Aug 5, 2024: iRedMail-1.7.1 has been released.

**Casa.it** · 2010-06-23 20:29:18

Casa.it
Member
Offline

Registered: 2010-06-15
Posts: 75

Topic: openldap error

Hi

We also use openldap to authenticate users ssh or ftp, and we modify in slapd.conf
the section # Domain attrs. and # User attrs. we add line

by * read

at the top of the two list, this for permit correct authentication on ssh users.

After this modify when i change quota in IredAdmin we have this error:

Error: {'desc': 'Insufficient access'}

If i remove the line above in IredAdmin run correctly, but ldapsearch -x don't run and authentication on ssh is noot correctly.

Can you help me?

Thanks

Enrico

----

Spider Email Archiver: On-Premises, lightweight email archiving software developed by iRedMail team. Supports Amazon S3 compatible storage and custom branding.

**ZhangHuangbin** · 2010-06-23 20:36:44

ZhangHuangbin
iRedMail Developers
Offline

Registered: 2009-05-06
Posts: 31,082

Re: openldap error

Can you paste the whole LDAP ACL rules? (you can replace your domain name before post)
And, a short introduction about how you implement SSH + LDAP integration is better.

**Casa.it** · 2010-06-23 20:52:06

Casa.it
Member
Offline

Registered: 2010-06-15
Posts: 75

Re: openldap error

ZhangHuangbin wrote:

Can you paste the whole LDAP ACL rules? (you can replace your domain name before post)
And, a short introduction about how you implement SSH + LDAP integration is better.

This is the ACL rule:

#
# Set permission for LDAP attrs.
#
access to attrs="userPassword,mailForwardingAddress"
by anonymous auth
by self write
by dn.exact="cn=vmail,dc=pippo,dc=pluto,dc=org" read
by dn.exact="cn=vmailadmin,dc=pippo,dc=pluto,dc=org" write
by users none

access to attrs="cn,sn,telephoneNumber"
by anonymous auth
by self write
by dn.exact="cn=vmail,dc=pippo,dc=pluto,dc=org" read
by dn.exact="cn=vmailadmin,dc=pippo,dc=pluto,dc=org" write
by users read

# Domain attrs.
access to attrs="objectclass,domainName,mtaTransport,enabledService,domainSenderBccAddress,domainRecipientBccAddress,domainAdmin,domainGlobalAdmin,domainBackupMX,domainMaxQuotaSize,domainMaxUserNumber"
by * read
by anonymous auth
by self read
by dn.exact="cn=vmail,dc=pippo,dc=pluto,dc=org" read
by dn.exact="cn=vmailadmin,dc=pippo,dc=pluto,dc=org" write
by users read

# User attrs.
access to attrs="employeeNumber,homeDirectory,mailMessageStore,mail,accountStatus,userSenderBccAddress,userRecipientBccAddress,mailForwardingAddress,mailQuota,backupMailAddress,shadowAddress"
by * read
by anonymous auth
by self read
by dn.exact="cn=vmail,dc=pippo,dc=pluto,dc=org" read
by dn.exact="cn=vmailadmin,dc=pippo,dc=pluto,dc=org" write
by users read
#
# Set ACL for vmail/vmailadmin.
#
access to dn="cn=vmail,dc=pippo,dc=pluto,dc=org"
by anonymous auth
by self write
by dn.exact="cn=vmailadmin,dc=pippo,dc=pluto,dc=org" write
by users none

access to dn="cn=vmailadmin,dc=pippo,dc=pluto,dc=org"
by anonymous auth
by self write
by users none

#
# Allow users to access their own domain subtree.
# Allow domain admin to modify accounts under same domain.
#
access to dn.regex="domainName=([^,]+),o=domains,dc=pippo,dc=pluto,dc=org$"
by anonymous auth
by self write
by dn.exact="cn=vmail,dc=pippo,dc=pluto,dc=org" read
by dn.exact="cn=vmailadmin,dc=pippo,dc=pluto,dc=it" write
by dn.regex="mail=[^,]+@$1,o=domainAdmins,dc=pippo,dc=pluto,dc=org$" write
by dn.regex="mail=[^,]+@$1,ou=Users,domainName=$1,o=domains,dc=pippo,dc=pluto,dc=org$" read
by users none

