1 Topic by mskaraca

  • mskaraca
  • Member
  • Offline
  • Registered: 2023-09-12
  • Posts: 2

Topic: iRedMail with freeIPA LDAP server integration

==== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version (check /etc/iredmail-release): 1.6.4 OPENLDAP edition.
- Deployed with iRedMail Easy or the downloadable installer? downloadable
- Linux/BSD distribution name and version: ubuntu 22.04
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): RedHat Identity management (aka freeIPA)
- Web server (Apache or Nginx): nginx
- Manage mail accounts with iRedAdmin-Pro? NO
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====

Hi. I have already had an LDAP server (Redhat Identity Management server also known as freeIPA server). instead of openLDAP, I want to use this as my LDAP server.

my e-mail domain is: abra.co.uk
my LDAP domain: abra.local

I know, they are different..

I have followed your AD integration doc. I have successfully created ldap user to query LDAP users in my RedHat IDm server.
but I think I have a problem with filters and result_attributes. postmap returns nothing and I am sharing the verbose output below. any help is much appreciated..

Note: I have not created any mail group. I also need help on this

I have changed ad_sender_login_maps.cf with the following:
/etc/postfix/ad_sender_login_maps.cf

server_host     = freeipa.abra.local
server_port     = 389
version         = 3
bind            = yes
start_tls       = no
bind_dn         = uid=vmail,cn=users,cn=accounts,dc=abra,dc=local
bind_pw         = ***
search_base     = cn=users,cn=accounts,dc=abra,dc=local
scope           = sub
query_filet     = (uid=%u)
result_attribute= uid
debuglevel      = 0

root@mail:~# cat /etc/postfix/ad_virtual_mailbox_maps.cf
server_host     = freeipa.abra.local
server_port     = 389
version         = 3
bind            = yes
start_tls       = no
bind_dn         = uid=vmail,cn=users,cn=accounts,dc=abra,dc=local
bind_pw         = ***
search_base     = cn=users,cn=accounts,dc=abra,dc=local
scope           = sub
query_filter    = (uid=%u)
result_attribute= uid
result_format   = %d/%u/Maildir/
debuglevel      = 0

root@mail:~# cat /etc/postfix/ad_virtual_group_maps.cf
server_host     = freeipa.abra.local
server_port     = 389
version         = 3
bind            = yes
start_tls       = no
bind_dn         = uid=vmail,cn=users,cn=accounts,dc=abra,dc=local
bind_pw         = ***
search_base     = cn=users,cn=accounts,dc=abra,dc=local
scope           = sub
query_filter    = (&(objectClass=group)(mail=%u@abra.local))
special_result_attribute = member
#leaf_result_attribute = mail
result_attribute= uid
debuglevel      = 0

