Difference between revisions of "Generic LDAP Integration"

[unchecked revision][checked revision]
m
 
(13 intermediate revisions by 3 users not shown)
Line 8: Line 8:
  
 
=== LDAP Connection ===
 
=== LDAP Connection ===
 
 
{| class="wikitable"
 
{| class="wikitable"
 
! width=250px | Name
 
! width=250px | Name
Line 19: Line 18:
 
| Configure whether the connection to the LDAP server is to be unencrypted on port 389, LDAP-TLS on port 389, or LDAP-SSL on port 636
 
| Configure whether the connection to the LDAP server is to be unencrypted on port 389, LDAP-TLS on port 389, or LDAP-SSL on port 636
 
|-
 
|-
| Ignore SSL Security Warnings (only when using LDAP-TLS or LDAP-SSL)
+
| Accept all certificates (only when using LDAP-TLS or LDAP-SSL)
| Permit connections when a self-signed or non-public certificate is used by the LDAP server
+
| {{Option_Accept_all_certificates}}
 
|-
 
|-
 
| Administrative DN
 
| Administrative DN
Line 33: Line 32:
  
 
=== User Filter and Attributes ===
 
=== User Filter and Attributes ===
 
 
{| class="wikitable"
 
{| class="wikitable"
 
! width=250px | Name
 
! width=250px | Name
Line 55: Line 53:
  
 
=== Group Filter and Attributes ===
 
=== Group Filter and Attributes ===
 
=== Options ===
 
 
 
{| class="wikitable"
 
{| class="wikitable"
 
! width=250px | Name
 
! width=250px | Name
 
! Description
 
! Description
 
|-
 
|-
| Automatically delete users in MailStore Server
+
| Filter
| If enabled, MailStore will delete users from the local MailStore database when the user is deleted, removed from the filtered group, or falls out of scope based on the above LDAP filter settings
+
| LDAP filter to return only group objects
 +
|-
 +
| Name
 +
| The LDAP attribute that contains the common name of a group
 +
|-
 +
| Description (optional)
 +
| The LDAP attribute that contains a human readable description for each group
 +
|-
 +
| Members
 +
| The LDAP attribute that contains the common name of group members
 +
|-
 +
| Search Filter for Members
 +
| LDAP filter to resolve group members when members are not specified as a DN string as part of the group results. MailStore will fill in the <tt>{member}</tt> variable with values from the ''Members'' attribute
 +
|-
 +
| Group
 +
| The actual group(s) containing users that MailStore Server will synchronize
 
|}
 
|}
 
+
{{Directory Services Authentication|LDAP}}
 
+
{{Directory Services Options|LDAP}}
 
{{Directory Services Assign Default Privileges}}
 
{{Directory Services Assign Default Privileges}}
  
Line 72: Line 82:
  
 
=== Active Directory ===
 
=== Active Directory ===
It is possible to connect LDAP Generic to Active Directory, allowing for more flexibility and control than MailStore's built-in Active Directory support. For example, LDAP Generic will allow you to accept invalid or self-signed certificates, use custom filters or change which attributes are used by MailStore.
+
It is possible to connect LDAP Generic to Active Directory, allowing for more flexibility and control than MailStore's built-in Active Directory support. For example, LDAP Generic will allow you to accept invalid or self-signed certificates when using LDAP-SSL or LDAP-TLS, use custom filters or change which attributes are used by MailStore.
  
 
It is assumed that the Active Directory LDAP service is reachable by the MailStore instance on TCP port 389 or 636, including opening ports in the firewall, where applicable.
 
It is assumed that the Active Directory LDAP service is reachable by the MailStore instance on TCP port 389 or 636, including opening ports in the firewall, where applicable.
Line 98: Line 108:
 
| Use SSL as transport encryption
 
| Use SSL as transport encryption
 
|-
 
|-
| rowspan=2| Ignore SSL Security Warnings
+
| rowspan=2| Accept all certificates
 
| ''Enabled''
 
| ''Enabled''
 
| Establish a TLS/SSL encrypted connection, even if the certificate validation failed.
 
