1 Topic by it-3414

  • it-3414
  • Member
  • Offline
  • Registered: 2021-06-24
  • Posts: 11

Topic: LDAP-based group ACL (SOGo, and other external services)

==== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version (check /etc/iredmail-release): 1.4.2
- Deployed with iRedMail Easy or the downloadable installer? downloadable
- Linux/BSD distribution name and version: ubuntu 20.04
- Store mail accounts in which backend (LDAP/MySQL/PGSQL):  LDAP
- Web server (Apache or Nginx):nginx
- Manage mail accounts with iRedAdmin-Pro? yes
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====

I'm not sure if that has been posted already (I only found https://forum.iredmail.org/post11173.html#p11173 and https://forum.iredmail.org/topic3059-ir … oups.html) so in case not, this is how I got LDAP-group based ACL for SOGo resources (e.g calendar) to work. Together with the authentication of external services (https://docs.iredmail.org/iredadmin-pro … vices.html) I think OpenLDAP based iRedmail is a great authentication service for other apps which usually use group ACLs (e.g. we use Nextcloud and rely heavily on AD groups). I hope I haven't overseen anything, as I'm quite new to iRedmail, and openLDAP.

Therefore, **I would also like to know if this approach is safe?** E.g. the ldap resource will not disappear/cause problems with iRedmail updates, etc?  Maybe it is better to not use ou=Groups (where iRedmail stores mailLists), but a separate ou (e.g. ou=customgroups) to store the group ACLs?

There are 2 things needed:
1) another SOGoUserSource to get the groups (to not interfere with the user-authentication)
{
    // Used for groups
    type = ldap;
    id = groups;
    canAuthenticate = YES;
    isAddressBook = NO;
    displayName = "LDAP Groups";

    hostname = "ldap://127.0.0.1:389";
    baseDN = "domainName=%d,o=domains,dc=MYDOMAIN,dc=net";
    bindDN = "cn=vmail,dc=MYDOMAIN,dc=net";
    bindPassword = "XXXXX";
    filter = "objectClass=groupOfNames"; #<<-- NEW filter

    bindAsCurrentUser = YES;


    // The algorithm used for password encryption when changing
    // passwords without Password Policies enabled.
    // Possible values are: plain, crypt, md5-crypt, ssha, ssha512.
    userPasswordAlgorithm = ssha512;
    GroupObjectClasses = (groupOfNames); #<<--- NEW (maybe not needed?)

    CNFieldName = cn;
    IDFieldName = cn;
    // value of UIDFieldName must be unique on entire server
    UIDFieldName = cn;
}

2) a openldap resource for group membership (I used phpldapadmin to create it):

# Entry 1: cn=grpnames4@MYDOMAIN.net,ou=Groups,domainName=...
dn: cn=grpnames4@MYDOMAIN.net,ou=Groups,domainName=MYDOMAIN.net,o=domains,dc=MYDOMAINonal,dc=net
cn: grpnames4@MYDOMAIN.net
member: mail=it7@MYDOMAIN.net,ou=Users,domainName=MYDOMAIN.net,o=domains,dc=MYDOMAIN,dc=net
member: mail=it5@MYDOMAIN.net,ou=Users,domainName=MYDOMAIN.net,o=domains,dc=MYDOMAIN,dc=net
objectclass: groupOfNames
objectclass: top


After restart of SOGo, you should be able to search for the group-name when sharing resources, and upon adding ACLs and subscribing, the group members should see the resources.

If you add another group member in openLDAP later on, you need to additionally subscribe the user (but that was the same when using AD groups, and can be done via the sogo-tool). If you remove a user, it will take a couple of minutes until the resource disappears for this user.

Regarding SOGo, and SuperUsers: does it matter which user I add in "SOGoSuperUsernames" ? Should it be the postmaster, or can it be any other user?

----

Spider Email Archiver: On-Premises, lightweight email archiving software developed by iRedMail team. Supports Amazon S3 compatible storage and custom branding.

2 Reply by ZhangHuangbin

  • ZhangHuangbin
  • ZhangHuangbin
  • iRedMail Developers
  • Offline
  • Registered: 2009-05-06
  • Posts: 31,088

Re: LDAP-based group ACL (SOGo, and other external services)

it-3414 wrote:

1) another SOGoUserSource to get the groups (to not interfere with the user-authentication)

It's ok to add new config section in SOGoUseSource.

it-3414 wrote:

2) a openldap resource for group membership (I used phpldapadmin to create it):
# Entry 1: cn=grpnames4@MYDOMAIN.net,ou=Groups,domainName=...
dn: cn=grpnames4@MYDOMAIN.net,ou=Groups,domainName=MYDOMAIN.net,o=domains,dc=MYDOMAINonal,dc=net
cn:
member: mail=it7@MYDOMAIN.net,...
member: mail=it5@MYDOMAIN.net,...
objectclass: groupOfNames
objectclass: top

iRedAdmin-Pro already manages the "member" attribute for mailing lists, so i guess you don't need new entries under "ou=Groups". Did you check existing group objects?

