Directory Service

This option allows you to have IceWarp Server synchronized with directory service via LDAP protocol.

Figure. Domain level management: Directory Service tab.

It supports Active Directory (AD) or other kinds of LDAP directory servers. However, we recommend using LDAP server that supports operational attributes modifyTimestamp and entryUUID. For instance, you may use OpenLDAP. IceWarp Server uses those attributes to identify entity even after email address is changed or to detect change of user data. If you don't use these two attributes, the only way to identify the entity is to use an email. In this case IceWarp Server process all user data on each synchronization. This can cause serious performance problems. In order to avoid it, you need to disable synchronization of groupware (user) data. Go to File > API console, set c_system_adsyncdisablevcardsync API variable to true.

IceWarp Server synchronizes on a regular basis. This means that if you make any changes to user data within the directory server, they will be reflected on IceWarp Server. However, there is a limitation. IceWarp Server stores most of user properties into its vCard, which are handled by groupware. If you change vCard on IceWarp Server side, the change will not be saved during synchronization. It happens because the attributes in LDIF are not stored in IceWarp Server for the changed entity.

Synchronization is done every five minutes by default. If you want to change the time, go to File > API console and set new value in the c_accounts_global_activedirectorysyncinterval API variable.

Note: Only one-way synchronization is possible. Directory server pushes changes to IceWarp Server. If you change user data within IceWarp Server , this change will not be reflected on the directory server and IceWarp Server will revert this change to match the state on the directory server. But you can still create users within the domain which do not exist on your directory server. Such users will not be affected by the synchronization engine.

Exception: There is a way how users synchronized against a directory server can change their passwords via IceWarp WebClient. This option is available for Active Directory and IceWarp Server version 10.3.0 and newer, for generic LDAP servers version 11.2.0 and newer. For more information, refer to the Changing Password via IceWarp WebClient.

User template will be applied on newly created IceWarp accounts since version 11.3.0.

General section

The option "Synchronize users and groups with directory service" is available only for products with Cisco Integration enabled. Also when external synchronization library is presented in dedicated folder - {install_path}/externalsync. Check the checkbox to allow synchronization of users and groups with an Active Directory or other LDAP server.

Figure. Directory Service tab: General section.

Server section

In this section you can specify the details of the directory server.

Figure. Directory Service tab: Server section

Field

Description

Server lookup type

Сhoose one the options:

  • Use hostname: use IP address or URL

  • Use DNS SRV lookup: DNS record for LDAP/AD server

  • Use DNS SRV lookup + SSL: DNS record for LDAP/AD server (secured)

Hostname

Specify the Hostname or IP of the directory server. To use LDAP over SSL in combination with windows.dll and Active Directory, you should use FQDN of the directory server (the same value must be used in the Common name in certificate of that server).

Note: You can force secure communication with the LDAP server by specifying: ldaps://{your_ldap_server} (port can be specified using the :port suffix).
Example: ldaps://ldap.icewarp.com:636
or ldaps://182.164.6.24

Backup hostname

Specify a backup directory server, if you have one.

Note: This setting may cause a problem with user login as IceWarp. It is not capable to store authentication string (user API variable u_authmodevalue) longer than 116 characters.
This limit is fixed in version 11.5.0.

Username

Specify a user with access rights to user information on the directory server.

User with read-only rights can synchronize itself. However if such user wants to change password, he should have write permission too.

Password

Specify the password for the user above.

Synchronize Now

If you click this button, IceWarp Server will synchronize the domain with the specified directory server immediately.

DN

This field is intended to be used for more precise control over the domain you access. DN can serve as an additional filter. It defines the scope of what is going to be read from directory server.

If you need to enter anything here, then it should be a complete DN, e.g.: cn=Users,dc=icewarp,dc=comordc=icewarp,dc=com for all accounts in all sub nodes.
Please ask your directory server administrator for the complete DN.

Warning: If you need to search through a large scope, but there are not many objects, which match sync configuration, limit the query results with filter. Object, which match usually have desired mail attribute value.
For more information about this topic, refer to Sync Accounts from Multiple Email Domains.

Test connection

Click this button to check that IceWarp Server can access the LDAP server. This test will reveal what is returned from your directory server to IceWarp Server . Basically, you can check your synchronization settings..

Advanced section

In this section you can specify advanced settings of the directory server.

Figure. Directory Service tab: Advanced section.

Field

Description

LDAP server type

Select from the list

  • Active Directory: choose this option for Microsoft Active Directory.

  • Generic LDAP: choose this option for other LDAP servers, e.g.: OpenLDAP.