root@mail:~# postmap -q vmail@abra.co.uk ldap:/etc/postfix/ad_virtual_mailbox_maps.cf
postmap: dict_ldap_debug: ldap_create
postmap: dict_ldap_debug: ldap_url_parse_ext(ldap://freeipa.abra.local:389)
postmap: dict_ldap_debug: ldap_sasl_bind
postmap: dict_ldap_debug: ldap_send_initial_request
postmap: dict_ldap_debug: ldap_new_connection 1 1 0
postmap: dict_ldap_debug: ldap_int_open_connection
postmap: dict_ldap_debug: ldap_connect_to_host: TCP freeipa.abra.local:389
postmap: dict_ldap_debug: ldap_new_socket: 4
postmap: dict_ldap_debug: ldap_prepare_socket: 4
postmap: dict_ldap_debug: ldap_connect_to_host: Trying 192.168.10.211:389
postmap: dict_ldap_debug: ldap_pvt_connect: fd: 4 tm: 10 async: 0
postmap: dict_ldap_debug: ldap_ndelay_on: 4
postmap: dict_ldap_debug: attempting to connect:
postmap: dict_ldap_debug: connect errno: 115
postmap: dict_ldap_debug: ldap_int_poll: fd: 4 tm: 10
postmap: dict_ldap_debug: ldap_is_sock_ready: 4
postmap: dict_ldap_debug: ldap_ndelay_off: 4
postmap: dict_ldap_debug: ldap_pvt_connect: 0
postmap: dict_ldap_debug: ldap_open_defconn: successful
postmap: dict_ldap_debug: ldap_send_server_request
postmap: dict_ldap_debug: ber_scanf fmt ({it) ber:
postmap: dict_ldap_debug: ber_scanf fmt ({i) ber:
postmap: dict_ldap_debug: ber_flush2: 75 bytes to sd 4
postmap: dict_ldap_debug: ldap_result ld 0x55cdd1541e20 msgid 1
postmap: dict_ldap_debug: wait4msg ld 0x55cdd1541e20 msgid 1 (timeout 10000000 usec)
postmap: dict_ldap_debug: wait4msg continue ld 0x55cdd1541e20 msgid 1 all 1
postmap: dict_ldap_debug: ** ld 0x55cdd1541e20 Connections:
postmap: dict_ldap_debug: * host: freeipa.abra.local  port: 389  (default)
postmap: dict_ldap_debug: * from: IP=192.168.10.214:45622
postmap: dict_ldap_debug:   refcnt: 2  status: Connected
postmap: dict_ldap_debug:   last used: Mon Sep 11 23:12:10 2023
postmap: dict_ldap_debug:
postmap: dict_ldap_debug: ** ld 0x55cdd1541e20 Outstanding Requests:
postmap: dict_ldap_debug:  * msgid 1,  origid 1, status InProgress
postmap: dict_ldap_debug:    outstanding referrals 0, parent count 0
postmap: dict_ldap_debug:   ld 0x55cdd1541e20 request count 1 (abandoned 0)
postmap: dict_ldap_debug: ** ld 0x55cdd1541e20 Response Queue:
postmap: dict_ldap_debug:    Empty
postmap: dict_ldap_debug:   ld 0x55cdd1541e20 response count 0
postmap: dict_ldap_debug: ldap_chkResponseList ld 0x55cdd1541e20 msgid 1 all 1
postmap: dict_ldap_debug: ldap_chkResponseList returns ld 0x55cdd1541e20 NULL
postmap: dict_ldap_debug: ldap_int_select
postmap: dict_ldap_debug: read1msg: ld 0x55cdd1541e20 msgid 1 all 1
postmap: dict_ldap_debug: ber_get_next
postmap: dict_ldap_debug: ber_get_next: tag 0x30 len 12 contents:
postmap: dict_ldap_debug: ldap_find_request_by_msgid: msgid 1, lr 0x55cdd1545a70 lr->lr_refcnt = 1
postmap: dict_ldap_debug: read1msg: ld 0x55cdd1541e20 msgid 1 message type bind
postmap: dict_ldap_debug: ber_scanf fmt ({eAA) ber:
postmap: dict_ldap_debug: read1msg: ld 0x55cdd1541e20 0 new referrals
postmap: dict_ldap_debug: read1msg:  mark request completed, ld 0x55cdd1541e20 msgid 1
