My-Tiny.Net :: Networking with Virtual Machines
Configuring Services to use LDAP
The last step in this process is to configure Dovecot and SquirrelMail to use LDAP for looking up user mailboxes.
Configuring Dovecot to use LDAP
One of the reasons we use Dovecot LDA for local delivery is that it will automatically create an inbox for a new user (which Postfix does not). So, once we set up LDAP and configure Dovecot to use it, all we have to do is use interactive PLA to add a new user to the directory, and they can send and receive mail instantly (very nice for webmail and enterprise mail systems!). This requires changes to three configuration files: two for Dovecot on the MailHost and one for SquirrelMail on the WebServer.
[ 1 ] First, we need to tell Dovecot to look up usernames and passwords in the LDAP directory. Dovecot does not like to search from the rootDSE, so we need to create a passdb ldap and userdb ldap section and a configuration file for each search base.
Start by uncommenting these lines in the section at the bottom of /etc/dovecot/dovecot-auth.conf:
#---%<---------------------------------------------------------------
## Authentication databases
# fallback works only with the PLAIN authentication mechanism
# (tried in order)
# args = Path to passwd-file or LDAP configuration file
passdb {
  driver = ldap
  args = /etc/dovecot/ldap-dn_o.dbconf
}
#passdb {
#  driver = ldap
#  args = /etc/dovecot/ldap-dn_dc.dbconf
#}
passdb {
  driver = passwd-file
  args = /home/vmail/mail-pwd
}
userdb {
  driver = ldap
  args = /etc/dovecot/ldap-dn_o.dbconf
}
#userdb {
#  driver = ldap
#  args = /etc/dovecot/ldap-dn_dc.dbconf
#}
userdb {
  driver = static
  args = uid=vmail gid=vmail
}
#---%<---------------------------------------------------------------
The key LDAP parameters are defined in the file specified with args =, which points to the next configuration step. The sections that need to stay commented out are for a second DIT: see Configure LDAP :: Adding a DIT on the menu.
[ 2 ] We have /etc/dovecot/ldap-dn_o.dbconf ready for the o=tinynet.edu directory, with one important change to tell Dovecot which LDAP attributes it needs to match when it queries the LDAP database.
Password and mail user attributes are specified down near the bottom of the file, along with a search filter. These are specified using a combination of Dovecot configuration variables and attribute names from the file /etc/openldap/topclass.ldif that was used to set up the database.
The pass_attrs and user_attrs are specified correctly, but there is a problem with the filters: if the filter uses %u, Dovecot tries to match the sender as the user (mailadmin@mailhost.tinynet.edu, for example) rather than the recipient name and domain (%n@%d), which is what we want.
# passdb lookup: tell dovecot
# which LDAP attributes are associated with the user's password
# and the search filter, e.g., (&(objectClass=posixAccount)(uid=%u))
pass_attrs = userPassword=password
pass_filter = (mail=%n@%d)

# userdb lookup: tell dovecot
# which LDAP attributes map to uid, gid, home and mail
# (note the use of static text for mail - see the documentation)
# and the search filter, possibly with extra fields to return
user_attrs = uid=user,=mail=mbox:/home/vmail/%d/%n
user_filter = (mail=%n@%d)
After making that change, save the file. Now restart Dovecot, and we're ready to go! Test it out by using telnet to connect to the server and check the mailbox for someone in the LDAP DIT (see Configure Mail :: Testing):
telnet localhost 143
11 login "b.jensen@net-a.tinynet.edu" "LetMeIn"
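To see what the filter and attribute settings above actually do, here is an added example (not part of the original page or of Dovecot) that expands the page's %u, %n and %d variables for a login, runs the resulting filter against two constructed directory entries, and applies the pass_attrs and user_attrs mappings. The entries, password hashes and the minimal equality-only filter evaluator are assumptions made for the demonstration.

```python
import re

# Constructed sample entries standing in for the o=tinynet.edu DIT (not the page's userdata.ldif).
DIRECTORY = [
    {"dn": "uid=b.jensen,ou=net-a,o=tinynet.edu", "objectClass": "posixAccount",
     "uid": "b.jensen", "mail": "b.jensen@net-a.tinynet.edu",
     "userPassword": "{SSHA}constructed-hash-1"},
    {"dn": "uid=mailadmin,ou=mailhost,o=tinynet.edu", "objectClass": "posixAccount",
     "uid": "mailadmin", "mail": "mailadmin@mailhost.tinynet.edu",
     "userPassword": "{SSHA}constructed-hash-2"},
]


def expand(template, login):
    """Expand the Dovecot variables the page uses: %u (full login), %n (local part), %d (domain)."""
    name, _, domain = login.partition("@")
    return template.replace("%u", login).replace("%n", name).replace("%d", domain)


def matches(entry, filt):
    """Evaluate a simple equality filter such as (mail=x) or (&(objectClass=a)(uid=b)).
    Every (attr=value) term must match; this toy evaluator ignores |, ! and wildcards."""
    terms = re.findall(r"\((\w+)=([^()]+)\)", filt)
    return all(entry.get(attr) == value for attr, value in terms)


def lookup(filter_template, login):
    """Expand the filter for this login and return the matching directory entries."""
    filt = expand(filter_template, login)
    return [e for e in DIRECTORY if matches(e, filt)]


def map_attrs(entry, login, template="uid=user,=mail=mbox:/home/vmail/%d/%n"):
    """Apply a Dovecot-style attrs mapping: 'ldapattr=field' copies an LDAP attribute,
    '=field=value' stores static (variable-expanded) text, as in the page's user_attrs."""
    result = {}
    for item in template.split(","):
        ldap_attr, _, rest = item.partition("=")
        if ldap_attr == "":                      # static text: "=mail=mbox:/home/vmail/%d/%n"
            field, _, value = rest.partition("=")
            result[field] = expand(value, login)
        else:                                    # attribute copy: "uid=user"
            result[rest] = entry[ldap_attr]
    return result


if __name__ == "__main__":
    login = "b.jensen@net-a.tinynet.edu"
    print(lookup("(&(objectClass=posixAccount)(uid=%u))", login))   # [] : uid holds no domain
    entry = lookup("(mail=%n@%d)", login)[0]                         # the page's filter matches
    print(map_attrs(entry, login, "userPassword=password"))          # passdb result
    print(map_attrs(entry, login))                                   # userdb result: mbox path
```

The userdb result shows where Dovecot LDA will create the new mailbox under /home/vmail, which is what the last check in step [ 3 ] looks for.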
Configuring SquirrelMail to use LDAP
[ 3 ] Now it's time to edit /var/www/squirrelmail/config/svr_ldap on the WebServer. All we need to change is the host, so that SquirrelMail contacts our LDAP server. We can change this back to localhost later when we set up stunnel to secure our communications with SSL (see SSL & SSH :: stunnel on the menu).
$ldap_server[0] = Array(
    'host' => 'ldap.tinynet.edu',
    'name' => 'ldap o=tinynet.edu',
    'base' => 'o=tinynet.edu'
);
Then stop and restart the webserver, and check the default capabilities: log in to SquirrelMail as mailadmin with your host browser, click Compose, then the Addresses button, and then the List All button in the Address Book Search page. Pick one to use in the To: address, and send a test email. Log out as mailadmin and log in as your test user (check userdata.ldif for the password), or just check /home/vmail on the MailServer for the new mailbox folder.
SquirrelMail has a plugin to do more interesting LDAP queries. To activate it, the first step is to find this section in plugins.php and uncomment one line:
# 3rd party -
# allows users to search the Directory Servers by name and
# lookup phone numbers, addresses, and other data
$plugins[8] = 'ldapquery';
The plugin will use the LDAP servers defined in the SquirrelMail configuration. The default plugin configuration is in plugins/ldapquery/config_default.php, but it is better to copy it to config/ldapquery_config.php and modify that. There are only a few things you need to define, and the instructions in the README file are clear.
When you finish, stop and restart the webserver to check the new capabilities.