ZARAFA-LDAP.CFG(5) Zarafa user reference ZARAFA-LDAP.CFG(5)

NAME
zarafa-ldap.cfg - The Zarafa LDAP configuration file

SYNOPSIS
ldap.cfg

DESCRIPTION
The ldap.cfg is the configuration file for the LDAP user plugin. All options needed to correctly retrieve user and group information can be set here.

FILE FORMAT
The file consists of one big section, but parameters can be grouped by functionality.

The parameters are written in the form:

name = value

The file is line-based. Each newline-terminated line represents either a comment, nothing, a parameter or a directive. A line beginning with '#' is considered a comment, and will be ignored by Zarafa. Parameter names are case sensitive. Lines beginning with '!' are directives.

Directives are written in the form:

!directive [argument(s)]

The following directives exist:

include
Include and process the argument as a configuration file.

Example: !include common.cfg

propmap
Propmap delivers the capability to map additional attributes to addressbook properties (e.g. firstname, lastname, telephonenumber).

In the propmap the configuration names must be the hex property tag of the requested property. The value given to the configuration name must be the LDAP attribute to which the property should be mapped.

Example: !propmap ldap.propmap.cfg

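As an added example (not Zarafa's own parser), the following Python reads the line format described above: blank lines, '#' comments, 'name = value' parameters and the !include and !propmap directives. Files are served from constructed in-memory text so it runs offline. The security_warnings() check, the include-depth limit and the rule that a repeated parameter name overrides the earlier value are this example's assumptions, not documented Zarafa behaviour; the property tag 0x3A06001E in the sample propmap is the MAPI PR_GIVEN_NAME tag.

```python
"""Parser for the zarafa-ldap.cfg line format plus a few defensive checks.

Added example; this is not Zarafa's own parser. It implements the format
the page describes: blank lines, '#' comments, 'name = value' parameters
and '!include' / '!propmap' directives. Files are fetched through a
callable so the demo runs against constructed in-memory text.
"""
from typing import Callable, Dict, List, Optional, Tuple


class ConfigError(ValueError):
    """Raised for lines the format does not allow."""


def parse_propmap(text: str, propmap: Dict[int, str]) -> Dict[int, str]:
    """Parse a propmap file: '<hex property tag> = <ldap attribute>' per line."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ConfigError(f"propmap line {lineno}: expected tag = attribute")
        tag, attr = (s.strip() for s in line.split("=", 1))
        try:
            propmap[int(tag, 16)] = attr
        except ValueError:
            raise ConfigError(f"propmap line {lineno}: {tag!r} is not a hex tag") from None
    return propmap


def parse_cfg(text: str, read_file: Callable[[str], str],
              config: Optional[Dict[str, str]] = None,
              propmap: Optional[Dict[int, str]] = None,
              depth: int = 0) -> Tuple[Dict[str, str], Dict[int, str]]:
    """Parse ldap.cfg text; '!include' recurses, '!propmap' fills propmap."""
    config = {} if config is None else config
    propmap = {} if propmap is None else propmap
    if depth > 8:  # guard against !include loops; this limit is the example's, not Zarafa's
        raise ConfigError("too many nested !include directives")
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # empty line or comment
        if line.startswith("!"):          # directive
            name, _, arg = line[1:].partition(" ")
            arg = arg.strip()
            if name == "include":
                parse_cfg(read_file(arg), read_file, config, propmap, depth + 1)
            elif name == "propmap":
                parse_propmap(read_file(arg), propmap)
            else:
                raise ConfigError(f"line {lineno}: unknown directive !{name}")
            continue
        if "=" not in line:
            raise ConfigError(f"line {lineno}: expected name = value")
        key, value = (s.strip() for s in line.split("=", 1))
        config[key] = value               # names are case sensitive; repeated name overrides (assumed)
    return config, propmap


def security_warnings(config: Dict[str, str]) -> List[str]:
    """Flag settings documented on this page that weaken the connection or widen bind rights."""
    warnings = []
    if config.get("ldap_protocol", "ldap") != "ldaps" and config.get("ldap_bind_passwd"):
        warnings.append("bind password travels over plaintext ldap://; set ldap_protocol = ldaps")
    if not config.get("ldap_bind_user"):
        warnings.append("anonymous bind: the directory must allow unauthenticated reads")
    if config.get("ldap_authentication_method") == "password":
        warnings.append("password method: bind user must be able to read every user's password attribute")
    return warnings


# Constructed sample files, not taken from any real deployment.
SAMPLE_FILES = {
    "ldap.cfg": (
        "# main file (constructed)\n"
        "ldap_host = ldap.example.invalid\n"
        "ldap_protocol = ldap\n"
        "ldap_bind_user = cn=zarafa,dc=example,dc=invalid\n"
        "ldap_bind_passwd = s3cret\n"
        "!include common.cfg\n"
        "!propmap ldap.propmap.cfg\n"
    ),
    "common.cfg": (
        "ldap_search_base = dc=example,dc=invalid\n"
        "ldap_authentication_method = password\n"
    ),
    "ldap.propmap.cfg": (
        "# PR_GIVEN_NAME -> givenName\n"
        "0x3A06001E = givenName\n"
    ),
}


def load_sample() -> Tuple[Dict[str, str], Dict[int, str], List[str]]:
    """Parse the constructed files and return (config, propmap, warnings)."""
    config, propmap = parse_cfg(SAMPLE_FILES["ldap.cfg"], SAMPLE_FILES.__getitem__)
    return config, propmap, security_warnings(config)


if __name__ == "__main__":
    cfg, pm, warns = load_sample()
    print(cfg, pm, warns, sep="\n")
```

Running it against the constructed files yields two warnings: the bind password is sent over plain ldap://, and the password authentication method requires the bind user to read the password attribute of every user.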
EXPLANATION OF EACH PARAMETER

ldap_host
The hostname or IP address of the LDAP server.

Default: localhost

ldap_port
The port number of the LDAP server. LDAP normally runs on port 389.

Default: 389

ldap_protocol
The protocol to be used to connect to the LDAP server. Can be either 'ldap' or 'ldaps' for SSL connections. You will probably have to specify port 636 for ldap_port also. Zarafa will not use STARTTLS for such an SSL connection but instead will connect directly to an SSL encrypted port.

Default: ldap

ldap_server_charset
The charset that the LDAP server uses to store strings. All strings sent to the LDAP server or retrieved from the server will be interpreted in this charset. In most setups utf-8 is used, but it may also be iso-8859-15. All charsets supported by the system iconv() are supported here.

Default: utf-8

ldap_bind_user
The bind DN used to connect to the LDAP server. Leave empty to connect anonymously.

Default value is empty.

ldap_bind_passwd
When ldap_bind_user is a valid DN, this should be filled in too.

Default value is empty.

ldap_network_timeout
The timeout for network operations in seconds.

Default: 30

ldap_last_modification_attribute
This value is used to detect changes to an item in the LDAP server. Since it is a standard LDAP attribute, you should never have to change this. It is mainly used for addressbook synchronisation between your server and your offline data.

Default: modifyTimeStamp

ldap_search_base
This is the subtree entry under which all objects are defined in the LDAP server.

Default: dc=zarafa,dc=com

ldap_object_type_attribute
This attribute defines what type an object is, e.g. user, group, etc. Every object type should have a unique value in this attribute in order to define which entry is what.

The value of this attribute must be specified in the ldap_*_type_attribute_value settings. Each of those settings may specify multiple values for the type attribute, separated by commas. All of these values must be present in the object's type attribute for a match to be made and the object to be recognised as that type.

It is possible for ambiguities to arise by setting the same string for multiple ldap_*_type_attribute_value settings. This ambiguity will be resolved by preferring objects with more matching values. If the ambiguity cannot be resolved in this way, then the first possibility is chosen from the list (addresslist, tenant, dynamic group, group, contact, user).

Default: objectClass
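The matching and tie-break rules above, as an added Python example (not Zarafa's code). It applies the stated order (addresslist, tenant, dynamic group, group, contact, user; the tenant settings are the ldap_company_* ones, so the key is "company") and the "more matching values wins" rule, then shows how the OpenLDAP defaults make an entry that is both inetOrgPerson and posixAccount ambiguous, and how giving the user setting a second value removes the ambiguity. Comparing objectClass values case-insensitively is this example's choice, following LDAP matching rules rather than anything the page states.

```python
"""Resolve the Zarafa object type of an LDAP entry from its type attribute.

Added example, not Zarafa's own code. Rules from the page: every
comma-separated value of a ldap_*_type_attribute_value setting must be
present in the entry's type attribute; ties go to the setting with more
matching values, then to the fixed order below.
"""
from typing import Dict, Iterable, List, Optional

# Tie-break order from the page; "company" is the tenant type (ldap_company_*).
TYPE_PRIORITY = ["addresslist", "company", "dynamicgroup", "group", "contact", "user"]


def split_values(setting: str) -> List[str]:
    """'posixAccount, zarafa-user' -> ['posixaccount', 'zarafa-user'].
    objectClass matches case-insensitively in LDAP, so values are lower-cased here."""
    return [v.strip().lower() for v in setting.split(",") if v.strip()]


def resolve_object_type(entry_values: Iterable[str], settings: Dict[str, str]) -> Optional[str]:
    """settings maps 'user', 'group', ... to the ldap_<type>_type_attribute_value string."""
    present = {v.strip().lower() for v in entry_values}
    best: Optional[str] = None
    best_count = 0
    for type_name in TYPE_PRIORITY:
        required = split_values(settings.get(type_name, ""))
        if not required or not all(r in present for r in required):
            continue                      # a type matches only if all its values are present
        if len(required) > best_count:    # strict '>' keeps the earlier type on a tie
            best, best_count = type_name, len(required)
    return best


# The OpenLDAP defaults listed on this page.
OPENLDAP_DEFAULTS = {
    "user": "posixAccount",
    "group": "posixGroup",
    "contact": "inetOrgPerson",
    "company": "organizationalUnit",
    "addresslist": "zarafa-addresslist",
    "dynamicgroup": "zarafa-dynamicgroup",
}

# Constructed entry: an account carrying both inetOrgPerson and posixAccount.
PERSON_CLASSES = ["top", "inetOrgPerson", "posixAccount", "zarafa-user"]


def demo() -> tuple:
    """Returns (type with the defaults, type after disambiguating the user setting)."""
    ambiguous = resolve_object_type(PERSON_CLASSES, OPENLDAP_DEFAULTS)
    fixed = dict(OPENLDAP_DEFAULTS, user="posixAccount,zarafa-user")
    return ambiguous, resolve_object_type(PERSON_CLASSES, fixed)


if __name__ == "__main__":
    print(demo())
```

With the defaults, contact and user each match one value, so the tie goes to contact, the earlier entry in the list; once the user setting requires both posixAccount and zarafa-user, it matches two values and wins.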

ldap_user_type_attribute_value
The value in ldap_object_type_attribute which defines a user.

Default for OpenLDAP: posixAccount

Default for ADS: user

ldap_group_type_attribute_value
The value in ldap_object_type_attribute which defines a group.

Default for OpenLDAP: posixGroup

Default for ADS: group

ldap_contact_type_attribute_value
The value in ldap_object_type_attribute which defines a contact.

Default for OpenLDAP: inetOrgPerson

Default for ADS: contact

ldap_company_type_attribute_value
The value in ldap_object_type_attribute which defines a tenant. This option is only used in multi-tenancy installations.

Default for OpenLDAP: organizationalUnit

Default for ADS: zarafa-company

ldap_addresslist_type_attribute_value
The value in ldap_object_type_attribute which defines an addresslist.

Default: zarafa-addresslist

ldap_dynamicgroup_type_attribute_value
The value in ldap_object_type_attribute which defines a dynamic group.

Default: zarafa-dynamicgroup

ldap_user_search_filter
Adds an extra filter to the user search.

Hint: Use the zarafaAccount attribute in the filter to differentiate between non-zarafa and zarafa users.

Default for OpenLDAP is empty.

Default for ADS: (objectCategory=Person)

ldap_user_unique_attribute
This is the unique attribute of a user which is never going to change, unless the user is removed from LDAP. When this value changes, Zarafa will remove the previous user and its store from the database, and create a new user with this unique value.

Default for OpenLDAP: uidNumber

Default for ADS: objectGuid

ldap_user_unique_attribute_type
Contents type for the ldap_user_unique_attribute. This value can be binary or text.

Default for OpenLDAP: text

Default for ADS: binary

ldap_fullname_attribute
This value is the full name of a user. It will be used on outgoing messages, and for store names.

Default: cn

ldap_loginname_attribute
This value is the login name of a user. This is what the user uses to log in to Zarafa. The DAgent will use this value to open the store of the user.

Default for OpenLDAP: uid

Default for ADS: sAMAccountName

ldap_password_attribute
This value is the password of a user. When using ldap_authentication_method = password, this value will be checked. The ldap_bind_user should have enough access rights to read the password field.

Default for OpenLDAP: userPassword

Default for ADS: unicodePwd

ldap_authentication_method
This value can be bind or password. When set to bind, the plugin will authenticate by opening a new connection to the LDAP server as the user with the given password. When set to password, the plugin will read and match the password field from the LDAP server itself. When set to password, the ldap_bind_user should have enough access rights to read the password field.

Default for OpenLDAP: userPassword

Default for ADS: bind
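What the password method has to do once it has read the password field, as an added Python example (not Zarafa's code; the page does not show how Zarafa performs the match). It checks a supplied password against an OpenLDAP userPassword value in the common {SSHA} and {SHA} forms and the plaintext form, using a constant-time comparison. The sample values are constructed. Under the bind method none of this runs on the Zarafa side: the directory verifies the password itself and the stored value never has to be readable by the bind user.

```python
"""Local verification of an OpenLDAP userPassword value.

Added example, not Zarafa's code. Illustrates what the 'password'
authentication method implies: the stored value is fetched with the
bind user's rights and compared locally. Handles {SSHA} (salted SHA-1),
{SHA} and plaintext values, the forms OpenLDAP commonly stores.
"""
import base64
import hashlib
import hmac
import os
from typing import Optional


def make_ssha(password: str, salt: Optional[bytes] = None) -> str:
    """Produce an OpenLDAP-style '{SSHA}' value: base64(sha1(password + salt) + salt)."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify_userpassword(stored: str, candidate: str) -> bool:
    """True if candidate matches the stored userPassword value."""
    cand = candidate.encode("utf-8")
    if stored.startswith("{SSHA}"):
        raw = base64.b64decode(stored[len("{SSHA}"):])
        digest, salt = raw[:20], raw[20:]        # SHA-1 digest is 20 bytes, the rest is salt
        return hmac.compare_digest(hashlib.sha1(cand + salt).digest(), digest)
    if stored.startswith("{SHA}"):
        digest = base64.b64decode(stored[len("{SHA}"):])
        return hmac.compare_digest(hashlib.sha1(cand).digest(), digest)
    if stored.startswith("{"):
        scheme = stored.split("}", 1)[0] + "}"
        raise ValueError("unsupported userPassword scheme: " + scheme)
    return hmac.compare_digest(stored.encode("utf-8"), cand)   # plaintext value


# Constructed sample: a fixed salt keeps the demo deterministic; real salts are random.
SAMPLE_SSHA = make_ssha("hunter2", b"salt1234")
# {SHA} of the string "password" (unsalted SHA-1), a well-known test vector.
SAMPLE_SHA = "{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g="


def demo() -> dict:
    """Exercise each supported form with right and wrong candidates."""
    return {
        "ssha_ok": verify_userpassword(SAMPLE_SSHA, "hunter2"),
        "ssha_bad": verify_userpassword(SAMPLE_SSHA, "hunter3"),
        "sha_ok": verify_userpassword(SAMPLE_SHA, "password"),
        "plain_ok": verify_userpassword("secret", "secret"),
    }


if __name__ == "__main__":
    print(demo())
```

The operational consequence is the one the page states twice: the bind account needs read access to every user's password attribute, so a compromise of that account (or of the ldap.cfg holding ldap_bind_passwd) exposes all stored hashes.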

ldap_emailaddress_attribute
This value is the email address of a user. It will be used to set the From on outgoing messages.

Default: mail

ldap_emailaliases_attribute
This value holds the email aliases of a user. It can be used to find extra valid email addresses for incoming email. These email addresses cannot be used for outgoing email.

Default: zarafaAliases

ldap_isadmin_attribute
This value indicates if a user has administrator rights. 0 or not present means no. 1 means yes. In a multi-tenancy environment a value of 1 means that the user is administrator over his own tenant. A value of 2 means he is administrator over all companies within the environment.

Default: zarafaAdmin

ldap_nonactive_attribute
This value indicates if a user is nonactive. Nonactive users cannot log in, but the store can be used as a shared store for other users.

By default this option is set to empty. Doing this will effectively disable the availability of the nonactive user feature and will assign all users to be active. The nonactive attribute provided by the Zarafa schema for nonactive users is zarafaSharedStoreOnly.

Default: empty

ldap_resource_type_attribute
This attribute can change the type of a non-active user. The value of this attribute can be room or equipment to make it such a resource. If this attribute is not present, or not one of the previously described values, the user will be a normal non-active user.

Default: zarafaResourceType

ldap_resource_capacity_attribute
Resources often have a limited capacity. Use this attribute to control this value.

Default: zarafaResourceCapacity

ldap_sendas_attribute
This attribute contains the list of users for which the user can use the sendas feature.

Default: zarafaSendAsPrivilege

ldap_sendas_attribute_type
Contents type for the ldap_sendas_attribute; this value can be dn, binary or text.

Default for OpenLDAP: text

Default for ADS: dn

ldap_sendas_relation_attribute
This value is used to find the users in the sendas list.

Defaults to an empty value, which uses the ldap_user_unique_attribute setting. By using the DN, you can also add groups to the sendas list.

Default for OpenLDAP is empty.

Default for ADS: distinguishedName

ldap_user_certificate_attribute
The attribute which contains the user's public certificate to be used for encrypted S/MIME messages. Both Active Directory and OpenLDAP use the same LDAP attribute by default. The format of the certificate should be the binary DER format.

Default: userCertificate

ldap_group_search_filter
Adds an extra filter to the group search.

Hint: Use the zarafaAccount attribute in the filter to differentiate between non-zarafa and zarafa groups.

Default for OpenLDAP is empty.

Default for ADS: (objectCategory=Group)

ldap_group_unique_attribute
This is the unique attribute of a group which is never going to change, unless the group is removed from LDAP. When this value changes, Zarafa will remove the previous group from the database, and create a new group with this unique value.

Default for OpenLDAP: gidNumber

Default for ADS: objectSid

ldap_group_unique_attribute_type
Contents type for the ldap_group_unique_attribute; this value can be binary or text.

Default for OpenLDAP: text

Default for ADS: binary

ldap_groupname_attribute
This value is the name of a group.

Default: cn

ldap_groupmembers_attribute
This value is the member list of a group.

Default for OpenLDAP: memberUid

Default for ADS: member

ldap_groupmembers_attribute_type
Contents type for the ldap_groupmembers_attribute; this value can be dn, binary or text.

Default for OpenLDAP: text

Default for ADS: dn

ldap_groupmembers_relation_attribute
This value is used to find the users in a group if ldap_groupmembers_attribute_type is text.

Defaults to an empty value, which uses the ldap_user_unique_attribute setting.

Default is empty.

ldap_group_security_attribute
If this attribute is present, you can make a group a security group. These groups can be used to place permissions on folders.

Default for OpenLDAP: zarafaSecurityGroup

Default for ADS: groupType

ldap_group_security_attribute_type
The type of the ldap_group_security_attribute is very different for ADS and OpenLDAP. The value of this option can be boolean or ads. The ads option only looks at the highest bit in the numeric value of the groupType attribute.

Default for OpenLDAP: boolean

Default for ADS: ads
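The two interpretations of ldap_group_security_attribute, as an added Python example (not Zarafa's code). For ads it tests the highest bit of the numeric groupType, which is the Active Directory GROUP_TYPE_SECURITY_ENABLED flag (0x80000000); Active Directory returns groupType as a signed 32-bit integer, so security groups show up as negative numbers and the value is folded back to 32 bits before testing. For boolean it follows LDAP boolean syntax (TRUE/FALSE); the page does not list accepted spellings, so accepting only those two is this example's assumption. The group entries are constructed.

```python
"""Decide whether a group is a security group under the 'ads' and 'boolean'
settings of ldap_group_security_attribute_type.

Added example, not Zarafa's code. 'ads' tests the highest bit of the
numeric Active Directory groupType (GROUP_TYPE_SECURITY_ENABLED,
0x80000000); AD reports the attribute as a signed 32-bit integer, so
security groups read as negative numbers. 'boolean' uses LDAP boolean
syntax, TRUE or FALSE (assumed; the page lists no spellings).
"""
from typing import Dict, List

GROUP_TYPE_SECURITY_ENABLED = 0x80000000


def is_security_group(value: str, attr_type: str) -> bool:
    """Interpret one attribute value according to the configured type."""
    v = value.strip()
    if attr_type == "ads":
        n = int(v) & 0xFFFFFFFF           # fold a signed textual value into unsigned 32-bit
        return bool(n & GROUP_TYPE_SECURITY_ENABLED)
    if attr_type == "boolean":
        if v.upper() == "TRUE":
            return True
        if v.upper() == "FALSE":
            return False
        raise ValueError("not an LDAP boolean: " + v)
    raise ValueError("unknown ldap_group_security_attribute_type: " + attr_type)


def security_group_names(entries: List[Dict[str, str]], attr: str, attr_type: str) -> List[str]:
    """Names of the entries that count as security groups; a missing attribute means not a security group."""
    result = []
    for entry in entries:
        if attr in entry and is_security_group(entry[attr], attr_type):
            result.append(entry["cn"])
    return result


# Constructed Active Directory group entries (groupType as AD returns it, signed).
SAMPLE_AD_GROUPS = [
    {"cn": "mail-admins", "groupType": "-2147483646"},   # 0x80000002: global security group
    {"cn": "newsletter", "groupType": "2"},              # 0x00000002: global distribution group
    {"cn": "all-staff", "groupType": "-2147483640"},     # 0x80000008: universal security group
    {"cn": "legacy"},                                    # attribute absent
]

# Constructed OpenLDAP entries using the zarafaSecurityGroup boolean attribute.
SAMPLE_OPENLDAP_GROUPS = [
    {"cn": "developers", "zarafaSecurityGroup": "TRUE"},
    {"cn": "announce", "zarafaSecurityGroup": "FALSE"},
]


if __name__ == "__main__":
    print(security_group_names(SAMPLE_AD_GROUPS, "groupType", "ads"))
    print(security_group_names(SAMPLE_OPENLDAP_GROUPS, "zarafaSecurityGroup", "boolean"))
```

A distribution group that is mistaken for a security group would be offered in folder permission dialogs, so when switching a directory from one type to the other it is worth running a check like this over the exported groups before changing the setting.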

ldap_company_search_filter
Adds an extra filter to the tenant search.

Hint: Use the zarafaAccount attribute in the filter to differentiate between non-zarafa and zarafa companies.

Default for OpenLDAP is empty.

Default for ADS: (objectCategory=Company)

ldap_company_unique_attribute
This is the unique attribute of a tenant which is never going to change, unless the tenant is removed from LDAP. When this value changes, Zarafa will remove the previous tenant from the database, and create a new tenant with this unique value.

Default for OpenLDAP: ou

Default for ADS: objectSid

ldap_company_unique_attribute_type
Contents type for the ldap_company_unique_attribute; this value can be binary or text.

Default for OpenLDAP: text

Default for ADS: binary

ldap_companyname_attribute
This value is the name of a tenant.

Default: cn

ldap_company_view_attribute
This attribute contains the list of tenants which can view the members of the tenant on which this attribute is set. Tenants which are not listed in this attribute cannot see the presence of the tenant space itself nor its members.

Default: zarafaViewPrivilege

ldap_company_view_attribute_type
Contents type for the ldap_company_view_attribute; this value can be dn, binary or text.

Default for OpenLDAP: text

Default for ADS: dn

ldap_company_view_relation_attribute
The attribute of the tenant which is listed in ldap_company_view_attribute.

Default: empty, using the ldap_company_unique_attribute

ldap_company_admin_attribute
This attribute contains the list of users outside of the selected tenant space who are administrator over the selected tenant space. Note that local users should not be listed as administrator here; those users need the ldap_isadmin_attribute attribute.

Default: zarafaAdminPrivilege

ldap_company_admin_attribute_type
Contents type for the ldap_company_admin_attribute; this value can be dn, binary or text.

Default for OpenLDAP: text

Default for ADS: dn

ldap_company_admin_relation_attribute
The attribute of the user which is listed in ldap_company_admin_attribute.

Default: empty, using the ldap_user_unique_attribute

ldap_company_system_admin_attribute
This attribute contains the user who acts as the system administrator of this tenant space. This can either be a local user or a user from a different tenant space. At the moment this user is set as the sender of quota warning emails.

Default: zarafaSystemAdmin

ldap_company_system_admin_attribute_type
Contents type for the ldap_company_system_admin_attribute; this value can be dn, binary or text.

Default for OpenLDAP: text

Default for ADS: dn

ldap_company_system_admin_relation_attribute
The attribute of the user which is listed in ldap_company_system_admin_attribute.

Default: empty, using the ldap_user_unique_attribute

ldap_addresslist_search_filter
Adds a filter to the addresslist search.

Hint: Use the zarafaAccount attribute in the filter to differentiate between non-zarafa and zarafa addresslists.

Default: (objectClass=zarafa-addresslist)

ldap_addresslist_unique_attribute
This is the unique attribute of an addresslist which is never going to change, unless the addresslist is removed from LDAP. When this value changes, Zarafa will remove the previous addresslist from the database, and create a new addresslist with this unique value.

Default: cn

ldap_addresslist_unique_attribute_type
Contents type for the ldap_addresslist_unique_attribute; this value can be dn, binary or text. On LDAP this value should be text. On ADS this value should be dn.

Default: text

ldap_addresslist_filter_attribute
This is the name of the attribute on the addresslist object that specifies the filter to be applied for this addresslist. All users matching this filter AND matching the default ldap_user_search_filter will be included in the addresslist.

Default: zarafaFilter

ldap_addresslist_search_base_attribute
This is the name of the attribute on the addresslist object that specifies the search base to be applied for this addresslist.

Default: zarafaBase

ldap_addresslist_name_attribute
The attribute containing the name of the addresslist.

Default: cn

ldap_dynamicgroup_search_filter
Adds an extra filter to the dynamicgroup search.

Hint: Use the zarafaAccount attribute in the filter to differentiate between non-zarafa and zarafa dynamic groups.

Default is empty.

ldap_dynamicgroup_unique_attribute
This is the unique attribute of a dynamicgroup which is never going to change, unless the dynamicgroup is removed from LDAP. When this value changes, Zarafa will remove the previous dynamicgroup from the database, and create a new dynamicgroup with this unique value.

Default: cn

ldap_dynamicgroup_unique_attribute_type
Contents type for the ldap_dynamicgroup_unique_attribute; this value can be binary or text. On LDAP this value should be text. On ADS this value should be binary.

Default: text

ldap_dynamicgroup_filter_attribute
This is the name of the attribute on the dynamicgroup object that specifies the filter to be applied for this dynamicgroup. All users matching this filter AND matching the default search filters for objects will be included in the dynamicgroup.

Default: zarafaFilter

ldap_dynamicgroup_search_base_attribute
This is the name of the attribute on the dynamicgroup object that specifies the search base to be applied for this dynamicgroup.

Default: zarafaBase

ldap_dynamicgroup_name_attribute
The attribute containing the name of the dynamicgroup.

Default: cn

ldap_quotaoverride_attribute
Default: zarafaQuotaOverride

ldap_warnquota_attribute
Default: zarafaQuotaWarn

ldap_softquota_attribute
Default: zarafaQuotaSoft

ldap_hardquota_attribute
Default: zarafaQuotaHard

ldap_userdefault_quotaoverride_attribute
Default: zarafaUserDefaultQuotaOverride

ldap_userdefault_warnquota_attribute
Default: zarafaUserDefaultQuotaWarn

ldap_userdefault_softquota_attribute
Default: zarafaUserDefaultQuotaSoft

ldap_userdefault_hardquota_attribute
Default: zarafaUserDefaultQuotaHard

ldap_quota_multiplier
This value is used to multiply the quota values to bytes. When the values in LDAP are in kilobytes, use 1024 here.

Default: 1

ldap_quota_userwarning_recipients_attribute
This attribute contains the list of users who will receive an email when a user exceeds his quota. The user who exceeds his quota will be automatically added to the recipients list; this list only indicates who else will be notified.

Default: zarafaQuotaUserWarningRecipients

ldap_quota_userwarning_recipients_attribute_type
Contents type for the ldap_quota_userwarning_recipients_attribute; this value can be dn, binary or text. On LDAP this value should be text. On ADS this value should be dn.

Default: text

ldap_quota_userwarning_recipients_relation_attribute
The attribute of the user which is listed in ldap_quota_userwarning_recipients_attribute.

Default: empty, using ldap_user_unique_attribute

ldap_quota_companywarning_recipients_attribute
This attribute contains the list of users who will receive an email when a tenant exceeds its quota. The system administrator of the tenant that is over quota will automatically be added to the recipients list; this list only indicates who else will be notified.

Default: zarafaQuotaCompanyWarningRecipients

ldap_quota_companywarning_recipients_attribute_type
Contents type for the ldap_quota_companywarning_recipients_attribute; this value can be dn, binary or text. On LDAP this value should be text. On ADS this value should be dn.

Default: text

ldap_quota_companywarning_recipients_relation_attribute
The attribute of the user which is listed in ldap_quota_companywarning_recipients_attribute.

Default: empty, using ldap_user_unique_attribute

ldap_addressbook_hide_attribute
The attribute indicating that the object must be hidden from the addressbook. The object will still be detected as a zarafa user and is allowed to log in and work as a regular zarafa user, but will not be visible in the addressbook for other users.

Default: zarafaHidden

ldap_object_search_filter
When searching in the addressbook, this filter will be used. Normally, the zarafa server will only search in the unique attribute, loginname, fullname and emailaddress. You might want to search in more fields, like 'lastname'. Zarafa also uses a postfix wildcard only. Using the '*' wildcard with prefixes makes a search slower, but can return more results.

Hint: Use the zarafaAccount attribute in the filter to differentiate between non-zarafa and zarafa objects.

You can set a custom search filter here. '%s' will be replaced with the string being searched.

Active Directory has a shortcut for searching in the addressbook using the 'anr' attribute. This is recommended on ADS installations.

Default: empty

Recommended for ADS installations: (anr=%s)

Optional for OpenLDAP installations:
(|(mail=%s*)(uid=%s*)(cn=*%s*)(fullname=*%s*)(givenname=*%s*)(lastname=*%s*)(sn=*%s*))

ldap_filter_cutoff_elements
When the ldap plugin retrieves information from the LDAP server, large queries can be created to retrieve data for multiple objects at once. These large queries can perform badly on some LDAP server implementations. This option limits the number of elements that can be retrieved in one search filter and therefore limits the size of the filter. Instead, a broader search filter is created which retrieves all objects from the LDAP server. This results in slightly higher processing overhead and network activity, but with the bonus that the query can be served by the LDAP server much faster (a factor of 40 in 5000-object queries has been observed).

Setting this value to 0 will never limit the filter; setting it to a value of 1 will always limit the filter (since all queries will be retrieving one or more objects).

Default: 1000
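Both filter mechanisms above, ldap_object_search_filter with its '%s' substitution and the ldap_filter_cutoff_elements rule, as one added Python example (not Zarafa's code; the page does not show how Zarafa escapes the search string or composes its broad filter). render_search_filter() substitutes '%s' with the search string escaped per RFC 4515, so the template's own '*' wildcards survive while a '*', '(', ')' or '\' typed into the addressbook search cannot change the filter's structure. build_lookup_filter() builds the OR filter over the requested unique values and switches to the caller-supplied broad filter once the element count reaches the cutoff, with 0 meaning never and 1 meaning always, as stated. The sample templates, attribute names and values are constructed.

```python
"""Safe construction of the two filter kinds described on this page.

Added example, not Zarafa's code. Escaping follows RFC 4515: the
characters \\ * ( ) and NUL in an assertion value become \\XX hex escapes.
"""
from typing import Sequence

_ESCAPE = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping of a value that will be placed inside a search filter."""
    return "".join(_ESCAPE.get(ch, ch) for ch in value)


def render_search_filter(template: str, search: str) -> str:
    """Replace every '%s' in a ldap_object_search_filter template with the escaped search string.
    Wildcards written in the template are kept; wildcards typed by the user are neutralised."""
    return template.replace("%s", escape_filter_value(search))


def build_lookup_filter(attr: str, values: Sequence[str], cutoff: int, broad_filter: str) -> str:
    """Filter that fetches the objects whose unique attribute is in values.

    cutoff is ldap_filter_cutoff_elements: 0 never limits; otherwise, once the
    number of elements reaches cutoff, the broad filter is returned instead and
    the caller selects the wanted objects from the full result."""
    if not values:
        raise ValueError("a lookup always concerns one or more objects")
    if cutoff != 0 and len(values) >= cutoff:
        return broad_filter
    terms = ["(%s=%s)" % (attr, escape_filter_value(v)) for v in values]
    return terms[0] if len(terms) == 1 else "(|" + "".join(terms) + ")"


# Constructed inputs: the OpenLDAP template from the page, shortened, and a user-typed string.
OPENLDAP_TEMPLATE = "(|(mail=%s*)(uid=%s*)(cn=*%s*))"
INJECTED_SEARCH = "*)(uid=*"


def demo() -> dict:
    broad = "(objectClass=posixAccount)"
    return {
        "normal": render_search_filter(OPENLDAP_TEMPLATE, "bob"),
        "escaped": render_search_filter(OPENLDAP_TEMPLATE, INJECTED_SEARCH),
        "two_ids": build_lookup_filter("uidNumber", ["1001", "1002"], 1000, broad),
        "cutoff_hit": build_lookup_filter("uidNumber", ["1001"], 1, broad),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The escaped output shows why substitution without escaping would be a problem: a search string containing ')' and '*' would otherwise close the template's own assertion and open a new one, turning a name lookup into a match against every object.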

FILES
/etc/zarafa/server.cfg
The server configuration file.

/etc/zarafa/ldap.cfg
The Zarafa LDAP configuration file.

AUTHOR
Written by Zarafa.

SEE ALSO
zarafa-server(1) zarafa-server.cfg(5)

Zarafa 7.0 August 2011 ZARAFA-LDAP.CFG(5)