Link mailAlternativeAddress with proxyAddresses

I have users in my UCS Samba4 Directory that have mailAlternativeAddress email addresses (along with a primary address).
I have another server that needs to validate user email addresses over “Active Directory”.
I can validate the primary email but not the mailAlternativeAddress.
I can’t find an Active Directory property that maps to the mailAlternativeAddress value.
I’ve found some discussion about using the “proxyAddresses” property
and believe that would work fine for me (I don’t use MS Exchange).
But I can’t find any way to get the proxyAddresses to match/update from the mailAlternativeAddress.

Is there a way to access the “mailAlternativeAddress” value through the Samba4 directory?
Thanks

You can set UCR-Values for the AD-Connector:

ucr set connector/ad/mapping/group/alternativemail=true
ucr set connector/ad/mapping/user/alternativemail=true
ucr set connector/ad/mapping/group/primarymail=true
ucr set connector/ad/mapping/user/primarymail=true

Does it help?

I found a discussion of that and tried it, but could not see that it made any difference.
I thought maybe that only applied when you are connecting to a Windows Active Directory,
and not when you are using the UCS Samba4 as the directory server?

I do not have a testing environment at hand - can you check if you also have the connector mapping variables for the S4 connector? The easiest way would be:

# ucr search --brief mapping

That should show you all the mapping variables. If I understood right, you would need to tell the S4 connector that it should map the proxy/alternative addresses correctly (since you have a system that accesses the Samba4 of the UCS).

Hope that did help a bit, and kind regards.

root@email:~# ucr search --brief mapping
connector/ad/mapping/group/language: de
connector/s4/mapping/computer/syncmode:
connector/s4/mapping/computer_dc/syncmode:
connector/s4/mapping/container/ignorelist: mail,kerberos,MicrosoftDNS
connector/s4/mapping/container/syncmode:
connector/s4/mapping/dc/ignorelist:
connector/s4/mapping/dc/syncmode:
connector/s4/mapping/dns/forward_zone/.*/static/ipv4:
connector/s4/mapping/dns/forward_zone/.*/static/ipv6:
connector/s4/mapping/dns/host_record/.*/static/ipv4:
connector/s4/mapping/dns/host_record/.*/static/ipv6:
connector/s4/mapping/dns/ignorelist: _ldap._tcp.Default-First-Site-Name._site
connector/s4/mapping/dns/position:
connector/s4/mapping/dns/srv_record/.*/location:
connector/s4/mapping/dns/syncmode:
connector/s4/mapping/gpo/ignorelist:
connector/s4/mapping/gpo/ntsd:
connector/s4/mapping/gpo/syncmode:
connector/s4/mapping/gpo: true
connector/s4/mapping/group/grouptype: true
connector/s4/mapping/group/ignorelist: Windows Hosts,Authenticated Users,World Authority,Everyone,Null Authority,Nobody,Enterprise Domain Controllers,Remote Interactive Logon,SChannel Authentication,Digest Authentication,Terminal Server User,NTLM Authentication,Other Organization,This Organization,Anonymous Logon,Network Service,Creator Group,Creator Owner,Local Service,Owner Rights,Interactive,Restricted,Network,Service,Dialup,System,Batch,Proxy,IUSR,Self
connector/s4/mapping/group/language: en
connector/s4/mapping/group/syncmode:
connector/s4/mapping/group/table/.*:
connector/s4/mapping/group/table/Printer-Admins: Print Operators
connector/s4/mapping/msprintconnectionpolicy/ignorelist:
connector/s4/mapping/msprintconnectionpolicy/syncmode:
connector/s4/mapping/msprintconnectionpolicy:
connector/s4/mapping/ou/ignorelist:
connector/s4/mapping/ou/syncmode:
connector/s4/mapping/sid/sid_to_ucs:
connector/s4/mapping/sid: true
connector/s4/mapping/sid_to_s4:
connector/s4/mapping/syncmode: sync
connector/s4/mapping/user/ignorelist: root,ucs-s4sync
connector/s4/mapping/user/syncmode:
connector/s4/mapping/windowscomputer/ignorelist:
connector/s4/mapping/wmifilter/ignorelist:
connector/s4/mapping/wmifilter/syncmode:
connector/s4/mapping/wmifilter:
listener/module/wellknownsidnamemapping:

And then if I run:
ucr set connector/ad/mapping/group/alternativemail=true
ucr set connector/ad/mapping/user/alternativemail=true
ucr set connector/ad/mapping/group/primarymail=true
ucr set connector/ad/mapping/user/primarymail=true

I get this:
root@email:~# ucr search --brief mapping
connector/ad/mapping/group/alternativemail: true
connector/ad/mapping/group/language: de
connector/ad/mapping/group/primarymail: true
connector/ad/mapping/user/alternativemail: true
connector/ad/mapping/user/primarymail: true
connector/s4/mapping/computer/syncmode:
connector/s4/mapping/computer_dc/syncmode:
connector/s4/mapping/container/ignorelist: mail,kerberos,MicrosoftDNS
connector/s4/mapping/container/syncmode:
connector/s4/mapping/dc/ignorelist:
connector/s4/mapping/dc/syncmode:
connector/s4/mapping/dns/forward_zone/.*/static/ipv4:
connector/s4/mapping/dns/forward_zone/.*/static/ipv6:
connector/s4/mapping/dns/host_record/.*/static/ipv4:
connector/s4/mapping/dns/host_record/.*/static/ipv6:
connector/s4/mapping/dns/ignorelist: _ldap._tcp.Default-First-Site-Name._site
connector/s4/mapping/dns/position:
connector/s4/mapping/dns/srv_record/.*/location:
connector/s4/mapping/dns/syncmode:
connector/s4/mapping/gpo/ignorelist:
connector/s4/mapping/gpo/ntsd:
connector/s4/mapping/gpo/syncmode:
connector/s4/mapping/gpo: true
connector/s4/mapping/group/grouptype: true
connector/s4/mapping/group/ignorelist: Windows Hosts,Authenticated Users,World Authority,Everyone,Null Authority,Nobody,Enterprise Domain Controllers,Remote Interactive Logon,SChannel Authentication,Digest Authentication,Terminal Server User,NTLM Authentication,Other Organization,This Organization,Anonymous Logon,Network Service,Creator Group,Creator Owner,Local Service,Owner Rights,Interactive,Restricted,Network,Service,Dialup,System,Batch,Proxy,IUSR,Self
connector/s4/mapping/group/language: en
connector/s4/mapping/group/syncmode:
connector/s4/mapping/group/table/.*:
connector/s4/mapping/group/table/Printer-Admins: Print Operators
connector/s4/mapping/msprintconnectionpolicy/ignorelist:
connector/s4/mapping/msprintconnectionpolicy/syncmode:
connector/s4/mapping/msprintconnectionpolicy:
connector/s4/mapping/ou/ignorelist:
connector/s4/mapping/ou/syncmode:
connector/s4/mapping/sid/sid_to_ucs:
connector/s4/mapping/sid: true
connector/s4/mapping/sid_to_s4:
connector/s4/mapping/syncmode: sync
connector/s4/mapping/user/ignorelist: root,ucs-s4sync
connector/s4/mapping/user/syncmode:
connector/s4/mapping/windowscomputer/ignorelist:
connector/s4/mapping/wmifilter/ignorelist:
connector/s4/mapping/wmifilter/syncmode:
connector/s4/mapping/wmifilter:
listener/module/wellknownsidnamemapping:

But if I make changes in the UCS webUI to the mailAlternativeAddress,
I don’t see any changes in the proxyAddresses.

Okay: with the above commands, you configure variables for the AD-Connector. If you do not have this installed (unlikely if there is no Windows Server around) you would need to make the same changes for the S4 connector. Since I cannot test this currently please be aware that this may not work (if the mapping for the S4 connector has to be configured otherwise):

ucr set connector/s4/mapping/group/alternativemail=true
ucr set connector/s4/mapping/user/alternativemail=true
ucr set connector/s4/mapping/group/primarymail=true
ucr set connector/s4/mapping/user/primarymail=true

Maybe you can find these variables or the handling of mailAlternativeAddresses, especially regarding the S4 connector, in the documentation, SDB or forum too. Would be worth a look IMHO.

Okay, here are the results:
root@email:~# ucr search --brief mapping
connector/ad/mapping/group/alternativemail: true
connector/ad/mapping/group/language: de
connector/ad/mapping/group/primarymail: true
connector/ad/mapping/user/alternativemail: true
connector/ad/mapping/user/primarymail: true
connector/s4/mapping/computer/syncmode:
connector/s4/mapping/computer_dc/syncmode:
connector/s4/mapping/container/ignorelist: mail,kerberos,MicrosoftDNS
connector/s4/mapping/container/syncmode:
connector/s4/mapping/dc/ignorelist:
connector/s4/mapping/dc/syncmode:
connector/s4/mapping/dns/forward_zone/.*/static/ipv4:
connector/s4/mapping/dns/forward_zone/.*/static/ipv6:
connector/s4/mapping/dns/host_record/.*/static/ipv4:
connector/s4/mapping/dns/host_record/.*/static/ipv6:
connector/s4/mapping/dns/ignorelist: _ldap._tcp.Default-First-Site-Name._site
connector/s4/mapping/dns/position:
connector/s4/mapping/dns/srv_record/.*/location:
connector/s4/mapping/dns/syncmode:
connector/s4/mapping/gpo/ignorelist:
connector/s4/mapping/gpo/ntsd:
connector/s4/mapping/gpo/syncmode:
connector/s4/mapping/gpo: true
connector/s4/mapping/group/alternativemail: true
connector/s4/mapping/group/grouptype: true
connector/s4/mapping/group/ignorelist: Windows Hosts,Authenticated Users,World Authority,Everyone,Null Authority,Nobody,Enterprise Domain Controllers,Remote Interactive Logon,SChannel Authentication,Digest Authentication,Terminal Server User,NTLM Authentication,Other Organization,This Organization,Anonymous Logon,Network Service,Creator Group,Creator Owner,Local Service,Owner Rights,Interactive,Restricted,Network,Service,Dialup,System,Batch,Proxy,IUSR,Self
connector/s4/mapping/group/language: en
connector/s4/mapping/group/primarymail: true
connector/s4/mapping/group/syncmode:
connector/s4/mapping/group/table/.*:
connector/s4/mapping/group/table/Printer-Admins: Print Operators
connector/s4/mapping/msprintconnectionpolicy/ignorelist:
connector/s4/mapping/msprintconnectionpolicy/syncmode:
connector/s4/mapping/msprintconnectionpolicy:
connector/s4/mapping/ou/ignorelist:
connector/s4/mapping/ou/syncmode:
connector/s4/mapping/sid/sid_to_ucs:
connector/s4/mapping/sid: true
connector/s4/mapping/sid_to_s4:
connector/s4/mapping/syncmode: sync
connector/s4/mapping/user/alternativemail: true
connector/s4/mapping/user/ignorelist: root,ucs-s4sync
connector/s4/mapping/user/primarymail: true
connector/s4/mapping/user/syncmode:
connector/s4/mapping/windowscomputer/ignorelist:
connector/s4/mapping/wmifilter/ignorelist:
connector/s4/mapping/wmifilter/syncmode:
connector/s4/mapping/wmifilter:
listener/module/wellknownsidnamemapping:

I also tried “service univention-s4-connector restart”; it does not appear to make a difference.
I will try to search for the terms you suggested.

I could not get the fields to sync between Samba4 and LDAP.
So I used the ldbedit command to test a change to a single client
and then did an automated process using ldbmodify to add the secondary email address to each client.

Here is an example of the bash script I ran on the UCS,
feeding it a file containing “username,secondaryEmailAddress”

#!/bin/bash
# Usage: ./add-second-email.sh users.csv
# Input file: one "username,secondaryEmailAddress" per line.
set -u

base_dn="dc=example,dc=com"
ldif_temp_file_name=$(mktemp)
trap 'rm -f "$ldif_temp_file_name"' EXIT

# Read the CSV field-wise instead of word-splitting "$(cat $1)", so the loop
# is not broken by spaces or a missing trailing newline.
while IFS=, read -r shortname email2 || [ -n "$shortname" ]; do
    [ -n "$shortname" ] && [ -n "$email2" ] || continue   # skip blank/incomplete lines

    # "replace" overwrites every existing proxyAddresses value with this one.
    cat > "$ldif_temp_file_name" <<EOF
dn: cn=$shortname,cn=Users,$base_dn
changetype: modify
replace: proxyAddresses
proxyAddresses: $email2
EOF

    ldbmodify -H /var/lib/samba/private/sam.ldb "$ldif_temp_file_name" \
        || echo "ldbmodify failed for $shortname" >&2
done < "$1"

I’m reviving this old thread as I need to sync this too and it still doesn’t seem to work.
I don’t understand why the sync of this important attribute is not implemented by default.

Is there any comprehensive documentation on how to sync arbitrary attributes between UCS and Samba4?
For example using /etc/univention/connector/s4/localmapping.py with some custom transform code (as we need to transform multiple mailAlternativeAddress into one proxyAddresses)?

The documentation I’ve found is pretty much useless and the code is not well documented which makes it really hard to understand what the attributes are used for.

Based on what I’ve read in the code, I created this piece of code for /etc/univention/connector/s4/localmapping.py:

import univention.s4connector.s4


def mapping_hook(s4_mapping):
    def mailAlternativeAddress_to_proxyAddresses(connector, key, obj):
        return "; ".join([f'smtp:{m}' for m in obj['attributes']['mailAlternativeAddress']])


    def proxyAddresses_to_mailAlternativeAddress(connector, key, obj):
        return [m.replace('smtp:', '') for m in obj['attributes']['proxyAddresses'].split(';')]


    s4_mapping['user'].attributes['mailAlternativeAddress'] = univention.s4connector.attribute(
        ucs_attribute='mailAlternativeAddress',
        ldap_attribute='mailAlternativeAddress',
        con_attribute='proxyAddresses',
        reverse_attribute_check=True,
        single_value=False,
        mapping=(mailAlternativeAddress_to_proxyAddresses, proxyAddresses_to_mailAlternativeAddress),
    )
    return s4_mapping

Still, I really have no idea what single_value and reverse_attribute_check mean in this context and if their setting is correct.

Will this work or did I mess up? I really don’t wanna test this out without more information as I don’t have a proper test system to play with.

Here is a working version.

import univention.s4connector.s4.mapping


def mapping_hook(s4_mapping):
    # Attribute values are lists of bytes. Every alternative address becomes
    # one lowercase "smtp:" proxyAddresses entry; the list returned here
    # replaces the whole proxyAddresses attribute on the Samba side.
    def mailAlternativeAddress_to_proxyAddresses(connector, key, obj):
        return [f'smtp:{m.decode("utf-8")}'.encode("utf-8") for m in obj['attributes'].get('mailAlternativeAddress', [])]

    # Reverse direction: only lowercase "smtp:" entries are taken back into
    # mailAlternativeAddress. The prefix check is case-sensitive on purpose,
    # so "SMTP:" (the primary address) and other address types are ignored.
    def proxyAddresses_to_mailAlternativeAddress(connector, key, obj):
        return [m.decode("utf-8").replace('smtp:', '').encode("utf-8") for m in obj['attributes'].get('proxyAddresses', []) if m.decode("utf-8").startswith("smtp:")]

    s4_mapping['user'].attributes['mailAlternativeAddress'] = univention.s4connector.attribute(
        ucs_attribute='mailAlternativeAddress',
        ldap_attribute='mailAlternativeAddress',
        con_attribute='proxyAddresses',
        reverse_attribute_check=True,
        single_value=False,
        mapping=(mailAlternativeAddress_to_proxyAddresses, proxyAddresses_to_mailAlternativeAddress),
    )

    return s4_mapping
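The previous two posts ask how the mailAlternativeAddress/proxyAddresses transform should behave and then show a hook that does it. The following is an added example, not code from the thread or from Univention: an offline harness with the same two mapping functions, written so they can be exercised without a UCS test system. It assumes (as the thread's code does) that the connector calls the functions as `(connector, key, obj)` with `obj['attributes']` holding lists of bytes, and it goes slightly beyond the thread's version by skipping empty, malformed and duplicate values and by documenting why the reverse prefix check is case-sensitive. `mapping_hook` imports `univention.s4connector` lazily so the file still runs elsewhere; all user objects in `main` are constructed sample data.

```python
"""Offline harness for a mailAlternativeAddress <-> proxyAddresses mapping.

Added example; it is not part of the forum thread or of Univention's code.
The two mapping functions have the (connector, key, obj) signature the S4
connector calls, and read obj['attributes'] as a dict of attribute name ->
list of bytes (assumed here to match the connector). Nothing below imports
univention.s4connector at module level, so the file runs on any machine.
All user objects in the demo at the bottom are constructed sample data.
"""

ALIAS_PREFIX = b"smtp:"    # lowercase: a secondary address (Exchange convention)
PRIMARY_PREFIX = b"SMTP:"  # uppercase: the primary address, never an alias


def ucs_to_proxy_addresses(connector, key, obj):
    """UCS -> Samba: each mailAlternativeAddress becomes one 'smtp:' value.

    The returned list replaces the whole proxyAddresses attribute on the
    Samba side, so entries of other types (SMTP:, X500:, sip:) that only
    existed there are not preserved; the thread's mapping behaves the same.
    Empty, malformed and case-insensitive duplicate values are skipped.
    """
    seen = set()
    result = []
    for raw in obj.get("attributes", {}).get("mailAlternativeAddress", []):
        addr = raw.decode("utf-8").strip()
        if "@" not in addr or addr.lower() in seen:
            continue
        seen.add(addr.lower())
        result.append(ALIAS_PREFIX + addr.encode("utf-8"))
    return result


def proxy_addresses_to_ucs(connector, key, obj):
    """Samba -> UCS: take only lowercase 'smtp:' entries and strip the prefix.

    The prefix test is deliberately case-sensitive: 'SMTP:' marks the
    primary address and must not end up in mailAlternativeAddress.
    """
    return [
        raw[len(ALIAS_PREFIX):]
        for raw in obj.get("attributes", {}).get("proxyAddresses", [])
        if raw.startswith(ALIAS_PREFIX)
    ]


def round_trip(aliases):
    """Push a list of alias strings UCS -> Samba -> UCS and return what comes back."""
    ucs_obj = {"attributes": {"mailAlternativeAddress": [a.encode("utf-8") for a in aliases]}}
    s4_obj = {"attributes": {"proxyAddresses": ucs_to_proxy_addresses(None, "user", ucs_obj)}}
    return [v.decode("utf-8") for v in proxy_addresses_to_ucs(None, "user", s4_obj)]


def mapping_hook(s4_mapping):
    """Registration as in the thread's localmapping.py; only callable on a UCS host."""
    import univention.s4connector  # present on UCS only, hence imported lazily
    s4_mapping["user"].attributes["mailAlternativeAddress"] = univention.s4connector.attribute(
        ucs_attribute="mailAlternativeAddress",
        ldap_attribute="mailAlternativeAddress",
        con_attribute="proxyAddresses",
        reverse_attribute_check=True,
        single_value=False,
        mapping=(ucs_to_proxy_addresses, proxy_addresses_to_ucs),
    )
    return s4_mapping


if __name__ == "__main__":
    # Constructed sample: a UCS user with two aliases, one duplicate and one junk value.
    ucs_user = {"attributes": {"mailAlternativeAddress": [
        b"alias1@example.com", b" Alias1@example.com ", b"not-an-address", b"alias2@example.com"]}}
    print("UCS -> Samba:", ucs_to_proxy_addresses(None, "user", ucs_user))

    # Constructed sample: the same user as Samba sees it, with a primary and an X500 entry.
    s4_user = {"attributes": {"proxyAddresses": [
        b"SMTP:primary@example.com", b"smtp:alias1@example.com",
        b"X500:/o=ExampleOrg/ou=Exchange/cn=Recipients/cn=user", b"sip:alias1@example.com"]}}
    print("Samba -> UCS:", proxy_addresses_to_ucs(None, "user", s4_user))
    print("round trip:", round_trip(["alias1@example.com", "alias2@example.com"]))
```

Running the file directly prints the three results; the point of the `round_trip` helper is that a change to either function can be checked on a workstation before it is dropped into localmapping.py on the domain controller, where a mistake in the UCS-to-Samba direction rewrites proxyAddresses for every synced user.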