Part 8. Setting up mail server authentication through OpenLDAP
- Category: Mail Server
- Published: Wednesday, 26 June 2019 11:06
- Written by Super User
OpenLDAP is an open-source implementation of the Lightweight Directory Access Protocol (LDAP), developed by the OpenLDAP Project and distributed under its own free OpenLDAP Public License.
OpenLDAP consists of three main components:
- slapd, the stand-alone LDAP daemon, together with its overlays and tools;
- libraries that implement the LDAP protocol;
- utilities, tools and auxiliary clients.
OpenLDAP installation
To install, execute the command:
# apt install slapd ldap-utils
Enter the administrative password when prompted.
Two modules are needed for this setup. The first is back_mdb, the MDB database backend; the second is back_monitor, which creates and dynamically maintains the cn=monitor branch describing the current state of the slapd daemon.
To load them, create a file add-mod.ldif and write to it:
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulePath: /usr/lib/ldap
olcModuleLoad: back_mdb.la
olcModuleLoad: back_monitor.la
Then we will execute the command:
ldapadd -QY EXTERNAL -H ldapi:/// -f add-mod.ldif
Adding data schemas
For the further work we will need the following schemas loaded in OpenLDAP:
- core.ldif
- cosine.ldif
- nis.ldif
- inetorgperson.ldif
- openldap.ldif
- misc.ldif
If a schema is missing, it can be loaded with a command like
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/misc.ldif
The schema files are in the directory /etc/ldap/schema/
Which schemas are already loaded can be seen in the directory /etc/ldap/slapd.d/cn=config/cn=schema
Database initialization
We will create our own database for the domain. To do this, create a file db.ldif and write the following into it (the two entries are separated by a blank line, as LDIF requires):
dn: olcDatabase=mdb,cn=config
objectClass: olcMdbConfig
olcDatabase: mdb
olcSuffix: dc=study,dc=local
olcDbDirectory: /var/lib/ldap
olcDbMaxsize: 1073741824
olcRootDN: cn=admin,dc=study,dc=local
# olcRootPW also accepts a password hash generated with slappasswd instead of a cleartext value
olcRootPW: password
olcDbIndex: cn,sn,mail pres,eq,approx,sub
# rules are evaluated in index order; the first matching "by" clause decides unless it says "break"
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage by * break
olcAccess: {1}to attrs=userPassword by self write by anonymous auth by * none
olcAccess: {2}to * by self write by * read

dn: olcDatabase=monitor,cn=config
objectClass: olcDatabaseConfig
olcDatabase: monitor
Next, we load its contents into LDAP with the command:
ldapadd -QY EXTERNAL -H ldapi:/// -f db.ldif
To change the access rules of the frontend database, create a file acl-mod.ldif and write to it:
dn: olcDatabase={-1}frontend,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to dn.base="cn=subschema" by * read
# indices continue sequentially; a repeated {1} or {2} would reorder the rules
olcAccess: {3}to attrs=userPassword by self write by anonymous auth
olcAccess: {4}to * by * read
Next, load it into LDAP with the command
ldapadd -QY EXTERNAL -H ldapi:/// -f acl-mod.ldif
Verify that the administrator account has access to the directory service:
ldapwhoami -WD cn=admin,dc=study,dc=local
Enter LDAP Password:
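The olcAccess rules above decide what the mailadmin bind account, an anonymous client and a user acting on its own entry may do. The following is an added example, not part of the article and not OpenLDAP code: a simplified model of slapd's first-match ACL evaluation (only `to *` and `to attrs=` targets, the subjects `*`, `anonymous`, `users`, `self`, `dn.base=`/`dn.exact=`, and the `break` control) run over the three rules of db.ldif. The DNs for mailadmin and user are the ones created later in this part; the peercred DN is what a root shell binds as over ldapi:///.

```python
# Added example (not from the article, not OpenLDAP code): a simplified model of
# slapd's first-match ACL evaluation applied to the db.ldif rules.

LEVELS = ["none", "auth", "compare", "search", "read", "write", "manage"]

# The three database rules from db.ldif, each flattened to one line.
DB_ACLS = [
    '{0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage by * break',
    "{1}to attrs=userPassword by self write by anonymous auth by * none",
    "{2}to * by self write by * read",
]

# DNs used in the checks (the peercred DN is the identity of a root ldapi:/// bind).
ROOT_PEERCRED = "gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"
MAILADMIN = "cn=mailadmin,ou=users,dc=study,dc=local"
USER = "cn=user,ou=users,dc=study,dc=local"


def parse_acl(line):
    """Split '{n}to <what> by <who> [<level>] [<control>] ...' into (what, [(who, level, control)])."""
    if line.startswith("{"):
        line = line.split("}", 1)[1]
    head, *clauses = line.split(" by ")
    if not head.startswith("to "):
        raise ValueError("not an access rule: %r" % line)
    by = []
    for clause in clauses:
        tokens = clause.split()
        subject, level, control = tokens[0].replace('"', ""), "none", "stop"
        for tok in tokens[1:]:
            if tok in LEVELS:
                level = tok
            elif tok in ("stop", "break"):
                control = tok
        by.append((subject, level, control))
    return head[3:].strip(), by


def what_matches(what, attr):
    """Does the 'to' clause cover a request for attribute `attr`?"""
    if what == "*":
        return True
    if what.startswith("attrs="):
        return attr in what[len("attrs="):].split(",")
    return False


def who_matches(subject, bind_dn, target_dn):
    """Does the 'by' subject describe the client bound as bind_dn (None = anonymous)?"""
    if subject == "*":
        return True
    if subject == "anonymous":
        return bind_dn is None
    if subject == "users":
        return bind_dn is not None
    if subject == "self":
        return bind_dn is not None and bind_dn == target_dn
    if subject.startswith(("dn.base=", "dn.exact=")):
        return bind_dn == subject.split("=", 1)[1]
    return False


def allowed(acls, bind_dn, target_dn, attr, wanted):
    """True if bind_dn gets at least `wanted` access to `attr` of the entry target_dn."""
    for line in acls:
        what, by = parse_acl(line)
        if not what_matches(what, attr):
            continue
        for subject, level, control in by:
            if not who_matches(subject, bind_dn, target_dn):
                continue
            if control == "break":
                break  # leave this rule and evaluate the next one
            return LEVELS.index(level) >= LEVELS.index(wanted)
        else:
            return False  # rule matched but no 'by' clause did: denied
    return False  # no rule matched


if __name__ == "__main__":
    checks = {
        "mailadmin reads mail": allowed(DB_ACLS, MAILADMIN, USER, "mail", "read"),
        "mailadmin reads userPassword": allowed(DB_ACLS, MAILADMIN, USER, "userPassword", "read"),
        "anonymous binds (auth on userPassword)": allowed(DB_ACLS, None, USER, "userPassword", "auth"),
        "anonymous reads userPassword": allowed(DB_ACLS, None, USER, "userPassword", "read"),
        "user changes own userPassword": allowed(DB_ACLS, USER, USER, "userPassword", "write"),
        "root over ldapi manages anything": allowed(DB_ACLS, ROOT_PEERCRED, USER, "userPassword", "manage"),
    }
    for name, ok in checks.items():
        print("%-42s %s" % (name, "allowed" if ok else "denied"))
```

The model shows the two properties the mail setup depends on: the mailadmin account (and anyone else, including anonymous clients) can read the mail attribute, while userPassword is never readable, only usable for a bind. The ldapalias map below uses bind = no, so it is the anonymous read granted by rule {2} that makes it work.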
Now we will create our domain tree. Create a file tree.ldif and write to it
dn: dc=study,dc=local
dc: study
objectClass: top
objectClass: domain

dn: ou=users,dc=study,dc=local
ou: Users
objectClass: top
objectClass: organizationalUnit
description: Central location for UNIX users

dn: ou=groups,dc=study,dc=local
ou: Groups
objectClass: top
objectClass: organizationalUnit
description: Central location for UNIX groups
And we will add these entries with the command
ldapmodify -a -xWD cn=admin,dc=study,dc=local -f tree.ldif
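The LDIF files in this part (db.ldif, acl-mod.ldif, tree.ldif) all depend on the same rules: one blank line separates records, a line starting with a space continues the previous one, and `attr::` carries a base64 value. As an added example (not from the article and not the OpenLDAP parser), here is a small LDIF reader with a lint function that reports the most common mistake, two entries run together without a blank line, which is exactly what makes ldapadd reject a file. The sample input is tree.ldif from above plus a constructed continuation/base64 record.

```python
# Added example (not from the article, not OpenLDAP code): a minimal LDIF parser
# and a lint check for entries that were not separated by a blank line.
import base64

# tree.ldif from the article, used as sample input.
TREE_LDIF = """dn: dc=study,dc=local
dc: study
objectClass: top
objectClass: domain

dn: ou=users,dc=study,dc=local
ou: Users
objectClass: top
objectClass: organizationalUnit
description: Central location for UNIX users

dn: ou=groups,dc=study,dc=local
ou: Groups
objectClass: top
objectClass: organizationalUnit
description: Central location for UNIX groups
"""

# The same file with the blank lines removed: the three entries run together.
BROKEN_TREE_LDIF = TREE_LDIF.replace("\n\n", "\n")

# Constructed record showing a continuation line and a base64 ('::') value.
CONTINUATION_LDIF = """dn: cn=demo,ou=groups,dc=study,dc=local
# comment lines are ignored
description: first part,
  second part
cn:: TWFpbCBBbGlhcw==
"""


def parse_ldif(text):
    """Parse LDIF text into a list of {attribute: [values]} dicts, one per record."""
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]  # continuation: drop exactly one leading space and join
        else:
            logical.append(raw)
    records, current = [], {}
    for line in logical + [""]:  # sentinel blank line closes the last record
        if line.strip() == "":
            if current:
                records.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        name, _, rest = line.partition(":")
        if rest.startswith(":"):  # 'attr:: <base64>'
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        current.setdefault(name.strip(), []).append(value)
    return records


def lint_ldif(records):
    """Return problems: records without a dn, or with several dn lines
    (which is what a missing blank line between two entries produces)."""
    problems = []
    for i, rec in enumerate(records, 1):
        dns = rec.get("dn", [])
        if not dns:
            problems.append("record %d: no dn line" % i)
        elif len(dns) > 1:
            problems.append("record %d: %d dn lines, missing blank line between entries?" % (i, len(dns)))
    return problems


def dns_of(text):
    """The dn of every record in an LDIF text, in file order."""
    return [rec["dn"][0] for rec in parse_ldif(text)]


if __name__ == "__main__":
    print("tree.ldif entries:", dns_of(TREE_LDIF))
    print("broken file problems:", lint_ldif(parse_ldif(BROKEN_TREE_LDIF)))
```

Running the lint over a file before handing it to ldapadd or ldapmodify turns a cryptic server-side rejection into a line-numbered hint about which entry lacks its separator.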
phpLDAPadmin
phpLDAPadmin is a web application for administering Lightweight Directory Access Protocol (LDAP) servers. It is written in PHP and licensed under the GNU General Public License. The application is available in 14 languages and supports UTF-8 encoding for directory content.
Install the LDAP Web Console with the command:
# apt install phpldapadmin
For the initial settings, change the following lines in the configuration file /etc/phpldapadmin/config.php:
$servers->setValue('server','base',array('dc=example,dc=com'));
to
$servers->setValue('server','base',array('dc=study,dc=local'));
and
$servers->setValue('login','bind_id','cn=admin,dc=example,dc=com');
to
$servers->setValue('login','bind_id','cn=admin,dc=study,dc=local');
Creating users and aliases
Preparation
Before creating any user, you need to create a group with any name in the groups container. This is because every user must belong to at least one group.
Open the phpLDAPadmin interface at http://server-ip/phpldapadmin. Go to the "users" branch and, by clicking "Create new entry here", create a new "Generic: Posix Group" object.
Give the group a name, for example "All".
The next step is to confirm the entry of the data into LDAP.
Creating users
Now let's create our first user – it will be the user with the name “mailadmin”, with the rights to read the data from LDAP.
To do this, in the "users" section, click on "Create new entry here" and create a new "Generic: User Account" object.
In the next window, fill in all required fields and enter the password. The "Common Name" and "Password" fields are the ones that matter to us; the other fields, even mandatory ones, can be filled with arbitrary data.
We will create the first user of the mail server with the name "user". It is created in the same way as the mailadmin user, but you must also enter its email address. To do this, click "Add new attribute" at the top of the window and choose the "email" attribute from the drop-down list.
Enter the user's mail address in the new field.
Other users are created similarly.
Creating aliases
Email aliases are best created as user groups. The phpLDAPadmin interface offers a template for objects of type "Generic: Posix Group", but that template is not suitable: it defines group members by uid, and recent Postfix versions cannot resolve a user's DN from a uid. Therefore we will use groups of type groupOfNames.
To do this, you can create a gr.ldif file and write to it:
dn: cn=mygroup,ou=groups,dc=study,dc=local
objectClass: groupofnames
objectClass: inetLocalMailRecipient
cn: mygroup
description: All users
member: cn=user,ou=users,dc=study,dc=local
Then add the entry from this file to LDAP with the command below, and add the mailRoutingAddress attribute holding the alias mail address via the web interface:
ldapadd -x -D cn=admin,dc=study,dc=local -W -f gr.ldif
But, in my opinion, it would be better to create your own template for phpLDAPAdmin and use it. To do this, create a file named groupOfNames.xml in the /etc/phpldapadmin/templates/creation directory with the contents:
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE template SYSTEM "template.dtd">
<template>
<title>Mail Aliase Group</title>
<!-- <regexp>^ou=.*,</regexp> -->
<icon>images/ou.png</icon>
<description>New groupOfNames</description>
<askcontainer>1</askcontainer>
<rdn>cn</rdn>
<visible>1</visible>
<objectClasses>
<objectClass id="groupOfNames"></objectClass>
<objectClass id="inetLocalMailRecipient"></objectClass>
</objectClasses>
<attributes>
<attribute id="cn">
<display>Group</display>
<order>1</order>
<page>1</page>
</attribute>
<attribute id="member">
<display>member</display>
<hint></hint>
<order>2</order>
<page>1</page>
<spacer>1</spacer>
</attribute>
<attribute id="mailRoutingAddress">
<display>mailRoutingAddress</display>
<hint></hint>
<order>3</order>
<page>1</page>
<spacer>1</spacer>
</attribute>
</attributes>
</template>
After logging in again, an object template named "Mail Aliase Group" will appear in the interface.
When creating a group using this template, we can immediately specify the group's email address and add the required users with the format we want.
Postfix configuration
In the file /etc/postfix/ldap_virtual_mailbox_maps.cf let’s write:
# this file contains the bind password: keep it readable by root and the postfix user only
server_host = 127.0.0.1
bind = yes
bind_dn = cn=mailadmin,ou=users,dc=study,dc=local
bind_pw = mailadmin
search_base = ou=users,dc=study,dc=local
query_filter = (&(mail=%s))
result_attribute = mail
# %d/%u turns user@study.local into study.local/user/
result_format = %d/%u/
And in the file /etc/postfix/ldapalias write
server_host = 127.0.0.1
# with bind = no the lookup is anonymous and relies on the "by * read" ACL; bind_dn and bind_pw are ignored
bind = no
bind_dn = cn=mailadmin,ou=users,dc=study,dc=local
bind_pw = mailadmin
search_base = dc=study,dc=local
query_filter = (&(objectclass=inetLocalMailRecipient)(mailRoutingAddress=%s))
# follow each member DN and return that entry's mail attribute
special_result_attribute = member
leaf_result_attribute = mail
Checking the Postfix configuration
Once we have set up the connection to LDAP, we need to check the data that will be returned to Postfix.
To verify the processing of mailboxes, we will execute the command:
postmap -q user@study.local ldap:/etc/postfix/ldap_virtual_mailbox_maps.cf
As a result, we should get output:
study.local/user/
In order to verify the processing of aliases, we will execute the command (substitute the mailRoutingAddress you entered for the group):
postmap -q alias@study.local ldap:/etc/postfix/ldapalias
As a result, we should get the mail address of every member of the group; for the mygroup entry above, that is the address of the user "user".
If the correct data is returned, then this Postfix setting is complete.
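To reason about what postmap will return before touching the server, here is an added example that is not part of the article and not Postfix code: a small emulation of the two LDAP maps above, run against a constructed in-memory directory (two mailbox users, the mailadmin bind account and a groupOfNames alias whose mailRoutingAddress all@study.local is invented for the example). It reproduces the %s/%u/%d expansion, the RFC 4515 quoting Postfix applies to the lookup key inside query_filter, the result_format rewrite, and the member → mail expansion of special_result_attribute/leaf_result_attribute. Only AND-of-equality filters are supported, which is all the two maps use.

```python
# Added example (not from the article, not Postfix code): emulate
# `postmap -q key ldap:<map>` for the two maps of this part.
import re

# Constructed directory standing in for dc=study,dc=local
# (attribute names lower-cased because LDAP attribute names are case-insensitive).
DIRECTORY = {
    "cn=user,ou=users,dc=study,dc=local": {
        "objectclass": ["inetOrgPerson"], "mail": ["user@study.local"]},
    "cn=user2,ou=users,dc=study,dc=local": {
        "objectclass": ["inetOrgPerson"], "mail": ["user2@study.local"]},
    "cn=mailadmin,ou=users,dc=study,dc=local": {
        "objectclass": ["inetOrgPerson"]},  # bind account, no mailbox
    "cn=mygroup,ou=groups,dc=study,dc=local": {
        "objectclass": ["groupOfNames", "inetLocalMailRecipient"],
        "member": ["cn=user,ou=users,dc=study,dc=local",
                   "cn=user2,ou=users,dc=study,dc=local"],
        "mailroutingaddress": ["all@study.local"]},  # constructed alias address
}

# The two map definitions from the article (lookup-relevant keys only).
VIRTUAL_MAILBOX_MAPS = {
    "search_base": "ou=users,dc=study,dc=local",
    "query_filter": "(&(mail=%s))",
    "result_attribute": "mail",
    "result_format": "%d/%u/",
}
LDAP_ALIAS = {
    "search_base": "dc=study,dc=local",
    "query_filter": "(&(objectclass=inetLocalMailRecipient)(mailRoutingAddress=%s))",
    "special_result_attribute": "member",
    "leaf_result_attribute": "mail",
}


def escape_filter_value(value):
    """RFC 4515 quoting Postfix applies to %s/%u/%d inside query_filter,
    so a lookup key cannot inject filter metacharacters."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)


def expand(template, key, quote=True):
    """Expand %s, %u, %d for the address `key`. Returns None when the template
    needs %d but the key has no domain part (Postfix then suppresses the lookup)."""
    if "@" in key:
        local, domain = key.rsplit("@", 1)
    else:
        local, domain = key, None
    if domain is None and "%d" in template:
        return None
    q = escape_filter_value if quote else (lambda s: s)
    return template.replace("%s", q(key)).replace("%u", q(local)).replace("%d", q(domain or ""))


TERM = re.compile(r"\(([A-Za-z][\w-]*)=([^()]*)\)")


def entry_matches(filter_str, entry):
    """Evaluate an AND-of-equality filter such as (&(a=x)(b=y)) against an entry."""
    return all(any(v.lower() == want.lower() for v in entry.get(attr.lower(), []))
               for attr, want in TERM.findall(filter_str))


def lookup(cfg, key):
    """Emulate `postmap -q key ldap:<map>` against DIRECTORY."""
    filt = expand(cfg["query_filter"], key)
    if filt is None:
        return []
    base = cfg["search_base"].lower()
    results = []
    for dn, entry in DIRECTORY.items():
        if not (dn.lower() == base or dn.lower().endswith("," + base)):
            continue  # outside search_base
        if not entry_matches(filt, entry):
            continue
        if "special_result_attribute" in cfg:
            # Follow every member DN and collect that entry's leaf attribute.
            for member_dn in entry.get(cfg["special_result_attribute"].lower(), []):
                leaf = DIRECTORY.get(member_dn, {})
                results.extend(leaf.get(cfg["leaf_result_attribute"].lower(), []))
        else:
            for value in entry.get(cfg["result_attribute"].lower(), []):
                formatted = expand(cfg.get("result_format", "%s"), value, quote=False)
                if formatted is not None:
                    results.append(formatted)
    return results


if __name__ == "__main__":
    print(lookup(VIRTUAL_MAILBOX_MAPS, "user@study.local"))  # ['study.local/user/']
    print(lookup(LDAP_ALIAS, "all@study.local"))  # both members' mail addresses
    print(expand("(&(mail=%s))", "*@study.local"))  # wildcard is quoted, not interpreted
```

The last line is the check worth keeping in mind: a lookup key containing `*`, `(` or `)` reaches the server as `\2a`, `\28`, `\29`, so a crafted recipient address cannot widen the filter to match other mailboxes.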
Dovecot configuration
In the file /etc/dovecot/dovecot-ldap.conf.ext let’s write
hosts = 127.0.0.1
auth_bind = yes
ldap_version = 3
base = dc=study,dc=local
dn = cn=mailadmin,ou=users,dc=study,dc=local
dnpass = mailadmin
deref = never
scope = subtree
# "=field=value" sets a constant or template field; "ldapAttr=field" copies an LDAP attribute,
# so the fixed uid/gid 5000 must be written with a leading "="
user_attrs = =uid=5000,=gid=5000,mail=mail=maildir:/var/mail/%d/%n
user_filter = (&(objectClass=inetOrgPerson)(mail=%u))
pass_attrs = =uid=5000,=gid=5000,mail=mail=maildir:/var/mail/%d/%n
pass_filter = (&(objectClass=inetOrgPerson)(mail=%u))
To check the Dovecot configuration, connect to the IMAP server with a mail client or with the telnet utility.
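The user_attrs line is where this configuration is easiest to get wrong, because `uidNumber=5000` and `=uid=5000` look alike but mean different things. As an added example, not from the article and not Dovecot code, here is a model of how Dovecot's documented user_attrs syntax (`ldapAttr=field`, `=field=template`, `ldapAttr=field=template` with `%$` for the attribute value, plus the `%u`/`%n`/`%d` login variables) maps a constructed LDAP entry to userdb fields, so both spellings can be compared side by side.

```python
# Added example (not from the article, not Dovecot code): expand a
# dovecot-ldap.conf.ext user_attrs specification for one LDAP entry.

# Constructed entry for the user "user" as phpLDAPadmin would have created it.
ENTRY = {
    "objectClass": ["inetOrgPerson", "posixAccount"],
    "mail": ["user@study.local"],
    "uidNumber": ["1001"],
    "gidNumber": ["1002"],
}

# The corrected line from the configuration above and the misspelt variant.
CORRECT_USER_ATTRS = "=uid=5000,=gid=5000,mail=mail=maildir:/var/mail/%d/%n"
WRONG_USER_ATTRS = "uidNumber=5000,gidNumber=5000"


def split_user(username):
    """Dovecot's %n (user part) and %d (domain part) of a login name."""
    if "@" in username:
        return tuple(username.split("@", 1))
    return username, ""


def expand_vars(template, username, ldap_value=""):
    """Replace %$ (LDAP attribute value), %u, %n and %d in a template."""
    n, d = split_user(username)
    return (template.replace("%$", ldap_value)
                    .replace("%u", username)
                    .replace("%n", n)
                    .replace("%d", d))


def expand_user_attrs(spec, username, entry):
    """Return the userdb fields produced by `spec` for `entry`.
    Items: 'ldapAttr=field' copies the attribute, '=field=template' sets a
    template value, 'ldapAttr=field=template' applies the template with %$."""
    fields = {}
    for item in spec.split(","):
        parts = item.split("=", 2)
        if len(parts) < 2:
            raise ValueError("bad user_attrs item: %r" % item)
        ldap_attr, field = parts[0], parts[1]
        template = parts[2] if len(parts) == 3 else None
        if ldap_attr == "":
            if template is None:
                raise ValueError("'=field' needs a value: %r" % item)
            fields[field] = expand_vars(template, username)
        elif ldap_attr in entry:
            value = entry[ldap_attr][0]
            fields[field] = expand_vars(template, username, value) if template is not None else value
        # attributes missing from the entry simply produce no field
    return fields


if __name__ == "__main__":
    print(expand_user_attrs(CORRECT_USER_ATTRS, "user@study.local", ENTRY))
    # the wrong spelling creates a field literally named "5000" instead of uid/gid
    print(expand_user_attrs(WRONG_USER_ATTRS, "user@study.local", ENTRY))
```

With the misspelt form Dovecot would receive a field called "5000" holding the entry's gidNumber and no uid or gid at all, so mail would be delivered under whatever defaults apply rather than the vmail identity 5000.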
You can buy the book "Mail server based on Postfix, Dovecot and RoundCube" in electronic form in the store