Postfix Virtual Hosting With LDAP Backend And With Dovecot As IMAP/POP3 Server On Ubuntu Trusty Tahr 14.04 - Page 2
This tutorial exists for these OS versions
- Ubuntu 18.04 (Bionic Beaver)
- Ubuntu 14.04 LTS (Trusty Tahr)
- Ubuntu 9.10 (Karmic Koala)
- Ubuntu 8.10 (Intrepid Ibex)
- Ubuntu 8.04 (Hardy Heron)
On this page
Step2: Install and configure openldap
Install openldap and ldap-utils:
apt install slapd ldap-utils
Reconfigure slapd to make sure it reflects your wanted setup
dpkg-reconfigure slapd
You will have to answer some questions:
Omit OpenLDAP server configuration? ==> NoDNS domain name: example.tld ==> put your domain name hereOrganization name: example.tld ==> put your organization hereAdministrator password: secret ==> put your passwordConfirm password: secretDatabase backend to use: HDBDo you want the database to be removed when slapd is purged? YesAllow LDAPv2 protocol? No
Move old database? Yes
Change into the /etc/ldap/schema directory:
cd /etc/ldap/schema
Copy the phamm.schema and perversia.net.schema from the phamm package to the schema directory:
cp /usr/src/phamm-0.6.2/schema/phamm.schema /etc/ldap/schema.
cp /usr/src/phamm-0.6.2/schema/contrib/perversia.net.schema /etc/ldap/schema.
Get some more schema's we need.
cd schema
wget http://open.rhx.it/phamm/schema/ISPEnv2.schema
wget http://open.rhx.it/phamm/schema/amavis.schema
wget http://open.rhx.it/phamm/schema/pureftpd.schema
cd ../
Now we need to convert the schema's to ldif format.
Create a file called convert and paste the text below in to it.
vi convert
Contents of convert:
include /etc/ldap/schema/core.schema include /etc/ldap/schema/cosine.schema include /etc/ldap/schema/nis.schema include /etc/ldap/schema/inetorgperson.schema include /etc/ldap/schema/phamm.schema include /etc/ldap/schema/ISPEnv2.schema include /etc/ldap/schema/amavis.schema include /etc/ldap/schema/pureftpd.schema include /etc/ldap/schema/perversia.net.schema
Now we will convert the shema's:
mkdir ldif
slaptest -f convert -F ldif
Now we change in to the directory that contains the converted schemas:
cd ldif/cn\=config/cn\=schema
The directory should contain the following files:
cn={0}core.ldif cn={3}inetorgperson.ldif cn={6}amavis.ldif
cn={1}cosine.ldif cn={4}phamm.ldif cn={7}pureftpd.ldif
cn={2}nis.ldif cn={5}ISPEnv2.ldif cn={8}perversia.ldif
We will need to edit the phamm, amavis, pureftpd, ISPEnv2 and perversia schemas. For each you need to do the following (example for the phamm schema):
Change:
dn: cn={4}phamm objectClass: olcSchemaConfig cn: {4}phamm
to
dn: cn=phamm,cn=schema,cn=config objectClass: olcSchemaConfig cn: phamm
And delete:
structuralObjectClass: olcSchemaConfig entryUUID: c27532b2-6a27-102e-88a5-e92372c94d84 creatorsName: cn=config createTimestamp: 20091120135300Z entryCSN: 20091120135300.238121Z#000000#000#000000 modifiersName: cn=config modifyTimestamp: 20091120135300Z
So for each of these do repectively and make the changes like above:
vi cn\=\{4\}phamm.ldif
vi cn\=\{5\}ISPEnv2.ldif
vi cn\=\{6\}amavis.ldif
vi cn\=\{7\}pureftpd.ldif
vi cn\=\{8\}perversia.ldif
Note: the enry phamm in the example is ISPEnv2, amavis, pureftpd and pervisia in the other ldif's.
