Link mailAlternativeAddress with proxyAddresses

mail
s4-connector

#1

I have users in my UCS Samba4 Directory that have mailAlternativeAddress email addresses (along with a primary address).
I have another server that needs to validate user email addresses over “Active Directory”.
I can validate the primary email but not the mailAlternativeAddress.
I can’t find an Active Directory property that maps to the mailAlternativeAddress value.
I’ve found some discussion about using the “proxyAddresses” property
and believe that would work fine for me (I don’t use MS Exchange).
But I can’t find any way to get the proxyAddresses to match/update from the mailAlternativeAddress.

Is there a way to access the “mailAlternativeAddress” value through the Samba4 directory?
Thanks


#2

You can set UCR-Values for the AD-Connector:

ucr set connector/ad/mapping/group/alternativemail=true
ucr set connector/ad/mapping/user/alternativemail=true
ucr set connector/ad/mapping/group/primarymail=true
ucr set connector/ad/mapping/user/primarymail=true

Does it help?


#3

I found a discussion of that and tried it but could not see that it made any difference.
I thought maybe that only applied when you are connecting to a Windows Active Directory,
and not when you are using the UCS Samba4 as the directory server?


#4

I do not have a testing environment at hand. Can you check if you have the connector mapping variables also for the S4 connector? The easiest way would be:

# ucr search --brief mapping

That should show you all the mapping variables. If I understood right, you would need to tell the S4 connector that it should map the proxy/alternative addresses correctly (since you have a system that accesses the Samba4 of the UCS).

Hope that did help a bit, and kind regards.


#5

root@email:~# ucr search --brief mapping
connector/ad/mapping/group/language: de
connector/s4/mapping/computer/syncmode:
connector/s4/mapping/computer_dc/syncmode:
connector/s4/mapping/container/ignorelist: mail,kerberos,MicrosoftDNS
connector/s4/mapping/container/syncmode:
connector/s4/mapping/dc/ignorelist:
connector/s4/mapping/dc/syncmode:
connector/s4/mapping/dns/forward_zone/.*/static/ipv4:
connector/s4/mapping/dns/forward_zone/.*/static/ipv6:
connector/s4/mapping/dns/host_record/.*/static/ipv4:
connector/s4/mapping/dns/host_record/.*/static/ipv6:
connector/s4/mapping/dns/ignorelist: _ldap._tcp.Default-First-Site-Name._site
connector/s4/mapping/dns/position:
connector/s4/mapping/dns/srv_record/.*/location:
connector/s4/mapping/dns/syncmode:
connector/s4/mapping/gpo/ignorelist:
connector/s4/mapping/gpo/ntsd:
connector/s4/mapping/gpo/syncmode:
connector/s4/mapping/gpo: true
connector/s4/mapping/group/grouptype: true
connector/s4/mapping/group/ignorelist: Windows Hosts,Authenticated Users,World Authority,Everyone,Null Authority,Nobody,Enterprise Domain Controllers,Remote Interactive Logon,SChannel Authentication,Digest Authentication,Terminal Server User,NTLM Authentication,Other Organization,This Organization,Anonymous Logon,Network Service,Creator Group,Creator Owner,Local Service,Owner Rights,Interactive,Restricted,Network,Service,Dialup,System,Batch,Proxy,IUSR,Self
connector/s4/mapping/group/language: en
connector/s4/mapping/group/syncmode:
connector/s4/mapping/group/table/.*:
connector/s4/mapping/group/table/Printer-Admins: Print Operators
connector/s4/mapping/msprintconnectionpolicy/ignorelist:
connector/s4/mapping/msprintconnectionpolicy/syncmode:
connector/s4/mapping/msprintconnectionpolicy:
connector/s4/mapping/ou/ignorelist:
connector/s4/mapping/ou/syncmode:
connector/s4/mapping/sid/sid_to_ucs:
connector/s4/mapping/sid: true
connector/s4/mapping/sid_to_s4:
connector/s4/mapping/syncmode: sync
connector/s4/mapping/user/ignorelist: root,ucs-s4sync
connector/s4/mapping/user/syncmode:
connector/s4/mapping/windowscomputer/ignorelist:
connector/s4/mapping/wmifilter/ignorelist:
connector/s4/mapping/wmifilter/syncmode:
connector/s4/mapping/wmifilter:
listener/module/wellknownsidnamemapping:

And then if I run:
ucr set connector/ad/mapping/group/alternativemail=true
ucr set connector/ad/mapping/user/alternativemail=true
ucr set connector/ad/mapping/group/primarymail=true
ucr set connector/ad/mapping/user/primarymail=true

I get this:
root@email:~# ucr search --brief mapping
connector/ad/mapping/group/alternativemail: true
connector/ad/mapping/group/language: de
connector/ad/mapping/group/primarymail: true
connector/ad/mapping/user/alternativemail: true
connector/ad/mapping/user/primarymail: true
connector/s4/mapping/computer/syncmode:
connector/s4/mapping/computer_dc/syncmode:
connector/s4/mapping/container/ignorelist: mail,kerberos,MicrosoftDNS
connector/s4/mapping/container/syncmode:
connector/s4/mapping/dc/ignorelist:
connector/s4/mapping/dc/syncmode:
connector/s4/mapping/dns/forward_zone/.*/static/ipv4:
connector/s4/mapping/dns/forward_zone/.*/static/ipv6:
connector/s4/mapping/dns/host_record/.*/static/ipv4:
connector/s4/mapping/dns/host_record/.*/static/ipv6:
connector/s4/mapping/dns/ignorelist: _ldap._tcp.Default-First-Site-Name._site
connector/s4/mapping/dns/position:
connector/s4/mapping/dns/srv_record/.*/location:
connector/s4/mapping/dns/syncmode:
connector/s4/mapping/gpo/ignorelist:
connector/s4/mapping/gpo/ntsd:
connector/s4/mapping/gpo/syncmode:
connector/s4/mapping/gpo: true
connector/s4/mapping/group/grouptype: true
connector/s4/mapping/group/ignorelist: Windows Hosts,Authenticated Users,World Authority,Everyone,Null Authority,Nobody,Enterprise Domain Controllers,Remote Interactive Logon,SChannel Authentication,Digest Authentication,Terminal Server User,NTLM Authentication,Other Organization,This Organization,Anonymous Logon,Network Service,Creator Group,Creator Owner,Local Service,Owner Rights,Interactive,Restricted,Network,Service,Dialup,System,Batch,Proxy,IUSR,Self
connector/s4/mapping/group/language: en
connector/s4/mapping/group/syncmode:
connector/s4/mapping/group/table/.*:
connector/s4/mapping/group/table/Printer-Admins: Print Operators
connector/s4/mapping/msprintconnectionpolicy/ignorelist:
connector/s4/mapping/msprintconnectionpolicy/syncmode:
connector/s4/mapping/msprintconnectionpolicy:
connector/s4/mapping/ou/ignorelist:
connector/s4/mapping/ou/syncmode:
connector/s4/mapping/sid/sid_to_ucs:
connector/s4/mapping/sid: true
connector/s4/mapping/sid_to_s4:
connector/s4/mapping/syncmode: sync
connector/s4/mapping/user/ignorelist: root,ucs-s4sync
connector/s4/mapping/user/syncmode:
connector/s4/mapping/windowscomputer/ignorelist:
connector/s4/mapping/wmifilter/ignorelist:
connector/s4/mapping/wmifilter/syncmode:
connector/s4/mapping/wmifilter:
listener/module/wellknownsidnamemapping:

But if I make changes in the UCS webUI to the mailAlternativeAddress,
I don’t see any changes in the proxyAddresses.


#6

Okay: with the above commands, you configure variables for the AD-Connector. If you do not have this installed (unlikely if there is no Windows Server around) you would need to make the same changes for the S4 connector. Since I cannot test this currently please be aware that this may not work (if the mapping for the S4 connector has to be configured otherwise):

ucr set connector/s4/mapping/group/alternativemail=true
ucr set connector/s4/mapping/user/alternativemail=true
ucr set connector/s4/mapping/group/primarymail=true
ucr set connector/s4/mapping/user/primarymail=true

Maybe you can find these variables or the handling of mailAlternativeAddresses regarding especially the S4 connector in the documentation, SDB or forum too. Would be worth a look IMHO.


#7

Okay, here are the results:
root@email:~# ucr search --brief mapping
connector/ad/mapping/group/alternativemail: true
connector/ad/mapping/group/language: de
connector/ad/mapping/group/primarymail: true
connector/ad/mapping/user/alternativemail: true
connector/ad/mapping/user/primarymail: true
connector/s4/mapping/computer/syncmode:
connector/s4/mapping/computer_dc/syncmode:
connector/s4/mapping/container/ignorelist: mail,kerberos,MicrosoftDNS
connector/s4/mapping/container/syncmode:
connector/s4/mapping/dc/ignorelist:
connector/s4/mapping/dc/syncmode:
connector/s4/mapping/dns/forward_zone/.*/static/ipv4:
connector/s4/mapping/dns/forward_zone/.*/static/ipv6:
connector/s4/mapping/dns/host_record/.*/static/ipv4:
connector/s4/mapping/dns/host_record/.*/static/ipv6:
connector/s4/mapping/dns/ignorelist: _ldap._tcp.Default-First-Site-Name._site
connector/s4/mapping/dns/position:
connector/s4/mapping/dns/srv_record/.*/location:
connector/s4/mapping/dns/syncmode:
connector/s4/mapping/gpo/ignorelist:
connector/s4/mapping/gpo/ntsd:
connector/s4/mapping/gpo/syncmode:
connector/s4/mapping/gpo: true
connector/s4/mapping/group/alternativemail: true
connector/s4/mapping/group/grouptype: true
connector/s4/mapping/group/ignorelist: Windows Hosts,Authenticated Users,World Authority,Everyone,Null Authority,Nobody,Enterprise Domain Controllers,Remote Interactive Logon,SChannel Authentication,Digest Authentication,Terminal Server User,NTLM Authentication,Other Organization,This Organization,Anonymous Logon,Network Service,Creator Group,Creator Owner,Local Service,Owner Rights,Interactive,Restricted,Network,Service,Dialup,System,Batch,Proxy,IUSR,Self
connector/s4/mapping/group/language: en
connector/s4/mapping/group/primarymail: true
connector/s4/mapping/group/syncmode:
connector/s4/mapping/group/table/.*:
connector/s4/mapping/group/table/Printer-Admins: Print Operators
connector/s4/mapping/msprintconnectionpolicy/ignorelist:
connector/s4/mapping/msprintconnectionpolicy/syncmode:
connector/s4/mapping/msprintconnectionpolicy:
connector/s4/mapping/ou/ignorelist:
connector/s4/mapping/ou/syncmode:
connector/s4/mapping/sid/sid_to_ucs:
connector/s4/mapping/sid: true
connector/s4/mapping/sid_to_s4:
connector/s4/mapping/syncmode: sync
connector/s4/mapping/user/alternativemail: true
connector/s4/mapping/user/ignorelist: root,ucs-s4sync
connector/s4/mapping/user/primarymail: true
connector/s4/mapping/user/syncmode:
connector/s4/mapping/windowscomputer/ignorelist:
connector/s4/mapping/wmifilter/ignorelist:
connector/s4/mapping/wmifilter/syncmode:
connector/s4/mapping/wmifilter:
listener/module/wellknownsidnamemapping:

Also tried “service univention-s4-connector restart”; it does not appear to make a difference.
I will try to search for the terms you suggested.


#8

I could not get the fields to sync between Samba4 and LDAP.
So I used the ldbedit command to test a change to a single client
and then did an automated process using ldbmodify to add the secondary email address to each client.

Here is an example of the bash script I ran on the UCS,
feeding it a file containing “username,secondaryEmailAddress”

#!/bin/bash
# Usage: ./add-second-email.sh users.csv
# Each line of the input file: username,secondaryEmailAddress
base_dn="dc=example,dc=com"
sam_db="/var/lib/samba/private/sam.ldb"

# Read the file line by line, splitting each line on the comma
# (word-splitting "$(cat $1)" would break on any whitespace in the fields).
while IFS=, read -r shortname email2; do
    [ -z "$shortname" ] && continue   # skip blank lines
    ldif_temp_file_name=$(mktemp)
    # NOTE: "replace" overwrites every proxyAddresses value the object
    # already has with the single address given here.
    cat > "$ldif_temp_file_name" <<EOF
dn: cn=$shortname,cn=Users,$base_dn
changetype: modify
replace: proxyAddresses
proxyAddresses: $email2
EOF
    ldbmodify -H "$sam_db" "$ldif_temp_file_name"
    rm -f "$ldif_temp_file_name"
done < "$1"
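As an added example (not from the thread and not UCS or Samba code), the following Python generates the same kind of LDIF for ldbmodify, but groups several alternative addresses per user into one modify block, escapes the username before it is placed into the DN (an unescaped comma in a username would otherwise change which object is modified), and base64-encodes values LDIF cannot carry verbatim. The smtp: prefix is the Active Directory convention for proxyAddresses and is an assumption here; pass prefix="" to produce the unprefixed values the script above writes.

```python
import base64
import csv
import io
from collections import OrderedDict

# RFC 4514: these characters must be backslash-escaped inside an RDN value.
_DN_SPECIAL = set(',+"\\<>;')


def escape_rdn_value(value: str) -> str:
    """Escape a value for use as the cn= part of a DN (RFC 4514 rules)."""
    out = []
    for i, ch in enumerate(value):
        special = (ch in _DN_SPECIAL or (ch == '#' and i == 0)
                   or (ch == ' ' and i in (0, len(value) - 1)))
        out.append('\\' + ch if special else ch)
    return ''.join(out)


def ldif_attr(name: str, value: str) -> str:
    """One LDIF attribute line; '::' + base64 when the value is not LDIF-safe."""
    safe = (value.isascii() and value.isprintable()
            and not value.startswith((' ', ':', '<')))
    if safe:
        return f"{name}: {value}"
    return f"{name}:: {base64.b64encode(value.encode()).decode()}"


def build_ldif(csv_text: str, base_dn: str, prefix: str = "smtp:") -> str:
    """Turn 'username,address' rows into one modify block per user.
    'replace' writes the complete address set, so re-running is idempotent."""
    per_user = OrderedDict()
    for row in csv.reader(io.StringIO(csv_text)):
        if not row:
            continue
        if len(row) != 2:
            raise ValueError(f"expected 'username,address', got {row!r}")
        user, addr = (field.strip() for field in row)
        if not user or '@' not in addr:
            raise ValueError(f"bad row: {row!r}")
        per_user.setdefault(user, []).append(prefix + addr)
    blocks = []
    for user, addrs in per_user.items():
        lines = [f"dn: cn={escape_rdn_value(user)},cn=Users,{base_dn}",
                 "changetype: modify", "replace: proxyAddresses"]
        lines += [ldif_attr("proxyAddresses", a) for a in addrs]
        blocks.append("\n".join(lines))
    return "\n\n".join(blocks) + "\n"


# Constructed sample input (hypothetical users), not data from the thread.
SAMPLE_CSV = 'jdoe,j.doe@example.com\njdoe,john@example.com\n"smith, anna",anna@example.com\n'

if __name__ == "__main__":
    print(build_ldif(SAMPLE_CSV, "dc=example,dc=com"), end="")
```

Feed the output to ldbmodify exactly as the script above does (ldbmodify -H /var/lib/samba/private/sam.ldb file.ldif).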