1 Topic by sam-the-man

  • sam-the-man
  • Member
  • Offline
  • Registered: 2011-07-24
  • Posts: 87

Topic: ldap backend auth?

I am wondering. When using iRedMail with LDAP backend, it looks for users that are already in LDAP and automatically give mail access?

Or you must create separate mail users which are different from the other LDAP entries, just stored there?

I want single sign on with LDAP authentication for all apps on my server. I want one user entry in ldap to log on to every software including mail.

----

Spider Email Archiver: On-Premises, lightweight email archiving software developed by iRedMail team. Supports Amazon S3 compatible storage and custom branding.

2 Reply by sam-the-man

  • sam-the-man
  • Member
  • Offline
  • Registered: 2011-07-24
  • Posts: 87

Re: ldap backend auth?

The reason I am confused is because it seems as if you add users with the control panel, but then it leads me to believe that two different sets of users are being created??

3 Reply by sam-the-man

  • sam-the-man
  • Member
  • Offline
  • Registered: 2011-07-24
  • Posts: 87

Re: ldap backend auth?

I guess my question is how to map iredmail to ldap structure? I want use inetorgperson object

4 Reply by sam-the-man

  • sam-the-man
  • Member
  • Offline
  • Registered: 2011-07-24
  • Posts: 87

Re: ldap backend auth?

So for each user, I have two objectClasses?

inetOrgPerson and one for iredmail (for e-mail) or can only use inegorgperson for both?

5 Reply by ZhangHuangbin

  • ZhangHuangbin
  • ZhangHuangbin
  • iRedMail Developers
  • Offline
  • Registered: 2009-05-06
  • Posts: 31,088

Re: ldap backend auth?

I recommend you try to explore iRedMail OpenLDAP schema, then you will find answers.

iRedMail will use 4 objectclasses for mail user:

objectClass: inetOrgPerson
objectClass: shadowAccount
objectClass: amavisAccount
objectClass: mailUser

6 Reply by sam-the-man

  • sam-the-man
  • Member
  • Offline
  • Registered: 2011-07-24
  • Posts: 87

Re: ldap backend auth?

You are pro support, very very helpful. Thank you very much. smile

7 Reply by sam-the-man (edited by sam-the-man 2011-07-25 09:26:56)

  • sam-the-man
  • Member
  • Offline
  • Registered: 2011-07-24
  • Posts: 87

Re: ldap backend auth?

where is iRedMail schema? it is easy to add a user using .ldif file? I'm just confused, I don't know what the fields are because can't see schema or add tutorial sad im sort of new to linux

I need to add user to ldap, that will also have all credentials (name, address, etc) and CAN use mail and all other logins. Also need to store SSHA1 password but not sure how. Im sending you a 5 dollar donation for your current help and support and there will be more to come. Can you instruct me how to do this here or by PM? I come to help here because it now seeems I will base my open source development environment around iRedMail server. It installs apache2 as well right?

8 Reply by ZhangHuangbin

  • ZhangHuangbin
  • ZhangHuangbin
  • iRedMail Developers
  • Offline
  • Registered: 2009-05-06
  • Posts: 31,088

Re: ldap backend auth?

Thanks very much for your donation.

All you need is shipped in iRedMail.

* iRedMail-0.7.2/samples/iredmail.schema: OpenLDAP schema file used in iRedMail.
* iRedMail-0.7.2/tools/create_mail_user_OpenLDAP.*: Scripts used to create new mail users. You can find what attributes we used.
* Password is stored in SSHA by default.
* You can manage mail accounts with iRedAdmin (name, address, etc). iRedAdmin open source edition is shipped in iRedMail, you can access it via httpS://your_server/iredadmin/.

9 Reply by sam-the-man

  • sam-the-man
  • Member
  • Offline
  • Registered: 2011-07-24
  • Posts: 87

Re: ldap backend auth?

in LDAP manager, there is no way to add attributes. I can't even find the objectClass variable. How do I edit a user's objectClass variables with phpmyldap

10 Reply by ZhangHuangbin

  • ZhangHuangbin
  • ZhangHuangbin
  • iRedMail Developers
  • Offline
  • Registered: 2009-05-06
  • Posts: 31,088

Re: ldap backend auth?

You can manage LDAP attributes/objectclasses with phpLDAPadmin, it's accessible via httpS://your_server/phpldapadmin/

11 Reply by sam-the-man (edited by sam-the-man 2011-07-26 01:17:45)

  • sam-the-man
  • Member
  • Offline
  • Registered: 2011-07-24
  • Posts: 87

Re: ldap backend auth?

Alright, I am getting it now.

The way iRedMail manages domains is a bit strange - a little different from how I would do it without iRedMail.

Do I place all of my users under ou=Users, which is under my "main" domain, which is under o=Domains?

In normal environment, I create:
dc=localhost
--o=Example Inc.
----ou=People
------user
------user
------user

etc.

With iRedMail, I have

   
   
+--> dc=localhost (4)
---> cn=vmail
---> cn=vmailadmin
+--> o=domainAdmins (1)
| ---> mail=postmaster@mydomain.com
+--> o=domains (1)
| +--> domainName=mydomain.com (4)
| | ---> ou=Aliases
| | ---> ou=Externals
| | ---> ou=Groups
| | +--> ou=Users (2)
| | | ---> mail=neacys@mydomain.com
| | | ---> mail=www@mydomain.com

if mydomain.com is the only mail domain I will host on my server, then I can create all of my other users (which will use other services than iRedMail - jira, confluence, etc), then I can just add all of my users in ou=Users?

