How to use LDAP
Posted by , Last modified by on 01 August 2012 05:06 PM
What is LDAP?
LDAP is an acronym for Lightweight Directory Access Protocol. It is a protocol for accessing directory services.
LDAP lets you "locate organizations, individuals, and other resources such as files and devices in a network, whether on the Internet or on a corporate intranet," and whether or not you know the domain name, IP address, or geographic whereabouts.
You can look up colleagues through a directory service in MS Outlook or any other e-mail client that supports LDAP.
LDAP in IceWarp Server
IceWarp’s implementation of LDAP is based on the OpenLDAP Project and is available in all modern IceWarp Server builds. The LDAP server is installed automatically during the IceWarp Server installation. Encrypted communication on session layer (SSL) is supported.
LDAP features within IceWarp Server are divided into two parts: one is dedicated to user synchronization, the other to group synchronization.
LDAP Service Settings
On Linux platforms the LDAP server always runs under the root account, regardless of the account IceWarp Server runs under. On Windows, on the other hand, it always runs under the same account as the Control service.
For an explanation of slapd.conf see Appendix A or the OpenLDAP Project website http://www.openldap.org/.
Each service is bound to a TCP port number. This can be changed if needed, but the default ports conform to IANA standards, which ISPs may require. If you are using a firewall, you have to open the ports for all services.
IceWarp to LDAP Synchronization Features
Now, let's have a look at the configuration settings for users and groups in the IceWarp Server administration console.
Go to Domains&Accounts -> Global Settings -> Advanced tab.
Tick the Active checkbox to enable or disable synchronization of user accounts.
It is strongly recommended to change the credentials in the configuration file (slapd.conf) and to use an encrypted connection in order to secure access to your data. Also note that the default config allows read access for users with an anonymous bind (anyone can read your data). This is a serious security threat if your LDAP service is reachable from the internet. Since release 11.2.0, the default config has been updated to disallow read access for anonymous binds.
Button B allows you to edit the bypass file. As usual, the file can contain email addresses, domains and IPs (one per line), and masks can be used too. However, this particular bypass file should contain only values that can be matched against the email addresses of IceWarp Server's accounts, as there is no sense in using anything else.
Once you have everything set up as desired, press the Synchronize All Users to LDAP Now button to synchronize all existing IceWarp users (except those matching bypass rules) to the chosen directory server.
The name property must be filled in for the sync mechanism to create objects on the LDAP server. An account with a missing name cannot be synced!
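The two conditions above (bypass rules and the mandatory name property) decide which accounts reach the directory. The following added example, which is not IceWarp's own code, works that out for a constructed bypass file and a constructed account list; it assumes that masks use the `*` and `?` wildcards and that lines starting with `#` are comments, neither of which the article spells out.

```python
import fnmatch

# Constructed sample bypass file: one rule per line. The article says entries
# are e-mail addresses, domains or IPs and that masks are allowed; the '*'/'?'
# mask syntax and the '#' comment handling are this example's assumptions.
BYPASS_FILE = """\
# service mailboxes that should never appear in the address book
noreply@example.com
*-archive@example.com
internal.example.com
192.0.2.10
"""

# Constructed sample accounts as (email, name); only properties the article
# mentions are used.
ACCOUNTS = [
    ("alice@example.com", "Alice Example"),
    ("noreply@example.com", "No Reply"),
    ("sales-archive@example.com", "Sales Archive"),
    ("bob@internal.example.com", "Bob Internal"),
    ("carol@example.com", ""),
]


def parse_bypass(text):
    """Return the non-empty, non-comment rules, lower-cased for matching."""
    rules = []
    for line in text.splitlines():
        line = line.strip().lower()
        if line and not line.startswith("#"):
            rules.append(line)
    return rules


def matches_rule(email, rule):
    """Match one account address against one bypass rule."""
    email = email.lower()
    domain = email.partition("@")[2]
    if "@" in rule:                      # full address, possibly with a mask
        return fnmatch.fnmatchcase(email, rule)
    if any(c in rule for c in "*?"):     # domain mask
        return fnmatch.fnmatchcase(domain, rule)
    return domain == rule                # plain domain; an IP never equals a mail domain


def plan_sync(accounts, rules):
    """Return {email: 'sync' | reason}: a matching bypass rule excludes the
    account, and an empty name makes it impossible to create the LDAP object."""
    plan = {}
    for email, name in accounts:
        hit = next((r for r in rules if matches_rule(email, r)), None)
        if hit:
            plan[email] = f"skipped: bypass rule '{hit}'"
        elif not name.strip():
            plan[email] = "skipped: name property is empty"
        else:
            plan[email] = "sync"
    return plan


if __name__ == "__main__":
    for email, decision in plan_sync(ACCOUNTS, parse_bypass(BYPASS_FILE)).items():
        print(f"{email:30} {decision}")
```

Note that the IP rule `192.0.2.10` never matches anything, which is the article's point about such values in this file: they are harmless but useless.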
In case of problems with synchronization on Windows releases, please check that the c_accounts_global_ldap_usewindowsdll system API variable is set to true. When it is false, wrong data are sometimes sent to the LDAP server, which prevents synchronization from working. This switch is described in more detail in the server help on directory service synchronization.
In this case, contacts from the GAL folder, the default contact folder of a group and contact folders participating in the HAB (Hierarchical Address Book) structure are sent to the LDAP server. To clarify the relation between a group and a public folder: public folders are similar to folders owned by an account, but a public folder is shared among all group members, so they can also be understood as group folders.
Go to GroupWare -> Public Folders -> LDAP tab.
Tick the Active checkbox to enable or disable the synchronization of groups (public folders).
Synchronization is triggered automatically when a relevant item is updated in IceWarp Server.
Synchronizing Primary Email Address Only
By default, IceWarp sends every alias of an account to the directory server, which results in multiple mail attributes for a single entity. This can confuse some LDAP clients, which display only the last of the mail attributes received. You can prevent this behavior with the API variable C_Accounts_Global_LDAP_SyncPrimaryAliasOnly. When it is set to true, only the primary alias of an account is sent to the LDAP server.
Preserving Hierarchy of Entries
IceWarp Server is capable of synchronizing the hierarchy of domains and accounts as it exists on its side. You can achieve this by placing the server variable %domain_dc% in the rootDN input. The sync mechanism will automatically create a dc (domain component) for each domain level; in other words, the IceWarp domain my.example.com will be parsed as dc=my,dc=example,dc=com and all accounts will be synced under this LDAP entry. It is also possible to store the whole hierarchy under another container, e.g. if you wish to have mail server accounts stored in dc=mailserver, fill in %domain_dc%,dc=mailserver in the rootDN field.
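As an added example (not IceWarp's own code), here is the %domain_dc% expansion worked through in Python, including the chain of container entries a sync engine has to make sure exists before it can add an account. The labelling rule is the one the article states (one dc= component per domain label); the RDN escaping, the assumption that the account entry uses `uid=<local part>` as its RDN, and the function names are this example's own.

```python
TOKEN = "%domain_dc%"


def escape_rdn_value(value):
    """Escape characters that are special in an RDN value (RFC 4514)."""
    special = ',+"\\<>;='
    out = []
    for i, ch in enumerate(value):
        leading_hash = ch == "#" and i == 0
        edge_space = ch == " " and i in (0, len(value) - 1)
        out.append("\\" + ch if ch in special or leading_hash or edge_space else ch)
    return "".join(out)


def domain_labels(domain):
    """'my.example.com' -> ['my', 'example', 'com'] (lower-cased, no empties)."""
    labels = [l for l in domain.strip().lower().split(".") if l]
    if not labels:
        raise ValueError("empty domain name")
    return labels


def domain_dc(domain):
    """'my.example.com' -> 'dc=my,dc=example,dc=com'"""
    return ",".join("dc=" + escape_rdn_value(l) for l in domain_labels(domain))


def expand_root_dn(root_dn_template, domain):
    """Substitute %domain_dc% in the rootDN field value for one domain."""
    return root_dn_template.replace(TOKEN, domain_dc(domain))


def container_dns(root_dn_template, domain):
    """The dc entries that must exist, top-most first, for accounts of
    `domain` to be placed under the expanded rootDN. Supports templates that
    start with %domain_dc% (as in the article's examples)."""
    if not root_dn_template.startswith(TOKEN):
        raise ValueError("template must start with %domain_dc%")
    suffix = root_dn_template[len(TOKEN):]          # e.g. ',dc=mailserver' or ''
    labels = domain_labels(domain)
    chain = []
    for depth in range(1, len(labels) + 1):
        rdns = ",".join("dc=" + escape_rdn_value(l) for l in labels[-depth:])
        chain.append(rdns + suffix)
    return chain


def account_dn(root_dn_template, email, rdn_attr="uid"):
    """DN of an account entry; 'uid' as the RDN attribute is an assumption."""
    local, _, domain = email.partition("@")
    return f"{rdn_attr}={escape_rdn_value(local)},{expand_root_dn(root_dn_template, domain)}"


if __name__ == "__main__":
    for dn in container_dns("%domain_dc%,dc=mailserver", "my.example.com"):
        print(dn)
    print(account_dn("%domain_dc%,dc=mailserver", "john.doe@my.example.com"))
```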
IceWarp Server sends only a few properties of user accounts, namely those from the User tab (user settings in the administration console); groupware data are not involved. Passwords are not synchronized either.
How to Set LDAP Directory Service in MS Outlook
In Server Information, set the hostname or IP address of the host where the LDAP server is running. It is usually the same hostname that you use in the e-mail settings (the integrated LDAP server runs on the same machine as IceWarp Server).
The Logon Information checkbox can be left unticked if the default configuration is used on the LDAP server side (anonymous users can read). If this does not work for you, contact your administrator for assistance.
Before pressing the Next button, use the More Settings button to configure the connection completely.
In the Connection tab you can specify the display name. Outlook uses the hostname by default, but you can change it as you wish, e.g. "Work Address Book".
You must specify the port where the LDAP service is running. The default value is 389, but the value must match the one set on IceWarp Server's side. We strongly recommend that you keep the default value. For an SSL-encrypted connection use port 636 (or the port set in IceWarp Server) and tick the Use Secure Socket Layer checkbox. Encrypted communication is recommended whenever traffic between clients and the server crosses the internet, as LDAP otherwise sends its data mostly in plain text.
In the Search tab there is a field named Search base, which is one of the most important settings in MS Outlook. It specifies the starting point for searches. Choose to use a custom base and enter your root DN (empty by default) or the DN of an entry located under the default container (e.g. dc=example,dc=com,dc=your_rootDN).
In the server settings you can specify limits. Search timeout is in seconds and lets MS Outlook terminate the session if the LDAP server does not respond. Maximum number of entries to return specifies how many entries are returned after a successful search.
The LDAP server integrated with IceWarp Server makes a remote address book available in your LDAP-enabled clients. However, you can achieve the same functionality with other IceWarp products; in particular Outlook (since version 2007) can be enhanced greatly with the IceWarp OutlookSync plugin.
IceWarp Server’s LDAP synchronization features provide a way to add mail server entities to directory server.
Settings of slapd.conf in "%install_dir%\Icewarp\ldap\"
This is the default configuration file. It is recommended to keep the default values unless you know what you are doing. This does not apply to the credentials, however; it is wise to change them. This appendix contains only the minimum defaults needed to run OpenLDAP properly; you can read the full documentation on the project's website (http://www.openldap.org/software/man.cgi). Also, there is no access restriction defined in this file. A server reachable from the internet should have its access restrictions tightened.
Lines starting with # are ignored as comments.
Restricting Access with ACLs
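As an added example under this heading (not part of the original article or of OpenLDAP), the following Python script checks a slapd.conf for the two weaknesses the article warns about: a rootpw left in cleartext and an ACL that lets anonymous binds read the directory. Both configuration texts are constructed samples; the ACL evaluation is a simplified model of OpenLDAP's first-match rule (named access levels only, no `dn.`-style subjects or `stop`/`continue` control words), which is enough to tell the two samples apart.

```python
import re

# OpenLDAP access levels, lowest to highest.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]
ANONYMOUS_SUBJECTS = {"*", "anonymous"}   # 'by' subjects that cover an anonymous bind

WEAK_CONF = """\
# constructed sample: one ACL that grants read to everybody, password in cleartext
include         ./schema/core.schema
database        bdb
suffix          "dc=example,dc=com"
rootdn          "cn=Manager,dc=example,dc=com"
rootpw          secret
access to * by * read
"""

HARDENED_CONF = """\
# constructed sample: anonymous may only authenticate, authenticated users may read
include         ./schema/core.schema
database        bdb
suffix          "dc=example,dc=com"
rootdn          "cn=Manager,dc=example,dc=com"
rootpw          {SSHA}PLACEHOLDER-hash-generated-with-slappasswd
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none
access to *
        by users read
        by * none
"""


def directives(text):
    """Split slapd.conf into logical directives: '#' lines are comments and a
    line starting with whitespace continues the previous directive."""
    out = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and out:
            out[-1] += " " + raw.strip()
        else:
            out.append(raw.strip())
    return out


def anonymous_access(directive):
    """For one 'access to <what> by ...' directive return (what, level granted
    to an anonymous bind). The first matching 'by' clause wins; a subject that
    matches nothing gets 'none' (OpenLDAP's implicit trailing 'by * none')."""
    parts = re.split(r"\s+by\s+", directive)
    what = parts[0][len("access to"):].strip()
    for clause in parts[1:]:
        tokens = clause.split()
        who = tokens[0]
        level = tokens[1] if len(tokens) > 1 and tokens[1] in LEVELS else "none"
        if who in ANONYMOUS_SUBJECTS:
            return what, level
    return what, "none"


def audit(conf_text):
    """Return a list of findings; an empty list means both checks passed."""
    findings = []
    acls = [d for d in directives(conf_text) if d.startswith("access to ")]
    if not acls:
        findings.append("no access directives: OpenLDAP then grants read to everyone, anonymous binds included")
    for d in acls:
        what, level = anonymous_access(d)
        if LEVELS.index(level) >= LEVELS.index("read"):
            findings.append(f"anonymous binds get '{level}' on '{what}'")
    for d in directives(conf_text):
        if d.startswith("rootpw"):
            value = d.split(None, 1)[1].strip().strip('"')
            if not value.startswith("{"):
                findings.append("rootpw is stored in cleartext; generate a hash with slappasswd")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(conf) or ["ok"])
```

The hardened sample is the shape the article asks for: anonymous binds may still authenticate (so clients that present credentials can log on), only authenticated users can read, and the root password is a hash produced by OpenLDAP's slappasswd rather than the literal value.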