Comment: Published by Scroll Versions from space DA and version BM-3.5

Introduction

BlueMind allows you to import users or groups from an LDAP directory (e.g. OpenLDAP). LDAP imports are incremental (new entries are added, and changes to data are recorded). Set up and execution of LDAP imports are domain-specific.

Imported user passwords are then validated against the LDAP server.

New users can connect to BlueMind even if their information has not been imported yet. Their BlueMind account will be created in the process if authentication is successful.

BlueMind users and groups are populated from the LDAP directory:

  • during installation and set up, through the initial import
  • regularly and automatically through scheduled jobs
  • on the spot, when an unknown user logs in.
Info: LDAP synchronization is designed based on a directory schema of the InetOrgPerson type.

Installation

To access LDAP synchronization functionalities, you must install the plugin "ldap-import".

To do this, log into the server and use the following command to start installation:

Debian/Ubuntu:

    sudo aptitude update
    sudo aptitude install bm-plugin-admin-console-ldap-import bm-plugin-core-ldap-import

RedHat/CentOS:

    yum update
    yum install bm-plugin-admin-console-ldap-import bm-plugin-core-ldap-import

Once installation is complete, restart the "bm-core" component using the following command:

    bmctl restart

Set up

Only the global administrator is able to configure LDAP synchronization for a domain. Domain administrators are able to view settings and launch import jobs.

  • Log in as global administrator admin0@global.virt
  • Go to System Management > Modify Domains and select the domain you want to set up
  • Go to the "Directories" tab

| Field | Note |
|---|---|
| LDAP server name or IP address | LDAP server host name or IP address. Syntax: "hostname" connects to the LDAP server using an unencrypted connection on port 389; "ssl:hostname" connects to the LDAP server using an SSL connection on port 636; "tls:hostname" connects to the LDAP server using a TLS connection on port 389 |
| Root directory | Specify the LDAP root directory |
| User DN | DN of the root user used to connect to the LDAP server |
| Password | The user password used to connect to the LDAP server |
| LDAP filter for users | Only users validated by this filter will be imported into BlueMind |
| LDAP filter for groups | Only users validated by this filter will be imported into BlueMind |
| External ID | Attribute of an invariant and unique LDAP entry identifier used to bind an LDAP entry to a BlueMind entry. |
| Split domain group | This field can be left empty. It will be ignored if the split domain functionality is not configured for BlueMind. Emails sent to members of this group will be redirected to another mail server in the same domain (through split domain configuration). |
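
The server field syntax above determines whether the bind password, and the user passwords validated against LDAP at login, travel encrypted. The following check is an added example, not BlueMind code: the function name `check_server_field` and the sample values are assumptions, and it accepts only the three documented forms.

```python
"""Check a value of the "LDAP server name or IP address" field."""

# Encrypted forms from the documented syntax: prefix -> (transport, port).
ENCRYPTED = {"ssl": ("SSL", 636), "tls": ("TLS", 389)}

CLEARTEXT_FINDING = (
    "unencrypted connection on port 389: the bind password and the user "
    "passwords validated against LDAP are not protected in transit"
)


def check_server_field(value):
    """Return (host, transport, port, findings) for one field value.

    Raises ValueError for anything other than the three documented forms
    (hostname, ssl:hostname, tls:hostname).
    """
    value = value.strip()
    prefix, sep, host = value.partition(":")
    if not sep:
        prefix, host = None, value          # bare "hostname" form
    elif prefix not in ENCRYPTED:
        raise ValueError(f"undocumented prefix in {value!r}")
    if not host or ":" in host:
        raise ValueError(f"missing or malformed host in {value!r}")
    if prefix is None:
        return host, "unencrypted", 389, [CLEARTEXT_FINDING]
    transport, port = ENCRYPTED[prefix]
    return host, transport, port, []


if __name__ == "__main__":
    # Constructed sample values, one per documented form.
    for field in ("ldap.example.test", "ssl:ldap.example.test",
                  "tls:ldap.example.test"):
        host, transport, port, findings = check_server_field(field)
        status = "; ".join(findings) or "ok"
        print(f"{field:28} -> {host}:{port} ({transport}) {status}")
```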

LDAP-BlueMind mapping

User attributes

| BlueMind | LDAP Attribute | Note |
|---|---|---|
| login | uid | |
| firstname | givenName | |
| lastname | sn | |
| description | description | |
| mail | mail, mailLocalAddress, mailAlternateAddress, gosaMailAlternateAddress | BlueMind's default email address is defined from the first LDAP attribute of the following: "mail", "mailLocalAddress", "mailAlternateAddress", or "gosaMailAlternateAddress". The others will be used as alias email addresses. |
| user mail quota | mailQuotaSize, mailQuota | Must be expressed in bytes in LDAP. The first of these LDAP attributes to be found is used. |
| work phones | telephoneNumber | |
| home phones | homePhone | |
| mobile phones | mobile | |
| fax | facsimileTelephoneNumber | |
| pager | pager | |
| memberOf | memberOf | List of groups the user is a member of. BlueMind users can only be added to LDAP groups imported previously. |
| photoID | jpegPhoto | Profile picture: attribute content is imported as profile picture for related account |
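
To see in advance which default address, aliases, quota and group memberships an entry would yield under the table above, the mapping can be applied to an exported entry. This is an added example, not BlueMind's importer: `preview_user`, the entry layout (attribute name to list of strings) and the sample data are assumptions, and it takes the first value of the first mail attribute present as the default address.

```python
"""Preview how one LDAP entry maps to BlueMind user fields."""

MAIL_ATTRS = ("mail", "mailLocalAddress", "mailAlternateAddress",
              "gosaMailAlternateAddress")
QUOTA_ATTRS = ("mailQuotaSize", "mailQuota")
SINGLE = {"login": "uid", "firstname": "givenName", "lastname": "sn",
          "description": "description"}


def preview_user(entry, imported_groups):
    """entry: dict of LDAP attribute name -> list of string values."""
    user = {bm: (entry.get(attr) or [None])[0] for bm, attr in SINGLE.items()}

    # Addresses in the documented attribute order: the first one found is
    # the default, the rest become aliases (duplicates dropped).
    addresses = []
    for attr in MAIL_ATTRS:
        for value in entry.get(attr, []):
            if value and value not in addresses:
                addresses.append(value)
    user["default_email"] = addresses[0] if addresses else None
    user["aliases"] = addresses[1:]

    # Quota: the first documented attribute present wins; value is in bytes.
    user["quota_bytes"] = None
    for attr in QUOTA_ATTRS:
        if entry.get(attr):
            user["quota_bytes"] = int(entry[attr][0])  # ValueError if not numeric
            break

    # Membership only applies to groups that were imported previously.
    groups = entry.get("memberOf", [])
    user["groups"] = [g for g in groups if g in imported_groups]
    user["skipped_groups"] = [g for g in groups if g not in imported_groups]
    return user


# Constructed sample entry (not from a real directory).
SAMPLE = {
    "uid": ["jdoe"], "givenName": ["John"], "sn": ["Doe"],
    "mailLocalAddress": ["jdoe@example.test"],
    "mailAlternateAddress": ["john.doe@example.test", "jdoe@example.test"],
    "mailQuota": ["1073741824"],
    "memberOf": ["cn=staff,ou=groups,dc=example,dc=test",
                 "cn=vpn,ou=groups,dc=example,dc=test"],
}

if __name__ == "__main__":
    print(preview_user(SAMPLE, {"cn=staff,ou=groups,dc=example,dc=test"}))
```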

Group attributes

| BlueMind | LDAP Attribute | Note |
|---|---|---|
| name | cn | |
| description | description | |
| mail | mail | |
| member | memberUid | Only users and groups already imported into BlueMind will be added to the group |

Role assignment

From BlueMind 3.5, access to applications goes through the roles that are assigned to users. As LDAP imports do not handle roles, no roles are assigned to users when they are imported and users are unable to access applications (webmail, contacts, calendar).

The easiest and most effective way of handling this is through groups:

  • in LDAP, assign one (or several, if desired) common group to users
  • launch an initial import: the group(s) are imported into BlueMind along with the users
  • go to the admin section and assign the desired roles to the group(s)
Info: Roles are maintained during subsequent imports and updates.

In the future, simply ascribe new users to those groups in order to assign them the desired roles.

Tip: Editing Roles

As new versions are released, BlueMind regularly introduces new roles along with its improvements, including for features users already had.

E.g. BlueMind 3.5.9 allows administrators to enable or disable the ability for BlueMind users to connect Thunderbird through a new role. In earlier versions, all users had this ability.

To make sure that the new right is enabled for existing users after the update, you must set the group(s) to which LDAP users have been assigned as default groups.

To do this, go to the group's admin page, check the "Default group" box and save.