1

Topic: cluebringer login issue

==== Required information ====
- iRedMail version: 0.8.3
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): LDAP
- Linux/BSD distribution name and version: Ubuntu 12.04.2 LTS
- Related log if you're reporting an issue:

https log file:

[Thu Feb 21 10:13:01 2013] [error] [client xxx.xxx.xxx.xxx] user postmaster@xxxxx.xx not found: /cluebringer/

====

Hi there!

Unfortunately I'm not able to login to cluebringer, even with the global domain admin.
Any hints?


Ist it OK to install iRedAPD, too, even if there is already cluebringer installed?

Thanks in advance!

Best,
Achim!

2

Re: cluebringer login issue

- Please access Cluebringer through HTTPS.
- iRedAPD and Cluebringer are installed by default.

3

Re: cluebringer login issue

I've already accessed cluebringer via httpS - no difference.

I questioned about iRedAPD because white-/blacklisting per email-address does not work (set up in iRedAdminPro).

Any hints?

4

Re: cluebringer login issue

- Could you please check /root/iRedMail-0.8.3/iRedMail.tips for more info about Cluebringer? The URL, username and password.
- Does it prompt you input username and password while accessing httpS://[your_server]/cluebringer/
- Could you please show me /opt/iredapd/etc/iredapd.ini here? WARNING: Remote username and password in this file before pasting.

5

Re: cluebringer login issue

iRedMail.tips:
-----------------
Policyd (cluebringer):
    * Configuration files:
        - /etc/cluebringer/cluebringer.conf
        - /etc/cluebringer/cluebringer-webui.conf
    * RC script:
        - /etc/init.d/postfix-cluebringer
    * Database:
        - Database name: cluebringer
        - Database user: cluebringer
        - Database password: <not shown here...>

Yes, it asks for username/password but no combination works.

In iredadmin/settings.ini I saw that that setting:
[policyd]

# Enable policyd integration: True, False.
enabled = False

Does that matter? Nevertheless iRedAdminPro allows us to change individual white-/blacklisting.


iredapd.ini:
-------------

[general]
# Listen address and port.
listen_addr = 127.0.0.1
listen_port = 7777

# Run as a low privileged user.
# If you don't want to create one, you can try 'nobody'.
run_as_user = iredapd

# Background/daemon mode: yes, no.
# Run iRedAPD as daemon, detach iredapd from terminal.
run_as_daemon = yes

# Path to pid file.
pid_file        = /var/run/iredapd.pid

# Log type: file.
# Set 'log_file = /dev/null' if you don't want to keep the log.
log_type        = file
log_file        = /var/log/iredapd.log

# Log level: info, error, debug.
log_level = info

# Backend: ldap, mysql, pgsql.
backend = ldap

[ldap]
# For ldap backend only.
# LDAP server setting.
# Uri must starts with ldap:// or ldaps:// (TLS/SSL).
#
# Tip: You can get binddn, bindpw from /etc/postfix/ldap_*.cf.
#
uri = ldap://127.0.0.1:389
binddn = cn=vmail,dc=<not shown here...>,dc=xx
bindpw = <not shown here...>
basedn = o=domains,dc=<not shown here...>,dc=xx

# Enabled plugins.
#   - Plugin name is file name which placed under 'src/plugins/' directory.
#   - Plugin names MUST be seperated by comma.
#
# Available plugins:
#   * ldap_domain_wblist: per-domain white/blacklist support.
#       Note: If you want to enable this plugin, it's better to make it the
#             first one in enabled plugin list.
#   * ldap_maillist_access_policy: mail list deliver restrictions.
#   * block_amavisd_blacklisted_senders: per-user white/blacklist support.
plugins = ldap_maillist_access_policy, block_amavisd_blacklisted_senders

[sql]
# For MySQL and PostgreSQL backends
server      = 127.0.0.1
port        = 3306
db          = vmail
user        = vmail
password    = <not shown here...>

# Enabled plugins.
#   - Plugin name is file name which placed under 'src/plugins/' directory,
#     starts with 'sql_'.
#   - Plugin names MUST be seperated by comma.
plugins = ldap_maillist_access_policy, block_amavisd_blacklisted_senders

6

Re: cluebringer login issue

aemaething wrote:

Yes, it asks for username/password but no combination works.

Oh, that's great. Please login with the first user (it's an admin, too) created during iRedMail installation. Usually it's "postmaster@xxx".

aemaething wrote:

In iredadmin/settings.ini I saw that that setting:
[policyd]
# Enable policyd integration: True, False.
enabled = False
Does that matter? Nevertheless iRedAdminPro allows us to change individual white-/blacklisting.

iRedAdmin-Pro doesn't support Cluebringer yet, so please keep "enabled = False".

aemaething wrote:

I questioned about iRedAPD because white-/blacklisting per email-address does not work (set up in iRedAdminPro).

