How to set up Kopano with FreeIPA LDAP backend

  • I have successfully deployed Kopano using FreeIPA as the LDAP/Authentication backend, with a few changes to the normal Kopano install process. I changed “olcAttributeTypes” to “attributetypes” and “olcObjectClasses” to “objectclasses” in the example ldif file. I also changed the dn of the schema to the correct location for 389ds (I think):

    dn: cn=schema
    objectclass: top
    objectclass: ldapSubentry
    objectclass: subschema

    This is the file I ended up using: Lastly, instead of using ldapadd or ldapmodify, I placed the kopano99.ldif file in /etc/dirsrv/slapd-INSTANCE/schema/ and restarted the service.

    As it stands now, I can see all the new objectclasses and attributes in the schema, and Kopano seems to be reading them correctly. To get Postfix to read the correct addresses/groups/aliases, use the Active Directory style configuration in your /etc/postfix/ldap*.cf config files (as seen in the wiki). Ex:

    server_host = ldap://_server_
    search_base = cn=users,cn=accounts,dc=base,dc=domain,dc=com
    version = 3
    scope = sub
    bind = yes
    bind_dn = uid=binduser,cn=users,cn=accounts,dc=base,dc=domain,dc=com
    bind_pw = binduserpass
    #query_filter = (uid=%s)
    query_filter = (&(objectClass=posixaccount)(mail=%s))
    result_attribute = mail

    The default user objectclasses, like “kopano-user”, can be added in the FreeIPA web UI, under IPA Server -> Configuration. For the rest of the objectclasses and attribute types, I use phpLDAPAdmin to manage the accounts after they have been created in FreeIPA. It’s important that the accounts are first created in FreeIPA, so that the appropriate attributes are created.

    Eventually, I would like to create a Web UI and CLI plugin for FreeIPA that would allow for the editing of these attributes and objectclasses directly within the FreeIPA Web UI and console.

  • @burgessja

    AFAIK running the commands below is all that is required to include all the kopano attributes in ds389 server.

    curl >
    perl -b /usr/share/doc/kopano/kopano.schema  > /etc/dirsrv/slapd-FREEIPA-KOPANO-LAN/schema/61kopano.ldif
    chown dirsrv.dirsrv /etc/dirsrv/slapd-FREEIPA-KOPANO-LAN/schema/61kopano.ldif
    systemctl restart ipa

    Why are you doing additional changes?

    Kind regards,


  • I was unable to get the script to work in my case; it seemed like the syntax for 389ds had changed since that script was written, but that was just a guess. The script ran fine, but 389ds complained about invalid characters and spacing. In my case, I effectively just did all the steps from the script manually.

    The changes that I made to the postfix config files may have only been a requirement of FreeIPA, not 389ds. Without the bind username and password, Postfix was unable to find the user accounts.
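
The manual conversion described in the first and third posts (rename the olc* attributes, use the cn=schema header), as an added example that is not from any poster or from the Kopano script. The `convert` and `unfold` helpers are hypothetical, the sample schema is constructed, and writing each definition on a single line with the OpenLDAP {N} ordering prefix removed is an assumption about what 389ds accepts.

```python
import base64
import re

# Header from the first post, and the olc* -> 389-ds renames it describes.
HEADER = ["dn: cn=schema", "objectclass: top",
          "objectclass: ldapSubentry", "objectclass: subschema"]
RENAME = {"olcattributetypes": "attributetypes",
          "olcobjectclasses": "objectclasses"}

# Constructed sample input (OIDs use the IANA documentation arc 32473).
SAMPLE = """\
dn: cn=example,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: example
olcAttributeTypes: {0}( 1.3.6.1.4.1.32473.1.1 NAME 'exampleAlias'
  DESC 'constructed sample' EQUALITY caseIgnoreMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
olcObjectClasses: {0}( 1.3.6.1.4.1.32473.2.1 NAME 'example-user'
  SUP top AUXILIARY MAY ( exampleAlias ) )
"""

def unfold(text):
    """Join LDIF continuation lines (lines that start with one space)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def convert(olc_ldif):
    """Return 389-ds schema file text for an OpenLDAP cn=config schema LDIF."""
    out = list(HEADER)
    for line in unfold(olc_ldif):
        name, sep, value = line.partition(":")
        new_name = RENAME.get(name.strip().lower())
        if not sep or new_name is None:
            continue  # comments, blanks, and the olc entry's dn/cn/objectClass
        if value.startswith(":"):  # "::" marks a base64-encoded value
            value = base64.b64decode(value[1:]).decode("utf-8")
        value = re.sub(r"^\{\d+\}", "", value.strip())  # drop {N} ordering prefix
        value = " ".join(value.split())  # single line, single spaces
        if not (value.startswith("(") and value.endswith(")")):
            raise ValueError("not a schema definition: " + value[:40])
        out.append(new_name + ": " + value)
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    print(convert(SAMPLE), end="")
```

The output is meant for a file in /etc/dirsrv/slapd-INSTANCE/schema/, as in the first post, followed by a service restart.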
