1

Topic: Openldap integration

I have had numerous issues trying to bind to the openldap backend of iredmail. Now my project requires that this actually be successful.
I am looking for information for two purposes:
1. What would the ldap information look like for having joomla with advanced ldap tools bind to openldap?
http://imgur.com/7XptE.png

That is the required information for binding and creating/modifying users.

2. I don't seem to have phpldapadmin installed with my setup, I was wondering what settings would be specific to iredmails default setup in order to properly configure phpldapadmin to bind to the system. Thank You.

Also, there is an international ldap schema for joomla:

# Joomla Group Attribute; free form text
attributetype ( 1.3.6.1.4.1.27457.1.1
        NAME 'JoomlaGroup'
        DESC 'Joomla: Group to belong to'
        EQUALITY caseIgnoreMatch
        SUBSTR caseIgnoreSubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )

# Joomla User Alias attribute; free form text
attributetype ( 1.3.6.1.4.1.27457.1.3
    NAME ('uidAlias' 'useridAlias')
    DESC 'Aliased user id'
    EQUALITY caseIgnoreMatch
    SUBSTR caseIgnoreSubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )

# Joomla Block User attribute; boolean
attributetype ( 1.3.6.1.4.1.27457.1.4
    NAME 'JoomlaBlockUser'
    DESC 'If the user should be blocked'
    EQUALITY integerMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
    )
    
# Joomla User Params; free form text
attributetype ( 1.3.6.1.4.1.27457.1.5
    NAME 'JoomlaUserParams'
    DESC 'Joomla User Parameters'
    EQUALITY caseIgnoreMatch
    SUBSTR caseIgnoreSubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{65535} )

# Joomla User Object Class
# Requires various elements
# Extra name details are optional
objectclass     ( 1.3.6.1.4.1.27457.1.2
    NAME 'JoomlaUser'
    DESC 'User of a Joomla instance'
    AUXILIARY
    MUST ( cn $ JoomlaGroup $ uid $ mail $ userPassword $ JoomlaBlockUser )
    MAY ( givenName $ sn $ useridAlias $ displayName $ givenName $ initials $ JoomlaUserParams )
    )

And this is the jauthtools website:
http://sammoffatt.com.au/jauthtools/LDAP_Tools

2

Re: Openldap integration

You can find conncet username and password in /etc/postfix/ldap_virtual_mailbox_maps.cf (bind dn and password). Other settings in your screenshot seem ok. Note: iRedMail blocks all ldap connection request form external networks by default, don't forget to check your firewall rule if your Joomla is not deployed on same machine.

phpLDAPadmin doesn't require addition config for localhost connection.

3 (edited by gordonwater 2010-06-28 02:02:30)

Re: Openldap integration

What settings need to be changed to in order to allow ldap binding from external networks (non 127). Is it something like /etc/hosts.allow or what files specifically? (This is a noob question, but I would like it documented.)

4

Re: Openldap integration

As i said in above post, you should change only iptables rules.

5

Re: Openldap integration

Alright, $25 bounty placed on however can help me finish this project. I cannot, for the life of me, have Joomla 1.5 with jauthtools bind to the integrated openldap of iredmail with iptables allowing incoming on 389 for both tcp and udp. I can post any relevant information, just that all binding seems to fail.

6

Re: Openldap integration

http://imgur.com/deQCo.png

That is a visual of my ldap schema. I am not sure how to translate that into the necessary joomla files. I have all the info from iredmail.tips as well.

7

Re: Openldap integration

On RHEL/CentOS, iptables rule file is /etc/sysconfig/iptables, On Debian/Ubuntu, it's /etc/default/iptables.
You can find these two lines in this file:

# ldap/ldaps
#-A INPUT -p tcp -m multiport --dport 389,636 -j ACCEPT

Remove the '#' in second line, and restart your iptables service:

# /etc/init.d/iptables restart

Now, you can connect to iRedMail OpenLDAP service from external network.

