How to setup Kopano with FreeIPA LDAP backend

I have successfully deployed Kopano using FreeIPA as the LDAP/Authentication backend, with a few changes to the normal Kopano install process. I changed “olcAttributeTypes” to “attributetypes” and “olcObjectClasses” to “objectclasses” in the example ldif file. I also changed the dn of the schema to the correct location for 389ds (I think):

dn: cn=schema
objectclass: top
objectclass: ldapSubentry
objectclass: subschema

This is the file I ended up using: https://pastebin.com/TA7GRUkD Lastly, instead of using ldapadd or ldapmodify, I placed the kopano99.ldif file in /etc/dirsrv/slapd-INSTANCE/schema/ and restarted the service.

As it stands now, I can see all the new objectclasses and attributes in the schema, and Kopano seems to be reading them correctly. To get Postfix to read the correct addresses/groups/aliases, use the Active Directory style configuration in your /etc/postfix/ldap*.cf config files (as seen in the wiki), e.g. ldap-users.cf:

server_host = ldap://_server_
search_base = cn=users,cn=accounts,dc=base,dc=domain,dc=com
version = 3
scope = sub
bind = yes
bind_dn = uid=binduser,cn=users,cn=accounts,dc=base,dc=domain,dc=com
bind_pw = binduserpass
#query_filter = (uid=%s)
query_filter = (&(objectClass=posixaccount)(mail=%s))
result_attribute = mail

The default user objectclasses, like “kopano-user” can be added in the FreeIPA web UI, under IPA Server -> Configuration. For the rest of the objectclasses and attribute types, I use phpLDAPAdmin to manage the accounts after they have been created in FreeIPA. It’s important that the accounts are first created in FreeIPA, so that the appropriate attributes are created.

Eventually, I would like to create a Web UI and CLI plugin for FreeIPA that would allow for the editing of these attributes and objectclasses directly within the FreeIPA Web UI and console.
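The three manual edits described above (renaming olcAttributeTypes and olcObjectClasses, and replacing the cn=config dn with the 389ds cn=schema subschema entry) can be done mechanically. The script below is an added example and is not code from the post, from Kopano or from FreeIPA; the sample schema entry, its OIDs (the 1.3.6.1.4.1.99999 arc is a placeholder) and the attribute names it defines are constructed for the example and only resemble the real Kopano schema. It also rejects a definition whose value is not a complete parenthesised description, which is the kind of line 389ds refuses with "invalid characters and spacing" style errors.

```python
"""Convert an OpenLDAP cn=config style schema LDIF into the layout 389 Directory
Server (FreeIPA) expects in /etc/dirsrv/slapd-INSTANCE/schema/NNname.ldif.

Added example, not the forum author's or the Kopano project's own code. It
performs the edits the post describes by hand:
  olcAttributeTypes -> attributetypes
  olcObjectClasses  -> objectclasses
  dn: cn={N}name,cn=schema,cn=config -> the 389ds cn=schema subschema header
"""

# Constructed sample in OpenLDAP olc format. OIDs under 1.3.6.1.4.1.99999 are
# placeholders; they are NOT Kopano's real OIDs.
SAMPLE_OLC = """\
dn: cn={99}kopano,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: {99}kopano
olcAttributeTypes: ( 1.3.6.1.4.1.99999.1.1 NAME 'kopanoQuotaOverride'
  DESC 'constructed example attribute' EQUALITY booleanMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
olcObjectClasses: ( 1.3.6.1.4.1.99999.2.1 NAME 'kopano-user'
  DESC 'constructed example class' SUP top AUXILIARY
  MAY ( kopanoQuotaOverride ) )
"""

# The subschema entry header 389ds uses (same four lines as in the post).
HEADER_389DS = [
    "dn: cn=schema",
    "objectclass: top",
    "objectclass: ldapSubentry",
    "objectclass: subschema",
]

# olc attribute name (lower-cased) -> 389ds attribute name
ATTR_RENAMES = {
    "olcattributetypes": "attributetypes",
    "olcobjectclasses": "objectclasses",
}

# Entry-level lines of the olc entry that the 389ds header replaces.
DROP_ATTRS = {"dn", "objectclass", "cn"}


def unfold_ldif(text):
    """Join LDIF continuation lines (those starting with one space) into
    single logical lines, as RFC 2849 folding requires."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def convert_schema(olc_text):
    """Return the 389ds schema LDIF text for an olc-style schema entry.

    Raises ValueError on lines that are not attribute/objectclass definitions
    or whose description is not a complete '( ... )' block."""
    out = list(HEADER_389DS)
    for line in unfold_ldif(olc_text):
        if not line.strip() or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"not an LDIF attribute line: {line!r}")
        key = name.strip().lower()
        if key in DROP_ATTRS:
            continue
        if key not in ATTR_RENAMES:
            raise ValueError(f"unexpected attribute in schema entry: {name}")
        body = value.strip()
        # 389ds wants one complete parenthesised description per definition;
        # a truncated or badly folded value would be rejected at startup.
        if not (body.startswith("(") and body.endswith(")")):
            raise ValueError(f"malformed schema description: {body!r}")
        out.append(f"{ATTR_RENAMES[key]}: {body}")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # Redirect to /etc/dirsrv/slapd-INSTANCE/schema/99kopano.ldif (owned by
    # dirsrv), then restart the directory service and check its errors log.
    print(convert_schema(SAMPLE_OLC), end="")
```

Run it against the real olc file (`python3 convert.py < kopano.ldif > 99kopano.ldif`, after swapping `SAMPLE_OLC` for `sys.stdin.read()`), give the output file the numeric prefix and dirsrv ownership the schema directory expects, and read the instance's errors log after the restart: a schema file 389ds rejects is logged there, whereas a silently ignored one leaves the Kopano objectclasses missing and every later LDAP write with them fails.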

@burgessja

Hi,
AFAIK running the commands below is all that is required to include all the kopano attributes in the 389ds server.

curl https://fedorapeople.org/groups/389ds//binaries/ol-schema-migrate.pl > ol-schema-migrate.pl
perl ol-schema-migrate.pl -b /usr/share/doc/kopano/kopano.schema  > /etc/dirsrv/slapd-FREEIPA-KOPANO-LAN/schema/61kopano.ldif
chown dirsrv.dirsrv /etc/dirsrv/slapd-FREEIPA-KOPANO-LAN/schema/61kopano.ldif
systemctl restart ipa

Why are you doing additional changes?

Kind regards,

Markb

I was unable to get the ol-schema-migrate.pl script to work in my case, it seemed like the syntax for 389ds had changed since that script was written, but that was just a guess. The script ran fine, but 389ds complained about invalid characters and spacing. In my case, I effectively just did all the steps from the script manually.

The changes that I made to the postfix config files may have only been a requirement of FreeIPA, not 389ds. Without the bind username and password, Postfix was unable to find the user accounts.