Filter

(for both users and groups)

In this field, you can specify the full LDAP filter for users and groups respectively for synchronization. The syntax of the filter can be either simple or complex. For simple syntax, just enter the objectClass which represents a user or a group respectively on your directory service, e.g.: User  (Group )

For complex syntax enter the full filter in the syntax supported by your directory service enclosed in brackets, e.g.:

(&(objectClass=inetOrgPerson)(mail=*domain.com*))
(userAccountControl=66048) - synchronizes users with the given userAccountControl.

Generally, use the right syntax expression that the directory service (OpenLDAP, AD, etc.) uses for the desired category. For more information see the appropriate RFC: LDAP Object Class - RFC 2798; LDAP search filter syntax - RFC 2254.

Most typical objects types:

  • User: Typically used by AD.

  • Group: Typically used by AD.

  • inetOrgPerson:Objects typically used by LDAP.

You will find more information on Sync Accounts from Multiple Email Domains.

Figure. Directory Service tab: Advanced section.

Field

Description

Directory service domain is different from this domain name

Check this option in the following cases:

  • The domain names in IceWarp Server and your directory server do not match.

  • When the domain used in mail attribute in the directory server does not match domain in IceWarp Server.

  • When both of the former cases are true.

See the The domain names of your directory server and IceWarp Server do not match and Email Domain of AD Accounts Is Different from IceWarp Server Domain.

Domain

If your LDAP domain name is different from your IceWarp Server domain name, you should specify it here. You can also specify a second AD domain name here, separated with a semicolon, if required. Ask your AD administrator whether it is necessary.
Example 1:

  • IceWarp Server domain = icewarpdemo.com

  • AD server domain = ADDomain

  • Email addresses in ADDomain are *@icewarpdemo.com

  • Enter ADDomain

Example 2:

  • IceWarp Server domain = icewarpdemo.com

  • AD server domain = ADDomain

  • Email addresses in ADDomain are *@mydomain.com

  • Enter ADDomain;mydomain.com

Example 3:

See the The domain names of your directory server and IceWarp Server do not match and Email Domain of AD Accounts Is Different from IceWarp Server Domain.

AD login source

Select which property is used as a source of login by onto your directory server. This setting controls what is put into the u_authmodevalue variable of a synchronized user:

  • Use userprincipalname: the authentication value should end with user@domain.

  • Use samaccountname: the authentication value should end just with NT user name.

  • Use DN: the authentication string should end with something like CN=TheOne,CN=Users,DC=example,DC=com.

Local username source, Basic property

This setting determines which LDIF attribute will be used by the IceWarp Server as username for IceWarp provided services:

  • Primary Alias of AD Account: alias taken from mail attribute is used.

  • Login of AD Account: the selected AD login source (see above) is used.

  • CN of AD account: the common name of directory server object is used.

 

Local username source,Custom AD property

Set a custom LDIF attribute that you want to use as a source for username of accounts in IceWarp Server. Setting a value into this field will override and disable what you set in the Basic property dropdown. This field displays content of the USERNAMEFROMSPECIALFIELD element of the syncad.dat config file.

For instance, if you wish to use LDIF attribute description as username in IceWarp Server, type description into this input.

Add AD login to local alias

Check this box if you want the user's AD login name to be added to the Alias field within the Management > {domain} > {user} > User. AD login name refers only to alias and not to the whole email address.

Kerberos/GSSAPI/SSO section

Figure. Directory Service tab: Kerberos/GSSAPI/SSO section.

Field

Description

Enabled

Check the box if you want to use Single Sign-On (SSO).

Service name

Fill in the service name.

The syntax is: {site_name}@{ACTIVE_DIRECTORY_SERVER_DOMAIN}

Example: server.icewarp.com@AD.ICEWARPDEMO.COM

You may also use the FQDN or domain of your IceWarp Server instance.

Note: SSO service name consists of two parts: {vhost} @ {ADSERVER}.
{vhost} can be the same if you use the same {ADSERVER} for multiple IceWarp domains.

If you want to create multiple SSO enabled domains which are connected to multiple AD domains, you should create different {vhost} parts.

Remote account matching

Select the way how IceWarp Server users will be matched with accounts in your directory server.

  • Match with username. In this case you will use user's IceWarp ServerUsername.

  • Match with alias: In this case you will use user's IceWarp ServerAlias.

  • Match with AD user's connection string: In this case you will use the Authentication field (when LDAP/Active Directory are selected).
    See the {user} > Options > Account section.

Place keytab files under "config/_keytabs" directory

Click the Manage keytabs button to open a file manager. Into the {install_directory}/config/_keytabs/ folder, place files with keys generated by Active Directory for individual principals (SMTP, IMAP, POP, XMPP, HTTP) using the ktpass command.

Each file name has the following format: {principal}#{server_name}@{ACTIVE_DIRECTORY_SERVER_DOMAIN}

Examples:

  • xmpp#server.icewarp.com@AD.ICEWARPDEMO.COM

  • HTTP#server.icewarp.com@AD.ICEWARPDEMO.COM

The syncad.dat File

The file path is [install_directory] > config. Besides of tags with self-explanatory names, this file includes ones that need explanation. See the list of tags below.

