'\" t .\" Title: kopano-ldap.cfg .\" Author: [see the "Author" section] .\" Generator: DocBook XSL Stylesheets v1.79.1 .\" Date: November 2016 .\" Manual: Kopano Core user reference .\" Source: Kopano 8 .\" Language: English .\" .TH "KOPANO\-LDAP.CFG" "5" "November 2016" "Kopano 8" "Kopano Core user reference" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ .\" http://bugs.debian.org/507673 .\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ .ie \n(.g .ds Aq \(aq .el .ds Aq ' .\" ----------------------------------------------------------------- .\" * set default formatting .\" ----------------------------------------------------------------- .\" disable hyphenation .nh .\" disable justification (adjust text to left margin only) .ad l .\" ----------------------------------------------------------------- .\" * MAIN CONTENT STARTS HERE * .\" ----------------------------------------------------------------- .SH "NAME" kopano-ldap.cfg \- The Kopano LDAP configuration file .SH "SYNOPSIS" .PP \fBldap.cfg\fR .SH "DESCRIPTION" .PP The ldap.cfg is a configuration file for LDAP user plugin. All options to correctly retrieve user and group information can be set here. .SH "FILE FORMAT" .PP The file consists of one big section, but parameters can be grouped by functionality. .PP The parameters are written in the form: .PP \fBname\fR = \fIvalue\fR .PP The file is line\-based. Each newline\-terminated line represents either a comment, nothing, a parameter or a directive. A line beginning with `#\*(Aq is considered a comment, and will be ignored by Kopano. Parameter names are case sensitive. Lines beginning with `!\*(Aq are directives. .PP Directives are written in the form: .PP !\fBdirective\fR \fI[argument(s)] \fR .PP The following directives exist: .PP \fBinclude\fR .RS 4 Include and process \fIargument\fR .PP Example: !include common.cfg .RE .PP \fBpropmap\fR .RS 4 Propmap delivers the capabilities to map additional attributes to addressbook properties (e.g. firstname, lastname, telephonenumber). .PP In the propmap the configuration names must be the hex property tag of the requested property. The value given to the configuration name must be the LDAP attribute to which the property should be mapped. .PP Example: !propmap ldap.propmap.cfg .RE .SH "EXPLANATION OF EACH PARAMETER" .SS ldap_host .PP The hostname or ip\-adress of the LDAP server. .PP Default: \fIlocalhost\fR .SS ldap_port .PP The port number of the LDAP server. LDAP normally runs on port 389. .PP Default: \fI389\fR .SS ldap_protocol .PP The protocol to be used to connect to the LDAP server. Can be either \*(Aqldap\*(Aq or \*(Aqldaps\*(Aq for SSL connections. You will probably have to specify port 636 for ldap_port also. Kopano will not use STARTTLS for such an SSL connection but instead will connect directly to an SSL encrypted port. .PP Default: \fIldap\fR .SS ldap_uri .PP Instead of using ldap_host, ldap_port and ldap_protocol, you may also use ldap_uri which should specify the URI of the LDAP server like \*(Aqldap://server:389\*(Aq. If ldap_uri is set, the values of ldap_host, ldap_port and ldap_protocol are ignored. You may also specify multiple space\-separated LDAP server URI\*(Aqs. .PP Default: .SS ldap_server_charset .PP The charset that the LDAP server uses to store strings. All strings sent to the LDAP server or retrieved from the server will be interpreted in this charset. In most setups, utf\-8 is used, but may also be iso\-8859\-15. All charsets supported by the system iconv() are supported here. .PP Default: \fIutf\-8\fR .SS ldap_bind_user .PP The bind dn as to connect to the LDAP server. Leave empty to connect anonymous. .PP Default value is empty. .SS ldap_bind_passwd .PP When ldap_bind_user is a valid DN, this should be filled in too. .PP Default value is empty. .SS ldap_network_timeout .PP The timeout for network operations in seconds. .PP Default: \fI30\fR .SS ldap_last_modification_attribute .PP This value is used to detect changes in the item in the LDAP server. Since it is a standard LDAP attribute, you should never have to change