| Establish a TLS/SSL encrypted connection, even if the certificate validation failed.
Line 106: Line 116:
 
|-
 
|-
 
| Administrative DN
 
| Administrative DN
| <tt>mailstoreserver@example.com</tt>
+
| <tt>mailstore@example.com</tt>
 
| Active Directory account for MailStore's use
 
| Active Directory account for MailStore's use
 
|-
 
|-
Line 156: Line 166:
 
|-
 
|-
 
|rowspan = 2 |E-mail Addresses (opt.)
 
|rowspan = 2 |E-mail Addresses (opt.)
|<tt>proxyAddress</tt>
+
|<tt>proxyAddresses</tt>
 
|Exchange environments
 
|Exchange environments
 
|-
 
|-
Line 204: Line 214:
 
{| class="wikitable"
 
{| class="wikitable"
 
! width=250px | Name
 
! width=250px | Name
! Example
+
! Value
 +
! Description
 
|-
 
|-
 
| Server Name
 
| Server Name
 
| <tt>directory.example.com</tt>
 
| <tt>directory.example.com</tt>
 +
| DNS name or IP address of the OpenLDAP server.
 +
|-
 +
| rowspan=3 | Protocol
 +
| <tt>LDAP</tt>
 +
| Do not use transport encryption
 +
|-
 +
| <tt>LDAP-TLS</tt>
 +
| Use TLS as transport encryption
 
|-
 
|-
| Protocol
 
 
| <tt>LDAP-SSL</tt>
 
| <tt>LDAP-SSL</tt>
 +
| Use SSL as transport encryption
 +
|-
 +
| rowspan=2| Accept all certificates
 +
| ''Enabled''
 +
| Establish a TLS/SSL encrypted connection, even if the certificate validation failed.
 
|-
 
|-
| Ignore SSL Security Warnings
+
| ''Disabled''
| ''Checked''
+
| Do not establish a TLS/SSL encrypted connection, if the certificate validation failed.
 
|-
 
|-
 
| Administrative DN
 
| Administrative DN
 
| <tt>cn=admin,dc=example,dc=com</tt>
 
| <tt>cn=admin,dc=example,dc=com</tt>
 +
| LDAP username that MailStore should use for accessing the OpenLDAP server
 
|-
 
|-
 
| Password
 
| Password
 
| <tt>MySecretPassword</tt>
 
| <tt>MySecretPassword</tt>
 +
| Password of the user specified in ''Administrative DN'' above
 
|-
 
|-
 
| Base DN
 
| Base DN
 
| <tt>dc=example,dc=com</tt>
 
| <tt>dc=example,dc=com</tt>
 +
| The Base-DN of the LDAP directory
 
|}
 
|}
  
Line 228: Line 254:
 
{| class="wikitable"
 
{| class="wikitable"
 
! width=250px | Name
 
! width=250px | Name
! Example
+
! Value
 +
! Description
 +
|-
 +
|rowspan = 2 | Filter (optional)
 +
|<tt>(objectClass=posixAccount)</tt>
 +
|All objects of type ''posixAccount'', usually all users
 +
|-
 +
|<tt>(&(objectClass=posixAccount)(mail=*))</tt>
 +
|All users with configured email address
 +
|-
 +
|rowspan = 2 |User Name
 +
|<tt>uid</tt>
 +
| Use the value of LDAP attribute ''UID'' as MailStore user name
 
|-
 
|-
| Filter (optional)
+
|<tt>cn</tt>
| <tt>(objectClass=posixAccount)</tt>
+
| Use the value of LDAP attribute ''CN'' as MailStore user name
 
|-
 
|-
| User Name
+
|rowspan = 2 |Local Part Only (E-mail Addresses / UPN)
| <tt>uid</tt>
+
|''Enabled''
 +
| Only use the local part from a user name in UPN format
 
|-
 
|-
| Local Part Only (E-mail Addresses / UPN)
+
|''Disabled''
| ''Unchecked''
+
| Use the full user name in UPN format
 
|-
 
|-
| Full Name (optional)
+
|Full Name (optional)
| <tt>displayName</tt>
+
|<tt>displayName</tt>
 +
| Use the value of LDAP attribute ''displayName'' as MailStore user name
 
|-
 
|-
| E-mail Addresses (opt.)
+
|E-mail Addresses (opt.)
| <tt>mail</tt>
+
|<tt>mail</tt>
 +
| Use the values of LDAP attribute ''mail'' for the email addresses of MailStore users
 
|}
 
|}
  
Line 249: Line 290:
 
