There is a new version of this tutorial available for Ubuntu 18.04 (Bionic Beaver).

Postfix Virtual Hosting With LDAP Backend And With Dovecot As IMAP/POP3 Server On Ubuntu Trusty Tahr 14.04 - Page 2

Step2: Install and configure openldap

Install openldap and ldap-utils:

apt install slapd ldap-utils

Reconfigure slapd to make sure it reflects your wanted setup

dpkg-reconfigure slapd

 You will have to answer some questions:

Omit OpenLDAP server configuration? ==> No
DNS domain name:  example.tld ==> put your domain name here
Organization name: example.tld ==> put your organization here
Administrator password: secret ==> put your password
Confirm password: secret
Database backend to use: HDB
Do you want the database to be removed when slapd is purged? Yes
Allow LDAPv2 protocol?  No
Move old database? Yes

Change into the /etc/ldap/schema directory:

cd /etc/ldap/schema

Copy the phamm.schema and perversia.net.schema from the phamm package to the schema directory:

cp /usr/src/phamm-0.6.2/schema/phamm.schema /etc/ldap/schema.
cp /usr/src/phamm-0.6.2/schema/contrib/perversia.net.schema /etc/ldap/schema.

Get some more schema's we need.

cd schema
wget http://open.rhx.it/phamm/schema/ISPEnv2.schema
wget http://open.rhx.it/phamm/schema/amavis.schema
wget http://open.rhx.it/phamm/schema/pureftpd.schema
cd ../

Now we need to convert the schema's to ldif format.

Create a file called convert and paste the text below in to it.

vi convert

Contents of convert:

include         /etc/ldap/schema/core.schema
include         /etc/ldap/schema/cosine.schema
include         /etc/ldap/schema/nis.schema
include         /etc/ldap/schema/inetorgperson.schema
include         /etc/ldap/schema/phamm.schema
include         /etc/ldap/schema/ISPEnv2.schema
include         /etc/ldap/schema/amavis.schema
include         /etc/ldap/schema/pureftpd.schema
include         /etc/ldap/schema/perversia.net.schema

Now we will convert the shema's:

mkdir ldif
slaptest -f convert -F ldif

Now we change in to the directory that contains the converted schemas:

cd ldif/cn\=config/cn\=schema

The directory should contain the following files:

cn={0}core.ldif    cn={3}inetorgperson.ldif  cn={6}amavis.ldif
cn={1}cosine.ldif  cn={4}phamm.ldif          cn={7}pureftpd.ldif
cn={2}nis.ldif     cn={5}ISPEnv2.ldif        cn={8}perversia.ldif

We will need to edit the phamm, amavis, pureftpd, ISPEnv2 and perversia schemas. For each you need to do the following (example for the phamm schema):

Change:

dn: cn={4}phamm objectClass: olcSchemaConfig cn: {4}phamm

to

dn: cn=phamm,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: phamm

And delete:

structuralObjectClass: olcSchemaConfig entryUUID: c27532b2-6a27-102e-88a5-e92372c94d84 creatorsName: cn=config createTimestamp: 20091120135300Z entryCSN: 20091120135300.238121Z#000000#000#000000 modifiersName: cn=config modifyTimestamp: 20091120135300Z

So for each of these do repectively and make the changes like above:

vi cn\=\{4\}phamm.ldif
vi cn\=\{5\}ISPEnv2.ldif
vi cn\=\{6\}amavis.ldif
vi cn\=\{7\}pureftpd.ldif
vi cn\=\{8\}perversia.ldif

Note: the enry phamm in the example is ISPEnv2, amavis, pureftpd and pervisia in the  other ldif's.

Now we copy the ldifs to the /etc/ldap/schema directory (this is not needed, but is handy whenever the ldif's are needed).

cp cn\=\{4\}phamm.ldif /etc/ldap/schema/phamm.ldif
cp cn\=\{5\}ISPEnv2.ldif /etc/ldap/schema/ISPEnv2.ldif
cp cn\=\{6\}amavis.ldif /etc/ldap/schema/amavis.ldif
cp cn\=\{7\}pureftpd.ldif /etc/ldap/schema/pureftpd.ldif
cp cn\=\{8\}perversia.ldif /etc/ldap/schema/perversia.ldif

We can now delete the ldif directory since we don't need it anymore and also to avoid any confusion and change back to the /etc/ldap/schema directory.

cd /etc/ldap/schema
rm -R ldif

Now we add the schemas to openldap.

ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/phamm.ldif 
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/ISPEnv2.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/amavis.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/pureftpd.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/perversia.ldif

Now we create the o=hosting, and phamm account.

Modify the text below to your needs and wants and generate a password for the phamm account. The hash currently in this file sets the password to readonly

To create the hash for the phamm account  issue the following command:

slappasswd -h {MD5}

Type the wanted pasword twice and copy the result in to the text below.

Create the base.ldif:

vi base.ldif

Content of base.ldif.

dn: o=hosting,dc=example,dc=tld

objectClass: organization

objectClass: top

o: hosting description: Hosting Organization

# Read only account

dn: cn=phamm,o=hosting,dc=example,dc=tld

objectClass: simpleSecurityObject

objectClass: organizationalRole

cn: phamm

userPassword: {MD5}M267sheb6qc0Ck8WIPOvQA==

description: Read only account

Load the base dn into the database with the following command:

ldapmodify -a -D cn=admin,dc=example,dc=tld -W -f base.ldif

Now we need to modify the acl's so that the correct access is given to each user type.

Note: the way we are going to modify the acl's is not the official Openldap way but it worked for me. When I get it working the official way I will update this guide.

cd /etc/ldap/slapd.d/cn\=config

Next we will edit  olcDatabase={1}hdb.ldif to replace the current acl's with the new ones.

