1

Topic: general Ldap Setup Question

==== Required information ====
- iRedMail version:  0.9
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): LDAP
- Linux/BSD distribution name and version: Debian 7
- Related log if you're reporting an issue:
====

I want to set up additional auth-related stuff, but I can't access the cn=admin,dc=config user.
It is protected by some password, but I don't know how to access it.

I need this because I need to execute these commands:

memberof_add.ldif
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulePath: /usr/lib/ldap
olcModuleLoad: memberof

sudo ldapadd -c -Y EXTERNAL -H ldapi:/// -f memberof_add.ldif

memberof_config.ldif
dn: olcOverlay=memberof,olcDatabase={1}hdb,cn=config
objectClass: olcMemberOf
objectClass: olcOverlayConfig
objectClass: olcConfig
objectClass: top
olcOverlay: memberof
olcMemberOfDangling: ignore
olcMemberOfRefInt: TRUE
olcMemberOfGroupOC: groupOfNames
olcMemberOfMemberAD: member
olcMemberOfMemberOfAD: memberOf

sudo ldapadd -c -Y EXTERNAL -H ldapi:/// -f memberof_config.ldif


But for both, the server tells me I don't have permission to do this.
I'm a little bit confused, as I didn't see the setup script modify anything in this.
Please help me ^^


2

Re: general Ldap Setup Question

iRedMail doesn't configure OpenLDAP to use On-Line Config (slapd.d) to store configurations, but a static config file (slapd.conf). So you can update /etc/ldap/slapd.conf instead.

By the way, may I know why you need 'memberof' overlay? What additional authentication are you trying to implement?

3

Re: general Ldap Setup Question

I ran into the same situation when I used iRedMail to install a mail server.
As Zhang said, iRedMail does not use online config, i.e. slapd.d, to store configurations.
It uses slapd.conf as a static configuration file.
Both are located at /etc/openldap/slapd.d (this one is a directory) and /etc/openldap/slapd.conf (a file).

According to the official OpenLDAP documentation, you can change the static configuration to dynamic.
Follow the instructions in
https://www.openldap.org/doc/admin24/slapdconf2.html
Section 5 and Section 6.

You can use the following command lines:

sudo rm -r /etc/ldap/slapd.d
sudo mkdir /etc/ldap/slapd.d
sudo slaptest -f /etc/ldap/slapd.conf -F /etc/ldap/slapd.d
sudo chown -R openldap:openldap /etc/ldap/slapd.d
sudo service slapd restart

to convert the static configuration to dynamic.

Before that, you should add several lines in slapd.conf to give access rights to the config database, i.e. cn=config,
as follows:
########
database config
access to *
    by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
    by * none

before the line "database monitor".

The access directive means you can use "-Y EXTERNAL" with sudo to run the ldapadd and ldapmodify commands.
Otherwise, you should set exact distinguished names to access the database cn=config, or you will get
insufficient permission (50) errors.

When you finish these and restart the slapd service, your OpenLDAP is based on the configuration from slapd.d.

If you get any error from the service restart process, most failures come from file owner or permission settings.

Enjoy!
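The conversion procedure above, as an added shell example that is not from this thread: it checks that slapd.conf carries the "database config" stanza granting manage only to the local root peercred identity (with a closing "by * none") and that it sits before "database monitor", then backs up the file, regenerates slapd.d and fixes ownership. The /etc/ldap path, the openldap owner and the sample configuration are assumptions.

```shell
#!/bin/sh
# Added example (not iRedMail's own code): validate the cn=config ACL
# before converting slapd.conf to the dynamic slapd.d layout.

# The DN that "sudo ldapadd -Y EXTERNAL -H ldapi:///" authenticates as.
ROOT_PEERCRED='gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth'

# check_config_acl FILE: returns 0 when the "database config" stanza exists,
# comes before "database monitor", grants manage to the root peercred DN
# and ends with "by * none" (so nobody else can read or write cn=config).
check_config_acl() {
    f="$1"
    cfg_line=$(grep -n '^database[[:space:]][[:space:]]*config[[:space:]]*$' "$f" | head -1 | cut -d: -f1)
    mon_line=$(grep -n '^database[[:space:]][[:space:]]*monitor' "$f" | head -1 | cut -d: -f1)
    [ -n "$cfg_line" ] || { echo "missing 'database config' stanza"; return 1; }
    if [ -n "$mon_line" ] && [ "$mon_line" -lt "$cfg_line" ]; then
        echo "'database config' must come before 'database monitor'"; return 1
    fi
    # The stanza runs from "database config" to the next "database" line.
    stanza=$(awk -v s="$cfg_line" 'NR>s && /^database/ {exit} NR>=s {print}' "$f")
    echo "$stanza" | grep -q "by dn.exact=\"$ROOT_PEERCRED\" manage" ||
        { echo "root peercred DN is not granted manage on cn=config"; return 1; }
    echo "$stanza" | grep -q '^[[:space:]]*by \* none' ||
        { echo "stanza lacks a closing 'by * none' deny"; return 1; }
    return 0
}

# convert_config [CONFDIR] [OWNER]: the steps from the post, guarded by the
# check and a timestamped backup. OWNER is the slapd service user.
convert_config() {
    d="${1:-/etc/ldap}"; owner="${2:-openldap}"     # assumed Debian defaults
    check_config_acl "$d/slapd.conf" || return 1
    cp -p "$d/slapd.conf" "$d/slapd.conf.bak.$(date +%Y%m%d%H%M%S)" || return 1
    rm -rf "$d/slapd.d" && mkdir -m 0750 "$d/slapd.d" || return 1
    slaptest -f "$d/slapd.conf" -F "$d/slapd.d" || return 1
    chown -R "$owner:$owner" "$d/slapd.d"
    service slapd restart
}

# Constructed sample slapd.conf with the stanza placed as the post describes.
sample_conf() {
cat <<'EOF'
include /etc/ldap/schema/core.schema
database hdb
suffix "dc=example,dc=com"
database config
access to *
    by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
    by * none
database monitor
EOF
}
# Usage on a real host (as root): convert_config /etc/ldap openldap
```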

4

Re: general Ldap Setup Question

@Anguo, thanks for sharing. :)