Contents
Overview
This document provides information about using AD to populate a mail list membership list via the LDAP interface. The University’s AD server, ad.uillinois.edu, contains thousands of entries and refining your query is essential in retrieving useful results. Additional information about the Sympa “LDAP 2-level query inclusion” can be found at: www.sympa.community/manual/customize/data-sources.html
Please note, currently only AD groups of up to 1,500 members can be synchronized via LDAP by Sympa, due to an LDAP limitation in Sympa.
Background
Lightweight Directory Access Protocol (LDAP)
- A standard approach for interacting with distributed directory information services.
LDAP Data Interchange Format (LDIF)
- LDIF defines the protocol used to describe directory information. LDAP clients and services us LDIF to navigate, import, export and describe changes in the directory information.
- Common LDIF fields include:
| Filter | Friendly Name | Function |
| DN: | distinguished name | The name that uniquely identifies an entry in the directory. |
| DC: | domain component | Refers to each component of the domain.E.g. ad.uillinois.edu is written as: dc=ad,dc=uillinois,dc=edu |
| OU: | organizational unit | Organization unit or user group |
| CN: | common name | Name of an individual object (person’s name, meeting room, job title, thing, etc.) for whom/which you are querying |
- LDIF technical details and examples can be found in RFC2849, http://tools.ietf.org/html/rfc2849.
Using LDAP to Populate Mail list Members
- This example constructs an AD query to include member names from the “**-faculty” group and their email addresses in the list’s membership list.
Access the config page by clicking on: (admin) > Edit List Config > Data sources setup and scroll to “LDAP 2-level query inclusion”.
See here for another example, and more details on these AD attributes:
https://answers.uillinois.edu/illinois/127518
How often does the Campus Mailing List server sync with LDAP?
The sync is controlled by two settings at the bottom of this config page:
– inclusion timeout (default = 86,400 seconds or 24 hrs)
– inclusion timeout for message distribution (default = 5 minute)
In this case, Sympa will query the LDAP server on a daily basis AND it also checks before a message is distributed to the list. If the sync has exceeded 5 minutes from the last update then Sympa will sync again before message distribution and the subscriber list will never be more than 5 minutes stale.
The privileged owner can change these settings to meet their needs.
Active Directory – Tools and Syntax
LDAP Tools
We recommend you install an LDAP admin tool to help navigate the AD space. Useful tools include:
- Apache Directory Studio – http://directory.apache.org/
- Microsoft’s “Active directory Users and Computers” utility that is available from the “Microsoft Remote Server Administration Tools”
Both tools are freely available and will let you navigate the LDAP directory structure to help create useful queries. Below is a screenshot of Microsoft’s utility. Refining the search space using LDIF and specific queries is key to useful results.
LDAP Syntax
Microsoft LDAP queries and syntax specific to AD can be found at: http://social.technet.microsoft.com/wiki/contents/articles/5392.active-directory-ldap-syntax-filters.aspx