###################################### LDAP ##############################################
~Lightweight Directory Access Protocol

#### basic LDAP SERVER configuration:

### install LDAP
apt install slapd ldap-utils
# set LDAP's administrator password

# configure the service:
dpkg-reconfigure slapd
# options to select: no, domain, organization, password, yes, yes

# (optional) confirm LDAP is working:
netstat -natl   #check port 389

# install a desktop management tool:
apt install phpldapadmin

# configure phpldapadmin:
nano /etc/phpldapadmin/config.php
# at "* Define your LDAP servers in this section *", modify these lines:
$servers->setValue('server','host','127.0.0.1');
$servers->setValue('server','base',array('dc=example,dc=com'));
$servers->setValue('login','bind_id','cn=admin,dc=example,dc=com');

# access the desktop tool using your browser (you can create organizational units,
# groups, users, etc.):
https://example.com/phpldapadmin   #your_server_webpage/phpldapadmin

## if you get the error "Unrecognized error number: 8192: trim()": it was fixed in
## Ubuntu 23 and more recent versions; on Ubuntu 22.04, download the following version
## manually from Ubuntu's repositories:
wget http://archive.ubuntu.com/ubuntu/pool/universe/p/phpldapadmin/phpldapadmin_1.2.6.3-0.3_all.deb
dpkg -i phpldapadmin_1.2.6.3-0.3_all.deb
apt install dialog apt-utils   #if you get an error while trying the last command...
apt-get -f install             #...fix/install dependencies, then run it again to be error-free!

## Before creating users in LDAP, it is worth changing the following line in the file
## /etc/phpldapadmin/config.php so that the uidNumber is greater than that of the last
## user account already created on the server, and maybe even give it an interval range.
## Ex.: usually the first account created on the server has uidNumber 1000, so change
## it to 1200 or more:
$servers->setValue('auto_number','min',array('uidNumber'=>1000,'gidNumber'=>500));
# command to verify uidNumbers on Ubuntu:
cat /etc/passwd

#########################################################################################
#### basic LDAP CLIENT configuration:

### install LDAP client packs:
apt install ldap-auth-client nscd
# options:
#   ldap://LDAP-server-IP-Address
#   dc=example,dc=com
#   LDAP version: 3
#   Make local root Database admin: Yes
#   Does the LDAP database require login: No
#   cn=admin,dc=example,dc=com
#   your-server's-LDAP-root-password

# configure the client credential's source files:
nano /etc/nsswitch.conf
# add the option 'ldap' to these lines, like this:
passwd: files systemd ldap
group: files systemd ldap
shadow: ldap

# configure the permission to create a home directory for LDAP users:
nano /etc/pam.d/common-session
# add this line to the end of the file:
session required pam_mkhomedir.so umask=0022 skel=/etc/skel

# restart the configured services:
systemctl restart nscd
pam-auth-update

# to test it, be sure to have some users added in LDAP, then run this command:
id LDAP_username   #that should show the information of the specified LDAP user

# finally, reboot the client and the new login options for the LDAP users should be enabled

#########################################################################################
#### basic LDAP with site (APACHE) access configuration:

### enable the LDAP module in Apache
a2enmod authnz_ldap

### insert the next lines into the desired site configuration file
### (/etc/apache2/sites-available/your_chosen_site_configuration_file.conf), under the
### 'DocumentRoot' line, replacing the 'AuthLDAPURL' line content with the data from
### your LDAP server's Organizational Unit containing the users you wish to grant access:
<Directory "/var/www/html">
    AuthName "Inform your LDAP credentials"
    AuthType Basic
    AuthBasicProvider ldap
    AuthLDAPURL ldap://127.0.0.1/ou=People,dc=example,dc=com
    Require valid-user
</Directory>

#restart Apache
systemctl restart apache2
# if you try to access that site now, it will require authentication using valid LDAP
# user credentials

#########################################################################################
#### basic LDAP with e-mail (POSTFIX) configuration:
# assuming you have already installed and configured Postfix to be used with regular
# user accounts from this server, we'll need to switch the configuration settings so
# that it works with the LDAP accounts instead. From that point on, if the server
# user is not on LDAP, he will not be able to use the mail functions of this server
# (it is possible to configure mail redirecting to fix this, but that will not be
# covered in this guide). To follow this guide, it is also necessary to have some
# users already created on LDAP with registered mail addresses!

## other helpful and more in-depth recommended guides:
# basic configuration and tests: https://www.postfix.org/LDAP_README.html
# virtual mailbox configuration: https://www.postfix.org/VIRTUAL_README.html
# example of scripts' syntax for the interaction between postfix and LDAP:
# https://www.vennedey.net/resources/2-LDAP-managed-mail-server-with-Postfix-and-Dovecot-for-multiple-domains#the_mailboxes

### install postfix-ldap:
apt install postfix-ldap

### configure postfix:
nano /etc/postfix/main.cf
## * remove your domain from the line 'mydestination'; the domain can NEVER be repeated
## among this line, the line with 'myhostname' and the line with 'virtual_mailbox_domains'!!!
## * add the following lines to this file:
virtual_mailbox_domains = example.com   #or your domain(s)
virtual_mailbox_base = /
virtual_mailbox_maps = ldap:/etc/postfix/virtual_mailbox_maps
virtual_minimum_uid = 100
virtual_uid_maps = ldap:/etc/postfix/virtual_uidNumber_maps
virtual_gid_maps = ldap:/etc/postfix/virtual_gidNumber_maps
virtual_alias_maps = ldap:/etc/postfix/virtual_alias_maps

### create the following files, with the respective contents, inside the
### directory /etc/postfix (be sure to replace the information specific to
### your server, like IP and domain):
------ files' description START
## file name: virtual_alias_maps
server_host = ldap://your_Server's_IP/   #inform your server's IP
search_base = dc=example, dc=com          #inform your domain
query_filter = (|(uid=%s)(mail=%s@example.com)(mail=%s))   #inform your domain
result_attribute = mail
result_format = %s
------
## file name: virtual_gidNumber_maps
server_host = ldap://your_Server's_IP   #inform your server's IP
search_base = dc=example, dc=com         #inform your domain
query_filter = mail=%s
result_attribute = gidNumber
------
## file name: virtual_mailbox_maps
server_host = ldap://your_Server's_IP   #inform your server's IP
search_base = dc=example, dc=com         #inform your domain
query_filter = mail=%s
result_attribute = homeDirectory
result_format = %s/mailbox/
------
## file name: virtual_uidNumber_maps
server_host = ldap://your_Server's_IP   #inform your server's IP
search_base = dc=example, dc=com         #inform your domain
query_filter = mail=%s
result_attribute = uidNumber
------ files' description END

### create the database for each postfix/ldap script and restart postfix:
postmap /etc/postfix/virtual_alias_maps
postmap /etc/postfix/virtual_gidNumber_maps
postmap /etc/postfix/virtual_mailbox_maps
postmap /etc/postfix/virtual_uidNumber_maps
postfix reload

### create the directory in which the maildir structure will be created and
### give the correct permissions so that any user can write in it; let's
### assume that the LDAP users' homeDirectory is /home/users/username:
mkdir /home/users
chmod o+w /home/users

### test it by sending an e-mail with postfix (see TEST-1 in the postfix guide on
### this site), then check the logs and the directory to read the e-mail:
cat /var/log/mail.log
cd /home/users/username

### this guide does not cover interactions between LDAP and Dovecot/Squirrelmail/etc...

#########################################################################################
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ EXTRAS ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#### how to create a new schema with specific attributes for postfix/e-mail:~~~~~~~~~~~~~~~
# copy postfix.schema from https://github.com/credativ/postfix-ldap-schema
# install schema2ldif and convert the schema file to ldif:
apt install schema2ldif
schema2ldif postfix.schema > postfix.ldif
# follow the instructions at this link to change the password of cn=config:
# https://tech.feedyourhead.at/content/openldap-set-config-admin-password
# copy the ldif file with the new postfix attributes to the server's schema:
ldapadd -x -W -D cn=admin,cn=config -H ldap://your_Server's_IP -f postfix.ldif
# add the objectClass "PostfixUser" to each LDAP user you wish to use postfix with,
# then add the fields 'maildrop' and 'mailacceptinggeneralid' to those same users

#### how to test the communication between LDAP and Postfix, with a script example (similar
#### to the 'virtual_*' files, with explanation):~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
## create the file /etc/postfix/ldap-aliases.cf with this content:
------ content START (don't add this line to the file)
server_host = ldap://your_Server's_IP   #inform your server's IP
search_base = dc=example, dc=com         #inform your domain
#look for entries with this
query_filter = (|(uid=%s)(mailacceptinggeneralid=%s)(mail=%s@example.com.br))
#what attribute from the search result is returned
result_attribute = mail
#the format in which the result is returned
result_format = %s
------ content END (don't add this line to the file)

## update the file /etc/postfix/main.cf with:
alias_maps = hash:/etc/aliases, ldap:/etc/postfix/ldap-aliases.cf

## restart postfix and create the postmap base:
systemctl restart postfix
postmap /etc/postfix/ldap-aliases.cf

## (optional) this test should retrieve the user's e-mail:
postmap -q username ldap:/etc/postfix/ldap-aliases.cf
#########################################################################################
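Two steps in the Postfix sections above are easy to get wrong: the main.cf rule that a domain must not be repeated among 'myhostname', 'mydestination' and 'virtual_mailbox_domains', and what 'postmap -q username ldap:/etc/postfix/ldap-aliases.cf' actually sends to the LDAP server. The Python below is an added example, not part of this guide or of Postfix: it checks a constructed main.cf excerpt for that overlap and reproduces the query_filter expansion, applying the RFC 4515 escaping Postfix documents for the %s lookup key (the sample files and the 192.0.2.10 server address are constructed, and the escaping function is an approximation of Postfix's own).

```python
import re

# Constructed samples (not the guide's files): a main.cf excerpt that breaks
# the guide's rule, and the ldap-aliases.cf map from the guide with a
# constructed server IP.
SAMPLE_MAIN_CF = """\
myhostname = mail.example.com.br
mydestination = example.com.br, localhost
virtual_mailbox_domains = example.com.br
"""
SAMPLE_MAP_CF = """\
server_host = ldap://192.0.2.10   #constructed server IP
search_base = dc=example, dc=com
query_filter = (|(uid=%s)(mailacceptinggeneralid=%s)(mail=%s@example.com.br))
result_attribute = mail
result_format = %s
"""

def parse_cf(text):
    """Parse 'key = value' lines as written in main.cf and the ldap .cf maps;
    '#' starts a comment and blank lines are ignored."""
    params = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            params[key.strip()] = value.strip()
    return params

def overlapping_domains(main_cf):
    """Domains listed in more than one of myhostname, mydestination and
    virtual_mailbox_domains, which the guide says must never happen."""
    seen = {}
    p = parse_cf(main_cf)
    for key in ("myhostname", "mydestination", "virtual_mailbox_domains"):
        for dom in re.split(r"[\s,]+", p.get(key, "")):
            if dom:
                seen.setdefault(dom, []).append(key)
    return {d: keys for d, keys in seen.items() if len(keys) > 1}

def ldap_filter_escape(value):
    """RFC 4515 escaping of the lookup key (Postfix does the equivalent before
    substituting %s), so a key such as 'a)(uid=*' cannot alter the filter."""
    return re.sub(r"[\\*()\x00]", lambda m: "\\%02x" % ord(m.group(0)), value)

def build_query(map_cf, lookup_key):
    """Reproduce the filter 'postmap -q KEY ldap:/etc/postfix/...' sends."""
    return parse_cf(map_cf)["query_filter"].replace("%s", ldap_filter_escape(lookup_key))
```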
ATTENTION: Always read a script before you run it!!!
To run a basic LDAP Server configuration script, run the following command line in your server's terminal:
wget -nc https://www.maycke.com.br/guides/raw/ldap-server.sh && chmod 700 ldap-server.sh && sudo ./ldap-server.sh && sudo rm ldap-server.sh
#########################################################################################
ATTENTION: Always read a script before you run it!!!
To run a basic LDAP Client configuration script, run the following command line in your client's terminal:
wget -nc https://www.maycke.com.br/guides/raw/ldap-client.sh && chmod 700 ldap-client.sh && sudo ./ldap-client.sh && sudo rm ldap-client.sh
#########################################################################################