How to use LDAP
Last modified on 01 August 2012 05:06 PM

What is LDAP?

LDAP is an acronym for Lightweight Directory Access Protocol. It is a protocol for accessing directory services.

LDAP lets you "locate organizations, individuals, and other resources such as files and devices in a network, whether on the Internet or on a corporate intranet," and whether or not you know the domain name, IP address, or geographic whereabouts.

You can look up your colleagues through the Directory Service in MS Outlook or any other e-mail client that supports LDAP.

LDAP in IceWarp Server

IceWarp's implementation of LDAP is based on the OpenLDAP Project and is available in all modern IceWarp Server builds. The LDAP server is installed automatically during the IceWarp Server installation. Encrypted communication (SSL) is supported.

LDAP features within IceWarp Server are divided into two parts: one is dedicated to user synchronization, the other to group synchronization.
With users and/or groups of IceWarp Server automatically synchronized to the directory server, LDAP-enabled clients such as MS Outlook can use the server as a source of e-mail addresses and other data.

LDAP Service Settings

On Linux platforms the LDAP server always runs under the root account, regardless of the account IceWarp Server runs under. On Windows it always runs under the same account as the Control service.

Tab LDAP
The slapd.conf button lets you edit the general configuration file (slapd.conf) of the OpenLDAP server integrated with IceWarp Server. It is located in %install_directory%\IceWarp\ldap\slapd.conf.
Access control and the LDAP server's behaviour in general are set in this file.

For an explanation of slapd.conf see Appendix A or the OpenLDAP Project website, http://www.openldap.org/.

Tab Properties
Once the service is started, the LDAP server listens on the ports specified in the port settings. By default the plain port 389 and the SSL port 636 are used.

Each service is bound to a TCP port number. This can be changed if needed, but the default ports conform to the IANA assignments that ISPs would require. If you are using a firewall, you have to open the ports for all services.

IceWarp to LDAP Synchronization Features

Now, let's have a look at the configuration settings for users and groups in the IceWarp Server administration console.


User Accounts

Go to Domains&Accounts -> Global Settings -> Advanced tab.

Active checkbox: tick to enable (untick to disable) synchronization of user accounts.
LDAP Host: 127.0.0.1, or another IP address the LDAP server is listening on.
Base DN: the location under which users will be synchronized (at least the suffix defined in the configuration file).
User DN: the account used to access the LDAP service (default is cn=admin).
Password: the password for the User DN (default value is admin).

It is strongly recommended to change the credentials in the configuration file (slapd.conf) and to use an encrypted connection in order to secure access to your data. Also note that the default configuration allows read access for anonymous binds (anyone can read your data). This is a serious security threat if your LDAP service is reachable from the Internet. Since release 11.2.0, the default configuration has been updated to disallow read access for anonymous binds.

The B button lets you edit the bypass file. As usual, the file can contain e-mail addresses, domains and IPs (one per line), and masks can be used too. However, this particular bypass file should contain only values that can be matched against the e-mail addresses of IceWarp Server's accounts, as anything else makes no sense here.

Once you have everything set up as desired, press the Synchronize All Users to LDAP Now button to synchronize all existing IceWarp users (except those matching the bypass rules) to the chosen directory server.

The name property must be filled in for the sync mechanism to be able to create objects on the LDAP server. An account with a missing name cannot be synchronized!

In case of problems with synchronization on Windows releases, check that the c_accounts_global_ldap_usewindowsdll system API variable is set to true. When it is false, wrong data is sometimes sent to the LDAP server, which prevents synchronization from working. This switch is described in more detail in the server help on directory service synchronization.


Groups

In this case, contacts from the GAL folder, the default contact folder of a group and contact folders participating in the HAB (Hierarchical Address Book) structure are sent to the LDAP server. To clarify the relation between a group and a public folder: public folders are similar to folders owned by an account, but a public folder is shared among all group members, so they can also be understood as group folders.

Go to GroupWare -> Public Folders -> LDAP tab.

Active checkbox: tick to enable (untick to disable) the synchronization of groups (public folders).
LDAP Host: 127.0.0.1, or another IP address the LDAP server is listening on.
Base DN: the location under which groups will be synchronized (at least the suffix defined in the configuration file).
User DN: the account used to access the LDAP service (default is cn=admin).
Password: the password for the User DN (default value is admin).

Synchronization is triggered automatically whenever a relevant item is updated in IceWarp Server.

Synchronizing Primary Email Address Only

By default, IceWarp sends every alias of an account to the directory server, which results in multiple mail attributes for a single entity. This can confuse LDAP clients that display only the last mail attribute received. You can prevent this behaviour with the API variable C_Accounts_Global_LDAP_SyncPrimaryAliasOnly. When it is set to true, only the primary alias of an account is sent to the LDAP server.

Preserving Hierarchy of Entries

IceWarp Server is capable of synchronizing the hierarchy of domains and accounts as it exists on its side. You achieve this by placing the server variable %domain_dc% in the rootDN input. The sync mechanism automatically creates a dc (domain component) for each domain level; in other words, the IceWarp domain my.example.com is parsed as dc=my,dc=example,dc=com and all its accounts are synced under this LDAP entry. It is also possible to store the whole hierarchy under another container: if you wish to have mail server accounts stored in dc=mailserver, fill in %domain_dc%,dc=mailserver in the rootDN field.
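As an added example (not IceWarp's own code), the following Python models the three sync rules this page describes: an account without a name cannot be synchronized, the %domain_dc% placeholder expands to one dc component per domain label (optionally under another container), and the SyncPrimaryAliasOnly switch restricts the mail attributes to the primary alias. The account dictionary layout, the function names and the RFC 4514 escaping helper are assumptions of this example; the inetOrgPerson attributes are the ones the page says the sync relies on.

```python
from typing import Dict, List

# Added example: how the IceWarp sync rules described on this page could be
# modelled. The account layout and function names are assumptions, not
# IceWarp's API.


def escape_rdn_value(value: str) -> str:
    """Escape characters that are special inside a DN attribute value (RFC 4514)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        special = ch in ',+"\\<>;='
        special = special or (ch == '#' and i == 0)
        special = special or (ch == ' ' and i in (0, last))
        out.append('\\' + ch if special else ch)
    return ''.join(out)


def domain_dc(domain: str) -> str:
    """What %domain_dc% expands to: my.example.com -> dc=my,dc=example,dc=com."""
    labels = [label for label in domain.lower().split('.') if label]
    if not labels:
        raise ValueError('empty domain name')
    return ','.join('dc=' + escape_rdn_value(label) for label in labels)


def expand_root_dn(template: str, domain: str) -> str:
    """Substitute %domain_dc% in a rootDN template such as '%domain_dc%,dc=mailserver'."""
    return template.replace('%domain_dc%', domain_dc(domain))


def build_entry(account: Dict, root_dn_template: str,
                primary_alias_only: bool = False) -> Dict[str, List[str]]:
    """Build the inetOrgPerson attributes one account would be synchronized as.

    `account` is a constructed dict: name, domain, aliases (primary alias first).
    A missing name raises, mirroring the rule that such an object cannot be synced.
    """
    name = (account.get('name') or '').strip()
    if not name:
        raise ValueError('account has no name; object cannot be synchronized')
    aliases = account['aliases'][:1] if primary_alias_only else account['aliases']
    given, _, surname = name.partition(' ')
    entry = {
        'dn': [f"cn={escape_rdn_value(name)},{expand_root_dn(root_dn_template, account['domain'])}"],
        'objectClass': ['top', 'person', 'organizationalPerson', 'inetOrgPerson'],
        'cn': [name],
        'sn': [surname or given],  # sn is mandatory for person; fall back to the single token
        'mail': [f"{alias}@{account['domain']}" for alias in aliases],
    }
    if surname:
        entry['givenName'] = [given]
    return entry


def to_ldif(entry: Dict[str, List[str]]) -> str:
    """Serialise the attribute dict as LDIF text (dn first)."""
    lines = [f"dn: {entry['dn'][0]}"]
    for attr, values in entry.items():
        if attr != 'dn':
            lines.extend(f"{attr}: {value}" for value in values)
    return '\n'.join(lines) + '\n'


# Constructed sample account used when running the module directly.
SAMPLE_ACCOUNT = {'name': 'John Doe', 'domain': 'my.example.com', 'aliases': ['john', 'j.doe']}

if __name__ == '__main__':
    print(to_ldif(build_entry(SAMPLE_ACCOUNT, '%domain_dc%,dc=mailserver')))
    print(to_ldif(build_entry(SAMPLE_ACCOUNT, '%domain_dc%', primary_alias_only=True)))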

 

Synchronized Data

IceWarp Server sends only a few properties of user accounts, namely the properties from the User tab (user settings in the administration console); groupware data is not involved. Passwords are not synchronized either.

How to Set LDAP Directory Service in MS Outlook
Configuring LDAP in MS Outlook is very simple; in this article Outlook 2010 is used. Open the File menu and select Account Settings. Go to the Address Books tab. Press the New… button to start adding a new one. Choose the Internet Directory Service (LDAP) option as the next step.

In Server Information, set the hostname or IP of the host where the LDAP server is running. It is usually the same hostname you use in your e-mail settings (the integrated LDAP runs on the same machine as IceWarp Server).

The Logon Information checkbox can be left unticked if the default configuration is used on the LDAP server side (anonymous users can read). If this does not work for you, contact your administrator for assistance.

Before pressing Next button, use the More Settings button to configure the connection completely.

In the Connection tab you can specify the display name. Outlook uses the hostname by default, but you can change it as you wish, e.g. "Work Address Book".

You must specify the port the LDAP service is running on. The default value is 389, but the value must match the one set on IceWarp Server's side. We strongly recommend that you keep the default value. For an SSL-encrypted connection use port 636 (or the port set in IceWarp Server) and tick the Use Secure Socket Layer checkbox. Encrypted communication is recommended whenever traffic between clients and the server crosses the Internet, as LDAP otherwise sends mostly plain-text data.

In the Search tab there is a field named Search base, one of the most important settings in MS Outlook. It specifies the starting point of the search. Choose to use a custom base and enter your root DN (empty by default) or the DN of an entry located under the default container (e.g. dc=example,dc=com,dc=your_rootDN).

In the server settings you can specify limits. Search timeout is in seconds and lets MS Outlook terminate the session if the LDAP server is not available. The field Specify the maximum number of entries you wish to return after a successful search sets the upper limit on the number of entries returned.

Summary

The LDAP server integrated with IceWarp Server makes it possible to have a remote address book available in your LDAP-enabled clients. You can achieve the same functionality with other IceWarp products too; in particular, Outlook (since version 2007) can be enhanced greatly with the IceWarp OutlookSync plugin.

IceWarp Server's LDAP synchronization features provide a way to add mail server entities to the directory server.

Appendix A

Settings of slapd.conf in "%install_dir%\Icewarp\ldap\"

This is the default configuration file. It is recommended to keep the default values unless you know what you are doing. This does not apply to the credentials, however; it is wise to change them. This appendix contains only the default minimum needed to run OpenLDAP properly; you can read the full documentation at the project's website (http://www.openldap.org/software/man.cgi). Also, there is no access restriction defined in this file. A server accessible from the Internet should have its security settings improved.

Lines starting with # are ignored as comments.

# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#

ucdata-path      ./ucdata
include    ./schema/core.schema
include    ./schema/cosine.schema
include    ./schema/inetorgperson.schema

# Define global ACLs to disable default read access.
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
# referral   ldap://root.openldap.org

pidfile    ./run/slapd.pid
argsfile   ./run/slapd.args

# Load dynamic backend modules:
# modulepath     ./libexec/openldap
# moduleload     back_bdb.la
# moduleload     back_ldap.la
# moduleload     back_ldbm.la
# moduleload     back_passwd.la
# moduleload     back_shell.la

# Sample security restrictions
#    Require integrity protection (prevent hijacking)
#    Require 112-bit (3DES or better) encryption for updates
#    Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64

# Sample access control policy:
#    Root DSE: allow anyone to read it
#    Subschema (sub)entry DSE: allow anyone to read it
#    Other DSEs:
#          Allow self write access
#          Allow authenticated users read access
#          Allow anonymous users to authenticate
#    Directives needed to implement policy:
# access to dn.base="" by * read
# access to dn.base="cn=Subschema" by * read
# access to *
#    by self write
#    by users read
#    by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn. (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!

#######################################################################
# BDB database definitions
#######################################################################

database   bdb
suffix     ""
rootdn     "cn=admin"

# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.

rootpw     admin

# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.

directory  ./data

# Indices to maintain
index      objectClass eq

Simple Explanation:

Include
This item includes additional schema definitions. All schema definitions are located in the %install_directory%\IceWarp\ldap\schema directory. You can create your own definitions and edit the existing ones, but make sure to follow the creation rules, otherwise LDAP will not start. A problem with your configuration (or an included schema) is easily found in the log file (slapd.log). If you are a beginner, use the existing schema definitions. IceWarp Server synchronizes only data that fits into the inetOrgPerson schema, which means you have to keep this schema included in your configuration file.

Database
It is recommended to use the BDB database for storing data. BDB obsoletes LDBM, which was used by old server versions.

Suffix
This item identifies the suffix your LDAP entities will be stored under. Consider it the root container. All client connections will have to use at least this suffix. As database records are also stored under this suffix, you need to create the records again under the new suffix when the old one is changed. Usually the suffix would be your domain name, but we wanted everyone to be able to use LDAP out of the box, so we made the default suffix empty (suffix ""). This value is the most versatile solution, as it can contain the same object (domain) structure that exists in your IceWarp Server. You can alter the suffix according to your needs, e.g. dc=example,dc=com for a single-domain setup (every domain component must have a separate dc definition; do not use spaces after the comma).

Rootdn
This item identifies the administrator user; it does not need to exist in the LDAP server's database for the suffix. The account is allowed to perform any action (such as adding or modifying records). It always has to have the suffix appended; the default is "cn=admin" as there is no suffix to append.

Rootpw
This item contains the password for rootdn, the server administrator account. For improved security the slappasswd tool can be used to generate a hashed password (e.g. {SSHA}GtG7bcLGsN/rf1iStKFK2qu0C2EZf/RX).

Directory
This specifies the directory where the data will be stored.

Index
This directive specifies the indexes to maintain for the given attribute. By default, no indices are maintained. Generally it is recommended to maintain at least an equality index upon objectClass.

Restricting Access with ACLs
To limit access to your data, add an ACL (access list) definition under the BDB database section. The example below grants write access to an entry's own record (self; the rootdn always has full access anyway), read access to authenticated users (you have to create some), the right to authenticate to anonymous users, and nothing to anyone else. The order matters: the last rule denies access to those who did not match the first three rules.
access to *
    by self        write
    by users       read
    by anonymous   auth
    by *           none
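The two weaknesses this page warns about, anonymous read access (whether from a missing access directive or an explicit "by * read") and a cleartext rootpw, can both be spotted by reading slapd.conf offline. The following Python is an added example, not part of IceWarp or OpenLDAP; it joins slapd.conf continuation lines (a line starting with whitespace continues the previous directive), skips the root DSE and subschema entries that are meant to be world-readable, and reports findings for two constructed configurations, one mirroring the default in this appendix and one with the ACL above applied.

```python
import re
from typing import List

# Added example: an offline audit of slapd.conf for anonymous read access and
# a cleartext rootpw. Not IceWarp's or OpenLDAP's code; the sample configs are
# constructed to mirror this appendix.


def logical_lines(text: str) -> List[str]:
    """Return directives with comments dropped and continuation lines joined."""
    lines: List[str] = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith('#'):
            continue
        if raw[0] in ' \t' and lines:
            lines[-1] += ' ' + raw.strip()
        else:
            lines.append(raw.strip())
    return lines


# Access levels that expose directory contents; slapd.access(5) orders them
# none < disclose < auth < compare < search < read < write < manage.
EXPOSING_LEVELS = {'compare', 'search', 'read', 'write', 'manage'}
# Targets that are expected to be world-readable (root DSE and subschema).
PUBLIC_TARGETS = ('dn.base=""', 'cn=subschema')


def audit_slapd_conf(text: str) -> List[str]:
    """Return a list of human-readable findings; an empty list means nothing was flagged."""
    findings: List[str] = []
    lines = logical_lines(text)
    acls = [ln for ln in lines if re.match(r'access\s+to\b', ln, re.I)]
    if not acls:
        findings.append('no access directives: slapd then lets anyone, including anonymous binds, read everything')
    for acl in acls:
        m = re.match(r'access\s+to\s+(.*?)\s+by\b', acl, re.I | re.S)
        target = (m.group(1) if m else '*').lower()
        if any(p in target for p in PUBLIC_TARGETS):
            continue
        for who, level in re.findall(r'\bby\s+(\S+)\s+(\S+)', acl, re.I):
            if who.lower() in ('*', 'anonymous') and level.lower() in EXPOSING_LEVELS:
                findings.append(f'"{acl}" grants {level} to {who}')
    for ln in lines:
        m = re.match(r'rootpw\s+(\S+)', ln, re.I)
        if m and not m.group(1).startswith('{'):
            findings.append('rootpw is cleartext; generate a {SSHA} value with slappasswd')
    return findings


# Constructed configs: the first mirrors the default file above, the second applies the ACL example.
DEFAULT_CONF = """\
include    ./schema/core.schema
database   bdb
suffix     ""
rootdn     "cn=admin"
rootpw     admin
directory  ./data
"""

HARDENED_CONF = """\
include    ./schema/core.schema
access to dn.base="" by * read
database   bdb
suffix     ""
rootdn     "cn=admin"
rootpw     {SSHA}GtG7bcLGsN/rf1iStKFK2qu0C2EZf/RX
directory  ./data
access to *
    by self        write
    by users       read
    by anonymous   auth
    by *           none
"""

if __name__ == '__main__':
    for name, conf in (('default', DEFAULT_CONF), ('hardened', HARDENED_CONF)):
        print(name, audit_slapd_conf(conf) or ['OK'])
```

Run against the default file the audit reports both problems; against the hardened file it reports none, because the only anonymous-readable target left is the root DSE.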


Pidfile, Argsfile

These are Linux specific and can be commented out on Windows platforms.