##############################################################
# LDAP/ACTIVE DIRECTORY USER PLUGIN SETTINGS
#
# Any of these directives that are required are only required if the
# userplugin parameter is set to ldap.

# LDAP host name/IP address
# Optional, default = localhost
#ldap_host = ldap-master

# LDAP port
# Optional, default = 389
# Use 636 for ldaps
#ldap_port = 389

# LDAP protocol
# Optional, default = ldap
# Use 'ldaps' for SSL encryption. Make sure /etc/ldap/ldap.conf is
# configured correctly with TLS_CACERT
#ldap_protocol = ldap

# Space-separated list of LDAP server URIs (here a master and a slave).
# NOTE(review): both URIs use plain ldap:// on port 389. Unless transport
# encryption is enforced elsewhere, the bind DN/password and the user
# passwords sent when ldap_authentication_method = bind cross the network
# unencrypted. Prefer ldaps:// URIs (port 636) with TLS_CACERT configured
# as described above.
ldap_uri = ldap://ldap-master:389 ldap://ldap-slave:389

# The charset that strings are stored in on the LDAP server. Normally this
# is utf-8, but this can differ according to your setup. The charset specified
# here must be supported by your iconv(1) setup. See iconv -l for all charsets.
ldap_server_charset = utf-8

# The DN of the user to bind as for normal operations (not used for
# authentication if ldap_authentication_method is set to "bind").
# Optional, default = empty (anonymous bind)
# The userPassword attribute must be readable for this user if the
# ldap_authentication_method option is set to password.
# NOTE(review): left empty here, so lookups use an anonymous bind; every
# attribute mapped in this file must then be readable without
# authentication. A dedicated read-only bind DN is the tighter choice.
#ldap_bind_user = cn=admin,cn=users,dc=zarafa,dc=com
ldap_bind_user =

# LDAP bind password
# Optional, default = empty (no password)
# If a password is set, it is stored here in clear text: keep this file
# readable only by the account the server runs as.
ldap_bind_passwd =

# The timeout for network operations in seconds
ldap_network_timeout = 30

# When an object (user/group/company) is changed, this attribute will also change:
# Active directory: uSNChanged
# LDAP: modifyTimestamp
ldap_last_modification_attribute = modifyTimestamp

##########
# Object settings

# Top level search base, every object should be available under this tree
ldap_search_base = dc=syn-3

# Attribute name which is used in ldap_user_search_filter
ldap_object_type_attribute = objectClass

# (Use shadowAccount instead of posixAccount, because samba-computers are also accounts!)
# Value that marks each kind of object (user, group, contact, company,
# addresslist, dynamic group).
ldap_user_type_attribute_value = shadowAccount
ldap_group_type_attribute_value = posixGroup
ldap_contact_type_attribute_value = zarafa-contact
ldap_company_type_attribute_value = zarafa-company
ldap_addresslist_type_attribute_value = zarafa-addresslist
ldap_dynamicgroup_type_attribute_value = zarafa-dynamicgroup

##########
# There should be no need to edit any values below this line
##########

##########
# User settings

# Extra search for users using this LDAP filter. See ldap_search(3) or RFC
# 2254 for details on the filter syntax.
# Hint: Use the zarafaAccount attribute in the filter to differentiate
# between non-zarafa and zarafa users.
# Optional, default = empty (match everything)
# For active directory, use:
#   (objectCategory=Person)
# For LDAP with posix users:
#   no need to use the search filter.
# NOTE(review): left empty, so every object of the user type under
# ldap_search_base is treated as a user.
ldap_user_search_filter =

# Unique user id used to find the user
# Required
# For active directory, use:
#   objectGuid ** WARNING: This WAS: objectSid ** Updates *WILL* fail! **
# For LDAP with posixAccount, use:
#   uidNumber
ldap_user_unique_attribute = uidNumber

# Type of unique user id
# default: text
# For active directory, use:
#   binary
# For LDAP with posix user, use:
#   text
ldap_user_unique_attribute_type = text

# Optional, default = cn
# For active directory, use:
#   cn or displayName
# For LDAP with posix user, use:
#   cn
ldap_fullname_attribute = cn

