How do I use the iRedMail LDAP database for user authentication?

If your users are using Outlook as an Exchange client, which is really how they should be using it if they have an Exchange server, then moving to POP3/SMTP requires a full reconfiguration of Outlook; they are also in for some really nasty surprises if they are used to sharing calendars and doing some of the many other things that Exchange supports.

Anyway, I am not here to question your choice... but moving Outlook from being an Exchange client to plain POP3/SMTP automatically for all of your users is definitely not trivial. Something could probably be achieved using .PRF files, but that is not trivial either.

1
asked 19 November 2013 at 19:02
2 answers

So, I figured it out. Here's a quick and dirty guide on how I got it done:

  1. First, iRedMail automatically generates an SSL certificate on install. If your hostname is not what you want the CN for the cert to be, then you're going to need to generate a new SSL cert. Actually, I'd do this regardless. Here's how to accomplish step one:

    $ cd iRedMail-0.8.5/tools
    $ vi generate_ssl_keys.sh
    
    # Modify the following line
    export HOSTNAME="*.yourdomain.com" # I created a wildcard cert
    
    # Set the rest (e.g., TLS_COUNTRY) to match your information
    
  2. Now we need to generate our SSL certs:

    $ sh generate_ssl_keys.sh
    $ mv certs/iRedMail_CA.pem /etc/pki/tls/certs/
    $ mv private/iRedMail.key /etc/pki/tls/private/
    
  3. At this point I rebooted my system. For me that was easier than restarting several services.

  4. Now, before we move on to our LDAP clients, we need to make some changes on our LDAP server. The first change we will make is to add unixHomeDirectory to the posixAccount object class. The reason: I did not want my users stuck in the home directory that iRedMail associates with their account.

     $ vi /etc/openldap/schema/nis.schema
    
    # Add the following after the nisMapEntry attributetype (1.3.6.1.1.1.1.27)
    attributetype ( 1.3.6.1.1.1.1.28 NAME 'unixHomeDirectory'
     DESC 'The absolute path to the home directory'
     EQUALITY caseExactIA5Match
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
    
    # Associate unixHomeDirectory with the posixAccount objectclass
    objectclass ( 1.3.6.1.1.1.2.0 NAME 'posixAccount'
     DESC 'Abstraction of an account with POSIX attributes'
     SUP top AUXILIARY
     MUST ( cn $ uid $ uidNumber $ gidNumber $ homeDirectory )
     MAY ( userPassword $ loginShell $ gecos $ unixHomeDirectory $ description ) )
    
  5. Now we are going to add an obMemberOf attribute for our users. This will be used later with sssd.

    $ vi /etc/openldap/schema/iredmail.schema
    
    # I added this under the listAllowedUser attributetype (1.3.6.1.4.1.32349.1.2.3.3)
    # (same 32349 arc as the rest of iredmail.schema; the OID must not collide with an existing one)
    attributetype ( 1.3.6.1.4.1.32349.1.2.3.4 NAME 'obMemberOf'
     DESC 'Distinguished name of a group of which the object is a member'
     EQUALITY distinguishedNameMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
    
    # And then I associated it with the objectclass mailUser
    objectclass ( 1.3.6.1.4.1.32349.1.2.4.3 NAME 'mailUser'
     DESC 'Mail User' SUP top AUXILIARY
     MUST ( mail $ uid )
     MAY ( storageBaseDirectory $ mailMessageStore $ homeDirectory $
     userPassword $ mailHost $ mailUID $ mailGID $
     mailQuota $ mailQuotaMessageLimit $
     mailForwardingAddress $ shadowAddress $ accountStatus $
     userRecipientBccAddress $ userSenderBccAddress $
     enabledService $ telephoneNumber $ backupMailAddress $
     mtaTransport $ memberOfGroup $ expiredDate $
     lastLoginDate $ lastLoginIP $ lastLoginProtocol $
     preferredLanguage $ disclaimer $ accountSetting $
     title $ userManager $
     mailWhitelistRecipient $ mailBlacklistRecipient $
     domainGlobalAdmin $ obMemberOf ))
    
  6. I made the following changes to /etc/openldap/slapd.conf

    # Comment out disallow bind_anon
    # Disallow bind as anonymous.
    #disallow bind_anon
    
    # Uncommented this line
    # Uncomment below line to allow binding as anonymous.
    allow bind_anon_cred
    
    #
    access to dn.regex="cn=[^,]+,dc=domain,dc=com"
     by anonymous auth
     by self write
     by users none
    
    # Added these two lines
    access to dn.exact=""
     by * read
    
    # And these two
    access to dn.exact="cn=Subschema"
     by * read
    
    # And gave anonymous read access
    # Set default permission.
    access to *
     by anonymous read
     by self write
     by users read
    
  7. Now I went to https://www.mydomain.com/iredadmin and added a user. After adding the user, an ldapsearch returns the following:

    # user1@mydomain.com, Users, mydomain.com, domains, mydomain.com
    dn: mail=user1@mydomain.com,ou=Users,domainName=mydomain.com,o=domains,dc=mydomain,dc=com
    objectClass: inetOrgPerson
    objectClass: mailUser
    objectClass: shadowAccount
    objectClass: amavisAccount
    mail: user1@mydomain.com
    userPassword:: XXX
    uid: user1
    storageBaseDirectory: /var/vmail
    mailMessageStore: vmail1/mydomain.com/d/a/w/user1-2013.11.19.17.43.46/
    homeDirectory: /var/vmail/vmail1/mydomain.com/d/a/w/user1-2013.11.19.17.43.46/
    enabledService: mail
    enabledService: deliver
    enabledService: lda
    enabledService: smtp
    enabledService: smtpsecured
    enabledService: pop3
    enabledService: pop3secured
    enabledService: imap
    enabledService: imapsecured
    enabledService: managesieve
    enabledService: managesievesecured
    enabledService: sieve
    enabledService: sievesecured
    enabledService: forward
    enabledService: senderbcc
    enabledService: recipientbcc
    enabledService: internal
    enabledService: lib-storage
    enabledService: shadowaddress
    enabledService: displayedInGlobalAddressBook
    shadowLastChange: 0
    amavisLocal: TRUE
    mailQuota: 0
    cn: Good User
    givenName: user1
    sn: user1
    preferredLanguage: en_US
    employeeNumber: Application Developer
    accountStatus: active
    
  8. As we can see, everything to make this a posixAccount is missing. So, that's what we're going to do:

     $ vi /tmp/user1.modify
     # Now, I create a file called /tmp/user1.modify that looks like this
     dn: mail=user1@mydomain.com,ou=Users,domainName=mydomain.com,o=domains,dc=mydomain,dc=com
     changetype: modify
     add: objectClass
     objectClass: posixAccount
     -
     add: loginShell
     loginShell: /bin/bash
     -
     add: uidNumber
     uidNumber: 2006
     -
     add: gidNumber
     gidNumber: 2006
     -
     add: unixHomeDirectory
     unixHomeDirectory: /home/user1
    
  9. And we run ldapmodify to add the attributes to the account

    ldapmodify -x -D "cn=Manager,dc=mydomain,dc=com" -W -f /tmp/user1.modify
    
  10. Now I create an LDAP group.

    vi /tmp/devgroup.ldif
    
    # Paste the following in there
    dn: cn=developers,ou=Groups,domainName=mydomain.com,o=domains,dc=mydomain,dc=com
    objectClass: posixGroup
    objectClass: top
    cn: developers
    userPassword:: {crypt}x
    gidNumber: 1500
    memberUid: user1
    
    # And add to LDAP
    ldapadd -x -D "cn=Manager,dc=mydomain,dc=com" -W -f /tmp/devgroup.ldif
    
  11. Add user1 as an obMemberOf the developers group

     vi /tmp/user1.modify
    
     # It should now look like this
     dn: mail=user1@mydomain.com,ou=Users,domainName=mydomain.com,o=domains,dc=mydomain,dc=com
     changetype: modify
     add: obMemberOf
     obMemberOf: cn=developers,ou=Groups,domainName=mydomain.com,o=domains,dc=mydomain,dc=com
    
     # Run ldapmodify
     ldapmodify -x -D "cn=Manager,dc=mydomain,dc=com" -W -f /tmp/user1.modify
    
  12. At this point we have user1, two custom attributes (obMemberOf, unixHomeDirectory), and an LDAP group for developers. It's now time to set up a few clients. The first client I set up was running Ubuntu 12.04 server. Here are the steps for that client:

     # First install all the relevant packages
     $ apt-get install ldap-utils libpam-ldap libnss-ldap nslcd
    
     # I need the SSL cert from my iRedMail host
     scp user@mydomain.com:/etc/pki/tls/certs/iRedMail_CA.pem /etc/ssl/certs/cacert.pem
    
     # Now we configure the LDAP client
     $ vi /etc/ldap.conf
    
     # Here's what my ldap.conf ended up looking like:
     # BEGIN /etc/ldap.conf
     host ldap.mydomain.com
     base dc=mydomain,dc=com
     ldap_version 3
     # You can use cn=Manager,dc=yourdomain,dc=com if you'd like. iRedMail sets up this vmail account as read-only, so I went with that instead.
     rootbinddn cn=vmail,dc=mydomain,dc=com
     pam_password ssha
     nss_base_passwd ou=Users,domainName=mydomain.com,o=domains,dc=mydomain,dc=com
     nss_base_shadow ou=Users,domainName=mydomain.com,o=domains,dc=mydomain,dc=com
     nss_base_group ou=Groups,domainName=mydomain.com,o=domains,dc=mydomain,dc=com
     nss_map_attribute homeDirectory unixHomeDirectory
     pam_login_attribute uid
     ssl start_tls
     tls_checkpeer yes
     tls_cacertfile /etc/ssl/certs/cacert.pem
     # END /etc/ldap.conf
    
     # Create the file /etc/ldap.secret and put the plain-text password for your rootbinddn in there, then 'chmod 600 /etc/ldap.secret' (root:root ownership).
    
     # Next I edit /etc/nslcd.conf. Here is that file
     # BEGIN /etc/nslcd.conf
     uid nslcd
     gid nslcd
     uri ldap://ldap.mydomain.com
     base dc=mydomain,dc=com
     ldap_version 3
     ssl start_tls
     tls_reqcert demand
     tls_cacertfile /etc/ssl/certs/cacert.pem
     # END /etc/nslcd.conf
    
     # Now I edit /etc/ldap/ldap.conf and add the following line to the bottom
     # It is the only uncommented line in the file
     TLS_CACERT /etc/ssl/certs/cacert.pem
    
     # My PAM files look as follows
    
     # BEGIN /etc/pam.d/common-account
     account [success=2 new_authtok_reqd=done default=ignore] pam_unix.so 
     account [success=1 default=ignore] pam_ldap.so 
     account requisite pam_deny.so
     account required pam_permit.so
     # END /etc/pam.d/common-account
    
     # BEGIN /etc/pam.d/common-auth
     auth [success=2 default=ignore] pam_unix.so nullok_secure
     auth [success=1 default=ignore] pam_ldap.so use_first_pass
     auth requisite pam_deny.so
     auth required pam_permit.so
     # END /etc/pam.d/common-auth
    
     # BEGIN /etc/pam.d/common-password
     password [success=2 default=ignore] pam_unix.so obscure sha512
     password [success=1 user_unknown=ignore default=die] pam_ldap.so try_first_pass
     password requisite pam_deny.so
     password required pam_permit.so
     # END /etc/pam.d/common-password
    
     # BEGIN /etc/pam.d/common-session
     session [default=1] pam_permit.so
     session requisite pam_deny.so
     session required pam_permit.so
     session optional pam_umask.so
     session required pam_unix.so 
     session optional pam_ldap.so 
     session optional pam_systemd.so 
     session required pam_mkhomedir.so skel=/etc/skel umask=0022
     # END /etc/pam.d/common-session
    
     # I then edited /etc/nsswitch.conf and added ldap at the end of the passwd, group and shadow lines
     passwd: compat ldap
     group: compat ldap
     shadow: compat ldap
    
     # Enable the service and restart it
     $ update-rc.d nslcd enable
     $ /etc/init.d/nscd restart
    
     # Test things out
     $ gnutls-cli --x509cafile /etc/ssl/certs/cacert.pem ldap.mydomain.com
     $ ldapsearch -H"ldap://ldap.mydomain.com" -D "cn=vmail,dc=mydomain,dc=com" -b "dc=mydomain,dc=com" -W -d-1 -Z 
     $ getent passwd
     $ id user1
    
     # You should now be able to su to user1 and ssh in as user1.
    
  13. The next client I set up was a CentOS 6.4 server running sssd.

     # Install the relevant packages
     $ yum install openldap-clients sssd
     $ chkconfig sssd on
    
     # For now I set SELinux to permissive
     $ echo 0 > /selinux/enforce
    
     # scp my cert over
     $ scp user@mydomain.com:/etc/pki/tls/certs/iRedMail_CA.pem /tmp
     $ scp user@mydomain.com:/etc/pki/tls/private/iRedMail.key /tmp
    
     # combine the two certs
     $ awk 'FNR==1{print ""}1' /tmp/iRedMail.key /tmp/iRedMail_CA.pem > /etc/openldap/cacerts/iRedMail_CA.pem
     $ cacertdir_rehash /etc/openldap/cacerts/
    
     # Enable sssd.
     $ authconfig --enableldap --enableldapauth --ldapserver=ldaps://ldap.mydomain.com --ldapbasedn="dc=mydomain,dc=com" --update
    
     # I modified my /etc/sssd.conf file to look like this:
     [sssd]
     config_file_version = 2
     services = nss, pam
     domains = LDAP
     [nss]
     filter_users = root,named,avahi,haldaemon,dbus,radiusd,news,nscd
    
     [pam]
    
     [domain/LDAP]
     ldap_search_base = dc=mydomain,dc=com
     ldap_access_filter = obMemberOf=cn=developers,ou=Groups,domainName=mydomain.com,o=domains,dc=mydomain,dc=com
     id_provider = ldap
     auth_provider = ldap
     chpass_provider = ldap
     access_provider = ldap
     ldap_schema = rfc2307
     ldap_uri = ldap://ldap.mydomain.com
     ldap_user_name = uid
     ldap_user_home_directory = unixHomeDirectory
     ldap_user_search_base = ou=Users,domainName=mydomain.com,o=domains,dc=mydomain,dc=com
     ldap_group_search_base = ou=Groups,domainName=mydomain.com,o=domains,dc=mydomain,dc=com
     ldap_default_bind_dn = cn=vmail,dc=mydomain,dc=com
     ldap_default_authtok_type = password
     ldap_default_authtok = p4ssw0rd
     enumerate = true
     cache_credentials = true
     ldap_tls_reqcert = never
     ldap_tls_cacertdir = /etc/openldap/cacerts
    
     # Start sssd in the foreground with debugging on.
     $ /usr/sbin/sssd -i -d7
    
     # Open another terminal and do the following
     $ getent passwd
     $ id user1
     $ ssh user1@localhost
     $ su - user1
    
     # Check the other terminal for any errors and fix as necessary.
     # If no errors... break the sssd process with Ctrl+C
     $ service sssd start
    

Here are some of the errors I ran into during this process and what I did to fix each of them.

Warning: LDAP access rule 'filter' is set, but no ldap_access_filter configured. All domain users will be denied access.

This is why I added the LDAP group on my server and the obMemberOf attribute. I then used it on the sssd client as my ldap_access_filter (i.e., anyone who has the attribute obMemberOf set to the DN of the developers group has access to the system).

TLS: skipping 'iRedMail_CA.pem' - filename does not have expected format (certificate hash with numeric suffix)

Running 'cacertdir_rehash /etc/openldap/cacerts/' seemed to fix things. It created a symlink (the certificates hash with numeric suffix) that points to iRedMail_CA.pem

I ran into quite a few other errors (A plethora of "Invalid Credentials," "Access Denied," and other access related errors). I will update this later to cover them as well.

4
answered 3 December 2019 at 17:46
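Steps 7 to 11 of the answer above do the POSIX provisioning by hand, one LDIF file per user. The script below is an added example, not code from the answer or from iRedMail: it parses `ldapsearch` output such as the entry shown in step 7, lists the mailUser entries that still lack posixAccount attributes, picks the next free uidNumber, and emits the same `changetype: modify` record the answer writes by hand in step 8. The two sample entries are constructed; the 2000+ uid range and the `/home/<uid>` convention are assumptions, and the uid is checked against a strict pattern before it is interpolated into LDIF so that a crafted directory value cannot inject extra attributes.

```python
"""Audit iRedMail mailUser entries for the POSIX attributes a Linux client
needs and emit the ldapmodify LDIF that adds them.

Added example, not code from the answer or from iRedMail. Sample entries are
constructed from the step 7 ldapsearch output; the 2000+ uid range and the
/home/<uid> convention are assumptions.
"""
import base64
import re
import sys

# Attributes the answer adds by hand in step 8 (objectClass handled separately).
REQUIRED = ("loginShell", "uidNumber", "gidNumber", "unixHomeDirectory")

# Constructed sample: user1 is fresh from iredadmin, user2 is already provisioned.
SAMPLE_LDIF = """\
# user1@mydomain.com, Users, mydomain.com, domains, mydomain.com
dn: mail=user1@mydomain.com,ou=Users,domainName=mydomain.com,o=domains,dc=mydomain,dc=com
objectClass: inetOrgPerson
objectClass: mailUser
objectClass: shadowAccount
mail: user1@mydomain.com
userPassword:: e1NTSEF9eA==
uid: user1
accountStatus: active

dn: mail=user2@mydomain.com,ou=Users,domainName=mydomain.com,o=domains,dc=mydomain,dc=com
objectClass: mailUser
objectClass: posixAccount
uid: user2
uidNumber: 2006
gidNumber: 2006
loginShell: /bin/bash
unixHomeDirectory: /home/user2
"""


def parse_ldif(text):
    """Parse ldapsearch output into a list of {attribute: [values]} dicts.
    Handles '#' comments, '::' base64 values and folded continuation lines."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:  # folded line continues the previous one
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    lines.append("")  # terminate the last entry
    entries, current = [], None
    for line in lines:
        if line.startswith("#"):
            continue
        if not line:
            if current:
                entries.append(current)
            current = None
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):  # "attr:: base64"
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        if current is None:
            current = {}
        current.setdefault(name, []).append(value)
    return entries


def missing_posix(entry):
    """Return what this entry still lacks to be a usable posixAccount."""
    missing = [] if "posixAccount" in entry.get("objectClass", []) else ["objectClass"]
    return missing + [a for a in REQUIRED if a not in entry]


def next_uid_number(entries, floor=2000):
    """One above the highest uidNumber seen, never below `floor` (assumption:
    a 2000+ range that cannot collide with local /etc/passwd accounts)."""
    used = [int(v) for e in entries for v in e.get("uidNumber", [])]
    return max(used + [floor - 1]) + 1


def build_modify_ldif(entry, uid_number, shell="/bin/bash"):
    """Emit the same 'changetype: modify' record the answer writes in step 8."""
    uid = entry["uid"][0]
    # LDIF is line-oriented: a uid containing a newline or ':' could inject
    # extra attributes, so only accept a conservative POSIX user name.
    if not re.fullmatch(r"[a-z_][a-z0-9_-]{0,31}", uid):
        raise ValueError(f"refusing to provision suspicious uid {uid!r}")
    wanted = {"loginShell": shell, "uidNumber": str(uid_number),
              "gidNumber": str(uid_number), "unixHomeDirectory": f"/home/{uid}"}
    ops = []
    if "posixAccount" not in entry.get("objectClass", []):
        ops.append(("objectClass", "posixAccount"))
    ops += [(a, v) for a, v in wanted.items() if a not in entry]
    body = "\n-\n".join(f"add: {a}\n{a}: {v}" for a, v in ops)
    return f"dn: {entry['dn'][0]}\nchangetype: modify\n{body}\n"


def audit(text):
    """Map uid -> modify LDIF for every mailUser entry still lacking POSIX data."""
    entries = parse_ldif(text)
    uid_number = next_uid_number(entries)
    result = {}
    for e in entries:
        if "mailUser" in e.get("objectClass", []) and missing_posix(e):
            result[e["uid"][0]] = build_modify_ldif(e, uid_number)
            uid_number += 1
    return result


if __name__ == "__main__":
    # Reads real ldapsearch output from stdin when piped, else the sample.
    source = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LDIF
    for uid, ldif in audit(source).items():
        print(f"# {uid}\n{ldif}")
```

Feed it the real directory with something like `ldapsearch -x -ZZ -D cn=vmail,dc=mydomain,dc=com -W -b ou=Users,domainName=mydomain.com,o=domains,dc=mydomain,dc=com '(objectClass=mailUser)' | python3 audit.py > posix.ldif`, review `posix.ldif`, then apply it with the `ldapmodify` command from step 9. Trailing `search:`/`result:` lines from ldapsearch are parsed but ignored because they carry no objectClass.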
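The sssd.conf in step 13 works, but two of its settings undo the certificate work from steps 1 and 2: `ldap_tls_reqcert = never` skips server certificate verification, and a plain `ldap://` URI combined with `ldap_default_bind_dn` and `ldap_default_authtok` sends the vmail bind password in the clear on every identity lookup, because sssd only wraps those in StartTLS when `ldap_id_use_start_tls = true` (password authentication itself is refused without TLS). The linter below is an added example, not code from the answer or from the sssd project; it reads a domain section the way sssd does and flags those settings, plus the missing `ldap_access_filter` behind the first error quoted above. WEAK and FIXED are constructed from the answer's configuration, with the hostname, base DN and password as placeholders.

```python
"""Lint an sssd.conf LDAP domain for weak transport and access settings.

Added example, not code from the answer or from the sssd project. WEAK and
FIXED are constructed from the answer's step 13 configuration; host, base DN
and the p4ssw0rd value are placeholders.
"""
import configparser

WEAK = """\
[sssd]
config_file_version = 2
services = nss, pam
domains = LDAP

[domain/LDAP]
id_provider = ldap
auth_provider = ldap
access_provider = ldap
ldap_uri = ldap://ldap.mydomain.com
ldap_search_base = dc=mydomain,dc=com
ldap_default_bind_dn = cn=vmail,dc=mydomain,dc=com
ldap_default_authtok_type = password
ldap_default_authtok = p4ssw0rd
ldap_tls_reqcert = never
ldap_tls_cacertdir = /etc/openldap/cacerts
"""

FIXED = """\
[sssd]
config_file_version = 2
services = nss, pam
domains = LDAP

[domain/LDAP]
id_provider = ldap
auth_provider = ldap
access_provider = ldap
ldap_access_filter = obMemberOf=cn=developers,ou=Groups,domainName=mydomain.com,o=domains,dc=mydomain,dc=com
ldap_uri = ldaps://ldap.mydomain.com
ldap_search_base = dc=mydomain,dc=com
ldap_default_bind_dn = cn=vmail,dc=mydomain,dc=com
ldap_default_authtok_type = password
ldap_default_authtok = p4ssw0rd
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/openldap/cacerts/iRedMail_CA.pem
"""


def lint_sssd(text):
    """Return (severity, key, message) findings for every [domain/...]
    section whose id_provider is ldap. Defaults mirror sssd-ldap(5):
    ldap_tls_reqcert=hard, ldap_id_use_start_tls=false, ldap_access_order=filter."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    findings = []
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        d = cp[section]
        if d.get("id_provider") != "ldap":
            continue
        plain = d.get("ldap_uri", "").startswith("ldap://")
        starttls = d.get("ldap_id_use_start_tls", "false").lower() == "true"
        if plain and not starttls:
            findings.append(("HIGH", "ldap_uri",
                "identity lookups bind over cleartext ldap://; use ldaps:// "
                "or set ldap_id_use_start_tls = true"))
        if d.get("ldap_tls_reqcert", "hard").lower() in ("never", "allow"):
            findings.append(("HIGH", "ldap_tls_reqcert",
                "server certificate is not verified, so TLS does not stop a "
                "man-in-the-middle; set ldap_tls_reqcert = demand"))
        if "ldap_default_authtok" in d:
            findings.append(("INFO", "ldap_default_authtok",
                "bind password stored in the file; keep sssd.conf root:root 0600"))
        if (d.get("access_provider") == "ldap"
                and "ldap_access_filter" not in d
                and "filter" in d.get("ldap_access_order", "filter")):
            findings.append(("HIGH", "ldap_access_filter",
                "access_provider = ldap without ldap_access_filter: sssd denies "
                "every user (the warning quoted above)"))
    return findings


if __name__ == "__main__":
    for label, conf in (("WEAK", WEAK), ("FIXED", FIXED)):
        for sev, key, msg in lint_sssd(conf):
            print(f"{label}: [{sev}] {key}: {msg}")
```

`lint_sssd(open("/etc/sssd/sssd.conf").read())` runs the same checks on a live client. The FIXED variant keeps the bind password, since the read-only vmail account is how iRedMail expects clients to search; the point is that with `ldaps://` and `ldap_tls_reqcert = demand` that password only ever crosses the wire inside a verified TLS session. Note that `ldap_tls_cacert` in FIXED points at the CA certificate alone, not at the key-plus-CA file step 13 assembles.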

I wonder whether sssd can be configured to use a flexible LDAP filter and to look up different (non-default) LDAP attributes in this case.

If you have modified the iRedMail LDAP schema file, you should take care to keep that schema in sync with upstream.

0
answered 3 December 2019 at 17:46
