Part 8. Set up mail server authentication through the OpenLDAP

The list of articles cycle

OpenLDAP is an open implementation of LDAP, developed by the OpenLDAP project, distributed under its own free OpenLDAP Public License.

OpenLDAP consists of three main components:

  • slapd - an independent LDAP daemon and related overlays and tools;
  • libraries that implement LDAP protocol;
  • utilities, tools and auxiliary clients


OpenLDAP installation

To install, execute the command:

# apt install slapd ldap-utils



Enter the administrative password upon request.

We need two modules for the work. The first is for the mdb database, and the second module is the monitor necessary to create and dynamically support the branch about the current status of the slapd daemon.

To do this, create an add-mod.ldif file and write to it


dn: cn=module,cn=config

objectClass: olcModuleList

cn: module

olcModulePath: /usr/lib/ldap




Then we will execute the command:


ldapadd -QY EXTERNAL -H ldapi:/// -f add-mod.ldif


Adding Data Schemes

For the further work we will need in OpenLDAP the following schemes:

  • core.ldif

  • cosine.ldif

  • nis.ldif

  • inetorgperson.ldif

  • openldap.ldif

  • misc.ldif


If some scheme is missing, it can be connected by a command like

ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/misc.ldif


Files with the necessary schemas are in the folder /etc/ldap/schema/

You can see which schemas are already connected in the folder /etc/ldap/slapd.d/cn=config/cn=schema


Database initialization

We will create our own database for the domain. To do this, create a file db.ldif and write it into it


dn: olcDatabase=mdb,cn=config

objectClass: olcMdbConfig

olcDatabase: mdb

olcSuffix: dc=study,dc=local

olcDbDirectory: /var/lib/ldap

olcDbMaxsize: 1073741824

olcRootDN: cn=admin,dc=study,dc=local

olcRootPW: password

olcDbIndex: cn,sn,mail pres,eq,approx,sub

olcAccess: {0}to *

  by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage

  by * break

olcAccess: {1}to attrs=userPassword

  by self write

  by anonymous auth

  by * none

olcAccess: {2}to *

  by self write

  by * read


dn: olcDatabase=monitor,cn=config

objectClass: olcDatabaseConfig

olcDatabase: monitor


Next, we transfer data from it to the LDAP with the command:

ldapadd -QY EXTERNAL -H ldapi:/// -f db.ldif


To change permissions, create file acl-mod.ldif and write to


dn: olcDatabase={-1}frontend,cn=config

changetype: modify

add: olcAccess

olcAccess: {0}to *

  by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage

  by * break

olcAccess: {1}to dn.base=""

  by * read

olcAccess: {2}to dn.base="cn=subschema"

  by * read


olcAccess: {1}to attrs=userPassword

  by self write

  by anonymous auth

olcAccess: {2}to *

  by * read


Next with a command

ldapadd -QY EXTERNAL -H ldapi:/// -f acl-mod.ldif

transfer data to the LDAP


Verify that the administrator account has access to the directory service:

ldapwhoami -WD cn=admin,dc=study,dc=local

Enter LDAP Password:


Now we will create our domain tree. Create a file tree.ldif and write to it


dn: dc=study,dc=local

dc: study

objectClass: top

objectClass: domain


dn: ou=users,dc=study,dc=local

ou: Users

objectClass: top

objectClass: organizationalUnit

description: Central location for UNIX users


dn: ou=groups,dc=study,dc=local

ou: Groups

objectClass: top

objectClass: organizationalUnit

description: Central location for UNIX groups


And we will add these data by the command

ldapmodify -a -xWD cn=admin,dc=study,dc=local -f tree.ldif



PhpLDAPadmin — This is a web application for administering servers Lightweight Directory Access Protocol (LDAP). It is written in PHP, and is licensed under the GNU General Public License. The application is available in 14 languages and supports UTF-8 encoding for directory content.

Install the LDAP Web Console with the command:

# apt install phpldapadmin


For the initial settings in the configuration file /etc/phpldapadmin/config.php change lines










Creating users and aliases


Before creating any user, you need to create a group with a random name in the groups container. This is due to the fact that any user must belong to at least one group.

At the http://server-ip/phpldapadmin link, go to the phpldapadmin interface. Next, we move to the branch “users”, and by clicking on "Create new entry here," we’ll create a new "Generic: Posix Group" object.


We give a name to our group, for example, “All”


The next step is to confirm the data entry to LDAP.