Now we copy the ldifs to the /etc/ldap/schema directory (this is not needed, but is handy whenever the ldif's are needed).
cp cn\=\{4\}phamm.ldif /etc/ldap/schema/phamm.ldif
cp cn\=\{5\}ISPEnv2.ldif /etc/ldap/schema/ISPEnv2.ldif
cp cn\=\{6\}amavis.ldif /etc/ldap/schema/amavis.ldif
cp cn\=\{7\}pureftpd.ldif /etc/ldap/schema/pureftpd.ldif
cp cn\=\{8\}perversia.ldif /etc/ldap/schema/perversia.ldif
We can now delete the ldif directory since we don't need it anymore and also to avoid any confusion and change back to the /etc/ldap/schema directory.
cd /etc/ldap/schema
rm -R ldif
Now we add the schemas to openldap.
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/phamm.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/ISPEnv2.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/amavis.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/pureftpd.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/perversia.ldif
Now we create the o=hosting, and phamm account.
Modify the text below to your needs and wants and generate a password for the phamm account. The hash currently in this file sets the password to readonly
To create the hash for the phamm account issue the following command:
slappasswd -h {MD5}
Type the wanted pasword twice and copy the result in to the text below.
Create the base.ldif:
vi base.ldif
Content of base.ldif.
dn: o=hosting,dc=example,dc=tld
objectClass: organization
objectClass: top
o: hosting description: Hosting Organization
# Read only account
dn: cn=phamm,o=hosting,dc=example,dc=tld
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: phamm
userPassword: {MD5}M267sheb6qc0Ck8WIPOvQA==
description: Read only account
Load the base dn into the database with the following command:
ldapmodify -a -D cn=admin,dc=example,dc=tld -W -f base.ldif
Now we need to modify the acl's so that the correct access is given to each user type.
Note: the way we are going to modify the acl's is not the official Openldap way but it worked for me. When I get it working the official way I will update this guide.
cd /etc/ldap/slapd.d/cn\=config
Next we will edit olcDatabase={1}hdb.ldif to replace the current acl's with the new ones.
First backup the olcDatabase={1}hdb.ldif so that you have a copy if anything goes wrong.
cp olcDatabase={1}hdb.ldif olcDatabase={1}hdb.ldif.bck
Delete the following lines:
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous auth by dn="cn=admin,dc=iredmail,dc=org" write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by self write by dn="cn=admin,dc=example,dc=tld" write by * read
With:
olcAccess: {0}to dn.regex=".+,vd=([^,]+),o=hosting,dc=example,dc=tld$" attrs=userPassword by dn="cn=admin,dc=example,dc=tld" write by self write by anonymous auth by dn.exact,expand="cn=postmaster,vd=$1,o=hosting,dc=example,dc=tld" write by set.expand="user/vd & [$1]" write olcAccess: {1}to dn.regex=".+,vd=([^,]+),o=hosting,dc=example,dc=tld$" attrs=amavisBypassVirusChecks,quota,smtpAuth,accountActive by dn="cn=admin,dc=example,dc=tld" write by self read by dn.exact="cn=phamm,o=hosting,dc=example,dc=tld" read by set.expand="user/editAccounts & [TRUE]" write by dn.exact,expand="cn=postmaster,vd=$1,o=hosting,dc=example,dc=tld" read by set.expand="user/vd & [$1]" write olcAccess: {2}to dn.regex=".