{| class="wikitable"
 
{| class="wikitable"
 
! width=250px | Name
 
! width=250px | Name
! Example
+
! Value
 +
! Description
 
|-
 
|-
 
| Filter
 
| Filter
 
| <tt>(objectClass=posixGroup)</tt>
 
| <tt>(objectClass=posixGroup)</tt>
 +
| All objects of category ''posixGroup'', usually all groups
 
|-
 
|-
 
| Name
 
| Name
 
| <tt>cn</tt>
 
| <tt>cn</tt>
 +
| Use the value of the LDAP attribute ''CN'' as group name
 
|-
 
|-
 
| Description (optional)
 
| Description (optional)
 
| <tt>description</tt>
 
| <tt>description</tt>
 +
| Use the value of the LDAP attribute ''description'' as group name
 
|-
 
|-
 
| Members
 
| Members
| <tt>memberUid</tt>
+
| <tt>member</tt>
 +
| Use the value LDAP attribute ''member'' to determine group members
 +
|-
 +
| rowspan=2 | Search Filter for Members
 +
| ''emtpy''
 +
| Group members are returned as Distinguished Names
 
|-
 
|-
| Search Filter for Members
 
 
| <tt><nowiki>(|(&(objectClass=posixAccount)(uid={member}))(&(objectClass=posixGroup)(cn={member})))</nowiki></tt>
 
| <tt><nowiki>(|(&(objectClass=posixAccount)(uid={member}))(&(objectClass=posixGroup)(cn={member})))</nowiki></tt>
 +
| members in ''memberUid'' are only given as plain user or group names
 
|-
 
|-
 
| Group
 
| Group
 
| <tt>MailStore Users</tt>
 
| <tt>MailStore Users</tt>
 +
| Synchronize only users from the ''MailStore Users'' group
 
|}
 
|}
  
 
{{Directory Services Run Synchronization}}
 
{{Directory Services Run Synchronization}}
 +
[[File:mads_sync_02.png|center|450px]]
  
[[File:mads_sync_02.png|center|450px]]
 
  
{{Directory Services Login with Directory Services Credentials|LDAP server|mads_ldapauth_01.png}}
+
{{Directory Services Test Authentication}}
 +
{{Directory Services Login with Directory Services Credentials|LDAP server}}
  
 
[[de:Generische_LDAP-Integration]]
 
[[de:Generische_LDAP-Integration]]
 
[[en:Generic LDAP Integration]]
 
[[en:Generic LDAP Integration]]

Latest revision as of 15:03, 26 April 2021

In addition to adding users manually as described in chapter User Management, MailStore Server can synchronize its internal user database with the LDAP server of your organization.

During synchronization, user information, such as user names and email addresses, is copied from the LDAP server into MailStore Server's user database. That way, users can use their LDAP server credentials to also log on to MailStore Server and emails can be assigned to their corresponding user archives automatically, for example. No changes are made to the LDAP server itself by MailStore Server. The scope of the synchronization can be limited through filters.


Accessing Directory Service Integration

  • Log on to MailStore Client as a MailStore Server administrator.
  • Click on Administrative Tools > Users and Archives > Directory Services.
  • In the Integration section, change the directory service type to LDAP server.
Mldap sync 01.png


Connection to the LDAP Directory Service

For synchronization MailStore Server requires information on how to connect to the LDAP directory service and how to obtain the required data from it.

LDAP Connection

Name Description
Server Name DNS name or IP address of your LDAP server
Protocol Configure whether the connection to the LDAP server is to be unencrypted on port 389, LDAP-TLS on port 389, or LDAP-SSL on port 636
Accept all certificates (only when using LDAP-TLS or LDAP-SSL) If the certificate provided by the remote host cannot be verified (e.g. self-signed or signed by an unknown certificate authority), enable the option Accept all certificates to allow MailStore to establish a connection. As this option leads to an insecure configuration, warnings may appear in the summary and/or the dashboard.
Administrative DN Distinguished Name (DN) or user name of a user with appropriate privileges on the LDAP server
Password Password of the user specified in Administrative DN
Base DN LDAP base DN, if needed

