The Jakarta Project James - Java Apache Mail Enterprise Server

James 1.2 - Using an LDAP Directory as a Users Repository

This document explains how to enable JAMES to use an LDAP directory as a Users Repository.

Summary

We have tried to make the LDAP implementation of UsersRepository as flexible as possible, recognising that each installation will have a unique directory schema.
We assume that all users that a James mailserver will handle fall within one single-rooted tree. The root of this tree, i.e. the lowest node in the directory that is an ancestor of both the mailserver and all users served by it, is called the LDAPRoot. (See the diagram below.)

It is entirely possible that an organization may have more than one mail server. Consequently, the fact that a user is in the Directory does not imply that this mailserver should handle mail for them.

This implementation of UsersRepository creates one node (object) for each set of mail users. The set called 'LocalUsers' is the set of users whose mail is handled by this server. Other sets include any mail-lists handled by the server. Each member of a set is recorded as an attribute of these objects. These nodes are child nodes of the mailserver.

The mailserver will accept mail for local delivery if the user part of the email address matches a member of LocalUsers and the domain/host part of the email address matches the first servername. (Set servernames autodetect to false and enter the domain served as the first servername, e.g. apache.org.)

For POP3 authentication, the mailserver first finds the user entry in the directory, under LDAPRoot, whose attribute (the one specified as MailAttribute in conf) matches user@domain. The mailserver authenticates the POP3 user if it can bind to the directory as that user entry with the offered password.
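The delivery and POP3 checks described above, as an added Python example that is not James's own code. The directory is a constructed in-memory stand-in based on the example names in this page's diagram, and the `mail` attribute name, addresses and passwords are assumptions; the filter escaping and the empty-password refusal are safeguards added here for the search-then-bind pattern.

```python
# Constructed stand-in directory based on the example names in this page's
# diagram; the "mail" attribute, addresses and passwords are assumptions.
LDAP_ROOT = "dc=apache,dc=org"
MAIL_ATTRIBUTE = "mail"
FIRST_SERVERNAME = "apache.org"
LOCAL_USERS = {"Arthur"}  # members of the LocalUsers node
ENTRIES = {
    "cn=King Arthur,dc=apache,dc=org": {"mail": "Arthur@apache.org", "userPassword": "excalibur"},
    "cn=Morgan LeFay,dc=apache,dc=org": {"mail": "Morgan@apache.org", "userPassword": "avalon"},
    "cn=Merlin,dc=w3c,dc=org": {"mail": "Merlin@w3c.org", "userPassword": "staff"},
}

def escape_filter_value(value):
    """Escape RFC 4515 special characters so the address stays a literal value."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def pop3_filter(address):
    """Filter a real subtree search under LDAPRoot would send for this address."""
    return "(%s=%s)" % (MAIL_ATTRIBUTE, escape_filter_value(address))

def search(base, attribute, value):
    """Stand-in for a subtree equality search: DNs below base that match."""
    return [dn for dn, attrs in ENTRIES.items()
            if dn.endswith("," + base) and attrs.get(attribute) == value]

def bind(dn, password):
    """Stand-in for a simple bind as dn with the offered password."""
    return ENTRIES[dn]["userPassword"] == password

def accepts_local_delivery(address):
    """Local delivery: user part in LocalUsers and domain == first servername."""
    user, _, domain = address.rpartition("@")
    return user in LOCAL_USERS and domain == FIRST_SERVERNAME

def authenticate_pop3(address, password):
    # A simple bind with an empty password is an unauthenticated bind
    # (RFC 4513) that a server may accept, so refuse it before binding.
    if not password:
        return False
    matches = search(LDAP_ROOT, MAIL_ATTRIBUTE, address)
    # Fail closed unless exactly one entry under LDAPRoot matches.
    if len(matches) != 1:
        return False
    return bind(matches[0], password)
```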

This implementation does not set passwords in the directory. Use a dummy password when invoking adduser in RemoteManager.

If ManageGroupAttribute is set to TRUE (as it is by default), then the RemoteManager will add/remove the full DN of the email group to/from the user entry. This facility allows users to ask the directory "what is my mailserver?" and "what email lists am I subscribed to?"

Root of Directory (example: dc=org; may not be referenced in conf.xml)
|
+-- Subtree not served by James (e.g.: dc=w3c, dc=org)
|
+-- Subtree served by James, the "LDAPRoot" (e.g.: dc=apache, dc=org)
|   |
|   +-- This mailserver: cn=mailserver.apache.org
|   |   |
|   |   +-- LocalUsers: member=Arthur
|   |   +-- list-james: member=Arthur
|   |
|   +-- A user: cn=King Arthur, memberOfGroup=cn=LocalUsers etc
|   +-- A user: cn=Morgan LeFay
|   +-- Another mailserver: cn=oldmail.apache.org
|
+-- Subtree not served by James (e.g.: dc=xml, dc=org)

Installation

Six entries in JAMES.conf.xml must be set for this to work:

  • Change usersManager - type to ldap.
  • Set the ldapServer element to point to the correct host and port.
  • Set LDAPRoot and ThisServerRDN.
  • Set the directory FDN and password that should be used to write to the directory.
  • Unless all your users have email addresses of the form name@the-machine-running-James, set servernames-autodetect to false and specify your email domain as the first servername.


Copyright © 1999-2002, Apache Software Foundation