How to setup Kopano with FreeIPA LDAP backend
burgessja last edited by
I have successfully deployed Kopano using FreeIPA as the LDAP/Authentication backend, with a few changes to the normal Kopano install process. I changed “olcAttributeTypes” to “attributetypes” and “olcObjectClasses” to “objectclasses” in the example ldif file. I also changed the dn of the schema to the correct location for 389ds (i think):
dn: cn=schema objectclass: top objectclass: ldapSubentry objectclass: subschema
This is the file I ended up using: https://pastebin.com/TA7GRUkD Lastly, instead of using ldapadd or ldapmodify, I placed the kopano99.ldif file in /etc/dirsrv/slapd-INSTANCE/schema/ and restarted the service.
As it stands now, I can see all the new objectclasses and attributes in the schema, and Kopano seems to be reading them correctly. To get Postfix to read the correct addresses/groups/aliases, use the Active Directory style configuration in your /etc/postfix/ldap*.cf config files (as seen in the wiki). Ex ldap-users.cf:
server_host = ldap://_server_ search_base = cn=users,cn=accounts,dc=base,dc=domain,dc=com version = 3 scope = sub bind = yes bind_dn = uid=binduser,cn=users,cn=accounts,dc=base,dc=domain,dc=com bind_pw = binduserpass #query_filter = (uid=%s) query_filter = (&(objectClass=posixaccount)(mail=%s)) result_attribute = mail
The default user objectclasses, like “kopano-user” can be added in the FreeIPA web UI, under IPA Server -> Configuration. For the rest of the objectclasses and attribute types, I use phpLDAPAdmin to manage the accounts after they have been created in FreeIPA. It’s important that the accounts are first created in FreeIPA, so that the appropriate attributes are created.
Eventually, I would like to create a Web UI and CLI plugin for FreeIPA that would allow for the editing of these attributes and objectclasses directly within the FreeIPA Web UI and console.
markb last edited by markb
AFAIK running the commands below is all required to include all the kopano attributes in ds389 server.
curl https://fedorapeople.org/groups/389ds//binaries/ol-schema-migrate.pl > ol-schema-migrate.pl perl ol-schema-migrate.pl -b /usr/share/doc/kopano/kopano.schema > /etc/dirsrv/slapd-FREEIPA-KOPANO-LAN/schema/61kopano.ldif chown dirsrv.dirsrv /etc/dirsrv/slapd-FREEIPA-KOPANO-LAN/schema/61kopano.ldif systemctl restart ipa
Why are you doing additional changes ?
burgessja last edited by
I was unable to get the ol-schema-migrate.pl script to work in my case, it seemed like the syntax for 389ds had changed since that script was written, but that was just a guess. The script ran fine, but 389ds complained about invalid characters and spacing. In my case, I effectively just did all the steps from the script manually.
The changes that I made to the postfix config files may have only been a requirement of FreeIPA., not 389ds. Without the bind username and password, Postfix was unable to find the user accounts.