postmap: dict_ldap_debug: request done: ld 0x55cdd1541e20 msgid 1
postmap: dict_ldap_debug: res_errno: 0, res_error: <>, res_matched: <>
postmap: dict_ldap_debug: ldap_return_request: lrx 0x55cdd1545a70, lr 0x55cdd1545a70
postmap: dict_ldap_debug: ldap_return_request: lrx->lr_msgid 1, lrx->lr_refcnt is now 0, lr is still present
postmap: dict_ldap_debug: ldap_free_request (origid 1, msgid 1)
postmap: dict_ldap_debug: ldap_free_request_int: lr 0x55cdd1545a70 msgid 1 removed
postmap: dict_ldap_debug: ldap_do_free_request: asked to free lr 0x55cdd1545a70 msgid 1 refcnt 0
postmap: dict_ldap_debug: ldap_parse_result
postmap: dict_ldap_debug: ber_scanf fmt ({iAA) ber:
postmap: dict_ldap_debug: ber_scanf fmt (}) ber:
postmap: dict_ldap_debug: ldap_msgfree
postmap: dict_ldap_debug: ldap_search_ext
postmap: dict_ldap_debug: put_filter: "(uid=vmail)"
postmap: dict_ldap_debug: put_filter: simple
postmap: dict_ldap_debug: put_simple_filter: "uid=vmail"
postmap: dict_ldap_debug: ldap_send_initial_request
postmap: dict_ldap_debug: ldap_send_server_request
postmap: dict_ldap_debug: ber_scanf fmt ({it) ber:
postmap: dict_ldap_debug: ber_scanf fmt ({) ber:
postmap: dict_ldap_debug: ber_flush2: 84 bytes to sd 4
postmap: dict_ldap_debug: ldap_result ld 0x55cdd1541e20 msgid 2
postmap: dict_ldap_debug: wait4msg ld 0x55cdd1541e20 msgid 2 (timeout 10000000 usec)
postmap: dict_ldap_debug: wait4msg continue ld 0x55cdd1541e20 msgid 2 all 1
postmap: dict_ldap_debug: ** ld 0x55cdd1541e20 Connections:
postmap: dict_ldap_debug: * host: freeipa.abra.local  port: 389  (default)
postmap: dict_ldap_debug: * from: IP=192.168.10.214:45622
postmap: dict_ldap_debug:   refcnt: 2  status: Connected
postmap: dict_ldap_debug:   last used: Mon Sep 11 23:12:10 2023
postmap: dict_ldap_debug:
postmap: dict_ldap_debug: ** ld 0x55cdd1541e20 Outstanding Requests:
postmap: dict_ldap_debug:  * msgid 2,  origid 2, status InProgress
postmap: dict_ldap_debug:    outstanding referrals 0, parent count 0
postmap: dict_ldap_debug:   ld 0x55cdd1541e20 request count 1 (abandoned 0)
postmap: dict_ldap_debug: ** ld 0x55cdd1541e20 Response Queue:
postmap: dict_ldap_debug:    Empty
postmap: dict_ldap_debug:   ld 0x55cdd1541e20 response count 0
postmap: dict_ldap_debug: ldap_chkResponseList ld 0x55cdd1541e20 msgid 2 all 1
postmap: dict_ldap_debug: ldap_chkResponseList returns ld 0x55cdd1541e20 NULL
postmap: dict_ldap_debug: ldap_int_select
postmap: dict_ldap_debug: read1msg: ld 0x55cdd1541e20 msgid 2 all 1
postmap: dict_ldap_debug: ber_get_next
postmap: dict_ldap_debug: ber_get_next: tag 0x30 len 74 contents:
postmap: dict_ldap_debug: ldap_find_request_by_msgid: msgid 2, lr 0x55cdd1545f30 lr->lr_refcnt = 1
postmap: dict_ldap_debug: read1msg: ld 0x55cdd1541e20 msgid 2 message type search-entry
postmap: dict_ldap_debug: ldap_return_request: lrx 0x55cdd1545f30, lr 0x55cdd1545f30
postmap: dict_ldap_debug: ldap_return_request: lrx->lr_msgid 2, lrx->lr_refcnt is now 0, lr is still present
postmap: dict_ldap_debug: wait4msg ld 0x55cdd1541e20 9 s 999132 us to go