With iRedMail-0.8.3 and earlier versions, you have to use another iRedAPD instance for per-user white/blacklist. But it's not necessary in upcoming release (iRedMail-0.8.4, which ships iRedAPD-1.4.0). New version of iRedAPD was rewritten to use only one instance for all plugins.

If you're urgent to enable this feature, please follow below tutorial. Or, wait for some more days.
http://www.iredmail.org/wiki/index.php? … D/OpenLDAP

7

Re: cluebringer login issue

ZhangHuangbin wrote:
aemaething wrote:

Yes, it asks for username/password but no combination works.

Oh, that's great. Please login with the first user (it's an admin, too) created during iRedMail installation. Usually it's "postmaster@xxx".

That's exactly what is NOT working.

ZhangHuangbin wrote:

If you're urgent to enable this feature, please follow below tutorial. Or, wait for some more days.
http://www.iredmail.org/wiki/index.php? … D/OpenLDAP

Thanks, I'll wait.

8

Re: cluebringer login issue

The user created during iRedMail installation, postmaster@xxx, is a global admin by default, and Cluebringer is configured to allow only global admin to login.

- Did you mark postmaster@xxx as a normal domain admin?
- Could you please show me /etc/apache2/conf.d/cluebringer.conf? (NOTE: remove password in this file before pasting).

9 (edited by aemaething 2013-02-25 17:43:18)

Re: cluebringer login issue

ZhangHuangbin wrote:

The user created during iRedMail installation, postmaster@xxx, is a global admin by default, and Cluebringer is configured to allow only global admin to login.
- Did you mark postmaster@xxx as a normal domain admin?

Didn't change a thing. Login to iRedAdmin is working like a charm.

ZhangHuangbin wrote:

- Could you please show me /etc/apache2/conf.d/cluebringer.conf? (NOTE: remove password in this file before pasting).

Here it is:

<Directory /usr/share/postfix-cluebringer-webui/webui/>
    DirectoryIndex index.php
    Options ExecCGI
    Order allow,deny
    #allow from 127.0.0.1
    allow from all

    AuthType basic
    AuthName "Authorization Required"

    AuthBasicProvider ldap
    AuthzLDAPAuthoritative   Off

    AuthLDAPUrl   ldap://127.0.0.1:389/o=domains,dc=<not shown here>,dc=<not shown here>?mail?sub?(&(objectclass=mailUser)(accountStatus=active)(domainGlobalAdmin=yes))

    AuthLDAPBindDN "cn=vmail,dc=<not shown here>,dc=<not shown here>"
    AuthLDAPBindPassword "<not shown here...>"

    Require valid-user
</Directory>

Thank you!

10

Re: cluebringer login issue

Maybe this message helps a bit?

==> /var/log/apache2/mail.<xxx>.net.error.log <==
[Mon Feb 25 11:03:34 2013] [error] [client 85.183.15.4] user postmaster@<xxx>.<xxx> not found: /cluebringer/

The LDAP scheme was imported from an older iRedMail installation.
But all administrative Accounts have the correct password, I updated them via phpLdapAdmin.

Best,
Achim

11

Re: cluebringer login issue

aemaething wrote:

The LDAP scheme was imported from an older iRedMail installation.
But all administrative Accounts have the correct password, I updated them via phpLdapAdmin.

Apache config file looks fine. No idea yet, sorry.

Does this admin account (postmaster@xxx) placed under LDAP dn "o=domainAdmins,dc=xx,dc=xx"?

12

Re: cluebringer login issue

Yep - it is.

We have another domainAdmin there, it's login doesn't work, either.
Is there any way to change the settings for more verbosity for easier debugging?

Thank you!

Best,
Achim

13

Re: cluebringer login issue

We promoted a standard user to "globalAdmin" - his account is able to login now.
It's ok for us now - many thanks for your help!

Best,
Achim

14

Re: cluebringer login issue

aemaething wrote:

We have another domainAdmin there, it's login doesn't work, either.

That's the problem.

You have below setting in /etc/apache2/conf.d/cluebringer.conf:

AuthLDAPUrl   ldap://127.0.0.1:389/o=domains,dc=<not shown here>,dc=<not shown here>?mail?sub?(&(objectclass=mailUser)(accountStatus=active)(domainGlobalAdmin=yes))

But your admin accounts are placed under 'o=domainAdmins', so LDAP query cannot find this account.

In old iRedMail releases, we store admin accounts under o=domainAdmins,dc=xx,dc=xx. But it's changed since iRedMail-0.8.3, it doesn't require a separate o=domainsAdmin,dc=xx,dc=xx at all. You can create a mail user, then mark it as either global domain admin (a.k.a. super admin) or normal domain admin.