Child pages
  • Serversetup multi-tenant Kopano+Postfix+SASL+rspamd+openLDAP (Debian 10 buster)

...

Warning

Be careful when you edit the configuration! Editing the LDIF in ldapvi can be tricky at times. If in doubt, check the manual: http://www.lichteblau.com/ldapvi/manual/

  • Every olcAccess value needs a unique ordering number in curly brackets. Number them consecutively from {0} upwards; this number, not the position in the file, defines the evaluation order.
  • Ordering matters: slapd evaluates the access directives in order, the first "to" clause that matches the entry and attribute is used, and within it the first matching "by" clause decides (unless it ends in "break", which continues with the next directive). A too-generic rule placed too early shadows everything after it and can lock your users, the mail domain admins or the Kopano service account out.
  • No whitespace at the beginning or the end of lines! (hint: use ":set list" in ldapvi to spot it more easily)



Edit the config to set the ACLs:

No Format
~# ldapvi -h ldapi:// -Y EXTERNAL -b cn=config


Again, search for the entry "olcDatabase={1}mdb,cn=config" (the number in front of "mdb" may differ on your install). Replace all "olcAccess" values of that entry with the following set; the placeholders are explained below the block:

No Format
olcAccess: {0}to dn.subtree="ou=<MAILDOMAIN>,dc=example,dc=com" attrs=userPassword,shadowLastChange by dn="cn=<MAILDOMAINADMIN>,ou=<MAILDOMAIN>,dc=example,dc=com" write by * none break
olcAccess: {1}to attrs=userPassword by self write by anonymous auth by * none
olcAccess: {2}to attrs=shadowLastChange by self write by * read
olcAccess: {3}to dn="dc=example,dc=com" by * read by * auth
olcAccess: {4}to dn.subtree="dc=example,dc=com" by dn="cn=kopanoservice,dc=example,dc=com" read by * none break
olcAccess: {5}to dn.subtree="ou=<MAILDOMAIN>,dc=example,dc=com" by dn="cn=<MAILDOMAINADMIN>,ou=<MAILDOMAIN>,dc=example,dc=com" write by * none break
olcAccess: {6}to dn.subtree="dc=example,dc=com" by dn="cn=admin,dc=example,dc=com" manage break
olcAccess: {7}to * by * none

(info) Duplicate the lines "{0}" and "{5}" for every mail domain you host to delegate access to multiple mail domain admins; the other directives are global and stay single. Keep the order (per-domain password rules, generic rules, per-domain subtree rules, global admin, deny-all) and renumber the whole list so that the numbers stay consecutive when you add a domain later.

(info) The entry "{5}" grants write access on the whole subtree of one mail domain to its delegated admin, and "{0}" lets the same admin set userPassword and shadowLastChange for the users of that domain. Replace "<MAILDOMAIN>" with the mail domain and "<MAILDOMAINADMIN>" with the user account of the mail domain admin. Both entries are deliberately limited to dn.subtree="ou=<MAILDOMAIN>,...": a "{0}" written as "to attrs=userPassword,shadowLastChange" without the dn part would apply to every entry in the directory and let one domain admin reset the passwords of another tenant's users.

(info) "write" implies "read", so a domain admin can also read the password hashes of the users in his domain. If "cn=admin,dc=example,dc=com" in "{6}" is also the olcRootDN of the database (the Debian default), it bypasses the ACLs entirely; "{6}" only matters if your admin DN is a different account.


Save the config and restart the LDAP server (systemctl restart slapd).
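As an added example (not part of the original page), the following script generates the complete olcAccess list for several hosted mail domains with the {n} numbering done automatically, keeps the password rule limited to each domain's own subtree, loads the list with ldapmodify instead of editing it in ldapvi, and finally checks the effective rights with slapacl. The base DN, the Kopano service DN, the database DN, the two domains and the admin CNs are assumptions made for illustration; the "by" clauses use the explicit dn.exact style that slapd.access(5) recommends.

```shell
#!/bin/sh
# Added example (not from the original page): build the full olcAccess list
# for several delegated mail domains, number it, load it with ldapmodify and
# verify the resulting rights with slapacl.  BASE, SERVICE_DN, DB_DN and the
# domain/admin pairs are assumptions made for illustration.
set -eu

BASE='dc=example,dc=com'
SERVICE_DN="cn=kopanoservice,${BASE}"   # Kopano's LDAP bind user (from the page)
ROOT_ADMIN_DN="cn=admin,${BASE}"        # global admin (from the page)
DB_DN='olcDatabase={1}mdb,cn=config'    # the {n} may differ on your install

# Constructed input: one "<maildomain> <cn of that domain's admin>" per line.
DOMAINS='example.com admin-example-com
example.net admin-example-net'

# Print the directives in evaluation order, not yet numbered.  Same layout as
# the page: per-domain password rules, generic rules, per-domain subtree
# delegation, global admin, deny-all.
unnumbered_acls() {
    # The "to" clause is limited to the domain's own subtree, so the admin of
    # example.com cannot reset passwords under ou=example.net.
    printf '%s\n' "$DOMAINS" | while read -r dom adm; do
        printf 'to dn.subtree="ou=%s,%s" attrs=userPassword,shadowLastChange by dn.exact="cn=%s,ou=%s,%s" write by * none break\n' \
            "$dom" "$BASE" "$adm" "$dom" "$BASE"
    done
    printf '%s\n' \
        'to attrs=userPassword by self write by anonymous auth by * none' \
        'to attrs=shadowLastChange by self write by * read' \
        "to dn.base=\"${BASE}\" by * read" \
        "to dn.subtree=\"${BASE}\" by dn.exact=\"${SERVICE_DN}\" read by * none break"
    printf '%s\n' "$DOMAINS" | while read -r dom adm; do
        printf 'to dn.subtree="ou=%s,%s" by dn.exact="cn=%s,ou=%s,%s" write by * none break\n' \
            "$dom" "$BASE" "$adm" "$dom" "$BASE"
    done
    printf '%s\n' \
        "to dn.subtree=\"${BASE}\" by dn.exact=\"${ROOT_ADMIN_DN}\" manage break" \
        'to * by * none'
}

# Prefix {0}, {1}, ... in the order printed above, so renumbering after
# adding a domain can never be forgotten.
gen_acls() {
    unnumbered_acls | awk '{ printf "olcAccess: {%d}%s\n", NR - 1, $0 }'
}

# LDIF that replaces ALL olcAccess values of the database (the ldapmodify
# alternative to editing the entry in ldapvi).
gen_ldif() {
    printf 'dn: %s\nchangetype: modify\nreplace: olcAccess\n' "$DB_DN"
    gen_acls
}

apply_acls() {
    gen_ldif | ldapmodify -Q -Y EXTERNAL -H ldapi:///
}

# slapacl evaluates the configured ACLs for one identity against one entry
# straight from the database; -u skips fetching the entry, so the DNs need
# not exist yet.  Run it as the user slapd runs as (openldap on Debian) so
# that no files under /var/lib/ldap change owner.
# acl_expect ALLOWED|DENIED <authcDN> <entryDN> <attr/access>
acl_expect() {
    out=$(slapacl -F /etc/ldap/slapd.d -u -D "$2" -b "$3" "$4" 2>&1) || true
    case "$out" in
        *": $1"*) printf 'ok   %-60s %-20s %s\n' "$2" "$4" "$1" ;;
        *) printf 'FAIL %s %s: expected %s, got:\n%s\n' "$2" "$4" "$1" "$out"; return 1 ;;
    esac
}

check_acls() {
    a="cn=admin-example-com,ou=example.com,${BASE}"
    own="uid=alice,ou=example.com,${BASE}"
    other="uid=bob,ou=example.net,${BASE}"
    acl_expect ALLOWED "$a" "$own"   userPassword/write  # may reset own tenant's passwords
    acl_expect ALLOWED "$a" "$own"   entry/write         # may manage own subtree
    acl_expect DENIED  "$a" "$other" userPassword/write  # never another tenant's
    acl_expect DENIED  "$a" "$other" entry/read
    acl_expect ALLOWED "$SERVICE_DN" "$other" entry/read         # Kopano sees every domain
    acl_expect DENIED  "$SERVICE_DN" "$other" userPassword/read  # but no password hashes
}

case "${1:-gen}" in
    gen)   gen_ldif ;;
    apply) apply_acls ;;
    check) check_acls ;;
    *)     echo "usage: $0 gen|apply|check" >&2; exit 2 ;;
esac
```

Run it as "sh acls.sh gen" to review the LDIF, "sh acls.sh apply" to load it over ldapi:// with SASL EXTERNAL (root, as the page does with ldapvi), and "sh acls.sh check" afterwards: every "DENIED" line in check_acls is a tenant boundary, and a "FAIL" there means one mail domain admin can reach into another domain. Adding a domain is one more line in DOMAINS; the numbering and ordering are regenerated, which is exactly the manual step the warning above is about.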

...