1

Topic: LDAP Authentication

==== Required information ====
- iRedMail version: 0.8.6
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): LDAP
- Linux/BSD distribution name and version: Debian
- Related log if you're reporting an issue:
====

Hello, I am currently evaluating iRedMail as a replacement for our current directory/mail server and am having some difficulty authenticating users against the LDAP schema from iRedMail. I would like to be able to authenticate my VPN users against the directory but have had no luck. My VPN is currently configured on my firewall, and when I set this up for extend authentication and test the LDAP authentication it comes back saying that the server is unreachable. Also, when I try to fetch the search base using LDAP Manager I get an error message stating "bind error please check the DNS name and network connection and try again." Any help on the issue would be great. Thanks.

2

Re: LDAP Authentication

iRedMail doesn't open LDAP services in the iptables firewall by default, so you have to open them first. If this is a testing server, the simplest solution is disabling the iptables service:

# /etc/init.d/iptables stop

If you don't want to disable iptables, please check file /etc/default/iptables, uncomment the lines below and restart the iptables service:

-A INPUT -p tcp --dport 389 -j ACCEPT
-A INPUT -p tcp --dport 636 -j ACCEPT

3

Re: LDAP Authentication

When trying to stop iptables I receive the following:

~# service iptables stop
[ ok ] Flushing firewall rules: iptables.
[ ok ] Setting chains to policy ACCEPT: filter.
[FAILding iptables modules failed!

4

Re: LDAP Authentication

Seems this script has a minor issue working with Debian/Ubuntu. But it should be just fine because the iptables rules were flushed.

5

Re: LDAP Authentication

Even after running that script I am still receiving the same errors from LDAP Manager and my firewall.

6

Re: LDAP Authentication

*) Check whether you have any iptables rules running with the command "iptables -L -n".
*) Check whether your OpenLDAP is listening on port 389 and accepts connections from the external network. e.g.

# netstat -ntlp | grep 389
tcp        0      0 0.0.0.0:389             0.0.0.0:*               LISTEN      3184/slapd

NOTE: If it's 0.0.0.0:389, it's fine. If it's '127.0.0.1:389', you have to update the parameter 'SLAPD_SERVICES' in /etc/default/slapd:

SLAPD_SERVICES="ldap:/// ldapi:///"

Then use the correct LDAP server address, port (389), bind dn and password in your LDAP client.
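The two checks above (the netstat listen address from this post and the iptables ACCEPT rules from post 2) as an added shell example, not from the forum thread or the iRedMail project; the netstat and iptables lines it parses are constructed samples mirroring the ones posted here, and the function names are mine:

```shell
#!/bin/sh
# Added example (not the forum's or iRedMail's code): classify where slapd
# listens from `netstat -ntlp` output, check `iptables -S INPUT` output for
# an ACCEPT on tcp/389, and name the next troubleshooting step.

# Constructed samples modelled on the lines posted in this thread.
SAMPLE_NETSTAT_ALL='tcp        0      0 0.0.0.0:389             0.0.0.0:*               LISTEN      3034/slapd
tcp6       0      0 :::389                  :::*                    LISTEN      3034/slapd'
SAMPLE_NETSTAT_LOOPBACK='tcp        0      0 127.0.0.1:389           0.0.0.0:*               LISTEN      3184/slapd'
SAMPLE_RULES_OPEN='-P INPUT DROP
-A INPUT -p tcp --dport 389 -j ACCEPT
-A INPUT -p tcp --dport 636 -j ACCEPT'
SAMPLE_RULES_CLOSED='-P INPUT DROP
-A INPUT -p tcp --dport 25 -j ACCEPT'

# slapd_scope NETSTAT_TEXT PORT: prints "external" (0.0.0.0, :: or a real
# interface address), "loopback" (127.0.0.1/::1 only) or "none".
slapd_scope() {
    printf '%s\n' "$1" | awk -v port="$2" '
        $1 ~ /^tcp/ && $6 == "LISTEN" && $4 ~ (":" port "$") {
            addr = $4; sub(/:[0-9]+$/, "", addr)
            if (addr == "127.0.0.1" || addr == "::1") loop = 1; else ext = 1
        }
        END { if (ext) print "external"; else if (loop) print "loopback"; else print "none" }'
}

# port_accepted RULES_TEXT PORT: succeeds if the INPUT chain has an explicit
# ACCEPT for that TCP port, or is flushed with policy ACCEPT (the state left
# behind by "service iptables stop" earlier in the thread).
port_accepted() {
    printf '%s\n' "$1" | grep -Eq -- "-p tcp .*--dport $2[[:space:]].*-j ACCEPT" && return 0
    printf '%s\n' "$1" | grep -q '^-P INPUT ACCEPT$' && ! printf '%s\n' "$1" | grep -q '^-A INPUT'
}

# diagnose NETSTAT_TEXT RULES_TEXT: next step for a client that cannot bind
# to port 389, in the order the thread checks them.
diagnose() {
    case "$(slapd_scope "$1" 389)" in
        none)     echo "slapd is not listening on 389: check the slapd service" ;;
        loopback) echo "slapd is loopback-only: set SLAPD_SERVICES=\"ldap:/// ldapi:///\" in /etc/default/slapd" ;;
        external) if port_accepted "$2" 389; then
                      echo "network path to 389 is fine: verify bind dn and password next"
                  else
                      echo "slapd listens on 389 but iptables has no ACCEPT for tcp/389"
                  fi ;;
    esac
}

# Live use on the server: diagnose "$(netstat -ntlp)" "$(iptables -S INPUT)"
diagnose "$SAMPLE_NETSTAT_ALL" "$SAMPLE_RULES_CLOSED"
```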

7

Re: LDAP Authentication

Here are the results I am getting:

netstat -ntlp | grep 389
tcp        0      0 0.0.0.0:389             0.0.0.0:*               LISTEN      3034/slapd     
tcp6       0      0 :::389                  :::*                    LISTEN      3034/slapd     

The IP is set to zero, but I am still getting "Bind Error Please check the DNS name and network connection and try again" from LDAP Manager even when using the bind dn and password.

8

Re: LDAP Authentication

I am still unable to reach the LDAP schema from LDAP Manager or my firewall; any additional help would be greatly appreciated.

9

Re: LDAP Authentication

Did you use the right bind dn and password? Which one did you use? Also, did you use the IP address or the hostname of the LDAP server for testing?

10

Re: LDAP Authentication

I used cn=Manager,dc=example,dc=com (replaced the dc with my domain name) and the password that was set during installation, and receive a bind error. I also tried cn=vmailadmin and that returned the same result. I am currently using the IP address of the LDAP server, not the hostname.

11

Re: LDAP Authentication

*) Does the firewall block port 389?
*) Do your bind dn and password work on localhost (the server that runs the OpenLDAP service)?

12

Re: LDAP Authentication

The firewall does not block port 389. As far as I know, yes, the bind dn and password work on localhost; this is a new install and I have not added any users yet, and the only one that slapcat shows is admin.

13

Re: LDAP Authentication

Bind dn/password is correct, the LDAP service is listening on 0.0.0.0:389, the firewall doesn't block port 389, everything seems just fine. No idea yet.

Did you try another LDAP client software?

14

Re: LDAP Authentication

I finally did a complete reinstall of Debian and iRedMail and I am now able to query the LDAP backend on the iRedMail install. I do have another question regarding the admin panel. I have noticed on your Pro demo that it has the ability to add aliases; I do not see that in the open source version. Is there a way this can be done in the open source version, or is it only an option in the Pro admin panel?

15

Re: LDAP Authentication

jon.hoffart wrote:

I have noticed on your Pro demo that it has the ability to add aliases; I do not see that in the open source version. Is there a way this can be done in the open source version, or is it only an option in the Pro admin panel?

You can add it manually with phpLDAPadmin or other LDAP client tools.
References:

- Add mailing list with phpLDAPadmin: http://www.iredmail.org/wiki/index.php? … pLDAPadmin
- Add mail alias with phpLDAPadmin: http://www.iredmail.org/wiki/index.php? … pLDAPadmin

16

Re: LDAP Authentication

One more question: currently we host multiple domains, meaning if mail is sent to person@domain1.com or person@domain2.com it all ends up in the same mailbox for that person. Now I understand that iRedMail can host virtual domains, but this delivers mail sent to person@domain1.com and person@domain2.com to two separate inboxes, and this is not what I want; I want messages sent to both addresses to end up in the same mailbox. Can I do this with iRedMail?

17

Re: LDAP Authentication

Yes. Steps:

1. Add domain 'domain1.com'.
2. Add 'domain2.com' as an alias domain of 'domain1.com'. Then all emails sent to 'person@domain1.com' and 'person@domain2.com' will be delivered to the same mailbox (person@domain1.com).

With iRedAdmin-Pro, you can easily achieve this. Screenshot attached for your reference:

http://www.iredmail.org/images/iredadmin/domain_profile_alias.png

18

Re: LDAP Authentication

If I understand you right, then that feature is only available with the Pro edition and not the open source edition?

19

Re: LDAP Authentication

jon.hoffart wrote:

If I understand you right, then that feature is only available with the Pro edition and not the open source edition?

This feature is implemented in the iRedMail part; iRedAdmin-Pro just helps you to manage it. You can add an alias domain manually with phpLDAPadmin or other LDAP tools, but iRedAdmin-Pro is the easiest one.

20

Re: LDAP Authentication

ZhangHuangbin wrote:
jon.hoffart wrote:

If I understand you right, then that feature is only available with the Pro edition and not the open source edition?

This feature is implemented in the iRedMail part; iRedAdmin-Pro just helps you to manage it. You can add an alias domain manually with phpLDAPadmin or other LDAP tools, but iRedAdmin-Pro is the easiest one.

Thanks for the clarification.