How to Reset the LDAP Association and Force the LDAP Synchronization for Account and Groups

This article describes how to reset the LDAP association and force the LDAP synchronization for accounts and groups.

Solution

When Axigen accounts and groups are synchronized to an OpenLDAP server, Axigen stores for each account and group its LDAP ID, namely the value of the entryUUID attribute of the corresponding LDAP entry.

The synchronization between Axigen and OpenLDAP is described in the KB article available at: https://www.axigen.com/kb/show/267

There may be situations when the administrator wishes to reset the LDAP association in Axigen and force the synchronization of accounts and groups to the OpenLDAP server. For example, if the OpenLDAP server is replaced with a new server which contains the OU structure but not the accounts and groups, or if the LDAP database is restored without preserving the entryUUID values.

The LDAP ID associated with an Axigen account or group can be seen with the show registryinformation CLI command, as shown below; it is displayed in the Associated LDAP ID field.

For the examples below, the associated LDAP IDs are:

  • ba00a5fc-6d4f-1036-9601-df0305cba63d — for the "acct1" account
  • 3247b3f2-6d50-1036-9602-df0305cba63d — for the "group1" group

Example:

    <#> update domain ts9.gecadco.local
    +OK: command successful
     update account acct1
    +OK: command successful
     show registryinformation

    The registry information:
    Creation Date = Thu, 12 Jan 2017 22:15:48 +0200
    Modification Date = Thu, 12 Jan 2017 22:17:13 +0200
    POP3 Last Login Date = Thu, 01 Jan 1970 02:00:00 +0200
    POP3 Last Login IP = 0.0.0.0
    IMAP Last Login Date = Thu, 01 Jan 1970 02:00:00 +0200
    IMAP Last Login IP = 0.0.0.0
    OLK Last Login Date = Thu, 01 Jan 1970 02:00:00 +0200
    OLK Last Login IP = 0.0.0.0
    OLK Last Connector Version = 0.0.0.0.0
    WebMail Last Login Date = Thu, 01 Jan 1970 02:00:00 +0200
    WebMail Last Login IP = 0.0.0.0
    Active Sync Last Login Date = Thu, 01 Jan 1970 02:00:00 +0200
    Active Sync Last Login IP = 0.0.0.0
    Internal ID = 0x00000CB4
    Internal Mbox Container ID = 0x01001495
    Configuration Version = 10.0.0
    Mbox Storage Version = 5.0.2
    Associated LDAP ID = ba00a5fc-6d4f-1036-9601-df0305cba63d
    Associated LDAP DN = cn=acct1,ou=Users,dc=ts9,dc=gecadco,dc=local
    Configuration Status = Ok
    Domain storage id = 00-00-7DE7-5317C0B4-68E49F22
    Mbox size = 0 Kb
    Mbox message count = 0 message(s)
    Mbox folder count = 13 folder(s)
    Mbox removed folder count = 0 folder(s)
    Mbox removed folder cleanup = not running
    Mbox Storage Status = Ok
    Password can be changed = yes
    Password in warning interval = no
    Password status = active

    +OK: command successful

     back
    switching back to previous context.
    +OK: command successful

     update group group1
    +OK: command successful
     show registryinformation

    The registry information:
    Creation Date = Thu, 12 Jan 2017 22:19:42 +0200
    Modification Date = Thu, 12 Jan 2017 22:19:42 +0200
    Internal ID = 0x000007DA
    Configuration Version = 10.0.0
    Associated LDAP ID = 3247b3f2-6d50-1036-9602-df0305cba63d
    Associated LDAP DN = cn=group1,ou=Groups,dc=ts9,dc=gecadco,dc=local
    Configuration Status = Ok
    Domain storage id = 00-00-7DE7-5317C0B4-68E49F22

    +OK: command successful

When a change is made to the account or group in Axigen and the synchronization direction is Axigen to LDAP or both ways, the stored entryUUID value is searched for in LDAP in order to synchronize that change to LDAP. If the entryUUID value is missing or different, a "Lost association" error is logged in Axigen's LDAP synchronization log, similar to the one below, and the change is not synchronized to LDAP:

    2017-01-12 22:17:13 +0200 16 ts9 USERDB:00000006: >> LDAP bind user='cn=admin,dc=ts9,dc=gecadco,dc=local'
    2017-01-12 22:17:13 +0200 08 ts9 USERDB:00000006: Connected to server ldap://192.168.100.100:389 from domain ts9.gecadco.local
    2017-01-12 22:17:13 +0200 08 ts9 USERDB:00000006: Begin synchronize ADD/MODIFY operation for user acct1 with id 0x00000CB4 on domain ts9.gecadco.local
    2017-01-12 22:17:13 +0200 16 ts9 USERDB:00000006: >> LDAP search DN='ou=Users,dc=ts9,dc=gecadco,dc=local' filter='(&(entryUUID=BA00A5FC-6D4F-1036-9601-DF0305CBA63D)(mailHost=ts9.gecadco.local))'
    2017-01-12 22:17:13 +0200 16 ts9 USERDB:00000006: >> LDAP search DN='ou=Users,dc=ts9,dc=gecadco,dc=local' filter='(&(objectClass=inetOrgPerson)(uid=acct1)(mailHost=ts9.gecadco.local))'
    2017-01-12 22:17:13 +0200 08 ts9 USERDB:00000006: End synchronize ADD/MODIFY operation for user with id 0x00000CB4 on domain ts9.gecadco.local with result 'Lost association'
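The log lines above are what an administrator would watch for to catch lost associations before anyone notices that changes stopped reaching LDAP. The following Python 3 parser is an added example, not part of this article or of the Axigen scripts: it pairs the Begin/End lines of each synchronization operation, keeps the latest result per object and lists the accounts whose last operation ended in 'Lost association', i.e. the ones that need reset ldapassociation. The sample lines are constructed in the format shown on this page (only "user" operations are handled, as that is the only form the article shows).

```python
import re

# Constructed sample lines in the format of Axigen's LDAP synchronization log.
SAMPLE_LOG = """\
2017-01-12 22:17:13 +0200 08 ts9 USERDB:00000006: Begin synchronize ADD/MODIFY operation for user acct1 with id 0x00000CB4 on domain ts9.gecadco.local
2017-01-12 22:17:13 +0200 16 ts9 USERDB:00000006: >> LDAP search DN='ou=Users,dc=ts9,dc=gecadco,dc=local' filter='(&(entryUUID=BA00A5FC-6D4F-1036-9601-DF0305CBA63D)(mailHost=ts9.gecadco.local))'
2017-01-12 22:17:13 +0200 08 ts9 USERDB:00000006: End synchronize ADD/MODIFY operation for user with id 0x00000CB4 on domain ts9.gecadco.local with result 'Lost association'
2017-01-12 22:47:36 +0200 08 ts9 USERDB:00000006: Begin synchronize ADD/MODIFY operation for user acct1 with id 0x00000CB4 on domain ts9.gecadco.local
2017-01-12 22:47:36 +0200 08 ts9 USERDB:00000006: End synchronize ADD/MODIFY operation for user with id 0x00000CB4 on domain ts9.gecadco.local with result 'Success'
2017-01-12 22:53:12 +0200 08 ts9 USERDB:00000006: Begin synchronize ADD/MODIFY operation for user acct2 with id 0x000007D9 on domain ts9.gecadco.local
2017-01-12 22:53:12 +0200 08 ts9 USERDB:00000006: End synchronize ADD/MODIFY operation for user with id 0x000007D9 on domain ts9.gecadco.local with result 'Lost association'
"""

# "Begin" lines carry the account name; "End" lines carry only the internal id and the result.
BEGIN_RE = re.compile(
    r"^(?P<ts>\S+ \S+ \S+) .*?Begin synchronize (?P<op>\S+) operation for user "
    r"(?P<name>\S+) with id (?P<id>0x[0-9A-Fa-f]+) on domain (?P<domain>\S+)$")
END_RE = re.compile(
    r"^(?P<ts>\S+ \S+ \S+) .*?End synchronize (?P<op>\S+) operation for user "
    r"with id (?P<id>0x[0-9A-Fa-f]+) on domain (?P<domain>\S+) with result '(?P<result>[^']*)'$")

def parse_sync_log(text):
    """Pair Begin/End lines by (internal id, domain) and return one record per operation."""
    pending = {}   # (id, domain) -> account name taken from the matching Begin line
    ops = []
    for line in text.splitlines():
        m = BEGIN_RE.match(line)
        if m:
            pending[(m["id"], m["domain"])] = m["name"]
            continue
        m = END_RE.match(line)
        if m:
            key = (m["id"], m["domain"])
            ops.append({"time": m["ts"], "op": m["op"], "id": m["id"], "domain": m["domain"],
                        "name": pending.pop(key, None), "result": m["result"]})
    return ops

def lost_associations(text):
    """Accounts whose most recent operation ended in 'Lost association' (candidates for reset ldapassociation)."""
    latest = {}
    for op in parse_sync_log(text):
        latest[(op["id"], op["domain"])] = op   # later lines overwrite earlier ones
    return sorted(f"{o['name']}@{o['domain']}" for o in latest.values()
                  if o["result"] == "Lost association")
```

On the constructed sample, acct1 recovers after its second operation and only acct2 is reported.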

To force the synchronization, the administrator resets the LDAP association for the account or group with the reset ldapassociation CLI command and then makes a new change to it in order to trigger the synchronization.

Example:

    <#> update domain ts9.gecadco.local
    +OK: command successful
     update account acct1
    +OK: command successful
     reset ldapassociation
    +OK: command successful
     show registryinformation

    The registry information:
    Creation Date = Thu, 12 Jan 2017 22:15:48 +0200
    Modification Date = Thu, 12 Jan 2017 22:46:27 +0200
    POP3 Last Login Date = Thu, 01 Jan 1970 02:00:00 +0200
    POP3 Last Login IP = 0.0.0.0
    IMAP Last Login Date = Thu, 01 Jan 1970 02:00:00 +0200
    IMAP Last Login IP = 0.0.0.0
    OLK Last Login Date = Thu, 01 Jan 1970 02:00:00 +0200
    OLK Last Login IP = 0.0.0.0
    OLK Last Connector Version = 0.0.0.0.0
    WebMail Last Login Date = Thu, 01 Jan 1970 02:00:00 +0200
    WebMail Last Login IP = 0.0.0.0
    Active Sync Last Login Date = Thu, 01 Jan 1970 02:00:00 +0200
    Active Sync Last Login IP = 0.0.0.0
    Internal ID = 0x00000CB4
    Internal Mbox Container ID = 0x01001495
    Configuration Version = 10.0.0
    Mbox Storage Version = 5.0.2
    Associated LDAP ID = (none)
    Associated LDAP DN = (none)
    Configuration Status = Ok
    Domain storage id = 00-00-7DE7-5317C0B4-68E49F22
    Mbox size = 0 Kb
    Mbox message count = 0 message(s)
    Mbox folder count = 13 folder(s)
    Mbox removed folder count = 0 folder(s)
    Mbox removed folder cleanup = not running
    Mbox Storage Status = Ok
    Password can be changed = yes
    Password in warning interval = no
    Password status = active

    +OK: command successful

After performing the change on the account, the synchronization log will be similar to:

  • if the entryUUID value was missing, a new entry is added:

        2017-01-12 22:47:36 +0200 16 ts9 USERDB:00000006: >> LDAP bind user='cn=admin,dc=ts9,dc=gecadco,dc=local'
        2017-01-12 22:47:36 +0200 08 ts9 USERDB:00000006: Connected to server ldap://192.168.100.100:389 from domain ts9.gecadco.local
        2017-01-12 22:47:36 +0200 08 ts9 USERDB:00000006: Begin synchronize ADD/MODIFY operation for user acct1 with id 0x00000CB4 on domain ts9.gecadco.local
        2017-01-12 22:47:36 +0200 16 ts9 USERDB:00000006: >> LDAP search DN='ou=Users,dc=ts9,dc=gecadco,dc=local' filter='(&(objectClass=inetOrgPerson)(uid=acct1)(mailHost=ts9.gecadco.local))'
        2017-01-12 22:47:36 +0200 16 ts9 USERDB:00000006: >> LDAP add entry DN 'cn=acct1,ou=Users,dc=ts9,dc=gecadco,dc=local'
        2017-01-12 22:47:36 +0200 16 ts9 USERDB:00000006: >> LDAP search DN='cn=acct1,ou=Users,dc=ts9,dc=gecadco,dc=local' filter='null'
        2017-01-12 22:47:36 +0200 08 ts9 USERDB:00000006: End synchronize ADD/MODIFY operation for user with id 0x00000CB4 on domain ts9.gecadco.local with result 'Success'

  • if the entryUUID value was different, the account is associated with that LDAP entry:

        2017-01-12 22:53:12 +0200 16 ts9 USERDB:00000006: >> LDAP bind user='cn=admin,dc=ts9,dc=gecadco,dc=local'
        2017-01-12 22:53:12 +0200 08 ts9 USERDB:00000006: Connected to server ldap://192.168.100.100:389 from domain ts9.gecadco.local
        2017-01-12 22:53:12 +0200 08 ts9 USERDB:00000006: Begin synchronize ADD/MODIFY operation for user acct1 with id 0x000007D9 on domain ts9.gecadco.local
        2017-01-12 22:53:12 +0200 16 ts9 USERDB:00000006: >> LDAP search DN='ou=Users,dc=ts9,dc=gecadco,dc=local' filter='(&(objectClass=inetOrgPerson)(uid=acct1)(mailHost=ts9.gecadco.local))'
        2017-01-12 22:53:12 +0200 16 ts9 USERDB:00000006: >> LDAP modify entry DN 'cn=acct1,ou=Users,dc=ts9,dc=gecadco,dc=local'
        2017-01-12 22:53:12 +0200 08 ts9 USERDB:00000006: End synchronize ADD/MODIFY operation for user with id 0x000007D9 on domain ts9.gecadco.local with result 'Success'

and the CLI command will show the new associated LDAP ID:

     show registryinformation

    The registry information:
    Creation Date = Thu, 12 Jan 2017 22:15:48 +0200
    Modification Date = Thu, 12 Jan 2017 22:47:36 +0200
    POP3 Last Login Date = Thu, 01 Jan 1970 02:00:00 +0200
    POP3 Last Login IP = 0.0.0.0
    IMAP Last Login Date = Thu, 01 Jan 1970 02:00:00 +0200
    IMAP Last Login IP = 0.0.0.0
    OLK Last Login Date = Thu, 01 Jan 1970 02:00:00 +0200
    OLK Last Login IP = 0.0.0.0
    OLK Last Connector Version = 0.0.0.0.0
    WebMail Last Login Date = Thu, 01 Jan 1970 02:00:00 +0200
    WebMail Last Login IP = 0.0.0.0
    Active Sync Last Login Date = Thu, 01 Jan 1970 02:00:00 +0200
    Active Sync Last Login IP = 0.0.0.0
    Internal ID = 0x00000CB4
    Internal Mbox Container ID = 0x01001495
    Configuration Version = 10.0.0
    Mbox Storage Version = 5.0.2
    Associated LDAP ID = 180e3c14-6d54-1036-9603-df0305cba63d
    Associated LDAP DN = cn=acct1,ou=Users,dc=ts9,dc=gecadco,dc=local
    Configuration Status = Ok
    Domain storage id = 00-00-7DE7-5317C0B4-68E49F22
    Mbox size = 0 Kb
    Mbox message count = 0 message(s)
    Mbox folder count = 13 folder(s)
    Mbox removed folder count = 0 folder(s)
    Mbox removed folder cleanup = not running
    Mbox Storage Status = Ok
    Password can be changed = yes
    Password in warning interval = no
    Password status = active

    +OK: command successful

For groups, the show registryinformation and reset ldapassociation CLI commands are the same, but they must be issued in the group's CLI context instead of the account context.

To automate the LDAP association reset and the synchronization to LDAP, the "axigen-ldapForceSync.py" Python script is available at: https://www.axigen.com/mail-server/scripts/

This script can be used to reset the LDAP association for accounts and groups and to synchronize them to an LDAP database which contains the structure for the domain and the Organizational Units for the accounts and the groups.

The script requires Python 2.6 or 2.7, and the cli2.py script available at the same link must be placed in the same directory.

Before using the script, it is necessary to edit it and to change the parameters in the section below to match your server:

    ### Configuration parameters block
    AXIGEN_PYLIB_DIR="/opt/axigen/scripts/lib"
    CLI_HOST=os.getenv("CLI_HOST","127.0.0.1")
    CLI_PORT=7000
    CLI_ADMIN_USER="admin"
    CLI_ADMIN_PASS="myPASS"
    ### End of configuration parameters block

The script resets the LDAP association for the accounts and groups and then, to trigger the LDAP synchronization, makes a harmless change: for accounts it modifies and then restores the aolScreenName attribute; for groups it adds the postmaster account as a member and then removes it again.

The script can be run as follows:

  • to reset and synchronize to LDAP all the accounts and groups on the server:

        python axigen-ldapForceSync.py

  • to reset and synchronize to LDAP the accounts and groups from one domain:

        python axigen-ldapForceSync.py domainname.tld

  • to only reset the LDAP association without attempting the synchronization to LDAP:

        NO_UPDATE=true ./axigen-ldapForceSync.py

    or:

        NO_UPDATE=true ./axigen-ldapForceSync.py domainname.tld

  • to neither reset the LDAP association nor perform the LDAP synchronization, but only list the associated LDAP ID of each account and group:

        DRY_RUN=true ./axigen-ldapForceSync.py

    or:

        DRY_RUN=true ./axigen-ldapForceSync.py domainname.tld

    This option can be used to verify that the accounts and groups have been synchronized after the initial run of the script. The script displays the associated LDAP ID, or (none) if the LDAP synchronization failed, for example:

        2017-01-12 16:02:32 userReset[872fb67a-e845-1035-9c3a-fb8c9db9325b] user1@ts9.gecadco.local
        2017-01-12 16:02:32 userReset[(none)] user2@ts9.gecadco.local
        2017-01-12 16:02:33 userReset[8740cf50-e845-1035-9c3d-fb8c9db9325b] user3@ts9.gecadco.local
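Reading the DRY_RUN output by eye works for a handful of accounts but not for a whole server. The following Python 3 helper is an added example, not part of this article or of the axigen-ldapForceSync.py script: it parses the DRY_RUN lines, lists the objects that still show (none) and summarizes synchronized versus unsynchronized objects per domain, so a second forced run can be targeted at the domains that need it. The sample output is constructed in the format shown above; the "userReset" tag is matched generically, since the article does not show the tag the script prints for groups.

```python
import re
from collections import Counter

# Constructed sample of the script's DRY_RUN output, in the format shown in the article.
SAMPLE_DRY_RUN = """\
2017-01-12 16:02:32 userReset[872fb67a-e845-1035-9c3a-fb8c9db9325b] user1@ts9.gecadco.local
2017-01-12 16:02:32 userReset[(none)] user2@ts9.gecadco.local
2017-01-12 16:02:33 userReset[8740cf50-e845-1035-9c3d-fb8c9db9325b] user3@ts9.gecadco.local
2017-01-12 16:02:33 userReset[(none)] user4@other.example
"""

# date time <tag>Reset[<ldap id or (none)>] <object>@<domain>
LINE_RE = re.compile(r"^\S+ \S+ \w+Reset\[(?P<ldap_id>[^\]]+)\] (?P<obj>\S+)$")

def parse_dry_run(text):
    """Map each listed object to its associated LDAP ID, or None when the script printed '(none)'."""
    result = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ldap_id = m["ldap_id"]
            result[m["obj"]] = None if ldap_id == "(none)" else ldap_id
    return result

def unsynchronized(text):
    """Objects still without an LDAP association, i.e. those the forced synchronization did not cover."""
    return sorted(obj for obj, ldap_id in parse_dry_run(text).items() if ldap_id is None)

def per_domain_summary(text):
    """Count synchronized and unsynchronized objects per domain (the part after the last '@')."""
    summary = {}
    for obj, ldap_id in parse_dry_run(text).items():
        domain = obj.rsplit("@", 1)[-1]
        counts = summary.setdefault(domain, Counter())
        counts["synced" if ldap_id else "unsynced"] += 1
    return summary
```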

The concepts, the CLI commands, and the script presented in this article are also applicable when Axigen is synchronized with an Active Directory server.

OS: Linux, Windows
Distros: DEB based distros amd64, RPM based distros x64, Windows x64