Creating users

Now let's create our first user – it will be the user with the name “mailadmin”, with the rights to read the data from LDAP.

To do this, in the "users" section, click on "Create new entry here" and create a new "Generic: User Account" object.



In the next window, fill in all required fields and enter the password. “Common Name” and “Password” fields will be important to us. Other fields, even mandatory, you can fill with random data.


We will create the first user of the mail server with the name "user". It is created in the same way as the mailadmin user, but you must also enter his email address. To do this, click on the "Add new attribute" from the top of the window and add an “email” attribute from the drop-down list.


Enter the user's mailing address in the new field.

Other users are created similarly.


Create aliases.

Email aliases are best created as user groups. In the phpLDAPAdmin interface there is a template for an object of type "Generic: Posix Group", but we do not like this template. The group members are defined by uid in it, but Postfix latest versions are not able to get user dn from uid. Therefore, we will use groups like "groupofnames".

To do this, you can create a gr.ldif file and write to it:


dn: cn=mygroup,ou=groups,dc=study,dc=local

objectClass: groupofnames

objectClass: inetLocalMailRecipient

cn: mygroup

description: All users

member: cn=user,ou=users,dc=study,dc=local


Then you can add data from this file to LDAP and add the mailRoutingAddress field via the web interface and enter the aliase mailing address with the command.

ldapadd -x -D cn=admin,dc=study,dc=local -W -f gr.ldif


But, in my opinion, it would be better to create your own template for phpLDAPAdmin and use it. To do this, create a file named groupOfNames.xml in the /etc/phpldapadmin/templates/creation directory with the contents:


<?xml version="1.0" encoding="UTF-8" standalone="no"?>

<!DOCTYPE template SYSTEM "template.dtd">


<title>Mail Aliase Group</title>

<!-- <regexp>^ou=.*,</regexp> -->


<description>New groupOfNames</description>






<objectClass id="groupOfNames"></objectClass>

<objectClass id="inetLocalMailRecipient"></objectClass>




<attribute id="cn">





<attribute id="member">







<attribute id="mailRoutingAddress">










After the relogin, an object template with the name "Mail Aliase Group" will appear in the interface.

When creating a group using this template, we can immediately specify the group's email address and add the required users with the format we want.


Postfix configuring

In the file /etc/postfix/ let’s write:

server_host =

bind = yes

bind_dn = cn=mailadmin,ou=users,dc=study,dc=local

bind_pw = mailadmin

search_base = ou=users,dc=study,dc=local

query_filter = (&(mail=%s))

result_attribute = mail

result_format = %d/%u/


And un file /etc/postfix/ldapalias write

server_host =

bind = no

bind_dn = cn=mailadmin,ou=users,dc=study,dc=local

bind_pw = mailadmin

search_base = dc=study,dc=local

query_filter = (&(objectclass=inetLocalMailRecipient)(mailRoutingAddress=%s))

special_result_attribute = member

leaf_result_attribute = mail


Check correctness Postfix configuration

Once we have set up the connection to LDAP, we need to check the data that will be returned to Postfix.

To verify the processing of mailboxes, we will execute the command:

postmap -q This email address is being protected from spambots. You need JavaScript enabled to view it. ldap:/etc/postfix/

As a result, we should get output:



In order to verify the processing of aliases, we will execute the command:

postmap -q This email address is being protected from spambots. You need JavaScript enabled to view it. ldap:/etc/postfix/ldapalias

As a result, we should get output:

This email address is being protected from spambots. You need JavaScript enabled to view it.


If the correct data is returned, then this Postfix setting is complete.


Dovecot configuring

In the file /etc/dovecot/dovecot-ldap.conf.ext let’s write

hosts =

auth_bind = yes

ldap_version = 3

base = dc=study,dc=local

dn = cn=mailadmin,ou=users,dc=study,dc=local

dnpass = mailadmin

deref = never

scope = subtree

user_attrs = uidNumber=5000,gidNumber=5000,mail=mail=maildir:/var/mail/%d/%n

user_filter = (&(objectClass=inetOrgPerson)(mail=%u))

pass_attrs = uidNumber=5000,gidNumber=5000,mail=mail=maildir:/var/mail/%d/%n

pass_filter = (&(objectClass=inetOrgPerson)(mail=%u))


To check the Dovecot configuration, you must contact the IMAP server using the mail client or the telnet utility.


The list of articles cycle

You can buy the book

"Mail server based on Postfix,

Dovecot and RoundCube"

in electronic form in the store