1

Topic: How to use IRM with GOsa

This is a brief summary of how to use IRM with GOsa (a framework for managing accounts and systems in LDAP). I hope this is useful for those with a similar need as mine, i.e. to use IRM with an external LDAP.

- assumptions:
  - users stored in gosa, domain example.com
  - irm installed with first domain example.com

- user data stored in gosa:
,--------,
| dn: uid=abc,ou=people,dc=example,dc=com
| sn: Def
| givenName: Abc
| uid: abc
| cn: Abc Def
| structuralObjectClass: inetOrgPerson
| creatorsName: cn=admin,dc=example,dc=com
| createTimestamp: 20090719113731Z
| homeDirectory: /home/abc
| loginShell: /bin/bash
| uidNumber: 1044
| gidNumber: 1070
| gecos: Abc Def
| mail: abc@example.com
| gosaMailServer: dummyServer
| gosaMailDeliveryMode: [L]
| gosaSpamSortLevel: 0
| gosaSpamMailbox: INBOX
| objectClass: top
| objectClass: person
| objectClass: organizationalPerson
| objectClass: inetOrgPerson
| objectClass: gosaAccount
| objectClass: posixAccount
| objectClass: shadowAccount
| objectClass: gosaMailAccount
| sambaLMPassword: D67EB7B08921A946AAD3B435B51404EE
| sambaNTPassword: 5C997E97E7D4DEA3B5CCF8F5EDE7B263
| sambaPwdLastSet: 1252568280
| sambaBadPasswordCount: 0
| sambaBadPasswordTime: 0
| userPassword:: OFFzOW9LWE91bw==
| shadowLastChange: 14517
| gosaMailForwardingAddress: abc@example.org
| gosaMailAlternateAddress: abc2@example.com
| entryCSN: 20090930202643Z#000001#00#000000
| modifiersName: cn=admin,dc=example,dc=com
| modifyTimestamp: 20090930202643Z
| entryUUID: 49f0b6de-08a4-102e-8d00-950f04dd86f1
`--------`

- create an entry cn=vmail,dc=example,dc=com in gosa to read user info (can
  be done using e.g. phpldapadmin). Make sure this DN can read user data
  (including password). A quick and dirty solution is to add this ACL
  before any other ACL in slapd.conf:
,--------,
| # the grantee must be the same DN the mail services bind as (cn=vmail,...)
| access to dn.regex=".*ou=(people|groups),dc=example,dc=com"
|         by dn.base="cn=vmail,dc=example,dc=com" read
|         by * none break
`--------`

- change the ldap connection settings in these files (host, port, bind_dn, bind_pw, etc.):
    /etc/postfix/ldap_virtual_alias_maps.cf
    /etc/postfix/ldap_virtual_mailbox_maps.cf
    /etc/postfix/ldap_sender_login_maps.cf
    /etc/postfix/ldap_virtual_group_maps.cf
    /etc/dovecot/dovecot-ldap.conf
    /usr/share/apache2/roundcubemail-0.2.1/config/main.inc.php

- further changes:
    /etc/postfix/ldap_virtual_alias_maps.cf
,--------,
| server_host     = <GOSA-IP-OR-HOSTNAME>
| server_port     = 389
| version         = 3
| bind            = yes
| start_tls       = no
| bind_dn         = cn=vmail,dc=example,dc=com
| bind_pw         = <PASSWORD-FOR-VMAIL>
| search_base     = ou=people,dc=example,dc=com
| scope           = sub
| query_filter    = (&(objectClass=gosaMailAccount)(gosaMailForwardingAddress=*)(|(mail=%s)(gosaMailAlternateAddress=%s)))
| result_attribute= gosaMailForwardingAddress
| debuglevel      = 0
`--------`

    /etc/postfix/ldap_virtual_mailbox_maps.cf
,--------,
| server_host     = <GOSA-IP-OR-HOSTNAME>
| server_port     = 389
| version         = 3
| bind            = yes
| start_tls       = no
| bind_dn         = cn=vmail,dc=example,dc=com
| bind_pw         = <PASSWORD-FOR-VMAIL>
| search_base     = ou=people,dc=example,dc=com
| scope           = one
| query_filter    = (&(objectClass=gosaMailAccount)(mail=%s))
| result_attribute= uid
| result_format   = /var/vmail/%s/
| debuglevel      = 0
`--------`

    /etc/postfix/ldap_sender_login_maps.cf
,--------,
| server_host     = <GOSA-IP-OR-HOSTNAME>
| server_port     = 389
| version         = 3
| bind            = yes
| start_tls       = no
| bind_dn         = cn=vmail,dc=example,dc=com
| bind_pw         = <PASSWORD-FOR-VMAIL>
| search_base     = ou=people,dc=example,dc=com
| scope           = one
| query_filter    = (&(mail=%s)(objectClass=gosaMailAccount))
| result_attribute= mail
| debuglevel      = 0
`--------`

    /etc/postfix/ldap_virtual_group_maps.cf
,--------,
| server_host     = <GOSA-IP-OR-HOSTNAME>
| server_port     = 389
| version         = 3
| bind            = yes
| start_tls       = no
| bind_dn         = cn=vmail,dc=example,dc=com
| bind_pw         = <PASSWORD-FOR-VMAIL>
| search_base     = ou=groups,dc=example,dc=com
| scope           = sub
| query_filter    = (&(objectClass=gosaMailAccount)(objectClass=posixGroup)(mail=%s))
| result_attribute= memberUid
| result_format   = %u@example.com
| debuglevel      = 0
`--------`

    /etc/dovecot/dovecot-ldap.conf
,--------,
| hosts           = <GOSA-IP-OR-HOSTNAME>:389
| ldap_version    = 3
| auth_bind       = yes
| dn              = cn=vmail,dc=example,dc=com
| dnpass          = <PASSWORD-FOR-VMAIL>
| base            = ou=people,dc=example,dc=com
| scope           = subtree
| deref           = never
| user_filter     = (&(objectClass=gosaMailAccount)(mail=%u))
| pass_filter     = (mail=%u)
| pass_attrs      = userPassword=password
| default_pass_scheme = PLAIN
| user_attrs      = uid=home=/var/vmail/%$,=mail=maildir:~/Maildir/,gosaMailQuota=quota_rule=*:bytes=%$M
`--------`
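To see how the four Postfix map files above fit together, here is an added example (not code from the original post, and not Postfix's own implementation): a tiny in-memory directory and a minimal RFC 4515 filter evaluator that runs each map's query_filter, scope, result_attribute and result_format against sample entries. The first directory entry is the posted user trimmed to the attributes the maps use; the group cn=staff and the nested user uid=def are constructed for illustration. The lookup key is escaped before it replaces %s, as ldap_table(5) specifies, so LDAP metacharacters in an address cannot widen the search.

```python
"""Offline emulation of the Postfix LDAP table lookups from the GOsa how-to.
Added example: a constructed directory plus a minimal filter evaluator,
not Postfix code.  Only the filter subset the maps use is supported."""
import re

# Constructed directory: posted user (trimmed), plus a hypothetical mail-enabled
# POSIX group and a hypothetical account one level deeper than ou=people.
DIRECTORY = [
    {
        "dn": "uid=abc,ou=people,dc=example,dc=com",
        "objectClass": ["inetOrgPerson", "gosaAccount", "posixAccount", "gosaMailAccount"],
        "uid": ["abc"],
        "mail": ["abc@example.com"],
        "gosaMailForwardingAddress": ["abc@example.org"],
        "gosaMailAlternateAddress": ["abc2@example.com"],
    },
    {   # constructed
        "dn": "cn=staff,ou=groups,dc=example,dc=com",
        "objectClass": ["posixGroup", "gosaMailAccount"],
        "mail": ["staff@example.com"],
        "memberUid": ["abc", "def"],
    },
    {   # constructed
        "dn": "uid=def,ou=sales,ou=people,dc=example,dc=com",
        "objectClass": ["inetOrgPerson", "gosaMailAccount"],
        "uid": ["def"],
        "mail": ["def@example.com"],
    },
]

# Query-relevant settings copied from the four map files in the post.
VIRTUAL_ALIAS = {
    "search_base": "ou=people,dc=example,dc=com", "scope": "sub",
    "query_filter": "(&(objectClass=gosaMailAccount)(gosaMailForwardingAddress=*)"
                    "(|(mail=%s)(gosaMailAlternateAddress=%s)))",
    "result_attribute": "gosaMailForwardingAddress"}
VIRTUAL_MAILBOX = {
    "search_base": "ou=people,dc=example,dc=com", "scope": "one",
    "query_filter": "(&(objectClass=gosaMailAccount)(mail=%s))",
    "result_attribute": "uid", "result_format": "/var/vmail/%s/"}
SENDER_LOGIN = {
    "search_base": "ou=people,dc=example,dc=com", "scope": "one",
    "query_filter": "(&(mail=%s)(objectClass=gosaMailAccount))",
    "result_attribute": "mail"}
VIRTUAL_GROUP = {
    "search_base": "ou=groups,dc=example,dc=com", "scope": "sub",
    "query_filter": "(&(objectClass=gosaMailAccount)(objectClass=posixGroup)(mail=%s))",
    "result_attribute": "memberUid", "result_format": "%u@example.com"}


def ldap_escape(key):
    """RFC 4515 escaping of the lookup key before it is substituted for %s."""
    return (key.replace("\\", "\\5c").replace("*", "\\2a")
            .replace("(", "\\28").replace(")", "\\29").replace("\0", "\\00"))


def parse_filter(s, i=0):
    """Recursive-descent parse of (&...), (|...) and attr=value items."""
    assert s[i] == "(", "filter item must start with '('"
    i += 1
    if s[i] in "&|":
        op, kids = s[i], []
        i += 1
        while s[i] == "(":
            kid, i = parse_filter(s, i)
            kids.append(kid)
        node = (op, kids)
    else:
        j = s.index(")", i)
        attr, value = s[i:j].split("=", 1)
        node, i = ("=", attr, value), j
    assert s[i] == ")", "unbalanced filter"
    return node, i + 1


def _unescape(piece):
    # \xx hex escapes become literal characters, so an escaped '*' stays literal
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), piece)


def matches(node, entry):
    """Evaluate a parsed filter; names and values compare case-insensitively."""
    if node[0] in "&|":
        combine = all if node[0] == "&" else any
        return combine(matches(k, entry) for k in node[1])
    _, attr, pattern = node
    values = [v for a, vs in entry.items()
              if a != "dn" and a.lower() == attr.lower() for v in vs]
    if pattern == "*":                      # presence test, e.g. (gosaMailForwardingAddress=*)
        return bool(values)
    regex = ".*".join(re.escape(_unescape(p)) for p in pattern.split("*"))
    return any(re.fullmatch(regex, v, re.IGNORECASE) for v in values)


def in_scope(dn, base, scope):
    """scope=one matches only entries directly below base; sub matches any depth."""
    dn, base = dn.lower(), base.lower()
    if dn == base:
        return scope == "sub"
    if not dn.endswith("," + base):
        return False
    return scope == "sub" or "," not in dn[: -len(base) - 1]


def lookup(table, key):
    """Postfix-style lookup: escape the key, substitute it into query_filter,
    search base/scope, expand result_format (%s = value, %u = local part)."""
    flt, _ = parse_filter(table["query_filter"].replace("%s", ldap_escape(key)))
    fmt, results = table.get("result_format", "%s"), []
    for entry in DIRECTORY:
        if in_scope(entry["dn"], table["search_base"], table["scope"]) and matches(flt, entry):
            for value in entry.get(table["result_attribute"], []):
                results.append(fmt.replace("%s", value).replace("%u", value.split("@", 1)[0]))
    return results
```

Running `lookup(VIRTUAL_ALIAS, "abc2@example.com")` shows the alternate address resolving to the forwarding address, while `lookup(VIRTUAL_MAILBOX, "abc2@example.com")` is empty because only the primary mail attribute is a mailbox. The constructed uid=def entry illustrates the scope setting: with scope=one in the mailbox and sender-login maps it is never found, whereas the same table with scope=sub returns /var/vmail/def/, so the scope has to match where the accounts actually live below the search base.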

2

Re: How to use IRM with GOsa

Big thanks for sharing.