First backup the olcDatabase={1}hdb.ldif so that you have a copy if anything goes wrong.

cp olcDatabase={1}hdb.ldif olcDatabase={1}hdb.ldif.bck 

Delete the following lines:

olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous auth by dn="cn=admin,dc=iredmail,dc=org" write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by self write by  dn="cn=admin,dc=example,dc=tld" write by * read

With:

olcAccess: {0}to dn.regex=".+,vd=([^,]+),o=hosting,dc=example,dc=tld$" attrs=userPassword by dn="cn=admin,dc=example,dc=tld" write by self write by anonymous auth by dn.exact,expand="cn=postmaster,vd=$1,o=hosting,dc=example,dc=tld" write by set.expand="user/vd & [$1]" write
olcAccess: {1}to dn.regex=".+,vd=([^,]+),o=hosting,dc=example,dc=tld$" attrs=amavisBypassVirusChecks,quota,smtpAuth,accountActive by dn="cn=admin,dc=example,dc=tld" write by self read by dn.exact="cn=phamm,o=hosting,dc=example,dc=tld" read by set.expand="user/editAccounts & [TRUE]" write by dn.exact,expand="cn=postmaster,vd=$1,o=hosting,dc=example,dc=tld" read by set.expand="user/vd & [$1]" write
olcAccess: {2}to dn.regex=".+,vd=([^,]+),o=hosting,dc=example,dc=tld$" attrs=cn,sn,uid,forwardActive,vacationActive,vacationInfo,vacationStart,vacationEnd,vacationForward,amavisSpamTagLevel,amavisSpamTag2Level,amavisSpamKillLevel by dn="cn=admin,dc=example,dc=tld" write by self write by dn.exact="cn=phamm,o=hosting,dc=example,dc=tld" read by dn.exact,expand="cn=postmaster,vd=$1,o=hosting,dc=example,dc=tld" write by set.expand="user/vd & [$1]" write
olcAccess: {3}to dn.regex="^.*,vd=([^,]+),o=hosting,dc=example,dc=tld$" attrs=editAccounts by dn="cn=admin,dc=example,dc=tld" write by self read by set.expand="user/editAccounts & [TRUE]" write by dn.exact="cn=phamm,o=hosting,dc=example,dc=tld" read by * none
olcAccess: {4}to dn.regex=".+,vd=([^,]+),o=hosting,dc=example,dc=tld$" attrs=objectClass,entry by dn="cn=admin,dc=example,dc=tld" write by self write by anonymous read by dn.exact="cn=phamm,o=hosting,dc=example,dc=tld" read by set.expand="user/editAccounts & [TRUE]" write by dn.exact,expand="cn=postmaster,vd=$1,o=hosting,dc=example,dc=tld" read
olcAccess: {5}to dn.regex=".+,vd=([^,]+),o=hosting,dc=example,dc=tld$" attrs=amavisBypassSpamChecks,accountActive,delete by dn="cn=admin,dc=example,dc=tld" write by self read by dn.exact="cn=phamm,o=hosting,dc=example,dc=tld" read by dn.exact,expand="cn=postmaster,vd=$1,o=hosting,dc=example,dc=tld" write by set.expand="user/vd & [$1]" write
olcAccess: {6}to dn.regex=".+,vd=([^,]+),o=hosting,dc=example,dc=tld$" attrs=otherPath by dn="cn=admin,dc=example,dc=tld" write by anonymous read by self read by dn.exact="cn=phamm,o=hosting,dc=example,dc=tld" read by dn.exact,expand="cn=postmaster,vd=$1,o=hosting,dc=example,dc=tld" read by set.expand="user/vd & [$1]" write
olcAccess: {7}to dn.regex=".+,vd=([^,]+),o=hosting,dc=example,dc=tld$" attrs=createMaildir,vdHome,mailbox,otherTransport by dn="cn=admin,dc=example,dc=tld" write by self read by dn.exact="cn=phamm,o=hosting,dc=example,dc=tld" read by set.expand="user/vd & [$1]" read
olcAccess: {8}to dn.regex="^(.+,)?vd=([^,]+),o=hosting,dc=example,dc=tld$" attrs=vd by dn="cn=admin,dc=example,dc=tld" write by self write by dn.exact="cn=phamm,o=hosting,dc=example,dc=tld" read by dn.exact,expand="cn=postmaster,vd=$2,o=hosting,dc=example,dc=tld" write by set.expand="user/vd & [$2]" write
olcAccess: {9}to dn.regex="^(.+,)?vd=([^,]+),o=hosting,dc=example,dc=tld$" by dn="cn=admin,dc=example,dc=tld" write by self write by dn.exact="cn=phamm,o=hosting,dc=example,dc=tld" read by set.expand="user/editAccounts & [FALSE]" read by dn.exact,expand="cn=postmaster,vd=$2,o=hosting,dc=example,dc=tld" write by set.expand="user/vd & [$2]" write
olcAccess: {10}to dn.regex=".+,o=hosting,dc=example,dc=tld$" by dn="cn=admin,dc=example,dc=tld" write by self write by dn.exact="cn=phamm,o=hosting,dc=example,dc=tld" read by anonymous auth
olcAccess: {11}to dn.regex=".+,dc=tld$" by dn="cn=admin,dc=example,dc=tld" write by dn.exact="cn=phamm,o=hosting,dc=example,dc=tld" read by anonymous auth
olcAccess: {12}to attrs=userPassword,shadowLastChange by dn="cn=admin,dc=example,dc=tld" write by anonymous auth by self write by * none
olcAccess: {13}to dn.base="" by * read
olcAccess: {14}to * by dn="cn=admin,dc=example,dc=tld" write by * read

Now we have openldap configured and we can go to the next step.

Share this page:

0 Comment(s)