Managing users via Directory Synchronization
Attention
This is a feature that currently requires a user with "System Administrator" privileges. This will be made available for other privilege levels in a later release.
We provide a tool called ad-connect to integrate users from a local user directory into Kopano Cloud. Before ad-connect can be used, a new synchronization configuration needs to be created.
After a click on "Add synchronization" the Application ID and Secret Token are shown. Take note of the secret, as it is only shown once; the pair is used later as the client ID and client secret in the adc.cfg file of the ad-connect service.
On the same page the latest version of ad-connect can be downloaded. In the archive you will find a binary for your platform, an example configuration and a readme file with more details.
Modify the example adc.yaml to match your environment. It could for example look like this:

settings:
  # dry-run: true only reports what would change; set it to false once the
  # reported result looks right.
  dry-run: true
  no-update: false
  no-create: false
  no-delete: false
  delete-disables: true
  no-update-provider-mismatch: true
  create-as-disabled: false
backend:
  ldap:
    # A plain ldap:// bind sends the password unencrypted unless StartTLS is
    # negotiated; see the readme in the archive for the TLS options of your version.
    addr: ldap://your-ldap-server.local
    # Use a read-only bind account. This file holds the password in clear text,
    # so it must only be readable by the user running ad-connect.
    bind_dn: cn=readonly,dc=lg,dc=local
    bind_password: readonly
    base_dn: dc=lg,dc=local
    scope: sub
    sync:
      page_size: 20
      filter: (objectClass=inetOrgPerson)
    authentication:
      username_attribute: mail
      username_filter_template: (&(objectClass=inetOrgPerson)(mail=%s))
    timeout: 5
A note regarding the settings part in adc.yaml
The keys of the settings section can be set in two places: on the server side, when the synchronization configuration is added, and on the client side in adc.yaml. Where the two conflict, the server's value takes precedence. If the server only allows dry runs, for example, the client can never actually import users into the server, whatever its adc.yaml says.
ad-connect has two modes of operation. When called with the imp parameter it imports users from the configured LDAP source; when called with the run parameter it connects to Kopano Cloud, keeps running and waits for the sync command. Since run is a long-running process that should be restarted on error, it is recommended to run it via systemd, for example. To do this, extract the files, e.g. to /opt/exchange4all/ad-connect, and add an environment file called adc.cfg with the following structure. adc.cfg holds the client secret of the synchronization configuration, so restrict it to root (e.g. mode 0600); systemd reads an EnvironmentFile= with full privileges before switching to the service user, so the file does not need to be readable by that user. adc.yaml contains the LDAP bind password and must be readable by the service user, so it should be readable by that user only.
AD_CONNECT_ADDR=address-of-server:443
AD_CONNECT_AUTH=client-id:client-secret
AD_CONNECT_CONFIG=/opt/exchange4all/ad-connect/adc.yaml
And finally install a systemd unit with the following content. The unit runs ad-connect as the unprivileged nobody user; a dedicated system user is preferable, so that the service shares no identity, and therefore no file access, with other processes that also run as nobody.
[Unit]
Description=ad-connect
After=network.target
[Service]
User=nobody
Group=nobody
WorkingDirectory=/opt/exchange4all/ad-connect
ExecStart=/opt/exchange4all/ad-connect/bin/adc
EnvironmentFile=/opt/exchange4all/ad-connect/adc.cfg
ExecReload=/bin/kill -s HUP $MAINPID
ExecStop=/bin/kill -s TERM $MAINPID
Restart=always
[Install]
WantedBy=multi-user.target
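A misconfigured adc.cfg, or one that leaks its secret to every local user, is only noticed once the service fails or a secret is already exposed. The following POSIX sh script is an added example and not part of ad-connect: it validates adc.cfg and the adc.yaml it points to before the service starts. It assumes only the three variable names shown in adc.cfg above; the host:port format check, the rule that neither file may be world-readable, the informational notes about dry-run and plain ldap://, and the script name adc-preflight.sh are this example's own choices, not documented ad-connect behaviour.

```shell
#!/bin/sh
# adc-preflight.sh: check adc.cfg and the adc.yaml it names before ad-connect
# starts. Added example, not part of ad-connect; the variable names are those
# of adc.cfg, the permission and format rules are this script's own.

# Fetch KEY=VALUE from an env file without sourcing it (sourcing would execute
# whatever the file contains). Prints the value, empty if the key is absent.
# Everything after the first '=' is the value, so secrets containing '=' survive.
env_value() {
    grep "^$2=" "$1" 2>/dev/null | head -n 1 | cut -d= -f2-
}

# Succeed if the file is not readable by "other" (GNU and BSD stat).
not_world_readable() {
    nwr_perms=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null) || return 1
    [ $(( (nwr_perms % 10) & 4 )) -eq 0 ]
}

# Validate the adc.cfg given as $1. Prints one line per problem and returns the
# number of problems found (0 means the service may start).
check_adc_cfg() {
    cfg=$1
    n=0
    if [ ! -r "$cfg" ]; then
        echo "cannot read environment file '$cfg'"
        return 1
    fi
    not_world_readable "$cfg" || { echo "$cfg is world-readable but holds the client secret"; n=$((n+1)); }

    # AD_CONNECT_ADDR must be host:port (bracketed IPv6 literals are not handled).
    addr=$(env_value "$cfg" AD_CONNECT_ADDR)
    case $addr in
        *:*)
            port=${addr##*:}
            host=${addr%:*}
            case $port in
                ''|*[!0-9]*)
                    echo "AD_CONNECT_ADDR port is not numeric: '$addr'"; n=$((n+1)) ;;
                *)
                    if [ -z "$host" ] || [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
                        echo "AD_CONNECT_ADDR must be host:port with port 1-65535: '$addr'"; n=$((n+1))
                    fi ;;
            esac ;;
        *)
            echo "AD_CONNECT_ADDR must be host:port, got '$addr'"; n=$((n+1)) ;;
    esac

    # AD_CONNECT_AUTH must be a non-empty client id, a colon and a non-empty secret.
    auth=$(env_value "$cfg" AD_CONNECT_AUTH)
    case $auth in
        ?*:?*) ;;
        *) echo "AD_CONNECT_AUTH must be client-id:client-secret"; n=$((n+1)) ;;
    esac

    # AD_CONNECT_CONFIG must name a readable adc.yaml that is not world-readable.
    yaml=$(env_value "$cfg" AD_CONNECT_CONFIG)
    if [ -z "$yaml" ] || [ ! -r "$yaml" ]; then
        echo "AD_CONNECT_CONFIG does not name a readable file: '$yaml'"
        n=$((n+1))
    else
        not_world_readable "$yaml" || { echo "$yaml is world-readable but holds bind_password"; n=$((n+1)); }
        # Informational only, not counted as problems.
        grep -Eq '^[[:space:]]*dry-run:[[:space:]]*true' "$yaml" && echo "note: dry-run is enabled in $yaml, nothing will be written"
        grep -Eq '^[[:space:]]*addr:[[:space:]]*ldap://' "$yaml" && echo "note: $yaml binds over plain ldap://"
    fi
    return $n
}

# Run as a script (adc-preflight.sh /path/to/adc.cfg); when sourced for its
# functions nothing happens.
case ${0##*/} in
    adc-preflight.sh) check_adc_cfg "$1"; exit $? ;;
esac
```

To wire the check into the unit, add ExecStartPre=+/opt/exchange4all/ad-connect/adc-preflight.sh /opt/exchange4all/ad-connect/adc.cfg to the [Service] section. The leading + runs the check with full privileges, so it can read a root-owned adc.cfg even though the main process runs as the service user, and systemd refuses to start the main process when the check returns non-zero.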
Note
Other options for running the tool, such as a proper installer for Windows and Linux systems and an OCI container, will be available in a later release.