Skip to content

Managing users via Directory Synchronization

Attention

This is a feature that currently requires a user with "System Administrator" privileges. This will be made available for other privilege levels in a later release.

We provide a tool called ad-connect to seamlessly integrate users from a local user directory into Kopano Cloud. To use ad-connect at first a new configuration needs to be created.

Add new synchronization configuration
Add new synchronization configuration

After a click on "Add synchonization" the Application ID and Secret Token are shown. Please take note of the secret, as it will only be shown once.

Synchronization configuration overview
Synchronization configuration overview

On the same page the latest version of ad-connect can be downloaded. In the archive you will find a binary for your platform, an example configuration and a readme file with more details.

Synchronization configuration settings
Synchronization configuration settings

Modify the example adc.yaml to match your environment. It could for example look like this:

settings:
  dry-run: true
  no-update: false
  no-create: false
  no-delete: false
  delete-disables: true
  no-update-provider-mismatch: true
  create-as-disabled: false

backend:
  ldap:
    addr: ldap://your-ldap-server.local
    bind_dn: cn=readonly,dc=lg,dc=local
    bind_password: readonly
    base_dn: dc=lg,dc=local
    scope: sub

    sync:
      page_size: 20
      filter: (objectClass=inetOrgPerson)

    authentication:
      username_attribute: mail
      username_filter_template: (&(objectClass=inetOrgPerson)(mail=%s))
      timeout: 5

A note regarding the settings part in adc.yaml

As can be seen from the synchronization configuration settings, it is possible to define these settings both on the server side when adding the synchronization configuration and on the client side. In the case of conflicting configuration values, the server will override the client's settings, e.g. if the server only allows dry runs, the client will never be able to actually import users into the server.

ad-connect has two modes of operation. When called with the imp parameter it imports users from the configured ldap source and when called with the run parameter it connects to Kopano Cloud, keeps running and waits for the sync command. Since the run command is long and should be restarted on error, it is recommended to run ot via systemd for example. To do this, extract the files e.g. to /opt/exchange4all/ad-connect and add a service configuration file called adc.cfg with the following structure:

AD_CONNECT_ADDR=address-of-server:443
AD_CONNECT_AUTH=client-id:client-secret
AD_CONNECT_CONFIG=/opt/exchange4all/ad-connect/adc.yaml

And finally install a systemd unit with the following content:

[Unit]
Description=ad-connect
After=network.target

[Service]
Type=simple
User=nobody
Group=nogroup
WorkingDirectory=/opt/exchange4all/ad-connect
ExecStart=/opt/exchange4all/ad-connect/bin/adc run
EnvironmentFile=/opt/exchange4all/ad-connect/adc.cfg
ExecReload=/bin/kill -s HUP $MAINPID
ExecStop=/bin/kill -s TERM $MAINPID
Restart=always
RestartSec=10
TimeoutStopSec=30
KillMode=process

[Install]
WantedBy=multi-user.target

Note

Other options for running the tool, such as a proper installer for Windows and Linux systems and an OCI container, will be available in a later release.