LDAP synchronization

The Axigen Solution: Overview & Architecture

The LDAP/Active Directory synchronization feature built into the Axigen mail server product aims to provide data and option setting synchronization between the email service and an external directory database providing service on the network. This feature facilitates the administration and configuration processes as it ensures and maintains the consistency of the two sub-systems with minimum interaction and supervision overhead.

Before attempting to interact with this feature, you need to have a firm understanding of the LDAP directory services and their administration or of the Microsoft Active Directory management process. Neither training in this respect nor support for are documented herein, as they fall under the sole responsibility of the customer, with the exception of specific options and procedures needed to be used in order to achieve certain tasks.

The Active Directory (AD) is based on regular LDAP implementations and the same methods can be used to access it as for the OpenLDAP software package. Consequently, the LDAP sync feature is compatible with both solutions. If one is interested in using the LDAP sync feature, one will have to make sure the minimum requirements are met, so incompatibility issues are avoided entirely.

Minimum requirements

This section lists the software requirements that the systems involved in the LDAP sync communication process and in the management of the entire solution should meet. The hardware requirements are not listed in this section as they can vary to great extent from one environment to another. For details on the hardware required in specific scenarios you should contact either the Sales Department or the Professional Services department for information.

  1. Mandatory Software Packages:
    1. An operating system compatible with the Axigen messaging solution, version 7.0 or newer
    2. The Axigen messaging solution, version 7.0 or newer
  2. Optional Software Packages:
    1. OpenLDAP Version 2.4.11 or later. Any version that supports the multi-master replication technology (optional).
    2. Active Directory Services – Included in Windows Server 2003 editions (optional).

Either one of the optional packages are compatible. However, you need to have at least one of them available and correctly configured in order to use the LDAP Sync feature.

Feature design & data flow

This section explains the behavior of the synchronization process and the options available to be set for this synchronization between the Axigen mail server and the supported directory database of your choice. The design and data flow section includes an overview of the technology and the processes it involves as well as a list of possible configurations for the sync process.

LDAP integration design

The standard LDAP (OpenLDAP) schema extension files are provided within the Axigen installation package to permit an OpenLDAP server administrator to extend the currently used schema (if any) with the Axigen mail server specific attributes. These attributes must be present in the schema file for the sync process to work as expected. If the attributes are not available, the sync process will fail and unexpected errors may be encountered.

Syncing information that is not available (or NULL) from one service to the other (either from LDAP to Axigen or vice versa) can lead to the destruction of already existing information in the destination system. Special care must be advised while performing such operations as they may lead to irreparable loss of data.

The Axigen server, being configured to perform automatic syncs with an LDAP server, performs periodical queries in the directory database to detect changes. Whenever a change of a relevant LDAP entry is received, a specific event, that triggers a sync action, is generated. A relevant LDAP entry has to match either the account filter or the group filter (depending on what is being synced), in the appropriate LDAP "BaseDN" property for that entry.

The following LDAP service configuration options (in the case of accounts and, respectively, groups) are used when inquiring the LDAP server for changes:

  • The LDAP BaseDN setting - This setting refers to the top of the directory tree that is used in the sync process.
  • The entry Object Class type - The class refers to the type of object listed in the database. This affects the other sync options that are specific to each object type.
  • Additional Filters - This value specifies the filters that apply to each entry. It is dependent on the object class type above.
  • The LDAP Polling Interval - LDAP searches (that detect changes) are performed periodically, based on the settings configured in the LDAP connector (the LDAP polling interval value).

When changes between the two databases are detected, they are queued up for syncing. After no more changes are detected for the entries in the LDAP database, the Axigen service will wait for the "LDAP Polling Interval" seconds before looking up changes in the database again. This process is repeated over and over and ensures that the consistency between the two databases is achieved regularly.

Active Directory integration design

The Active Directory integration involves the use of the Axigen extension provided, to allow extending the standard AD schema with the required Axigen attributes, as well as a Management Console (MMC) property page, to allow graphical editing of Axigen specific attributes when an account is modified to include the aforementioned properties.

The Axigen server, being configured to perform automatic syncs with an Active Directory service, performs periodical queries in the directory database to detect changes. Whenever a change of a relevant Active Directory entry is received, a specific event, that triggers a sync action, is generated. A relevant Active Directory entry has to match either the account filter or the group filter (depending on what is being synced), in the appropriate Active Directory "BaseDN" property for that entry.

