Provided by: kopano-server_8.7.0-7.2ubuntu2_amd64
NAME
kopano-ldap.cfg - The Kopano LDAP configuration file
SYNOPSIS
ldap.cfg
DESCRIPTION
ldap.cfg is the configuration file for the LDAP user plugin of kopano-server. All options needed to correctly retrieve user and group information from an LDAP directory (OpenLDAP or Active Directory) are set here.
FILE FORMAT
The file consists of one big section, but parameters can be grouped by functionality. Parameters are written in the form:

    name = value

The file is line-based. Each newline-terminated line represents either a comment, nothing, a parameter or a directive. A line beginning with `#' is considered a comment and is ignored by Kopano. Parameter names are case sensitive.

Lines beginning with `!' are directives. Directives are written in the form:

    !directive [argument(s)]

The following directives exist:

include
    Include and process the argument as a further configuration file.
    Example: !include common.cfg

propmap
    Propmap maps additional LDAP attributes to addressbook properties (e.g. firstname, lastname, telephonenumber). In the propmap file the configuration names must be the hex property tag of the requested property, and the value given to each name must be the LDAP attribute to which that property is mapped.
    Example: !propmap ldap.propmap.cfg
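The format above is simple enough to parse exactly, which is useful when auditing a deployment's effective settings across included files. The following parser is an added example and is not Kopano's own parser: it handles the four line kinds the page lists (comment, empty, parameter, directive), the `!include` and `!propmap` directives, and refuses include loops. The files are constructed inline and keyed by path so it runs without touching the filesystem; resolving relative directive arguments against the including file's directory is an assumption the page does not state.

```python
"""Parser for the line-based ldap.cfg format (added example, not Kopano code)."""
import posixpath

# Constructed sample files, keyed by path; they stand in for the filesystem.
SAMPLE_FILES = {
    "/etc/kopano/ldap.cfg": "\n".join([
        "# constructed sample; not a real deployment",
        "!include common.cfg",
        "ldap_search_base = dc=example,dc=org",
        "ldap_bind_user = cn=kopano,dc=example,dc=org",
        "",
        "!propmap ldap.propmap.cfg",
        "ldap_starttls = yes",
        "ldap_network_timeout = 10",
    ]),
    "/etc/kopano/common.cfg": "\n".join([
        "ldap_uri = ldap://ldap.example.org:389/",
        "ldap_page_size = 1000",
        "ldap_network_timeout = 30",
    ]),
    "/etc/kopano/ldap.propmap.cfg": "\n".join([
        "# hex property tag = LDAP attribute (PR_GIVEN_NAME, PR_SURNAME)",
        "0x3A06001E = givenName",
        "0x3A11001E = sn",
    ]),
}


class ConfigError(Exception):
    """Raised for unreadable files, include loops and malformed lines."""


def parse_cfg(path, files=SAMPLE_FILES, _stack=()):
    """Return (params, propmap) for the configuration file at `path`.

    params  -- dict of parameter name -> value. A later line for the same
               name wins, so a parameter written after an !include line
               overrides the value from the included file.
    propmap -- dict of hex property tag -> LDAP attribute, collected from
               !propmap files, which use the same name = value syntax.
    Relative directive arguments are resolved against the including file's
    directory (assumption: the page does not say how Kopano resolves them).
    """
    if path in _stack:
        raise ConfigError("include loop: " + " -> ".join(_stack + (path,)))
    if path not in files:
        raise ConfigError("cannot read " + path)
    stack = _stack + (path,)
    base = posixpath.dirname(path)
    params, propmap = {}, {}
    for lineno, raw in enumerate(files[path].split("\n"), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                                   # comment or empty line
        if line.startswith("!"):
            directive, _, arg = line[1:].partition(" ")
            arg = arg.strip()
            target = arg if posixpath.isabs(arg) else posixpath.join(base, arg)
            if directive == "include":
                sub_params, sub_propmap = parse_cfg(target, files, stack)
                params.update(sub_params)
                propmap.update(sub_propmap)
            elif directive == "propmap":
                sub_params, _ = parse_cfg(target, files, stack)
                propmap.update(sub_params)
            else:
                raise ConfigError("%s:%d: unknown directive !%s" % (path, lineno, directive))
            continue
        name, sep, value = line.partition("=")
        if not sep or not name.strip():
            raise ConfigError("%s:%d: expected name = value" % (path, lineno))
        params[name.strip()] = value.strip()           # names stay case sensitive
    return params, propmap


if __name__ == "__main__":
    p, m = parse_cfg("/etc/kopano/ldap.cfg")
    for k in sorted(p):
        print("%s = %s" % (k, p[k]))
    print("propmap:", m)
```

The loop guard matters in practice because a stray `!include ldap.cfg` in a shared common file would otherwise recurse until the process runs out of stack; the include chain is reported in the error so the offending file is easy to find.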
EXPLANATION OF EACH PARAMETER
ldap_host, ldap_port, ldap_protocol
    These historic directives specify a single LDAP server to use. Their use is discouraged in favor of ldap_uri.
    Defaults: ldap_host=localhost, ldap_port=389, ldap_protocol=ldap

ldap_uri
    Specifies the URI of one or more LDAP server(s) to use, without any DN portion, such as "ldap://server:389/", "ldaps://server:636/" or "ldapi:///". If ldap_uri is set, the values of the historic directives ldap_host, ldap_port and ldap_protocol are ignored.
    Default: (empty, such that the URI list is constructed from ldap_host, ldap_port and ldap_protocol)

ldap_starttls
    Request that any LDAP connection be secured with TLS, and reject the connection if this security cannot be established. See the OpenLDAP client documentation (ldap.conf(5)) for the TLS settings, such as the CA certificate used to verify the server.
    Default: no

ldap_server_charset
    The charset that the LDAP server uses to store strings. All strings sent to the LDAP server or retrieved from it are interpreted in this charset. In most setups utf-8 is used, but it may also be iso-8859-15. All charsets supported by the system's iconv() are supported here.
    Default: utf-8

ldap_bind_user
    The bind DN used to connect to the LDAP server. Leave empty to connect anonymously.
    Default: empty

ldap_bind_passwd
    When ldap_bind_user is a valid DN, this should be filled in too.
    Default: empty

ldap_network_timeout
    The timeout for network operations in seconds.
    Default: 30

ldap_last_modification_attribute
    This value is used to detect changes to an item on the LDAP server. Since it is a standard LDAP attribute, you should never have to change this. It is mainly used for addressbook synchronisation between your server and your offline data.
    Default: modifyTimeStamp

ldap_page_size
    Limit result sets to pages of this size, downloading fewer results at a time from the LDAP server.
    Default: 1000

ldap_search_base
    This is the subtree entry under which all objects are defined on the LDAP server.
    Default: dc=kopano,dc=com

ldap_object_type_attribute
    This attribute defines what type an object is, e.g. user, group, etc. Every object type should have a unique value in this attribute in order to tell which type each entry is. The values of this attribute are specified in the ldap_*_type_attribute_value settings. Each of those settings may specify multiple values for the type attribute, separated by commas. All of these values must be present in the object's type attribute for a match to be made and the object to be recognised as that type. Ambiguities can arise by setting the same string for multiple ldap_*_type_attribute_value settings. Such an ambiguity is resolved by preferring the type with more matching values. If it cannot be resolved in this way, the first possibility is chosen from the list (addresslist, tenant, dynamic group, group, contact, user).
    Default: objectClass

ldap_user_type_attribute_value
    The value in ldap_object_type_attribute which defines a user.
    Default for OpenLDAP: posixAccount
    Default for ADS: user

ldap_group_type_attribute_value
    The value in ldap_object_type_attribute which defines a group.
    Default for OpenLDAP: posixGroup
    Default for ADS: group

ldap_contact_type_attribute_value
    The value in ldap_object_type_attribute which defines a contact.
    Default for OpenLDAP: inetOrgPerson
    Default for ADS: contact

ldap_company_type_attribute_value
    The value in ldap_object_type_attribute which defines a tenant. This option is only used in multi-tenancy installations.
    Default for OpenLDAP: organizationalUnit
    Default for ADS: kopano-company

ldap_addresslist_type_attribute_value
    The value in ldap_object_type_attribute which defines an addresslist.
    Default: kopano-addresslist

ldap_dynamicgroup_type_attribute_value
    The value in ldap_object_type_attribute which defines a dynamic group.
    Default: kopano-dynamicgroup

ldap_user_search_filter
    Adds an extra filter to the user search. Hint: use the kopanoAccount attribute in the filter to differentiate between non-Kopano and Kopano users.
    Default for OpenLDAP: empty
    Default for ADS: (objectCategory=Person)

ldap_user_unique_attribute
    This is the unique attribute of a user which is never going to change, unless the user is removed from LDAP. When this value changes, Kopano will remove the previous user and its store from the database, and create a new user with this unique value. Choose an attribute that is never reassigned, since a changed value is indistinguishable from a deleted and newly created user.
    Default for OpenLDAP: uidNumber
    Default for ADS: objectGUID

ldap_user_unique_attribute_type
    Content type of ldap_user_unique_attribute. This value can be binary or text.
    Default for OpenLDAP: text
    Default for ADS: binary

ldap_fullname_attribute
    This value is the full name of a user. It is used on outgoing messages and for store names.
    Default: cn

ldap_loginname_attribute
    This value is the login name of a user. This is what the user uses to log in to Kopano. The DAgent uses this value to open the store of the user.
    Default for OpenLDAP: uid
    Default for ADS: sAMAccountName

ldap_password_attribute
    This value is the password of a user. When using ldap_authentication_method = password, this value is checked. The ldap_bind_user must then have enough access rights to read the password field.
    Default for OpenLDAP: userPassword
    Default for ADS: unicodePwd

ldap_authentication_method
    This value can be bind or password. When set to bind, the plugin authenticates by opening a new connection to the LDAP server as the user with the given password. When set to password, the plugin reads the password field from the LDAP server itself and matches it; the ldap_bind_user must then have enough access rights to read the password field of every user.
    Default for OpenLDAP: bind
    Default for ADS: bind

ldap_emailaddress_attribute
    This value is the email address of a user. It is used to set the From address on outgoing messages.
    Default: mail

ldap_emailaliases_attribute
    This value holds the email aliases of a user. It can be used to find extra valid email addresses for incoming email. These addresses cannot be used for outgoing email.
    Default: kopanoAliases

ldap_isadmin_attribute
    This value indicates whether a user has administrator rights. 0 or absent means no; 1 means yes. In a multi-tenancy environment a value of 1 means that the user is administrator over their own tenant. A value of 2 means administrator over all tenants within the environment.
    Default: kopanoAdmin

ldap_nonactive_attribute
    This value indicates whether a user is non-active. Non-active users cannot log in, but their store can be used as a shared store by other users. Setting this value to 1 makes a mailbox non-active. The attribute provided by the Kopano schema for non-active users is kopanoSharedStoreOnly.
    Default: kopanoSharedStoreOnly

ldap_resource_type_attribute
    This attribute can change the type of a non-active user. The value of this attribute can be room or equipment to make it such a resource. If this attribute is not present, or is not one of the previously described values, the user is a normal non-active user.
    Default: kopanoResourceType

ldap_resource_capacity_attribute
    Resources often have a limited capacity. Use this attribute to control this value.
    Default: kopanoResourceCapacity

ldap_sendas_attribute
    This attribute contains the list of users for which the user can use the send-as feature.
    Default: kopanoSendAsPrivilege

ldap_sendas_attribute_type
    Content type of ldap_sendas_attribute. This value can be dn, binary or text.
    Default for OpenLDAP: text
    Default for ADS: dn

ldap_sendas_relation_attribute
    This value is used to find the users in the send-as list. Defaults to empty, using the ldap_user_unique_attribute setting. By using the DN, you can also add groups to the send-as list.
    Default for OpenLDAP: empty
    Default for ADS: distinguishedName

ldap_user_certificate_attribute
    The attribute which contains the user's public certificate to be used for encrypted S/MIME messages. Both Active Directory and OpenLDAP use the same LDAP attribute by default. The certificate must be in binary DER format.
    Default: userCertificate

ldap_group_search_filter
    Adds an extra filter to the group search. Hint: use the kopanoAccount attribute in the filter to differentiate between non-Kopano and Kopano groups.
    Default for OpenLDAP: empty
    Default for ADS: (objectCategory=Group)

ldap_group_unique_attribute
    This is the unique attribute of a group which is never going to change, unless the group is removed from LDAP. When this value changes, Kopano will remove the previous group from the database, and create a new group with this unique value.
    Default for OpenLDAP: gidNumber
    Default for ADS: objectSid

ldap_group_unique_attribute_type
    Content type of ldap_group_unique_attribute. This value can be binary or text.
    Default for OpenLDAP: text
    Default for ADS: binary

ldap_groupname_attribute
    This value is the name of a group.
    Default: cn

ldap_groupmembers_attribute
    This value is the member list of a group.
    Default for OpenLDAP: memberUid
    Default for ADS: member

ldap_groupmembers_attribute_type
    Content type of ldap_groupmembers_attribute. This value can be dn, binary or text.
    Default for OpenLDAP: text
    Default for ADS: dn

ldap_groupmembers_relation_attribute
    This value is used to find the users in a group if ldap_groupmembers_attribute_type is text. Defaults to empty, using the ldap_user_unique_attribute setting.
    Default: empty

ldap_group_security_attribute
    If this attribute is present, you can make a group a security group. These groups can be used to set permissions on folders.
    Default for OpenLDAP: kopanoSecurityGroup
    Default for ADS: groupType

ldap_group_security_attribute_type
    The type of ldap_group_security_attribute is very different for ADS and OpenLDAP. The value of this option can be boolean or ads. The ads option only looks at the highest bit of the numeric value of the groupType attribute.
    Default for OpenLDAP: boolean
    Default for ADS: ads

ldap_company_search_filter
    Adds an extra filter to the tenant search. Hint: use the kopanoAccount attribute in the filter to differentiate between non-Kopano and Kopano tenants.
    Default for OpenLDAP: empty
    Default for ADS: (objectCategory=Company)

ldap_company_unique_attribute
    This is the unique attribute of a tenant which is never going to change, unless the tenant is removed from LDAP. When this value changes, Kopano will remove the previous tenant from the database, and create a new tenant with this unique value.
    Default for OpenLDAP: ou
    Default for ADS: objectSid

ldap_company_unique_attribute_type
    Content type of ldap_company_unique_attribute. This value can be binary or text.
    Default for OpenLDAP: text
    Default for ADS: binary

ldap_companyname_attribute
    This value is the name of a tenant.
    Default: cn

ldap_company_view_attribute
    This attribute contains the list of tenants which may view the members of the tenant on which this attribute is set. Tenants not listed in this attribute can see neither the presence of the tenant space itself nor its members.
    Default: kopanoViewPrivilege

ldap_company_view_attribute_type
    Content type of ldap_company_view_attribute. This value can be dn, binary or text.
    Default for OpenLDAP: text
    Default for ADS: dn

ldap_company_view_relation_attribute
    The attribute of the tenant which is listed in ldap_company_view_attribute.
    Default: empty, using ldap_company_unique_attribute

ldap_company_admin_attribute
    This attribute contains the list of users outside the selected tenant space who are administrators over the selected tenant space. Note that local users should not be listed as administrators here; those users need the ldap_isadmin_attribute attribute.
    Default: kopanoAdminPrivilege

ldap_company_admin_attribute_type
    Content type of ldap_company_admin_attribute. This value can be dn, binary or text.
    Default for OpenLDAP: text
    Default for ADS: dn

ldap_company_admin_relation_attribute
    The attribute of the user which is listed in ldap_company_admin_attribute.
    Default: empty, using ldap_user_unique_attribute

ldap_company_system_admin_attribute
    This attribute contains the user who acts as the system administrator of this tenant space. This can be either a local user or a user from a different tenant space. At the moment this user is set as the sender of quota warning emails.
    Default: kopanoSystemAdmin

ldap_company_system_admin_attribute_type
    Content type of ldap_company_system_admin_attribute. This value can be dn, binary or text.
    Default for OpenLDAP: text
    Default for ADS: dn

ldap_company_system_admin_relation_attribute
    The attribute of the user which is listed in ldap_company_system_admin_attribute.
    Default: empty, using ldap_user_unique_attribute

ldap_addresslist_search_filter
    Adds a filter to the addresslist search. Hint: use the kopanoAccount attribute in the filter to differentiate between non-Kopano and Kopano addresslists.
    Default: (objectClass=kopano-addresslist)

ldap_addresslist_unique_attribute
    This is the unique attribute of an addresslist which is never going to change, unless the addresslist is removed from LDAP. When this value changes, Kopano will remove the previous addresslist from the database, and create a new addresslist with this unique value.
    Default: cn

ldap_addresslist_unique_attribute_type
    Content type of ldap_addresslist_unique_attribute. This value can be dn, binary or text. On OpenLDAP this value should be text; on ADS it should be dn.
    Default: text

ldap_addresslist_filter_attribute
    This is the name of the attribute on the addresslist object that specifies the filter to be applied for this addresslist. All users matching this filter AND matching the default ldap_user_search_filter are included in the addresslist.
    Default: kopanoFilter

ldap_addresslist_search_base_attribute
    This is the name of the attribute on the addresslist object that specifies the search base to be applied for this addresslist.
    Default: kopanoBase

ldap_addresslist_name_attribute
    The attribute containing the name of the addresslist.
    Default: cn

ldap_dynamicgroup_search_filter
    Adds an extra filter to the dynamic group search. Hint: use the kopanoAccount attribute in the filter to differentiate between non-Kopano and Kopano dynamic groups.
    Default: empty

ldap_dynamicgroup_unique_attribute
    This is the unique attribute of a dynamic group which is never going to change, unless the dynamic group is removed from LDAP. When this value changes, Kopano will remove the previous dynamic group from the database, and create a new dynamic group with this unique value.
    Default: cn

ldap_dynamicgroup_unique_attribute_type
    Content type of ldap_dynamicgroup_unique_attribute. This value can be binary or text. On OpenLDAP this value should be text; on ADS it should be binary.
    Default: text

ldap_dynamicgroup_filter_attribute
    This is the name of the attribute on the dynamic group object that specifies the filter to be applied for this dynamic group. All users matching this filter AND matching the default search filters for objects are included in the dynamic group.
    Default: kopanoFilter

ldap_dynamicgroup_search_base_attribute
    This is the name of the attribute on the dynamic group object that specifies the search base to be applied for this dynamic group.
    Default: kopanoBase

ldap_dynamicgroup_name_attribute
    The attribute containing the name of the dynamic group.
    Default: cn

ldap_quotaoverride_attribute
    Default: kopanoQuotaOverride

ldap_warnquota_attribute
    Default: kopanoQuotaWarn

ldap_softquota_attribute
    Default: kopanoQuotaSoft

ldap_hardquota_attribute
    Default: kopanoQuotaHard

ldap_userdefault_quotaoverride_attribute
    Default: kopanoUserDefaultQuotaOverride

ldap_userdefault_warnquota_attribute
    Default: kopanoUserDefaultQuotaWarn

ldap_userdefault_softquota_attribute
    Default: kopanoUserDefaultQuotaSoft

ldap_userdefault_hardquota_attribute
    Default: kopanoUserDefaultQuotaHard

ldap_quota_multiplier
    This value is used to multiply the quota values to bytes. When the values in LDAP are in kilobytes, use 1024 here.
    Default: 1

ldap_quota_userwarning_recipients_attribute
    This attribute contains the list of users who receive an email when a user exceeds their quota. The user who exceeds the quota is added to the recipients automatically; this list only indicates who else is notified.
    Default: kopanoQuotaUserWarningRecipients

ldap_quota_userwarning_recipients_attribute_type
    Content type of ldap_quota_userwarning_recipients_attribute. This value can be dn, binary or text. On OpenLDAP this value should be text; on ADS it should be dn.
    Default: text

ldap_quota_userwarning_recipients_relation_attribute
    The attribute of the user which is listed in ldap_quota_userwarning_recipients_attribute.
    Default: empty, using ldap_user_unique_attribute

ldap_quota_companywarning_recipients_attribute
    This attribute contains the list of users who receive an email when a tenant exceeds its quota. The system administrator of the tenant that is over quota is added to the recipients automatically; this list only indicates who else is notified.
    Default: kopanoQuotaCompanyWarningRecipients

ldap_quota_companywarning_recipients_attribute_type
    Content type of ldap_quota_companywarning_recipients_attribute. This value can be dn, binary or text. On OpenLDAP this value should be text; on ADS it should be dn.
    Default: text

ldap_quota_companywarning_recipients_relation_attribute
    The attribute of the user which is listed in ldap_quota_companywarning_recipients_attribute.
    Default: empty, using ldap_user_unique_attribute

ldap_addressbook_hide_attribute
    The attribute indicating that the object must be hidden from the addressbook. The object is still detected as a Kopano user and is allowed to log in and work as a regular Kopano user, but is not visible in the addressbook for other users.
    Default: kopanoHidden

ldap_object_search_filter
    When searching in the addressbook, this filter is used. Normally, the storage server only searches in the unique attribute, login name, full name and email address. You might want to search in more fields, like 'lastname'. Kopano itself only appends a wildcard (postfix match). Using the '*' wildcard as a prefix makes a search slower, but can return more results. Hint: use the kopanoAccount attribute in the filter to differentiate between non-Kopano and Kopano objects. You can set a custom search filter here; '%s' is replaced with the string being searched. Active Directory has a shortcut for searching in the addressbook using the 'anr' attribute, which is recommended on ADS installations.
    Default:
        Recommended for ADS installations: (anr=%s)
        Optional for OpenLDAP installations: (|(mail=%s*)(uid=%s*)(cn=*%s*)(fullname=*%s*)(givenname=*%s*)(lastname=*%s*)(sn=*%s*))

ldap_filter_cutoff_elements
    When the LDAP plugin retrieves information from the LDAP server, large queries can be created to retrieve data for multiple objects at once. These large queries can perform badly on some LDAP server implementations. This option limits the number of elements that can be put into one search filter and therefore limits the size of the filter. Above the limit, a broader search filter is used instead, which retrieves all objects from the LDAP server. This results in slightly higher processing overhead and network activity, but with the bonus that the query can be served by the LDAP server much faster (a factor of 40 has been observed for 5000-object queries). Setting this value to 0 never limits the filter; setting it to 1 always limits the filter (since every query retrieves one or more objects).
    Default: 1000
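The transport and bind settings at the top of this section (ldap_uri, ldap_starttls, the historic ldap_host/ldap_port/ldap_protocol directives, ldap_bind_user/ldap_bind_passwd and ldap_authentication_method) are where misconfiguration quietly weakens a deployment, so it is worth checking them mechanically. The following audit is an added example and is not part of Kopano: it takes a dict of parameter name to value and applies only rules stated on this page (ldap_uri overrides the historic directives; ldap_starttls makes TLS mandatory; the password authentication method requires the bind account to read every user's password attribute). The weak and hardened configurations are constructed, and treating a multi-server ldap_uri as whitespace-separated is an assumption.

```python
"""Transport and bind checks over parsed ldap.cfg settings (added example, not Kopano code)."""

# Defaults quoted on this page for the parameters the audit looks at.
DEFAULTS = {
    "ldap_host": "localhost", "ldap_port": "389", "ldap_protocol": "ldap",
    "ldap_uri": "", "ldap_starttls": "no",
    "ldap_bind_user": "", "ldap_bind_passwd": "",
    "ldap_authentication_method": "bind", "ldap_password_attribute": "userPassword",
}

# Constructed weak configuration: the admin believes ldaps is in use because
# ldap_protocol says so, but ldap_uri wins and selects plaintext ldap://.
WEAK = {
    "ldap_host": "ldap.example.org", "ldap_protocol": "ldaps",
    "ldap_uri": "ldap://ldap.example.org:389/",
    "ldap_starttls": "no",
    "ldap_bind_user": "cn=kopano,dc=example,dc=org", "ldap_bind_passwd": "s3cret",
    "ldap_authentication_method": "password",
}

# Constructed hardened configuration: TLS from the first byte, bind method.
HARDENED = {
    "ldap_uri": "ldaps://ldap.example.org:636/",
    "ldap_bind_user": "cn=kopano,dc=example,dc=org", "ldap_bind_passwd": "s3cret",
    "ldap_authentication_method": "bind",
}


def effective_uris(cfg):
    """Server URIs actually used: ldap_uri when set, else built from the
    historic directives (whitespace-separated URI list is an assumption)."""
    full = dict(DEFAULTS, **cfg)
    if full["ldap_uri"].strip():
        return full["ldap_uri"].split()
    return ["%s://%s:%s/" % (full["ldap_protocol"], full["ldap_host"], full["ldap_port"])]


def audit(cfg):
    """Return a list of findings; an empty list means nothing was flagged."""
    full = dict(DEFAULTS, **cfg)
    findings = []
    starttls = full["ldap_starttls"].strip().lower() in ("yes", "true", "1")
    if full["ldap_uri"].strip() and any(k in cfg for k in ("ldap_host", "ldap_port", "ldap_protocol")):
        findings.append("ldap_host/ldap_port/ldap_protocol are set but ignored because ldap_uri is set")
    for uri in effective_uris(full):
        scheme = uri.split("://", 1)[0].lower()
        # ldaps:// is TLS from the start and ldapi:/// is a local UNIX socket;
        # only plain ldap:// without StartTLS crosses the network unprotected.
        if scheme == "ldap" and not starttls:
            findings.append("%s: plaintext LDAP without ldap_starttls; the bind password "
                            "(and user password attributes when ldap_authentication_method = "
                            "password) travel unencrypted" % uri)
    if full["ldap_authentication_method"].strip().lower() == "password":
        findings.append("ldap_authentication_method = password: ldap_bind_user needs read "
                        "access to %s for every user, far more than the bind method requires"
                        % full["ldap_password_attribute"])
    if full["ldap_bind_user"] and not full["ldap_bind_passwd"]:
        findings.append("ldap_bind_user is set but ldap_bind_passwd is empty")
    if full["ldap_bind_passwd"] and not full["ldap_bind_user"]:
        findings.append("ldap_bind_passwd is set but ldap_bind_user is empty, so the connection is anonymous")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print("%s: %d finding(s)" % (label, len(audit(cfg))))
        for f in audit(cfg):
            print("  - " + f)
```

The first finding is the one most often missed in practice: because ldap_uri silently overrides ldap_protocol, a configuration that looks like it uses ldaps can be talking plaintext, and only the effective URI list tells you which.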
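The type resolution rules given under ldap_object_type_attribute (all configured values must be present, more matches win, then the fixed precedence list) and the two interpretations of ldap_group_security_attribute_type are easy to get wrong when an entry carries several object classes. The following classifier is an added example, not the plugin's code: the two configuration dicts hold the OpenLDAP and ADS defaults quoted on this page, the LDAP entries are constructed, and the accepted spellings of a true boolean security attribute (1, true, yes) are an assumption.

```python
"""Object type resolution and security-group detection (added example, not Kopano code)."""

# Precedence for otherwise unresolved ties, as listed on the page.
TYPE_ORDER = ("addresslist", "company", "dynamicgroup", "group", "contact", "user")

OPENLDAP_CFG = {
    "ldap_object_type_attribute": "objectClass",
    "ldap_user_type_attribute_value": "posixAccount",
    "ldap_group_type_attribute_value": "posixGroup",
    "ldap_contact_type_attribute_value": "inetOrgPerson",
    "ldap_company_type_attribute_value": "organizationalUnit",
    "ldap_addresslist_type_attribute_value": "kopano-addresslist",
    "ldap_dynamicgroup_type_attribute_value": "kopano-dynamicgroup",
    "ldap_group_security_attribute": "kopanoSecurityGroup",
    "ldap_group_security_attribute_type": "boolean",
}

ADS_CFG = {
    "ldap_object_type_attribute": "objectClass",
    "ldap_user_type_attribute_value": "user",
    "ldap_group_type_attribute_value": "group",
    "ldap_contact_type_attribute_value": "contact",
    "ldap_company_type_attribute_value": "kopano-company",
    "ldap_addresslist_type_attribute_value": "kopano-addresslist",
    "ldap_dynamicgroup_type_attribute_value": "kopano-dynamicgroup",
    "ldap_group_security_attribute": "groupType",
    "ldap_group_security_attribute_type": "ads",
}


def _attr(entry, name):
    """Values of attribute `name` in an entry (dict attr -> list of values);
    attribute names are matched case-insensitively, as LDAP does."""
    name = name.lower()
    return [v for k, vals in entry.items() if k.lower() == name for v in vals]


def required_values(cfg, typ):
    """The comma-separated value set of ldap_<typ>_type_attribute_value."""
    raw = cfg.get("ldap_%s_type_attribute_value" % typ, "")
    return {v.strip() for v in raw.split(",") if v.strip()}


def classify(entry, cfg):
    """Return the Kopano object type of `entry`, or None if nothing matches.

    A type matches when every one of its configured values occurs in the
    object type attribute. Ambiguities go to the type with more matching
    values; remaining ties go to the earlier name in TYPE_ORDER. That is why
    a plain posixAccount + inetOrgPerson entry resolves to contact on the
    OpenLDAP defaults unless the user value is made more specific.
    """
    present = set(_attr(entry, cfg["ldap_object_type_attribute"]))
    best, best_score = None, 0
    for typ in TYPE_ORDER:
        req = required_values(cfg, typ)
        if req and req <= present and len(req) > best_score:   # strict: earlier wins ties
            best, best_score = typ, len(req)
    return best


def is_security_group(entry, cfg):
    """Interpret ldap_group_security_attribute according to its configured type."""
    vals = _attr(entry, cfg["ldap_group_security_attribute"])
    if not vals:
        return False
    if cfg["ldap_group_security_attribute_type"] == "ads":
        # AD exposes groupType as a signed 32-bit integer and the page says
        # only the highest bit counts: "-2147483646" (0x80000002) is a
        # security group, "2" (a distribution group) is not.
        return bool((int(vals[0]) & 0xFFFFFFFF) & 0x80000000)
    return vals[0].strip().lower() in ("1", "true", "yes")   # assumed spellings


if __name__ == "__main__":
    entry = {"objectClass": ["top", "posixAccount", "inetOrgPerson"]}
    print("OpenLDAP defaults:", classify(entry, OPENLDAP_CFG))
    stricter = dict(OPENLDAP_CFG, ldap_user_type_attribute_value="posixAccount,kopanoAccount")
    entry["objectClass"].append("kopanoAccount")
    print("with kopanoAccount:", classify(entry, stricter))
```

The contact-before-user tie-break is the practical reason for the page's repeated hint to use kopanoAccount: on OpenLDAP a person entry almost always carries both posixAccount and inetOrgPerson, and only a second required value on the user type makes the match unambiguous.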
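Two of the parameters above build LDAP filters from runtime data: ldap_object_search_filter substitutes '%s' with whatever the user typed into the addressbook search, and ldap_filter_cutoff_elements decides whether the plugin asks for a list of specific unique-attribute values or falls back to a broad filter. The following code is an added example, not the plugin's implementation. Its '%s' substitution escapes the searched string per RFC 4515 so that typed text cannot change the filter's structure; the page does not say how the plugin itself treats the string, so this shows the behaviour a practitioner should expect and verify, not Kopano's. The broad filter passed in, and comparing the element count against the cutoff with >= (inferred from the statement that a value of 1 always limits), are assumptions; all inputs are constructed.

```python
"""Search filter construction with RFC 4515 escaping and the element cutoff
(added example, not Kopano code)."""

# The two filters quoted on the page for ldap_object_search_filter.
ADS_SEARCH = "(anr=%s)"
OPENLDAP_SEARCH = ("(|(mail=%s*)(uid=%s*)(cn=*%s*)(fullname=*%s*)"
                   "(givenname=*%s*)(lastname=*%s*)(sn=*%s*))")


def escape_filter_value(value):
    """RFC 4515 escaping of an assertion value.

    For str, the five characters that would otherwise alter the filter's
    structure are written as \\XX. For bytes (binary unique attributes such
    as objectGUID on ADS), every byte is written as \\XX.
    """
    if isinstance(value, bytes):
        return "".join("\\%02x" % b for b in value)
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def addressbook_filter(template, term):
    """Replace every '%s' in the configured template with the escaped term."""
    return template.replace("%s", escape_filter_value(term))


def lookup_filter(unique_attr, values, broad_filter, cutoff):
    """Filter that fetches the objects whose `unique_attr` is in `values`.

    Returns (filter, is_broad). Below the cutoff the filter is one equality
    per value, OR-ed together. From the cutoff upwards (never when cutoff is
    0, always when it is 1) the broad filter is returned instead and the
    caller must pick the wanted objects out of the complete result set.
    """
    values = list(values)
    if not values:
        raise ValueError("at least one value is required")
    if cutoff > 0 and len(values) >= cutoff:
        return broad_filter, True
    terms = ["(%s=%s)" % (unique_attr, escape_filter_value(v)) for v in values]
    if len(terms) == 1:
        return terms[0], False
    return "(|%s)" % "".join(terms), False


if __name__ == "__main__":
    # A search term that would widen the query if it were pasted in unescaped.
    print(addressbook_filter(ADS_SEARCH, "*)(objectClass=*"))
    print(addressbook_filter(OPENLDAP_SEARCH, "ali"))
    print(lookup_filter("uidNumber", ["1001", "1002"], "(objectClass=posixAccount)", 1000))
    print(lookup_filter("uidNumber", ["1001"], "(objectClass=posixAccount)", 1))
```

Note that escaping only protects the filter's structure; a template with leading wildcards such as (cn=*%s*) still lets a one-character search enumerate the directory, which is the performance trade-off the page describes rather than something escaping can prevent.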
FILES
/etc/kopano/server.cfg
    The server configuration file.

/etc/kopano/ldap.cfg
    The Kopano LDAP configuration file.
AUTHOR
Written by Kopano.
SEE ALSO
kopano-server(8), kopano-server.cfg(5)