This article describes how you can synchronize your LDAP server with an Axigen server, specifically an LDAP to Axigen synchronization.
Solution
Starting with Axigen 7.0, administrators have the option to synchronize the LDAP database with Axigen server domain information. The supported options are:
2-Way synchronization
Axigen to LDAP synchronization
LDAP to Axigen synchronization
The synchronization will occur for:
- Account/Group creation/deletion
- Account configuration
- Group membership
Requirements:
- Axigen 7.0 version or later
- OpenLDAP 2.4.x version or later
- the following overlays must be active in the OpenLDAP installation:
* syncprov
* memberof
These overlays should be present in the standard OpenLDAP distribution modules path as files suffixed with ".la".
WARNING: Please back up the existing LDAP installation before implementing the Axigen <-> LDAP synchronization. This step is very important because the Axigen to LDAP synchronization can lead to modifications of your LDAP database and as such you could find the respective database will not be usable in other integrations you might have previously configured.
OpenLDAP configuration
After meeting the above requirements you must download the Axigen OpenLDAP Schema from the corresponding download section on our website:
https://www.axigen.com/mail-server/download-axigen-openldap-schema.html
The above archive contains a schema file named axigen.schema. Place this file in the standard schema location for your LDAP server, usually /etc/openldap/schema/ or /etc/ldap/schema/.
Now you must make the following modifications to the OpenLDAP server configuration file slapd.conf.
1) The axigen.schema file must be included along with the other required schemas. To accomplish this, add the following line to the required configuration file section:
Example:
include /etc/openldap/schema/axigen.schema
2) Each OpenLDAP server used must be configured with a unique identifier, by using the 'serverID' directive.
Example:
serverID 1
3) The "modulepath" attribute, if not already specified, must point to the directory where all modules reside.
Example:
modulepath /usr/lib/openldap
4) Then, the required modules must be specified to be loaded at startup.
Example:
moduleload syncprov.la
moduleload memberof.la
5) The two modules specified above must be configured within your LDAP database specification section, as follows:
# Replication support enabled (for cookies)
overlay syncprov
syncprov-checkpoint 100 30
syncprov-sessionlog 100
# Member-of support enabled
overlay memberof
memberof-refint true
6) Configure the following indexing options for your database:
Example:
# Indexing options for database #1
index entryUUID,entryCSN eq
7) Make sure you have the rootdn directive specified. For example:
rootdn "cn=admin,dc=test,dc=org"
rootpw pa$$w0rd
8) Restart the ldap service.
An example of the minimum requirements for slapd.conf is:
slapd.conf
=======
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/axigen.schema
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
serverID 1
database bdb
suffix "dc=test,dc=org"
rootdn "cn=admin,dc=test,dc=org"
rootpw pa$w0rd
directory /var/lib/openldap-data
index objectClass eq
index ou,cn,mail,surname,givenname eq,pres,sub
index entryUUID,entryCSN eq
moduleload memberof.la
moduleload syncprov.la
overlay syncprov
syncprov-checkpoint 100 30
syncprov-sessionlog 100
overlay memberof
memberof-refint true
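As an added preflight check (example code, not part of the article or of Axigen), this Python script parses a slapd.conf in the format shown above and reports which of steps 1 to 7 are not satisfied; it also flags a clear-text rootpw, which the article does not require but which is worth replacing with a slappasswd hash.

```python
import sys

# Directives that steps 1-7 above require (taken from the article's steps).
REQUIRED_MODULES = {"syncprov.la", "memberof.la"}
REQUIRED_OVERLAYS = {"syncprov", "memberof"}
REQUIRED_EQ_INDEXES = ("entryUUID", "entryCSN")

def parse_slapd_conf(text):
    """Return (directive, arguments) tuples; directive names are lower-cased."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        entries.append((parts[0].lower(), parts[1].strip() if len(parts) > 1 else ""))
    return entries

def check_slapd_conf(text):
    """Return a list of problems; an empty list means steps 1-7 are all present."""
    entries = parse_slapd_conf(text)
    includes = [a for d, a in entries if d == "include"]
    modules = {a for d, a in entries if d == "moduleload"}
    overlays = {a for d, a in entries if d == "overlay"}
    problems = []
    if not any(a.endswith("axigen.schema") for a in includes):
        problems.append("step 1: axigen.schema is not included")
    if not any(d == "serverid" for d, _ in entries):
        problems.append("step 2: serverID directive missing")
    for mod in sorted(REQUIRED_MODULES - modules):
        problems.append(f"step 4: moduleload {mod} missing")
    for ov in sorted(REQUIRED_OVERLAYS - overlays):
        problems.append(f"step 5: overlay {ov} not configured")
    # Step 6: each 'index attr1,attr2 kind1,kind2' line may cover several attributes.
    indexed_eq = set()
    for d, spec in entries:
        fields = spec.split(None, 1)
        if d == "index" and len(fields) == 2 and "eq" in fields[1].split(","):
            indexed_eq.update(a.strip() for a in fields[0].split(","))
    for attr in REQUIRED_EQ_INDEXES:
        if attr not in indexed_eq:
            problems.append(f"step 6: no eq index on {attr}")
    if not any(d == "rootdn" for d, _ in entries):
        problems.append("step 7: rootdn directive missing")
    # Not one of the article's steps: a hashed rootpw starts with a scheme such as {SSHA}.
    if any(d == "rootpw" and not a.startswith("{") for d, a in entries):
        problems.append("rootpw is stored in clear text; consider a slappasswd hash")
    return problems

if __name__ == "__main__":
    for problem in check_slapd_conf(open(sys.argv[1]).read()):
        print(problem)
```

Run it as `python3 check_slapd.py /etc/openldap/slapd.conf`; no output means every step is present.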
After making the above configuration changes to your LDAP server, you must add the initial entries to your database.
Below you can find an example LDIF for an imaginary organization and two branches (Users/Groups) used for the synchronization with the internal Axigen database.
# test.org
dn: dc=test,dc=org
objectClass: dcObject
objectClass: organization
dc: test
o: org
# Users, test.org
dn: ou=Users,dc=test,dc=org
objectClass: organizationalUnit
ou: Users
# Groups, test.org
dn: ou=Groups,dc=test,dc=org
objectClass: organizationalUnit
ou: Groups
Place the above entries in a .ldif file, modifying the domain name test.org (dc=test,dc=org) to match your own, and then use the following command to add them to the LDAP database:
ldapadd -D "cn=admin,dc=test,dc=org" -W -x -f filename.ldif
You will be asked for the password you set up as rootpw in /etc/openldap/slapd.conf.
An output similar to this will be returned:
adding new entry "dc=test,dc=org"
adding new entry "ou=Users,dc=test,dc=org"
adding new entry "ou=Groups,dc=test,dc=org"
To check that the above entries were added use:
ldapsearch -b "dc=test,dc=org" -D "cn=admin,dc=test,dc=org" -W -x
Axigen Mail Server configuration
1) Create a new LDAP Connector.
- Go to Webadmin -> Clustering -> Clustering Setup -> LDAP Connectors tab -> Connector List section -> press the "Add Connector" button.
The connector options should be entered based on the settings of your LDAP server. Enter a name for the connector in the "LDAP Connector name" field.
In the "LDAP Server Parameters" enter:
- the IP/Hostname and Port on which the LDAP server is listening.
- from the "Server type" drop-down box make sure you select "OpenLDAP"
- select the required synchronization method from the drop-down box related to the "" entry. For the configuration presented in this article choose "LDAP to Axigen".
For the "LDAP Search Parameters" use:
- choose the "Use Administrative DN" - This option instructs Axigen to authenticate, using the defined user, to the LDAP server before requesting information. This user is the admin user defined in the LDAP rootdn configuration.
- enter the proper "Admin DN" and "Admin DN Password". In our case these are:
Admin DN:
cn=admin,dc=test,dc=org
Admin DN Password:
pa$w0rd
- in the "Account base DN" field enter:
ou=Users,dc=test,dc=org
- check the box related to the "Enable Group Synchronization" option and enter for the "Group base DN" field:
ou=Groups,dc=test,dc=org
- click the "Quick Add" button at the bottom of the wizard page.
Below you can find a screenshot detailing the required configuration parameters:
2) Enable LDAP synchronization for the required domain via Webadmin -> Domains & Accounts -> Manage Domains -> click the "Edit" button corresponding to the desired domain -> General tab -> LDAP Synchronization section -> check the box related to the "Enable LDAP synchronization" option and choose from the below drop-down box the LDAP connector you have specifically set-up and click the "Save Configuration" button at the bottom of the page.
In order to add new users to the LDAP structure which will be later synced with Axigen please refer to the objectClass 'axiAccount' and 'axiGroup' attributes from the axigen.schema file.
For example, if you would like to define a user with the password "secret" who should have access to the SMTP Sending, SMTP Receiving and IMAP services only, the user entry should carry the following attributes:
userPassword: secret
axiServices: 11
NOTE: The axiServices value is computed by adding the power of 2 values corresponding to each service:
SMTP Receiving = 2^0 = 1
SMTP Sending = 2^1 = 2
POP3 = 2^2 = 4
IMAP = 2^3 = 8
Webmail = 2^4 = 16
Remote POP = 2^5 = 32
SMTP Receiving + SMTP Sending + IMAP = 1 + 2 + 8 = 11
The order of this list can be checked via Webadmin -> Domains & Accounts -> Manage Accounts -> Edit account -> Services area.
NOTE: In our case of LDAP to Axigen synchronization, accounts that already existed in the respective domain before the above Axigen configuration was made will be added to and synced with the LDAP database when their parameters are first modified.
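As an added example (not code from the article or from Axigen), the bitmask arithmetic above in Python: it encodes a set of service names into the axiServices value, decodes a value back into service names, and rejects values that set bits outside the documented table, which usually means a typo in the LDIF.

```python
# Bit values from the article's table: service name -> power of two.
AXI_SERVICES = {
    "SMTP Receiving": 1 << 0,   # 1
    "SMTP Sending":   1 << 1,   # 2
    "POP3":           1 << 2,   # 4
    "IMAP":           1 << 3,   # 8
    "Webmail":        1 << 4,   # 16
    "Remote POP":     1 << 5,   # 32
}
ALL_SERVICES_MASK = sum(AXI_SERVICES.values())  # 63, every documented service

def encode_axi_services(names):
    """Compute the axiServices value for a collection of service names."""
    value = 0
    for name in names:
        if name not in AXI_SERVICES:
            raise ValueError(f"unknown service: {name!r}")
        value |= AXI_SERVICES[name]
    return value

def decode_axi_services(value):
    """Return the service names enabled by an axiServices value, in table order.

    Values with bits outside the documented table are rejected rather than
    silently truncated, so a mistyped number in an LDIF is caught early.
    """
    if not isinstance(value, int) or value < 0:
        raise ValueError("axiServices must be a non-negative integer")
    if value & ~ALL_SERVICES_MASK:
        raise ValueError(f"axiServices value {value} sets undocumented bits")
    return [name for name, bit in AXI_SERVICES.items() if value & bit]

def ldif_services_line(names):
    """Render the LDIF attribute line for the given services, e.g. 'axiServices: 11'."""
    return f"axiServices: {encode_axi_services(names)}"
```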