# Optional, default = uid
# Active directory: sAMAccountName
# LDAP: uid
ldap_loginname_attribute = uid

# Optional, default = userPassword
# Active directory: unicodePwd
# LDAP: userPassword
ldap_password_attribute = userPassword

# If set to bind, users are authenticated by trying to bind to the
# LDAP tree using their username + password. Otherwise, the
# ldap_password_attribute is requested and checked.
# Optional, default = bind
# Choices: bind, password
# Active directory: bind
# LDAP: password
# NOTE(review): 'bind' means the password attribute never has to be readable
# by the server's bind user, but each user's password is sent to the LDAP
# server in the bind request, so the LDAP connection should be encrypted.
#ldap_authentication_method = password
ldap_authentication_method = bind

# Optional, default = mail
# Active directory: mail
# LDAP: mail
ldap_emailaddress_attribute = mail

# Optional, default = zarafaAliases
# Active directory: zarafaAliases
# LDAP: zarafaAliases
# DatuX: 3-oct-2011: Disabled this because it causes zarafa to 'resolve' the aliases to the primary address. This causes confusion and doesn't allow mail rules that filter on such addresses. (Also see https://jira.zarafa.com/browse/ZCP-4850; the same 'feature' exists for to-addresses.)
# DatuX: 2-mar-2020: re-enabled to get rid of 'on behalf of' messages.
# NOTE(review): the value in use is 'alias', not the zarafaAliases default listed above.
ldap_emailaliases_attribute = alias

# Whether the user is an admin. The field is interpreted as a
# boolean, 0 and false (case insensitive) meaning no, all other values
# yes.
# Optional, default = zarafaAdmin
# Active directory: zarafaAdmin
# LDAP: zarafaAdmin
# NOTE(review): any value other than 0/false grants admin, so write access
# to this attribute in the directory is equivalent to granting admin rights;
# restrict it with directory ACLs.
ldap_isadmin_attribute = zarafaAdmin

# Whether a user is a non-active user. This means that the user will
# not count towards your user count, but the user will also not be
# able to log in
# Optional, default = empty
# Active directory: zarafaSharedStoreOnly
# LDAP: zarafaSharedStoreOnly
ldap_nonactive_attribute = zarafaSharedStoreOnly

# A nonactive store, or resource, can be specified to be a user, room or equipment.
# Set it to 'room' or 'equipment' to make such types. If set to empty,
# or wrong word, or 'user' it will be a nonactive user.
# Optional, default = zarafaResourceType
# Active directory: zarafaResourceType
# LDAP: zarafaResourceType
ldap_resource_type_attribute = zarafaResourceType

# Numeric resource capacity
# Optional, default = zarafaResourceCapacity
# Active directory: zarafaResourceCapacity
# LDAP: zarafaResourceCapacity
ldap_resource_capacity_attribute = zarafaResourceCapacity

# Optional
# The attribute which indicates which users are allowed
# to send on behalf of the selected user
# NOTE(review): whoever can write this attribute in the directory can hand
# out send-as rights; restrict write access with directory ACLs.
ldap_user_sendas_attribute = zarafaSendAsPrivilege

# Optional, default = text
# Active directory: dn
# LDAP: text
ldap_user_sendas_attribute_type = text

# The attribute of the user which is listed in the
# ldap_user_sendas_attribute
# Empty default, using ldap_user_unique_attribute
ldap_user_sendas_relation_attribute = uid

# Optional, default = userCertificate
# Active directory: userCertificate
# LDAP: userCertificate
ldap_user_certificate_attribute = userCertificate

# Load extra user properties from the propmap file
# (the directive below is commented out, so no propmap file is loaded)
#!propmap /etc/zarafa/ldap.propmap.cfg

##########
# Group settings

# Search for groups using this LDAP filter. See ldap_search(3) for
# details on the filter syntax.
# Hint: Use the zarafaAccount attribute in the filter to differentiate
# between non-zarafa and zarafa groups.
# Optional, default = empty (match everything)
# For active directory, use:
#   (objectCategory=Group)
# For LDAP with posix groups, use:
#   no need to set the search filter
ldap_group_search_filter =

# Unique group id used to find the group
# Required
# For active directory, use:
#   objectSid
# For LDAP with posix group, use:
#   gidNumber
ldap_group_unique_attribute = gidNumber

