Difference between revisions of "Generic LDAP Integration"


Latest revision as of 15:03, 26 April 2021

In addition to adding users manually as described in chapter User Management, MailStore Server can synchronize its internal user database with the LDAP server of your organization.

During synchronization, user information, such as user names and email addresses, is copied from the LDAP server into MailStore Server's user database. That way, users can use their LDAP server credentials to also log on to MailStore Server, and emails can be assigned to their corresponding user archives automatically. No changes are made to the LDAP server itself by MailStore Server. The scope of the synchronization can be limited through filters.


Accessing Directory Service Integration

  • Log on to MailStore Client as a MailStore Server administrator.
  • Click on Administrative Tools > Users and Archives > Directory Services.
  • In the Integration section, change the directory service type to LDAP server.
[Screenshot: Mldap sync 01.png]


Connection to the LDAP Directory Service

For synchronization MailStore Server requires information on how to connect to the LDAP directory service and how to obtain the required data from it.

LDAP Connection

Name | Description
Server Name | DNS name or IP address of your LDAP server
Protocol | Configure whether the connection to the LDAP server is to be unencrypted on port 389, LDAP-TLS on port 389, or LDAP-SSL on port 636
Accept all certificates (only when using LDAP-TLS or LDAP-SSL) | If the certificate provided by the remote host cannot be verified (e.g. self-signed or signed by an unknown certificate authority), enable the option Accept all certificates to allow MailStore to establish a connection. As this option leads to an insecure configuration, warnings may appear in the summary and/or the dashboard.
Administrative DN | Distinguished Name (DN) or user name of a user with appropriate privileges on the LDAP server
Password | Password of the user specified in Administrative DN
Base DN | LDAP base DN, if needed

User Filter and Attributes

Name | Description
Filter (optional) | Filter LDAP objects to return only user objects with email addresses
User Name | The LDAP attribute containing the username that you wish MailStore to use
Local Part Only (E-mail Addresses / UPN) | If unchecked, MailStore will use the full username including the domain portion, e.g. username@example.com. If checked, MailStore will only use the local part of the User Name specified, e.g. username
Full Name (optional) | The full name of the user, for display purposes within MailStore
E-mail Addresses (opt.) | The LDAP attribute containing the user's email address. This can contain multiple, comma-separated e-mail addresses

Group Filter and Attributes

Name | Description
Filter | LDAP filter to return only group objects
Name | The LDAP attribute that contains the common name of a group
Description (optional) | The LDAP attribute that contains a human-readable description for each group
Members | The LDAP attribute that contains the common name of group members
Search Filter for Members | LDAP filter to resolve group members when members are not specified as a DN string as part of the group results. MailStore will fill in the {member} variable with values from the Members attribute
Group | The actual group(s) containing users that MailStore Server will synchronize

Authentication

  • Method
    Here you can choose how users that have been synchronized from LDAP will be authenticated.
    • LDAP
      With this option, users can log on directly to MailStore Server with their LDAP credentials. The provided credentials are relayed by MailStore Server to LDAP for verification.
    • AD FS (OpenID Connect)
      If your company employs Active Directory Federation Services (AD FS), users can also log on to MailStore Server using OpenID Connect through AD FS. For this, you have to configure your AD FS according to our setup guide and enter the following parameters in MailStore Server afterwards.
      • Discovery URI
        The URI by which the AD FS are reachable. Typically, this is the fully qualified domain name of the AD FS server followed by the path /adfs, e.g. https://adfs.example.com/adfs. The certificate used by the AD FS must be trusted.
      • Client ID
        The Client Identifier of the Application Group that has been created for MailStore Server in AD FS.
      • Redirect-URI
        The Redirect-URI that has been configured in the Application Group.
      • Always require credentials for login
        If this option is enabled, users must authenticate against AD FS every time they log on to MailStore Server.
    Please note: When using OpenID Connect to authenticate users, accessing the archive via IMAP is not possible for technical reasons.

Options

  • Automatically delete users in MailStore Server
    Here you can choose whether users that have been deleted in the LDAP directory will also be deleted in the MailStore Server user database by the synchronization. Users will also be deleted if they fall out of the scope of the configured settings.
    Only MailStore Server users that have their authentication method set to Directory Services will be deleted.
    If the archive folder of such a user already contains archived emails, only the user entry but not its archive folder will be deleted in MailStore Server.

Assigning Default Privileges

By default, users that have been synchronized to MailStore Server from a directory service have the privilege to log on to MailStore Server as well as read access to their own user archive.
You can configure those default privileges before synchronization, for example, to assign the privilege Archive E-mail to all new users. To do this, click on Default Privileges...
More information on managing user privileges and their effects is available in the chapter Users, Folders and Settings which also has details on editing existing privileges.

Configuration Samples

Active Directory

It is possible to connect LDAP Generic to Active Directory, allowing for more flexibility and control than MailStore's built-in Active Directory support. For example, LDAP Generic will allow you to accept invalid or self-signed certificates when using LDAP-SSL or LDAP-TLS, use custom filters or change which attributes are used by MailStore.

It is assumed that the Active Directory LDAP service is reachable by the MailStore instance on TCP port 389 or 636, including opening ports in the firewall, where applicable.

As most Active Directory configurations are quite similar, it will be possible to copy/paste most of the examples below, making only minor modifications based on your environment.

LDAP Connection

Name | Value | Description
Server Name | dc001.example.com | DNS name or IP address of an Active Directory domain controller
Protocol | LDAP | Do not use transport encryption
Protocol | LDAP-TLS | Use TLS as transport encryption
Protocol | LDAP-SSL | Use SSL as transport encryption
Accept all certificates | Enabled | Establish a TLS/SSL encrypted connection even if certificate validation fails
Accept all certificates | Disabled | Do not establish a TLS/SSL encrypted connection if certificate validation fails
Administrative DN | mailstore@example.com | Active Directory account for MailStore's use
Password | MySecretPassword | Password of the user specified in Administrative DN above
Base DN | Empty | The LDAP base DN is detected automatically in Active Directory environments

User Filter and Attributes

Name | Value | Description
Filter (optional) | (objectCategory=User) | All users
Filter (optional) | (&(objectCategory=User)(mail=*)) | All users with Active Directory e-mail addresses
Filter (optional) | (&(objectCategory=User)(proxyAddresses=*)) | All users with Exchange e-mail addresses
Filter (optional) | (&(objectCategory=User)(proxyAddresses=*)(mail=*)) | All users with Exchange e-mail addresses who are also listed in the global address book
User Name | userPrincipalName | Use the Active Directory user name as MailStore user name
User Name | sAMAccountName | Use the pre-Windows 2000 user name as MailStore user name
Local Part Only (E-mail Addresses / UPN) | Enabled | Only use the local part of the Active Directory user name in UPN format
Local Part Only (E-mail Addresses / UPN) | Disabled | Use the full Active Directory user name in UPN format
Full Name (optional) | displayName | The user's visible name in Active Directory
E-mail Addresses (opt.) | proxyAddresses | Exchange environments
E-mail Addresses (opt.) | mail | Non-Exchange environments

Group Filter and Attributes

Name | Value | Description
Filter | (objectCategory=Group) | All objects of category Group, usually all groups
Name | cn | Use the value of the LDAP attribute CN as group name
Description (optional) | description | Use the value of the LDAP attribute description as group description
Members | member | Use the value of the LDAP attribute member to determine group members
Search Filter for Members | empty | Group members are returned as Distinguished Names
Group | MailStore Users | Synchronize only users from the MailStore Users group

OpenLDAP

OpenLDAP is a commonly used LDAP server; configuring it requires some knowledge of your LDAP environment.

It is assumed that the LDAP service is reachable by the MailStore instance on TCP port 389 or 636, including opening ports in the firewall, where applicable.

As OpenLDAP is very flexible, configuration options vary from server to server and you may need to make significant modifications to the examples below to fit the schema used in your environment.

LDAP Connection

Name | Value | Description
Server Name | directory.example.com | DNS name or IP address of the OpenLDAP server
Protocol | LDAP | Do not use transport encryption
Protocol | LDAP-TLS | Use TLS as transport encryption
Protocol | LDAP-SSL | Use SSL as transport encryption
Accept all certificates | Enabled | Establish a TLS/SSL encrypted connection even if certificate validation fails
Accept all certificates | Disabled | Do not establish a TLS/SSL encrypted connection if certificate validation fails
Administrative DN | cn=admin,dc=example,dc=com | LDAP user name that MailStore should use for accessing the OpenLDAP server
Password | MySecretPassword | Password of the user specified in Administrative DN above
Base DN | dc=example,dc=com | The base DN of the LDAP directory

User Filter and Attributes

Name | Value | Description
Filter (optional) | (objectClass=posixAccount) | All objects of type posixAccount, usually all users
Filter (optional) | (&(objectClass=posixAccount)(mail=*)) | All users with a configured email address
User Name | uid | Use the value of the LDAP attribute UID as MailStore user name
User Name | cn | Use the value of the LDAP attribute CN as MailStore user name
Local Part Only (E-mail Addresses / UPN) | Enabled | Only use the local part of a user name in UPN format
Local Part Only (E-mail Addresses / UPN) | Disabled | Use the full user name in UPN format
Full Name (optional) | displayName | Use the value of the LDAP attribute displayName as the user's full name
E-mail Addresses (opt.) | mail | Use the values of the LDAP attribute mail as the email addresses of MailStore users

Group Filter and Attributes

Name | Value | Description
Filter | (objectClass=posixGroup) | All objects of class posixGroup, usually all groups
Name | cn | Use the value of the LDAP attribute CN as group name
Description (optional) | description | Use the value of the LDAP attribute description as group description
Members | member | Use the value of the LDAP attribute member to determine group members
Search Filter for Members | empty | Group members are returned as Distinguished Names
Search Filter for Members | (|(&(objectClass=posixAccount)(uid={member}))(&(objectClass=posixGroup)(cn={member}))) | Required when members (e.g. in memberUid) are given only as plain user or group names; MailStore substitutes each member value for {member}
Group | MailStore Users | Synchronize only users from the MailStore Users group
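The user and group filters above are RFC 4515 search filters, and the Search Filter for Members setting works by substituting each member value for {member}. The following added example (not MailStore's code) evaluates the page's OpenLDAP filters against a small constructed in-memory directory and resolves a group's members the same way, escaping the substituted value so that a member name containing filter metacharacters cannot widen the search; it assumes a memberUid attribute holding plain names rather than the sample's member attribute.

```python
"""Added example (not MailStore's code): evaluate this page's RFC 4515 filters and
resolve '{member}' lookups against a small constructed in-memory directory."""
import re

ITEM = re.compile(r'([A-Za-z][\w.;-]*)=([^)]*)\)')          # attr=value up to ')'
def ldap_escape(value):
    """Escape *, (, ), \\ and NUL as \\xx (RFC 4515) so a value cannot alter a filter."""
    return ''.join('\\%02x' % ord(c) if c in '\\*()\x00' else c for c in value)

def parse_filter(text):
    """Parse the filter subset used on this page: (&..), (|..), (attr=value), (attr=*)."""
    pos = 0
    def node():
        nonlocal pos
        if text[pos] != '(':
            raise ValueError('expected "(" at offset %d' % pos)
        pos += 1
        if text[pos] in '&|':                            # compound filter
            op, subs, pos = text[pos], [], pos + 1
            while text[pos] != ')':
                subs.append(node())
            pos += 1
            return (op, subs)
        m = ITEM.match(text, pos)                        # simple item
        if not m:
            raise ValueError('malformed item at offset %d' % pos)
        pos = m.end()
        return ('=', m.group(1).lower(), m.group(2))
    tree = node()
    if pos != len(text):
        raise ValueError('trailing characters after filter')
    return tree

def matches(tree, entry):
    """Evaluate a parsed filter against one entry (dict: lower-case attr -> list of values)."""
    if tree[0] == '&':
        return all(matches(s, entry) for s in tree[1])
    if tree[0] == '|':
        return any(matches(s, entry) for s in tree[1])
    values = entry.get(tree[1], [])
    if tree[2] == '*':                                   # presence test, e.g. (mail=*)
        return bool(values)
    wanted = re.sub(r'\\([0-9a-fA-F]{2})', lambda m: chr(int(m.group(1), 16)), tree[2])
    return any(v.lower() == wanted.lower() for v in values)   # undo \xx escapes, compare

# Constructed sample directory. memberUid (an assumption; the page's sample says 'member')
# holds plain names rather than DNs, the case the 'Search Filter for Members' setting covers.
DIRECTORY = [
    {'objectclass': ['posixAccount'], 'uid': ['alice'], 'mail': ['alice@example.com']},
    {'objectclass': ['posixAccount'], 'uid': ['bob']},                   # no mail attribute
    {'objectclass': ['posixAccount'], 'uid': ['carol'], 'mail': ['carol@example.com']},
    {'objectclass': ['posixGroup'], 'cn': ['staff'], 'memberuid': ['carol']},
    {'objectclass': ['posixGroup'], 'cn': ['MailStore Users'],
     'memberuid': ['alice', 'bob', 'staff', '*']},                     # '*' is a hostile value
]
# Filters taken from the page's OpenLDAP sample.
USER_FILTER = '(&(objectClass=posixAccount)(mail=*))'
MEMBER_FILTER = ('(|(&(objectClass=posixAccount)(uid={member}))'
                 '(&(objectClass=posixGroup)(cn={member})))')

def search(filter_text):
    """Return every directory entry matching an RFC 4515 filter string."""
    tree = parse_filter(filter_text)
    return [e for e in DIRECTORY if matches(tree, e)]

def resolve_members(group, seen=None):
    """Expand member names to users via MEMBER_FILTER (escaped), following nested groups."""
    seen = set() if seen is None else seen               # stops cycles and duplicates
    users = []
    for member in group.get('memberuid', []):
        if member.lower() not in seen:
            seen.add(member.lower())
            for hit in search(MEMBER_FILTER.replace('{member}', ldap_escape(member))):
                if 'posixgroup' in [c.lower() for c in hit['objectclass']]:
                    users.extend(resolve_members(hit, seen))
                else:
                    users.append(hit)
    return users

def sync_usernames(group_name):
    """User names MailStore would create for the configured Group, after the user filter."""
    groups = search('(&(objectClass=posixGroup)(cn=%s))' % ldap_escape(group_name))
    tree = parse_filter(USER_FILTER)
    return sorted({u['uid'][0] for g in groups for u in resolve_members(g) if matches(tree, u)})
```

Resolving the MailStore Users group yields alice and carol (carol through the nested staff group, bob dropped by the mail=* user filter), while the hostile member value matches nothing once escaped; substituted unescaped, the same value would match every user and group in the directory.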

Running Directory Services Synchronization

Click on Test Settings to check synchronization configuration and the results returned by the directory service without any changes to the MailStore Server user database being actually committed.

To finally run the synchronization, click on Synchronize now. The results are shown with any changes committed to the MailStore Server user database.

[Screenshot: Mads sync 02.png]


You can test the authentication for a user by first selecting that user from the list and then clicking on the button on the lower left. You will then be asked for that user's password. Upon clicking OK you will receive a message stating whether the authentication was successful.

Login with LDAP server Credentials

After synchronization MailStore users can log on to MailStore Server with their LDAP server username and LDAP server password.