<USERNAMEFROMADUSERNAME>1</USERNAMEFROMADUSERNAME> - if enabled (1), account name is imported from attributes givenname and sn, but only in the case both are not empty and vCard synchronization is disabled, otherwise the name is determined in a common manner. For more information refer to How AD Sync Determines User Full Name.

<ALLDATADELETION>0</ALLDATADELETION> - if enabled (1), emails and all other account bound data stored on mail storage are deleted when sync mechanism removes an account from IceWarp Server . This setting prevents accidental data loss (not all of them). On the other hand, it comes at a price as the mail storage has to be purged manually.

<VCARDMAP> - feature that allows control over import of LDIF attributes to IceWarp groupware. For more information refer to vCard Map Feature.

<GROUPSUPPORTREMOTEMEMBERS>0</GROUPSUPPORTREMOTEMEMBERS> - if enabled (1), groups can contain even members whose mail attribute value does not match sync settings (such members would not be accepted as users due to an email address from a different domain). If you want to synchronize a distribution group with email addresses that do not belong to any user synced to IceWarp, this is the option to allow it.

Hierarchical Address Book (HAB)

Synchronization can be configured to convert organization units on the directory server into IceWarp Server groups. These groups can then be a part of HAB. This functionality has to be set manually in the syncad.dat file ([install_directory]/config/).

There are three nodes to configure:

  1. <CREATEGROUPSFOROUS>1</CREATEGROUPSFOROUS>

    This makes the AD/LDAP sync to create groups for all relevant organization units.

    For instance, you want to import the following user into IceWarp: dn: CN=Lukas Novak,OU=Client,OU=Webmail,OU=Devel,DC=icewarp,DC=in. In this case four groups are created automatically: Client, Webmail, Devel and Contacts. Lukas is a member of the Client group. Client group is a member of the Webmail group, etc. The Contacts folder is automatically set as the root group.

    Note: The alias of the group has to be plain ASCII and unique. In the order to follow this rule, group aliases are constructed as ou=<name>_<id>.

  2. <GROUPSFOROUSROOT>OU=Webmail,OU=Devel</GROUPSFOROUSROOT>

    This option allows skipping of some organization units from being converted into groups. You can specify which organization unit (must be in scope of DN) to use as the root one. Only units belonging under that unit will be converted into groups.

    On the contrary to the previous example, setting the root group like as follows:

    <GROUPSFOROUSROOT>OU=Webmail,OU=Devel</GROUPSFOROUSROOT>

    synchronization of the same user object:

    dn: CN=Lukas Novak,OU=Client,OU=Webmail,OU=Devel,DC=icewarp,DC=in

    would cause creation of only two groups - Client and Webmail. The Contacts folder will not be set as the root group, because we can determine the name of the root from <GROUPSFOROUSROOT>.

  3. <GROUPSFOROUSROOTNAME>Some name</GROUPSFOROUSROOTNAME>

    This option can override the default name of the root folder.

    Examples (all cases require having CREATEGROUPSFOROUS set to 1):

    Settings:

    <GROUPSFOROUSROOT>OU=Webmail,OU=Devel</GROUPSFOROUSROOT>

    <GROUPSFOROUSROOTNAME>Units</GROUPSFOROUSROOTNAME>

    User:

    dn: CN=Lukas Dvorak,OU=Client,OU=Webmail,OU=Devel,DC=icewarp,DC=in

    Created groups: Units, Client

    Settings:

    <GROUPSFOROUSROOT></GROUPSFOROUSROOT>

    <GROUPSFOROUSROOTNAME>Units</GROUPSFOROUSROOTNAME>

    User:

    dn: CN=Lukas Dvorak,OU=Client,OU=Webmail,OU=Devel,DC=icewarp,DC=in

    Created groups: Units, Devel, Webmail, Client.

    Settings:

    <GROUPSFOROUSROOT></GROUPSFOROUSROOT>

    <GROUPSFOROUSROOTNAME></GROUPSFOROUSROOTNAME>

    User:

    dn: CN=Lukas Dvorak,OU=Client,OU=Webmail,OU=Devel,DC=icewarp,DC=in

    Created groups: Contacts, Devel, Webmail, Client.

    Settings:

    <GROUPSFOROUSROOT>OU=Devel</GROUPSFOROUSROOT>

    <GROUPSFOROUSROOTNAME>Units</GROUPSFOROUSROOTNAME>

    User:

    dn: CN=Lukas Dvorak,OU=Client,OU=Webmail,OU=Devel,DC=icewarp,DC=in

    Created groups: Units, Webmail, Client.