The following LDAP service configuration options (in the case of accounts and, respectively, groups) are used when inquiring the LDAP server for changes:

  • The LDAP BaseDN setting - refers to the top of the directory tree that is used in the sync process.
  • The entry Object Class type - refers to the type of object listed in the database. This affects the other sync options that are specific to each object type.
  • Additional Filters - this value specifies the filters that apply to each entry. It is dependent on the object class type above.
  • The LDAP Polling Interval - LDAP searches (that detect changes) are performed periodically, based on the settings configured in the LDAP connector (the LDAP polling interval value).

Active Directory searches (that detect changes) are performed periodically, based on the parameter configured in the LDAP connector (LDAP polling interval). If changes are detected, they are queued. After no more changes exist in LDAP, the thread sleeps for "LDAP Polling Interval" seconds, then a new search is performed.

Synchronization options

To understand the synchronization methods and options, the association between the Axigen object and the LDAP / Active Directory entries needs to be taken into account. When the first successful synchronization of an Axigen account or group with an LDAP entry takes place, Axigen stores an identification of the corresponding LDAP / AD entry for further reference. Once this process takes place, the Axigen account or group will only be synchronized with the specific entry it was associated with and no other.

The association cannot be removed easily and should not be necessary in regular conditions. However, to perform this task, an administrative account with sufficient privileges needs to use the Axigen command line interface to remove it. The association between these elements can therefore only be removed by means of a CLI command.

1. Bidirectional synchronization

To perform bidirectional syncs between LDAP /AD and Axigen entries, the LDAP connector needs to be configured to reflect this fact. In the LDAP Connector configuration available in the Axigen WebAdmin interface, the "Synchronization direction" option needs to be set up with the "Both Ways" value.

Bidirectional syncs also need to have another parameter set up to be used in solving conflicts that may appear during the syncs. Conflicts arise when an entry was changed during the "LDAP Polling Interval" both in LDAP / AD and Axigen. This is not a situation encountered often, but it has to be addressed nonetheless. In this sense, the connector can be instructed which source of information will take precedence in case conflicts appear. By setting up the "Conflict resolution" option, one of the following three resolutions is attained:

  • Axigen wins. This case states that the changes performed in Axigen will take precedence and get written to LDAP / AD. The changes performed in the LDAP / AD configuration prior to the sync will be lost and only the changes performed in the Axigen configuration will remain.
  • LDAP wins. This case states that the changes performed in LDAP / AD will take precedence and get written to Axigen. The changes performed in the Axigen configuration prior to the sync will be lost and only the changes performed in the LDAP / AD configuration will remain.
  • No change. This case discards all changes and no service takes precedence. The entry is not modified at all and all changes, performed in both LDAP or AD and Axigen, are lost. The initial configuration will be kept without altering it in any way.

Depending on the setup requirements and the goals one wishes to achieve, only one of these bidirectional mechanisms can be used at any given time. You may, however, define more than one connector in the configuration of your Axigen server, each using a different sync mechanism.

2. LDAP/AD to Axigen synchronization

While using the LDAP / AD to Axigen sync method, the LDAP changes or modifications always take precedence. In addition, all changes expressly performed within the Axigen configuration will not be synced to LDAP or Active Directory, but will be disregarded completely.

You should use this method especially when you use an Active Directory setup and you plan on using the MMC add-on snap-in to manage the Axigen configuration for the users, and then sync it to the server itself to be applied. This method can also be applied if you use and OpenLDAP database and you are used to manipulating the settings of various other network services through its contents.

3. Axigen to LDAP/AD synchronization

While using the Axigen to LDAP / AD sync method, the Axigen changes or modifications always take precedence. In addition, all changes expressly performed within the LDAP / AD database will not be synced to Axigen, but will be disregarded completely.

This method should be used by administrators that use LDAP exclusively for Axigen related purposes and use the Axigen administration interface to perform changes setting regularly. It is also possible to use this method with Active Directory, though some seasoned administrators will always prefer using the AD specific administration tools over a new interface for each product.