User Filter and Attributes

Name Description
Filter (optional) Filter LDAP objects to return only user objects with email addresses
User Name The LDAP attribute containing the username that you wish MailStore to use
Local Part Only (E-mail Addresses / UPN) If unchecked, MailStore will use the full username including domain portion, e.g. [email protected]. If checked, MailStore will only use the local part of the User Name specified, e.g. the username
Full Name (optional) The full name of the user, for display purposes within MailStore
E-mail Addresses (opt.) The LDAP attribute containing the user's email address. This can contain multiple, comma separated, e-mail addresses

Group Filter and Attributes

Name Description
Filter LDAP filter to return only group objects
Name The LDAP attribute that contains the common name of a group
Description (optional) The LDAP attribute that contains a human readable description for each group
Members The LDAP attribute that contains the common name of group members
Search Filter for Members LDAP filter to resolve group members when members are not specified as a DN string as part of the group results. MailStore will fill in the {member} variable with values from the Members attribute
Group The actual group(s) containing users that MailStore Server will synchronize

Authentication

  • Method
    Here you can choose how users that have been synchronized from LDAP will be authenticated.
    • LDAP
      With this option, users can log on directly to MailStore Server with their LDAP credentials. The provided credentials are relayed by MailStore Server to LDAP for verification.
    • AD FS (OpenID Connect)
      If your company employs Active Directory Federation Services (AD FS), users can also log on to MailStore Server using OpenID Connect through AD FS. For this, you have to configure your AD FS according to our setup guide and enter the following parameters in MailStore Server afterwards.
      • Discovery URI
        The URI by which the AD FS are reachable. Typically, this is the fully qualified domain name of the AD FS server followed by the path /adfs, e.g. https://adfs.example.com/adfs. The certificate used by the AD FS must be trusted.
      • Client ID
        The Client Identifier of the Application Group that has been created for MailStore Server in AD FS.
      • Redirect-URI
        The Redirect-URI that has been configured in the Application Group.
      • Always require credentials for login
        If this option is enabled, users must authenticate against AD FS everytime they log on to MailStore Server.
    Please note: When using OpenID Connect to authenticate users, accessing the archive via IMAP is not possible for technical reasons.

Options

  • Automatically delete users in MailStore Server
    Here you can choose whether users that have been deleted in the LDAP will also be deleted in the MailStore Server user database by the synchronization. Users will also be deleted if they fall out of scope of the configured settings.
    Only MailStore Server users that have their authentication method set to Directory Services will be deleted.
    If the archive folder of such a user already contains archived emails, only the user entry but not its archive folder will be deleted in MailStore Server.

Assigning Default Privileges

By default, users that have been synchronized to MailStore Server from a directory service have the privilege to log on to MailStore Server as well as read access to their own user archive.
You can configure those default privileges before synchronization, for example, to assign the privilege Archive E-mail to all new users. To do this, click on Default Privileges...
More information on managing user privileges and their effects is available in the chapter Users, Folders and Settings which also has details on editing existing privileges.


Configuration Samples

Active Directory

It is possible to connect LDAP Generic to Active Directory, allowing for more flexibility and control than MailStore's built-in Active Directory support. For example, LDAP Generic will allow you to accept invalid or self-signed certificates when using LDAP-SSL or LDAP-TLS, use custom filters or change which attributes are used by MailStore.

It is assumed that the Active Directory LDAP service is reachable by the MailStore instance on TCP port 389 or 636, including opening ports in the firewall, where applicable.

As most Active Directory configurations are quite similar, it will be possible to copy/paste most of the examples below, making only minor modifications based on your environment.

LDAP Connection

Name Value Description
Server Name dc001.example.com DNS name or IP address of an Active Directory domain controller.
Protocol LDAP Do not use transport encryption
LDAP-TLS Use TLS as transport encryption
LDAP-SSL Use SSL as transport encryption
Accept all certificates Enabled Establish a TLS/SSL encrypted connection, even if the certificate validation failed.
Disabled Do not establish a TLS/SSL encrypted connection, if the certificate validation failed.
Administrative DN [email protected] Active Directory account for MailStore's use
Password MySecretPassword Password of the user specified in Administrative DN above
Base DN Empty LDAP base DN will be detected automatically in Active Directory environments

