OXLDAPSync Guide
Install on OX 6.22 or newer
Debian GNU/Linux 11.0
Add the following entry to /etc/apt/sources.list.d/open-xchange.list if not already present:
deb https://software.open-xchange.com/components/unsupported/oxldapsync/DebianBullseye/ /
# if you have a valid maintenance subscription, please uncomment the
# following and add the ldb account data to the url so that the most recent
# packages get installed
# deb https://[CUSTOMERID:PASSWORD]@software.open-xchange.com/components/unsupported/oxldapsync/updates/DebianBullseye/ /
and run
$ apt-get update
$ apt-get install oxldapsync
Debian GNU/Linux 12.0
Add the following entry to /etc/apt/sources.list.d/open-xchange.list if not already present:
deb https://software.open-xchange.com/components/unsupported/oxldapsync/DebianBookworm/ /
# if you have a valid maintenance subscription, please uncomment the
# following and add the ldb account data to the url so that the most recent
# packages get installed
# deb https://[CUSTOMERID:PASSWORD]@software.open-xchange.com/components/unsupported/oxldapsync/updates/DebianBookworm/ /
and run
$ apt-get update
$ apt-get install oxldapsync
How to run OX LDAP Sync
With OX LDAP Sync you can sync user and group objects from an LDAP-compatible directory with Open-Xchange. When you modify or add a user in your LDAP directory, oxldapsync will also modify or add that user in Open-Xchange.
Prerequisites
- An LDAP-server (currently openldap and ADS are supported)
- You need one user distinguished name who at least can search and read user objects. If you decide to synchronize groups, the ldap user needs to search and read these objects, too.
- If you want to synchronize groups you need to know if the membership to the group is defined by the userid or by the complete distinguished name of the user.
- User attributes you want to sync with Open-Xchange
- Open-Xchange must authenticate against the LDAP server instead of the database, which is the default. To achieve that, uninstall the package open-xchange-authentication-database, install open-xchange-authentication-ldap and configure it by editing /opt/open-xchange/etc/groupware/ldap.properties. As an alternative, open-xchange-authentication-imap can be used if your IMAP server authenticates against your LDAP server.
Configuring OX LDAP Sync
After installing OX LDAP Sync you will find the configuration files under /opt/oxldapsync/etc. You can use the example configuration files ldapsync.conf (OpenLDAP) and ldapsyn-ads.conf (Active Directory) as a starting point.
OpenLDAP
Open ldapsync.conf in your favourite text editor and change the following options to your needs:
- ldapuri: DNS name or IP of your LDAP server
- userbasedn: distinguished name under which the script will find user objects
- groupbasedn: distinguished name under which the script will find group objects
- ldaptype: type of LDAP server, in this case openldap
- ldapuserdn: distinguished name of the user which will be used to query the directory
- ldapuserpassword: password for the ldapuser
- mappingfile: absolute path to your LDAP attribute -> OX attribute mapping
- updategroups: "yes" if you want to also sync groups with OX
- updateAliases: whether the mail aliases of a user get updated with the ones from LDAP. If you can name only one mail address in your directory, say no here; you can then manually add further mail addresses in OX and they will not get deleted by the sync tool.
- usemodifytimestamp: set to yes to update only users modified since the last run
- userfilter: search filter to find user objects, internal default "(objectClass=inetOrgPerson)"
- groupfilter: search filter to find group objects, internal default "(objectClass=posixGroup)"
- deleteusers: say yes if you want to delete users in OX which are not in your directory and are not named by the "dontModifyUids" option
- deletegroups: say yes to delete, in OX, groups that are empty or that no longer exist in LDAP
- dontModifyUids: comma-separated list of uids which shall not be modified by the sync script. You should list at least the context admin here.
- groupMemberAttribute: name of the attribute which holds the members in a group object
- memberAttributeIsDN: say yes if groupMemberAttribute holds a distinguished name
- groupDisplayNameAttribute: display name attribute for groups
- groupNumberAttribute: unique number attribute for groups
- userPrimaryGroupAttribute: name of the attribute where a user's primary group is stored
In the mapping file you will find the OX options used to create or modify users. The name on the left side of the equals sign is the name of the OX option. On the right side you name the LDAP attribute that supplies the value for this option. You can also give static values by enclosing them in quotes.
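As an added example (not part of the guide and not the tool's own code), the following Python model shows how the mapping file format described above resolves against an LDAP entry, and how the deleteusers and dontModifyUids options described in the option list combine. The OX option names in the constructed mapping file are illustrative assumptions; the guard against an empty LDAP result is an assumed safety check, not documented behaviour of oxldapsync.

```python
import re
from typing import Dict, List, Tuple

# Constructed mapping file in the format the guide describes: OX option on the
# left of '=', LDAP attribute name on the right, or a quoted static value.
# The OX option names are illustrative assumptions, not the tool's own.
MAPPING_TEXT = """
username=uid
displayname=cn
givenname=givenName
surname=sn
email1=mail
language="de_DE"
"""

def parse_mapping(text: str) -> Dict[str, Tuple[bool, str]]:
    """Return {ox_option: (is_static, value)} for each 'key=value' line."""
    mapping = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        match = re.fullmatch(r'"(.*)"', value.strip())
        if match:                      # quoted: static value for every user
            mapping[key.strip()] = (True, match.group(1))
        else:                          # unquoted: name of an LDAP attribute
            mapping[key.strip()] = (False, value.strip())
    return mapping

def map_entry(mapping: Dict[str, Tuple[bool, str]], entry: Dict[str, List[str]]) -> Dict[str, str]:
    """Build the OX options for one LDAP entry; attributes missing from the entry are skipped."""
    opts = {}
    for ox_opt, (is_static, value) in mapping.items():
        if is_static:
            opts[ox_opt] = value
        elif value in entry:
            opts[ox_opt] = entry[value][0]
    return opts

def plan_sync(ldap_entries: List[Dict[str, List[str]]], ox_uids: List[str],
              dont_modify: str, delete_users: bool) -> Tuple[List[str], List[str]]:
    """Return (uids to create/modify, uids to delete), honouring dontModifyUids.
    Assumed safeguard: plan no deletions when the LDAP search returned nothing,
    because an empty result with deleteusers=yes would otherwise remove every OX user."""
    protected = {u.strip() for u in dont_modify.split(",") if u.strip()}
    ldap_uids = {e["uid"][0] for e in ldap_entries}
    upsert = sorted(u for u in ldap_uids if u not in protected)
    delete: List[str] = []
    if delete_users and ldap_uids:
        delete = sorted(u for u in ox_uids if u not in ldap_uids and u not in protected)
    return upsert, delete
```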
Active Directory
For Active Directory synchronization, modify at least ldapuri, userbasedn, groupbasedn, ldapuserdn and ldapuserpassword.
To run the script type
$ /opt/oxldapsync/sbin/oxldapsync.pl -f <CONFIG FILENAME> \
    -A <CONTEXT ADMIN USERNAME> \
    -P <CONTEXT ADMIN PASSWORD> \
    -c <CONTEXTID>
Additional parameters are:
- -h: help message
- -n: don't save the last user search time
- -v: verbose mode
- -s: print messages to stdout
To run this program regularly, just create a cronjob.
Troubleshooting
Special chars scrambled
If you run OX LDAP Sync via cronjob and the umlauts (ä, ö, ü, ...) of your entries in the "Global Addressbook" are scrambled, try setting the LANG environment variable in your crontab. For example, German UTF-8 users should set it to something like this:
LANG=de_DE.UTF-8
#m h dom mon dow command
0 23 * * Sun /path/to/oxldapsync.pl
For more information on using the crontab please visit this howto at The Linux Documentation Project.