Categories of synced data

The following categories of data and individual element changes are considered relevant with respect to the LDAP / Active Directory synchronization:

  1. Account objects - The account objects are user accounts present in the Axigen domain storage and directory entries that are associated with them. For the account sync to work, the "Account base DN" option must be specified in the LDAP connector configuration.
  2. Group objects - To sync groups the "Enable Group Synchronization" check-box must be enabled in the LDAP connector configuration and the "Group base DN" must be specified correctly.

For these two types of objects, the following table lists available events that result in sync actions. The last column (Account Type) also specifies the permissions required to make the listed changes in the server's configuration. Some changes require administrative privileges while others can be performed by account owners:

Regarding the list of contact information data that can be synced between Axigen and LDAP or AD services, only the ones listed below are included:

  • Account owner First Name;
  • Account owner Last Name;
  • Account owner Nickname;
  • Account owner Personal Email;
  • Account owner Business Email;
  • Account owner Phone;
  • Account owner Mobile Phone;
  • Account owner Home Phone;
  • Account owner Business Phone;
  • Account owner Home Address;
  • Account owner Business Address.

These values refer to the Axigen account personal information only and do not include any data related to Contacts or other data that may be stored by that account (address book, contact details, appointments, attendees etc.)

Integration processes

This section describes the configuration options and example setups that need to be used during the implementation of the LDAP/AD sync feature in new and existing setups. The integration consists in specific steps and procedures that must be abided to in order to achieve a successful integration of the sub-systems.

Important notices

1. Always back-up the information that may be damaged or lost in the synchronization process. Failure to do so may result in permanent data loss.

2. Make sure you fully understand the implications of each setting you change before committing or saving any new configurations. Changes that are not saved are automatically discarded by the server.

3. Once you enable the automatic sync process, make sure you only perform changes in a single administration interface to avoid inconsistencies. Failure to do so may result in changes not being applied correctly or being discarded during the sync process.

4. Do not use "Both Ways" sync methods unless absolutely necessary. Although conflict resolution takes care of any conflicts, changes performed on the same database by multiple agents can often lead to unexpected results and make any issue debugging process tedious.

Axigen LDAP connector configuration

This section describes the settings available in Axigen's configuration that apply to the LDAP synchronization feature and affect its behavior. Some of them are also briefly described in other sections of the documentation, but for centralization purposes all options will be explained in this section as well.

1. Synchronization options

The following screenshot provides a section preview of the modal window used during the creation of a new LDAP connector within the Axigen WebAdmin interface. The same options are available in the connector properties page, once it was created:

Option names and functions:

  • Server type - Specifies the type of LDAP server to use while performing the synchronization. This option can take two values only:
    • OpenLDAP – Enable this option if you plan on using an OpenLDAP type of server.
    • ActiveDirectory – Enable this option if you plan on using an Active Directory service.
  • Timeout - Specifies the maximum allotted time for each lookup being performed. Once this set value is exceeded, the lookup is terminated and a timeout is returned and logged.
  • Synchronization direction - This option specifies the source and destination of the sync. It can have one of the following values:
    • Axigen to LDAP – By using this setting only information from the Axigen storage is synced to LDAP. Any changes made in LDAP do not get saved at all and are discarded.
    • LDAP to Axigen – By using this setting only information from the LDAP database is synced to Axigen. Any changes made in Axigen do not get saved at all and are discarded.
    • Both ways – By using this option you will let both Axigen and LDAP update the entry configuration. While this option is enabled, the "Conflict resolution" option must be set up correctly.
  • Conflict resolution - This option is only available if the synchronization direction is set to "Both ways" and specifies which of the two possible sources takes precedence in case a conflict arises. It can take one of the following three values:
    • Axigen wins – By using this option, Axigen changes take precedence over LDAP changes.
    • LDAP wins – By using this option, LDAP changes take precedence over Axigen changes.
    • No change – By using this option, all conflicts are ignored and the changes discarded.

