HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials


gring 20th March 2009 04:27

Ubuntu 8.10 - openLDAP and Phamm for Postfix - dovecot
Hi, I've tried this howto: Postfix Virtual Hosting With LDAP Backend And With Dovecot As IMAP/POP3 Server On Ubuntu Intrepid Ibex Server 8.10

I've got the same issues as some of the people who commented on the page about installing openLDAP:

- when trying to set the ACL's (what is an ACL by the way?) with the command: ldapmodify -x -D cn=admin,cn=config -W -f acl-del.ldif

I get the following error message: ldapmodify: wrong attributeType at line 3, entry "olcDatabase={1}hdb,cn=config"

Should something be configured first in the server?

- when I try to add the phamm hosting organisation, I just get a "bad credentials" error.

Should the database (dn:o=hosting,dc=example,dc=tld) be created first?

By the way, how can we define the database location in the filesystem? When looking for tutorials, it is shown that it was set within the slapd.conf file, which doesn't exist in the latest openldap version.

Thanks for helping, the old server I'm migrating from is already down and my users' mails are falling nowhere, so I'm getting a little nervous :)... LDAP is not really beginner friendly so your help would REALLY be welcome.

gring 23rd March 2009 01:19


I wrote a private message to the howto's author, Miguel, who told me he also had the same problem:


Originally Posted by Miguel
I'm sorry that I can't help you.

It worked when I wrote the How To.

It does work without the ACL's, but then postmasters cannot create email addresses, only the 'admin' (Openldap account) can.

The syntax is correct, but there seems to be a truncated entry in the latest Openldap version. Even when trying to delete (ACL) with the line number option the error occurs (which shouldn't).

I haven't found a solution myself for the problem.


It seems there are some changes in the latest versions of openLDAP: configuration is no longer done through the slapd.conf file (as shown in many documentations on the web), but directly in the config database.

Here is the openLDAP page about ldap browsers (useful to edit it):

gring 26th March 2009 22:28

OpenLdap used to be configured with the file slapd.conf. With the latest Ubuntu packages, this is no longer the case, and the server is configured with an internal ldap database, as it is explained here.

When you install slapd with apt-get, it creates the main configuration database (dc=config), and a default database.

Now, to edit the slapd configuration, take an ldap browser.
I used ldapAdmin

connect to the database: dc=config
with the user: cn=admin,cn=config
and the password you set during slapd installation.

As you can see, there are several entries:

- cn=schema, that should contain the default schemas and the 4 you added during the howto.

- olcDatabase={0}config, an occurrence of the olcDatabaseConfig class, that holds the configuration of slapd's internal configuration database.

- olcDatabase={1}hdb, an occurrence of olcDatabaseConfig AND olcHdbConfig, which holds the configuration of a database that is automatically created upon slapd installation.

(olcHdbConfig makes the entry hold configuration data like the path of the database, which is useless for the internal configuration db)

* I didn't manage to create a new database by adding an occurrence of olcDatabaseConfig and olcHdbConfig, I keep having error messages saying the server can't initialise the db -> I can't find any documentation about creating a db

* I didn't manage to change the suffix attribute, so I used dpkg-reconfigure slapd to set it during hdb's creation.

* I changed the database's location. To do that, copy the files in /var/lib/ldap to your directory, then change the olcDbDirectory attribute to match it. Then restart your slapd server. I think it's a dirty way to do it, but it works

With your ldap browser, erase the olcAccess lines. (I'm not sure it works with all browsers). Then continue to follow the howto's instructions and add the ACL's.

* the database contains a cn=admin entry, it seems to contain the admin's account data for the database

I go through the entire howto, but phamm keeps telling me "invalid credentials", though I can connect to the database with the ldap browser...

Any ideas?

gring 4th April 2009 21:00

There's a bug in the ubuntu phamm - apt-get package.

(The main program file does not look for the configuration file in /etc/phamm/config.php, you have to change it)

gring 4th April 2009 21:06

(the main program file is here: /usr/share/phamm/www-data/main.php)

maczkal 8th April 2009 13:12

Hi, thanks a lot for this.
But please explain it step by step.
What change where.
In my configuration there's no /etc/phamm/config.php file. I don't even have /etc/phamm folder.

I hope you will help. Thanks one more time.

interrobang 15th April 2009 23:50


Originally Posted by maczkal (Post 180474)
Hi, thanks a lot for this.
But please explain it step by step.
What change where.
In my configuration there's no /etc/phamm/config.php file. I don't even have /etc/phamm folder.

I hope you will help. Thanks one more time.

The config.php file should be in the "phamm - apt-get package". But why does gring use the phamm package? The Howto does not contain any "phamm - apt-get package" - only a compressed "phamm-0.5.15.tar.gz". Strange...

.. I am not able to complete my installation under this incomplete tutorial :(

Miguel 16th April 2009 16:55

Why is there no apt-get install of the phamm package: two reasons

1. The phamm package was outdated at the time when this How to was written
2. Even if you did install the apt package you would still have to do all of the configuration manually. It does not configure phamm, nor OpenLDAP.

I'm currently overloaded by a project for the government so I cannot devote the time needed in order to resolve the issues with regard to the ACL.

However when this how to was written, I used it to install and configure the environment and it worked. There is now an update / upgrade available from Ubuntu for the Openldap package but I don't have the time to test it in regard to the how to.

Apart from the ACL issue the how to works, and without the ACL phamm works. Downside is that without the ACL, postmasters cannot add / change users, only the admin (Openldap admin) account can.

One of the issues I'm raising with the phamm developers is to have the security (read ACL) in the package and not being dependent on Openldap.

For one:

If you add / change / modify ACL's, there is a major issue that phamm won't work or act strangely if the ACL's imposed on Openldap by phamm aren't in the correct order (this just as a side note).

I'll try to do my best, but as I said I almost don't have any time except for work for the last 4 months and it isn't looking any better in the near future.

Resolving this is also important to me since my own (18 domains) are running on this setup.

I'm very sorry not being able to provide more assistance at this moment.

feydin 2nd May 2009 19:35

Are there any updates on the ACL issues? It really limits the features phamm offers (f.e. Users are not able to set Vacation messages and so on).

Afanen 1st June 2009 15:08

Change the order of entries
I simply changed the order of the entries in add-del.ldif. My file looks like this:

dn: olcDatabase={1}hdb,cn=config
delete: olcAccess
olcAccess: to attrs=userPassword,shadowLastChange by dn="cn=admin,dc=orca-central,dc=de" write by anonymous auth by self write by * none
olcAccess: to * by dn="cn=admin,dc=orca-central,dc=de" write by * read
olcAccess: to dn.base="" by * read

You will see that I simply swapped the last two lines. That solved the problem for me. Using line numbers didn't do the trick.

I used slapcat to find out the actual order of the acls in the database. It seems the delete command needs them in the same order, as they were entered.
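
The approach from the post above (read the stored ACL order from slapcat output, then list the values in that same order in the delete LDIF), as an added example that is not part of the original thread. It also handles folded and base64-encoded lines, which slapcat can emit; the sample data, the dc=example,dc=tld suffix and the function names are constructed for illustration.

```python
import base64
import re

# Constructed sample in the style of slapcat output for the config database.
# It contains a folded line (continuation starts with one space), {n} ordering
# prefixes, and one base64-encoded value ("olcAccess::").
_B64_ACL = base64.b64encode(b'{2}to dn.base="" by * read').decode()
SAMPLE_SLAPCAT = (
    "dn: olcDatabase={1}hdb,cn=config\n"
    "olcDatabase: {1}hdb\n"
    "olcSuffix: dc=example,dc=tld\n"
    'olcAccess: {0}to attrs=userPassword,shadowLastChange by dn="cn=admin,dc=exampl\n'
    ' e,dc=tld" write by anonymous auth by self write by * none\n'
    'olcAccess: {1}to * by dn="cn=admin,dc=example,dc=tld" write by * read\n'
    f"olcAccess:: {_B64_ACL}\n"
    "\n"
    "dn: olcDatabase={0}config,cn=config\n"
    "olcAccess: {0}to * by * none\n"
)

def unfold(ldif_text):
    """Join LDIF continuation lines (newline followed by a single space)."""
    return re.sub(r"\r?\n ", "", ldif_text)

def stored_acls(ldif_text, dn):
    """Return the olcAccess values of entry `dn` in stored order, {n} prefix removed."""
    acls = []
    for entry in re.split(r"\n\s*\n", unfold(ldif_text).strip()):
        lines = entry.splitlines()
        if not lines or lines[0].strip().lower() != f"dn: {dn}".lower():
            continue
        for line in lines[1:]:
            m = re.match(r"olcAccess(::?)\s*(.*)$", line, re.I)
            if not m:
                continue
            value = m.group(2)
            if m.group(1) == "::":  # base64-encoded value
                value = base64.b64decode(value).decode("utf-8")
            idx = re.match(r"\{(\d+)\}(.*)$", value, re.S)
            acls.append((int(idx.group(1)), idx.group(2)) if idx else (len(acls), value))
    return [value for _, value in sorted(acls)]

def build_delete_ldif(dn, acls):
    """LDIF for ldapmodify deleting the given olcAccess values, in the given order."""
    lines = [f"dn: {dn}", "changetype: modify", "delete: olcAccess"]
    lines += [f"olcAccess: {acl}" for acl in acls]
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    target = "olcDatabase={1}hdb,cn=config"
    print(build_delete_ldif(target, stored_acls(SAMPLE_SLAPCAT, target)), end="")
```
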