User Filter and Attributes

Name Value Description
Filter (optional) (objectCategory=User) All users
(&(objectCategory=User)(mail=*)) All users with Active Directory e-mail addresses
(&(objectCategory=User)(proxyAddresses=*)) All users with Exchange e-mail addresses
(&(objectCategory=User)(proxyAddresses=*)(mail=*)) All users with Exchange e-mail addresses who are also listed in the global address book
User Name userPrincipalName Use Active Directory user name as MailStore user name
sAMAccountName Use pre-Windows 2000 user name as MailStore user name
Local Part Only (E-mail Addresses / UPN) Enabled Only use the local part from the Active Directory user name in UPN format
Disabled Use the full Active Directory user name in UPN format
Full Name (optional) displayName The user's visible name in Active Directory
E-mail Addresses (opt.) proxyAddresses Exchange environments
mail Non-Exchange environments

Group Filter and Attributes

Name Value Description
Filter (objectCategory=Group) All objects of category Group, usually all groups
Name cn Use the value of the LDAP attribute CN as group name
Description (optional) description Use the value of the LDAP attribute description as group name
Members member Use the value LDAP attribute member to determine group members
Search Filter for Members emtpy Group members are returned as Distinguished Names
Group MailStore Users Synchronize only users from the MailStore Users group

OpenLDAP

OpenLDAP is a commonly used LDAP server, configuration will require some knowledge of your LDAP environment.

It is assumed that the LDAP service is reachable by the MailStore instance on TCP port 389 or 636, including opening ports in the firewall, where applicable.

As OpenLDAP is very flexible, configuration options vary from server to server and you may need to make significant modifications to the examples below to fit the schema used in your environment.

LDAP Connection

Name Value Description
Server Name directory.example.com DNS name or IP address of the OpenLDAP server.
Protocol LDAP Do not use transport encryption
LDAP-TLS Use TLS as transport encryption
LDAP-SSL Use SSL as transport encryption
Accept all certificates Enabled Establish a TLS/SSL encrypted connection, even if the certificate validation failed.
Disabled Do not establish a TLS/SSL encrypted connection, if the certificate validation failed.
Administrative DN cn=admin,dc=example,dc=com LDAP username that MailStore should use for accessing the OpenLDAP server
Password MySecretPassword Password of the user specified in Administrative DN above
Base DN dc=example,dc=com The Base-DN of the LDAP directory

User Filter and Attributes

Name Value Description
Filter (optional) (objectClass=posixAccount) All objects of type posixAccount, usually all users
(&(objectClass=posixAccount)(mail=*)) All users with configured email address
User Name uid Use the value of LDAP attribute UID as MailStore user name
cn Use the value of LDAP attribute CN as MailStore user name
Local Part Only (E-mail Addresses / UPN) Enabled Only use the local part from a user name in UPN format
Disabled Use the full user name in UPN format
Full Name (optional) displayName Use the value of LDAP attribute displayName as MailStore user name
E-mail Addresses (opt.) mail Use the values of LDAP attribute mail for the email addresses of MailStore users

Group Filter and Attributes

Name Value Description
Filter (objectClass=posixGroup) All objects of category posixGroup, usually all groups
Name cn Use the value of the LDAP attribute CN as group name
Description (optional) description Use the value of the LDAP attribute description as group name
Members member Use the value LDAP attribute member to determine group members
Search Filter for Members emtpy Group members are returned as Distinguished Names
(|(&(objectClass=posixAccount)(uid={member}))(&(objectClass=posixGroup)(cn={member}))) members in memberUid are only given as plain user or group names
Group MailStore Users Synchronize only users from the MailStore Users group

Running Directory Services Synchronization

Click on Test Settings to check synchronization configuration and the results returned by the directory service without any changes to the MailStore Server user database being actually committed.

To finally run the synchronization, click on Synchronize now. The results are shown with any changes committed to the MailStore Server user database.

Mads sync 02.png


You can test the authentication for a user by first selecting him from the list and then clicking on the button on the lower left. You will now be asked for that user's password. Upon clicking OK you'll receive a message whether the authentication has been successful.

Login with LDAP server Credentials

After synchronization MailStore users can log on to MailStore Server with their LDAP server username and LDAP server password.