1 Topic by stuartc

  • stuartc
  • Member
  • Offline
  • Registered: 2020-05-04
  • Posts: 5

Topic: using remote ldap server.

==== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version (check /etc/iredmail-release):  1.2 OPENLDAP edition.
- Deployed with iRedMail Easy or the downloadable installer?   downloadable
- Linux/BSD distribution name and version:   Ubuntu 18.04 Debian.
- Store mail accounts in which backend (LDAP/MySQL/PGSQL):  LDAP
- Web server (Apache or Nginx):   Nginx
- Manage mail accounts with iRedAdmin-Pro?   Yes
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====

Ok so I am trying to setup remote LDAP server and point the iRedmail server to it. 
I have done a ton of web searches related to this topic.

So far nothing works and there is nothing current.

Given the changes to openLDAP has anyone been able to do this?
I run into issues trying to convert th amavis.schmea and the iredmail.schem  to an ldif format.

----

Spider Email Archiver: On-Premises, lightweight email archiving software developed by iRedMail team. Supports Amazon S3 compatible storage and custom branding.

2 Reply by stuartc

  • stuartc
  • Member
  • Offline
  • Registered: 2020-05-04
  • Posts: 5

Re: using remote ldap server.

stuartc wrote:

==== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version (check /etc/iredmail-release):  1.2 OPENLDAP edition.
- Deployed with iRedMail Easy or the downloadable installer?   downloadable
- Linux/BSD distribution name and version:   Ubuntu 18.04 Debian.
- Store mail accounts in which backend (LDAP/MySQL/PGSQL):  LDAP
- Web server (Apache or Nginx):   Nginx
- Manage mail accounts with iRedAdmin-Pro?   Yes
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====

Ok so I am trying to setup remote LDAP server and point the iRedmail server to it. 
I have done a ton of web searches related to this topic.

So far nothing works and there is nothing current.

Given the changes to openLDAP has anyone been able to do this?
I run into issues trying to convert the amavis.schmea and the iredmail.schem  to an ldif format.

Ok managed to get the remote ldap server working with a copy of the iredmail local ldap data. 
I have managed to change all the required files to point the iredmail at the remote ldap server.
This post was missing some stuff:   https://forum.iredmail.org/topic7878-ir … e-box.html

I can now authenticate and login to the iredmail admin service.
How ever I get errors when trying to add a user or edit a user.
When trying to add a user I get this:
Error: INSUFFICIENT_ACCESS({'info': u'no write access to parent', 'desc': u'Insufficient access'},)

Given that the ldap is an exact clone of the local I would think it would work but I am guessing I need to alter something to get the access since I am coming in remotely.
Any one able to help on this please?

3 Reply by ZhangHuangbin

  • ZhangHuangbin
  • ZhangHuangbin
  • iRedMail Developers
  • Online
  • Registered: 2009-05-06
  • Posts: 31,088

Re: using remote ldap server.

stuartc wrote:

Error: INSUFFICIENT_ACCESS({'info': u'no write access to parent', 'desc': u'Insufficient access'},)

It means the bind dn you used for ldap connection doesn't have required privilege.

4 Reply by stuartc (edited by stuartc 2020-05-12 05:02:36)

  • stuartc
  • Member
  • Offline
  • Registered: 2020-05-04
  • Posts: 5

Re: using remote ldap server.

ZhangHuangbin wrote:
stuartc wrote:

Error: INSUFFICIENT_ACCESS({'info': u'no write access to parent', 'desc': u'Insufficient access'},)

It means the bind dn you used for ldap connection doesn't have required privilege.

ya.  I got passed that as well and now I have iRedmail fully functioning using a remote ldap server.

How ever what did you guys to that breaks the
   ldapadd -Y EXTERNAL -H ldapi:/// -f  <ldif file>
and
   ldapmodify -Y EXTERNAL -H ldapi:/// -f <ldif file>

I can not alter the cn=config at all with out the ability to do this.   I get a 50 error.  not an auth as that is automaticly root.
Since the ldap is external and we need to alter it to support other applications like apache, and Posix SSH authentication as well as a few others.  I have tried digging into the ACL's but noghting I alter seems to help.
Would love to know what all was changed to block this.

On a standalone ldap server:
# ldapadd -Y EXTERNAL -H ldapi:/// -f core-fd.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=core-fd,cn=schema,cn=config"

on this ldap setup to support iredmail:
# ldapadd -Y EXTERNAL -H ldapi:/// -f core-fd.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=core-fd,cn=schema,cn=config"
ldap_add: Insufficient access (50)

Got any ideas?