postmap: dict_ldap_debug: wait4msg continue ld 0x55cdd1541e20 msgid 2 all 1
postmap: dict_ldap_debug: ** ld 0x55cdd1541e20 Connections:
postmap: dict_ldap_debug: * host: freeipa.abra.local  port: 389  (default)
postmap: dict_ldap_debug: * from: IP=192.168.10.214:45622
postmap: dict_ldap_debug:   refcnt: 2  status: Connected
postmap: dict_ldap_debug:   last used: Mon Sep 11 23:12:10 2023
postmap: dict_ldap_debug:
postmap: dict_ldap_debug: ** ld 0x55cdd1541e20 Outstanding Requests:
postmap: dict_ldap_debug:  * msgid 2,  origid 2, status InProgress
postmap: dict_ldap_debug:    outstanding referrals 0, parent count 0
postmap: dict_ldap_debug:   ld 0x55cdd1541e20 request count 1 (abandoned 0)
postmap: dict_ldap_debug: ** ld 0x55cdd1541e20 Response Queue:
postmap: dict_ldap_debug:  * msgid 2,  type 100
postmap: dict_ldap_debug:   ld 0x55cdd1541e20 response count 1
postmap: dict_ldap_debug: ldap_chkResponseList ld 0x55cdd1541e20 msgid 2 all 1
postmap: dict_ldap_debug: ldap_chkResponseList returns ld 0x55cdd1541e20 NULL
postmap: dict_ldap_debug: ldap_int_select
postmap: dict_ldap_debug: read1msg: ld 0x55cdd1541e20 msgid 2 all 1
postmap: dict_ldap_debug: ber_get_next
postmap: dict_ldap_debug: ber_get_next: tag 0x30 len 12 contents:
postmap: dict_ldap_debug: ldap_find_request_by_msgid: msgid 2, lr 0x55cdd1545f30 lr->lr_refcnt = 1
postmap: dict_ldap_debug: read1msg: ld 0x55cdd1541e20 msgid 2 message type search-result
postmap: dict_ldap_debug: ber_scanf fmt ({eAA) ber:
postmap: dict_ldap_debug: read1msg: ld 0x55cdd1541e20 0 new referrals
postmap: dict_ldap_debug: read1msg:  mark request completed, ld 0x55cdd1541e20 msgid 2
postmap: dict_ldap_debug: request done: ld 0x55cdd1541e20 msgid 2
postmap: dict_ldap_debug: res_errno: 0, res_error: <>, res_matched: <>
postmap: dict_ldap_debug: ldap_return_request: lrx 0x55cdd1545f30, lr 0x55cdd1545f30
postmap: dict_ldap_debug: ldap_return_request: lrx->lr_msgid 2, lrx->lr_refcnt is now 0, lr is still present
postmap: dict_ldap_debug: ldap_free_request (origid 2, msgid 2)
postmap: dict_ldap_debug: ldap_free_request_int: lr 0x55cdd1545f30 msgid 2 removed
postmap: dict_ldap_debug: ldap_do_free_request: asked to free lr 0x55cdd1545f30 msgid 2 refcnt 0
postmap: dict_ldap_debug: adding response ld 0x55cdd1541e20 msgid 2 type 101:
postmap: dict_ldap_debug: ldap_parse_result
postmap: dict_ldap_debug: ber_scanf fmt ({iAA) ber:
postmap: dict_ldap_debug: ber_scanf fmt (}) ber:
postmap: dict_ldap_debug: ldap_first_attribute
postmap: dict_ldap_debug: ber_scanf fmt ({xl{) ber:
postmap: dict_ldap_debug: ber_scanf fmt ({ax}) ber:
postmap: dict_ldap_debug: ldap_get_values_len
postmap: dict_ldap_debug: ber_scanf fmt ({x{{a) ber:
postmap: dict_ldap_debug: ber_scanf fmt ([V]) ber:
postmap: dict_ldap_debug: ldap_next_attribute
postmap: dict_ldap_debug: ldap_msgfree
postmap: dict_ldap_debug: ldap_free_connection 1 1
postmap: dict_ldap_debug: ldap_send_unbind
postmap: dict_ldap_debug: ber_flush2: 7 bytes to sd 4
postmap: dict_ldap_debug: ldap_free_connection: actually freed

