How to reset the LDAP association and force the LDAP synchronization for account and groups

This article describes how to reset the LDAP association and force the LDAP synchronization for accounts and groups.

Resolution

When Axigen accounts and groups are synchronized to an OpenLDAP server, Axigen stores for each account and group its LDAP ID, that is, the value of the entryUUID attribute of the corresponding LDAP entry.

The synchronization between Axigen and OpenLDAP is described in the KB article available at: https://www.axigen.com/kb/show/267

There may be situations when the administrator wishes to reset the LDAP association in Axigen and force the synchronization of accounts and groups to the OpenLDAP server. For example, if the OpenLDAP server is replaced with a new server which contains the OU structure but not the accounts and groups, or if the LDAP database is restored without preserving the entryUUID values.

The LDAP ID associated with an Axigen account or group can be seen using the show registryinformation CLI command, as shown below; it appears in the Associated LDAP ID field.

For the examples below, the associated LDAP IDs are:

  • ba00a5fc-6d4f-1036-9601-df0305cba63d — for the "acct1" account
  • 3247b3f2-6d50-1036-9602-df0305cba63d — for the "group1" group

Example:

	<#> update domain ts9.gecadco.local
	+OK: command successful
	<domain#> update account acct1
	+OK: command successful
	<domain-account#> show registryinformation

	The registry information:
	Creation Date = Thu, 12 Jan 2017 22:15:48 +0200
	Modification Date = Thu, 12 Jan 2017 22:17:13 +0200
	POP3 Last Login Date = Thu, 01 Jan 1970 02:00:00 +0200
	POP3 Last Login IP = 0.0.0.0
	IMAP Last Login Date = Thu, 01 Jan 1970 02:00:00 +0200
	IMAP Last Login IP = 0.0.0.0
	OLK Last Login Date = Thu, 01 Jan 1970 02:00:00 +0200
	OLK Last Login IP = 0.0.0.0
	OLK Last Connector Version = 0.0.0.0.0
	WebMail Last Login Date = Thu, 01 Jan 1970 02:00:00 +0200
	WebMail Last Login IP = 0.0.0.0
	Active Sync Last Login Date = Thu, 01 Jan 1970 02:00:00 +0200
	Active Sync Last Login IP = 0.0.0.0
	Internal ID = 0x00000CB4
	Internal Mbox Container ID = 0x01001495
	Configuration Version = 10.0.0
	Mbox Storage Version = 5.0.2
	Associated LDAP ID = ba00a5fc-6d4f-1036-9601-df0305cba63d
	Associated LDAP DN = cn=acct1,ou=Users,dc=ts9,dc=gecadco,dc=local
	Configuration Status = Ok
	Domain storage id = 00-00-7DE7-5317C0B4-68E49F22
	Mbox size = 0 Kb
	Mbox message count = 0 message(s)
	Mbox folder count = 13 folder(s)
	Mbox removed folder count = 0 folder(s)
	Mbox removed folder cleanup = not running
	Mbox Storage Status = Ok
	Password can be changed = yes
	Password in warning interval = no
	Password status = active

	+OK: command successful
	<domain-account#> 


	<domain-account#> back
	switching back to previous context.
	+OK: command successful


	<domain#> update group group1
	+OK: command successful
	<domain-group#> show registryinformation

	The registry information:
	Creation Date = Thu, 12 Jan 2017 22:19:42 +0200
	Modification Date = Thu, 12 Jan 2017 22:19:42 +0200
	Internal ID = 0x000007DA
	Configuration Version = 10.0.0
	Associated LDAP ID = 3247b3f2-6d50-1036-9602-df0305cba63d
	Associated LDAP DN = cn=group1,ou=Groups,dc=ts9,dc=gecadco,dc=local
	Configuration Status = Ok
	Domain storage id = 00-00-7DE7-5317C0B4-68E49F22

	+OK: command successful
	<domain-group#> 

When a change is made to the account or group in Axigen and the synchronization direction is Axigen to LDAP or both ways, Axigen searches LDAP for the stored entryUUID value in order to synchronize that change. If no entry with that entryUUID value exists (the value is missing or different), a "Lost association" error similar to the one below is logged in Axigen's LDAP synchronization log and the change is not synchronized to LDAP:

	2017-01-12 22:17:13 +0200 16 ts9 USERDB:00000006: >> LDAP bind user='cn=admin,dc=ts9,dc=gecadco,dc=local'
	2017-01-12 22:17:13 +0200 08 ts9 USERDB:00000006: Connected to server ldap://192.168.100.100:389 from domain ts9.gecadco.local
	2017-01-12 22:17:13 +0200 08 ts9 USERDB:00000006: Begin synchronize ADD/MODIFY operation for user acct1 with id 0x00000CB4 on domain ts9.gecadco.local
	2017-01-12 22:17:13 +0200 16 ts9 USERDB:00000006: >> LDAP search DN='ou=Users,dc=ts9,dc=gecadco,dc=local' filter='(&(entryUUID=BA00A5FC-6D4F-1036-9601-DF0305CBA63D)(mailHost=ts9.gecadco.local))'
	2017-01-12 22:17:13 +0200 16 ts9 USERDB:00000006: >> LDAP search DN='ou=Users,dc=ts9,dc=gecadco,dc=local' filter='(&(objectClass=inetOrgPerson)(uid=acct1)(mailHost=ts9.gecadco.local))'
	2017-01-12 22:17:13 +0200 08 ts9 USERDB:00000006: End synchronize ADD/MODIFY operation for user with id 0x00000CB4 on domain ts9.gecadco.local with result 'Lost association'

To force the synchronization, the administrator resets the LDAP association for the account or group with the reset ldapassociation CLI command and then makes a new change to the account or group in order to trigger the synchronization.

Example:

	<#> update domain ts9.gecadco.local
	+OK: command successful
	<domain#> update account acct1
	+OK: command successful
	<domain-account#> reset ldapassociation
	+OK: command successful
	<domain-account#> show registryinformation

	The registry information:
	Creation Date = Thu, 12 Jan 2017 22:15:48 +0200
	Modification Date = Thu, 12 Jan 2017 22:46:27 +0200
	POP3 Last Login Date = Thu, 01 Jan 1970 02:00:00 +0200
	POP3 Last Login IP = 0.0.0.0
	IMAP Last Login Date = Thu, 01 Jan 1970 02:00:00 +0200
	IMAP Last Login IP = 0.0.0.0
	OLK Last Login Date = Thu, 01 Jan 1970 02:00:00 +0200
	OLK Last Login IP = 0.0.0.0
	OLK Last Connector Version = 0.0.0.0.0
	WebMail Last Login Date = Thu, 01 Jan 1970 02:00:00 +0200
	WebMail Last Login IP = 0.0.0.0
	Active Sync Last Login Date = Thu, 01 Jan 1970 02:00:00 +0200
	Active Sync Last Login IP = 0.0.0.0
	Internal ID = 0x00000CB4
	Internal Mbox Container ID = 0x01001495
	Configuration Version = 10.0.0
	Mbox Storage Version = 5.0.2
	Associated LDAP ID = (none)
	Associated LDAP DN = (none)
	Configuration Status = Ok
	Domain storage id = 00-00-7DE7-5317C0B4-68E49F22
	Mbox size = 0 Kb
	Mbox message count = 0 message(s)
	Mbox folder count = 13 folder(s)
	Mbox removed folder count = 0 folder(s)
	Mbox removed folder cleanup = not running
	Mbox Storage Status = Ok
	Password can be changed = yes
	Password in warning interval = no
	Password status = active

	+OK: command successful
	<domain-account#> 

After performing the change on the account, the synchronization log will be similar to:

  • if the entryUUID value was missing, a new entry is added:

	2017-01-12 22:47:36 +0200 16 ts9 USERDB:00000006: >> LDAP bind user='cn=admin,dc=ts9,dc=gecadco,dc=local'
	2017-01-12 22:47:36 +0200 08 ts9 USERDB:00000006: Connected to server ldap://192.168.100.100:389 from domain ts9.gecadco.local
	2017-01-12 22:47:36 +0200 08 ts9 USERDB:00000006: Begin synchronize ADD/MODIFY operation for user acct1 with id 0x00000CB4 on domain ts9.gecadco.local
	2017-01-12 22:47:36 +0200 16 ts9 USERDB:00000006: >> LDAP search DN='ou=Users,dc=ts9,dc=gecadco,dc=local' filter='(&(objectClass=inetOrgPerson)(uid=acct1)(mailHost=ts9.gecadco.local))'
	2017-01-12 22:47:36 +0200 16 ts9 USERDB:00000006: >> LDAP add entry DN 'cn=acct1,ou=Users,dc=ts9,dc=gecadco,dc=local'
	2017-01-12 22:47:36 +0200 16 ts9 USERDB:00000006: >> LDAP search DN='cn=acct1,ou=Users,dc=ts9,dc=gecadco,dc=local' filter='null'
	2017-01-12 22:47:36 +0200 08 ts9 USERDB:00000006: End synchronize ADD/MODIFY operation for user with id 0x00000CB4 on domain ts9.gecadco.local with result 'Success'

  • if the entryUUID value was different, the account is associated with that LDAP entry:

	2017-01-12 22:53:12 +0200 16 ts9 USERDB:00000006: >> LDAP bind user='cn=admin,dc=ts9,dc=gecadco,dc=local'
	2017-01-12 22:53:12 +0200 08 ts9 USERDB:00000006: Connected to server ldap://192.168.100.100:389 from domain ts9.gecadco.local
	2017-01-12 22:53:12 +0200 08 ts9 USERDB:00000006: Begin synchronize ADD/MODIFY operation for user acct1 with id 0x000007D9 on domain ts9.gecadco.local
	2017-01-12 22:53:12 +0200 16 ts9 USERDB:00000006: >> LDAP search DN='ou=Users,dc=ts9,dc=gecadco,dc=local' filter='(&(objectClass=inetOrgPerson)(uid=acct1)(mailHost=ts9.gecadco.local))'
	2017-01-12 22:53:12 +0200 16 ts9 USERDB:00000006: >> LDAP modify entry DN 'cn=acct1,ou=Users,dc=ts9,dc=gecadco,dc=local'
	2017-01-12 22:53:12 +0200 08 ts9 USERDB:00000006: End synchronize ADD/MODIFY operation for user with id 0x000007D9 on domain ts9.gecadco.local with result 'Success'

and the CLI command will show the new associated LDAP ID:

	<domain-account#> show registryinformation

	The registry information:
	Creation Date = Thu, 12 Jan 2017 22:15:48 +0200
	Modification Date = Thu, 12 Jan 2017 22:47:36 +0200
	POP3 Last Login Date = Thu, 01 Jan 1970 02:00:00 +0200
	POP3 Last Login IP = 0.0.0.0
	IMAP Last Login Date = Thu, 01 Jan 1970 02:00:00 +0200
	IMAP Last Login IP = 0.0.0.0
	OLK Last Login Date = Thu, 01 Jan 1970 02:00:00 +0200
	OLK Last Login IP = 0.0.0.0
	OLK Last Connector Version = 0.0.0.0.0
	WebMail Last Login Date = Thu, 01 Jan 1970 02:00:00 +0200
	WebMail Last Login IP = 0.0.0.0
	Active Sync Last Login Date = Thu, 01 Jan 1970 02:00:00 +0200
	Active Sync Last Login IP = 0.0.0.0
	Internal ID = 0x00000CB4
	Internal Mbox Container ID = 0x01001495
	Configuration Version = 10.0.0
	Mbox Storage Version = 5.0.2
	Associated LDAP ID = 180e3c14-6d54-1036-9603-df0305cba63d
	Associated LDAP DN = cn=acct1,ou=Users,dc=ts9,dc=gecadco,dc=local
	Configuration Status = Ok
	Domain storage id = 00-00-7DE7-5317C0B4-68E49F22
	Mbox size = 0 Kb
	Mbox message count = 0 message(s)
	Mbox folder count = 13 folder(s)
	Mbox removed folder count = 0 folder(s)
	Mbox removed folder cleanup = not running
	Mbox Storage Status = Ok
	Password can be changed = yes
	Password in warning interval = no
	Password status = active

	+OK: command successful
	<domain-account#> 

For groups, the show registryinformation and reset ldapassociation CLI commands are the same, but they must be issued in the group's CLI context instead of the account context.

To automate the LDAP association reset and the synchronization to LDAP, the "axigen-ldapForceSync.py" Python script is available at: https://www.axigen.com/mail-server/scripts.php

This script resets the LDAP association for accounts and groups and synchronizes them to an LDAP database that already contains the domain structure and the Organizational Units for the accounts and the groups.

The script requires Python 2.6 or 2.7, and the cli2.py script, available at the same link, must be placed in the same directory.

Before using the script, edit it and change the parameters in the section below to match your server:

	### Configuration parameters block
	AXIGEN_PYLIB_DIR="/opt/axigen/scripts/lib"
	CLI_HOST=os.getenv("CLI_HOST","127.0.0.1")
	CLI_PORT=7000
	CLI_ADMIN_USER="admin"
	CLI_ADMIN_PASS="myPASS"
	### End of configuration parameters block

The script resets the LDAP association for the accounts and the groups and then, to trigger the LDAP synchronization, it modifies and then restores the aolScreenName attribute for accounts, and for groups it adds and then removes the postmaster account as a member.

The script can be run as follows:

  • to reset and synchronize to LDAP all the accounts and groups on the server:

	python axigen-ldapForceSync.py

  • to reset and synchronize to LDAP the accounts and groups from one domain:

	python axigen-ldapForceSync.py domainname.tld

  • to only reset the LDAP association without attempting the synchronization to LDAP:

	NO_UPDATE=true ./axigen-ldapForceSync.py

    or:

	NO_UPDATE=true ./axigen-ldapForceSync.py domainname.tld

  • to neither reset the LDAP association nor perform the LDAP synchronization, but only list the associated LDAP ID for each account and group:

	DRY_RUN=true ./axigen-ldapForceSync.py

    or:

	DRY_RUN=true ./axigen-ldapForceSync.py domainname.tld

    This option can be used to verify that the accounts and groups have been synchronized after running the script initially. The script displays the associated LDAP ID, or (none) if the LDAP synchronization failed, for example:

	2017-01-12 16:02:32 userReset[872fb67a-e845-1035-9c3a-fb8c9db9325b] user1@ts9.gecadco.local
	2017-01-12 16:02:32 userReset[(none)] user2@ts9.gecadco.local
	2017-01-12 16:02:33 userReset[8740cf50-e845-1035-9c3d-fb8c9db9325b] user3@ts9.gecadco.local

The concepts, the CLI commands and the script presented in this article are also applicable when Axigen is synchronized with an Active Directory server.
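As an added example (not part of this article or of the axigen-ldapForceSync.py script), the following Python 3 snippet parses the two outputs discussed above: it lists the accounts whose synchronization ended with 'Lost association' in the LDAP synchronization log, which are the candidates for reset ldapassociation, and the addresses that the DRY_RUN output still reports as (none). The sample lines are constructed from the formats shown in this article; matching the object kind loosely is an assumption, since only the user form of these lines appears here.

```python
import re

# Constructed sample lines in the format of Axigen's LDAP synchronization log
# shown in this article; acct1 lost its association, acct2 synchronized.
SYNC_LOG = """\
2017-01-12 22:17:13 +0200 08 ts9 USERDB:00000006: Begin synchronize ADD/MODIFY operation for user acct1 with id 0x00000CB4 on domain ts9.gecadco.local
2017-01-12 22:17:13 +0200 08 ts9 USERDB:00000006: End synchronize ADD/MODIFY operation for user with id 0x00000CB4 on domain ts9.gecadco.local with result 'Lost association'
2017-01-12 22:47:36 +0200 08 ts9 USERDB:00000006: Begin synchronize ADD/MODIFY operation for user acct2 with id 0x00000CB5 on domain ts9.gecadco.local
2017-01-12 22:47:36 +0200 08 ts9 USERDB:00000006: End synchronize ADD/MODIFY operation for user with id 0x00000CB5 on domain ts9.gecadco.local with result 'Success'
"""

# Constructed sample of the script's DRY_RUN=true output, as shown in this article.
DRY_RUN_OUTPUT = """\
2017-01-12 16:02:32 userReset[872fb67a-e845-1035-9c3a-fb8c9db9325b] user1@ts9.gecadco.local
2017-01-12 16:02:32 userReset[(none)] user2@ts9.gecadco.local
2017-01-12 16:02:33 userReset[8740cf50-e845-1035-9c3d-fb8c9db9325b] user3@ts9.gecadco.local
"""

# The article shows only the "user" form of these lines; the object kind is
# matched loosely (an assumption) so group lines with the same layout also parse.
BEGIN_RE = re.compile(
    r"Begin synchronize \S+ operation for \w+ (?P<name>\S+) "
    r"with id (?P<id>0x[0-9A-Fa-f]+) on domain (?P<domain>\S+)")
END_RE = re.compile(
    r"End synchronize \S+ operation for \w+ with id (?P<id>0x[0-9A-Fa-f]+) "
    r"on domain (?P<domain>\S+) with result '(?P<result>[^']*)'")
RESET_RE = re.compile(r"\w+Reset\[(?P<ldap_id>[^\]]*)\] (?P<addr>\S+)")

def lost_associations(log_text):
    """Return 'name@domain' for each operation that ended in 'Lost association'.
    The End line carries only the internal id, so it is joined to the preceding
    Begin line on (domain, id) to recover the account or group name."""
    pending, lost = {}, []
    for line in log_text.splitlines():
        begin = BEGIN_RE.search(line)
        if begin:
            pending[(begin.group("domain"), begin.group("id"))] = begin.group("name")
            continue
        end = END_RE.search(line)
        if end:
            name = pending.pop((end.group("domain"), end.group("id")), None)
            if name and end.group("result") == "Lost association":
                lost.append("%s@%s" % (name, end.group("domain")))
    return lost

def unsynchronized(dry_run_text):
    """Return the addresses whose DRY_RUN line reports '(none)' as the LDAP ID."""
    return [m.group("addr") for m in map(RESET_RE.search, dry_run_text.splitlines())
            if m and m.group("ldap_id") == "(none)"]
```

Run against a real synchronization log, the first list tells you which accounts or groups still need reset ldapassociation; run against the DRY_RUN output after the script, the second list tells you which ones the forced synchronization did not reach.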

Applies to
Releases: Axigen 9.0.x, Axigen 10.0.x
OS: Linux, Windows, Solaris
Distros: RPM based distros, DEB based distros, Ubuntu, DEB based distros amd64, Windows x64, RPM based distros x64, Solaris 10 x64, FreeBSD 9.2, FreeBSD 9.2 amd64