3 Reply by it-3414

  • it-3414
  • Member
  • Offline
  • Registered: 2021-06-24
  • Posts: 11

Re: LDAP-based group ACL (SOGo, and other external services)

Hello ZhangHuan,

the problem is that the mailing list are of objectClass "mailList", which is not used by SOGo. I could configure SOGo to use this objectclass instead of e.g. groupOfNames (e.g. GroupObjectClasses = (mailList);

However, the problem is that members of mailLists are not added to the OpenLDAP entry of a mailList. I also don't see this information in the user LDAP entry, so I guess this is handled/stored somewhere else?

E.g. on my (fresh 1.4.2 iRedmail), a mailing list with 2 members (just tested and working), the OpenLDAP entry for this mailList is this:

# Entry 1: mail=group-ml-3@MYDOMAIN.net,ou=Groups,domainNa...
dn: mail=group-ml-3@MYDOMAIN.net,ou=Groups,domainName=MYDOMAIN.net,o=domains,dc=MYDOMAIN,dc=net
accesspolicy: public
accountstatus: active
cn: maillist4
enabledservice: mail
enabledservice: deliver
enabledservice: mlmmj
mail: group-ml-3@MYDOMAIN.net
mailinglistid: 78911955-XXX-ID
member: mail=it5@MYDOMAIN.net,ou=Users,domainName=MYDOMAIN.net,o=domains,dc=MYDOMAIN,dc=net
mtatransport: mlmmj:MYDOMAIN.net/group-ml-3
objectclass: mailList

so there is only one member (I guess the first one when creating the maillist?)

At the user side, I also don't see any attribute for memberOf:

# Entry 1: mail=i...@mydomain.net,ou=Users,domainName=MYDOMAIN
dn: mail=i...@mydomain.net,ou=Users,domainName=MYDOMAIN.net,o=domains,dc=MYDOMAIN,dc=net
accountstatus: active
amavislocal: TRUE
cn: IT6
enabledservice: sogo
enabledservice: imap
enabledservice: sievetls
enabledservice: sievesecured
enabledservice: lmtp
enabledservice: dsync
enabledservice: shadowaddress
enabledservice: indexer-worker
enabledservice: sieve
enabledservice: imaptls
enabledservice: senderbcc
enabledservice: managesievesecured
enabledservice: deliver
enabledservice: recipientbcc
enabledservice: mail
enabledservice: smtpsecured
enabledservice: lib-storage
enabledservice: sogoactivesync
enabledservice: smtp
enabledservice: sogowebmail
enabledservice: smtptls
enabledservice: lda
enabledservice: displayedInGlobalAddressBook
enabledservice: imapsecured
enabledservice: doveadm
enabledservice: forward
enabledservice: quota-status
enabledservice: sogocalendar
enabledservice: managesievetls
enabledservice: internal
enabledservice: managesieve
homedirectory: /var/vmail/vmail1/MYDOMAIN.net/i/t/6/it6-2021.
12.08.15.26.38/
mail: i...@mydomain.net
mailboxfolder: Maildir
mailboxformat: maildir
mailquota: 5368709120
objectclass: inetOrgPerson
objectclass: mailUser
objectclass: shadowAccount
objectclass: amavisAccount
preferredlanguage: en_US
shadowlastchange: 18969
sn: it6
uid: it6
userpassword: {SSHA512}XXXXX


I have iRedadmin Pro, so I add new maillist members via this interface. But yet they don't show up in OpenLDAP, but the maillist still works.

4 Reply by it-3414

  • it-3414
  • Member
  • Offline
  • Registered: 2021-06-24
  • Posts: 11

Re: LDAP-based group ACL (SOGo, and other external services)

so if I cannot handle Group ACLs via maillists, is it safe to store the groupOfNames objects inside ou=Groups?

5 Reply by ZhangHuangbin

  • ZhangHuangbin
  • ZhangHuangbin
  • iRedMail Developers
  • Offline
  • Registered: 2009-05-06
  • Posts: 31,088

Re: LDAP-based group ACL (SOGo, and other external services)

it-3414 wrote:

so if I cannot handle Group ACLs via maillists, is it safe to store the groupOfNames objects inside ou=Groups?

It's ok to store it.

But maybe we can improve (or "fix") iRedAdmin-Pro to achieve what you need, this way might be the best. Your opinion?

6 Reply by it-3414 (edited by it-3414 2021-12-23 20:46:34)

  • it-3414
  • Member
  • Offline
  • Registered: 2021-06-24
  • Posts: 11

Re: LDAP-based group ACL (SOGo, and other external services)

There is already functionality in Pro to manage access to external services (ADDITIONAL_ENABLED_USER_SERVICES), so that is great. For me, those group memberships will not change very often, and i have a graphical interface via phpLDAPadmin. That gives me flexibility to e.g. adapt to the requirements for Group ACLs of other services (SOGo can be configured to use mailList, but maybe another service is not so flexible).

I just started to use iRedmail (we have yet to migrate), and I think the one functionality I miss are app passwords, and TOTP for the iredadmin interface. About app passwords please find my reply here: https://forum.iredmail.org/topic17646-m … sword.html

not sure if this is easy to achieve that for dovecot, postfix, and SOGo? From my research, there is no mailclient which would support more than a simple password for all of the different required protocols (imap, smtp, caldav, carddav).

I thought about 2 users sharing each mailbox/calendar/address book, but this is too complicated, because in dovecot you can only share a folder, but not a whole mailbox. sorry to be off-topic.