# Type of unique group id
# default: text
# For active directory, use:
#   binary
# For LDAP with posix group, use:
#   text
ldap_group_unique_attribute_type = text

# Optional, default = cn
# Active directory: cn
# LDAP: cn
ldap_groupname_attribute = cn

# Optional, default = member
# Active directory: member
# LDAP: memberUid
ldap_groupmembers_attribute = memberUid

# Optional, default = text
# Active directory: dn
# LDAP: text
ldap_groupmembers_attribute_type = text

# The attribute of the user which is listed in ldap_groupmember_attribute
# Active directory: empty, matching dn's
# LDAP: uidNumber, matching users in ldap_user_unique_attribute
# NOTE(review): set to uid here rather than the uidNumber suggested above;
# presumably because memberUid entries hold login names - confirm against
# the directory.
ldap_groupmembers_relation_attribute = uid

# A group can also be used for security, e.g. setting permissions on folders.
# This makes a group a security group. The zarafaSecurityGroup value is boolean.
# Optional, default = zarafaSecurityGroup
# Active directory = groupType
# LDAP: zarafaSecurityGroup
ldap_group_security_attribute = zarafaSecurityGroup

# In ADS servers, a special bitmask action is required on the groupType field.
# This is activated by setting the ldap_group_security_attribute_type to 'ads'.
# Otherwise, just the presence of the field will make the group security enabled.
# Optional, default = boolean
# Active directory = ads
# LDAP: boolean
ldap_group_security_attribute_type = boolean

##########
# Company settings

# Search for companies using this LDAP filter.
# Hint: Use the zarafaAccount attribute in the filter to differentiate
# between non-zarafa and zarafa companies.
# Optional, default = empty (match everything)
# For active directory, use:
#   (objectCategory=Company)
# For LDAP with posix users, use:
#   no need to set the filter
ldap_company_search_filter =

# Unique company id used to find the company
# Active directory: objectGUID
# LDAP: ou
ldap_company_unique_attribute = ou

# Optional, default = text
# Active directory: binary
# LDAP: text
ldap_company_unique_attribute_type = text

# Optional, default = ou
# Active directory: ou
# LDAP: ou
ldap_companyname_attribute = ou

# Optional
# The attribute which indicates which companies are allowed
# to view the members of the selected company
ldap_company_view_attribute = zarafaViewPrivilege

# Optional, default = text
ldap_company_view_attribute_type = text

# The attribute of the company which is listed in the
# ldap_company_view_attribute
# Empty default, using ldap_company_unique_attribute
ldap_company_view_relation_attribute =

# Optional
# The attribute which indicates which users from different companies
# are administrator over the selected company.
# NOTE(review): this attribute confers administrative rights, so write
# access to it in the directory should be restricted with ACLs.
ldap_company_admin_attribute = zarafaAdminPrivilege

# Optional, default = text
# Active directory: dn
# LDAP: text
ldap_company_admin_attribute_type = text

# The attribute of the company which is listed in the
# ldap_company_admin_attribute
# Empty default, using ldap_user_unique_attribute
ldap_company_admin_relation_attribute =

# The attribute which indicates which user is the system administrator
# for the specified company.
# Attribute naming the system administrator of a company.
ldap_company_system_admin_attribute = zarafaSystemAdmin

# Optional, default = text
# Active directory: dn
# LDAP: text
ldap_company_system_admin_attribute_type = text

# The attribute of the company which is listed in the
# ldap_company_system_admin attribute
# Empty default, using ldap_user_unique_attribute
ldap_company_system_admin_relation_attribute =

##########
# Addresslist settings

# Add a filter to the addresslist search
# Hint: Use the zarafaAccount attribute in the filter to differentiate
# between non-zarafa and zarafa addresslists.
# Optional, default = empty (match everything)
ldap_addresslist_search_filter =

# This is the unique attribute of an addresslist which is never going
# to change, unless the addresslist is removed from LDAP. When this
# value changes, Zarafa will remove the previous addresslist from the
# database, and create a new addresslist with this unique value
ldap_addresslist_unique_attribute = cn

