1

Topic: openldap error

Hi

We also use openldap to authenticate users ssh or ftp, and we modify in slapd.conf
the section  # Domain attrs.  and  # User attrs. we add line

by *            read

at the top of the two list, this for permit  correct authentication on ssh users.

After this modify when i change quota in IredAdmin we have this error:

Error: {'desc': 'Insufficient access'}

If i remove the line above in IredAdmin run correctly, but ldapsearch -x don't run and authentication on ssh is noot correctly.

Can you help me?

Thanks

Enrico

----

Spider Email Archiver: On-Premises, lightweight email archiving software developed by iRedMail team. Supports Amazon S3 compatible storage and custom branding.

2

Re: openldap error

Can you paste the whole LDAP ACL rules? (you can replace your domain name before post)
And, a short introduction about how you implement SSH + LDAP integration is better.

3

Re: openldap error

ZhangHuangbin wrote:

Can you paste the whole LDAP ACL rules? (you can replace your domain name before post)
And, a short introduction about how you implement SSH + LDAP integration is better.


This is the ACL rule:

#
# Set permission for LDAP attrs.
#
access to attrs="userPassword,mailForwardingAddress"
    by anonymous    auth
    by self         write
    by dn.exact="cn=vmail,dc=pippo,dc=pluto,dc=org"   read
    by dn.exact="cn=vmailadmin,dc=pippo,dc=pluto,dc=org"  write
    by users        none

access to attrs="cn,sn,telephoneNumber"
    by anonymous    auth
    by self         write
    by dn.exact="cn=vmail,dc=pippo,dc=pluto,dc=org"   read
    by dn.exact="cn=vmailadmin,dc=pippo,dc=pluto,dc=org"  write
    by users        read

# Domain attrs.
access to attrs="objectclass,domainName,mtaTransport,enabledService,domainSenderBccAddress,domainRecipientBccAddress,domainAdmin,domainGlobalAdmin,domainBackupMX,domainMaxQuotaSize,domainMaxUserNumber"
    by *            read
    by anonymous    auth
    by self         read
    by dn.exact="cn=vmail,dc=pippo,dc=pluto,dc=org"   read
    by dn.exact="cn=vmailadmin,dc=pippo,dc=pluto,dc=org"  write
    by users        read
   
# User attrs.
access to attrs="employeeNumber,homeDirectory,mailMessageStore,mail,accountStatus,userSenderBccAddress,userRecipientBccAddress,mailForwardingAddress,mailQuota,backupMailAddress,shadowAddress"
    by *            read
    by anonymous    auth
    by self         read
    by dn.exact="cn=vmail,dc=pippo,dc=pluto,dc=org"   read
    by dn.exact="cn=vmailadmin,dc=pippo,dc=pluto,dc=org"  write
    by users        read
#
# Set ACL for vmail/vmailadmin.
#
access to dn="cn=vmail,dc=pippo,dc=pluto,dc=org"
    by anonymous                    auth
    by self                         write
    by dn.exact="cn=vmailadmin,dc=pippo,dc=pluto,dc=org"  write
    by users                        none

access to dn="cn=vmailadmin,dc=pippo,dc=pluto,dc=org"
    by anonymous                    auth
    by self                         write
    by users                        none

#
# Allow users to access their own domain subtree.
# Allow domain admin to modify accounts under same domain.
#
access to dn.regex="domainName=([^,]+),o=domains,dc=pippo,dc=pluto,dc=org$"
    by anonymous                    auth
    by self                         write
    by dn.exact="cn=vmail,dc=pippo,dc=pluto,dc=org"   read
    by dn.exact="cn=vmailadmin,dc=pippo,dc=pluto,dc=it"  write
    by dn.regex="mail=[^,]+@$1,o=domainAdmins,dc=pippo,dc=pluto,dc=org$" write
    by dn.regex="mail=[^,]+@$1,ou=Users,domainName=$1,o=domains,dc=pippo,dc=pluto,dc=org$" read
    by users                        none

#
# Enable vmail/vmailadmin.
#
access to dn.subtree="o=domains,dc=pippo,dc=pluto,dc=org"
    by anonymous                    auth
    by self                         write
    by dn.exact="cn=vmail,dc=pippo,dc=pluto,dc=org"   read
    by dn.exact="cn=vmailadmin,dc=pippo,dc=pluto,dc=org"  write
    by dn.regex="mail=[^,]+,ou=Users,domainName=$1,o=domains,dc=pippo,dc=pluto,dc=org$" read
    by users                        read

access to dn.subtree="o=domainAdmins,dc=pippo,dc=pluto,dc=org"
    by anonymous                    auth
    by self                         write
    by dn.exact="cn=vmail,dc=pippo,dc=pluto,dc=org"   read
    by dn.exact="cn=vmailadmin,dc=pippo,dc=pluto,dc=org"  write
    by users                        none

#
# Set permission for "cn=*,dc=pippo,dc=pluto,dc=org".
#
access to dn.regex="cn=[^,]+,dc=pippo,dc=pluto,dc=org"
    by anonymous                    auth
    by self                         write
    by users                        none

#
# Set default permission.
#
access to *
    by *                            read
    by anonymous                    auth
    by self                         write
    by users                        read

4

Re: openldap error

"by * read" is conflict with "by users none".
You can try to replace "by users none" by "by * read".

==== OR ====
Move "by * read" AFTER or BEFORE "by users none".

Rule order is important.

WARNING: backup slapd.conf before you modify it.

5 (edited by Casa.it 2010-06-23 21:34:20)

Re: openldap error

ZhangHuangbin wrote:

"by users none"

replace all "by users none"  with "by * read" ?

this configuration don't run with iredAdmin if I replace after run?

I have modify only this part..

# Domain attrs.
access to attrs="objectclass,domainName,mtaTransport,enabledService,domainSenderBccAddress,domainRecipientBccAddress,domainAdmin,domainGlobalAdmin,domainBackupMX,domainMaxQuotaSize,domainMaxUserNumber"
    by *            read
    by anonymous    auth
    by self         read
    by dn.exact="cn=vmail,dc=pippo,dc=pluto,dc=org"   read
    by dn.exact="cn=vmailadmin,dc=pippo,dc=pluto,dc=org"  write
    by users        read
   
# User attrs.
access to attrs="employeeNumber,homeDirectory,mailMessageStore,mail,accountStatus,userSenderBccAddress,userRecipientBccAddress,mailForwardingAddress,mailQuota,backupMailAddress,shadowAddress"
    by *            read
    by anonymous    auth
    by self         read
    by dn.exact="cn=vmail,dc=pippo,dc=pluto,dc=org"   read
    by dn.exact="cn=vmailadmin,dc=pippo,dc=pluto,dc=org"  write
    by users        read

thks

6 (edited by Casa.it 2010-06-23 21:49:49)

Re: openldap error

SOLVED

I move the write rule on the top..


by dn.exact="cn=vmailadmin,dc=pippo,dc=pluto,dc=org"  write

and now is ok..

thks