LDAP Synchronization
BlueMind allows you to import users or groups from an LDAP directory (e.g. OpenLDAP). LDAP imports are incremental: new entries are added and changes to existing entries are applied. LDAP imports are set up and run per domain.
Imported users' passwords are validated against the LDAP server at login: BlueMind delegates authentication to the directory rather than storing a copy of the password.
New users can log in to BlueMind even before their entry has been imported: if LDAP authentication succeeds, their BlueMind account is created on the fly.
BlueMind users and groups are populated from the LDAP directory:
- during installation and configuration, by the initial import,
- regularly and automatically, via scheduled jobs,
- and on the fly, when a user who does not yet exist in BlueMind logs in.
LDAP synchronization expects a directory schema based on the inetOrgPerson object class.
Installation
To use synchronization with an LDAP directory, the ldap-import plugin must be installed.
To do this, connect to the server and run the following commands:
- Debian/Ubuntu:

```shell
sudo aptitude update
sudo aptitude install bm-plugin-admin-console-ldap-import bm-plugin-core-ldap-import
```

- RedHat/CentOS:

```shell
yum update
yum install bm-plugin-admin-console-ldap-import bm-plugin-core-ldap-import
```

When installation is complete, restart the bm-core component with:

```shell
bmctl restart
```
Configuration
Only the global administrator can configure LDAP synchronization for a domain. Domain administrators can view the settings and launch import jobs.
- Log in as global administrator admin0@global.virt
- Go to System Management > Modify Domains and select the domain you want to set up
- Go to the "LDAP Import" tab
Field | Note |
---|---|
LDAP server name or IP address | IP or FQDN of the LDAP server, of the form ip-or-fqdn[:port]. If no port is given, the default port of the protocol selected in Protocol is used. |
Protocol | Protocol used to reach the server: PLAIN (default port 389), SSL (default port 636), SSL/accept all certificates (default port 636), TLS (default port 389), TLS/accept all certificates (default port 389). A port given in the LDAP server name or IP address field takes precedence over these defaults. Note that PLAIN sends the bind password in clear text and that the "accept all certificates" variants skip validation of the server certificate, so the bind credentials and imported data can be intercepted by anyone who can impersonate the server; in production, use SSL or TLS with a server certificate BlueMind can verify. |
Directory root | Base DN of the LDAP subtree to import from. Read-only access to this subtree is sufficient. |
User DN | DN of the account used to bind to the LDAP server. A dedicated read-only service account is sufficient; the directory's administrative account is not required. |
Password | Password of the bind account. |
LDAP filter for users | Only users matching this filter are imported into BlueMind. The filter syntax is described in RFC 4515. Examples: `(&(objectclass=person)(telephoneNumber=*))` selects all persons that have a telephone number; `(&(!(ou:dn:=MAILSHARE))(&(objectClass=posixAccount)(accountStatus=MAIL)))` selects accounts with accountStatus MAIL that are not in the MAILSHARE branch of the directory. |
LDAP filter for groups | Only groups matching this filter are imported into BlueMind. The filter syntax is described in RFC 4515. Examples: `(&(objectClass=group)(\|(cn:dn:=System)(cn:dn:=Users)))` selects groups in branches whose DN contains cn=System or cn=Users (the `\|` OR operator is required to express "or"); `(&(objectCategory=group)(description=*))` selects groups that have a description. |
External ID | LDAP attribute holding an invariant, unique identifier for each entry (for example `entryUUID` on OpenLDAP). It binds an LDAP entry to its BlueMind entry, so that an entry which is renamed or moved in the directory is updated rather than duplicated. |
Split domain group | This field can be left empty. It is ignored if the split domain functionality is not configured for BlueMind. Emails sent to members of this group are redirected to another mail server in the same domain (through the split domain configuration). |
Last successful execution | Date of the last import run that completed without errors. Incremental imports process the changes made in LDAP since this date. |
Last import status | Date and status of the last LDAP import run. In the event of errors, the logs of this domain's LDAP import scheduled job provide more information. |
Start incremental synchronization | Force an LDAP import in incremental mode: only changes made in LDAP since the date of Last successful execution are taken into account. This is the same operation as the scheduled LDAP import job for this domain. |
Start global synchronization | Force an LDAP import in global mode: the Last successful execution date is ignored and every entry matching the import parameters is processed. This can take a long time, depending on the number of LDAP entries. |
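
A filter is easiest to debug before it is saved in the LDAP Import tab. The following is an added example (not BlueMind code) that parses RFC 4515 filters the way the user and group filter fields expect them and evaluates them against constructed sample entries, so a filter can be checked offline. It covers the constructs used in the examples above (`&`, `|`, `!`, equality, presence, substrings and the `:dn:` extensible match), compares values case-insensitively, and does not handle escaped commas in DNs; the sample entries and their attribute values are made up.

```python
"""Offline RFC 4515 filter checker (added example, not BlueMind code)."""
import re

class FilterError(ValueError):
    """Raised when a filter string is not well-formed."""

# attr[:dn][:rule] op value; the assertion value may not contain unescaped parentheses
_ITEM = re.compile(r"([A-Za-z][A-Za-z0-9.;-]*)(:dn)?(?::([A-Za-z0-9.]+))?(:=|~=|>=|<=|=)([^()]*)")

class _Parser:
    def __init__(self, text):
        self.s, self.i = text, 0

    def parse(self):
        node = self._filter()
        if self.i != len(self.s):
            raise FilterError(f"trailing text at offset {self.i}: {self.s[self.i:]!r}")
        return node

    def _expect(self, ch):
        if self.i >= len(self.s) or self.s[self.i] != ch:
            raise FilterError(f"expected {ch!r} at offset {self.i}")
        self.i += 1

    def _filter(self):
        self._expect("(")
        ch = self.s[self.i] if self.i < len(self.s) else ""
        if ch and ch in "&|":                # AND / OR over one or more sub-filters
            self.i += 1
            items = []
            while self.i < len(self.s) and self.s[self.i] == "(":
                items.append(self._filter())
            if not items:
                raise FilterError(f"empty {ch!r} list at offset {self.i}")
            node = (ch, items)
        elif ch == "!":                      # NOT over exactly one sub-filter
            self.i += 1
            node = ("!", [self._filter()])
        else:                                # equality, presence, substring or extensible item
            m = _ITEM.match(self.s, self.i)
            if not m:
                raise FilterError(f"bad filter item at offset {self.i}")
            attr, dn_flag, rule, op, value = m.groups()
            if (dn_flag or rule) and op != ":=":
                raise FilterError(f"extensible match needs ':=' at offset {self.i}")
            self.i = m.end()
            node = ("item", attr.lower(), bool(dn_flag), op, value)
        self._expect(")")
        return node

def parse_filter(text):
    return _Parser(text).parse()

def is_valid_filter(text):
    try:
        parse_filter(text)
        return True
    except FilterError:
        return False

def _dn_values(dn, attr):
    """Values of `attr` among the RDN components of a DN (escaped commas not handled)."""
    return [v.strip() for rdn in dn.split(",") for ava in rdn.split("+")
            for t, _, v in [ava.partition("=")] if t.strip().lower() == attr]

def _value_matches(op, pattern, actual):
    p, a = pattern.lower(), actual.lower()  # caseIgnoreMatch semantics
    if op in ("=", ":=", "~="):
        if "*" in p:                         # presence (=*) or substring: '*' is a wildcard
            return re.fullmatch(".*".join(map(re.escape, p.split("*"))), a) is not None
        return p == a
    return a >= p if op == ">=" else a <= p

def matches(node, entry):
    """Evaluate a parsed filter against {'dn': str, <attribute>: [values, ...]}."""
    kind = node[0]
    if kind == "&":
        return all(matches(n, entry) for n in node[1])
    if kind == "|":
        return any(matches(n, entry) for n in node[1])
    if kind == "!":
        return not matches(node[1][0], entry)
    _, attr, dn_flag, op, value = node
    values = [v for k, vs in entry.items() if k != "dn" and k.lower() == attr for v in vs]
    if dn_flag:                              # ':dn:' also matches the DN's RDN components
        values += _dn_values(entry["dn"], attr)
    return any(_value_matches(op, value, v) for v in values)

SAMPLE_ENTRIES = [  # constructed, not real directory data; objectClass lists superclasses as a server would
    {"dn": "uid=alice,ou=People,dc=example,dc=com", "uid": ["alice"], "accountStatus": ["MAIL"],
     "objectClass": ["top", "person", "inetOrgPerson", "posixAccount"], "telephoneNumber": ["+33100000000"]},
    {"dn": "uid=shared,ou=MAILSHARE,dc=example,dc=com", "uid": ["shared"], "accountStatus": ["MAIL"],
     "objectClass": ["top", "person", "inetOrgPerson", "posixAccount"]},
    {"dn": "cn=staff,cn=Users,dc=example,dc=com", "cn": ["staff"], "objectClass": ["top", "group"]},
]

def select(filter_text, entries=SAMPLE_ENTRIES):
    """DNs of the sample entries the filter would import."""
    node = parse_filter(filter_text)
    return [e["dn"] for e in entries if matches(node, e)]
```

Running `select` with the second user filter from the table returns only alice, since the shared account sits under ou=MAILSHARE; the group filter is accepted only once the `|` operator is present, and a version without it is rejected by `is_valid_filter` before it can silently import nothing.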
LDAP-BlueMind mapping
User attributes
BlueMind | LDAP attribute | Note |
---|---|---|
login | uid | Values are normalized on import for compatibility reasons: accented letters are replaced by their non-accented equivalent, all letters are changed to lowercase, and spaces are replaced by `_`. |
firstname | givenName | |
lastname | sn | |
formatedName | displayName | If the displayName attribute is absent, the field will be generated by BlueMind by concatenating the various non-empty parts of first name, last name, title, etc. in the same way as the Full Name in contact cards. |
description | description | |
email addresses | mail, mailLocalAddress, mailAlternateAddress, gosaMailAlternateAddress | The default BlueMind address is the first value found, in this order: mail > mailLocalAddress > mailAlternateAddress > gosaMailAlternateAddress. The remaining values are used as aliases. ⚠️ If none of these attributes contains a valid address, an address of the form login@<default domain> is assigned. |
user mail quota | mailQuotaSize, mailQuota, gosaMailQuota | Must be expressed in bytes in LDAP. The first of these attributes found is used: mailQuotaSize > mailQuota > gosaMailQuota. |
work phones | telephoneNumber | |
home phones | homePhone | |
mobile phones | mobile | |
fax | facsimileTelephoneNumber | |
pager | pager | |
memberOf | memberOf | List of groups the user is a member of. Users can only be added to groups that have already been imported into BlueMind. |
photoID | jpegPhoto | Profile picture: attribute content is imported as profile picture for related account |
user.value.contactInfos.organizational.title | title | |
user.value.contactInfos.organizational.org.company | o | |
user.value.contactInfos.organizational.org.division | ou | |
user.value.contactInfos.organizational.org.department | departmentNumber | |
address.locality | l | |
address.postalCode | postalCode | |
address.countryName | st | |
address.streetAddress | postalAddress | |
address.postOfficeBox | postOfficeBox | |
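
The login, address and quota rules in the table interact (a normalized login feeds the fallback address, the address attributes are tried in order, the first quota attribute wins). The following added example (not BlueMind code) applies those rules to a constructed entry so the result of an import can be predicted for a given user. Two details are this example's own assumptions, since the page does not specify them: what counts as a "valid" address (here, local@domain with no whitespace, duplicates differing only in case collapsed) and the order in which name parts are joined when displayName is absent (here, givenName then sn).

```python
"""User attribute mapping (added example, not BlueMind code)."""
import re
import unicodedata

ADDRESS_ATTRS = ("mail", "mailLocalAddress", "mailAlternateAddress", "gosaMailAlternateAddress")
QUOTA_ATTRS = ("mailQuotaSize", "mailQuota", "gosaMailQuota")
_ADDRESS_RE = re.compile(r"^[^@\s]+@[^@\s]+$")  # assumption: minimal validity check

def _get(entry, attr):
    """Case-insensitive attribute lookup (LDAP attribute names are case-insensitive)."""
    return next((list(v) for k, v in entry.items() if k.lower() == attr.lower()), [])

def normalise_login(uid):
    """uid -> login as in the table: accents stripped, lowercased, spaces turned into '_'."""
    no_accents = unicodedata.normalize("NFKD", uid).encode("ascii", "ignore").decode()
    return no_accents.lower().replace(" ", "_")

def formatted_name(entry):
    """displayName if present, otherwise the non-empty name parts joined together.
    Assumption: parts are joined as 'givenName sn' (the page does not give the order)."""
    display = _get(entry, "displayName")
    if display:
        return display[0]
    return " ".join(p for p in _get(entry, "givenName")[:1] + _get(entry, "sn")[:1] if p)

def select_addresses(entry, login, default_domain):
    """First valid address found in ADDRESS_ATTRS order is the default, the rest are
    aliases; with no valid address at all the fallback is login@default_domain."""
    seen, valid = set(), []
    for attr in ADDRESS_ATTRS:
        for address in _get(entry, attr):
            if _ADDRESS_RE.match(address) and address.lower() not in seen:
                seen.add(address.lower())
                valid.append(address)
    if not valid:
        return f"{login}@{default_domain}", []
    return valid[0], valid[1:]

def select_quota(entry):
    """Quota in bytes from the first attribute present: mailQuotaSize > mailQuota > gosaMailQuota."""
    for attr in QUOTA_ATTRS:
        values = _get(entry, attr)
        if values:
            return int(values[0])
    return None

def map_user(entry, default_domain):
    """Apply the table's mapping rules to one LDAP entry."""
    login = normalise_login(_get(entry, "uid")[0])
    default, aliases = select_addresses(entry, login, default_domain)
    return {"login": login, "formatedName": formatted_name(entry),
            "defaultEmail": default, "aliases": aliases, "quota": select_quota(entry)}

# Constructed sample entry (not real directory data): no displayName, no mail attribute,
# one malformed alternate address, one duplicate alias, and two competing quota attributes.
SAMPLE_USER = {
    "uid": ["Élodie Durand"],
    "givenName": ["Élodie"], "sn": ["Durand"],
    "mailAlternateAddress": ["elodie.durand@example.com", "not-an-address"],
    "gosaMailAlternateAddress": ["e.durand@example.com", "Elodie.Durand@example.com"],
    "mailQuota": ["1073741824"], "gosaMailQuota": ["536870912"],
}
```

For the sample entry, `map_user(SAMPLE_USER, "example.com")` yields the login `elodie_durand`, the default address taken from mailAlternateAddress (mail and mailLocalAddress being absent), a single alias, and the mailQuota value rather than gosaMailQuota.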
Group attributes
BlueMind | LDAP attribute | Note |
---|---|---|
name | cn | |
description | description | |
email address | mail | If this attribute is left blank, the group will not have a BlueMind mailbox. |
member | memberUid (Unix method) | The group entry carries one memberUid value per member. Unlike the member attribute of AD directories, it holds the user's Unix uid, not a DN. memberOf is not available with this method. Only users and groups already imported into BlueMind are added as group members. |
member | member (Active Directory method) | The group entry carries one member value per member, each a DN. Optionally, the directory can also provide memberOf on user entries, pointing to all the groups the user belongs to. Only users and groups already synchronized are added to the BlueMind group. |
Both group management methods (Active Directory or Unix) can be used, but only one at a time:
- either the `member` attribute (and `memberOf` if available),
- or the `memberUid` attribute.
If the directory uses both, synchronization will not work correctly.
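
The following added example (not BlueMind code) shows the two membership methods side by side: it picks the method from the attribute a group carries, resolves members against the users and groups already imported (anything not yet imported is reported as skipped rather than added, as the table states), refuses a group that mixes memberUid and member, and, for the Active Directory method, checks that each user's memberOf points back at the group. The sample users, groups and DNs are constructed; DN comparison is case-insensitive, which is this example's simplification.

```python
"""Group membership resolution (added example, not BlueMind code)."""

class MixedMembershipError(ValueError):
    """A group carries both memberUid and member, which the page says does not sync correctly."""

def membership_method(group):
    """'unix' when the group uses memberUid, 'ad' when it uses member, None when empty."""
    has_uid, has_member = bool(group.get("memberUid")), bool(group.get("member"))
    if has_uid and has_member:
        raise MixedMembershipError(group["dn"])
    return "unix" if has_uid else "ad" if has_member else None

def resolve_members(group, imported_users, imported_groups):
    """Map an LDAP group's members onto entries already imported into BlueMind.

    imported_users: {uid: dn} of users already in BlueMind
    imported_groups: set of DNs of groups already in BlueMind
    Returns (member_user_dns, member_group_dns, skipped); `skipped` lists references
    to entries not (yet) imported, which are not added to the BlueMind group."""
    users, groups, skipped = [], [], []
    method = membership_method(group)
    if method == "unix":                      # memberUid values are Unix uids
        for uid in group["memberUid"]:
            dn = imported_users.get(uid)
            if dn:
                users.append(dn)
            else:
                skipped.append(uid)
    elif method == "ad":                      # member values are DNs of users or groups
        user_dns = {dn.lower(): dn for dn in imported_users.values()}
        group_dns = {dn.lower(): dn for dn in imported_groups}
        for dn in group["member"]:
            key = dn.lower()
            if key in user_dns:
                users.append(user_dns[key])
            elif key in group_dns:
                groups.append(group_dns[key])
            else:
                skipped.append(dn)
    return users, groups, skipped

def member_of_mismatches(group, user_entries):
    """AD method with memberOf present: members whose own memberOf does not list the group.
    user_entries: {lowercase user dn: entry dict}. Users without memberOf are not checked."""
    gdn = group["dn"].lower()
    mismatches = []
    for dn in group.get("member", []):
        entry = user_entries.get(dn.lower())
        if entry is None or "memberOf" not in entry:
            continue
        if gdn not in {m.lower() for m in entry["memberOf"]}:
            mismatches.append(dn)
    return mismatches

# Constructed sample data (not real directory contents)
IMPORTED_USERS = {"alice": "uid=alice,ou=People,dc=example,dc=com",
                  "bob": "uid=bob,ou=People,dc=example,dc=com"}
IMPORTED_GROUPS = {"cn=admins,ou=Groups,dc=example,dc=com"}
UNIX_GROUP = {"dn": "cn=staff,ou=Groups,dc=example,dc=com",
              "memberUid": ["alice", "bob", "carol"]}            # carol not imported yet
AD_GROUP = {"dn": "cn=staff,cn=Users,dc=example,dc=com",
            "member": ["uid=alice,ou=People,dc=example,dc=com",
                       "cn=admins,ou=Groups,dc=example,dc=com",
                       "uid=dave,ou=People,dc=example,dc=com"]}   # dave not imported yet
MIXED_GROUP = {"dn": "cn=broken,ou=Groups,dc=example,dc=com",
               "memberUid": ["alice"], "member": ["uid=bob,ou=People,dc=example,dc=com"]}
```

A user skipped here (carol, dave) is picked up by a later run once their own entry has been imported, which is why a first import can leave groups partially populated until the next incremental synchronization.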
Allocation of rights
Access to applications is controlled by roles assigned to users. As LDAP imports do not handle roles, imported users have no roles and cannot access the applications (webmail, contacts, calendar).
The easiest and most effective way of handling this is through groups:
- in LDAP, add users to one common group (or several, if desired)
- launch a first import: the group(s) are imported into BlueMind along with users
- go to administration and assign the desired roles to the group
Roles are kept across subsequent imports and updates.
From then on, simply add new users to this group (or these groups) in LDAP to give them the desired roles.
New BlueMind versions regularly add roles, in particular to control existing functions. For example, BlueMind 3.5.9 introduced a role that lets the administrator enable or disable the ability to connect via Thunderbird; in earlier versions, all users had this ability.
To make sure such a new right is enabled for existing users after an update, mark the group(s) LDAP users belong to as default groups.
To do this, open the group's admin page, check the "Default group" box and save.
Forcing or correcting a UID
A user's UID can be entered or corrected on the user's admin page in BlueMind. The UID in question is the value of the External ID attribute configured for the domain (the invariant identifier used to bind the LDAP entry to the BlueMind entry), not the uid login attribute.
To do this, go to the admin console > Directories > Directory Browser > select the user > Maintenance tab: enter the user's LDAP UID in the ExternalID box, then save.
User information will be synchronized with the LDAP directory at the next execution of the ImportLDAPJob task.
The ExternalID must be prefixed with `ldap://`, for example: `ldap://5d6b50-399a6-1e6f2-d01267d1f-0fbecb`