1

Topic: iRedMail LDAP QNAP integration

Are there any success stories of integrating QNAP with iRedMail-OpenLDAP?

I'm trying to integrate my QNAP TS-832PXU-RP with my iRedMail-Pro/OpenLDAP server to allow users to authenticate with their email accounts. So I SSHed to the QNAP and made the corresponding changes to

/etc/config/nss_ldap.conf

```
host mail.mydomain.org
base o=domains,dc=mydomain,dc=org
uri ldap://mail.mydomain.org/
ssl off
rootbinddn cn=vmail,dc=mydomain,dc=org
pam_login_attribute mail
nss_base_passwd ou=Users,domainName=mydomain.org,o=domains,dc=mydomain,dc=org?one?(accountStatus=active)
nss_base_shadow ou=Users,domainName=mydomain.org,o=domains,dc=mydomain,dc=org?one
nss_base_group ou=Groups,domainName=mydomain.org,o=domains,dc=mydomain,dc=org?one
tls_checkpeer no
bind_policy soft
bind_timelimit 2
tls_ciphers ES3cRET0:!MD5
nss_initgroups_ignoreusers admin
```

and then restarted /etc/init.d/ldap.sh.

However, although login is successful now, getent passwd/group returns no LDAP users; it also still uses the uid attribute for login (i.e. username, not username@mydomain.org) and allows blocked users to log in to QNAP (the (accountStatus=active) filter is ignored).

I tried to map attributes (nss_map_attribute uid mail) without any luck.

Any ideas how to make QNAP work together with iRedMail?

P.S. The domain user list in QNAP "Control Panel/Users/Domain users" is also empty; however, domain users are seen in the online users dashboard widget.


2

Re: iRedMail LDAP QNAP integration

I didn't try such an integration before. I'm afraid you're on your own. Don't forget to turn on debug mode in OpenLDAP to check the LDAP filters used by QNAP.

3

Re: iRedMail LDAP QNAP integration

BTW, I switched loglevel in /etc/ldap/slapd.conf to 256 and restarted slapd, but still got an empty /var/log/openldap/openldap.log. Did I miss something?

4

Re: iRedMail LDAP QNAP integration

So I finally got the OpenLDAP logs:

```
Sep 20 16:25:46 mydomain slapd[2155779]: conn=1022 fd=21 ACCEPT from IP=172.16.88.67:41828 (IP=0.0.0.0:389)
Sep 20 16:25:46 mydomain slapd[2155779]: conn=1022 op=0 BIND dn="cn=vmail,dc=mydomain,dc=org" method=128
Sep 20 16:25:46 mydomain slapd[2155779]: conn=1022 op=0 BIND dn="cn=vmail,dc=mydomain,dc=org" mech=SIMPLE ssf=0
Sep 20 16:25:46 mydomain slapd[2155779]: conn=1022 op=0 RESULT tag=97 err=0 text=
Sep 20 16:25:46 mydomain slapd[2155779]: conn=1022 op=1 SRCH base="" scope=0 deref=0 filter="(objectClass=*)"
Sep 20 16:25:46 mydomain slapd[2155779]: conn=1022 op=1 SRCH attr=supportedControl
Sep 20 16:25:46 mydomain slapd[2155779]: conn=1022 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Sep 20 16:25:46 mydomain slapd[2155779]: conn=1022 op=2 SRCH base="ou=Users,domainName=mydomain.org,o=domains,dc=mydomain,dc=org" scope=2 deref=0 filter="(&(?objectClass=sambaDomain)(?sambaDomainName=WORKGROUP))"
Sep 20 16:25:46 mydomain slapd[2155779]: conn=1022 op=2 SRCH attr=sambaDomainName sambaNextRid sambaNextUserRid sambaNextGroupRid sambaSID sambaAlgorithmicRidBase objectClass
Sep 20 16:25:46 mydomain slapd[2155779]: conn=1022 op=2 SEARCH RESULT tag=101 err=0 nentries=0 text=
Sep 20 16:25:46 mydomain slapd[2155779]: conn=1022 op=3 SRCH base="ou=Users,domainName=mydomain.org,o=domains,dc=mydomain,dc=org" scope=2 deref=0 filter="(&(?sambaDomainName=WORKGROUP)(?objectClass=sambaDomain))"
Sep 20 16:25:46 mydomain slapd[2155779]: conn=1022 op=3 SRCH attr=sambaDomainName sambaNextRid sambaNextUserRid sambaNextGroupRid sambaSID sambaAlgorithmicRidBase objectClass
Sep 20 16:25:46 mydomain slapd[2155779]: conn=1022 op=3 SEARCH RESULT tag=101 err=0 nentries=0 text=
Sep 20 16:25:46 mydomain slapd[2155779]: conn=1022 op=4 do_add: invalid dn (sambaDomainName=WORKGROUP,ou=Users,domainName=mydomain.org,o=domains,dc=mydomain,dc=org)
Sep 20 16:25:46 mydomain slapd[2155779]: conn=1022 op=4 RESULT tag=105 err=34 text=invalid DN
Sep 20 16:25:46 mydomain slapd[2155779]: conn=1022 fd=21 closed (connection lost)
```

Looks like QNAP treats any LDAP server like AD.
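The `?` that slapd prints inside the filter above is its marker for an assertion it cannot evaluate because the attribute type or object class (here the Samba ones) is not in the loaded schema, and op=4 is an add that fails with err=34. As an added example, not the poster's or iRedMail's code, this script pulls exactly those two signals out of loglevel-256 output; the sample lines are constructed after the ones quoted above.

```python
import re

# Constructed slapd lines, modelled on the ones quoted above (not the poster's own log).
SAMPLE_LOG = """\
Sep 20 16:25:46 mydomain slapd[2155779]: conn=1022 op=0 BIND dn="cn=vmail,dc=mydomain,dc=org" mech=SIMPLE ssf=0
Sep 20 16:25:46 mydomain slapd[2155779]: conn=1022 op=0 RESULT tag=97 err=0 text=
Sep 20 16:25:46 mydomain slapd[2155779]: conn=1022 op=2 SRCH base="ou=Users,domainName=mydomain.org,o=domains,dc=mydomain,dc=org" scope=2 deref=0 filter="(&(?objectClass=sambaDomain)(?sambaDomainName=WORKGROUP))"
Sep 20 16:25:46 mydomain slapd[2155779]: conn=1022 op=2 SEARCH RESULT tag=101 err=0 nentries=0 text=
Sep 20 16:25:46 mydomain slapd[2155779]: conn=1022 op=4 do_add: invalid dn (sambaDomainName=WORKGROUP,ou=Users,domainName=mydomain.org,o=domains,dc=mydomain,dc=org)
Sep 20 16:25:46 mydomain slapd[2155779]: conn=1022 op=4 RESULT tag=105 err=34 text=invalid DN
"""

OP_RE = re.compile(r"conn=(\d+) op=(\d+) (.*)$")
FILTER_RE = re.compile(r'filter="([^"]*)"')
UNDEF_RE = re.compile(r"\(\?([A-Za-z0-9;-]+)=([^)]*)\)")   # slapd prefixes undefined assertions with '?'
RESULT_RE = re.compile(r"RESULT tag=(\d+) err=(\d+).*?text=(.*)$")
RESPONSE_TAGS = {97: "bind", 101: "search", 103: "modify", 105: "add", 107: "delete"}  # LDAPv3 response tags

def triage(log_text):
    """Scan slapd loglevel-256 output for the two things the QNAP exchange above shows:
    filter assertions slapd could not evaluate because the attribute type or object class
    is not in its loaded schema (logged as '(?attr=value)'), and operations with err != 0."""
    undefined, failures = [], []
    for line in log_text.splitlines():
        m = OP_RE.search(line)
        if not m:
            continue
        conn, op, rest = int(m.group(1)), int(m.group(2)), m.group(3)
        f = FILTER_RE.search(rest)
        if f:
            terms = ["%s=%s" % av for av in UNDEF_RE.findall(f.group(1))]
            if terms:
                undefined.append((conn, op, terms))
        r = RESULT_RE.search(rest)
        if r and int(r.group(2)) != 0:
            failures.append((conn, op, RESPONSE_TAGS.get(int(r.group(1)), "tag%s" % r.group(1)),
                             int(r.group(2)), r.group(3)))
    return {"undefined": undefined, "failures": failures}

if __name__ == "__main__":
    for key, rows in triage(SAMPLE_LOG).items():
        for row in rows:
            print(key, row)
```

An undefined objectClass=sambaDomain assertion means the schema is not loaded, so the search can never match and the client falls through to the add that slapd rejects.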

5

Re: iRedMail LDAP QNAP integration

Better check the QNAP documentation to figure out which attributes are required.
On the iRedMail side, OpenLDAP is just an LDAP server; it should work when you specify the correct LDAP base dn, bind dn, bind password, and filter.

6

Re: iRedMail LDAP QNAP integration

So I partially succeeded. The minimal requirement for LDAP/QNAP integration is objectClass=posixAccount plus the uidNumber and gidNumber attributes on the user entry. As I mentioned, you can specify all of this in /etc/config/nss_ldap.conf (and additional filters too), but the UI wizard will not respect your changes.

nss_ldap.conf:

```
host ldap.mydomain.org
base dc=mydomain,dc=org
uri ldap://mail.mydomain.org/
ssl off
rootbinddn cn=vmailadmin,dc=mydomain,dc=org
nss_base_passwd ou=Users,domainName=mydomain.org,o=domains,dc=mydomain,dc=org?one?(accountStatus=active)
nss_base_shadow ou=Users,domainName=mydomain.org,o=domains,dc=mydomain,dc=org?one
nss_base_group ou=Groups,domainName=mydomain.org,o=domains,dc=mydomain,dc=org?one
tls_checkpeer no
bind_policy soft
bind_timelimit 2
tls_ciphers EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:!MD5
nss_initgroups_ignoreusers admin
```

You should also add a user filter to /etc/afp.conf:

```
user filter (accountStatus=active)
```

With this setup you can make AFP, NFS and the Web UI work with your LDAP, but not Samba. QNAP Samba fully relies on AD objectClasses like sambaAccount and sambaDomain, so you need a fully functional AD controller (maybe Samba 4), not plain LDAP.

In short, QNAP Samba does not support LDAP; it's AD only.

Here is the OpenLDAP log:

```
ldap slapd[6782]: conn=1001 op=1 SEARCH RESULT tag=101 err=0 qtime=0.000024 etime=0.000167 nentries=1 text=
ldap slapd[6782]: conn=1001 op=2 SRCH base="dc=npl,dc=ru" scope=2 deref=0 filter="(&(?objectClass=sambaDomain)(?sambaDomainName=NPL))"
ldap slapd[6782]: conn=1001 op=2 SRCH attr=sambaDomainName sambaNextRid sambaNextUserRid sambaNextGroupRid sambaSID sambaAlgorithmicRidBase objectClass
ldap slapd[6782]: conn=1001 op=2 SEARCH RESULT tag=101 err=0 qtime=0.000023 etime=0.000667 nentries=0 text=
ldap slapd[6782]: conn=1001 op=3 SRCH base="dc=npl,dc=ru" scope=2 deref=0 filter="(&(?sambaDomainName=NPL)(?objectClass=sambaDomain))"
ldap slapd[6782]: conn=1001 op=3 SRCH attr=sambaDomainName sambaNextRid sambaNextUserRid sambaNextGroupRid sambaSID sambaAlgorithmicRidBase objectClass
ldap slapd[6782]: conn=1001 op=3 SEARCH RESULT tag=101 err=0 qtime=0.000025 etime=0.000156 nentries=0 text=
ldap slapd[6782]: conn=1001 op=4 do_add: invalid dn (sambaDomainName=NPL,dc=npl,dc=ru)
ldap slapd[6782]: conn=1001 op=4 RESULT tag=105 err=34 qtime=0.000022 etime=0.000295 text=invalid DN
ldap slapd[6782]: conn=1001 fd=12 closed (connection lost)
```

And here is the corresponding QNAP Samba daemon log:

```
../../source3/passdb/pdb_ldap.c:6753(pdb_ldapsam_init_common)
  pdb_init_ldapsam: WARNING: Could not get domain info, nor add one to the domain. We cannot work reliably without it.
../../source3/passdb/pdb_interface.c:184(make_pdb_method_name)
  pdb backend ldapsam:ldap://mail.npl.ru did not correctly init (error was NT_STATUS_CANT_ACCESS_DOMAIN_INFO)
../../source3/smbd/server.c:2008(main)
  smbd version 4.13.17 started.
  Copyright Andrew Tridgell and the Samba Team 1992-2020
```
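To check in advance whether iRedMail user entries meet the minimum this post describes, here is an added example (not the poster's or iRedMail's code) that reads an LDIF export and emulates the nss_base_passwd line above: one-level scope under ou=Users, the (accountStatus=active) filter, objectClass=posixAccount, and uidNumber/gidNumber. The LDIF entries are constructed in iRedMail's directory layout; the reader handles plain `attr: value` lines only.

```python
SAMPLE_LDIF = """\
dn: mail=alice@mydomain.org,ou=Users,domainName=mydomain.org,o=domains,dc=mydomain,dc=org
objectClass: mailUser
objectClass: posixAccount
mail: alice@mydomain.org
uidNumber: 10001
gidNumber: 10001
accountStatus: active

dn: mail=bob@mydomain.org,ou=Users,domainName=mydomain.org,o=domains,dc=mydomain,dc=org
objectClass: mailUser
mail: bob@mydomain.org
accountStatus: active

dn: mail=carol@mydomain.org,ou=Users,domainName=mydomain.org,o=domains,dc=mydomain,dc=org
objectClass: mailUser
objectClass: posixAccount
mail: carol@mydomain.org
uidNumber: 10003
gidNumber: 10003
accountStatus: disabled
"""  # constructed sample in iRedMail's layout, not an export from the poster's server
USERS_BASE = "ou=Users,domainName=mydomain.org,o=domains,dc=mydomain,dc=org"

def parse_ldif(text):
    """Minimal LDIF reader (no base64 or folded lines): lowercased attribute names, list values."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for key, _, value in (l.partition(": ") for l in block.splitlines()):
            entry.setdefault(key.lower(), []).append(value)
        entries.append(entry)
    return entries

def qnap_passwd_view(entries, base=USERS_BASE):
    """Emulate nss_base_passwd '<base>?one?(accountStatus=active)' plus QNAP's posixAccount needs:
    maps each DN to the reasons NSS would skip it (an empty list means getent passwd shows it)."""
    report = {}
    for e in entries:
        dn, reasons = e["dn"][0], []
        if dn.split(",", 1)[1].lower() != base.lower():    # '?one': direct children of base only
            reasons.append("outside one-level scope")
        if e.get("accountstatus") != ["active"]:
            reasons.append("filtered by (accountStatus=active)")
        if "posixaccount" not in [c.lower() for c in e.get("objectclass", [])]:
            reasons.append("missing objectClass posixAccount")
        reasons += ["missing " + a for a in ("uidNumber", "gidNumber") if a.lower() not in e]
        report[dn] = reasons
    return report
```

Running it on a real `ldapsearch -LLL` export of ou=Users shows which accounts the QNAP wizard's defaults would drop and why, before touching the NAS.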