----

Spider Email Archiver: On-Premises, lightweight email archiving software developed by iRedMail team. Supports Amazon S3 compatible storage and custom branding.

2 Reply by mskaraca

  • mskaraca
  • Member
  • Offline
  • Registered: 2023-09-12
  • Posts: 2

Re: iRedMail with freeIPA LDAP server integration

Hi
I solved my problem. here are the steps . I hope it will give benefit to other people

freeIPA LDAP entegrasyonu:

There is an official doc for AD integration. I have used this doc.
docs.iredmail.org/active.directory.html
this also opened some ideas on solution:
forum.iredmail.org/topic15548-external-domain-with-ldap-ad-authentication.htm

First step is to create a user to talk with the LDAP (freeIPA) server
maler/yourSecretPassword (on freeIPA)

With the following query, we understood that, we can query users from our LDAP server
  ldapsearch -x -H ldap://ipa.abra.local -D 'uid=maler,cn=users,cn=accounts,dc=abra,dc=local' -W -b 'cn=users,cn=accounts,dc=abra,dc=local'

2. Step
POSTFIX integration
Note: we have a special case here
mail domain is: abra.com
LDAP domain is: abra.local
so we needed to constrcurt result format for the offical one (abra.com) not for the LDAP one
Create necessary files for external LDAP (freeIPA) configuration

root@mail:~# cat /etc/postfix/ad_sender_login_maps.cf
server_host     = ipa.abra.local
server_port     = 389
version         = 3
bind            = yes
start_tls       = no
bind_dn         = uid=maler,cn=users,cn=accounts,dc=abra,dc=local
bind_pw         = yourSecretPassword
search_base     = cn=users,cn=accounts,dc=abra,dc=local
scope           = sub
query_filter    = (&(objectClass=person)(uid=%u))
result_attribute= mail
result_format    = %u@abra.com
debuglevel      = 0
root@mail:~# cat /etc/postfix/ad_virtual_mailbox_maps.cf
server_host     = ipa.abra.local
server_port     = 389
version         = 3
bind            = yes
start_tls       = no
bind_dn         = uid=maler,cn=users,cn=accounts,dc=abra,dc=local
bind_pw         = yourSecretPassword
search_base     = cn=users,cn=accounts,dc=abra,dc=local
scope           = sub
query_filter    =  (&(objectClass=person)(uid=%u))
result_attribute= mail
result_format   = abra.com/%u/Maildir/
debuglevel      = 0
root@mail:~# cat /etc/postfix/ad_virtual_group_maps.cf
server_host     = ipa.abra.local
server_port     = 389
version         = 3
bind            = yes
start_tls       = no
bind_dn         = uid=maler,cn=users,cn=accounts,dc=abra,dc=local
bind_pw         = yourSecretPassword
search_base     = cn=groups,cn=accounts,dc=abra,dc=local
scope           = sub
query_filter    = (&(objectClass=posixgroup)(cn=%u))
special_result_attribute = member
#leaf_result_attribute = mail
result_attribute= uid
debuglevel      = 0


We checked that this configuration is working:

postmap -q maler@abra.com ldap:/etc/postfix/ad_virtual_mailbox_maps.cf
postmap -q maler@abra.com ldap:/etc/postfix/ad_sender_login_maps.cf
# i created this group (mailers) and made all users members of this group on freeIPA
postmap -q mailers@abra.com ldap:/etc/postfix/ad_virtual_group_maps.cf

3. Step
DOVECOT integration
root@mail:~# cat /etc/dovecot/dovecot-ldap.conf
hosts           = ipa.abra.local:389
ldap_version    = 3
auth_bind       = yes
dn              = uid=maler,cn=users,cn=accounts,dc=abra,dc=local
dnpass          = yourSecretPassword
base            = cn=users,cn=accounts,dc=abra,dc=local
scope           = subtree
deref           = never
debug_level     = 0

