Subject: Using the LDAP in iRedMail for Linux user login
I want to use the LDAP in iRedMail as the authentication server for Linux login, so that I can avoid building a second LDAP server, but my setup does not work. I would like to ask what configuration is needed.
What I did: to the ordinary mail=boomer.zha@example.com,ou=Users… entry I added the posixAccount objectClass, and added attributes such as uidNumber, loginShell and so on:
dn: mail=boomer.zha@example.cn,ou=Users,domainName=example.cn,o=domains,dc=example,dc=cn
mail: boomer.zha@example.cn
accountStatus: active
enabledService: mail
enabledService: internal
enabledService: smtp
enabledService: smtpsecured
enabledService: pop3
enabledService: pop3secured
enabledService: imap
enabledService: imapsecured
enabledService: deliver
enabledService: lda
enabledService: forward
enabledService: senderbcc
enabledService: recipientbcc
enabledService: managesieve
enabledService: managesievesecured
enabledService: sieve
enabledService: sievesecured
enabledService: displayedInGlobalAddressBook
enabledService: shadowaddress
storageBaseDirectory: /home
mailMessageStore: example.cn/boomer.zha/
sn: boomer
givenName: Boomer
mailQuota: 0
cn: Boomer Zha
gecos: boomer.zha
gidNumber: 1000
homeDirectory: /home/example.cn/boomer.zha
loginShell: /bin/bash
objectClass: top
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: amavisAccount
objectClass: mailUser
uid: boomer.zha
uidNumber: 1000
userPassword: {md5}KGzzfpaTQIqwPPhU9NOf3Q==
Note: I moved the mail account's home directory under /home/example.cn/; the mail system still runs.
The client configuration is
ldap://IP
dc=example,dc=cn
or
ldap://IP
ou=Users,domainName=example.cn,o=domain,dc=example,dc=cn
Both settings give the same result.
The OpenLDAP ACL is the one created when iRedMail was installed; because slapd.conf contains the following ACL, I did not touch it:
access to *
by anonymous auth
by self write
by users read
I also created an account uid=user1,ou=Users… under ou=Users; this user has no mail-related attributes at all. But neither user can log in to the Linux system. Below is the LDAP log:
Sep 20 18:05:44 ldap slapd[4261]: => acl_mask: access to entry "ou=Users,domainName=example.cn,o=domains,dc=example,dc=cn", attr "entry" requested
Sep 20 18:05:44 ldap slapd[4261]: => acl_mask: to all values by "", (=0)
Sep 20 18:05:44 ldap slapd[4261]: <= check a_dn_pat: anonymous
Sep 20 18:05:44 ldap slapd[4261]: <= acl_mask: [1] applying auth(=xd) (stop)
Sep 20 18:05:44 ldap slapd[4261]: <= acl_mask: [1] mask: auth(=xd)
Sep 20 18:05:44 ldap slapd[4261]: => slap_access_allowed: search access denied by auth(=xd)
Sep 20 18:05:44 ldap slapd[4261]: => access_allowed: no more rules
Sep 20 18:05:44 ldap slapd[4261]: => access_allowed: search access to "ou=Users,domainName=example.cn,o=domains,dc=example,dc=cn" "entry" requested
Sep 20 18:05:44 ldap slapd[4261]: => dn: [1] mail=.*@example.cn,ou=users,domainName=example.cn,o=domains,dc=example,dc=cn$
Sep 20 18:05:44 ldap slapd[4261]: => dnpat: [2] cn=[^,]+,mail=([^,]+)@([^,]+),ou=Users,domainName=([^,]+),o=domains,dc=example,dc=cn$ nsub: 3
Sep 20 18:05:44 ldap slapd[4261]: => dn: [8] cn=vmail,dc=example,dc=cn
Sep 20 18:05:44 ldap slapd[4261]: => dn: [9] cn=vmailadmin,dc=example,dc=cn
Sep 20 18:05:44 ldap slapd[4261]: => dnpat: [10] domainName=([^,]+),o=domains,dc=example,dc=cn$ nsub: 1
Sep 20 18:05:44 ldap slapd[4261]: => acl_get: [10] matched
Sep 20 18:05:44 ldap slapd[4261]: => acl_get: [10] attr entry
Sep 20 18:05:44 ldap slapd[4261]: => match[dn0]: 9 57
Sep 20 18:05:44 ldap slapd[4261]: => acl_mask: access to entry "ou=Users,domainName=example.cn,o=domains,dc=example,dc=cn", attr "entry" requested
Sep 20 18:05:44 ldap slapd[4261]: => acl_mask: to all values by "", (=0)
Sep 20 18:05:44 ldap slapd[4261]: <= check a_dn_pat: anonymous
Sep 20 18:05:44 ldap slapd[4261]: <= acl_mask: [1] applying auth(=xd) (stop)
Sep 20 18:05:44 ldap slapd[4261]: <= acl_mask: [1] mask: auth(=xd)
Sep 20 18:05:44 ldap slapd[4261]: => slap_access_allowed: search access denied by auth(=xd)
Sep 20 18:05:44 ldap slapd[4261]: => access_allowed: no more rules
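The log the post ends with shows the client performing its lookup with an empty bind DN (`to all values by ""`), so the first clause of the quoted ACL, `by anonymous auth`, matches and stops, granting only auth, which is below the search access an NSS/PAM lookup of ou=Users needs. The following is an added example (not code from the post, iRedMail or OpenLDAP): a small model of slapd's first-match `by` clause evaluation for that ACL, plus a parser that pulls the requester and the denying clause out of slapd ACL debug lines. The log lines are constructed by trimming the post's own output, and treating `cn=vmail,dc=example,dc=cn` (visible in the log's ACL list) as a read-only bind identity is an assumption.

```python
"""Added example (not from the post, iRedMail or OpenLDAP): a small model of
the slapd ACL quoted above plus a parser for slapd's ACL debug output, to show
why an anonymous NSS/PAM search against ou=Users is refused."""
import re
from typing import Dict, List, Optional, Sequence, Tuple

# OpenLDAP privilege levels from lowest to highest (slapd.access(5));
# a clause that grants one level implicitly grants everything below it.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

# The iRedMail ACL quoted in the post, as (who, level) clauses in order.
IREDMAIL_RULE: List[Tuple[str, str]] = [
    ("anonymous", "auth"),
    ("self", "write"),
    ("users", "read"),
]


def _who_matches(who: str, requester: str, entry_dn: str) -> bool:
    """Subset of slapd <who> specifiers: '*', 'anonymous', 'users', 'self' or an exact DN.
    `requester` is the bind DN, '' for an anonymous (unbound) connection."""
    if who == "*":
        return True
    if who == "anonymous":
        return requester == ""
    if who == "users":
        return requester != ""
    if who == "self":
        return requester != "" and requester.lower() == entry_dn.lower()
    return who.lower() == requester.lower()


def acl_allows(rule: Sequence[Tuple[str, str]], requester: str, entry_dn: str, wanted: str) -> bool:
    """Evaluate one 'access to' directive: the first matching 'by' clause decides
    and evaluation stops (the default control; 'break'/'continue' are not modelled).
    No matching clause means slapd denies."""
    for who, granted in rule:
        if _who_matches(who, requester, entry_dn):
            return LEVELS.index(granted) >= LEVELS.index(wanted)
    return False


# Patterns for the three slapd ACL debug lines (loglevel acl) that matter here.
_ENTRY = re.compile(r'acl_mask: access to entry "([^"]*)"')
_REQUESTER = re.compile(r'acl_mask: to all values by "([^"]*)"')
_DENIED = re.compile(r"slap_access_allowed: (\w+) access denied by (\w+)\(=(\w*)\)")


def parse_denials(lines: Sequence[str]) -> List[Dict[str, Optional[str]]]:
    """Walk slapd ACL debug output and return one record per 'access denied' line,
    joined with the entry and requester DN seen just before it."""
    entry: Optional[str] = None
    requester: Optional[str] = None
    denials: List[Dict[str, Optional[str]]] = []
    for line in lines:
        m = _ENTRY.search(line)
        if m:
            entry = m.group(1)
            continue
        m = _REQUESTER.search(line)
        if m:
            requester = m.group(1)
            continue
        m = _DENIED.search(line)
        if m:
            denials.append({
                "entry": entry,
                "requester": requester,
                "access": m.group(1),      # privilege the client needed
                "denied_by": m.group(2),   # privilege the matching clause granted
                "mask": m.group(3),        # slapd's short mask, e.g. xd = auth+disclose
            })
    return denials


def anonymous_search_denials(lines: Sequence[str]) -> List[Dict[str, Optional[str]]]:
    """Denials where an unbound client ('' requester) needed search access:
    the signature of an NSS/PAM client configured without a bind DN."""
    return [d for d in parse_denials(lines) if d["requester"] == "" and d["access"] == "search"]


# Constructed sample, trimmed from the log in the post.
SAMPLE_LOG = [
    'Sep 20 18:05:44 ldap slapd[4261]: => acl_mask: access to entry "ou=Users,domainName=example.cn,o=domains,dc=example,dc=cn", attr "entry" requested',
    'Sep 20 18:05:44 ldap slapd[4261]: => acl_mask: to all values by "", (=0)',
    'Sep 20 18:05:44 ldap slapd[4261]: <= check a_dn_pat: anonymous',
    'Sep 20 18:05:44 ldap slapd[4261]: <= acl_mask: [1] applying auth(=xd) (stop)',
    'Sep 20 18:05:44 ldap slapd[4261]: => slap_access_allowed: search access denied by auth(=xd)',
    'Sep 20 18:05:44 ldap slapd[4261]: => access_allowed: no more rules',
]

USERS_OU = "ou=Users,domainName=example.cn,o=domains,dc=example,dc=cn"
VMAIL_DN = "cn=vmail,dc=example,dc=cn"  # assumed read-only bind DN; it appears in the post's log


if __name__ == "__main__":
    for d in anonymous_search_denials(SAMPLE_LOG):
        print(f"anonymous client needed {d['access']} on {d['entry']}, clause only gave {d['denied_by']}")
    print("anonymous search:", acl_allows(IREDMAIL_RULE, "", USERS_OU, "search"))
    print("anonymous auth:  ", acl_allows(IREDMAIL_RULE, "", USERS_OU, "auth"))
    print("bound search:    ", acl_allows(IREDMAIL_RULE, VMAIL_DN, USERS_OU, "search"))
```

The model gives the same verdict as the log: an unbound client gets auth only, while any bound identity falls through to `by users read`. The client-side remedy that keeps the ACL intact is therefore to give the NSS/PAM lookup a bind DN and password (for example `ldap_default_bind_dn` and `ldap_default_authtok` in sssd, or `binddn` and `bindpw` in nss_ldap/pam_ldap) rather than relaxing the rule to `by anonymous read`, which would hand every account's attributes to unauthenticated queries.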