For security reason, it's recommended that you only allow connection from your Joomla server, like this:

# ldap/ldaps
#-A INPUT -p tcp -m multiport --dport 389,636 -j ACCEPT
-A INPUT -p tcp -m multiport --dport 389,636 -s 192.168.10.10 -j ACCEPT

Here, 192.168.10.10 is the IP address of your Joomla server.

8

Re: Openldap integration

I read the Joomla ldap schema you post in first post, looks like you can simply add one more objectClass (JoomlaUser)  in existing mail user, and then add necessary attributes and values for Joomla user account (it's mail user too).

9

Re: Openldap integration

ZhangHuangbin wrote:

On RHEL/CentOS, iptables rule file is /etc/sysconfig/iptables, On Debian/Ubuntu, it's /etc/default/iptables.
You can find these two lines in this file:

# ldap/ldaps
#-A INPUT -p tcp -m multiport --dport 389,636 -j ACCEPT

Remove the '#' in second line, and restart your iptables service:

# /etc/init.d/iptables restart

Now, you can connect to iRedMail OpenLDAP service from external network.

For security reason, it's recommended that you only allow connection from your Joomla server, like this:

# ldap/ldaps
#-A INPUT -p tcp -m multiport --dport 389,636 -j ACCEPT
-A INPUT -p tcp -m multiport --dport 389,636 -s 192.168.10.10 -j ACCEPT

Here, 192.168.10.10 is the IP address of your Joomla server.


# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
RH-Firewall-1-INPUT  all  --  anywhere             anywhere            

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
RH-Firewall-1-INPUT  all  --  anywhere             anywhere            

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain RH-Firewall-1-INPUT (2 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     icmp --  anywhere             anywhere            icmp any 
ACCEPT     esp  --  anywhere             anywhere            
ACCEPT     ah   --  anywhere             anywhere            
ACCEPT     udp  --  anywhere             224.0.0.251         udp dpt:mdns 
ACCEPT     udp  --  anywhere             anywhere            udp dpt:ipp 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ipp 
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED 
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:cbt 
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:submission 
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:smtps 
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:imaps 
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:imap 
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ldap 
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ndmp 
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh 
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:smtp 
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:http 
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:https 
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited 

So I know my iptables is fine.

10

Re: Openldap integration

ZhangHuangbin wrote:

I read the Joomla ldap schema you post in first post, looks like you can simply add one more objectClass (JoomlaUser)  in existing mail user, and then add necessary attributes and values for Joomla user account (it's mail user too).

I guess my lack of knowledge of ldap attributes. I really am lost at this point because of the lack of documentation from Joomla. Plus I need joomla created users in a separate OU cause they are only privileged for joomla. The regular mail accounts are supposed to be privileged to allow access to services such as wikimedia, NAS, phpBB etc. Employees Vs Customers at this point.

11

Re: Openldap integration

http://www.howtoforge.com/using-iredmai … centos-5.4

you can refer , like add vpn service for mail account.

you also need consider filter

# User Search Filter
SearchFilter    "(&(objectClass=mailUser)(accountStatus=active)(enabledService=vpn))"

12

Re: Openldap integration

shake wrote:

http://www.howtoforge.com/using-iredmai … centos-5.4

you can refer , like add vpn service for mail account.

you also need consider filter

# User Search Filter
SearchFilter    "(&(objectClass=mailUser)(accountStatus=active)(enabledService=vpn))"

OK, So you have helped point me in the right direction. However, How do you add attributes and search filters as such? Or attributes like UserType/ObjectClass/JoomlaUser etc.

Remember, $25 bounty!

13 (edited by shake 2010-07-02 09:06:48)

Re: Openldap integration

I hhave intergrate some application to ldap.

some application like OpenVPN ,no schema,

some application like PureFTP, have own schema

the intergration have some different.

now the joomla have schema, so maybe you refer http://www.iredmail.org/wiki/index.php? … DAP/CentOS

14

Re: Openldap integration

Thanks for the help. Though I am going to keep persisting till this works. After I do, I'll post a good amount of information so the next person inline has this as a reference.

15

Re: Openldap integration

Actually, I just came across this and it seems to come in the right direction: http://danieljamesscott.org/documentati … ation.html