Central contact database

xentity · March 5, 2023, 1:08pm

Hey there.

I have UCS up and running. Beside this, I have also OpenXchange, Zammad, Dolibarr (on seperate vms) and deskphones. In an ideal world, I put external contacts (e.g. partners, vendors) into UCS. Once a day we push these contacts to the other servers or allow the direct requests via LDAP to have names, e-mail addresses and phone numbers in place.

I put a test contact to UCS as contact, but the phone was not able to find that contact. If I search for this name in LDAP, I cannot find it as well.

Question: is this the right approach? If yes, is it right to create a contact rather than a user? User feels odd to me (especially to create a username).

pixel · March 6, 2023, 10:14am

I personally use the UCS (director node) / ADS exclusively for users. Not for contacts.

Is Open-Xchange installed on a UCS VM? Then contacts / addresses IMHO belong there.

You can then connect mobile devices to OX.

with best
sven

xentity · March 7, 2023, 8:57pm

Thx for your reply.

I have no clue, how the desk phones can access the data, if I put all the contacts to Open Xchange.

Or let me rephrase my question: if I create contacts in UCS (UMC > Users > Contacts), where can I find these contacts in the LDAP tree?

xentity · March 7, 2023, 9:54pm

If I put a contact into UMC

I cannot find it in LDAP:

# extended LDIF
#
# LDAPv3
# base <dc=xentity,dc=lan> with scope subtree
# filter: (objectClass=contact)
# requesting: ALL
#

# search reference
ref: ldaps://xentity.lan/CN=Configuration,DC=xentity,DC=lan

# search reference
ref: ldaps://xentity.lan/DC=DomainDnsZones,DC=xentity,DC=lan

# search reference
ref: ldaps://xentity.lan/DC=ForestDnsZones,DC=xentity,DC=lan

# search result
search: 2
result: 0 Success <-------------------

# numResponses: 4
# numReferences: 3

pixel · March 8, 2023, 1:38pm

ok, I read over “deskphones”. My mistake. Yes, these cannot access OX addresses. At least I don’t know of any way.

I use a PBX which provides the address books for the secphones.

Unfortunately I don’t know how this works with the UCS-LDAP.

jlk · March 13, 2023, 4:44pm

Hey xentity,

your LDAP search filter is wrong. There are several ways to find the user: I would suggest to first use udm so that the object can be located and with the DN a ldap search should work.

root@pdn ~# udm users/contact list

DN: cn=Test User 1,cn=users,dc=jlk-test,dc=intranet
  birthday: None
  city: None
  cn: Test User 1
  country: None
  description: A test contact
  displayName: Test User
  employeeNumber: None
  employeeType: None
  firstname: Test
  initials: None
  jpegPhoto: None
  lastname: User
  organisation: None
  physicalDeliveryOfficeName: None
  postcode: None
  preferredDeliveryMethod: None
  preferredLanguage: None
  street: None
  title: None

root@pdn ~# univention-ldapsearch -LLL "cn=Test User 1"
dn: cn=Test User 1,cn=users,dc=jlk-test,dc=intranet
cn: Test User 1
sn: User
givenName: Test
description: A test contact
displayName: Test User
objectClass: person
objectClass: top
objectClass: inetOrgPerson
objectClass: univentionObject
objectClass: organizationalPerson
univentionObjectType: users/contact

So as you can see the objectClass contact is not set.

Regarding the topic itself: I would suggest to save contacts to UCS and use LDAP connections for your applications if available. Open-Xchange is able to provide a addressbook from LDAP: https://documentation.open-xchange.com/7.10.6/middleware/contacts/contacts_provider_ldap.html

You only have to think for a structure in UCS that allows you to filter your contacts - Maybe a dedicated LDAP container for contact objects beneath /users or a common denominator like univentionObjectType=users/contact.

Regards
Jan-Luca

xentity · March 13, 2023, 8:53pm

Hey @jlk,

many thanks for your hints. I used udm users/contact list to see the lists of test contacts and used univention-ldapsearch -LLL "cn=Test User 1" to look for the one test user. Indeed, the objectClass contact is not set:

root@ucs01:~# univention-ldapsearch -LLL "cn=Test User 1"
dn: cn=Test User 1,ou=xentity,dc=xentity,dc=lan
homePhone: None
mobile: None
objectClass: univentionObject
objectClass: person
objectClass: top
objectClass: organizationalPerson
objectClass: inetOrgPerson
univentionObjectType: users/contact
sn: User
givenName: Test
description: Test User
displayName: Test User
o: private
employeeNumber: 1
employeeType: worker
mail: testuser@domain1.com
cn: Test User 1

However, if I use the following ldap searches, I do not yield the expected (contact) result:

ldapsearch -vvvvvv -H ldaps://ucs01.xentity.lan -b "ou=xentity,dc=xentity,dc=lan" -D "cn=ldap-read,ou=Benutzer,ou=xentity,dc=xentity,dc=lan" "(&(objectClass=person)(sn=User))" -w "--------"

ldapsearch -vvvvvv -H ldaps://ucs01.xentity.lan -b "ou=xentity,dc=xentity,dc=lan" -D "cn=ldap-read,ou=Benutzer,ou=xentity,dc=xentity,dc=lan" "(&(objectClass=person)(o=private))" -w "---------"

ldapsearch -vvvvvv -H ldaps://ucs01.xentity.lan -b "ou=xentity,dc=xentity,dc=lan" -D "cn=ldap-read,ou=Benutzer,ou=xentity,dc=xentity,dc=lan" "(sn=Us*)" -w "---------"

ldapsearch -vvvvvv -H ldaps://ucs01.xentity.lan -b "ou=xentity,dc=xentity,dc=lan" -D "cn=ldap-read,ou=Benutzer,ou=xentity,dc=xentity,dc=lan" "(cn=Test*)" -w "---------"

If I use univention-ldapsearch -LLL with the exact same filters again, the results are as expected. Looks like a bug? If I search for normal users (e.g. my user name), I have no problems with ldapssearch from remote. It is just strange with contacts.

Cheers, Dennis

xentity · March 17, 2023, 10:24pm

I guess, I found the solution. UCS has two LDAP interfaces: 389/636 for the samba service and an LDAP service on 7389/7636. If you create a contact, it is not stored in the Samba LDAP (nor in the global catalog on 3268/3269), but in the “normal” LDAP on 7389/7636.

I’m not sure what is synced in which directory, maybe someone can enlighten that.

Long story short:
ldapsearch -vvvvvv -H ldaps://<server>:7636 -b "<treebase>" -D "<bind user>" "(&(objectClass=person)(sn=User))" -w "<secret>" works,
ldapsearch -vvvvvv -H ldaps://<server>:636 -b "<treebase>" -D "<bind user>" "(&(objectClass=person)(sn=User))" -w "<secret>" works not. In sense of: it does not show ldap contacts.

May it also helps others.

jlk · March 20, 2023, 1:42pm

Hey xenity,

glad that you figured that out - The Samba integration is documented here: 9.1. Operation of a Samba domain based on Active Directory — Univention Corporate Server - Manual for users and administrators
Having a quick glance I was unable to tell what is synchronized exactly, I guess that contact objects are ignore by default.
More about the S4-Connector can be found here too: https://help.univention.com/tag/s4-connector

And one final note: To search the Samba LDAP we also have a wrapper like univention-ldapsearch: univention-s4search