1

Topic: iRedMail LDAP QNAP integration

Are there any success stories of integrating QNAP with iRedMail-OpenLDAP?

I'm trying to integrate my QNAP TS-832PXU-RP with my iRedMail-Pro/OpenLDAP server to allow users to authenticate with email accounts. So I ssh-ed to the QNAP and made the corresponding changes to

/etc/config/nss_ldap.conf

```
host mail.mydomain.org
base o=domains,dc=mydomain,dc=org
uri ldap://mail.mydomain.org/
ssl off
rootbinddn cn=vmail,dc=mydomain,dc=org
pam_login_attribute mail
nss_base_passwd ou=Users,domainName=mydomain.org,o=domains,dc=mydomain,dc=org?one?(accountStatus=active)
nss_base_shadow ou=Users,domainName=mydomain.org,o=domains,dc=mydomain,dc=org?one
nss_base_group ou=Groups,domainName=mydomain.org,o=domains,dc=mydomain,dc=org?one
tls_checkpeer no
bind_policy soft
bind_timelimit 2
tls_ciphers ES3cRET0:!MD5
nss_initgroups_ignoreusers admin
```

And then restarted /etc/init.d/ldap.sh

Although login is successful now, getent passwd/group returns no LDAP users; it also still uses the uid attribute to log in (i.e. username, not username@mydomain.org) and allows blocked users to log in to QNAP (it ignores the (accountStatus=active) filter).

Tried to map attributes (nss_map_attribute uid mail) without any luck.

Any ideas how to make QNAP work together with iRedMail?

P.S. The domain user list in QNAP "Control Panel/Users/Domain users" is also empty; however, domain users are seen in the online users dashboard widget.


2

Re: iRedMail LDAP QNAP integration

Didn't try such integration before. I'm afraid you're on your own. Don't forget to turn on debug mode in OpenLDAP to check the ldap filters used by QNAP.

3

Re: iRedMail LDAP QNAP integration

BTW, I switched loglevel in /etc/ldap/slapd.conf to 256 and restarted slapd, but still got an empty /var/log/openldap/openldap.log. Did I miss something?

4

Re: iRedMail LDAP QNAP integration

So I finally got the OpenLDAP logs:

```
Sep 20 16:25:46 mydomain slapd[2155779]: conn=1022 fd=21 ACCEPT from IP=172.16.88.67:41828 (IP=0.0.0.0:389)
Sep 20 16:25:46 mydomain slapd[2155779]: conn=1022 op=0 BIND dn="cn=vmail,dc=mydomain,dc=org" method=128
Sep 20 16:25:46 mydomain slapd[2155779]: conn=1022 op=0 BIND dn="cn=vmail,dc=mydomain,dc=org" mech=SIMPLE ssf=0
Sep 20 16:25:46 mydomain slapd[2155779]: conn=1022 op=0 RESULT tag=97 err=0 text=
Sep 20 16:25:46 mydomain slapd[2155779]: conn=1022 op=1 SRCH base="" scope=0 deref=0 filter="(objectClass=*)"
Sep 20 16:25:46 mydomain slapd[2155779]: conn=1022 op=1 SRCH attr=supportedControl
Sep 20 16:25:46 mydomain slapd[2155779]: conn=1022 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Sep 20 16:25:46 mydomain slapd[2155779]: conn=1022 op=2 SRCH base="ou=Users,domainName=mydomain.org,o=domains,dc=mydomain,dc=org" scope=2 deref=0 filter="(&(?objectClass=sambaDomain)(?sambaDomainName=WORKGROUP))"
Sep 20 16:25:46 mydomain slapd[2155779]: conn=1022 op=2 SRCH attr=sambaDomainName sambaNextRid sambaNextUserRid sambaNextGroupRid sambaSID sambaAlgorithmicRidBase objectClass
Sep 20 16:25:46 mydomain slapd[2155779]: conn=1022 op=2 SEARCH RESULT tag=101 err=0 nentries=0 text=
Sep 20 16:25:46 mydomain slapd[2155779]: conn=1022 op=3 SRCH base="ou=Users,domainName=mydomain.org,o=domains,dc=mydomain,dc=org" scope=2 deref=0 filter="(&(?sambaDomainName=WORKGROUP)(?objectClass=sambaDomain))"
Sep 20 16:25:46 mydomain slapd[2155779]: conn=1022 op=3 SRCH attr=sambaDomainName sambaNextRid sambaNextUserRid sambaNextGroupRid sambaSID sambaAlgorithmicRidBase objectClass
Sep 20 16:25:46 mydomain slapd[2155779]: conn=1022 op=3 SEARCH RESULT tag=101 err=0 nentries=0 text=
Sep 20 16:25:46 mydomain slapd[2155779]: conn=1022 op=4 do_add: invalid dn (sambaDomainName=WORKGROUP,ou=Users,domainName=mydomain.org,o=domains,dc=mydomain,dc=org)
Sep 20 16:25:46 mydomain slapd[2155779]: conn=1022 op=4 RESULT tag=105 err=34 text=invalid DN
Sep 20 16:25:46 mydomain slapd[2155779]: conn=1022 fd=21 closed (connection lost)
```

Looks like QNAP treats any LDAP like AD
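
An added example, not part of the original thread: a small Python audit of slapd stats-level log lines like the ones posted above. It lists the searches the client actually sent and flags simple binds with `ssf=0`, filter terms logged with a `?` prefix (unknown to the server's schema), write attempts, and the absence of an expected filter such as `accountStatus=active`. The names `audit` and `required_filter` are assumptions made for this illustration.

```python
import re

# Subset of the slapd stats-level (loglevel 256) lines posted in this thread.
SAMPLE = '''\
Sep 20 16:25:46 mydomain slapd[2155779]: conn=1022 op=0 BIND dn="cn=vmail,dc=mydomain,dc=org" mech=SIMPLE ssf=0
Sep 20 16:25:46 mydomain slapd[2155779]: conn=1022 op=0 RESULT tag=97 err=0 text=
Sep 20 16:25:46 mydomain slapd[2155779]: conn=1022 op=2 SRCH base="ou=Users,domainName=mydomain.org,o=domains,dc=mydomain,dc=org" scope=2 deref=0 filter="(&(?objectClass=sambaDomain)(?sambaDomainName=WORKGROUP))"
Sep 20 16:25:46 mydomain slapd[2155779]: conn=1022 op=2 SEARCH RESULT tag=101 err=0 nentries=0 text=
Sep 20 16:25:46 mydomain slapd[2155779]: conn=1022 op=4 RESULT tag=105 err=34 text=invalid DN
'''

OP = re.compile(r"conn=(\d+) op=(\d+) (.*)$")
BIND = re.compile(r'BIND dn="([^"]*)" mech=(\S+) ssf=(\d+)')
SRCH = re.compile(r'SRCH base="([^"]*)" scope=(\d+) deref=\d+ filter="(.*)"$')
RESULT = re.compile(r"RESULT tag=(\d+) err=(\d+)")
SCOPES = {"0": "base", "1": "one", "2": "sub"}
# LDAP response tags for write operations (modify, add, delete, modrdn).
WRITE_TAGS = {"103": "modify", "105": "add", "107": "delete", "109": "modrdn"}

def audit(log_text, required_filter="accountStatus=active"):
    """Return (searches, findings); names and parameters are illustrative."""
    searches, findings = [], []
    for line in log_text.splitlines():
        m = OP.search(line)
        if not m:
            continue
        conn, op, rest = m.groups()
        if b := BIND.match(rest):
            dn, mech, ssf = b.groups()
            if mech == "SIMPLE" and ssf == "0":  # password sent with no TLS/SASL layer
                findings.append(f"conn={conn}: cleartext simple bind as {dn}")
        elif s := SRCH.match(rest):
            base, scope, flt = s.groups()
            searches.append((base, SCOPES.get(scope, scope), flt))
            if "(?" in flt:  # slapd logs terms its schema cannot resolve with '?'
                findings.append(f"conn={conn} op={op}: filter term unknown to schema")
        elif r := RESULT.search(rest):
            tag, err = r.groups()
            if tag in WRITE_TAGS:
                findings.append(f"conn={conn} op={op}: client attempted {WRITE_TAGS[tag]} (err={err})")
    if not any(required_filter in flt for _, _, flt in searches):
        findings.append(f"no search carried the expected filter {required_filter!r}")
    return searches, findings

if __name__ == "__main__":
    searches, findings = audit(SAMPLE)
    for base, scope, flt in searches:
        print(f"{scope:4} {base}  {flt}")
    for finding in findings:
        print("!", finding)
```

Run against the full log file, the search list shows the scope and filter the client really used, which can be compared with the `nss_base_passwd` line in `nss_ldap.conf`.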

5

Re: iRedMail LDAP QNAP integration

Better check the QNAP documentation to figure out which attributes are required.
On the iRedMail side, OpenLDAP is just an LDAP server; it should work when you specify the correct LDAP base DN, bind DN, bind password, and filter.