this. It is mainly used for addressbook synchronisation between your server and your offline data. .PP Default: \fImodifyTimeStamp\fR .SS ldap_page_size .PP Limit result sets in pages of this size, downloading fewer results at a time from the LDAP server. .PP Default: \fI1000\fR .SS ldap_search_base .PP This is the subtree entry where all objects are defined in the LDAP server. .PP Default: \fIdc=kopano,dc=com\fR .SS ldap_object_type_attribute .PP An object is defined by this attribute what type it is, e.g. user, group, etc. Every object type should have a unique value in this attribute in order to define what which entry is. .PP The value of this attribute must be specified in the ldap_*_type_attribute_value settings. Each of those settings may specify multiple values for the type attribute, separated by comma\*(Aqs. All of these values must be present in the objects type attribute for a match to be made and the object to be recognised as that type. .PP It is possible for ambiguities to arise by setting the same string for multiple ldap_*_type_attribute_value settings. This ambiguity will be resolved by preferring objects with more matching values. If the ambiguity cannot be resolved in this way, then the first possibility is chosen from the list (addresslist, tenant, dynamic group, group, contact, user). .PP Default: \fIobjectClass\fR .SS ldap_user_type_attribute_value .PP The value in \fBldap_object_type_attribute\fR which defines a user. .PP Default for OpenLDAP: \fIposixAccount\fR .PP Default for ADS: \fIuser\fR .SS ldap_group_type_attribute_value .PP The value in \fBldap_object_type_attribute\fR which defines a group. .PP Default for OpenLDAP: \fIposixGroup\fR .PP Default for ADS: \fIgroup\fR .SS ldap_contact_type_attribute_value .PP The value in \fBldap_object_type_attribute\fR which defines a contact. .PP Default for OpenLDAP: \fIinetOrgPerson\fR .PP Default for ADS: \fIcontact\fR .SS ldap_company_type_attribute_value .PP The value in \fBldap_object_type_attribute\fR which defines a tenant. This option is only used in multi\-tenancy installations. .PP Default for OpenLDAP: \fIorganizationalUnit\fR .PP Default for ADS: \fIkopano\-company\fR .SS ldap_addresslist_type_attribute_value .PP The value in \fBldap_object_type_attribute\fR which defines an addresslist. .PP Default: \fIkopano\-addresslist\fR .SS ldap_dynamicgroup_type_attribute_value .PP The value in \fBldap_object_type_attribute\fR which defines a dynamic group. .PP Default: \fIkopano\-dynamicgroup\fR .SS ldap_user_search_filter .PP Adds an extra filter to the user search. .PP Hint: Use the kopanoAccount attribute in the filter to differentiate between non\-kopano and kopano users. .PP Default for OpenLDAP is empty. .PP Default for ADS: \fI(objectCategory=Person)\fR .SS ldap_user_unique_attribute .PP This is the unique attribute of a user which is never going to change, unless the user is removed from LDAP. When this value changes, Kopano will remove the previous user and store from the database, and create a new user with this unique value. .PP Default for OpenLDAP: \fIuidNumber\fR .PP Default for ADS: \fIobjectGuid\fR .SS ldap_user_unique_attribute_type .PP Contents type for the \fBldap_user_unique_attribute\fR. This value can be \fIbinary\fR or \fItext\fR. .PP Default for OpenLDAP: \fItext\fR .PP Default for ADS: \fIbinary\fR .SS ldap_fullname_attribute .PP This value is the fullname of a user. It will be used on outgoing messages, and store names. .PP Default: \fIcn\fR .SS ldap_loginname_attribute .PP This value is the loginname of a user. This is what the user uses to login on kopano. The DAgent will use this value to open the store of the user. .PP Default for OpenLDAP: \fIuid\fR .PP Default for ADS: \fIsAMAccountName\fR .SS ldap_password_attribute .PP This value is the password of a user. When using \fBldap_authentication_method\fR = \fIpassword\fR, this value will be checked. The \fBldap_bind_user\fR should have enough access rights to read the password field. .PP Default for OpenLDAP: \fIuserPassword\fR .PP Default for ADS: \fIunicodePwd\fR .SS ldap_authentication_method .PP This value can be \fIbind\fR or \fIpassword\fR. When set to bind, the plugin will authenticate by opening a new connection to the LDAP server as the user with the given password. When set to password, the plugin will read and match the password field from the LDAP server itself. When set to password, the \fBldap_bind_user\fR should have enough access rights to read the password field. .PP Default for OpenLDAP: \fIbind\fR .PP Default for ADS: \fIbind\fR .SS ldap_emailaddress_attribute .PP This value is the email address of a user. It will be used to set the From on outgoing messages. .PP Default: \fImail\fR .SS ldap_emailaliases_attribute .PP This value is the email aliases of a user. It can be used to find extra valid email accounts for incoming email. These email addresses cannot be used for outgoing email. .PP Default: \fIkopanoAliases\fR .SS ldap_isadmin_attribute .PP This value indicates if a user has administrator rights. 0 or not presents means no. 1 means yes. In multi\-tenancy environment a value of 1 means that the user is administrator over his own tenant. A value of 2 means he is administrator over all companies within the environment. .PP Default: \fIkopanoAdmin\fR .SS ldap_nonactive_attribute .PP This value indicates if a user is nonactive. Nonactive users cannot login, but the store can be used as a shared store for other users. .PP Setting this value to 1 will make a mailbox nonactive. The nonactive attribute provided by the Kopano schema for nonactive users is \fIkopanoSharedStoreOnly\fR .PP Default: \fIkopanoSharedStoreOnly\fR .SS ldap_resource_type_attribute .PP This attribute can change the type of a non\-active user. The value of this attribute can be \fIroom\fR or \fIequipment\fR to make it such a resource. If this attribute is not present, or not one of the previously described values, the user will be a normal non\-active user. .PP Default: \fIkopanoResourceType\fR .SS ldap_resource_capacity_attribute .PP Resources often have a limited capacity. Use this attribute to control this value. user. .PP Default: \fIkopanoResourceCapacity\fR .SS ldap_sendas_attribute .PP This attribute contains the list of users for which the user can use the sendas feature. .PP Default: \fIkopanoSendAsPrivilege\fR .SS ldap_sendas_attribute_type .PP Contents type for the \fBldap_sendas_attribute\fR this value can be \fIdn\fR, \fIbinary\fR or \fItext\fR. .PP Default for OpenLDAP: \fItext\fR .PP Default for ADS: \fIdn\fR .SS ldap_sendas_relation_attribute .PP This value is used to find the users in the sendas list. .PP Defaults to empty value, using the \fBldap_user_unique_attribute\fR setting. By using the DN, you can also add groups to the sendas list. .PP Default for OpenLDAP is empty. .PP Default for ADS: \fIdistinguishedName\fR .SS ldap_user_certificate_attribute .PP The attribute which contains the user\*(Aqs public certificate to be used for encrypted S/MIME messages. Both Active Directory and OpenLDAP use the same ldap attribute by default. The format of the certificate should be the binary DER format. .PP Default: \fIuserCertificate\fR .SS ldap_group_search_filter .PP Adds an extra filter to the group search. .PP Hint: Use the kopanoAccount attribute in the filter to differentiate between non\-kopano and kopano groups. .PP Default for OpenLDAP is empty. .PP Default for ADS: \fI(objectCategory=Group)\fR .SS ldap_group_unique_attribute .PP This is the unique attribute of a group which is never going to change, unless the group is removed from LDAP. When this value changes, Kopano will remove the previous group from the database, and create a new group with this unique value. .PP Default for OpenLDAP: \fIgidNumber\fR .PP Default for ADS: \fIobjectSid\fR .SS ldap_group_unique_attribute_type .PP Contents type for the \fBldap_group_unique_attribute\fR this value can be \fIbinary\fR or \fItext\fR. .PP Default for OpenLDAP: \fItext\fR .PP Default for ADS: \fIbinary\fR .SS ldap_groupname_attribute .PP This value is the name of a group. .PP Default: \fIcn\fR .SS ldap_groupmembers_attribute .PP This value is the member list of a group. .PP Default for OpenLDAP: \fImemberUid\fR .PP Default for ADS: \fImember\fR .SS ldap_groupmembers_attribute_type .PP Contents type for the \fBldap_groupmembers_attribute\fR this value can be \fIdn\fR, \fIbinary\fR or \fItext\fR. .PP Default for OpenLDAP: \fItext\fR .PP Default for ADS: \fIdn\fR .SS ldap_groupmembers_relation_attribute .PP This value is used to find the users in a group if \fBldap_groupmembers_attribute_type\fR is \fItext\fR. .PP Defaults to empty value, using the \fBldap_user_unique_attribute\fR setting. .PP Default is empty. .SS ldap_group_security_attribute .PP If this attribute is present, you can make a group a security group. These groups can be used to place permissions on folders. .PP Default for OpenLDAP: \fIkopanoSecurityGroup\fR .PP Default for ADS: \fIgroupType\fR .SS ldap_group_security_attribute_type .PP The type of the \fBldap_group_security_attribute\fR is very different for ADS and OpenLDAP. The value of this option can be \fIboolean\fR or \fIads\fR. The ads option only looks at the highest bit in the numeric value of the groupType attribute. .PP Default for OpenLDAP: \fIboolean\fR .PP Default for ADS: \fIads\fR .SS ldap_company_search_filter .PP Add an extra filter to the tenant search. .PP Hint: Use the kopanoAccount attribute in the filter to differentiate between non\-kopano and kopano companies. .PP Default for OpenLDAP is empty. .PP Default for ADS: \fI(objectCategory=Company)\fR .SS ldap_company_unique_attribute .PP This is the unique attribute of a tenant which is never going to change, unless the tenant is removed from LDAP. When this value changes, Kopano will remove the previous tenant from the database, and create a new tenant with this unique value. .PP Default for OpenLDAP: \fIou\fR .PP Default for ADS: \fIobjectSid\fR .SS ldap_company_unique_attribute_type .PP Contents type for the \fBldap_company_unique_attribute\fR this value can be \fIbinary\fR or \fItext\fR. .PP Default for OpenLDAP: \fItext\fR .PP Default for ADS: \fIbinary\fR .SS ldap_companyname_attribute .PP This value is the name of a tenant. .PP Default: \fIcn\fR .SS ldap_company_view_attribute .PP This attribute contains the list of tenants which can view the members of the tenant where this attribute is set on. tenants which are not listed in this attribute cannot see the presence of the tenant space itself nor its members. .PP Default: \fIkopanoViewPrivilege\fR .SS ldap_company_view_attribute_type .PP Contents type for the \fBldap_company_view_attribute\fR this value can be \fIdn\fR, \fIbinary\fR or \fItext\fR. .PP Default for OpenLDAP: \fItext\fR .PP Default for ADS: \fIdn\fR .SS ldap_company_view_relation_attribute .PP The attribute of the tenant which is listed in \fBldap_company_view_attribute\fR. .PP Default: Empty, using the \fBldap_company_unique_attribute\fR .SS ldap_company_admin_attribute .PP This attribute contains the list of users outside of the selected tenant space who are administrator over the selected tenant space. Note that local users should not be listed as administrator here, those users need the \fBldap_isadmin_attribute\fR attribute. .PP Default: \fIkopanoAdminPrivilege\fR .SS ldap_company_admin_attribute_type .PP Contents type for the \fBldap_company_admin_attribute\fR this value can be \fIdn\fR, \fIbinary\fR or \fItext\fR. .PP Default for OpenLDAP: \fItext\fR .PP Default for ADS: \fIdn\fR .SS ldap_company_admin_relation_attribute .PP The attribute of the user which is listed in \fBldap_company_admin_attribute\fR. .PP Default: Empty, using the \fBldap_user_unique_attribute\fR .SS ldap_company_system_admin_attribute .PP This attribute contains the user who acts as the system administrator of this tenatn space. This can either be a local user or a user from a different tenant space. At the moment this user is set as the sender of quota warning emails. .PP Default: \fIkopanoSystemAdmin\fR .SS ldap_company_system_admin_attribute_type .PP Contents type for the \fBldap_company_system_admin_attribute\fR this value can be \fIdn\fR, \fIbinary\fR or \fItext\fR. .PP Default for OpenLDAP: \fItext\fR .PP Default for ADS: \fIdn\fR .SS ldap_company_system_admin_relation_attribute .PP The attribute of the user which is listed in \fBldap_system_admin_attribute\fR. .PP Default: Empty, using the \fBldap_user_unique_attribute\fR .SS ldap_addresslist_search_filter .PP Add a filter to the addresslist search. .PP Hint: Use the kopanoAccount attribute in the filter to differentiate between non\-kopano and kopano addresslists. .PP Default: \fI(objectClass=kopano\-addresslist)\fR .SS ldap_addresslist_unique_attribute .PP This is the unique attribute of a addresslist which is never going to change, unless the addresslist is removed from LDAP. When this value changes, Kopano will remove the previous addresslist from the database, and create a new addresslist with this unique value. .PP Default: \fIcn\fR .SS ldap_addresslist_unique_attribute_type .PP Contents type for the \fBldap_addresslist_unique_attribute\fR this value can be \fIdn\fR, \fIbinary\fR or \fItext\fR. On LDAP this value should be \fItext\fR. On ADS this value should be \fIdn\fR .PP Default: \fItext\fR .SS ldap_addresslist_filter_attribute .PP This is the name of the attribute on the addresslist object that specifies the filter to be applied for this addresslist. All users matching this filter AND matching the default ldap_user_search_filter will be included in the addresslist. .PP Default: \fIkopanoFilter\fR .SS ldap_addresslist_search_base_attribute .PP This is the name of the attribute on the addresslist object that specifies the search base to be applied for this addresslist. .PP Default: \fIkopanoBase\fR .SS ldap_addresslist_name_attribute .PP The attribute containing the name of the addresslist .PP Default: \fIcn\fR .SS ldap_dynamicgroup_search_filter .PP Add an extra filter to the dynamicgroup search. .PP Hint: Use the kopanoAccount attribute in the filter to differentiate between non\-kopano and kopano dynamic groups. .PP Default is empty. .SS ldap_dynamicgroup_unique_attribute .PP This is the unique attribute of a dynamicgroup which is never going to change, unless the dynamicgroup is removed from LDAP. When this value changes, Kopano will remove the previous dynamicgroup from the database, and create a new dynamicgroup with this unique value. .PP Default: \fIcn\fR .SS ldap_dynamicgroup_unique_attribute_type .PP Contents type for the \fBldap_dynamicgroup_unique_attribute\fR this value can be \fIbinary\fR or \fItext\fR. On LDAP this value should be \fItext\fR. On ADS this value should be \fIbinary\fR .PP Default: \fItext\fR .SS ldap_dynamicgroup_filter_attribute .PP This is the name of the attribute on the dynamicgroup object that specifies the filter to be applied for this dynamicgroup. All users matching this filter AND matching the default search filters for objects will be included in the dynamicgroup. .PP Default: \fIkopanoFilter\fR .SS ldap_dynamicgroup_search_base_attribute .PP This is the name of the attribute on the dynamicgroup object that specifies the search base to be applied for this dynamicgroup. .PP Default: \fIkopanoBase\fR .SS ldap_dynamicgroup_name_attribute .PP The attribute containing the name of the dynamicgroup. .PP Default: \fIcn\fR .SS ldap_quotaoverride_attribute .PP Default: \fIkopanoQuotaOverride\fR .SS ldap_warnquota_attribute .PP Default: \fIkopanoQuotaWarn\fR .SS ldap_softquota_attribute .PP Default: \fIkopanoQuotaSoft\fR .SS ldap_hardquota_attribute .PP Default: \fIkopanoQuotaHard\fR .SS ldap_userdefault_quotaoverride_attribute .PP Default: \fIkopanoUserDefaultQuotaOverride\fR .SS ldap_userdefault_warnquota_attribute .PP Default: \fIkopanoUserDefaultQuotaWarn\fR .SS ldap_userdefault_softquota_attribute .PP Default: \fIkopanoUserDefaultQuotaSoft\fR .SS ldap_userdefault_hardquota_attribute .PP Default: \fIkopanoUserDefaultQuotaHard\fR .SS ldap_quota_multiplier .PP This value is used to multiply the quota values to bytes. When the values in LDAP are in Kb, use 1024 here. .PP Default: \fI1\fR .SS ldap_quota_userwarning_recipients_attribute .PP This attribute