+,vd=([^,]+),o=hosting,dc=example,dc=tld$" attrs=cn,sn,uid,forwardActive,vacationActive,vacationInfo,vacationStart,vacationEnd,vacationForward,amavisSpamTagLevel,amavisSpamTag2Level,amavisSpamKillLevel by dn="cn=admin,dc=example,dc=tld" write by self write by dn.exact="cn=phamm,o=hosting,dc=example,dc=tld" read by dn.exact,expand="cn=postmaster,vd=$1,o=hosting,dc=example,dc=tld" write by set.expand="user/vd & [$1]" write olcAccess: {3}to dn.regex="^.*,vd=([^,]+),o=hosting,dc=example,dc=tld$" attrs=editAccounts by dn="cn=admin,dc=example,dc=tld" write by self read by set.expand="user/editAccounts & [TRUE]" write by dn.exact="cn=phamm,o=hosting,dc=example,dc=tld" read by * none olcAccess: {4}to dn.regex=".+,vd=([^,]+),o=hosting,dc=example,dc=tld$" attrs=objectClass,entry by dn="cn=admin,dc=example,dc=tld" write by self write by anonymous read by dn.exact="cn=phamm,o=hosting,dc=example,dc=tld" read by set.expand="user/editAccounts & [TRUE]" write by dn.exact,expand="cn=postmaster,vd=$1,o=hosting,dc=example,dc=tld" read olcAccess: {5}to dn.regex=".+,vd=([^,]+),o=hosting,dc=example,dc=tld$" attrs=amavisBypassSpamChecks,accountActive,delete by dn="cn=admin,dc=example,dc=tld" write by self read by dn.exact="cn=phamm,o=hosting,dc=example,dc=tld" read by dn.exact,expand="cn=postmaster,vd=$1,o=hosting,dc=example,dc=tld" write by set.expand="user/vd & [$1]" write olcAccess: {6}to dn.regex=".+,vd=([^,]+),o=hosting,dc=example,dc=tld$" attrs=otherPath by dn="cn=admin,dc=example,dc=tld" write by anonymous read by self read by dn.exact="cn=phamm,o=hosting,dc=example,dc=tld" read by dn.exact,expand="cn=postmaster,vd=$1,o=hosting,dc=example,dc=tld" read by set.expand="user/vd & [$1]" write olcAccess: {7}to dn.regex=".+,vd=([^,]+),o=hosting,dc=example,dc=tld$" attrs=createMaildir,vdHome,mailbox,otherTransport by dn="cn=admin,dc=example,dc=tld" write by self read by dn.exact="cn=phamm,o=hosting,dc=example,dc=tld" read by set.expand="user/vd & [$1]" read olcAccess: {8}to dn.regex="^(.+,)?vd=([^,]+),o=hosting,dc=example,dc=tld$" attrs=vd by dn="cn=admin,dc=example,dc=tld" write by self write by dn.exact="cn=phamm,o=hosting,dc=example,dc=tld" read by dn.exact,expand="cn=postmaster,vd=$2,o=hosting,dc=example,dc=tld" write by set.expand="user/vd & [$2]" write olcAccess: {9}to dn.regex="^(.+,)?vd=([^,]+),o=hosting,dc=example,dc=tld$" by dn="cn=admin,dc=example,dc=tld" write by self write by dn.exact="cn=phamm,o=hosting,dc=example,dc=tld" read by set.expand="user/editAccounts & [FALSE]" read by dn.exact,expand="cn=postmaster,vd=$2,o=hosting,dc=example,dc=tld" write by set.expand="user/vd & [$2]" write olcAccess: {10}to dn.regex=".+,o=hosting,dc=example,dc=tld$" by dn="cn=admin,dc=example,dc=tld" write by self write by dn.exact="cn=phamm,o=hosting,dc=example,dc=tld" read by anonymous auth olcAccess: {11}to dn.regex=".+,dc=tld$" by dn="cn=admin,dc=example,dc=tld" write by dn.exact="cn=phamm,o=hosting,dc=example,dc=tld" read by anonymous auth olcAccess: {12}to attrs=userPassword,shadowLastChange by dn="cn=admin,dc=example,dc=tld" write by anonymous auth by self write by * none olcAccess: {13}to dn.base="" by * read olcAccess: {14}to * by dn="cn=admin,dc=example,dc=tld" write by * read
Now we have openldap configured and we can go to the next step.