Schemus Admin Guide

LDAP Synchronization Tool Administrator Guide

This guide is for systems administrators configuring the LDAP Synchronization Tool to update the information used by MessageLabs in the provision of its email services.

System Version 1.0
Tool Version 0.1.10
Guide Version 1.02
2006-06-07

Table of Contents

1 Introduction
1.1 About this guide
1.2 Further information
1.3 Support
1.4 Feedback
1.5 Conventions

2 Background
2.1 Overview
2.2 Features

3 Preparation
3.1 Downloading the tool
3.2 Obtaining a license key

4 Quick Start
4.1 Prerequisites
4.2 Installation
4.3 First time settings
4.4 Creating new configuration

5 Performing the Synchronization

6 Logging

7 Command Line Operation

8 Automatic Operation

9 Appendices
Appendix A – License details
Appendix B – Standard RegEx Strings
Appendix C – LDAP Filters
Appendix D – With or Without JRE?
Appendix E – Troubleshooting

1 Introduction

The LDAP Synchronization tool assists clients with the task of managing the update of their Registered Addresses in order to allow this activity to be automated. This tool may operate alongside the ClientNet portal interface that provides for the manual upload and manipulation of Registered Address data.

The LDAP Synchronization tool (called Schemus Synchronizer or Schemus) is an application that extracts email addresses from a variety of directory sources and synchronizes these with the MessageLabs Email service.

Schemus provides a “wizard” to easily guide you through the process of configuring the data to extract from your Directory System.

Once correctly configured the synchronization process may either be run from the graphical interface or from the command line and scheduled to operate automatically, optionally sending an email notification reporting its outcome at each invocation.

1.1 About this guide

This guide is for systems administrators configuring the LDAP Synchronization Tool to update the information used by MessageLabs in the provision of its email services.

1.2 Further information

This guide contains all the information required to perform the initial setup and ongoing administration of the LDAP Synchronization Tool. Further information may be available in the KnowledgeBase on ClientNet – please see section 1.3 for details.

1.3 Support

If you require technical support on any MessageLabs service, the most efficient method of resolving your problem is to log in to MessageLabs ClientNet (https://clients.messagelabs.com), where you can refer to the KnowledgeBase for solutions to many problems, or where you can log a call with MessageLabs Global Technical Support (GTS) at any time 24/7. Alternatively, you can call us on the numbers listed at the back of this guide, or email [email protected]

1.4 Feedback

We welcome your feedback – if you have any comments or questions about this guide or the services and features described in it, please email us at [email protected]

1.5 Conventions

Throughout this guide the following text styles are used:

Text to type into the computer

Output from a computer terminal

Description associated with an illustrative figure

A link to a web site

When a section of the guide is only relevant to a restricted set of Operating System platforms the text will appear in a box with one or more logos indicating the platform or platforms:

The Windows Operating System

The Linux Operating System

The Solaris Operating System

2 Background

MessageLabs provides a means by which clients can protect themselves from dictionary-type spam attacks, by registering their valid email addresses in order to allow MessageLabs to reject any email destined for invalid addresses. To assist clients in the task of maintaining the registration of their valid addresses, MessageLabs provides the LDAP Synchronization Tool, ‘Schemus’. This tool synchronizes the update of Registered Addresses in order to allow this task to be automated and, for example, integrated with staff leaver and joiner procedures. This tool may operate alongside the ClientNet portal interface that facilitates the manual upload and manipulation of the Registered Address data.

The synchronization of Registered Addresses is accomplished using:

a. a secure HTTP-based interface to the MessageLabs synchronization service;
b. the LDAP Synchronization tool provided to extract address data from the client’s directory data sources and export this data via the synchronization service.

2.1 Overview

The LDAP Synchronization Tool is provided as a Java executable that will operate on a range of platforms supported by the Sun Java Runtime Environment (JRE). The tool operates either in an interactive mode through a graphical user interface, or as a command line application suitable for invocation by other scheduling services (e.g. Windows Scheduler). In the interactive mode, a wizard interface guides the user through the configuration steps to establish connection and extraction of address data from LDAP-based directory sources, with testing and verification of each step.

The tool is installed on a suitable system within your network, thus simplifying the task of accessing local directories and minimizing security risks by ensuring that direct access to your directories from outside the firewall is not required.

When run interactively, a full update of all address information may be performed. Otherwise, when run from the command line, the tool will calculate the incremental changes since the last run and pass only these changes to MessageLabs as shown in the diagram below. Since MessageLabs also operates “harvesting” of your sender addresses in order to automatically update the Registered Address list, the tool may also refresh its local change-tracking database from the list held by MessageLabs.

2.2 Features

The LDAP Synchronization tool provides the following features:

● Wizard-based configuration – guiding the user through each configuration step;
● Templates for common mail system directories – including Microsoft Exchange 2000 and 5.5;
● Configuration testing – checking of each wizard step, and full configuration verification;
● Filtering – allowing specific or “wild-carded” addresses to be excluded or converted;
● Safety thresholds – update limits may be set in order to detect anomalous situations;
● Reporting – comprehensive logging and optional alerting via email notifications;
● Custom configuration – advanced settings to refine the LDAP operations;
● Multi-platform operation – a direct benefit of Java application portability;
● Full control of automation – invocation from task schedulers or by other client tools;
● Safe test mode – no modification of live data using test output to text files.

3 Preparation

You will need to decide on a suitable system within your network on which to install and run Schemus. This system should have internal network access to your directory system (via LDAP) and have external network access to the MessageLabs service (via HTTPS).

If you intend to run the tool on an automated basis then you should also decide on whether the tool is to be invoked by a scheduling system (e.g. MS Windows Scheduler) or by other applications. For automated use it is important to note that the tool builds a local database, for the purposes of tracking changes to your source data, and so it is best if only a single instance of the tool is synchronizing any given set of source data.

3.1 Downloading the tool

You may download the Schemus tool from the ClientNet portal as shown below – note that the “Address Registration” page is only visible where specifically provisioned by MessageLabs.

Before downloading the Schemus tool from ClientNet, decide whether you need the version with or without the Java Runtime Environment (JRE). If you already have JRE 1.5 or greater then either download image may be used, otherwise you will need to download the image with the JRE included.

Read Appendix D in this manual for details on how to discover what JRE you are running and the impact of installing Schemus with a JRE.

3.2 Obtaining a license key

In order to enable the tool to use the MessageLabs synchronization interface (i.e. the remote HTTPS interface) you will need to acquire a license key. This key can be requested from the ClientNet portal and will be supplied to you in a confirmation email.

Please note that you may use the tool without a key, in order to prepare and test for live synchronization, by using the text file export capability to assess the collection of email address data.

4 Quick Start

This section of the manual is a step-by-step guide for administrators who want to use Schemus to synchronize email address data from their local LDAP directory server to their MessageLabs account.

4.1 Prerequisites

Before starting, ensure that you have the following items to hand:

● MessageLabs ClientNet portal account details Note: MessageLabs strongly encourages you to establish a separate ClientNet account for synchronization purposes

● Schemus license key Note: this is required to activate the MessageLabs synchronization interface

● Address of your Directory Access Server and any authentication details you might need to be able to perform searches on it

Note: authentication may be possible anonymously.

Having downloaded the install image you should open a terminal and ensure that the execute bit is set before running the script. For example,

$ chmod +x Schemus_linux_jre.sh

$ ./Schemus_linux_jre.sh

4.2 Installation

Before starting the Schemus installation image take the usual precaution of ensuring that all other applications running on the machine are closed. Then run the installer:

Figure 1 - Initial dialog on the Windows Platform

Throughout the installation press the “Next >” button to progress to the next stage. When the “Next >” button is disabled it means that additional information is required on the page before progressing.

Click the “Next >” button now to move to the license agreement dialog.

Read through the license agreement and click the “I accept the agreement” radio button to enable the “Next >” button. Clicking the “Cancel” button aborts the installer.

Click the “Next >” button now to move to the installation location dialog.

Figure 2 – Installation location dialog on Windows Platform

The default install location will vary depending on the platform. Clicking on the directory window will automatically change the text of the directory path at the top of the window to that directory and then append “schemus”. So in figure 2, clicking on “Common Files” will change the text to “C:\Program Files\Common Files\schemus”.

If you don’t want to install in the sub-directory “schemus”, change the text of the directory path before clicking “Next >”.

Figure 3 shows the dialog to select where Schemus appears on your Windows Start Menu folder. If you want Schemus available to all users, ensure that the box is ticked.

Figure 3 – Selecting the Start Menu Folder

Click on “Next >” to move to the Windows shortcut dialog.

Ensure the “Create a desktop icon” box is ticked if you want an icon to appear on the desktop in addition to the one accessible from the Start Menu. This dialog is your last chance to update the installation options as clicking “Next>” will start the copying phase of the installer.

Figure 4 shows the dialog to select where Schemus places a symbolic link on your filing system. Tick the “Don’t create symlinks” box if you want to run Schemus from its installed directory only.

Figure 4 – Selecting the Symbolic link location

This dialog is your last chance to update the installation options as clicking “Next>” will start the copying phase of the installer.

Once the copying of files has completed the installer will display any release notes and change logs. The release notes will contain any additional information that has been introduced since this guide was written. Additional features and bug fixes will appear in this list as well as the history of changes.

Click “Next >” to move to the end of the installer and click “Finish” to quit the installer.

4.3 First time settings

Start Schemus and select “Settings…” from the “Edit” menu. Enter the client identity that you were provided with for registration purposes and the associated Schemus key that was returned to you. The licensing procedure is covered in detail in Appendix A.

Click on “MessageLabs” in the left panel:

Figure 5 – Configuring your MessageLabs details

Unless instructed to do so by MessageLabs, do not change the default value in the Access URL. If you change this line by accident, click on the “Reset Defaults” button to put the original value back into this field.

The “Username” and “Password” are the account details for the ClientNet account that you will use for synchronization purposes. MessageLabs strongly encourages you to establish a separate ClientNet account for this purpose. Once these details have been entered the “Apply” button will be enabled, and clicking the button attempts to connect to MessageLabs using them. If you receive an error dialog when you press the “Apply” button then it may be that your local network is set up to prohibit direct access to the Internet on port 443 (the default HTTPS port). If in doubt, start your Internet browser and look at the connection settings being used for that. If you need to access the Internet through a proxy then change the “HTTP Proxy” setting to “Manual” and enter the connection details in the newly appeared fields.

Click “OK” to close the Schemus settings dialog.

4.4 Creating new configuration

Before Schemus can be used you need to create a configuration profile specifying details of the source and destination mail systems.

Figure 6 – Creating the first configuration

To create a profile for the first time, either click the “New Configuration” button in the center of the dialog or click the "New" button located to the right of the “Configuration” drop down list or select “New” from the “File” menu.

A new window will appear and the wizard will lead you through the configuration process. At each stage of the wizard the "Next >" button will be enabled once sufficient details have been entered to allow you to proceed.

Figure 7 – The Configuration Wizard

The panel on the left hand side of the window displays how far through the creation process you are. If you wish to go back to modify a previous answer either click the appropriate heading on this panel or successively click the "< Back" button.

The “Configuration Name” should be unique to other configurations and may contain most characters allowed by your operating system. When the Schemus synchronizer is used in automatic mode (covered later in this chapter) the name will be used to specify the configuration that you are using. For this reason you are recommended to restrict the characters to alphanumeric so the name may easily be given as a command line parameter. For this step-by-step guide, we shall use the name “example”. Enter your name and click the “Next >” button.

Note that the name at the top of the left hand side panel has changed to “example” and that “Data source” is now highlighted in the panel. As you progress through the wizard the panel names will be enabled behind your current position.

Select an LDAP server from the “Server Type” drop down list appropriate to your network. The different options in this list seed future default entries in the wizard, such as the LDAP search. Click the “Next >” button to move on to entering your LDAP server details.

The “Host Name” is the address of your directory access server. Example addresses are, “dsa.mydomain.com” and “192.168.0.135”. Unless you know to the contrary, leave the “Port number” set to 389 (this is the default port number used for communicating with an LDAP server in plain text mode). Changing the communication protocol may change this default setting.

Although you may be able to retrieve search details from the LDAP server anonymously, connecting in this mode may restrict the number of search results.

If the protocol used to communicate with the server is not “plain” then the server’s certificate must be trusted by the JRE: either it has been signed by a trust point already held in cacerts or, if the server uses a self-signed certificate, that certificate has been imported. You can import your certificate into the file {installation directory}/jre/lib/security/cacerts using the utility {installation directory}/jre/bin/keytool. Further documentation may be found on the Sun website in http://java.sun.com/j2se/1.5.0/docs/tooldocs

Clicking the “Next >” button will move onto editing your LDAP search criteria. If there are problems with your LDAP connection details, from the previous dialog, then these will be shown in red at the bottom of the dialog. Click the “< Back” button to amend your LDAP server settings.

Figure 8 – Specifying where and how to search the LDAP server

This dialog allows you to select at what level of the hierarchical tree structure to search for email entries.

The "Search base" field, and drop down list and arrow buttons below it, allow you to navigate over the LDAP directory. Initially the search base field will show the text <Enter search base or browse list below> but clicking on the text will clear it. The drop down list will contain all the entries at that top level of the directory. Selecting an entry from the drop down list will result in that entry appearing in the search base field. To move to that position in the tree click the right arrow button. The drop down list will now contain all entries at your new position in the hierarchical tree. Clicking on the left arrow button moves you back up the tree. When you are at the top of the tree the button is disabled. Most LDAP servers will not allow you to search for entries at their root and it may be necessary to manually type in a search base before you can browse further.

The "Search scope" field contains three options for selecting the depth at which entries are looked for at the point in the tree specified by the search base field.

● "One-level" will search for all objects at the level specified in the search base field.
● "Object" will search for a single object specified by the search base.
● "Sub-tree" will search from the level specified in the search base field downwards.

The "Search filter" is the type of object to return data on. See appendix C for a description on how to specify a different search filter.

The "Mail attribute" field names the attributes within the object returned by the search filter that contain the mail address.

The "Alias Attribute" is an optional alternative to the Mail attribute.

The default settings for the Search filter and attributes are derived from the type of LDAP server you selected in the previous dialog.

Click “Next >” to test your search settings. All being well you should see a list of up to 20 e-mail addresses.

Click “Next >” to progress onto the Data repository dialog. As this step-by-step guide is demonstrating how to synchronize an LDAP server to a MessageLabs account, select “MessageLabs” from the “Repository Type” drop down list.

Click “Next >” to progress to the MessageLabs ClientNet account details. Having previously set these by using the “Settings” dialog from the “Edit” menu, these settings should already be entered correctly.

Click “Next” to progress to selecting the Domains.

Figure 9 – Selecting domains from the MessageLabs server

There may be a slight pause when contacting the MessageLabs server; whilst this is ongoing there will be a graphic displayed in the “Available domains” list. For each domain you intend to use, select it and click the “>” button to move the domain into the right column.

Click the “Next >” button to move to the filter configuration.

Figure 10 – Configuring email filters

The email filters dialog has the primary purpose of allowing you to exclude email addresses, but may also be used to modify email addresses before they are written to the destination data repository. Each line may contain a different pattern to match against with an optional replacement line.

Clicking the icon at the start of each line changes the pattern entry to instead specify a filename. The file should contain a collection of email addresses with each address separated by a new line.

To exclude email addresses simply type the address into the left hand column (the pattern) with no replacement entry in the right hand column. As email addresses are discovered from the source data repository (either a file or LDAP server) they will be checked against patterns in this column and removed. The rules for matching the email addresses against the pattern are determined by the setting of the drop down list, at the bottom of the screen, which may either be set to "Regular expressions" or "Wildcards".

To modify email addresses include a replacement address in the right hand column (the replacement). The replacement rule will be applied against the matching pattern in the left hand column.

When “Wild cards” are selected in the drop down list, the character * may be used to match zero or more characters. The character ? may be used to match a single character. If a replacement email address is used then only the result of the first matching * may be used in the replacement.

For complex pattern matching and replacements, set the drop down list to "Regular expressions". This is described in detail in Appendix B.

Click the “Next >” button to progress to the limits configuration.

Figure 11 – Configuring threshold limits

The limits configuration provides a safeguard against accidental deletion of email addresses on your data repository. By warning you when thresholds have been exceeded this will protect you from mistakes in your configuration, in particular the previous filter configuration.

An example of the dialog that is shown when the threshold limit is exceeded is shown below:

Figure 12 – Exceeding the threshold limits

When Schemus Synchronizer is operating in command line mode, if a threshold limit is exceeded the synchronization will not be performed.

Click the “Next >” button to progress to the Notification configuration.

Figure 13 – Configuring Notification emails

This dialog allows you to automatically send an email containing a summary of the synchronization process every time it happens and whether or not it was successful. Sending a notification summary is recommended if you intend to set up Schemus to operate automatically.

The "Email notifications" drop down list set to “Summary” enables the sending of a summary email.

The "SMTP Mail server" is the host name of the server to use to deliver the email (e.g. smtp.mydomain.com or mail.mydomain.com).

The "To" and "cc" fields contain the email address to send the summary email to.

The "From" field is the address to use for originating the email.

An example email summary notification might look like this:

Schemus Synchronization report

Update operation with MessageLabs completed

Time: Thu May 11 16:43:36 BST 2006

Host: tyke.mydomain.com

User: tony

Configuration:example

Updated domains

None

Up-to-date domains

finance.mdtips.co.uk

mdhottips.co.uk

Unknown domains

example.com

regtest.blue.com

regtest.red.com

Updates

None

Invalid addresses

None

Failed updates

None

Addresses in domains not configured on the repository

250 additions

0 deletions

Click the “Next >” button to progress onto the final configuration dialog to verify your settings.

Figure 14 – Verifying settings

Clicking the “Verify” button will simultaneously test your configuration entries. As each test is performed the left hand margin will change from an hourglass to a green tick. If you get a against any line then click the relevant line in the left hand panel to correct it. Once you are content with your settings click “Finish” to save your settings and close the configuration wizard dialog.

5 Performing the Synchronization

Once you have created a new configuration, you can select it from the drop down list on the configuration window (to get to the configuration window select “Configuration” from the “View” menu).

Figure 15 – The Configuration Window

The functions on the left hand panel are also accessible from the “Configuration” menu with the exception of “Delete” (removes your currently selected configuration) which is only available from the “Configuration” menu.

“Test Update” looks at the email addresses on your source (file or LDAP server) and lists which are additions, removals or exclusions but does not change any details on your repository.

“Update” compares the email addresses held on your repository and only sends those that have been removed or deleted.

“Replace” resets your repository contents and resends all the email addresses.

6 Logging

Both the GUI and the command line version of Schemus Synchronizer produce logging. Each message generated has a time and date that the event occurred, a logging level, the configuration (if any) that was being used, the user that Schemus was being run as and the component of Schemus that was the source of the logging.

Figure 16 – The logging window

The logging window is displayed from the “View” menu by selecting “Logs”.

The “Log level” sets the importance of messages that are shown. It is a cumulative setting, in that if you select INFO you will also get SEVERE and WARNING levels of logging displayed.

The “Log file” is the name of the directory, below the root logging directory that stores the logging lines. For Windows this is located in “Documents and Settings\All Users\Application Data\Schemus\application\log”; for Linux and Solaris this is located in “.schemus/application/log”. The name of the log file is made from the year, the month, the day and an extension, which is the number of the invocation of Schemus that generated the message.

The “Logger” is the component of Schemus that sourced the message and the drop down list allows you to restrict the messages shown to a particular component and sub-components. So selecting “schemus.sync” would show messages from the components “schemus.sync.source”, “schemus.sync.repository”, “schemus.sync.repository.add” and “schemus.sync.repository.remove”, but selecting “schemus.sync.source” would just show messages from the “schemus.sync.source” component.

Component                        Description
schemus                          All components
schemus.settings                 Creation of new configuration entries or changes to existing configuration
schemus.sync                     All synchronization operations
schemus.sync.source              Operations to the source repository (normally an LDAP server)
schemus.sync.repository          All modifications to the destination repository
schemus.sync.repository.add      Email addresses added to the destination repository
schemus.sync.repository.remove   Email addresses removed from the destination repository

Clicking on a line in the message list will display any additional information at the bottom of the window.

7 Command Line Operation

Schemus may be operated either from the Graphic User Interface (GUI) application or from the command line. Invoking Schemus from the command line is the first stage to configuring it to operate automatically.

The command line version of the Schemus Synchronizer on the Linux and Solaris platforms is called “schemusc” and is located in the install directory. Assuming the installation directory is on your path, first make sure that the GUI version of Schemus Synchronizer is not running then open a terminal and type:

$ schemusc -config example

The command line version of the Schemus Synchronizer on the Windows platform is called “schemusc.exe” and is located in the install directory. So assuming it has been installed in the default location, first make sure that the GUI version of Schemus Synchronizer is not running then open a command prompt and type:

C:\>cd "\Program files\schemus"

C:\Program files\schemus>schemusc -config example

8 Automatic Operation

Automatically invoking Schemus involves using Cron jobs on Linux and Solaris and Scheduled Tasks on Windows. Before attempting to set up automatic operation you are recommended to ensure that you have successfully managed to operate Schemus Synchronizer from the command line.

For the Windows platform, start the “Scheduled Tasks” from the Windows Control Panel. Click on “Add Scheduled Task” to start the wizard. Click the “Next >” button to choose the application.

Select the application name “schemusc” from the application list and click the “Next>” button.

Figure 17 – The Windows Scheduler Wizard

Change the name of the task to contain your command line from the previous section; which will probably be of the form “SchemusC config example” then continue through the rest of the wizard to select when and how often you would like Schemus Synchronizer to run.

For the Linux platform, simply create a script file that invokes your schemusc command and put this script in the directory “/etc/cron.daily” or whichever is applicable for the frequency you wish to run the synchronization process.

#!/bin/sh
schemusc -config example

For the Solaris platform, use the command “crontab -e” to add a script in the same form as the Linux platform.

9 Appendices

Appendix A – License details

To use the MessageLabs synchronization interface a license key is required and should be given to you by your supplier or may be requested via ClientNet.

The key may be entered from the Settings menu, which is under the Edit menu. Select “License” from the left hand panel and click the “Add license” tab.

The “Licensed to” field is the client identity supplied to you for registration purposes. The “License key” is an alphanumeric field with no spaces.

Appendix B – Standard RegEx Strings

Regular expressions, or RegEx, are a powerful mechanism for matching a sequence of simple characters. The following description is a brief taster for what RegEx can do.

Regular expressions are case sensitive, so a lowercase a is distinct from an uppercase A.

The simplest rule is using the “/” character which matches the enclosed characters as a subset. For example,

/the/ matches against there.

Characters enclosed between [] will match against a disjunction of characters. For example,

/[tT]he/ matches against There and there

[] may also be used on a range of characters separated by a – character. For example,

[0-9] will match on any digit.

[A-Z] will match any uppercase alpha character

[A-Za-z0-9] will match any alphanumeric character

Within [], a leading ^ is the “not” character, so [^0-9] matches against any character that is not a digit.

* matches against zero or more occurrences of the previous character or expression.

+ matches against one or more occurrences of the previous character or expression.

? matches zero or one occurrences of the previous character or expression.

{n} matches exactly n occurrences of the previous character or expression.

{n,m} matches from n to m occurrences of the previous character or expression.

{n,} matches at least n occurrences of the previous character or expression.


Appendix C – LDAP Filters

LDAP Search Filters are used in two places within Schemus Synchronizer. The first is used to select which objects are returned when browsing for the search base. The second identifies which objects in your directory are to be examined for email address attributes. It is expected that you would more commonly need to modify the second of these two filters.

Syntax

LDAP Search Filters are defined using a notation that is fully described within RFC 2254 “The String Representation of LDAP Search Filters”, which can be found online at http://rfc.net/rfc2254.html.

In order to establish your own filters you will also need an understanding of the schema used by your directory. The schema defines the objects and their attributes that together comprise your directory content.

The Search Base Filter

This filter is used in the LDAP configuration (shown in figure 8) to select which objects are returned when browsing for the search base. The filter is found within Settings via the Edit menu; selecting LDAP on the left panel. The default value for this LDAP filter is shown below:

(!(| (objectclass=person) (objectclass=applicationentity) (objectclass=applicationprocess) (objectclass=device) (objectclass=organizationalrole) (objectclass=groupofnames) (objectclass=groupofuniquenames) ))

In the default LDAP filter shown above, the “!” character means “not” and the “|” character means “or”. So the filter returns any objects that do not match any of the object classes shown in the list.

The Search Query Filter

Schemus allows you to define the filter that targets which objects in your directory are to be examined for email address attributes. This filter appears in the LDAP search configuration dialog as the “search filter”. Here the filter specifies which objects are retrieved, before the mail attribute values are extracted.

Examples

If you wished to include all objects in your search query, you would use the filter:

(objectclass=*)

The following filter will include all MS Exchange 2000 users that are currently enabled:

(&(objectclass=user)(msexchuserAccountcontrol=0))

The following filter will include all objects that define users and groups. Note that in MS Exchange 2000 these groups would include both Security groups and Mailing lists.

(|(objectclass=user)(objectclass=group))

If you wished to exclude the system mailbox objects found in MS Exchange 2000 from the search described above, then you could modify the filter as follows:

(&(|(objectclass=user)(objectclass=group)) (!(cn=SystemMailbox*)))
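To see which objects a filter would select before using it for synchronization, the following Python example (added here; it is not part of Schemus or the MessageLabs service) parses a subset of the RFC 2254 notation and evaluates the filters shown above against constructed directory entries. It supports only and/or/not, equality and “*” wildcards; the function names, the sample entries and the case-insensitive matching are assumptions made for this example.

```python
import re
def _skip(text, pos):
    return re.compile(r"\s*").match(text, pos).end()  # whitespace between components

def _parse(text, pos):
    """Parse one parenthesised filter starting at pos; return (node, next_pos)."""
    if text[pos:pos + 1] != "(":
        raise ValueError("expected '(' at offset %d" % pos)
    op = text[pos + 1:pos + 2]
    if op in ("&", "|", "!"):
        children, pos = [], _skip(text, pos + 2)
        while text[pos:pos + 1] == "(":
            child, pos = _parse(text, pos)
            children.append(child)
            pos = _skip(text, pos)
        if text[pos:pos + 1] != ")" or not children or (op == "!" and len(children) > 1):
            raise ValueError("malformed '%s' filter near offset %d" % (op, pos))
        return (op, children), pos + 1
    end = text.find(")", pos)
    attr, sep, value = text[pos + 1:end].partition("=")
    if end < 0 or not sep or not attr.strip() or attr.strip()[-1] in "<>~:":
        raise ValueError("unsupported or malformed item at offset %d" % pos)
    return ("=", attr.strip().lower(), value), end + 1

def parse_filter(text):
    node, pos = _parse(text, _skip(text, 0))
    if _skip(text, pos) != len(text):
        raise ValueError("unexpected text after the closing ')'")
    return node

def matches(node, entry):
    if node[0] in "&|!":
        results = [matches(child, entry) for child in node[1]]
        return {"&": all, "|": any, "!": lambda r: not r[0]}[node[0]](results)
    # '*' is a wildcard; case-insensitive matching is an assumption of this example.
    pattern = ".*".join(re.escape(part) for part in node[2].split("*"))
    return any(re.fullmatch(pattern, v, re.I) for v in entry.get(node[1], []))

def select(filter_text, entries):
    tree = parse_filter(filter_text)
    return [e["cn"][0] for e in entries if matches(tree, e)]

# Constructed sample entries: lower-case attribute name -> list of values.
ENTRIES = [
    {"cn": ["Alice Example"], "objectclass": ["top", "person", "user"]},
    {"cn": ["Sales List"], "objectclass": ["top", "group"]},
    {"cn": ["SystemMailbox{constructed}"], "objectclass": ["top", "person", "user"]},
    {"cn": ["Users"], "objectclass": ["top", "container"]},
]
```

Calling select() with the last filter above returns only “Alice Example” and “Sales List”, confirming that the SystemMailbox entry is excluded while users and groups are kept.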


Appendix D – With or Without JRE?

On all platforms, installing the Java Runtime Environment (JRE) together with Schemus is optional.

The JRE may be installed independently of Schemus, so that it is available to multiple applications, or a separate copy may be installed for each application (with a JRE). The current release of Schemus needs JRE version 1.5.

The advantage of installing a JRE with each application is that removing or updating the global JRE doesn’t have the potential for stopping your application from working. The main disadvantage is that the JRE is multiple megabytes in size, so installing a copy for each application consumes disc space. With the cost of storage devices decreasing and their size increasing the safest option is probably to install Schemus with its own JRE.

To discover the version of JRE, start the Control Panel and double-click “Java Plug-in”. The version number is displayed in the “About” tab.

Alternatively, visit the following website, which will display your Java version:

http://www.java.com/en/download/help/testvm.xml



Appendix E – Troubleshooting

Answers to frequently asked questions (FAQ) are available from the MessageLabs KnowledgeBase:

https://clients.messagelabs.com/Support


www.messagelabs.com [email protected]
Freephone UK 0800 917 7733
Toll free US 1-866-460-0000

Europe

HEADQUARTERS: 1270 Lansdowne Court, Gloucester Business Park, Gloucester, GL3 4AB, United Kingdom. T +44 (0) 1452 627 627, F +44 (0) 1452 627 628

LONDON: 3rd Floor, 40 Whitfield Street, London, W1T 2RH, United Kingdom. T +44 (0) 207 291 1960, F +44 (0) 207 291 1937

NETHERLANDS: Teleport Towers, Kingsfordweg 151, 1043 GR Amsterdam, Netherlands. T +31 (0) 20 491 9600, F +31 (0) 20 491 7354

BELGIUM / LUXEMBOURG: Cullinganlaan 1B, B-1831 Diegem, Belgium. T +32 (0) 2 403 12 61, F +32 (0) 2 403 12 12

DACH: Feringastraße 9, 85774 Unterföhring, Munich, Germany. T +49 (0) 89 189 43 990, F +49 (0) 89 189 43 999

Americas

AMERICAS HEADQUARTERS: 512 Seventh Avenue, 6th Floor, New York, NY 10018, USA. T +1 646 519 8100, F +1 646 452 6570

CENTRAL REGION: 7760 France Avenue South, Suite 1100, Bloomington, MN 55435, USA. T +1 952 886 7541, F +1 952 886 7498

Asia Pacific

HONG KONG: 1601 Tower II, 89 Queensway, Admiralty, Hong Kong. T +852 2111 3650, F +852 2111 9061

AUSTRALIA: Level 6, 107 Mount Street, North Sydney, NSW 2060, Australia. T +61 2 8208 7100, F +61 2 9954 9500

SINGAPORE: Level 14, Prudential Tower, 30 Cecil Street, Singapore 049712. T +65 62 32 2855, F +65 6232 2300

© MessageLabs 2006 All rights reserved