contains the list of users who will receive an email when a user exceeds his quota. User who exceeds his quota will be automatically added to the recipients list, this list only indicates who else will be notified. .PP Default: \fIkopanoQuotaUserWarningRecipients\fR .SS ldap_quota_userwarning_recipients_attribute_type .PP Contents type for the \fBldap_quota_userwarning_recipients_attribute\fR this value can be \fIdn\fR, \fIbinary\fR or \fItext\fR. On LDAP this value should be \fItext\fR. On ADS this value should be \fIdn\fR .PP Default: \fItext\fR .SS ldap_quota_userwarning_recipients_relation_attribute .PP The attribute of the user which is listed in \fBldap_quota_userwarning_recipients_attribute\fR .PP Default: Empty, using \fIldap_user_unique_attribute\fR .SS ldap_quota_companywarning_recipients_attribute .PP This attribute contains the list of users who will receive an email when a tenant exceeds its quota. The system administrator of the tenant that is over quota will automatically be added to the recipients list, this list only indicates who else will be notified. .PP Default: \fIkopanoQuotaCompanyWarningRecipients\fR .SS ldap_quota_companywarning_recipients_attribute_type .PP Contents type for the \fBldap_quota_companywarning_recipients_attribute\fR this value can be \fIdn\fR, \fIbinary\fR or \fItext\fR. On LDAP this value should be \fItext\fR. On ADS this value should be \fIdn\fR .PP Default: \fItext\fR .SS ldap_quota_companywarning_recipients_relation_attribute .PP The attribute of the user which is listed in \fBldap_quota_companywarning_recipients_attribute\fR .PP Default: Empty, using \fIldap_user_unique_attribute\fR .SS ldap_addressbook_hide_attribute .PP The attribute indicating the object must be hidden from the addressbook. The object will still be detected as kopano user and is allowed to login and work as regular kopano user, but will not be visible in the addressbook for other users. .PP Default: \fIkopanoHidden\fR .SS ldap_object_search_filter .PP When searching in the addressbook, this filter will be used. Normally, the storage server will only search in the unique attribute, loginname, fullname and emailaddress. You might want to search in more fields, like \*(Aqlastname\*(Aq. Kopano also uses a postfix wildcard only. Using the \*(Aq*\*(Aq wildcard with prefixes makes a search slower, but can return more results. .PP Hint: Use the kopanoAccount attribute in the filter to differentiate between non\-kopano and kopano objects. .PP You can set a custom search filter here. \*(Aq%s\*(Aq will be replaced with the string being searched. .PP Active Directory has a shortcut for searching in the addressbook using the \*(Aqanr\*(Aq attribute. This is recommended on ADS installations. .PP Default: .PP Recommended for ADS installations: \fI(anr=%s)\fR .PP Optional for OpenLDAP installations: \fI(|(mail=%s*)(uid=%s*)(cn=*%s*)\:(fullname=*%s*)(givenname=*%s*)(lastname=*%s*)(sn=*%s*))\fR .SS ldap_filter_cutoff_elements .PP When the ldap plugin retrieves information from the LDAP Server, large queries can be created to retrieve data for multiple objects at once. These large queries can perform badly on some LDAP server implementations. This option limits the number of elements that can be retrieved in one search filter and therefore limits the size of the filter. Instead, a broader search filter is created which retrieves all objects from the LDAP server. This results in slightly higher processing overhead and network activity, but with the bonus that the query can be served by the LDAP server much faster (a factor of 40 in 5000\-object queries has been observed). .PP Setting this value to 0 will never limit the filter, setting it to a value of 1 will always limit the filter (since all queries will be retrieving one or more objects). .PP Default: \fI1000\fR .RE .SH "FILES" .PP /etc/kopano/server.cfg .RS 4 The server configuration file. .RE .PP /etc/kopano/ldap.cfg .RS 4 The Kopano LDAP configuration file. .RE .SH "AUTHOR" .PP Written by Kopano. .SH "SEE ALSO" .PP \fBkopano-server\fR(8), \fBkopano-server.cfg\fR(5)