# This value can be 'text' or 'binary'. For OpenLDAP, only text is used.
ldap_addresslist_unique_attribute_type = text

# This is the name of the attribute on the addresslist object that
# specifies the filter to be applied for this addresslist. All users
# matching this filter AND matching the default
# ldap_user_search_filter will be included in the addresslist
ldap_addresslist_filter_attribute = zarafaFilter

# This is the name of the attribute on the addresslist object that
# specifies the search base to be applied for this addresslist.
ldap_addresslist_search_base_attribute = zarafaBase

# The attribute containing the name of the addresslist
ldap_addresslist_name_attribute = cn

##########
# Dynamicgroup settings

# Add a filter to the dynamicgroup search
# Hint: Use the zarafaAccount attribute in the filter to differentiate
# between non-zarafa and zarafa dynamic groups.
# Optional, default = empty (match everything)
ldap_dynamicgroup_search_filter =

# This is the unique attribute of a dynamicgroup which is never going
# to change, unless the dynamicgroup is removed from LDAP. When this
# value changes, Zarafa will remove the previous dynamicgroup from the
# database, and create a new dynamicgroup with this unique value
ldap_dynamicgroup_unique_attribute = cn

# This value can be 'text' or 'binary'. For OpenLDAP, only text is used.
ldap_dynamicgroup_unique_attribute_type = text

# This is the name of the attribute on the dynamicgroup object that
# specifies the filter to be applied for this dynamicgroup. All users
# matching this filter AND matching the default
# ldap_user_search_filter will be included in the dynamicgroup
ldap_dynamicgroup_filter_attribute = zarafaFilter

# This is the name of the attribute on the dynamicgroup object that
# specifies the search base to be applied for this dynamicgroup.
ldap_dynamicgroup_search_base_attribute = zarafaBase

# The attribute containing the name of the dynamicgroup
ldap_dynamicgroup_name_attribute = cn

##########
# Quota settings

# Optional
# The attribute which indicates which users (besides the user who exceeds his quota)
# should also receive a warning mail when a user exceeds his quota.
ldap_quota_userwarning_recipients_attribute = zarafaQuotaUserWarningRecipients

# Optional, default = text
# Active directory: dn
# LDAP: text
ldap_quota_userwarning_recipients_attribute_type = text

# Optional, default empty
ldap_quota_userwarning_recipients_relation_attribute =

# Optional
# The attribute which indicates which users should receive a warning mail
# when a company exceeds its quota.
# Attribute listing the recipients of company quota warning mails.
ldap_quota_companywarning_recipients_attribute = zarafaQuotaCompanyWarningRecipients

# Optional, default = text
# Active directory: dn
# LDAP: text
ldap_quota_companywarning_recipients_attribute_type = text

# Optional, default empty
ldap_quota_companywarning_recipients_relation_attribute =

# Whether to override the system wide quota settings
ldap_quotaoverride_attribute = zarafaQuotaOverride

# Per-user warn/soft/hard quota attributes; all three are left empty here.
ldap_warnquota_attribute =
ldap_softquota_attribute =
ldap_hardquota_attribute =

# Whether to override the system wide quota settings for all users within the company
ldap_userdefault_quotaoverride_attribute = zarafaUserDefaultQuotaOverride

# Company-wide default warn/soft/hard quota attributes; all three are left empty here.
ldap_userdefault_warnquota_attribute =
ldap_userdefault_softquota_attribute =
ldap_userdefault_hardquota_attribute =

# Mapping from the quota attributes to a number of bytes. Qmail-LDAP
# schema uses bytes (1), ADS uses kilobytes (1024*1024).
# NOTE(review): 1024*1024 is the factor for megabytes, not kilobytes (1024);
# confirm the unit of the directory's quota values before changing this.
ldap_quota_multiplier = 1

##########
# Misc. settings

# Attribute which indicates if the user should be hidden from addressbook
ldap_addressbook_hide_attribute = zarafaHidden

# LDAP object search filter. %s in this filter will be replaced with
# the object being searched.
# Hint: Use the zarafaAccount attribute in the filter to differentiate
# between non-zarafa and zarafa objects.
# Default: empty
# ADS recommended: (anr=%s)
# OpenLDAP optional: (|(mail=%s*)(uid=%s*)(cn=*%s*)(fullname=*%s*)(givenname=*%s*)(lastname=*%s*)(sn=*%s*))
ldap_object_search_filter =