1

Topic: Authenticate ownCloud against iRedMails LDAP-Server

Hi there,

I'm using iRedMail 0.8.4 on Debian Squeeze (since version 0.7.0) with 8 domains and 500 users, and everything works fine. The LDAP could be of more use, so I decided to give the users some extra features by setting up ownCloud 5.0 -> http://owncloud.org, which authenticates against the built-in LDAP server. So each user can log in with his email address and his password.
It shouldn't matter if it runs on the same server as iRedMail or which distro you use. I'm using an extra server with a fresh Debian Wheezy for that.

This is what I did:

Get ownCloud -> http://software.opensuse.org/download/p … e=owncloud

In my case:
# echo 'deb http://download.opensuse.org/repositori … ebian_7.0/ /' >> /etc/apt/sources.list.d/owncloud.list
# apt-get update

You can add the repository key to apt like this:
# wget http://download.opensuse.org/repositori … elease.key
# apt-key add - < Release.key 

For more than one user, ownCloud recommends e.g. a MySQL database:
# apt-get install mysql-server

Install some useful extras for virus scanning, external storage and the php-ldap module:
# apt-get install apache2 php5 php5-gd php-xml-parser php5-intl
# apt-get install php5-sqlite php5-mysql php5-pgsql smbclient curl libcurl3 php5-curl clamav libclamunrar6 php5-ldap libgd-tools
# apt-get install owncloud

You should configure your Apache and you might want to force SSL like this -> http://wiki.apache.org/httpd/RewriteHTTPToHTTPS
Don't forget to restart Apache.
Access the install wizard https://your-ip/owncloud
Click on the Advanced options to show the configuration options. You may enter admin credentials and let ownCloud create its own database user, or enter a preconfigured user for the database.

Now log into ownCloud as the admin user, go to the upper right corner, then click APPS. Enable "LDAP user and group backend"; you might also want to enable some other useful features, like external storage and Antivirus, too.
Now go back to the menu and click ADMIN, and you'll find the LDAP-Section.
After the installation of your iRedMail server you got a summary of passwords, accounts and settings; you'll need that information now:

LDAP Basic - Tab

HOST -> could be localhost, fqdn or an IP-address
Base DN -> LDAP base dn: o=domains,dc=example,dc=org
User DN -> LDAP admin dn: cn=vmailadmin,dc=example,dc=org
Password : LDAP admin dn-password
User Login Filter : mail=%uid
User List Filter : objectClass=mailUser
Group Filter : objectClass=posixGroup

Advanced - Tab

Connection Settings:
For basic functionality I had to disable TLS

Directory Settings:
User Display Name Field : cn
Base User Tree : o=domains,dc=example,dc=org
User Search Attributes :  enabledService

Special Attributes:
Email Field : mail
User Home Folder Naming Rule : mail (optional)

Test your configuration and save it.

I had some help from Felix Bartels, thanks for that. You can find some German translations for the LDAP settings there -> http://blog.host-consultants.de/2012/07 … omment-400

Some documentation worth reading
ownCloud's LDAP docs -> http://doc.owncloud.org/server/5.0/admi … _ldap.html
ownCloud's Administrators Manual -> http://doc.owncloud.org/server/5.0/admi … tents.html

Last but not least, thanks to ZhangHuangbin for iRedMail !


2

Re: Authenticate ownCloud against iRedMails LDAP-Server

jobu wrote:

Group Filter : objectClass=posixGroup

The mailing list created by iRedMail uses 'objectClass=mailList', not posixGroup.

jobu wrote:

Connection Settings:
For basic functionality I had to disable TLS

Why must TLS be disabled? Any error message?

3

Re: Authenticate ownCloud against iRedMails LDAP-Server

The mailing list created by iRedMail uses 'objectClass=mailList', not posixGroup.

Alright, thanks, works even finer now. I'm not so deep into LDAP ...

Why must TLS be disabled? Any error message?

Warning PHP ldap_start_tls(): Unable to start TLS: Connect error
I need to import the certificates on the separate ownCloud server; on the same server it would have worked out of the box, I guess. Do you know exactly which certificate (/etc/ssl/certs/iRedMail_CA.pem) goes to which location on the ownCloud server, to make it work with PHP?

4

Re: Authenticate ownCloud against iRedMails LDAP-Server

iRedMail creates two files for SSL certificate on Debian during installation:

- /etc/ssl/certs/iRedMail_CA.pem
- /etc/ssl/private/iRedMail.key

You can use them. But I'm not familiar with ownCloud and PHP, sorry.

5 (edited by jobu 2017-08-25 16:15:20)

Re: Authenticate ownCloud against iRedMails LDAP-Server

ZhangHuangbin wrote:

iRedMail creates two files for SSL certificate on Debian during installation:

- /etc/ssl/certs/iRedMail_CA.pem
- /etc/ssl/private/iRedMail.key

You can use them. But I'm not familiar with ownCloud and PHP, sorry.

I played around a little - for my purpose the Group Filter works better as a domain filter, since the people in the mail domains are coworkers and like to share spaces in their group, so I now use:

Group Filter : objectClass=mailDomain

TLS works fine now, too. I had to copy the mentioned .pem over to the ownCloud server.
On the ownCloud server:
# scp root@ip-of-iRedMail-server:/etc/ssl/certs/iRedMail_CA.pem /etc/ssl/certs/
Note: the whole chain has to be in that file.

Then add the following to /etc/ldap/ldap.conf:
BASE    dc=example,dc=org
URI     ldap://server.example.org:389
TLS_CACERT /etc/ssl/certs/iRedMail_CA.pem
TLS_CACERTDIR   /etc/ssl/certs
Note: see /etc/ldap/ldap.conf on iRedMail-server and use the fqdn

Activate TLS in ADMIN-Section of ownCloud, use fqdn for hostname, too, then test and save.

Cheers
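
With TLS disabled, the LDAP admin bind password and every user login cross the network between the two servers unencrypted, so the ldap.conf settings from post 5 are worth checking after any change. The script below is an added example, not part of the original thread: the function names and finding texts are made up here, and it only covers the three keywords this thread relies on (TLS_CACERT, TLS_REQCERT, URI).

```sh
#!/bin/sh
# Added example: audit an OpenLDAP client ldap.conf for the StartTLS settings
# from this thread. One finding per line; no output means the file passed.
# Function names and finding texts are hypothetical.

# Print the last value set for a keyword (ldap.conf keywords are
# case-insensitive; commented-out lines do not match).
ldapconf_get() {
    awk -v k="$2" 'toupper($1) == k { v = $2 } END { print v }' "$1"
}

audit_ldap_conf() {
    conf=$1
    cacert=$(ldapconf_get "$conf" TLS_CACERT)
    reqcert=$(ldapconf_get "$conf" TLS_REQCERT | tr 'A-Z' 'a-z')
    uri=$(ldapconf_get "$conf" URI)

    # The CA file must be readable and hold at least one PEM certificate.
    if [ -z "$cacert" ]; then
        echo "TLS_CACERT not set"
    elif [ ! -r "$cacert" ]; then
        echo "TLS_CACERT unreadable: $cacert"
    elif ! grep -q -e '-----BEGIN CERTIFICATE-----' "$cacert"; then
        echo "TLS_CACERT has no PEM certificate: $cacert"
    fi

    # 'never' and 'allow' let a session continue with a certificate that
    # fails verification; the default, 'demand', does not.
    case $reqcert in
        never|allow) echo "TLS_REQCERT weakened: $reqcert" ;;
    esac

    # The server name is matched against the certificate, so use the FQDN.
    host=${uri#*://}
    host=${host%%[:/]*}
    case $host in
        '')        echo "URI not set" ;;
        *[!0-9.]*) ;;   # has a non-digit character: treated as a hostname
        *)         echo "URI uses an IPv4 address: $host" ;;
    esac
}
```

Call it as `audit_ldap_conf /etc/ldap/ldap.conf` on the ownCloud server. A live check with `ldapsearch -x -ZZ -H ldap://server.example.org -b dc=example,dc=org -s base` then confirms the handshake itself, since `-ZZ` makes the command fail if StartTLS does not succeed.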