5 Reply by stuartc

  • stuartc
  • Member
  • Offline
  • Registered: 2020-05-04
  • Posts: 5

Re: using remote ldap server.

stuartc wrote:
ZhangHuangbin wrote:
stuartc wrote:

Error: INSUFFICIENT_ACCESS({'info': u'no write access to parent', 'desc': u'Insufficient access'},)

It means the bind dn you used for ldap connection doesn't have required privilege.

ya.  I got passed that as well and now I have iRedmail fully functioning using a remote ldap server.

How ever what did you guys to that breaks the
   ldapadd -Y EXTERNAL -H ldapi:/// -f  <ldif file>
and
   ldapmodify -Y EXTERNAL -H ldapi:/// -f <ldif file>

I can not alter the cn=config at all with out the ability to do this.   I get a 50 error.  not an auth as that is automaticly root.
Since the ldap is external and we need to alter it to support other applications like apache, and Posix SSH authentication as well as a few others.  I have tried digging into the ACL's but noghting I alter seems to help.
Would love to know what all was changed to block this.

On a standalone ldap server:
# ldapadd -Y EXTERNAL -H ldapi:/// -f core-fd.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=core-fd,cn=schema,cn=config"

on this ldap setup to support iredmail:
# ldapadd -Y EXTERNAL -H ldapi:/// -f core-fd.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=core-fd,cn=schema,cn=config"
ldap_add: Insufficient access (50)

Got any ideas?

The primary reason is to be able to setup replication to a slave server.   I have 2 files in ldif format that I use to set up master/slave replication. 
The first contains:
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulePath: /usr/lib/ldap
olcModuleLoad: syncprov.la

And the 2nd contains:
dn: olcOverlay=syncprov,olcDatabase={1}mdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov
olcSpSessionLog: 100

These are required on the master and yet both fail due to 50 error.

What do i need to change to fix this?

6 Reply by chandan

  • chandan
  • Member
  • Offline
  • Registered: 2021-11-25
  • Posts: 2

Re: using remote ldap server.

I am apologize for new topic here.
I have tried to create new topic on forum but i didn't find the way :

==== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version (check /etc/iredmail-release):  1.5 OPENLDAP edition.
- Deployed with iRedMail Easy or the downloadable installer?   downloadable
- Linux/BSD distribution name and version:   Ubuntu 20.04 Debian.
- Store mail accounts in which backend (LDAP/MySQL/PGSQL):  LDAP
- Web server (Apache or Nginx):   Nginx
- Manage mail accounts with iRedAdmin-Pro?   Yes
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====


I have installed two ubuntu servers, one for iRedmail setup with ldap backend and second for Open ldap configuration.

I am trying to setup remote LDAP server and point the iRedmail server to it.
I have done a ton of web searches related to this topic.

So far nothing works and there is nothing current.

Given the changes to openLDAP has anyone been able to do this?

I have changed the remote ldap host IP and bind_dn and bind_pw (Remote ldap with those credentials I am able to login in ldap admin) .

"I didnt change the search_base url."

Postfix (LDAP): i change server_host = ip pf my LDAP server
    * Configuration files:
        - /etc/postfix/ldap/virtual_mailbox_domains.cf
        - /etc/postfix/ldap/relay_domains.cf
        - /etc/postfix/ldap/transport_maps_domain.cf
        - /etc/postfix/ldap/transport_maps_user.cf
        - /etc/postfix/ldap/virtual_mailbox_maps.cf
        - /etc/postfix/ldap/sender_login_maps.cf
        - /etc/postfix/ldap/virtual_alias_maps.cf
        - /etc/postfix/ldap/virtual_group_maps.cf
        - /etc/postfix/ldap/virtual_group_members_maps.cf
        - /etc/postfix/ldap/catchall_maps.cf
        - /etc/postfix/ldap/recipient_bcc_maps_domain.cf
        - /etc/postfix/ldap/recipient_bcc_maps_user.cf
        - /etc/postfix/ldap/sender_bcc_maps_domain.cf
        - /etc/postfix/ldap/sender_bcc_maps_user.cf

Dovecot:
    * Configuration files:
       
       - /etc/dovecot/dovecot-ldap.conf

Copied required file in remote ldap server - location: /etc/ldap/schema
* amavis.schema
* iredmail.schema
* ldap_init.ldif

All required ports are open.

I dont know what I am missing, can you please some one help me.
I am waiting for the postive response.

Thank you.