LDAP is one of the key components of the Carbonio CE mail server. It is a structured directory of settings for the accounts, domains, classes of service and servers that make up the Carbonio CE infrastructure. Carbonio can also use external LDAP servers, including Active Directory. In this article we look at what exactly is stored in Carbonio LDAP, how it is stored, and how an administrator can work with it.
LDAP Features and Structure
One of the main functions of Carbonio LDAP is user authentication through the internal authentication mechanism: the users' password hashes are stored in LDAP, and the password presented at login is checked against them. When an external LDAP server such as Active Directory is used for authentication, no hash is forwarded. Instead, Carbonio performs an LDAP bind against the external server with the credentials the user supplied and either logs the user in or refuses the login depending on whether that bind succeeds. Because the password itself travels to the external directory, that connection should use ldaps:// or StartTLS (zimbraAuthLdapStartTlsEnabled) rather than plain ldap://.
Authentication takes into account the status of the user. For example, if the administrator has locked or suspended the account, the login will fail even if the password was entered correctly. Account status data is also stored in LDAP.
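To make the internal check concrete, here is an added Python example (it is not code from Carbonio or from this article's author) that verifies a password against an RFC 2307-style {SSHA} or {SSHA512} userPassword value and refuses the login whenever zimbraAccountStatus is anything other than active. The directory entries, DNs and salts are constructed for the example; which hash scheme a given Carbonio installation actually writes to userPassword is not stated on this page and is an assumption here.

```python
import base64
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Salted-hash schemes of the form base64(digest(password || salt) || salt).
# Which of these a real Carbonio install writes to userPassword is an assumption.
SCHEMES = {
    "{SSHA}": ("sha1", 20),
    "{SSHA512}": ("sha512", 64),
}

# zimbraAccountStatus values other than "active" (locked, closed, maintenance,
# pending, lockout) must block login even when the password is correct.
LOGIN_ALLOWED_STATUS = {"active"}


def make_hash(password: str, scheme: str = "{SSHA}", salt: Optional[bytes] = None) -> str:
    """Build a userPassword value the way an LDAP server would store it."""
    algo, _ = SCHEMES[scheme]
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.new(algo, password.encode("utf-8") + salt).digest()
    return scheme + base64.b64encode(digest + salt).decode("ascii")


def verify_hash(password: str, stored: str) -> bool:
    """Constant-time comparison of the password against a stored salted hash."""
    scheme = next((s for s in SCHEMES if stored.startswith(s)), None)
    if scheme is None:
        return False  # unknown or unsalted scheme: refuse rather than guess
    algo, digest_len = SCHEMES[scheme]
    try:
        raw = base64.b64decode(stored[len(scheme):], validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    if len(raw) <= digest_len:
        return False  # no salt bytes present: malformed value
    digest, salt = raw[:digest_len], raw[digest_len:]
    candidate = hashlib.new(algo, password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def authenticate(entry: Dict[str, str], password: str) -> Tuple[bool, str]:
    """Internal-auth decision: the status gate comes first, then the hash check."""
    status = entry.get("zimbraAccountStatus", "active")
    if status not in LOGIN_ALLOWED_STATUS:
        return False, f"account status is {status}"
    if not verify_hash(password, entry.get("userPassword", "")):
        return False, "password mismatch"
    return True, "ok"


# Constructed directory entries keyed by DN (sample data for this example only).
DIRECTORY = {
    "uid=zextras,ou=people,dc=carbonio,dc=loc": {
        "zimbraAccountStatus": "active",
        "userPassword": make_hash("correct horse battery", "{SSHA}"),
    },
    "uid=alice,ou=people,dc=carbonio,dc=loc": {
        "zimbraAccountStatus": "locked",
        "userPassword": make_hash("alice-password", "{SSHA512}"),
    },
}

if __name__ == "__main__":
    for dn, entry in DIRECTORY.items():
        print(dn, authenticate(entry, "correct horse battery"))
```

The order of the checks matters: the status is evaluated before the hash, so a locked account gets the same refusal whether or not the password is right, which is what the text above describes.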
Data in LDAP is organized as a tree of entries (the directory information tree). Because every entry has a unique distinguished name, any stored object can be located with a search query and its attributes read. You can view the structure of Carbonio LDAP in any LDAP browser.
You can also read data from Carbonio LDAP with the ldapsearch utility from the OpenLDAP client tools. To do so, you specify the user (bind DN) whose identity the query runs under, its password, and the search base from which to start.
For example:
ldapsearch -x -H ldap://email.carbonio.loc -D uid=zextras,ou=people,dc=carbonio,dc=loc -W -b dc=carbonio,dc=loc
In this command the bind user is zextras, located in the people organizational unit of the carbonio.loc domain, and the search starts at the root of that domain. The result is the set of entries that the LDAP access controls allow this user to read. Note that -W prompts for the password instead of taking it on the command line with -w: a password given as an argument ends up in the shell history and is visible to other local users via the process list, and an unquoted value containing $ characters is mangled by the shell before ldapsearch ever sees it.
LDAP Editing
Data in Carbonio LDAP is stored at several levels. Among them:
- Global Configuration
- User
- Server
- Domain
- Class of Service
The Global Configuration stores the default settings for Carbonio domains and servers. If the administrator does not explicitly specify any settings for them when creating a new domain or adding a server, they will be automatically filled with settings from the global configuration.
The command line currently provides more options for the administrator. To get the current setting value, use the command
carbonio prov getConfig
and to change it use
carbonio prov modifyConfig
To get a list of all global settings use
carbonio prov getAllConfig
In the domain settings you can configure many things related to the authentication mechanism, the composition of the global address list, and so on. For example, different mail domains in the same mail system may use different directories for authentication, so that some users are authenticated against Carbonio LDAP and others against Active Directory.
Carbonio’s graphical admin panel allows you to configure the SMTP relay domain, public domain name, global address book, web client graphics, quotas, authentication options, and more.
To set up a domain on the command line, use the below command to get the current domain settings
carbonio prov getDomain carbonio.loc
and to change them use
carbonio prov modifyDomain carbonio.loc
To get a list of all domains, use
carbonio prov getAllDomains
To set up users in the Administrator Console, you must first select a domain, and then the required account in the corresponding list. In addition to accounts, a domain can also have mailing lists, resource accounts, and aliases. They, like users, can be created, deleted, and edited in the admin panel after selecting the appropriate domain.
To set up a user on the command line, use the below command to get the current account settings
carbonio prov getAccount zextras@carbonio.loc
and to change them use
carbonio prov modifyAccount zextras@carbonio.loc
To get a list of all accounts on the server, use
carbonio prov -l getAllAccounts
The getAccount and modifyAccount subcommands read from and write to the corresponding account entry in Carbonio LDAP.
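As an added example (not Carbonio's own code), the following Python script parses the attribute: value output that the getDomain and getAccount commands print and flags what a security review of a domain and of an account would look for: external authentication that binds over plain ldap:// without StartTLS, a GAL search base of ROOT, a non-active account status, and the administrator flag. The two output samples are constructed for the example; in practice you would run the real commands and pass their output to parse_prov_output.

```python
from collections import defaultdict
from typing import Dict, List

# Constructed sample of `carbonio prov getDomain carbonio.loc` output
# (one "attribute: value" per line, multi-valued attributes repeated).
# Host names and values are invented for this example.
SAMPLE_DOMAIN = """\
# name carbonio.loc
zimbraDomainName: carbonio.loc
zimbraAuthMech: ad
zimbraAuthLdapURL: ldap://dc1.corp.example:389
zimbraAuthLdapURL: ldaps://dc2.corp.example:636
zimbraAuthLdapStartTlsEnabled: FALSE
zimbraGalInternalSearchBase: ROOT
"""

# Constructed sample of `carbonio prov getAccount zextras@carbonio.loc` output.
SAMPLE_ACCOUNT = """\
# name zextras@carbonio.loc
uid: zextras
zimbraMailDeliveryAddress: zextras@carbonio.loc
zimbraAccountStatus: locked
zimbraIsAdminAccount: TRUE
"""

Attrs = Dict[str, List[str]]


def parse_prov_output(text: str) -> Attrs:
    """Turn `carbonio prov get*` output into {attribute: [values]}."""
    attrs: Attrs = defaultdict(list)
    for line in text.splitlines():
        if line.startswith("# name "):
            attrs["name"].append(line[len("# name "):].strip())
            continue
        key, sep, value = line.partition(": ")
        if sep and key and not key.startswith("#"):
            attrs[key].append(value.strip())
    return dict(attrs)


def first(attrs: Attrs, key: str, default: str) -> str:
    """First value of a (possibly multi-valued) attribute, or the default."""
    return attrs.get(key, [default])[0]


def audit_domain(attrs: Attrs) -> List[str]:
    """Findings about a domain's authentication and address-book settings."""
    findings: List[str] = []
    mech = first(attrs, "zimbraAuthMech", "zimbra")
    if mech in ("ldap", "ad"):
        starttls = first(attrs, "zimbraAuthLdapStartTlsEnabled", "FALSE").upper() == "TRUE"
        for url in attrs.get("zimbraAuthLdapURL", []):
            if url.lower().startswith("ldap://") and not starttls:
                findings.append(
                    f"zimbraAuthMech={mech}: user passwords are sent to {url} "
                    "in the clear (not ldaps:// and StartTLS disabled)")
    if first(attrs, "zimbraGalInternalSearchBase", "DOMAIN") == "ROOT":
        findings.append(
            "zimbraGalInternalSearchBase=ROOT: the GAL lists accounts of "
            "every domain on this system, not only this domain")
    return findings


def audit_account(attrs: Attrs) -> List[str]:
    """Findings about an account's status and privilege."""
    findings: List[str] = []
    status = first(attrs, "zimbraAccountStatus", "active")
    if status != "active":
        findings.append(f"zimbraAccountStatus={status}: login is refused regardless of password")
    if first(attrs, "zimbraIsAdminAccount", "FALSE").upper() == "TRUE":
        findings.append("zimbraIsAdminAccount=TRUE: global administrator account")
    return findings


if __name__ == "__main__":
    for text, audit in ((SAMPLE_DOMAIN, audit_domain), (SAMPLE_ACCOUNT, audit_account)):
        attrs = parse_prov_output(text)
        print(attrs["name"][0])
        for finding in audit(attrs):
            print("  -", finding)
```

Multi-valued attributes such as zimbraAuthLdapURL are kept as lists so that a mixed configuration (one plaintext and one TLS URL, as in the sample) is reported per URL rather than collapsed into a single value.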
While the global settings hold the defaults for domains created in Carbonio, Classes of Service hold the defaults for the users that are created. Unlike the global configuration, of which there is only one, several Classes of Service with different settings can exist within one mail system. By assigning a Class of Service when creating a user, the administrator determines with a single choice which functions of the mail system the new user gets.
You can create and delete Classes of Service on a special tab in the Admin Panel. To edit their capabilities, select the desired class of service and go to the relevant sections.
The command line for editing Classes of Service uses the below command to get the current COS settings
carbonio prov getCos default
and to change them use
carbonio prov modifyCos default
You can manage server settings from the command line using the command below to get the current server settings
carbonio prov getServer email.carbonio.loc
and to change them use
carbonio prov modifyServer email.carbonio.loc
When a carbonio prov command is used, parameters in Carbonio LDAP are read and written through the Carbonio server's administration API. With the -l option the administrator can instead read from and write to LDAP directly. For writes this is not recommended: a direct LDAP write bypasses the validation the server performs on attribute values, so a single typo can leave an attribute with an invalid value and cause unpredictable errors in the mail system. Reading with -l, as in the getAllAccounts example above, is harmless and faster.
LDAP also drives the Global Address List (GAL) and autocomplete suggestions; both are built from search queries against Carbonio LDAP. By default the GAL contains only the users of the same domain. To make all users of the mail system appear in it, set the domain's zimbraGalInternalSearchBase attribute to ROOT:
carbonio prov modifyDomain carbonio.loc zimbraGalInternalSearchBase ROOT
Bear in mind that on a system hosting several unrelated domains this exposes the addresses of every domain to the users of that domain.