test.org
    dn: ou=Groups,dc=test,dc=org
    objectClass: organizationalUnit
    ou: Groups

    Place the above entries in a .ldif file, modifying the domain name example.test to match your own, and then you can use the following command to add it to the LDAP database:

    ldapadd -D "cn=admin,dc=test,dc=org" -W -x -f filename.ldif

    You will be asked for the password you set up in the /etc/openldap/slapd.conf

    An output similar to this will be returned:

    adding new entry "dc=test,dc=org"

    adding new entry "ou=Users,dc=test,dc=org"

    adding new entry "ou=Groups,dc=test,dc=org"

    To check that the above entries were added use:

    ldapsearch -b "dc=test,dc=org" -D "cn=admin,dc=test,dc=org" -W -x



    Axigen Mail Server configuration

    1) Create a new LDAP Connector.

       - Go to Webadmin -> Clustering -> Clustering Setup -> LDAP Connectors tab -> Connector List section -> press the "Add Connector" button.

    The connector options should be entered based on the settings of your LDAP server. Enter a name for the connector in the "LDAP Connector name" field.


    In the "LDAP Server Parameters" enter:

    - the IP/Hostname and Port on wich the LDAP server is listening.
    - from the "Server type" drop-down box make sure you select
     
    "OpenLDAP"

    - select the required synchronization method from the drop-down box related to the "" entry. For the configuration presented in this article choose "LDAP to Axigen".

    For the "LDAP Search Parameters" use:

    - choose the "Use Administrative DN" - This option instructs Axigen to authenticate, using the defined user, to the LDAP server before requesting information. This user is the admin user defined in the LDAP rootdn configuration.
    - enter the proper "Admin DN" and "Admin DN Password". In our case these are:

    Admin DN:
    cn=admin,dc=test,dc=org

    Admin DN Passord:
    pa$w0rd

    - in the "Account base DN" field enter:
    ou=Users,dc=test,dc=org

    - check the box related to the "Enable Group Synchronization" option and enter for the "Group base DN" field:
    ou=Groups,dc=test,dc=org

    - click the "Quick Add" button at the bottom of the wizard page.

    Below you can find a screenshot detailing the required configuration parameters:




    2) Enable LDAP synchronization
    for the required domain via Webadmin -> Domains & Accounts -> Manage Domains -> click the "Edit" button corresponding to the desired domain -> General tab -> LDAP Synchronization section -> check the box related to the "Enable LDAP synchronization" option and choose from the below drop-down box the LDAP connector you have specifically set-up and click the "Save Configuration" button at the bottom of the page.




    In order to add new users to the LDAP structure which will be later synced with Axigen please refer to the  objectClass 'axiAccount' and 'axiGroup' attributes from the axigen.schema file.

    For example if you would like to define a user with the password "secret" and this user should have access to SMTP Sending, SMTP Receiving and IMAP services only you should have the following attributes for this user:
     userPassword secret
     axiServices: 11

    NOTE: The axiServices value is computed by adding the power of 2 values corresponding to each service:
    SMTP Receiving = 2^0 = 1
    SMTP Sending = 2^1 = 2
    POP3 = 2^2 = 4
    IMAP = 2^3 = 8
    Webmail = 2^4 = 16
    Remote POP = 2^5 = 32
    SMTP Receiving + SMTP Sending + IMAP = 1 + 2 + 8 = 11
    This order of this list can be obtained via Webadmin -> Domains & Accounts -> Manage Accounts -> Edit account -> Services area


    NOTE: In our case of LDAP to Axigen synchronization, accounts that already exist in the respective domain, before making the above Axigen configurations will be added and synced with the LDAP database, when their parameters are first modified.
    OS: LinuxWindowsFreeBSDNetBSDOpenBSDSolaris