[Kolab-devel] Active Directory synchronization in Kolab 2

Henning Holtschneider henning at loca.net
Mon Sep 19 14:25:13 CEST 2005


On Monday 19 September 2005 09:55, Bernhard Reiter wrote:

> so far I do not know anybody who uses this.
> The inactive code should be close to the real thing though
> as kolabd only needs to get a trigger and then reads
> the contents itself via ldap, if I remember correctly.

That's the way it worked with Kolab 1. But I'm not sure how much of kolabd has 
changed from Kolab 1 (ZFOS) to Kolab 2. I only had a quick look the other day 
and didn't understand why the AD synchronization didn't work right away after 
I set up kolab.conf. I think I will have to examine this a bit closer.

> > If true, are there any plans to do so
> > in the foreseeable future?
>
> Not that I am aware of.
> It would be a small project to develop this,
> so if a customer of the Kolab-Konsortium wants this,
> we might have it pretty fast.

Ok. I've got two customers who are interested in Active Directory integration 
but their installations are too small to have them fund the entire 
development. We have already written a COM plugin for the Active Directory 
MMC so that it's possible to configure the Kolab-specific LDAP attributes 
from there. There were two outstanding issues with Kolab 1 that led us to 
halt the project at that point:

1. changing the username and/or email address in the AD resulted in the 
mailbox on the Kolab server to be deleted and re-created. This could be 
prevented when using the AD UUID as the UID on the Kolab server. It didn't 
work well with Kolab 1 (ZFOS) because the custom UIDs had been removed, but 
with Kolab 2 it shouldn't be a problem anymore.

2. As far as I know, the plaintext password is needed to log into the 
POP3/IMAP server (the connection is being encrypted, but the password is 
still sent "as is"). But the AD user password is only available encrypted on 
a Windows machine. So, for true AD integration on the client side, we either 
need some kind of Kerberos authentication on the IMAP server or the 
integration stops at the Toltec Connector password dialog. This doesn't sound 
too grave at first, but most companies have password policies in place that 
force the users to change their passwords every couple of weeks. With the 
current way of authentication, the users would have to change their Toltec 
password manually each time they change their AD password. That's 
impractical.

Anyway, I will keep an eye on this as time permits. But if anyone out there 
can provide funding to take this half-finished project to the checkered flag, 
please contact me!

Regards,
Henning Holtschneider
--
LocaNet oHG - http://www.loca.net
Lindemannstrasse 81, D-44137 Dortmund
tel +49 231 91596-25, fax +49 231 91596-55
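Added illustration of point 1 in the mail above (not code from the thread, from kolabd or from the COM plugin): when the sync state is keyed on the username, a rename in AD shows up as a delete plus a create, whereas keying on the stable objectGUID turns it into a modify, so the mailbox survives. The AD entries are constructed sample data; the "ad-<guid>" uid scheme is an assumption, not Kolab's.

```python
import uuid

# Constructed sample snapshots of AD user entries (not real directory data).
# objectGUID, sAMAccountName and mail are standard AD attribute names.
PREVIOUS = [
    {"objectGUID": "3f2504e0-4f89-11d3-9a0c-0305e82c3301",
     "sAMAccountName": "jdoe", "mail": "jdoe@example.com"},
    {"objectGUID": "6ba7b810-9dad-11d1-80b4-00c04fd430c8",
     "sAMAccountName": "asmith", "mail": "asmith@example.com"},
]
CURRENT = [
    # jdoe was renamed in AD and received a new address; same objectGUID
    {"objectGUID": "3f2504e0-4f89-11d3-9a0c-0305e82c3301",
     "sAMAccountName": "jmiller", "mail": "jmiller@example.com"},
    # asmith was removed from AD; a new user bjones was created
    {"objectGUID": "9c858901-8a57-4791-81fe-4c455b099bc9",
     "sAMAccountName": "bjones", "mail": "bjones@example.com"},
]


def kolab_uid(entry):
    """Derive a stable Kolab-side uid from the AD objectGUID (assumed scheme)."""
    return "ad-" + str(uuid.UUID(entry["objectGUID"]))


def plan_sync(previous, current, key):
    """Classify entries as add/modify/delete by comparing the two snapshots on `key`.

    With key="sAMAccountName" a rename looks like delete+add (mailbox lost);
    with key="objectGUID" the same change is a modify (mailbox kept).
    """
    old = {e[key]: e for e in previous}
    new = {e[key]: e for e in current}
    return {
        "add": sorted(k for k in new if k not in old),
        "delete": sorted(k for k in old if k not in new),
        "modify": sorted(k for k in new if k in old and new[k] != old[k]),
    }


if __name__ == "__main__":
    print("keyed on username:  ", plan_sync(PREVIOUS, CURRENT, "sAMAccountName"))
    print("keyed on objectGUID:", plan_sync(PREVIOUS, CURRENT, "objectGUID"))
```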