Tagged: OpenLDAP

Sudoers in LDAP

In addition to the standard sudoers file, sudo may be configured via LDAP. This can be especially useful for synchronizing sudoers in a large, distributed environment. You need to have LDAP server and client...

Linux LDAP autofs client configuration

There is a plenty of Linux distributions, so there is not my point to describe how to configure autofs in every one of them. This description is based on RedHat/CentOS, but it can be...

Solaris LDAP autofs client configuration

Last time I wrote about autofs configuration on LDAP server, now it is time to configure autofs client in Solaris. I assume that in DUAConfigProfile, objectClasses and attributes are already defined. You can check...

OpenDJ – online schema modification

I wrote before about schema conversion to LDIF format and how to add schemas offline by uploading them to config/schema directory in OpenDJ. Now I will describe how to extend schema online, without restart...

LDAP meta directory

Sometimes you need to combine two or more LDAP directories with same suffixes to one directory or you just need to have a proxy. My first attempts to combine two OpenLDAP directories was to make replication from two different sources. This solution however has some disadvantages. First of all: to have syncprov replication your environment must be uniform, this means all source servers and proxy needs to be OpenLDAP. Second: I observed that this is not so stable, because of mentioned earlier issues with OpenLDAP replication.

Mail delivery configuration with LDAP

(Polski) Ostatnim razem pisałem o uwierzytelnianiu użytkowników w katalogu LDAP aby umożliwiać im odbieranie i nadawanie poczty. Teraz nadszedł czas aby skonfigurować Postfixa aby dostarczał pocztę do właściwych skrzynek.
Jeśli sam kompilujesz Postfixa musisz pamiętać o dodaniu do niego wsparcia dla LDAP. Mój opis tym razem bazuje na Ubuntu, więc trzeba tylko zainstalować odpowiedni pakiet postfix-ldap:
$ sudo -i
# apt-get install postfix-ldap
To załatwi sprawę wsparcia map ldap: w Postfixie.
Teraz idziemy do konfiguracji Postfixa:


OpenLDAP jest implementacją open source protokołu Lightweight Directory Access Protocol.

soft@wega:~/openldap% ./drf_openldap-2.4.25_conf 
cc: Sun C 5.10 SunOS_sparc 2009/06/03
usage: cc [ options] files.  Use 'cc -flags' for details
CFLAGS=-fast -xautopar
CPPFLAGS=-I/usr/local/ssl/include -I/usr/local/BerkeleyDB.5.1/include -I/usr/local/include
CXXFLAGS=-fast -xautopar
LDFLAGS=-L/usr/local/ssl/lib -R/usr/local/ssl/lib -L/usr/local/BerkeleyDB.5.1/lib -R/usr/local/BerkeleyDB.5.1/lib -L/usr/local/lib -R/usr/local/lib
dmake clean [y|n] ?

Mail system authentication in LDAP

I suppose that Dovecot and Postfix are up and running, and you can receive and send mail with system user (see previous posts). It is time to configure authentication in LDAP.

Use of directory service to user authentication allows for flexible management of mail system, hosting and so on. LDAP is established standard for authentication and authorization and almost all software which requires authentication support this protocol.

Let’s begin from POP3/IMAP Dovecot server, which also deliver authentication mechanism for Postfix:

/usr/bin/sudo -i
cd /etc/dovecot
vi dovecot-ldap.conf

In this file you need to define LDAP server/s parameters, authentication method, filter and attributes. I list those most important:

hosts = localhost
auth_bind = yes
base = o=hosting,dc=example,dc=com
scope = subtree
user_attrs = homeDirectory=home
user_filter = (&(objectClass=mailUser)(mail=%u))
pass_attrs = mail=user,userPassword=password
pass_filter = (&(objectClass=mailUser)(mail=%u))

Schema conversion – LDAP to LDIF

The power of directory service is possibility to define your own object classes, attributes, rules and so on. It also allows grouping it in schemas, which you can add to LDAP configuration.

As for now most of schemas, which you can find in Internet is organized into blocks, which contains definitions of attributes and object classes. This looks like:

attribute type definition:

attributetype ( NAME 'accountStatus'
    DESC 'The status of a user account: active, disabled'
    EQUALITY caseIgnoreIA5Match
    SUBSTR caseIgnoreSubstringsMatch