# Below two are required by command 'doveadm mailbox ...'
iterate_attrs   = uid=user
iterate_filter  = (&(objectClass=person)(uid=*))

user_filter     = (&(objectClass=person)(uid=%n))
user_attrs      = mail=master_user,mail=user,=home=/var/maler/maler1/%Ld/%Ln/,=mail=maildir:~/Maildir/

# Used for dn lookup
pass_filter     = (&(objectClass=person)(uid=%n))
pass_attrs      = userPassword=password
default_pass_scheme = CRYPT

We tested this config with
telnet localhost 143

. login maler@abra.com yourSecretPassword


4th step
ROUNDCUBE (mail web interface) integration

root@mail:~# cat /opt/www/roundcubemail/config/config.inc.php

// Global LDAP address book.
$config['ldap_public']["global_ldap_abook"] = array(
    'name'              => 'Global LDAP Address Book',
    'hosts'             => array('ipa.abra.local'),
    'port'              => 389,
    'use_tls'           => false,
    'ldap_version'      => '3',
    'network_timeout'   => 10,
    'user_specific'     => false,

    // Search mail users under same domain.
    'base_dn'       => 'cn=users,cn=accounts,dc=abra,dc=local',
    'bind_dn'       => 'uid=maler,cn=users,cn=accounts,dc=abra,dc=local',
    'bind_pass'     => "yourSecretPassword",

    'hidden'        => false,
    'searchonly'    => false,
    'writable'      => false,

    'search_fields' => array('mail', 'cn', 'sn', 'givenName' ),

    // mapping of contact fields to directory attributes
    'fieldmap' => array(
        'name'          => 'cn',
        'surname'       => 'sn',
        'firstname'     => 'givenName',
        'title'         => 'title',
        'email'         => 'mail:*',
    ),
    'sort'          => 'cn',
    'scope'         => 'sub',
    'filter'        => '(|(objectclass=person)(objectclass=group))',
    'fuzzy_search'  => true,
    'vlv'           => false,   // Enable Virtual List View to more efficiently fetch paginated data (if server supports it)
    'sizelimit'     => '0',     // Enables you to limit the count of entries fetched. Setting this to 0 means no limit.
    'timelimit'     => '0',     // Sets the number of seconds how long is spend on the search. Setting this to 0 means no limit.
    'referrals'     => false,  // Sets the LDAP_OPT_REFERRALS option. Mostly used in multi-domain Active Directory setups

    'group_filters' => array(
        'departments' => array(
            'name'    => 'Mailing Lists',
            'scope'   => 'sub',
            'base_dn' => 'domainName=%d,o=domains,dc=abra,dc=co,dc=uk',
            'filter'  => '(&(|(objectclass=mailList)(objectClass=mailAlias))(accountStatus=active)(enabledService=displayedInGlobalAddressBook))',
            'name_attr' => 'cn',
            'email'     => 'mail',
        ),
    ),
);
$config['autocomplete_addressbooks'] = array('sql', 'global_ldap_abook');

3 Reply by ZhangHuangbin

  • ZhangHuangbin
  • ZhangHuangbin
  • iRedMail Developers
  • Offline
  • Registered: 2009-05-06
  • Posts: 30,792

Re: iRedMail with freeIPA LDAP server integration

Thanks for sharing. smile

4 Reply by abderaouf.omari

  • abderaouf.omari
  • Member
  • Offline
  • Registered: 2024-02-07
  • Posts: 1

Re: iRedMail with freeIPA LDAP server integration

Hello mskaraca,

your feedback was very helpful for me and my setup, but i have a problem when the FreeIPA user has ipaUserAuthType set to otp in FreeIPA world mean password+otp in the password filed.

unfortunately i think that dovecot make multiple request to ldap backend and this is very bad when you have totp with 60s.

is there any workaround to this issue ?

@ZhangHuangbin

many Regards