2. Directory lookup options

The following screenshot provides a section preview of the modal window used during the creation of a new LDAP connector within the Axigen WebAdmin interface. The same options are available in the connector properties page, once it was created:

Option names and functions:

  • Account base DN - This setting refers to the top of the directory tree that is used in the sync process for the user account objects.
  • Enable Group Synchronization - While this option is enabled group synchronization is activated for the LDAP connector in question. If this option is disabled, the "Group base DN" option is not available.
  • Group base DN - This setting refers to the top of the directory tree that is used in the sync process for the group objects. This option is not available while the "Enable Group Synchronization" option is disabled.
  • Use custom schema - While this option is enabled, a custom LDAP schema file may be loaded and used during the sync process. If this option is disabled, the "Custom schema file" variable is not available. Do not enable this option if you plan on using Active Directory instead of LDAP.
  • Custom schema file - This setting contains the path to the custom schema file to use. This option is not available while the "Use custom schema" option is disabled.

While configuring the LDAP connector, certain expanding variables can be used to substitute domain, account and other variable elements. The table below lists all of the usable variables, their meaning and an example of how they expand in practice:

3. Domain-specific options

The following screenshot provides a section preview of the domain-related options within the Axigen WebAdmin interface. The same options are available for all domains by entering their properties page, once they were created:

 

Option names and functions:

  • Enable LDAP synchronization. While this option is enabled, syncing for accounts and/or groups can take place for the objects part of this domain. While this option is enabled, a correct LDAP connector must also be specified.
  • LDAP connector. This option is not available unless the "Enable LDAP synchronization" option is active. To set the domain to synchronize with a LDAP service, you have to choose the correct connector from the drop-down list.

To enable and select a LDAP connector that is to be used during the sync process, you need to have one already defined and correctly configured.

Active Directory integration

The integration and configuration process that relates to the Active Directory is performed entirely using the Microsoft Management Console (MMC) and the add-in snap-in provided for this purpose as an extension. This snap-in application can be downloaded free of charge from the download page from Axigen's website.

Once the installation of the ".msi" (Microsoft Installer) package for the snap-in is complete, the integration process can begin and the configuration of the existing Active Directory accounts can be performed. Before any actions can be performed, the Axigen mail server has to be configured correctly to use the AD server for syncing purposes. For this reason, an LDAP connector must exist before the following procedure is executed. If the Axigen is not correctly configured, the sync process will fail.

With the "Axigen AD extension" package installed, a new tab will appear in the "Properties" section of the domain accounts. This tab can be accessed whether the selected account has the Axigen extensions enabled or not. To activate the Axigen extensions you need to right-click the account and select the "Create Axigen Account" option. This tab contents, for an account that has the Axigen extension enabled, is depicted in the following screenshot:

The options and configuration changes performed in this section apply exclusively to the Axigen mail server configuration for this account. Service related changes and account information do not apply and are not inherited by the domain data of this account. Changing the contact information for this account (e.g. first name) will not change the "first name" attribute of this account in the Active Directory database.

All changes applied to the account in the Axigen section feature this behavior. This approach is used in order to prevent inconsistencies and conflicts that may occur by completely separating the Axigen data from the regular account properties.

Options and settings available while using the Active Directory add-in include:

  • Alias management - This section allows the addition, modification and removal of email account aliases. These aliases can be used during the login procedure and for email delivery purposes.
  • Configuration inheritance - This section allows the modification of the default (implicit) inheritance scheme (settings inherited from the domain level configuration).
  • Service management - This section allows explicit definition of access levels for the email services, including SMTP, IMAP, POP3, WebMail and remote POP.

  • Quota management - This section allows the configuration of the maximum allowed storage space that can be used by the account. By default this setting is inherited from the domain level. The following screenshot depicts the available service-related options:
  • Restriction management - This section allows the explicit definition of certain restrictions related to password enforcement, email number, folder number etc. By default the settings here are inherited from the domain level.
    • Password - The password enforcement section allows the configuration of various rules that aim to increase the difficulty of password guessing. To change the default inherited options here, you need to click the "Set Explicit" button and the make the necessary modifications.
    • Sessions - Allows the configuration of maximum concurrence values accepted per service for the respective account. To change the defaults you need to click the "Set Explicit" button next to the required option and make the changes.
    • WebMail - Allows the configuration of attachment size and number as well as the maximum message size for WebMail generated messages. To change the defaults you need to click the "Set Explicit" button next to the required option and make the changes.
    • Body Filtering - This option applies to HTML message contents read through the WebMail interface. To change the defaults you need to click the "Set Explicit" button next to the required option and make the changes.
    • Message Sending - This section allows the setup of limitations on the number of messages delivered by the account in a certain time interval. To change the default inherited options here, you need to click the "Set Explicit" button and the make the necessary modifications.
    • Remote POP - Allows the definition of a maximum number of RPOP accounts and the minimum RPOP polling time. To change the defaults you need to click the "Set Explicit" button next to the required option and make the changes.
    • Temporary Email - Allows the activation or deactivation of this feature for the account, the number of addresses that can be created and the maximum expiry time for each of them. To change the defaults you need to click the "Set Explicit" button next to the required option and make the changes.
    • Send / Receive - Options that limit the behavior of send or received emails by this account. To change the defaults you need to click the "Set Explicit" button next to the required option and make the changes.
  • Contact information management - This section allows the modification of the contact data for the account owner (first name, address, email address, phone number etc.). These settings can be changed by the account owner upon login in the WebMail interface, through the use of the "Settings" panel.

