Server + WebMail and Directory Services

Stewart -

PROBLEM
I'm not sure how to install and set up Atmail Server + WebMail to use directory services for authentication.

ENVIRONMENT

  • On-Premise Server + WebMail Installations: Current Version

CAUSE
Atmail has not yet been installed and set up to use directory services for authentication.

RESOLUTION

Atmail with OpenLDAP

LDAP is a powerful directory access protocol that you can use to authenticate your users. With LDAP, you can centralize your authentication needs; most LDAP clients need only the hostname and the base DN of the LDAP server to authenticate against it.

This guide covers the steps that will help you set up your own LDAP server for use with Atmail.

With LDAP authentication configured, you must also define your local domains (using WebAdmin); otherwise all logins are treated as remote and the LDAP server is not contacted for them (remote logins are authenticated against the remote IMAP server). Once a local-domain user has been validated by the LDAP server, the local IMAP user is created if it does not already exist.

Installing OpenLDAP

Installing LDAP is an easy process on Linux machines that have access to modern package managers. Use the package manager suited to your installation. For this example, we will use CentOS 5.3:

yum install openldap openldap-servers openldap-devel openldap-clients

Setting up OpenLDAP

You will need to configure the LDAP server to suit your needs. This is done by editing /etc/openldap/slapd.conf and adding the following values:

database        bdb
suffix          "dc=domain,dc=com"
rootdn          "cn=Manager,dc=domain,dc=com"
rootpw          secret

Alter the values to your liking. The suffix definition sets your base distinguished name; this should be derived from your domain name. For example, a domain called atmail.com will have the following DN:

suffix             "dc=atmail,dc=com"

The rootdn definition names the user that you want to use as the administrator. This user has access to all entries, without restrictions. The entry is set by defining the Common Name (cn), followed by your previously defined base DN.

Using the example above, if you want a root DN called "Administrator", it will take this format:

rootdn        "cn=Administrator,dc=atmail,dc=com"

The rootpw definition is your root DN's password. Here it is given in plaintext; slapd also accepts a hashed value generated with slappasswd, as shown in the CentOS 6+ section below.

Afterwards, you can start your LDAP server:

service slapd start
/sbin/chkconfig slapd on

Adding the base LDAP tree

Now, you will need to set up the basic LDAP tree. This will be the framework that you will use for adding users in the future.

Create a file in the /tmp/ directory called ldapusers.ldif. In the file, place your desired entry in the following format:

dn: dc=domain,dc=com
objectclass: dcObject
objectclass: organization
o: Domain
dc: domain

dn: cn=Manager,dc=domain,dc=com
objectclass: organizationalRole
cn: Manager

Following the previous examples, the atmail.com entry would look like:

dn: dc=atmail,dc=com
objectclass: dcObject
objectclass: organization
o: Atmail
dc: atmail

dn: cn=Administrator,dc=atmail,dc=com
objectclass: organizationalRole
cn: Administrator

You can then add the ldif file via this command in the terminal:

ldapadd -x -W -D "cn=Administrator,dc=atmail,dc=com" -f /tmp/ldapusers.ldif

This will create the Administrator entry and the framework for future users.

Adding users to the LDAP Server

Now, you can add users to your LDAP server. Create a file called /tmp/importusers.ldif and place the following inside:

dn: cn=james.duncan@atmail.com,dc=atmail,dc=com
objectclass: inetorgperson
cn: james.duncan@atmail.com
sn: Duncan
userPassword: mypass
uid: james.duncan@atmail.com

dn: cn=mik.duncan@atmail.com,dc=atmail,dc=com
objectclass: inetorgperson
cn: mik.duncan@atmail.com
sn: Duncan
userPassword: princess
uid: mik.duncan@atmail.com

Add the users via the terminal:

ldapadd -x -W -D "cn=Administrator,dc=atmail,dc=com" -f /tmp/importusers.ldif
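As an added illustration (this is not code from Atmail or from this article; the function names are my own), the following Python builds the same LDIF entries from a domain name: one dc= component per DNS label for the base DN, the dcObject/organization root, the administrator organizationalRole, and inetOrgPerson user entries keyed by e-mail address as above. It also base64-encodes any value LDIF cannot carry literally (a leading space, colon or "<", non-ASCII or control characters), which is a common reason for ldapadd rejecting a hand-written file. It assumes e-mail addresses without DN-special characters such as commas.

```python
import base64


def domain_to_base_dn(domain: str) -> str:
    """'atmail.com' -> 'dc=atmail,dc=com': one dc= component per DNS label."""
    labels = [part for part in domain.strip().lower().split(".") if part]
    if not labels:
        raise ValueError("domain must have at least one label")
    return ",".join(f"dc={label}" for label in labels)


def ldif_line(attr: str, value: str) -> str:
    """Format one attribute line, base64-encoding values LDIF cannot carry literally.

    RFC 2849 does not allow a literal value that starts with a space, ':' or '<',
    or that contains non-ASCII, NUL, CR or LF; such values are written as 'attr:: b64'.
    """
    needs_b64 = value[:1] in (" ", ":", "<") or any(
        ord(ch) > 127 or ch in "\0\r\n" for ch in value
    )
    if needs_b64:
        encoded = base64.b64encode(value.encode("utf-8")).decode("ascii")
        return f"{attr}:: {encoded}"
    return f"{attr}: {value}"


def base_tree_ldif(domain: str, org_name: str, admin_cn: str = "Administrator") -> str:
    """The dcObject/organization root plus the administrator organizationalRole."""
    base_dn = domain_to_base_dn(domain)
    first_label = base_dn.split(",", 1)[0][len("dc="):]
    root = [
        ldif_line("dn", base_dn),
        "objectclass: dcObject",
        "objectclass: organization",
        ldif_line("o", org_name),
        ldif_line("dc", first_label),
    ]
    admin = [
        ldif_line("dn", f"cn={admin_cn},{base_dn}"),
        "objectclass: organizationalRole",
        ldif_line("cn", admin_cn),
    ]
    # Entries are separated by exactly one empty line; a line holding only a
    # space would be read as a continuation of the previous attribute instead.
    return "\n".join(root) + "\n\n" + "\n".join(admin) + "\n"


def user_entry_ldif(domain: str, email: str, surname: str, password: str) -> str:
    """One inetOrgPerson entry keyed by the full e-mail address (assumed DN-safe)."""
    base_dn = domain_to_base_dn(domain)
    lines = [
        ldif_line("dn", f"cn={email},{base_dn}"),
        "objectclass: inetorgperson",
        ldif_line("cn", email),
        ldif_line("sn", surname),
        ldif_line("userPassword", password),
        ldif_line("uid", email),
    ]
    return "\n".join(lines) + "\n"


def users_ldif(domain: str, users) -> str:
    """Join (email, surname, password) tuples into one import file."""
    return "\n".join(user_entry_ldif(domain, *user) for user in users)


if __name__ == "__main__":
    # Constructed sample input matching the entries used on this page.
    print(base_tree_ldif("atmail.com", "Atmail"))
    print(users_ldif("atmail.com", [
        ("james.duncan@atmail.com", "Duncan", "mypass"),
        ("mik.duncan@atmail.com", "Duncan", "princess"),
    ]))
```

Write the two outputs to /tmp/ldapusers.ldif and /tmp/importusers.ldif and feed them to the ldapadd commands shown above.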

Querying the LDAP Server

To test if your users are available via an LDAP query, try this command via the terminal:

ldapsearch -x -b 'cn=mik.duncan@atmail.com,dc=atmail,dc=com' '(objectclass=*)' cn

The output of this should be similar to:

dn: cn=mik.duncan@atmail.com,dc=atmail,dc=com
cn: mik.duncan@atmail.com

LDAP and Atmail

You can now setup Atmail so that it authenticates via your LDAP server.

Atmail requires user authentication binds (binding to the LDAP server as the user who is logging in); please ensure these work on your server.

To do this, log in to your WebAdmin panel. Go to Security > Authentication. Toggle the dropdown box marked "Authentication Type", and set it to "LDAP".

After turning it on, set your desired settings, as per the following screenshot:

The settings are explained below:

LDAP Host - The hostname of your LDAP Server. In the example above, this is "127.0.0.1".

LDAP Base DN - The DN you specified before in the slapd.conf file. For our example, this is: dc=atmail,dc=com

Bind Authentication DN - Specifies the DN format used for authentication. Default for OpenLDAP is cn=%u,dc=domain,dc=org. For our example, this is: cn=%u,dc=atmail,dc=com.

Save your changes afterwards.

Adding new domain

You need to add your new email domain to the Atmail server. Log in to the WebAdmin, click the "New Domain" button and enter the DNS name of the domain you'd like to add. The domain's MX record must point to the Atmail server before mail will be received.

Each domain that will authenticate via LDAP must have the local domain defined in the WebAdmin.

Logging in

You can now log in via LDAP. Open up your browser and go to http://yourhost/mail/index.php, replacing "yourhost" with the IP address of your server. For this example, we'll use http://192.168.0.2/mail/index.php

Log in with the user you added in the ldif import:

This will then authenticate via LDAP, and create the user entries in MySQL. Congratulations.

Atmail with OpenLDAP and CentOS 6+

LDAP is a powerful directory access protocol that you can use to authenticate your users. With LDAP, you can centralize your authentication needs; most LDAP clients need only the hostname and the base directory name of the LDAP server to make it authenticate.

This guide covers the steps that will help you set up your own LDAP server for use with Atmail.

With LDAP authentication configured, you must also define your local domains (using WebAdmin); otherwise all logins are treated as remote and the LDAP server is not contacted for them (remote logins are authenticated against the remote IMAP server). Once a local-domain user has been validated by the LDAP server, the local IMAP user is created if it does not already exist.

Install the OpenLDAP server

yum install openldap-servers

Generate/Locate SSL certs

Generate a certificate and key if needed; otherwise locate your existing ones, as their paths are referenced in the next steps.

openssl req -new -x509 -nodes -out /etc/pki/tls/certs/main1_cert.pem -keyout /etc/pki/tls/certs/main1_key.pem -days 365
# slapd runs as the ldap user, so both the certificate and the private key must be readable by the ldap group
chown root:ldap /etc/pki/tls/certs/main1_cert.pem /etc/pki/tls/certs/main1_key.pem
chmod 750 /etc/pki/tls/certs/main1_key.pem

Encrypted password

If you would rather not store a plaintext password (such as the example "password") in the configuration, generate a hashed value with:

slappasswd

For example, slappasswd run with the password "example" generated {SSHA}R6zJBEcX1ltYDwbWkqYZ8GrrUFQZbKyN; use the hash it prints for your own password in place of the plaintext "password" in the olcRootPW line below.
Be very careful to remove any trailing spaces and line breaks from the end of the hash when pasting it into the file, otherwise using it may fail.


nano -w /etc/openldap/slapd.d/cn=config/olcDatabase={2}bdb.ldif
# Replace references to my-domain.com with your-domain.com
# Add these 3 lines at the end (removing the #)
# olcRootPW: password
# olcTLSCertificateFile: /etc/pki/tls/certs/main1_cert.pem
# olcTLSCertificateKeyFile: /etc/pki/tls/certs/main1_key.pem

nano -w /etc/openldap/slapd.d/cn=config/olcDatabase={1}monitor.ldif
# Replace references to my-domain.com with your-domain.com. If using vim editor you can use similar:
# :%s/cn=manager,dc=my-domain,dc=com/cn=Manager,dc=your-domain,dc=com/g

# Copy sample DB config
cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
chown -Rf ldap:ldap /var/lib/ldap/

# Enable LDAPS if desired
nano -w /etc/sysconfig/ldap
# change to: SLAPD_LDAPS=yes

# Test base configuration
slaptest -u
# You should at least see:  "config file testing succeeded"

service slapd start

nano -w /etc/openldap/ldap.conf
# Add these 3 lines at the end (removing the #)
# TLS_CACERT /etc/pki/tls/certs/main1_cert.pem
# URI ldap://127.0.0.1
# BASE dc=your-domain,dc=com

# You should be able to initiate a search now
ldapsearch -x -b "dc=your-domain,dc=com"
# you should see at least:
# # search result
# search: 2

# Now create the basic organisational configuration files

nano -w /etc/openldap/schema/base.ldif
Insert:

dn: dc=your-domain,dc=com
dc: your-domain
objectClass: top
objectClass: domain

dn: ou=People,dc=your-domain,dc=com
ou: People
objectClass: top
objectClass: organizationalUnit

dn: ou=Group,dc=your-domain,dc=com
ou: Group
objectClass: top
objectClass: organizationalUnit

nano /etc/openldap/schema/group.ldif
Insert:

dn: cn=group1,ou=Group,dc=your-domain,dc=com
objectClass: posixGroup
objectClass: top
cn: Group One
userPassword: password
gidNumber: 1000


nano /etc/openldap/schema/people.ldif
Insert:

dn: uid=user1,ou=People,dc=your-domain,dc=com
uid: user1
cn: User One
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: password
shadowLastChange: 15140
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 1000
gidNumber: 1000
homeDirectory: /home/user1

ldapadd -x -W -D "cn=Manager,dc=your-domain,dc=com" -f /etc/openldap/schema/base.ldif
ldapadd -x -W -D "cn=Manager,dc=your-domain,dc=com" -f /etc/openldap/schema/group.ldif
ldapadd -x -W -D "cn=Manager,dc=your-domain,dc=com" -f /etc/openldap/schema/people.ldif

# Searching should now yield results
ldapsearch -x -b "dc=your-domain,dc=com"

Atmail and Active Directory

Active Directory is another great directory access server. It is most commonly packaged with the Microsoft Exchange Server, and is widely used for centralized authentication across platforms. This guide covers the steps you need to create your users via the Active Directory service.

Creating Users

First, open up the Active Directory Users And Computers. This can be found via your Start Menu > Programs > Microsoft Exchange > Active Directory Users and Computers.

After opening the window, click to expand your domain. For this example, we will use atmailexchange.lan. Select Users.

Click on the New User icon at the top right of your window. This is marked by an icon of a single person. This will open up the New Object - User window. Fill the fields accordingly. Note that the User logon name will be the account name the user will login as.

Fill in the required password fields. Make sure the user is NOT required to change his or her password at the next logon; this is the first checkbox in the window.

For this example, since the mailboxes will be stored under Atmail, we will not create an Exchange mailbox.

Finish creating the account.

Querying the AD Server

To test authentication, you can use any directory access client. For this example, we will use the Linux ldapsearch utility. The format for the command is as follows:

ldapsearch -x -LLL -E pr=200/noprompt -h [Active Directory Host] -D "[Active Directory User]" -W  -b "[Active Directory Search Base]" -s sub "(cn=*)"  cn

This searches the cn value for the user. For the example user above, Mikaela Duncan, the command would be:

ldapsearch -x -LLL -E pr=200/noprompt -h 192.168.0.139 -D "mik.duncan@atmailexchange.lan" -W  -b "cn=Mikaela Duncan,cn=users,dc=atmailexchange,dc=lan" -s sub "(cn=*)"

The output should be similar to:

Active Directory and Atmail

You can now set up Atmail so that it authenticates via your Active Directory server, which it treats as an LDAP server. To do this, log in to your WebAdmin panel. Go to Security > Authentication. Toggle the dropdown box marked "Authentication Type", and set it to "LDAP".

After turning it on, set your desired settings as per the following screenshot:

The settings are explained below:

LDAP Host - The hostname of your LDAP Server. In the example above, this is 192.168.0.139.

LDAP Base DN - The base DN of your Active Directory domain. For our example, this is: dc=atmailexchange,dc=lan.

Bind Authentication DN - Specifies the DN format used for authentication. Default for AD is %u. For our example, this is: %u.

Save your changes afterwards.

Adding new domain

You need to add your new email domain to the Atmail server. Log in to the WebAdmin, click the "New Domain" button and enter the DNS name of the domain you'd like to add. The domain's MX record must point to the Atmail server before mail will be received.

Each domain that will authenticate via LDAP must have the local domain defined in the Webadmin.

http://atmail.com/videos/movs/adding-a-domain.mov

Logging in

You can now log in via Active Directory. Open up your browser and go to http://yourhost/mail/index.php, replacing "yourhost" with the IP address of your server. For this example, we'll use http://192.168.0.2/mail/index.php

Log in with the user you added via Active Directory:

This will then authenticate via Active Directory and create the user entries in MySQL.

Atmail and Other LDAP servers

To get LDAP authentication working against other LDAP servers, try the following procedure:

Edit atmail/webmail/library/Atmail/Exim_Config.php

around line 1424 change:

pass_filter = (&(objectClass={$configDovecot['ldap_passfilter']})(uid=%n))
user_filter = (&(objectClass={$configDovecot['ldap_passfilter']})(uid=%n))

to read:

pass_filter = {$configDovecot['ldap_passfilter']}
user_filter = {$configDovecot['ldap_passfilter']}

This will give you more control over how the filter is compiled.

Now go into Webadmin > Settings > Global.

You can try one of the following two methods:

  • Bind as a user with rights to query for any user credentials

    Set most of the fields up as normal with the exception of the following:

    Set LDAP Bind DN to a user with admin/manager rights to query against all users
    Set LDAP Password Filter to: (cn=%n)
    Set Bind Authentication to: off

    Leave Bind Authentication DN empty
  • Query the LDAP server as the user trying to log in

    Set LDAP Password Filter to match a specific user, e.g. CN=%n,OU=CUSTOMER,DC=domain,DC=com
    Set Bind Authentication to: on
    Leave LDAP Bind DN empty
    Leave LDAP Bind Pass empty

    Set Bind Authentication to: cn=%n

    i.e. %n if your LDAP server expects the first part of the email address, or %u for the full email address.

    Your mileage may vary; success depends mostly on accurately composing the filters for your specific LDAP server setup.

    The exact authentication string depends on how your LDAP server is set up.

    e.g. CN=usernameHere,OU=organizationalUnitHere,DC=domainComponentHere,DC=domainComponentHere
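To make the %u and %n placeholders used in the Bind Authentication DN and LDAP Password Filter fields concrete, here is an added Python example (not Atmail's code; the function names are my own). It expands a DN template such as cn=%u,dc=atmail,dc=com or CN=%n,OU=CUSTOMER,DC=domain,DC=com and a filter template such as (cn=%n) for a given login, and, because the login is user-supplied, escapes it with the DN rules of RFC 4514 and the filter rules of RFC 4515 so that a login containing "," or "*)(" cannot change the structure of the DN or filter sent to the server. Whether Atmail itself applies this escaping is not stated on this page.

```python
import re

_DN_SPECIAL = set('\\,+"<>;=')
_FILTER_SPECIAL = set("\\*()\0")


def dn_escape(value: str) -> str:
    """Escape a string for use as an attribute value inside a DN (RFC 4514)."""
    out = []
    for ch in value:
        if ch in _DN_SPECIAL:
            out.append("\\" + ch)
        elif ch == "\0":
            out.append("\\00")
        else:
            out.append(ch)
    escaped = "".join(out)
    # A trailing space and a leading space or '#' also need escaping.
    if value.endswith(" "):
        escaped = escaped[:-1] + "\\ "
    if value[:1] in ("#", " ") and value != " ":
        escaped = "\\" + escaped
    return escaped


def filter_escape(value: str) -> str:
    """Escape a string for use as an assertion value inside a search filter (RFC 4515)."""
    return "".join(f"\\{ord(ch):02x}" if ch in _FILTER_SPECIAL else ch for ch in value)


def expand_template(template: str, login: str, escape) -> str:
    """Replace %u with the full login and %n with the part before '@', escaping each.

    A single regex pass is used so that an escaped value containing the text
    '%n' is never re-substituted.
    """
    local_part = login.split("@", 1)[0]
    values = {"%u": login, "%n": local_part}
    return re.sub(r"%[un]", lambda m: escape(values[m.group(0)]), template)


def bind_dn(template: str, login: str) -> str:
    """Fill the Bind Authentication DN template for a login."""
    return expand_template(template, login, dn_escape)


def password_filter(template: str, login: str) -> str:
    """Fill the LDAP Password Filter template for a login."""
    return expand_template(template, login, filter_escape)


if __name__ == "__main__":
    # Constructed sample logins covering the OpenLDAP, AD and 'other server' cases above.
    print(bind_dn("cn=%u,dc=atmail,dc=com", "mik.duncan@atmail.com"))
    print(bind_dn("%u", "mik.duncan@atmailexchange.lan"))
    print(bind_dn("CN=%n,OU=CUSTOMER,DC=domain,DC=com", "user1@domain.com"))
    print(password_filter("(cn=%n)", "mik.duncan@atmail.com"))
    # A hostile login is neutralised rather than rewriting the filter:
    print(password_filter("(cn=%n)", "*)(uid=*"))
    print(bind_dn("cn=%u,dc=atmail,dc=com", "x,dc=evil"))
```

The last two calls show the defensive point: without escaping, "x,dc=evil" would add an extra RDN to the bind DN and "*)(uid=*" would turn a single-user filter into a wildcard match; with escaping both remain literal values that simply fail to match.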

 

 