If I am to use LDAP for ALL accounts including iRedMail, users must use "mail" as prefix instead of UID or username?

Instead, could work if it was uid=neacys (instead of mail=neacys@mydomain.com)? neacys will be username for all services in network (neacys@mydomain.com) is only login for mail. For all other, just "neacys".


Also,

| | ---> ou=Aliases
| | ---> ou=Externals
| | ---> ou=Groups

I can erase these? Or needed for iRedMail?


EDIT: Is it correct to say that iRedMail auths(binds) via "email"?

12 Reply by ZhangHuangbin

  • ZhangHuangbin
  • ZhangHuangbin
  • iRedMail Developers
  • Offline
  • Registered: 2009-05-06
  • Posts: 31,088

Re: ldap backend auth?

sam-the-man wrote:

if mydomain.com is the only mail domain I will host on my server, then I can create all of my other users (which will use other services than iRedMail - jira, confluence, etc), then I can just add all of my users in ou=Users?

Yes.

sam-the-man wrote:

If I am to use LDAP for ALL accounts including iRedMail, users must use "mail" as prefix instead of UID or username?

I suggest keeping original LDAP structure, so that you can manage mail accounts with iRedAdmin.

sam-the-man wrote:

Instead, could work if it was uid=neacys (instead of mail=neacys@mydomain.com)? neacys will be username for all services in network (neacys@mydomain.com) is only login for mail. For all other, just "neacys".

Mail user created by iRedAdmin has 4 objectclassess, one of them requires attribute 'uid', so you can keep original LDAP structure and use 'uid', it doesn't matter at all.

13 Reply by sam-the-man (edited by sam-the-man 2011-07-26 23:32:36)

  • sam-the-man
  • Member
  • Offline
  • Registered: 2011-07-24
  • Posts: 87

Re: ldap backend auth?

What is "Aliases" ou?

And externals

EDIT: Last question. This is very important.

I want e-mail address to be "shawn.neacy@mydomain.com" I want neacys to be UID, and use to log on to other web applications on the network. Is it possible to re-create "neacys@mydomain.com" to match the above "shawn.neacy@mydomain.com", but still add 'neacys' to uid, so that for other LDAP enabled services, I can use that as the login name?

14 Reply by ZhangHuangbin

  • ZhangHuangbin
  • ZhangHuangbin
  • iRedMail Developers
  • Offline
  • Registered: 2009-05-06
  • Posts: 31,088

Re: ldap backend auth?

sam-the-man wrote:

What is "Aliases" ou?
And externals

ou=Aliases is used to store mail aliases.
ou=Externals is used to store external members of mail lists.

It's recommended to keep them if you're not sure what they're used for, also, they will be created automatically if you manage mail accounts with iRedAdmin.

sam-the-man wrote:

I want e-mail address to be "shawn.neacy@mydomain.com" I want neacys to be UID, and use to log on to other web applications on the network. Is it possible to re-create "neacys@mydomain.com" to match the above "shawn.neacy@mydomain.com", but still add 'neacys' to uid, so that for other LDAP enabled services, I can use that as the login name?

iRedMail uses 'mail' as LDAP rdn for mail user accounts, so full dn of mail user looks like below:

mail=user@example.com,ou=Users,domainName=example.com,o=domains,dc=iredmail,dc=org

As i mentioned in previous reply, you can add 'uid' for mail user. UID is not required to be same as username part of email address, so you can use mail=shawn.neacy@mydomain.com and uid=neacys for same user.

15 Reply by sam-the-man (edited by sam-the-man 2011-07-26 23:40:44)

  • sam-the-man
  • Member
  • Offline
  • Registered: 2011-07-24
  • Posts: 87

Re: ldap backend auth?

And is up to other applications, I just specify "uid" is name to use for binds (logins), and I can pick which ldap data field I want to use for username? That allows roundcube logins at "shawn.neacy@mydomain.com" and then for other app, lets say confluence.mydomain.com, I can use neacys and the same password too?

Sorry for my questions, I send another donation very soon for your time and effort. Thank you.

16 Reply by ZhangHuangbin

  • ZhangHuangbin
  • ZhangHuangbin
  • iRedMail Developers
  • Offline
  • Registered: 2009-05-06
  • Posts: 31,088

Re: ldap backend auth?

sam-the-man wrote:

And is up to other applications, I just specify "uid" is name to use for binds (logins), and I can pick which ldap data field I want to use for username? That allows roundcube logins at "shawn.neacy@mydomain.com" and then for other app, lets say confluence.mydomain.com, I can use neacys and the same password too?

We don't officially support third-party application integration, but here are some opinions:

- You can assign both attributes "mail" and "uid" to same user, and it has only one password (attribute "userPassword").
- You must bind to LDAP server with full dn. e.g. mail=user@example.com,ou=Users,domainName=example.com,o=domains,dc=iredmail,dc=org. 'mail=user@example.com' or 'uid=user' is not correct.
- You can use whatever LDAP attribute for username, e.g. mail, uid, cn, etc.

Basically, you need to know how to bind to LDAP server, how to search LDAP server with a LDAP filter. Here's a great free book: http://www.zytrax.com/books/ldap/ and OpenLDAP official document is available here: http://www.openldap.org/

In my opinion, you're trying to design a LDAP server for your applications, it's not a iRedMail issue anymore. I suggest you read some tutorials (e.g. online book mentioned in this post) before designing.

17 Reply by sam-the-man

  • sam-the-man
  • Member
  • Offline
  • Registered: 2011-07-24
  • Posts: 87

Re: ldap backend auth?

Thx smile I'm learning fast - I just had specific questions here, because iRedMail needs priority over LDAP DB smile