#
# Enable vmail/vmailadmin.
#
access to dn.subtree="o=domains,dc=pippo,dc=pluto,dc=org"
by anonymous auth
by self write
by dn.exact="cn=vmail,dc=pippo,dc=pluto,dc=org" read
by dn.exact="cn=vmailadmin,dc=pippo,dc=pluto,dc=org" write
by dn.regex="mail=[^,]+,ou=Users,domainName=$1,o=domains,dc=pippo,dc=pluto,dc=org$" read
by users read

access to dn.subtree="o=domainAdmins,dc=pippo,dc=pluto,dc=org"
by anonymous auth
by self write
by dn.exact="cn=vmail,dc=pippo,dc=pluto,dc=org" read
by dn.exact="cn=vmailadmin,dc=pippo,dc=pluto,dc=org" write
by users none

#
# Set permission for "cn=*,dc=pippo,dc=pluto,dc=org".
#
access to dn.regex="cn=[^,]+,dc=pippo,dc=pluto,dc=org"
by anonymous auth
by self write
by users none

#
# Set default permission.
#
access to *
by * read
by anonymous auth
by self write
by users read

**ZhangHuangbin** · 2010-06-23 21:18:47

ZhangHuangbin
iRedMail Developers
Offline

Registered: 2009-05-06
Posts: 31,082

Re: openldap error

"by * read" is conflict with "by users none".
You can try to replace "by users none" by "by * read".

==== OR ====
Move "by * read" AFTER or BEFORE "by users none".

Rule order is important.

WARNING: backup slapd.conf before you modify it.

**Casa.it** · 2010-06-23 21:23:39

Casa.it
Member
Offline

Registered: 2010-06-15
Posts: 75

Re: openldap error

ZhangHuangbin wrote:

"by users none"

replace all "by users none" with "by * read" ?

this configuration don't run with iredAdmin if I replace after run?

I have modify only this part..

# Domain attrs.
access to attrs="objectclass,domainName,mtaTransport,enabledService,domainSenderBccAddress,domainRecipientBccAddress,domainAdmin,domainGlobalAdmin,domainBackupMX,domainMaxQuotaSize,domainMaxUserNumber"
by * read
by anonymous auth
by self read
by dn.exact="cn=vmail,dc=pippo,dc=pluto,dc=org" read
by dn.exact="cn=vmailadmin,dc=pippo,dc=pluto,dc=org" write
by users read

# User attrs.
access to attrs="employeeNumber,homeDirectory,mailMessageStore,mail,accountStatus,userSenderBccAddress,userRecipientBccAddress,mailForwardingAddress,mailQuota,backupMailAddress,shadowAddress"
by * read
by anonymous auth
by self read
by dn.exact="cn=vmail,dc=pippo,dc=pluto,dc=org" read
by dn.exact="cn=vmailadmin,dc=pippo,dc=pluto,dc=org" write
by users read

thks

**Casa.it** · 2010-06-23 21:38:15

Casa.it
Member
Offline

Registered: 2010-06-15
Posts: 75

Re: openldap error

SOLVED

I move the write rule on the top..

by dn.exact="cn=vmailadmin,dc=pippo,dc=pluto,dc=org" write

and now is ok..

thks

Aug 5, 2024: iRedMail-1.7.1 has been released.

openldap error

Posts: 6

1 Topic by Casa.it 2010-06-23 20:29:18

Topic: openldap error

2 Reply by ZhangHuangbin 2010-06-23 20:36:44

Re: openldap error

3 Reply by Casa.it 2010-06-23 20:52:06

Re: openldap error

4 Reply by ZhangHuangbin 2010-06-23 21:18:47

Re: openldap error

5 Reply by Casa.it 2010-06-23 21:23:39 (edited by Casa.it 2010-06-23 21:34:20)

Re: openldap error

6 Reply by Casa.it 2010-06-23 21:38:15 (edited by Casa.it 2010-06-23 21:49:49)

Re: openldap error

Posts: 6