Zarafa-dynamicgroup and Postfix

From Zarafa wiki

Introduction

This article describes how to integrate zarafa-dynamicgroup objects (from the Zarafa OpenLDAP schema) with Postfix.
Postfix cannot evaluate the zarafaFilter attribute, so to make this kind of group work with Postfix you need a trick that OpenLDAP makes available.
I'm not working with Active Directory, but I think the same trick could be available there (if needed).

Tested on

  • OpenLDAP 2.4.23 (new style configuration with hdb as database)

Method

Since Postfix cannot resolve zarafaFilter, OpenLDAP resolves the membership itself with the dynlist overlay, and Postfix only reads the result.

Pros & Cons

  • It works!
  • It doesn't need much configuration.
  • You'll need to add the labeledURIObject objectClass and a labeledURI attribute on every zarafa-dynamicgroup.
  • The labeledURI repeats the content of zarafaFilter, so it is a "redundant" field that must be kept in sync.

Setup

OpenLDAP

Enabling dynlist module

You'll need to activate the dynlist module (dynlist.so must be available in your module directory).

Create an EnableModule.ldif file:

dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: dynlist

Then apply it. Typical command:

$ ldapmodify -Y EXTERNAL -H ldapi:/// -f EnableModule.ldif

Add the overlay to your LDAP database

You need to activate the overlay on your database. To do that, create EnableDynListHDB.ldif. In this file, you need to provide:

  • The right dn. Replace [Database Number] with the index of your database (the N in olcDatabase={N}hdb under cn=config):
dn: olcOverlay=dynlist,olcDatabase={[Database Number]}hdb,cn=config
  • The objectClasses:
objectClass: olcOverlayConfig
objectClass: olcDynamicList
  • The olcDlAttrSet directive

This directive takes two required values and one optional value:

  1. The objectClass of the entries to expand.
  2. The attribute that holds the search URI.
  3. (Optional) The attribute in which to return the DNs of the matching entries. Without it, the attributes named in the search URI are merged into the entry instead of the DNs.
olcDlAttrSet: objectClass SearchAttribute ReturnMember

Typical EnableDynListHDB.ldif

dn: olcOverlay=dynlist,olcDatabase={1}hdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcDynamicList
olcDlAttrSet: labeledURIObject labeledURI member

Then apply it:

$ ldapadd -Y EXTERNAL -H ldapi:/// -f EnableDynListHDB.ldif

How to use

On your groups, add objectClass: labeledURIObject, then add the attribute:

labeledURI: ldap:///[Base]?[Attribute To Resolve]?[Scope]?([content of zarafaFilter])
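Because the labeledURI repeats the zarafaFilter, the two can silently drift apart after a group is edited, and Zarafa and Postfix would then disagree on who is in the group. The following is an added Python example (not from the Zarafa wiki, Zarafa or OpenLDAP) that builds the labeledURI for a group from its zarafaFilter and audits group entries for the conditions dynlist needs (objectClass labeledURIObject present, a labeledURI present, its filter equal to zarafaFilter). The groups are constructed in-memory dicts mirroring the page's example tree, and the helper names (build_labeled_uri, parse_labeled_uri, check_group, audit) are assumptions of this example; nothing connects to a directory.

```python
"""Build and audit the labeledURI that dynlist needs on a zarafa-dynamicgroup.

Added example, not from the Zarafa wiki or from Zarafa/OpenLDAP. Group entries
are plain dicts of attribute -> list of values (as in an LDIF export); nothing
talks to a real directory.
"""
from urllib.parse import unquote

# Constructed: same users container as the page's example.
USERS_BASE = "cn=users,ou=mail,dc=mycompany,dc=be"


def build_labeled_uri(base, attribute, scope, zarafa_filter):
    """Return ldap:///[Base]?[Attribute To Resolve]?[Scope]?([filter]) for a zarafaFilter."""
    if scope not in ("base", "one", "sub"):
        raise ValueError(f"unknown scope {scope!r}")
    if not (zarafa_filter.startswith("(") and zarafa_filter.endswith(")")):
        raise ValueError("zarafaFilter must be a parenthesised LDAP filter")
    return f"ldap:///{base}?{attribute}?{scope}?{zarafa_filter}"


def parse_labeled_uri(uri):
    """Split a local ldap:/// URI (RFC 4516 layout) into (base, attributes, scope, filter)."""
    if not uri.startswith("ldap:///"):
        raise ValueError(f"expected a local ldap:/// URI, got {uri!r}")
    fields = uri[len("ldap:///"):].split("?", 3)
    fields += [""] * (4 - len(fields))            # absent trailing fields default to empty
    base, attrs, scope, ldap_filter = fields
    return (unquote(base),
            [a for a in attrs.split(",") if a],
            scope or "base",                       # RFC 4516 default scope
            unquote(ldap_filter) or "(objectClass=*)")  # RFC 4516 default filter


def check_group(entry):
    """List the problems that would make dynlist skip or mis-expand one group entry."""
    problems = []
    classes = entry.get("objectClass", [])
    if "zarafa-dynamicgroup" not in classes:
        return problems                            # static groups need no labeledURI
    if "labeledURIObject" not in classes:
        problems.append("missing objectClass labeledURIObject: dynlist ignores the entry")
    uris = entry.get("labeledURI", [])
    filters = entry.get("zarafaFilter", [])
    if not uris:
        problems.append("missing labeledURI: Postfix will see no members")
    if len(filters) != 1:
        problems.append(f"expected exactly one zarafaFilter, found {len(filters)}")
    for uri in uris:
        try:
            _base, attrs, _scope, uri_filter = parse_labeled_uri(uri)
        except ValueError as exc:
            problems.append(f"unparseable labeledURI: {exc}")
            continue
        if not attrs:
            problems.append("labeledURI names no attribute to resolve")
        if filters and uri_filter != filters[0]:
            problems.append(f"labeledURI filter {uri_filter!r} differs from zarafaFilter {filters[0]!r}")
    return problems


def audit(groups):
    """Map each group DN to its problems, keeping only groups that have any."""
    report = {}
    for dn, entry in groups.items():
        found = check_group(entry)
        if found:
            report[dn] = found
    return report


# Constructed sample groups: ICT mirrors the page; Sales and HR show the two common mistakes.
SAMPLE_GROUPS = {
    "cn=ICT,cn=groups,ou=mail,dc=mycompany,dc=be": {
        "objectClass": ["labeledURIObject", "top", "zarafa-dynamicgroup", "zarafa-group"],
        "zarafaFilter": ["(employeeType=ICT)"],
        "labeledURI": [build_labeled_uri(USERS_BASE, "uid", "sub", "(employeeType=ICT)")],
    },
    "cn=Sales,cn=groups,ou=mail,dc=mycompany,dc=be": {           # filter edited, URI not
        "objectClass": ["labeledURIObject", "top", "zarafa-dynamicgroup", "zarafa-group"],
        "zarafaFilter": ["(employeeType=Sales)"],
        "labeledURI": [f"ldap:///{USERS_BASE}?uid?sub?(employeeType=SALES)"],
    },
    "cn=HR,cn=groups,ou=mail,dc=mycompany,dc=be": {              # never converted
        "objectClass": ["top", "zarafa-dynamicgroup", "zarafa-group"],
        "zarafaFilter": ["(employeeType=HR)"],
    },
}

if __name__ == "__main__":
    for dn, problems in audit(SAMPLE_GROUPS).items():
        print(dn)
        for problem in problems:
            print("  -", problem)
```

Run it after every change to a dynamic group, or feed it the output of an LDIF export of cn=groups: a group that appears in the report is one where Zarafa (reading zarafaFilter) and Postfix (reading the dynlist result) will not agree on the membership.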

Example

Returning dn

EnableDynListHDB.ldif

dn: olcOverlay=dynlist,olcDatabase={1}hdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcDynamicList
olcDlAttrSet: labeledURIObject labeledURI member

Group

dn: cn=ICT,cn=groups,ou=mail,dc=mycompany,dc=be
objectClass: labeledURIObject
objectClass: top
objectClass: zarafa-dynamicgroup
objectClass: zarafa-group
cn: ICT
mail: [email protected]
zarafaFilter: (employeeType=ICT)
labeledURI: ldap:///cn=users,ou=mail,dc=mycompany,dc=be?uid?sub?(employeeType=ICT)

Re-read the entry and you'll get:

dn: cn=ICT,cn=groups,ou=mail,dc=mycompany,dc=be
objectClass: labeledURIObject
objectClass: top
objectClass: zarafa-dynamicgroup
objectClass: zarafa-group
cn: ICT
mail: [email protected]
zarafaFilter: (employeeType=ICT)
labeledURI: ldap:///cn=users,ou=mail,dc=mycompany,dc=be?uid?sub?(employeeType=ICT)
member: cn=Robert Fritt,cn=users,ou=mail,dc=mycompany,dc=be
member: cn=Bernard Minot,cn=users,ou=mail,dc=mycompany,dc=be
member: cn=Jean-Pierre Bocri,cn=users,ou=mail,dc=mycompany,dc=be

Returning attribute

EnableDynListHDB.ldif

dn: olcOverlay=dynlist,olcDatabase={1}hdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcDynamicList
olcDlAttrSet: labeledURIObject labeledURI

Group (same)

Re-read the entry and you'll get:

...
zarafaFilter: (employeeType=ICT)
labeledURI: ldap:///cn=users,ou=mail,dc=mycompany,dc=be?uid?sub?(employeeType=ICT)
uid: robertf
uid: bernardm
uid: jeanpierreb

Returning attribute and dn (but two searches are made)

EnableDynListHDB.ldif

dn: olcOverlay=dynlist,olcDatabase={1}hdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcDynamicList
olcDlAttrSet: labeledURIObject labeledURI member
olcDlAttrSet: labeledURIObject labeledURI

Group (same)

Re-read the entry and you'll get:

...
zarafaFilter: (employeeType=ICT)
labeledURI: ldap:///cn=users,ou=mail,dc=mycompany,dc=be?uid?sub?(employeeType=ICT)
member: cn=Robert Fritt,cn=users,ou=mail,dc=mycompany,dc=be
member: cn=Bernard Minot,cn=users,ou=mail,dc=mycompany,dc=be
member: cn=Jean-Pierre Bocri,cn=users,ou=mail,dc=mycompany,dc=be
uid: robertf
uid: bernardm
uid: jeanpierreb

Postfix

For the Postfix configuration, you need to provide two alias_maps: one for users and one for groups. The groups map reads uid from the group entry, so the dynlist overlay must be set up to return the attribute (the "Returning attribute" setup above), not only the member DNs. Both files contain bind_pw, so keep them readable by root only, or reach them through proxy:ldap: so that unprivileged Postfix daemons don't read the password themselves.

Example

ldap-users.cf

server_host = ldap.mycompany.be
server_port = 389
search_base = cn=users,ou=mail,dc=mycompany,dc=be
bind_dn = cn=SomeoneLikeYou,dc=mycompany,dc=be
bind_pw = MyPasswordIsNotWeak
scope = sub
version = 3
query_filter = (|(mail=%s)(zarafaAliases=%s))
result_attribute = uid

ldap-groups.cf

server_host = ldap.mycompany.be
server_port = 389
search_base = cn=groups,ou=mail,dc=mycompany,dc=be
bind_dn = cn=SomeoneLikeYou,dc=mycompany,dc=be
bind_pw = MyPasswordIsNotWeak
scope = sub
version = 3
query_filter = (|(mail=%s)(zarafaAliases=%s))
result_attribute = uid

Postfix test command

$ postmap -q "[email protected]" ldap:/etc/postfix/ldap-groups.cf
result : robertf,bernardm,jeanpierreb

$ postmap -q "[email protected]" ldap:/etc/postfix/ldap-users.cf
result : jeanpierreb
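
To show what the third olcDlAttrSet value changes, and why the groups map above only works with the attribute-returning setup, here is an added Python example (not from the Zarafa wiki, OpenLDAP or Postfix) that replays the three variants from the Example section over a constructed in-memory directory and then answers the two postmap -q lookups. It evaluates only the single (attr=value) equality filter the page's groups use and hand-codes the page's query_filter; the mail addresses (ict@mycompany.be, jp@mycompany.be and the per-user ones), the non-ICT user and the helper names (dynlist_expand, postmap_query, in_scope) are constructed for this example.

```python
"""Replay dynlist's olcDlAttrSet variants and Postfix's ldap lookups in memory.

Added example, not from the Zarafa wiki, OpenLDAP or Postfix. Entries are dicts
of attribute -> list of values; only (attr=value) equality filters are handled
and nothing connects to a real server.
"""

USERS_BASE = "cn=users,ou=mail,dc=mycompany,dc=be"
GROUPS_BASE = "cn=groups,ou=mail,dc=mycompany,dc=be"

# Constructed directory: the page's three ICT users, one non-ICT user, and the ICT group.
DIRECTORY = {
    f"cn=Robert Fritt,{USERS_BASE}": {
        "uid": ["robertf"], "employeeType": ["ICT"], "mail": ["robertf@mycompany.be"]},
    f"cn=Bernard Minot,{USERS_BASE}": {
        "uid": ["bernardm"], "employeeType": ["ICT"], "mail": ["bernardm@mycompany.be"]},
    f"cn=Jean-Pierre Bocri,{USERS_BASE}": {
        "uid": ["jeanpierreb"], "employeeType": ["ICT"], "mail": ["jeanpierreb@mycompany.be"],
        "zarafaAliases": ["jp@mycompany.be"]},
    f"cn=Alice Smith,{USERS_BASE}": {
        "uid": ["alices"], "employeeType": ["Sales"], "mail": ["alices@mycompany.be"]},
    f"cn=ICT,{GROUPS_BASE}": {
        "objectClass": ["labeledURIObject", "top", "zarafa-dynamicgroup", "zarafa-group"],
        "mail": ["ict@mycompany.be"],
        "zarafaFilter": ["(employeeType=ICT)"],
        "labeledURI": [f"ldap:///{USERS_BASE}?uid?sub?(employeeType=ICT)"]},
}

# The three olcDlAttrSet setups from the page: (group objectClass, URI attribute, member attribute or None).
RETURN_DN = [("labeledURIObject", "labeledURI", "member")]
RETURN_ATTRIBUTE = [("labeledURIObject", "labeledURI", None)]
RETURN_BOTH = RETURN_DN + RETURN_ATTRIBUTE


def matches_equality_filter(entry, ldap_filter):
    """Evaluate a single (attr=value) filter, the only form the page's groups use."""
    if not (ldap_filter.startswith("(") and ldap_filter.endswith(")") and "=" in ldap_filter):
        raise ValueError(f"unsupported filter {ldap_filter!r}")
    attr, value = ldap_filter[1:-1].split("=", 1)
    return value in entry.get(attr, [])


def in_scope(dn, base, scope):
    """Scope test on string DNs: 'sub' is anything below base, 'one' only direct children."""
    if scope == "base":
        return dn == base
    if not dn.endswith("," + base):
        return False
    return scope == "sub" or "," not in dn[:-len(base) - 1]


def dynlist_expand(directory, group_dn, attr_sets):
    """Return a copy of one entry with each olcDlAttrSet line applied.

    With a member attribute the DNs of the matches are added there; without
    one, the attributes named in the URI are merged into the entry instead.
    """
    entry = {attr: list(values) for attr, values in directory[group_dn].items()}
    for group_oc, url_attr, member_attr in attr_sets:
        if group_oc not in entry.get("objectClass", []):
            continue                                    # not a dynamic entry, nothing to do
        for uri in directory[group_dn].get(url_attr, []):
            base, attrs, scope, ldap_filter = uri[len("ldap:///"):].split("?", 3)
            wanted = [a for a in attrs.split(",") if a]
            for dn, target in directory.items():
                if not in_scope(dn, base, scope) or not matches_equality_filter(target, ldap_filter):
                    continue
                if member_attr:
                    entry.setdefault(member_attr, []).append(dn)
                else:
                    for attr in wanted:
                        entry.setdefault(attr, []).extend(target.get(attr, []))
    return entry


def postmap_query(directory, cf, address, attr_sets):
    """Answer `postmap -q address ldap:<cf>` for query_filter (|(mail=%s)(zarafaAliases=%s))."""
    results = []
    for dn in directory:
        if not in_scope(dn, cf["search_base"], cf["scope"]):
            continue
        entry = dynlist_expand(directory, dn, attr_sets)     # the server expands before answering
        if address in entry.get("mail", []) or address in entry.get("zarafaAliases", []):
            results.extend(entry.get(cf["result_attribute"], []))
    return results


# The relevant keys of ldap-users.cf and ldap-groups.cf from the page.
LDAP_USERS_CF = {"search_base": USERS_BASE, "scope": "sub", "result_attribute": "uid"}
LDAP_GROUPS_CF = {"search_base": GROUPS_BASE, "scope": "sub", "result_attribute": "uid"}

if __name__ == "__main__":
    ict = f"cn=ICT,{GROUPS_BASE}"
    print("member attribute :", dynlist_expand(DIRECTORY, ict, RETURN_DN).get("member"))
    print("uid attribute    :", dynlist_expand(DIRECTORY, ict, RETURN_ATTRIBUTE).get("uid"))
    print("groups map, attribute mode:", postmap_query(DIRECTORY, LDAP_GROUPS_CF, "ict@mycompany.be", RETURN_ATTRIBUTE))
    print("groups map, dn mode       :", postmap_query(DIRECTORY, LDAP_GROUPS_CF, "ict@mycompany.be", RETURN_DN))
    print("users map                 :", postmap_query(DIRECTORY, LDAP_USERS_CF, "jp@mycompany.be", RETURN_ATTRIBUTE))
```

The point the last two lines make: with the "Returning dn" setup the group entry carries member DNs but no uid, so a groups map with result_attribute = uid returns nothing and mail to the group bounces, while the attribute-returning setup yields exactly the robertf,bernardm,jeanpierreb result the page shows.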

More information

OpenLDAP §12.7. Dynamic Lists

Postfix ldap table