Mapping users/groups from OpenLDAP or Generic LDAP server

User and Group mapping from the OpenLDAP server

This article describes how to set up basic OpenLDAP integration with Kerio MailServer. Please note that this is not directly supported by Technical Support and you use this feature at your own risk! Consider whether this scenario is really required; for less experienced users we recommend a supported solution such as Active Directory or Open Directory integration.

What should you know before you start reading this article

This article is also written for less experienced users; however, the reader should know the following:

  • How to edit files under Linux, for example using vi.
  • Basic knowledge of Linux systems, for example how to install packages.
  • An idea of the directory structure you want to implement.
  • This solution describes the mapping of users and groups into Kerio MailServer.
  • This example uses a non-secured (unencrypted) LDAP bind.
  • The authentication mechanism used in this scenario sends plain-text passwords over the network, so it is recommended to have both the OpenLDAP server and Kerio MailServer on the same machine.
  • The example is for SuSE Linux 10.0, but it would work for other distributions as well.


System requirements

  • A supported Linux distribution; in this example it is SuSE Linux 10.0.
  • The following packages are required in addition:
    • openldap2 - the OpenLDAP server package
    • nss-ldap - optional module for user lookup in OpenLDAP, required by some authentication mechanisms
    • pam_ldap - optional module required by PAM for user authentication against LDAP
  • A Kerio MailServer installation; it is recommended to install it on the same machine as the OpenLDAP server for the security reasons described later in the Authentication section.
  • The example files referenced throughout this article (user.ldif, group.ldif, kerio_user.ldif, kerio_group.ldif) may be useful during the basic setup and getting the solution to work. If you already have OpenLDAP installed and configured you will not need them, or you can create new ones from scratch if necessary.

OpenLDAP server installation and configuration

If you have not installed the OpenLDAP server yet, install it. You can do it easily using the YaST configuration interface.

Also install Kerio MailServer, either on a local machine or on the same machine as the OpenLDAP server. If you install Kerio MailServer on the same machine as the OpenLDAP server, you need to change the port number of the built-in LDAP server in Kerio MailServer. Otherwise a port conflict occurs and one of the LDAP servers may not start properly.

After the OpenLDAP server is installed a default configuration is created. It is used in this example, but you can modify it according to your needs. The configuration is stored in the file /etc/openldap/slapd.conf, and there are a few options you will need to configure. In this example we assume that your domain is "my-domain.com" and illustrate the configuration accordingly.

database        dbm
suffix          "dc=my-domain,dc=com"
rootdn          "cn=Manager,dc=my-domain,dc=com"
rootpw          secret
directory       /var/lib/ldap
index   objectClass,uid,uidNumber,gidNumber,memberUid   eq
index   cn,mail,surname,givenname                       eq,subinitial

Your configuration file should contain lines like the example above. The file contains more options, but only these are important in this part of the configuration. The following table describes the meaning of each option:

slapd.conf option   Meaning
database            Database (backend) type
suffix              The base distinguished name of the LDAP directory
rootdn              DN of the built-in directory manager; it is not displayed in the directory structure
rootpw              Password of the built-in directory manager; it is not displayed in the directory structure
directory           The directory where the LDAP database is stored
index               Which attributes are indexed, and how

The manager's password is stored in clear text by default. It can be replaced with a hashed password if needed: put the value printed by slappasswd in place of the plain-text rootpw value. The hash is obtained with the following command:

/root/ldapconf # slappasswd
New password:
Re-enter new password:
{SSHA}e4YJDouLxNrSgL/D3m7ZG49EriuICmP8

or using a different hash algorithm if required:

/root/ldapconf # slappasswd -h {MD5}
New password:
Re-enter new password:
{MD5}c4gYerDyeue6NSgL/D3m7ghGsh9rhtu==
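The {SSHA} value printed by slappasswd is base64(SHA-1(password + salt) + salt). The following Python is an added example, not part of this article or of OpenLDAP: it re-implements that format so you can see why two hashes of the same password differ, verify a stored value against a password, and spot a rootpw that is still in clear text. The function names are my own.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

PREFIX = "{SSHA}"
SHA1_LEN = 20  # bytes; whatever follows the digest in the decoded blob is the salt


def make_ssha(password: str, salt: Optional[bytes] = None) -> str:
    """Build an {SSHA} value the way slappasswd does: base64(SHA-1(password + salt) + salt).
    A fresh 4-byte salt (slappasswd's default length) is drawn when none is given."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return PREFIX + base64.b64encode(digest + salt).decode("ascii")


def split_ssha(stored: str) -> Tuple[bytes, bytes]:
    """Decode a stored {SSHA} value into (digest, salt); raises on malformed input."""
    if not stored.startswith(PREFIX):
        raise ValueError("not an {SSHA} value")
    blob = base64.b64decode(stored[len(PREFIX):])
    if len(blob) <= SHA1_LEN:
        raise ValueError("decoded value too short to hold a digest and a salt")
    return blob[:SHA1_LEN], blob[SHA1_LEN:]


def check_ssha(stored: str, candidate: str) -> bool:
    """Verify a candidate password against a stored {SSHA} value, reusing its salt."""
    digest, salt = split_ssha(stored)
    expected = hashlib.sha1(candidate.encode("utf-8") + salt).digest()
    return hmac.compare_digest(digest, expected)  # constant-time comparison


def is_plaintext_rootpw(value: str) -> bool:
    """True when a slapd.conf rootpw value has no {SCHEME} prefix, i.e. it is stored in clear."""
    return not (value.startswith("{") and "}" in value[1:])
```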

Before continuing, start the OpenLDAP server to check that everything is configured properly:

/etc/init.d/ldap start

It is also possible to adjust access control lists (ACLs) in the slapd.conf file. This is not necessary by default and we will not do it in this example. The OpenLDAP server is now running; we can check that it works properly by performing a simple query:

linux:/etc/openldap # ldapsearch -x -b '' -s base '(objectClass=*)' namingContexts
# extended LDIF
#
# LDAPv3
# base <> with scope base
# filter: (objectClass=*)
# requesting: namingContexts
#

#
dn:
namingContexts: dc=my-domain,dc=com

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
linux:/etc/openldap #

If you see similar output, your OpenLDAP server is running properly. If you want the OpenLDAP server to start automatically during system startup, execute the following command:

linux:/etc/openldap # chkconfig ldap on     

Adding new user/group to OpenLDAP server

In this step we describe how to add new users or create new groups in the OpenLDAP server. This is still plain OpenLDAP configuration, but you should be familiar with it before continuing. This example uses only a simple user objectClass, which may vary across LDAP implementations. If you already have users and groups defined, proceed to the next step.

Objects can be easily imported into the OpenLDAP directory using a simple LDIF file. An LDIF file is a text file in a special format containing data to import, modify or remove. This article does not describe the structure of the file, but you can use the example files provided in this article. To import a test user account, download the user.ldif file and execute the following command:

linux:/etc/openldap # ldapadd -f user.ldif -h 127.0.0.1 -D "cn=Manager,dc=my-domain,dc=com" -x -W
Enter LDAP Password:
adding new entry "uid=test_user,dc=my-domain,dc=com"
linux:/etc/openldap #

The password is requested interactively (-W option), but you can also pass it with the -w [password] parameter. This is the LDAP administrator's password set as rootpw in the slapd.conf file. The -f [filename] parameter specifies the LDIF file to import and -h [IPaddress/hostname] specifies the IP address or hostname of the LDAP server.

Example user.ldif file:

dn: uid=test_user,dc=my-domain,dc=com
uid: test_user
sn: User
cn: Test User
objectClass: person
objectClass: organizationalPerson
objectClass: posixAccount
objectClass: top
loginShell: /bin/bash
homeDirectory: /home/testuser
uidNumber: 1001
gidNumber: 1001

Almost the same applies to groups, but the format is slightly different. See the example LDIF file named group.ldif for details. To add a group to your OpenLDAP server, download the group.ldif file and execute the following command:

linux:/etc/openldap # ldapadd -f group.ldif -h 127.0.0.1 -D "cn=Manager,dc=my-domain,dc=com" -x -W
Enter LDAP Password:
adding new entry "cn=Group1,dc=my-domain,dc=com"
linux:/etc/openldap #

Example group.ldif file:

dn: cn=Group1,dc=my-domain,dc=com
cn: Group1
objectClass: top
objectClass: groupOfNames
objectClass: posixGroup
member: uid=test_user,dc=my-domain,dc=com
gidNumber: 100
memberUid: test_user

The group.ldif file contains two independent group definitions (objectClasses): the groupOfNames class and the posixGroup class. It is not necessary to use both of them, but both are used in this example; choose the one that fits your needs. Depending on the chosen class, specify the users with the member attribute (groupOfNames objectClass) or with the memberUid attribute (posixGroup objectClass).


Kerio MailServer configuration - directory mapping

Once the OpenLDAP server is configured and the new user and group are created, we can try to bind them to Kerio MailServer. It is good to have a test user and group before applying the next steps to your real user accounts. It is also recommended to make a backup copy of the OpenLDAP server configuration and its database.

  • Create a new email domain in Kerio MailServer. In the Directory Services tab choose the Open Directory service. This service is closest to the OpenLDAP definition and is used as the reference. Fill in the necessary information in all dialogs according to the example below. Finally, test the connection to verify that everything is right and you can reach the OpenLDAP server.

  • Extend the OpenLDAP schema with the Kerio MailServer properties. This does not affect any existing user, but it makes it possible to add additional attributes to each user/group definition. These attributes are used only by Kerio MailServer to store its specific settings. If you already have your own attributes, it is possible to use them instead of the Kerio ones; this is described later.

    • To extend the OpenLDAP schema, download the schema extension file appropriate for your version of Kerio MailServer from our download section, category Others. Move the schema extension file to the /etc/openldap/schema/ directory.
    • Edit the /etc/openldap/slapd.conf file (using the vi editor, for example) and add a new line to the include section of the config file:

      include         /etc/openldap/schema/kerio-mailserver.schema  

  • Restart the OpenLDAP server by executing the following command:

    /etc/init.d/ldap restart    
  • We used the Apple Open Directory mapping as the reference configuration, but there are differences between the OpenLDAP and Open Directory implementations. Because of these differences we need to adjust Kerio MailServer's configuration file mailserver.cfg.

    • Stop the Kerio MailServer service.
    • Open the mailserver.cfg file located in the installation directory of Kerio MailServer.
    • Locate your domain definition in the following section of the configuration file:

      <list name="Ldap">
    • According to the example below for the test domain example.com, change the UserBaseDn and GroupBaseDn search paths to the appropriate search path in your OpenLDAP implementation. In this example it is "dc=my-domain,dc=com", the default after the OpenLDAP installation. It can differ if you have containers for user accounts, or of course if you use a different domain name.

      <listitem>
        <variable name="Domain">example.com</variable>
        <variable name="ServerName">127.0.0.1</variable>
        <variable name="ServerPort">389</variable>
        <variable name="BindDn">cn=Manager,dc=my-domain,dc=com</variable>
        <variable name="BindPassword">DE3:716f95b639c...15</variable>
        <variable name="MapFile">apple.map</variable>
        <variable name="Filter"></variable>
        <variable name="UserBaseDn">dc=my-domain,dc=com</variable>
        <variable name="GroupBaseDn">dc=my-domain,dc=com</variable>
        <variable name="Description"></variable>
        <variable name="Enabled">1</variable>
        <variable name="PrimaryRefreshInt">30</variable>
        <variable name="LdapNetworkTimeout">10</variable>
        <variable name="SecureConnection">0</variable>
      </listitem>
  • Start the Kerio MailServer engine.
  • You should not see any error message when you access Users or Groups in the Domain Settings tree. You will not see any users yet, because the users do not have any Kerio MailServer properties yet. However, this test proves that the LDAP connection works and that the Kerio MailServer extensions were installed properly. If you receive an error message saying the Directory Extensions were not installed properly, check the steps above: verify that you specified the correct search path and that the include was accepted by the OpenLDAP server.

Extending user definitions in OpenLDAP for the Kerio MailServer properties

At this point we have a properly configured OpenLDAP server and Kerio MailServer correctly configured to connect to the OpenLDAP directory.

But we still do not map any users from the directory, because no user in your OpenLDAP directory is enabled for Kerio MailServer yet. Each user that should have a Kerio MailServer account has to be extended with the Kerio MailServer properties. Follow these steps to extend the user's attributes and configure the correct user mapping so that a Kerio MailServer account is created for the user:

  • The OpenLDAP user has to be extended with the Kerio MailServer attributes. These can be divided into two groups: the necessary attributes (concretely one objectClass definition) and the optional attributes. You can modify the existing user.ldif file according to your needs, or use the example kerio_user.ldif file as a reference. The modifications are applied by executing the following command on your OpenLDAP server:

    linux:/etc/openldap # ldapmodify -f kerio_user.ldif -h 127.0.0.1 -x -D "cn=Manager,dc=my-domain,dc=com" -W
    Enter LDAP Password:
    modifying entry "uid=test_user,dc=my-domain,dc=com"
    linux:/etc/openldap #

    Example kerio_user.ldif file:

    dn: uid=test_user,dc=my-domain,dc=com
    uid: test_user
    sn: User
    cn: Test User
    objectClass: person
    objectClass: organizationalPerson
    objectClass: posixAccount
    objectClass: top
    objectClass: kerio-Mail-User
    loginShell: /bin/bash
    homeDirectory: /home/testuser
    uidNumber: 1001
    gidNumber: 1001
    • MUST contain

      Necessary attributes/objectClasses

      objectClass: kerio-Mail-User
          Extends the user's attribute set with the Kerio MailServer attributes. It allows optional attributes such as the message quota to be added. It does not activate the account; the account has to be activated with the optional kerio-Mail-Active attribute.
    • OPTIONAL attributes

      Optional Kerio MailServer attributes

      kerio-Mail-Active
          Activates the Kerio MailServer account: 0 - not active, 1 - active.
      kerio-Mail-AccountEnabled
          Enables or disables the account.
      kerio-Mail-AdminRights
          Admin rights.
      kerio-Mail-Authorization
          The authorization properties.
      kerio-Mail-Address
          User's email address.
      kerio-Mail-ForwardMode
          Forward mode.
      kerio-Mail-ForwardAddress
          Address to which email is forwarded when forward mode is enabled.
      kerio-Mail-QuotaStorage
          The user's storage quota.
      kerio-Mail-QuotaMessage
          The maximum number of messages in the user's quota.
      kerio-Mail-MaxOutgoingMessageSize
          Maximum outgoing message size.
      kerio-Mail-WebReplyToAddress
          Reply-to address used in the webmail interface.

    • Examples:

      Example attribute sets

      objectClass: kerio-Mail-User
          The user can have a Kerio MailServer account.
      kerio-Mail-Active: 1
          The account is activated (can receive emails).
  • It should now be possible to activate (Add) the new user from the Kerio MailServer Administration console. The activated user cannot be used yet, because there is no user-group mapping and no authentication method is specified. To create a Kerio MailServer group in OpenLDAP and to create the user-group mapping, read the next chapter.

Extending group definitions in OpenLDAP for the Kerio MailServer properties

OpenLDAP uses a different way of mapping users into groups. Other directory services usually use a bidirectional mapping, where each group definition contains the users that belong to the group and, vice versa, each user contains the information about which groups it belongs to. This is the case in Active Directory and Open Directory.

OpenLDAP uses only a one-way mapping, where the group lists its members but the user definition carries no information about the groups the user belongs to. Because of this limitation such a mapping has to be created manually. The group integration can therefore be divided into two parts: extending the schema with a custom groupMemberShip attribute, and mapping the OpenLDAP group to Kerio MailServer. Follow these steps to extend the schema with the custom groupMemberShip attribute:

  • Open the OpenLDAP schema file defining the user definition, /etc/openldap/schema/rfc2307bis.schema in our example. You can modify any schema used for the user definition if you use a different OpenLDAP setup. If you already have such a mapping, skip extending the schema with the groupMemberShip attribute and proceed to the part describing the group mapping to Kerio MailServer.
  • Locate the last attribute definition in this file:

    attributetype ( 1.3.6.1.1.1.1.33 NAME 'automountInformation'
        DESC 'Automount information'
        EQUALITY caseExactIA5Match
        SUBSTR caseExactIA5SubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )

    objectclass ( 1.3.6.1.1.1.2.0 NAME 'posixAccount' SUP top AUXILIARY
        DESC 'Abstraction of an account with POSIX attributes'
        MUST ( cn $ uid $ uidNumber $ gidNumber $ homeDirectory )
        MAY ( userPassword $ loginShell $ gecos $ description ) )
  • Once you have found the last attribute definition, change the file according to the following example (the new attributetype is added after it, and the attribute is added to the MAY list of posixAccount):

    attributetype ( 1.3.6.1.1.1.1.33 NAME 'automountInformation'
        DESC 'Automount information'
        EQUALITY caseExactIA5Match
        SUBSTR caseExactIA5SubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )

    attributetype ( 1.3.6.1.1.1.1.34 NAME 'groupMemberShip'
        EQUALITY caseExactIA5Match
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

    objectclass ( 1.3.6.1.1.1.2.0 NAME 'posixAccount' SUP top AUXILIARY
        DESC 'Abstraction of an account with POSIX attributes'
        MUST ( cn $ uid $ uidNumber $ gidNumber $ homeDirectory )
        MAY ( userPassword $ loginShell $ gecos $ groupMemberShip $
              description ) )

    Check the numbering order. To keep the correct order, copy the OID of the last attribute and increase its last number by 1, as shown in the example. The OID has to be unique within the file. Note that the new attribute is also added to the MAY list of the posixAccount objectclass; without that, user entries would not be allowed to carry it.

  • Restart the OpenLDAP server to apply changes.

We have extended the user definition with a new attribute describing the groups the user belongs to, which is native to most LDAP implementations including Kerio MailServer's own. Now we need to map our OpenLDAP group to Kerio MailServer, and then we will add our test user to this new group.

The OpenLDAP group has to be extended with the Kerio MailServer attributes in the same way as the OpenLDAP user. The attributes can be divided into two groups: the necessary attributes (concretely one objectClass definition) and the optional attributes. You can modify the existing group.ldif file according to your needs, or use the example kerio_group.ldif file as a reference. The modifications are applied by executing the following command on your OpenLDAP server:

linux:/etc/openldap # ldapmodify -f kerio_group.ldif -h 127.0.0.1 -x -D "cn=Manager,dc=my-domain,dc=com" -W
Enter LDAP Password:
modifying entry "cn=Group1,dc=my-domain,dc=com"
linux:/etc/openldap #

Example kerio_group.ldif file:

dn: cn=Group1,dc=my-domain,dc=com
cn: Group1
objectClass: top
objectClass: groupOfNames
objectClass: posixGroup
objectClass: kerio-Mail-Group
member: uid=test_user,dc=my-domain,dc=com
gidNumber: 100
memberUid: test_user
  • MUST contain

    Necessary attributes/objectClasses

    objectClass: kerio-Mail-Group
        Extends the group's attribute set with the Kerio MailServer attributes. It allows the optional attributes below to be added. It does not activate the group; the group has to be activated with the optional kerio-Mail-Active attribute.
  • OPTIONAL attributes

    Optional Kerio MailServer attributes

    kerio-Mail-Active
        Activates the Kerio MailServer group account: 0 - not active, 1 - active.
    kerio-Mail-AdminRights
        Admin rights.
    kerio-Mail-Authorization
        The authorization properties.
    kerio-Mail-Address
        Group's email address.

  • Examples:

    Example attribute sets

    objectClass: kerio-Mail-Group
        The group can have a Kerio MailServer group account.
    kerio-Mail-Active: 1
        The group account is activated (can receive emails).
  • At this point we have created a Kerio MailServer group in the OpenLDAP server, so we can adjust the map file to map the OpenLDAP group definition to Kerio MailServer.
  • To create the appropriate mapping, follow these steps:

    • We used the Apple Open Directory server mapping as the reference configuration, so we need to adjust the apple.map file used for this mapping. The file is located in the ldapmap folder of the installation directory (../installation_directory/ldapmap). Locate the file and open it in a text editor.
    • Locate the Group definition section at the bottom of the file. This is the example from the original apple.map file:

      <map table="Group">
        <filter>objectclass=apple-group</filter>
        <active-attribute>kerio-Mail-Active</active-attribute>
        <variable>
          <name>Name</name>
          <value><attribute>cn</attribute></value>
        </variable>
        <variable>
          <name>MailAddress</name>
          <value><attribute>kerio-Mail-Address</attribute></value>
        </variable>
        <variable>
          <name>Rights</name>
          <value><attribute>kerio-Mail-AdminRights</attribute></value>
        </variable>
        <variable>
          <name>Authorization</name>
          <value><attribute>kerio-Mail-Authorization</attribute></value>
        </variable>
        <variable>
          <name>Description</name>
          <value><attribute>apple-group-realname</attribute></value>
        </variable>
      </map>
      </mapfile>
    • Change the group map according to your group definition in OpenLDAP. We used three objectClass definitions in our OpenLDAP group: groupOfNames, posixGroup and kerio-Mail-Group. Choose one of them and use it as the filter, so that only OpenLDAP entries with the specified objectClass are searched as Kerio MailServer groups. All other attributes are optional and may stay unchanged, except the last one, which uses an Apple attribute: change it to an attribute describing your OpenLDAP group (in this example the description attribute).

    • Example of the group definition:

      <map table="Group">
        <filter>objectclass=groupOfNames</filter>
        <active-attribute>kerio-Mail-Active</active-attribute>
        <variable>
          <name>Name</name>
          <value><attribute>cn</attribute></value>
        </variable>
        <variable>
          <name>MailAddress</name>
          <value><attribute>kerio-Mail-Address</attribute></value>
        </variable>
        <variable>
          <name>Rights</name>
          <value><attribute>kerio-Mail-AdminRights</attribute></value>
        </variable>
        <variable>
          <name>Authorization</name>
          <value><attribute>kerio-Mail-Authorization</attribute></value>
        </variable>
        <variable>
          <name>Description</name>
          <value><attribute>description</attribute></value>
        </variable>
      </map>
    • Restart the Kerio MailServer engine to apply the changes.

You should now be able to see the OpenLDAP group in Kerio MailServer's Administration console. The next chapter describes how to add users to groups.

Adding users to groups

If you have successfully completed all the previous configuration steps, you can see the users from your OpenLDAP database in the Kerio MailServer Administration console, and the groups defined in your OpenLDAP server as well. This part describes how to add a user to a group using the OpenLDAP directory.

As described in the group mapping section, OpenLDAP uses a one-way mapping of users. Because of this we have created a new special attribute named groupMemberShip, which Kerio MailServer uses to locate the groups a user belongs to. Adding a user to a group therefore means adding this attribute to the user definition in the OpenLDAP server.

See the following example of how to add our test_user to our Group1; it means extending the user definition with the groupMemberShip attribute.

  • Edit the kerio_user.ldif file, or your custom user definition file.
  • Add the groupMemberShip attribute to the definition file as shown in the following example:

    dn: uid=test_user,dc=my-domain,dc=com
    uid: test_user
    sn: User
    cn: Test User
    objectClass: person
    objectClass: organizationalPerson
    objectClass: posixAccount
    objectClass: top
    objectClass: kerio-Mail-User
    loginShell: /bin/bash
    homeDirectory: /home/testuser
    uidNumber: 1001
    gidNumber: 1001
    groupMemberShip: Group1
  • Now the user belongs to the group named Group1.
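Because the groupMemberShip attribute on the user and the member/memberUid attributes on the group are maintained by hand, the two sides can drift apart without any error from OpenLDAP. The following Python is an added example, not part of this article: it parses a constructed LDIF in the shape of the kerio_user.ldif and kerio_group.ldif files above and reports users and groups whose membership does not agree, plus users activated with kerio-Mail-Active that lack the kerio-Mail-User objectClass. The function names are my own; run it over an LDIF export of your own directory before importing changes.

```python
from typing import Dict, List

# Constructed sample in the shape of the article's kerio_user.ldif / kerio_group.ldif
# files (not its own). other_user claims Group1 without being listed there, and Group2,
# which does not exist; both should be reported.
SAMPLE_LDIF = """\
dn: uid=test_user,dc=my-domain,dc=com
uid: test_user
objectClass: kerio-Mail-User
kerio-Mail-Active: 1
groupMemberShip: Group1

dn: uid=other_user,dc=my-domain,dc=com
uid: other_user
objectClass: kerio-Mail-User
kerio-Mail-Active: 1
groupMemberShip: Group1
groupMemberShip: Group2

dn: cn=Group1,dc=my-domain,dc=com
cn: Group1
objectClass: groupOfNames
objectClass: posixGroup
objectClass: kerio-Mail-Group
member: uid=test_user,dc=my-domain,dc=com
memberUid: test_user
"""

Entry = Dict[str, List[str]]


def parse_ldif(text: str) -> List[Entry]:
    """Minimal LDIF reader: blank-line separated entries, 'attr: value' lines, '#'
    comments and leading-space continuations. Attribute names are lower-cased."""
    entries: List[Entry] = []
    current: Entry = {}
    last = None
    for raw in text.splitlines() + [""]:
        if raw.startswith("#"):
            continue
        if raw == "":
            if current:
                entries.append(current)
            current, last = {}, None
        elif raw.startswith(" ") and last is not None:
            current[last][-1] += raw[1:]  # folded continuation line
        else:
            attr, _, value = raw.partition(":")
            last = attr.strip().lower()
            current.setdefault(last, []).append(value.strip())
    return entries


def classes(entry: Entry) -> List[str]:
    return [c.lower() for c in entry.get("objectclass", [])]


def check_membership(entries: List[Entry]) -> List[str]:
    """Cross-check groupMemberShip (user side) against member / memberUid (group side)."""
    groups = {e["cn"][0]: e for e in entries if {"groupofnames", "posixgroup"} & set(classes(e))}
    by_dn = {e["dn"][0]: e for e in entries}
    by_uid = {e["uid"][0]: e for e in entries if "uid" in e}
    problems: List[str] = []
    for user in by_uid.values():
        dn, uid = user["dn"][0], user["uid"][0]
        active = user.get("kerio-mail-active", ["0"])[0] == "1"
        if active and "kerio-mail-user" not in classes(user):
            problems.append(f"{dn}: kerio-Mail-Active is 1 but objectClass kerio-Mail-User is missing")
        for name in user.get("groupmembership", []):
            grp = groups.get(name)
            if grp is None:
                problems.append(f"{dn}: groupMemberShip names unknown group {name}")
            elif dn not in grp.get("member", []) and uid not in grp.get("memberuid", []):
                problems.append(f"{dn}: groupMemberShip {name} but the group does not list the user")
    # Reverse direction: every member listed by a group must carry groupMemberShip.
    for name, grp in groups.items():
        dns = set(grp.get("member", [])) | {by_uid[u]["dn"][0] for u in grp.get("memberuid", []) if u in by_uid}
        for member_dn in sorted(dns):
            user = by_dn.get(member_dn)
            if user is None:
                problems.append(f"cn={name}: member {member_dn} does not exist in the LDIF")
            elif name not in user.get("groupmembership", []):
                problems.append(f"cn={name}: member {member_dn} lacks groupMemberShip: {name}")
    return problems
```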

Authentication

We have set up the OpenLDAP account and the OpenLDAP group and performed the correct mapping, but the user still cannot authenticate. This is because of the incorrect authentication type used for the user. The authentication type is set in the apple.map file; the default value is Kerberos authentication in Apple Open Directory.

  • The authentication type is set in the map file (apple.map) and is set to 4 by default. The possible authentication methods are:

    • 0 - Internal database authentication.
    • 1 - NT domain authentication.
    • 2 - Linux PAM authentication.
    • 3 - Kerberos authentication. Requires a Kerberos server.
    • 4 - Apple Password Server authentication.
    • 5 - Authentication against the LDAP server. This is used in this example.

    All methods are well described elsewhere and this article does not deal with authentication in general. However, we describe one authentication method which is not common and which is close to the OpenLDAP server. This method (5 - authentication against the LDAP server) is a simple one: it tries to authenticate the user against the LDAP server with the supplied password, and if that succeeds the user is also authenticated to Kerio MailServer.

  • This method sends passwords in plain text to the LDAP server, so it is not secure to send them over the network. Hence it is highly recommended to have Kerio MailServer on the same machine as your OpenLDAP server. The second disadvantage of this solution is that the user cannot change his password. We recommend using a different authentication method if possible, since it is more secure and also supports password changes by users.

    If it is necessary to use this authentication type, follow these instructions to enable it.

  • Stop the Kerio MailServer engine.
  • Modify the apple.map file according to the following example:

    <variable>
      <name>Auth_type</name>
      <value>5</value>
    </variable>
  • Modify or add the additional map attribute (in the user definition section of the apple.map file) according to the following example:

    <variable>
      <name>LdapDN</name>
      <value><dn /></value>
    </variable>
  • Start the Kerio MailServer engine. Now you should be able to authenticate against the OpenLDAP server.
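Because Auth_type 5 with SecureConnection set to 0 carries the user's password in clear to the LDAP server, it is worth checking the configuration before enabling it. The following Python is an added example, not part of this article or of Kerio MailServer: it reads constructed fragments in the shape of the mailserver.cfg <list name="Ldap"> section and the apple.map Auth_type variable shown above, and flags any domain whose LDAP server is not on the local machine while the connection is unencrypted. The function names and sample values are my own.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

# Constructed fragments in the shape of the mailserver.cfg <list name="Ldap"> section
# and the apple.map Auth_type variable from the article (not the real files). The
# second domain points at a remote LDAP server over a plain connection and should be
# flagged; the third is remote too but uses SecureConnection=1 and should not.
MAILSERVER_CFG = """<config>
  <list name="Ldap">
    <listitem>
      <variable name="Domain">example.com</variable>
      <variable name="ServerName">127.0.0.1</variable>
      <variable name="ServerPort">389</variable>
      <variable name="MapFile">apple.map</variable>
      <variable name="Filter"></variable>
      <variable name="SecureConnection">0</variable>
    </listitem>
    <listitem>
      <variable name="Domain">branch.example.com</variable>
      <variable name="ServerName">10.0.0.5</variable>
      <variable name="ServerPort">389</variable>
      <variable name="MapFile">apple.map</variable>
      <variable name="SecureConnection">0</variable>
    </listitem>
    <listitem>
      <variable name="Domain">secure.example.com</variable>
      <variable name="ServerName">10.0.0.6</variable>
      <variable name="ServerPort">636</variable>
      <variable name="MapFile">apple.map</variable>
      <variable name="SecureConnection">1</variable>
    </listitem>
  </list>
</config>"""

APPLE_MAP = """<mapfile>
  <map table="User">
    <variable><name>Auth_type</name><value>5</value></variable>
    <variable><name>LdapDN</name><value><dn /></value></variable>
  </map>
</mapfile>"""

LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def auth_type(map_xml: str) -> Optional[int]:
    """Return the Auth_type value from a map file, or None if it is not set."""
    for var in ET.fromstring(map_xml).iter("variable"):
        if var.findtext("name") == "Auth_type":
            return int(var.findtext("value"))
    return None


def ldap_domains(cfg_xml: str) -> List[Dict[str, str]]:
    """Return each <listitem> of the Ldap list as a name -> value dictionary."""
    items = ET.fromstring(cfg_xml).find("list[@name='Ldap']")
    if items is None:
        return []
    return [{v.get("name"): (v.text or "") for v in item.findall("variable")}
            for item in items.findall("listitem")]


def audit(cfg_xml: str, map_xml: str) -> List[str]:
    """Flag domains whose mapping would carry user passwords in clear over the network:
    Auth_type 5, SecureConnection 0 and a ServerName that is not the local machine."""
    findings: List[str] = []
    if auth_type(map_xml) != 5:
        return findings
    for d in ldap_domains(cfg_xml):
        if d.get("SecureConnection") == "0" and d.get("ServerName") not in LOOPBACK:
            findings.append(f"{d.get('Domain')}: Auth_type 5 sends passwords in clear to "
                            f"{d.get('ServerName')}:{d.get('ServerPort')} (SecureConnection=0)")
    return findings
```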

Note: A new user created in OpenLDAP does not have a password. To set a password for the OpenLDAP user, use the following command:

linux:/etc/openldap # ldappasswd -S -D "cn=Manager,dc=my-domain,dc=com" -h 127.0.0.1 -x -W "uid=test_user,dc=my-domain,dc=com"
New password:
Re-enter new password:
Enter LDAP Password:
Result: Success (0)
linux:/etc/openldap #



    http://support.kerio.com/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=409#
