Article by lxzndr
Allow Open Source MAIA Mailguard to Authenticate Users to a NetWare LDAP Server Using TLS


Modifications to the Maia Mailguard anti-spam and anti-virus e-mail gateway to allow user login via LDAP authentication against a Novell eDirectory LDAP server.

Our Environment:

openSUSE 10.3 with the Maia Mailguard mail scanning/gateway software installed (should work with most Linux distributions).

For a good how-to guide on setting up the basic mail gateway, see Stephen Carter's cool solution: SUSE 10 Professional Anti-Spam & Anti-Virus Gateway Build Guide For Beginners: http://www.novell.com/coolsolutions/feature/16093....
If you are not using SUSE 10, there may be some minor file-location differences between versions and distributions, and you may need to add additional repositories.

NetWare 6.5 LDAP server - with "requires TLS for simple binds with password" enabled.

Problem:
I wanted to use LDAP for user logins so that we did not need to migrate users to the gateway machine, and so that we would not have to remember to update user lists on that system as users are added or deleted. It also spares users from remembering yet another ID and password.

Following the instructions in the open source spam filter / virus scanner MAIA Mailguard, I could not log in using LDAP authentication to our NetWare 6.5 LDAP server, because it is configured to "require TLS for simple binds with password".

Login errors reported: "could not bind to LDAP", "login failed", or "confidentiality required".

An analysis of the TCP/IP traffic shows an LDAP "resultCode: confidentialityRequired" message in response to the bind request.

The standard configuration files for MAIA Mailguard 1.0.2a (and earlier?) LDAP lookups do not include an option for TLS.

Solution:

Two files need to get modified:

1. /srv/www/htdocs/mail/config.php
2. /srv/www/htdocs/mail/auth.php

config.php: (in addition to the changes mentioned in the documentation to enable LDAP authentication)

Find the "Authenticating via LDAP" section and, anywhere within that section, add the line:
$auth_ldap_use_tls = "yes";

Then set the following attributes:

set $auth_ldap_server to your LDAP server's IP address

set $auth_ldap_query = "(&(cn=%%USER%%)(objectclass=person))"; (this selects only user accounts to authenticate with; users will use their Novell login ID and password)
[Using TLS, you do not need an LDAP user/password or a bind_dn to authenticate the users, because you are not directly binding.]

set $auth_ldap_base_dn = your base context (the top level to start the search from)

set $auth_ldap_attribute = "mail"; this retrieves the user's e-mail address from eDirectory and uses it in MAIA as the primary e-mail address (it should use the first address listed if there is more than one)

set $auth_ldap_version = 3; (it may work at the default of 2; I changed it to 3 early on and did not try changing it back.)

auth.php:

Find the auth_ldap function:

Add to the other globals there:

	global $auth_ldap_use_tls;

Then, after this code:

	$ldap_conn = ldap_connect($auth_ldap_server)
		or die($lang['error_ldap_connect']);

add:

	# if using tls: attempt to start tls; die rather than fall back to a clear-text bind
	if (isset($auth_ldap_use_tls)) {
		@ldap_start_tls($ldap_conn)
			or die('error ldap_start_tls');
	}
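As an added illustration (not Maia Mailguard's own auth.php), here is a stand-alone PHP function that performs the complete login flow the snippet above is spliced into: connect, set LDAPv3, StartTLS, search for the account with the filter from config.php, bind as the DN that was found, and return the mail attribute. The host, base DN and function name are assumptions; it goes beyond the article's snippet in that it fails closed when TLS cannot be negotiated, honours a value of "no", and escapes the login name before placing it in the search filter.

```php
<?php
// Added example, not Maia's own auth.php: a stand-alone version of the
// TLS-protected LDAP login flow the article describes, using its config names.
// Constructed placeholder settings; substitute your own server and base DN.
$auth_ldap_server    = 'ldap.example.internal';
$auth_ldap_use_tls   = 'yes';
$auth_ldap_version   = 3;
$auth_ldap_base_dn   = 'o=example';
$auth_ldap_query     = '(&(cn=%%USER%%)(objectclass=person))';
$auth_ldap_attribute = 'mail';

// Returns the user's e-mail address on success, or false on any failure.
function ldap_tls_login($user, $password) {
    global $auth_ldap_server, $auth_ldap_use_tls, $auth_ldap_version,
           $auth_ldap_base_dn, $auth_ldap_query, $auth_ldap_attribute;
    // An empty password makes a simple bind anonymous, which would "succeed"
    // for any existing account, so reject it before touching the server.
    if ($user === '' || $password === '') {
        return false;
    }
    $conn = ldap_connect($auth_ldap_server);
    if ($conn === false) {
        return false;
    }
    // StartTLS is an LDAPv3 extended operation: set the version first.
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, $auth_ldap_version);
    // Fail closed: if TLS was requested but cannot be negotiated, never fall
    // back to sending the password in clear text. Test the value, not just
    // isset(), so that "no" really disables TLS.
    if (strtolower($auth_ldap_use_tls) === 'yes' && !@ldap_start_tls($conn)) {
        ldap_unbind($conn);
        return false;
    }
    // Escape the login name before splicing it into the filter (PHP >= 5.6)
    // so that '*' or ')' in the input cannot change what is matched.
    $cn     = ldap_escape($user, '', LDAP_ESCAPE_FILTER);
    $filter = str_replace('%%USER%%', $cn, $auth_ldap_query);
    // Anonymous search for the account, then bind as the DN that was found.
    $res     = @ldap_search($conn, $auth_ldap_base_dn, $filter, array($auth_ldap_attribute));
    $entries = $res ? ldap_get_entries($conn, $res) : false;
    if (!$entries || $entries['count'] !== 1 || !@ldap_bind($conn, $entries[0]['dn'], $password)) {
        ldap_unbind($conn);   // unknown, ambiguous, or wrong password
        return false;
    }
    $attr  = strtolower($auth_ldap_attribute);   // ldap_get_entries lowercases keys
    $email = isset($entries[0][$attr][0]) ? $entries[0][$attr][0] : false;
    ldap_unbind($conn);
    return $email;
}
```

Because the first search is anonymous, the directory must allow [Public] to read cn and mail below the base DN, which is eDirectory's default; StartTLS only protects the later bind that carries the password.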

If the mail scanner server is in a DMZ, you will need to add a filter exception to your firewall to allow the LDAP request (TCP port 389, over which StartTLS is negotiated) to go through.

+------------------------------------------------------------------------------+
¦                               Define Exception                               ¦
¦------------------------------------------------------------------------------¦
¦ Source Interface Type:      Interface                                        ¦
¦ Source Interface:           DMZ (Private)                                    ¦
¦ Source Circuit:                                                              ¦
¦                                                                              ¦
¦ Destination Interface Type: Interface                                        ¦
¦ Destination Interface:      INTERNAL (Private)                               ¦
¦ Destination Circuit:                                                         ¦
¦                                                                              ¦
¦ Packet Type:       LDAP              Protocol:           TCP                 ¦
¦ Src Port(s):       <All>             Dest Port(s):       389                 ¦
¦ ACK Bit Filtering: Disabled          Stateful Filtering: Enabled             ¦
¦                                                                              ¦
¦ Src Addr Type:              Host                                             ¦
¦ Src IP Address:             AAA.BBB.CCC.DDD  (mail scanner)                  ¦
¦ Dest Addr Type:             Host                                             ¦
¦ Dest IP Address:            WWW.XXX.YYY.ZZZ  (ldap server)                   ¦
¦ Logging:                    Disabled                                         ¦
¦ Comment:                  ldap user lookup from gateway to ldap              ¦
+------------------------------------------------------------------------------+

Users should now be able to log in to the Maia Mailguard interface using their Novell user name and password, and it should also link their e-mail address automatically.

Mail that had already been quarantined by the gateway will not automatically get linked to their account, but all new mail should be properly associated with the user after initial login.

If you want to associate existing mail in the caches with new users, log in to MySQL, connect to the maia database and run the following SQL statement:
update maia_mail_recipients a, users b, maia_mail c set a.recipient_id=b.maia_user_id where a.mail_id=c.id and c.envelope_to=b.email;


Disclaimer: As with everything else at Cool Solutions, this content is definitely not supported by Novell (so don't even think of calling Support if you try something and it blows up).

It was contributed by a community member and is published "as is." It seems to have worked for at least one person, and might work for you. But please be sure to test, test, test before you do anything drastic with it.




User Comments


Adding to 1.0.3 tree

Submitted by notromda on 26 April 2008 - 5:09pm.

Thanks for the input, we've added it to the 1.0.3 tree.

I don't have LDAP set up right now, so I'd appreciate any testing comments to be sent to the Maia Developers mailing list.


Works Like a charm

Submitted by georgearmstrong on 21 August 2008 - 1:32pm.

Running SLES 10 with Stephen Carter's cool solution: SUSE 10 Professional Anti-Spam & Anti-Virus Gateway Build Guide For Beginners.

Not only is this an excellent Spam/Virus Gateway setup, the LDAP authentication works like a charm!

One question: how would I set it up for multiple LDAP servers (fail over)?


multiple ldap

Submitted by lxzndr on 22 August 2008 - 7:40am.

I've read in the Maia forums that they are working on multiple LDAP authentication (for different domains) in a future release.


How about on linux?

Submitted by bkesting on 22 February 2009 - 2:58pm.

Will this work to get Maia to authenticate to an LDAP server running within ConsoleOne on SLES 9, or does the LDAP server need to reside on NetWare?


I don't believe that the

Submitted by lxzndr on 23 February 2009 - 10:13am.

I don't believe that the LDAP server would need to reside on NetWare. I have not tested it, as we do not have LDAP running on any of our SLES servers at this point. It should work against any LDAP server; there would be changes required if it wasn't using the same field names as eDirectory.

© 2013 Novell