In order to gain access to these settings the Active Directory administrator needs to enable the Axigen configuration for each account. This process requires each account to be added the Axigen set of parameters and enabling the sync options for the account. To perform this step and activate the Axigen configuration for a user account in the Active Directory database, you need to open the "Domain Users and Computers" snap-in and right-click one of the user accounts. Within the right-click menu a new option will be available if the snap-in was installed correctly:

In order to remove the Axigen-related properties of the account the same process should be repeated, only instead of the "Create Axigen Account" the "Remove Axigen Account" option should be chosen.

Once the "Axigen Account" is appended to the Active Directory user, the sync for this account will be performed by Axigen on each lookup if modifications are detected. The sync process will take place in one direction or the other depending on the settings defined for the LDAP connector used to perform the sync.

OpenLDAP integration

The integration between the Axigen mail server and the OpenLDAP software package and service is rather straight-forward in the sense that only some initial configuration is involved for the latter solution with the rest of the details being synced from the mail server database automatically. To set up the LDAP service appropriately, you must first make sure the version you are running is compatible with Axigen. You need to be using a LDAP version newer than 2.4. If you are not running a correct version you have to upgrade your LDAP server before attempting to run the sync. It is important to run the latest version of LDAP to make sure the integration is performed as smoothly as possible.

The sync process in OpenLDAP can generate a lot of stress for the application. The LDAP protocol and database structure was created and optimized for few writes and many reads and therefore can generate problems with performance in case a flood of updates (syncs) takes place.

Once you have a supported LDAP version, you need to configure it appropriately before populating the database. The configuration file should include the correct schemas for the objects to be created and managed:

Also very important, you have to enable support for the second version of the LDAP protocol:

Following are the recommended database options, as well as the indexing options that are normally used for the Axigen entry value (expected) contents:

Of course, you always have to replace the "dc=" sections with the domain name you plan on using and the administrative password which is only provided here for reference purposes. The indexing options should be specified at all times if you plan on having a decent performance for your lookups. Failure to set the indexing options before populating the database may result in additional future configuration overhead to apply this change.

To enable replication support, you need to enable the following configuration options in the LDAP configuration file:

In the above example, the "syncprov-checkpoint" arguments create a new checkpoint every 30 minutes or every 100 operations. Also, the "sessionlog" will be limited to 1.000 entries and if you plan on making (or expect) a lot of syncs to take place in a short while (or at once), you should consider increasing this number of kept records.

Lastly, you have to enable support for "Member-of" support (for groups) if you plan on using this feature:

This concludes the LDAP configuration file contents and requirements. On top of this initial setup you will have to consider a couple of more details before moving on with the integration. First off, if you already have a populated LDAP database you should either use another (different) database for Axigen related syncs or upgrade the current entry layout to match the following design:

  • Root node layout:
  • Organization node layout:
  • Groups unit layout:
  • User unit layout:

Based on the node and unit (entry) layout above you should be able to generate the appropriate LDIF files for your specific scenario. Relevant information on the actual properties attached to the Axigen entries in LDAP can be found in the LDAP schema file called "axigen.schema".

In addition to this approach you may also choose to let Axigen sync the data and automatically create the entries in the LDAP server through the regular update process of the database. In fact the second approach is the recommended one in most cases, except of course if you already have a populated database that may be corrupted during this process.