1

Topic: iRedMail LDAP LoadModule Questions

==== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version (check /etc/iredmail-release): 1.6.0
- Deployed with iRedMail Easy or the downloadable installer? Installer
- Linux/BSD distribution name and version: Debian 11
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): LDAP
- Web server (Apache or Nginx): Nginx
- Manage mail accounts with iRedAdmin-Pro? Yes
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====

Hello all. I am attempting to find a way to use the LDAP server supplied with iRedMail installer with BookStack. There is a GitHub issue BSA#3550 (cannot add any links per post message, apologies for inconvenience) for discussion with BSA dev. I have already set it up to work with Authelia without issue, and with Nextcloud using forum post "Query LDAP Mailinglist Membership for NextCloudOwnCloud". BookStack requires the memberOf array attribute, which is not utilised by default with iRedMail's configured LDAP server, but is available in /usr/lib/ldap. To that end, I found the following forum topic "General LDAP Setup Question" regarding enabling the memberOf module for overlay.

Questions:

  • Is the above post still something required? I initially tried to use moduleLoad in slapd.conf, but this does not do anything on reset of the slapd process. Using either

    ldapmodify -a -x -D "cn=Manager,dc=dpcs,dc=xyz" -W -H ldapi://

    or

    ldapmodify -Q -Y EXTERNAL -H ldapi:///

    gives a permission error.

  • However, unlike the post above, there are actual files in slapd.d, so it seems like iRedMail LDAP is using dynamic now? Is the process static or dynamic? If dynamic, what is the required login to access cn=config? The Manager login is the root to my knowledge, so I'm not sure what "admin" password is needed if dynamic modify is required. If static, I do not know why changing slapd.conf has no impact on ldap modules.

  • slapd.conf has entries for moduleload back_mdb, back_monitor, and pw-sha2, but the output of

    slapcat -n 0 | grep olcModuleLoad

    shows only the following (missing back_monitor and pw-sha2):

    olcModuleLoad: {0}back_mdb

    and

    less /etc/ldap/slapd.d/'cn=config'/'cn=module{0}.ldif'

    shows the following:

    # AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
    # CRC32 eaca156b
    dn: cn=module{0}
    objectClass: olcModuleList
    cn: module{0}
    olcModulePath: /usr/lib/ldap
    olcModuleLoad: {0}back_mdb
    structuralObjectClass: olcModuleList
    entryUUID: 7d7cd06a-77fd-103c-9981-e7f0d4b47def
    creatorsName: cn=admin,cn=config
    createTimestamp: 20220604025509Z
    entryCSN: 20220604025509.340238Z#000000#000#000000
    modifiersName: cn=admin,cn=config
    modifyTimestamp: 20220604025509Z

    Is this correct? Is the only module loaded back_mdb, despite the other two being in the slapd.conf file? Why does adding moduleload memberof and refint also not do anything?

  • Are there any concerns with using memberOf overlay with iRedAdmin?

Relevant part of /etc/ldap/slapd.conf prior to any edits to add memberOf overlay module:

# List of arguments that were passed to the server
argsfile    /var/run/slapd/slapd.args

modulepath /usr/lib/ldap
moduleload back_mdb
moduleload back_monitor

# Support password verification with SSHA512. Require OpenLDAP-2.4.32 or later.
moduleload pw-sha2

# The syncprov overlay
#moduleload syncprov.la

# SSL cert files. if no need to access OpenLDAP from another host, it's ok to
# disable TLS/SSL support.


2

Re: iRedMail LDAP LoadModule Questions

I read the github issue: https://github.com/BookStackApp/BookStack/issues/3550

- iRedMail is designed for mail services, so using "memberOfGroup=<email>" is a lot easier for LDAP queries in Postfix/Dovecot/...
- iRedMail uses slapd.conf, not slapd.d.
- You can add and manage memberof overlay manually.

3

Re: iRedMail LDAP LoadModule Questions

Please try this in /etc/ldap/slapd.conf:

1) Load module memberof.la for overlay AFTER the "moduleload back_mdb" line:

moduleload memberof.la

2) Enable the memberof overlay under the "database mdb" block which has your LDAP suffix. For example:

# Below 3 lines are your existing database settings.
database    mdb
suffix      dc=a,dc=io
directory   /var/lib/ldap/a.io

# Add overlay and specify the `memberof-group-oc` parameter.
# OpenLDAP uses objectclass "groupOfNames" as "memberof-group-oc" by default,
# we replace it by mailList here.
overlay memberof
memberof-group-oc mailList

# ... OMIT OTHER EXISTING CONFIGURATIONS HERE ...

Then restart "slapd" service.

Try to search mail users with "ldapsearch" command:

ldapsearch -x -D "cn=manager,dc=xx,dc=xx" -W objectclass=mailUser dn mail memberOf

If you already have some mailing list, then you should see some results in console output.
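An added check for the two static-config steps above (example code written for this page, not iRedMail's or OpenLDAP's own tooling). A misplaced directive in slapd.conf fails quietly from the outside: "moduleload" is a global directive, "overlay memberof" has to sit inside the "database mdb" section that holds the mail suffix (placed before any database line it becomes a global frontend overlay instead), and memberof-group-oc only applies to the overlay line it follows. The function parses a slapd.conf given as a file argument or on stdin and reports those placement problems with an exit status; the config it checks at the end is a constructed fragment modelled on the one above, with dc=example,dc=com standing in for a real suffix.

```shell
#!/bin/sh
# Added example (not iRedMail/OpenLDAP code): sanity-check where the memberof
# module and overlay sit in a static slapd.conf before restarting slapd.
# Usage: check_memberof_conf /etc/ldap/slapd.conf   (or feed the file on stdin)
# Exit 0 when the module is loaded, "overlay memberof" is inside a
# "database mdb" section and memberof-group-oc follows it; exit 1 otherwise.
check_memberof_conf() {
    awk '
    function err(m)  { print "error: " m; bad = 1 }
    function warn(m) { print "warning: " m }
    {
        line = $0
        sub(/#.*/, "", line)                              # strip comments
        sub(/^[ \t]+/, "", line); sub(/[ \t]+$/, "", line)
        if (line == "") next
        split(line, f, /[ \t]+/)
        key = tolower(f[1]); val = tolower(f[2])
    }
    # every "database" line opens a new section; remember its backend type
    key == "database" { db = val; ndb++; next }
    key == "moduleload" && val ~ /^memberof(\.la)?$/ {
        modload = NR
        if (ndb > 0)
            warn("moduleload memberof (line " NR ") comes after a database line; keep it with the other moduleload directives next to modulepath")
        next
    }
    key == "overlay" && val == "memberof" {
        overlay = NR; groupoc = ""
        if (ndb == 0)
            err("overlay memberof (line " NR ") precedes every database line, so it would be a global frontend overlay; put it under the \"database mdb\" block holding the mail suffix")
        else if (db != "mdb")
            err("overlay memberof (line " NR ") is inside a \"database " db "\" section, not the mdb database holding the mail suffix")
        next
    }
    key == "memberof-group-oc" {
        if (!overlay) err("memberof-group-oc (line " NR ") appears before \"overlay memberof\"; overlay options must follow their overlay line")
        else groupoc = f[2]
        next
    }
    END {
        if (!modload) err("no \"moduleload memberof\" (or memberof.la) found")
        if (!overlay) err("no \"overlay memberof\" directive found")
        else if (groupoc == "")
            err("\"overlay memberof\" has no memberof-group-oc; the default groupOfNames never matches iRedMail mailList entries")
        if (!bad) print "ok: memberof loaded and enabled for objectClass " groupoc
        exit (bad ? 1 : 0)
    }' "${1:--}"
}

# Constructed fragment modelled on the thread (not a real server's file);
# dc=example,dc=com stands in for the real suffix.
good_conf=$(cat <<'EOF'
modulepath /usr/lib/ldap
moduleload back_mdb
moduleload memberof
moduleload back_monitor
moduleload pw-sha2

database    mdb
suffix      dc=example,dc=com
directory   /var/lib/ldap/example.com
overlay memberof
memberof-group-oc mailList
rootdn      cn=Manager,dc=example,dc=com

database    monitor
EOF
)
printf '%s\n' "$good_conf" | check_memberof_conf
```

One caveat on verifying the result afterwards: slapcat called with neither -f nor -F reads /etc/ldap/slapd.d whenever that directory exists (the Debian package creates it at install time), so on an iRedMail host that runs from slapd.conf a bare `slapcat -n 0` dumps the stale package-generated config, which is very likely why it lists only back_mdb. `slapcat -f /etc/ldap/slapd.conf -n 0 | grep -Ei 'olcModuleLoad|olcOverlay'` shows the translation of the file slapd is actually started with.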

4 (edited by armouredking 2022-07-05 21:46:20)

Re: iRedMail LDAP LoadModule Questions

These changes do not appear to work.

I have attempted the following combinations:

# List of arguments that were passed to the server
argsfile    /var/run/slapd/slapd.args

modulepath /usr/lib/ldap
moduleload back_mdb
moduleload back_monitor
moduleload memberof

# Support password verification with SSHA512. Require OpenLDAP-2.4.32 or later.
moduleload pw-sha2

# List of arguments that were passed to the server
argsfile    /var/run/slapd/slapd.args

modulepath /usr/lib/ldap
moduleload back_mdb
moduleload back_monitor
moduleload memberof.la

# Support password verification with SSHA512. Require OpenLDAP-2.4.32 or later.
moduleload pw-sha2

# List of arguments that were passed to the server
argsfile    /var/run/slapd/slapd.args

modulepath /usr/lib/ldap
moduleload back_mdb
moduleload memberof.la
moduleload back_monitor

# Support password verification with SSHA512. Require OpenLDAP-2.4.32 or later.
moduleload pw-sha2

With this (redacted with domain.tld but actual settings correct):

# Database used to store mail accounts
database    mdb
suffix      dc=domain,dc=tld
directory   /var/lib/ldap/domain.tld
#envflags    writemap

# Add overlay and specify the memberof-group-oc parameter
# OpenLDAP uses objectclass "groupOfNames" as "memberof-group-oc" by default,
# we replace it by mailList here.
overlay memberof
memberof-group-oc mailList

rootdn      cn=Manager,dc=domain,dc=tld

However, there is no change to LDAP. memberof does not appear, is not selectable, and does not show as enabled:

root@mx:~# slapcat -n 0 | grep olcOverlay
root@mx:~# slapcat -n 0 | grep olcModuleLoad
olcModuleLoad: {0}back_mdb
root@mx:~#

It does not appear as if any "moduleload" parameter is being respected except the database one. back_monitor and pw-sha2 at a minimum should show up as well (as these were default with the install) but they do not. And memberof never gets added, regardless of where positioned in file.

Edit: for completeness, here is output of ldap search:

root@mx:/etc/ldap# ldapsearch -Z -H 'ldap://ldap.domain.tld:389' -ZZ -LLL -D 'cn=manager,dc=domain,dc=tld' -W objectclass=mailUser dn mail memberOf
Enter LDAP Password:
dn: mail=postmaster@domain.tld,ou=Users,domainName=domain.tld,o=domains,dc=domain,dc=tld
mail: postmaster@domain.tld

dn: mail=watchdog@domain.tld,ou=Users,domainName=domain.tld,o=domains,dc=domain,dc=tld
mail: watchdog@domain.tld

dn: mail=no-reply@domain.tld,ou=Users,domainName=domain.tld,o=domains,dc=domain,dc=tld
mail: no-reply@domain.tld

dn: mail=user1@domain.tld,ou=Users,domainName=domain.tld,o=domains,dc=domain,dc=tld
mail: user1@domain.tld

dn: mail=user2@domain.tld,ou=Users,domainName=domain.tld,o=domains,dc=domain,dc=tld
mail: user2@domain.tld

dn: mail=@domain.tld,ou=Users,domainName=domain.tld,o=domains,dc=domain,dc=tld
mail: @domain.tld

dn: mail=user3@domain.tld,ou=Users,domainName=domain.tld,o=domains,dc=domain,dc=tld
mail: user3@domain.tld

root@mx:/etc/ldap#

5

Re: iRedMail LDAP LoadModule Questions

memberOf only appears if you explicitly search it.

6

Re: iRedMail LDAP LoadModule Questions

ZhangHuangbin wrote:

memberOf only appears if you explicitly search it.

Apologies, I edited the original reply to include the ldapsearch output. I needed to clean out all the information. MemberOf does not appear. But it should show up as an enabled module as well, without ldapsearch, no?

7

Re: iRedMail LDAP LoadModule Questions

Do the test this way:

- add a subscribable mailing list, and add some member(s)
- run ldapsearch with filter "objectclass=mailList" and attribute "mail memberOf".

8

Re: iRedMail LDAP LoadModule Questions

root@mx:/etc/ldap# ldapsearch -Z -H 'ldap://ldap.domain.tld:389' -ZZ -LLL -D 'cn=manager,dc=domain,dc=tld' -W objectclass=mailList mail memberOf
Enter LDAP Password:
dn: mail=announce@domain.tld,ou=Groups,domainName=domain.tld,o=domains,dc=domain,dc=
 tld
mail: announce@domain.tld

dn: mail=genauth@domain.tld,ou=Groups,domainName=domain.tld,o=domains,dc=domain,dc=x
 yz
mail: genauth@domain.tld

dn: mail=list1@domain.tld,ou=Groups,domainName=domain.tld,o=domains,dc=domain,dc=tld
mail: list1@domain.tld

dn: mail=list2@domain.tld,ou=Groups,domainName=domain.tld,o=domains,dc=domain,dc=tld
mail: list2@domain.tld

dn: mail=testing@domain.tld,ou=Groups,domainName=domain.tld,o=domains,dc=domain,dc=x
 yz
mail: testing@domain.tld

The Testing@ list is the one I added. Still no impact.

9

Re: iRedMail LDAP LoadModule Questions

I tested yesterday the same way, and it works for me. :(

10

Re: iRedMail LDAP LoadModule Questions

Okay, I'm not sure exactly what I did, but currently my file looks like this:

argsfile    /var/run/slapd/slapd.args

modulepath /usr/lib/ldap
moduleload back_mdb
moduleload back_monitor
moduleload memberof

# Support password verification with SSHA512. Require OpenLDAP-2.4.32 or later.
moduleload pw-sha2
# User object
index mailForwardingAddress,shadowAddress   eq,pres,sub
index backupMailAddress,memberOfGroup   eq,pres,sub
index userRecipientBccAddress,userSenderBccAddress  eq,pres,sub
index mobile,departmentNumber eq,pres,sub

# MemberOf Setups
overlay memberof
memberof-group-oc mailList

This by itself did not make memberOf show up. I created a new mailing list and a new mail user account after playing around a while, assigned it to the new list, and then memberOf started showing up in ldapsearch. So I went to each user, removed them from their lists, saved, then added them back to their lists. Finally memberOf started working. Apparently the user objects needed to be refreshed, I guess; it doesn't automatically apply?

Now there is a new problem(?), but I'm not sure if it is hurting anything other than graphics. Previously, in my iRedAdmin-Pro, Users under domain section it would display something like this:

Display Name Alias# MailingList# CheckMark Graph Cog Address etc etc

However, now the MailingList# is gone. The users are assigned, but the little icon is not there. I went to check inside the LDAP to see if I could notice the difference between accounts, and there was something missing - memberOfGroup is not on the accounts! Does memberOf overlay remove memberOfGroup?

[Attachment: Untitled.png]

11

Re: iRedMail LDAP LoadModule Questions

armouredking wrote:

Apparently the user objects needed to be refreshed I guess, it doesn't automatically apply?

According to OpenLDAP manual page, the memberof overlay maintains the 'memberOf' attribute automatically, so it should appear automatically.

armouredking wrote:

Does memberOf overlay remove memberOfGroup?

memberof has nothing to do with "memberOfGroup" attribute.

This works for me too. It displays the "L1" (number is different on my machine) mark.
Are you sure this user belongs to some mailing list(s)?
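The behaviour described in posts 10 and 11 has a known cause: slapo-memberof maintains memberOf by intercepting the write operations it sees, so enabling it does nothing for memberships that already existed; memberOf appears only once a list's member attribute is written again, which is what removing and re-adding every user by hand achieved. The following is an added example (written for this page, not iRedMail or OpenLDAP tooling) that does that rewrite in bulk: it turns an LDIF dump of the mailList entries into one modify record per list that replaces member with its current values, which the overlay handles as a membership change and recomputes memberOf from. It joins folded LDIF lines (the " tld" continuation lines visible in post 8), ignores non-list entries and skips lists with no members. The sample LDIF at the end is constructed, with dc=example,dc=com in place of a real suffix. That a replace with identical values is enough to trigger the overlay is an assumption here, so check one list with `ldapsearch ... objectClass=mailUser mail memberOf` before feeding all of them to ldapmodify.

```shell
#!/bin/sh
# Added example (not iRedMail/OpenLDAP code): build an LDIF that re-writes each
# mailList's member values so slapo-memberof, which only reacts to writes it
# sees, populates memberOf on members that predate the overlay.
# Usage (rootdn and suffix are placeholders):
#   ldapsearch -LLL -x -D "cn=Manager,dc=example,dc=com" -W \
#       -b "dc=example,dc=com" '(objectClass=mailList)' member \
#   | memberof_backfill_ldif \
#   | ldapmodify -x -D "cn=Manager,dc=example,dc=com" -W
memberof_backfill_ldif() {
    awk '
    # emit one modify record for the entry just finished if it is a list with members
    function flush(   i) {
        if (dn != "" && is_list && nmem > 0) {
            print "dn: " dn
            print "changetype: modify"
            print "replace: member"
            for (i = 1; i <= nmem; i++) print "member: " mem[i]
            print "-"
            print ""
        }
        dn = ""; is_list = 0; nmem = 0
    }
    # process one logical LDIF line (folded continuations already joined)
    function handle(l,   attr, val) {
        if (l == "") { flush(); return }           # blank line ends an entry
        if (l ~ /^#/ || l ~ /^version:/) return
        if (l ~ /^[^:]*:: /) {                      # base64 values are not decoded here
            print "skipping base64 value: " l > "/dev/stderr"; return
        }
        attr = l; sub(/:.*/, "", attr); attr = tolower(attr)
        val = l; sub(/^[^:]*:[ \t]*/, "", val)
        if (attr == "dn") dn = val
        else if (attr == "objectclass" && tolower(val) == "maillist") is_list = 1
        else if (attr == "member") mem[++nmem] = val
    }
    # LDIF folds long lines; a continuation starts with exactly one space
    /^ / { buf = buf substr($0, 2); next }
    { if (have) handle(buf); buf = $0; have = 1 }
    END { if (have) handle(buf); flush() }
    ' "${1:--}"
}

# Constructed sample dump (not real server data): one folded DN, one list with
# two members, one empty list and one user entry that must be ignored.
sample_ldif=$(cat <<'EOF'
dn: mail=announce@example.com,ou=Groups,domainName=example.com,o=domains,dc=exa
 mple,dc=com
objectClass: mailList
mail: announce@example.com
member: mail=user1@example.com,ou=Users,domainName=example.com,o=domains,dc=example,dc=com
member: mail=user2@example.com,ou=Users,domainName=example.com,o=domains,dc=example,dc=com

dn: mail=empty@example.com,ou=Groups,domainName=example.com,o=domains,dc=example,dc=com
objectClass: mailList
mail: empty@example.com

dn: mail=user1@example.com,ou=Users,domainName=example.com,o=domains,dc=example,dc=com
objectClass: mailUser
mail: user1@example.com
memberOfGroup: announce@example.com
EOF
)
printf '%s\n' "$sample_ldif" | memberof_backfill_ldif
```

Inspect the generated LDIF before applying it; it writes only the member attribute of each list, so the iRedMail-side memberOfGroup values on user entries are untouched.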

12 (edited by armouredking 2022-07-06 13:15:28)

Re: iRedMail LDAP LoadModule Questions

It does work automatically, as long as you update the user, i.e. I don't have to manually create the mappings. It's just that turning it on didn't automatically apply the memberOf attributes, making me think it wasn't enabled.

So yes, the users have lists, but the L# doesn't show up anymore. As an example, the account with A2 in the picture above should also have an L2 (see attached).

[Attachment: Screenshot 2022-07-05 221401.png]

13

Re: iRedMail LDAP LoadModule Questions

I cannot reproduce this issue. :(

14 (edited by armouredking 2022-07-06 22:32:52)

Re: iRedMail LDAP LoadModule Questions

Is there a log that states where iRedAdmin-Pro is doing/not doing things? It is not changing memberOfGroup attribute in the LDAP database, and it is also not removing member from mailLists when you unclick the checkbox on the user.

To be clear, the web UI shows the user being added or removed, but the actual LDAP entries do not change. It will add a user if they are not already in the group, but it will not remove them from it ever. Using the checkbox under Domain->User-> or the drop down menu in Domain->Mailing List->Member->Remove Selected Members does not remove a user from the group in LDAP. The Web UI shows it as removed (the user no longer shows up in the mailing list under Members) but the LDAP attribute is not changed.

The Web UI also does not update if the changes are made via LDAP. If I make a change to LDAP (i.e. remove the member attribute from a mailList) the Web UI does not show this change (the user will still appear to belong in the group; unchecking or deleting the user will remove the user from the Web UI without any error in the webpage, but they are already removed). The memberOf overlay will update the user when I add them via LDAP, but the Web UI does not show them added to the mailList.