Navigation

    Kopano
    • Register
    • Login
    • Search
    • Categories
    • Get Official Kopano Support
    • Recent
    Statement regarding the closure of the Kopano community forum and the end of the community edition

    How to setup Kopano with FreeIPA LDAP backend

    General Discussion
    2
    3
    1436
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • burgessja
      burgessja last edited by

      I have successfully deployed Kopano using FreeIPA as the LDAP/Authentication backend, with a few changes to the normal Kopano install process. I changed “olcAttributeTypes” to “attributetypes” and “olcObjectClasses” to “objectclasses” in the example ldif file. I also changed the dn of the schema to the correct location for 389ds (i think):

      dn: cn=schema
objectclass: top
objectclass: ldapSubentry
objectclass: subschema

      This is the file I ended up using: https://pastebin.com/TA7GRUkD Lastly, instead of using ldapadd or ldapmodify, I placed the kopano99.ldif file in /etc/dirsrv/slapd-INSTANCE/schema/ and restarted the service.

      As it stands now, I can see all the new objectclasses and attributes in the schema, and Kopano seems to be reading them correctly. To get Postfix to read the correct addresses/groups/aliases, use the Active Directory style configuration in your /etc/postfix/ldap*.cf config files (as seen in the wiki). Ex ldap-users.cf:

      server_host = ldap://_server_
search_base = cn=users,cn=accounts,dc=base,dc=domain,dc=com
version = 3
scope = sub
bind = yes
bind_dn = uid=binduser,cn=users,cn=accounts,dc=base,dc=domain,dc=com
bind_pw = binduserpass
#query_filter = (uid=%s)
query_filter = (&(objectClass=posixaccount)(mail=%s))
result_attribute = mail

      The default user objectclasses, like “kopano-user” can be added in the FreeIPA web UI, under IPA Server -> Configuration. For the rest of the objectclasses and attribute types, I use phpLDAPAdmin to manage the accounts after they have been created in FreeIPA. It’s important that the accounts are first created in FreeIPA, so that the appropriate attributes are created.

      Eventually, I would like to create a Web UI and CLI plugin for FreeIPA that would allow for the editing of these attributes and objectclasses directly within the FreeIPA Web UI and console.

      markb 1 Reply Last reply Reply Quote 0
      • markb
        markb @burgessja last edited by markb

        @burgessja

        Hi,
        AFAIK running the commands below is all required to include all the kopano attributes in ds389 server.

        curl https://fedorapeople.org/groups/389ds//binaries/ol-schema-migrate.pl > ol-schema-migrate.pl
perl ol-schema-migrate.pl -b /usr/share/doc/kopano/kopano.schema  > /etc/dirsrv/slapd-FREEIPA-KOPANO-LAN/schema/61kopano.ldif
chown dirsrv.dirsrv /etc/dirsrv/slapd-FREEIPA-KOPANO-LAN/schema/61kopano.ldif
systemctl restart ipa

        Why are you doing additional changes ?

        Kind regards,

        Markb

        1 Reply Last reply Reply Quote 0
        • burgessja
          burgessja last edited by

          I was unable to get the ol-schema-migrate.pl script to work in my case, it seemed like the syntax for 389ds had changed since that script was written, but that was just a guess. The script ran fine, but 389ds complained about invalid characters and spacing. In my case, I effectively just did all the steps from the script manually.

          The changes that I made to the postfix config files may have only been a requirement of FreeIPA., not 389ds. Without the bind username and password, Postfix was unable to find the user accounts.

          1 Reply Last reply Reply Quote 0
          • First post
            Last post