1

Topic: Iredmail as ldap server for FreeNAS-11.1-U5

==== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version (check /etc/iredmail-release): Iredmail 0.9.8
- Linux/BSD distribution name and version: Linux 4.15.17-1-pve
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): LDAP
- Web server (Apache or Nginx): Nginx
- Manage mail accounts with iRedAdmin-Pro? Yes IredAdmin-Pro-LDAP-3.1
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====
Dear Zhang,

We would like to use the iRedMail LDAP as the LDAP server for FreeNAS-11.1. In short, we just want to manage users in iRedMail and have them reflected in our FreeNAS user accounts. Every time we add a user in iRedMail, it will be reflected in FreeNAS automatically and I can use it to assign rights to its folder.

Do you have any idea how to implement it? Please guide us.


2

Re: Iredmail as ldap server for FreeNAS-11.1-U5

This should be very easy, but I don't know how to configure the LDAP parameters in the FreeNAS web admin panel.

Summary:

1: Make sure OpenLDAP is listening on all your network interfaces instead of 127.0.0.1.
2: Make sure the firewall on FreeBSD allows access from your FreeNAS.
3: Configure FreeNAS to use the OpenLDAP on the iRedMail server for user authentication.

For #3, I checked the FreeNAS doc and the screenshot of the web admin panel here: https://doc.freenas.org/11/directoryservice.html#ldap

- Hostname: ip address or hostname of your iRedMail server
- Base DN: o=domains,dc=xx,dc=xx  (you should replace "dc=xx,dc=xx" with the real LDAP suffix. You can find it in /etc/postfix/ldap/*.cf)
- Bind DN and password:  You can find both in /etc/postfix/ldap/*.cf, e.g. "cn=vmail,dc=xx,dc=xx".

3 (edited by napoleon.lam 2018-10-03 16:30:04)

Re: Iredmail as ldap server for FreeNAS-11.1-U5

Dear Zhang,
  I got this error message: "Notice: samba extensions not detected. CIFS authentication to LDAP disabled."
So the next step is to install the samba extensions on the iRedMail server?

Thanks
Napoleon

4

Re: Iredmail as ldap server for FreeNAS-11.1-U5

iRedMail doesn't integrate Samba; I'm afraid you have to do it yourself.

But I don't understand why it requires Samba and CIFS support if it just needs to query some accounts for authentication.

Is it possible to disable the Samba support requirement in FreeNAS? I saw there's an option "Samba Schema" (checkbox); maybe uncheck it and try again?

5

Re: Iredmail as ldap server for FreeNAS-11.1-U5

Dear Zhang,

   I thought you said it was very easy, but I found out it needs many things done on LDAP, like adding the schema using the ldapadd and ldapmodify commands, and it ends up with insufficient rights.
  I think if we get it right and smooth, it could be a great help for the iRedMail community, because I believe someone else will use iRedAdmin as the LDAP server for their SMB server now and in the future, and this guide will help them most.

Thanks
Napoleon

6

Re: Iredmail as ldap server for FreeNAS-11.1-U5

Dear Zhang,
   I found out that after I installed samba on the iRedMail server and checked the samba schema, the error message is gone, and it seems like FreeNAS connects successfully to the iRedMail server. I can see the samba.schema using LDAP software, but what should I do next? Every user in iRedMail does not have the samba attributes.

Thanks
Napoleon

7

Re: Iredmail as ldap server for FreeNAS-11.1-U5

napoleon.lam wrote:

but what should I do next? Every user in iRedMail does not have the samba attributes.

I'm not sure why the Samba schema is required by FreeNAS; I wonder if it is possible to disable the Samba schema requirement in the FreeNAS web admin panel?

8

Re: Iredmail as ldap server for FreeNAS-11.1-U5

Hi Zhang,

I double checked this morning:

Unchecking Samba Schema gives this error: "Notice: samba extensions not detected. CIFS authentication to LDAP disabled."

Checking Samba Schema displays no error message.

I think Samba Schema is needed, as per this guideline:

Note LDAP authentication for CIFS shares will be disabled unless the LDAP directory has been configured for and populated with Samba attributes. The most popular script for performing this task is smbldap-tools and instructions for using it can be found at The Linux Samba-OpenLDAP Howto. In addition, the LDAP server must support SSL/TLS and the certificate for the LDAP server needs to be imported.

from
https://doc.freenas.org/9.3/freenas_dir … rvice.html

I have a problem with how to populate the samba attributes, because I don't know how to make it work,
as I don't know how to configure smb.conf.

Anyway, I have seen that my iRedMail server has the samba attributes using LDAP admin software; I just don't know how to populate them.

Have you tried manipulating the LDAP database using the ldapadd command before?

Thanks
Napoleon

9 (edited by napoleon.lam 2018-10-05 11:20:19)

Re: Iredmail as ldap server for FreeNAS-11.1-U5

1. Below is the LDAP Admin view; you can clearly see it has the samba schema now.
2. I have checked "use Samba schema"; the connection seems successful.

I hope anybody with experience of using FreeNAS as a file server with iRedMail users through an LDAP connection can give me some guidance.

Right now the problem is that I cannot populate the LDAP with the samba schema, as I don't know how.

Post's attachments: freenas-samba.PNG, ldapupdatesuccessfully.PNG, sambainiredmail.PNG

10 (edited by napoleon.lam 2018-10-11 17:36:54)

Re: Iredmail as ldap server for FreeNAS-11.1-U5

Dear Zhang,
  I have had a breakthrough in getting FreeNAS to use the iRedMail LDAP. I know what attributes are lacking in iRedAdmin so that FreeNAS can use it successfully; I have tested it and it works. I am using the ldapvi tool to add the necessary attributes in LDAP.
Now that I know what to do, I would like to try to change some code in your iRedAdmin so that once I create users and mail lists, it will add the necessary attributes to its LDAP to make it work. And now I want to ask:

1. On creating a user or group in iRedAdmin, what is the code I need to modify, and where is it?

I found the forum post https://forum.iredmail.org/topic3050-ir … entry.html
Is this the script adding data to LDAP?

Thanks
Napoleon

11

Re: Iredmail as ldap server for FreeNAS-11.1-U5

napoleon.lam wrote:

I found the forum post https://forum.iredmail.org/topic3050-ir … entry.html
Is this the script adding data to LDAP?

Yes.

Would you mind sharing what attributes/values you need to add? Maybe I have a better idea for customization without breaking the iRedAdmin(-Pro) upgrade process.

12 (edited by napoleon.lam 2018-10-12 15:28:19)

Re: Iredmail as ldap server for FreeNAS-11.1-U5

Hi Zhang,
  Sure, the additional attributes I need to add for users are:
14.2    Upon entering the LDAP view that looks like vi, add the following to every user to make it accessible from FreeNAS:
        objectClass: sambaSamAccount
        objectClass: posixAccount
        objectClass: top
        uidNumber: 1004
        gidnumber: 505
        memberuid: (please change this to the iRedMail uid, e.g. napoleon.lam)
        sambaSID: S-1-5-21-1045372319-2979546414-3360713982-3008
        sambaLMPassword: 722AC01404A7515648116059303999A (this is generated when I enter the password from phpLDAPadmin. It can also be entered as plain text)
        sambaNTPassword: AAF696F5A0CC601A636A0364D5BF882
        sambaPwdCanChange: 0
        sambaPwdLastSet: 1537512632 (this is the date set and should be a date before you use this account. Use this converter https://www.epochconverter.com/)
        sambaPwdMustChange: 1569048632 (this is the date set and should be set farther than this user can use)
        gidNumber: 505

14.3    Also, please set the group first, just as below:
        dn: cn=IT,sambaDomainName=WORKGROUP,dc=mydomain,dc=com
        cn: IT
        displayName: IT
        gidNumber: 505
        memberUid: napoleon.lam
        memberUid: mario.li
        objectClass: posixGroup
        objectClass: sambaGroupMapping
        objectClass: top
        sambaGroupType: 2
        sambaSID: S-1-5-21-1045372319-2979546414-3360713982-2010 <this is autogenerated and I just changed any of it>

13 (edited by napoleon.lam 2018-10-12 15:34:53)

Re: Iredmail as ldap server for FreeNAS-11.1-U5

Zhang,

  This is my research and findings on how to get FreeNAS working with the iRedMail LDAP:
1    yum update
2    yum install openssh openssh-client openssh-server
3    yum install vim
4    yum install bzip2
5    systemctl start sshd
6    systemctl enable sshd
7    Install the firewall and configure it
7.1    yum install firewalld
7.2    firewall-cmd --get-active-zone
7.3    firewall-cmd --zone=iredmail --list-all
7.4    firewall-cmd --add-service={ldap,ldaps} --permanent
7.5    firewall-cmd --reload
8    Install the iRedMail server
8.1    Download the latest iRedMail package
8.2    Unpack using tar -xvf iRedMail-0.9.8.tar.bz2
8.3    cd iRedMail-0.9.8
8.4    bash iRedMail.sh
9    Install iRedAdmin-Pro
9.1    Download the latest iRedAdmin-Pro package
9.2    tar xvf iRedAdmin-Pro-LDAP-3.1.tar.bz2
9.3    cd iRedAdmin-Pro-LDAP-3.1
9.4    bash upgrade_iredadmin.sh
10    Install samba
10.1    yum install smbldap-tools
10.2    yum install samba*
11    Configure the server to import the samba schema
11.1    vim /etc/openldap/slapd.conf
11.2    Add this on the appropriate line: "include /etc/openldap/schema/samba.schema"
11.3    Add these near the last lines:
11.4    index sambaSID                eq
11.5    index sambaPrimaryGroupSID    eq
11.6    index sambaDomainName         eq
11.7    index sambaGroupType          eq
11.8    index sambaSIDList            eq
11.9    To make things simple, you can use a plain password for Manager by adding "rootpw secret" (secret is your password). You can also use the SSHA one, provided all your connections use SSHA. I used a plain password for more clarity in the explanation.
12    The iRedMail server should now have the samba schema. You can check using LDAP Admin (free LDAP software for Windows), but that is a view-only program; we need one that can edit, as iRedAdmin did not add the necessary attributes needed for FreeNAS (Samba), so we install ldapvi.
13    Install ldapvi
13.1    yum install ldapvi
14    Manipulate the LDAP using ldapvi
14.1    ldapvi --discover --host ct-mailfree --user cn=Manager,dc=mydomain,dc=com --password secret
14.2    Upon entering the LDAP view that looks like vi, add the following to every user to make it accessible from FreeNAS:
14.2.1    objectClass: inetOrgPerson
14.2.2    objectClass: sambaSamAccount
14.2.3    objectClass: posixAccount
14.2.4    objectClass: top
          sambaSID: S-1-5-21-1045372319-2979546414-3360713982-3008
          uidNumber: 1004
14.2.5    gidnumber: 505
14.2.6    memberuid: (please change this to the iRedMail uid, e.g. napoleon.lam)
14.2.7    sambaLMPassword: 722AC01404A7515648116059303999A (this is generated when I enter the password from phpLDAPadmin. It can also be entered as plain text)
14.2.8    sambaNTPassword: AAF696F5A0CC601A636A0364D5BF882
14.2.9    sambaPwdCanChange: 0
14.2.10    sambaPwdLastSet: 1537512632 (this is the date set and should be a date before you use this account. Use this converter https://www.epochconverter.com/)
14.2.11    sambaPwdMustChange: 1569048632 (this is the date set and should be set farther than this user can use)
14.2.12    gidNumber: 505
14.3    Also, please set the group first, just as below
14.3.1    Use the word "add" in front to add:
          add dn: cn=IT,sambaDomainName=WORKGROUP,dc=mydomain,dc=com
          cn: IT
          displayName: IT
          gidNumber: 505
          memberUid: napoleon.lam
          memberUid: mario.li
          objectClass: posixGroup
          objectClass: sambaGroupMapping
          objectClass: top
          sambaGroupType: 2
          sambaSID: S-1-5-21-1045372319-2979546414-3360713982-2010 <this is autogenerated and I just changed any of it>

14.4    Type :wq! (just like vi, for write and quit), then type y to confirm; if there is an error, press e to edit and correct it.
14.5    The command reference for ldapvi: http://www.lichteblau.com/ldapvi/manual/
15    Check the entry again to verify that it was successfully added, using ldapvi --discover --host ct-mailfree --user cn=Manager,dc=mydomain,dc=com --password secret
16    systemctl restart slapd (to restart slapd)
17    ----------------------------------------------on the FreeNAS side------------------------------------------------------------------
18    Download the FreeNAS ISO FreeNAS-11.1-U5.iso from the website and upload it to PVE
19    You should allocate another free disk for the FreeNAS data; I added a hard disk with more space, and also chose BIOS when installing
20    Create a volume and some datasets (first use the default one)
21    Configure LDAP by:
21.1    Choose Directory->LDAP
21.2    Hostname: <ip of iredmail server>:389
21.3    Base DN: dc=mydomain,dc=com
21.4    Bind DN: cn=Manager,dc=mydomain,dc=com
21.5    Bind password: <use the password found in slapd.conf>
22    Press "Advanced Mode" and check the Samba Schema
23    Press save. (It needs around 10 seconds and will display "ldap update successfully"; otherwise it will say failed and you should find out why and resolve it.)
24    Press "Rebuild Directory Service Cache" for immediate effect of the LDAP retrieval from iRedMail
25    Check the success of LDAP access from iRedMail by:
25.1    Using the permission assignment on a dataset:
25.1.1    Choose View Volumes->share and click "Change Permissions".
25.1.2    Click the drop-down box beside Owner (user); you should see the iRedMail users you have processed (I mean added the samba attributes using ldapvi)
25.1.3    To check the group, click the group drop-down box and you should see the group you created using ldapvi; the group is needed for FreeNAS.
25.2    Or check using a command:
25.2.1    Click the Shell in the FreeNAS GUI
25.2.2    Type getent passwd
25.2.3    It will display the iRedMail users.
26    Using these 2 kinds of checks proves you have configured the LDAP on iRedMail and the FreeNAS LDAP configuration correctly.
27    -----------------------------------------------configure folder rights------------------------------------------------------
28    Create the superuser for folder rights assignment in iRedMail (I used postmaster and added its samba attributes)
29    After the necessary users and groups have been created in the LDAP of iRedMail:
30    Go to View Volumes->Change Permissions and, for user, select the superuser you have created; for group, select the necessary group assigned to this folder (groups make rights management simpler)
31    Click on Sharing -> Windows (SMB) and create a share for every dataset; on each share:
31.1    Uncheck "Apply Default Permissions" and "Browsable to Network Clients".
31.2    Uncheck "Allow Guest Access".
31.3    Check "Access Based Share Enumeration" and click OK
31.4    Create another top share for the top folder, which this time:
31.4.1    Check "Apply Default Permissions"
31.4.2    Check "Browsable to Network Clients"
31.4.3    Uncheck "Access Based Share Enumeration" and click OK
32    On a Windows client, try to access the FreeNAS by typing \\<IP address>
33    When it prompts for user and password, type <IP address>\superuser (the superuser is the one you created in step 28 and assigned rights in View Volumes in step 30)
34    Click into the top share you created in 31.4 and, on every folder you can see, right click and click "Properties"->Security->Edit, remove the "everyone" entry and click Apply.
35    After you are done, try to log in as an ordinary user and you can only see the folders you have privileges for.

Hope this can help you

14

Re: Iredmail as ldap server for FreeNAS-11.1-U5

Dear Zhang,
  The problem now is that adding a user should add these attributes; also, iRedMail does not have a posixGroup group object, which needs to be added separately. One suggestion is to use a mail list and add 2 objects: the maillist object and the posixGroup object.

Napoleon

15

Re: Iredmail as ldap server for FreeNAS-11.1-U5

Hi Zhang,
  I am now working on iredldif.py; this is a Python script (I will try). What is the best IDE software to test its syntax?

Thanks
Napoleon

16

Re: Iredmail as ldap server for FreeNAS-11.1-U5

Dear Zhang,
  I have successfully modified iredldif.py as follows:
  ldif = [('objectClass', ['inetOrgPerson', 'mailUser', 'shadowAccount', 'amavisAccount', 'sambaSamAccount', 'posixAccount', 'top']),
          ('mail', [mail]),
          ('userPassword', passwd),
          ('sn', [username]),
          ('uid', [username]),
          # samba needed attributes
          ('sambaSID', ['S-1-5-21-1045372319-2979546414-3360713982-1011']),
          ('uidNumber', ['1011']),
          ('gidNumber', ['505']),
          ('sambaLMPassword', ['722AC01404A751564811605930312345']),
          ('sambaNTPassword', ['AAF696F5A0CC601A636A0364D5B67890']),
          ('sambaPwdCanChange', ['0']),
          ('sambaPwdLastSet', ['1537512632']),
          ('sambaPwdMustChange', ['1569048632']),
          # end samba attributes
          ('storageBaseDirectory', [storageBaseDirectory]),
          ('mailMessageStore', [mailMessageStore]),
          ('homeDirectory', [homeDirectory]),
          ('accountStatus', ['active']),
          ('enabledService', enabled_services),
          # shadowAccount integration.
          ('shadowLastChange', [str(ldaputils.get_days_of_shadow_last_change())]),


   I have tested by hard-coding the data, and it seems this will let FreeNAS see the user once I add it.
But as I said, it is hard-coded; some data should be system generated, like

            ('sambaSID', ['should be system generated']),
            ('uidNumber', ['should be system generated']),
            ('gidNumber', ['should be system generated']),
            ('sambaLMPassword', ['should be system generated']),
            ('sambaNTPassword', ['should be system generated']),
            ('sambaPwdCanChange', ['should be system generated']),
            ('sambaPwdLastSet', ['should be system generated']),
            ('sambaPwdMustChange', ['should be system generated']),

Now I am working on how; please let me know if you have some better code.
Napoleon

17

Re: Iredmail as ldap server for FreeNAS-11.1-U5

napoleon.lam wrote:

some data should be system generated, like
            ('sambaSID', ['should be system generated']),
            ('uidNumber', ['should be system generated']),
            ('gidNumber', ['should be system generated']),
            ('sambaLMPassword', ['should be system generated']),
            ('sambaNTPassword', ['should be system generated']),
            ('sambaPwdCanChange', ['should be system generated']),
            ('sambaPwdLastSet', ['should be system generated']),
            ('sambaPwdMustChange', ['should be system generated']),

For uidNumber and gidNumber, it's easy to get them by Python code, but you need to figure out how to generate the others, especially sambaSID.
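Taking the ldapvi session in post 13 and the hard-coded values in the modified iredldif.py of post 16 together, every Samba attribute can be derived rather than pasted. The Python below is an added example written for this thread; it is not iRedMail or iRedAdmin code. It computes sambaNTPassword as MD4 over the UTF-16LE password (a small pure-Python MD4 is included because hashlib's md4 is disabled in many OpenSSL 3 builds), allocates the next free uidNumber from the ones already in the directory, derives sambaSID from the domain SID using the smbldap-tools RID convention (user RID = 2*uidNumber + 1000, group RID = 2*gidNumber + 1001; an assumption, check it against your own domain's mapping), and emits an LDIF modify record that ldapmodify can apply to an existing iRedMail user. The user DN, the existing uidNumber list and the sample password are constructed placeholders; the domain SID is the one from post 12 and must match the sambaDomainName entry in your directory. sambaLMPassword is left out on purpose: the LM hash is weak and Samba ignores it under its default lanman auth = no.

```python
# Added example for this thread (not iRedMail/iRedAdmin code): derive the
# Samba/POSIX attributes that the ldapvi session and the modified iredldif.py
# hard-code, and emit them as an LDIF modify record.
import struct
import time


def _lrot(x, n):
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF


def _md4_round(v, X, func, const, korder, shifts):
    # One MD4 round: 16 steps that update a, d, c, b in turn (v = [a, b, c, d]).
    for i in range(16):
        j = (-i) % 4
        x, y, z = v[(j + 1) % 4], v[(j + 2) % 4], v[(j + 3) % 4]
        t = (v[j] + func(x, y, z) + X[korder[i]] + const) & 0xFFFFFFFF
        v[j] = _lrot(t, shifts[i % 4])


def md4(data: bytes) -> bytes:
    # Pure-Python MD4 (RFC 1320); hashlib.new("md4") is disabled in many
    # OpenSSL 3 builds, and the NT hash is defined over MD4.
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", len(data) * 8)
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    F = lambda x, y, z: (x & y) | (~x & 0xFFFFFFFF & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        v = h[:]
        _md4_round(v, X, F, 0, list(range(16)), (3, 7, 11, 19))
        _md4_round(v, X, G, 0x5A827999,
                   [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13))
        _md4_round(v, X, H, 0x6ED9EBA1,
                   [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15))
        h = [(a + b) & 0xFFFFFFFF for a, b in zip(h, v)]
    return struct.pack("<4I", *h)


def nt_hash(password: str) -> str:
    # sambaNTPassword = MD4(UTF-16LE password), stored as 32 uppercase hex digits.
    return md4(password.encode("utf-16-le")).hex().upper()


def next_uid_number(existing_uid_numbers, floor=1000):
    # Smallest uidNumber >= floor not already used; feed it the uidNumber of
    # every existing posixAccount so two users never share an id.
    used = {int(u) for u in existing_uid_numbers}
    n = floor
    while n in used:
        n += 1
    return n


def user_rid(uid_number):
    # Assumption: smbldap-tools' algorithmic mapping, user RID = 2*uidNumber + 1000.
    return 2 * uid_number + 1000


def group_rid(gid_number):
    # Assumption: the same mapping for groups, RID = 2*gidNumber + 1001.
    return 2 * gid_number + 1001


def samba_user_attributes(domain_sid, uid_number, gid_number, password,
                          now=None, max_age_days=365):
    # The attribute set from the thread with every value derived. sambaLMPassword
    # is omitted: the LM hash is weak and Samba ignores it under "lanman auth = no".
    now = int(time.time()) if now is None else int(now)
    return {
        "sambaSID": "%s-%d" % (domain_sid, user_rid(uid_number)),
        "uidNumber": str(uid_number),
        "gidNumber": str(gid_number),
        "sambaNTPassword": nt_hash(password),
        "sambaPwdCanChange": "0",
        "sambaPwdLastSet": str(now),
        "sambaPwdMustChange": str(now + max_age_days * 86400),
    }


def user_modify_ldif(dn, attrs, object_classes=("sambaSamAccount", "posixAccount")):
    # LDIF "changetype: modify" for ldapmodify; iRedMail users already carry
    # inetOrgPerson, uid and homeDirectory, which these two classes require.
    lines = ["dn: " + dn, "changetype: modify", "add: objectClass"]
    lines += ["objectClass: " + oc for oc in object_classes]
    lines.append("-")
    for name, value in attrs.items():
        lines += ["add: " + name, "%s: %s" % (name, value), "-"]
    return lines


if __name__ == "__main__":
    # Constructed sample input; the domain SID must match your sambaDomainName entry.
    DOMAIN_SID = "S-1-5-21-1045372319-2979546414-3360713982"
    uid = next_uid_number([1000, 1001, 1004])  # uidNumbers already in the directory (constructed)
    attrs = samba_user_attributes(DOMAIN_SID, uid, 505, "example-password")
    dn = "mail=napoleon.lam@mydomain.com,ou=Users,domainName=mydomain.com,o=domains,dc=mydomain,dc=com"
    print("\n".join(user_modify_ldif(dn, attrs)))
```

Running the script prints an LDIF record you can feed to ldapmodify with the same bind DN used for ldapvi. With uidNumber 1004 the mapping yields RID 3008, the same value as the sambaSID shown in post 12, and a 365-day maximum age turns the thread's sambaPwdLastSet of 1537512632 into its sambaPwdMustChange of 1569048632, so the convention reproduces the hand-built entry. Since the record writes a password hash into the directory, keep the slapd ACL that hides sambaNTPassword from ordinary binds, as iRedMail already does for userPassword.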

18

Re: Iredmail as ldap server for FreeNAS-11.1-U5

Dear Zhang,
  Do you have an updated Python script that can also generate the samba attributes when creating users or groups now?

Thanks
Napoleon

19

Re: Iredmail as ldap server for FreeNAS-11.1-U5

napoleon.lam wrote:

  Do you have an updated Python script that can also generate the samba attributes when creating users or groups now?

I don't have code for the Samba-related attributes, sorry.