Ubuntu 8.10 - openLDAP and Phamm for Postfix - dovecot

Discussion in 'HOWTO-Related Questions' started by gring, Mar 20, 2009.

  1. gring

    gring Member HowtoForge Supporter

    Hi, I've tried this howto: Postfix Virtual Hosting With LDAP Backend And With Dovecot As IMAP/POP3 Server On Ubuntu Intrepid Ibex Server 8.10

    I've got the same issues than some of the people who commented the page about installing openLDAP:

    - when trying to set the ACL's (what is an ACL by the way?) with the command: ldapmodify -x -D cn=admin,cn=config -W -f acl-del.ldif

    I get the following error message: ldapmodify: wrong attributeType at line 3, entry "olcDatabase={1}hdb,cn=config"

    should something be configured first in the server?

    - when I try to add the phamm hosting organisation, I just get a "bad credentials" error.

    Should the database (dn:eek:=hosting,dc=example,dc=tld
    ) be created first?

    By the way, how can we define the database location in the filesystem? When looking for tutorials, it is shown that it was set within the slapd.conf file, which doesn't exist in openldap latest version.

    Thanks for helping, the old server I'm migrating from is already down and my user's mails are falling nowhere, so I'm getting a little nervous :)... LDAP is not really beginner friendly so your help would REALLY be welcome.
  2. gring

    gring Member HowtoForge Supporter


    I wrote a private message to the howto's author, Miguel, who told me he also had the same problem:

    It seems there are some changes in the latest versions of openLDAP, configuration is no more made through the slapd.conf file (like it is shown in many documentations on the web), but directly in the config database.

    Here is the openLDAP page about ldap browsers (useful to edit it): http://www.openldap.org/faq/data/cache/270.html
  3. gring

    gring Member HowtoForge Supporter

    OpenLdap used to be configured with the file slapd.conf. With the latest Ubuntu packages, it is no more the case, and the server is configured with and internal ldap database, as it is explained here.

    When you install slapd with apt-get, it creates the main configuration database (dc=config), and a default database.

    Now, to edit the slapd configuration, take a ldap browser.
    I used ldapAdmin

    connect to the database: dc=config
    with the user: cn=admin,cn=config
    and the password you set during slapd installation.

    As you can see, there are several entries:

    - cn=schema, that should contain the default schema's and the 4 you added during the howto.

    - olcDatabase={0}config, an occurence of the olcDatabaseConfig class, that holds the configuration of slapd's internal configuration database.

    - olcDatabase={1}hdb, an occurence of olcDatabaseConfig AND olcHdbConfig, which holds the configuration of a database that is automatically created upon slapd installation.

    (olcHdbConfig makes the entry hold configuration data like the path of the database, which is useless for the internal configuration db)

    * I didn't manage to create a new database by adding an occurence of olcDatabaseConfig and olcHdbConfig, I keep having error messages saying the server can't initialise the db -> I cant' find any documentation about creating a db

    * I didn't manage to change the suffix attribute, so I used dpkg-reconfigure slapd to set it during hdb's creation.

    * I changed the database's location, to do that, copy the files in /var/lib/ldap to your directory, then change the olcDbDirectory attribute to match it. then restart your slapd server. I think it's a dirty way to do it, but it works

    With your ldap browser, erase the olcAccess lines. (I'm not sure it works with all browsers). Then continue to follow the howto's instructions and add the acl's.

    * the database contains a cn=admin entry, it seems to contain the admin's account data for the database

    I go through the entire howto, but phamm keeps telling me "invalid credentials", though I can connect to the database with the ldap browser...

    Any ideas?
  4. gring

    gring Member HowtoForge Supporter

    There's a bug in the ubuntu phamm - apt-get package.

    (The main program file does not look for the configuration file in /etc/phamm/config.php, you have to change it)
  5. gring

    gring Member HowtoForge Supporter

    (the main program file is here: /usr/share/phamm/www-data/main.php
  6. maczkal

    maczkal New Member

    Hi, thanks a lot for this.
    But please explain it step by step.
    What change where.
    In my configuration there's no /etc/phamm/config.php file. I even don't have /etc/phamm folder.

    I hope you will help. Thanks one more time.
  7. interrobang

    interrobang New Member

    the config.php file should be in the "phamm - apt-get package". but why use
    gring the phamm package? the Howto does not contain any "phamm - apt-get package" - only a compressed "phamm-0.5.15.tar.gz". strange...

    .. i am not able to complete my installation under this incomplete totorial :(
  8. Miguel

    Miguel New Member HowtoForge Supporter

    Why is there no apt-get install of the phamm package: two reasons

    1. The pham package was outdated at the time when this How to was written
    2. Even if you did install the apt package you would still have to do all of the configuration manually. It does not configure phamm, nor OpenLDAP.

    I'm currently overloaded by a project for the governement so I cannot devote the time needed in order to resolve the issues with regard to the ACL.

    However when this how to was written, I used it to install an configure the environment and it worked. There is now an update / upgrade available from Ubuntu for the Openldap package but I don't have the time to test it in regard to the how to.

    Apart from the ACL issue the how to works, and without the ACL phamm works. Downside is that without the ACL, postmasters cannot add / change users, only the admin (Openldap admin) account can.

    One of the issues I'm raising with the phamm developers is to hve the security (read ACL) in the package and not being dependant on Openldap.

    For one:

    If you add / change / modify ACL's, there is a major issue that phamm won't work or act strangely if the ACL's impose on Openldap by phamm aren't in the correct order (this just as a side note).

    I'll try to do my best, but as I said I almost don't have any time except for work for the last 4 months and it isn't looking any better in the near future.

    Resolving this is also important to me since my own (18 domains) are running on this setup.

    I'm very sorry not being able to provide more assistance at this moment.
  9. feydin

    feydin New Member

    Are there any updates on the ACL issues? It really limit's the features phamm offers (f.e. Users are not able to set Vacation messages and so on).
  10. Afanen

    Afanen New Member

    Change the order of entries

    I simply changed the order of the entries in add-del.ldif. My file looks like this:
    dn: olcDatabase={1}hdb,cn=config
    delete: olcAccess
    olcAccess: to attrs=userPassword,shadowLastChange by dn="cn=admin,dc=orca-central,dc=de" write by anonymous auth by self write by * none
    olcAccess: to * by dn="cn=admin,dc=orca-central,dc=de" write by * read
    olcAccess: to dn.base="" by * read 
    You will see, that I simply swapped the last two lines. That solved the problem for me. Using linenumbers didn't do the trick.

    I used slapcat to find out the actual order of the acls in the database. It seems the delete command needs them in the same order, as they were entered.


Share This Page