LDAP Configuration

To configure LDAP properly you need some prior knowledge. To learn more about LDAP, search the Internet or follow the resource links. IceWarp Server's LDAP lets you immediately add, modify, delete and search records in LDAP.

The main settings are done in the LDAP\slapd.conf file. The file looks like this:

#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
ucdata-path ./ucdata
include ./schema/core.schema
include ./schema/cosine.schema
include ./schema/inetorgperson.schema

# Define global ACLs to disable default read access.

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org

pidfile ./run/slapd.pid
argsfile ./run/slapd.args

# Load dynamic backend modules:
# modulepath ./libexec/openldap
# moduleload back_bdb.la
# moduleload back_ldap.la
# moduleload back_ldbm.la
# moduleload back_passwd.la
# moduleload back_shell.la

# Sample security restrictions
# Require integrity protection (prevent hijacking)
# Require 112-bit (3DES or better) encryption for updates
# Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64

# Sample access control policy:
# Root DSE: allow anyone to read it
# Subschema (sub)entry DSE: allow anyone to read it
# Other DSEs:
#     Allow self write access
#     Allow authenticated users read access
#     Allow anonymous users to authenticate
# Directives needed to implement policy:
# access to dn.base="" by * read
# access to dn.base="cn=Subschema" by * read
# access to *
#     by self write
#     by users read
#     by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn. (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!

#######################################################################
# BDB database definitions
#######################################################################

database bdb
suffix ""
rootdn "cn=admin"
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw admin
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory ./data
# Indices to maintain
index objectClass eq

include

This item lets you include additional schema definitions. All schema definitions are located in the LDAP\Schema directory. You can create your own definitions and edit the existing ones. Make sure to follow the creation rules, otherwise LDAP will not start. If you are a beginner, always use the existing schema definitions.

suffix

This item identifies the suffix under which you will run the LDAP server. All client connections have to use this suffix. All DB records are also stored under this suffix, so when you change the suffix you need to create the records again under the new suffix. Usually the suffix resembles your domain name:

suffix "dc=icewarpdemo.com,dc=com"

So that you can use LDAP right away, we created the suffix:

suffix "dc=root"

rootdn

This item identifies the LDAP administrator user. This user does not need to exist as a record in LDAP and can still perform any action, such as adding, editing and deleting records. It always has to end with the suffix. The default is:

rootdn "cn=admin,dc=root"

rootpw

This item contains the password for the rootdn, the administrator account in LDAP.

The rest of the slapd.conf file lets you perform additional changes. Make sure you do not change them unless you know what you are doing. Any additional information can be found at http://www.openldap.org/.

access

This directive defines the access rights (ACL) to a database. By default, only authenticated users are allowed to read (not anyone). If you want to allow read access for anyone (which was the default before version 11.2.0), remove or comment out the access definition. Read the comments in the configuration file for more information on this subject.
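The rules above (a non-empty suffix, a rootdn that ends with the suffix, a hashed rather than cleartext rootpw, and an access directive so reads are not open to anyone) can be checked before slapd is restarted. The following checker is an added example, not IceWarp's or OpenLDAP's code: it parses the directive lines of a slapd.conf text and reports which of these rules fail. The two configurations embedded in it are constructed for the example; the `{SSHA}...` value is a placeholder, not a real hash.

```python
"""Added example: check the slapd.conf directives this page discusses.

Parses the directive lines of a slapd.conf text (comments and blank lines
skipped) and reports deviations from the rules stated on the page:
  - at least one schema is included;
  - suffix is set;
  - rootdn ends with the suffix;
  - rootpw is a slappasswd(8)-style hash, not cleartext;
  - an access directive is present (without one, slapd's built-in default
    is "access to * by * read", i.e. anyone may read).
Constructed sample input; not IceWarp's or OpenLDAP's own code.
"""
import re

# Constructed: the page's defaults, with the cleartext rootpw and no ACL.
SAMPLE_CONF = """\
# This file should NOT be world readable.
include ./schema/core.schema
include ./schema/cosine.schema
include ./schema/inetorgperson.schema
database bdb
suffix "dc=root"
rootdn "cn=admin,dc=root"
rootpw admin
directory ./data
index objectClass eq
"""

# Constructed: same file with a hashed rootpw (placeholder hash value) and the
# "users read" policy the page describes as the default since 11.2.0.
HARDENED_CONF = """\
include ./schema/core.schema
include ./schema/cosine.schema
include ./schema/inetorgperson.schema
database bdb
suffix "dc=root"
rootdn "cn=admin,dc=root"
rootpw {SSHA}PLACEHOLDER_HASH_FROM_SLAPPASSWD
directory ./data
index objectClass eq
access to *
    by self write
    by users read
    by anonymous auth
"""

# Password schemes slappasswd(8) can emit; anything else is treated as cleartext.
HASH_PREFIX = re.compile(r"^\{(SSHA|SHA|MD5|SMD5|CRYPT)\}", re.IGNORECASE)


def parse_slapd_conf(text):
    """Return (directive, value) pairs in file order.

    Comments and blank lines are skipped; a value is the rest of the line with
    one pair of surrounding double quotes removed. Indented ACL clauses such as
    "by users read" become their own entries, which is enough for these checks.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        directive = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        entries.append((directive, value))
    return entries


def first(entries, directive):
    """Value of the first occurrence of a directive, or None if absent."""
    for d, v in entries:
        if d == directive:
            return v
    return None


def check_slapd_conf(text):
    """Return a list of findings; an empty list means every rule holds."""
    entries = parse_slapd_conf(text)
    findings = []

    if not any(d == "include" for d, _ in entries):
        findings.append("no schema included: slapd will not know any object classes")

    suffix = first(entries, "suffix")
    if not suffix:
        findings.append("suffix is empty: records and client binds need a suffix")

    rootdn = first(entries, "rootdn")
    if rootdn is None:
        findings.append("rootdn missing")
    elif suffix and not rootdn.lower().endswith(suffix.lower()):
        findings.append(f"rootdn {rootdn!r} does not end with the suffix {suffix!r}")

    rootpw = first(entries, "rootpw")
    if rootpw is not None and not HASH_PREFIX.match(rootpw):
        findings.append("rootpw is cleartext: store a slappasswd(8) hash instead")

    if not any(d == "access" for d, _ in entries):
        findings.append("no access directive: slapd's default lets anyone read")

    return findings


if __name__ == "__main__":
    for name, conf in (("sample", SAMPLE_CONF), ("hardened", HARDENED_CONF)):
        print(name, check_slapd_conf(conf) or "ok")
```

Run it against a copy of your own LDAP\slapd.conf by reading the file into `check_slapd_conf`; the sample configuration yields two findings (cleartext rootpw and no access directive), the hardened one yields none.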

LDAP configuration > import on Windows

Get a certificate for AD server from a CA and import it.

This certificate for AD can be self-signed. It is the certificate used by the AD server you want to sync users from, and it has to be imported on the machine where IceWarp Server runs. Import it into the Trusted Root Certification Authorities store of the local machine so that even a service running under the system account can access it.

To get the certificate, use an LDAP browser or another third-party tool that connects to port 636; LDAP Admin is recommended.

Then you have to import the certificate into a certificate store that is accessible to services, because IceWarp runs as a service by default. If you run it under a particular user, you can of course import the certificate into a store accessible only to that user. Open mmc, add the Certificates snap-in and select Local computer as the scope.

The certificate's CN attribute and the AD hostname used in the IceWarp Server domain directory service settings must match.

When you configure IceWarp Server domain sync, use the same value for the hostname as in the certificate's CN property; otherwise the sync will not work, because the Windows library will not trust the certificate.